authorDan Walsh <dwalsh@redhat.com>2016-05-05 09:30:37 -0400
committerColin Walters (automation) <walters+githubbot@verbum.org>2016-05-05 14:43:39 +0000
commit5601aae36c3f3d83ce71fb727669e6d5483fd8a2 (patch)
tree7747196479f682f650856474c581cb67cd401fb9
parent92fc223647fcaeb41e41f94848a3b9bc6e2cb546 (diff)
downloadbubblewrap-5601aae36c3f3d83ce71fb727669e6d5483fd8a2.tar.gz
SELinux: Ensure we validate labels
Verify that a valid SELinux label is supplied before proceeding. Some SELinux checks were broken. Signed-off-by: Dan Walsh <dwalsh@redhat.com> Closes: #43 Approved by: cgwalters
-rw-r--r--bubblewrap.c5
-rw-r--r--utils.c16
-rw-r--r--utils.h1
3 files changed, 18 insertions, 4 deletions
diff --git a/bubblewrap.c b/bubblewrap.c
index ee66016..896cd85 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -940,6 +940,8 @@ parse_args (int *argcp,
die ("--exec-label not supported on this system");
opt_exec_label = argv[1];
+ if (label_valid (argv[1]) < 0)
+ die_with_error ("--exec-label invalid");
argv += 1;
argc -= 1;
}
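Review bot: `die_with_error ("--exec-label invalid")` reports errno, but label_valid as added in utils.c in this commit returns -1 without touching errno when SELinux is not enabled or the label pointer is NULL, so in those paths the message would carry whatever errno was left by an earlier call; only the security_check_context failure presumably sets it. The `die ("--exec-label not supported on this system")` just above appears to rule out the disabled case, but nothing in the hunk shows argc being checked before `argv[1]` is read. If `die` is the variadic formatter it looks like, a message that names the label and does not depend on errno, `die ("--exec-label %s is not a valid label", opt_exec_label);`, would be unambiguous; the same applies to the `--file-label setup failed` path in the next hunk. parse_args begins and ends outside this hunk.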
@@ -951,7 +953,8 @@ parse_args (int *argcp,
die ("--file-label not supported on this system");
opt_file_label = argv[1];
- label_create_file (opt_file_label);
+ if (label_create_file (opt_file_label))
+ die_with_error ("--file-label setup failed");
argv += 1;
argc -= 1;
diff --git a/utils.c b/utils.c
index 02c1857..c7d3232 100644
--- a/utils.c
+++ b/utils.c
@@ -623,10 +623,10 @@ int
label_support ()
{
#ifdef HAVE_SELINUX
- if (is_selinux_enabled () > 0)
- return -1;
+ if (is_selinux_enabled () == 1)
+ return 0;
#endif
- return 0;
+ return -1;
}
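Review bot: The definition still reads `label_support ()` while utils.h declares `int label_support (void);`; the empty parentheses make this an old-style non-prototype definition, so it should become `label_support (void)` to match the header. Since this hunk inverts the return convention (0 now means SELinux is enabled and usable, -1 otherwise), every caller's comparison silently changed meaning, and a one-line comment above the function would pin the new contract: `/* Returns 0 when SELinux is enabled and labels can be used, -1 otherwise. */`. Comparing with `== 1` rather than `> 0` is sound here, as is_selinux_enabled may return a negative value on error and that must not be treated as enabled.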
char *
@@ -665,3 +665,13 @@ label_exec (const char *exec_label)
#endif
return 0;
}
+
+int
+label_valid (const char *label)
+{
+#ifdef HAVE_SELINUX
+ if (is_selinux_enabled () > 0 && label)
+ return security_check_context ((security_context_t)label);
+#endif
+ return -1;
+}
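Review bot: The `(security_context_t)label` cast discards the `const` qualifier of the parameter, and `security_context_t` is the deprecated spelling of `char *` in libselinux; if the installed libselinux headers already take `const char *` for security_check_context, the cast should be dropped so the compiler can catch a real const violation. The function also folds three distinct outcomes (label accepted, label rejected, SELinux disabled or NULL label) into a bare 0/-1 with no comment, so a header comment is needed: `/* Returns 0 if LABEL is a valid SELinux context on this system, -1 otherwise; also -1 when SELinux is disabled or LABEL is NULL, in which case errno is not set. */`. Callers that report errno on -1 should be aware of that last clause.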
diff --git a/utils.h b/utils.h
index 039546f..73ba251 100644
--- a/utils.h
+++ b/utils.h
@@ -110,6 +110,7 @@ int pivot_root (const char *new_root,
char *label_mount (const char *opt,
const char *mount_label);
int label_exec (const char *exec_label);
+int label_valid (const char *label);
int label_support (void);
int label_create_file (const char *file_label);
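Review bot: The added `label_valid` declaration sits in a group of `label_*` prototypes none of which states its return convention, and this commit changes that convention for label_support without the header saying so. A short comment above the group, describing that these functions return 0 on success and -1 when SELinux is unavailable or the operation fails, would make the contract visible at the declaration rather than only in utils.c.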