From: Purushottam choudhary <purushottam.choudhary@kpit.com>
Date: Wed, 28 Oct 2020 16:41:49 +0000 (+0530)
Subject: network: selinux hook handling to enumerate nexthop
X-Git-Tag: v247-rc2~35
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=92b555aaabf710e0a672a7244e8c0e3963075133;p=thirdparty%2Fsystemd.git

network: selinux hook handling to enumerate nexthop

When selinux is enabled, the call of
manager_rtnl_enumerate_nexthop() fails.

This fix is to facilitate selinux hook handling for enumerating
nexthop.

In manager_rtnl_enumerate_nexthop() there is a check
if "Not supported" is returned by the send_netlink() call.

This check expects that -EOPNOTSUPP is returned,
the selinux hook seems to return -EINVAL instead.

This happens in kernel older than 5.3
(more specificallytorvalds/linux@65ee00a) as it does not support
nexthop handling through netlink.

And if SELinux is enforced in the order kernel, callingRTM_GETNEXTHOP
returns -EINVAL.

Thus adding a call in the manager_rtnl_enumerate_nexthop for the
extra return -EINVAL.
---

diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
index b5aba1f1dc2..ff00d865092 100644
--- a/src/network/networkd-manager.c
+++ b/src/network/networkd-manager.c
@@ -38,6 +38,7 @@
 #include "ordered-set.h"
 #include "path-lookup.h"
 #include "path-util.h"
+#include "selinux-util.h"
 #include "set.h"
 #include "signal-util.h"
 #include "stat-util.h"
@@ -971,7 +972,7 @@ static int manager_enumerate_internal(
 
         r = sd_netlink_call(m->rtnl, req, 0, &reply);
         if (r < 0) {
-                if (r == -EOPNOTSUPP && name) {
+                if (name && (r == -EOPNOTSUPP || (r == -EINVAL && mac_selinux_enforcing()))) {
                         log_debug_errno(r, "%s are not supported by the kernel. Ignoring.", name);
                         return 0;
                 }