Re: [PATCH v1 5/9] libsepol: Add ibendport ocontext handling

2017-05-18 Thread Daniel Jurgens
On 5/17/2017 8:53 AM, James Carter wrote:
> On 05/15/2017 04:42 PM, Dan Jurgens wrote:
>> From: Daniel Jurgens 
>>
>>
>> +exit:
>> +if (rc != 0) {
>> +sepol_log_err("Error writing ibendportcon rules to CIL\n");
>> +}
>> +
>> +return rc;
>> +}
>> +
> You need to have the ibendport rules sorted like I mentioned for ibpkey in 
> patch 2.
>
> Jim
Done for both patches.



Re: [PATCH v1 5/9] libsepol: Add ibendport ocontext handling

2017-05-17 Thread James Carter

On 05/15/2017 04:42 PM, Dan Jurgens wrote:

From: Daniel Jurgens 

Add support for reading, writing, and copying IB end port ocontext data.
Also add support for querying an IB end port SID to checkpolicy.

Signed-off-by: Daniel Jurgens 

---
v1:
Stephen Smalley:
- Removed unused domain and type params from sepol_ibendport_sid.
- Remove ibendport initial sid from ocontext_selinux_isid_to_cil
- Check the length provided for the device name in ocontext_read_selinux
- Used strcmp for dev_name comparison.

James Carter:
- Added ibendport handling to kernel_to_cil.c and kernel_to_conf.c

Signed-off-by: Daniel Jurgens 
---
  checkpolicy/checkpolicy.c  | 20 ++
  libsepol/include/sepol/policydb/services.h |  8 ++
  libsepol/src/expand.c  |  8 ++
  libsepol/src/kernel_to_cil.c   | 42 ++
  libsepol/src/kernel_to_conf.c  | 41 +
  libsepol/src/libsepol.map.in   |  1 +
  libsepol/src/module_to_cil.c   | 14 ++
  libsepol/src/policydb.c| 26 +++---
  libsepol/src/services.c| 37 ++
  libsepol/src/write.c   | 14 ++
  10 files changed, 208 insertions(+), 3 deletions(-)

diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index d0e46ba..94bf083 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -701,6 +701,7 @@ int main(int argc, char **argv)
printf("i)  display constraint expressions\n");
printf("j)  display validatetrans expressions\n");
printf("k)  Call ibpkey_sid\n");
+   printf("l)  Call ibendport_sid\n");
  #ifdef EQUIVTYPES
printf("z)  Show equivalent types\n");
  #endif
@@ -1245,6 +1246,25 @@ int main(int argc, char **argv)
printf("sid %d\n", ssid);
}
break;
+   case 'l':
+   printf("device name (eg. mlx4_0)?  ");
+   FGETS(ans, sizeof(ans), stdin);
+   ans[strlen(ans) - 1] = 0;
+
+   name = malloc((strlen(ans) + 1) * sizeof(char));
+   if (!name) {
+   fprintf(stderr, "couldn't malloc string.\n");
+   break;
+   }
+   strcpy(name, ans);
+
+   printf("port? ");
+   FGETS(ans, sizeof(ans), stdin);
+   port = atoi(ans);
+   sepol_ibendport_sid(name, port, );
+   printf("sid %d\n", ssid);
+   free(name);
+   break;
  #ifdef EQUIVTYPES
case 'z':
identify_equiv_types();
diff --git a/libsepol/include/sepol/policydb/services.h 
b/libsepol/include/sepol/policydb/services.h
index 459254e..e4f2f11 100644
--- a/libsepol/include/sepol/policydb/services.h
+++ b/libsepol/include/sepol/policydb/services.h
@@ -196,6 +196,14 @@ extern int sepol_ibpkey_sid(void *subnet_prefix_p,
sepol_security_id_t *out_sid);
  
  /*

+ * Return the SID of the ibendport specified by
+ * `dev_name', and `port'.
+ */
+extern int sepol_ibendport_sid(char *dev_name,
+  uint8_t port,
+  sepol_security_id_t *out_sid);
+
+/*
   * Return the SIDs to use for a network interface
   * with the name `name'.  The `if_sid' SID is returned for
   * the interface and the `msg_sid' SID is returned as
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index c45ecbe..061945e 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -2226,6 +2226,14 @@ static int ocontext_copy_selinux(expand_state_t *state)
n->u.ibpkey.low_pkey = c->u.ibpkey.low_pkey;
n->u.ibpkey.high_pkey = c->u.ibpkey.high_pkey;
break;
+   case OCON_IBENDPORT:
+   n->u.ibendport.dev_name = 
strdup(c->u.ibendport.dev_name);
+   if (!n->u.ibendport.dev_name) {
+   ERR(state->handle, "Out of memory!");
+   return -1;
+   }
+   n->u.ibendport.port = c->u.ibendport.port;
+   break;
case OCON_PORT:
n->u.port.protocol = c->u.port.protocol;
n->u.port.low_port = c->u.port.low_port;
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index fcfd0e0..6587ff4 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c

[PATCH v1 5/9] libsepol: Add ibendport ocontext handling

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens 

Add support for reading, writing, and copying IB end port ocontext data.
Also add support for querying an IB end port SID to checkpolicy.

Signed-off-by: Daniel Jurgens 

---
v1:
Stephen Smalley:
- Removed unused domain and type params from sepol_ibendport_sid.
- Remove ibendport initial sid from ocontext_selinux_isid_to_cil
- Check the length provided for the device name in ocontext_read_selinux
- Used strcmp for dev_name comparison.

James Carter:
- Added ibendport handling to kernel_to_cil.c and kernel_to_conf.c

Signed-off-by: Daniel Jurgens 
---
 checkpolicy/checkpolicy.c  | 20 ++
 libsepol/include/sepol/policydb/services.h |  8 ++
 libsepol/src/expand.c  |  8 ++
 libsepol/src/kernel_to_cil.c   | 42 ++
 libsepol/src/kernel_to_conf.c  | 41 +
 libsepol/src/libsepol.map.in   |  1 +
 libsepol/src/module_to_cil.c   | 14 ++
 libsepol/src/policydb.c| 26 +++---
 libsepol/src/services.c| 37 ++
 libsepol/src/write.c   | 14 ++
 10 files changed, 208 insertions(+), 3 deletions(-)

diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index d0e46ba..94bf083 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -701,6 +701,7 @@ int main(int argc, char **argv)
printf("i)  display constraint expressions\n");
printf("j)  display validatetrans expressions\n");
printf("k)  Call ibpkey_sid\n");
+   printf("l)  Call ibendport_sid\n");
 #ifdef EQUIVTYPES
printf("z)  Show equivalent types\n");
 #endif
@@ -1245,6 +1246,25 @@ int main(int argc, char **argv)
printf("sid %d\n", ssid);
}
break;
+   case 'l':
+   printf("device name (eg. mlx4_0)?  ");
+   FGETS(ans, sizeof(ans), stdin);
+   ans[strlen(ans) - 1] = 0;
+
+   name = malloc((strlen(ans) + 1) * sizeof(char));
+   if (!name) {
+   fprintf(stderr, "couldn't malloc string.\n");
+   break;
+   }
+   strcpy(name, ans);
+
+   printf("port? ");
+   FGETS(ans, sizeof(ans), stdin);
+   port = atoi(ans);
+   sepol_ibendport_sid(name, port, );
+   printf("sid %d\n", ssid);
+   free(name);
+   break;
 #ifdef EQUIVTYPES
case 'z':
identify_equiv_types();
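Review bot: The return value of the lookup on the `sepol_ibendport_sid(name, port, );` line (the third argument is garbled in this copy, presumably `&ssid`) is discarded, so the following `printf("sid %d\n", ssid)` prints whatever ssid held before the call when no ibendportcon matches; the ibpkey case just above appears to guard its print, so this case should too: `if (sepol_ibendport_sid(name, port, &ssid))` / `printf("ibendport_sid failed\n");` / `else printf("sid %d\n", ssid);`. `port = atoi(ans)` is also silently narrowed to the `uint8_t port` parameter declared in services.h, so an input of 256 is looked up as port 0; parsing with strtoul and rejecting values outside 0–255 would make that visible. `ans[strlen(ans) - 1] = 0` follows the pattern of the neighbouring cases but drops a real character when the line arrived without a trailing newline (e.g. the last line of piped input), so trimming only when the last character is '\n' is safer. The enclosing switch and main() start and end outside this hunk.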
diff --git a/libsepol/include/sepol/policydb/services.h 
b/libsepol/include/sepol/policydb/services.h
index 459254e..e4f2f11 100644
--- a/libsepol/include/sepol/policydb/services.h
+++ b/libsepol/include/sepol/policydb/services.h
@@ -196,6 +196,14 @@ extern int sepol_ibpkey_sid(void *subnet_prefix_p,
sepol_security_id_t *out_sid);
 
 /*
+ * Return the SID of the ibendport specified by
+ * `dev_name', and `port'.
+ */
+extern int sepol_ibendport_sid(char *dev_name,
+  uint8_t port,
+  sepol_security_id_t *out_sid);
+
+/*
  * Return the SIDs to use for a network interface
  * with the name `name'.  The `if_sid' SID is returned for 
  * the interface and the `msg_sid' SID is returned as
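Review bot: The new prototype takes `char *dev_name` although, per the changelog, the implementation only runs strcmp on it; declaring it `extern int sepol_ibendport_sid(const char *dev_name,` lets callers pass const policy strings without a cast and records that the callee neither modifies nor retains the buffer. The comment above the prototype should also state the return convention (what non-zero means) and what `*out_sid` holds when no ibendportcon entry matches the device/port pair, since the services.c body is not in this hunk and a caller cannot tell whether a fallback SID is produced. The sibling `sepol_ibpkey_sid` declaration whose tail appears as context here is only partly visible, so I cannot confirm which convention it documents.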
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index c45ecbe..061945e 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -2226,6 +2226,14 @@ static int ocontext_copy_selinux(expand_state_t *state)
n->u.ibpkey.low_pkey = c->u.ibpkey.low_pkey;
n->u.ibpkey.high_pkey = c->u.ibpkey.high_pkey;
break;
+   case OCON_IBENDPORT:
+   n->u.ibendport.dev_name = 
strdup(c->u.ibendport.dev_name);
+   if (!n->u.ibendport.dev_name) {
+   ERR(state->handle, "Out of memory!");
+   return -1;
+   }
+   n->u.ibendport.port = c->u.ibendport.port;
+   break;
case OCON_PORT:
n->u.port.protocol = c->u.port.protocol;
n->u.port.low_port = c->u.port.low_port;
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index fcfd0e0..6587ff4 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -2837,6 +2837,43 @@ exit:
return rc;
 }
 
+static int