int apol_context_compare(const apol_policy_t * p, const apol_context_t * target, const apol_context_t * search,
unsigned int range_compare_type)
{
uint32_t value0, value1;
if (p == NULL || target == NULL || search == NULL) {
ERR(p, "%s", strerror(EINVAL));
errno = EINVAL;
return -1;
}
if (target->user != NULL && search->user != NULL) {
const qpol_user_t *user0, *user1;
if (qpol_policy_get_user_by_name(p->p,
target->user, &user0) < 0 ||
qpol_policy_get_user_by_name(p->p,
search->user, &user1) < 0 ||
qpol_user_get_value(p->p, user0, &value0) < 0 || qpol_user_get_value(p->p, user1, &value1) < 0) {
return -1;
}
if (value0 != value1) {
return 0;
}
}
if (target->role != NULL && search->role != NULL) {
const qpol_role_t *role0, *role1;
if (qpol_policy_get_role_by_name(p->p,
target->role, &role0) < 0 ||
qpol_policy_get_role_by_name(p->p,
search->role, &role1) < 0 ||
qpol_role_get_value(p->p, role0, &value0) < 0 || qpol_role_get_value(p->p, role1, &value1) < 0) {
return -1;
}
if (value0 != value1) {
return 0;
}
}
if (target->type != NULL && search->type != NULL) {
const qpol_type_t *type0, *type1;
if (qpol_policy_get_type_by_name(p->p,
target->type, &type0) < 0 ||
qpol_policy_get_type_by_name(p->p,
search->type, &type1) < 0 ||
qpol_type_get_value(p->p, type0, &value0) < 0 || qpol_type_get_value(p->p, type1, &value1) < 0) {
return -1;
}
if (value0 != value1) {
return 0;
}
}
if (target->range != NULL && search->range != NULL) {
return apol_mls_range_compare(p, target->range, search->range, range_compare_type);
}
return 1;
}
/**
* Gets statistics regarding a policy's users.
* If this function is given a name, it will attempt to
* get statistics about a particular user; otherwise
* the function gets statistics about all of the policy's
* users.
*
* @param name Reference to a user's name; if NULL,
* all users will be considered
* @param policydb Reference to a policy
*
* @return 0 on success, < 0 on error.
*/
static PyObject* get_users(const char *name, const apol_policy_t * policydb)
{
qpol_iterator_t *iter = NULL;
const qpol_user_t *user_datum = NULL;
qpol_policy_t *q = apol_policy_get_qpol(policydb);
int error = 0;
int rt;
PyObject *obj;
PyObject *list = PyList_New(0);
if (!list) goto err;
if (name != NULL) {
if (qpol_policy_get_user_by_name(q, name, &user_datum)) {
errno = EINVAL;
goto err;
}
obj = get_user(user_datum, policydb);
rt = py_append_obj(list, obj);
Py_DECREF(obj);
if (rt) goto err;
} else {
if (qpol_policy_get_user_iter(q, &iter))
goto err;
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&user_datum))
goto err;
obj = get_user(user_datum, policydb);
rt = py_append_obj(list, obj);
Py_DECREF(obj);
if (rt) goto err;
}
qpol_iterator_destroy(&iter);
}
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
py_decref(list); list = NULL;
cleanup:
qpol_iterator_destroy(&iter);
errno = error;
return list;
}
int apol_context_validate_partial(const apol_policy_t * p, const apol_context_t * context)
{
apol_user_query_t *user_query = NULL;
apol_role_query_t *role_query = NULL;
apol_vector_t *user_v = NULL, *role_v = NULL;
const qpol_user_t *user;
const qpol_type_t *type;
const qpol_mls_range_t *user_range;
apol_mls_range_t *user_apol_range = NULL;
int retval = -1, retval2;
if (context == NULL) {
return 1;
}
if (context->user != NULL) {
if ((user_query = apol_user_query_create()) == NULL) {
ERR(p, "%s", strerror(ENOMEM));
}
if (apol_user_query_set_user(p, user_query, context->user) < 0 ||
(context->role != NULL && apol_user_query_set_role(p, user_query, context->role) < 0) ||
apol_user_get_by_query(p, user_query, &user_v) < 0) {
goto cleanup;
}
if (apol_vector_get_size(user_v) == 0) {
retval = 0;
goto cleanup;
}
}
if (context->role != NULL) {
if ((role_query = apol_role_query_create()) == NULL) {
ERR(p, "%s", strerror(ENOMEM));
}
if (apol_role_query_set_role(p, role_query, context->role) < 0 ||
(context->type != NULL && apol_role_query_set_type(p, role_query, context->type) < 0) ||
apol_role_get_by_query(p, role_query, &role_v) < 0) {
goto cleanup;
}
if (apol_vector_get_size(role_v) == 0) {
retval = 0;
goto cleanup;
}
}
if (context->type != NULL) {
if (qpol_policy_get_type_by_name(p->p, context->type, &type) < 0) {
retval = 0;
goto cleanup;
}
}
if (apol_policy_is_mls(p) && context->range != NULL) {
retval2 = apol_mls_range_validate(p, context->range);
if (retval2 != 1) {
retval = retval2;
goto cleanup;
}
/* next check that the user has access to this context */
if (context->user != NULL) {
if (qpol_policy_get_user_by_name(p->p, context->user, &user) < 0 ||
qpol_user_get_range(p->p, user, &user_range) < 0) {
goto cleanup;
}
user_apol_range = apol_mls_range_create_from_qpol_mls_range(p, user_range);
if (user_apol_range == NULL) {
ERR(p, "%s", strerror(ENOMEM));
goto cleanup;
}
retval2 = apol_mls_range_compare(p, user_apol_range, context->range, APOL_QUERY_SUB);
if (retval2 != 1) {
retval = retval2;
goto cleanup;
}
}
}
retval = 1;
cleanup:
apol_user_query_destroy(&user_query);
apol_role_query_destroy(&role_query);
apol_vector_destroy(&user_v);
apol_vector_destroy(&role_v);
apol_mls_range_destroy(&user_apol_range);
return retval;
}
