From bd2f695b3d89efe0c52bba975f9540634125178a Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Wed, 22 May 2024 12:29:07 +0200
Subject: pam_namespace: free SELinux context on error path

* modules/pam_namespace/pam_namespace.c (create_polydir) [WITH_SELINUX]:
Free SELinux context in case of an error.

```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1433: alloc_arg: "getfscreatecon_raw" allocates memory that is stored into "oldcon_raw".
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1462: leaked_storage: Variable "oldcon_raw" going out of scope leaks the storage it points to.
1460|               pam_syslog(idata->pamh, LOG_ERR,
1461|                          "Error creating directory %s: %m", dir);
1462|->             return PAM_SESSION_ERR;
1463|       }
1464|
```

Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
 modules/pam_namespace/pam_namespace.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'modules/pam_namespace/pam_namespace.c')

diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index 781dac20..2dab49ef 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -1462,6 +1462,9 @@ static int create_polydir(struct polydir_s *polyptr,
     if (rc == -1) {
             pam_syslog(idata->pamh, LOG_ERR,
                        "Error creating directory %s: %m", dir);
+#ifdef WITH_SELINUX
+            freecon(oldcon_raw);
+#endif
             return PAM_SESSION_ERR;
     }
 
-- 
cgit v1.2.3