From 3ef6369a22691e8e11cbf63f37b114941b3577a1 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 16 Apr 2018 20:46:20 +0200
Subject: [PATCH] Add support for SCTP protocol
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1568333
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 libqpol/include/qpol/linux_types.h |  1 +
 libqpol/policy_define.c            |  5 +++++
 setools/perm_map                   | 30 ++++++++++++++++++++++++++++++
 setools/policyrep/netcontext.py    |  5 +++++
 4 files changed, 41 insertions(+)
diff --git a/libqpol/include/qpol/linux_types.h b/libqpol/include/qpol/linux_types.h
index c3c056b..0985162 100644
--- a/libqpol/include/qpol/linux_types.h
+++ b/libqpol/include/qpol/linux_types.h
@@ -12,6 +12,7 @@ typedef uint16_t __u16;
 #define s6_addr32	__u6_addr32
 
 #define IPPROTO_DCCP 33
+#define IPPROTO_SCTP 132
 #endif
 
 #endif
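Review bot: The new `#define IPPROTO_SCTP 132` on line 45 is unconditional inside whatever guard encloses this block, while the same constant added to policy_define.c is wrapped in `#ifndef IPPROTO_SCTP`; if the enclosing guard here is keyed on something other than IPPROTO_SCTP (its opening is outside the hunk), a libc `<netinet/in.h>` that already defines the macro with a different replacement list would produce a redefinition diagnostic. Mirroring the policy_define.c form, `#ifndef IPPROTO_SCTP` / `#define IPPROTO_SCTP 132` / `#endif`, keeps the two definitions consistent regardless of include order. The `#endif` on line 47 closes a guard whose opening is not visible in this hunk.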
diff --git a/libqpol/policy_define.c b/libqpol/policy_define.c
index dcc69fc..1e623a3 100644
--- a/libqpol/policy_define.c
+++ b/libqpol/policy_define.c
@@ -44,6 +44,9 @@
 #ifndef IPPROTO_DCCP
 #define IPPROTO_DCCP 33
 #endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
 #include <arpa inet.h="">
 #include <stdlib.h>
 #include <limits.h>
@@ -4933,6 +4936,8 @@ int define_port_context(unsigned int low, unsigned int high)
 		protocol = IPPROTO_UDP;
 	} else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
 		protocol = IPPROTO_DCCP;
+	} else if ((strcmp(id, "sctp") == 0) || (strcmp(id, "SCTP") == 0)) {
+		protocol = IPPROTO_SCTP;
 	} else {
 		yyerror2("unrecognized protocol %s", id);
 		goto bad;
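Review bot: The new branch on lines 89-91 copies the two-spelling `strcmp` pattern of the udp/dccp branches, so `sctp` and `SCTP` are accepted but no other casing is, which is consistent with the existing behaviour and should stay so unless the policy language is meant to be case-insensitive. A comment at the top of the chain noting that only the lower- and upper-case spellings are recognised would make that contract explicit for the next protocol added, e.g. `/* protocol names are matched exactly: only all-lower and all-upper spellings */`. Note that the name-to-number mapping now lives in this chain, in linux_types.h, in perm_map and in netcontext.py, so any future protocol has to be added in all four places. The enclosing define_port_context starts and ends outside this hunk.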
diff --git a/setools/perm_map b/setools/perm_map
index 0a9f91c..25fae09 100644
--- a/setools/perm_map
+++ b/setools/perm_map
@@ -385,6 +385,8 @@ class node 11
             udp_send         w        10
            dccp_recv         r        10
            dccp_send         w        10
+           sctp_recv         r        10
+           sctp_send         w        10
         enforce_dest         n         1
               sendto         w        10
             recvfrom         r        10
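Review bot: The `class node 11` header shown as this hunk's context, and `class netif 10` for the hunk ending at line 207, are left unchanged while each hunk adds two permissions (sctp_recv, sctp_send); the new `class sctp_socket 24` block lists exactly 24 entries, which strongly suggests that trailing number is the per-class permission count. If the permission-map loader reads exactly that many entries for a class, the two appended lines would be parsed as the start of the next class and the map would fail to load or silently drop them; the headers would need to become `class node 13` and `class netif 12`. Both class header lines sit just above their hunks and outside the changed region.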
@@ -699,6 +701,32 @@ class dccp_socket 24
            relabelto         w        10
               listen         r         1
 
+class sctp_socket 24
+           node_bind         n         1
+        name_connect         w        10
+              append         w        10
+                bind         w         1
+             connect         w         1
+              create         w         1
+               write         w        10
+         relabelfrom         r        10
+               ioctl         n         1
+           name_bind         n         1
+              sendto         w        10
+            recv_msg         r        10
+            send_msg         w        10
+             getattr         r         7
+             setattr         w         7
+              accept         r         1
+              getopt         r         1
+                read         r        10
+              setopt         w         1
+            shutdown         w         1
+            recvfrom         r        10
+                lock         n         1
+           relabelto         w        10
+              listen         r         1
+
 class netlink_firewall_socket 24
          nlmsg_write         w        10
           nlmsg_read         r        10
@@ -984,6 +1012,8 @@ class netif 10
             udp_send         w        10
            dccp_recv         r        10
            dccp_send         w        10
+           sctp_recv         r        10
+           sctp_send         w        10
 
 class packet_socket 22
               append         w        10
diff --git a/setools/policyrep/netcontext.py b/setools/policyrep/netcontext.py
index c7076d2..2d890f3 100644
--- a/setools/policyrep/netcontext.py
+++ b/setools/policyrep/netcontext.py
@@ -38,6 +38,10 @@ try:
     IPPROTO_DCCP = getprotobyname("dccp")
 except socket.error:
     IPPROTO_DCCP = 33
+try:
+    IPPROTO_SCTP = getprotobyname("sctp")
+except socket.error:
+    IPPROTO_SCTP = 132
 
 
 def netifcon_factory(policy, name):
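Review bot: The fallback `IPPROTO_SCTP = 132` on line 231 carries no note of where the number comes from, so a reader cannot tell whether it is a placeholder or the real wire value; a short comment would settle that, e.g. `# IANA protocol number for SCTP, used when the local protocols database has no "sctp" entry`. The try/except mirrors the dccp lookup above it, which is the right shape for a platform-dependent constant, and `socket.error` is `OSError` on Python 3 so the except clause catches the lookup failure `getprotobyname` raises. The module-level run that starts with the `try:` named in the hunk header begins outside the hunk.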
@@ -196,6 +200,7 @@ class PortconProtocol(int, PolicyEnum):
     tcp = IPPROTO_TCP
     udp = IPPROTO_UDP
     dccp = IPPROTO_DCCP
+    sctp = IPPROTO_SCTP
 
 
 class Portcon(NetContext):
-- 
2.14.3