authorPeter <peter@psanders.me>2020-09-13 10:47:42 -0400
committerPeter <peter@psanders.me>2020-09-13 23:24:15 -0400
commitc8f9117cef3cb72a506881b634e097368da1e854 (patch)
tree0ad14aad75bb54067e1213ca7f0158488add6672
parent25fb0c2b966c193e8c4045e440316850f6f1b889 (diff)
Fix mismatch between log messages and behavior of libpod.LabelVolumePath.
A reading of LabelVolumePath suggests that the intended behavior upon encountering ENOTSUP is to log the issue and continue without error, while all other errors in the Relabeling operation should be considered errors of LabelVolumePath and passed up accordingly. This is not the behavior that is encountered, as this test shows: it is instead considered an error if and only if the Relabeling operation returns ENOTSUP, spitting out a somewhat incongruous error message, while all other error types that may be returned are logged without being propagated, with an even more incongruous error message saying that the operation was not supported. The comparison was changed to match the behavior documented by the log messages, and a test was added that will simulate executing this function on a path where the mounted filesystem does not support SELinux labels, with the assertion that the function should not return an error in order to highlight the condition these changes seek to alleviate. Signed-off-by: Peter <peter@psanders.me>
-rw-r--r--libpod/util_linux.go12
-rw-r--r--libpod/util_linux_test.go39
2 files changed, 47 insertions, 4 deletions
diff --git a/libpod/util_linux.go b/libpod/util_linux.go
index 03c3ab061..5184ed393 100644
--- a/libpod/util_linux.go
+++ b/libpod/util_linux.go
@@ -90,19 +90,23 @@ func assembleSystemdCgroupName(baseSlice, newSlice string) (string, error) {
return final, nil
}
+var lvpRelabel = label.Relabel
+var lvpInitLabels = label.InitLabels
+var lvpReleaseLabel = label.ReleaseLabel
+
// LabelVolumePath takes a mount path for a volume and gives it an
// selinux label of either shared or not
func LabelVolumePath(path string) error {
- _, mountLabel, err := label.InitLabels([]string{})
+ _, mountLabel, err := lvpInitLabels([]string{})
if err != nil {
return errors.Wrapf(err, "error getting default mountlabels")
}
- if err := label.ReleaseLabel(mountLabel); err != nil {
+ if err := lvpReleaseLabel(mountLabel); err != nil {
return errors.Wrapf(err, "error releasing label %q", mountLabel)
}
- if err := label.Relabel(path, mountLabel, true); err != nil {
- if err != syscall.ENOTSUP {
+ if err := lvpRelabel(path, mountLabel, true); err != nil {
+ if err == syscall.ENOTSUP {
logrus.Debugf("Labeling not supported on %q", path)
} else {
return errors.Wrapf(err, "error setting selinux label for %s to %q as shared", path, mountLabel)
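Review bot: The new comparison `err == syscall.ENOTSUP` in LabelVolumePath matches only a bare errno, so if the relabel call ever returns ENOTSUP wrapped with context, the unsupported-filesystem case falls into the else branch and is reported as a hard failure again. Whether label.Relabel wraps its errors is not visible here, but the file already calls `errors.Wrapf` (which looks like pkg/errors), so comparing the cause is the safer form: `if errors.Cause(err) == syscall.ENOTSUP {`. The ENOTSUP path continues with the path unlabeled and records that only at Debug level; a comment stating that skipping the label is intentional, or a higher log level, would let an operator on an SELinux-enforcing host see that the mount label was not applied. The three `lvp*` variables are reassignable package state, and a comment such as `// lvpRelabel, lvpInitLabels and lvpReleaseLabel are test seams; only tests may reassign them.` would document that. The function body continues past the end of this hunk.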
diff --git a/libpod/util_linux_test.go b/libpod/util_linux_test.go
new file mode 100644
index 000000000..5fcb04beb
--- /dev/null
+++ b/libpod/util_linux_test.go
@@ -0,0 +1,39 @@
+package libpod
+
+import (
+ "syscall"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestLabelVolumePath(t *testing.T) {
+ // Set up mocked SELinux functions for testing.
+ oldRelabel := lvpRelabel
+ oldInitLabels := lvpInitLabels
+ oldReleaseLabel := lvpReleaseLabel
+ defer func() {
+ lvpRelabel = oldRelabel
+ lvpInitLabels = oldInitLabels
+ lvpReleaseLabel = oldReleaseLabel
+ }()
+
+ // Relabel returns ENOTSUP unconditionally.
+ lvpRelabel = func(path string, fileLabel string, shared bool) error {
+ return syscall.ENOTSUP
+ }
+
+ // InitLabels and ReleaseLabel both return dummy values and nil errors.
+ lvpInitLabels = func(options []string) (string, string, error) {
+ pLabel := "system_u:system_r:container_t:s0:c1,c2"
+ mLabel := "system_u:object_r:container_file_t:s0:c1,c2"
+ return pLabel, mLabel, nil
+ }
+ lvpReleaseLabel = func(label string) error {
+ return nil
+ }
+
+ // LabelVolumePath should not return an error if the operation is unsupported.
+ err := LabelVolumePath("/foo/bar")
+ assert.NoError(t, err)
+}
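Review bot: TestLabelVolumePath pins only the ENOTSUP branch, so the other half of the fix is untested: that every other relabel failure is returned rather than logged and dropped. That is the branch where a silently ignored error would leave a volume without the intended label. A second case that stubs `lvpRelabel = func(string, string, bool) error { return syscall.EACCES }` and checks `assert.Error(t, LabelVolumePath("/foo/bar"))` would catch the comparison being inverted again. Because the stubs replace package-level variables, the test should not be run in parallel with other tests in the package, and a short comment saying so would help.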