From: Todd C. Miller <Todd.Miller@courtesan.com>
Date: Wed, 4 May 2016 19:48:44 +0000 (-0600)
Subject: In relabel_tty() always jump to bad: on error, regardless of the
X-Git-Tag: SUDO_1_8_17^2~120
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2cd22f290632c5c3e49dc21ad1267080037f2fa1;p=sudo

In relabel_tty() always jump to bad: on error, regardless of the
value of se_state.enforcing.  On error, return -1 if enforcing,
else 0.  Coverity CID 104099.
---

diff --git a/src/selinux.c b/src/selinux.c
index 9009131f1..e2d375b3d 100644
--- a/src/selinux.c
+++ b/src/selinux.c
@@ -163,8 +163,7 @@ relabel_tty(const char *ttyn, int ptyfd)
 	se_state.ttyfd = open(ttyn, O_RDWR|O_NONBLOCK);
 	if (se_state.ttyfd == -1) {
 	    sudo_warn(U_("unable to open %s, not relabeling tty"), ttyn);
-	    if (se_state.enforcing)
-		goto bad;
+	    goto bad;
 	}
 	(void)fcntl(se_state.ttyfd, F_SETFL,
 	    fcntl(se_state.ttyfd, F_GETFL, 0) & ~O_NONBLOCK);
@@ -172,30 +171,26 @@ relabel_tty(const char *ttyn, int ptyfd)
 
     if (fgetfilecon(se_state.ttyfd, &tty_con) < 0) {
 	sudo_warn(U_("unable to get current tty context, not relabeling tty"));
-	if (se_state.enforcing)
-	    goto bad;
+	goto bad;
     }
 
     if (tty_con) {
 	security_class_t tclass = string_to_security_class("chr_file");
 	if (tclass == 0) {
 	    sudo_warn(U_("unknown security class chr_file, not relabeling tty"));
-	    if (se_state.enforcing)
-		goto bad;
+	    goto bad;
 	}
 	if (security_compute_relabel(se_state.new_context, tty_con,
 	    tclass, &new_tty_con) < 0) {
 	    sudo_warn(U_("unable to get new tty context, not relabeling tty"));
-	    if (se_state.enforcing)
-		goto bad;
+	    goto bad;
 	}
     }
 
     if (new_tty_con != NULL) {
 	if (fsetfilecon(se_state.ttyfd, new_tty_con) < 0) {
 	    sudo_warn(U_("unable to set new tty context"));
-	    if (se_state.enforcing)
-		goto bad;
+	    goto bad;
 	}
     }
 
@@ -204,8 +199,7 @@ relabel_tty(const char *ttyn, int ptyfd)
 	se_state.ttyfd = open(ttyn, O_RDWR|O_NOCTTY, 0);
 	if (se_state.ttyfd == -1) {
 	    sudo_warn(U_("unable to open %s"), ttyn);
-	    if (se_state.enforcing)
-		goto bad;
+	    goto bad;
 	}
 	if (dup2(se_state.ttyfd, ptyfd) == -1) {
 	    sudo_warn("dup2");
@@ -242,7 +236,7 @@ bad:
 	se_state.ttyfd = -1;
     }
     freecon(tty_con);
-    debug_return_int(-1);
+    debug_return_int(se_state.enforcing ? -1 : 0);
 }
 
 /*