Improve 0004-Add-support-for-SCTP-protocol.patch
The previous version was missing some definitions of IPPROTO_SCTP and IPPROTO_DCCP, which caused policy.info(policy.PORT) to fail when the policy contained SCTP or DCCP portcon definitions. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1568333
parent
efa4712a7b
commit
287067263c
@ -1,4 +1,4 @@
|
|||||||
From 3ef6369a22691e8e11cbf63f37b114941b3577a1 Mon Sep 17 00:00:00 2001
|
From 5b08107d3f336e44e43fa3383b409a4cb1e963ed Mon Sep 17 00:00:00 2001
|
||||||
From: Vit Mojzis <vmojzis@redhat.com>
|
From: Vit Mojzis <vmojzis@redhat.com>
|
||||||
Date: Mon, 16 Apr 2018 20:46:20 +0200
|
Date: Mon, 16 Apr 2018 20:46:20 +0200
|
||||||
Subject: [PATCH] Add support for SCTP protocol
|
Subject: [PATCH] Add support for SCTP protocol
|
||||||
@ -8,10 +8,13 @@ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1568333
|
|||||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||||
---
|
---
|
||||||
libqpol/include/qpol/linux_types.h | 1 +
|
libqpol/include/qpol/linux_types.h | 1 +
|
||||||
|
libqpol/include/qpol/portcon_query.h | 7 +++++++
|
||||||
libqpol/policy_define.c | 5 +++++
|
libqpol/policy_define.c | 5 +++++
|
||||||
setools/perm_map | 30 ++++++++++++++++++++++++++++++
|
setools/perm_map | 30 ++++++++++++++++++++++++++++++
|
||||||
setools/policyrep/netcontext.py | 5 +++++
|
setools/policyrep/netcontext.py | 5 +++++
|
||||||
4 files changed, 41 insertions(+)
|
setools/policyrep/qpol.i | 2 ++
|
||||||
|
setools/portconquery.py | 17 ++++++++++++++---
|
||||||
|
7 files changed, 64 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
diff --git a/libqpol/include/qpol/linux_types.h b/libqpol/include/qpol/linux_types.h
|
diff --git a/libqpol/include/qpol/linux_types.h b/libqpol/include/qpol/linux_types.h
|
||||||
index c3c056b..0985162 100644
|
index c3c056b..0985162 100644
|
||||||
@ -25,6 +28,24 @@ index c3c056b..0985162 100644
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
diff --git a/libqpol/include/qpol/portcon_query.h b/libqpol/include/qpol/portcon_query.h
|
||||||
|
index 63210fe..61b9dd3 100644
|
||||||
|
--- a/libqpol/include/qpol/portcon_query.h
|
||||||
|
+++ b/libqpol/include/qpol/portcon_query.h
|
||||||
|
@@ -37,6 +37,13 @@ extern "C"
|
||||||
|
#include <qpol/iterator.h>
|
||||||
|
#include <qpol/policy.h>
|
||||||
|
|
||||||
|
+#ifndef IPPROTO_DCCP
|
||||||
|
+#define IPPROTO_DCCP 33
|
||||||
|
+#endif
|
||||||
|
+#ifndef IPPROTO_SCTP
|
||||||
|
+#define IPPROTO_SCTP 132
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
typedef struct qpol_portcon qpol_portcon_t;
|
||||||
|
|
||||||
|
/**
|
||||||
diff --git a/libqpol/policy_define.c b/libqpol/policy_define.c
|
diff --git a/libqpol/policy_define.c b/libqpol/policy_define.c
|
||||||
index dcc69fc..1e623a3 100644
|
index dcc69fc..1e623a3 100644
|
||||||
--- a/libqpol/policy_define.c
|
--- a/libqpol/policy_define.c
|
||||||
@ -104,10 +125,10 @@ index 0a9f91c..25fae09 100644
|
|||||||
class packet_socket 22
|
class packet_socket 22
|
||||||
append w 10
|
append w 10
|
||||||
diff --git a/setools/policyrep/netcontext.py b/setools/policyrep/netcontext.py
|
diff --git a/setools/policyrep/netcontext.py b/setools/policyrep/netcontext.py
|
||||||
index c7076d2..2d890f3 100644
|
index 9a01fc5..630b42c 100644
|
||||||
--- a/setools/policyrep/netcontext.py
|
--- a/setools/policyrep/netcontext.py
|
||||||
+++ b/setools/policyrep/netcontext.py
|
+++ b/setools/policyrep/netcontext.py
|
||||||
@@ -38,6 +38,10 @@ try:
|
@@ -35,6 +35,10 @@ try:
|
||||||
IPPROTO_DCCP = getprotobyname("dccp")
|
IPPROTO_DCCP = getprotobyname("dccp")
|
||||||
except socket.error:
|
except socket.error:
|
||||||
IPPROTO_DCCP = 33
|
IPPROTO_DCCP = 33
|
||||||
@ -118,7 +139,7 @@ index c7076d2..2d890f3 100644
|
|||||||
|
|
||||||
|
|
||||||
def netifcon_factory(policy, name):
|
def netifcon_factory(policy, name):
|
||||||
@@ -196,6 +200,7 @@ class PortconProtocol(int, PolicyEnum):
|
@@ -161,6 +165,7 @@ class PortconProtocol(int, PolicyEnum):
|
||||||
tcp = IPPROTO_TCP
|
tcp = IPPROTO_TCP
|
||||||
udp = IPPROTO_UDP
|
udp = IPPROTO_UDP
|
||||||
dccp = IPPROTO_DCCP
|
dccp = IPPROTO_DCCP
|
||||||
@ -126,6 +147,60 @@ index c7076d2..2d890f3 100644
|
|||||||
|
|
||||||
|
|
||||||
class Portcon(NetContext):
|
class Portcon(NetContext):
|
||||||
|
diff --git a/setools/policyrep/qpol.i b/setools/policyrep/qpol.i
|
||||||
|
index ecd6957..9c29619 100644
|
||||||
|
--- a/setools/policyrep/qpol.i
|
||||||
|
+++ b/setools/policyrep/qpol.i
|
||||||
|
@@ -2280,6 +2280,8 @@ typedef struct qpol_nodecon {} qpol_nodecon_t;
|
||||||
|
/* from netinet/in.h */
|
||||||
|
#define IPPROTO_TCP 6
|
||||||
|
#define IPPROTO_UDP 17
|
||||||
|
+#define IPPROTO_DCCP 33
|
||||||
|
+#define IPPROTO_SCTP 132
|
||||||
|
typedef struct qpol_portcon {} qpol_portcon_t;
|
||||||
|
%extend qpol_portcon {
|
||||||
|
qpol_portcon(qpol_policy_t *p, uint16_t low, uint16_t high, uint8_t protocol) {
|
||||||
|
diff --git a/setools/portconquery.py b/setools/portconquery.py
|
||||||
|
index 896e00d..1fe3674 100644
|
||||||
|
--- a/setools/portconquery.py
|
||||||
|
+++ b/setools/portconquery.py
|
||||||
|
@@ -17,14 +17,24 @@
|
||||||
|
# <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
import logging
|
||||||
|
-from socket import IPPROTO_TCP, IPPROTO_UDP
|
||||||
|
+from socket import IPPROTO_TCP, IPPROTO_UDP, getprotobyname
|
||||||
|
+
|
||||||
|
+# Python does not have a constant
|
||||||
|
+# for the DCCP protocol.
|
||||||
|
+try:
|
||||||
|
+ IPPROTO_DCCP = getprotobyname("dccp")
|
||||||
|
+except socket.error:
|
||||||
|
+ IPPROTO_DCCP = 33
|
||||||
|
+try:
|
||||||
|
+ IPPROTO_SCTP = getprotobyname("sctp")
|
||||||
|
+except socket.error:
|
||||||
|
+ IPPROTO_SCTP = 132
|
||||||
|
|
||||||
|
from .mixins import MatchContext
|
||||||
|
from .query import PolicyQuery
|
||||||
|
from .policyrep import PortconRange, PortconProtocol
|
||||||
|
from .util import match_range
|
||||||
|
|
||||||
|
-
|
||||||
|
class PortconQuery(MatchContext, PolicyQuery):
|
||||||
|
|
||||||
|
"""
|
||||||
|
@@ -35,7 +45,8 @@ class PortconQuery(MatchContext, PolicyQuery):
|
||||||
|
|
||||||
|
Keyword Parameters/Class attributes:
|
||||||
|
protocol The protocol to match (socket.IPPROTO_TCP for
|
||||||
|
- TCP or socket.IPPROTO_UDP for UDP)
|
||||||
|
+ TCP, socket.IPPROTO_UDP for UDP, socket.IPPROTO_DCCP
|
||||||
|
+ for DCCP or socket.IPPROTO_SCTP for SCTP)
|
||||||
|
|
||||||
|
ports A 2-tuple of the port range to match. (Set both to
|
||||||
|
the same value for a single port)
|
||||||
--
|
--
|
||||||
2.14.3
|
2.14.3
|
||||||
|
|
||||||
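Review bot: In the new `setools/portconquery.py` hunk of the patch, both fallback handlers read `except socket.error:` while the hunk only imports names from the module (`from socket import IPPROTO_TCP, IPPROTO_UDP, getprotobyname`); unless `import socket` already appears above line 17 of that file, a failing `getprotobyname()` (a host whose protocol table lacks dccp/sctp, which is exactly the case the fallback exists for) raises `NameError` instead of falling back to 33/132. Adding `import socket` next to `import logging` is the portable fix; on Python 3.3+ `socket.error` is an alias of `OSError`, so `except OSError:` on both lines works without the module import. The same hunk's docstring points callers at `socket.IPPROTO_DCCP`, which the stdlib does not define (the patch's own comment says as much); naming the module-level `IPPROTO_DCCP` constant the hunk adds would be accurate. Separately, `setools/policyrep/qpol.i` adds the two `#define`s unguarded while `portcon_query.h` wraps the same values in `#ifndef`; a consistent approach avoids a redefinition warning if the SWIG input ever pulls in `netinet/in.h`.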
|