pam_namespace: check for string_to_security_class failure

Check for the unlikely case string_to_security_class() does not find the associated SELinux security class. This will only happen if the loaded SELinux policy does not define the class "dir" (which no sane policy does) or querying the selinuxfs fails. Suggested by #309
author: Christian Göttsche <cgzones@googlemail.com> 2020-12-07 14:45:47 +0100
committer: Tomáš Mráz <tmraz@redhat.com> 2020-12-08 18:15:08 +0100
commit: 5b30470ea3f441403c20f8ddc5a62a6db61bf7e3 (patch)
tree: a48131b35099b19dfc865584e4cac395233e7e26 /modules/pam_namespace/pam_namespace.c
parent: deb5a9fb07ce3dad86ad66789c91b703ad12ca2f (diff)
download: pam-5b30470ea3f441403c20f8ddc5a62a6db61bf7e3.tar.gz
pam-5b30470ea3f441403c20f8ddc5a62a6db61bf7e3.tar.bz2
pam-5b30470ea3f441403c20f8ddc5a62a6db61bf7e3.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index f8ced1c3..4d4188d0 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -844,6 +844,12 @@ static int form_context(const struct polydir_s *polyptr,
 
 	if (polyptr->method == CONTEXT) {
 		tclass = string_to_security_class("dir");
+		if (tclass == 0) {
+			pam_syslog(idata->pamh, LOG_ERR,
+				   "Error getting dir security class");
+			freecon(scon);
+			return PAM_SESSION_ERR;
+		}
 
 		if (security_compute_member(scon, *origcon, tclass,
 					i_context) < 0) {
author	Christian Göttsche <cgzones@googlemail.com>	2020-12-07 14:45:47 +0100
committer	Tomáš Mráz <tmraz@redhat.com>	2020-12-08 18:15:08 +0100
commit	5b30470ea3f441403c20f8ddc5a62a6db61bf7e3 (patch)
tree	a48131b35099b19dfc865584e4cac395233e7e26 /modules/pam_namespace/pam_namespace.c
parent	deb5a9fb07ce3dad86ad66789c91b703ad12ca2f (diff)
download	pam-5b30470ea3f441403c20f8ddc5a62a6db61bf7e3.tar.gz pam-5b30470ea3f441403c20f8ddc5a62a6db61bf7e3.tar.bz2 pam-5b30470ea3f441403c20f8ddc5a62a6db61bf7e3.zip