Merge pull request #6652 from bboozzoo/bboozzoo/selinux-sanity-mount-…

…context sanity: use proper SELinux context when mounting squashfs
snapcore · Mar 27, 2019 · 7411732 · 7411732
2 parents 07de0fa + 8d8a9be
commit 7411732
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 1 deletion.
diff --git a/sanity/squashfs.go b/sanity/squashfs.go
@@ -34,6 +34,8 @@ import (
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/osutil/squashfs"
+	"github.com/snapcore/snapd/release"
+	"github.com/snapcore/snapd/selinux"
 )
 
 func init() {
@@ -96,7 +98,14 @@ func checkSquashfsMount() error {
 	if err != nil {
 		return err
 	}
-	cmd := exec.Command("mount", "-t", fstype, tmpSquashfsFile.Name(), tmpMountDir)
+	options := []string{"-t", fstype}
+	if release.SELinuxLevel() != release.NoSELinux {
+		if ctx := selinux.SnapMountContext(); ctx != "" {
+			options = append(options, "-o", "context="+ctx)
+		}
+	}
+	options = append(options, tmpSquashfsFile.Name(), tmpMountDir)
+	cmd := exec.Command("mount", options...)
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("cannot mount squashfs image using %q: %v", fstype, osutil.OutputErr(output, err))

diff --git a/sanity/squashfs_test.go b/sanity/squashfs_test.go
@@ -23,6 +23,7 @@ import (
 	. "gopkg.in/check.v1"
 
 	"github.com/snapcore/snapd/osutil/squashfs"
+	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/sanity"
 	"github.com/snapcore/snapd/testutil"
 )
@@ -93,3 +94,29 @@ func (s *sanitySuite) TestCheckSquashfsMountWrongContent(c *C) {
 	c.Check(mockMount.Calls(), HasLen, 1)
 	c.Check(mockUmount.Calls(), HasLen, 1)
 }
+
+func (s *sanitySuite) TestCheckSquashfsMountSELinuxContext(c *C) {
+	restore := squashfs.MockUseFuse(false)
+	defer restore()
+
+	mockMount := testutil.MockCommand(c, "mount", "echo 'mock ran'")
+	defer mockMount.Restore()
+
+	mockUmount := testutil.MockCommand(c, "umount", "")
+	defer mockUmount.Restore()
+
+	mockSELinux := release.MockSELinuxIsEnabled(func() (bool, error) { return true, nil })
+	defer mockSELinux()
+
+	err := sanity.CheckSquashfsMount()
+	c.Assert(err, ErrorMatches, `squashfs mount returned no err but canary file cannot be read`)
+
+	c.Check(mockMount.Calls(), HasLen, 1)
+	c.Check(mockUmount.Calls(), HasLen, 1)
+	squashfsFile := mockMount.Calls()[0][5]
+	mountPoint := mockMount.Calls()[0][6]
+
+	c.Check(mockMount.Calls(), DeepEquals, [][]string{
+		{"mount", "-t", "squashfs", "-o", "context=system_u:object_r:snappy_snap_t:s0", squashfsFile, mountPoint},
+	})
+}