On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens <danielj@xxxxxxxxxxxx>
>
> Add checkpolicy support for scanning and parsing ibendportcon labels.
> Also create a new ocontext for IB end ports.
>
> Signed-off-by: Daniel Jurgens <danielj@xxxxxxxxxxxx>
> ---
> checkpolicy/policy_define.c | 70
> ++++++++++++++++++++++++++++
> checkpolicy/policy_define.h | 1 +
> checkpolicy/policy_parse.y | 14 +++++-
> checkpolicy/policy_scan.l | 2 +
> libsepol/include/sepol/policydb/policydb.h | 7 ++-
> 5 files changed, 91 insertions(+), 3 deletions(-)
>
> diff --git a/checkpolicy/policy_define.c
> b/checkpolicy/policy_define.c
> index 6f92bc5..2926f18 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -5085,6 +5085,76 @@ out:
> return rc;
> }
>
> +int define_ibendport_context(unsigned int port)
> +{
> + ocontext_t *newc, *c, *l, *head;
> + char *id;
> + int rc = 0;
> +
> + if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
> + yyerror("ibendportcon not supported for target");
> + return -1;
> + }
> +
> + if (pass == 1) {
> + id = (char *)queue_remove(id_queue);
> + free(id);
> + parse_security_context(NULL);
> + return 0;
> + }
> +
> + newc = malloc(sizeof(*newc));
> + if (!newc) {
> + yyerror("out of memory");
> + return -1;
> + }
> + memset(newc, 0, sizeof(*newc));
> +
> + newc->u.ibendport.dev_name = queue_remove(id_queue);
> + if (!newc->u.ibendport.dev_name) {
> + yyerror("failed to read subnet management interface
> device name.");
> + rc = -1;
> + goto out;
> + }
> +
> + newc->u.ibendport.port = port;
> +
> + if (parse_security_context(&newc->context[0])) {
> + free(newc);
> + return -1;
> + }
> +
> + /* Preserve the matching order specified in the
> configuration. */
> + head = policydbp->ocontexts[OCON_IBENDPORT];
> + for (l = NULL, c = head; c; l = c, c = c->next) {
> + unsigned int port2;
> +
> + port2 = c->u.ibendport.port;
> +
> + if (port == port2 &&
> + !strncmp(c->u.ibendport.dev_name,
> + newc->u.ibendport.dev_name,
> + 64)) {
> + yyerror2("duplicate ibendportcon entry for
> %s port %u",
> + newc->u.ibendport.dev_name, port);
> + rc = -1;
> + goto out;
> + }
> + }
> +
> + if (l)
> + l->next = newc;
> + else
> + policydbp->ocontexts[OCON_IBENDPORT] = newc;
> +
> + return 0;
> +
> +out:
> + free(newc->u.ibendport.dev_name);
> + free(newc);
> + return rc;
> +}
> +
> int define_netif_context(void)
> {
> ocontext_t *newc, *c, *head;
> diff --git a/checkpolicy/policy_define.h
> b/checkpolicy/policy_define.h
> index b019b1a..3282aed 100644
> --- a/checkpolicy/policy_define.h
> +++ b/checkpolicy/policy_define.h
> @@ -44,6 +44,7 @@ int define_netif_context(void);
> int define_permissive(void);
> int define_polcap(void);
> int define_ibpkey_context(unsigned int low, unsigned int high);
> +int define_ibendport_context(unsigned int port);
> int define_port_context(unsigned int low, unsigned int high);
> int define_pirq_context(unsigned int pirq);
> int define_iomem_context(uint64_t low, uint64_t high);
> diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
> index f50eab1..35b7a33 100644
> --- a/checkpolicy/policy_parse.y
> +++ b/checkpolicy/policy_parse.y
> @@ -136,6 +136,7 @@ typedef int (* require_func_t)(int pass);
> %token SAMEUSER
> %token FSCON PORTCON NETIFCON NODECON
> %token IBPKEYCON
> +%token IBENDPORTCON
> %token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON DEVICETREECON
> %token FSUSEXATTR FSUSETASK FSUSETRANS
> %token GENFSCON
> @@ -171,7 +172,7 @@ base_policy : { if
> (define_policy(pass, 0) == -1) return -1; }
> opt_default_rules opt_mls te_rbac users
> opt_constraints
> { if (pass == 1) { if
> (policydb_index_bools(policydbp)) return -1;}
> else if (pass == 2) { if
> (policydb_index_others(NULL, policydbp, 0)) return -1;}}
> - initial_sid_contexts opt_fs_contexts
> opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
> opt_ibpkey_contexts
> + initial_sid_contexts opt_fs_contexts
> opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
> opt_ibpkey_contexts opt_ibendport_contexts
> ;
> classes : class_def
> | classes class_def
> @@ -697,7 +698,7 @@ fs_contexts : fs_context_def
> fs_context_def : FSCON number number
> security_context_def security_context_def
> {if (define_fs_context($2,$3)) return -1;}
> ;
> -net_contexts : opt_port_contexts opt_netif_contexts
> opt_node_contexts
> +net_contexts : opt_port_contexts opt_netif_contexts
> opt_node_contexts
> ;
> opt_port_contexts : port_contexts
> |
> @@ -721,6 +722,15 @@ ibpkey_context_def : IBPKEYCON ipv6_addr
> number security_context_def
> | IBPKEYCON ipv6_addr number '-' number
> security_context_def
> {if (define_ibpkey_context($3,$5)) return
> -1;}
> ;
> +opt_ibendport_contexts : ibendport_contexts
> + |
> + ;
> +ibendport_contexts : ibendport_context_def
> + | ibendport_contexts ibendport_context_def
> + ;
> +ibendport_context_def : IBENDPORTCON identifier number
> security_context_def
> + {if (define_ibendport_context($3)) return
> -1;}
> + ;
> opt_netif_contexts : netif_contexts
> |
> ;
> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> index 07352cb..f38dd22 100644
> --- a/checkpolicy/policy_scan.l
> +++ b/checkpolicy/policy_scan.l
> @@ -184,6 +184,8 @@ fscon |
> FSCON { return(FSCON);}
> ibpkeycon |
> IBPKEYCON { return(IBPKEYCON);}
> +ibendportcon |
> +IBENDPORTCON { return(IBENDPORTCON);}
> portcon |
> PORTCON { return(PORTCON);}
> netifcon |
> diff --git a/libsepol/include/sepol/policydb/policydb.h
> b/libsepol/include/sepol/policydb/policydb.h
> index 5ecc623..326a7bb 100644
> --- a/libsepol/include/sepol/policydb/policydb.h
> +++ b/libsepol/include/sepol/policydb/policydb.h
> @@ -360,6 +360,10 @@ typedef struct ocontext {
> uint16_t low_pkey;
> uint16_t high_pkey;
> } ibpkey;
> + struct {
> + char *dev_name;
> + uint8_t port;
> + } ibendport;
These were pkey and ib_endport in the kernel patch, and port was
port_num. Either way is fine but they probably ought to be consistent.
> } u;
> union {
> uint32_t sclass; /* security class for genfs
> */
> @@ -396,6 +400,7 @@ typedef struct genfs {
> #define OCON_FSUSE 5 /* fs_use */
> #define OCON_NODE6 6 /* IPv6 nodes */
> #define OCON_IBPKEY 7 /* Infiniband PKEY */
> +#define OCON_IBENDPORT 8 /* Infiniband End Port */
These were OCON_PKEY and OCON_IB_ENDPORT in the last kernel patches I
saw. Ok either way but they probably ought to be consistent.
>
> /* object context array indices for Xen */
> #define OCON_XEN_ISID 0 /* initial SIDs */
> @@ -406,7 +411,7 @@ typedef struct genfs {
> #define OCON_XEN_DEVICETREE 5 /* device tree node */
>
> /* OCON_NUM needs to be the largest index in any platform's ocontext
> array */
> -#define OCON_NUM 8
> +#define OCON_NUM 9
>
> /* section: module information */
>
