[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCHv2 1/2] selinux: fix segfault in virSecuritySELinuxMCSGetProcessRange



On Tue, Jun 04, 2013 at 01:23:59PM +0200, Ján Tomko wrote:
> From: James Gilliland <neclimdul gmail com>
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=969878
> ---
>  src/security/security_selinux.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index b862fbf..3c67f24 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -189,6 +189,7 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
>      context_t ourContext = NULL;
>      char *cat = NULL;
>      char *tmp;
> +    const char *contextRange;
>      int ret = -1;
>  
>      if (getcon_raw(&ourSecContext) < 0) {
> @@ -202,8 +203,14 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
>                               ourSecContext);
>          goto cleanup;
>      }
> +    if (!(contextRange = context_range_get(ourContext))) {
> +        virReportSystemError(errno,
> +                             _("Unable to parse current SELinux context range '%s'"),
> +                             ourSecContext);
> +        goto cleanup;
> +    }

Re-thinking this again. Raising an error here will technically be
a regression in functionality vs older libvirt. I think we need
to automatically fill in "s0" for *sens if contextRange is
NULL, instead of raising an error. Also add to the comment before
this function that 'system_u:system_r:virtd_t' is a valid
context too.

>  
> -    if (VIR_STRDUP(*sens, context_range_get(ourContext)) < 0)
> +    if (VIR_STRDUP(*sens, contextRange) < 0)
>          goto cleanup;
>  
>      /* Find and blank out the category part (if any) */


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]