From 42451654bf67bf660087f80931ff722a2f90a643 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Thu, 11 Nov 2021 13:41:41 +0100
Subject: [PATCH 1/3] profiles: Update use flags for net-misc/iputils
The net-misc/iputils package never provided the traceroute binary, only traceroute6, which is probably why the use flag got renamed to traceroute6 too.
---
 .../third_party/coreos-overlay/profiles/coreos/base/package.use | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index a7abcfcb6e..3336776b96 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -12,7 +12,7 @@ dev-util/perf tui -doc
 dev-vcs/git webdav curl bash-completion
 # We don't want any driver/hw rendering on the host
 net-misc/curl kerberos threads telnet
-net-misc/iputils arping tracepath traceroute
+net-misc/iputils arping tracepath traceroute6
 sys-devel/gettext -git
 app-emulation/qemu aio caps curl -doc ncurses png python threads uuid vhost-net virtfs vnc -xkb -slirp -jpeg qemu_softmmu_targets_x86_64 qemu_softmmu_targets_aarch64
From 6f3975b9b10b8a3f45624fc8e945b9638127efda Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Wed, 12 Jan 2022 18:06:59 +0100
Subject: [PATCH 2/3] sec-policy/selinux-base: Add patch for ping
The patch adds stuff that another patch in sec-policy/selinux-base-policy will use to allow user to call "ping -I ". Patch based on: https://github.com/fedora-selinux/selinux-policy/pull/403
---
 .../selinux-base/files/icmp-bind.patch | 40 +++++++++++++++++++
 .../selinux-base-2.20200818-r2.ebuild | 1 +
 2 files changed, 41 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch
new file mode 100644
index 0000000000..a2d653caf2
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch
@@ -0,0 +1,40 @@
+diff -u -r refpolicy/policy/modules/kernel/corenetwork.if.in refpolicy2/policy/modules/kernel/corenetwork.if.in
+--- refpolicy/policy/modules/kernel/corenetwork.if.in 2022-01-12 16:59:47.572670384 -0000
++++ refpolicy2/policy/modules/kernel/corenetwork.if.in 2022-01-12 17:01:54.974858982 -0000
+@@ -879,6 +879,24 @@
+ 
+ ########################################
+ ## 
++## Bind ICMP sockets to generic nodes.
++## 
++## 
++## 
++## Domain allowed access.
++## 
++## 
+# 
++interface(`corenet_icmp_bind_generic_node',`
++ gen_require(`
++ type node_t;
++ ')
++ 
++ allow $1 node_t:icmp_socket node_bind;
++')
++ 
++########################################
++## 
+ ## Bind TCP sockets to generic nodes.
+ ## 
+ ## 
+diff -u -r refpolicy/policy/modules/kernel/corenetwork.te.in refpolicy2/policy/modules/kernel/corenetwork.te.in
+--- refpolicy/policy/modules/kernel/corenetwork.te.in 2022-01-12 16:59:47.573670362 -0000
++++ refpolicy2/policy/modules/kernel/corenetwork.te.in 2022-01-12 17:03:12.754142616 -0000
+@@ -373,7 +373,7 @@
+ 
+ # Bind to any network address.
+ allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
+-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
++allow corenet_unconfined_type node_type:{ icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
+ 
+ # Infiniband
+ corenet_ib_access_all_pkeys(corenet_unconfined_type)
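Review bot: The new-file headers `++++ refpolicy2/policy/modules/kernel/corenetwork.if.in` and `++++ refpolicy2/policy/modules/kernel/corenetwork.te.in` name a `refpolicy2/` tree that the old-file headers and the `diff -u -r` lines do not share, so which file gets patched depends on GNU patch picking the name that exists in the build tree; the sibling ping.patch in this series uses `refpolicy/` on both sides and this file should too. The patch also has no header explaining why `icmp_socket` needs node_bind next to the `rawip_socket` node_bind that ping_t already receives through `corenet_raw_bind_generic_node()`: presumably because ping opens an ICMP datagram socket, which the kernel checks as class icmp_socket once the extended_socket_class capability is enabled (likely already the case here, since `sctp_socket` appears in the same allow rule) — confirm. A one-line header above the first `diff -u -r` line, such as `# ping -I binds an ICMP datagram socket (class icmp_socket, not rawip_socket): add node_bind for it; based on fedora-selinux/selinux-policy#403`, would capture that, and GNU patch skips leading text before the first diff header.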
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
index 63859fde4d..50935ad704 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
@@ -43,6 +43,7 @@ BDEPEND="sys-devel/m4
 PATCHES=(
 "${FILESDIR}"/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
 "${FILESDIR}"/0001-policy-ms-MCS-restricts-relabelfrom.patch
+ "${FILESDIR}"/icmp-bind.patch
 )
 S=${WORKDIR}/
From 2d5ef69eed6a8513eb14b8e95b6a8ce0f81303ec Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 11 Jan 2022 17:13:07 +0100
Subject: [PATCH 3/3] sec-policy/selinux-base-policy: Add a patch for ping
This is to allow users to run ping -I with some IP address or network interface. Patch based on: https://github.com/fedora-selinux/selinux-policy/pull/403
---
 .../selinux-base-policy/files/ping.patch | 19 +++++++++++++++++++
 .../selinux-base-policy-2.20200818-r2.ebuild | 2 ++
 2 files changed, 21 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/ping.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/ping.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/ping.patch
new file mode 100644
index 0000000000..e6a31f6630
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/ping.patch
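Review bot: The new PATCHES entry goes into the existing `selinux-base-2.20200818-r2.ebuild` without a revision bump, so a system or binary package that already has -r2 installed keeps the old policy, and a selinux-base-policy built against it fails to expand `corenet_icmp_bind_generic_node`, which only exists after icmp-bind.patch. The selinux-base-policy ebuild hunk in 3/3 has the same problem and is the consumer, so both ebuilds should be bumped together and selinux-base-policy should depend on the bumped selinux-base (`>=sec-policy/selinux-base-<bumped version>`, exact atom per the overlay's conventions; the dependency block is outside this hunk) — unless the overlay deliberately never revbumps in-tree policy, in which case the commit message should say so. The entry itself would also benefit from a comment, as the base-policy ebuild gives its patch, e.g. `# Adds corenet_icmp_bind_generic_node(); consumed by selinux-base-policy's ping.patch.`.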
@@ -0,0 +1,19 @@
+diff -u -r refpolicy/policy/modules/admin/netutils.te refpolicy/policy/modules/admin/netutils.te
+--- refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:28:26.850809330 -0000
++++ refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:29:50.323880882 -0000
+@@ -117,6 +117,7 @@
+ corenet_raw_sendrecv_generic_node(ping_t)
+ corenet_tcp_sendrecv_generic_node(ping_t)
+ corenet_raw_bind_generic_node(ping_t)
++corenet_icmp_bind_generic_node(ping_t)
+ 
+ dev_read_urand(ping_t)
+ 
+@@ -189,6 +190,7 @@
+ corenet_tcp_connect_all_ports(traceroute_t)
+ corenet_sendrecv_all_client_packets(traceroute_t)
+ corenet_sendrecv_traceroute_server_packets(traceroute_t)
++corenet_icmp_bind_generic_node(traceroute_t)
+ 
+ dev_read_rand(traceroute_t)
+ dev_read_urand(traceroute_t)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
index 0c920e702e..cd986fdb29 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
@@ -43,6 +43,8 @@ PATCHES=(
 # to fail if SELinux is enforced in early boot.
 # It can be removed once we drop torcx support.
 "${FILESDIR}/unlabeled.patch"
+ # This is to allow pings from some IP address.
+ "${FILESDIR}/ping.patch"
 )
 # Code entirely copied from selinux-eclass (cannot inherit due to dependency on
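Review bot: The second inner hunk (`@@ -189,6 +190,7 @@`) also grants `corenet_icmp_bind_generic_node(traceroute_t)`, but the commit message and the ebuild comment `# This is to allow pings from some IP address.` only mention ping, so the widening of traceroute_t is undocumented; given that 1/3 keeps iputils' traceroute6 USE flag, that binary is presumably the intended beneficiary — confirm, or drop the traceroute_t line if it is not needed. The ebuild comment should also name what the rule allows and what it depends on, e.g. `# Let ping_t/traceroute_t bind an ICMP socket to an address or interface (ping -I); needs corenet_icmp_bind_generic_node() from selinux-base's icmp-bind.patch.`. Both inner hunks only touch the rule lists in netutils.te; the surrounding declarations are outside the hunk.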