networkd: NetLabel integration#23269
Conversation
|
Information for Fallback Peer Labeling for SELinux could be helpful to the reviewers. |
|
This pull request introduces 1 alert when merging 133cf88 into b0221bb - view on LGTM.com new alerts:
|
133cf88 to
2aa82e9
Compare
|
focal-amd failure most likely unrelated. @yuwata PTAL. |
yuwata
left a comment
There was a problem hiding this comment.
Instead of introducing IPv4NetLabelUnlabel=and IPv6NetLabelUnlabel= in [Network] section, please add NetLabel= or so in [Address], [DHCPv4], [DHCPv6], [IPv6AcceptRA], [DHCPPrefixDelegation] sections.
Then, we can assign different labels to each address.
Also, please move the netlabel related functions to networkd-netlabel.[ch] or so, as networkd-address.c and networkd-network.c are already too big.
f1e10ff to
705af57
Compare
705af57 to
f1d4ddc
Compare
f1d4ddc to
504f349
Compare
e69bee4 to
d4cb7f7
Compare
d4cb7f7 to
75f288e
Compare
|
Hmm, still fails because of memory leaks. |
75f288e to
7a4d4cf
Compare
|
Thanks for the review, updated. |
|
All green! |
7a4d4cf to
ad07e69
Compare
New directive `NetLabel=` provides a method for integrating dynamic network
configuration into Linux NetLabel subsystem rules, used by Linux security
modules (LSMs) for network access control. The option expects a whitespace
separated list of NetLabel labels. The labels must conform to lexical
restrictions of LSM labels. When an interface is configured with IP addresses,
the addresses and subnetwork masks will be appended to the NetLabel Fallback
Peer Labeling rules. They will be removed when the interface is
deconfigured. Failures to manage the labels will be ignored.
Example:
```
[DHCP]
NetLabel=system_u:object_r:localnet_peer_t:s0
```
With the above rules for interface `eth0`, when the interface is configured with
an IPv4 address of 10.0.0.0/8, `systemd-networkd` performs the equivalent of
`netlabelctl` operation
```
$ sudo netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0
```
Result:
```
$ sudo netlabelctl -p unlbl list
...
interface: eth0
address: 10.0.0.0/8
label: "system_u:object_r:localnet_peer_t:s0"
...
```
ad07e69 to
1c659e0
Compare
|
Why was this merged without review? |
|
But it was reviewed by @yuwata. |
|
FWIW to avoid scenarios like this it should be possible to somewhat enforce approvals with https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule
It's probably bureaucracy but on the other hand it appears a lot of PRs have been approved like that anyway so it seems it shouldn't be too annoying. |
I reviewed several times, but I have neither said 'LGTM' nor set the green label... Sorry for late final review, but this needs to be re-reviewed. Temporary setting 'merged-but-needs-fixing'. |
| <para>This setting provides a method for integrating dynamic network configuration into Linux | ||
| NetLabel subsystem rules, used by Linux security modules (LSMs) for network access control. The | ||
| option expects a whitespace separated list of NetLabel labels. The labels must conform to lexical | ||
| restrictions of LSM labels. When an interface is configured with IP addresses, the addresses and | ||
| subnetwork masks will be appended to the NetLabel Fallback Peer Labeling rules. They will be |
There was a problem hiding this comment.
It'd be good to add some hyperrefences here, e.g. to kernel docs for LSM and NetLabel.
| <varlistentry> | ||
| <term><varname>NetLabel=</varname></term> | ||
| <listitem> | ||
| <para>As in [Address] section.</para> |
There was a problem hiding this comment.
"This setting accepts the same arguments as NetLabel= in the [Address] section."
There was a problem hiding this comment.
I used the same short text 'As in ...' like is used elsewhere in this manual page (MUDURL=, UseDNS=, MACAddress= etc). Wouldn't it be more consistent to use similar style also here so that it can be sort of skipped by the reader more easily?
| <varlistentry> | ||
| <term><varname>NetLabel=</varname></term> | ||
| <listitem> | ||
| <para>As in [Address] section.</para> |
| <varlistentry> | ||
| <term><varname>NetLabel=</varname></term> | ||
| <listitem> | ||
| <para>As in [Address] section.</para> |
| return 1; | ||
| } | ||
|
|
||
| log_link_debug(link, "NetLabel operation successful"); |
There was a problem hiding this comment.
Hmm, this message is not very informative. If I saw it without context, I would have no idea what was being done and why. Can you rephrase it?
There was a problem hiding this comment.
I agree it would be nice to have more verbose message explaining what exactly was successful (or what failed). But there isn't any context related to the operation available in the callback, just Link (which may have several Address) and the raw message.
In the earlier version I used synchronous sending and then the errors messages were able to be more precise.
| /* Label semantics depend on LSM but let's do basic checks */ | ||
| if (!string_is_safe(w)) { | ||
| log_syntax(unit, LOG_WARNING, filename, line, 0, | ||
| "Bad NetLabel label, ignoring: %s", w); |
There was a problem hiding this comment.
If w is not safe, it shouldn't be printed. Please cescape it before pritning.
| r = netlabel_command(NLBL_UNLABEL_C_STATICADD, label, address); | ||
| if (r < 0) | ||
| log_link_warning_errno(address->link, r, "Adding NetLabel %s for IP address %s failed, ignoring: %m", | ||
| label, strna(addr_str)); |
| int r; | ||
| Set **set = data; |
There was a problem hiding this comment.
Set **set = ASSERT_PTR(data);
int r;Add links to documentation to NetLabel, LSM, Netlabel Fallback Peer Labeling and NFT. Use a positive boolean function nft_identifier_good() to help grok the checks more easily than nft_identifier_bad(). Escape logged invalid items. Add an ASSERT_PTR() for 'data' in config_parse_netlabel(). Use a different debug message when NFT operation fails. Align nfproto_table strings. Remove NFT_SET_MSGS, it's only used once.
|
Created #23712 for the fixes. |
This reverts PR systemd#23269 and its follow-up commit. Especially, 2299b1c (partially), and 3cf6383. The PR was merged without final approval, and has several issues: - The NetLabel for static addresses are not assigned, as labels are stored in the Address objects managed by Network, instead of Link. - If NetLabel is specified for a static address, then the address section will be invalid and the address will not be configured, - It should be implemented with Request object, - There is no test about the feature.
New directives
IPv4NetLabelUnlabel=andIPv6NetLabelUnlabel=provide amethod for integrating dynamic network configuration into Linux NetLabel
subsystem rules, used by Linux security modules (LSMs) for network access
control. The options expect a whitespace separated list of NetLabel
labels. The labels must conform to lexical restrictions of LSM labels. When
an interface is configured with IP addresses, the addresses and subnetwork
masks will be appended to the NetLabel Fallback Peer Labeling rules. They will
be removed when the interface is deconfigured. Failures to manage the labels
will be ignored.
Example:
With the above rules for interface
eth0, when the interface is configured withan IPv4 address of 10.0.0.0/8,
systemd-networkdperforms the equivalent ofnetlabelctloperationResult: