Re: [PATCH] selinux: Add support for the SCTP portcon keyword

2018-03-19 Thread jwcart2

On 03/15/2018 01:09 PM, jwcart2 wrote:

On 03/11/2018 12:22 PM, Richard Haines via Selinux wrote:

Update libsepol, checkpolicy and the CIL compiler to support the SCTP
portcon keyword.

Signed-off-by: Richard Haines 


Acked-by: James Carter 



Applied.

Thanks,
Jim


---
  checkpolicy/checkpolicy.c  | 5 +
  checkpolicy/policy_define.c    | 5 +
  libsepol/cil/src/cil.c | 1 +
  libsepol/cil/src/cil_binary.c  | 6 ++
  libsepol/cil/src/cil_build_ast.c   | 2 ++
  libsepol/cil/src/cil_internal.h    | 4 +++-
  libsepol/cil/src/cil_policy.c  | 2 ++
  libsepol/cil/src/cil_tree.c    | 2 ++
  libsepol/include/sepol/port_record.h   | 1 +
  libsepol/src/kernel_to_cil.c   | 4 
  libsepol/src/kernel_to_common.c    | 3 +++
  libsepol/src/kernel_to_conf.c  | 4 
  libsepol/src/module_to_cil.c   | 4 
  libsepol/src/port_record.c | 2 ++
  libsepol/src/ports.c   | 7 +++
  secilc/docs/cil_network_labeling_statements.md | 5 +++--
  secilc/test/policy.cil | 1 +
  17 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 923b47c1..fbda4558 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -69,6 +69,9 @@
  #ifndef IPPROTO_DCCP
  #define IPPROTO_DCCP 33
  #endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
  #include 
  #include 
  #include 
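Review bot: The `IPPROTO_SCTP` fallback on the three added lines sits before the `#include` lines of this hunk, so it is only correct if `<netinet/in.h>` was already included above the hunk, as the neighbouring `IPPROTO_DCCP` fallback suggests; glibc declares `IPPROTO_SCTP` as an enumerator paired with a same-named macro, and a macro defined ahead of that header would turn the enumerator into `132 = 132` and break the build. A one-line comment would pin the ordering: `/* fallback for a <netinet/in.h> without SCTP; must come after that include */`. The identical fallback is repeated in checkpolicy/policy_define.c and libsepol/cil/src/cil_binary.c (and, going by the diffstat, presumably in the other libsepol sources the series touches); a single shared header would keep the protocol number in one place. This covers the two quoted copies of the patch further down the page as well.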
@@ -944,6 +947,8 @@ int main(int argc, char **argv)
  protocol = IPPROTO_UDP;
  else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
  protocol = IPPROTO_DCCP;
+    else if (!strcmp(ans, "sctp") || !strcmp(ans, "SCTP"))
+    protocol = IPPROTO_SCTP;
  else {
  printf("unknown protocol\n");
  break;
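Review bot: The new `sctp`/`SCTP` branch, like the `dccp` one above it, accepts only the all-lower-case and all-upper-case spellings, so an interactive answer such as `Sctp` falls through to "unknown protocol"; `strcasecmp(ans, "sctp") == 0` from `<strings.h>` (POSIX) would accept any casing with a single comparison. The same pattern is added to `define_port_context` in checkpolicy/policy_define.c, where a rejected spelling is at least reported with its text via `yyerror2`, so the interactive prompt here is the less forgiving of the two. `main` begins and ends outside this hunk. This applies equally to the two quoted copies of the patch further down the page.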
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 2c5db55d..11fd37d8 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -40,6 +40,9 @@
  #ifndef IPPROTO_DCCP
  #define IPPROTO_DCCP 33
  #endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
  #include 
  #include 
  #include 
@@ -5004,6 +5007,8 @@ int define_port_context(unsigned int low, unsigned int 
high)

  protocol = IPPROTO_UDP;
  } else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
  protocol = IPPROTO_DCCP;
+    } else if ((strcmp(id, "sctp") == 0) || (strcmp(id, "SCTP") == 0)) {
+    protocol = IPPROTO_SCTP;
  } else {
  yyerror2("unrecognized protocol %s", id);
  goto bad;
diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index 5a64c2bc..2a7ec063 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -109,6 +109,7 @@ static void cil_init_keys(void)
  CIL_KEY_UDP = cil_strpool_add("udp");
  CIL_KEY_TCP = cil_strpool_add("tcp");
  CIL_KEY_DCCP = cil_strpool_add("dccp");
+    CIL_KEY_SCTP = cil_strpool_add("sctp");
  CIL_KEY_AUDITALLOW = cil_strpool_add("auditallow");
  CIL_KEY_TUNABLEIF = cil_strpool_add("tunableif");
  CIL_KEY_ALLOW = cil_strpool_add("allow");
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 431cd9cd..0cc6eeb1 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -34,6 +34,9 @@
  #ifndef IPPROTO_DCCP
  #define IPPROTO_DCCP 33
  #endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
  #include 
  #include 
@@ -3272,6 +3275,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct 
cil_sort *portcons)

  case CIL_PROTOCOL_DCCP:
  new_ocon->u.port.protocol = IPPROTO_DCCP;
  break;
+    case CIL_PROTOCOL_SCTP:
+    new_ocon->u.port.protocol = IPPROTO_SCTP;
+    break;
  default:
  /* should not get here */
  rc = SEPOL_ERR;
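Review bot: The new `CIL_PROTOCOL_SCTP` case stores `IPPROTO_SCTP` into the port ocontext exactly like the DCCP case, with no policy-version or capability gate, so a policy carrying SCTP portcons will presumably load on kernels that do not yet label SCTP ports, where those entries can never match; that is a property of the running kernel rather than of the policy file and is easy to misread as a labeling bug. A brief comment on the case, `/* needs a kernel that labels SCTP ports; older kernels load but never match these */`, or a sentence in the secilc portcon documentation (changed in this series but not shown here) would make the behaviour explicit. `cil_portcon_to_policydb` begins and ends outside this hunk. The same applies to the quoted copies of this hunk further down the page.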
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index e84336bf..b90b0f60 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -4405,6 +4405,8 @@ int cil_gen_portcon(struct cil_db *db, struct 
cil_tree_node *parse_current, stru

  portcon->proto = CIL_PROTOCOL_TCP;
  } else if (proto == CIL_KEY_DCCP) {
  portcon->proto = CIL_PROTOCOL_DCCP;
+    } else if (proto == CIL_KEY_SCTP) {
+    portcon->proto = CIL_PROTOCOL_SCTP;
  } else {
  cil_log(CIL_ERR, "Invalid protocol\n");
  rc = SEPOL_ERR;
diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h
index 8393e391..6ff32285 100644
--- a/libsepol/cil/src/cil_internal.h
+++ b/libsepol/cil/src/cil_internal.h
@@ -103,6 +103,7 @@ char *CIL_KEY_STAR;
  char 

Re: [PATCH] selinux: Add support for the SCTP portcon keyword

2018-03-15 Thread jwcart2

On 03/11/2018 12:22 PM, Richard Haines via Selinux wrote:

Update libsepol, checkpolicy and the CIL compiler to support the SCTP
portcon keyword.

Signed-off-by: Richard Haines 


Acked-by: James Carter 


---
  checkpolicy/checkpolicy.c  | 5 +
  checkpolicy/policy_define.c| 5 +
  libsepol/cil/src/cil.c | 1 +
  libsepol/cil/src/cil_binary.c  | 6 ++
  libsepol/cil/src/cil_build_ast.c   | 2 ++
  libsepol/cil/src/cil_internal.h| 4 +++-
  libsepol/cil/src/cil_policy.c  | 2 ++
  libsepol/cil/src/cil_tree.c| 2 ++
  libsepol/include/sepol/port_record.h   | 1 +
  libsepol/src/kernel_to_cil.c   | 4 
  libsepol/src/kernel_to_common.c| 3 +++
  libsepol/src/kernel_to_conf.c  | 4 
  libsepol/src/module_to_cil.c   | 4 
  libsepol/src/port_record.c | 2 ++
  libsepol/src/ports.c   | 7 +++
  secilc/docs/cil_network_labeling_statements.md | 5 +++--
  secilc/test/policy.cil | 1 +
  17 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 923b47c1..fbda4558 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -69,6 +69,9 @@
  #ifndef IPPROTO_DCCP
  #define IPPROTO_DCCP 33
  #endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
  #include 
  #include 
  #include 
@@ -944,6 +947,8 @@ int main(int argc, char **argv)
protocol = IPPROTO_UDP;
else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
protocol = IPPROTO_DCCP;
+   else if (!strcmp(ans, "sctp") || !strcmp(ans, "SCTP"))
+   protocol = IPPROTO_SCTP;
else {
printf("unknown protocol\n");
break;
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 2c5db55d..11fd37d8 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -40,6 +40,9 @@
  #ifndef IPPROTO_DCCP
  #define IPPROTO_DCCP 33
  #endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
  #include 
  #include 
  #include 
@@ -5004,6 +5007,8 @@ int define_port_context(unsigned int low, unsigned int 
high)
protocol = IPPROTO_UDP;
} else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
protocol = IPPROTO_DCCP;
+   } else if ((strcmp(id, "sctp") == 0) || (strcmp(id, "SCTP") == 0)) {
+   protocol = IPPROTO_SCTP;
} else {
yyerror2("unrecognized protocol %s", id);
goto bad;
diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index 5a64c2bc..2a7ec063 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -109,6 +109,7 @@ static void cil_init_keys(void)
CIL_KEY_UDP = cil_strpool_add("udp");
CIL_KEY_TCP = cil_strpool_add("tcp");
CIL_KEY_DCCP = cil_strpool_add("dccp");
+   CIL_KEY_SCTP = cil_strpool_add("sctp");
CIL_KEY_AUDITALLOW = cil_strpool_add("auditallow");
CIL_KEY_TUNABLEIF = cil_strpool_add("tunableif");
CIL_KEY_ALLOW = cil_strpool_add("allow");
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 431cd9cd..0cc6eeb1 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -34,6 +34,9 @@
  #ifndef IPPROTO_DCCP
  #define IPPROTO_DCCP 33
  #endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
  
  #include 

  #include 
@@ -3272,6 +3275,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct 
cil_sort *portcons)
case CIL_PROTOCOL_DCCP:
new_ocon->u.port.protocol = IPPROTO_DCCP;
break;
+   case CIL_PROTOCOL_SCTP:
+   new_ocon->u.port.protocol = IPPROTO_SCTP;
+   break;
default:
/* should not get here */
rc = SEPOL_ERR;
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index e84336bf..b90b0f60 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -4405,6 +4405,8 @@ int cil_gen_portcon(struct cil_db *db, struct 
cil_tree_node *parse_current, stru
portcon->proto = CIL_PROTOCOL_TCP;
} else if (proto == CIL_KEY_DCCP) {
portcon->proto = CIL_PROTOCOL_DCCP;
+   } else if (proto == CIL_KEY_SCTP) {
+   portcon->proto = CIL_PROTOCOL_SCTP;
} else {
cil_log(CIL_ERR, "Invalid protocol\n");
rc = SEPOL_ERR;
diff --git 

[PATCH] selinux: Add support for the SCTP portcon keyword

2018-03-11 Thread Richard Haines via Selinux
Update libsepol, checkpolicy and the CIL compiler to support the SCTP
portcon keyword.

Signed-off-by: Richard Haines 
---
 checkpolicy/checkpolicy.c  | 5 +
 checkpolicy/policy_define.c| 5 +
 libsepol/cil/src/cil.c | 1 +
 libsepol/cil/src/cil_binary.c  | 6 ++
 libsepol/cil/src/cil_build_ast.c   | 2 ++
 libsepol/cil/src/cil_internal.h| 4 +++-
 libsepol/cil/src/cil_policy.c  | 2 ++
 libsepol/cil/src/cil_tree.c| 2 ++
 libsepol/include/sepol/port_record.h   | 1 +
 libsepol/src/kernel_to_cil.c   | 4 
 libsepol/src/kernel_to_common.c| 3 +++
 libsepol/src/kernel_to_conf.c  | 4 
 libsepol/src/module_to_cil.c   | 4 
 libsepol/src/port_record.c | 2 ++
 libsepol/src/ports.c   | 7 +++
 secilc/docs/cil_network_labeling_statements.md | 5 +++--
 secilc/test/policy.cil | 1 +
 17 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 923b47c1..fbda4558 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -69,6 +69,9 @@
 #ifndef IPPROTO_DCCP
 #define IPPROTO_DCCP 33
 #endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
 #include 
 #include 
 #include 
@@ -944,6 +947,8 @@ int main(int argc, char **argv)
protocol = IPPROTO_UDP;
else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
protocol = IPPROTO_DCCP;
+   else if (!strcmp(ans, "sctp") || !strcmp(ans, "SCTP"))
+   protocol = IPPROTO_SCTP;
else {
printf("unknown protocol\n");
break;
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 2c5db55d..11fd37d8 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -40,6 +40,9 @@
 #ifndef IPPROTO_DCCP
 #define IPPROTO_DCCP 33
 #endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
 #include 
 #include 
 #include 
@@ -5004,6 +5007,8 @@ int define_port_context(unsigned int low, unsigned int 
high)
protocol = IPPROTO_UDP;
} else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
protocol = IPPROTO_DCCP;
+   } else if ((strcmp(id, "sctp") == 0) || (strcmp(id, "SCTP") == 0)) {
+   protocol = IPPROTO_SCTP;
} else {
yyerror2("unrecognized protocol %s", id);
goto bad;
diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index 5a64c2bc..2a7ec063 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -109,6 +109,7 @@ static void cil_init_keys(void)
CIL_KEY_UDP = cil_strpool_add("udp");
CIL_KEY_TCP = cil_strpool_add("tcp");
CIL_KEY_DCCP = cil_strpool_add("dccp");
+   CIL_KEY_SCTP = cil_strpool_add("sctp");
CIL_KEY_AUDITALLOW = cil_strpool_add("auditallow");
CIL_KEY_TUNABLEIF = cil_strpool_add("tunableif");
CIL_KEY_ALLOW = cil_strpool_add("allow");
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 431cd9cd..0cc6eeb1 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -34,6 +34,9 @@
 #ifndef IPPROTO_DCCP
 #define IPPROTO_DCCP 33
 #endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
 
 #include 
 #include 
@@ -3272,6 +3275,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct 
cil_sort *portcons)
case CIL_PROTOCOL_DCCP:
new_ocon->u.port.protocol = IPPROTO_DCCP;
break;
+   case CIL_PROTOCOL_SCTP:
+   new_ocon->u.port.protocol = IPPROTO_SCTP;
+   break;
default:
/* should not get here */
rc = SEPOL_ERR;
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index e84336bf..b90b0f60 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -4405,6 +4405,8 @@ int cil_gen_portcon(struct cil_db *db, struct 
cil_tree_node *parse_current, stru
portcon->proto = CIL_PROTOCOL_TCP;
} else if (proto == CIL_KEY_DCCP) {
portcon->proto = CIL_PROTOCOL_DCCP;
+   } else if (proto == CIL_KEY_SCTP) {
+   portcon->proto = CIL_PROTOCOL_SCTP;
} else {
cil_log(CIL_ERR, "Invalid protocol\n");
rc = SEPOL_ERR;
diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h
index 8393e391..6ff32285 100644
--- a/libsepol/cil/src/cil_internal.h
+++