[PATCH] securityselinuxhelper: Fix retval of setcon_raw() and security_disable()

Michal Privoznik posted 1 patch 2 years, 11 months ago
Test syntax-check failed
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/19d023e8eb3b15f26d1125a21bcc1eee56be031d.1620636736.git.mprivozn@redhat.com
tests/securityselinuxhelper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
[PATCH] securityselinuxhelper: Fix retval of setcon_raw() and security_disable()
Posted by Michal Privoznik 2 years, 11 months ago
The securityselinuxhelper is a mock that's replacing libselinux
APIs with our own implementation to achieve deterministic
results. Our implementation uses env vars (among other things) to
hold internal state. For instance, "FAKE_SELINUX_CONTEXT" and
"FAKE_SELINUX_DISABLED" variables are used. However, as we were
switching from setenv() to g_setenv() we also changed the set of
possible retvals from setcon_raw() and security_disable().
Previously, the retval of setenv() was used directly which
returns 0 on success and -1 on error. But g_setenv() has
different retval semantics: it returns 1 on success and 0 on
error.

This discrepancy can be observed by running viridentitytest where
case #2 reports an error ("!") - because setcon_raw() returns 1.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 tests/securityselinuxhelper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/securityselinuxhelper.c b/tests/securityselinuxhelper.c
index b308ef5095..c3d6505ef2 100644
--- a/tests/securityselinuxhelper.c
+++ b/tests/securityselinuxhelper.c
@@ -140,7 +140,7 @@ int setcon_raw(const char *context)
         errno = EINVAL;
         return -1;
     }
-    return g_setenv("FAKE_SELINUX_CONTEXT", context, TRUE);
+    return g_setenv("FAKE_SELINUX_CONTEXT", context, TRUE) == TRUE ? 0 : -1;
 }
 
 int setcon(const char *context)
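Review bot: In setcon_raw(), the new failure return from `g_setenv(...) == TRUE ? 0 : -1` yields -1 without setting errno, while the check just above it sets `errno = EINVAL` before returning -1, so a caller that reports errno after a failed setcon_raw() would see a stale value. Consider an explicit `if (!g_setenv(...))` branch that sets errno and returns -1, followed by `return 0;`. The comparison against TRUE is also unnecessary: testing the return value directly (`g_setenv(...) ? 0 : -1`) reads more plainly and does not depend on success being exactly 1.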
@@ -219,7 +219,7 @@ int security_disable(void)
         return -1;
     }
 
-    return g_setenv("FAKE_SELINUX_DISABLED", "1", TRUE);
+    return g_setenv("FAKE_SELINUX_DISABLED", "1", TRUE) == TRUE ? 0 : -1;
 }
 
 int security_getenforce(void)
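Review bot: security_disable() repeats the same `== TRUE ? 0 : -1` conversion used in setcon_raw(), so the mapping from g_setenv()'s return convention to the 0/-1 convention now lives in two places. A small static helper in this file that takes the variable name and value and returns 0 or -1 would keep both mocks consistent and give a single place to set errno on failure. The commit message points to viridentitytest for setcon_raw() only; it would help to say which test, if any, exercises the return value of security_disable().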
-- 
2.26.3

Re: [PATCH] securityselinuxhelper: Fix retval of setcon_raw() and security_disable()
Posted by Ján Tomko 2 years, 11 months ago
On a Monday in 2021, Michal Privoznik wrote:
>The securityselinuxhelper is a mock that's replacing libselinux
>APIs with our own implementation to achieve deterministic
>results. Our implementation uses env vars (among other things) to
>hold internal state. For instance, "FAKE_SELINUX_CONTEXT" and
>"FAKE_SELINUX_DISABLED" variables are used. However, as we were
>switching from setenv() to g_setenv() we also changed the set of
>possible retvals from setcon_raw() and security_disable().
>Previously, the retval of setenv() was used directly which
>returns 0 on success and -1 on error. But g_setenv() has
>different retval semantics: it returns 1 on success and 0 on
>error.
>
>This discrepancy can be observed by running viridentitytest where
>case #2 reports an error ("!") - because setcon_raw() returns 1.
>
>Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
>---
> tests/securityselinuxhelper.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano