From patchwork Wed Aug 23 17:29:59 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Claudi X-Patchwork-Id: 13363007 X-Patchwork-Delegate: dsahern@gmail.com Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 946351F18D for ; Wed, 23 Aug 2023 17:30:58 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DAC67E7D for ; Wed, 23 Aug 2023 10:30:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1692811855; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=3MvbKMYwnqe69v0yc2E4ycPNeJxScqvzFFwMZHNI0yI=; b=LKNDGMyG7mEceOzRrmNy2g5EIDafYzYZxiS2Q46MBPdSwhmvjLKSZuXxQZD9LpLM6VMV8c xrc8CWrfvFFxzW44arMBwgL0ixlSdjXCFMx1hWlTh2QHzxxvUwfmjgxrj1kyvA7V0booTZ lYAymbpWoRygxzbgS2dtw1k966ZxkWY= Received: from mimecast-mx02.redhat.com (66.187.233.73 [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-652-8eq7y_nROCKTWYN4HIXclw-1; Wed, 23 Aug 2023 13:30:50 -0400 X-MC-Unique: 8eq7y_nROCKTWYN4HIXclw-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 0D52C1C0896E; Wed, 23 Aug 2023 17:30:50 +0000 (UTC) Received: from renaissance-vector.redhat.com (unknown [10.39.194.152]) by smtp.corp.redhat.com (Postfix) with ESMTP id 24332492C13; Wed, 
23 Aug 2023 17:30:48 +0000 (UTC) From: Andrea Claudi To: netdev@vger.kernel.org Cc: Stephen Hemminger , David Ahern Subject: [PATCH iproute2-next 1/4] ss: make is_selinux_enabled stub work like in SELinux Date: Wed, 23 Aug 2023 19:29:59 +0200 Message-ID: <33564ea9f7c5c8d6f536a2c8db526ca1e14737a0.1692804730.git.aclaudi@redhat.com> In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: dsahern@gmail.com From the is_selinux_enabled() manpage: is_selinux_enabled() returns 1 if SELinux is running or 0 if it is not. This makes the is_selinux_enabled() stub function work exactly like the SELinux function it is supposed to replace. Signed-off-by: Andrea Claudi --- misc/ss.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/misc/ss.c b/misc/ss.c index 6d34ad0e..007cb349 100644 --- a/misc/ss.c +++ b/misc/ss.c @@ -77,7 +77,7 @@ /* Stubs for SELinux functions */ static int is_selinux_enabled(void) { - return -1; + return 0; } static int getpidcon(pid_t pid, char **context)
@@ -5682,7 +5682,7 @@ int main(int argc, char *argv[]) show_sock_ctx++; /* fall through */ case 'Z': - if (is_selinux_enabled() <= 0) { + if (!is_selinux_enabled()) { fprintf(stderr, "ss: SELinux is not enabled.\n"); exit(1); } From patchwork Wed Aug 23 17:30:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Claudi X-Patchwork-Id: 13363006 X-Patchwork-Delegate: dsahern@gmail.com Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 73F201ED56 for ; Wed, 23 Aug 2023 17:30:58 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B90ECE7C for ; Wed, 23 Aug 2023 10:30:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1692811855; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NKOW2pfhGio1igZ7vupeGut7GiiDl2J/8wcRw6SuG+M=; b=UFFrb9QmnH+qiDF6No9XcCMcnufaNb8XOCnfeTjc/5WNuY6BqIWMGVuJFdQ7fAI3mSNvIU ZDsxZQ5BmRgFOZfq8YW5+O3n5dSOjouJTxLuJyYLQqF081HvE/kuXNPcaULL/NO0cY01Pn GYMRjHX7tzRKyKO5SpyKYtn3OfL9jKE= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-678-Acpr2D7RMDq9ANz6itwKPQ-1; Wed, 23 Aug 2023 13:30:51 -0400 X-MC-Unique: Acpr2D7RMDq9ANz6itwKPQ-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by 
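Review bot: The `case 'Z'` check loses its defensive margin when `<= 0` becomes `!`: the old test also printed "SELinux is not enabled" for a negative return, whereas `!is_selinux_enabled()` lets -Z proceed on any non-zero value, an error code included. With the stub now returning 0 the two forms behave identically in a non-SELinux build, so `if (is_selinux_enabled() <= 0)` (or `< 1`) could simply stay; it costs nothing and keeps the check robust against a library build that signals an error instead of 0/1.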
mimecast-mx02.redhat.com (Postfix) with ESMTPS id 90053185A792; Wed, 23 Aug 2023 17:30:51 +0000 (UTC) Received: from renaissance-vector.redhat.com (unknown [10.39.194.152]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6538A492C13; Wed, 23 Aug 2023 17:30:50 +0000 (UTC) From: Andrea Claudi To: netdev@vger.kernel.org Cc: Stephen Hemminger , David Ahern Subject: [PATCH iproute2-next 2/4] ss: make SELinux stub functions conformant to API definitions Date: Wed, 23 Aug 2023 19:30:00 +0200 Message-ID: <139f6e818c49b9a2dfd6eb1074afebd8dac5ccec.1692804730.git.aclaudi@redhat.com> In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: dsahern@gmail.com getfilecon() and security_get_initial_context() use the const qualifier for their first parameter in SELinux APIs. This commit adds the const qualifier to these functions, making them conformant to API definitions. Signed-off-by: Andrea Claudi --- misc/ss.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/misc/ss.c b/misc/ss.c index 007cb349..b3183630 100644 --- a/misc/ss.c +++ b/misc/ss.c
@@ -86,13 +86,13 @@ static int getpidcon(pid_t pid, char **context) return -1; } -static int getfilecon(char *path, char **context) +static int getfilecon(const char *path, char **context) { *context = NULL; return -1; } -static int security_get_initial_context(char *name, char **context) +static int security_get_initial_context(const char *name, char **context) { *context = NULL; return -1; From patchwork Wed Aug 23 17:30:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Claudi X-Patchwork-Id: 13363008 X-Patchwork-Delegate: dsahern@gmail.com Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BC0E41F193 for ; Wed, 23 Aug 2023 17:30:58 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 85B14E7B for ; Wed, 23 Aug 2023 10:30:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1692811854; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=YA7yvBy+YjOzps+3DAp9V5ZbeCkQpGhp7ng8IJtzjlU=; b=fA54jldX7etPY/x4UODgzp0qxIpaguP7fAgwaCpsR44lk+u9G5dj27nKDVq4NJ1NSYvl4T +pTKmqOYgqetnP8n8CWOcgdc4vv0fjDffMwKOiK8kGxqpDpOp5U2h8FKIDRoin0VPCEKId eG20JKrwxMkph+P5QqBmF0W860ccZ34= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-427-8kamPRonPtaN0uwUfmj44A-1; Wed, 23 Aug 2023 13:30:53 -0400 X-MC-Unique: 8kamPRonPtaN0uwUfmj44A-1 Received: from 
smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id CF83C101A5BA; Wed, 23 Aug 2023 17:30:52 +0000 (UTC) Received: from renaissance-vector.redhat.com (unknown [10.39.194.152]) by smtp.corp.redhat.com (Postfix) with ESMTP id E1F9C492C13; Wed, 23 Aug 2023 17:30:51 +0000 (UTC) From: Andrea Claudi To: netdev@vger.kernel.org Cc: Stephen Hemminger , David Ahern Subject: [PATCH iproute2-next 3/4] lib: add SELinux include and stub functions Date: Wed, 23 Aug 2023 19:30:01 +0200 Message-ID: <3cac535713c87bb3e759e4d3210a0e56cf5398ed.1692804730.git.aclaudi@redhat.com> In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: dsahern@gmail.com ss provides some selinux stub functions, useful when iproute2 is compiled without selinux support. Move them to lib/ so we can use them in other iproute2 tools. Signed-off-by: Andrea Claudi --- include/selinux.h | 9 +++++++++ lib/Makefile | 4 ++++ lib/selinux.c | 32 ++++++++++++++++++++++++++++++++ misc/ss.c | 34 +--------------------------------- 4 files changed, 46 insertions(+), 33 deletions(-) create mode 100644 include/selinux.h create mode 100644 lib/selinux.c diff --git a/include/selinux.h b/include/selinux.h new file mode 100644 index 00000000..499aa966 --- /dev/null +++ b/include/selinux.h 
@@ -0,0 +1,9 @@ +#if HAVE_SELINUX +#include +#else +int is_selinux_enabled(void); +void freecon(char *context); +int getpidcon(pid_t pid, char **context); +int getfilecon(const char *path, char **context); +int security_get_initial_context(const char *name, char **context); +#endif diff --git a/lib/Makefile b/lib/Makefile index ddedd37f..aa7bbd2e 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -13,6 +13,10 @@ UTILOBJ += bpf_libbpf.o endif endif +ifneq ($(HAVE_SELINUX),y) +UTILOBJ += selinux.o +endif + NLOBJ=libgenl.o libnetlink.o ifeq ($(HAVE_MNL),y) NLOBJ += mnl_utils.o diff --git a/lib/selinux.c b/lib/selinux.c new file mode 100644 index 00000000..4e6805fc --- /dev/null +++ b/lib/selinux.c @@ -0,0 +1,32 @@ +#include +#include +#include "selinux.h" + +/* Stubs for SELinux functions */ +int is_selinux_enabled(void) +{ + return 0; +} + +void freecon(char *context) +{ + free(context); +} + +int getpidcon(pid_t pid, char **context) +{ + *context = NULL; + return -1; +} + +int getfilecon(const char *path, char **context) +{ + *context = NULL; + return -1; +} + +int security_get_initial_context(const char *name, char **context) +{ + *context = NULL; + return -1; +} diff --git a/misc/ss.c b/misc/ss.c index b3183630..2ef19039 100644 --- a/misc/ss.c +++ b/misc/ss.c @@ -33,6 +33,7 @@ #include "version.h" #include "rt_names.h" #include "cg_map.h" +#include "selinux.h" #include #include 
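Review bot: include/selinux.h has no include guard, and the stub prototypes in its `#else` branch use `pid_t` without including `<sys/types.h>`, so the header only compiles when the including file has already pulled that type in. ss.c happens to, but the stated purpose of the move is reuse from other iproute2 tools, so add a guard and `#include <sys/types.h>` next to the prototypes rather than relying on include order in each consumer.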
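Review bot: In lib/selinux.c the three lookup stubs `return -1` without touching errno, so a caller that reports the failure with strerror(errno) prints whatever errno held before the call. Setting errno (ENOSYS or ENOTSUP) before each `return -1` in getpidcon(), getfilecon() and security_get_initial_context() makes the "built without SELinux" failure self-describing now that the stubs are shared library code instead of file-local helpers.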
@@ -71,39 +72,6 @@ #define BUF_CHUNKS_MAX 5 /* Maximum number of allocated buffer chunks */ #define LEN_ALIGN(x) (((x) + 1) & ~1) -#if HAVE_SELINUX -#include -#else -/* Stubs for SELinux functions */ -static int is_selinux_enabled(void) -{ - return 0; -} - -static int getpidcon(pid_t pid, char **context) -{ - *context = NULL; - return -1; -} - -static int getfilecon(const char *path, char **context) -{ - *context = NULL; - return -1; -} - -static int security_get_initial_context(const char *name, char **context) -{ - *context = NULL; - return -1; -} - -static void freecon(char *context) -{ - free(context); -} -#endif - int preferred_family = AF_UNSPEC; static int show_options; int show_details; From patchwork Wed Aug 23 17:30:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Claudi X-Patchwork-Id: 13363009 X-Patchwork-Delegate: dsahern@gmail.com Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2CA881F927 for ; Wed, 23 Aug 2023 17:31:01 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9E5E8E77 for ; Wed, 23 Aug 2023 10:30:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1692811858; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=EqTyXiYk85eSAkuFlWw7TwM0UuCOfOOwIwWYHvwxf1Q=; b=PjSivwf1Ka9WdYWh+0SsuUhPQWF0KsvI3HTEsSkPd8rEyndFZqs47YN1PMZQJ45qE4CCXu 1ffl0BP2hkpZJ1oCWbnvGYyoibepiD2hQoeFn42gqnx51enP8FntVvP90RPB6XbdR00Ku2 3I94/4weHiVNPr3mVeHy+p3BVh8ggNU= Received: from 
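Review bot: The removed block is behaviourally identical to lib/selinux.c, but the functions change from `static` to external linkage. That is what the Makefile conditional is for; the practical consequence is that a tree that had HAVE_SELINUX toggled without a clean rebuild can end up with selinux.o in libutil.a next to a real -lselinux, and the link then fails on duplicate is_selinux_enabled/freecon/getpidcon definitions. Worth a one-line mention in the commit message so the "undefined/duplicate symbol" report from a stale build is recognisable.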
mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-539--nPCCUbzOyaiAstHkb_IhQ-1; Wed, 23 Aug 2023 13:30:55 -0400 X-MC-Unique: -nPCCUbzOyaiAstHkb_IhQ-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id CBC76853065; Wed, 23 Aug 2023 17:30:54 +0000 (UTC) Received: from renaissance-vector.redhat.com (unknown [10.39.194.152]) by smtp.corp.redhat.com (Postfix) with ESMTP id 37238492C13; Wed, 23 Aug 2023 17:30:53 +0000 (UTC) From: Andrea Claudi To: netdev@vger.kernel.org Cc: Stephen Hemminger , David Ahern Subject: [PATCH iproute2-next 4/4] ip vrf: make ipvrf_exec SELinux-aware Date: Wed, 23 Aug 2023 19:30:02 +0200 Message-ID: <0595f76490e04b9337df0f97001bbc0232c3bd01.1692804730.git.aclaudi@redhat.com> In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: dsahern@gmail.com When using ip vrf and SELinux is enabled, make sure to set the exec file context before calling cmd_exec. This ensures that the command is executed with the right context, falling back to the ifconfig_t context when needed. Signed-off-by: Andrea Claudi --- include/selinux.h | 1 + ip/ipvrf.c | 6 ++++++ lib/selinux.c | 5 +++++ 3 files changed, 12 insertions(+) 
diff --git a/include/selinux.h b/include/selinux.h index 499aa966..592c7680 100644 --- a/include/selinux.h +++ b/include/selinux.h @@ -6,4 +6,5 @@ void freecon(char *context); int getpidcon(pid_t pid, char **context); int getfilecon(const char *path, char **context); int security_get_initial_context(const char *name, char **context); +int setexecfilecon(const char *filename, const char *fallback_type); #endif diff --git a/ip/ipvrf.c b/ip/ipvrf.c index d6b59adb..12beaec3 100644 --- a/ip/ipvrf.c +++ b/ip/ipvrf.c @@ -24,6 +24,7 @@ #include "utils.h" #include "ip_common.h" #include "bpf_util.h" +#include "selinux.h" #define CGRP_PROC_FILE "/cgroup.procs" @@ -455,6 +456,11 @@ static int ipvrf_exec(int argc, char **argv) return -1; } + if (is_selinux_enabled() && setexecfilecon(argv[1], "ifconfig_t")) { + fprintf(stderr, "setexecfilecon for \"%s\" failed\n", argv[1]); + return -1; + } + return -cmd_exec(argv[1], argv + 1, !!batch_mode, do_switch, argv[0]); } diff --git a/lib/selinux.c b/lib/selinux.c index 4e6805fc..7e5dd16d 100644 --- a/lib/selinux.c +++ b/lib/selinux.c @@ -30,3 +30,8 @@ int security_get_initial_context(const char *name, char **context) *context = NULL; return -1; } + +int setexecfilecon(const char *filename, const char *fallback_type) +{ + return -1; +}
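Review bot: In the ipvrf_exec() hunk, setexecfilecon() has to look up the file context of the path it is handed, while the same argv[1] is then passed to cmd_exec(), which resolves a bare command name through PATH. So `ip vrf exec blue bash` can fail the context lookup on an SELinux host (the file "bash" does not exist relative to the cwd) and now aborts with `setexecfilecon for "bash" failed` where it used to run. Either resolve argv[1] to the path cmd_exec() will execute before calling setexecfilecon(), or treat a lookup failure as a warning and still exec. Two smaller points on the same lines: the error message should carry strerror(errno), and the hard-coded "ifconfig_t" fallback is a type from the reference policy, so a policy that lacks it makes the fallback itself fail; the commit message should say that the tool is being tied to that policy type.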
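Review bot: The diffstat lists include/selinux.h, ip/ipvrf.c and lib/selinux.c only. With HAVE_SELINUX=y the stubs are not built (patch 3/4's Makefile hunk), so ip now takes is_selinux_enabled() and setexecfilecon() from libselinux and ip/Makefile needs the same -lselinux that the ss build already has; without it the HAVE_SELINUX=y link of ip fails on those two symbols. If ip already links libselinux for another reason, a sentence in the commit message saying so would save the next reader the check.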
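Review bot: The setexecfilecon() stub in lib/selinux.c returns -1, which makes it the one stub whose result disagrees with the real function's behaviour when SELinux is off (a no-op that reports success), and it undercuts the API-conformance goal stated in patch 2/4. The `is_selinux_enabled() &&` guard in ipvrf_exec() hides this, but any later caller that omits the guard fails unconditionally on non-SELinux builds. `return 0;` keeps the stub drop-in, and the guard in ipvrf.c then becomes a harmless optimisation rather than a correctness requirement.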
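The commit message for 4/4 says the command is run "with the right context, falling back to the ifconfig_t context when needed", which is the `fallback_type` argument of setexecfilecon(). The following added example, not part of the series or of libselinux, models the selection step that argument drives: a SELinux context is `user:role:type[:range]`; when the policy computes no transition for the target file (the computed process context equals the caller's own), only the type field is rewritten to the fallback type, otherwise the computed context is used unchanged. The policy query itself (the security_compute_create() step) is not modelled; the "computed" context is supplied by the caller, and the sample contexts and the `ifconfig_t` type below are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative model of the fallback step behind setexecfilecon().
 * Not libselinux code: the policy lookup is left out and the
 * "computed" context is passed in by the caller.
 */

/* Copy s into a fresh allocation (avoids relying on strdup). */
static char *dup_str(const char *s)
{
	size_t n = strlen(s) + 1;
	char *out = malloc(n);

	if (out)
		memcpy(out, s, n);
	return out;
}

/*
 * Return a newly allocated copy of ctx with its type field (the third
 * colon-separated field) replaced by new_type.  An optional MLS range
 * after the type is preserved.  Returns NULL if ctx does not have at
 * least three fields, or on allocation failure.
 */
char *context_set_type(const char *ctx, const char *new_type)
{
	const char *role = strchr(ctx, ':');
	const char *type, *range;
	size_t prefix_len, out_len;
	char *out;

	if (!role)
		return NULL;
	type = strchr(role + 1, ':');
	if (!type)
		return NULL;
	type++;				/* first character of the type field */
	range = strchr(type, ':');	/* NULL when there is no range */
	if (!range)
		range = "";

	prefix_len = (size_t)(type - ctx);	/* "user:role:" */
	out_len = prefix_len + strlen(new_type) + strlen(range) + 1;
	out = malloc(out_len);
	if (!out)
		return NULL;
	memcpy(out, ctx, prefix_len);
	memcpy(out + prefix_len, new_type, strlen(new_type) + 1);
	strcat(out, range);
	return out;
}

/*
 * Pick the exec context the way setexecfilecon() does once the policy
 * has been asked: a computed context that differs from the caller's own
 * is a real transition and wins; an unchanged one means "no transition
 * rule", so fall back to the caller's context with the type swapped.
 * Returns a newly allocated string the caller must free().
 */
char *choose_exec_context(const char *current, const char *computed,
			  const char *fallback_type)
{
	if (strcmp(current, computed) != 0)
		return dup_str(computed);
	return context_set_type(current, fallback_type);
}
```

With a caller running as `unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023` and no transition rule for the target binary, the resulting exec context keeps the user, role and range and only becomes `...:ifconfig_t:...`; with a transition rule the computed context is used as-is. That is also why a fallback type that the loaded policy does not define makes the whole call fail: the string built here must still validate against the policy before it can be set.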