
[RFC] selinux: support wildcard network interface names

Message ID 20241217135517.534645-1-cgoettsche@seltendoof.de (mailing list archive)

Commit Message

Christian Göttsche Dec. 17, 2024, 1:55 p.m. UTC
From: Christian Göttsche <cgzones@googlemail.com>

Add support for wildcard matching of network interface names.  This is
useful for auto-generated interfaces, for example podman creates network
interfaces for containers with the naming scheme podman0, podman1,
podman2, ...

Since the wildcard characters '?' and '*' should be very uncommon in
network interface names, and thus in netifcon definitions, avoid
introducing a new policy version or capability.

Netifcon definitions are compared against in the order given by the
policy, so userspace tools should sort them in a reasonable order.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 security/selinux/include/security.h | 2 +-
 security/selinux/ss/services.c      | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

Patch

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 10949df22fa4..f6e7ba57a1fc 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -298,7 +298,7 @@  int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
 
 int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid);
 
-int security_netif_sid(char *name, u32 *if_sid);
+int security_netif_sid(const char *name, u32 *if_sid);
 
 int security_node_sid(u16 domain, void *addr, u32 addrlen, u32 *out_sid);
 
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 55fdc7ca232b..2f878fa99692 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -46,6 +46,7 @@ 
 #include <linux/in.h>
 #include <linux/sched.h>
 #include <linux/audit.h>
+#include <linux/parser.h>
 #include <linux/vmalloc.h>
 #include <linux/lsm_hooks.h>
 #include <net/netlabel.h>
@@ -2554,7 +2555,7 @@  int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid)
  * @name: interface name
  * @if_sid: interface SID
  */
-int security_netif_sid(char *name, u32 *if_sid)
+int security_netif_sid(const char *name, u32 *if_sid)
 {
 	struct selinux_policy *policy;
 	struct policydb *policydb;
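Review bot: the kernel-doc block directly above this signature ("@name: interface name") is left unchanged even though the lookup semantics change in the same series; please extend it to state that the netifcon names in the policy are treated as match_wildcard() patterns ('?' and '*'), that the first matching entry in policy order wins, and that @name is now const. Readers of security.h will otherwise only see the const change and not the new matching behaviour.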
@@ -2576,7 +2577,7 @@  int security_netif_sid(char *name, u32 *if_sid)
 
 	c = policydb->ocontexts[OCON_NETIF];
 	while (c) {
-		if (strcmp(name, c->u.name) == 0)
+		if (match_wildcard(c->u.name, name))
 			break;
 		c = c->next;
 	}
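Review bot: replacing strcmp() with match_wildcard(c->u.name, name) silently changes the meaning of any existing policy whose netifcon names already contain '?' or '*', since the loop still breaks on the first hit and no policy capability gates the new behaviour; at minimum the commit message should say so explicitly, and a short comment above the loop noting the first-match, policy-order semantics (which the commit message delegates to userspace sorting) would help future readers. The argument order is correct for match_wildcard(pattern, str), so a pattern like "podman*" in c->u.name matches "podman0" but not "podman0x" only because match_wildcard() requires the whole string to be consumed; worth stating in the comment as well so nobody assumes prefix matching.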