summaryrefslogtreecommitdiff
path: root/libpod
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-10-02 06:36:53 -0400
committerGitHub <noreply@github.com>2020-10-02 06:36:53 -0400
commit51851e10ba7d18ceb5ed3c263cc2e044da5d60ae (patch)
treee893ac5860b7ee4734677abf26a4514d0da8fbec /libpod
parentf372f4bea35a7a2e3a9a4745d6099c08d19c6db5 (diff)
parentc8f9117cef3cb72a506881b634e097368da1e854 (diff)
downloadpodman-51851e10ba7d18ceb5ed3c263cc2e044da5d60ae.tar.gz
podman-51851e10ba7d18ceb5ed3c263cc2e044da5d60ae.tar.bz2
podman-51851e10ba7d18ceb5ed3c263cc2e044da5d60ae.zip
Merge pull request #7622 from hxtk/master
Fix for incorrect evaluation of error condition within libpod.LabelVolumePath.
Diffstat (limited to 'libpod')
-rw-r--r--libpod/util_linux.go12
-rw-r--r--libpod/util_linux_test.go39
2 files changed, 47 insertions, 4 deletions
diff --git a/libpod/util_linux.go b/libpod/util_linux.go
index 03c3ab061..5184ed393 100644
--- a/libpod/util_linux.go
+++ b/libpod/util_linux.go
@@ -90,19 +90,23 @@ func assembleSystemdCgroupName(baseSlice, newSlice string) (string, error) {
return final, nil
}
+var lvpRelabel = label.Relabel
+var lvpInitLabels = label.InitLabels
+var lvpReleaseLabel = label.ReleaseLabel
+
// LabelVolumePath takes a mount path for a volume and gives it an
// selinux label of either shared or not
func LabelVolumePath(path string) error {
- _, mountLabel, err := label.InitLabels([]string{})
+ _, mountLabel, err := lvpInitLabels([]string{})
if err != nil {
return errors.Wrapf(err, "error getting default mountlabels")
}
- if err := label.ReleaseLabel(mountLabel); err != nil {
+ if err := lvpReleaseLabel(mountLabel); err != nil {
return errors.Wrapf(err, "error releasing label %q", mountLabel)
}
- if err := label.Relabel(path, mountLabel, true); err != nil {
- if err != syscall.ENOTSUP {
+ if err := lvpRelabel(path, mountLabel, true); err != nil {
+ if err == syscall.ENOTSUP {
logrus.Debugf("Labeling not supported on %q", path)
} else {
return errors.Wrapf(err, "error setting selinux label for %s to %q as shared", path, mountLabel)
diff --git a/libpod/util_linux_test.go b/libpod/util_linux_test.go
new file mode 100644
index 000000000..5fcb04beb
--- /dev/null
+++ b/libpod/util_linux_test.go
@@ -0,0 +1,39 @@
+package libpod
+
+import (
+ "syscall"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestLabelVolumePath(t *testing.T) {
+ // Set up mocked SELinux functions for testing.
+ oldRelabel := lvpRelabel
+ oldInitLabels := lvpInitLabels
+ oldReleaseLabel := lvpReleaseLabel
+ defer func() {
+ lvpRelabel = oldRelabel
+ lvpInitLabels = oldInitLabels
+ lvpReleaseLabel = oldReleaseLabel
+ }()
+
+ // Relabel returns ENOTSUP unconditionally.
+ lvpRelabel = func(path string, fileLabel string, shared bool) error {
+ return syscall.ENOTSUP
+ }
+
+ // InitLabels and ReleaseLabel both return dummy values and nil errors.
+ lvpInitLabels = func(options []string) (string, string, error) {
+ pLabel := "system_u:system_r:container_t:s0:c1,c2"
+ mLabel := "system_u:object_r:container_file_t:s0:c1,c2"
+ return pLabel, mLabel, nil
+ }
+ lvpReleaseLabel = func(label string) error {
+ return nil
+ }
+
+ // LabelVolumePath should not return an error if the operation is unsupported.
+ err := LabelVolumePath("/foo/bar")
+ assert.NoError(t, err)
+}