int apol_context_compare(const apol_policy_t * p, const apol_context_t * target, const apol_context_t * search, unsigned int range_compare_type) { uint32_t value0, value1; if (p == NULL || target == NULL || search == NULL) { ERR(p, "%s", strerror(EINVAL)); errno = EINVAL; return -1; } if (target->user != NULL && search->user != NULL) { const qpol_user_t *user0, *user1; if (qpol_policy_get_user_by_name(p->p, target->user, &user0) < 0 || qpol_policy_get_user_by_name(p->p, search->user, &user1) < 0 || qpol_user_get_value(p->p, user0, &value0) < 0 || qpol_user_get_value(p->p, user1, &value1) < 0) { return -1; } if (value0 != value1) { return 0; } } if (target->role != NULL && search->role != NULL) { const qpol_role_t *role0, *role1; if (qpol_policy_get_role_by_name(p->p, target->role, &role0) < 0 || qpol_policy_get_role_by_name(p->p, search->role, &role1) < 0 || qpol_role_get_value(p->p, role0, &value0) < 0 || qpol_role_get_value(p->p, role1, &value1) < 0) { return -1; } if (value0 != value1) { return 0; } } if (target->type != NULL && search->type != NULL) { const qpol_type_t *type0, *type1; if (qpol_policy_get_type_by_name(p->p, target->type, &type0) < 0 || qpol_policy_get_type_by_name(p->p, search->type, &type1) < 0 || qpol_type_get_value(p->p, type0, &value0) < 0 || qpol_type_get_value(p->p, type1, &value1) < 0) { return -1; } if (value0 != value1) { return 0; } } if (target->range != NULL && search->range != NULL) { return apol_mls_range_compare(p, target->range, search->range, range_compare_type); } return 1; }
/** * Gets statistics regarding a policy's users. * If this function is given a name, it will attempt to * get statistics about a particular user; otherwise * the function gets statistics about all of the policy's * users. * * @param name Reference to a user's name; if NULL, * all users will be considered * @param policydb Reference to a policy * * @return 0 on success, < 0 on error. */ static PyObject* get_users(const char *name, const apol_policy_t * policydb) { qpol_iterator_t *iter = NULL; const qpol_user_t *user_datum = NULL; qpol_policy_t *q = apol_policy_get_qpol(policydb); int error = 0; int rt; PyObject *obj; PyObject *list = PyList_New(0); if (!list) goto err; if (name != NULL) { if (qpol_policy_get_user_by_name(q, name, &user_datum)) { errno = EINVAL; goto err; } obj = get_user(user_datum, policydb); rt = py_append_obj(list, obj); Py_DECREF(obj); if (rt) goto err; } else { if (qpol_policy_get_user_iter(q, &iter)) goto err; for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { if (qpol_iterator_get_item(iter, (void **)&user_datum)) goto err; obj = get_user(user_datum, policydb); rt = py_append_obj(list, obj); Py_DECREF(obj); if (rt) goto err; } qpol_iterator_destroy(&iter); } goto cleanup; err: error = errno; PyErr_SetString(PyExc_RuntimeError,strerror(errno)); py_decref(list); list = NULL; cleanup: qpol_iterator_destroy(&iter); errno = error; return list; }
int apol_context_validate_partial(const apol_policy_t * p, const apol_context_t * context) { apol_user_query_t *user_query = NULL; apol_role_query_t *role_query = NULL; apol_vector_t *user_v = NULL, *role_v = NULL; const qpol_user_t *user; const qpol_type_t *type; const qpol_mls_range_t *user_range; apol_mls_range_t *user_apol_range = NULL; int retval = -1, retval2; if (context == NULL) { return 1; } if (context->user != NULL) { if ((user_query = apol_user_query_create()) == NULL) { ERR(p, "%s", strerror(ENOMEM)); } if (apol_user_query_set_user(p, user_query, context->user) < 0 || (context->role != NULL && apol_user_query_set_role(p, user_query, context->role) < 0) || apol_user_get_by_query(p, user_query, &user_v) < 0) { goto cleanup; } if (apol_vector_get_size(user_v) == 0) { retval = 0; goto cleanup; } } if (context->role != NULL) { if ((role_query = apol_role_query_create()) == NULL) { ERR(p, "%s", strerror(ENOMEM)); } if (apol_role_query_set_role(p, role_query, context->role) < 0 || (context->type != NULL && apol_role_query_set_type(p, role_query, context->type) < 0) || apol_role_get_by_query(p, role_query, &role_v) < 0) { goto cleanup; } if (apol_vector_get_size(role_v) == 0) { retval = 0; goto cleanup; } } if (context->type != NULL) { if (qpol_policy_get_type_by_name(p->p, context->type, &type) < 0) { retval = 0; goto cleanup; } } if (apol_policy_is_mls(p) && context->range != NULL) { retval2 = apol_mls_range_validate(p, context->range); if (retval2 != 1) { retval = retval2; goto cleanup; } /* next check that the user has access to this context */ if (context->user != NULL) { if (qpol_policy_get_user_by_name(p->p, context->user, &user) < 0 || qpol_user_get_range(p->p, user, &user_range) < 0) { goto cleanup; } user_apol_range = apol_mls_range_create_from_qpol_mls_range(p, user_range); if (user_apol_range == NULL) { ERR(p, "%s", strerror(ENOMEM)); goto cleanup; } retval2 = apol_mls_range_compare(p, user_apol_range, context->range, APOL_QUERY_SUB); if (retval2 != 1) { retval = retval2; goto cleanup; } } } retval = 1; cleanup: apol_user_query_destroy(&user_query); apol_role_query_destroy(&role_query); apol_vector_destroy(&user_v); apol_vector_destroy(&role_v); apol_mls_range_destroy(&user_apol_range); return retval; }