nnd
/
selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

gennetfilter: add rules for ICMP/ICMPv6 packets 

Generate rules for SECMARKing ICMP and ICMPv6 packets as
icmp_packet_t.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
This commit is contained in:
Topi Miettinen 2020-04-22 17:03:28 +03:00
parent 24e1e2c8a3
commit 4e1979a66b
No known key found for this signature in database
GPG Key ID: 87E1A51C590B0577
1 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
support/gennetfilter.py
View File

@ -18,6 +18,7 @@ DEFAULT_MLS = "s0"
PACKET_INPUT = "_server_packet_t"
PACKET_OUTPUT = "_client_packet_t"
ICMP_PACKET = "icmp_packet_t"
class Port:
def __init__(self, proto, num, mls_sens):
@ -55,6 +56,13 @@ def print_nft_secmarks(packets,mls,mcs):
line += ":"+DEFAULT_MLS
line += '"\n\t}'
print(line)
line = '\tsecmark icmp_packet {\n\t\t"system_u:object_r:'+ICMP_PACKET
if mcs:
line += ":"+DEFAULT_MCS
elif mls:
line += ":"+DEFAULT_MLS
line += '"\n\t}'
print(line)
for i in packets:
line = "\tsecmark "+i.prefix+'_input {\n\t\t"system_u:object_r:'+i.prefix+PACKET_INPUT
if mcs:
@ -73,6 +81,8 @@ def print_nft_rules(packets,mls,mcs,direction):
for i in packets:
for j in i.ports:
print("\t\tct state new "+j.proto+" dport "+j.num+' meta secmark set "'+i.prefix+'_'+direction+'"')
print('\t\tip protocol icmp meta secmark set "icmp_packet"')
print('\t\tip6 nexthdr icmpv6 meta secmark set "icmp_packet"')
def print_input_rules(packets,mls,mcs):
line = "base -A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
@ -83,6 +93,20 @@ def print_input_rules(packets,mls,mcs):
print(line)
line = "base -A selinux_new_input -p icmp -j SECMARK --selctx system_u:object_r:"+ICMP_PACKET
if mls:
line += ":"+DEFAULT_MLS
elif mcs:
line += ":"+DEFAULT_MCS
print(line)
line = "base -A selinux_new_input -p icmpv6 -j SECMARK --selctx system_u:object_r:"+ICMP_PACKET
if mls:
line += ":"+DEFAULT_MLS
elif mcs:
line += ":"+DEFAULT_MCS
print(line)
for i in packets:
for j in i.ports:
line="base -A selinux_new_input -p "+j.proto+" --dport "+re.sub('-', ':', j.num)+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT
@ -103,6 +127,20 @@ def print_output_rules(packets,mls,mcs):
line += ":"+DEFAULT_MCS
print(line)
line = "base -A selinux_new_output -p icmp -j SECMARK --selctx system_u:object_r:"+ICMP_PACKET
if mls:
line += ":"+DEFAULT_MLS
elif mcs:
line += ":"+DEFAULT_MCS
print(line)
line = "base -A selinux_new_output -p icmpv6 -j SECMARK --selctx system_u:object_r:"+ICMP_PACKET
if mls:
line += ":"+DEFAULT_MLS
elif mcs:
line += ":"+DEFAULT_MCS
print(line)
for i in packets:
for j in i.ports:
line = "base -A selinux_new_output -p "+j.proto+" --dport "+re.sub('-', ':', j.num)+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT