selinux: Resolve resource leak using the default disk label

Commit id a994ef2d1 changed the mechanism to store/update the default
security label from using disk->seclabels[0] to allocating one on the
fly. That change allocated the label, but never saved it.  This patch
will save the label. The new virDomainDiskDefAddSecurityLabelDef() is
a copy of the virDomainDefAddSecurityLabelDef().
(cherry picked from commit 05cc03518987fa0f8399930d14c1d635591ca49b)

Conflicts:
	src/conf/domain_conf.h

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index c64d7ffcf36b7928010b1f8dbd41dae750238777..b7382b530d2ec7366d9c8b74aaf5937860e2985f 100644 (file)
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -15389,26 +15389,51 @@ virDomainDefAddSecurityLabelDef(virDomainDefPtr def, const char *model)
 {
     virSecurityLabelDefPtr seclabel = NULL;
 
-    if (VIR_ALLOC(seclabel) < 0) {
-        virReportOOMError();
-        return NULL;
-    }
+    if (VIR_ALLOC(seclabel) < 0)
+        goto no_memory;
 
     if (model) {
         seclabel->model = strdup(model);
-        if (seclabel->model == NULL) {
-            virReportOOMError();
-            virSecurityLabelDefFree(seclabel);
-            return NULL;
-        }
+        if (seclabel->model == NULL)
+            goto no_memory;
     }
 
-    if (VIR_EXPAND_N(def->seclabels, def->nseclabels, 1) < 0) {
-        virReportOOMError();
-        virSecurityLabelDefFree(seclabel);
-        return NULL;
+    if (VIR_EXPAND_N(def->seclabels, def->nseclabels, 1) < 0)
+        goto no_memory;
+
+    def->seclabels[def->nseclabels - 1] = seclabel;
+
+    return seclabel;
+
+no_memory:
+    virReportOOMError();
+    virSecurityLabelDefFree(seclabel);
+    return NULL;
+}
+
+virSecurityDeviceLabelDefPtr
+virDomainDiskDefAddSecurityLabelDef(virDomainDiskDefPtr def, const char *model)
+{
+    virSecurityDeviceLabelDefPtr seclabel = NULL;
+
+    if (VIR_ALLOC(seclabel) < 0)
+        goto no_memory;
+
+    if (model) {
+        seclabel->model = strdup(model);
+        if (seclabel->model == NULL)
+            goto no_memory;
     }
+
+    if (VIR_EXPAND_N(def->seclabels, def->nseclabels, 1) < 0)
+        goto no_memory;
+
     def->seclabels[def->nseclabels - 1] = seclabel;
 
     return seclabel;
+
+no_memory:
+    virReportOOMError();
+    virSecurityDeviceLabelDefFree(seclabel);
+    return NULL;
 }

diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 1a61318591fb55a134d8ad5cfb847e7e5ee6dc96..a9650f898cc492d064aad175b833357e7f28c0dc 100644 (file)
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2144,6 +2144,9 @@ virDomainChrDefGetSecurityLabelDef(virDomainChrDefPtr def, const char *model);
 virSecurityLabelDefPtr
 virDomainDefAddSecurityLabelDef(virDomainDefPtr def, const char *model);
 
+virSecurityDeviceLabelDefPtr
+virDomainDiskDefAddSecurityLabelDef(virDomainDiskDefPtr def, const char *model);
+
 typedef const char* (*virLifecycleToStringFunc)(int type);
 typedef int (*virLifecycleFromStringFunc)(const char *type);
 

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 3157e83b1a63305b47a5b410994c7c0605a768d3..52e1e4932f3ab21d6ae5e2b10c5325d7b63a8cea 100644 (file)
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1050,10 +1050,10 @@ virSecuritySELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
     if (ret == 1 && !disk_seclabel) {
         /* If we failed to set a label, but virt_use_nfs let us
          * proceed anyway, then we don't need to relabel later.  */
-        if (VIR_ALLOC(disk_seclabel) < 0) {
-            virReportOOMError();
+        disk_seclabel =
+            virDomainDiskDefAddSecurityLabelDef(disk, SECURITY_SELINUX_NAME);
+        if (!disk_seclabel)
             return -1;
-        }
         disk_seclabel->norelabel = true;
         ret = 0;
     }