libpod: leave thread locked on errors

if the SELinux label could not be restored correctly, leave the OS thread locked so that it is terminated once it returns to the threads pool. [NO NEW TESTS NEEDED] the failure is hard to reproduce Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-05-18 15:47:51 +08:00 · 2021-11-24 11:06:38 +01:00
parent 4b014a3aec
commit c7ebaeee0e
1 changed files with 12 additions and 4 deletions
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@ -847,10 +847,14 @@ func (r *ConmonOCIRuntime) CheckpointContainer(ctr *Container, options Container
 	err = utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, args...)
 	// Ignore error returned from SetSocketLabel("") call,
 	// can't recover.
-	if labelErr := label.SetSocketLabel(""); labelErr != nil {
+	if labelErr := label.SetSocketLabel(""); labelErr == nil {
+		// Unlock the thread only if the process label could be restored
+		// successfully.  Otherwise leave the thread locked and the Go runtime
+		// will terminate it once it returns to the threads pool.
+		runtime.UnlockOSThread()
+	} else {
 		logrus.Errorf("Unable to reset socket label: %q", labelErr)
 	}
-	runtime.UnlockOSThread()

 	runtimeCheckpointDuration := func() int64 {
 		if options.PrintStats {
@ -1464,10 +1468,14 @@ func startCommandGivenSelinux(cmd *exec.Cmd, ctr *Container) error {
 	err = cmd.Start()
 	// Ignore error returned from SetProcessLabel("") call,
 	// can't recover.
-	if labelErr := label.SetProcessLabel(""); labelErr != nil {
+	if labelErr := label.SetProcessLabel(""); labelErr == nil {
+		// Unlock the thread only if the process label could be restored
+		// successfully.  Otherwise leave the thread locked and the Go runtime
+		// will terminate it once it returns to the threads pool.
+		runtime.UnlockOSThread()
+	} else {
 		logrus.Errorf("Unable to set process label: %q", labelErr)
 	}
-	runtime.UnlockOSThread()
 	return err
 }