Re: [PATCH] selinux: get netlabel_wildcard policycap from policy instead of cache

From: Christian Göttsche
Date: Fri Mar 14 2025 - 09:01:42 EST


On Wed, 12 Mar 2025 at 14:04, Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Wed, Mar 12, 2025 at 4:01 AM Christian Göttsche
> <cgoettsche@xxxxxxxxxxxxx> wrote:
> >
> > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> >
> > Retrieve the netlabel_wildcard policy capability in security_netif_sid()
> > from the locked active policy instead of the cached value in
> > selinux_state.
> >
> > Fixes: 8af43b61c17e ("selinux: support wildcard network interface names")
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
>
> Do we have tests for this feature? I didn't see any.

No.

Is there a way to retrieve the context of a network interface without
actually sending packets? (Then one could simply use `ip link add
$name_to_test type dummy`).

> > ---
> > security/selinux/ss/services.c | 3 +--
> > 1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> > index 1b11648d9b85..e431772c6168 100644
> > --- a/security/selinux/ss/services.c
> > +++ b/security/selinux/ss/services.c
> > @@ -2587,14 +2587,13 @@ int security_netif_sid(const char *name, u32 *if_sid)
> > return 0;
> > }
> >
> > - wildcard_support = selinux_policycap_netif_wildcard();
> > -
> > retry:
> > rc = 0;
> > rcu_read_lock();
> > policy = rcu_dereference(selinux_state.policy);
> > policydb = &policy->policydb;
> > sidtab = policy->sidtab;
> > + wildcard_support = ebitmap_get_bit(&policydb->policycaps, POLICYDB_CAP_NETIF_WILDCARD);
> >
> > c = policydb->ocontexts[OCON_NETIF];
> > while (c) {
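Review bot: Moving the read below rcu_dereference(selinux_state.policy) and after the retry: label is the right fix, since the capability bit is now taken from the same policydb whose ocontexts[OCON_NETIF] list is walked, and a policy reload that forces a retry re-reads the bit from the new policy instead of reusing a value cached before the lock was taken. It would help to spell out that stale-cache window in the commit message (a policy load between the old selinux_policycap_netif_wildcard() call and rcu_read_lock() could leave wildcard_support disagreeing with the policy being searched). Also note the new ebitmap_get_bit(&policydb->policycaps, ...) line is well over 80 columns; wrapping the second argument onto its own line would keep it within the usual kernel style limit.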
> > --
> > 2.47.2
> >