ip vrf: make ipvrf_exec SELinux-aware

When using ip vrf and SELinux is enabled, make sure to set the exec file
context before calling cmd_exec.

This ensures that the command is executed with the right context,
falling back to the ifconfig_t context when needed.

Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: David Ahern <dsahern@kernel.org>

diff --git a/include/selinux.h b/include/selinux.h
index 499aa966a7fb76bd7a1a6d6662ac0f69511b6a76..592c76808a466050be28299bd0232aeeca4c8abf 100644 (file)
--- a/include/selinux.h
+++ b/include/selinux.h
@@ -6,4 +6,5 @@ void freecon(char *context);
 int getpidcon(pid_t pid, char **context);
 int getfilecon(const char *path, char **context);
 int security_get_initial_context(const char *name,  char **context);
+int setexecfilecon(const char *filename, const char *fallback_type);
 #endif

diff --git a/ip/ipvrf.c b/ip/ipvrf.c
index d6b59adbb21640be800f6795bf0b19df85f6dae8..12beaec34d409f83e7e66ea25f8d0d8c792e19f3 100644 (file)
--- a/ip/ipvrf.c
+++ b/ip/ipvrf.c
@@ -24,6 +24,7 @@
 #include "utils.h"
 #include "ip_common.h"
 #include "bpf_util.h"
+#include "selinux.h"
 
 #define CGRP_PROC_FILE  "/cgroup.procs"
 
@@ -455,6 +456,11 @@ static int ipvrf_exec(int argc, char **argv)
                return -1;
        }
 
+       if (is_selinux_enabled() && setexecfilecon(argv[1], "ifconfig_t")) {
+               fprintf(stderr, "setexecfilecon for \"%s\" failed\n", argv[1]);
+               return -1;
+       }
+
        return -cmd_exec(argv[1], argv + 1, !!batch_mode, do_switch, argv[0]);
 }
 

diff --git a/lib/selinux.c b/lib/selinux.c
index 4e6805fcb4bac9e350f4ffeb2450689513b085f7..7e5dd16d04709173a0e3210066fdd0730c1ec95a 100644 (file)
--- a/lib/selinux.c
+++ b/lib/selinux.c
@@ -30,3 +30,8 @@ int security_get_initial_context(const char *name,  char **context)
        *context = NULL;
        return -1;
 }
+
+int setexecfilecon(const char *filename, const char *fallback_type)
+{
+       return -1;
+}