selinux: Resolve resource leak using the default disk label

Commit id a994ef2d1 changed the mechanism to store/update the default security label from using disk->seclabels[0] to allocating one on the fly. That change allocated the label, but never saved it. This patch will save the label. The new virDomainDiskDefAddSecurityLabelDef() is a copy of the virDomainDefAddSecurityLabelDef(). (cherry picked from commit 05cc03518987fa0f8399930d14c1d635591ca49b) Conflicts: src/conf/domain_conf.h
2025-01-28 15:35:22 +00:00 · 2013-01-18 09:34:13 -05:00 · 2013-01-18 09:34:13 -05:00 · 8cdeb0f85e
commit 8cdeb0f85e
parent f104a2a6b3
3 changed files with 45 additions and 17 deletions
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@ -15389,26 +15389,51 @@ virDomainDefAddSecurityLabelDef(virDomainDefPtr def, const char *model)
 {
    virSecurityLabelDefPtr seclabel = NULL;

-    if (VIR_ALLOC(seclabel) < 0) {
-        virReportOOMError();
-        return NULL;
-    }
+    if (VIR_ALLOC(seclabel) < 0)
+        goto no_memory;

    if (model) {
        seclabel->model = strdup(model);
-        if (seclabel->model == NULL) {
-            virReportOOMError();
-            virSecurityLabelDefFree(seclabel);
-            return NULL;
-        }
+        if (seclabel->model == NULL)
+            goto no_memory;
    }

-    if (VIR_EXPAND_N(def->seclabels, def->nseclabels, 1) < 0) {
-        virReportOOMError();
-        virSecurityLabelDefFree(seclabel);
-        return NULL;
-    }
+    if (VIR_EXPAND_N(def->seclabels, def->nseclabels, 1) < 0)
+        goto no_memory;
+
    def->seclabels[def->nseclabels - 1] = seclabel;

    return seclabel;
+
+no_memory:
+    virReportOOMError();
+    virSecurityLabelDefFree(seclabel);
+    return NULL;
+}
+
+virSecurityDeviceLabelDefPtr
+virDomainDiskDefAddSecurityLabelDef(virDomainDiskDefPtr def, const char *model)
+{
+    virSecurityDeviceLabelDefPtr seclabel = NULL;
+
+    if (VIR_ALLOC(seclabel) < 0)
+        goto no_memory;
+
+    if (model) {
+        seclabel->model = strdup(model);
+        if (seclabel->model == NULL)
+            goto no_memory;
+    }
+
+    if (VIR_EXPAND_N(def->seclabels, def->nseclabels, 1) < 0)
+        goto no_memory;
+
+    def->seclabels[def->nseclabels - 1] = seclabel;
+
+    return seclabel;
+
+no_memory:
+    virReportOOMError();
+    virSecurityDeviceLabelDefFree(seclabel);
+    return NULL;
 }
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@ -2144,6 +2144,9 @@ virDomainChrDefGetSecurityLabelDef(virDomainChrDefPtr def, const char *model);
 virSecurityLabelDefPtr
 virDomainDefAddSecurityLabelDef(virDomainDefPtr def, const char *model);

+virSecurityDeviceLabelDefPtr
+virDomainDiskDefAddSecurityLabelDef(virDomainDiskDefPtr def, const char *model);
+
 typedef const char* (*virLifecycleToStringFunc)(int type);
 typedef int (*virLifecycleFromStringFunc)(const char *type);

--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -1050,10 +1050,10 @@ virSecuritySELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
    if (ret == 1 && !disk_seclabel) {
        /* If we failed to set a label, but virt_use_nfs let us
         * proceed anyway, then we don't need to relabel later.  */
-        if (VIR_ALLOC(disk_seclabel) < 0) {
-            virReportOOMError();
+        disk_seclabel =
+            virDomainDiskDefAddSecurityLabelDef(disk, SECURITY_SELINUX_NAME);
+        if (!disk_seclabel)
            return -1;
-        }
        disk_seclabel->norelabel = true;
        ret = 0;
    }