From 805acad4a959c96a5813a86b12f648f71942f1a6 Mon Sep 17 00:00:00 2001 From: Andrea Claudi Date: Wed, 20 Sep 2023 18:38:33 +0200 Subject: [PATCH] iproute-6.2.0-4.el8 * Wed Sep 20 2023 Andrea Claudi - 6.2.0-4.el8 - ip vrf: make ipvrf_exec SELinux-aware (Andrea Claudi) [1780023] - lib: add SELinux include and stub functions (Andrea Claudi) [1780023] - ss: make SELinux stub functions conformant to API definitions (Andrea Claudi) [1780023] - ss: make is_selinux_enabled stub work like in SELinux (Andrea Claudi) [1780023] Resolves: rhbz#1780023 Signed-off-by: Andrea Claudi --- ...ux_enabled-stub-work-like-in-SELinux.patch | 55 ++++++ ...stub-functions-conformant-to-API-def.patch | 52 ++++++ ...d-SELinux-include-and-stub-functions.patch | 156 ++++++++++++++++++ ...ip-vrf-make-ipvrf_exec-SELinux-aware.patch | 81 +++++++++ iproute.spec | 12 +- 5 files changed, 355 insertions(+), 1 deletion(-) create mode 100644 0004-ss-make-is_selinux_enabled-stub-work-like-in-SELinux.patch create mode 100644 0005-ss-make-SELinux-stub-functions-conformant-to-API-def.patch create mode 100644 0006-lib-add-SELinux-include-and-stub-functions.patch create mode 100644 0007-ip-vrf-make-ipvrf_exec-SELinux-aware.patch diff --git a/0004-ss-make-is_selinux_enabled-stub-work-like-in-SELinux.patch b/0004-ss-make-is_selinux_enabled-stub-work-like-in-SELinux.patch new file mode 100644 index 0000000..7696fd2 --- /dev/null +++ b/0004-ss-make-is_selinux_enabled-stub-work-like-in-SELinux.patch 
@@ -0,0 +1,55 @@ +From dcff6d4c73cd9c33b4103a4505ecebe6852f63df Mon Sep 17 00:00:00 2001 +Message-ID: +In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com> +References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com> +From: Andrea Claudi +Date: Tue, 5 Sep 2023 12:44:19 +0200 +Subject: [PATCH] ss: make is_selinux_enabled stub work like in SELinux + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023 +Upstream Status: iproute2-next.git commit c8970828 + +commit c8970828b6509af3ab0f2982da335fb6a6c846af +Author: Andrea Claudi +Date: Wed Aug 23 19:29:59 2023 +0200 + + ss: make is_selinux_enabled stub work like in SELinux + + From the is_selinux_enabled() manpage: + + is_selinux_enabled() returns 1 if SELinux is running or 0 if it is not. + + This makes the is_selinux_enabled() stub functions works exactly like + the SELinux function it is supposed to replace. + + Signed-off-by: Andrea Claudi + Signed-off-by: David Ahern +--- + misc/ss.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/misc/ss.c b/misc/ss.c +index de02fccb..d2dffbf8 100644 +--- a/misc/ss.c ++++ b/misc/ss.c +@@ -77,7 +77,7 @@ + /* Stubs for SELinux functions */ + static int is_selinux_enabled(void) + { +- return -1; ++ return 0; + } + + static int getpidcon(pid_t pid, char **context) +@@ -5684,7 +5684,7 @@ int main(int argc, char *argv[]) + show_sock_ctx++; + /* fall through */ + case 'Z': +- if (is_selinux_enabled() <= 0) { ++ if (!is_selinux_enabled()) { + fprintf(stderr, "ss: SELinux is not enabled.\n"); + exit(1); + } +-- +2.41.0 + diff --git a/0005-ss-make-SELinux-stub-functions-conformant-to-API-def.patch b/0005-ss-make-SELinux-stub-functions-conformant-to-API-def.patch new file mode 100644 index 0000000..4896199 --- /dev/null +++ b/0005-ss-make-SELinux-stub-functions-conformant-to-API-def.patch 
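Review bot: The rewritten guard under `case 'Z':` now treats any nonzero return of is_selinux_enabled() as "enabled", while the replaced `<= 0` form also rejected a negative error return; the manpage wording quoted in the commit promises only 0 or 1 for current libselinux, but to my recollection older releases could return -1 when the selinuxfs probe failed, and the HAVE_SELINUX build links the real library rather than the stub. Keeping the defensive comparison costs nothing and works with the stub's new return value as well: `if (is_selinux_enabled() <= 0) {`. The stub change itself is fine and matches the documented API. The body of main() continues outside the hunk.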
@@ -0,0 +1,52 @@ +From d59fc35f66f5d0d6e7b3209c21f2c891a2ba0768 Mon Sep 17 00:00:00 2001 +Message-ID: +In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com> +References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com> +From: Andrea Claudi +Date: Tue, 5 Sep 2023 12:44:19 +0200 +Subject: [PATCH] ss: make SELinux stub functions conformant to API definitions + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023 +Upstream Status: iproute2-next.git commit 61c6882c + +commit 61c6882ce21c1247c06cd61783120be0a2e2019c +Author: Andrea Claudi +Date: Wed Aug 23 19:30:00 2023 +0200 + + ss: make SELinux stub functions conformant to API definitions + + getfilecon() and security_get_initial_context() use the const qualifier + for their first paramater in SELinux APIs. + + This commit adds the const qualifier to these functions, making them + conformant to API definitions. + + Signed-off-by: Andrea Claudi + Signed-off-by: David Ahern +--- + misc/ss.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/misc/ss.c b/misc/ss.c +index d2dffbf8..fe19f489 100644 +--- a/misc/ss.c ++++ b/misc/ss.c +@@ -86,13 +86,13 @@ static int getpidcon(pid_t pid, char **context) + return -1; + } + +-static int getfilecon(char *path, char **context) ++static int getfilecon(const char *path, char **context) + { + *context = NULL; + return -1; + } + +-static int security_get_initial_context(char *name, char **context) ++static int security_get_initial_context(const char *name, char **context) + { + *context = NULL; + return -1; +-- +2.41.0 + diff --git a/0006-lib-add-SELinux-include-and-stub-functions.patch b/0006-lib-add-SELinux-include-and-stub-functions.patch new file mode 100644 index 0000000..169093b --- /dev/null +++ b/0006-lib-add-SELinux-include-and-stub-functions.patch 
@@ -0,0 +1,156 @@ +From 0e71f7774a764c0a19037b79b71d7146769082ac Mon Sep 17 00:00:00 2001 +Message-ID: <0e71f7774a764c0a19037b79b71d7146769082ac.1695227714.git.aclaudi@redhat.com> +In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com> +References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com> +From: Andrea Claudi +Date: Tue, 5 Sep 2023 12:44:19 +0200 +Subject: [PATCH] lib: add SELinux include and stub functions + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023 +Upstream Status: iproute2-next.git commit e246ebc3 + +commit e246ebc3b7f1f438310ad6fd1d5976ba6ccf7a69 +Author: Andrea Claudi +Date: Wed Aug 23 19:30:01 2023 +0200 + + lib: add SELinux include and stub functions + + ss provides some selinux stub functions, useful when iproute2 is + compiled without selinux support. + + Move them to lib/ so we can use them in other iproute2 tools. + + Signed-off-by: Andrea Claudi + 
Signed-off-by: David Ahern +--- + include/selinux.h | 9 +++++++++ + lib/Makefile | 4 ++++ + lib/selinux.c | 32 ++++++++++++++++++++++++++++++++ + misc/ss.c | 34 +--------------------------------- + 4 files changed, 46 insertions(+), 33 deletions(-) + create mode 100644 include/selinux.h + create mode 100644 lib/selinux.c + +diff --git a/include/selinux.h b/include/selinux.h +new file mode 100644 +index 00000000..499aa966 +--- /dev/null ++++ b/include/selinux.h +@@ -0,0 +1,9 @@ ++#if HAVE_SELINUX ++#include ++#else ++int is_selinux_enabled(void); ++void freecon(char *context); ++int getpidcon(pid_t pid, char **context); ++int getfilecon(const char *path, char **context); ++int security_get_initial_context(const char *name, char **context); ++#endif +diff --git a/lib/Makefile b/lib/Makefile +index ddedd37f..aa7bbd2e 100644 +--- a/lib/Makefile ++++ b/lib/Makefile +@@ -13,6 +13,10 @@ UTILOBJ += bpf_libbpf.o + endif + endif + ++ifneq ($(HAVE_SELINUX),y) ++UTILOBJ += selinux.o ++endif ++ + NLOBJ=libgenl.o libnetlink.o + ifeq ($(HAVE_MNL),y) + NLOBJ += mnl_utils.o +diff --git a/lib/selinux.c b/lib/selinux.c +new file mode 100644 +index 00000000..4e6805fc +--- /dev/null ++++ b/lib/selinux.c +@@ -0,0 +1,32 @@ ++#include ++#include ++#include "selinux.h" ++ ++/* Stubs for SELinux functions */ ++int is_selinux_enabled(void) ++{ ++ return 0; ++} ++ ++void freecon(char *context) ++{ ++ free(context); ++} ++ ++int getpidcon(pid_t pid, char **context) ++{ ++ *context = NULL; ++ return -1; ++} ++ ++int getfilecon(const char *path, char **context) ++{ ++ *context = NULL; ++ return -1; ++} ++ ++int security_get_initial_context(const char *name, char **context) ++{ ++ *context = NULL; ++ return -1; ++} +diff --git a/misc/ss.c b/misc/ss.c +index fe19f489..6e18bf0c 100644 +--- a/misc/ss.c ++++ b/misc/ss.c +@@ -33,6 +33,7 @@ + #include "version.h" + #include "rt_names.h" + #include "cg_map.h" ++#include "selinux.h" + + #include + #include +@@ -71,39 +72,6 @@ + #define BUF_CHUNKS_MAX 5 
/* Maximum number of allocated buffer chunks */ + #define LEN_ALIGN(x) (((x) + 1) & ~1) + +-#if HAVE_SELINUX +-#include +-#else +-/* Stubs for SELinux functions */ +-static int is_selinux_enabled(void) +-{ +- return 0; +-} +- +-static int getpidcon(pid_t pid, char **context) +-{ +- *context = NULL; +- return -1; +-} +- +-static int getfilecon(const char *path, char **context) +-{ +- *context = NULL; +- return -1; +-} +- +-static int security_get_initial_context(const char *name, char **context) +-{ +- *context = NULL; +- return -1; +-} +- +-static void freecon(char *context) +-{ +- free(context); +-} +-#endif +- + int preferred_family = AF_UNSPEC; + static int show_options; + int show_details; +-- +2.41.0 + diff --git a/0007-ip-vrf-make-ipvrf_exec-SELinux-aware.patch b/0007-ip-vrf-make-ipvrf_exec-SELinux-aware.patch new file mode 100644 index 0000000..d87cf48 --- /dev/null +++ b/0007-ip-vrf-make-ipvrf_exec-SELinux-aware.patch @@ -0,0 +1,81 @@ +From 6bfcc5679d601c393e7d6ca6c78c2d7680c3e4f2 Mon Sep 17 00:00:00 2001 +Message-ID: <6bfcc5679d601c393e7d6ca6c78c2d7680c3e4f2.1695227714.git.aclaudi@redhat.com> +In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com> +References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com> +From: Andrea Claudi +Date: Tue, 5 Sep 2023 12:44:19 +0200 +Subject: [PATCH] ip vrf: make ipvrf_exec SELinux-aware + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023 +Upstream Status: iproute2-next.git commit 0d0eeaa6 + +commit 0d0eeaa6cb9218e57ce910fc3a8991b80da6393e +Author: Andrea Claudi +Date: Wed Aug 23 19:30:02 2023 +0200 + + ip vrf: make ipvrf_exec SELinux-aware + + When using ip vrf and SELinux is enabled, make sure to set the exec file + context before calling cmd_exec. + + This ensures that the command is executed with the right context, + falling back to the ifconfig_t context when needed. + + Signed-off-by: Andrea Claudi + 
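Review bot: The new include/selinux.h has no include guard and, in its `#else` branch, declares `int getpidcon(pid_t pid, char **context);` with nothing in that branch providing pid_t, so the header is not self-contained and compiles only when the includer has already pulled in <sys/types.h> (misc/ss.c and lib/selinux.c presumably do through their earlier includes, whose targets are not visible in this extraction). Since the commit message says the header is meant to be shared with other iproute2 tools, wrap it in `#ifndef __SELINUX_H__` / `#define __SELINUX_H__` … `#endif` and add `#include <sys/types.h>` before the stub prototypes. A one-line header comment in lib/selinux.c stating that these stubs are compiled only when HAVE_SELINUX is unset and always report "SELinux disabled" / "no context available" would also save the next reader a trip to lib/Makefile.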
Signed-off-by: David Ahern +--- + include/selinux.h | 1 + + ip/ipvrf.c | 6 ++++++ + lib/selinux.c | 5 +++++ + 3 files changed, 12 insertions(+) + +diff --git a/include/selinux.h b/include/selinux.h +index 499aa966..592c7680 100644 +--- a/include/selinux.h ++++ b/include/selinux.h +@@ -6,4 +6,5 @@ void freecon(char *context); + int getpidcon(pid_t pid, char **context); + int getfilecon(const char *path, char **context); + int security_get_initial_context(const char *name, char **context); ++int setexecfilecon(const char *filename, const char *fallback_type); + #endif +diff --git a/ip/ipvrf.c b/ip/ipvrf.c +index 0718bea8..b0dd2abe 100644 +--- a/ip/ipvrf.c ++++ b/ip/ipvrf.c +@@ -24,6 +24,7 @@ + #include "utils.h" + #include "ip_common.h" + #include "bpf_util.h" ++#include "selinux.h" + + #define CGRP_PROC_FILE "/cgroup.procs" + +@@ -455,6 +456,11 @@ static int ipvrf_exec(int argc, char **argv) + return -1; + } + ++ if (is_selinux_enabled() && setexecfilecon(argv[1], "ifconfig_t")) { ++ fprintf(stderr, "setexecfilecon for \"%s\" failed\n", argv[1]); ++ return -1; ++ } ++ + return -cmd_exec(argv[1], argv + 1, !!batch_mode, do_switch, argv[0]); + } + +diff --git a/lib/selinux.c b/lib/selinux.c +index 4e6805fc..7e5dd16d 100644 +--- a/lib/selinux.c ++++ b/lib/selinux.c +@@ -30,3 +30,8 @@ int security_get_initial_context(const char *name, char **context) + *context = NULL; + return -1; + } ++ ++int setexecfilecon(const char *filename, const char *fallback_type) ++{ ++ return -1; ++} +-- +2.41.0 + diff --git a/iproute.spec b/iproute.spec index 29f706a..28ebccd 100644 --- a/iproute.spec +++ b/iproute.spec @@ -1,7 +1,7 @@ Summary: Advanced IP routing and network device configuration tools Name: iproute Version: 6.2.0 -Release: 3%{?dist}%{?buildid} +Release: 4%{?dist}%{?buildid} %if 0%{?rhel} Group: Applications/System %endif 
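Review bot: In ipvrf_exec the new `setexecfilecon(argv[1], "ifconfig_t")` call passes the command exactly as the user typed it, so if cmd_exec (outside the hunk) resolves a bare name such as `ping` through PATH, libselinux will run getfilecon() on a relative path that does not exist in the current directory; as far as I recall that failure is only forgiven in permissive mode, so in enforcing mode the whole `ip vrf exec` aborts instead of falling back to ifconfig_t, because the fallback type applies only when the file lookup succeeds and yields no transition. Resolving argv[1] against PATH before the call, or documenting that an absolute path is required, avoids that; worth confirming against the exec variant cmd_exec uses. The error message should also say why it failed: `fprintf(stderr, "setexecfilecon for \"%s\" failed: %s\n", argv[1], strerror(errno));`. Note the `is_selinux_enabled() &&` short-circuit is what keeps the unconditional `-1` stub from ever being reached in non-SELinux builds. ipvrf_exec's body starts outside the hunk.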
@@ -11,6 +11,10 @@ Source1: rt_dsfield.deprecated Patch0: 0001-Update-kernel-headers.patch Patch1: 0002-macvlan-Add-bclim-parameter.patch Patch2: 0003-tc-add-missing-separator.patch +Patch3: 0004-ss-make-is_selinux_enabled-stub-work-like-in-SELinux.patch +Patch4: 0005-ss-make-SELinux-stub-functions-conformant-to-API-def.patch +Patch5: 0006-lib-add-SELinux-include-and-stub-functions.patch +Patch6: 0007-ip-vrf-make-ipvrf_exec-SELinux-aware.patch License: GPL-2.0-or-later AND NIST-PD BuildRequires: bison @@ -142,6 +146,12 @@ cat %{SOURCE1} >>%{buildroot}%{_sysconfdir}/iproute2/rt_dsfield %{_includedir}/iproute2/bpf_elf.h %changelog +* Wed Sep 20 2023 Andrea Claudi - 6.2.0-4.el8 +- ip vrf: make ipvrf_exec SELinux-aware (Andrea Claudi) [1780023] +- lib: add SELinux include and stub functions (Andrea Claudi) [1780023] +- ss: make SELinux stub functions conformant to API definitions (Andrea Claudi) [1780023] +- ss: make is_selinux_enabled stub work like in SELinux (Andrea Claudi) [1780023] + * Wed Jun 07 2023 Andrea Claudi - 6.2.0-3.el8 - tc: add missing separator (Andrea Claudi)