security/selinux/include/security.h | 2 +- security/selinux/ss/services.c | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-)
From: Christian Göttsche <cgzones@googlemail.com>
Add support for wildcard matching of network interface names. This is
useful for auto-generated interfaces, for example podman creates network
interfaces for containers with the naming scheme podman0, podman1,
podman2, ...
Since the wildcard characters '?' and '*' should be very uncommon in
network interface names, and thus in netifcon definitions, avoid
introducing a new policy version or capability.
Netifcon definitions are compared against in the order given by the
policy, so userspace tools should sort them in a reasonable order.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
security/selinux/include/security.h | 2 +-
security/selinux/ss/services.c | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 10949df22fa4..f6e7ba57a1fc 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -298,7 +298,7 @@ int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid);
-int security_netif_sid(char *name, u32 *if_sid);
+int security_netif_sid(const char *name, u32 *if_sid);
int security_node_sid(u16 domain, void *addr, u32 addrlen, u32 *out_sid);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 55fdc7ca232b..2f878fa99692 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -46,6 +46,7 @@
#include <linux/in.h>
#include <linux/sched.h>
#include <linux/audit.h>
+#include <linux/parser.h>
#include <linux/vmalloc.h>
#include <linux/lsm_hooks.h>
#include <net/netlabel.h>
@@ -2554,7 +2555,7 @@ int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid)
* @name: interface name
* @if_sid: interface SID
*/
-int security_netif_sid(char *name, u32 *if_sid)
+int security_netif_sid(const char *name, u32 *if_sid)
{
struct selinux_policy *policy;
struct policydb *policydb;
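Review bot: The kernel-doc above the signature still reads `@name: interface name`, which no longer describes the contract once the lookup below treats policy netifcon names as patterns, so the new matching rule should be stated where callers read it. I would expand it to ` * @name: interface name; matched against the policy's netifcon entries as wildcard patterns ('?' one character, '*' any run), first match in policy order wins` and note that the returned SID falls back to the default netif SID when nothing matches (that fallback is outside this hunk, so confirm against the function's tail). The const qualifier added here is a good fit since the name is only read. security_netif_sid's body continues past the end of this hunk.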
@@ -2576,7 +2577,7 @@ int security_netif_sid(char *name, u32 *if_sid)
c = policydb->ocontexts[OCON_NETIF];
while (c) {
- if (strcmp(name, c->u.name) == 0)
+ if (match_wildcard(c->u.name, name))
break;
c = c->next;
}
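Review bot: The loop now stops at the first netifcon whose pattern matches, so a broad entry such as `*` or `podman*` placed before an exact entry like `podman0` silently shadows it, and nothing in the kernel reports the unreachable entry; the commit message pushes ordering to userspace, but the kernel code should at least say so where the semantics live. I would put `/* c->u.name is the pattern ('?' one char, '*' any run); first matching entry in policy order wins, later entries are shadowed */` on the `match_wildcard(c->u.name, name)` line, which also pins the pattern-first argument order of match_wildcard() since swapping the two arguments would compile cleanly. Since pattern matching is now run on every lookup, it is worth confirming that callers still hit the per-interface SID cache rather than this loop on the hot path; that cache is outside this hunk. security_netif_sid begins and ends outside this hunk.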
--
2.45.2
On Dec 17, 2024 Christian Göttsche <cgoettsche@seltendoof.de> wrote: > > Add support for wildcard matching of network interface names. This is > useful for auto-generated interfaces, for example podman creates network > interfaces for containers with the naming scheme podman0, podman1, > podman2, ... > > Since the wildcard characters '?' and '*' should be very uncommon in > network interface names, and thus if netifcon definitions, avoid > introducing a new policy version or capability. > > Netifcon definitions are compared against in the order given by the > policy, so userspace tools should sort them in a reasonable order. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > --- > security/selinux/include/security.h | 2 +- > security/selinux/ss/services.c | 5 +++-- > 2 files changed, 4 insertions(+), 3 deletions(-) My apologies on the delay in responding, overall I think this is a nice improvement, but I would feel a lot better if we wrapped this with a policy capability so that users/admins that did run into a problem would have a way to work around this using policy. -- paul-moore.com
On Tue, 17 Dec 2024 at 15:11, Christian Göttsche
<cgoettsche@seltendoof.de> wrote:
>
> From: Christian Göttsche <cgzones@googlemail.com>
>
> Add support for wildcard matching of network interface names. This is
> useful for auto-generated interfaces, for example podman creates network
> interfaces for containers with the naming scheme podman0, podman1,
> podman2, ...
>
> Since the wildcard characters '?' and '*' should be very uncommon in
> network interface names, and thus if netifcon definitions, avoid
> introducing a new policy version or capability.
>
> Netifcon definitions are compared against in the order given by the
> policy, so userspace tools should sort them in a reasonable order.
Kindly ping.
Any comments on this one?
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> security/selinux/include/security.h | 2 +-
> security/selinux/ss/services.c | 5 +++--
> 2 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 10949df22fa4..f6e7ba57a1fc 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -298,7 +298,7 @@ int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
>
> int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid);
>
> -int security_netif_sid(char *name, u32 *if_sid);
> +int security_netif_sid(const char *name, u32 *if_sid);
>
> int security_node_sid(u16 domain, void *addr, u32 addrlen, u32 *out_sid);
>
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 55fdc7ca232b..2f878fa99692 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -46,6 +46,7 @@
> #include <linux/in.h>
> #include <linux/sched.h>
> #include <linux/audit.h>
> +#include <linux/parser.h>
> #include <linux/vmalloc.h>
> #include <linux/lsm_hooks.h>
> #include <net/netlabel.h>
> @@ -2554,7 +2555,7 @@ int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid)
> * @name: interface name
> * @if_sid: interface SID
> */
> -int security_netif_sid(char *name, u32 *if_sid)
> +int security_netif_sid(const char *name, u32 *if_sid)
> {
> struct selinux_policy *policy;
> struct policydb *policydb;
> @@ -2576,7 +2577,7 @@ int security_netif_sid(char *name, u32 *if_sid)
>
> c = policydb->ocontexts[OCON_NETIF];
> while (c) {
> - if (strcmp(name, c->u.name) == 0)
> + if (match_wildcard(c->u.name, name))
> break;
> c = c->next;
> }
> --
> 2.45.2
>