From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
Add support for wildcard matching of network interface names. This is useful for auto-generated interfaces, for example podman creates network interfaces for containers with the naming scheme podman0, podman1, podman2, ... Since the wildcard characters '?' and '*' should be very uncommon in network interface names, and thus if netifcon definitions, avoid introducing a new policy version or capability. Netifcon definitions are compared against in the order given by the policy, so userspace tools should sort them in a reasonable order.
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
 security/selinux/include/security.h | 2 +-
 security/selinux/ss/services.c | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 10949df22fa4..f6e7ba57a1fc 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -298,7 +298,7 @@ int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
 int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid);
-int security_netif_sid(char *name, u32 *if_sid);
+int security_netif_sid(const char *name, u32 *if_sid);
 int security_node_sid(u16 domain, void *addr, u32 addrlen, u32 *out_sid);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 55fdc7ca232b..2f878fa99692 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -46,6 +46,7 @@
 #include <linux/in.h>
 #include <linux/sched.h>
 #include <linux/audit.h>
+#include <linux/parser.h>
 #include <linux/vmalloc.h>
 #include <linux/lsm_hooks.h>
 #include <net/netlabel.h>
@@ -2554,7 +2555,7 @@ int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid)
 * @name: interface name
 * @if_sid: interface SID
 */
-int security_netif_sid(char *name, u32 *if_sid)
+int security_netif_sid(const char *name, u32 *if_sid)
 {
 struct selinux_policy *policy;
 struct policydb *policydb;
@@ -2576,7 +2577,7 @@ int security_netif_sid(char *name, u32 *if_sid)
 c = policydb->ocontexts[OCON_NETIF];
 while (c) {
-if (strcmp(name, c->u.name) == 0)
+if (match_wildcard(c->u.name, name))
 break;
 c = c->next;
 }
--
2.45.2
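Review bot: The kerneldoc block directly above the changed signature still documents @name as a plain "interface name", but the lookup in this function now treats each netifcon name from the policy as a wildcard pattern, so the contract visible to callers of security_netif_sid() no longer matches its documentation. I would update the parameter line to `* @name: interface name, matched against netifcon entries as wildcard patterns ('?', '*'); the first match in policy order wins` and add a sentence to the function description noting that a policy netifcon name containing a literal '?' or '*' is no longer compared byte-for-byte. The body of security_netif_sid() continues outside this hunk.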
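Review bot: The loop keeps first-match semantics, so once wildcards are allowed an early broad entry shadows every more specific netifcon listed after it, and nothing in the kernel detects or reports that overlap; the argument order of match_wildcard() (pattern first, then the interface name) is also easy to get wrong in a later refactor since both are `const char *`. I would document both at the call site, e.g. `/* c->u.name is the policy pattern; first matching netifcon wins, so overlapping wildcard entries are resolved purely by policy order */`. Matching cost is bounded by the short interface-name length, so I do not see a DoS angle here, though that depends on the match_wildcard() implementation rather than on anything visible in the hunk. The enclosing function starts outside this hunk.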