From 07d744068d437b09d7a07975e88e18440f5db2f3 Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Mon, 27 Jan 2020 20:16:35 -0800
Subject: filesystem: don't overwrite existing protector links

When adding a protector to a policy, don't unconditionally overwrite the
protector link, because it may already exist.  Instead, if it already
exists and points to the mount, just use it.  If it already exists and
points to the wrong place, return an error.

Also add a bool to the return value of AddLinkedProtector() so that
callers can check whether the link was newly created or not.
---
 actions/policy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'actions/policy.go')

diff --git a/actions/policy.go b/actions/policy.go
index 41e108e..9d644c1 100644
--- a/actions/policy.go
+++ b/actions/policy.go
@@ -315,7 +315,7 @@ func (policy *Policy) AddProtector(protector *Protector) error {
 	// to it on the policy's filesystem.
 	if policy.Context.Mount != protector.Context.Mount {
 		log.Printf("policy on %s\n protector on %s\n", policy.Context.Mount, protector.Context.Mount)
-		err := policy.Context.Mount.AddLinkedProtector(
+		_, err := policy.Context.Mount.AddLinkedProtector(
 			protector.Descriptor(), protector.Context.Mount)
 		if err != nil {
 			return err
-- 
cgit v1.2.3