iproute-6.2.0-4.el8

* Wed Sep 20 2023 Andrea Claudi <aclaudi@redhat.com> - 6.2.0-4.el8
- ip vrf: make ipvrf_exec SELinux-aware (Andrea Claudi) [1780023]
- lib: add SELinux include and stub functions (Andrea Claudi) [1780023]
- ss: make SELinux stub functions conformant to API definitions (Andrea Claudi) [1780023]
- ss: make is_selinux_enabled stub work like in SELinux (Andrea Claudi) [1780023]
Resolves: rhbz#1780023

Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Andrea Claudi 2023-09-20 18:38:33 +02:00
parent de46600ae3
commit 805acad4a9
5 changed files with 355 additions and 1 deletions


@ -0,0 +1,55 @@
From dcff6d4c73cd9c33b4103a4505ecebe6852f63df Mon Sep 17 00:00:00 2001
Message-ID: <dcff6d4c73cd9c33b4103a4505ecebe6852f63df.1695227714.git.aclaudi@redhat.com>
In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
From: Andrea Claudi <aclaudi@redhat.com>
Date: Tue, 5 Sep 2023 12:44:19 +0200
Subject: [PATCH] ss: make is_selinux_enabled stub work like in SELinux
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023
Upstream Status: iproute2-next.git commit c8970828
commit c8970828b6509af3ab0f2982da335fb6a6c846af
Author: Andrea Claudi <aclaudi@redhat.com>
Date: Wed Aug 23 19:29:59 2023 +0200
ss: make is_selinux_enabled stub work like in SELinux
From the is_selinux_enabled() manpage:
is_selinux_enabled() returns 1 if SELinux is running or 0 if it is not.
This makes the is_selinux_enabled() stub function work exactly like
the SELinux function it is supposed to replace.
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
---
misc/ss.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/misc/ss.c b/misc/ss.c
index de02fccb..d2dffbf8 100644
--- a/misc/ss.c
+++ b/misc/ss.c
@@ -77,7 +77,7 @@
/* Stubs for SELinux functions */
static int is_selinux_enabled(void)
{
- return -1;
+ return 0;
}
static int getpidcon(pid_t pid, char **context)
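Review bot: returning 0 instead of -1 here is the right fix for the reason the commit message gives: the manpage contract is 1/0, and -1 is not a value the real function documents. Worth spelling out in the message that the old value was actively misleading, since `!is_selinux_enabled()` on a -1 evaluates to false and would have made a non-SELinux build look as if SELinux were enabled.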
@@ -5684,7 +5684,7 @@ int main(int argc, char *argv[])
show_sock_ctx++;
/* fall through */
case 'Z':
- if (is_selinux_enabled() <= 0) {
+ if (!is_selinux_enabled()) {
fprintf(stderr, "ss: SELinux is not enabled.\n");
exit(1);
}
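Review bot: the `<= 0` test being replaced was already correct under the 1/0 contract and additionally treated any negative value as "not enabled"; `!is_selinux_enabled()` drops that second property, so a negative return (the value the stub produced before this very patch, or an error code from a library build that reports one) now falls through to the context-printing path instead of the "SELinux is not enabled" exit. Suggest keeping `<= 0` so ss fails closed on anything other than an explicit 1.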
--
2.41.0


@ -0,0 +1,52 @@
From d59fc35f66f5d0d6e7b3209c21f2c891a2ba0768 Mon Sep 17 00:00:00 2001
Message-ID: <d59fc35f66f5d0d6e7b3209c21f2c891a2ba0768.1695227714.git.aclaudi@redhat.com>
In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
From: Andrea Claudi <aclaudi@redhat.com>
Date: Tue, 5 Sep 2023 12:44:19 +0200
Subject: [PATCH] ss: make SELinux stub functions conformant to API definitions
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023
Upstream Status: iproute2-next.git commit 61c6882c
commit 61c6882ce21c1247c06cd61783120be0a2e2019c
Author: Andrea Claudi <aclaudi@redhat.com>
Date: Wed Aug 23 19:30:00 2023 +0200
ss: make SELinux stub functions conformant to API definitions
getfilecon() and security_get_initial_context() use the const qualifier
for their first parameter in SELinux APIs.
This commit adds the const qualifier to these functions, making them
conformant to API definitions.
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
---
misc/ss.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/misc/ss.c b/misc/ss.c
index d2dffbf8..fe19f489 100644
--- a/misc/ss.c
+++ b/misc/ss.c
@@ -86,13 +86,13 @@ static int getpidcon(pid_t pid, char **context)
return -1;
}
-static int getfilecon(char *path, char **context)
+static int getfilecon(const char *path, char **context)
{
*context = NULL;
return -1;
}
-static int security_get_initial_context(char *name, char **context)
+static int security_get_initial_context(const char *name, char **context)
{
*context = NULL;
return -1;
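Review bot: the const-qualified prototypes now match libselinux's, which is what lets these stubs later be declared in a shared header next to the real ones. The `path` and `name` parameters stay unused in the stub bodies, so if the tree is ever built with -Wunused-parameter these will warn; a `(void)path;` / `(void)name;` line, or an unused attribute, would keep the stubs warning-clean.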
--
2.41.0


@ -0,0 +1,156 @@
From 0e71f7774a764c0a19037b79b71d7146769082ac Mon Sep 17 00:00:00 2001
Message-ID: <0e71f7774a764c0a19037b79b71d7146769082ac.1695227714.git.aclaudi@redhat.com>
In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
From: Andrea Claudi <aclaudi@redhat.com>
Date: Tue, 5 Sep 2023 12:44:19 +0200
Subject: [PATCH] lib: add SELinux include and stub functions
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023
Upstream Status: iproute2-next.git commit e246ebc3
commit e246ebc3b7f1f438310ad6fd1d5976ba6ccf7a69
Author: Andrea Claudi <aclaudi@redhat.com>
Date: Wed Aug 23 19:30:01 2023 +0200
lib: add SELinux include and stub functions
ss provides some selinux stub functions, useful when iproute2 is
compiled without selinux support.
Move them to lib/ so we can use them in other iproute2 tools.
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
---
include/selinux.h | 9 +++++++++
lib/Makefile | 4 ++++
lib/selinux.c | 32 ++++++++++++++++++++++++++++++++
misc/ss.c | 34 +---------------------------------
4 files changed, 46 insertions(+), 33 deletions(-)
create mode 100644 include/selinux.h
create mode 100644 lib/selinux.c
diff --git a/include/selinux.h b/include/selinux.h
new file mode 100644
index 00000000..499aa966
--- /dev/null
+++ b/include/selinux.h
@@ -0,0 +1,9 @@
+#if HAVE_SELINUX
+#include <selinux/selinux.h>
+#else
+int is_selinux_enabled(void);
+void freecon(char *context);
+int getpidcon(pid_t pid, char **context);
+int getfilecon(const char *path, char **context);
+int security_get_initial_context(const char *name, char **context);
+#endif
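Review bot: the new header has no include guard and does not include <sys/types.h>, yet the getpidcon() prototype uses pid_t; it only compiles in translation units that already pulled that type in through another header. Suggest adding `#ifndef __SELINUX_H__` / `#define __SELINUX_H__` guards and `#include <sys/types.h>` ahead of the prototypes. Also note that `#if HAVE_SELINUX` treats an undefined macro as 0, so a build that simply forgets to define it silently gets the stubs rather than libselinux.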
diff --git a/lib/Makefile b/lib/Makefile
index ddedd37f..aa7bbd2e 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -13,6 +13,10 @@ UTILOBJ += bpf_libbpf.o
endif
endif
+ifneq ($(HAVE_SELINUX),y)
+UTILOBJ += selinux.o
+endif
+
NLOBJ=libgenl.o libnetlink.o
ifeq ($(HAVE_MNL),y)
NLOBJ += mnl_utils.o
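Review bot: the Makefile selects the stub object with `ifneq ($(HAVE_SELINUX),y)` while the header selects the real prototypes with `#if HAVE_SELINUX`; the two must be driven by the same configure result, otherwise a build can end up with libselinux prototypes and no libselinux link (or the stub object linked next to -lselinux, with duplicate symbols). A short comment naming the config variable that feeds both would make that coupling visible.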
diff --git a/lib/selinux.c b/lib/selinux.c
new file mode 100644
index 00000000..4e6805fc
--- /dev/null
+++ b/lib/selinux.c
@@ -0,0 +1,32 @@
+#include <stdlib.h>
+#include <unistd.h>
+#include "selinux.h"
+
+/* Stubs for SELinux functions */
+int is_selinux_enabled(void)
+{
+ return 0;
+}
+
+void freecon(char *context)
+{
+ free(context);
+}
+
+int getpidcon(pid_t pid, char **context)
+{
+ *context = NULL;
+ return -1;
+}
+
+int getfilecon(const char *path, char **context)
+{
+ *context = NULL;
+ return -1;
+}
+
+int security_get_initial_context(const char *name, char **context)
+{
+ *context = NULL;
+ return -1;
+}
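Review bot: these were `static` in ss.c and are now external symbols carrying libselinux's own names, so the Makefile guard above is what prevents a duplicate-symbol link; a comment at the top of the file stating that the stubs must never be compiled into a libselinux-linked build would help the next person touching lib/Makefile. Every lookup stub sets `*context = NULL` and returns -1, so freecon() only ever sees NULL in a non-SELinux build; saying so in a comment documents the convention callers are expected to check.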
diff --git a/misc/ss.c b/misc/ss.c
index fe19f489..6e18bf0c 100644
--- a/misc/ss.c
+++ b/misc/ss.c
@@ -33,6 +33,7 @@
#include "version.h"
#include "rt_names.h"
#include "cg_map.h"
+#include "selinux.h"
#include <linux/tcp.h>
#include <linux/unix_diag.h>
@@ -71,39 +72,6 @@
#define BUF_CHUNKS_MAX 5 /* Maximum number of allocated buffer chunks */
#define LEN_ALIGN(x) (((x) + 1) & ~1)
-#if HAVE_SELINUX
-#include <selinux/selinux.h>
-#else
-/* Stubs for SELinux functions */
-static int is_selinux_enabled(void)
-{
- return 0;
-}
-
-static int getpidcon(pid_t pid, char **context)
-{
- *context = NULL;
- return -1;
-}
-
-static int getfilecon(const char *path, char **context)
-{
- *context = NULL;
- return -1;
-}
-
-static int security_get_initial_context(const char *name, char **context)
-{
- *context = NULL;
- return -1;
-}
-
-static void freecon(char *context)
-{
- free(context);
-}
-#endif
-
int preferred_family = AF_UNSPEC;
static int show_options;
int show_details;
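Review bot: the removed block carried the `is_selinux_enabled()` stub already corrected to `return 0` by the first patch of this series, and lib/selinux.c reproduces that value, so behaviour is preserved only if the patches are applied in order; when backporting this one alone, the moved stub would silently pick up whatever the pre-series value was. The `#if HAVE_SELINUX` / `<selinux/selinux.h>` include that disappears here is now provided by "selinux.h", so the header must stay first in the include order for the real prototypes to win.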
--
2.41.0


@ -0,0 +1,81 @@
From 6bfcc5679d601c393e7d6ca6c78c2d7680c3e4f2 Mon Sep 17 00:00:00 2001
Message-ID: <6bfcc5679d601c393e7d6ca6c78c2d7680c3e4f2.1695227714.git.aclaudi@redhat.com>
In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
From: Andrea Claudi <aclaudi@redhat.com>
Date: Tue, 5 Sep 2023 12:44:19 +0200
Subject: [PATCH] ip vrf: make ipvrf_exec SELinux-aware
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023
Upstream Status: iproute2-next.git commit 0d0eeaa6
commit 0d0eeaa6cb9218e57ce910fc3a8991b80da6393e
Author: Andrea Claudi <aclaudi@redhat.com>
Date: Wed Aug 23 19:30:02 2023 +0200
ip vrf: make ipvrf_exec SELinux-aware
When using ip vrf and SELinux is enabled, make sure to set the exec file
context before calling cmd_exec.
This ensures that the command is executed with the right context,
falling back to the ifconfig_t context when needed.
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
---
include/selinux.h | 1 +
ip/ipvrf.c | 6 ++++++
lib/selinux.c | 5 +++++
3 files changed, 12 insertions(+)
diff --git a/include/selinux.h b/include/selinux.h
index 499aa966..592c7680 100644
--- a/include/selinux.h
+++ b/include/selinux.h
@@ -6,4 +6,5 @@ void freecon(char *context);
int getpidcon(pid_t pid, char **context);
int getfilecon(const char *path, char **context);
int security_get_initial_context(const char *name, char **context);
+int setexecfilecon(const char *filename, const char *fallback_type);
#endif
diff --git a/ip/ipvrf.c b/ip/ipvrf.c
index 0718bea8..b0dd2abe 100644
--- a/ip/ipvrf.c
+++ b/ip/ipvrf.c
@@ -24,6 +24,7 @@
#include "utils.h"
#include "ip_common.h"
#include "bpf_util.h"
+#include "selinux.h"
#define CGRP_PROC_FILE "/cgroup.procs"
@@ -455,6 +456,11 @@ static int ipvrf_exec(int argc, char **argv)
return -1;
}
+ if (is_selinux_enabled() && setexecfilecon(argv[1], "ifconfig_t")) {
+ fprintf(stderr, "setexecfilecon for \"%s\" failed\n", argv[1]);
+ return -1;
+ }
+
return -cmd_exec(argv[1], argv + 1, !!batch_mode, do_switch, argv[0]);
}
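Review bot: the fail-closed ordering is right (a failed setexecfilecon() aborts before cmd_exec), but setexecfilecon() is handed argv[1] exactly as typed while cmd_exec() receives the same string to resolve; if cmd_exec resolves bare command names through PATH, the file-context lookup is done on a relative name rather than the executable that actually runs, and the hard-coded "ifconfig_t" fallback would apply more often than the commit message's "when needed" suggests. Consider resolving the path once and passing it to both calls, and state in the message what conditions trigger the fallback. The error message would also be more useful with strerror(errno) appended, so a policy denial can be told apart from a missing file.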
diff --git a/lib/selinux.c b/lib/selinux.c
index 4e6805fc..7e5dd16d 100644
--- a/lib/selinux.c
+++ b/lib/selinux.c
@@ -30,3 +30,8 @@ int security_get_initial_context(const char *name, char **context)
*context = NULL;
return -1;
}
+
+int setexecfilecon(const char *filename, const char *fallback_type)
+{
+ return -1;
+}
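Review bot: this stub returns -1 unconditionally, unlike the other stubs in this file, which model the "SELinux disabled" outcome; any caller that does not first test is_selinux_enabled() (ipvrf.c does, via the short-circuit `&&`) would therefore fail outright in a non-SELinux build. Either return 0 here, in line with the series' stated aim of making the stubs behave like the real functions, or add a comment that the guard in the caller is mandatory. The unused `filename` and `fallback_type` parameters also want `(void)` casts if unused-parameter warnings are enabled.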
--
2.41.0


@@ -1,7 +1,7 @@
 Summary: Advanced IP routing and network device configuration tools
 Name: iproute
 Version: 6.2.0
-Release: 3%{?dist}%{?buildid}
+Release: 4%{?dist}%{?buildid}
 %if 0%{?rhel}
 Group: Applications/System
 %endif
@@ -11,6 +11,10 @@ Source1: rt_dsfield.deprecated
 Patch0: 0001-Update-kernel-headers.patch
 Patch1: 0002-macvlan-Add-bclim-parameter.patch
 Patch2: 0003-tc-add-missing-separator.patch
+Patch3: 0004-ss-make-is_selinux_enabled-stub-work-like-in-SELinux.patch
+Patch4: 0005-ss-make-SELinux-stub-functions-conformant-to-API-def.patch
+Patch5: 0006-lib-add-SELinux-include-and-stub-functions.patch
+Patch6: 0007-ip-vrf-make-ipvrf_exec-SELinux-aware.patch
 License: GPL-2.0-or-later AND NIST-PD
 BuildRequires: bison
@@ -142,6 +146,12 @@ cat %{SOURCE1} >>%{buildroot}%{_sysconfdir}/iproute2/rt_dsfield
 %{_includedir}/iproute2/bpf_elf.h
 %changelog
+* Wed Sep 20 2023 Andrea Claudi <aclaudi@redhat.com> - 6.2.0-4.el8
+- ip vrf: make ipvrf_exec SELinux-aware (Andrea Claudi) [1780023]
+- lib: add SELinux include and stub functions (Andrea Claudi) [1780023]
+- ss: make SELinux stub functions conformant to API definitions (Andrea Claudi) [1780023]
+- ss: make is_selinux_enabled stub work like in SELinux (Andrea Claudi) [1780023]
 * Wed Jun 07 2023 Andrea Claudi <aclaudi@redhat.com> - 6.2.0-3.el8
 - tc: add missing separator (Andrea Claudi)