Message ID | 20241217135517.534645-1-cgoettsche@seltendoof.de (mailing list archive) |
---|---|
State | New |
Delegated to: | Paul Moore |
Series | [RFC] selinux: support wildcard network interface names | expand |
On Tue, 17 Dec 2024 at 15:11, Christian Göttsche <cgoettsche@seltendoof.de> wrote: > > From: Christian Göttsche <cgzones@googlemail.com> > > Add support for wildcard matching of network interface names. This is > useful for auto-generated interfaces, for example podman creates network > interfaces for containers with the naming scheme podman0, podman1, > podman2, ... > > Since the wildcard characters '?' and '*' should be very uncommon in > network interface names, and thus if netifcon definitions, avoid > introducing a new policy version or capability. > > Netifcon definitions are compared against in the order given by the > policy, so userspace tools should sort them in a reasonable order. Kindly ping. Any comments on this one? > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > --- > security/selinux/include/security.h | 2 +- > security/selinux/ss/services.c | 5 +++-- > 2 files changed, 4 insertions(+), 3 deletions(-) > > diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h > index 10949df22fa4..f6e7ba57a1fc 100644 > --- a/security/selinux/include/security.h > +++ b/security/selinux/include/security.h > @@ -298,7 +298,7 @@ int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid); > > int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid); > > -int security_netif_sid(char *name, u32 *if_sid); > +int security_netif_sid(const char *name, u32 *if_sid); > > int security_node_sid(u16 domain, void *addr, u32 addrlen, u32 *out_sid); > > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c > index 55fdc7ca232b..2f878fa99692 100644 > --- a/security/selinux/ss/services.c > +++ b/security/selinux/ss/services.c > @@ -46,6 +46,7 @@ > #include <linux/in.h> > #include <linux/sched.h> > #include <linux/audit.h> > +#include <linux/parser.h> > #include <linux/vmalloc.h> > #include <linux/lsm_hooks.h> > #include <net/netlabel.h> 
> @@ -2554,7 +2555,7 @@ int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid) > * @name: interface name > * @if_sid: interface SID > */ > -int security_netif_sid(char *name, u32 *if_sid) > +int security_netif_sid(const char *name, u32 *if_sid) > { > struct selinux_policy *policy; > struct policydb *policydb; > @@ -2576,7 +2577,7 @@ int security_netif_sid(char *name, u32 *if_sid) > > c = policydb->ocontexts[OCON_NETIF]; > while (c) { > - if (strcmp(name, c->u.name) == 0) > + if (match_wildcard(c->u.name, name)) > break; > c = c->next; > } > -- > 2.45.2 >
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 10949df22fa4..f6e7ba57a1fc 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -298,7 +298,7 @@ int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
 
 int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid);
 
-int security_netif_sid(char *name, u32 *if_sid);
+int security_netif_sid(const char *name, u32 *if_sid);
 
 int security_node_sid(u16 domain, void *addr, u32 addrlen, u32 *out_sid);
 
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 55fdc7ca232b..2f878fa99692 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -46,6 +46,7 @@
 #include <linux/in.h>
 #include <linux/sched.h>
 #include <linux/audit.h>
+#include <linux/parser.h>
 #include <linux/vmalloc.h>
 #include <linux/lsm_hooks.h>
 #include <net/netlabel.h>
@@ -2554,7 +2555,7 @@ int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid)
  * @name: interface name
  * @if_sid: interface SID
  */
-int security_netif_sid(char *name, u32 *if_sid)
+int security_netif_sid(const char *name, u32 *if_sid)
 {
 	struct selinux_policy *policy;
 	struct policydb *policydb;
@@ -2576,7 +2577,7 @@ int security_netif_sid(char *name, u32 *if_sid)
 
 	c = policydb->ocontexts[OCON_NETIF];
 	while (c) {
-		if (strcmp(name, c->u.name) == 0)
+		if (match_wildcard(c->u.name, name))
 			break;
 		c = c->next;
 	}
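Review bot: The `match_wildcard(c->u.name, name)` loop keeps first-match-wins over the policy's netifcon order, so a broad pattern listed before a more specific literal entry now silently assigns that interface the pattern's SID, and nothing in the kernel-doc of security_netif_sid (the function starts outside this hunk) tells a policy author that; the cover letter leaves ordering to userspace tools, which is fine, but the contract should be stated where the lookup lives. Suggested addition to the kernel-doc block in the preceding hunk: `* Netifcon names are matched as match_wildcard() patterns ('?' and '*'), in policy order; the first matching entry wins, so a broad pattern shadows any more specific entry that follows it.` Because the patch deliberately adds no policy version or capability, an already-loaded policy whose netifcon name contains a literal '?' or '*' changes meaning on kernel upgrade with no diagnostic; a short sentence on that in the same comment (or a warning on policy load, if the policydb reader has a convenient place for it) would make the behaviour change auditable. Argument order looks right — c->u.name is the pattern, the kernel-supplied interface name is the string — and match_wildcard() in lib/parser.c is iterative rather than recursive, so a hostile pattern in policy should not exhaust the stack, though the policy loader is the place to bound pattern length if that is a concern.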