From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
The virSecuritySELinuxGenNewContext method was not reporting any
errors, leaving it upto the caller to report a generic error.
In addition it could potentially trigger a strdup(NULL) in an
OOM scenario. Move all error porting into the
virSecuritySELinuxGenNewContext method where accurate info
can be provided
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
src/security/security_selinux.c | 67 +++++++++++++++++++++++------------------
1 file changed, 37 insertions(+), 30 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ca19b70..1b5c02e 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -99,20 +99,37 @@ virSecuritySELinuxMCSRemove(virSecurityManagerPtr mgr,
}
static char *
-virSecuritySELinuxGenNewContext(const char *oldcontext, const char *mcs)
+virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
{
- char *newcontext = NULL;
- char *scontext = strdup(oldcontext);
- context_t con;
- if (!scontext) goto err;
- con = context_new(scontext);
- if (!con) goto err;
- context_range_set(con, mcs);
- newcontext = strdup(context_str(con));
- context_free(con);
-err:
- freecon(scontext);
- return newcontext;
+ context_t context;
+ char *ret = NULL;
+ char *str;
+
+ if (!(context = context_new(basecontext))) {
+ virReportSystemError(errno,
+ _("Unable to parse base SELinux context '%s'"),
+ basecontext);
+ goto cleanup;
+ }
+
+ if (context_range_set(context, mcs) != 0) {
+ virReportSystemError(errno,
+ _("Unable to set SELinux context MCS '%s'"),
+ mcs);
+ goto cleanup;
+ }
+ if (!(str = context_str(context))) {
+ virReportSystemError(errno, "%s",
+ _("Unable to format SELinux context"));
+ goto cleanup;
+ }
+ if (!(ret = strdup(str))) {
+ virReportOOMError();
+ goto cleanup;
+ }
+cleanup:
+ context_free(context);
+ return ret;
}
@@ -348,15 +365,11 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
break;
}
- def->seclabel.label =
- virSecuritySELinuxGenNewContext(def->seclabel.baselabel ?
- def->seclabel.baselabel :
- data->domain_context, mcs);
- if (! def->seclabel.label) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("cannot generate selinux context for %s"), mcs);
+ if (!(def->seclabel.label =
+ virSecuritySELinuxGenNewContext(def->seclabel.baselabel ?
+ def->seclabel.baselabel :
+ data->domain_context, mcs)))
goto cleanup;
- }
break;
case VIR_DOMAIN_SECLABEL_NONE:
@@ -371,12 +384,9 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
}
if (!def->seclabel.norelabel) {
- def->seclabel.imagelabel = virSecuritySELinuxGenNewContext(data->file_context, mcs);
- if (!def->seclabel.imagelabel) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("cannot generate selinux context for %s"), mcs);
+ if (!(def->seclabel.imagelabel =
+ virSecuritySELinuxGenNewContext(data->file_context, mcs)))
goto cleanup;
- }
}
if (!def->seclabel.model &&
@@ -1576,11 +1586,8 @@ virSecuritySELinuxGenImageLabel(virSecurityManagerPtr mgr,
virReportOOMError();
goto cleanup;
}
- label = virSecuritySELinuxGenNewContext(data->file_context, mcs);
- if (!label) {
- virReportOOMError();
+ if (!(label = virSecuritySELinuxGenNewContext(data->file_context, mcs)))
goto cleanup;
- }
}
}
--
1.7.11.2
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list