Message ID | 20220220140405.1646839-11-roopa@nvidia.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Netdev Maintainers |
Series | vxlan metadata device vnifiltering support | expand |
On 2022-02-20 14:04 +0000, Roopa Prabhu wrote:
> From: Benjamin Poirier <bpoirier@nvidia.com>
>
> This patch adds newly added RTM_*TUNNEL msgs to nlmsg_route_perms
>
> Signed-off-by: Benjamin Poirier <bpoirier@nvidia.com>
> ---
> security/selinux/nlmsgtab.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
> index 94ea2a8b2bb7..6ad3ee02e023 100644
> --- a/security/selinux/nlmsgtab.c
> +++ b/security/selinux/nlmsgtab.c
> @@ -91,6 +91,9 @@ static const struct nlmsg_perm nlmsg_route_perms[] =
> { RTM_NEWNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
> { RTM_DELNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
> { RTM_GETNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ },
> + { RTM_NEWTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
> + { RTM_DELTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
> + { RTM_GETTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
> };
>
> static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
> @@ -176,7 +179,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
> * structures at the top of this file with the new mappings
> * before updating the BUILD_BUG_ON() macro!
> */
> - BUILD_BUG_ON(RTM_MAX != (RTM_NEWNEXTHOPBUCKET + 3));
> + BUILD_BUG_ON(RTM_MAX != (RTM_NEWTUNNEL + 3));

This patch should be folded with patch 06 ("rtnetlink: add new rtm tunnel api for tunnel id filtering") otherwise there is build breakage partway through the series when compiling with CONFIG_SECURITY_SELINUX=y: CC security/selinux/nlmsgtab.o In file included from <command-line>: security/selinux/nlmsgtab.c: In function ‘selinux_nlmsg_lookup’: ././include/linux/compiler_types.h:349:45: error: call to ‘__compiletime_assert_516’ declared with attribute error: BUILD_BUG_ON failed: RTM_MAX != (RTM_NEWNEXTHOPBUCKET + 3) 349 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) | ^
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 94ea2a8b2bb7..6ad3ee02e023 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -91,6 +91,9 @@ static const struct nlmsg_perm nlmsg_route_perms[] =
 { RTM_NEWNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
 { RTM_DELNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
 { RTM_GETNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ },
+ { RTM_NEWTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+ { RTM_DELTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+ { RTM_GETTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
 };
 
 static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
@@ -176,7 +179,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
 * structures at the top of this file with the new mappings
 * before updating the BUILD_BUG_ON() macro!
 */
- BUILD_BUG_ON(RTM_MAX != (RTM_NEWNEXTHOPBUCKET + 3));
+ BUILD_BUG_ON(RTM_MAX != (RTM_NEWTUNNEL + 3));
 err = nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
 sizeof(nlmsg_route_perms));
 break;
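Review bot: The three entries added to nlmsg_route_perms in the first hunk are where the SELinux access class of the new tunnel messages is decided, and neither the hunk nor the commit message says why RTM_GETTUNNEL is classed as NETLINK_ROUTE_SOCKET__NLMSG_READ. That classification is only right if the GET handler is a dump with no side effects; the handler is in another patch of the series and is not visible here, so it should be confirmed against that patch. I would record the reasoning in the commit message, for example `RTM_GETTUNNEL only dumps tunnel state and maps to nlmsg_read; RTM_NEWTUNNEL and RTM_DELTUNNEL change it and map to nlmsg_write`. The BUILD_BUG_ON in the second hunk compares only RTM_MAX with the last known message family and does not check that each type has a table entry, so the table itself still needs a manual check whenever that assertion is touched; the body of selinux_nlmsg_lookup continues outside the hunk.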