selinux: assume 's0' if the range is empty
This fixes a crash: https://bugzilla.redhat.com/show_bug.cgi?id=969878
parent
e4f6fb04b7
commit
0b466db29b
@ -170,11 +170,13 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
|
|||||||
/*
|
/*
|
||||||
* This needs to cope with several styles of range
|
* This needs to cope with several styles of range
|
||||||
*
|
*
|
||||||
|
* system_u:system_r:virtd_t
|
||||||
* system_u:system_r:virtd_t:s0
|
* system_u:system_r:virtd_t:s0
|
||||||
* system_u:system_r:virtd_t:s0-s0
|
* system_u:system_r:virtd_t:s0-s0
|
||||||
* system_u:system_r:virtd_t:s0-s0:c0.c1023
|
* system_u:system_r:virtd_t:s0-s0:c0.c1023
|
||||||
*
|
*
|
||||||
* In the first two cases, we'll assume c0.c1023 for
|
* In the first case we'll assume s0:c0.c1023 and
|
||||||
|
* in the next two cases, we'll assume c0.c1023 for
|
||||||
* the category part, since that's what we're really
|
* the category part, since that's what we're really
|
||||||
* interested in. This won't work in Enforcing mode,
|
* interested in. This won't work in Enforcing mode,
|
||||||
* but will prevent libvirtd breaking in Permissive
|
* but will prevent libvirtd breaking in Permissive
|
||||||
@ -189,6 +191,7 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
|
|||||||
context_t ourContext = NULL;
|
context_t ourContext = NULL;
|
||||||
char *cat = NULL;
|
char *cat = NULL;
|
||||||
char *tmp;
|
char *tmp;
|
||||||
|
const char *contextRange;
|
||||||
int ret = -1;
|
int ret = -1;
|
||||||
|
|
||||||
if (getcon_raw(&ourSecContext) < 0) {
|
if (getcon_raw(&ourSecContext) < 0) {
|
||||||
@ -202,8 +205,10 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
|
|||||||
ourSecContext);
|
ourSecContext);
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
if (!(contextRange = context_range_get(ourContext)))
|
||||||
|
contextRange = "s0";
|
||||||
|
|
||||||
if (VIR_STRDUP(*sens, context_range_get(ourContext)) < 0)
|
if (VIR_STRDUP(*sens, contextRange) < 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
/* Find and blank out the category part (if any) */
|
/* Find and blank out the category part (if any) */
|
||||||
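Review bot: The fallback `if (!(contextRange = context_range_get(ourContext))) contextRange = "s0";` is silent, so a daemon whose own context has no range will derive guest labels from an assumed sensitivity with nothing in the logs to show it. The comment in the first hunk already says this case will not work in Enforcing mode, so it is worth surfacing: inside the branch I would add something like `VIR_WARN("process context '%s' has no range, assuming s0", ourSecContext);`, assuming the file's logging macros are in scope here. A short comment such as `/* no range field in our context; the literal is only copied, the category blanking below edits *sens */` would also record why a string literal is acceptable at this point. The body of virSecuritySELinuxMCSGetProcessRange starts and ends outside the hunk, so the later uses of `*sens` are not visible.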
|
@ -333,6 +333,12 @@ mymain(void)
|
|||||||
"system_u", "system_r", "object_r",
|
"system_u", "system_r", "object_r",
|
||||||
"svirt_t", "svirt_image_t",
|
"svirt_t", "svirt_image_t",
|
||||||
2, 3, 0, 1023);
|
2, 3, 0, 1023);
|
||||||
|
DO_TEST_GEN_LABEL("dynamic virtd, missing range",
|
||||||
|
"system_u:system_r:virtd_t",
|
||||||
|
true, NULL, NULL,
|
||||||
|
"system_u", "system_r", "object_r",
|
||||||
|
"svirt_t", "svirt_image_t",
|
||||||
|
0, 0, 0, 1023);
|
||||||
|
|
||||||
return (ret == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
|
return (ret == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
|
||||||
}
|
}
|
||||||
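Review bot: The new `DO_TEST_GEN_LABEL("dynamic virtd, missing range", ...)` case passes `0, 0, 0, 1023` with no hint of what the four numbers pin, while the neighbouring case uses `2, 3, 0, 1023`, so a reader has to open the macro to see that the fallback sensitivity is the thing being asserted. A one-line comment above the case would do, e.g. `/* context has no MLS range: expect sensitivity s0 and the full c0.c1023 category span */`. This reading of the arguments is inferred from the two visible cases and should be checked against the macro definition. mymain starts outside the hunk.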
|