On 10/31/2012 01:13 PM, qsw...@tresys.com wrote:
From: Quentin Swain <qsw...@tresys.com>
Added getvpnctx to selinux.h used by ipsec-tools to retrieve context for
creating labeled SPD policies. Added stubs of sidget and sidput needed by
ipsec-tools in /external/ipsec-tools/src/racoon/security.c.
Why isn't this done as a proper selabel backend like property_contexts
and file_contexts? Accessed using the selinux/label.h interfaces.
Also, don't add stubs for dead code - fix ipsec-tools by removing those
calls instead! Will happen for free if you switch to using
selinux_check_access() for the permission checking.
Change-Id: I4175cd5ae910de6dc95babe590ad3ff903d9ed10
---
Android.mk | 3 ++-
include/selinux/selinux.h | 5 +++++
src/avc.c | 10 +++++++++
src/label_vpn.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 70 insertions(+), 1 deletion(-)
create mode 100644 src/label_vpn.c
diff --git a/Android.mk b/Android.mk
index 14c9aab..1badf38 100644
--- a/Android.mk
+++ b/Android.mk
@@ -26,7 +26,8 @@ common_SRC_FILES := \
src/avc_internal.c \
src/avc_sidtab.c \
src/get_initial_context.c \
- src/checkAccess.c
+ src/checkAccess.c\
+ src/label_vpn.c
common_HOST_FILES := \
src/callbacks.c \
diff --git a/include/selinux/selinux.h b/include/selinux/selinux.h
index f9a02eb..ccc7c97 100644
--- a/include/selinux/selinux.h
+++ b/include/selinux/selinux.h
@@ -100,6 +100,11 @@ extern int fsetfilecon(int fd, security_context_t con);
Caller must free via freecon. */
extern int getpeercon(int fd, security_context_t * con);
+/* Get context for a VPN connection based on the remote IP
+ and traffic direction and return the proper label string
+*/
+extern char* getvpnctx(int direction, char* raddr);
+
/* Wrappers for the selinuxfs (policy) API. */
typedef unsigned int access_vector_t;
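Review bot: The new prototype `extern char* getvpnctx(int direction, char* raddr);` documents neither what values `direction` takes nor who owns the returned string, while the neighbouring getpeercon comment does state `Caller must free via freecon.`; a caller has no way to know whether to free the result. `raddr` is only read by the implementation in this series, so it should be declared `const char *raddr`. I would replace the three-line comment with one that names the direction values, states that the result must be freed via freecon, and states that NULL means error, and change the declaration to `extern char *getvpnctx(int direction, const char *raddr);`.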
diff --git a/src/avc.c b/src/avc.c
index 3ce724d..c39ca1b 100644
--- a/src/avc.c
+++ b/src/avc.c
@@ -86,6 +86,16 @@ int avc_sid_to_context(security_id_t sid, security_context_t
* ctx)
return rc;
}
+int sidget(security_id_t sid __attribute__((unused)))
+{
+ return 1;
+}
+
+int sidput(security_id_t sid __attribute__((unused)))
+{
+ return 1;
+}
+
int avc_get_initial_sid(const char * name, security_id_t * sid)
{
int rc;
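Review bot: `sidget` and `sidput` get external linkage here but no prototype is added to any header in this series (the diffstat shows selinux.h gaining only the getvpnctx lines), so any caller compiles against an implicit declaration and the constant `1` they return has no documented meaning. If they are kept at all, declare them in avc.h next to avc_sid_to_context with a comment such as `/* No-op reference counting for security_id_t; always returns 1. */` so the contract is visible to the ipsec-tools side.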
diff --git a/src/label_vpn.c b/src/label_vpn.c
new file mode 100644
index 0000000..de293dd
--- /dev/null
+++ b/src/label_vpn.c
@@ -0,0 +1,53 @@
+/*
+ * VPN Contexts backend for mapping hostnames to labels
+ */
+
+#include <stdarg.h>
+#include <string.h>
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include "callbacks.h"
+#include "label_internal.h"
+
+
+static const struct selinux_opt vpn_opts[] = {
+ { SELABEL_OPT_PATH, "/system/etc/security/vpn_contexts" }
+};
+
+
+char* getvpnctx(int dir, char* raddr)
+{
+ FILE *fp = NULL;
+ int mdir, *d = &mdir, length;
+ char buff[512],maddr[16],label[256];
+ security_context_t def;
+ char *path = (struct selinux_opt *)vpn_opts[0].value;
+
+ if((security_get_initial_context("unlabeled",&def)!= 0) || (def == NULL))
+ return NULL;
+
+ // if no context file label with default value
+ if((fp = fopen(path,"r")) == NULL)
+ return def;
+
+ while(fgets(buff,sizeof(buff),fp) != NULL){
+ // Treat # lines as a comment
+ if(!strncmp(buff,"#",1))
+ continue;
+
+ sscanf(buff,"%d\t%16s\t%250s",d,maddr,label);
+ length = (strlen(raddr)<= strlen(maddr)) ? strlen(raddr)
+ : strlen(maddr);
+
+ if((*d == dir) && !strncmp(maddr,raddr,length)){
+ fclose(fp);
+ return label;
+ }
+ }
+ // if no match use default
+ fclose(fp);
+ return def;
+}
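Review bot: `return label;` on the match path hands the caller the address of the stack array `label` and leaks `def`, which `security_get_initial_context` allocated, so the function's two return paths differ in ownership and one of them is a dangling pointer. `%16s` in the sscanf format needs 17 bytes but `maddr` is declared `maddr[16]`, and the sscanf result is never checked, so a blank or malformed line in vpn_contexts leaves `mdir`, `maddr` and `label` uninitialized or holding the previous line's values and can still satisfy the comparison. The comparison itself is a prefix match over the shorter string, so an entry for `10.0.0.1` also labels `10.0.0.10`; an exact `strcmp` is what a policy lookup needs. The cast on `char *path = (struct selinux_opt *)vpn_opts[0].value;` should simply be `const char *path = vpn_opts[0].value;`. The rewrite below keeps the signature and always returns a heap string the caller frees with freecon, matching getpeercon; whether `<stdio.h>` reaches this file through label_internal.h I cannot tell from the hunk.
```c
char* getvpnctx(int dir, char* raddr)
{
    FILE *fp = NULL;
    int mdir;
    char buff[512], maddr[17], label[256];   /* "%16s" stores up to 16 chars plus NUL */
    security_context_t def;
    const char *path = vpn_opts[0].value;
    char *result = NULL;

    if (raddr == NULL)
        return NULL;
    if ((security_get_initial_context("unlabeled", &def) != 0) || (def == NULL))
        return NULL;

    /* No context file: label with the default (heap string, caller frees via freecon). */
    if ((fp = fopen(path, "r")) == NULL)
        return def;

    while (fgets(buff, sizeof(buff), fp) != NULL) {
        /* Skip comments and blank lines. */
        if (buff[0] == '#' || buff[0] == '\n')
            continue;
        /* A malformed line must not reuse the previous line's fields. */
        if (sscanf(buff, "%d\t%16s\t%250s", &mdir, maddr, label) != 3)
            continue;
        /* Exact address match: a prefix match would let 10.0.0.1 label 10.0.0.10. */
        if (mdir == dir && strcmp(maddr, raddr) == 0) {
            result = strdup(label);   /* never hand out the stack array */
            break;
        }
    }
    fclose(fp);

    /* No match: fall back to the default context. */
    if (result == NULL && !ferror(fp) /* … replace with a matched flag if ferror is not wanted … */)
        return def;
    freecon(def);
    return result;   /* NULL here means strdup failed */
}
```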