checkpolicy: drop host bits in IPv6 CIDR address

Drop the host bits in the IPV6 address defined via a CIDR notation in define_ipv6_cidr_node_context(), similar to define_ipv4_cidr_node_context(). Otherwise the kernel will never match this entry since the host bits from the actual address will be zeroed before comparison, see security/selinux/ss/services.c:match_ipv6_addrmask(). Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
2025-04-01 00:30:41 +00:00 · 2024-12-02 12:04:13 +01:00 · 2024-12-02 12:04:13 +01:00 · 42d653aae5
commit 42d653aae5
parent c28d920324
4 changed files with 19 additions and 1 deletions
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@ -5709,6 +5709,14 @@ static void ipv6_cidr_bits_to_mask(unsigned long cidr_bits, struct in6_addr *mas
 	}
 }

+static void ipv6_apply_mask(struct in6_addr *restrict addr, const struct in6_addr *restrict mask)
+{
+	unsigned i;
+
+	for (i = 0; i < 4; i++)
+		addr->s6_addr32[i] &= mask->s6_addr32[i];
+}
+
 static int insert_ipv6_node(ocontext_t *newc)
 {
 	ocontext_t *c, *l;
@ -5884,6 +5892,7 @@ int define_ipv6_cidr_node_context(void)
 		return -1;
 	}

+	ipv6_apply_mask(&addr, &mask);
 	memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16);
 	memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16);

--- a/checkpolicy/tests/policy_allonce.conf
+++ b/checkpolicy/tests/policy_allonce.conf
@ -76,9 +76,12 @@ portcon tcp 80 USER1:ROLE1:TYPE1
 portcon udp 100-200 USER1:ROLE1:TYPE1
 netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
 nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
-nodecon 127.0.0.0/24 USER1:ROLE1:TYPE1
+nodecon 192.168.42.0 255.255.0.0 USER1:ROLE1:TYPE1
+nodecon 127.0.0.1/24 USER1:ROLE1:TYPE1
+nodecon 192.168.41.0/16 USER1:ROLE1:TYPE1
 nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1
 nodecon ff80::/16 USER1:ROLE1:TYPE1
+nodecon ff00::1/8 USER1:ROLE1:TYPE1
 # hex numbers will be turned in decimal ones
 ibpkeycon fe80:: 0xFFFF USER1:ROLE1:TYPE1
 ibpkeycon fe80:: 0-0x10 USER1:ROLE1:TYPE1
--- a/checkpolicy/tests/policy_allonce.expected.conf
+++ b/checkpolicy/tests/policy_allonce.expected.conf
@ -82,8 +82,11 @@ portcon udp 100-200 USER1:ROLE1:TYPE1
 netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
 nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
 nodecon 127.0.0.0 255.255.255.0 USER1:ROLE1:TYPE1
+nodecon 192.168.0.0 255.255.0.0 USER1:ROLE1:TYPE1
+nodecon 192.168.42.0 255.255.0.0 USER1:ROLE1:TYPE1
 nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1
 nodecon ff80:: ffff:: USER1:ROLE1:TYPE1
+nodecon ff00:: ff00:: USER1:ROLE1:TYPE1
 ibpkeycon fe80:: 65535 USER1:ROLE1:TYPE1
 ibpkeycon fe80:: 0-16 USER1:ROLE1:TYPE1
 ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1
--- a/checkpolicy/tests/policy_allonce.expected_opt.conf
+++ b/checkpolicy/tests/policy_allonce.expected_opt.conf
@ -82,8 +82,11 @@ portcon udp 100-200 USER1:ROLE1:TYPE1
 netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
 nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
 nodecon 127.0.0.0 255.255.255.0 USER1:ROLE1:TYPE1
+nodecon 192.168.0.0 255.255.0.0 USER1:ROLE1:TYPE1
+nodecon 192.168.42.0 255.255.0.0 USER1:ROLE1:TYPE1
 nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1
 nodecon ff80:: ffff:: USER1:ROLE1:TYPE1
+nodecon ff00:: ff00:: USER1:ROLE1:TYPE1
 ibpkeycon fe80:: 65535 USER1:ROLE1:TYPE1
 ibpkeycon fe80:: 0-16 USER1:ROLE1:TYPE1
 ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1