
f6028d
diff --git checkpolicy-2.5/Android.mk checkpolicy-2.5/Android.mk
f6028d
index 98f5168..3b7ff8a 100644
f6028d
--- checkpolicy-2.5/Android.mk
f6028d
+++ checkpolicy-2.5/Android.mk
f6028d
@@ -12,10 +12,6 @@ common_cflags := \
f6028d
 	-Wall -Wshadow -O2 \
f6028d
 	-pipe -fno-strict-aliasing \
f6028d
 
f6028d
-ifeq ($(HOST_OS),darwin)
f6028d
-common_cflags += -DDARWIN
f6028d
-endif
f6028d
-
f6028d
 common_includes := \
f6028d
 	$(LOCAL_PATH)/ \
f6028d
 	$(LOCAL_PATH)/../libsepol/include/ \
f6028d
diff --git checkpolicy-2.5/ChangeLog checkpolicy-2.5/ChangeLog
f6028d
index dfe4908..f2216ec 100644
f6028d
--- checkpolicy-2.5/ChangeLog
f6028d
+++ checkpolicy-2.5/ChangeLog
f6028d
@@ -1,3 +1,11 @@
f6028d
+	* Extend checkpolicy pathname matching, from Stephen Smalley.
f6028d
+	* Fix typos in test/dispol, from Petr Lautrbach.
f6028d
+	* Set flex as default lexer, from Julien Pivotto.
f6028d
+	* Fix checkmodule output message, from Petr Lautrbach.
f6028d
+	* Build policy on systems not supporting DCCP protocol, from Richard Haines.
f6028d
+	* Fail if module name different than output base filename, from James Carter
f6028d
+	* Add support for portcon dccp protocol, from Richard Haines
f6028d
+
f6028d
 2.5 2016-02-23
f6028d
 	* Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep.
f6028d
 	* fix double free on name-based type transitions, from Stephen Smalley.
f6028d
diff --git checkpolicy-2.5/Makefile checkpolicy-2.5/Makefile
f6028d
index e5fae3d..53a3074 100644
f6028d
--- checkpolicy-2.5/Makefile
f6028d
+++ checkpolicy-2.5/Makefile
f6028d
@@ -8,6 +8,7 @@ LIBDIR ?= $(PREFIX)/lib
f6028d
 INCLUDEDIR ?= $(PREFIX)/include
f6028d
 TARGETS = checkpolicy checkmodule
f6028d
 
f6028d
+LEX = flex
f6028d
 YACC = bison -y
f6028d
 
f6028d
 CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
f6028d
diff --git checkpolicy-2.5/checkmodule.c checkpolicy-2.5/checkmodule.c
f6028d
index 5957d29..53cc5a0 100644
f6028d
--- checkpolicy-2.5/checkmodule.c
f6028d
+++ checkpolicy-2.5/checkmodule.c
f6028d
@@ -19,6 +19,7 @@
f6028d
 #include <stdio.h>
f6028d
 #include <errno.h>
f6028d
 #include <sys/mman.h>
f6028d
+#include <libgen.h>
f6028d
 
f6028d
 #include <sepol/module_to_cil.h>
f6028d
 #include <sepol/policydb/policydb.h>
f6028d
@@ -258,6 +259,25 @@ int main(int argc, char **argv)
f6028d
 		}
f6028d
 	}
f6028d
 
f6028d
+	if (policy_type != POLICY_BASE && outfile) {
f6028d
+		char *mod_name = modpolicydb.name;
f6028d
+		char *out_path = strdup(outfile);
f6028d
+		if (out_path == NULL) {
f6028d
+			fprintf(stderr, "%s:  out of memory\n", argv[0]);
f6028d
+			exit(1);
f6028d
+		}
f6028d
+		char *out_name = basename(out_path);
f6028d
+		char *separator = strrchr(out_name, '.');
f6028d
+		if (separator) {
f6028d
+			*separator = '\0';
f6028d
+		}
f6028d
+		if (strcmp(mod_name, out_name) != 0) {
f6028d
+			fprintf(stderr,	"%s:  Module name %s is different than the output base filename %s\n", argv[0], mod_name, out_name);
f6028d
+			exit(1);
f6028d
+		}
f6028d
+		free(out_path);
f6028d
+	}
f6028d
+
f6028d
 	if (modpolicydb.policy_type == POLICY_BASE && !cil) {
f6028d
 		/* Verify that we can successfully expand the base module. */
f6028d
 		policydb_t kernpolicydb;
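Review bot: With `<libgen.h>` included this is the POSIX `basename()`, which is allowed to return a pointer to static storage rather than into `out_path`, so the in-place truncation `*separator = '\0'` on its result is portable only because glibc happens to modify the argument in place. Keeping the write inside memory this code owns is cheap: `char *out_name = strdup(basename(out_path));` with the same NULL check and a matching `free(out_name)`, or strip the directory prefix by hand with `strrchr(out_path, '/')`. `modpolicydb.name` is used without a NULL check; I believe the `module` statement guarantees it for non-base policies, but that is not visible in this hunk and a one-line comment stating the assumption would help. main() continues outside the hunk.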
f6028d
@@ -294,7 +314,7 @@ int main(int argc, char **argv)
f6028d
 
f6028d
 		if (!cil) {
f6028d
 			printf("%s:  writing binary representation (version %d) to %s\n",
f6028d
-				   argv[0], policyvers, file);
f6028d
+				   argv[0], policyvers, outfile);
f6028d
 
f6028d
 			if (write_binary_policy(&modpolicydb, outfp) != 0) {
f6028d
 				fprintf(stderr, "%s:  error writing %s\n", argv[0], outfile);
f6028d
diff --git checkpolicy-2.5/checkpolicy.c checkpolicy-2.5/checkpolicy.c
e77f7e
index 9da661e..f682355 100644
f6028d
--- checkpolicy-2.5/checkpolicy.c
f6028d
+++ checkpolicy-2.5/checkpolicy.c
af5fb1
@@ -22,6 +22,7 @@
af5fb1
  *
af5fb1
  *	Policy Module support.
af5fb1
  *
af5fb1
+ * Copyright (C) 2017 Mellanox Technologies Inc.
af5fb1
  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
af5fb1
  * Copyright (C) 2003 - 2005 Tresys Technology, LLC
af5fb1
  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
e77f7e
@@ -64,13 +65,19 @@
f6028d
 #include <sys/stat.h>
f6028d
 #include <sys/socket.h>
f6028d
 #include <netinet/in.h>
f6028d
+#ifndef IPPROTO_DCCP
f6028d
+#define IPPROTO_DCCP 33
f6028d
+#endif
e77f7e
+#ifndef IPPROTO_SCTP
e77f7e
+#define IPPROTO_SCTP 132
e77f7e
+#endif
f6028d
 #include <arpa/inet.h>
f6028d
 #include <fcntl.h>
f6028d
 #include <stdio.h>
f6028d
 #include <errno.h>
f6028d
 #include <sys/mman.h>
f6028d
 
f6028d
-#ifdef DARWIN
f6028d
+#ifdef __APPLE__
f6028d
 #include <ctype.h>
f6028d
 #endif
f6028d
 
e77f7e
@@ -679,6 +686,8 @@ int main(int argc, char **argv)
af5fb1
 	printf("h)  change a boolean value\n");
af5fb1
 	printf("i)  display constraint expressions\n");
af5fb1
 	printf("j)  display validatetrans expressions\n");
af5fb1
+	printf("k)  Call ibpkey_sid\n");
af5fb1
+	printf("l)  Call ibendport_sid\n");
af5fb1
 #ifdef EQUIVTYPES
af5fb1
 	printf("z)  Show equivalent types\n");
af5fb1
 #endif
e77f7e
@@ -919,6 +928,10 @@ int main(int argc, char **argv)
f6028d
 				protocol = IPPROTO_TCP;
f6028d
 			else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP"))
f6028d
 				protocol = IPPROTO_UDP;
f6028d
+			else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
f6028d
+				protocol = IPPROTO_DCCP;
e77f7e
+			else if (!strcmp(ans, "sctp") || !strcmp(ans, "SCTP"))
e77f7e
+				protocol = IPPROTO_SCTP;
f6028d
 			else {
f6028d
 				printf("unknown protocol\n");
f6028d
 				break;
e77f7e
@@ -1198,6 +1211,50 @@ int main(int argc, char **argv)
af5fb1
 				    "\nNo validatetrans expressions found.\n");
af5fb1
 			}
af5fb1
 			break;
af5fb1
+		case 'k':
af5fb1
+			{
af5fb1
+				char *p;
af5fb1
+				struct in6_addr addr6;
af5fb1
+				uint64_t subnet_prefix;
af5fb1
+				unsigned int pkey;
af5fb1
+
af5fb1
+				printf("subnet prefix?  ");
af5fb1
+				FGETS(ans, sizeof(ans), stdin);
af5fb1
+				ans[strlen(ans) - 1] = 0;
af5fb1
+				p = (char *)&addr6;
af5fb1
+
af5fb1
+				if (inet_pton(AF_INET6, ans, p) < 1) {
af5fb1
+					printf("error parsing subnet prefix\n");
af5fb1
+					break;
af5fb1
+				}
af5fb1
+
af5fb1
+				memcpy(&subnet_prefix, p, sizeof(subnet_prefix));
af5fb1
+				printf("pkey? ");
af5fb1
+				FGETS(ans, sizeof(ans), stdin);
af5fb1
+				pkey = atoi(ans);
af5fb1
+				sepol_ibpkey_sid(subnet_prefix, pkey, &ssid);
af5fb1
+				printf("sid %d\n", ssid);
af5fb1
+			}
af5fb1
+			break;
af5fb1
+		case 'l':
af5fb1
+			printf("device name (eg. mlx4_0)?  ");
af5fb1
+			FGETS(ans, sizeof(ans), stdin);
af5fb1
+			ans[strlen(ans) - 1] = 0;
af5fb1
+
af5fb1
+			name = malloc((strlen(ans) + 1) * sizeof(char));
af5fb1
+			if (!name) {
af5fb1
+				fprintf(stderr, "couldn't malloc string.\n");
af5fb1
+				break;
af5fb1
+			}
af5fb1
+			strcpy(name, ans);
af5fb1
+
af5fb1
+			printf("port? ");
af5fb1
+			FGETS(ans, sizeof(ans), stdin);
af5fb1
+			port = atoi(ans);
af5fb1
+			sepol_ibendport_sid(name, port, &ssid);
af5fb1
+			printf("sid %d\n", ssid);
af5fb1
+			free(name);
af5fb1
+			break;
af5fb1
 #ifdef EQUIVTYPES
af5fb1
 		case 'z':
af5fb1
 			identify_equiv_types();
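Review bot: The return values of `sepol_ibpkey_sid()` and `sepol_ibendport_sid()` are discarded in the new `'k'` and `'l'` cases, so on a failed lookup `ssid` is printed unchanged from whatever the previous command left in it; check the result, e.g. `if (sepol_ibpkey_sid(subnet_prefix, pkey, &ssid)) { printf("ibpkey_sid failed\n"); break; }`. `pkey = atoi(ans)` and `port = atoi(ans)` silently accept negative and out-of-range values (the parser limits pkeys to 16 bits and ports to 1..255), where `strtoul` plus a range check would reject them before the lookup. The `'k'` case also copies only the first eight bytes of the parsed address without checking that the low 64 bits are zero, unlike define_ibpkey_context; the existing port/node cases in this file follow the same lax pattern, so this may be deliberate for an interactive tool, but `malloc` + `strcpy` for `name` could at least be `strdup(ans)`. The enclosing switch and main() continue outside the hunk.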
f6028d
diff --git checkpolicy-2.5/policy_define.c checkpolicy-2.5/policy_define.c
e77f7e
index ee20fea..a275e33 100644
f6028d
--- checkpolicy-2.5/policy_define.c
f6028d
+++ checkpolicy-2.5/policy_define.c
af5fb1
@@ -20,6 +20,7 @@
af5fb1
  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
af5fb1
  * Copyright (C) 2003 - 2008 Tresys Technology, LLC
af5fb1
  * Copyright (C) 2007 Red Hat Inc.
af5fb1
+ * Copyright (C) 2017 Mellanox Techonologies Inc.
af5fb1
  *	This program is free software; you can redistribute it and/or modify
af5fb1
  *  	it under the terms of the GNU General Public License as published by
af5fb1
  *	the Free Software Foundation, version 2.
e77f7e
@@ -36,6 +37,12 @@
f6028d
 #include <string.h>
f6028d
 #include <sys/socket.h>
f6028d
 #include <netinet/in.h>
f6028d
+#ifndef IPPROTO_DCCP
f6028d
+#define IPPROTO_DCCP 33
f6028d
+#endif
e77f7e
+#ifndef IPPROTO_SCTP
e77f7e
+#define IPPROTO_SCTP 132
e77f7e
+#endif
f6028d
 #include <arpa/inet.h>
f6028d
 #include <stdlib.h>
f6028d
 #include <limits.h>
e77f7e
@@ -4876,6 +4883,10 @@ int define_port_context(unsigned int low, unsigned int high)
f6028d
 		protocol = IPPROTO_TCP;
f6028d
 	} else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
f6028d
 		protocol = IPPROTO_UDP;
f6028d
+	} else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
f6028d
+		protocol = IPPROTO_DCCP;
e77f7e
+	} else if ((strcmp(id, "sctp") == 0) || (strcmp(id, "SCTP") == 0)) {
e77f7e
+		protocol = IPPROTO_SCTP;
f6028d
 	} else {
f6028d
 		yyerror2("unrecognized protocol %s", id);
f6028d
 		free(newc);
e77f7e
@@ -4931,6 +4942,192 @@ int define_port_context(unsigned int low, unsigned int high)
af5fb1
 	return -1;
af5fb1
 }
af5fb1
 
af5fb1
+int define_ibpkey_context(unsigned int low, unsigned int high)
af5fb1
+{
af5fb1
+	ocontext_t *newc, *c, *l, *head;
af5fb1
+	struct in6_addr subnet_prefix;
af5fb1
+	char *id;
af5fb1
+	int rc = 0;
af5fb1
+
af5fb1
+	if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
af5fb1
+		yyerror("ibpkeycon not supported for target");
af5fb1
+		return -1;
af5fb1
+	}
af5fb1
+
af5fb1
+	if (pass == 1) {
af5fb1
+		id = (char *)queue_remove(id_queue);
af5fb1
+		free(id);
af5fb1
+		parse_security_context(NULL);
af5fb1
+		return 0;
af5fb1
+	}
af5fb1
+
af5fb1
+	newc = malloc(sizeof(*newc));
af5fb1
+	if (!newc) {
af5fb1
+		yyerror("out of memory");
af5fb1
+		return -1;
af5fb1
+	}
af5fb1
+	memset(newc, 0, sizeof(*newc));
af5fb1
+
af5fb1
+	id = queue_remove(id_queue);
af5fb1
+	if (!id) {
af5fb1
+		yyerror("failed to read the subnet prefix");
af5fb1
+		rc = -1;
af5fb1
+		goto out;
af5fb1
+	}
af5fb1
+
af5fb1
+	rc = inet_pton(AF_INET6, id, &subnet_prefix);
af5fb1
+	free(id);
af5fb1
+	if (rc < 1) {
af5fb1
+		yyerror("failed to parse the subnet prefix");
af5fb1
+		if (rc == 0)
af5fb1
+			rc = -1;
af5fb1
+		goto out;
af5fb1
+	}
af5fb1
+
af5fb1
+	if (subnet_prefix.s6_addr[2] || subnet_prefix.s6_addr[3]) {
af5fb1
+		yyerror("subnet prefix should be 0's in the low order 64 bits.");
af5fb1
+		rc = -1;
af5fb1
+		goto out;
af5fb1
+	}
af5fb1
+
af5fb1
+	if (low > 0xffff || high > 0xffff) {
af5fb1
+		yyerror("pkey value too large, pkeys are 16 bits.");
af5fb1
+		rc = -1;
af5fb1
+		goto out;
af5fb1
+	}
af5fb1
+
af5fb1
+	memcpy(&newc->u.ibpkey.subnet_prefix, &subnet_prefix.s6_addr[0],
af5fb1
+	       sizeof(newc->u.ibpkey.subnet_prefix));
af5fb1
+
af5fb1
+	newc->u.ibpkey.low_pkey = low;
af5fb1
+	newc->u.ibpkey.high_pkey = high;
af5fb1
+
af5fb1
+	if (low > high) {
af5fb1
+		yyerror2("low pkey %d exceeds high pkey %d", low, high);
af5fb1
+		rc = -1;
af5fb1
+		goto out;
af5fb1
+	}
af5fb1
+
af5fb1
+	rc = parse_security_context(&newc->context[0]);
af5fb1
+	if (rc)
af5fb1
+		goto out;
af5fb1
+
af5fb1
+	/* Preserve the matching order specified in the configuration. */
af5fb1
+	head = policydbp->ocontexts[OCON_IBPKEY];
af5fb1
+	for (l = NULL, c = head; c; l = c, c = c->next) {
af5fb1
+		unsigned int low2, high2;
af5fb1
+
af5fb1
+		low2 = c->u.ibpkey.low_pkey;
af5fb1
+		high2 = c->u.ibpkey.high_pkey;
af5fb1
+
af5fb1
+		if (low == low2 && high == high2 &&
af5fb1
+		    c->u.ibpkey.subnet_prefix == newc->u.ibpkey.subnet_prefix) {
af5fb1
+			yyerror2("duplicate ibpkeycon entry for %d-%d ",
af5fb1
+				 low, high);
af5fb1
+			rc = -1;
af5fb1
+			goto out;
af5fb1
+		}
af5fb1
+		if (low2 <= low && high2 >= high &&
af5fb1
+		    c->u.ibpkey.subnet_prefix == newc->u.ibpkey.subnet_prefix) {
af5fb1
+			yyerror2("ibpkeycon entry for %d-%d hidden by earlier entry for %d-%d",
af5fb1
+				 low, high, low2, high2);
af5fb1
+			rc = -1;
af5fb1
+			goto out;
af5fb1
+		}
af5fb1
+	}
af5fb1
+
af5fb1
+	if (l)
af5fb1
+		l->next = newc;
af5fb1
+	else
af5fb1
+		policydbp->ocontexts[OCON_IBPKEY] = newc;
af5fb1
+
af5fb1
+	return 0;
af5fb1
+
af5fb1
+out:
af5fb1
+	free(newc);
af5fb1
+	return rc;
af5fb1
+}
af5fb1
+
af5fb1
+int define_ibendport_context(unsigned int port)
af5fb1
+{
af5fb1
+	ocontext_t *newc, *c, *l, *head;
af5fb1
+	char *id;
af5fb1
+	int rc = 0;
af5fb1
+
af5fb1
+	if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
af5fb1
+		yyerror("ibendportcon not supported for target");
af5fb1
+		return -1;
af5fb1
+	}
af5fb1
+
af5fb1
+	if (pass == 1) {
af5fb1
+		id = (char *)queue_remove(id_queue);
af5fb1
+		free(id);
af5fb1
+		parse_security_context(NULL);
af5fb1
+		return 0;
af5fb1
+	}
af5fb1
+
af5fb1
+	if (port > 0xff || port == 0) {
af5fb1
+		yyerror("Invalid ibendport port number, should be 0 < port < 256");
af5fb1
+		return -1;
af5fb1
+	}
af5fb1
+
af5fb1
+	newc = malloc(sizeof(*newc));
af5fb1
+	if (!newc) {
af5fb1
+		yyerror("out of memory");
af5fb1
+		return -1;
af5fb1
+	}
af5fb1
+	memset(newc, 0, sizeof(*newc));
af5fb1
+
af5fb1
+	newc->u.ibendport.dev_name = queue_remove(id_queue);
af5fb1
+	if (!newc->u.ibendport.dev_name) {
af5fb1
+		yyerror("failed to read infiniband device name.");
af5fb1
+		rc = -1;
af5fb1
+		goto out;
af5fb1
+	}
af5fb1
+
af5fb1
+	if (strlen(newc->u.ibendport.dev_name) > IB_DEVICE_NAME_MAX - 1) {
af5fb1
+		yyerror("infiniband device name exceeds max length of 63.");
af5fb1
+		rc = -1;
af5fb1
+		goto out;
af5fb1
+	}
af5fb1
+
af5fb1
+	newc->u.ibendport.port = port;
af5fb1
+
af5fb1
+	if (parse_security_context(&newc->context[0])) {
af5fb1
+		free(newc);
af5fb1
+		return -1;
af5fb1
+	}
af5fb1
+
af5fb1
+	/* Preserve the matching order specified in the configuration. */
af5fb1
+	head = policydbp->ocontexts[OCON_IBENDPORT];
af5fb1
+	for (l = NULL, c = head; c; l = c, c = c->next) {
af5fb1
+		unsigned int port2;
af5fb1
+
af5fb1
+		port2 = c->u.ibendport.port;
af5fb1
+
af5fb1
+		if (port == port2 &&
af5fb1
+		    !strcmp(c->u.ibendport.dev_name,
af5fb1
+			     newc->u.ibendport.dev_name)) {
af5fb1
+			yyerror2("duplicate ibendportcon entry for %s port %u",
af5fb1
+				 newc->u.ibendport.dev_name, port);
af5fb1
+			rc = -1;
af5fb1
+			goto out;
af5fb1
+		}
af5fb1
+	}
af5fb1
+
af5fb1
+	if (l)
af5fb1
+		l->next = newc;
af5fb1
+	else
af5fb1
+		policydbp->ocontexts[OCON_IBENDPORT] = newc;
af5fb1
+
af5fb1
+	return 0;
af5fb1
+
af5fb1
+out:
af5fb1
+	free(newc->u.ibendport.dev_name);
af5fb1
+	free(newc);
af5fb1
+	return rc;
af5fb1
+}
af5fb1
+
af5fb1
 int define_netif_context(void)
af5fb1
 {
af5fb1
 	ocontext_t *newc, *c, *head;
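Review bot: The low-order-64-bit check in define_ibpkey_context tests `subnet_prefix.s6_addr[2] || subnet_prefix.s6_addr[3]`, but `s6_addr` is a 16-byte array, so this inspects bytes 2 and 3 of the high half: a prefix such as `fe80::1` (non-zero low bits) is accepted while a valid `fe80:1234::` is rejected. Compare the last eight bytes against zero instead, in a form that also builds where `s6_addr32` is unavailable (the `__APPLE__` branch in this file suggests that matters): `static const unsigned char zero64[8]; if (memcmp(&subnet_prefix.s6_addr[8], zero64, sizeof zero64) != 0) {`. In define_ibendport_context the `parse_security_context` failure path does `free(newc); return -1;` without freeing `newc->u.ibendport.dev_name`, which the `out:` label does release; `rc = -1; goto out;` fixes the leak. Both functions also `goto out` after a successful parse_security_context on duplicate/hidden entries without destroying the parsed context, though define_port_context above appears to share that pattern.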
e77f7e
@@ -5135,7 +5332,7 @@ int define_ipv6_node_context(void)
f6028d
 
f6028d
 	memset(newc, 0, sizeof(ocontext_t));
f6028d
 
f6028d
-#ifdef DARWIN
f6028d
+#ifdef __APPLE__
f6028d
 	memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16);
f6028d
 	memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16);
f6028d
 #else
af5fb1
diff --git checkpolicy-2.5/policy_define.h checkpolicy-2.5/policy_define.h
af5fb1
index 964baae..3282aed 100644
af5fb1
--- checkpolicy-2.5/policy_define.h
af5fb1
+++ checkpolicy-2.5/policy_define.h
af5fb1
@@ -43,6 +43,8 @@ int define_level(void);
af5fb1
 int define_netif_context(void);
af5fb1
 int define_permissive(void);
af5fb1
 int define_polcap(void);
af5fb1
+int define_ibpkey_context(unsigned int low, unsigned int high);
af5fb1
+int define_ibendport_context(unsigned int port);
af5fb1
 int define_port_context(unsigned int low, unsigned int high);
af5fb1
 int define_pirq_context(unsigned int pirq);
af5fb1
 int define_iomem_context(uint64_t low, uint64_t high);
af5fb1
diff --git checkpolicy-2.5/policy_parse.y checkpolicy-2.5/policy_parse.y
af5fb1
index 3b6a2f8..35b7a33 100644
af5fb1
--- checkpolicy-2.5/policy_parse.y
af5fb1
+++ checkpolicy-2.5/policy_parse.y
af5fb1
@@ -21,6 +21,7 @@
af5fb1
  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
af5fb1
  * Copyright (C) 2003 - 2008 Tresys Technology, LLC
af5fb1
  * Copyright (C) 2007 Red Hat Inc.
af5fb1
+ * Copyright (C) 2017 Mellanox Technologies Inc.
af5fb1
  *	This program is free software; you can redistribute it and/or modify
af5fb1
  *  	it under the terms of the GNU General Public License as published by
af5fb1
  *	the Free Software Foundation, version 2.
af5fb1
@@ -134,6 +135,8 @@ typedef int (* require_func_t)(int pass);
af5fb1
 %token TARGET
af5fb1
 %token SAMEUSER
af5fb1
 %token FSCON PORTCON NETIFCON NODECON 
af5fb1
+%token IBPKEYCON
af5fb1
+%token IBENDPORTCON
af5fb1
 %token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON DEVICETREECON
af5fb1
 %token FSUSEXATTR FSUSETASK FSUSETRANS
af5fb1
 %token GENFSCON
af5fb1
@@ -169,7 +172,7 @@ base_policy             : { if (define_policy(pass, 0) == -1) return -1; }
af5fb1
 			  opt_default_rules opt_mls te_rbac users opt_constraints 
af5fb1
                          { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
af5fb1
 			   else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
af5fb1
-			  initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
af5fb1
+			  initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts opt_ibpkey_contexts opt_ibendport_contexts
af5fb1
 			;
af5fb1
 classes			: class_def 
af5fb1
 			| classes class_def
af5fb1
@@ -695,7 +698,7 @@ fs_contexts		: fs_context_def
af5fb1
 fs_context_def		: FSCON number number security_context_def security_context_def
af5fb1
 			{if (define_fs_context($2,$3)) return -1;}
af5fb1
 			;
af5fb1
-net_contexts		: opt_port_contexts opt_netif_contexts opt_node_contexts 
af5fb1
+net_contexts		: opt_port_contexts opt_netif_contexts opt_node_contexts
af5fb1
 			;
af5fb1
 opt_port_contexts       : port_contexts
af5fb1
                         |
af5fb1
@@ -708,6 +711,26 @@ port_context_def	: PORTCON identifier number security_context_def
af5fb1
 			| PORTCON identifier number '-' number security_context_def
af5fb1
 			{if (define_port_context($3,$5)) return -1;}
af5fb1
 			;
af5fb1
+opt_ibpkey_contexts     : ibpkey_contexts
af5fb1
+                        |
af5fb1
+                        ;
af5fb1
+ibpkey_contexts		: ibpkey_context_def
af5fb1
+			| ibpkey_contexts ibpkey_context_def
af5fb1
+			;
af5fb1
+ibpkey_context_def	: IBPKEYCON ipv6_addr number security_context_def
af5fb1
+			{if (define_ibpkey_context($3,$3)) return -1;}
af5fb1
+			| IBPKEYCON ipv6_addr number '-' number security_context_def
af5fb1
+			{if (define_ibpkey_context($3,$5)) return -1;}
af5fb1
+			;
af5fb1
+opt_ibendport_contexts	: ibendport_contexts
af5fb1
+			|
af5fb1
+			;
af5fb1
+ibendport_contexts	: ibendport_context_def
af5fb1
+                        | ibendport_contexts ibendport_context_def
af5fb1
+                        ;
af5fb1
+ibendport_context_def	: IBENDPORTCON identifier number security_context_def
af5fb1
+                        {if (define_ibendport_context($3)) return -1;}
af5fb1
+                        ;
af5fb1
 opt_netif_contexts      : netif_contexts 
af5fb1
                         |
af5fb1
                         ;
f6028d
diff --git checkpolicy-2.5/policy_scan.l checkpolicy-2.5/policy_scan.l
af5fb1
index 22da338..f38dd22 100644
f6028d
--- checkpolicy-2.5/policy_scan.l
f6028d
+++ checkpolicy-2.5/policy_scan.l
af5fb1
@@ -12,6 +12,7 @@
af5fb1
  *	Added support for binary policy modules
af5fb1
  *
af5fb1
  * Copyright (C) 2003-5 Tresys Technology, LLC
af5fb1
+ * Copyright (C) 2017 Mellanox Technologies Inc.
af5fb1
  *	This program is free software; you can redistribute it and/or modify
af5fb1
  *  	it under the terms of the GNU General Public License as published by
af5fb1
  *	the Free Software Foundation, version 2.
af5fb1
@@ -181,6 +182,10 @@ INCOMP |
af5fb1
 incomp				{ return(INCOMP);}
af5fb1
 fscon |
af5fb1
 FSCON                           { return(FSCON);}
af5fb1
+ibpkeycon |
af5fb1
+IBPKEYCON			{ return(IBPKEYCON);}
af5fb1
+ibendportcon |
af5fb1
+IBENDPORTCON			{ return(IBENDPORTCON);}
af5fb1
 portcon |
af5fb1
 PORTCON				{ return(PORTCON);}
af5fb1
 netifcon |                     
af5fb1
@@ -249,9 +254,9 @@ high |
f6028d
 HIGH				{ return(HIGH); }
f6028d
 low |
f6028d
 LOW				{ return(LOW); }
f6028d
-"/"({alnum}|[_\.\-/])*	        { return(PATH); }
f6028d
-\""/"[ !#-~]*\" 		{ return(QPATH); }
f6028d
-\"({alnum}|[_\.\-\+\~\: ])+\"	{ return(FILENAME); }
f6028d
+"/"[^ \n\r\t\f]*	        { return(PATH); }
f6028d
+\""/"[^\"\n]*\" 		{ return(QPATH); }
f6028d
+\"[^"/"\"\n]+\"	{ return(FILENAME); }
f6028d
 {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
f6028d
 {digit}+|0x{hexval}+            { return(NUMBER); }
f6028d
 {alnum}*{letter}{alnum}*        { return(FILESYSTEM); }
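Review bot: The new FILENAME rule spells its excluded set as `[^"/"\"\n]`; inside a flex bracket expression quotes are ordinary characters, so this does mean "not `"`, `/` or newline" but reads as if `"/"` were a quoted string, and `\"[^/\"\n]+\"` says the same thing plainly. The PATH class now excludes only whitespace and QPATH only quote/newline, so control characters, `;`, `{` and non-ASCII bytes become part of a path token where the old rules limited PATH to `{alnum}|[_.-/]` and QPATH to printable ASCII; if that widening is intended (the ChangeLog entry says pathname matching was extended) a comment above the three rules would make it explicit, e.g. `/* a path is '/' followed by any run of non-whitespace bytes; quoted forms may contain spaces */`.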
af5fb1
diff --git checkpolicy-2.5/test/dismod.c checkpolicy-2.5/test/dismod.c
af5fb1
index 08b039d..c91ab93 100644
af5fb1
--- checkpolicy-2.5/test/dismod.c
af5fb1
+++ checkpolicy-2.5/test/dismod.c
af5fb1
@@ -243,6 +243,13 @@ int display_avrule(avrule_t * avrule, policydb_t * policy,
af5fb1
 		}
af5fb1
 	} else if (avrule->specified & AVRULE_NEVERALLOW) {
af5fb1
 		fprintf(fp, "  neverallow");
af5fb1
+	} else if (avrule->specified & AVRULE_XPERMS) {
af5fb1
+		if (avrule->specified & AVRULE_XPERMS_ALLOWED)
af5fb1
+			fprintf(fp, "allowxperm ");
af5fb1
+		else if (avrule->specified & AVRULE_XPERMS_AUDITALLOW)
af5fb1
+			fprintf(fp, "auditallowxperm ");
af5fb1
+		else if (avrule->specified & AVRULE_XPERMS_DONTAUDIT)
af5fb1
+			fprintf(fp, "dontauditxperm ");
af5fb1
 	} else {
af5fb1
 		fprintf(fp, "     ERROR: no valid rule type specified\n");
af5fb1
 		return -1;
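Review bot: The three new xperm labels are printed as `"allowxperm "` etc., with a trailing space and no leading indent, while the sibling branch in the same chain prints `"  neverallow"` (two leading spaces, no trailing space), so xperm rules will come out misaligned with the other rule types and, if the type-set printing that follows adds its own separator as the other branches seem to assume, with a doubled space. Use the same form as the neighbours: `fprintf(fp, "  allowxperm");`, `fprintf(fp, "  auditallowxperm");`, `fprintf(fp, "  dontauditxperm");`. display_avrule continues outside the hunk.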
af5fb1
@@ -282,6 +289,24 @@ int display_avrule(avrule_t * avrule, policydb_t * policy,
af5fb1
 				   policy, fp);
af5fb1
 	} else if (avrule->specified & AVRULE_TYPE) {
af5fb1
 		display_id(policy, fp, SYM_TYPES, avrule->perms->data - 1, "");
af5fb1
+	} else if (avrule->specified & AVRULE_XPERMS) {
af5fb1
+		avtab_extended_perms_t xperms;
af5fb1
+		int i;
af5fb1
+
af5fb1
+		if (avrule->xperms->specified == AVRULE_XPERMS_IOCTLFUNCTION)
af5fb1
+			xperms.specified = AVTAB_XPERMS_IOCTLFUNCTION;
af5fb1
+		else if (avrule->xperms->specified == AVRULE_XPERMS_IOCTLDRIVER)
af5fb1
+			xperms.specified = AVTAB_XPERMS_IOCTLDRIVER;
af5fb1
+		else {
af5fb1
+			fprintf(fp, "     ERROR: no valid xperms specified\n");
af5fb1
+			return -1;
af5fb1
+		}
af5fb1
+
af5fb1
+		xperms.driver = avrule->xperms->driver;
af5fb1
+		for (i = 0; i < EXTENDED_PERMS_LEN; i++)
af5fb1
+			xperms.perms[i] = avrule->xperms->perms[i];
af5fb1
+
af5fb1
+		fprintf(fp, "%s", sepol_extended_perms_to_string(&xperms));
af5fb1
 	}
af5fb1
 
af5fb1
 	fprintf(fp, ";\n");
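Review bot: `avrule->xperms` is dereferenced without a NULL check on the `AVRULE_XPERMS` path; whether a rule flagged `AVRULE_XPERMS` always carries an xperms block is not visible here, so either guard it or add a comment stating the invariant the policy reader provides. The local `xperms` is filled field by field with a hand loop for `perms`; `memcpy(xperms.perms, avrule->xperms->perms, sizeof(xperms.perms))` is the idiomatic copy, and a `memset(&xperms, 0, sizeof(xperms))` first leaves no uninitialised bytes should `sepol_extended_perms_to_string` ever read beyond the three fields set here. display_avrule continues outside the hunk.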
f6028d
diff --git checkpolicy-2.5/test/dispol.c checkpolicy-2.5/test/dispol.c
f6028d
index 86f5688..a78ce81 100644
f6028d
--- checkpolicy-2.5/test/dispol.c
f6028d
+++ checkpolicy-2.5/test/dispol.c
f6028d
@@ -252,11 +252,11 @@ int display_cond_expressions(policydb_t * p, FILE * fp)
f6028d
 int display_handle_unknown(policydb_t * p, FILE * out_fp)
f6028d
 {
f6028d
 	if (p->handle_unknown == ALLOW_UNKNOWN)
f6028d
-		fprintf(out_fp, "Allow unknown classes and permisions\n");
f6028d
+		fprintf(out_fp, "Allow unknown classes and permissions\n");
f6028d
 	else if (p->handle_unknown == DENY_UNKNOWN)
f6028d
-		fprintf(out_fp, "Deny unknown classes and permisions\n");
f6028d
+		fprintf(out_fp, "Deny unknown classes and permissions\n");
f6028d
 	else if (p->handle_unknown == REJECT_UNKNOWN)
f6028d
-		fprintf(out_fp, "Reject unknown classes and permisions\n");
f6028d
+		fprintf(out_fp, "Reject unknown classes and permissions\n");
f6028d
 	return 0;
f6028d
 }
f6028d
 
f6028d
@@ -349,7 +349,7 @@ int menu(void)
f6028d
 	printf("\nSelect a command:\n");
f6028d
 	printf("1)  display unconditional AVTAB\n");
f6028d
 	printf("2)  display conditional AVTAB (entirely)\n");
f6028d
-	printf("3)  display conditional AVTAG (only ENABLED rules)\n");
f6028d
+	printf("3)  display conditional AVTAB (only ENABLED rules)\n");
f6028d
 	printf("4)  display conditional AVTAB (only DISABLED rules)\n");
f6028d
 	printf("5)  display conditional bools\n");
f6028d
 	printf("6)  display conditional expressions\n");