Corenetwork policy size optimization from Dan Walsh.

2011-08-26 09:03:25 -04:00 · 2011-08-26 09:03:25 -04:00 · ec70a331ff
commit ec70a331ff
parent 697d0bbf4d
4 changed files with 25 additions and 13 deletions
--- a/1
+++ b/1
@ -1,3 +1,4 @@
+- Corenetwork policy size optimization from Dan Walsh.
 - Silence spurious udp_socket listen denials.
 - Fix unexpanded MLS/MCS fields in monolithic seusers file.
 - Type transition fix in Postgresql database objects from KaiGai Kohei.
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@ -1255,11 +1255,11 @@ interface(`corenet_udp_sendrecv_generic_port',`
 interface(`corenet_tcp_bind_generic_port',`
 	gen_require(`
 		type port_t;
-		attribute port_type;
+		attribute defined_port_type;
 	')

 	allow $1 port_t:tcp_socket name_bind;
-	dontaudit $1 { port_type -port_t }:tcp_socket name_bind;
+	dontaudit $1 defined_port_type:tcp_socket name_bind;
 ')

 ########################################
@ -1293,11 +1293,11 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
 interface(`corenet_udp_bind_generic_port',`
 	gen_require(`
 		type port_t;
-		attribute port_type;
+		attribute defined_port_type;
 	')

 	allow $1 port_t:udp_socket name_bind;
-	dontaudit $1 { port_type -port_t }:udp_socket name_bind;
+	dontaudit $1 defined_port_type:udp_socket name_bind;
 ')

 ########################################
@ -1856,10 +1856,10 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
 #
 interface(`corenet_tcp_bind_all_unreserved_ports',`
 	gen_require(`
-		attribute port_type, reserved_port_type;
+		attribute unreserved_port_type;
 	')

-	allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
+	allow $1 unreserved_port_type:tcp_socket name_bind;
 ')

 ########################################
@ -1874,10 +1874,10 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
 #
 interface(`corenet_udp_bind_all_unreserved_ports',`
 	gen_require(`
-		attribute port_type, reserved_port_type;
+		attribute unreserved_port_type;
 	')

-	allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
+	allow $1 unreserved_port_type:udp_socket name_bind;
 ')

 ########################################
@ -1910,10 +1910,10 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
 #
 interface(`corenet_tcp_connect_all_unreserved_ports',`
 	gen_require(`
-		attribute port_type, reserved_port_type;
+		attribute unreserved_port_type;
 	')

-	allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
+	allow $1 unreserved_port_type:tcp_socket name_connect;
 ')

 ########################################
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.16.0)
+policy_module(corenetwork, 1.16.1)

 ########################################
 #
@ -6,6 +6,8 @@ policy_module(corenetwork, 1.16.0)
 #

 attribute client_packet_type;
+# This is an optimization for { port_type -port_t }
+attribute defined_port_type;
 attribute ipsec_spd_type;
 attribute netif_type;
 attribute node_type;
@ -14,6 +16,8 @@ attribute port_type;
 attribute reserved_port_type;
 attribute rpc_port_type;
 attribute server_packet_type;
+# This is an optimization for { port_type -reserved_port_type }
+attribute unreserved_port_type;

 attribute corenet_unconfined_type;

@ -49,6 +53,11 @@ sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
 type port_t, port_type;
 sid port gen_context(system_u:object_r:port_t,s0)

+#
+# unreserved_port_t is the default type of INET port numbers above 1023
+#
+type unreserved_port_t, port_type, unreserved_port_type;
+
 #
 # reserved_port_t is the type of INET port numbers below 1024.
 #
@ -234,6 +243,8 @@ network_port(zope, tcp,8021,s0)
 # Defaults for reserved ports.	Earlier portcon entries take precedence;
 # these entries just cover any remaining reserved ports not otherwise declared.

+portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
--- a/policy/modules/kernel/corenetwork.te.m4
+++ b/policy/modules/kernel/corenetwork.te.m4
@ -81,7 +81,7 @@ declare_nodes($1_node_t,shift($*))
 define(`declare_ports',`dnl
 ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
 ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
-',`dnl')
+',`typeattribute $1 unreserved_port_type;')
 portcon $2 $3 gen_context(system_u:object_r:$1,$4)
 ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
 ')
@ -90,7 +90,7 @@ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
 # network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
 #
 define(`network_port',`
-type $1_port_t, port_type;
+type $1_port_t, port_type, defined_port_type;
 type $1_client_packet_t, packet_type, client_packet_type;
 type $1_server_packet_t, packet_type, server_packet_type;
 declare_ports($1_port_t,shift($*))dnl