From 308baad28c1468408977e1f4c4e74676c72bd7ac Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 26 May 2008 18:38:06 +0000
Subject: [PATCH] trunk: Patch for labeled networking controls in 2.6.25 from Paul Moore.
---
 Changelog | 1 +
 policy/modules/kernel/corenetwork.if.in | 80 +++++++++++++++----------
 policy/modules/kernel/corenetwork.if.m4 | 20 +++----
 policy/modules/kernel/corenetwork.te.in | 2 +-
 policy/modules/kernel/kernel.if | 56 +++++++++++++++++
 policy/modules/kernel/kernel.te | 5 +-
 6 files changed, 122 insertions(+), 42 deletions(-)
diff --git a/Changelog b/Changelog
index 4674ce52..3502a8c7 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Patch for labeled networking controls in 2.6.25 from Paul Moore.
 - Module loading now requires setsched on kernel threads.
 - Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
 - X application data class from Eamon Walsh and Ted Toth.
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 7dfaa8d0..2b473b30 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -154,7 +154,7 @@ interface(`corenet_tcp_sendrecv_generic_if',`
 type netif_t;
 ')
- allow $1 netif_t:netif { tcp_send tcp_recv };
+ allow $1 netif_t:netif { tcp_send tcp_recv egress ingress };
 ')
 ########################################
@@ -172,7 +172,7 @@ interface(`corenet_udp_send_generic_if',`
 type netif_t;
 ')
- allow $1 netif_t:netif udp_send;
+ allow $1 netif_t:netif { udp_send egress };
 ')
 ########################################
@@ -191,7 +191,7 @@ interface(`corenet_dontaudit_udp_send_generic_if',`
 type netif_t;
 ')
- dontaudit $1 netif_t:netif udp_send;
+ dontaudit $1 netif_t:netif { udp_send egress };
 ')
 ########################################
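Review bot: The `egress` and `ingress` added in `allow $1 netif_t:netif { tcp_send tcp_recv egress ingress };` are not tied to TCP the way `tcp_send`/`tcp_recv` are: as far as I know the 2.6.25 netif and node checks (`egress`/`ingress`, `sendto`/`recvfrom`) are applied regardless of protocol, so the protocol-named interfaces changed in this hunk, the netif and node hunks that follow in this file, and the matching ones in corenetwork.if.m4 each now grant the protocol-independent permission as well, with the per-protocol distinction surviving only in the socket-class rules callers already need. That is the right thing to do for 2.6.25, but nothing in the interface names or descriptions says so. I would add one comment at the first changed rule, e.g. `# egress/ingress (netif) and sendto/recvfrom (node) are the protocol-independent 2.6.25 checks; the tcp_*/udp_*/rawip_* permissions are kept for older kernels`, and keep the old permissions exactly as this patch does. The interface definitions begin before each hunk.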
@@ -209,7 +209,7 @@ interface(`corenet_udp_receive_generic_if',`
 type netif_t;
 ')
- allow $1 netif_t:netif udp_recv;
+ allow $1 netif_t:netif { udp_recv ingress };
 ')
 ########################################
@@ -228,7 +228,7 @@ interface(`corenet_dontaudit_udp_receive_generic_if',`
 type netif_t;
 ')
- dontaudit $1 netif_t:netif udp_recv;
+ dontaudit $1 netif_t:netif { udp_recv ingress };
 ')
 ########################################
@@ -277,7 +277,7 @@ interface(`corenet_raw_send_generic_if',`
 type netif_t;
 ')
- allow $1 netif_t:netif rawip_send;
+ allow $1 netif_t:netif { rawip_send egress };
 ')
 ########################################
@@ -295,7 +295,7 @@ interface(`corenet_raw_receive_generic_if',`
 type netif_t;
 ')
- allow $1 netif_t:netif rawip_recv;
+ allow $1 netif_t:netif { rawip_recv ingress };
 ')
 ########################################
@@ -328,7 +328,7 @@ interface(`corenet_tcp_sendrecv_all_if',`
 attribute netif_type;
 ')
- allow $1 netif_type:netif { tcp_send tcp_recv };
+ allow $1 netif_type:netif { tcp_send tcp_recv egress ingress };
 ')
 ########################################
@@ -346,7 +346,7 @@ interface(`corenet_udp_send_all_if',`
 attribute netif_type;
 ')
- allow $1 netif_type:netif udp_send;
+ allow $1 netif_type:netif { udp_send egress };
 ')
 ########################################
@@ -364,7 +364,7 @@ interface(`corenet_udp_receive_all_if',`
 attribute netif_type;
 ')
- allow $1 netif_type:netif udp_recv;
+ allow $1 netif_type:netif { udp_recv ingress };
 ')
 ########################################
@@ -397,7 +397,7 @@ interface(`corenet_raw_send_all_if',`
 attribute netif_type;
 ')
- allow $1 netif_type:netif rawip_send;
+ allow $1 netif_type:netif { rawip_send egress };
 ')
 ########################################
@@ -415,7 +415,7 @@ interface(`corenet_raw_receive_all_if',`
 attribute netif_type;
 ')
- allow $1 netif_type:netif rawip_recv;
+ allow $1 netif_type:netif { rawip_recv ingress };
 ')
 ########################################
@@ -448,7 +448,7 @@ interface(`corenet_tcp_sendrecv_generic_node',`
 type node_t;
 ')
- allow $1 node_t:node { tcp_send tcp_recv };
+ allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom };
 ')
 ########################################
@@ -466,7 +466,7 @@ interface(`corenet_udp_send_generic_node',`
 type node_t;
 ')
- allow $1 node_t:node udp_send;
+ allow $1 node_t:node { udp_send sendto };
 ')
 ########################################
@@ -484,7 +484,7 @@ interface(`corenet_udp_receive_generic_node',`
 type node_t;
 ')
- allow $1 node_t:node udp_recv;
+ allow $1 node_t:node { udp_recv recvfrom };
 ')
 ########################################
@@ -517,7 +517,7 @@ interface(`corenet_raw_send_generic_node',`
 type node_t;
 ')
- allow $1 node_t:node rawip_send;
+ allow $1 node_t:node { rawip_send sendto };
 ')
 ########################################
@@ -535,7 +535,7 @@ interface(`corenet_raw_receive_generic_node',`
 type node_t;
 ')
- allow $1 node_t:node rawip_recv;
+ allow $1 node_t:node { rawip_recv recvfrom };
 ')
 ########################################
@@ -604,7 +604,7 @@ interface(`corenet_tcp_sendrecv_all_nodes',`
 attribute node_type;
 ')
- allow $1 node_type:node { tcp_send tcp_recv };
+ allow $1 node_type:node { tcp_send tcp_recv sendto recvfrom };
 ')
 ########################################
@@ -622,7 +622,7 @@ interface(`corenet_udp_send_all_nodes',`
 attribute node_type;
 ')
- allow $1 node_type:node udp_send;
+ allow $1 node_type:node { udp_send sendto };
 ')
 ########################################
@@ -641,7 +641,7 @@ interface(`corenet_dontaudit_udp_send_all_nodes',`
 attribute node_type;
 ')
- dontaudit $1 node_type:node udp_send;
+ dontaudit $1 node_type:node { udp_send sendto };
 ')
 ########################################
@@ -659,7 +659,7 @@ interface(`corenet_udp_receive_all_nodes',`
 attribute node_type;
 ')
- allow $1 node_type:node udp_recv;
+ allow $1 node_type:node { udp_recv recvfrom };
 ')
 ########################################
@@ -678,7 +678,7 @@ interface(`corenet_dontaudit_udp_receive_all_nodes',`
 attribute node_type;
 ')
- dontaudit $1 node_type:node udp_recv;
+ dontaudit $1 node_type:node { udp_recv recvfrom };
 ')
 ########################################
@@ -727,7 +727,7 @@ interface(`corenet_raw_send_all_nodes',`
 attribute node_type;
 ')
- allow $1 node_type:node rawip_send;
+ allow $1 node_type:node { rawip_send sendto };
 ')
 ########################################
@@ -745,7 +745,7 @@ interface(`corenet_raw_receive_all_nodes',`
 attribute node_type;
 ')
- allow $1 node_type:node rawip_recv;
+ allow $1 node_type:node { rawip_recv recvfrom };
 ')
 ########################################
@@ -1737,6 +1737,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
 type netlabel_peer_t;
 ')
+ allow $1 netlabel_peer_t:peer recv;
 allow $1 netlabel_peer_t:tcp_socket recvfrom;
 ')
@@ -1752,6 +1753,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
 #
 interface(`corenet_tcp_recvfrom_unlabeled',`
 kernel_tcp_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
 # XXX - at some point the oubound/send access check will be removed
 # but for right now we need to keep this in place so as not to break
@@ -1791,6 +1793,7 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
 type netlabel_peer_t;
 ')
+ dontaudit $1 netlabel_peer_t:peer recv;
 dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
 ')
@@ -1807,6 +1810,7 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
 #
 interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
 kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
 # XXX - at some point the oubound/send access check will be removed
 # but for right now we need to keep this in place so as not to break
@@ -1844,6 +1848,7 @@ interface(`corenet_udp_recvfrom_netlabel',`
 type netlabel_peer_t;
 ')
+ allow $1 netlabel_peer_t:peer recv;
 allow $1 netlabel_peer_t:udp_socket recvfrom;
 ')
@@ -1859,6 +1864,7 @@ interface(`corenet_udp_recvfrom_netlabel',`
 #
 interface(`corenet_udp_recvfrom_unlabeled',`
 kernel_udp_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
 # XXX - at some point the oubound/send access check will be removed
 # but for right now we need to keep this in place so as not to break
@@ -1898,6 +1904,7 @@ interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
 type netlabel_peer_t;
 ')
+ dontaudit $1 netlabel_peer_t:peer recv;
 dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
 ')
@@ -1914,6 +1921,7 @@ interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
 #
 interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
 kernel_dontaudit_udp_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
 # XXX - at some point the oubound/send access check will be removed
 # but for right now we need to keep this in place so as not to break
@@ -1951,6 +1959,7 @@ interface(`corenet_raw_recvfrom_netlabel',`
 type netlabel_peer_t;
 ')
+ allow $1 netlabel_peer_t:peer recv;
 allow $1 netlabel_peer_t:rawip_socket recvfrom;
 ')
@@ -1966,6 +1975,7 @@ interface(`corenet_raw_recvfrom_netlabel',`
 #
 interface(`corenet_raw_recvfrom_unlabeled',`
 kernel_raw_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
 # XXX - at some point the oubound/send access check will be removed
 # but for right now we need to keep this in place so as not to break
@@ -2005,6 +2015,7 @@ interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
 type netlabel_peer_t;
 ')
+ dontaudit $1 netlabel_peer_t:peer recv;
 dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
 ')
@@ -2021,6 +2032,7 @@ interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
 #
 interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
 kernel_dontaudit_raw_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
 # XXX - at some point the oubound/send access check will be removed
 # but for right now we need to keep this in place so as not to break
@@ -2042,6 +2054,7 @@ interface(`corenet_all_recvfrom_unlabeled',`
 kernel_tcp_recvfrom_unlabeled($1)
 kernel_udp_recvfrom_unlabeled($1)
 kernel_raw_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
 # XXX - at some point the oubound/send access check will be removed
 # but for right now we need to keep this in place so as not to break
@@ -2064,6 +2077,7 @@ interface(`corenet_all_recvfrom_netlabel',`
 type netlabel_peer_t;
 ')
+ allow $1 netlabel_peer_t:peer recv;
 allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
 ')
@@ -2081,6 +2095,7 @@ interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
 kernel_dontaudit_tcp_recvfrom_unlabeled($1)
 kernel_dontaudit_udp_recvfrom_unlabeled($1)
 kernel_dontaudit_raw_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
 # XXX - at some point the oubound/send access check will be removed
 # but for right now we need to keep this in place so as not to break
@@ -2104,6 +2119,7 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
 type netlabel_peer_t;
 ')
+ dontaudit $1 netlabel_peer_t:peer recv;
 dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
 ')
@@ -2135,8 +2151,10 @@ interface(`corenet_tcp_recvfrom_labeled',`
 allow $1 $2:{ association tcp_socket } recvfrom;
 allow $2 $1:{ association tcp_socket } recvfrom;
- # Netlabel (CIPSO)-based labeled networking
- # currently only supports MLS portion of label
+ allow $1 $2:peer recv;
+ allow $2 $1:peer recv;
+
+ # allow receiving packets from MLS-only peers using NetLabel
 corenet_tcp_recvfrom_netlabel($1)
 corenet_tcp_recvfrom_netlabel($2)
 ')
@@ -2160,8 +2178,9 @@ interface(`corenet_udp_recvfrom_labeled',`
 allow $2 self:association sendto;
 allow $1 $2:{ association udp_socket } recvfrom;
- # Netlabel (CIPSO)-based labeled networking
- # currently only supports MLS portion of label
+ allow $1 $2:peer recv;
+
+ # allow receiving packets from MLS-only peers using NetLabel
 corenet_udp_recvfrom_netlabel($1)
 ')
@@ -2184,8 +2203,9 @@ interface(`corenet_raw_recvfrom_labeled',`
 allow $2 self:association sendto;
 allow $1 $2:{ association rawip_socket } recvfrom;
- # Netlabel (CIPSO)-based labeled networking
- # currently only supports MLS portion of label
+ allow $1 $2:peer recv;
+
+ # allow receiving packets from MLS-only peers using NetLabel
 corenet_raw_recvfrom_netlabel($1)
 ')
diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
index c20c7a45..a83e89fa 100644
--- a/policy/modules/kernel/corenetwork.if.m4
+++ b/policy/modules/kernel/corenetwork.if.m4
@@ -28,7 +28,7 @@ interface(`corenet_tcp_sendrecv_$1_if',`
 $3 $1_$2;
 ')
- allow dollarsone $1_$2:netif { tcp_send tcp_recv };
+ allow dollarsone $1_$2:netif { tcp_send tcp_recv egress ingress };
 ')
 ########################################
@@ -47,7 +47,7 @@ interface(`corenet_udp_send_$1_if',`
 $3 $1_$2;
 ')
- allow dollarsone $1_$2:netif udp_send;
+ allow dollarsone $1_$2:netif { udp_send egress };
 ')
 ########################################
@@ -66,7 +66,7 @@ interface(`corenet_udp_receive_$1_if',`
 $3 $1_$2;
 ')
- allow dollarsone $1_$2:netif udp_recv;
+ allow dollarsone $1_$2:netif { udp_recv ingress };
 ')
 ########################################
@@ -101,7 +101,7 @@ interface(`corenet_raw_send_$1_if',`
 $3 $1_$2;
 ')
- allow dollarsone $1_$2:netif rawip_send;
+ allow dollarsone $1_$2:netif { rawip_send egress };
 ')
 ########################################
@@ -120,7 +120,7 @@ interface(`corenet_raw_receive_$1_if',`
 $3 $1_$2;
 ')
- allow dollarsone $1_$2:netif rawip_recv;
+ allow dollarsone $1_$2:netif { rawip_recv ingress };
 ')
 ########################################
@@ -163,7 +163,7 @@ interface(`corenet_tcp_sendrecv_$1_node',`
 $3 $1_$2;
 ')
- allow dollarsone $1_$2:node { tcp_send tcp_recv };
+ allow dollarsone $1_$2:node { tcp_send tcp_recv sendto recvfrom };
 ')
 ########################################
@@ -182,7 +182,7 @@ interface(`corenet_udp_send_$1_node',`
 $3 $1_$2;
 ')
- allow dollarsone $1_$2:node udp_send;
+ allow dollarsone $1_$2:node { udp_send sendto };
 ')
 ########################################
@@ -201,7 +201,7 @@ interface(`corenet_udp_receive_$1_node',`
 $3 $1_$2;
 ')
- allow dollarsone $1_$2:node udp_recv;
+ allow dollarsone $1_$2:node { udp_recv recvfrom };
 ')
 ########################################
@@ -236,7 +236,7 @@ interface(`corenet_raw_send_$1_node',`
 $3 $1_$2;
 ')
- allow dollarsone $1_$2:node rawip_send;
+ allow dollarsone $1_$2:node { rawip_send sendto };
 ')
 ########################################
@@ -255,7 +255,7 @@ interface(`corenet_raw_receive_$1_node',`
 $3 $1_$2;
 ')
- allow dollarsone $1_$2:node rawip_recv;
+ allow dollarsone $1_$2:node { rawip_recv recvfrom };
 ')
 ########################################
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index a1811859..8ccf4672 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.15)
+policy_module(corenetwork,1.2.16)
 ########################################
 #
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 34e6292d..6142c2d4 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2495,6 +2495,62 @@ interface(`kernel_sendrecv_unlabeled_packets',`
 allow $1 unlabeled_t:packet { send recv };
 ')
+########################################
+##
+## Receive packets from an unlabeled peer.
+##
+##
+##

+## Receive packets from an unlabeled peer, these packets do not have any
+## peer labeling information present.
+##

+##

+## The corenetwork interface corenet_recvfrom_unlabeled_peer() should
+## be used instead of this one.
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
#
+interface(`kernel_recvfrom_unlabeled_peer',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:peer recv;
+')
+
+########################################
+##
+## Do not audit attempts to receive packets from an unlabeled peer.
+##
+##
+##

+## Do not audit attempts to receive packets from an unlabeled peer,
+## these packets do not have any peer labeling information present.
+##

+##

+## The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled()
+## should be used instead of this one.
+##

+##
+##
+##
+## Domain to not audit.
+##
+##
#
+interface(`kernel_dontaudit_recvfrom_unlabeled_peer',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:peer recv;
+')
+
 ########################################
 ##
 ## Unconfined access to kernel module resources.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 5d95440d..3714169c 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.9.2)
+policy_module(kernel,1.9.3)
 ########################################
 #
@@ -212,6 +212,9 @@ allow kernel_t unlabeled_t:dir mounton;
 # connections with invalidated labels:
 allow kernel_t unlabeled_t:packet send;
+# Forwarded network traffic
+allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+
 corenet_all_recvfrom_unlabeled(kernel_t)
 corenet_all_recvfrom_netlabel(kernel_t)
 # Kernel-generated traffic e.g., ICMP replies:
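Review bot: The description of `kernel_recvfrom_unlabeled_peer` tells callers to use `corenet_recvfrom_unlabeled_peer()` instead, but no interface of that name exists in this patch; the corenetwork callers it adds are `corenet_tcp_recvfrom_unlabeled()`, `corenet_udp_recvfrom_unlabeled()`, `corenet_raw_recvfrom_unlabeled()` and `corenet_all_recvfrom_unlabeled()`. The sibling `kernel_dontaudit_recvfrom_unlabeled_peer` in the same hunk already uses the wildcard form `corenet_dontaudit_*_recvfrom_unlabeled()`, so the first description should match it: `## The corenetwork interface corenet_*_recvfrom_unlabeled() should` followed by `## be used instead of this one.`. The summary/desc/param markup of both descriptions appears stripped in this rendering, so I am judging the text only.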
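Review bot: `allow unlabeled_t unlabeled_t:packet { forward_in forward_out };` carries only the comment `# Forwarded network traffic`, which does not explain why the source type is `unlabeled_t` when the `packet send` rule two lines above uses `kernel_t`. If I recall the 2.6.25 forwarding hook correctly, the source of the forward_in/forward_out check is the packet's peer label and the target is its secmark label, so this rule permits forwarding of traffic that carries neither, and a reader could easily mistake the source type for a typo. I would extend the comment, e.g. `# Forwarded network traffic: the 2.6.25 forward_in/forward_out check is peer label -> secmark label, so this covers packets with neither a peer label nor a secmark`. Whether forwarding of NetLabel-labeled (netlabel_peer_t) traffic also needs a rule is not addressed here and is worth confirming.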