selinux.vger.kernel.org archive mirror
* getcon family: returning success while context is NULL
@ 2020-07-24 12:34 Christian Göttsche
  2020-07-24 13:13 ` Stephen Smalley
  0 siblings, 1 reply; 2+ messages in thread
From: Christian Göttsche @ 2020-07-24 12:34 UTC (permalink / raw)
  To: SElinux list

Hi list,

I stumbled over a systemd commit [1], handling the event where
getcon_raw returns 0 (success) and the returned context is NULL.
The commit points to the SELinux userland source lines [2].

Is this by design?
Or should either errno be set to ENODATA and ret to -1, or this case
be mentioned in the manpage?


[1]: https://github.com/systemd/systemd/commit/199a892218e1f36e7bd7d5da2d78de6b13f04488
[2]: https://github.com/SELinuxProject/selinux/blob/4246bb550dee5246c8567804325b7da206cd76cf/libselinux/src/procattr.c#L175


* Re: getcon family: returning success while context is NULL
  2020-07-24 12:34 getcon family: returning success while context is NULL Christian Göttsche
@ 2020-07-24 13:13 ` Stephen Smalley
  0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2020-07-24 13:13 UTC (permalink / raw)
  To: Christian Göttsche; +Cc: SElinux list

On Fri, Jul 24, 2020 at 8:34 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Hi list,
>
> I stumbled over a systemd commit [1], handling the event where
> getcon_raw returns 0 (success) and the returned context is NULL.
> The commit points to the SELinux userland source lines [2].
>
> Is this by design?
> Or should either errno be set to ENODATA and ret to -1, or this case
> be mentioned in the manpage?

For most of the other process security attributes (e.g. exec,
fscreate, ...), get*con() can return NULL if the attribute has not
been set by the process, and set*con() can be passed NULL to clear the
attribute (i.e. reset to using the policy defaults), and this is not
an error condition.  getprevcon() and getcon() are the exceptions; the
kernel will always return non-zero length contexts for "prev" and
"current", so this will never happen for them (and you can't set
"prev" at all and "current" cannot be set to NULL/0-length).  They
just happen to share the same underlying libselinux implementation as
the others.  So this is not a possible case and doesn't require
handling.  I suppose we could make that clearer in the man pages.

>
>
> [1]: https://github.com/systemd/systemd/commit/199a892218e1f36e7bd7d5da2d78de6b13f04488
> [2]: https://github.com/SELinuxProject/selinux/blob/4246bb550dee5246c8567804325b7da206cd76cf/libselinux/src/procattr.c#L175
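
The convention described in the reply above, where a return of 0 with a NULL context means "attribute not set" rather than failure, shown as an added example that is not part of the thread and is not libselinux code. `read_proc_attr` and `attr_state` are hypothetical helpers that read a procfs-style attribute file directly, so the caller-side check can be exercised against constructed files.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not libselinux code. Reads one process attribute
 * file (e.g. /proc/self/attr/exec). Returns 0 with *ctx == NULL when the
 * attribute is unset, 0 with a malloc'd string when it is set, and -1
 * with errno on a real error. */
int read_proc_attr(const char *path, char **ctx)
{
    char buf[4096];
    size_t n;
    FILE *f = fopen(path, "r");

    *ctx = NULL;
    if (!f)
        return -1;                      /* errno set by fopen */
    n = fread(buf, 1, sizeof(buf) - 1, f);
    if (ferror(f)) {
        int e = errno;                  /* keep the read error across fclose */
        fclose(f);
        errno = e;
        return -1;
    }
    fclose(f);
    buf[n] = '\0';
    n = strlen(buf);                    /* stop at a NUL inside the data */
    while (n > 0 && buf[n - 1] == '\n') /* constructed samples end in '\n' */
        buf[--n] = '\0';
    if (n == 0)
        return 0;                       /* unset: success, context stays NULL */
    *ctx = malloc(n + 1);
    if (!*ctx)
        return -1;                      /* allocation failed */
    memcpy(*ctx, buf, n + 1);
    return 0;
}

/* Caller side: the return value and the pointer are checked separately,
 * because rc == 0 does not imply a non-NULL context. */
const char *attr_state(const char *path)
{
    char *ctx;
    int rc = read_proc_attr(path, &ctx);
    const char *state = rc < 0 ? "error" : ctx ? "set" : "unset";
    free(ctx);
    return state;
}
```

Callers that pass the returned pointer straight to string functions need the NULL check for attributes such as exec and fscreate, which the reply says can legitimately be unset.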
