From 8af43b61c17e9a18b06fd6ab26370543f21eb4e4 Mon Sep 17 00:00:00 2001 From: Christian Göttsche Date: Sun, 2 Mar 2025 16:40:45 +0100 Subject: selinux: support wildcard network interface names MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add support for wildcard matching of network interface names. This is useful for auto-generated interfaces, for example podman creates network interfaces for containers with the naming scheme podman0, podman1, podman2, ... To maintain backward compatibility guard this feature with a new policy capability 'netif_wildcard'. Netifcon definitions are compared against in the order given by the policy, so userspace tools should sort them in a reasonable order. Signed-off-by: Christian Göttsche Signed-off-by: Paul Moore --- security/selinux/include/policycap.h | 1 + 1 file changed, 1 insertion(+) (limited to 'security/selinux/include/policycap.h') diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h index 079679fe7254..bd402d3fd3ae 100644 --- a/security/selinux/include/policycap.h +++ b/security/selinux/include/policycap.h @@ -15,6 +15,7 @@ enum { POLICYDB_CAP_IOCTL_SKIP_CLOEXEC, POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, POLICYDB_CAP_NETLINK_XPERM, + POLICYDB_CAP_NETIF_WILDCARD, __POLICYDB_CAP_MAX }; #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1) -- cgit v1.2.3