selinux: get netif_wildcard policycap from policy instead of cache

Retrieve the netif_wildcard policy capability in security_netif_sid() from the locked active policy instead of the cached value in selinux_state. Fixes: 8af43b61c17e ("selinux: support wildcard network interface names") Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> [PM: /netlabel/netif/ due to a typo in the description] Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Christian Göttsche <cgzones@googlemail.com> 2025-03-12 09:00:48 +0100
committer: Paul Moore <paul@paul-moore.com> 2025-03-17 16:22:04 -0400
commit: a3d3043ef24ac750f05a164e48f3d0833ebf0252 (patch)
tree: ad3876c4dc254fe0c2d23c775a86ca2e6ff09433 /security
parent: 8af43b61c17e9a18b06fd6ab26370543f21eb4e4 (diff)
1 files changed, 1 insertions, 2 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 1b11648d9b85..e431772c6168 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2587,14 +2587,13 @@ int security_netif_sid(const char *name, u32 *if_sid)
 		return 0;
 	}
 
-	wildcard_support = selinux_policycap_netif_wildcard();
-
 retry:
 	rc = 0;
 	rcu_read_lock();
 	policy = rcu_dereference(selinux_state.policy);
 	policydb = &policy->policydb;
 	sidtab = policy->sidtab;
+	wildcard_support = ebitmap_get_bit(&policydb->policycaps, POLICYDB_CAP_NETIF_WILDCARD);
 
 	c = policydb->ocontexts[OCON_NETIF];
 	while (c) {
author	Christian Göttsche <cgzones@googlemail.com>	2025-03-12 09:00:48 +0100
committer	Paul Moore <paul@paul-moore.com>	2025-03-17 16:22:04 -0400
commit	a3d3043ef24ac750f05a164e48f3d0833ebf0252 (patch)
tree	ad3876c4dc254fe0c2d23c775a86ca2e6ff09433 /security
parent	8af43b61c17e9a18b06fd6ab26370543f21eb4e4 (diff)