Re: [PATCH v1 5/9] libsepol: Add ibendport ocontext handling
On 5/17/2017 8:53 AM, James Carter wrote:
> On 05/15/2017 04:42 PM, Dan Jurgens wrote:
>> From: Daniel Jurgens
>>
>>
>> +exit:
>> +if (rc != 0) {
>> +sepol_log_err("Error writing ibendportcon rules to CIL\n");
>> +}
>> +
>> +return rc;
>> +}
>> +
> You need to have the ibendport rules sorted like I mentioned for ibpkey in
> patch 2.
>
> Jim
Done for both patches.
Re: [PATCH v1 5/9] libsepol: Add ibendport ocontext handling
On 05/15/2017 04:42 PM, Dan Jurgens wrote:
From: Daniel Jurgens
Add support for reading, writing, and copying IB end port ocontext data. Also add support for querying a IB end port sid to checkpolicy.
Signed-off-by: Daniel Jurgens
---
v1:
Stephen Smalley:
- Removed unused domain and type params from sepol_ibendport_sid.
- Remove ibendport initial sid from ocontext_selinux_isid_to_cil
- Check the length provide for the device name in ocontext_read_selinux
- Used strcmp for dev_name comparison.
James Carter:
- Added ibendport handling to kernel_to_cil.c and kernel_to_conf.c
Signed-off-by: Daniel Jurgens
---
 checkpolicy/checkpolicy.c | 20 ++
 libsepol/include/sepol/policydb/services.h | 8 ++
 libsepol/src/expand.c | 8 ++
 libsepol/src/kernel_to_cil.c | 42 ++
 libsepol/src/kernel_to_conf.c | 41 +
 libsepol/src/libsepol.map.in | 1 +
 libsepol/src/module_to_cil.c | 14 ++
 libsepol/src/policydb.c| 26 +++---
 libsepol/src/services.c| 37 ++
 libsepol/src/write.c | 14 ++
 10 files changed, 208 insertions(+), 3 deletions(-)
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index d0e46ba..94bf083 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -701,6 +701,7 @@ int main(int argc, char **argv)
 printf("i) display constraint expressions\n");
 printf("j) display validatetrans expressions\n");
 printf("k) Call ibpkey_sid\n");
+ printf("l) Call ibendport_sid\n");
 #ifdef EQUIVTYPES
 printf("z) Show equivalent types\n");
 #endif
@@ -1245,6 +1246,25 @@ int main(int argc, char **argv)
 printf("sid %d\n", ssid);
 }
 break;
+ case 'l':
+ printf("device name (eg. mlx4_0)? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+
+ name = malloc((strlen(ans) + 1) * sizeof(char));
+ if (!name) {
+ fprintf(stderr, "couldn't malloc string.\n");
+ break;
+ }
+ strcpy(name, ans);
+
+ printf("port? ");
+ FGETS(ans, sizeof(ans), stdin);
+ port = atoi(ans);
+ sepol_ibendport_sid(name, port, );
+ printf("sid %d\n", ssid);
+ free(name);
+ break;
 #ifdef EQUIVTYPES
 case 'z':
 identify_equiv_types();
diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h
index 459254e..e4f2f11 100644
--- a/libsepol/include/sepol/policydb/services.h
+++ b/libsepol/include/sepol/policydb/services.h
@@ -196,6 +196,14 @@ extern int sepol_ibpkey_sid(void *subnet_prefix_p,
 sepol_security_id_t *out_sid);
 
 /*
+ * Return the SID of the ibendport specified by
+ * `dev_name', and `port'.
+ */
+extern int sepol_ibendport_sid(char *dev_name,
+ uint8_t port,
+ sepol_security_id_t *out_sid);
+
+/*
 * Return the SIDs to use for a network interface
 * with the name `name'. The `if_sid' SID is returned for
 * the interface and the `msg_sid' SID is returned as
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index c45ecbe..061945e 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -2226,6 +2226,14 @@ static int ocontext_copy_selinux(expand_state_t *state)
 n->u.ibpkey.low_pkey = c->u.ibpkey.low_pkey;
 n->u.ibpkey.high_pkey = c->u.ibpkey.high_pkey;
 break;
+ case OCON_IBENDPORT:
+ n->u.ibendport.dev_name = strdup(c->u.ibendport.dev_name);
+ if (!n->u.ibendport.dev_name) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ n->u.ibendport.port = c->u.ibendport.port;
+ break;
 case OCON_PORT:
 n->u.port.protocol = c->u.port.protocol;
 n->u.port.low_port = c->u.port.low_port;
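Review bot: `port = atoi(ans);` feeds an unchecked value to the `uint8_t port` parameter of `sepol_ibendport_sid()`, so non-numeric or out-of-range input is silently truncated instead of rejected, and the call's return value is dropped, so `printf("sid %d\n", ssid);` prints a stale `ssid` whenever the lookup fails. The third argument of the call shows as empty here (`sepol_ibendport_sid(name, port, );`), presumably `&ssid` eaten by the archive rendering, which is worth confirming against the applied patch. `ans[strlen(ans) - 1] = 0;` also assumes FGETS never yields an empty buffer; that holds if FGETS exits on a NULL fgets() as it seems to elsewhere in this file, but that definition is not visible here. The same hunk is repeated in the second copy of the patch further down this page, and main() begins and ends outside the hunk.
```c
			printf("port? ");
			FGETS(ans, sizeof(ans), stdin);
			errno = 0;
			char *end = NULL;
			unsigned long p = strtoul(ans, &end, 10);
			if (end == ans || errno == ERANGE || p > UINT8_MAX) {
				fprintf(stderr, "invalid port number.\n");
				free(name);
				break;
			}
			port = p;
			int rc = sepol_ibendport_sid(name, port, &ssid);
			if (rc)
				printf("sepol_ibendport_sid failed: %d\n", rc);
			else
				printf("sid %d\n", ssid);
			free(name);
			break;
```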
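Review bot: The new prototype takes `char *dev_name` although the lookup only compares the name (the changelog says a `strcmp` is used), so `extern int sepol_ibendport_sid(const char *dev_name,` would let callers pass string literals and const buffers without a cast and would document that the library neither modifies nor retains the name; the definition in services.c is not part of this excerpt and would need the matching change. The comment above the declaration could also say what is returned when no ibendportcon rule matches the device and port, which the neighbouring `sepol_ibpkey_sid` comment likewise leaves implicit.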
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index fcfd0e0..6587ff4 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
[PATCH v1 5/9] libsepol: Add ibendport ocontext handling
From: Daniel Jurgens
Add support for reading, writing, and copying IB end port ocontext data. Also add support for querying a IB end port sid to checkpolicy.
Signed-off-by: Daniel Jurgens
---
v1:
Stephen Smalley:
- Removed unused domain and type params from sepol_ibendport_sid.
- Remove ibendport initial sid from ocontext_selinux_isid_to_cil
- Check the length provide for the device name in ocontext_read_selinux
- Used strcmp for dev_name comparison.
James Carter:
- Added ibendport handling to kernel_to_cil.c and kernel_to_conf.c
Signed-off-by: Daniel Jurgens
---
 checkpolicy/checkpolicy.c | 20 ++
 libsepol/include/sepol/policydb/services.h | 8 ++
 libsepol/src/expand.c | 8 ++
 libsepol/src/kernel_to_cil.c | 42 ++
 libsepol/src/kernel_to_conf.c | 41 +
 libsepol/src/libsepol.map.in | 1 +
 libsepol/src/module_to_cil.c | 14 ++
 libsepol/src/policydb.c| 26 +++---
 libsepol/src/services.c| 37 ++
 libsepol/src/write.c | 14 ++
 10 files changed, 208 insertions(+), 3 deletions(-)
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index d0e46ba..94bf083 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -701,6 +701,7 @@ int main(int argc, char **argv)
 printf("i) display constraint expressions\n");
 printf("j) display validatetrans expressions\n");
 printf("k) Call ibpkey_sid\n");
+ printf("l) Call ibendport_sid\n");
 #ifdef EQUIVTYPES
 printf("z) Show equivalent types\n");
 #endif
@@ -1245,6 +1246,25 @@ int main(int argc, char **argv)
 printf("sid %d\n", ssid);
 }
 break;
+ case 'l':
+ printf("device name (eg. mlx4_0)? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+
+ name = malloc((strlen(ans) + 1) * sizeof(char));
+ if (!name) {
+ fprintf(stderr, "couldn't malloc string.\n");
+ break;
+ }
+ strcpy(name, ans);
+
+ printf("port? ");
+ FGETS(ans, sizeof(ans), stdin);
+ port = atoi(ans);
+ sepol_ibendport_sid(name, port, );
+ printf("sid %d\n", ssid);
+ free(name);
+ break;
 #ifdef EQUIVTYPES
 case 'z':
 identify_equiv_types();
diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h
index 459254e..e4f2f11 100644
--- a/libsepol/include/sepol/policydb/services.h
+++ b/libsepol/include/sepol/policydb/services.h
@@ -196,6 +196,14 @@ extern int sepol_ibpkey_sid(void *subnet_prefix_p,
 sepol_security_id_t *out_sid);
 
 /*
+ * Return the SID of the ibendport specified by
+ * `dev_name', and `port'.
+ */
+extern int sepol_ibendport_sid(char *dev_name,
+ uint8_t port,
+ sepol_security_id_t *out_sid);
+
+/*
 * Return the SIDs to use for a network interface
 * with the name `name'. The `if_sid' SID is returned for
 * the interface and the `msg_sid' SID is returned as
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index c45ecbe..061945e 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -2226,6 +2226,14 @@ static int ocontext_copy_selinux(expand_state_t *state)
 n->u.ibpkey.low_pkey = c->u.ibpkey.low_pkey;
 n->u.ibpkey.high_pkey = c->u.ibpkey.high_pkey;
 break;
+ case OCON_IBENDPORT:
+ n->u.ibendport.dev_name = strdup(c->u.ibendport.dev_name);
+ if (!n->u.ibendport.dev_name) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ n->u.ibendport.port = c->u.ibendport.port;
+ break;
 case OCON_PORT:
 n->u.port.protocol = c->u.port.protocol;
 n->u.port.low_port = c->u.port.low_port;
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index fcfd0e0..6587ff4 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -2837,6 +2837,43 @@ exit:
 return rc;
 }
 
+static int