Skip to content

Commit 581ebad

Browse files
kolyshkinthaJeztah
kolyshkin
and
thaJeztah
committed
InitLabels: refactor
1. Use an early return instead of hefty "if" body. 2. Avoid a second call to pcon.Get. Best reviewed with --ignore-all-space. Co-authored-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
1 parent d0f37ab commit 581ebad

1 file changed

Lines changed: 39 additions & 37 deletions

File tree

go-selinux/label/label_linux.go

Lines changed: 39 additions & 37 deletions
Original file line numberDiff line numberDiff line change
@@ -31,48 +31,50 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
3131
return "", "", nil
3232
}
3333
processLabel, mountLabel := selinux.ContainerLabels()
34-
if processLabel != "" {
35-
defer func() {
36-
if retErr != nil {
37-
selinux.ReleaseLabel(mountLabel)
38-
}
39-
}()
40-
pcon, err := selinux.NewContext(processLabel)
41-
if err != nil {
42-
return "", "", err
34+
if processLabel == "" {
35+
// processLabel is required; if empty, do nothing.
36+
return processLabel, mountLabel, nil
37+
}
38+
defer func() {
39+
if retErr != nil {
40+
selinux.ReleaseLabel(mountLabel)
4341
}
44-
mcsLevel := pcon["level"]
45-
mcon, err := selinux.NewContext(mountLabel)
46-
if err != nil {
47-
return "", "", err
42+
}()
43+
pcon, err := selinux.NewContext(processLabel)
44+
if err != nil {
45+
return "", "", err
46+
}
47+
mcsLevel := pcon["level"]
48+
mcon, err := selinux.NewContext(mountLabel)
49+
if err != nil {
50+
return "", "", err
51+
}
52+
for _, opt := range options {
53+
if opt == "disable" {
54+
selinux.ReleaseLabel(mountLabel)
55+
return "", selinux.PrivContainerMountLabel(), nil
56+
}
57+
k, v, ok := strings.Cut(opt, ":")
58+
if !ok || !validOptions[k] {
59+
return "", "", fmt.Errorf("bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
4860
}
49-
for _, opt := range options {
50-
if opt == "disable" {
51-
selinux.ReleaseLabel(mountLabel)
52-
return "", selinux.PrivContainerMountLabel(), nil
53-
}
54-
k, v, ok := strings.Cut(opt, ":")
55-
if !ok || !validOptions[k] {
56-
return "", "", fmt.Errorf("bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
57-
}
58-
if k == "filetype" {
59-
mcon["type"] = v
60-
continue
61-
}
62-
pcon[k] = v
63-
if k == "level" || k == "user" {
64-
mcon[k] = v
65-
}
61+
if k == "filetype" {
62+
mcon["type"] = v
63+
continue
6664
}
67-
if pcon.Get() != processLabel {
68-
if pcon["level"] != mcsLevel {
69-
selinux.ReleaseLabel(processLabel)
70-
}
71-
processLabel = pcon.Get()
72-
selinux.ReserveLabel(processLabel)
65+
pcon[k] = v
66+
if k == "level" || k == "user" {
67+
mcon[k] = v
68+
}
69+
}
70+
if p := pcon.Get(); p != processLabel {
71+
if pcon["level"] != mcsLevel {
72+
selinux.ReleaseLabel(processLabel)
7373
}
74-
mountLabel = mcon.Get()
74+
selinux.ReserveLabel(p)
75+
processLabel = p
7576
}
77+
mountLabel = mcon.Get()
7678
return processLabel, mountLabel, nil
7779
}
7880

0 commit comments

Comments
 (0)