On 05/15/2017 04:42 PM, Dan Jurgens wrote:
From: Daniel Jurgens
Add support for reading, writing, and copying IB end port ocontext data.
Also add support for querying an IB end port SID to checkpolicy.
Signed-off-by: Daniel Jurgens
---
v1:
Stephen Smalley:
- Removed unused domain and type params from sepol_ibendport_sid.
- Remove ibendport initial sid from ocontext_selinux_isid_to_cil
- Check the length provided for the device name in ocontext_read_selinux
- Used strcmp for dev_name comparison.
James Carter:
- Added ibendport handling to kernel_to_cil.c and kernel_to_conf.c
Signed-off-by: Daniel Jurgens
---
checkpolicy/checkpolicy.c | 20 ++
libsepol/include/sepol/policydb/services.h | 8 ++
libsepol/src/expand.c | 8 ++
libsepol/src/kernel_to_cil.c | 42 ++
libsepol/src/kernel_to_conf.c | 41 +
libsepol/src/libsepol.map.in | 1 +
libsepol/src/module_to_cil.c | 14 ++
libsepol/src/policydb.c| 26 +++---
libsepol/src/services.c| 37 ++
libsepol/src/write.c | 14 ++
10 files changed, 208 insertions(+), 3 deletions(-)
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index d0e46ba..94bf083 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -701,6 +701,7 @@ int main(int argc, char **argv)
printf("i) display constraint expressions\n");
printf("j) display validatetrans expressions\n");
printf("k) Call ibpkey_sid\n");
+ printf("l) Call ibendport_sid\n");
#ifdef EQUIVTYPES
printf("z) Show equivalent types\n");
#endif
@@ -1245,6 +1246,25 @@ int main(int argc, char **argv)
printf("sid %d\n", ssid);
}
break;
+ case 'l':
+ printf("device name (eg. mlx4_0)? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+
+ name = malloc((strlen(ans) + 1) * sizeof(char));
+ if (!name) {
+ fprintf(stderr, "couldn't malloc string.\n");
+ break;
+ }
+ strcpy(name, ans);
+
+ printf("port? ");
+ FGETS(ans, sizeof(ans), stdin);
+ port = atoi(ans);
+ sepol_ibendport_sid(name, port, );
+ printf("sid %d\n", ssid);
+ free(name);
+ break;
#ifdef EQUIVTYPES
case 'z':
identify_equiv_types();
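Review bot: The newline strip `ans[strlen(ans) - 1] = 0;` after the first FGETS writes one byte before `ans` when the read string is empty and drops a real character when the line did not fit in the buffer and no newline was read, unless the FGETS macro (not visible here) already aborts on a short read; `ans[strcspn(ans, "\n")] = 0;` handles both cases, which matters because this string is the device name the policy lookup compares. The return value of `sepol_ibendport_sid` is discarded, so a failed lookup prints whatever `ssid` held from an earlier query; guarding the print with `if (sepol_ibendport_sid(name, port, &ssid) == 0)` would make failures visible (the third argument shows as `, )` in this copy of the patch, presumably a garbled `&ssid`). The port is parsed with `atoi` and narrowed to the `uint8_t` parameter, so values outside 0–255 are silently truncated; `strtoul` with an explicit range check would reject them instead. The malloc/strcpy copy of `ans` into `name` appears unnecessary since `ans` is still live at the call, though the `'k'` case above may follow the same pattern. main continues outside the hunk.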
diff --git a/libsepol/include/sepol/policydb/services.h
b/libsepol/include/sepol/policydb/services.h
index 459254e..e4f2f11 100644
--- a/libsepol/include/sepol/policydb/services.h
+++ b/libsepol/include/sepol/policydb/services.h
@@ -196,6 +196,14 @@ extern int sepol_ibpkey_sid(void *subnet_prefix_p,
sepol_security_id_t *out_sid);
/*
+ * Return the SID of the ibendport specified by
+ * `dev_name', and `port'.
+ */
+extern int sepol_ibendport_sid(char *dev_name,
+ uint8_t port,
+ sepol_security_id_t *out_sid);
+
+/*
* Return the SIDs to use for a network interface
* with the name `name'. The `if_sid' SID is returned for
* the interface and the `msg_sid' SID is returned as
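Review bot: `dev_name` should be declared `const char *` — the lookup only needs to compare the name (the changelog says it uses strcmp), and a non-const parameter forces callers such as checkpolicy to copy a buffer they could otherwise pass directly; `extern int sepol_ibendport_sid(const char *dev_name,`. The header comment also says nothing about the return value or the result when no ibendport ocontext matches; a line such as `Returns 0 on success and stores the SID in *out_sid; behaviour when no entry matches follows the other *_sid lookups here — confirm against services.c` would help callers. Because `port` is a `uint8_t`, callers converting from user input must range-check before the call rather than rely on this prototype.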
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index c45ecbe..061945e 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -2226,6 +2226,14 @@ static int ocontext_copy_selinux(expand_state_t *state)
n->u.ibpkey.low_pkey = c->u.ibpkey.low_pkey;
n->u.ibpkey.high_pkey = c->u.ibpkey.high_pkey;
break;
+ case OCON_IBENDPORT:
+ n->u.ibendport.dev_name =
strdup(c->u.ibendport.dev_name);
+ if (!n->u.ibendport.dev_name) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ n->u.ibendport.port = c->u.ibendport.port;
+ break;
case OCON_PORT:
n->u.port.protocol = c->u.port.protocol;
n->u.port.low_port = c->u.port.low_port;
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index fcfd0e0..6587ff4 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c