From: Christian Göttsche <cgzones@googlemail.com>
Retrieve the netlabel_wildcard policy capability in security_netif_sid()
from the locked active policy instead of the cached value in
selinux_state.
Fixes: 8af43b61c17e ("selinux: support wildcard network interface names")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
security/selinux/ss/services.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 1b11648d9b85..e431772c6168 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2587,14 +2587,13 @@ int security_netif_sid(const char *name, u32 *if_sid)
return 0;
}
- wildcard_support = selinux_policycap_netif_wildcard();
-
retry:
rc = 0;
rcu_read_lock();
policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
+ wildcard_support = ebitmap_get_bit(&policydb->policycaps, POLICYDB_CAP_NETIF_WILDCARD);
c = policydb->ocontexts[OCON_NETIF];
while (c) {
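Review bot: the commit message calls this the `netlabel_wildcard` policy capability, but the hunk reads `POLICYDB_CAP_NETIF_WILDCARD` (replacing the cached `selinux_policycap_netif_wildcard()` accessor), so the description should say `netif_wildcard`. The new read sits after `policydb = &policy->policydb;` and below the `retry:` label, which means the capability comes from the same RCU-protected policy whose `ocontexts[OCON_NETIF]` list is walked next, and it is re-read if the lookup retries against a newly loaded policy; that is the consistency the fix is after.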
--
2.47.2
On Mar 12, 2025 Christian Göttsche <cgoettsche@seltendoof.de> wrote:
>
> Retrieve the netlabel_wildcard policy capability in security_netif_sid()
> from the locked active policy instead of the cached value in
> selinux_state.
>
> Fixes: 8af43b61c17e ("selinux: support wildcard network interface names")
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
> security/selinux/ss/services.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
As this is a fix for a commit in selinux/dev, I've gone ahead and merged
this into selinux/dev (with a /netlabel/netif/ tweak to the commit
description).
Thanks everyone.
--
paul-moore.com
On Wed, Mar 12, 2025 at 4:01 AM Christian Göttsche
<cgoettsche@seltendoof.de> wrote:
>
> From: Christian Göttsche <cgzones@googlemail.com>
>
> Retrieve the netlabel_wildcard policy capability in security_netif_sid()
> from the locked active policy instead of the cached value in
> selinux_state.
>
> Fixes: 8af43b61c17e ("selinux: support wildcard network interface names")
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Do we have tests for this feature? I didn't see any.
> ---
> security/selinux/ss/services.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 1b11648d9b85..e431772c6168 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -2587,14 +2587,13 @@ int security_netif_sid(const char *name, u32 *if_sid)
> return 0;
> }
>
> - wildcard_support = selinux_policycap_netif_wildcard();
> -
> retry:
> rc = 0;
> rcu_read_lock();
> policy = rcu_dereference(selinux_state.policy);
> policydb = &policy->policydb;
> sidtab = policy->sidtab;
> + wildcard_support = ebitmap_get_bit(&policydb->policycaps, POLICYDB_CAP_NETIF_WILDCARD);
>
> c = policydb->ocontexts[OCON_NETIF];
> while (c) {
> --
> 2.47.2
>
On Wed, 12 Mar 2025 at 14:04, Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Wed, Mar 12, 2025 at 4:01 AM Christian Göttsche
> <cgoettsche@seltendoof.de> wrote:
> >
> > From: Christian Göttsche <cgzones@googlemail.com>
> >
> > Retrieve the netlabel_wildcard policy capability in security_netif_sid()
> > from the locked active policy instead of the cached value in
> > selinux_state.
> >
> > Fixes: 8af43b61c17e ("selinux: support wildcard network interface names")
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
>
> Do we have tests for this feature? I didn't see any.
No.
Is there a way to retrieve the context of a network interface without
actually sending packets? (Then one could simply use `ip link add
$name_to_test type dummy`).
> > ---
> > security/selinux/ss/services.c | 3 +--
> > 1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> > index 1b11648d9b85..e431772c6168 100644
> > --- a/security/selinux/ss/services.c
> > +++ b/security/selinux/ss/services.c
> > @@ -2587,14 +2587,13 @@ int security_netif_sid(const char *name, u32 *if_sid)
> > return 0;
> > }
> >
> > - wildcard_support = selinux_policycap_netif_wildcard();
> > -
> > retry:
> > rc = 0;
> > rcu_read_lock();
> > policy = rcu_dereference(selinux_state.policy);
> > policydb = &policy->policydb;
> > sidtab = policy->sidtab;
> > + wildcard_support = ebitmap_get_bit(&policydb->policycaps, POLICYDB_CAP_NETIF_WILDCARD);
> >
> > c = policydb->ocontexts[OCON_NETIF];
> > while (c) {
> > --
> > 2.47.2
> >