Message-ID: <CAJ2a_Dc4pNdL8bp_wydmRmQ46GXkWhcA5jTVApF3E415stcA=A@mail.gmail.com>
Date: Fri, 14 Mar 2025 14:01:21 +0100
From: Christian Göttsche <cgzones@...glemail.com>
To: Stephen Smalley <stephen.smalley.work@...il.com>
Cc: Paul Moore <paul@...l-moore.com>, Ondrej Mosnacek <omosnace@...hat.com>,
Casey Schaufler <casey@...aufler-ca.com>, Thiébaud Weksteen <tweek@...gle.com>,
Mimi Zohar <zohar@...ux.ibm.com>, GUO Zihua <guozihua@...wei.com>,
Canfeng Guo <guocanfeng@...ontech.com>, selinux@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] selinux: get netlabel_wildcard policycap from policy instead of cache
On Wed, 12 Mar 2025 at 14:04, Stephen Smalley
<stephen.smalley.work@...il.com> wrote:
>
> On Wed, Mar 12, 2025 at 4:01 AM Christian Göttsche
> <cgoettsche@...tendoof.de> wrote:
> >
> > From: Christian Göttsche <cgzones@...glemail.com>
> >
> > Retrieve the netlabel_wildcard policy capability in security_netif_sid()
> > from the locked active policy instead of the cached value in
> > selinux_state.
> >
> > Fixes: 8af43b61c17e ("selinux: support wildcard network interface names")
> > Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@...il.com>
>
> Do we have tests for this feature? I didn't see any.
No.
Is there a way to retrieve the context of a network interface without
actually sending packets? (Then one could simply use `ip link add
$name_to_test type dummy`).
> > ---
> > security/selinux/ss/services.c | 3 +--
> > 1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> > index 1b11648d9b85..e431772c6168 100644
> > --- a/security/selinux/ss/services.c
> > +++ b/security/selinux/ss/services.c
> > @@ -2587,14 +2587,13 @@ int security_netif_sid(const char *name, u32 *if_sid)
> > return 0;
> > }
> >
> > - wildcard_support = selinux_policycap_netif_wildcard();
> > -
> > retry:
> > rc = 0;
> > rcu_read_lock();
> > policy = rcu_dereference(selinux_state.policy);
> > policydb = &policy->policydb;
> > sidtab = policy->sidtab;
> > + wildcard_support = ebitmap_get_bit(&policydb->policycaps, POLICYDB_CAP_NETIF_WILDCARD);
> >
> > c = policydb->ocontexts[OCON_NETIF];
> > while (c) {
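Review bot: placing the `ebitmap_get_bit()` read after the `retry:` label rather than before it is the right choice, and the commit message should say why: if the sidtab lookup further down forces a retry because the policy was reloaded, the capability is re-read from the same `policydb` whose `ocontexts[OCON_NETIF]` list is then walked, so the wildcard decision and the netif contexts always come from one policy snapshot instead of a cached value that may predate the reload. This hunk also removes a caller of `selinux_policycap_netif_wildcard()`; please check whether any callers remain and, if not, drop the now-unused helper in the same series so it does not linger as dead code.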
> > --
> > 2.47.2
> >