Improve 0004-Add-support-for-SCTP-protocol.patch

The previous version was missing some definitions of IPPROTO_SCTP and IPPROTO_DCCP, which caused policy.info(policy.PORT) to fail when the policy contained SCTP or DCCP portcon definitions. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1568333
2018-07-23 15:55:34 +02:00 · 2018-07-23 15:55:34 +02:00 · 287067263c
parent efa4712a7b
commit 287067263c
1 changed files with 84 additions and 9 deletions
--- a/0004-Add-support-for-SCTP-protocol.patch
+++ b/0004-Add-support-for-SCTP-protocol.patch
@ -1,4 +1,4 @@
-From 3ef6369a22691e8e11cbf63f37b114941b3577a1 Mon Sep 17 00:00:00 2001
+From 5b08107d3f336e44e43fa3383b409a4cb1e963ed Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Mon, 16 Apr 2018 20:46:20 +0200
 Subject: [PATCH] Add support for SCTP protocol
@ -7,11 +7,14 @@ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1568333

 Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
 ---
- libqpol/include/qpol/linux_types.h |  1 +
- libqpol/policy_define.c            |  5 +++++
- setools/perm_map                   | 30 ++++++++++++++++++++++++++++++
- setools/policyrep/netcontext.py    |  5 +++++
- 4 files changed, 41 insertions(+)
+ libqpol/include/qpol/linux_types.h   |  1 +
+ libqpol/include/qpol/portcon_query.h |  7 +++++++
+ libqpol/policy_define.c              |  5 +++++
+ setools/perm_map                     | 30 ++++++++++++++++++++++++++++++
+ setools/policyrep/netcontext.py      |  5 +++++
+ setools/policyrep/qpol.i             |  2 ++
+ setools/portconquery.py              | 17 ++++++++++++++---
+ 7 files changed, 64 insertions(+), 3 deletions(-)

 diff --git a/libqpol/include/qpol/linux_types.h b/libqpol/include/qpol/linux_types.h
 index c3c056b..0985162 100644
@ -25,6 +28,24 @@ index c3c056b..0985162 100644
 #endif
 
 #endif
+diff --git a/libqpol/include/qpol/portcon_query.h b/libqpol/include/qpol/portcon_query.h
+index 63210fe..61b9dd3 100644
+--- a/libqpol/include/qpol/portcon_query.h
+++ b/libqpol/include/qpol/portcon_query.h
+@@ -37,6 +37,13 @@ extern "C"
+ #include <qpol/iterator.h>
+ #include <qpol/policy.h>
+ 
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
+
+ 	typedef struct qpol_portcon qpol_portcon_t;
+ 
+ /**
 diff --git a/libqpol/policy_define.c b/libqpol/policy_define.c
 index dcc69fc..1e623a3 100644
 --- a/libqpol/policy_define.c
@ -104,10 +125,10 @@ index 0a9f91c..25fae09 100644
 class packet_socket 22
               append         w        10
 diff --git a/setools/policyrep/netcontext.py b/setools/policyrep/netcontext.py
-index c7076d2..2d890f3 100644
+index 9a01fc5..630b42c 100644
 --- a/setools/policyrep/netcontext.py
 +++ b/setools/policyrep/netcontext.py
-@@ -38,6 +38,10 @@ try:
+@@ -35,6 +35,10 @@ try:
     IPPROTO_DCCP = getprotobyname("dccp")
 except socket.error:
     IPPROTO_DCCP = 33
@ -118,7 +139,7 @@ index c7076d2..2d890f3 100644
 
 
 def netifcon_factory(policy, name):
-@@ -196,6 +200,7 @@ class PortconProtocol(int, PolicyEnum):
+@@ -161,6 +165,7 @@ class PortconProtocol(int, PolicyEnum):
     tcp = IPPROTO_TCP
     udp = IPPROTO_UDP
     dccp = IPPROTO_DCCP
@ -126,6 +147,60 @@ index c7076d2..2d890f3 100644
 
 
 class Portcon(NetContext):
+diff --git a/setools/policyrep/qpol.i b/setools/policyrep/qpol.i
+index ecd6957..9c29619 100644
+--- a/setools/policyrep/qpol.i
+++ b/setools/policyrep/qpol.i
+@@ -2280,6 +2280,8 @@ typedef struct qpol_nodecon {} qpol_nodecon_t;
+ /* from netinet/in.h */
+ #define IPPROTO_TCP 6
+ #define IPPROTO_UDP 17
+#define IPPROTO_DCCP 33
+#define IPPROTO_SCTP 132
+ typedef struct qpol_portcon {} qpol_portcon_t;
+ %extend qpol_portcon {
+     qpol_portcon(qpol_policy_t *p, uint16_t low, uint16_t high, uint8_t protocol) {
+diff --git a/setools/portconquery.py b/setools/portconquery.py
+index 896e00d..1fe3674 100644
+--- a/setools/portconquery.py
+++ b/setools/portconquery.py
+@@ -17,14 +17,24 @@
+ # <http://www.gnu.org/licenses/>.
+ #
+ import logging
+-from socket import IPPROTO_TCP, IPPROTO_UDP
+from socket import IPPROTO_TCP, IPPROTO_UDP, getprotobyname
+
+# Python does not have a constant
+# for the DCCP protocol.
+try:
+    IPPROTO_DCCP = getprotobyname("dccp")
+except socket.error:
+    IPPROTO_DCCP = 33
+try:
+    IPPROTO_SCTP = getprotobyname("sctp")
+except socket.error:
+    IPPROTO_SCTP = 132
+ 
+ from .mixins import MatchContext
+ from .query import PolicyQuery
+ from .policyrep import PortconRange, PortconProtocol
+ from .util import match_range
+ 
+-
+ class PortconQuery(MatchContext, PolicyQuery):
+ 
+     """
+@@ -35,7 +45,8 @@ class PortconQuery(MatchContext, PolicyQuery):
+ 
+     Keyword Parameters/Class attributes:
+     protocol        The protocol to match (socket.IPPROTO_TCP for
+-                    TCP or socket.IPPROTO_UDP for UDP)
+                    TCP, socket.IPPROTO_UDP for UDP, socket.IPPROTO_DCCP
+                    for DCCP or socket.IPPROTO_SCTP for SCTP)
+ 
+     ports           A 2-tuple of the port range to match. (Set both to
+                     the same value for a single port)
 -- 
 2.14.3