cp: fix SELinux context handling for cp-a-selinux GNU test

This commit is contained in:
Christopher Dryden
2026-01-12 23:48:38 +00:00
committed by Sylvestre Ledru
parent 9922135bea
commit 102c94fa78
9 changed files with 196 additions and 26 deletions
+1
View File
@@ -85,6 +85,7 @@ cp-error-selinux-not-enabled = SELinux was not enabled during the compile time!
cp-error-selinux-set-context = failed to set the security context of { $path }: { $error }
cp-error-selinux-get-context = failed to get security context of { $path }
cp-error-selinux-error = SELinux error: { $error }
cp-error-selinux-context-conflict = cannot combine --context (-Z) with --preserve=context
cp-error-cannot-create-fifo = cannot create fifo { $path }: File exists
cp-error-invalid-attribute = invalid attribute { $value }
cp-error-failed-to-create-whole-tree = failed to create whole tree
+1
View File
@@ -85,6 +85,7 @@ cp-error-selinux-not-enabled = SELinux n'était pas activé lors de la compilati
cp-error-selinux-set-context = échec de la définition du contexte de sécurité de { $path } : { $error }
cp-error-selinux-get-context = échec de l'obtention du contexte de sécurité de { $path }
cp-error-selinux-error = Erreur SELinux : { $error }
cp-error-selinux-context-conflict = impossible de combiner --context (-Z) avec --preserve=context
cp-error-cannot-create-fifo = impossible de créer le fifo { $path } : Le fichier existe
cp-error-invalid-attribute = attribut invalide { $value }
cp-error-failed-to-create-whole-tree = échec de la création de l'arborescence complète
+22 -2
View File
@@ -26,6 +26,8 @@ use uucore::translate;
use uucore::uio_error;
use walkdir::{DirEntry, WalkDir};
#[cfg(all(feature = "selinux", target_os = "linux"))]
use crate::set_selinux_context;
use crate::{
CopyMode, CopyResult, CpError, Options, aligned_ancestors, context_for, copy_attributes,
copy_file,
@@ -492,6 +494,7 @@ pub(crate) fn copy_directory(
&entry.local_to_target,
&options.attributes,
false,
options.set_selinux_context,
)?;
continue;
}
@@ -534,6 +537,7 @@ pub(crate) fn copy_directory(
&entry.local_to_target,
&options.attributes,
false,
options.set_selinux_context,
)?;
}
}
@@ -550,7 +554,18 @@ pub(crate) fn copy_directory(
// Fix permissions for all directories we created
// This ensures that even sibling directories get their permissions fixed
for dir in dirs_needing_permissions {
copy_attributes(&dir.source, &dir.dest, &options.attributes, dir.was_created)?;
copy_attributes(
&dir.source,
&dir.dest,
&options.attributes,
dir.was_created,
options.set_selinux_context,
)?;
#[cfg(all(feature = "selinux", target_os = "linux"))]
if options.set_selinux_context {
set_selinux_context(&dir.dest, options.context.as_ref())?;
}
}
// Also fix permissions for parent directories,
@@ -559,7 +574,12 @@ pub(crate) fn copy_directory(
let dest = target.join(root.file_name().unwrap());
for (x, y) in aligned_ancestors(root, dest.as_path()) {
if let Ok(src) = canonicalize(x, MissingHandling::Normal, ResolveMode::Physical) {
copy_attributes(&src, y, &options.attributes, false)?;
copy_attributes(&src, y, &options.attributes, false, options.set_selinux_context)?;
#[cfg(all(feature = "selinux", target_os = "linux"))]
if options.set_selinux_context {
set_selinux_context(y, options.context.as_ref())?;
}
}
}
}
+92 -19
View File
@@ -1159,6 +1159,21 @@ impl Options {
None
};
// -Z/--context conflicts with explicit --preserve=context but overrides implicit (from -a)
if set_selinux_context || context.is_some() {
match attributes.context {
Preserve::Yes { required: true } => {
return Err(CpError::Error(translate!(
"cp-error-selinux-context-conflict"
)));
}
Preserve::Yes { required: false } => {
attributes.context = Preserve::No { explicit: false };
}
Preserve::No { .. } => {}
}
}
let options = Self {
attributes_only: matches.get_flag(options::ATTRIBUTES_ONLY),
copy_contents: matches.get_flag(options::COPY_CONTENTS),
@@ -1550,7 +1565,7 @@ fn copy_source(
if options.parents {
for (x, y) in aligned_ancestors(source, dest.as_path()) {
if let Ok(src) = canonicalize(x, MissingHandling::Normal, ResolveMode::Physical) {
copy_attributes(&src, y, &options.attributes, false)?;
copy_attributes(&src, y, &options.attributes, false, options.set_selinux_context)?;
}
}
}
@@ -1671,12 +1686,27 @@ fn handle_preserve<F: Fn() -> CopyResult<()>>(p: Preserve, f: F) -> CopyResult<(
Ok(())
}
#[cfg(all(feature = "selinux", target_os = "linux"))]
pub(crate) fn set_selinux_context(path: &Path, context: Option<&String>) -> CopyResult<()> {
if !uucore::selinux::is_selinux_enabled() {
return Ok(());
}
match uucore::selinux::set_selinux_security_context(path, context) {
Ok(()) => Ok(()),
Err(uucore::selinux::SeLinuxError::OperationNotSupported) => Ok(()),
Err(e) => Err(CpError::Error(
translate!("cp-error-selinux-error", "error" => e),
)),
}
}
/// Copies extended attributes (xattrs) from `source` to `dest`, ensuring that `dest` is temporarily
/// user-writable if needed and restoring its original permissions afterward. This avoids "Operation
/// not permitted" errors on read-only files. Returns an error if permission or metadata operations fail,
/// or if xattr copying fails.
#[cfg(all(unix, not(target_os = "android")))]
fn copy_extended_attrs(source: &Path, dest: &Path) -> CopyResult<()> {
fn copy_extended_attrs(source: &Path, dest: &Path, skip_selinux: bool) -> CopyResult<()> {
let metadata = fs::symlink_metadata(dest)?;
// Check if the destination file is currently read-only for the user.
@@ -1692,7 +1722,13 @@ fn copy_extended_attrs(source: &Path, dest: &Path) -> CopyResult<()> {
// Perform the xattr copy and capture any potential error,
// so we can restore permissions before returning.
let copy_xattrs_result = copy_xattrs(source, dest);
let copy_xattrs_result = if skip_selinux {
// When -Z is used, skip copying security.selinux xattr so that
// the default context can be set instead of preserving from source
copy_xattrs_skip_selinux(source, dest)
} else {
copy_xattrs(source, dest)
};
// Restore read-only if we changed it.
if was_readonly {
@@ -1712,12 +1748,31 @@ fn copy_extended_attrs(source: &Path, dest: &Path) -> CopyResult<()> {
Ok(())
}
/// Copy extended attributes but skip security.selinux
#[cfg(all(unix, not(target_os = "android")))]
fn copy_xattrs_skip_selinux(source: &Path, dest: &Path) -> std::io::Result<()> {
for attr_name in xattr::list(source)? {
// Skip security.selinux when -Z is used to set default context
if attr_name.to_string_lossy() == "security.selinux" {
continue;
}
if let Some(value) = xattr::get(source, &attr_name)? {
xattr::set(dest, &attr_name, &value)?;
}
}
Ok(())
}
/// Copy the specified attributes from one path to another.
/// If `skip_selinux_xattr` is true, the security.selinux xattr will not be copied
/// (used when -Z is specified to set the default context instead).
#[allow(unused_variables)]
pub(crate) fn copy_attributes(
source: &Path,
dest: &Path,
attributes: &Attributes,
dest_is_freshly_created_dir: bool,
skip_selinux_xattr: bool,
) -> CopyResult<()> {
let context = &*format!("{} -> {}", source.quote(), dest.quote());
let source_metadata =
@@ -1822,9 +1877,10 @@ pub(crate) fn copy_attributes(
handle_preserve(attributes.xattr, || -> CopyResult<()> {
#[cfg(all(unix, not(target_os = "android")))]
{
copy_extended_attrs(source, dest)?;
copy_extended_attrs(source, dest, skip_selinux_xattr)?;
}
#[cfg(not(all(unix, not(target_os = "android"))))]
#[allow(unused_variables)]
{
// The documentation for GNU cp states:
//
@@ -2576,33 +2632,44 @@ fn copy_file(
fs::set_permissions(dest, dest_permissions).ok();
}
if options.dereference(source_in_command_line) {
let copy_attributes_result = if options.dereference(source_in_command_line) {
// Try to canonicalize, but if it fails (e.g., due to inaccessible parent directories),
// fall back to the original source path
let src_for_attrs = canonicalize(source, MissingHandling::Normal, ResolveMode::Physical)
.ok()
.filter(|p| p.exists())
.unwrap_or_else(|| source.to_path_buf());
copy_attributes(&src_for_attrs, dest, &options.attributes, false)?;
copy_attributes(
&src_for_attrs,
dest,
&options.attributes,
false,
options.set_selinux_context,
)
} else if source_is_stream && !source.exists() {
// Some stream files may not exist after we have copied it,
// like anonymous pipes. Thus, we can't really copy its
// attributes. However, this is already handled in the stream
// copy function (see `copy_stream` under platform/linux.rs).
Ok(())
} else {
copy_attributes(source, dest, &options.attributes, false)?;
}
copy_attributes(
source,
dest,
&options.attributes,
false,
options.set_selinux_context,
)
};
#[cfg(all(feature = "selinux", any(target_os = "linux", target_os = "android")))]
if options.set_selinux_context && uucore::selinux::is_selinux_enabled() {
// Set the given selinux permissions on the copied file.
if let Err(e) =
uucore::selinux::set_selinux_security_context(dest, options.context.as_ref())
{
return Err(CpError::Error(
translate!("cp-error-selinux-error", "error" => e),
));
}
// GNU cp truncates the destination when a required attribute cannot be preserved
copy_attributes_result.inspect_err(|_| {
fs::File::create(dest).map(|f| f.set_len(0)).ok();
})?;
#[cfg(all(feature = "selinux", target_os = "linux"))]
if options.set_selinux_context {
set_selinux_context(dest, options.context.as_ref())?;
}
// Skip tracking copied files when using --link mode since hard link
@@ -2772,7 +2839,13 @@ fn copy_link(
delete_path(dest, options)?;
}
symlink_file(&link, dest, symlinked_files)?;
copy_attributes(source, dest, &options.attributes, false)
copy_attributes(
source,
dest,
&options.attributes,
false,
options.set_selinux_context,
)
}
/// Generate an error message if `target` is not the correct `target_type`
+1
View File
@@ -45,6 +45,7 @@ selinux-error-file-open-failure = failed to open the file: { $error }
selinux-error-context-retrieval-failure = failed to retrieve the security context: { $error }
selinux-error-context-set-failure = failed to set default file creation context to '{ $context }': { $error }
selinux-error-context-conversion-failure = failed to set default file creation context to '{ $context }': { $error }
selinux-error-operation-not-supported = operation not supported
# SMACK error messages
smack-error-not-enabled = SMACK is not enabled on this system
+1
View File
@@ -45,6 +45,7 @@ selinux-error-file-open-failure = échec de l'ouverture du fichier : { $error }
selinux-error-context-retrieval-failure = échec de la récupération du contexte de sécurité : { $error }
selinux-error-context-set-failure = échec de la définition du contexte de création de fichier par défaut à '{ $context }' : { $error }
selinux-error-context-conversion-failure = échec de la définition du contexte de création de fichier par défaut à '{ $context }' : { $error }
selinux-error-operation-not-supported = opération non prise en charge
# Messages d'erreur de traversée sécurisée
safe-traversal-error-path-contains-null = le chemin contient un octet null
+21 -4
View File
@@ -30,6 +30,9 @@ pub enum SeLinuxError {
#[error("{}", translate!("selinux-error-context-conversion-failure", "context" => .0.clone(), "error" => .1.clone()))]
ContextConversionFailure(String, String),
#[error("{}", translate!("selinux-error-operation-not-supported"))]
OperationNotSupported,
}
impl UError for SeLinuxError {
@@ -40,6 +43,7 @@ impl UError for SeLinuxError {
Self::ContextRetrievalFailure(_) => 3,
Self::ContextSetFailure(_, _) => 4,
Self::ContextConversionFailure(_, _) => 5,
Self::OperationNotSupported => 6,
}
}
}
@@ -154,13 +158,23 @@ pub fn set_selinux_security_context(
false,
)
.set_for_path(path, false, false)
.map_err(|e| {
SeLinuxError::ContextSetFailure(ctx_str.to_owned(), selinux_error_description(&e))
.map_err(|e| match &e {
selinux::errors::Error::IO1Path { source, .. }
if source.raw_os_error() == Some(libc::ENOTSUP) =>
{
SeLinuxError::OperationNotSupported
}
_ => SeLinuxError::ContextSetFailure(ctx_str.to_owned(), selinux_error_description(&e)),
})
} else {
// If no context provided, set the default SELinux context for the path
SecurityContext::set_default_for_path(path).map_err(|e| {
SeLinuxError::ContextSetFailure(String::new(), selinux_error_description(&e))
SecurityContext::set_default_for_path(path).map_err(|e| match &e {
selinux::errors::Error::IO1Path { source, .. }
if source.raw_os_error() == Some(libc::ENOTSUP) =>
{
SeLinuxError::OperationNotSupported
}
_ => SeLinuxError::ContextSetFailure(String::new(), selinux_error_description(&e)),
})
}
}
@@ -532,6 +546,9 @@ mod tests {
"File open failure occurred despite file being created: {e}"
);
}
Err(e @ SeLinuxError::OperationNotSupported) => {
println!("{e}");
}
}
}
+56
View File
@@ -7671,3 +7671,59 @@ fn test_cp_gnu_preserve_mode() {
assert_eq!(d1_mode, d3_mode);
}
#[test]
#[cfg(feature = "feat_selinux")]
fn test_cp_a_z_overrides_context() {
use std::path::Path;
use uucore::selinux::{get_selinux_security_context, set_selinux_security_context};
let (at, mut ucmd) = at_and_ucmd!();
at.touch("src");
let ctx = "unconfined_u:object_r:user_tmp_t:s0".to_string();
if set_selinux_security_context(Path::new(&at.plus_as_string("src")), Some(&ctx)).is_err() {
return;
}
let src_ctx =
get_selinux_security_context(Path::new(&at.plus_as_string("src")), false).unwrap();
ucmd.args(&["-aZ", "src", "dst"]).succeeds();
let dst_ctx =
get_selinux_security_context(Path::new(&at.plus_as_string("dst")), false).unwrap();
assert_ne!(src_ctx, dst_ctx, "-aZ should override context from -a");
}
#[test]
#[cfg(feature = "feat_selinux")]
fn test_cp_a_preserves_context() {
use std::path::Path;
use uucore::selinux::{get_selinux_security_context, set_selinux_security_context};
let (at, mut ucmd) = at_and_ucmd!();
at.touch("src");
let ctx = "unconfined_u:object_r:user_tmp_t:s0".to_string();
if set_selinux_security_context(Path::new(&at.plus_as_string("src")), Some(&ctx)).is_err() {
return;
}
let src_ctx =
get_selinux_security_context(Path::new(&at.plus_as_string("src")), false).unwrap();
ucmd.args(&["-a", "src", "dst"]).succeeds();
let dst_ctx =
get_selinux_security_context(Path::new(&at.plus_as_string("dst")), false).unwrap();
assert_eq!(src_ctx, dst_ctx, "-a should preserve SELinux context");
}
#[test]
#[cfg(feature = "feat_selinux")]
fn test_cp_preserve_context_with_z_fails() {
let (at, mut ucmd) = at_and_ucmd!();
at.touch("src");
ucmd.args(&["--preserve=context", "-Z", "src", "dst"])
.fails()
.stderr_contains("cannot combine");
}
+1 -1
View File
@@ -90,7 +90,7 @@ cd -
export CARGOFLAGS # tell to make
if [ "${SELINUX_ENABLED}" = 1 ];then
# Build few utils for SELinux for faster build. MULTICALL=y fails...
make UTILS="cat chcon chmod cp cut dd echo env groups id install ln ls mkdir mkfifo mknod mktemp mv printf rm rmdir runcon seq stat test touch tr true uname wc whoami"
"${MAKE}" UTILS="cat chcon chmod cp cut dd echo env groups id install ln ls mkdir mkfifo mknod mktemp mv printf realpath rm rmdir runcon seq stat test touch tr true uname wc whoami"
else
# Use MULTICALL=y for faster build
make MULTICALL=y SKIP_UTILS=more