Fix mismatch between log messages and behavior of libpod.LabelVolumeP…

…ath. A reading of LabelVolumePath suggests that the intended behavior upon encountering ENOTSUP is to log the issue and continue without error, while all other errors in the Relabeling operation should be considered errors of LabelVolumePath and passed up accordingly. This is not the behavior that is encountered, as this test shows: it is instead considered an error if and only if the Relabeling operation returns ENOTSUP, spitting out a somewhat incongruous error message, while all other error types that may be returned are logged without being propogated, with an even more incongruous error message saying that the operation was not supported. The comparison was changed to match the behavior documented by the log messages, and a test was added that will simulate executing this function on a path where the mounted filesystem does not support SELinux labels, with the assertion that the function should not return an error in order to highlight the condition these changes seek to alleviate. Signed-off-by: Peter <[email protected]>
mheon · Oct 14, 2020 · 06cc0bf · 06cc0bf
1 parent ab4eb68
commit 06cc0bf
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 4 deletions.
diff --git a/libpod/util_linux.go b/libpod/util_linux.go
@@ -90,19 +90,23 @@ func assembleSystemdCgroupName(baseSlice, newSlice string) (string, error) {
 	return final, nil
 }
 
+var lvpRelabel = label.Relabel
+var lvpInitLabels = label.InitLabels
+var lvpReleaseLabel = label.ReleaseLabel
+
 // LabelVolumePath takes a mount path for a volume and gives it an
 // selinux label of either shared or not
 func LabelVolumePath(path string) error {
-	_, mountLabel, err := label.InitLabels([]string{})
+	_, mountLabel, err := lvpInitLabels([]string{})
 	if err != nil {
 		return errors.Wrapf(err, "error getting default mountlabels")
 	}
-	if err := label.ReleaseLabel(mountLabel); err != nil {
+	if err := lvpReleaseLabel(mountLabel); err != nil {
 		return errors.Wrapf(err, "error releasing label %q", mountLabel)
 	}
 
-	if err := label.Relabel(path, mountLabel, true); err != nil {
-		if err != syscall.ENOTSUP {
+	if err := lvpRelabel(path, mountLabel, true); err != nil {
+		if err == syscall.ENOTSUP {
 			logrus.Debugf("Labeling not supported on %q", path)
 		} else {
 			return errors.Wrapf(err, "error setting selinux label for %s to %q as shared", path, mountLabel)

diff --git a/libpod/util_linux_test.go b/libpod/util_linux_test.go
@@ -0,0 +1,39 @@
+package libpod
+
+import (
+	"syscall"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLabelVolumePath(t *testing.T) {
+	// Set up mocked SELinux functions for testing.
+	oldRelabel := lvpRelabel
+	oldInitLabels := lvpInitLabels
+	oldReleaseLabel := lvpReleaseLabel
+	defer func() {
+		lvpRelabel = oldRelabel
+		lvpInitLabels = oldInitLabels
+		lvpReleaseLabel = oldReleaseLabel
+	}()
+
+	// Relabel returns ENOTSUP unconditionally.
+	lvpRelabel = func(path string, fileLabel string, shared bool) error {
+		return syscall.ENOTSUP
+	}
+
+	// InitLabels and ReleaseLabel both return dummy values and nil errors.
+	lvpInitLabels = func(options []string) (string, string, error) {
+		pLabel := "system_u:system_r:container_t:s0:c1,c2"
+		mLabel := "system_u:object_r:container_file_t:s0:c1,c2"
+		return pLabel, mLabel, nil
+	}
+	lvpReleaseLabel = func(label string) error {
+		return nil
+	}
+
+	// LabelVolumePath should not return an error if the operation is unsupported.
+	err := LabelVolumePath("/foo/bar")
+	assert.NoError(t, err)
+}