ncm-network: Restrictions on device naming should match kernel

That is: - Maximum 15 characters (16 including null) - No whitespace - No forward-slashes - No colons (but they are allowed in filenames to label alias IPs) While we're at it, make the regexp in the module absolute, as we're actually matching filenames there. Similar validation should also happen in the schema as only throwing errors at runtime is _really_ unfriendly.
quattor · Dec 5, 2024 · 8e677c9 · 8e677c9
1 parent 124f057
commit 8e677c9
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 27 deletions.
diff --git a/ncm-network/src/main/pan/components/network/types/network.pan b/ncm-network/src/main/pan/components/network/types/network.pan
@@ -53,8 +53,15 @@ type structure_network = {
     "gatewaydev" ? valid_interface
     @{Per interface network settings.
       These values are used to generate the /etc/sysconfig/network-scripts/ifcfg-<interface> files
-      when using ncm-network.}
-    "interfaces" : network_interface{}
+      when using ncm-network.
+      Interface names must be no more than 15 characters in and cannot contain whitespace, ".", "/" or ":".
+    }
+    "interfaces" : network_interface{} with {
+        foreach (i; _; SELF) {
+            match(i, '^[^\s\/.:]{1,15}$') || error('Device name "%s" is invalid', i);
+        };
+        true;
+    }
     "nameserver" ? type_ip[]
     "nisdomain" ? string(1..64) with match(SELF, '^\S+$')
     @{Setting nozeroconf to true stops an interface from being assigned an automatic address in the 169.254.0.0 subnet.}

diff --git a/ncm-network/src/main/perl/network.pm b/ncm-network/src/main/perl/network.pm
@@ -95,6 +95,7 @@ use CAF::FileEditor;
 use CAF::FileWriter;
 use CAF::Path 17.7.0;
 use NetAddr::IP;
+use File::Basename;
 
 use POSIX qw(WIFEXITED WEXITSTATUS);
 use Readonly;
@@ -153,30 +154,10 @@ Readonly my $HARDWARE_PATH => '/hardware/cards/nic';
 
 # Regexp for the supported ifcfg-<device> devices.
 # $1 must match the device name
+# Note that device names cannot contain ":", but the filenames generated may use ":" to delimit named alias IPs
 Readonly my $DEVICE_REGEXP => qr{
-    - # separator from e.g. ifcfg or route
-    ( # start whole match group $1
-        ( # start devicename group $2
-            (?:
-                eth|seth|em|
-                bond|br|ovirtmgmt|
-                vlan|usb|vxlan|
-                ib|
-                tun|
-                p\d+p|
-                en(?:
-                    o(?:\d+d)?| # onboard
-                    (?:p\d+)?s(?:\d+f)?(?:\d+d)? # [pci]slot[function][device]
-                )(?:\d+np)?  # [partition]
-             )\d+| # mandatory numbering
-             enx[[:xdigit:]]{12} # enx MAC address
-        )
-        (?:_(\w+))? # opional suffix group $3
-        (?:\.\d+)? # optional VLAN
-        (?::\w+)? # optional alias
-    ) # end whole matching group
-    $
-}x;
+    /^(?:ifcfg|route6?)-([^\s\/.]{1,15})$/
+};
 
 Readonly our $NETWORKCFG => "/etc/sysconfig/network";
 
@@ -228,10 +209,10 @@ sub _is_executable
 # undef otherwise.
 sub is_valid_interface
 {
-    my ($self, $filename) = @_;
+    my ($self, $filepath) = @_;
+    my $filename = basename($filepath);
 
     # Very primitive, based on regex only
-    # Not even the full filename (eg ifcfg) or anything
     if ($filename =~ m/$DEVICE_REGEXP/) {
         my $ifupdownname = $1;
         my $name = $2;