lsm: Make a not-nosuid /tmp

This was the thing that was breaking our `unconfined_t` -> `install_t`
transition; the host `/tmp` is `nosuid`.  It simplifies things
here to just make our own, so do that.

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

lib/src/install.rs

@@ -873,9 +873,22 @@ fn ensure_var() -> Result<()> {
 /// We can't bind mount though - we need to symlink it so that each calling process
 /// will traverse the link.
 #[context("Linking tmp mounts to host")]
-pub(crate) fn propagate_tmp_mounts_to_host() -> Result<()> {
-    // Point our /tmp and /var/tmp at the host, via the /proc/1/root magic link
-    for path in ["/tmp", "/var/tmp"].map(Utf8Path::new) {
+pub(crate) fn setup_tmp_mounts() -> Result<()> {
+    let st = rustix::fs::statfs("/tmp")?;
+    if st.f_type == libc::TMPFS_MAGIC {
+        tracing::trace!("Already have tmpfs /tmp")
+    } else {
+        // Note we explicitly also don't want a "nosuid" tmp, because that
+        // suppresses our install_t transition
+        Task::new_and_run(
+            "Mounting tmpfs /tmp",
+            "mount",
+            ["tmpfs", "-t", "tmpfs", "/tmp"],
+        )?;
+    }
+
+    // Point our /var/tmp at the host, via the /proc/1/root magic link
+    for path in ["/var/tmp"].map(Utf8Path::new) {
         if path.try_exists()? {
             let st = rustix::fs::statfs(path.as_std_path()).context(path)?;
             if st.f_type != libc::OVERLAYFS_SUPER_MAGIC {
@@ -999,7 +1012,7 @@ async fn prepare_install(
     }
 
     ensure_var()?;
-    propagate_tmp_mounts_to_host()?;
+    setup_tmp_mounts()?;
 
     // Even though we require running in a container, the mounts we create should be specific
     // to this process, so let's enter a private mountns to avoid leaking them.

lib/src/lsm.rs

@@ -33,14 +33,6 @@ fn get_current_security_context() -> Result<String> {
     std::fs::read_to_string(SELF_CURRENT).with_context(|| format!("Reading {SELF_CURRENT}"))
 }
 
-/// Determine if a security context is the "install_t" type which can
-/// write arbitrary labels.
-fn context_is_install_t(context: &str) -> bool {
-    // TODO: we shouldn't actually hardcode this...it's just ugly though
-    // to figure out whether we really can gain CAP_MAC_ADMIN.
-    context.contains(":install_t:")
-}
-
 #[context("Testing install_t")]
 fn test_install_t() -> Result<bool> {
     let tmpf = tempfile::NamedTempFile::new()?;
@@ -112,10 +104,6 @@ impl Drop for SetEnforceGuard {
 #[cfg(feature = "install")]
 pub(crate) fn selinux_ensure_install_or_setenforce() -> Result<Option<SetEnforceGuard>> {
     // If the process already has install_t, exit early
-    let current = get_current_security_context()?;
-    if context_is_install_t(&current) {
-        return Ok(None);
-    }
     // Note that this may re-exec the entire process
     if selinux_ensure_install()? {
         return Ok(None);
@@ -125,6 +113,7 @@ pub(crate) fn selinux_ensure_install_or_setenforce() -> Result<Option<SetEnforce
         selinux_set_permissive(true)?;
         Some(SetEnforceGuard)
     } else {
+        let current = get_current_security_context()?;
         anyhow::bail!("Failed to enter install_t (running as {current}) - use BOOTC_SETENFORCE0_FALLBACK=1 to override");
     };
     Ok(g)