* [poky][master][PATCH] systemd: selinux hook handling to enumerate nexthop
@ 2020-11-04 10:34 Purushottam choudhary
  2020-11-12  9:33 ` Purushottam choudhary
  0 siblings, 1 reply; 4+ messages in thread
From: Purushottam choudhary @ 2020-11-04 10:34 UTC (permalink / raw)
  To: openembedded-core, raj.khem; +Cc: nisha.parrakat, anuj.chougule, aditya.tayade

When selinux is enabled, the call of
manager_rtnl_enumerate_nexthop() fails.
This fix is to facilitate selinux hook handling
for enumerating nexthop.

In manager_rtnl_enumerate_nexthop() there is a check
if "Not supported" is returned by the send_netlink() call.
This check expects that -EOPNOTSUPP is returned,
the selinux hook seems to return -EINVAL instead.
This happens in kernels older than 5.3
(more specifically torvalds/linux@65ee00a) as they do not support
nexthop handling through netlink.
And if SELinux is enforced in the older kernel, calling RTM_GETNEXTHOP
returns -EINVAL.

Thus adding a call in the manager_rtnl_enumerate_nexthop for the
extra return -EINVAL.

Note: systemd version is different in yocto project (v246.6) and
systemd master (v247), and in systemd version (246.6) the
mac_selinux_enforcing() function is not declared and defined.

Signed-off-by: Purushottam choudhary <purushottam.choudhary@kpit.com>
---
 ...elinux-hook-handling-to-enumerate-nexthop.patch | 46 ++++++++++++++++++++++
 meta/recipes-core/systemd/systemd_246.6.bb         |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/selinux-hook-handling-to-enumerate-nexthop.patch

diff --git a/meta/recipes-core/systemd/systemd/selinux-hook-handling-to-enumerate-nexthop.patch b/meta/recipes-core/systemd/systemd/selinux-hook-handling-to-enumerate-nexthop.patch
new file mode 100644
index 0000000..b1c92ed
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/selinux-hook-handling-to-enumerate-nexthop.patch
@@ -0,0 +1,46 @@
+From 92b555aaabf710e0a672a7244e8c0e3963075133 Mon Sep 17 00:00:00 2001
+From: Purushottam choudhary <purushottam.choudhary@kpit.com>
+Date: Wed, 28 Oct 2020 22:11:49 +0530
+Subject: [PATCH] network: selinux hook handling to enumerate nexthop
+
+When selinux is enabled, the call of
+manager_rtnl_enumerate_nexthop() fails.
+
+This fix is to facilitate selinux hook handling for enumerating
+nexthop.
+
+In manager_rtnl_enumerate_nexthop() there is a check
+if "Not supported" is returned by the send_netlink() call.
+
+This check expects that -EOPNOTSUPP is returned,
+the selinux hook seems to return -EINVAL instead.
+
+This happens in kernel older than 5.3
+(more specificallytorvalds/linux@65ee00a) as it does not support
+nexthop handling through netlink.
+
+And if SELinux is enforced in the order kernel, callingRTM_GETNEXTHOP
+returns -EINVAL.
+
+Thus adding a call in the manager_rtnl_enumerate_nexthop for the
+extra return -EINVAL.
+
+Upstream-Status: Backport
+https://github.com/systemd/systemd/commit/92b555aaabf710e0a672a7244e8c0e3963075133
+---
+ src/network/networkd-manager.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
+index a6c1a39..2a9be85 100644
+--- a/src/network/networkd-manager.c
++++ b/src/network/networkd-manager.c
+@@ -2121,7 +2121,7 @@ int manager_rtnl_enumerate_nexthop(Manager *m) {
+
+         r = sd_netlink_call(m->rtnl, req, 0, &reply);
+         if (r < 0) {
+-                if (r == -EOPNOTSUPP) {
++                if (r == -EOPNOTSUPP || r == -EINVAL) {
+                         log_debug("Nexthop are not supported by the kernel. Ignoring.");
+                         return 0;
+                 }
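Review bot: widening the early return to `r == -EINVAL` makes any -EINVAL from the RTM_GETNEXTHOP dump, not only the SELinux-on-pre-5.3 case the message describes, silently disable nexthop enumeration with nothing more than a debug-level line, and that line ("Nexthop are not supported by the kernel. Ignoring.") no longer names the SELinux cause. Consider logging the errno with `log_debug_errno(r, ...)` and wording the message to cover both causes, so an unexpected -EINVAL on a kernel that does support nexthops stays visible. Also, the header marks this as a plain Backport of upstream commit 92b555aaabf710e0a672a7244e8c0e3963075133 while the cover letter says mac_selinux_enforcing() does not exist in v246.6; if the condition was adapted rather than applied verbatim, say so in the patch header so the next version bump knows how it differs from upstream.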
diff --git a/meta/recipes-core/systemd/systemd_246.6.bb b/meta/recipes-core/systemd/systemd_246.6.bb
index 9215adf..78990f4 100644
--- a/meta/recipes-core/systemd/systemd_246.6.bb
+++ b/meta/recipes-core/systemd/systemd_246.6.bb
@@ -21,6 +21,7 @@ SRC_URI += "file://touchscreen.rules \
            file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
            file://0003-implment-systemd-sysv-install-for-OE.patch \
            file://0001-systemd.pc.in-use-ROOTPREFIX-without-suffixed-slash.patch \
+           file://selinux-hook-handling-to-enumerate-nexthop.patch \
            "

 # patches needed by musl
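Review bot: style only: the new entry has no numeric prefix, unlike the neighbouring 0001-/0003- patches in this SRC_URI block; a name such as 0001-network-selinux-hook-handling-to-enumerate-nexthop.patch (matching the Subject line inside the patch) keeps the series sortable, though since the file is marked Upstream-Status: Backport the bare name is acceptable.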
--
2.7.4

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
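The commit message gives a decision rule for when the unpatched check misfires: nexthop netlink support arrived in kernel 5.3, and on an older kernel with SELinux enforcing RTM_GETNEXTHOP returns -EINVAL instead of -EOPNOTSUPP. The script below is an added diagnostic, not part of the patch or of systemd, that encodes that rule so a host can be checked before upgrading; the function names and the "ok/EINVAL/EOPNOTSUPP" labels are mine, and the live check assumes `getenforce` is the way SELinux mode is reported.

```sh
#!/bin/sh
# Added diagnostic (not from the patch or from systemd): predict whether an
# unpatched systemd v246.6 manager_rtnl_enumerate_nexthop() would treat the
# RTM_GETNEXTHOP result as a hard error on a given kernel/SELinux combination.

# kernel_supports_nexthop VERSION -> status 0 if VERSION >= 5.3, else 1.
# Handles "5.10.0-91-generic", "5.3-rc1" and a bare "5" (treated as 5.0).
kernel_supports_nexthop() {
    major=${1%%.*}
    case $1 in
        *.*) rest=${1#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    minor=${minor%%[!0-9]*}          # drop "-rc1" style suffixes
    minor=${minor:-0}
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 3 ]; }
}

# classify KERNEL_VERSION SELINUX_MODE -> prints which errno the commit
# message says the unpatched "if (r == -EOPNOTSUPP)" check would face:
#   ok          kernel >= 5.3, the dump succeeds
#   EOPNOTSUPP  old kernel, already ignored before the patch
#   EINVAL      old kernel + SELinux Enforcing, only ignored after the patch
classify() {
    if kernel_supports_nexthop "$1"; then
        echo ok
    elif [ "$2" = "Enforcing" ]; then
        echo EINVAL
    else
        echo EOPNOTSUPP
    fi
}

# Live check of the current host (assumes getenforce reports SELinux mode).
mode=Disabled
if command -v getenforce >/dev/null 2>&1; then
    mode=$(getenforce)
fi
echo "kernel $(uname -r), SELinux $mode: $(classify "$(uname -r)" "$mode")"
```

Only the EINVAL verdict identifies a host on which systemd v246.6 needs this backport; EOPNOTSUPP was already handled by the original check.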


* Re: [poky][master][PATCH] systemd: selinux hook handling to enumerate nexthop
  2020-11-04 10:34 [poky][master][PATCH] systemd: selinux hook handling to enumerate nexthop Purushottam choudhary
@ 2020-11-12  9:33 ` Purushottam choudhary
  2020-11-12 12:56   ` [OE-core] " Richard Purdie
  0 siblings, 1 reply; 4+ messages in thread
From: Purushottam choudhary @ 2020-11-12  9:33 UTC (permalink / raw)
  To: openembedded-core, raj.khem; +Cc: Nisha Parrakat, Anuj Chougule, Aditya Tayade


Hi Openembedded/Khem,

Is there any update on this patch?

Could you please let me know?

Thanks & Regards,
Purushottam


* Re: [OE-core] [poky][master][PATCH] systemd: selinux hook handling to enumerate nexthop
  2020-11-12  9:33 ` Purushottam choudhary
@ 2020-11-12 12:56   ` Richard Purdie
  2020-11-12 17:28     ` Purushottam choudhary
  0 siblings, 1 reply; 4+ messages in thread
From: Richard Purdie @ 2020-11-12 12:56 UTC (permalink / raw)
  To: Purushottam choudhary, openembedded-core, raj.khem
  Cc: Nisha Parrakat, Anuj Chougule, Aditya Tayade

On Thu, 2020-11-12 at 09:33 +0000, Purushottam choudhary wrote:
> Hi Openembedded/Khem,
> 
> Is there any update on this patch?
> 
> Could you please let me know?

It's merged in master?

http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=ec37a2be661bbaa494455a5417db148495920039

Cheers,

Richard



* Re: [OE-core] [poky][master][PATCH] systemd: selinux hook handling to enumerate nexthop
  2020-11-12 12:56   ` [OE-core] " Richard Purdie
@ 2020-11-12 17:28     ` Purushottam choudhary
  0 siblings, 0 replies; 4+ messages in thread
From: Purushottam choudhary @ 2020-11-12 17:28 UTC (permalink / raw)
  To: richard.purdie
  Cc: Nisha Parrakat, Anuj Chougule, Aditya Tayade, openembedded-core


Hi Richard,

Thanks for the confirmation.

Thanks & Regards,
Purushottam

