From patchwork Wed Apr 6 11:44:35 2016
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 8761521
From: Richard Haines To: selinux@tycho.nsa.gov Subject: [PATCH] selinux: Add support for portcon dccp protocol Date: Wed, 6 Apr 2016 12:44:35 +0100 Message-Id: <1459943075-4050-1-git-send-email-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.5.5 X-TM-AS-MML: disable X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This adds CIL and checkpolicy support for the (portcon dccp ...) statement. The kernel already handles name_bind and name_connect permissions for the dccp_socket class. Signed-off-by: Richard Haines --- checkpolicy/checkpolicy.c | 2 ++ checkpolicy/policy_define.c | 2 ++ libsepol/cil/src/cil.c | 1 + libsepol/cil/src/cil_binary.c | 3 +++ libsepol/cil/src/cil_build_ast.c | 2 ++ libsepol/cil/src/cil_internal.h | 4 +++- libsepol/cil/src/cil_policy.c | 2 ++ libsepol/cil/src/cil_tree.c | 2 ++ libsepol/include/sepol/port_record.h | 1 + libsepol/src/module_to_cil.c | 1 + libsepol/src/port_record.c | 2 ++ libsepol/src/ports.c | 4 ++++ secilc/docs/cil_network_labeling_statements.md | 5 +++-- secilc/test/policy.cil | 1 + 14 files changed, 29 insertions(+), 3 deletions(-) diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c index 9da661e..ea9ee00 100644 --- a/checkpolicy/checkpolicy.c +++ b/checkpolicy/checkpolicy.c @@ -919,6 +919,8 @@ int main(int argc, char **argv) protocol = IPPROTO_TCP; else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP")) protocol = IPPROTO_UDP; + else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP")) + protocol = IPPROTO_DCCP; else { printf("unknown protocol\n"); break; 
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index ee20fea..7a4d2f1 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -4876,6 +4876,8 @@ int define_port_context(unsigned int low, unsigned int high) protocol = IPPROTO_TCP; } else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) { protocol = IPPROTO_UDP; + } else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) { + protocol = IPPROTO_DCCP; } else { yyerror2("unrecognized protocol %s", id); free(newc); diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c index afdc240..de7033a 100644 --- a/libsepol/cil/src/cil.c +++ b/libsepol/cil/src/cil.c @@ -108,6 +108,7 @@ static void cil_init_keys(void) CIL_KEY_STAR = cil_strpool_add("*"); CIL_KEY_UDP = cil_strpool_add("udp"); CIL_KEY_TCP = cil_strpool_add("tcp"); + CIL_KEY_DCCP = cil_strpool_add("dccp"); CIL_KEY_AUDITALLOW = cil_strpool_add("auditallow"); CIL_KEY_TUNABLEIF = cil_strpool_add("tunableif"); CIL_KEY_ALLOW = cil_strpool_add("allow"); diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index f749e53..5d7e52e 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -3035,6 +3035,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons) case CIL_PROTOCOL_TCP: new_ocon->u.port.protocol = IPPROTO_TCP; break; + case CIL_PROTOCOL_DCCP: + new_ocon->u.port.protocol = IPPROTO_DCCP; + break; default: /* should not get here */ rc = SEPOL_ERR; diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 1135e06..90fee8e 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c 
@@ -4261,6 +4261,8 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru portcon->proto = CIL_PROTOCOL_UDP; } else if (proto == CIL_KEY_TCP) { portcon->proto = CIL_PROTOCOL_TCP; + } else if (proto == CIL_KEY_DCCP) { + portcon->proto = CIL_PROTOCOL_DCCP; } else { cil_log(CIL_ERR, "Invalid protocol\n"); rc = SEPOL_ERR; diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h index a0a5480..a75ddf8 100644 --- a/libsepol/cil/src/cil_internal.h +++ b/libsepol/cil/src/cil_internal.h @@ -101,6 +101,7 @@ char *CIL_KEY_OBJECT_R; char *CIL_KEY_STAR; char *CIL_KEY_TCP; char *CIL_KEY_UDP; +char *CIL_KEY_DCCP; char *CIL_KEY_AUDITALLOW; char *CIL_KEY_TUNABLEIF; char *CIL_KEY_ALLOW; @@ -713,7 +714,8 @@ struct cil_filecon { enum cil_protocol { CIL_PROTOCOL_UDP = 1, - CIL_PROTOCOL_TCP + CIL_PROTOCOL_TCP, + CIL_PROTOCOL_DCCP }; struct cil_portcon { diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c index 2c9b158..382129b 100644 --- a/libsepol/cil/src/cil_policy.c +++ b/libsepol/cil/src/cil_policy.c @@ -123,6 +123,8 @@ int cil_portcon_to_policy(FILE **file_arr, struct cil_sort *sort) fprintf(file_arr[NETIFCONS], "udp "); } else if (portcon->proto == CIL_PROTOCOL_TCP) { fprintf(file_arr[NETIFCONS], "tcp "); + } else if (portcon->proto == CIL_PROTOCOL_DCCP) { + fprintf(file_arr[NETIFCONS], "dccp "); } fprintf(file_arr[NETIFCONS], "%d ", portcon->port_low); fprintf(file_arr[NETIFCONS], "%d ", portcon->port_high); diff --git a/libsepol/cil/src/cil_tree.c b/libsepol/cil/src/cil_tree.c index 1c23efc..563b817 100644 --- a/libsepol/cil/src/cil_tree.c +++ b/libsepol/cil/src/cil_tree.c @@ -1319,6 +1319,8 @@ void cil_tree_print_node(struct cil_tree_node *node) cil_log(CIL_INFO, " udp"); } else if (portcon->proto == CIL_PROTOCOL_TCP) { cil_log(CIL_INFO, " tcp"); + } else if (portcon->proto == CIL_PROTOCOL_DCCP) { + cil_log(CIL_INFO, " dccp"); } cil_log(CIL_INFO, " (%d %d)", portcon->port_low, portcon->port_high); 
diff --git a/libsepol/include/sepol/port_record.h b/libsepol/include/sepol/port_record.h index 697cea4..c07d1fa 100644 --- a/libsepol/include/sepol/port_record.h +++ b/libsepol/include/sepol/port_record.h @@ -14,6 +14,7 @@ typedef struct sepol_port_key sepol_port_key_t; #define SEPOL_PROTO_UDP 0 #define SEPOL_PROTO_TCP 1 +#define SEPOL_PROTO_DCCP 2 /* Key */ extern int sepol_port_compare(const sepol_port_t * port, diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 18ec6b9..b478d9f 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -2537,6 +2537,7 @@ static int ocontext_selinux_port_to_cil(struct policydb *pdb, struct ocontext *p switch (portcon->u.port.protocol) { case IPPROTO_TCP: protocol = "tcp"; break; case IPPROTO_UDP: protocol = "udp"; break; + case IPPROTO_DCCP: protocol = "dccp"; break; default: log_err("Unknown portcon protocol: %i", portcon->u.port.protocol); rc = -1; diff --git a/libsepol/src/port_record.c b/libsepol/src/port_record.c index 6a33d93..ed9093b 100644 --- a/libsepol/src/port_record.c +++ b/libsepol/src/port_record.c @@ -184,6 +184,8 @@ const char *sepol_port_get_proto_str(int proto) return "udp"; case SEPOL_PROTO_TCP: return "tcp"; + case SEPOL_PROTO_DCCP: + return "dccp"; default: return "???"; } diff --git a/libsepol/src/ports.c b/libsepol/src/ports.c index 607a629..b1ee094 100644 --- a/libsepol/src/ports.c +++ b/libsepol/src/ports.c @@ -16,6 +16,8 @@ static inline int sepol2ipproto(sepol_handle_t * handle, int proto) return IPPROTO_TCP; case SEPOL_PROTO_UDP: return IPPROTO_UDP; + case SEPOL_PROTO_DCCP: + return IPPROTO_DCCP; default: ERR(handle, "unsupported protocol %u", proto); return STATUS_ERR; @@ -30,6 +32,8 @@ static inline int ipproto2sepol(sepol_handle_t * handle, int proto) return SEPOL_PROTO_TCP; case IPPROTO_UDP: return SEPOL_PROTO_UDP; + case IPPROTO_DCCP: + return SEPOL_PROTO_DCCP; default: ERR(handle, "invalid protocol %u " "found in policy", proto); return STATUS_ERR; 
diff --git a/secilc/docs/cil_network_labeling_statements.md b/secilc/docs/cil_network_labeling_statements.md index 183b350..b06dbcc 100644 --- a/secilc/docs/cil_network_labeling_statements.md +++ b/secilc/docs/cil_network_labeling_statements.md @@ -155,7 +155,7 @@ These examples show named and anonymous [`nodecon`](cil_network_labeling_stateme portcon ------- -Label a udp or tcp port. +Label a udp, tcp or dccp port. **Statement definition:** @@ -175,7 +175,7 @@ Label a udp or tcp port.

protocol

-

The protocol keyword tcp or udp.

+

The protocol keyword tcp, udp or dccp.

port |

@@ -199,3 +199,4 @@ These examples show named and anonymous [`portcon`](cil_network_labeling_stateme (portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1)) (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2))) (portcon tcp (2000 20000) (unconfined.user object_r unconfined.object (systemlow level_3))) + (portcon dccp (6840 6880) (unconfined.user object_r unconfined.object ((s0) level_2))) diff --git a/secilc/test/policy.cil b/secilc/test/policy.cil index 884d2dc..2078399 100644 --- a/secilc/test/policy.cil +++ b/secilc/test/policy.cil @@ -270,6 +270,7 @@ (nodecon ip_v6 netmask_v6 system_u_bin_t_l2h) (portcon udp 25 system_u_bin_t_l2h) (portcon tcp 22 system_u_bin_t_l2h) + (portcon dccp (2048 2096) system_u_bin_t_l2h) (genfscon - "/usr/bin" system_u_bin_t_l2h) (netifcon eth0 system_u_bin_t_l2h system_u_bin_t_l2h) ;different contexts? (fsuse xattr ext3 system_u_bin_t_l2h)
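Review bot: the new `protocol = IPPROTO_DCCP;` branches in checkpolicy.c and policy_define.c, and the `case IPPROTO_DCCP:` / `return IPPROTO_DCCP;` additions in libsepol/src/ports.c, all depend on IPPROTO_DCCP being provided by the system `<netinet/in.h>`, which the patch does not guard. Please confirm the build on the oldest libc the project supports, or add a fallback (`#define IPPROTO_DCCP 33`, the IANA value) next to the existing includes so the tools still compile where the header predates DCCP.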
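Review bot: in the cil_build_ast.c hunk the rejection path `cil_log(CIL_ERR, "Invalid protocol\n");` still does not name the keyword that was rejected, and with a third accepted keyword that makes typos harder to diagnose for policy authors. Since `proto` is the interned string compared against CIL_KEY_TCP/UDP/DCCP, consider `cil_log(CIL_ERR, "Invalid protocol: %s\n", proto);`.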
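Review bot: `#define SEPOL_PROTO_DCCP 2` in libsepol/include/sepol/port_record.h is a public API addition, while the diffstat shows only checkpolicy, libsepol and secilc changed. Any other consumer that maps SEPOL_PROTO_* values (for example the semanage port tooling, and callers that would now get "???" from sepol_port_get_proto_str() for an unexpected value) should be checked for dccp handling in a follow-up, and the commit message could say explicitly that the libsepol API gains a new protocol constant.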
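Review bot: the new secilc/test/policy.cil line `(portcon dccp (2048 2096) system_u_bin_t_l2h)` exercises only the port-range form, whereas the existing udp and tcp entries are single ports. Adding a single-port dccp entry as well (as the docs example does with `(portcon dccp (6840 6880) ...)` only for the range form) would cover both parse paths in cil_gen_portcon for the new keyword.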