* Proposed patch for handling bindresvport call.
@ 2006-11-07 19:36 Daniel J Walsh
From: Daniel J Walsh @ 2006-11-07 19:36 UTC (permalink / raw)
To: Christopher J. PeBenito, Stephen Smalley, SE Linux
Currently we handle reserved ports from 1-1023 by defining
reserved_port_t to cover that range. The bindresvport call which I
believe results in most if not all of the
corenet_bind_all_reserved_ports calls in policy, actually only binds to
512-1023.
I propose with this patch that we break the range in two, adding a hi_reserved_port_t alongside reserved_port_t and making reserved_port_t cover 1-511 and hi_reserved_port_t cover 512-1023.
This fixes a bug in the calls to corenet_bind_all_rpc_ports, which
currently fails on undefined ports.
Perhaps we should rename this call.
Eventually we should replace all corenet_bind_all_reserved_ports with
corenet_bind_all_rpc_ports.
Dan
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.4.3/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2006-10-17 13:47:44.000000000 -0400
+++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.if.in 2006-11-07 11:31:40.000000000 -0500
@@ -998,9 +998,11 @@
interface(`corenet_tcp_sendrecv_reserved_port',`
gen_require(`
type reserved_port_t;
+ type hi_reserved_port_t;
')
allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
+ allow $1 hi_reserved_port_t:tcp_socket { send_msg recv_msg };
')
########################################
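Review bot: The explicit `allow $1 hi_reserved_port_t:tcp_socket { send_msg recv_msg };` is needed here only because this interface names `reserved_port_t` directly instead of going through the `reserved_port_type` attribute, so every other interface in corenetwork.if.in that names `reserved_port_t` directly (any dontaudit variant, for example) needs the same two-line addition or it silently stops covering 512-1023 once the portcon split lands. The patch touches six such interfaces; I cannot tell from this hunk whether the file has more. A grep for `type reserved_port_t;` in the interface file before merging would confirm coverage, and a one-line comment such as `# hi_reserved_port_t is the 512-1023 half of the old reserved_port_t range` on the first added rule would tell the next reader why two types are listed.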
@@ -1016,9 +1018,11 @@
interface(`corenet_udp_send_reserved_port',`
gen_require(`
type reserved_port_t;
+ type hi_reserved_port_t;
')
allow $1 reserved_port_t:udp_socket send_msg;
+ allow $1 hi_reserved_port_t:udp_socket send_msg;
')
########################################
@@ -1034,9 +1038,11 @@
interface(`corenet_udp_receive_reserved_port',`
gen_require(`
type reserved_port_t;
+ type hi_reserved_port_t;
')
allow $1 reserved_port_t:udp_socket recv_msg;
+ allow $1 hi_reserved_port_t:udp_socket recv_msg;
')
########################################
@@ -1067,9 +1073,11 @@
interface(`corenet_tcp_bind_reserved_port',`
gen_require(`
type reserved_port_t;
+ type hi_reserved_port_t;
')
allow $1 reserved_port_t:tcp_socket name_bind;
+ allow $1 hi_reserved_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
')
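Review bot: The `## <summary>` documentation for `corenet_tcp_bind_reserved_port` sits above the hunk and is not shown, but the interface now grants `name_bind` on two types, so its summary should state that it still covers the whole undeclared 1-1023 range, e.g. `## Bind TCP sockets to any undeclared reserved port (1-1023, i.e. both reserved_port_t and hi_reserved_port_t).` Without that, a policy author reading the new two-type body may assume the interface narrowed. Note also that any domain which reaches 512-1023 only through bindresvport should, as the cover letter says, be moved to `corenet_tcp_bind_all_rpc_ports` rather than keep this broader grant, since this interface still hands out `net_bind_service` and the low 1-511 half too.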
@@ -1086,9 +1094,11 @@
interface(`corenet_udp_bind_reserved_port',`
gen_require(`
type reserved_port_t;
+ type hi_reserved_port_t;
')
allow $1 reserved_port_t:udp_socket name_bind;
+ allow $1 hi_reserved_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
')
@@ -1105,9 +1115,11 @@
interface(`corenet_tcp_connect_reserved_port',`
gen_require(`
type reserved_port_t;
+ type hi_reserved_port_t;
')
allow $1 reserved_port_t:tcp_socket name_connect;
+ allow $1 hi_reserved_port_t:tcp_socket name_connect;
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-11-06 11:13:17.000000000 -0500
+++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.in 2006-11-07 11:32:22.000000000 -0500
@@ -43,11 +43,16 @@
sid port gen_context(system_u:object_r:port_t,s0)
#
-# reserved_port_t is the type of INET port numbers below 1024.
+# reserved_port_t is the type of INET port numbers below 512.
#
type reserved_port_t, port_type, reserved_port_type;
#
+# hi_reserved_port_t is the type of INET port numbers between 600-1023.
+#
+type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+
+#
# server_packet_t is the default type of IPv4 and IPv6 server packets.
#
type server_packet_t, packet_type, server_packet_type;
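Review bot: The new comment `# hi_reserved_port_t is the type of INET port numbers between 600-1023.` disagrees with the portcon this same patch adds for 512-1023 and with the cover letter; it should read `# hi_reserved_port_t is the type of INET port numbers between 512-1023 not otherwise declared.` While here, the `reserved_port_t` comment was changed to "below 512" but both comments should say these are defaults for ports without a more specific portcon, since that is what the earlier-entry-wins rule in the portcon section relies on. The 512 boundary now lives in this file and in corenetwork.te.m4; a mismatch between the two would silently change which ports carry rpc_port_type.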
@@ -152,8 +160,11 @@
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
-portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
-portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
+
+portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
########################################
#
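Review bot: The explanatory comment that still reads "Defaults for reserved ports ... any remaining reserved ports not otherwise declared" is now separated from the entries it describes by the added blank line and no longer mentions the split, so drop the blank line and extend the comment with something like `# 512-1023 get hi_reserved_port_t (rpc_port_type) because glibc bindresvport allocates from that range; 1-511 stay reserved_port_t.` Placing the hi_reserved_port_t entries before the reserved_port_t ones has no effect since the ranges do not overlap, but both must remain after every specific portcon for the earlier-entry precedence described in that comment to hold.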
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.m4
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 2006-09-29 14:28:01.000000000 -0400
+++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.m4 2006-11-07 11:08:36.000000000 -0500
@@ -55,8 +55,8 @@
define(`declare_ports',`dnl
ifelse(eval($3 < 1024),1,`
typeattribute $1 reserved_port_type;
-#bindresvport in glibc starts searching for reserved ports at 600
-ifelse(eval($3 >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
+#bindresvport in glibc starts searching for reserved ports at 512
+ifelse(eval($3 >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
',`dnl')
portcon $2 $3 gen_context(system_u:object_r:$1,$4)
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
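Review bot: The rewritten comment `#bindresvport in glibc starts searching for reserved ports at 512` makes a claim the cover letter does not; the letter only says bindresvport binds within 512-1023, and if glibc in fact starts its search higher and wraps down to 512 (which is what the old 600 threshold suggests), "starts searching at 512" is misleading while the new `>= 512` test is right. I would phrase it as `#bindresvport in glibc allocates from the 512-1023 range, so every declared port in that range is also an rpc port`. The 512 constant is now duplicated between this macro and the portcon entries in corenetwork.te.in; defining it once here, e.g. `define(`rpc_port_low',`512')`, and using it in both places would keep the two from drifting.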