From 5b30470ea3f441403c20f8ddc5a62a6db61bf7e3 Mon Sep 17 00:00:00 2001 From: Christian Göttsche Date: Mon, 7 Dec 2020 14:45:47 +0100 Subject: pam_namespace: check for string_to_security_class failure Check for the unlikely case string_to_security_class() does not find the associated SELinux security class. This will only happen if the loaded SELinux policy does not define the class "dir" (which no sane policy does) or querying the selinuxfs fails. Suggested by #309 --- modules/pam_namespace/pam_namespace.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'modules/pam_namespace') diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index f8ced1c3..4d4188d0 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -844,6 +844,12 @@ static int form_context(const struct polydir_s *polyptr, if (polyptr->method == CONTEXT) { tclass = string_to_security_class("dir"); + if (tclass == 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error getting dir security class"); + freecon(scon); + return PAM_SESSION_ERR; + } if (security_compute_member(scon, *origcon, tclass, i_context) < 0) { -- cgit v1.2.3
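Review bot: The new `tclass == 0` branch logs a fixed string, so the two failure causes named in the commit message (a policy without the `dir` class versus a failed selinuxfs query) are indistinguishable in the log. string_to_security_class() sets errno on failure and pam_syslog() accepts `%m`, so `"Error getting dir security class: %m"` would keep the reason for whoever triages the failed session. Returning PAM_SESSION_ERR instead of handing class 0 to security_compute_member() is the right fail-closed choice. The branch frees `scon` but not `*origcon`; form_context starts and ends outside this hunk, so whether the caller releases it on this error return cannot be confirmed here and is worth checking.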