authorPaul Moore <pmoore@redhat.com>2014-09-10 17:09:57 -0400
committerPaul Moore <pmoore@redhat.com>2014-09-10 17:09:57 -0400
commitcbe0d6e8794f1da6cac1ea3864d2cfaf0bf87c8e (patch)
tree36d99ec1ecc4fec26ede0516059e611729a5afb9 /security/selinux/include/objsec.h
parent25db6bea1ff5a78ef493eefdcbb9c1d27134e560 (diff)
selinux: make the netif cache namespace aware
While SELinux largely ignores namespaces, for good reason, there are some places where it needs to at least be aware of namespaces in order to function correctly. Network namespaces are one example. Basic awareness of network namespaces is necessary in order to match a network interface's index number to an actual network device. This patch corrects a problem with network interfaces added to a non-init namespace, and can be reproduced with the following commands: [NOTE: the NetLabel configuration is here only to activate the dynamic networking controls ] # netlabelctl unlbl add default address: \ label:system_u:object_r:unlabeled_t:s0 # netlabelctl unlbl add default address:::/0 \ label:system_u:object_r:unlabeled_t:s0 # netlabelctl cipsov4 add pass doi:100 tags:1 # netlabelctl map add domain:lspp_test_netlabel_t \ protocol:cipsov4,100 # ip link add type veth # ip netns add myns # ip link set veth1 netns myns # ip a add dev veth0 # ip netns exec myns ip a add dev veth1 # ip l set veth0 up # ip netns exec myns ip l set veth1 up # ping -c 1 # ip netns exec myns ping -c 1 Reported-by: Jiri Jaburek <jjaburek@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'security/selinux/include/objsec.h')
1 files changed, 2 insertions, 0 deletions
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 078e553f52f2..81fa718d5cb3 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -24,6 +24,7 @@
#include <linux/binfmts.h>
#include <linux/in.h>
#include <linux/spinlock.h>
+#include <net/net_namespace.h>
#include "flask.h"
#include "avc.h"
@@ -78,6 +79,7 @@ struct ipc_security_struct {
struct netif_security_struct {
+ struct net *ns; /* network namespace */
int ifindex; /* device index */
u32 sid; /* SID for this interface */