1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
3 Date: Thu, 12 Jul 2018 15:16:40 +0200
4 Subject: [PATCH] lsm: fixup lsm_process_label_set_at return values
5
6 Always return -1 on error (some code paths returned -1, some
7 returned negative error codes), don't assume 'errno' is set
8 afterwards, as the function already prints errors and not
9 all code paths will have a usable errno value.
10
11 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
12 (cherry picked from commit c68d5b0dd63ea8226698ae3ff8a5336a60c171c3)
13 ---
14 src/lxc/lsm/apparmor.c | 2 +-
15 src/lxc/lsm/lsm.c | 12 ++++++++----
16 2 files changed, 9 insertions(+), 5 deletions(-)
17
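diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 1507917c..95b61943 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -241,7 +241,7 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 ret = lsm_process_label_set_at(label_fd, label, on_exec);
 close(label_fd);
 if (ret < 0) {
- SYSERROR("Failed to change apparmor profile to %s", label);
+ ERROR("Failed to change apparmor profile to %s", label);
 return -1;
 }
 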
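Review bot: The switch from `SYSERROR` to `ERROR` after `lsm_process_label_set_at()` is easy to revert by accident, because nothing at the call site says why errno is not reported here (the intervening `close(label_fd)` may also overwrite it). A short comment above the log line would record the reason, e.g. `/* lsm_process_label_set_at() logs the cause itself; errno is not reliable here */`. A failure at this point means the requested profile was not applied, so it is worth confirming that callers treat the `-1` as fatal rather than continuing unconfined; the callers are not visible in this patch. The body of apparmor_process_label_set starts and ends outside the hunk.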
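diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c
index f4500ae2..8d7de2db 100644
--- a/src/lxc/lsm/lsm.c
+++ b/src/lxc/lsm/lsm.c
@@ -142,18 +142,20 @@ int lsm_process_label_set_at(int label_fd, const char *label, bool on_exec)
 
 if (on_exec) {
 ERROR("Changing AppArmor profile on exec not supported");
- return -EINVAL;
+ return -1;
 }
 
 len = strlen(label) + strlen("changeprofile ") + 1;
 command = malloc(len);
 if (!command)
- return -1;
+ goto on_error;
 
 ret = snprintf(command, len, "changeprofile %s", label);
 if (ret < 0 || (size_t)ret >= len) {
+ int saved_errno = errno;
 free(command);
- return -1;
+ errno = saved_errno;
+ goto on_error;
 }
 
 ret = lxc_write_nointr(label_fd, command, len - 1);
@@ -161,9 +163,11 @@ int lsm_process_label_set_at(int label_fd, const char *label, bool on_exec)
 } else if (strcmp(name, "SELinux") == 0) {
 ret = lxc_write_nointr(label_fd, label, strlen(label));
 } else {
- ret = -EINVAL;
+ errno = EINVAL;
+ ret = -1;
 }
 if (ret < 0) {
+on_error:
 SYSERROR("Failed to set %s label \"%s\"", name, label);
 return -1;
 }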
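Review bot: In the `snprintf` failure branch of the first hunk, `saved_errno` preserves whatever errno held beforehand, but snprintf does not set errno when the result is merely truncated (`(size_t)ret >= len`), so the `SYSERROR` at `on_error:` can report an unrelated cause for a failed label change. Truncation looks unreachable because `len` is computed from the same strings, but the branch should still log something meaningful, e.g. `int saved_errno = ret < 0 ? errno : EINVAL;`, which matches how the final `else` branch sets `errno = EINVAL` explicitly. The `on_error:` label also sits inside the `if (ret < 0)` body, so both gotos jump into a conditional block; a comment such as `/* also reached via goto from the AppArmor branch */` on the label would make that entry point visible to the next reader. The function's start and end are outside the hunks shown.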
72 --
73 2.11.0
74