RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #237 from topimiettinen/gennetfilter-add-icmp-rules 

gennetfilter: add rules for ICMP/ICMPv6 packets
This commit is contained in:
Chris PeBenito 2020-04-22 10:23:08 -04:00 committed by GitHub
parent 01990a484e 4e1979a66b
commit 466b59f447
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
support/gennetfilter.py
View File

@ -18,6 +18,7 @@ DEFAULT_MLS = "s0"
PACKET_INPUT = "_server_packet_t" PACKET_INPUT = "_server_packet_t"
PACKET_OUTPUT = "_client_packet_t" PACKET_OUTPUT = "_client_packet_t"
ICMP_PACKET = "icmp_packet_t"
class Port: class Port:
def __init__(self, proto, num, mls_sens): def __init__(self, proto, num, mls_sens):
@ -55,6 +56,13 @@ def print_nft_secmarks(packets,mls,mcs):
line += ":"+DEFAULT_MLS line += ":"+DEFAULT_MLS
line += '"\n\t}' line += '"\n\t}'
print(line) print(line)
line = '\tsecmark icmp_packet {\n\t\t"system_u:object_r:'+ICMP_PACKET
if mcs:
line += ":"+DEFAULT_MCS
elif mls:
line += ":"+DEFAULT_MLS
line += '"\n\t}'
print(line)
for i in packets: for i in packets:
line = "\tsecmark "+i.prefix+'_input {\n\t\t"system_u:object_r:'+i.prefix+PACKET_INPUT line = "\tsecmark "+i.prefix+'_input {\n\t\t"system_u:object_r:'+i.prefix+PACKET_INPUT
if mcs: if mcs:
@ -73,6 +81,8 @@ def print_nft_rules(packets,mls,mcs,direction):
for i in packets: for i in packets:
for j in i.ports: for j in i.ports:
print("\t\tct state new "+j.proto+" dport "+j.num+' meta secmark set "'+i.prefix+'_'+direction+'"') print("\t\tct state new "+j.proto+" dport "+j.num+' meta secmark set "'+i.prefix+'_'+direction+'"')
print('\t\tip protocol icmp meta secmark set "icmp_packet"')
print('\t\tip6 nexthdr icmpv6 meta secmark set "icmp_packet"')
def print_input_rules(packets,mls,mcs): def print_input_rules(packets,mls,mcs):
line = "base -A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET line = "base -A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
@ -83,6 +93,20 @@ def print_input_rules(packets,mls,mcs):
print(line) print(line)
line = "base -A selinux_new_input -p icmp -j SECMARK --selctx system_u:object_r:"+ICMP_PACKET
if mls:
line += ":"+DEFAULT_MLS
elif mcs:
line += ":"+DEFAULT_MCS
print(line)
line = "base -A selinux_new_input -p icmpv6 -j SECMARK --selctx system_u:object_r:"+ICMP_PACKET
if mls:
line += ":"+DEFAULT_MLS
elif mcs:
line += ":"+DEFAULT_MCS
print(line)
for i in packets: for i in packets:
for j in i.ports: for j in i.ports:
line="base -A selinux_new_input -p "+j.proto+" --dport "+re.sub('-', ':', j.num)+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT line="base -A selinux_new_input -p "+j.proto+" --dport "+re.sub('-', ':', j.num)+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT
@ -103,6 +127,20 @@ def print_output_rules(packets,mls,mcs):
line += ":"+DEFAULT_MCS line += ":"+DEFAULT_MCS
print(line) print(line)
line = "base -A selinux_new_output -p icmp -j SECMARK --selctx system_u:object_r:"+ICMP_PACKET
if mls:
line += ":"+DEFAULT_MLS
elif mcs:
line += ":"+DEFAULT_MCS
print(line)
line = "base -A selinux_new_output -p icmpv6 -j SECMARK --selctx system_u:object_r:"+ICMP_PACKET
if mls:
line += ":"+DEFAULT_MLS
elif mcs:
line += ":"+DEFAULT_MCS
print(line)
for i in packets: for i in packets:
for j in i.ports: for j in i.ports:
line = "base -A selinux_new_output -p "+j.proto+" --dport "+re.sub('-', ':', j.num)+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT line = "base -A selinux_new_output -p "+j.proto+" --dport "+re.sub('-', ':', j.num)+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT