From: James Carter <jwcart2@tycho.nsa.gov>
To: Richard Haines <richard_c_haines@btinternet.com>, selinux@tycho.nsa.gov
Subject: Re: [PATCH] selinux: Add support for portcon dccp protocol
Date: Wed, 6 Apr 2016 11:50:36 -0400 [thread overview]
Message-ID: <5705304C.5070107@tycho.nsa.gov> (raw)
In-Reply-To: <1459943075-4050-1-git-send-email-richard_c_haines@btinternet.com>
On 04/06/2016 07:44 AM, Richard Haines wrote:
> This adds CIL and checkpolicy support for the (portcon dccp ...)
> statement. The kernel already handles name_bind and name_connect
> permissions for the dccp_socket class.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Applied.
Thanks,
Jim
> ---
> checkpolicy/checkpolicy.c | 2 ++
> checkpolicy/policy_define.c | 2 ++
> libsepol/cil/src/cil.c | 1 +
> libsepol/cil/src/cil_binary.c | 3 +++
> libsepol/cil/src/cil_build_ast.c | 2 ++
> libsepol/cil/src/cil_internal.h | 4 +++-
> libsepol/cil/src/cil_policy.c | 2 ++
> libsepol/cil/src/cil_tree.c | 2 ++
> libsepol/include/sepol/port_record.h | 1 +
> libsepol/src/module_to_cil.c | 1 +
> libsepol/src/port_record.c | 2 ++
> libsepol/src/ports.c | 4 ++++
> secilc/docs/cil_network_labeling_statements.md | 5 +++--
> secilc/test/policy.cil | 1 +
> 14 files changed, 29 insertions(+), 3 deletions(-)
>
> diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
> index 9da661e..ea9ee00 100644
> --- a/checkpolicy/checkpolicy.c
> +++ b/checkpolicy/checkpolicy.c
> @@ -919,6 +919,8 @@ int main(int argc, char **argv)
> protocol = IPPROTO_TCP;
> else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP"))
> protocol = IPPROTO_UDP;
> + else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
> + protocol = IPPROTO_DCCP;
> else {
> printf("unknown protocol\n");
> break;
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index ee20fea..7a4d2f1 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -4876,6 +4876,8 @@ int define_port_context(unsigned int low, unsigned int high)
> protocol = IPPROTO_TCP;
> } else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
> protocol = IPPROTO_UDP;
> + } else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
> + protocol = IPPROTO_DCCP;
> } else {
> yyerror2("unrecognized protocol %s", id);
> free(newc);
> diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
> index afdc240..de7033a 100644
> --- a/libsepol/cil/src/cil.c
> +++ b/libsepol/cil/src/cil.c
> @@ -108,6 +108,7 @@ static void cil_init_keys(void)
> CIL_KEY_STAR = cil_strpool_add("*");
> CIL_KEY_UDP = cil_strpool_add("udp");
> CIL_KEY_TCP = cil_strpool_add("tcp");
> + CIL_KEY_DCCP = cil_strpool_add("dccp");
> CIL_KEY_AUDITALLOW = cil_strpool_add("auditallow");
> CIL_KEY_TUNABLEIF = cil_strpool_add("tunableif");
> CIL_KEY_ALLOW = cil_strpool_add("allow");
> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> index f749e53..5d7e52e 100644
> --- a/libsepol/cil/src/cil_binary.c
> +++ b/libsepol/cil/src/cil_binary.c
> @@ -3035,6 +3035,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons)
> case CIL_PROTOCOL_TCP:
> new_ocon->u.port.protocol = IPPROTO_TCP;
> break;
> + case CIL_PROTOCOL_DCCP:
> + new_ocon->u.port.protocol = IPPROTO_DCCP;
> + break;
> default:
> /* should not get here */
> rc = SEPOL_ERR;
> diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
> index 1135e06..90fee8e 100644
> --- a/libsepol/cil/src/cil_build_ast.c
> +++ b/libsepol/cil/src/cil_build_ast.c
> @@ -4261,6 +4261,8 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru
> portcon->proto = CIL_PROTOCOL_UDP;
> } else if (proto == CIL_KEY_TCP) {
> portcon->proto = CIL_PROTOCOL_TCP;
> + } else if (proto == CIL_KEY_DCCP) {
> + portcon->proto = CIL_PROTOCOL_DCCP;
> } else {
> cil_log(CIL_ERR, "Invalid protocol\n");
> rc = SEPOL_ERR;
> diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h
> index a0a5480..a75ddf8 100644
> --- a/libsepol/cil/src/cil_internal.h
> +++ b/libsepol/cil/src/cil_internal.h
> @@ -101,6 +101,7 @@ char *CIL_KEY_OBJECT_R;
> char *CIL_KEY_STAR;
> char *CIL_KEY_TCP;
> char *CIL_KEY_UDP;
> +char *CIL_KEY_DCCP;
> char *CIL_KEY_AUDITALLOW;
> char *CIL_KEY_TUNABLEIF;
> char *CIL_KEY_ALLOW;
> @@ -713,7 +714,8 @@ struct cil_filecon {
>
> enum cil_protocol {
> CIL_PROTOCOL_UDP = 1,
> - CIL_PROTOCOL_TCP
> + CIL_PROTOCOL_TCP,
> + CIL_PROTOCOL_DCCP
> };
>
> struct cil_portcon {
> diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c
> index 2c9b158..382129b 100644
> --- a/libsepol/cil/src/cil_policy.c
> +++ b/libsepol/cil/src/cil_policy.c
> @@ -123,6 +123,8 @@ int cil_portcon_to_policy(FILE **file_arr, struct cil_sort *sort)
> fprintf(file_arr[NETIFCONS], "udp ");
> } else if (portcon->proto == CIL_PROTOCOL_TCP) {
> fprintf(file_arr[NETIFCONS], "tcp ");
> + } else if (portcon->proto == CIL_PROTOCOL_DCCP) {
> + fprintf(file_arr[NETIFCONS], "dccp ");
> }
> fprintf(file_arr[NETIFCONS], "%d ", portcon->port_low);
> fprintf(file_arr[NETIFCONS], "%d ", portcon->port_high);
> diff --git a/libsepol/cil/src/cil_tree.c b/libsepol/cil/src/cil_tree.c
> index 1c23efc..563b817 100644
> --- a/libsepol/cil/src/cil_tree.c
> +++ b/libsepol/cil/src/cil_tree.c
> @@ -1319,6 +1319,8 @@ void cil_tree_print_node(struct cil_tree_node *node)
> cil_log(CIL_INFO, " udp");
> } else if (portcon->proto == CIL_PROTOCOL_TCP) {
> cil_log(CIL_INFO, " tcp");
> + } else if (portcon->proto == CIL_PROTOCOL_DCCP) {
> + cil_log(CIL_INFO, " dccp");
> }
> cil_log(CIL_INFO, " (%d %d)", portcon->port_low, portcon->port_high);
>
> diff --git a/libsepol/include/sepol/port_record.h b/libsepol/include/sepol/port_record.h
> index 697cea4..c07d1fa 100644
> --- a/libsepol/include/sepol/port_record.h
> +++ b/libsepol/include/sepol/port_record.h
> @@ -14,6 +14,7 @@ typedef struct sepol_port_key sepol_port_key_t;
>
> #define SEPOL_PROTO_UDP 0
> #define SEPOL_PROTO_TCP 1
> +#define SEPOL_PROTO_DCCP 2
>
> /* Key */
> extern int sepol_port_compare(const sepol_port_t * port,
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> index 18ec6b9..b478d9f 100644
> --- a/libsepol/src/module_to_cil.c
> +++ b/libsepol/src/module_to_cil.c
> @@ -2537,6 +2537,7 @@ static int ocontext_selinux_port_to_cil(struct policydb *pdb, struct ocontext *p
> switch (portcon->u.port.protocol) {
> case IPPROTO_TCP: protocol = "tcp"; break;
> case IPPROTO_UDP: protocol = "udp"; break;
> + case IPPROTO_DCCP: protocol = "dccp"; break;
> default:
> log_err("Unknown portcon protocol: %i", portcon->u.port.protocol);
> rc = -1;
> diff --git a/libsepol/src/port_record.c b/libsepol/src/port_record.c
> index 6a33d93..ed9093b 100644
> --- a/libsepol/src/port_record.c
> +++ b/libsepol/src/port_record.c
> @@ -184,6 +184,8 @@ const char *sepol_port_get_proto_str(int proto)
> return "udp";
> case SEPOL_PROTO_TCP:
> return "tcp";
> + case SEPOL_PROTO_DCCP:
> + return "dccp";
> default:
> return "???";
> }
> diff --git a/libsepol/src/ports.c b/libsepol/src/ports.c
> index 607a629..b1ee094 100644
> --- a/libsepol/src/ports.c
> +++ b/libsepol/src/ports.c
> @@ -16,6 +16,8 @@ static inline int sepol2ipproto(sepol_handle_t * handle, int proto)
> return IPPROTO_TCP;
> case SEPOL_PROTO_UDP:
> return IPPROTO_UDP;
> + case SEPOL_PROTO_DCCP:
> + return IPPROTO_DCCP;
> default:
> ERR(handle, "unsupported protocol %u", proto);
> return STATUS_ERR;
> @@ -30,6 +32,8 @@ static inline int ipproto2sepol(sepol_handle_t * handle, int proto)
> return SEPOL_PROTO_TCP;
> case IPPROTO_UDP:
> return SEPOL_PROTO_UDP;
> + case IPPROTO_DCCP:
> + return SEPOL_PROTO_DCCP;
> default:
> ERR(handle, "invalid protocol %u " "found in policy", proto);
> return STATUS_ERR;
> diff --git a/secilc/docs/cil_network_labeling_statements.md b/secilc/docs/cil_network_labeling_statements.md
> index 183b350..b06dbcc 100644
> --- a/secilc/docs/cil_network_labeling_statements.md
> +++ b/secilc/docs/cil_network_labeling_statements.md
> @@ -155,7 +155,7 @@ These examples show named and anonymous [`nodecon`](cil_network_labeling_stateme
> portcon
> -------
>
> -Label a udp or tcp port.
> +Label a udp, tcp or dccp port.
>
> **Statement definition:**
>
> @@ -175,7 +175,7 @@ Label a udp or tcp port.
> </tr>
> <tr class="even">
> <td align="left"><p><code>protocol</code></p></td>
> -<td align="left"><p>The protocol keyword <code>tcp</code> or <code>udp</code>.</p></td>
> +<td align="left"><p>The protocol keyword <code>tcp</code>, <code>udp</code> or <code>dccp</code>.</p></td>
> </tr>
> <tr class="odd">
> <td align="left"><p><code>port |</code></p>
> @@ -199,3 +199,4 @@ These examples show named and anonymous [`portcon`](cil_network_labeling_stateme
> (portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
> (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
> (portcon tcp (2000 20000) (unconfined.user object_r unconfined.object (systemlow level_3)))
> + (portcon dccp (6840 6880) (unconfined.user object_r unconfined.object ((s0) level_2)))
> diff --git a/secilc/test/policy.cil b/secilc/test/policy.cil
> index 884d2dc..2078399 100644
> --- a/secilc/test/policy.cil
> +++ b/secilc/test/policy.cil
> @@ -270,6 +270,7 @@
> (nodecon ip_v6 netmask_v6 system_u_bin_t_l2h)
> (portcon udp 25 system_u_bin_t_l2h)
> (portcon tcp 22 system_u_bin_t_l2h)
> + (portcon dccp (2048 2096) system_u_bin_t_l2h)
> (genfscon - "/usr/bin" system_u_bin_t_l2h)
> (netifcon eth0 system_u_bin_t_l2h system_u_bin_t_l2h) ;different contexts?
> (fsuse xattr ext3 system_u_bin_t_l2h)
>
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
prev parent reply other threads:[~2016-04-06 15:50 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-06 11:44 [PATCH] selinux: Add support for portcon dccp protocol Richard Haines
2016-04-06 15:50 ` James Carter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5705304C.5070107@tycho.nsa.gov \
--to=jwcart2@tycho.nsa.gov \
--cc=richard_c_haines@btinternet.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.