trunk: Add support for network interfaces with access controlled by a Boolean from the CLIP project.

Changelog

@@ -1,3 +1,5 @@
+- Add support for network interfaces with access controlled by a Boolean
+  from the CLIP project.
 - Several fixes from the CLIP project.
 - Add support for labeled Booleans.
 - Remove node definitions and change node usage to generic nodes.

Makefile

@@ -397,7 +397,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke
 	@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
 	@echo "#" >> $@
 	$(verbose) cat $@.in >> $@
-	$(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $< \
+	$(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
 		| $(M4) -D self_contained_policy $(M4PARAM) $@.m4 - \
 		| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
 

policy/modules/kernel/corenetwork.if.m4

@@ -140,6 +140,147 @@ interface(`corenet_raw_sendrecv_$1_if',`
 ')
 '') dnl end create_netif_interfaces
 
+# create confined network interfaces controlled by the network_enabled boolean
+# do not call this macro for loop back
+define(`create_netif_interfaces_controlled',``
+########################################
+## <summary>
+##	Send and receive TCP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_$1_if',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	if (network_enabled) {
+		allow dollarsone $1_$2:netif { tcp_send tcp_recv egress ingress };
+	}
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_$1_if',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	if (network_enabled) {
+		allow dollarsone $1_$2:netif { udp_send egress };
+	}
+')
+
+########################################
+## <summary>
+##	Receive UDP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_$1_if',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	if (network_enabled) {
+		allow dollarsone $1_$2:netif { udp_recv ingress };
+	}
+')
+
+########################################
+## <summary>
+##	Send and receive UDP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_$1_if',`
+	corenet_udp_send_$1_if(dollarsone)
+	corenet_udp_receive_$1_if(dollarsone)
+')
+
+########################################
+## <summary>
+##	Send raw IP packets on the $1 interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_raw_send_$1_if',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	if (network_enabled) {
+		allow dollarsone $1_$2:netif { rawip_send egress };
+	}
+')
+
+########################################
+## <summary>
+##	Receive raw IP packets on the $1 interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_raw_receive_$1_if',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	if (network_enabled) {
+		allow dollarsone $1_$2:netif { rawip_recv ingress };
+	}
+')
+
+########################################
+## <summary>
+##	Send and receive raw IP packets on the $1 interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_raw_sendrecv_$1_if',`
+	corenet_raw_send_$1_if(dollarsone)
+	corenet_raw_receive_$1_if(dollarsone)
+')
+'') dnl end create_netif_interfaces_controlled
+
 ########################################
 #
 # Network node generated macros 
@@ -641,9 +782,15 @@ interface(`corenet_relabelto_$1_packets',`
 define(`create_netif_type_interfaces',`
 create_netif_interfaces($1,netif_t,type)
 ')
+define(`create_netif_type_interfaces_controlled',`
+create_netif_interfaces_controlled($1,netif_t,type)
+')
 define(`create_netif_attrib_interfaces',`
 create_netif_interfaces($1,netif,attribute)
 ')
+define(`create_netif_attrib_interfaces_controlled',`
+create_netif_interfaces_controlled($1,netif,attribute)
+')
 
 #
 # network_interface(linux_interfacename,mls_sensitivity)
@@ -652,6 +799,10 @@ define(`network_interface',`
 create_netif_type_interfaces($1)
 ')
 
+define(`network_interface_controlled',`
+create_netif_type_interfaces_controlled($1)
+')
+
 #
 # create_node_*_interfaces(node_name)
 #

policy/modules/kernel/corenetwork.te.in

@@ -1,5 +1,5 @@
 
-policy_module(corenetwork, 1.11.1)
+policy_module(corenetwork, 1.11.2)
 
 ########################################
 #

policy/modules/kernel/corenetwork.te.m4

@@ -39,6 +39,21 @@ type $1_netif_t alias netif_$1_t, netif_type;
 declare_netifs($1_netif_t,shift($*))
 ')
 
+define(`network_interface_controlled',`
+ifdef(`__network_enabled_declared__',`',`
+## <desc>
+## <p>
+## Enable network traffic on all controlled interfaces.
+## </p>
+## </desc>
+gen_bool(network_enabled, true)
+define(`__network_enabled_declared__')
+')
+gen_require(``type unlabeled_t;'')
+type $1_netif_t alias netif_$1_t, netif_type;
+declare_netifs($1_netif_t,shift($*))
+')
+
 define(`declare_nodes',`dnl
 nodecon $3 $4 gen_context(system_u:object_r:$1,$2)
 ifelse(`$5',`',`',`declare_nodes($1,shiftn(4,$*))')dnl