On Tue, 17 Dec 2024 at 15:11, Christian Göttsche <cgoettsche@xxxxxxxxxxxxx> wrote: > > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > Add support for wildcard matching of network interface names. This is > useful for auto-generated interfaces, for example podman creates network > interfaces for containers with the naming scheme podman0, podman1, > podman2, ... > > Since the wildcard characters '?' and '*' should be very uncommon in > network interface names, and thus in netifcon definitions, avoid > introducing a new policy version or capability. > > Netifcon definitions are compared against in the order given by the > policy, so userspace tools should sort them in a reasonable order. Kindly ping. Any comments on this one? > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > --- > security/selinux/include/security.h | 2 +- > security/selinux/ss/services.c | 5 +++-- > 2 files changed, 4 insertions(+), 3 deletions(-) > > diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h > index 10949df22fa4..f6e7ba57a1fc 100644 > --- a/security/selinux/include/security.h > +++ b/security/selinux/include/security.h > @@ -298,7 +298,7 @@ int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid); > > int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid); > > -int security_netif_sid(char *name, u32 *if_sid); > +int security_netif_sid(const char *name, u32 *if_sid); > > int security_node_sid(u16 domain, void *addr, u32 addrlen, u32 *out_sid); > > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c > index 55fdc7ca232b..2f878fa99692 100644 > --- a/security/selinux/ss/services.c > +++ b/security/selinux/ss/services.c > @@ -46,6 +46,7 @@ > #include <linux/in.h> > #include <linux/sched.h> > #include <linux/audit.h> > +#include <linux/parser.h> > #include <linux/vmalloc.h> > #include <linux/lsm_hooks.h> > #include <net/netlabel.h> 
> @@ -2554,7 +2555,7 @@ int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid) > * @name: interface name > * @if_sid: interface SID > */ > -int security_netif_sid(char *name, u32 *if_sid) > +int security_netif_sid(const char *name, u32 *if_sid) > { > struct selinux_policy *policy; > struct policydb *policydb; > @@ -2576,7 +2577,7 @@ int security_netif_sid(char *name, u32 *if_sid) > > c = policydb->ocontexts[OCON_NETIF]; > while (c) { > - if (strcmp(name, c->u.name) == 0) > + if (match_wildcard(c->u.name, name)) > break; > c = c->next; > } > -- > 2.45.2 >
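Review bot: the `-int security_netif_sid(char *name, u32 *if_sid);` / `+int security_netif_sid(const char *name, u32 *if_sid);` change in the security.h hunk (and the matching definition hunk in services.c) is independent of the wildcard feature, since a `char *` argument converts to the `const char *` parameter of `match_wildcard()` without a cast anyway; splitting the constification into its own preparatory patch would leave this patch with the single behavioural change in the `while (c)` loop, which is easier to bisect and to revert on its own.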
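Review bot: in the `while (c)` loop in services.c, swapping `strcmp(name, c->u.name) == 0` for `match_wildcard(c->u.name, name)` turns the lookup into first-match-wins over an ordered list, so a policy that emits `netifcon podman*` before `netifcon podman0` silently shadows the exact entry; the commit message delegates this to userspace sorting, but the kernel could cheaply prefer a literal match (for example a first pass with `strcmp()` before the wildcard pass, or keep scanning after a wildcard hit and break only on an exact one) so the result does not depend on compiler output order. Two further points for the commit message: any existing netifcon name that already contains a literal `?` or `*` changes meaning with no policy version or capability to signal it, and on an older kernel, where the comparison is still the plain `strcmp()`, a `podman*` entry simply never matches, so policy authors need to know that the feature degrades silently rather than loudly.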
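To make the ordering point from the commit message concrete, here is an added userspace model of the netifcon lookup loop after the patch; it is example code written for this review, not part of the patch or of the kernel tree. wildcard_match() re-implements the semantics of the kernel's match_wildcard() as I understand them (an assumption: '*' matches any run of characters including none, '?' matches exactly one character, everything else is literal, no escaping). The two netifcon tables, the context labels and the netif_lookup_exact_first() variant are constructed for the demonstration and are not names from the SELinux code base.

```c
/*
 * Added example, not code from the patch or from the kernel tree: a userspace
 * model of the netifcon lookup loop after this patch, to show why policy order
 * now matters and how an exact-match-first variant would behave.
 *
 * wildcard_match() re-implements the semantics of the kernel's match_wildcard()
 * as I understand them (assumption): '*' matches any run of characters,
 * including none; '?' matches exactly one character; everything else is
 * literal. No escaping, no character classes.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

static bool wildcard_match(const char *pattern, const char *str)
{
	const char *star_p = NULL; /* pattern position just after the last '*' seen */
	const char *star_s = NULL; /* first string character the last '*' does not yet cover */

	while (*str) {
		if (*pattern == '*') {
			star_p = ++pattern;
			star_s = str;
		} else if (*pattern == '?' || *pattern == *str) {
			pattern++;
			str++;
		} else if (star_p) {
			/* Mismatch: let the last '*' absorb one more character and retry. */
			pattern = star_p;
			str = ++star_s;
		} else {
			return false;
		}
	}
	while (*pattern == '*')
		pattern++;
	return *pattern == '\0';
}

/* Constructed stand-in for one policydb netifcon entry (OCON_NETIF). */
struct netifcon {
	const char *name;   /* interface name or pattern, as written in the policy */
	const char *if_ctx; /* label standing in for the interface SID */
};

/* Constructed policy with the wildcard listed first, as a compiler might emit it. */
static const struct netifcon shadowing_policy[] = {
	{ "podman*", "podman_any_netif_t" },
	{ "podman0", "podman0_netif_t" },
	{ "eth?",    "eth_netif_t" },
};

/* Same entries with literal names first, as the commit message asks userspace to sort them. */
static const struct netifcon sorted_policy[] = {
	{ "podman0", "podman0_netif_t" },
	{ "eth?",    "eth_netif_t" },
	{ "podman*", "podman_any_netif_t" },
};

/* First-match lookup, mirroring the while (c) loop in security_netif_sid() after the patch. */
static const char *netif_lookup(const struct netifcon *tab, size_t n, const char *ifname)
{
	for (size_t i = 0; i < n; i++)
		if (wildcard_match(tab[i].name, ifname))
			return tab[i].if_ctx;
	return "default_netif"; /* nothing matched; stands in for the kernel's fallback */
}

/* Hypothetical reviewer variant: a literal entry wins regardless of its position. */
static const char *netif_lookup_exact_first(const struct netifcon *tab, size_t n,
					    const char *ifname)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(tab[i].name, ifname) == 0)
			return tab[i].if_ctx;
	return netif_lookup(tab, n, ifname);
}

int main(void)
{
	const char *ifs[] = { "podman0", "podman1", "eth0", "eth10", "veth3" };

	for (size_t i = 0; i < ARRAY_LEN(ifs); i++)
		printf("%-8s shadowing=%-20s sorted=%-20s exact-first=%s\n", ifs[i],
		       netif_lookup(shadowing_policy, ARRAY_LEN(shadowing_policy), ifs[i]),
		       netif_lookup(sorted_policy, ARRAY_LEN(sorted_policy), ifs[i]),
		       netif_lookup_exact_first(shadowing_policy, ARRAY_LEN(shadowing_policy), ifs[i]));
	return 0;
}
```

With the shadowing table, podman0 resolves to podman_any_netif_t because the wildcard entry is reached first; the sorted table and the exact-first variant both return podman0_netif_t, and an interface no entry covers (veth3) falls through to the default in every case.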