From af5fb1e4cd69f5a6d140d28eba0c6de00872b01f Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 10 2018 05:28:50 +0000 Subject: import checkpolicy-2.5-6.el7 --- diff --git a/SOURCES/checkpolicy-rhel.patch b/SOURCES/checkpolicy-rhel.patch index 4b922a1..ad6666b 100644 --- a/SOURCES/checkpolicy-rhel.patch +++ b/SOURCES/checkpolicy-rhel.patch @@ -89,10 +89,18 @@ index 5957d29..53cc5a0 100644 if (write_binary_policy(&modpolicydb, outfp) != 0) { fprintf(stderr, "%s: error writing %s\n", argv[0], outfile); diff --git checkpolicy-2.5/checkpolicy.c checkpolicy-2.5/checkpolicy.c -index 9da661e..2d68316 100644 +index 9da661e..5bc0c56 100644 --- checkpolicy-2.5/checkpolicy.c +++ checkpolicy-2.5/checkpolicy.c -@@ -64,13 +64,16 @@ +@@ -22,6 +22,7 @@ + * + * Policy Module support. + * ++ * Copyright (C) 2017 Mellanox Technologies Inc. + * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. + * Copyright (C) 2003 - 2005 Tresys Technology, LLC + * Copyright (C) 2003 Red Hat, Inc., James Morris +@@ -64,13 +65,16 @@ #include #include #include @@ -110,7 +118,16 @@ index 9da661e..2d68316 100644 #include #endif -@@ -919,6 +922,8 @@ int main(int argc, char **argv) +@@ -679,6 +683,8 @@ int main(int argc, char **argv) + printf("h) change a boolean value\n"); + printf("i) display constraint expressions\n"); + printf("j) display validatetrans expressions\n"); ++ printf("k) Call ibpkey_sid\n"); ++ printf("l) Call ibendport_sid\n"); + #ifdef EQUIVTYPES + printf("z) Show equivalent types\n"); + #endif +@@ -919,6 +925,8 @@ int main(int argc, char **argv) protocol = IPPROTO_TCP; else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP")) protocol = IPPROTO_UDP; 
@@ -119,11 +136,70 @@ index 9da661e..2d68316 100644 else { printf("unknown protocol\n"); break; +@@ -1198,6 +1206,50 @@ int main(int argc, char **argv) + "\nNo validatetrans expressions found.\n"); + } + break; ++ case 'k': ++ { ++ char *p; ++ struct in6_addr addr6; ++ uint64_t subnet_prefix; ++ unsigned int pkey; ++ ++ printf("subnet prefix? "); ++ FGETS(ans, sizeof(ans), stdin); ++ ans[strlen(ans) - 1] = 0; ++ p = (char *)&addr6; ++ ++ if (inet_pton(AF_INET6, ans, p) < 1) { ++ printf("error parsing subnet prefix\n"); ++ break; ++ } ++ ++ memcpy(&subnet_prefix, p, sizeof(subnet_prefix)); ++ printf("pkey? "); ++ FGETS(ans, sizeof(ans), stdin); ++ pkey = atoi(ans); ++ sepol_ibpkey_sid(subnet_prefix, pkey, &ssid); ++ printf("sid %d\n", ssid); ++ } ++ break; ++ case 'l': ++ printf("device name (eg. mlx4_0)? "); ++ FGETS(ans, sizeof(ans), stdin); ++ ans[strlen(ans) - 1] = 0; ++ ++ name = malloc((strlen(ans) + 1) * sizeof(char)); ++ if (!name) { ++ fprintf(stderr, "couldn't malloc string.\n"); ++ break; ++ } ++ strcpy(name, ans); ++ ++ printf("port? "); ++ FGETS(ans, sizeof(ans), stdin); ++ port = atoi(ans); ++ sepol_ibendport_sid(name, port, &ssid); ++ printf("sid %d\n", ssid); ++ free(name); ++ break; + #ifdef EQUIVTYPES + case 'z': + identify_equiv_types(); diff --git checkpolicy-2.5/policy_define.c checkpolicy-2.5/policy_define.c -index ee20fea..100e517 100644 +index ee20fea..f65958c 100644 --- checkpolicy-2.5/policy_define.c +++ checkpolicy-2.5/policy_define.c -@@ -36,6 +36,9 @@ +@@ -20,6 +20,7 @@ + * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. + * Copyright (C) 2003 - 2008 Tresys Technology, LLC + * Copyright (C) 2007 Red Hat Inc. ++ * Copyright (C) 2017 Mellanox Techonologies Inc. + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2. +@@ -36,6 +37,9 @@ #include #include #include 
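Review bot: In the new `case 'k'` and `case 'l'` blocks the return values of `sepol_ibpkey_sid()` and `sepol_ibendport_sid()` are discarded, so when the lookup fails the `printf("sid %d\n", ssid)` line reports whatever `ssid` held before the call; test the result and report the failure instead, e.g. `if (sepol_ibpkey_sid(subnet_prefix, pkey, &ssid)) printf("unknown ibpkey\n"); else printf("sid %d\n", ssid);` and the same for the ibendport call. The `atoi()` conversions accept any value, while the compiler side added later in this patch (define_ibpkey_context / define_ibendport_context) rejects pkeys above 0xffff and ports outside 1..255; an out-of-range interactive query is presumably just refused by libsepol, but `strtoul` with the same range checks would make the query tool agree with the policy rules. `ans[strlen(ans) - 1] = 0` writes before the buffer when the line read is empty (a leading NUL byte), though this mirrors the existing cases in main(), whose body starts and ends outside this hunk. The copyright line added to policy_define.c in the same hunk misspells "Technologies" as "Techonologies".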
@@ -133,7 +209,7 @@ index ee20fea..100e517 100644 #include #include #include -@@ -4876,6 +4879,8 @@ int define_port_context(unsigned int low, unsigned int high) +@@ -4876,6 +4880,8 @@ int define_port_context(unsigned int low, unsigned int high) protocol = IPPROTO_TCP; } else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) { protocol = IPPROTO_UDP; 
@@ -142,7 +218,200 @@ index ee20fea..100e517 100644 } else { yyerror2("unrecognized protocol %s", id); free(newc); -@@ -5135,7 +5140,7 @@ int define_ipv6_node_context(void) +@@ -4931,6 +4937,192 @@ int define_port_context(unsigned int low, unsigned int high) + return -1; + } + ++int define_ibpkey_context(unsigned int low, unsigned int high) ++{ ++ ocontext_t *newc, *c, *l, *head; ++ struct in6_addr subnet_prefix; ++ char *id; ++ int rc = 0; ++ ++ if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { ++ yyerror("ibpkeycon not supported for target"); ++ return -1; ++ } ++ ++ if (pass == 1) { ++ id = (char *)queue_remove(id_queue); ++ free(id); ++ parse_security_context(NULL); ++ return 0; ++ } ++ ++ newc = malloc(sizeof(*newc)); ++ if (!newc) { ++ yyerror("out of memory"); ++ return -1; ++ } ++ memset(newc, 0, sizeof(*newc)); ++ ++ id = queue_remove(id_queue); ++ if (!id) { ++ yyerror("failed to read the subnet prefix"); ++ rc = -1; ++ goto out; ++ } ++ ++ rc = inet_pton(AF_INET6, id, &subnet_prefix); ++ free(id); ++ if (rc < 1) { ++ yyerror("failed to parse the subnet prefix"); ++ if (rc == 0) ++ rc = -1; ++ goto out; ++ } ++ ++ if (subnet_prefix.s6_addr[2] || subnet_prefix.s6_addr[3]) { ++ yyerror("subnet prefix should be 0's in the low order 64 bits."); ++ rc = -1; ++ goto out; ++ } ++ ++ if (low > 0xffff || high > 0xffff) { ++ yyerror("pkey value too large, pkeys are 16 bits."); ++ rc = -1; ++ goto out; ++ } ++ ++ memcpy(&newc->u.ibpkey.subnet_prefix, &subnet_prefix.s6_addr[0], ++ sizeof(newc->u.ibpkey.subnet_prefix)); ++ ++ newc->u.ibpkey.low_pkey = low; ++ newc->u.ibpkey.high_pkey = high; ++ ++ if (low > high) { ++ yyerror2("low pkey %d exceeds high pkey %d", low, high); ++ rc = -1; ++ goto out; ++ } ++ ++ rc = parse_security_context(&newc->context[0]); ++ if (rc) ++ goto out; ++ ++ /* Preserve the matching order specified in the configuration. 
*/ ++ head = policydbp->ocontexts[OCON_IBPKEY]; ++ for (l = NULL, c = head; c; l = c, c = c->next) { ++ unsigned int low2, high2; ++ ++ low2 = c->u.ibpkey.low_pkey; ++ high2 = c->u.ibpkey.high_pkey; ++ ++ if (low == low2 && high == high2 && ++ c->u.ibpkey.subnet_prefix == newc->u.ibpkey.subnet_prefix) { ++ yyerror2("duplicate ibpkeycon entry for %d-%d ", ++ low, high); ++ rc = -1; ++ goto out; ++ } ++ if (low2 <= low && high2 >= high && ++ c->u.ibpkey.subnet_prefix == newc->u.ibpkey.subnet_prefix) { ++ yyerror2("ibpkeycon entry for %d-%d hidden by earlier entry for %d-%d", ++ low, high, low2, high2); ++ rc = -1; ++ goto out; ++ } ++ } ++ ++ if (l) ++ l->next = newc; ++ else ++ policydbp->ocontexts[OCON_IBPKEY] = newc; ++ ++ return 0; ++ ++out: ++ free(newc); ++ return rc; ++} ++ ++int define_ibendport_context(unsigned int port) ++{ ++ ocontext_t *newc, *c, *l, *head; ++ char *id; ++ int rc = 0; ++ ++ if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { ++ yyerror("ibendportcon not supported for target"); ++ return -1; ++ } ++ ++ if (pass == 1) { ++ id = (char *)queue_remove(id_queue); ++ free(id); ++ parse_security_context(NULL); ++ return 0; ++ } ++ ++ if (port > 0xff || port == 0) { ++ yyerror("Invalid ibendport port number, should be 0 < port < 256"); ++ return -1; ++ } ++ ++ newc = malloc(sizeof(*newc)); ++ if (!newc) { ++ yyerror("out of memory"); ++ return -1; ++ } ++ memset(newc, 0, sizeof(*newc)); ++ ++ newc->u.ibendport.dev_name = queue_remove(id_queue); ++ if (!newc->u.ibendport.dev_name) { ++ yyerror("failed to read infiniband device name."); ++ rc = -1; ++ goto out; ++ } ++ ++ if (strlen(newc->u.ibendport.dev_name) > IB_DEVICE_NAME_MAX - 1) { ++ yyerror("infiniband device name exceeds max length of 63."); ++ rc = -1; ++ goto out; ++ } ++ ++ newc->u.ibendport.port = port; ++ ++ if (parse_security_context(&newc->context[0])) { ++ free(newc); ++ return -1; ++ } ++ ++ /* Preserve the matching order specified in the configuration. 
*/ ++ head = policydbp->ocontexts[OCON_IBENDPORT]; ++ for (l = NULL, c = head; c; l = c, c = c->next) { ++ unsigned int port2; ++ ++ port2 = c->u.ibendport.port; ++ ++ if (port == port2 && ++ !strcmp(c->u.ibendport.dev_name, ++ newc->u.ibendport.dev_name)) { ++ yyerror2("duplicate ibendportcon entry for %s port %u", ++ newc->u.ibendport.dev_name, port); ++ rc = -1; ++ goto out; ++ } ++ } ++ ++ if (l) ++ l->next = newc; ++ else ++ policydbp->ocontexts[OCON_IBENDPORT] = newc; ++ ++ return 0; ++ ++out: ++ free(newc->u.ibendport.dev_name); ++ free(newc); ++ return rc; ++} ++ + int define_netif_context(void) + { + ocontext_t *newc, *c, *head; +@@ -5135,7 +5327,7 @@ int define_ipv6_node_context(void) memset(newc, 0, sizeof(ocontext_t)); 
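Review bot: The low-order-bits check in define_ibpkey_context, `if (subnet_prefix.s6_addr[2] || subnet_prefix.s6_addr[3])`, inspects bytes 2 and 3 of the address (the second hextet of the high-order half) rather than the low 64 bits named in the error message, because `s6_addr` is a byte array; a prefix such as fe80:1::/64 is rejected while fe80::1 passes and its non-zero low half is then silently discarded by the 8-byte memcpy into `newc->u.ibpkey.subnet_prefix`. Compare the whole low half instead, e.g. `static const uint8_t zero_half[8];` followed by `if (memcmp(&subnet_prefix.s6_addr[8], zero_half, sizeof zero_half)) {`, keeping the existing message. In define_ibendport_context the `parse_security_context` failure path does `free(newc); return -1;` and so leaks the dev_name string that the `out:` label would have released; make it `rc = -1; goto out;` like the other error paths in the same function. The `yyerror2("low pkey %d exceeds high pkey %d", low, high)` call formats unsigned parameters with %d; %u matches their type.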
@@ -151,11 +420,109 @@ index ee20fea..100e517 100644 memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16); memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16); #else +diff --git checkpolicy-2.5/policy_define.h checkpolicy-2.5/policy_define.h +index 964baae..3282aed 100644 +--- checkpolicy-2.5/policy_define.h ++++ checkpolicy-2.5/policy_define.h +@@ -43,6 +43,8 @@ int define_level(void); + int define_netif_context(void); + int define_permissive(void); + int define_polcap(void); ++int define_ibpkey_context(unsigned int low, unsigned int high); ++int define_ibendport_context(unsigned int port); + int define_port_context(unsigned int low, unsigned int high); + int define_pirq_context(unsigned int pirq); + int define_iomem_context(uint64_t low, uint64_t high); +diff --git checkpolicy-2.5/policy_parse.y checkpolicy-2.5/policy_parse.y +index 3b6a2f8..35b7a33 100644 +--- checkpolicy-2.5/policy_parse.y ++++ checkpolicy-2.5/policy_parse.y +@@ -21,6 +21,7 @@ + * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. + * Copyright (C) 2003 - 2008 Tresys Technology, LLC + * Copyright (C) 2007 Red Hat Inc. ++ * Copyright (C) 2017 Mellanox Technologies Inc. + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2. 
+@@ -134,6 +135,8 @@ typedef int (* require_func_t)(int pass); + %token TARGET + %token SAMEUSER + %token FSCON PORTCON NETIFCON NODECON ++%token IBPKEYCON ++%token IBENDPORTCON + %token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON DEVICETREECON + %token FSUSEXATTR FSUSETASK FSUSETRANS + %token GENFSCON +@@ -169,7 +172,7 @@ base_policy : { if (define_policy(pass, 0) == -1) return -1; } + opt_default_rules opt_mls te_rbac users opt_constraints + { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;} + else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}} +- initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts ++ initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts opt_ibpkey_contexts opt_ibendport_contexts + ; + classes : class_def + | classes class_def +@@ -695,7 +698,7 @@ fs_contexts : fs_context_def + fs_context_def : FSCON number number security_context_def security_context_def + {if (define_fs_context($2,$3)) return -1;} + ; +-net_contexts : opt_port_contexts opt_netif_contexts opt_node_contexts ++net_contexts : opt_port_contexts opt_netif_contexts opt_node_contexts + ; + opt_port_contexts : port_contexts + | +@@ -708,6 +711,26 @@ port_context_def : PORTCON identifier number security_context_def + | PORTCON identifier number '-' number security_context_def + {if (define_port_context($3,$5)) return -1;} + ; ++opt_ibpkey_contexts : ibpkey_contexts ++ | ++ ; ++ibpkey_contexts : ibpkey_context_def ++ | ibpkey_contexts ibpkey_context_def ++ ; ++ibpkey_context_def : IBPKEYCON ipv6_addr number security_context_def ++ {if (define_ibpkey_context($3,$3)) return -1;} ++ | IBPKEYCON ipv6_addr number '-' number security_context_def ++ {if (define_ibpkey_context($3,$5)) return -1;} ++ ; ++opt_ibendport_contexts : ibendport_contexts ++ | ++ ; ++ibendport_contexts : ibendport_context_def ++ | ibendport_contexts ibendport_context_def ++ ; 
++ibendport_context_def : IBENDPORTCON identifier number security_context_def ++ {if (define_ibendport_context($3)) return -1;} ++ ; + opt_netif_contexts : netif_contexts + | + ; diff --git checkpolicy-2.5/policy_scan.l checkpolicy-2.5/policy_scan.l -index 22da338..2f7f221 100644 +index 22da338..f38dd22 100644 --- checkpolicy-2.5/policy_scan.l +++ checkpolicy-2.5/policy_scan.l -@@ -249,9 +249,9 @@ high | +@@ -12,6 +12,7 @@ + * Added support for binary policy modules + * + * Copyright (C) 2003-5 Tresys Technology, LLC ++ * Copyright (C) 2017 Mellanox Technologies Inc. + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2. +@@ -181,6 +182,10 @@ INCOMP | + incomp { return(INCOMP);} + fscon | + FSCON { return(FSCON);} ++ibpkeycon | ++IBPKEYCON { return(IBPKEYCON);} ++ibendportcon | ++IBENDPORTCON { return(IBENDPORTCON);} + portcon | + PORTCON { return(PORTCON);} + netifcon | +@@ -249,9 +254,9 @@ high | HIGH { return(HIGH); } low | LOW { return(LOW); } 
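Review bot: The base_policy change appends `opt_ibpkey_contexts opt_ibendport_contexts` after `opt_dev_contexts`, so a policy source must place every ibpkeycon and ibendportcon statement after the port/netif/node and device context sections or checkpolicy reports a syntax error, and nothing in the hunk records that ordering. A comment above the new rules, e.g. `/* ibpkeycon/ibendportcon must follow all other ocontext sections; see base_policy */`, would save the next person from debugging it. Note also that ibendport_context_def takes the device name as `identifier`, so a name the lexer classifies otherwise (one with a leading digit is lexed as NUMBER or FILESYSTEM by the rules later in policy_scan.l) cannot be expressed; current device names such as mlx4_0 start with a letter, so this is presumably acceptable but worth stating next to the rule.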
@@ -168,6 +535,49 @@ index 22da338..2f7f221 100644 {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } {digit}+|0x{hexval}+ { return(NUMBER); } {alnum}*{letter}{alnum}* { return(FILESYSTEM); } +diff --git checkpolicy-2.5/test/dismod.c checkpolicy-2.5/test/dismod.c +index 08b039d..c91ab93 100644 +--- checkpolicy-2.5/test/dismod.c ++++ checkpolicy-2.5/test/dismod.c +@@ -243,6 +243,13 @@ int display_avrule(avrule_t * avrule, policydb_t * policy, + } + } else if (avrule->specified & AVRULE_NEVERALLOW) { + fprintf(fp, " neverallow"); ++ } else if (avrule->specified & AVRULE_XPERMS) { ++ if (avrule->specified & AVRULE_XPERMS_ALLOWED) ++ fprintf(fp, "allowxperm "); ++ else if (avrule->specified & AVRULE_XPERMS_AUDITALLOW) ++ fprintf(fp, "auditallowxperm "); ++ else if (avrule->specified & AVRULE_XPERMS_DONTAUDIT) ++ fprintf(fp, "dontauditxperm "); + } else { + fprintf(fp, " ERROR: no valid rule type specified\n"); + return -1; +@@ -282,6 +289,24 @@ int display_avrule(avrule_t * avrule, policydb_t * policy, + policy, fp); + } else if (avrule->specified & AVRULE_TYPE) { + display_id(policy, fp, SYM_TYPES, avrule->perms->data - 1, ""); ++ } else if (avrule->specified & AVRULE_XPERMS) { ++ avtab_extended_perms_t xperms; ++ int i; ++ ++ if (avrule->xperms->specified == AVRULE_XPERMS_IOCTLFUNCTION) ++ xperms.specified = AVTAB_XPERMS_IOCTLFUNCTION; ++ else if (avrule->xperms->specified == AVRULE_XPERMS_IOCTLDRIVER) ++ xperms.specified = AVTAB_XPERMS_IOCTLDRIVER; ++ else { ++ fprintf(fp, " ERROR: no valid xperms specified\n"); ++ return -1; ++ } ++ ++ xperms.driver = avrule->xperms->driver; ++ for (i = 0; i < EXTENDED_PERMS_LEN; i++) ++ xperms.perms[i] = avrule->xperms->perms[i]; ++ ++ fprintf(fp, "%s", sepol_extended_perms_to_string(&xperms)); + } + + fprintf(fp, ";\n"); diff --git checkpolicy-2.5/test/dispol.c checkpolicy-2.5/test/dispol.c index 86f5688..a78ce81 100644 --- checkpolicy-2.5/test/dispol.c 
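Review bot: The new xperms branch in display_avrule prints a rule keyword only for AVRULE_XPERMS_ALLOWED, AVRULE_XPERMS_AUDITALLOW and AVRULE_XPERMS_DONTAUDIT; if AVRULE_XPERMS also covers AVRULE_XPERMS_NEVERALLOW, as libsepol's policydb.h defines it, a neverallowxperm rule passes the outer test and is emitted with no keyword at all, giving an unparseable line instead of the "no valid rule type" error the final else produces for other cases. Add `else if (avrule->specified & AVRULE_XPERMS_NEVERALLOW) fprintf(fp, "neverallowxperm ");` and a trailing `else` that mirrors the existing error return. The three keywords are also written as "allowxperm " with a trailing space while the sibling branch prints " neverallow" with a leading one, so output spacing differs between rule types; pick one form. display_avrule starts and ends outside this hunk.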
diff --git a/SPECS/checkpolicy.spec b/SPECS/checkpolicy.spec index a8fa080..22036f8 100644 --- a/SPECS/checkpolicy.spec +++ b/SPECS/checkpolicy.spec @@ -1,13 +1,13 @@ -%define libselinuxver 2.5-5 -%define libsepolver 2.5-6 +%define libselinuxver 2.5-12 +%define libsepolver 2.5-8 Summary: SELinux policy compiler Name: checkpolicy Version: 2.5 -Release: 4%{?dist} +Release: 6%{?dist} License: GPLv2 Group: Development/System Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/checkpolicy-2.5.tar.gz -# HEAD e7ab0f8b86a3f6234f264d3bf98ccfb070ebaca7 +# HEAD f4e2ab4e29496130bc89dddf8096e9367b25665b Patch1: checkpolicy-rhel.patch BuildRoot: %{_tmppath}/%{name}-buildroot @@ -59,6 +59,16 @@ rm -rf ${RPM_BUILD_ROOT} %{_bindir}/sedispol %changelog +* Thu Oct 19 2017 Vit Mojzis - 2.5-6 +- Add ibendport ocontext handling +- Add support for ibendportcon labels +- Add ibpkey ocontext handling +- Add support for ibpkeycon labels +- Add binary module support for xperms + +* Mon Sep 25 2017 Vit Mojzis - 2.5-5 +- Rebuild to incorporate cgroup_seclabel capability introduced in libsepol (rhbz#1494179) + * Thu Aug 11 2016 Petr Lautrbach 2.5-4 - Extend checkpolicy pathname matching