Open Source and information security mailing list archives
 
Message-ID: <CAJ2a_DdDnBeCgXuoVC0yRZT6+R8h4z85q+Vw81Oaw5ahvm7dJQ@mail.gmail.com>
Date: Tue, 7 Jan 2025 15:05:35 +0100
From: Christian Göttsche <cgzones@...glemail.com>
To: selinux@...r.kernel.org
Cc: Paul Moore <paul@...l-moore.com>, Stephen Smalley <stephen.smalley.work@...il.com>, 
	Ondrej Mosnacek <omosnace@...hat.com>, Thiébaud Weksteen <tweek@...gle.com>, 
	Bram Bonné <brambonne@...gle.com>, 
	Casey Schaufler <casey@...aufler-ca.com>, GUO Zihua <guozihua@...wei.com>, 
	Canfeng Guo <guocanfeng@...ontech.com>, linux-kernel@...r.kernel.org, 
	John Johansen <john.johansen@...onical.com>, cgzones@...glemail.com
Subject: Re: [RFC PATCH] selinux: support wildcard network interface names

On Tue, 17 Dec 2024 at 15:11, Christian Göttsche
<cgoettsche@...tendoof.de> wrote:
>
> From: Christian Göttsche <cgzones@...glemail.com>
>
> Add support for wildcard matching of network interface names.  This is
> useful for auto-generated interfaces, for example podman creates network
> interfaces for containers with the naming scheme podman0, podman1,
> podman2, ...
>
> Since the wildcard characters '?' and '*' should be very uncommon in
> network interface names, and thus in netifcon definitions, avoid
> introducing a new policy version or capability.
>
> Netifcon definitions are compared against in the order given by the
> policy, so userspace tools should sort them in a reasonable order.

Kindly ping.
Any comments on this one?

> Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
> ---
>  security/selinux/include/security.h | 2 +-
>  security/selinux/ss/services.c      | 5 +++--
>  2 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 10949df22fa4..f6e7ba57a1fc 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -298,7 +298,7 @@ int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
>
>  int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid);
>
> -int security_netif_sid(char *name, u32 *if_sid);
> +int security_netif_sid(const char *name, u32 *if_sid);
>
>  int security_node_sid(u16 domain, void *addr, u32 addrlen, u32 *out_sid);
>
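Review bot: the commit message does not say why the prototype of security_netif_sid() changes at all; the `const char *name` form is required because match_wildcard() in <linux/parser.h> takes `const char *` for both its arguments, and a sentence to that effect in the description would save reviewers a trip to lib/parser.c. Existing callers that pass a `char *` stay source-compatible with the new prototype, so no caller changes are needed.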
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 55fdc7ca232b..2f878fa99692 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -46,6 +46,7 @@
>  #include <linux/in.h>
>  #include <linux/sched.h>
>  #include <linux/audit.h>
> +#include <linux/parser.h>
>  #include <linux/vmalloc.h>
>  #include <linux/lsm_hooks.h>
>  #include <net/netlabel.h>
> @@ -2554,7 +2555,7 @@ int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid)
>   * @name: interface name
>   * @if_sid: interface SID
>   */
> -int security_netif_sid(char *name, u32 *if_sid)
> +int security_netif_sid(const char *name, u32 *if_sid)
>  {
>         struct selinux_policy *policy;
>         struct policydb *policydb;
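Review bot: the kernel-doc above this function still reads `@name: interface name`, but after this patch the policy-side names are glob patterns and the lookup returns the first entry that matches in policy order. The comment should state that netifcon names may contain '*' and '?' and that the first match wins, since that ordering dependence is now part of the function's contract rather than an implementation detail.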
> @@ -2576,7 +2577,7 @@ int security_netif_sid(char *name, u32 *if_sid)
>
>         c = policydb->ocontexts[OCON_NETIF];
>         while (c) {
> -               if (strcmp(name, c->u.name) == 0)
> +               if (match_wildcard(c->u.name, name))
>                         break;
>                 c = c->next;
>         }
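Review bot: the loop breaks on the first match_wildcard() hit, so a policy that lists `podman*` ahead of `podman0` silently shadows the exact entry, and nothing in the kernel guards against that beyond the commit message's request that userspace sort entries sensibly. A cheap way to remove the dependence on policy order is a two-pass search, `strcmp()` over all entries first and match_wildcard() only when no literal name matched; failing that, the first-match rule should at least be documented in the kernel-doc. The argument order match_wildcard(pattern, str) is correct here, with `c->u.name` as the pattern. Since an existing netifcon whose name happens to contain '*' or '?' changes meaning after this patch with no policy version or capability to gate it, a brief comment at the call site recording that such names are assumed not to occur would help anyone auditing this later.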
> --
> 2.45.2
>
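The first-match semantics of the patched loop, and the ordering that the commit message leaves to userspace, as an added user-space example (not part of the patch or of the SELinux code base): glob_match() re-implements the '*' and '?' rules of the kernel's match_wildcard() so the file builds without kernel headers, the netifcon entries, SIDs and interface names are constructed test data, and specificity_cmp() is one hypothetical sort order a policy tool might emit, not anything the patch or the SELinux userspace defines.

```c
/* Added example, not kernel code: models the first-match netifcon lookup
 * that the patch introduces and shows why policy order matters. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct netifcon {
	const char *name;  /* literal name or glob pattern from the policy */
	unsigned int sid;  /* interface SID (constructed values) */
};

/* Glob match with the same rules as match_wildcard(): '*' matches any run
 * of characters (including none), '?' matches exactly one character. */
bool glob_match(const char *pattern, const char *str)
{
	const char *star = NULL, *s_star = NULL;

	while (*str) {
		if (*pattern == '*') {
			star = pattern++;	/* remember backtrack point */
			s_star = str;
		} else if (*pattern == '?' || *pattern == *str) {
			pattern++;
			str++;
		} else if (star) {
			pattern = star + 1;	/* let the '*' absorb one more char */
			str = ++s_star;
		} else {
			return false;
		}
	}
	while (*pattern == '*')
		pattern++;
	return *pattern == '\0';
}

/* First-match walk in the order given, mirroring the patched loop in
 * security_netif_sid(); returns true and sets *sid on a hit. */
bool netif_lookup(const struct netifcon *ocon, size_t n,
		  const char *ifname, unsigned int *sid)
{
	for (size_t i = 0; i < n; i++) {
		if (glob_match(ocon[i].name, ifname)) {
			*sid = ocon[i].sid;
			return true;
		}
	}
	return false;
}

/* Constructed policy in the order a naive generator might emit it: the
 * catch-all pattern precedes the exact name it was meant to supplement. */
static const struct netifcon policy[] = {
	{ "podman*", 100 },	/* generic container bridges */
	{ "podman0", 101 },	/* intended special case, but shadowed */
	{ "eth?",    200 },
	{ "*",       999 },	/* fallback for everything else */
};
#define NPOLICY (sizeof(policy) / sizeof(policy[0]))

/* SID of ifname with the policy searched exactly as written (0 = no match). */
unsigned int sid_as_given(const char *ifname)
{
	unsigned int sid = 0;

	netif_lookup(policy, NPOLICY, ifname, &sid);
	return sid;
}

static int wildcard_chars(const char *s)
{
	int n = 0;

	for (; *s; s++)
		if (*s == '*' || *s == '?')
			n++;
	return n;
}

/* Hypothetical userspace ordering: literal names first, then patterns
 * with fewer wildcards, then longer (more literal) patterns first. */
static int specificity_cmp(const void *a, const void *b)
{
	const struct netifcon *x = a, *y = b;
	int wx = wildcard_chars(x->name), wy = wildcard_chars(y->name);

	if (wx != wy)
		return wx - wy;
	return (int)strlen(y->name) - (int)strlen(x->name);
}

/* SID of ifname after sorting the same entries most-specific first. */
unsigned int sid_sorted(const char *ifname)
{
	struct netifcon sorted[NPOLICY];
	unsigned int sid = 0;

	memcpy(sorted, policy, sizeof(policy));
	qsort(sorted, NPOLICY, sizeof(sorted[0]), specificity_cmp);
	netif_lookup(sorted, NPOLICY, ifname, &sid);
	return sid;
}

int main(void)
{
	const char *names[] = { "podman0", "podman3", "eth0", "eth10", "wlan0" };

	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-8s as given: %u  sorted: %u\n", names[i],
		       sid_as_given(names[i]), sid_sorted(names[i]));
	return 0;
}
```

With the entries as written, podman0 resolves to the generic `podman*` SID because that line is reached first; after sorting literal names ahead of patterns, the same policy gives it the intended SID. Nothing in the kernel-side loop distinguishes the two cases, which is the ordering burden the commit message places on userspace tools.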
