lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20241217135517.534645-1-cgoettsche@seltendoof.de>
Date: Tue, 17 Dec 2024 14:55:12 +0100
From: Christian Göttsche <cgoettsche@...tendoof.de>
To: 
Cc: Christian Göttsche <cgzones@...glemail.com>,
	Paul Moore <paul@...l-moore.com>,
	Stephen Smalley <stephen.smalley.work@...il.com>,
	Ondrej Mosnacek <omosnace@...hat.com>,
	Thiébaud Weksteen <tweek@...gle.com>,
	Bram Bonné <brambonne@...gle.com>,
	Casey Schaufler <casey@...aufler-ca.com>,
	GUO Zihua <guozihua@...wei.com>,
	Canfeng Guo <guocanfeng@...ontech.com>,
	selinux@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	John Johansen <john.johansen@...onical.com>
Subject: [RFC PATCH] selinux: support wildcard network interface names

From: Christian Göttsche <cgzones@...glemail.com>

Add support for wildcard matching of network interface names.  This is
useful for auto-generated interfaces, for example podman creates network
interfaces for containers with the naming scheme podman0, podman1,
podman2, ...

Since the wildcard characters '?' and '*' should be very uncommon in
network interface names, and thus if netifcon definitions, avoid
introducing a new policy version or capability.

Netifcon definitions are compared against in the order given by the
policy, so userspace tools should sort them in a reasonable order.

Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
---
 security/selinux/include/security.h | 2 +-
 security/selinux/ss/services.c      | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 10949df22fa4..f6e7ba57a1fc 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -298,7 +298,7 @@ int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
 
 int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid);
 
-int security_netif_sid(char *name, u32 *if_sid);
+int security_netif_sid(const char *name, u32 *if_sid);
 
 int security_node_sid(u16 domain, void *addr, u32 addrlen, u32 *out_sid);
 
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 55fdc7ca232b..2f878fa99692 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -46,6 +46,7 @@
 #include <linux/in.h>
 #include <linux/sched.h>
 #include <linux/audit.h>
+#include <linux/parser.h>
 #include <linux/vmalloc.h>
 #include <linux/lsm_hooks.h>
 #include <net/netlabel.h>
@@ -2554,7 +2555,7 @@ int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid)
  * @name: interface name
  * @if_sid: interface SID
  */
-int security_netif_sid(char *name, u32 *if_sid)
+int security_netif_sid(const char *name, u32 *if_sid)
 {
 	struct selinux_policy *policy;
 	struct policydb *policydb;
@@ -2576,7 +2577,7 @@ int security_netif_sid(char *name, u32 *if_sid)
 
 	c = policydb->ocontexts[OCON_NETIF];
 	while (c) {
-		if (strcmp(name, c->u.name) == 0)
+		if (match_wildcard(c->u.name, name))
 			break;
 		c = c->next;
 	}
-- 
2.45.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ