On Fri, Jul 24, 2020 at 8:34 AM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> Hi list,
>
> I stumbled over a systemd commit [1], handling the event where
> getcon_raw returns 0 (success) and the returned context is NULL.
> The commit points to the SELinux userland source lines [2].
>
> Is this by design?
> Or should either errno be set to ENODATA and ret to -1, or this case
> be mentioned in the manpage?

For most of the other process security attributes (e.g. exec, fscreate, ...), get*con() can return NULL if the attribute has not been set by the process, and set*con() can be passed NULL to clear the attribute (i.e. reset to using the policy defaults), and this is not an error condition.

getprevcon() and getcon() are the exceptions; the kernel will always return non-zero length contexts for "prev" and "current", so this will never happen for them (and you can't set "prev" at all and "current" cannot be set to NULL/0-length). They just happen to share the same underlying libselinux implementation as the others.

So this is not a possible case and doesn't require handling. I suppose we could make that clearer in the man pages.

>
>
> [1]: https://github.com/systemd/systemd/commit/199a892218e1f36e7bd7d5da2d78de6b13f04488
> [2]: https://github.com/SELinuxProject/selinux/blob/4246bb550dee5246c8567804325b7da206cd76cf/libselinux/src/procattr.c#L175
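The following is an added example, not code from libselinux or systemd, showing the calling convention the reply describes: a success return with a NULL context is a legitimate "attribute not set" result for exec, fscreate and the other settable attributes, but should never occur for "current" or "prev". The function names parse_procattr, read_procattr and classify_result are hypothetical; parse_procattr mimics the empty-file-to-NULL behaviour of the /proc/self/attr read path so that it can be exercised on constructed buffers, and read_procattr reads the real files when they exist (it fails with errno on a system without them).

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Result classes a caller of get*con() has to distinguish (hypothetical). */
enum attr_result {
    ATTR_ERROR = -1,      /* rc < 0: read or allocation failure, errno set */
    ATTR_SET = 0,         /* rc == 0 and a context string was returned */
    ATTR_UNSET = 1,       /* rc == 0, context NULL: legitimate for exec/fscreate/... */
    ATTR_UNEXPECTED = 2,  /* rc == 0, context NULL for "current"/"prev": should not happen */
};

/* Mimics the attribute-read semantics discussed in the thread: an empty
 * attribute yields rc 0 and *context == NULL (not an error); otherwise a
 * NUL-terminated copy of the context is returned in *context. */
static int parse_procattr(const char *buf, size_t len, char **context)
{
    /* The kernel may append a NUL or newline; strip it before length checks. */
    while (len > 0 && (buf[len - 1] == '\0' || buf[len - 1] == '\n'))
        len--;
    if (len == 0) {
        *context = NULL;  /* attribute not set: success, no context */
        return 0;
    }
    char *copy = malloc(len + 1);
    if (!copy)
        return -1;        /* errno == ENOMEM from malloc */
    memcpy(copy, buf, len);
    copy[len] = '\0';
    *context = copy;
    return 0;
}

/* Reads /proc/self/attr/<name> (the files libselinux's procattr code wraps).
 * Returns -1 with errno set when the file cannot be read, e.g. no SELinux. */
static int read_procattr(const char *name, char **context)
{
    char path[64];
    char buf[4096];
    snprintf(path, sizeof path, "/proc/self/attr/%s", name);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    int saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    return parse_procattr(buf, (size_t)n, context);
}

/* Interprets an (rc, context) pair per the rules in the reply: NULL is a
 * normal "unset" answer for settable attributes, but for "current" and
 * "prev" the kernel always returns a non-empty context. */
static enum attr_result classify_result(const char *name, int rc, const char *context)
{
    if (rc < 0)
        return ATTR_ERROR;
    if (context)
        return ATTR_SET;
    if (strcmp(name, "current") == 0 || strcmp(name, "prev") == 0)
        return ATTR_UNEXPECTED;
    return ATTR_UNSET;
}

int main(void)
{
    const char *names[] = { "current", "prev", "exec", "fscreate", "keycreate", "sockcreate" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char *ctx = NULL;
        int rc = read_procattr(names[i], &ctx);
        switch (classify_result(names[i], rc, ctx)) {
        case ATTR_ERROR:      printf("%-10s error: %s\n", names[i], strerror(errno)); break;
        case ATTR_SET:        printf("%-10s %s\n", names[i], ctx); break;
        case ATTR_UNSET:      printf("%-10s (not set, policy default applies)\n", names[i]); break;
        case ATTR_UNEXPECTED: printf("%-10s NULL context: unexpected, treat as a bug\n", names[i]); break;
        }
        free(ctx);  /* free(NULL) is a no-op, matching freecon()'s tolerance of NULL */
    }
    return 0;
}
```

The practical rule for callers: check the return value first, then treat a NULL context from getexeccon()/getfscreatecon() and friends as "unset" rather than as failure, and release it with freecon() only when non-NULL is not required (freecon(NULL) is safe, as is free(NULL) above).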