From: James Carter <jwcart2@gmail.com>
To: "Christian Göttsche" <cgzones@googlemail.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH 1/2] libsepol/cil: support IPv4/IPv6 address embedding
Date: Fri, 17 Dec 2021 08:57:15 -0500	[thread overview]
Message-ID: <CAP+JOzQNE3JHZXj7EdoGq=zrQ9Jx9m8ZTG=eukV7-Qm-n7U=7Q@mail.gmail.com> (raw)
In-Reply-To: <CAP+JOzQjR9wbnb9aQu7MmzhbD+kZ-F_Aep=UOdEpnPr_s1D0mQ@mail.gmail.com>

On Thu, Dec 9, 2021 at 3:30 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Tue, Nov 30, 2021 at 4:51 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Accept IPv4 addresses embedded in IPv6, like `::ffff:127.0.0.1`.
> > This allows using those in nodecon statements, leading to fine-grained
> > access control:
> >
> >     type=AVC msg=audit(11/29/21 20:27:44.437:419) : avc:  granted  { node_bind } for  pid=27500 comm=intercept saddr=::ffff:127.0.0.1 src=46293 scontext=xuser_u:xuser_r:xuser_t:s0 tcontext=system_u:object_r:lo_node_t:s0 tclass=tcp_socket
> >
> > This does affect policies in the traditional language due to CIL usage
> > in semodule(8).
> >
> > Also print on conversion failures the address in question.
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>
Both of these have been merged.
Thanks,
Jim

> > ---
> >  libsepol/cil/src/cil_build_ast.c | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
> > index 9c34be23..eccb331b 100644
> > --- a/libsepol/cil/src/cil_build_ast.c
> > +++ b/libsepol/cil/src/cil_build_ast.c
> > @@ -5668,10 +5668,10 @@ int cil_fill_ipaddr(struct cil_tree_node *addr_node, struct cil_ipaddr *addr)
> >                 goto exit;
> >         }
> >
> > -       if (strchr(addr_node->data, '.') != NULL) {
> > -               addr->family = AF_INET;
> > -       } else {
> > +       if (strchr(addr_node->data, ':') != NULL) {
> >                 addr->family = AF_INET6;
> > +       } else {
> > +               addr->family = AF_INET;
> >         }
> >
> >         rc = inet_pton(addr->family, addr_node->data, &addr->ip);
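Review bot: the family is now inferred from the presence of ':' alone, and this function fills both halves of a nodecon (the error text below says "ip address or netmask"), so `::ffff:127.0.0.1` comes out as AF_INET6 while a dotted netmask such as `255.0.0.0` written next to it still comes out as AF_INET. Worth stating in the commit message that a mapped address must be paired with a 128-bit mask, or adding a family-mismatch check where the two halves meet, so a 4-byte mask is never applied to a 16-byte address. Inputs containing neither character fall to AF_INET and are rejected by inet_pton(), which is fine.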
> > @@ -5683,7 +5683,7 @@ int cil_fill_ipaddr(struct cil_tree_node *addr_node, struct cil_ipaddr *addr)
> >         return SEPOL_OK;
> >
> >  exit:
> > -       cil_log(CIL_ERR, "Bad ip address or netmask\n");
> > +       cil_log(CIL_ERR, "Bad ip address or netmask: %s\n", (addr_node && addr_node->data) ? (const char *)addr_node->data : "n/a");
> >         return rc;
> >  }
> >
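Review bot: the `(addr_node && addr_node->data) ? ... : "n/a"` guard is inconsistent with the rest of the function, which passes `addr_node->data` to strchr() unconditionally a few lines above; if the `goto exit` at the top of the first hunk is the path that can arrive here with a NULL pointer, the ternary is justified and a short comment saying so would help, otherwise it is dead code and the plain `(const char *)addr_node->data` reads better. Either way, split the line, e.g. put the conditional in a local `const char *s` before the cil_log() call.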
> > --
> > 2.34.1
> >

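The two family heuristics the hunk swaps, exercised against inet_pton() on constructed inputs. This is an added example, not libsepol code: `struct parsed_addr`, `parse_addr()` and `addr_in_subnet()` are hypothetical helpers that mirror the flow of `cil_fill_ipaddr()` (guess a family, let inet_pton() validate) and the byte-wise subnet comparison a nodecon lookup needs; the inputs, including the mapped loopback from the AVC line in the commit message, are made up for the demonstration. It shows why `::ffff:127.0.0.1` was rejected before the patch (the '.' picked AF_INET) and is accepted after it, and that a mapped address only matches a mask of the same family.

```c
/* Added example: CIL's address-family guess versus inet_pton(). Not libsepol
 * code; the struct, helpers and inputs are constructed for illustration.
 * Build: cc -Wall -o ipaddr_demo ipaddr_demo.c */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Family plus binary address, the shape cil_ipaddr keeps (hypothetical layout). */
struct parsed_addr {
	int family;
	union {
		struct in_addr v4;
		struct in6_addr v6;
	} ip;
};

/* Heuristic before the patch: any '.' means IPv4, otherwise IPv6. */
static int guess_family_by_dot(const char *s)
{
	return strchr(s, '.') != NULL ? AF_INET : AF_INET6;
}

/* Heuristic after the patch: any ':' means IPv6, otherwise IPv4. */
static int guess_family_by_colon(const char *s)
{
	return strchr(s, ':') != NULL ? AF_INET6 : AF_INET;
}

/* Same flow as cil_fill_ipaddr(): guess the family, let inet_pton() validate.
 * Returns 1 on success, 0 when the text is not an address of that family. */
static int parse_addr(const char *s, int (*guess)(const char *),
		      struct parsed_addr *out)
{
	memset(out, 0, sizeof(*out));
	out->family = guess(s);
	return inet_pton(out->family, s, &out->ip) == 1;
}

/* Subnet test a nodecon lookup needs: (addr & mask) == (net & mask) over 4 or
 * 16 bytes. A family mismatch is reported as "no match" rather than compared. */
static int addr_in_subnet(const struct parsed_addr *addr,
			  const struct parsed_addr *net,
			  const struct parsed_addr *mask)
{
	const unsigned char *a = (const unsigned char *)&addr->ip;
	const unsigned char *n = (const unsigned char *)&net->ip;
	const unsigned char *m = (const unsigned char *)&mask->ip;
	size_t len = addr->family == AF_INET ? sizeof(struct in_addr)
					     : sizeof(struct in6_addr);

	if (addr->family != net->family || net->family != mask->family)
		return 0;
	for (size_t i = 0; i < len; i++)
		if ((a[i] & m[i]) != (n[i] & m[i]))
			return 0;
	return 1;
}

int main(void)
{
	/* Constructed inputs; the third is the IPv4-mapped form from the AVC line. */
	static const char *const inputs[] = {
		"127.0.0.1", "::1", "::ffff:127.0.0.1", "2001:db8::1", "not-an-ip",
	};
	struct parsed_addr a, addr, net, mask;

	for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		int old_ok = parse_addr(inputs[i], guess_family_by_dot, &a);
		int new_ok = parse_addr(inputs[i], guess_family_by_colon, &a);
		int mapped = new_ok && a.family == AF_INET6 &&
			     IN6_IS_ADDR_V4MAPPED(&a.ip.v6);

		printf("%-18s old('.')=%s new(':')=%s%s\n", inputs[i],
		       old_ok ? "ok " : "BAD", new_ok ? "ok " : "BAD",
		       mapped ? "  (IPv4-mapped)" : "");
	}

	/* Mapped loopback against mapped 127.0.0.0/8, i.e. a /104 IPv6 mask. */
	parse_addr("::ffff:127.0.0.1", guess_family_by_colon, &addr);
	parse_addr("::ffff:127.0.0.0", guess_family_by_colon, &net);
	parse_addr("ffff:ffff:ffff:ffff:ffff:ffff:ff00:0", guess_family_by_colon,
		   &mask);
	printf("::ffff:127.0.0.1 in ::ffff:127.0.0.0/104: %d\n",
	       addr_in_subnet(&addr, &net, &mask));
	return 0;
}
```

The old heuristic marks `::ffff:127.0.0.1` as BAD because inet_pton(AF_INET, ...) rejects it; the new one parses it as an IPv6 address that IN6_IS_ADDR_V4MAPPED() recognises. The final check only succeeds because the mask is written as a 128-bit IPv6 mask; a dotted `255.0.0.0` next to the mapped address yields AF_INET and the lookup reports no match.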
Thread overview (5+ messages):
2021-11-30 11:00 [PATCH 1/2] libsepol/cil: support IPv4/IPv6 address embedding Christian Göttsche
2021-11-30 11:00 ` [PATCH 2/2] checkpolicy: warn on bogus IP address or netmask in nodecon statement Christian Göttsche
2021-12-09 20:31   ` James Carter
2021-12-09 20:30 ` [PATCH 1/2] libsepol/cil: support IPv4/IPv6 address embedding James Carter
2021-12-17 13:57   ` James Carter [this message]
