diff options
author | Peter <peter@psanders.me> | 2020-09-13 10:47:42 -0400 |
---|---|---|
committer | Peter <peter@psanders.me> | 2020-09-13 23:24:15 -0400 |
commit | c8f9117cef3cb72a506881b634e097368da1e854 (patch) | |
tree | 0ad14aad75bb54067e1213ca7f0158488add6672 | |
parent | 25fb0c2b966c193e8c4045e440316850f6f1b889 (diff) | |
download | podman-c8f9117cef3cb72a506881b634e097368da1e854.tar.gz podman-c8f9117cef3cb72a506881b634e097368da1e854.tar.bz2 podman-c8f9117cef3cb72a506881b634e097368da1e854.zip |
Fix mismatch between log messages and behavior of libpod.LabelVolumePath.
A reading of LabelVolumePath suggests that the intended behavior
upon encountering ENOTSUP is to log the issue and continue without
error, while all other errors in the Relabeling operation should
be considered errors of LabelVolumePath and passed up accordingly.
This is not the behavior that is encountered, as this test shows:
it is instead considered an error if and only if the Relabeling
operation returns ENOTSUP, spitting out a somewhat incongruous
error message, while all other error types that may be returned
are logged without being propogated, with an even more incongruous
error message saying that the operation was not supported.
The comparison was changed to match the behavior documented by the
log messages, and a test was added that will simulate executing
this function on a path where the mounted filesystem does not
support SELinux labels, with the assertion that the function should
not return an error in order to highlight the condition these
changes seek to alleviate.
Signed-off-by: Peter <peter@psanders.me>
-rw-r--r-- | libpod/util_linux.go | 12 | ||||
-rw-r--r-- | libpod/util_linux_test.go | 39 |
2 files changed, 47 insertions, 4 deletions
diff --git a/libpod/util_linux.go b/libpod/util_linux.go index 03c3ab061..5184ed393 100644 --- a/libpod/util_linux.go +++ b/libpod/util_linux.go @@ -90,19 +90,23 @@ func assembleSystemdCgroupName(baseSlice, newSlice string) (string, error) { return final, nil } +var lvpRelabel = label.Relabel +var lvpInitLabels = label.InitLabels +var lvpReleaseLabel = label.ReleaseLabel + // LabelVolumePath takes a mount path for a volume and gives it an // selinux label of either shared or not func LabelVolumePath(path string) error { - _, mountLabel, err := label.InitLabels([]string{}) + _, mountLabel, err := lvpInitLabels([]string{}) if err != nil { return errors.Wrapf(err, "error getting default mountlabels") } - if err := label.ReleaseLabel(mountLabel); err != nil { + if err := lvpReleaseLabel(mountLabel); err != nil { return errors.Wrapf(err, "error releasing label %q", mountLabel) } - if err := label.Relabel(path, mountLabel, true); err != nil { - if err != syscall.ENOTSUP { + if err := lvpRelabel(path, mountLabel, true); err != nil { + if err == syscall.ENOTSUP { logrus.Debugf("Labeling not supported on %q", path) } else { return errors.Wrapf(err, "error setting selinux label for %s to %q as shared", path, mountLabel) diff --git a/libpod/util_linux_test.go b/libpod/util_linux_test.go new file mode 100644 index 000000000..5fcb04beb --- /dev/null +++ b/libpod/util_linux_test.go @@ -0,0 +1,39 @@ +package libpod + +import ( + "syscall" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestLabelVolumePath(t *testing.T) { + // Set up mocked SELinux functions for testing. + oldRelabel := lvpRelabel + oldInitLabels := lvpInitLabels + oldReleaseLabel := lvpReleaseLabel + defer func() { + lvpRelabel = oldRelabel + lvpInitLabels = oldInitLabels + lvpReleaseLabel = oldReleaseLabel + }() + + // Relabel returns ENOTSUP unconditionally. + lvpRelabel = func(path string, fileLabel string, shared bool) error { + return syscall.ENOTSUP + } + + // InitLabels and ReleaseLabel both return dummy values and nil errors. + lvpInitLabels = func(options []string) (string, string, error) { + pLabel := "system_u:system_r:container_t:s0:c1,c2" + mLabel := "system_u:object_r:container_file_t:s0:c1,c2" + return pLabel, mLabel, nil + } + lvpReleaseLabel = func(label string) error { + return nil + } + + // LabelVolumePath should not return an error if the operation is unsupported. + err := LabelVolumePath("/foo/bar") + assert.NoError(t, err) +} |