lsm: fixup lsm_process_label_set_at return values

Always return -1 on error (some code paths returned -1, some
returned negative error codes), don't assume 'errno' is set
afterwards, as the function already prints errors and not
all code paths will have a usable errno value.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 1507917c84426965ea7e1fc72c97939157dcc56e..95b61943ee21c548720fcac5d04fcbdddcab95ab 100644 (file)
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -241,7 +241,7 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
        ret = lsm_process_label_set_at(label_fd, label, on_exec);
        close(label_fd);
        if (ret < 0) {
-               SYSERROR("Failed to change apparmor profile to %s", label);
+               ERROR("Failed to change apparmor profile to %s", label);
                return -1;
        }
 

diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c
index f4500ae20e986c027a94f1d5ccbbff04caff17d3..8d7de2dbef36f829a16fe7c650d5b3c93622d47d 100644 (file)
--- a/src/lxc/lsm/lsm.c
+++ b/src/lxc/lsm/lsm.c
@@ -142,18 +142,20 @@ int lsm_process_label_set_at(int label_fd, const char *label, bool on_exec)
 
                if (on_exec) {
                        ERROR("Changing AppArmor profile on exec not supported");
-                       return -EINVAL;
+                       return -1;
                }
 
                len = strlen(label) + strlen("changeprofile ") + 1;
                command = malloc(len);
                if (!command)
-                       return -1;
+                       goto on_error;
 
                ret = snprintf(command, len, "changeprofile %s", label);
                if (ret < 0 || (size_t)ret >= len) {
+                       int saved_errno = errno;
                        free(command);
-                       return -1;
+                       errno = saved_errno;
+                       goto on_error;
                }
 
                ret = lxc_write_nointr(label_fd, command, len - 1);
@@ -161,9 +163,11 @@ int lsm_process_label_set_at(int label_fd, const char *label, bool on_exec)
        } else if (strcmp(name, "SELinux") == 0) {
                ret = lxc_write_nointr(label_fd, label, strlen(label));
        } else {
-               ret = -EINVAL;
+               errno = EINVAL;
+               ret = -1;
        }
        if (ret < 0) {
+on_error:
                SYSERROR("Failed to set %s label \"%s\"", name, label);
                return -1;
        }