1 #include <netinet/in.h> 2 #ifndef IPPROTO_DCCP 3 #define IPPROTO_DCCP 33 4 #endif 5 #include <stdlib.h> 6 7 #include "debug.h" 8 #include "context.h" 9 #include "handle.h" 10 11 #include <sepol/policydb/policydb.h> 12 #include "port_internal.h" 13 sepol2ipproto(sepol_handle_t * handle,int proto)14 static inline int sepol2ipproto(sepol_handle_t * handle, int proto) 15 { 16 17 switch (proto) { 18 case SEPOL_PROTO_TCP: 19 return IPPROTO_TCP; 20 case SEPOL_PROTO_UDP: 21 return IPPROTO_UDP; 22 case SEPOL_PROTO_DCCP: 23 return IPPROTO_DCCP; 24 default: 25 ERR(handle, "unsupported protocol %u", proto); 26 return STATUS_ERR; 27 } 28 } 29 ipproto2sepol(sepol_handle_t * handle,int proto)30 static inline int ipproto2sepol(sepol_handle_t * handle, int proto) 31 { 32 33 switch (proto) { 34 case IPPROTO_TCP: 35 return SEPOL_PROTO_TCP; 36 case IPPROTO_UDP: 37 return SEPOL_PROTO_UDP; 38 case IPPROTO_DCCP: 39 return SEPOL_PROTO_DCCP; 40 default: 41 ERR(handle, "invalid protocol %u " "found in policy", proto); 42 return STATUS_ERR; 43 } 44 } 45 46 /* Create a low level port structure from 47 * a high level representation */ port_from_record(sepol_handle_t * handle,const policydb_t * policydb,ocontext_t ** port,const sepol_port_t * data)48 static int port_from_record(sepol_handle_t * handle, 49 const policydb_t * policydb, 50 ocontext_t ** port, const sepol_port_t * data) 51 { 52 53 ocontext_t *tmp_port = NULL; 54 context_struct_t *tmp_con = NULL; 55 int tmp_proto; 56 57 int low = sepol_port_get_low(data); 58 int high = sepol_port_get_high(data); 59 int proto = sepol_port_get_proto(data); 60 61 tmp_port = (ocontext_t *) calloc(1, sizeof(ocontext_t)); 62 if (!tmp_port) 63 goto omem; 64 65 /* Process protocol */ 66 tmp_proto = sepol2ipproto(handle, proto); 67 if (tmp_proto < 0) 68 goto err; 69 tmp_port->u.port.protocol = tmp_proto; 70 71 /* Port range */ 72 tmp_port->u.port.low_port = low; 73 tmp_port->u.port.high_port = high; 74 if (tmp_port->u.port.low_port > tmp_port->u.port.high_port) { 75 ERR(handle, "low port %d exceeds high port %d", 76 tmp_port->u.port.low_port, tmp_port->u.port.high_port); 77 goto err; 78 } 79 80 /* Context */ 81 if (context_from_record(handle, policydb, &tmp_con, 82 sepol_port_get_con(data)) < 0) 83 goto err; 84 context_cpy(&tmp_port->context[0], tmp_con); 85 context_destroy(tmp_con); 86 free(tmp_con); 87 tmp_con = NULL; 88 89 *port = tmp_port; 90 return STATUS_SUCCESS; 91 92 omem: 93 ERR(handle, "out of memory"); 94 95 err: 96 if (tmp_port != NULL) { 97 context_destroy(&tmp_port->context[0]); 98 free(tmp_port); 99 } 100 context_destroy(tmp_con); 101 free(tmp_con); 102 ERR(handle, "could not create port structure for range %u:%u (%s)", 103 low, high, sepol_port_get_proto_str(proto)); 104 return STATUS_ERR; 105 } 106 port_to_record(sepol_handle_t * handle,const policydb_t * policydb,ocontext_t * port,sepol_port_t ** record)107 static int port_to_record(sepol_handle_t * handle, 108 const policydb_t * policydb, 109 ocontext_t * port, sepol_port_t ** record) 110 { 111 112 int proto = port->u.port.protocol; 113 int low = port->u.port.low_port; 114 int high = port->u.port.high_port; 115 context_struct_t *con = &port->context[0]; 116 int rec_proto = -1; 117 118 sepol_context_t *tmp_con = NULL; 119 sepol_port_t *tmp_record = NULL; 120 121 if (sepol_port_create(handle, &tmp_record) < 0) 122 goto err; 123 124 rec_proto = ipproto2sepol(handle, proto); 125 if (rec_proto < 0) 126 goto err; 127 128 sepol_port_set_proto(tmp_record, rec_proto); 129 sepol_port_set_range(tmp_record, low, high); 130 131 if (context_to_record(handle, policydb, con, &tmp_con) < 0) 132 goto err; 133 134 if (sepol_port_set_con(handle, tmp_record, tmp_con) < 0) 135 goto err; 136 137 sepol_context_free(tmp_con); 138 *record = tmp_record; 139 return STATUS_SUCCESS; 140 141 err: 142 ERR(handle, "could not convert port range %u - %u (%s) " 143 "to record", low, high, sepol_port_get_proto_str(rec_proto)); 144 sepol_context_free(tmp_con); 145 sepol_port_free(tmp_record); 146 return STATUS_ERR; 147 } 148 149 /* Return the number of ports */ sepol_port_count(sepol_handle_t * handle,const sepol_policydb_t * p,unsigned int * response)150 extern int sepol_port_count(sepol_handle_t * handle __attribute__ ((unused)), 151 const sepol_policydb_t * p, unsigned int *response) 152 { 153 154 unsigned int count = 0; 155 ocontext_t *c, *head; 156 const policydb_t *policydb = &p->p; 157 158 head = policydb->ocontexts[OCON_PORT]; 159 for (c = head; c != NULL; c = c->next) 160 count++; 161 162 *response = count; 163 164 return STATUS_SUCCESS; 165 } 166 167 /* Check if a port exists */ sepol_port_exists(sepol_handle_t * handle,const sepol_policydb_t * p,const sepol_port_key_t * key,int * response)168 int sepol_port_exists(sepol_handle_t * handle, 169 const sepol_policydb_t * p, 170 const sepol_port_key_t * key, int *response) 171 { 172 173 const policydb_t *policydb = &p->p; 174 ocontext_t *c, *head; 175 176 int low, high, proto; 177 const char *proto_str; 178 sepol_port_key_unpack(key, &low, &high, &proto); 179 proto_str = sepol_port_get_proto_str(proto); 180 proto = sepol2ipproto(handle, proto); 181 if (proto < 0) 182 goto err; 183 184 head = policydb->ocontexts[OCON_PORT]; 185 for (c = head; c; c = c->next) { 186 int proto2 = c->u.port.protocol; 187 int low2 = c->u.port.low_port; 188 int high2 = c->u.port.high_port; 189 190 if (proto == proto2 && low2 == low && high2 == high) { 191 *response = 1; 192 return STATUS_SUCCESS; 193 } 194 } 195 196 *response = 0; 197 return STATUS_SUCCESS; 198 199 err: 200 ERR(handle, "could not check if port range %u - %u (%s) exists", 201 low, high, proto_str); 202 return STATUS_ERR; 203 } 204 205 /* Query a port */ sepol_port_query(sepol_handle_t * handle,const sepol_policydb_t * p,const sepol_port_key_t * key,sepol_port_t ** response)206 int sepol_port_query(sepol_handle_t * handle, 207 const sepol_policydb_t * p, 208 const sepol_port_key_t * key, sepol_port_t ** response) 209 { 210 211 const policydb_t *policydb = &p->p; 212 ocontext_t *c, *head; 213 214 int low, high, proto; 215 const char *proto_str; 216 sepol_port_key_unpack(key, &low, &high, &proto); 217 proto_str = sepol_port_get_proto_str(proto); 218 proto = sepol2ipproto(handle, proto); 219 if (proto < 0) 220 goto err; 221 222 head = policydb->ocontexts[OCON_PORT]; 223 for (c = head; c; c = c->next) { 224 int proto2 = c->u.port.protocol; 225 int low2 = c->u.port.low_port; 226 int high2 = c->u.port.high_port; 227 228 if (proto == proto2 && low2 == low && high2 == high) { 229 if (port_to_record(handle, policydb, c, response) < 0) 230 goto err; 231 return STATUS_SUCCESS; 232 } 233 } 234 235 *response = NULL; 236 return STATUS_SUCCESS; 237 238 err: 239 ERR(handle, "could not query port range %u - %u (%s)", 240 low, high, proto_str); 241 return STATUS_ERR; 242 243 } 244 245 /* Load a port into policy */ sepol_port_modify(sepol_handle_t * handle,sepol_policydb_t * p,const sepol_port_key_t * key,const sepol_port_t * data)246 int sepol_port_modify(sepol_handle_t * handle, 247 sepol_policydb_t * p, 248 const sepol_port_key_t * key, const sepol_port_t * data) 249 { 250 251 policydb_t *policydb = &p->p; 252 ocontext_t *port = NULL; 253 254 int low, high, proto; 255 const char *proto_str; 256 257 sepol_port_key_unpack(key, &low, &high, &proto); 258 proto_str = sepol_port_get_proto_str(proto); 259 proto = sepol2ipproto(handle, proto); 260 if (proto < 0) 261 goto err; 262 263 if (port_from_record(handle, policydb, &port, data) < 0) 264 goto err; 265 266 /* Attach to context list */ 267 port->next = policydb->ocontexts[OCON_PORT]; 268 policydb->ocontexts[OCON_PORT] = port; 269 270 return STATUS_SUCCESS; 271 272 err: 273 ERR(handle, "could not load port range %u - %u (%s)", 274 low, high, proto_str); 275 if (port != NULL) { 276 context_destroy(&port->context[0]); 277 free(port); 278 } 279 return STATUS_ERR; 280 } 281 sepol_port_iterate(sepol_handle_t * handle,const sepol_policydb_t * p,int (* fn)(const sepol_port_t * port,void * fn_arg),void * arg)282 int sepol_port_iterate(sepol_handle_t * handle, 283 const sepol_policydb_t * p, 284 int (*fn) (const sepol_port_t * port, 285 void *fn_arg), void *arg) 286 { 287 288 const policydb_t *policydb = &p->p; 289 ocontext_t *c, *head; 290 sepol_port_t *port = NULL; 291 292 head = policydb->ocontexts[OCON_PORT]; 293 for (c = head; c; c = c->next) { 294 int status; 295 296 if (port_to_record(handle, policydb, c, &port) < 0) 297 goto err; 298 299 /* Invoke handler */ 300 status = fn(port, arg); 301 if (status < 0) 302 goto err; 303 304 sepol_port_free(port); 305 port = NULL; 306 307 /* Handler requested exit */ 308 if (status > 0) 309 break; 310 } 311 312 return STATUS_SUCCESS; 313 314 err: 315 ERR(handle, "could not iterate over ports"); 316 sepol_port_free(port); 317 return STATUS_ERR; 318 } 319