selinux: Resolve resource leak using the default disk label

Commit id a994ef2d1 changed the mechanism to store/update the default
security label from using disk->seclabels[0] to allocating one on the
fly. That change allocated the label, but never saved it.  This patch
will save the label. The new virDomainDiskDefAddSecurityLabelDef() is
a copy of the virDomainDefAddSecurityLabelDef().

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 0b9ba13f2ef14b252c25e7e2bb642f8a17f5a781..7640af7888b38d3ce194e99148981aa285359a78 100644 (file)
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -16041,26 +16041,51 @@ virDomainDefAddSecurityLabelDef(virDomainDefPtr def, const char *model)
 {
     virSecurityLabelDefPtr seclabel = NULL;
 
-    if (VIR_ALLOC(seclabel) < 0) {
-        virReportOOMError();
-        return NULL;
-    }
+    if (VIR_ALLOC(seclabel) < 0)
+        goto no_memory;
 
     if (model) {
         seclabel->model = strdup(model);
-        if (seclabel->model == NULL) {
-            virReportOOMError();
-            virSecurityLabelDefFree(seclabel);
-            return NULL;
-        }
+        if (seclabel->model == NULL)
+            goto no_memory;
     }
 
-    if (VIR_EXPAND_N(def->seclabels, def->nseclabels, 1) < 0) {
-        virReportOOMError();
-        virSecurityLabelDefFree(seclabel);
-        return NULL;
+    if (VIR_EXPAND_N(def->seclabels, def->nseclabels, 1) < 0)
+        goto no_memory;
+
+    def->seclabels[def->nseclabels - 1] = seclabel;
+
+    return seclabel;
+
+no_memory:
+    virReportOOMError();
+    virSecurityLabelDefFree(seclabel);
+    return NULL;
+}
+
+virSecurityDeviceLabelDefPtr
+virDomainDiskDefAddSecurityLabelDef(virDomainDiskDefPtr def, const char *model)
+{
+    virSecurityDeviceLabelDefPtr seclabel = NULL;
+
+    if (VIR_ALLOC(seclabel) < 0)
+        goto no_memory;
+
+    if (model) {
+        seclabel->model = strdup(model);
+        if (seclabel->model == NULL)
+            goto no_memory;
     }
+
+    if (VIR_EXPAND_N(def->seclabels, def->nseclabels, 1) < 0)
+        goto no_memory;
+
     def->seclabels[def->nseclabels - 1] = seclabel;
 
     return seclabel;
+
+no_memory:
+    virReportOOMError();
+    virSecurityDeviceLabelDefFree(seclabel);
+    return NULL;
 }

diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index ce36003cea8be8c656264683dbb1b7694364d227..9770ffb393715b36dde1f6672379570007f1942c 100644 (file)
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2222,6 +2222,9 @@ virDomainChrDefGetSecurityLabelDef(virDomainChrDefPtr def, const char *model);
 virSecurityLabelDefPtr
 virDomainDefAddSecurityLabelDef(virDomainDefPtr def, const char *model);
 
+virSecurityDeviceLabelDefPtr
+virDomainDiskDefAddSecurityLabelDef(virDomainDiskDefPtr def, const char *model);
+
 typedef const char* (*virEventActionToStringFunc)(int type);
 typedef int (*virEventActionFromStringFunc)(const char *type);
 

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index b5e1a9a1d92cc2cf964cd6bdb689b4ba1a7c53ae..511e92342c816d6e280a4bda657950bad9e98617 100644 (file)
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1095,10 +1095,10 @@ virSecuritySELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
     if (ret == 1 && !disk_seclabel) {
         /* If we failed to set a label, but virt_use_nfs let us
          * proceed anyway, then we don't need to relabel later.  */
-        if (VIR_ALLOC(disk_seclabel) < 0) {
-            virReportOOMError();
+        disk_seclabel =
+            virDomainDiskDefAddSecurityLabelDef(disk, SECURITY_SELINUX_NAME);
+        if (!disk_seclabel)
             return -1;
-        }
         disk_seclabel->norelabel = true;
         ret = 0;
     }