int sechk_lib_check_module_requirements(sechk_lib_t * lib)
{
int retv = 0;
size_t i, j;
bool test = true;
sechk_name_value_t *nv = NULL;
sechk_module_t *mod = NULL;
/* check requirements for all selected modules */
for (i = 0; i < apol_vector_get_size(lib->modules); i++) {
mod = apol_vector_get_element(lib->modules, i);
if (!mod->selected)
continue;
for (j = 0; j < apol_vector_get_size(mod->requirements); j++) {
nv = apol_vector_get_element(mod->requirements, j);
test = false;
test = sechk_lib_check_requirement(nv, lib);
if (!test) {
/* if we're in quiet mode then we quit on a failed requirement */
if (lib->outputformat & (SECHK_OUT_QUIET)) {
errno = ENOTSUP;
return -1;
} else {
/* otherwise we just disable this module and keep testing */
ERR(lib->policy, "Requirements not met for %s.", mod->name);
mod->selected = false;
retv = -1;
break;
}
}
}
}
return retv;
}
int sechk_lib_check_module_dependencies(sechk_lib_t * lib)
{
int idx = 0;
size_t i, j;
bool test = true, done = false, *processed = NULL;
sechk_name_value_t *nv = NULL;
sechk_module_t *mod = NULL, *dep = NULL;
if (!lib) {
fprintf(stderr, "Error: invalid module library\n");
errno = EINVAL;
return -1;
}
processed = (bool *) calloc(apol_vector_get_size(lib->modules), sizeof(bool));
if (!processed) {
perror(NULL);
return -1;
}
/* check dependencies and select dependencies to be run */
while (!done) {
for (i = 0; i < apol_vector_get_size(lib->modules); i++) {
if (processed[i])
continue;
mod = apol_vector_get_element(lib->modules, i);
if (!mod->selected) {
processed[i] = true;
continue;
}
for (j = 0; j < apol_vector_get_size(mod->dependencies); j++) {
nv = apol_vector_get_element(mod->dependencies, j);
test = false;
test = sechk_lib_check_dependency(nv, lib);
if (!test) {
ERR(lib->policy, "Dependency %s not found for %s.", nv->name, mod->name);
free(processed);
errno = ENOENT;
return -1;
}
idx = sechk_lib_get_module_idx(nv->value, lib);
dep = apol_vector_get_element(lib->modules, idx);
if (!dep->selected) {
processed[idx] = false;
dep->selected = true;
}
}
processed[i] = true;
}
for (i = 0; i < apol_vector_get_size(lib->modules); i++) {
if (!processed[i])
break;
}
if (i == apol_vector_get_size(lib->modules))
done = true;
}
free(processed);
return 0;
}
apol_policy_path_t *apol_policy_path_create_from_string(const char *path_string)
{
apol_policy_path_t *p = NULL;
apol_vector_t *tokens = NULL;
apol_policy_path_type_e path_type;
char *s;
size_t i;
if (path_string == NULL) {
errno = EINVAL;
return NULL;
}
if ((tokens = apol_str_split(path_string, ":")) == NULL) {
return NULL;
}
/* first token identifies the path type */
if (apol_vector_get_size(tokens) < 2) {
apol_vector_destroy(&tokens);
return NULL;
}
s = apol_vector_get_element(tokens, 0);
if (strcmp(s, "monolithic") == 0) {
path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
} else if (strcmp(s, "modular") == 0) {
path_type = APOL_POLICY_PATH_TYPE_MODULAR;
} else {
apol_vector_destroy(&tokens);
errno = EINVAL;
return NULL;
}
/* second token identifies gives base path */
s = apol_vector_get_element(tokens, 1);
if ((p = apol_policy_path_create(path_type, s, NULL)) == NULL) {
apol_vector_destroy(&tokens);
return NULL;
}
if (path_type == APOL_POLICY_PATH_TYPE_MODULAR) {
/* remainder are module paths */
for (i = 2; i < apol_vector_get_size(tokens); i++) {
s = apol_vector_get_element(tokens, i);
if ((s = strdup(s)) == NULL || apol_vector_append(p->modules, s) < 0) {
free(s);
apol_vector_destroy(&tokens);
apol_policy_path_destroy(&p);
return NULL;
}
}
apol_vector_sort_uniquify(p->modules, apol_str_strcmp, NULL);
}
return p;
}
int sechk_lib_run_modules(sechk_lib_t * lib)
{
int retv, num_selected = 0, rc = 0;
size_t i;
sechk_module_t *mod = NULL;
sechk_mod_fn_t run_fn = NULL;
if (!lib) {
fprintf(stderr, "Error: invalid library\n");
errno = EINVAL;
return -1;
}
for (i = 0; i < apol_vector_get_size(lib->modules); i++) {
mod = apol_vector_get_element(lib->modules, i);
if (mod->selected)
num_selected++;
}
for (i = 0; i < apol_vector_get_size(lib->modules); i++) {
mod = apol_vector_get_element(lib->modules, i);
/* if module is "off" do not run */
if (!mod->selected)
continue;
/* if module is below the minsev do not run unless its exactly one module */
if (lib->minsev && sechk_lib_compare_sev(mod->severity, lib->minsev) < 0 && num_selected != 1)
continue;
assert(mod->name);
run_fn = sechk_lib_get_module_function(mod->name, SECHK_MOD_FN_RUN, lib);
if (!run_fn) {
ERR(lib->policy, "Could not run module %s.", mod->name);
errno = ENOTSUP;
return -1;
}
retv = run_fn(mod, lib->policy, NULL);
if (retv < 0) {
/* module failure */
/* only put output failures if we are not in quiet mode */
if (lib->outputformat & ~(SECHK_OUT_QUIET))
ERR(lib->policy, "Module %s failed.", mod->name);
rc = -1;
} else if (retv > 0) {
/* a module looking for policy errors has found one
* if in quiet mode stop since running additional
* modules will not change the return code */
if (lib->outputformat & (SECHK_OUT_QUIET))
return -1;
}
}
return rc;
}
int sechk_lib_init_modules(sechk_lib_t * lib)
{
int retv, error = 0;
size_t i;
sechk_module_t *mod = NULL;
sechk_mod_fn_t init_fn = NULL;
if (lib == NULL || lib->modules == NULL) {
errno = EINVAL;
return -1;
}
for (i = 0; i < apol_vector_get_size(lib->modules); i++) {
mod = apol_vector_get_element(lib->modules, i);
if (!mod->selected)
continue;
init_fn = sechk_lib_get_module_function(mod->name, SECHK_MOD_FN_INIT, lib);
if (!init_fn) {
error = errno;
fprintf(stderr, "Error: could not initialize module %s\n", mod->name);
errno = error;
return -1;
}
retv = init_fn(mod, lib->policy, NULL);
if (retv)
return retv;
}
return 0;
}
char *apol_policy_path_to_string(const apol_policy_path_t * path)
{
char *path_type;
char *s = NULL;
size_t len = 0, i;
if (path == NULL) {
errno = EINVAL;
return NULL;
}
if (path->path_type == APOL_POLICY_PATH_TYPE_MODULAR) {
path_type = "modular";
} else {
path_type = "monolithic";
}
if (apol_str_appendf(&s, &len, "%s:%s", path_type, path->base) < 0) {
return NULL;
}
if (path->path_type == APOL_POLICY_PATH_TYPE_MODULAR) {
for (i = 0; i < apol_vector_get_size(path->modules); i++) {
char *m = apol_vector_get_element(path->modules, i);
if (apol_str_appendf(&s, &len, ":%s", m) < 0) {
return NULL;
}
}
}
return s;
}
void seaudit_log_destroy(seaudit_log_t ** log)
{
size_t i;
if (log == NULL || *log == NULL) {
return;
}
for (i = 0; i < apol_vector_get_size((*log)->models); i++) {
seaudit_model_t *m = apol_vector_get_element((*log)->models, i);
model_remove_log(m, *log);
}
apol_vector_destroy(&(*log)->messages);
apol_vector_destroy(&(*log)->malformed_msgs);
apol_vector_destroy(&(*log)->models);
apol_bst_destroy(&(*log)->types);
apol_bst_destroy(&(*log)->classes);
apol_bst_destroy(&(*log)->roles);
apol_bst_destroy(&(*log)->users);
apol_bst_destroy(&(*log)->perms);
apol_bst_destroy(&(*log)->hosts);
apol_bst_destroy(&(*log)->bools);
apol_bst_destroy(&(*log)->managers);
apol_bst_destroy(&(*log)->mls_lvl);
apol_bst_destroy(&(*log)->mls_clr);
free(*log);
*log = NULL;
}
static void build_nomls_vecs()
{
const void *item;
const apol_vector_t *v = NULL;
size_t i, str_len = 0;
char *str = NULL;
v = poldiff_get_user_vector(diff);
for (i = 0; i < apol_vector_get_size(v); ++i) {
item = apol_vector_get_element(v, i);
poldiff_user_t *u = (poldiff_user_t *) item;
const char *name = poldiff_user_get_name(u);
const apol_vector_t *added_roles = poldiff_user_get_added_roles(u);
const apol_vector_t *removed_roles = poldiff_user_get_removed_roles(u);
if (apol_vector_get_size(added_roles) == 0 && apol_vector_get_size(removed_roles) == 0) {
apol_vector_append(unchanged_users_v, strdup(name));
} else {
char *added_roles_str = vector_to_string(added_roles, "", " +");
char *removed_roles_str = vector_to_string(removed_roles, "-", " ");
apol_str_appendf(&str, &str_len, "%s %s%s", name, added_roles_str, removed_roles_str);
free(added_roles_str);
free(removed_roles_str);
apol_str_trim(str);
apol_vector_append(changed_users_v, str);
str = NULL;
str_len = 0;
}
}
}
sechk_result_t *sechk_lib_get_module_result(const char *module_name, const sechk_lib_t * lib)
{
size_t i;
sechk_module_t *mod = NULL;
sechk_mod_fn_t run = NULL;
if (!module_name || !lib) {
fprintf(stderr, "Error: failed to get module result\n");
errno = EINVAL;
return NULL;
}
for (i = 0; i < apol_vector_get_size(lib->modules); i++) {
mod = apol_vector_get_element(lib->modules, i);
if (!(mod->name))
continue;
if (strcmp(mod->name, module_name))
continue;
if (!(mod->result)) {
if (!(run = sechk_lib_get_module_function(module_name, SECHK_MOD_FN_RUN, lib)) ||
run(mod, lib->policy, NULL) < 0) {
return NULL; /* run or get function will set errno */
}
}
return mod->result;
}
fprintf(stderr, "Error: %s: no such module\n", module_name);
errno = ENOENT;
return NULL;
}
/**
* Gets a textual representation of a MLS category and
* all of that category's sensitivies.
*
* @param type_datum Reference to sepol type_datum
* @param policydb Reference to a policy
*/
static PyObject* get_cat_sens(const qpol_cat_t * cat_datum, const apol_policy_t * policydb)
{
const char *cat_name, *lvl_name;
apol_level_query_t *query = NULL;
apol_vector_t *v = NULL;
const qpol_level_t *lvl_datum = NULL;
qpol_policy_t *q = apol_policy_get_qpol(policydb);
size_t i, n_sens = 0;
int error = 0;
PyObject *list = NULL;
PyObject *dict = PyDict_New();
if (!dict) goto err;
if (!cat_datum || !policydb)
goto err;
/* get category name for apol query */
if (qpol_cat_get_name(q, cat_datum, &cat_name))
goto cleanup;
query = apol_level_query_create();
if (!query)
goto err;
if (apol_level_query_set_cat(policydb, query, cat_name))
goto err;
if (apol_level_get_by_query(policydb, query, &v))
goto err;
apol_vector_sort(v, &qpol_level_datum_compare, (void *)policydb);
dict = PyDict_New();
if (!dict) goto err;
if (py_insert_string(dict, "name", cat_name))
goto err;
n_sens = apol_vector_get_size(v);
list = PyList_New(0);
if (!list) goto err;
for (i = 0; i < n_sens; i++) {
lvl_datum = (qpol_level_t *) apol_vector_get_element(v, i);
if (!lvl_datum)
goto err;
if (qpol_level_get_name(q, lvl_datum, &lvl_name))
goto err;
if (py_append_string(list, lvl_name))
goto err;
}
if (py_insert_obj(dict, "level", list))
goto err;
Py_DECREF(list);
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
py_decref(list); list = NULL;
py_decref(dict); dict = NULL;
cleanup:
apol_level_query_destroy(&query);
apol_vector_destroy(&v);
errno = error;
return dict;
}
int sechk_lib_print_modules_report(sechk_lib_t * lib)
{
int retv, num_selected = 0, rc = 0;
size_t i;
sechk_module_t *mod = NULL;
sechk_mod_fn_t print_fn = NULL;
if (!lib) {
fprintf(stderr, "Error: invalid library\n");
errno = EINVAL;
return -1;
}
for (i = 0; i < apol_vector_get_size(lib->modules); i++) {
mod = apol_vector_get_element(lib->modules, i);
if (mod->selected)
num_selected++;
}
for (i = 0; i < apol_vector_get_size(lib->modules); i++) {
mod = apol_vector_get_element(lib->modules, i);
/* if module is "off" or its output format is quiet continue */
if (!mod->selected || mod->outputformat & SECHK_OUT_QUIET)
continue;
/* if module is below the minsev do not print unless exactly one module is selected */
if (lib->minsev && sechk_lib_compare_sev(mod->severity, lib->minsev) < 0 && num_selected != 1)
continue;
/* if module is the only selected one make sure output is generated */
if (mod->outputformat == SECHK_OUT_NONE && num_selected == 1)
mod->outputformat = SECHK_OUT_SHORT;
assert(mod->name);
printf("\nModule name: %s\tSeverity: %s\n%s\n", mod->name, mod->severity, mod->detailed_description);
print_fn = sechk_lib_get_module_function(mod->name, SECHK_MOD_FN_PRINT, lib);
if (!print_fn) {
ERR(lib->policy, "Could not get print function for module %s.", mod->name);
errno = ENOTSUP;
return -1;
}
retv = print_fn(mod, lib->policy, NULL);
if (retv) {
fprintf(stderr, "Error: unable to print results for module %s \n", mod->name);
rc = -1;
}
}
return rc;
}
static void report_window_browse(GtkEntry * entry, GtkWindow * parent, const char *title)
{
const char *current_path = gtk_entry_get_text(entry);
apol_vector_t *new_paths = util_open_file(parent, title, current_path, 0);
if (new_paths != NULL) {
gtk_entry_set_text(entry, apol_vector_get_element(new_paths, 0));
apol_vector_destroy(&new_paths);
}
}
/**
* Get a policy's MLS sensitivities.
* If this function is given a name, it will attempt to
* get statistics about a particular sensitivity; otherwise
* the function gets statistics about all of the policy's
* sensitivities.
*
* @param name Reference to a sensitivity's name; if NULL,
* all sensitivities will be considered
* @param policydb Reference to a policy
*
* @return 0 on success, < 0 on error.
*/
static PyObject* get_sens(const char *name, const apol_policy_t * policydb)
{
PyObject *dict = NULL;
int error = 0;
int rt = 0;
size_t i;
char *tmp = NULL;
const char *lvl_name = NULL;
apol_level_query_t *query = NULL;
apol_vector_t *v = NULL;
const qpol_level_t *level = NULL;
apol_mls_level_t *ap_mls_lvl = NULL;
qpol_policy_t *q = apol_policy_get_qpol(policydb);
query = apol_level_query_create();
if (!query)
goto cleanup;
if (apol_level_query_set_sens(policydb, query, name))
goto cleanup;
if (apol_level_get_by_query(policydb, query, &v))
goto cleanup;
dict = PyDict_New();
if (!dict) goto err;
for (i = 0; i < apol_vector_get_size(v); i++) {
level = apol_vector_get_element(v, i);
if (qpol_level_get_name(q, level, &lvl_name))
goto err;
ap_mls_lvl = (apol_mls_level_t *) apol_mls_level_create_from_qpol_level_datum(policydb, level);
tmp = apol_mls_level_render(policydb, ap_mls_lvl);
apol_mls_level_destroy(&ap_mls_lvl);
if (!tmp)
goto cleanup;
if (py_insert_string(dict, lvl_name, tmp))
goto err;
free(tmp); tmp = NULL;
if (rt) goto err;
}
if (name && !apol_vector_get_size(v)) {
goto cleanup;
}
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(error));
py_decref(dict); dict = NULL;
cleanup:
free(tmp);
apol_level_query_destroy(&query);
apol_vector_destroy(&v);
errno = error;
return dict;
}
/**
* Display a vector of rules (either qpol_avrule_t or
* qpol_syn_avrule_t) in the rules text buffer.
*/
static void policy_view_display_avrule_results(policy_view_t * pv, apol_vector_t * results, int is_syn_rules)
{
apol_policy_t *policy = toplevel_get_policy(pv->top);
qpol_policy_t *qp = apol_policy_get_qpol(policy);
GtkTextIter start, end;
char *string, buf[64];
size_t i;
gtk_text_buffer_get_start_iter(pv->rules_text, &start);
gtk_text_buffer_get_end_iter(pv->rules_text, &end);
gtk_text_buffer_delete(pv->rules_text, &start, &end);
snprintf(buf, 64, "%zd rule(s) match the search criteria.\n\n", apol_vector_get_size(results));
gtk_text_buffer_insert_with_tags_by_name(pv->rules_text, &end, buf, -1, "summary", NULL);
for (i = 0; i < apol_vector_get_size(results); i++) {
if (!is_syn_rules) {
qpol_avrule_t *rule = apol_vector_get_element(results, i);
string = apol_avrule_render(policy, rule);
} else {
qpol_syn_avrule_t *rule = apol_vector_get_element(results, i);
string = apol_syn_avrule_render(policy, rule);
unsigned long lineno;
if (qpol_policy_has_capability(qp, QPOL_CAP_LINE_NUMBERS)) {
qpol_syn_avrule_get_lineno(qp, rule, &lineno);
sprintf(buf, "%ld", lineno);
gtk_text_buffer_insert_with_tags_by_name(pv->rules_text, &end, "[", -1, "rule", NULL);
gtk_text_buffer_insert_with_tags_by_name(pv->rules_text, &end, buf, -1, "line-number", NULL);
gtk_text_buffer_insert_with_tags_by_name(pv->rules_text, &end, "] ", -1, "rule", NULL);
}
}
if (string == NULL) {
toplevel_ERR(pv->top, "Error displaying rule: %s", strerror(errno));
return;
}
gtk_text_buffer_insert_with_tags_by_name(pv->rules_text, &end, string, -1, "rule", NULL);
free(string);
gtk_text_buffer_insert(pv->rules_text, &end, "\n", -1);
}
}
/**
* Prints statistics regarding a policy's MLS categories.
* If this function is given a name, it will attempt to
* get statistics about a particular category; otherwise
* the function gets statistics about all of the policy's
* categories.
*
* @param name Reference to a MLS category's name; if NULL,
* all categories will be considered
* @param policydb Reference to a policy
*
* @return 0 on success, < 0 on error.
*/
static PyObject* get_cats(const char *name, const apol_policy_t * policydb)
{
PyObject *obj = NULL;
apol_cat_query_t *query = NULL;
apol_vector_t *v = NULL;
const qpol_cat_t *cat_datum = NULL;
size_t i, n_cats;
int error = 0;
int rt;
PyObject *list = PyList_New(0);
if (!list) goto err;
query = apol_cat_query_create();
if (!query)
goto err;
if (apol_cat_query_set_cat(policydb, query, name))
goto err;
if (apol_cat_get_by_query(policydb, query, &v))
goto err;
n_cats = apol_vector_get_size(v);
apol_vector_sort(v, &qpol_cat_datum_compare, (void *)policydb);
for (i = 0; i < n_cats; i++) {
cat_datum = apol_vector_get_element(v, i);
if (!cat_datum)
goto err;
obj = get_cat_sens(cat_datum, policydb);
if (!obj)
goto err;
rt = py_append_obj(list, obj);
Py_DECREF(obj);
if (rt) goto err;
}
if (name && !n_cats) {
goto err;
}
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
py_decref(list); list = NULL;
cleanup:
apol_cat_query_destroy(&query);
apol_vector_destroy(&v);
errno = error;
return list;
}
char *bool_message_to_misc_string(const seaudit_bool_message_t * boolm)
{
char *s = NULL;
size_t len = 0, i;
for (i = 0; i < apol_vector_get_size(boolm->changes); i++) {
seaudit_bool_message_change_t *bc = apol_vector_get_element(boolm->changes, i);
if (apol_str_appendf(&s, &len, "%s%s:%d", (i == 0 ? "" : ", "), bc->boolean, bc->value) < 0) {
return NULL;
}
}
if (s == NULL) {
return strdup("");
}
return s;
}
int apol_policy_path_to_file(const apol_policy_path_t * path, const char *filename)
{
FILE *f = NULL;
char *path_type;
size_t i;
int retval = -1, error = 0;
if (path == NULL || filename == NULL) {
errno = EINVAL;
goto cleanup;
}
if ((f = fopen(filename, "w")) == NULL) {
error = errno;
goto cleanup;
}
if (path->path_type == APOL_POLICY_PATH_TYPE_MODULAR) {
path_type = "modular";
} else {
path_type = "monolithic";
}
if (fprintf(f, "%s %d %s\n", POLICY_PATH_MAGIC, POLICY_PATH_MAX_VERSION, path_type) < 0) {
error = errno;
goto cleanup;
}
if (fprintf(f, "%s\n", path->base) < 0) {
error = errno;
goto cleanup;
}
if (path->path_type == APOL_POLICY_PATH_TYPE_MODULAR) {
for (i = 0; i < apol_vector_get_size(path->modules); i++) {
char *m = apol_vector_get_element(path->modules, i);
if (fprintf(f, "%s\n", m) < 0) {
error = errno;
goto cleanup;
}
}
}
retval = 0;
cleanup:
if (f != NULL) {
fclose(f);
}
if (retval != 0) {
error = errno;
}
return retval;
}
static void terule_basic_syn(void)
{
apol_terule_query_t *tq = apol_terule_query_create();
CU_ASSERT_PTR_NOT_NULL_FATAL(tq);
int retval;
retval = apol_terule_query_set_rules(sp, tq, QPOL_RULE_TYPE_TRANS | QPOL_RULE_TYPE_CHANGE | QPOL_RULE_TYPE_MEMBER);
CU_ASSERT_EQUAL_FATAL(retval, 0);
apol_vector_t *v = NULL;
retval = apol_syn_terule_get_by_query(sp, tq, &v);
CU_ASSERT_EQUAL_FATAL(retval, 0);
CU_ASSERT_PTR_NOT_NULL(v);
size_t num_trans = 0, num_changes = 0, num_members = 0;
qpol_policy_t *q = apol_policy_get_qpol(sp);
size_t i;
for (i = 0; i < apol_vector_get_size(v); i++) {
const qpol_syn_terule_t *syn = (const qpol_syn_terule_t *)apol_vector_get_element(v, i);
uint32_t rule_type;
retval = qpol_syn_terule_get_rule_type(q, syn, &rule_type);
CU_ASSERT_EQUAL_FATAL(retval, 0);
CU_ASSERT(rule_type == QPOL_RULE_TYPE_TRANS || rule_type == QPOL_RULE_TYPE_CHANGE ||
rule_type == QPOL_RULE_TYPE_MEMBER);
if (rule_type == QPOL_RULE_TYPE_TRANS) {
num_trans++;
} else if (rule_type == QPOL_RULE_TYPE_CHANGE) {
num_changes++;
} else if (rule_type == QPOL_RULE_TYPE_MEMBER) {
num_members++;
}
}
CU_ASSERT(num_trans == 6 && num_changes == 3 && num_members == 4);
apol_vector_destroy(&v);
retval = apol_terule_query_append_class(sp, tq, "cursor");
CU_ASSERT_EQUAL_FATAL(retval, 0);
retval = apol_syn_terule_get_by_query(sp, tq, &v);
CU_ASSERT_EQUAL_FATAL(retval, 0);
CU_ASSERT(v != NULL && apol_vector_get_size(v) == 0);
apol_vector_destroy(&v);
apol_terule_query_destroy(&tq);
}
int sechk_lib_set_outputformat(unsigned char out, sechk_lib_t * lib)
{
size_t i;
sechk_module_t *mod = NULL;
if (!lib || !out) {
errno = EINVAL;
return -1;
}
lib->outputformat = out;
for (i = 0; i < apol_vector_get_size(lib->modules); i++) {
mod = apol_vector_get_element(lib->modules, i);
mod->outputformat = out;
}
return 0;
}
void result_item_print_linenos(GtkTextBuffer * tb, GtkTextIter * iter,
const gchar * prefix, const apol_vector_t * linenos, const gchar * tag, GString * string)
{
size_t i;
unsigned long lineno;
gtk_text_buffer_insert(tb, iter, " [", -1);
if (prefix != NULL) {
gtk_text_buffer_insert(tb, iter, prefix, -1);
}
for (i = 0; i < apol_vector_get_size(linenos); i++) {
lineno = (unsigned long)apol_vector_get_element(linenos, i);
if (i > 0) {
gtk_text_buffer_insert(tb, iter, ", ", -1);
}
g_string_printf(string, "%lu", lineno);
gtk_text_buffer_insert_with_tags_by_name(tb, iter, string->str, -1, tag, NULL);
}
gtk_text_buffer_insert(tb, iter, "]", -1);
}
void result_item_print_diff(result_item_t * item, GtkTextBuffer * tb, poldiff_form_e form)
{
GtkTextIter iter;
const apol_vector_t *v;
size_t i;
void *elem;
char *s = NULL;
gtk_text_buffer_get_end_iter(tb, &iter);
v = result_item_get_vector(item);
for (i = 0; i < apol_vector_get_size(v); i++) {
elem = apol_vector_get_element(v, i);
if (result_item_get_form(item, elem) == form) {
s = result_item_get_string(item, elem);
result_item_print_string(tb, &iter, s, 1);
free(s);
gtk_text_buffer_insert(tb, &iter, "\n", -1);
}
}
}
sechk_module_t *sechk_lib_get_module(const char *module_name, const sechk_lib_t * lib)
{
size_t i;
sechk_module_t *mod = NULL;
if (!module_name || !lib) {
fprintf(stderr, "Error: failed to get module\n");
errno = EINVAL;
return NULL;
}
for (i = 0; i < apol_vector_get_size(lib->modules); i++) {
mod = apol_vector_get_element(lib->modules, i);
if (!(mod->name))
continue;
if (!strcmp(mod->name, module_name))
return mod;
}
fprintf(stderr, "Error: %s: no such module\n", module_name);
errno = ENOENT;
return NULL;
}
void seaudit_log_clear(seaudit_log_t * log)
{
if (log == NULL) {
errno = EINVAL;
return;
}
apol_vector_destroy(&log->messages);
apol_vector_destroy(&log->malformed_msgs);
apol_bst_destroy(&log->types);
apol_bst_destroy(&log->classes);
apol_bst_destroy(&log->roles);
apol_bst_destroy(&log->users);
apol_bst_destroy(&log->perms);
apol_bst_destroy(&log->hosts);
apol_bst_destroy(&log->bools);
apol_bst_destroy(&log->managers);
apol_bst_destroy(&log->mls_lvl);
apol_bst_destroy(&log->mls_clr);
if ((log->messages = apol_vector_create(message_free)) == NULL ||
(log->malformed_msgs = apol_vector_create(free)) == NULL ||
(log->types = apol_bst_create(apol_str_strcmp, free)) == NULL ||
(log->classes = apol_bst_create(apol_str_strcmp, free)) == NULL ||
(log->roles = apol_bst_create(apol_str_strcmp, free)) == NULL ||
(log->users = apol_bst_create(apol_str_strcmp, free)) == NULL ||
(log->perms = apol_bst_create(apol_str_strcmp, free)) == NULL ||
(log->mls_lvl = apol_bst_create(apol_str_strcmp, free)) == NULL ||
(log->mls_clr = apol_bst_create(apol_str_strcmp, free)) == NULL ||
(log->hosts = apol_bst_create(apol_str_strcmp, free)) == NULL
|| (log->bools = apol_bst_create(apol_str_strcmp, free)) == NULL
|| (log->managers = apol_bst_create(apol_str_strcmp, free)) == NULL) {
/* hopefully will never get here... */
return;
}
for (size_t i = 0; i < apol_vector_get_size(log->models); i++) {
seaudit_model_t *m = apol_vector_get_element(log->models, i);
model_notify_log_changed(m, log);
}
}
void result_item_print_modified_range(result_item_t * item, const poldiff_range_t * range, GtkTextBuffer * tb, GtkTextIter * iter)
{
poldiff_t *diff = result_item_get_diff(item);
char *orig_s = poldiff_range_to_string_brief(diff, range);
char *next_s = orig_s;
GString *string = g_string_new("");
/* first line should always be printed with normal font */
char *s = strsep(&next_s, "\n");
result_item_print_string(tb, iter, s, 1);
gtk_text_buffer_insert(tb, iter, "\n", -1);
/* if the next line is minimum category set differences then
* display it */
if (strncmp(next_s, " minimum categories:", strlen(" minimum categories:")) == 0) {
s = strsep(&next_s, "\n");
result_item_print_string_inline(tb, iter, s, 1);
gtk_text_buffer_insert(tb, iter, "\n", -1);
}
/* all subsequent lines are printed as normal (yes, this
* discards lines from poldiff_range_to_string_brief() */
free(orig_s);
apol_vector_t *levels = poldiff_range_get_levels(range);
size_t i;
for (i = 0; i < apol_vector_get_size(levels); i++) {
poldiff_level_t *l = apol_vector_get_element(levels, i);
s = poldiff_level_to_string_brief(diff, l);
g_string_printf(string, " %s", s);
if (poldiff_level_get_form(l) != POLDIFF_FORM_MODIFIED) {
result_item_print_string(tb, iter, string->str, 1);
} else {
result_item_print_string_inline(tb, iter, string->str, 1);
}
free(s);
}
g_string_free(string, TRUE);
}
sechk_mod_fn_t sechk_lib_get_module_function(const char *module_name, const char *function_name, const sechk_lib_t * lib)
{
sechk_module_t *mod = NULL;
sechk_fn_t *fn_struct = NULL;
size_t i;
if (!module_name || !function_name || !lib) {
fprintf(stderr, "Error: failed to get function from module\n");
errno = EINVAL;
return NULL;
}
/* find the correct module */
mod = sechk_lib_get_module(module_name, lib);
if (!mod) {
fprintf(stderr, "Error: %s: no such module\n", module_name);
errno = ENOENT;
return NULL;
}
/* find function in module */
for (i = 0; i < apol_vector_get_size(mod->functions); i++) {
fn_struct = apol_vector_get_element(mod->functions, i);
if (!strcmp(fn_struct->name, function_name))
break;
else
fn_struct = NULL;
}
if (!fn_struct) {
fprintf(stderr, "Error: %s: no such function in module %s\n", function_name, module_name);
errno = ENOENT;
return NULL;
}
return fn_struct->fn;
}
static PyObject* get_av_results(const apol_policy_t * policy, const apol_vector_t * v, PyObject *output)
{
PyObject *obj, *dict=NULL;
PyObject *permlist = NULL;
PyObject *boollist = NULL;
uint32_t rule_type = 0;
int rt;
int error = 0;
qpol_policy_t *q;
size_t i, num_rules = 0;
const qpol_avrule_t *rule = NULL;
char *tmp = NULL, *rule_str = NULL;
qpol_cond_expr_node_t *expr = NULL;
qpol_iterator_t *iter = NULL;
const qpol_cond_t *cond = NULL;
uint32_t enabled = 0;
const qpol_type_t *type;
const char *tmp_name;
const qpol_class_t *obj_class = NULL;
if (!policy || !v) {
errno = EINVAL;
goto err;
}
if (!(num_rules = apol_vector_get_size(v)))
return NULL;
q = apol_policy_get_qpol(policy);
for (i = 0; i < num_rules; i++) {
if (!(rule = apol_vector_get_element(v, i)))
goto err;
dict = PyDict_New();
if (!dict) goto err;
if (qpol_avrule_get_rule_type(q, rule, &rule_type))
goto err;
if (!(tmp_name = apol_rule_type_to_str(rule_type))) {
PyErr_SetString(PyExc_RuntimeError, "Could not get TE rule type's string");
errno = EINVAL;
goto err;
}
if (py_insert_string(dict, "type", tmp_name))
goto err;
if (qpol_avrule_get_source_type(q, rule, &type)) {
goto err;
}
if (qpol_type_get_name(q, type, &tmp_name)) {
goto err;
}
if (py_insert_string(dict, "source", tmp_name))
goto err;
if (qpol_avrule_get_target_type(q, rule, &type)) {
goto err;
}
if (qpol_type_get_name(q, type, &tmp_name)) {
goto err;
}
if (py_insert_string(dict, "target", tmp_name))
goto err;
if (qpol_avrule_get_object_class(q, rule, &obj_class)) {
goto err;
}
if (qpol_class_get_name(q, obj_class, &tmp_name)) {
goto err;
}
if (py_insert_string(dict, "class", tmp_name))
goto err;
if (qpol_avrule_get_perm_iter(q, rule, &iter)) {
goto err;
}
permlist = PyList_New(0);
if (! permlist) goto err;
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
const char *perm_name = NULL;
if (qpol_iterator_get_item(iter, (void **)&perm_name))
goto err;
if (py_append_string(permlist, perm_name))
goto err;
}
rt = PyDict_SetItemString(dict, "permlist", permlist);
py_decref(permlist); permlist=NULL;
if (rt) goto err;
if (qpol_avrule_get_cond(q, rule, &cond))
goto err;
if (qpol_avrule_get_is_enabled(q, rule, &enabled))
goto err;
obj = PyBool_FromLong(enabled);
rt = PyDict_SetItemString(dict, "enabled", obj);
py_decref(obj);
if (cond) {
obj = get_bool(q, cond, enabled);
if (!obj) goto err;
rt = PyDict_SetItemString(dict, "boolean", obj);
py_decref(obj);
}
rt = py_append_obj(output, dict);
py_decref(dict); dict=NULL;
if (rt) goto err;
free(rule_str); rule_str = NULL;
free(expr); expr = NULL;
}
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
py_decref(dict);
py_decref(permlist);
py_decref(boollist);
cleanup:
free(tmp);
free(rule_str);
free(expr);
errno = error;
return output;
}
static int perform_av_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v)
{
apol_avrule_query_t *avq = NULL;
unsigned int rules = 0;
int error = 0;
char *tmp = NULL, *tok = NULL, *s = NULL;
if (!policy || !opt || !v) {
PyErr_SetString(PyExc_RuntimeError,strerror(EINVAL));
errno = EINVAL;
return -1;
}
if (!opt->all && !opt->allow && !opt->nallow && !opt->auditallow && !opt->dontaudit) {
*v = NULL;
return 0; /* no search to do */
}
avq = apol_avrule_query_create();
if (!avq) {
PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
errno = ENOMEM;
return -1;
}
if (opt->allow || opt->all)
rules |= QPOL_RULE_ALLOW;
if (opt->nallow || opt->all) // Add this regardless of policy capabilities
rules |= QPOL_RULE_NEVERALLOW;
if (opt->auditallow || opt->all)
rules |= QPOL_RULE_AUDITALLOW;
if (opt->dontaudit || opt->all)
rules |= QPOL_RULE_DONTAUDIT;
if (rules != 0) // Setting rules = 0 means you want all the rules
apol_avrule_query_set_rules(policy, avq, rules);
apol_avrule_query_set_regex(policy, avq, opt->useregex);
if (opt->src_name)
apol_avrule_query_set_source(policy, avq, opt->src_name, opt->indirect);
if (opt->tgt_name)
apol_avrule_query_set_target(policy, avq, opt->tgt_name, opt->indirect);
if (opt->bool_name)
apol_avrule_query_set_bool(policy, avq, opt->bool_name);
if (opt->class_name) {
if (opt->class_vector == NULL) {
if (apol_avrule_query_append_class(policy, avq, opt->class_name)) {
goto err;
}
} else {
size_t i;
for (i = 0; i < apol_vector_get_size(opt->class_vector); ++i) {
char *class_name;
class_name = apol_vector_get_element(opt->class_vector, i);
if (!class_name)
continue;
if (apol_avrule_query_append_class(policy, avq, class_name)) {
goto err;
}
}
}
}
if (opt->permlist) {
tmp = strdup(opt->permlist);
for (tok = strtok(tmp, ","); tok; tok = strtok(NULL, ",")) {
if (apol_avrule_query_append_perm(policy, avq, tok)) {
goto err;
}
if ((s = strdup(tok)) == NULL || apol_vector_append(opt->perm_vector, s) < 0) {
goto err;
}
s = NULL;
}
free(tmp);
tmp = NULL;
}
if (!(opt->semantic) && qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_SYN_RULES)) {
if (apol_syn_avrule_get_by_query(policy, avq, v)) {
goto err;
}
} else {
if (apol_avrule_get_by_query(policy, avq, v)) {
goto err;
}
}
apol_avrule_query_destroy(&avq);
return 0;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(error));
apol_vector_destroy(v);
apol_avrule_query_destroy(&avq);
free(tmp);
free(s);
errno = error;
return -1;
}
static PyObject* get_ft_results(const apol_policy_t * policy, const apol_vector_t * v, PyObject *list)
{
PyObject *dict = NULL;
size_t i, num_filename_trans = 0;
const char *tmp_name;
int error = 0;
int rt;
const qpol_filename_trans_t *filename_trans = NULL;
const qpol_class_t *obj_class = NULL;
char *tmp = NULL, *filename_trans_str = NULL, *expr = NULL;
qpol_policy_t *q;
const qpol_type_t *type = NULL;
if (!policy || !v) {
errno = EINVAL;
goto err;
}
if (!(num_filename_trans = apol_vector_get_size(v)))
return NULL;
q = apol_policy_get_qpol(policy);
for (i = 0; i < num_filename_trans; i++) {
if (!(filename_trans = apol_vector_get_element(v, i)))
goto err;
dict = PyDict_New();
if (!dict) goto err;
if (py_insert_string(dict, "type", "type_transition"))
goto err;
/* source type */
if (qpol_filename_trans_get_source_type(q, filename_trans, &type)) {
goto err;
}
if (qpol_type_get_name(q, type, &tmp_name)) {
goto err;
}
if (py_insert_string(dict, "source", tmp_name))
goto err;
if (qpol_filename_trans_get_target_type(q, filename_trans, &type))
goto err;
if (qpol_type_get_name(q, type, &tmp_name))
goto err;
if (py_insert_string(dict, "target", tmp_name))
goto err;
if (qpol_filename_trans_get_object_class(q, filename_trans, &obj_class))
goto err;
if (qpol_class_get_name(q, obj_class, &tmp_name))
goto err;
if (py_insert_string(dict, "class", tmp_name))
goto err;
if (qpol_filename_trans_get_default_type(q, filename_trans, &type))
goto err;
if (qpol_type_get_name(q, type, &tmp_name))
goto err;
if (py_insert_string(dict, "transtype", tmp_name))
goto err;
if (! qpol_filename_trans_get_filename(q, filename_trans, &tmp_name)) {
if (py_insert_string(dict, "filename", tmp_name))
goto err;
}
rt = py_append_obj(list, dict);
dict = NULL;
if (rt) goto err;
free(filename_trans_str); filename_trans_str = NULL;
free(expr); expr = NULL;
}
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
py_decref(dict);
cleanup:
free(tmp);
free(filename_trans_str);
free(expr);
errno = error;
return list;
}
static int perform_ft_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v)
{
apol_filename_trans_query_t *ftq = NULL;
size_t i;
int error = 0;
if (!policy || !opt || !v) {
PyErr_SetString(PyExc_RuntimeError,strerror(EINVAL));
errno = EINVAL;
return -1;
}
if (!opt->type && !opt->all) {
*v = NULL;
return 0; /* no search to do */
}
ftq = apol_filename_trans_query_create();
if (!ftq) {
PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
errno = ENOMEM;
return -1;
}
apol_filename_trans_query_set_regex(policy, ftq, opt->useregex);
if (opt->src_name) {
if (apol_filename_trans_query_set_source(policy, ftq, opt->src_name, opt->indirect)) {
goto err;
}
}
if (opt->tgt_name) {
if (apol_filename_trans_query_set_target(policy, ftq, opt->tgt_name, opt->indirect)) {
goto err;
}
}
if (opt->class_name) {
if (opt->class_vector == NULL) {
if (apol_filename_trans_query_append_class(policy, ftq, opt->class_name)) {
goto err;
}
} else {
for (i = 0; i < apol_vector_get_size(opt->class_vector); ++i) {
char *class_name;
class_name = apol_vector_get_element(opt->class_vector, i);
if (!class_name)
continue;
if (apol_filename_trans_query_append_class(policy, ftq, class_name)) {
goto err;
}
}
}
}
if (apol_filename_trans_get_by_query(policy, ftq, v))
goto err;
apol_filename_trans_query_destroy(&ftq);
return 0;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
apol_vector_destroy(v);
apol_filename_trans_query_destroy(&ftq);
errno = error;
return -1;
}
static PyObject* get_te_results(const apol_policy_t * policy, const apol_vector_t * v, PyObject *output)
{
int error = 0;
int rt = 0;
PyObject *obj, *dict=NULL, *tuple = NULL;
qpol_policy_t *q;
uint32_t rule_type = 0;
const qpol_type_t *type;
size_t i, num_rules = 0;
const qpol_terule_t *rule = NULL;
char *tmp = NULL, *rule_str = NULL, *expr = NULL;
const qpol_cond_t *cond = NULL;
uint32_t enabled = 0;
const char *tmp_name;
const qpol_class_t *obj_class = NULL;
if (!policy || !v) {
errno = EINVAL;
goto err;
}
if (!(num_rules = apol_vector_get_size(v)))
return NULL;
q = apol_policy_get_qpol(policy);
for (i = 0; i < num_rules; i++) {
dict = PyDict_New();
if (!dict) goto err;
if (!(rule = apol_vector_get_element(v, i)))
goto err;
if (qpol_terule_get_cond(q, rule, &cond))
goto err;
if (qpol_terule_get_is_enabled(q, rule, &enabled))
goto err;
if (cond) {
obj = get_bool(q, cond, enabled);
if (!obj) goto err;
rt = PyDict_SetItemString(dict, "boolean", obj);
py_decref(obj);
}
if (qpol_terule_get_rule_type(q, rule, &rule_type))
goto err;
if (!(rule_type &= (QPOL_RULE_TYPE_TRANS | QPOL_RULE_TYPE_CHANGE | QPOL_RULE_TYPE_MEMBER))) {
PyErr_SetString(PyExc_RuntimeError,"Invalid TE rule type");
errno = EINVAL;
goto err;
}
if (!(tmp_name = apol_rule_type_to_str(rule_type))) {
PyErr_SetString(PyExc_RuntimeError, "Could not get TE rule type's string");
errno = EINVAL;
goto err;
}
if (py_insert_string(dict, "type", tmp_name))
goto err;
if (qpol_terule_get_source_type(q, rule, &type))
goto err;
if (qpol_type_get_name(q, type, &tmp_name))
goto err;
if (py_insert_string(dict, "source", tmp_name))
goto err;
if (qpol_terule_get_target_type(q, rule, &type))
goto err;
if (qpol_type_get_name(q, type, &tmp_name))
goto err;
if (py_insert_string(dict, "target", tmp_name))
goto err;
if (qpol_terule_get_object_class(q, rule, &obj_class))
goto err;
if (qpol_class_get_name(q, obj_class, &tmp_name))
goto err;
if (py_insert_string(dict, "class", tmp_name))
goto err;
if (qpol_terule_get_default_type(q, rule, &type))
goto err;
if (qpol_type_get_name(q, type, &tmp_name))
goto err;
if (py_insert_string(dict, "transtype", tmp_name))
goto err;
rt = py_append_obj(output, dict);
dict = NULL;
if(rt) goto err;
free(rule_str); rule_str = NULL;
free(expr); expr = NULL;
}
goto cleanup;
err:
error = errno;
py_decref(dict);
py_decref(tuple);
PyErr_SetString(PyExc_RuntimeError,strerror(error));
cleanup:
free(tmp);
free(rule_str);
free(expr);
errno = error;
return output;
}
