ip vrf: make ipvrf_exec SELinux-aware

When using ip vrf and SELinux is enabled, make sure to set the exec file
context before calling cmd_exec.

This ensures that the command is executed with the right context,
falling back to the ifconfig_t context when needed.

Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: David Ahern <dsahern@kernel.org>

include/selinux.h

@@ -6,4 +6,5 @@ void freecon(char *context);
 int getpidcon(pid_t pid, char **context);
 int getfilecon(const char *path, char **context);
 int security_get_initial_context(const char *name,  char **context);
+int setexecfilecon(const char *filename, const char *fallback_type);
 #endif

ip/ipvrf.c

@@ -24,6 +24,7 @@
 #include "utils.h"
 #include "ip_common.h"
 #include "bpf_util.h"
+#include "selinux.h"
 
 #define CGRP_PROC_FILE  "/cgroup.procs"
 
@@ -455,6 +456,11 @@ static int ipvrf_exec(int argc, char **argv)
 		return -1;
 	}
 
+	if (is_selinux_enabled() && setexecfilecon(argv[1], "ifconfig_t")) {
+		fprintf(stderr, "setexecfilecon for \"%s\" failed\n", argv[1]);
+		return -1;
+	}
+
 	return -cmd_exec(argv[1], argv + 1, !!batch_mode, do_switch, argv[0]);
 }
 

lib/selinux.c

@@ -30,3 +30,8 @@ int security_get_initial_context(const char *name,  char **context)
 	*context = NULL;
 	return -1;
 }
+
+int setexecfilecon(const char *filename, const char *fallback_type)
+{
+	return -1;
+}