Merge pull request #7622 from hxtk/master

Fix for incorrect evaluation of error condition within libpod.LabelVolumePath.
containers · Oct 2, 2020 · 51851e1 · 51851e1
2 parents f372f4b + c8f9117
commit 51851e1
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 4 deletions.
diff --git a/libpod/util_linux.go b/libpod/util_linux.go
@@ -90,19 +90,23 @@ func assembleSystemdCgroupName(baseSlice, newSlice string) (string, error) {
 	return final, nil
 }
 
+var lvpRelabel = label.Relabel
+var lvpInitLabels = label.InitLabels
+var lvpReleaseLabel = label.ReleaseLabel
+
 // LabelVolumePath takes a mount path for a volume and gives it an
 // selinux label of either shared or not
 func LabelVolumePath(path string) error {
-	_, mountLabel, err := label.InitLabels([]string{})
+	_, mountLabel, err := lvpInitLabels([]string{})
 	if err != nil {
 		return errors.Wrapf(err, "error getting default mountlabels")
 	}
-	if err := label.ReleaseLabel(mountLabel); err != nil {
+	if err := lvpReleaseLabel(mountLabel); err != nil {
 		return errors.Wrapf(err, "error releasing label %q", mountLabel)
 	}
 
-	if err := label.Relabel(path, mountLabel, true); err != nil {
-		if err != syscall.ENOTSUP {
+	if err := lvpRelabel(path, mountLabel, true); err != nil {
+		if err == syscall.ENOTSUP {
 			logrus.Debugf("Labeling not supported on %q", path)
 		} else {
 			return errors.Wrapf(err, "error setting selinux label for %s to %q as shared", path, mountLabel)

diff --git a/libpod/util_linux_test.go b/libpod/util_linux_test.go
@@ -0,0 +1,39 @@
+package libpod
+
+import (
+	"syscall"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLabelVolumePath(t *testing.T) {
+	// Set up mocked SELinux functions for testing.
+	oldRelabel := lvpRelabel
+	oldInitLabels := lvpInitLabels
+	oldReleaseLabel := lvpReleaseLabel
+	defer func() {
+		lvpRelabel = oldRelabel
+		lvpInitLabels = oldInitLabels
+		lvpReleaseLabel = oldReleaseLabel
+	}()
+
+	// Relabel returns ENOTSUP unconditionally.
+	lvpRelabel = func(path string, fileLabel string, shared bool) error {
+		return syscall.ENOTSUP
+	}
+
+	// InitLabels and ReleaseLabel both return dummy values and nil errors.
+	lvpInitLabels = func(options []string) (string, string, error) {
+		pLabel := "system_u:system_r:container_t:s0:c1,c2"
+		mLabel := "system_u:object_r:container_file_t:s0:c1,c2"
+		return pLabel, mLabel, nil
+	}
+	lvpReleaseLabel = func(label string) error {
+		return nil
+	}
+
+	// LabelVolumePath should not return an error if the operation is unsupported.
+	err := LabelVolumePath("/foo/bar")
+	assert.NoError(t, err)
+}