|
|
f6028d |
diff --git checkpolicy-2.5/Android.mk checkpolicy-2.5/Android.mk
|
|
|
f6028d |
index 98f5168..3b7ff8a 100644
|
|
|
f6028d |
--- checkpolicy-2.5/Android.mk
|
|
|
f6028d |
+++ checkpolicy-2.5/Android.mk
|
|
|
f6028d |
@@ -12,10 +12,6 @@ common_cflags := \
|
|
|
f6028d |
-Wall -Wshadow -O2 \
|
|
|
f6028d |
-pipe -fno-strict-aliasing \
|
|
|
f6028d |
|
|
|
f6028d |
-ifeq ($(HOST_OS),darwin)
|
|
|
f6028d |
-common_cflags += -DDARWIN
|
|
|
f6028d |
-endif
|
|
|
f6028d |
-
|
|
|
f6028d |
common_includes := \
|
|
|
f6028d |
$(LOCAL_PATH)/ \
|
|
|
f6028d |
$(LOCAL_PATH)/../libsepol/include/ \
|
|
|
f6028d |
diff --git checkpolicy-2.5/ChangeLog checkpolicy-2.5/ChangeLog
|
|
|
f6028d |
index dfe4908..f2216ec 100644
|
|
|
f6028d |
--- checkpolicy-2.5/ChangeLog
|
|
|
f6028d |
+++ checkpolicy-2.5/ChangeLog
|
|
|
f6028d |
@@ -1,3 +1,11 @@
|
|
|
f6028d |
+ * Extend checkpolicy pathname matching, from Stephen Smalley.
|
|
|
f6028d |
+ * Fix typos in test/dispol, from Petr Lautrbach.
|
|
|
f6028d |
+ * Set flex as default lexer, from Julien Pivotto.
|
|
|
f6028d |
+ * Fix checkmodule output message, from Petr Lautrbach.
|
|
|
f6028d |
+ * Build policy on systems not supporting DCCP protocol, from Richard Haines.
|
|
|
f6028d |
+ * Fail if module name different than output base filename, from James Carter
|
|
|
f6028d |
+ * Add support for portcon dccp protocol, from Richard Haines
|
|
|
f6028d |
+
|
|
|
f6028d |
2.5 2016-02-23
|
|
|
f6028d |
* Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep.
|
|
|
f6028d |
* fix double free on name-based type transitions, from Stephen Smalley.
|
|
|
f6028d |
diff --git checkpolicy-2.5/Makefile checkpolicy-2.5/Makefile
|
|
|
f6028d |
index e5fae3d..53a3074 100644
|
|
|
f6028d |
--- checkpolicy-2.5/Makefile
|
|
|
f6028d |
+++ checkpolicy-2.5/Makefile
|
|
|
f6028d |
@@ -8,6 +8,7 @@ LIBDIR ?= $(PREFIX)/lib
|
|
|
f6028d |
INCLUDEDIR ?= $(PREFIX)/include
|
|
|
f6028d |
TARGETS = checkpolicy checkmodule
|
|
|
f6028d |
|
|
|
f6028d |
+LEX = flex
|
|
|
f6028d |
YACC = bison -y
|
|
|
f6028d |
|
|
|
f6028d |
CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
|
|
|
f6028d |
diff --git checkpolicy-2.5/checkmodule.c checkpolicy-2.5/checkmodule.c
|
|
|
f6028d |
index 5957d29..53cc5a0 100644
|
|
|
f6028d |
--- checkpolicy-2.5/checkmodule.c
|
|
|
f6028d |
+++ checkpolicy-2.5/checkmodule.c
|
|
|
f6028d |
@@ -19,6 +19,7 @@
|
|
|
f6028d |
#include <stdio.h>
|
|
|
f6028d |
#include <errno.h>
|
|
|
f6028d |
#include <sys/mman.h>
|
|
|
f6028d |
+#include <libgen.h>
|
|
|
f6028d |
|
|
|
f6028d |
#include <sepol/module_to_cil.h>
|
|
|
f6028d |
#include <sepol/policydb/policydb.h>
|
|
|
f6028d |
@@ -258,6 +259,25 @@ int main(int argc, char **argv)
|
|
|
f6028d |
}
|
|
|
f6028d |
}
|
|
|
f6028d |
|
|
|
f6028d |
+ if (policy_type != POLICY_BASE && outfile) {
|
|
|
f6028d |
+ char *mod_name = modpolicydb.name;
|
|
|
f6028d |
+ char *out_path = strdup(outfile);
|
|
|
f6028d |
+ if (out_path == NULL) {
|
|
|
f6028d |
+ fprintf(stderr, "%s: out of memory\n", argv[0]);
|
|
|
f6028d |
+ exit(1);
|
|
|
f6028d |
+ }
|
|
|
f6028d |
+ char *out_name = basename(out_path);
|
|
|
f6028d |
+ char *separator = strrchr(out_name, '.');
|
|
|
f6028d |
+ if (separator) {
|
|
|
f6028d |
+ *separator = '\0';
|
|
|
f6028d |
+ }
|
|
|
f6028d |
+ if (strcmp(mod_name, out_name) != 0) {
|
|
|
f6028d |
+ fprintf(stderr, "%s: Module name %s is different than the output base filename %s\n", argv[0], mod_name, out_name);
|
|
|
f6028d |
+ exit(1);
|
|
|
f6028d |
+ }
|
|
|
f6028d |
+ free(out_path);
|
|
|
f6028d |
+ }
|
|
|
f6028d |
+
|
|
|
f6028d |
if (modpolicydb.policy_type == POLICY_BASE && !cil) {
|
|
|
f6028d |
/* Verify that we can successfully expand the base module. */
|
|
|
f6028d |
policydb_t kernpolicydb;
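Review bot: `mod_name` is taken from `modpolicydb.name` and handed to `strcmp()` and to the `%s` in the error message without a NULL check; if a non-base module can reach this point with no name set (not visible in this hunk), both uses are undefined behaviour. An explicit `if (mod_name == NULL)` branch that prints its own message and exits before the comparison would keep that failure readable. The new block also tests the local `policy_type` while the context line right after it tests `modpolicydb.policy_type`; using the same field in both places would make it clear they describe the same policy. `main()` starts and ends outside the hunk.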
|
|
|
f6028d |
@@ -294,7 +314,7 @@ int main(int argc, char **argv)
|
|
|
f6028d |
|
|
|
f6028d |
if (!cil) {
|
|
|
f6028d |
printf("%s: writing binary representation (version %d) to %s\n",
|
|
|
f6028d |
- argv[0], policyvers, file);
|
|
|
f6028d |
+ argv[0], policyvers, outfile);
|
|
|
f6028d |
|
|
|
f6028d |
if (write_binary_policy(&modpolicydb, outfp) != 0) {
|
|
|
f6028d |
fprintf(stderr, "%s: error writing %s\n", argv[0], outfile);
|
|
|
f6028d |
diff --git checkpolicy-2.5/checkpolicy.c checkpolicy-2.5/checkpolicy.c
|
|
|
e77f7e |
index 9da661e..f682355 100644
|
|
|
f6028d |
--- checkpolicy-2.5/checkpolicy.c
|
|
|
f6028d |
+++ checkpolicy-2.5/checkpolicy.c
|
|
|
af5fb1 |
@@ -22,6 +22,7 @@
|
|
|
af5fb1 |
*
|
|
|
af5fb1 |
* Policy Module support.
|
|
|
af5fb1 |
*
|
|
|
af5fb1 |
+ * Copyright (C) 2017 Mellanox Technologies Inc.
|
|
|
af5fb1 |
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
|
|
|
af5fb1 |
* Copyright (C) 2003 - 2005 Tresys Technology, LLC
|
|
|
af5fb1 |
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
|
|
|
e77f7e |
@@ -64,13 +65,19 @@
|
|
|
f6028d |
#include <sys/stat.h>
|
|
|
f6028d |
#include <sys/socket.h>
|
|
|
f6028d |
#include <netinet/in.h>
|
|
|
f6028d |
+#ifndef IPPROTO_DCCP
|
|
|
f6028d |
+#define IPPROTO_DCCP 33
|
|
|
f6028d |
+#endif
|
|
|
e77f7e |
+#ifndef IPPROTO_SCTP
|
|
|
e77f7e |
+#define IPPROTO_SCTP 132
|
|
|
e77f7e |
+#endif
|
|
|
f6028d |
#include <arpa/inet.h>
|
|
|
f6028d |
#include <fcntl.h>
|
|
|
f6028d |
#include <stdio.h>
|
|
|
f6028d |
#include <errno.h>
|
|
|
f6028d |
#include <sys/mman.h>
|
|
|
f6028d |
|
|
|
f6028d |
-#ifdef DARWIN
|
|
|
f6028d |
+#ifdef __APPLE__
|
|
|
f6028d |
#include <ctype.h>
|
|
|
f6028d |
#endif
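Review bot: The fallback pair `#define IPPROTO_DCCP 33` / `#define IPPROTO_SCTP 132` added after `<netinet/in.h>` is repeated verbatim in the policy_define.c include hunk of this patch, and neither copy says where the numbers come from. A one-line comment above the first `#ifndef`, such as `/* Fallbacks for libcs without DCCP/SCTP; values are the IANA-assigned protocol numbers. */`, would document them. Moving the pair into one shared header would also keep the two files from drifting apart if another protocol is added later.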
|
|
|
f6028d |
|
|
|
e77f7e |
@@ -679,6 +686,8 @@ int main(int argc, char **argv)
|
|
|
af5fb1 |
printf("h) change a boolean value\n");
|
|
|
af5fb1 |
printf("i) display constraint expressions\n");
|
|
|
af5fb1 |
printf("j) display validatetrans expressions\n");
|
|
|
af5fb1 |
+ printf("k) Call ibpkey_sid\n");
|
|
|
af5fb1 |
+ printf("l) Call ibendport_sid\n");
|
|
|
af5fb1 |
#ifdef EQUIVTYPES
|
|
|
af5fb1 |
printf("z) Show equivalent types\n");
|
|
|
af5fb1 |
#endif
|
|
|
e77f7e |
@@ -919,6 +928,10 @@ int main(int argc, char **argv)
|
|
|
f6028d |
protocol = IPPROTO_TCP;
|
|
|
f6028d |
else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP"))
|
|
|
f6028d |
protocol = IPPROTO_UDP;
|
|
|
f6028d |
+ else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
|
|
|
f6028d |
+ protocol = IPPROTO_DCCP;
|
|
|
e77f7e |
+ else if (!strcmp(ans, "sctp") || !strcmp(ans, "SCTP"))
|
|
|
e77f7e |
+ protocol = IPPROTO_SCTP;
|
|
|
f6028d |
else {
|
|
|
f6028d |
printf("unknown protocol\n");
|
|
|
f6028d |
break;
|
|
|
e77f7e |
@@ -1198,6 +1211,50 @@ int main(int argc, char **argv)
|
|
|
af5fb1 |
"\nNo validatetrans expressions found.\n");
|
|
|
af5fb1 |
}
|
|
|
af5fb1 |
break;
|
|
|
af5fb1 |
+ case 'k':
|
|
|
af5fb1 |
+ {
|
|
|
af5fb1 |
+ char *p;
|
|
|
af5fb1 |
+ struct in6_addr addr6;
|
|
|
af5fb1 |
+ uint64_t subnet_prefix;
|
|
|
af5fb1 |
+ unsigned int pkey;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ printf("subnet prefix? ");
|
|
|
af5fb1 |
+ FGETS(ans, sizeof(ans), stdin);
|
|
|
af5fb1 |
+ ans[strlen(ans) - 1] = 0;
|
|
|
af5fb1 |
+ p = (char *)&addr6;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (inet_pton(AF_INET6, ans, p) < 1) {
|
|
|
af5fb1 |
+ printf("error parsing subnet prefix\n");
|
|
|
af5fb1 |
+ break;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ memcpy(&subnet_prefix, p, sizeof(subnet_prefix));
|
|
|
af5fb1 |
+ printf("pkey? ");
|
|
|
af5fb1 |
+ FGETS(ans, sizeof(ans), stdin);
|
|
|
af5fb1 |
+ pkey = atoi(ans);
|
|
|
af5fb1 |
+ sepol_ibpkey_sid(subnet_prefix, pkey, &ssid);
|
|
|
af5fb1 |
+ printf("sid %d\n", ssid);
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+ break;
|
|
|
af5fb1 |
+ case 'l':
|
|
|
af5fb1 |
+ printf("device name (eg. mlx4_0)? ");
|
|
|
af5fb1 |
+ FGETS(ans, sizeof(ans), stdin);
|
|
|
af5fb1 |
+ ans[strlen(ans) - 1] = 0;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ name = malloc((strlen(ans) + 1) * sizeof(char));
|
|
|
af5fb1 |
+ if (!name) {
|
|
|
af5fb1 |
+ fprintf(stderr, "couldn't malloc string.\n");
|
|
|
af5fb1 |
+ break;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+ strcpy(name, ans);
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ printf("port? ");
|
|
|
af5fb1 |
+ FGETS(ans, sizeof(ans), stdin);
|
|
|
af5fb1 |
+ port = atoi(ans);
|
|
|
af5fb1 |
+ sepol_ibendport_sid(name, port, &ssid);
|
|
|
af5fb1 |
+ printf("sid %d\n", ssid);
|
|
|
af5fb1 |
+ free(name);
|
|
|
af5fb1 |
+ break;
|
|
|
af5fb1 |
#ifdef EQUIVTYPES
|
|
|
af5fb1 |
case 'z':
|
|
|
af5fb1 |
identify_equiv_types();
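Review bot: Both new menu cases print `ssid` without looking at the return value of `sepol_ibpkey_sid()` / `sepol_ibendport_sid()`, so a failed lookup may show a stale or unset SID as if it were the answer. The input handling has gaps as well: `ans[strlen(ans) - 1] = 0` writes to `ans[-1]` if the buffer comes back empty and drops a real character when the line has no trailing newline, and `atoi()` cannot report a non-numeric pkey or port. The sketch below assumes the two helpers return non-zero on failure, which should be confirmed against libsepol. `main()` and the surrounding `switch` start and end outside the hunk.

```c
		case 'k':
			/* … unchanged: declarations, "subnet prefix? " prompt, FGETS … */
			ans[strcspn(ans, "\n")] = 0;	/* never writes before ans[0] */
			/* … unchanged: inet_pton() check, memcpy, "pkey? " prompt, FGETS … */
			pkey = atoi(ans);
			if (sepol_ibpkey_sid(subnet_prefix, pkey, &ssid)) {
				printf("ibpkey_sid lookup failed\n");
				break;
			}
			printf("sid %d\n", ssid);
			/* … unchanged: closing brace and break … */
		case 'l':
			/* … unchanged: device-name prompt, FGETS … */
			ans[strcspn(ans, "\n")] = 0;
			/* … unchanged: malloc/strcpy of name, "port? " prompt, FGETS … */
			port = atoi(ans);
			if (sepol_ibendport_sid(name, port, &ssid))
				printf("ibendport_sid lookup failed\n");
			else
				printf("sid %d\n", ssid);
			free(name);
			break;
```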
|
|
|
f6028d |
diff --git checkpolicy-2.5/policy_define.c checkpolicy-2.5/policy_define.c
|
|
|
e77f7e |
index ee20fea..a275e33 100644
|
|
|
f6028d |
--- checkpolicy-2.5/policy_define.c
|
|
|
f6028d |
+++ checkpolicy-2.5/policy_define.c
|
|
|
af5fb1 |
@@ -20,6 +20,7 @@
|
|
|
af5fb1 |
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
|
|
|
af5fb1 |
* Copyright (C) 2003 - 2008 Tresys Technology, LLC
|
|
|
af5fb1 |
* Copyright (C) 2007 Red Hat Inc.
|
|
|
af5fb1 |
+ * Copyright (C) 2017 Mellanox Techonologies Inc.
|
|
|
af5fb1 |
* This program is free software; you can redistribute it and/or modify
|
|
|
af5fb1 |
* it under the terms of the GNU General Public License as published by
|
|
|
af5fb1 |
* the Free Software Foundation, version 2.
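Review bot: The added copyright line spells the holder "Mellanox Techonologies Inc.", while the matching lines this patch adds to checkpolicy.c, policy_parse.y and policy_scan.l read "Mellanox Technologies Inc.". The line should be `* Copyright (C) 2017 Mellanox Technologies Inc.` so the notice names the same entity in every file.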
|
|
|
e77f7e |
@@ -36,6 +37,12 @@
|
|
|
f6028d |
#include <string.h>
|
|
|
f6028d |
#include <sys/socket.h>
|
|
|
f6028d |
#include <netinet/in.h>
|
|
|
f6028d |
+#ifndef IPPROTO_DCCP
|
|
|
f6028d |
+#define IPPROTO_DCCP 33
|
|
|
f6028d |
+#endif
|
|
|
e77f7e |
+#ifndef IPPROTO_SCTP
|
|
|
e77f7e |
+#define IPPROTO_SCTP 132
|
|
|
e77f7e |
+#endif
|
|
|
f6028d |
#include <arpa/inet.h>
|
|
|
f6028d |
#include <stdlib.h>
|
|
|
f6028d |
#include <limits.h>
|
|
|
e77f7e |
@@ -4876,6 +4883,10 @@ int define_port_context(unsigned int low, unsigned int high)
|
|
|
f6028d |
protocol = IPPROTO_TCP;
|
|
|
f6028d |
} else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
|
|
|
f6028d |
protocol = IPPROTO_UDP;
|
|
|
f6028d |
+ } else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
|
|
|
f6028d |
+ protocol = IPPROTO_DCCP;
|
|
|
e77f7e |
+ } else if ((strcmp(id, "sctp") == 0) || (strcmp(id, "SCTP") == 0)) {
|
|
|
e77f7e |
+ protocol = IPPROTO_SCTP;
|
|
|
f6028d |
} else {
|
|
|
f6028d |
yyerror2("unrecognized protocol %s", id);
|
|
|
f6028d |
free(newc);
|
|
|
e77f7e |
@@ -4931,6 +4942,192 @@ int define_port_context(unsigned int low, unsigned int high)
|
|
|
af5fb1 |
return -1;
|
|
|
af5fb1 |
}
|
|
|
af5fb1 |
|
|
|
af5fb1 |
+int define_ibpkey_context(unsigned int low, unsigned int high)
|
|
|
af5fb1 |
+{
|
|
|
af5fb1 |
+ ocontext_t *newc, *c, *l, *head;
|
|
|
af5fb1 |
+ struct in6_addr subnet_prefix;
|
|
|
af5fb1 |
+ char *id;
|
|
|
af5fb1 |
+ int rc = 0;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
|
|
|
af5fb1 |
+ yyerror("ibpkeycon not supported for target");
|
|
|
af5fb1 |
+ return -1;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (pass == 1) {
|
|
|
af5fb1 |
+ id = (char *)queue_remove(id_queue);
|
|
|
af5fb1 |
+ free(id);
|
|
|
af5fb1 |
+ parse_security_context(NULL);
|
|
|
af5fb1 |
+ return 0;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ newc = malloc(sizeof(*newc));
|
|
|
af5fb1 |
+ if (!newc) {
|
|
|
af5fb1 |
+ yyerror("out of memory");
|
|
|
af5fb1 |
+ return -1;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+ memset(newc, 0, sizeof(*newc));
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ id = queue_remove(id_queue);
|
|
|
af5fb1 |
+ if (!id) {
|
|
|
af5fb1 |
+ yyerror("failed to read the subnet prefix");
|
|
|
af5fb1 |
+ rc = -1;
|
|
|
af5fb1 |
+ goto out;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ rc = inet_pton(AF_INET6, id, &subnet_prefix);
|
|
|
af5fb1 |
+ free(id);
|
|
|
af5fb1 |
+ if (rc < 1) {
|
|
|
af5fb1 |
+ yyerror("failed to parse the subnet prefix");
|
|
|
af5fb1 |
+ if (rc == 0)
|
|
|
af5fb1 |
+ rc = -1;
|
|
|
af5fb1 |
+ goto out;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (subnet_prefix.s6_addr[2] || subnet_prefix.s6_addr[3]) {
|
|
|
af5fb1 |
+ yyerror("subnet prefix should be 0's in the low order 64 bits.");
|
|
|
af5fb1 |
+ rc = -1;
|
|
|
af5fb1 |
+ goto out;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (low > 0xffff || high > 0xffff) {
|
|
|
af5fb1 |
+ yyerror("pkey value too large, pkeys are 16 bits.");
|
|
|
af5fb1 |
+ rc = -1;
|
|
|
af5fb1 |
+ goto out;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ memcpy(&newc->u.ibpkey.subnet_prefix, &subnet_prefix.s6_addr[0],
|
|
|
af5fb1 |
+ sizeof(newc->u.ibpkey.subnet_prefix));
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ newc->u.ibpkey.low_pkey = low;
|
|
|
af5fb1 |
+ newc->u.ibpkey.high_pkey = high;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (low > high) {
|
|
|
af5fb1 |
+ yyerror2("low pkey %d exceeds high pkey %d", low, high);
|
|
|
af5fb1 |
+ rc = -1;
|
|
|
af5fb1 |
+ goto out;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ rc = parse_security_context(&newc->context[0]);
|
|
|
af5fb1 |
+ if (rc)
|
|
|
af5fb1 |
+ goto out;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ /* Preserve the matching order specified in the configuration. */
|
|
|
af5fb1 |
+ head = policydbp->ocontexts[OCON_IBPKEY];
|
|
|
af5fb1 |
+ for (l = NULL, c = head; c; l = c, c = c->next) {
|
|
|
af5fb1 |
+ unsigned int low2, high2;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ low2 = c->u.ibpkey.low_pkey;
|
|
|
af5fb1 |
+ high2 = c->u.ibpkey.high_pkey;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (low == low2 && high == high2 &&
|
|
|
af5fb1 |
+ c->u.ibpkey.subnet_prefix == newc->u.ibpkey.subnet_prefix) {
|
|
|
af5fb1 |
+ yyerror2("duplicate ibpkeycon entry for %d-%d ",
|
|
|
af5fb1 |
+ low, high);
|
|
|
af5fb1 |
+ rc = -1;
|
|
|
af5fb1 |
+ goto out;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+ if (low2 <= low && high2 >= high &&
|
|
|
af5fb1 |
+ c->u.ibpkey.subnet_prefix == newc->u.ibpkey.subnet_prefix) {
|
|
|
af5fb1 |
+ yyerror2("ibpkeycon entry for %d-%d hidden by earlier entry for %d-%d",
|
|
|
af5fb1 |
+ low, high, low2, high2);
|
|
|
af5fb1 |
+ rc = -1;
|
|
|
af5fb1 |
+ goto out;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (l)
|
|
|
af5fb1 |
+ l->next = newc;
|
|
|
af5fb1 |
+ else
|
|
|
af5fb1 |
+ policydbp->ocontexts[OCON_IBPKEY] = newc;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ return 0;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+out:
|
|
|
af5fb1 |
+ free(newc);
|
|
|
af5fb1 |
+ return rc;
|
|
|
af5fb1 |
+}
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+int define_ibendport_context(unsigned int port)
|
|
|
af5fb1 |
+{
|
|
|
af5fb1 |
+ ocontext_t *newc, *c, *l, *head;
|
|
|
af5fb1 |
+ char *id;
|
|
|
af5fb1 |
+ int rc = 0;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
|
|
|
af5fb1 |
+ yyerror("ibendportcon not supported for target");
|
|
|
af5fb1 |
+ return -1;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (pass == 1) {
|
|
|
af5fb1 |
+ id = (char *)queue_remove(id_queue);
|
|
|
af5fb1 |
+ free(id);
|
|
|
af5fb1 |
+ parse_security_context(NULL);
|
|
|
af5fb1 |
+ return 0;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (port > 0xff || port == 0) {
|
|
|
af5fb1 |
+ yyerror("Invalid ibendport port number, should be 0 < port < 256");
|
|
|
af5fb1 |
+ return -1;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ newc = malloc(sizeof(*newc));
|
|
|
af5fb1 |
+ if (!newc) {
|
|
|
af5fb1 |
+ yyerror("out of memory");
|
|
|
af5fb1 |
+ return -1;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+ memset(newc, 0, sizeof(*newc));
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ newc->u.ibendport.dev_name = queue_remove(id_queue);
|
|
|
af5fb1 |
+ if (!newc->u.ibendport.dev_name) {
|
|
|
af5fb1 |
+ yyerror("failed to read infiniband device name.");
|
|
|
af5fb1 |
+ rc = -1;
|
|
|
af5fb1 |
+ goto out;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (strlen(newc->u.ibendport.dev_name) > IB_DEVICE_NAME_MAX - 1) {
|
|
|
af5fb1 |
+ yyerror("infiniband device name exceeds max length of 63.");
|
|
|
af5fb1 |
+ rc = -1;
|
|
|
af5fb1 |
+ goto out;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ newc->u.ibendport.port = port;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (parse_security_context(&newc->context[0])) {
|
|
|
af5fb1 |
+ free(newc);
|
|
|
af5fb1 |
+ return -1;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ /* Preserve the matching order specified in the configuration. */
|
|
|
af5fb1 |
+ head = policydbp->ocontexts[OCON_IBENDPORT];
|
|
|
af5fb1 |
+ for (l = NULL, c = head; c; l = c, c = c->next) {
|
|
|
af5fb1 |
+ unsigned int port2;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ port2 = c->u.ibendport.port;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (port == port2 &&
|
|
|
af5fb1 |
+ !strcmp(c->u.ibendport.dev_name,
|
|
|
af5fb1 |
+ newc->u.ibendport.dev_name)) {
|
|
|
af5fb1 |
+ yyerror2("duplicate ibendportcon entry for %s port %u",
|
|
|
af5fb1 |
+ newc->u.ibendport.dev_name, port);
|
|
|
af5fb1 |
+ rc = -1;
|
|
|
af5fb1 |
+ goto out;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (l)
|
|
|
af5fb1 |
+ l->next = newc;
|
|
|
af5fb1 |
+ else
|
|
|
af5fb1 |
+ policydbp->ocontexts[OCON_IBENDPORT] = newc;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ return 0;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+out:
|
|
|
af5fb1 |
+ free(newc->u.ibendport.dev_name);
|
|
|
af5fb1 |
+ free(newc);
|
|
|
af5fb1 |
+ return rc;
|
|
|
af5fb1 |
+}
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
int define_netif_context(void)
|
|
|
af5fb1 |
{
|
|
|
af5fb1 |
ocontext_t *newc, *c, *head;
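Review bot: In `define_ibpkey_context()` the test `subnet_prefix.s6_addr[2] || subnet_prefix.s6_addr[3]` looks at bytes 2 and 3 of the address, not at the low-order 64 bits that the error message names; `s6_addr` is a 16-byte array, so the low half is bytes 8 to 15. As written, a prefix with non-zero low bits passes the check and the following `memcpy()` keeps only the first 8 bytes, silently dropping the rest, while a prefix whose bytes 2 or 3 are non-zero is rejected with a misleading message. Checking the intended range, for example `for (i = 8; i < 16; i++) if (subnet_prefix.s6_addr[i]) break;` and failing when `i < 16`, would make the code agree with the message. Separately, in `define_ibendport_context()` the `parse_security_context()` failure path does `free(newc); return -1;` after `dev_name` has already been taken from the queue, so the name is leaked on that path; `rc = -1; goto out;` would reuse the cleanup the other error paths already use.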
|
|
|
e77f7e |
@@ -5135,7 +5332,7 @@ int define_ipv6_node_context(void)
|
|
|
f6028d |
|
|
|
f6028d |
memset(newc, 0, sizeof(ocontext_t));
|
|
|
f6028d |
|
|
|
f6028d |
-#ifdef DARWIN
|
|
|
f6028d |
+#ifdef __APPLE__
|
|
|
f6028d |
memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16);
|
|
|
f6028d |
memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16);
|
|
|
f6028d |
#else
|
|
|
af5fb1 |
diff --git checkpolicy-2.5/policy_define.h checkpolicy-2.5/policy_define.h
|
|
|
af5fb1 |
index 964baae..3282aed 100644
|
|
|
af5fb1 |
--- checkpolicy-2.5/policy_define.h
|
|
|
af5fb1 |
+++ checkpolicy-2.5/policy_define.h
|
|
|
af5fb1 |
@@ -43,6 +43,8 @@ int define_level(void);
|
|
|
af5fb1 |
int define_netif_context(void);
|
|
|
af5fb1 |
int define_permissive(void);
|
|
|
af5fb1 |
int define_polcap(void);
|
|
|
af5fb1 |
+int define_ibpkey_context(unsigned int low, unsigned int high);
|
|
|
af5fb1 |
+int define_ibendport_context(unsigned int port);
|
|
|
af5fb1 |
int define_port_context(unsigned int low, unsigned int high);
|
|
|
af5fb1 |
int define_pirq_context(unsigned int pirq);
|
|
|
af5fb1 |
int define_iomem_context(uint64_t low, uint64_t high);
|
|
|
af5fb1 |
diff --git checkpolicy-2.5/policy_parse.y checkpolicy-2.5/policy_parse.y
|
|
|
af5fb1 |
index 3b6a2f8..35b7a33 100644
|
|
|
af5fb1 |
--- checkpolicy-2.5/policy_parse.y
|
|
|
af5fb1 |
+++ checkpolicy-2.5/policy_parse.y
|
|
|
af5fb1 |
@@ -21,6 +21,7 @@
|
|
|
af5fb1 |
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
|
|
|
af5fb1 |
* Copyright (C) 2003 - 2008 Tresys Technology, LLC
|
|
|
af5fb1 |
* Copyright (C) 2007 Red Hat Inc.
|
|
|
af5fb1 |
+ * Copyright (C) 2017 Mellanox Technologies Inc.
|
|
|
af5fb1 |
* This program is free software; you can redistribute it and/or modify
|
|
|
af5fb1 |
* it under the terms of the GNU General Public License as published by
|
|
|
af5fb1 |
* the Free Software Foundation, version 2.
|
|
|
af5fb1 |
@@ -134,6 +135,8 @@ typedef int (* require_func_t)(int pass);
|
|
|
af5fb1 |
%token TARGET
|
|
|
af5fb1 |
%token SAMEUSER
|
|
|
af5fb1 |
%token FSCON PORTCON NETIFCON NODECON
|
|
|
af5fb1 |
+%token IBPKEYCON
|
|
|
af5fb1 |
+%token IBENDPORTCON
|
|
|
af5fb1 |
%token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON DEVICETREECON
|
|
|
af5fb1 |
%token FSUSEXATTR FSUSETASK FSUSETRANS
|
|
|
af5fb1 |
%token GENFSCON
|
|
|
af5fb1 |
@@ -169,7 +172,7 @@ base_policy : { if (define_policy(pass, 0) == -1) return -1; }
|
|
|
af5fb1 |
opt_default_rules opt_mls te_rbac users opt_constraints
|
|
|
af5fb1 |
{ if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
|
|
|
af5fb1 |
else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
|
|
|
af5fb1 |
- initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
|
|
|
af5fb1 |
+ initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts opt_ibpkey_contexts opt_ibendport_contexts
|
|
|
af5fb1 |
;
|
|
|
af5fb1 |
classes : class_def
|
|
|
af5fb1 |
| classes class_def
|
|
|
af5fb1 |
@@ -695,7 +698,7 @@ fs_contexts : fs_context_def
|
|
|
af5fb1 |
fs_context_def : FSCON number number security_context_def security_context_def
|
|
|
af5fb1 |
{if (define_fs_context($2,$3)) return -1;}
|
|
|
af5fb1 |
;
|
|
|
af5fb1 |
-net_contexts : opt_port_contexts opt_netif_contexts opt_node_contexts
|
|
|
af5fb1 |
+net_contexts : opt_port_contexts opt_netif_contexts opt_node_contexts
|
|
|
af5fb1 |
;
|
|
|
af5fb1 |
opt_port_contexts : port_contexts
|
|
|
af5fb1 |
|
|
|
|
af5fb1 |
@@ -708,6 +711,26 @@ port_context_def : PORTCON identifier number security_context_def
|
|
|
af5fb1 |
| PORTCON identifier number '-' number security_context_def
|
|
|
af5fb1 |
{if (define_port_context($3,$5)) return -1;}
|
|
|
af5fb1 |
;
|
|
|
af5fb1 |
+opt_ibpkey_contexts : ibpkey_contexts
|
|
|
af5fb1 |
+ |
|
|
|
af5fb1 |
+ ;
|
|
|
af5fb1 |
+ibpkey_contexts : ibpkey_context_def
|
|
|
af5fb1 |
+ | ibpkey_contexts ibpkey_context_def
|
|
|
af5fb1 |
+ ;
|
|
|
af5fb1 |
+ibpkey_context_def : IBPKEYCON ipv6_addr number security_context_def
|
|
|
af5fb1 |
+ {if (define_ibpkey_context($3,$3)) return -1;}
|
|
|
af5fb1 |
+ | IBPKEYCON ipv6_addr number '-' number security_context_def
|
|
|
af5fb1 |
+ {if (define_ibpkey_context($3,$5)) return -1;}
|
|
|
af5fb1 |
+ ;
|
|
|
af5fb1 |
+opt_ibendport_contexts : ibendport_contexts
|
|
|
af5fb1 |
+ |
|
|
|
af5fb1 |
+ ;
|
|
|
af5fb1 |
+ibendport_contexts : ibendport_context_def
|
|
|
af5fb1 |
+ | ibendport_contexts ibendport_context_def
|
|
|
af5fb1 |
+ ;
|
|
|
af5fb1 |
+ibendport_context_def : IBENDPORTCON identifier number security_context_def
|
|
|
af5fb1 |
+ {if (define_ibendport_context($3)) return -1;}
|
|
|
af5fb1 |
+ ;
|
|
|
af5fb1 |
opt_netif_contexts : netif_contexts
|
|
|
af5fb1 |
|
|
|
|
af5fb1 |
;
|
|
|
f6028d |
diff --git checkpolicy-2.5/policy_scan.l checkpolicy-2.5/policy_scan.l
|
|
|
af5fb1 |
index 22da338..f38dd22 100644
|
|
|
f6028d |
--- checkpolicy-2.5/policy_scan.l
|
|
|
f6028d |
+++ checkpolicy-2.5/policy_scan.l
|
|
|
af5fb1 |
@@ -12,6 +12,7 @@
|
|
|
af5fb1 |
* Added support for binary policy modules
|
|
|
af5fb1 |
*
|
|
|
af5fb1 |
* Copyright (C) 2003-5 Tresys Technology, LLC
|
|
|
af5fb1 |
+ * Copyright (C) 2017 Mellanox Technologies Inc.
|
|
|
af5fb1 |
* This program is free software; you can redistribute it and/or modify
|
|
|
af5fb1 |
* it under the terms of the GNU General Public License as published by
|
|
|
af5fb1 |
* the Free Software Foundation, version 2.
|
|
|
af5fb1 |
@@ -181,6 +182,10 @@ INCOMP |
|
|
|
af5fb1 |
incomp { return(INCOMP);}
|
|
|
af5fb1 |
fscon |
|
|
|
af5fb1 |
FSCON { return(FSCON);}
|
|
|
af5fb1 |
+ibpkeycon |
|
|
|
af5fb1 |
+IBPKEYCON { return(IBPKEYCON);}
|
|
|
af5fb1 |
+ibendportcon |
|
|
|
af5fb1 |
+IBENDPORTCON { return(IBENDPORTCON);}
|
|
|
af5fb1 |
portcon |
|
|
|
af5fb1 |
PORTCON { return(PORTCON);}
|
|
|
af5fb1 |
netifcon |
|
|
|
af5fb1 |
@@ -249,9 +254,9 @@ high |
|
|
|
f6028d |
HIGH { return(HIGH); }
|
|
|
f6028d |
low |
|
|
|
f6028d |
LOW { return(LOW); }
|
|
|
f6028d |
-"/"({alnum}|[_\.\-/])* { return(PATH); }
|
|
|
f6028d |
-\""/"[ !#-~]*\" { return(QPATH); }
|
|
|
f6028d |
-\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); }
|
|
|
f6028d |
+"/"[^ \n\r\t\f]* { return(PATH); }
|
|
|
f6028d |
+\""/"[^\"\n]*\" { return(QPATH); }
|
|
|
f6028d |
+\"[^"/"\"\n]+\" { return(FILENAME); }
|
|
|
f6028d |
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
|
|
|
f6028d |
{digit}+|0x{hexval}+ { return(NUMBER); }
|
|
|
f6028d |
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
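Review bot: The new FILENAME class `[^"/"\"\n]` is harder to read than it needs to be, because inside a bracket expression the double quotes are literal characters, so `"/"` does not quote the slash and the class simply means anything except `/`, `"` and newline. Writing it as `[^/\"\n]` says the same thing without suggesting a quoted string. The widened PATH rule `"/"[^ \n\r\t\f]*` now also accepts quotes, semicolons and control bytes up to the next whitespace. A comment above the three rules stating that path and filename tokens are opaque byte strings, and that later code must not assume the old `{alnum}|[_\.\-/]` alphabet, would help whoever consumes or prints them.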
|
|
|
af5fb1 |
diff --git checkpolicy-2.5/test/dismod.c checkpolicy-2.5/test/dismod.c
|
|
|
af5fb1 |
index 08b039d..c91ab93 100644
|
|
|
af5fb1 |
--- checkpolicy-2.5/test/dismod.c
|
|
|
af5fb1 |
+++ checkpolicy-2.5/test/dismod.c
|
|
|
af5fb1 |
@@ -243,6 +243,13 @@ int display_avrule(avrule_t * avrule, policydb_t * policy,
|
|
|
af5fb1 |
}
|
|
|
af5fb1 |
} else if (avrule->specified & AVRULE_NEVERALLOW) {
|
|
|
af5fb1 |
fprintf(fp, " neverallow");
|
|
|
af5fb1 |
+ } else if (avrule->specified & AVRULE_XPERMS) {
|
|
|
af5fb1 |
+ if (avrule->specified & AVRULE_XPERMS_ALLOWED)
|
|
|
af5fb1 |
+ fprintf(fp, "allowxperm ");
|
|
|
af5fb1 |
+ else if (avrule->specified & AVRULE_XPERMS_AUDITALLOW)
|
|
|
af5fb1 |
+ fprintf(fp, "auditallowxperm ");
|
|
|
af5fb1 |
+ else if (avrule->specified & AVRULE_XPERMS_DONTAUDIT)
|
|
|
af5fb1 |
+ fprintf(fp, "dontauditxperm ");
|
|
|
af5fb1 |
} else {
|
|
|
af5fb1 |
fprintf(fp, " ERROR: no valid rule type specified\n");
|
|
|
af5fb1 |
return -1;
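Review bot: The new `AVRULE_XPERMS` branch prints a keyword only for the ALLOWED, AUDITALLOW and DONTAUDIT bits, so a rule that matches `AVRULE_XPERMS` through any other bit falls through with no keyword and no error, unlike the final `else` that reports "no valid rule type specified". If the mask also covers a neverallow variant (not visible here), that variant needs its own branch; otherwise a closing `else` that prints an error and returns -1 keeps the output honest. The new strings also use a trailing space (`"allowxperm "`) where the neighbouring `" neverallow"` uses a leading one, which is worth aligning. `display_avrule()` starts and ends outside the hunk.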
|
|
|
af5fb1 |
@@ -282,6 +289,24 @@ int display_avrule(avrule_t * avrule, policydb_t * policy,
|
|
|
af5fb1 |
policy, fp);
|
|
|
af5fb1 |
} else if (avrule->specified & AVRULE_TYPE) {
|
|
|
af5fb1 |
display_id(policy, fp, SYM_TYPES, avrule->perms->data - 1, "");
|
|
|
af5fb1 |
+ } else if (avrule->specified & AVRULE_XPERMS) {
|
|
|
af5fb1 |
+ avtab_extended_perms_t xperms;
|
|
|
af5fb1 |
+ int i;
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ if (avrule->xperms->specified == AVRULE_XPERMS_IOCTLFUNCTION)
|
|
|
af5fb1 |
+ xperms.specified = AVTAB_XPERMS_IOCTLFUNCTION;
|
|
|
af5fb1 |
+ else if (avrule->xperms->specified == AVRULE_XPERMS_IOCTLDRIVER)
|
|
|
af5fb1 |
+ xperms.specified = AVTAB_XPERMS_IOCTLDRIVER;
|
|
|
af5fb1 |
+ else {
|
|
|
af5fb1 |
+ fprintf(fp, " ERROR: no valid xperms specified\n");
|
|
|
af5fb1 |
+ return -1;
|
|
|
af5fb1 |
+ }
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ xperms.driver = avrule->xperms->driver;
|
|
|
af5fb1 |
+ for (i = 0; i < EXTENDED_PERMS_LEN; i++)
|
|
|
af5fb1 |
+ xperms.perms[i] = avrule->xperms->perms[i];
|
|
|
af5fb1 |
+
|
|
|
af5fb1 |
+ fprintf(fp, "%s", sepol_extended_perms_to_string(&xperms));
|
|
|
af5fb1 |
}
|
|
|
af5fb1 |
|
|
|
af5fb1 |
fprintf(fp, ";\n");
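Review bot: The result of `sepol_extended_perms_to_string(&xperms)` goes straight into `fprintf(fp, "%s", ...)` with no NULL check, and passing NULL for `%s` is undefined behaviour. Storing it first, e.g. `char *s = sepol_extended_perms_to_string(&xperms); if (!s) return -1;`, closes that gap; whether the string must also be freed depends on the libsepol version in use and should be confirmed. `xperms` is only partly initialised before the call (specified, driver and perms), so a `memset(&xperms, 0, sizeof(xperms));` before the assignments would make it safe regardless of which fields the formatter reads. `display_avrule()` starts and ends outside the hunk.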
|
|
|
f6028d |
diff --git checkpolicy-2.5/test/dispol.c checkpolicy-2.5/test/dispol.c
|
|
|
f6028d |
index 86f5688..a78ce81 100644
|
|
|
f6028d |
--- checkpolicy-2.5/test/dispol.c
|
|
|
f6028d |
+++ checkpolicy-2.5/test/dispol.c
|
|
|
f6028d |
@@ -252,11 +252,11 @@ int display_cond_expressions(policydb_t * p, FILE * fp)
|
|
|
f6028d |
int display_handle_unknown(policydb_t * p, FILE * out_fp)
|
|
|
f6028d |
{
|
|
|
f6028d |
if (p->handle_unknown == ALLOW_UNKNOWN)
|
|
|
f6028d |
- fprintf(out_fp, "Allow unknown classes and permisions\n");
|
|
|
f6028d |
+ fprintf(out_fp, "Allow unknown classes and permissions\n");
|
|
|
f6028d |
else if (p->handle_unknown == DENY_UNKNOWN)
|
|
|
f6028d |
- fprintf(out_fp, "Deny unknown classes and permisions\n");
|
|
|
f6028d |
+ fprintf(out_fp, "Deny unknown classes and permissions\n");
|
|
|
f6028d |
else if (p->handle_unknown == REJECT_UNKNOWN)
|
|
|
f6028d |
- fprintf(out_fp, "Reject unknown classes and permisions\n");
|
|
|
f6028d |
+ fprintf(out_fp, "Reject unknown classes and permissions\n");
|
|
|
f6028d |
return 0;
|
|
|
f6028d |
}
|
|
|
f6028d |
|
|
|
f6028d |
@@ -349,7 +349,7 @@ int menu(void)
|
|
|
f6028d |
printf("\nSelect a command:\n");
|
|
|
f6028d |
printf("1) display unconditional AVTAB\n");
|
|
|
f6028d |
printf("2) display conditional AVTAB (entirely)\n");
|
|
|
f6028d |
- printf("3) display conditional AVTAG (only ENABLED rules)\n");
|
|
|
f6028d |
+ printf("3) display conditional AVTAB (only ENABLED rules)\n");
|
|
|
f6028d |
printf("4) display conditional AVTAB (only DISABLED rules)\n");
|
|
|
f6028d |
printf("5) display conditional bools\n");
|
|
|
f6028d |
printf("6) display conditional expressions\n");
|