/**
* Get a textual representation of a type, and
* all of that type's attributes.
*
* @param type_datum Reference to sepol type_datum
* @param policydb Reference to a policy
*/
static PyObject* get_type_attrs(const qpol_type_t * type_datum, const apol_policy_t * policydb)
{
qpol_iterator_t *iter = NULL;
const char *attr_name = NULL;
const qpol_type_t *attr_datum = NULL;
qpol_policy_t *q = apol_policy_get_qpol(policydb);
int error = 0;
PyObject *list = PyList_New(0);
if (!list) goto err;
if (qpol_type_get_attr_iter(q, type_datum, &iter))
goto err;
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&attr_datum))
goto err;
if (qpol_type_get_name(q, attr_datum, &attr_name))
goto err;
if (py_append_string(list, attr_name))
goto err;
}
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
py_decref(list); list = NULL;
cleanup:
qpol_iterator_destroy(&iter);
errno = error;
return list;
}
int apol_userbounds_get_by_query(const apol_policy_t * p, apol_userbounds_query_t * q, apol_vector_t ** v)
{
qpol_iterator_t *iter;
int retval = -1;
*v = NULL;
if (qpol_policy_get_userbounds_iter(p->p, &iter) < 0) {
return -1;
}
if ((*v = apol_vector_create(NULL)) == NULL) {
ERR(p, "%s", strerror(errno));
goto cleanup;
}
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
const qpol_userbounds_t *userbounds;
if (qpol_iterator_get_item(iter, (void **)&userbounds) < 0) {
goto cleanup;
}
if (q != NULL) {
if (apol_vector_append(*v, (void *)userbounds)) {
ERR(p, "%s", strerror(ENOMEM));
goto cleanup;
}
}
}
retval = 0;
cleanup:
if (retval != 0) {
apol_vector_destroy(v);
}
qpol_iterator_destroy(&iter);
return retval;
}
int apol_portcon_get_by_query(const apol_policy_t * p, const apol_portcon_query_t * po, apol_vector_t ** v)
{
qpol_iterator_t *iter;
int retval = -1, retval2;
*v = NULL;
if (qpol_policy_get_portcon_iter(p->p, &iter) < 0) {
return -1;
}
if ((*v = apol_vector_create(NULL)) == NULL) {
ERR(p, "%s", strerror(errno));
goto cleanup;
}
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
qpol_portcon_t *portcon;
if (qpol_iterator_get_item(iter, (void **)&portcon) < 0) {
goto cleanup;
}
if (po != NULL) {
uint16_t low, high;
uint8_t proto;
const qpol_context_t *context;
if (qpol_portcon_get_low_port(p->p,
portcon, &low) < 0 ||
qpol_portcon_get_high_port(p->p,
portcon, &high) < 0 ||
qpol_portcon_get_protocol(p->p,
portcon, &proto) < 0 || qpol_portcon_get_context(p->p, portcon, &context) < 0)
{
goto cleanup;
}
if ((po->low >= 0 && ((uint16_t) po->low) != low) ||
(po->high >= 0 && ((uint16_t) po->high) != high) || (po->proto >= 0 && ((uint8_t) po->proto) != proto))
{
continue;
}
retval2 = apol_compare_context(p, context, po->context, po->flags);
if (retval2 < 0) {
goto cleanup;
} else if (retval2 == 0) {
continue;
}
}
if (apol_vector_append(*v, portcon)) {
ERR(p, "%s", strerror(ENOMEM));
goto cleanup;
}
}
retval = 0;
cleanup:
if (retval != 0) {
apol_vector_destroy(v);
}
qpol_iterator_destroy(&iter);
return retval;
}
/**
* Gets a textual representation of an attribute, and
* all of that attribute's types.
*
* @param type_datum Reference to sepol type_datum
* @param policydb Reference to a policy
*/
static PyObject* get_attr(const qpol_type_t * type_datum, const apol_policy_t * policydb)
{
PyObject *list = NULL;
const qpol_type_t *attr_datum = NULL;
qpol_iterator_t *iter = NULL;
const char *attr_name = NULL, *type_name = NULL;
qpol_policy_t *q = apol_policy_get_qpol(policydb);
unsigned char isattr;
int error = 0;
int rt = 0;
PyObject *dict = PyDict_New();
if (!dict) goto err;
if (qpol_type_get_name(q, type_datum, &attr_name))
goto err;
if (py_insert_string(dict, "name", attr_name))
goto err;
/* get an iterator over all types this attribute has */
if (qpol_type_get_isattr(q, type_datum, &isattr))
goto err;
if (isattr) { /* sanity check */
if (qpol_type_get_type_iter(q, type_datum, &iter))
goto err;
list = PyList_New(0);
if (!list) goto err;
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&attr_datum))
goto err;
if (qpol_type_get_name(q, attr_datum, &type_name))
goto err;
if (py_append_string(list, type_name))
goto err;
}
qpol_iterator_destroy(&iter);
rt = PyDict_SetItemString(dict, "types", list);
Py_DECREF(list); list = NULL;
if (rt) goto err;
} else /* this should never happen */
goto err;
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
py_decref(dict); dict = NULL;
py_decref(list);
cleanup:
qpol_iterator_destroy(&iter);
errno = error;
return dict;
}
int qpol_policy_get_typebounds_iter(const qpol_policy_t *policy, qpol_iterator_t **iter)
{
policydb_t *db;
int error = 0;
hash_state_t *hs = NULL;
if (policy == NULL || iter == NULL) {
if (iter != NULL)
*iter = NULL;
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
db = &policy->p->p;
hs = calloc(1, sizeof(hash_state_t));
if (hs == NULL) {
error = errno;
ERR(policy, "%s", strerror(ENOMEM));
errno = error;
return STATUS_ERR;
}
hs->table = &db->p_types.table;
hs->node = (*(hs->table))->htable[0];
if (qpol_iterator_create(policy, (void *)hs, hash_state_get_cur,
hash_state_next_typebounds, hash_state_end, hash_state_size, free, iter)) {
free(hs);
return STATUS_ERR;
}
if (hs->node == NULL)
hash_state_next_typebounds(*iter);
/* since we are iterating over all types, ensure our first item is actually bounded. */
if (!qpol_iterator_end(*iter)) {
void *datum = NULL;
type_datum_t *internal_datum = NULL;
qpol_iterator_get_item(*iter, &datum);
internal_datum = (type_datum_t *) datum;
if (internal_datum -> flavor != TYPE_TYPE || internal_datum->bounds == 0)
hash_state_next_typebounds(*iter);
}
return STATUS_SUCCESS;
}
/**
* Get statistics regarding a policy's roles.
* If this function is given a name, it will attempt to
* get statistics about a particular role; otherwise
* the function get statistics about all of the policy's roles.
*
* @param name Reference to an role's name; if NULL,
* all roles will be considered
* @param policydb Reference to a policy
*
* @return 0 on success, < 0 on error.
*/
static PyObject* get_roles(const char *name, const apol_policy_t * policydb)
{
const qpol_role_t *role_datum = NULL;
qpol_iterator_t *iter = NULL;
qpol_policy_t *q = apol_policy_get_qpol(policydb);
int error = 0;
int rt;
PyObject *obj;
PyObject *list = PyList_New(0);
if (!list) goto err;
if (name != NULL) {
if (qpol_policy_get_role_by_name(q, name, &role_datum)) {
errno = EINVAL;
goto err;
}
obj = get_role(role_datum, policydb);
rt = py_append_obj(list, obj);
Py_DECREF(obj);
if (rt) goto err;
} else {
if (qpol_policy_get_role_iter(q, &iter))
goto err;
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&role_datum))
goto err;
obj = get_role(role_datum, policydb);
rt = py_append_obj(list, obj);
Py_DECREF(obj);
if (rt) goto err;
}
qpol_iterator_destroy(&iter);
}
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
py_decref(list); list = NULL;
cleanup:
qpol_iterator_destroy(&iter);
errno = error;
return list;
}
static size_t hash_perm_state_size_common(const qpol_iterator_t * iter)
{
perm_hash_state_t *hs = NULL;
uint32_t tmp_bucket = 0;
size_t count = 0;
hashtab_node_t *tmp_node;
sepol_policydb_t sp;
qpol_policy_t qp;
qpol_iterator_t *internal_perms;
common_datum_t *internal_common;
char *tmp = NULL;
if (iter == NULL || qpol_iterator_state(iter) == NULL) {
errno = EINVAL;
return STATUS_ERR;
}
hs = (perm_hash_state_t *) qpol_iterator_state(iter);
if (hs == NULL) {
errno = EINVAL;
return STATUS_ERR;
}
/* shallow copy ok here as only internal values are used */
sp.p = *qpol_iterator_policy(iter);
if (&sp.p == NULL) {
errno = EINVAL;
return STATUS_ERR;
}
qp.p = &sp;
qp.fn = NULL;
for (tmp_bucket = 0; tmp_bucket < (*(hs->table))->size; tmp_bucket++) {
for (tmp_node = (*(hs->table))->htable[tmp_bucket]; tmp_node; tmp_node = tmp_node->next) {
internal_common = tmp_node ? ((common_datum_t *) tmp_node->datum) : NULL;
qpol_common_get_perm_iter(&qp, (qpol_common_t *) internal_common, &internal_perms);
for (; !qpol_iterator_end(internal_perms); qpol_iterator_next(internal_perms)) {
qpol_iterator_get_item(internal_perms, (void **)&tmp);
if (!strcmp(tmp, hs->perm_name)) {
count++;
break;
}
}
qpol_iterator_destroy(&internal_perms);
}
}
return count;
}
static int hash_state_next_class_w_perm(qpol_iterator_t * iter)
{
class_datum_t *internal_class = NULL;
qpol_iterator_t *internal_perms = NULL;
unsigned char has_perm = 0;
perm_hash_state_t *hs = NULL;
sepol_policydb_t sp;
qpol_policy_t qp;
char *tmp = NULL;
hs = (perm_hash_state_t *) qpol_iterator_state(iter);
if (hs == NULL) {
errno = EINVAL;
return STATUS_ERR;
}
if (hs->bucket >= (*(hs->table))->size) {
errno = ERANGE;
return STATUS_ERR;
}
/* shallow copy ok here as only internal values are used */
sp.p = *qpol_iterator_policy(iter);
qp.p = &sp;
qp.fn = NULL;
do {
hash_state_next(iter);
if (hash_state_end(iter))
break;
internal_class = hs->node ? (class_datum_t *) hs->node->datum : NULL;
qpol_class_get_perm_iter(&qp, (qpol_class_t *) internal_class, &internal_perms);
for (; !qpol_iterator_end(internal_perms); qpol_iterator_next(internal_perms)) {
qpol_iterator_get_item(internal_perms, (void **)&tmp);
if (!strcmp(tmp, hs->perm_name)) {
has_perm = 1;
break;
}
}
qpol_iterator_destroy(&internal_perms);
} while (!has_perm && !hash_state_end(iter));
return STATUS_SUCCESS;
}
/**
* Get the alias of a type.
*
* @param fp Reference to a file to which to get type information
* @param type_datum Reference to sepol type_datum
* @param policydb Reference to a policy
* attributes
*/
static PyObject* get_type_aliases(const qpol_type_t * type_datum, const apol_policy_t * policydb)
{
qpol_iterator_t *iter = NULL;
size_t alias_size;
unsigned char isattr, isalias;
const char *type_name = NULL;
const char *alias_name;
int error = 0;
qpol_policy_t *q = apol_policy_get_qpol(policydb);
PyObject *list = PyList_New(0);
if (!list) goto err;
if (qpol_type_get_name(q, type_datum, &type_name))
goto cleanup;
if (qpol_type_get_isattr(q, type_datum, &isattr))
goto cleanup;
if (qpol_type_get_isalias(q, type_datum, &isalias))
goto cleanup;
if (qpol_type_get_alias_iter(q, type_datum, &iter))
goto cleanup;
if (qpol_iterator_get_size(iter, &alias_size))
goto cleanup;
if (alias_size > 0) {
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&alias_name))
goto err;
if (py_append_string(list, alias_name))
goto err;
}
}
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
py_decref(list); list = NULL;
cleanup:
qpol_iterator_destroy(&iter);
errno = error;
return list;
}
int apol_permissive_get_by_query(const apol_policy_t * p, apol_permissive_query_t * q, apol_vector_t ** v)
{
qpol_iterator_t *iter;
int retval = -1;
*v = NULL;
if (qpol_policy_get_permissive_iter(p->p, &iter) < 0) {
return -1;
}
if ((*v = apol_vector_create(NULL)) == NULL) {
ERR(p, "%s", strerror(errno));
goto cleanup;
}
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
const qpol_permissive_t *permissive;
if (qpol_iterator_get_item(iter, (void **)&permissive) < 0) {
goto cleanup;
}
if (q != NULL) {
int compval = apol_compare_permissive(p,
permissive, q->permissive_name,
q->flags, &(q->regex));
if (compval < 0) {
goto cleanup;
} else if (compval == 0) {
continue;
}
}
if (apol_vector_append(*v, (void *)permissive)) {
ERR(p, "%s", strerror(ENOMEM));
goto cleanup;
}
}
retval = 0;
cleanup:
if (retval != 0) {
apol_vector_destroy(v);
}
qpol_iterator_destroy(&iter);
return retval;
}
static int hash_state_next_typebounds(qpol_iterator_t * iter)
{
void *datum = NULL;
type_datum_t *internal_datum = NULL;
do {
hash_state_next(iter);
if (qpol_iterator_end(iter))
break;
qpol_iterator_get_item(iter, &datum);
internal_datum = (type_datum_t *) datum;
/* keep going on attributes */
if (internal_datum -> flavor != TYPE_TYPE)
continue;
/* keep going if type has no bounding */
} while (internal_datum->bounds == 0);
return STATUS_SUCCESS;
}
/**
* Given a level, return a vector of its allowed categories (in the
* form of strings). These will be sorted in policy order.
*
* @param diff Policy diff error handler.
* @param p Policy from which the level came.
* @param level Level whose categories to get.
*
* @return Vector of category strings for the level. The caller is
* responsible for calling apol_vector_destroy(). On error, return
* NULL.
*/
static apol_vector_t *level_get_cats(const poldiff_t * diff, const apol_policy_t * p, const qpol_level_t * level)
{
qpol_iterator_t *iter = NULL;
const qpol_cat_t *cat;
const char *cat_name;
apol_vector_t *v = NULL;
qpol_policy_t *q = apol_policy_get_qpol(p);
int retval = -1, error = 0;
if ((v = apol_vector_create(NULL)) == NULL) {
ERR(diff, "%s", strerror(errno));
goto cleanup;
}
if (qpol_level_get_cat_iter(q, level, &iter) < 0) {
goto cleanup;
}
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&cat) < 0 || qpol_cat_get_name(q, cat, &cat_name)) {
error = errno;
goto cleanup;
}
if (apol_vector_append(v, (void *)cat_name) < 0) {
error = errno;
ERR(diff, "%s", strerror(error));
goto cleanup;
}
}
retval = 0;
cleanup:
qpol_iterator_destroy(&iter);
if (retval < 0) {
apol_vector_destroy(&v);
errno = error;
return NULL;
}
return v;
}
static PyObject* get_av_results(const apol_policy_t * policy, const apol_vector_t * v, PyObject *output)
{
PyObject *obj, *dict=NULL;
PyObject *permlist = NULL;
PyObject *boollist = NULL;
uint32_t rule_type = 0;
int rt;
int error = 0;
qpol_policy_t *q;
size_t i, num_rules = 0;
const qpol_avrule_t *rule = NULL;
char *tmp = NULL, *rule_str = NULL;
qpol_cond_expr_node_t *expr = NULL;
qpol_iterator_t *iter = NULL;
const qpol_cond_t *cond = NULL;
uint32_t enabled = 0;
const qpol_type_t *type;
const char *tmp_name;
const qpol_class_t *obj_class = NULL;
if (!policy || !v) {
errno = EINVAL;
goto err;
}
if (!(num_rules = apol_vector_get_size(v)))
return NULL;
q = apol_policy_get_qpol(policy);
for (i = 0; i < num_rules; i++) {
if (!(rule = apol_vector_get_element(v, i)))
goto err;
dict = PyDict_New();
if (!dict) goto err;
if (qpol_avrule_get_rule_type(q, rule, &rule_type))
goto err;
if (!(tmp_name = apol_rule_type_to_str(rule_type))) {
PyErr_SetString(PyExc_RuntimeError, "Could not get TE rule type's string");
errno = EINVAL;
goto err;
}
if (py_insert_string(dict, "type", tmp_name))
goto err;
if (qpol_avrule_get_source_type(q, rule, &type)) {
goto err;
}
if (qpol_type_get_name(q, type, &tmp_name)) {
goto err;
}
if (py_insert_string(dict, "source", tmp_name))
goto err;
if (qpol_avrule_get_target_type(q, rule, &type)) {
goto err;
}
if (qpol_type_get_name(q, type, &tmp_name)) {
goto err;
}
if (py_insert_string(dict, "target", tmp_name))
goto err;
if (qpol_avrule_get_object_class(q, rule, &obj_class)) {
goto err;
}
if (qpol_class_get_name(q, obj_class, &tmp_name)) {
goto err;
}
if (py_insert_string(dict, "class", tmp_name))
goto err;
if (qpol_avrule_get_perm_iter(q, rule, &iter)) {
goto err;
}
permlist = PyList_New(0);
if (! permlist) goto err;
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
const char *perm_name = NULL;
if (qpol_iterator_get_item(iter, (void **)&perm_name))
goto err;
if (py_append_string(permlist, perm_name))
goto err;
}
rt = PyDict_SetItemString(dict, "permlist", permlist);
py_decref(permlist); permlist=NULL;
if (rt) goto err;
if (qpol_avrule_get_cond(q, rule, &cond))
goto err;
if (qpol_avrule_get_is_enabled(q, rule, &enabled))
goto err;
obj = PyBool_FromLong(enabled);
rt = PyDict_SetItemString(dict, "enabled", obj);
py_decref(obj);
if (cond) {
obj = get_bool(q, cond, enabled);
if (!obj) goto err;
rt = PyDict_SetItemString(dict, "boolean", obj);
py_decref(obj);
}
rt = py_append_obj(output, dict);
py_decref(dict); dict=NULL;
if (rt) goto err;
free(rule_str); rule_str = NULL;
free(expr); expr = NULL;
}
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
py_decref(dict);
py_decref(permlist);
py_decref(boollist);
cleanup:
free(tmp);
free(rule_str);
free(expr);
errno = error;
return output;
}
static PyObject* get_bool(const qpol_policy_t *q, const qpol_cond_t * cond, int enabled)
{
qpol_iterator_t *iter = NULL;
qpol_cond_expr_node_t *expr = NULL;
char *tmp = NULL;
const char *bool_name = NULL;
int error = 0;
uint32_t expr_type = 0;
qpol_bool_t *cond_bool = NULL;
PyObject *obj, *tuple = NULL;
PyObject *boollist = NULL;
if (!q || !cond) {
errno = EINVAL;
return NULL;
}
if (qpol_cond_get_expr_node_iter(q, cond, &iter) < 0) {
goto err;
}
boollist = PyList_New(0);
if (! boollist) goto err;
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&expr)) {
goto err;
}
if (qpol_cond_expr_node_get_expr_type(q, expr, &expr_type)) {
goto err;
}
if (expr_type != QPOL_COND_EXPR_BOOL) {
obj = PyUnicode_FromString(apol_cond_expr_type_to_str(expr_type));
if (!obj) goto err;
if (py_append_obj(boollist, obj))
goto err;
} else {
tuple = PyTuple_New(2);
if (!tuple) goto err;
if (qpol_cond_expr_node_get_bool(q, expr, &cond_bool)) {
goto err;
}
if (qpol_bool_get_name(q, cond_bool, &bool_name)) {
goto err;
}
obj = PyUnicode_FromString(bool_name);
if (py_tuple_insert_obj(tuple, 0, obj))
goto err;
obj = PyBool_FromLong(enabled);
if (py_tuple_insert_obj(tuple, 1, obj))
goto err;
if (py_append_obj(boollist, tuple))
goto err;
tuple=NULL;
}
}
qpol_iterator_destroy(&iter);
return boollist;
err:
error = errno;
qpol_iterator_destroy(&iter);
py_decref(tuple);
py_decref(boollist);
free(tmp);
errno = error;
return NULL;
}
int apol_role_allow_get_by_query(const apol_policy_t * p, const apol_role_allow_query_t * r, apol_vector_t ** v)
{
qpol_iterator_t *iter = NULL;
apol_vector_t *source_list = NULL, *target_list = NULL;
int retval = -1, source_as_any = 0;
*v = NULL;
if (r != NULL) {
if (r->source != NULL &&
(source_list = apol_query_create_candidate_role_list(p, r->source, r->flags & APOL_QUERY_REGEX)) == NULL) {
goto cleanup;
}
if ((r->flags & APOL_QUERY_SOURCE_AS_ANY) && r->source != NULL) {
target_list = source_list;
source_as_any = 1;
} else if (r->target != NULL &&
(target_list = apol_query_create_candidate_role_list(p, r->target, r->flags & APOL_QUERY_REGEX)) == NULL)
{
goto cleanup;
}
}
if (qpol_policy_get_role_allow_iter(p->p, &iter) < 0) {
goto cleanup;
}
if ((*v = apol_vector_create(NULL)) == NULL) {
ERR(p, "%s", strerror(errno));
goto cleanup;
}
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
qpol_role_allow_t *rule;
int match_source = 0, match_target = 0;
size_t i;
if (qpol_iterator_get_item(iter, (void **)&rule) < 0) {
goto cleanup;
}
if (source_list == NULL) {
match_source = 1;
} else {
const qpol_role_t *source_role;
if (qpol_role_allow_get_source_role(p->p, rule, &source_role) < 0) {
goto cleanup;
}
if (apol_vector_get_index(source_list, source_role, NULL, NULL, &i) == 0) {
match_source = 1;
}
}
/* if source did not match, but treating source symbol
* as any field, then delay rejecting this rule until
* the target has been checked */
if (!source_as_any && !match_source) {
continue;
}
if (target_list == NULL || (source_as_any && match_source)) {
match_target = 1;
} else {
const qpol_role_t *target_role;
if (qpol_role_allow_get_target_role(p->p, rule, &target_role) < 0) {
goto cleanup;
}
if (apol_vector_get_index(target_list, target_role, NULL, NULL, &i) == 0) {
match_target = 1;
}
}
if (!match_target) {
continue;
}
if (apol_vector_append(*v, rule)) {
ERR(p, "%s", strerror(ENOMEM));
goto cleanup;
}
}
retval = 0;
cleanup:
if (retval != 0) {
apol_vector_destroy(v);
}
apol_vector_destroy(&source_list);
if (!source_as_any) {
apol_vector_destroy(&target_list);
}
qpol_iterator_destroy(&iter);
return retval;
}
/**
* Get statistics regarding a policy's ports.
* If this function is given a name, it will attempt to
* get statistics about a particular port; otherwise
* the function get statistics about all of the policy's ports.
*
* @param name Reference to an port's name; if NULL,
* all ports will be considered
* @param policydb Reference to a policy
*
* @return 0 on success, < 0 on error.
*/
static PyObject* get_ports(const char *num, const apol_policy_t * policydb)
{
const qpol_portcon_t *portcon = NULL;
qpol_iterator_t *iter = NULL;
uint16_t low_port, high_port;
uint8_t ocon_proto;
qpol_policy_t *q = apol_policy_get_qpol(policydb);
const qpol_context_t *ctxt = NULL;
const char *proto_str = NULL;
const char *type = NULL;
const apol_mls_range_t *range = NULL;
char *range_str = NULL;
apol_context_t *c = NULL;
int error = 0;
int rt = 0;
PyObject *dict = NULL;
PyObject *list = PyList_New(0);
if (!list) goto err;
if (qpol_policy_get_portcon_iter(q, &iter))
goto err;
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&portcon))
goto err;
if (qpol_portcon_get_low_port(q, portcon, &low_port))
goto err;
if (qpol_portcon_get_high_port(q, portcon, &high_port))
goto err;
if (qpol_portcon_get_protocol(q, portcon, &ocon_proto))
goto err;
if (num) {
if (atoi(num) < low_port || atoi(num) > high_port)
continue;
}
if ((ocon_proto != IPPROTO_TCP) &&
(ocon_proto != IPPROTO_UDP))
goto err;
if (qpol_portcon_get_context(q, portcon, &ctxt)) {
PyErr_SetString(PyExc_RuntimeError, "Could not get for port context.");
goto err;
}
if ((proto_str = apol_protocol_to_str(ocon_proto)) == NULL) {
PyErr_SetString(PyExc_RuntimeError, "Invalid protocol for port");
goto err;
}
if ((c = apol_context_create_from_qpol_context(policydb, ctxt)) == NULL) {
goto err;
}
if((type = apol_context_get_type(c)) == NULL) {
apol_context_destroy(&c);
goto err;
}
dict = PyDict_New();
if (!dict) goto err;
if (py_insert_string(dict, "type", type))
goto err;
if((range = apol_context_get_range(c)) != NULL) {
range_str = apol_mls_range_render(policydb, range);
if (range_str == NULL) {
goto err;
}
if (py_insert_string(dict, "range", range_str))
goto err;
}
if (py_insert_string(dict, "protocol", proto_str))
goto err;
if (py_insert_long(dict, "high", high_port))
goto err;
if (py_insert_long(dict, "low", low_port))
goto err;
rt = py_append_obj(list, dict);
Py_DECREF(dict); dict = NULL;
if (rt) goto err;
}
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
py_decref(list); list = NULL;
py_decref(dict); dict = NULL;
cleanup:
free(range_str);
apol_context_destroy(&c);
qpol_iterator_destroy(&iter);
errno = error;
return list;
}
/**
* get a textual representation of a role, and
* all of that role's types.
*
* @param type_datum Reference to sepol type_datum
* @param policydb Reference to a policy
* types
*/
static PyObject* get_role(const qpol_role_t * role_datum, const apol_policy_t * policydb)
{
const char *role_name = NULL, *type_name = NULL;
const qpol_role_t *dom_datum = NULL;
const qpol_type_t *type_datum = NULL;
qpol_iterator_t *iter = NULL;
qpol_policy_t *q = apol_policy_get_qpol(policydb);
size_t n_dom = 0, n_types = 0;
int error = 0;
int rt;
PyObject *list = NULL;
PyObject *dict = PyDict_New();
if (!dict) goto err;
if (qpol_role_get_name(q, role_datum, &role_name))
goto err;
if (py_insert_string(dict, "name", role_name))
goto err;
if (qpol_role_get_dominate_iter(q, role_datum, &iter))
goto err;
if (qpol_iterator_get_size(iter, &n_dom))
goto err;
if ((int)n_dom > 0) {
list = PyList_New(0);
if (!list) goto err;
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&dom_datum))
goto err;
if (qpol_role_get_name(q, dom_datum, &role_name))
goto err;
if (py_append_string(list, role_name))
goto err;
}
rt = py_insert_obj(dict, "roles", list);
Py_DECREF(list); list = NULL;
if (rt) goto err;
}
qpol_iterator_destroy(&iter);
if (qpol_role_get_type_iter(q, role_datum, &iter))
goto err;
if (qpol_iterator_get_size(iter, &n_types))
goto err;
if ((int)n_types > 0) {
list = PyList_New(0);
if (!list) goto err;
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&type_datum))
goto err;
if (qpol_type_get_name(q, type_datum, &type_name))
goto err;
if (py_append_string(list, type_name))
goto err;
}
rt = py_insert_obj(dict, "types", list);
Py_DECREF(list); list = NULL;
if (rt) goto err;
}
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
py_decref(list); list = NULL;
py_decref(dict); dict = NULL;
cleanup:
qpol_iterator_destroy(&iter);
errno = error;
return dict;
}
/**
* Prints a textual representation of an object class and possibly
* all of that object class' permissions.
*
* @param fp Reference to a file to which to print object class information
* @param type_datum Reference to sepol type_datum
* @param policydb Reference to a policy
* @param expand Flag indicating whether to print each object class'
* permissions
*/
static PyObject* get_class(const qpol_class_t * class_datum, const apol_policy_t * policydb)
{
const char *class_name = NULL, *perm_name = NULL;
qpol_iterator_t *iter = NULL;
const qpol_common_t *common_datum = NULL;
qpol_policy_t *q = apol_policy_get_qpol(policydb);
int error = 0;
int rt;
PyObject *list = NULL;
PyObject *dict = PyDict_New();
if (!dict) goto err;
if (!class_datum)
goto err;
if (qpol_class_get_name(q, class_datum, &class_name))
goto err;
if (py_insert_string(dict, "name", class_name))
goto err;
/* get commons for this class */
if (qpol_class_get_common(q, class_datum, &common_datum))
goto err;
list = PyList_New(0);
if (!list) goto err;
if (common_datum) {
if (qpol_common_get_perm_iter(q, common_datum, &iter))
goto err;
/* print perms for the common */
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&perm_name))
goto err;
if (py_append_string(list, perm_name))
goto err;
}
}
/* print unique perms for this class */
if (qpol_class_get_perm_iter(q, class_datum, &iter))
goto err;
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&perm_name))
goto err;
if (py_append_string(list, perm_name))
goto err;
}
rt = py_insert_obj(dict, "permlist", list);
Py_DECREF(list); list = NULL;
if (rt) goto err;
qpol_iterator_destroy(&iter);
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
py_decref(list); list=NULL;
py_decref(dict); dict=NULL;
cleanup:
errno = error;
qpol_iterator_destroy(&iter);
return dict;
}
/**
* Gets a textual representation of a user, and
* all of that user's roles.
*
* @param type_datum Reference to sepol type_datum
* @param policydb Reference to a policy
* roles
*/
static PyObject* get_user(const qpol_user_t * user_datum, const apol_policy_t * policydb)
{
int error = 0;
int rt;
const qpol_role_t *role_datum = NULL;
qpol_iterator_t *iter = NULL;
const qpol_mls_range_t *range = NULL;
const qpol_mls_level_t *dflt_level = NULL;
apol_mls_level_t *ap_lvl = NULL;
apol_mls_range_t *ap_range = NULL;
qpol_policy_t *q = apol_policy_get_qpol(policydb);
char *tmp = NULL;
const char *user_name, *role_name;
PyObject *dict = NULL;
PyObject *list = PyList_New(0);
if (!list) goto err;
if (qpol_user_get_name(q, user_datum, &user_name))
goto err;
dict = PyDict_New();
if (!dict) goto err;
if (py_insert_string(dict, "name", user_name))
goto err;
if (qpol_policy_has_capability(q, QPOL_CAP_MLS)) {
if (qpol_user_get_dfltlevel(q, user_datum, &dflt_level))
goto err;
ap_lvl = apol_mls_level_create_from_qpol_mls_level(policydb, dflt_level);
tmp = apol_mls_level_render(policydb, ap_lvl);
if (!tmp) goto err;
if (py_insert_string(dict, "level", tmp))
goto err;
free(tmp); tmp = NULL;
if (qpol_user_get_range(q, user_datum, &range))
goto err;
ap_range = apol_mls_range_create_from_qpol_mls_range(policydb, range);
tmp = apol_mls_range_render(policydb, ap_range);
if (!tmp) goto err;
if (py_insert_string(dict, "range", tmp))
goto err;
free(tmp); tmp=NULL;
}
if (qpol_user_get_role_iter(q, user_datum, &iter))
goto err;
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&role_datum))
goto err;
if (qpol_role_get_name(q, role_datum, &role_name))
goto err;
if (py_append_string(list, role_name))
goto err;
}
rt = py_insert_obj(dict, "roles", list);
Py_DECREF(list); list=NULL;
if (rt) goto err;
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
py_decref(list); list=NULL;
py_decref(dict); dict=NULL;
cleanup:
free(tmp);
qpol_iterator_destroy(&iter);
apol_mls_level_destroy(&ap_lvl);
apol_mls_range_destroy(&ap_range);
errno = error;
return dict;
}
/**
* Gets statistics regarding a policy's booleans.
* If this function is given a name, it will attempt to
* get statistics about a particular boolean; otherwise
* the function gets statistics about all of the policy's booleans.
*
* @param fp Reference to a file to which to print statistics
* @param name Reference to a boolean's name; if NULL,
* all booleans will be considered
* @param expand Flag indicating whether to print each
* boolean's default state
* @param policydb Reference to a policy
*
* @return new reference, or NULL (setting an exception)
*/
static PyObject* get_booleans(const char *name, const apol_policy_t * policydb)
{
PyObject *dict = NULL;
int error = 0;
int rt = 0;
const char *bool_name = NULL;
int state;
qpol_bool_t *bool_datum = NULL;
qpol_iterator_t *iter = NULL;
qpol_policy_t *q = apol_policy_get_qpol(policydb);
size_t n_bools = 0;
PyObject *list = PyList_New(0);
if (!list) goto err;
if (name != NULL) {
if (qpol_policy_get_bool_by_name(q, name, &bool_datum))
goto err;
if (qpol_bool_get_state(q, bool_datum, &state))
goto err;
dict = PyDict_New();
if (!dict) goto err;
if (py_insert_string(dict, "name", name))
goto err;
if (py_insert_bool(dict, "name", state))
goto err;
rt = py_append_obj(list, dict);
Py_DECREF(dict); dict = NULL;
if (rt) goto err;
} else {
if (qpol_policy_get_bool_iter(q, &iter))
goto err;
if (qpol_iterator_get_size(iter, &n_bools))
goto err;
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&bool_datum))
goto err;
if (qpol_bool_get_name(q, bool_datum, &bool_name))
goto err;
if (qpol_bool_get_state(q, bool_datum, &state))
goto err;
dict = PyDict_New();
if (!dict) goto err;
if (py_insert_string(dict, "name", bool_name))
goto err;
if (py_insert_bool(dict, "state", state))
goto err;
rt = py_append_obj(list, dict);
Py_DECREF(dict); dict = NULL;
if (rt) goto err;
}
qpol_iterator_destroy(&iter);
}
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(error));
py_decref(list); list = NULL;
py_decref(dict); dict = NULL;
cleanup:
qpol_iterator_destroy(&iter);
errno = error;
return list;
}
int apol_filename_trans_get_by_query(const apol_policy_t * p, const apol_filename_trans_query_t * t, apol_vector_t ** v)
{
apol_vector_t *source_list = NULL, *target_list = NULL, *class_list = NULL, *default_list = NULL;
int retval = -1, source_as_any = 0, is_regex = 0;
*v = NULL;
qpol_iterator_t *iter = NULL;
if (t != NULL) {
is_regex = t->flags & APOL_QUERY_REGEX;
if (t->source != NULL &&
(source_list =
apol_query_create_candidate_type_list(p, t->source, is_regex,
t->flags & APOL_QUERY_SOURCE_INDIRECT,
((t->flags & (APOL_QUERY_SOURCE_TYPE | APOL_QUERY_SOURCE_ATTRIBUTE)) /
APOL_QUERY_SOURCE_TYPE))) == NULL) {
goto cleanup;
}
if ((t->flags & APOL_QUERY_SOURCE_AS_ANY) && t->source != NULL) {
default_list = target_list = source_list;
source_as_any = 1;
} else {
if (t->target != NULL &&
(target_list =
apol_query_create_candidate_type_list(p, t->target, is_regex,
t->flags & APOL_QUERY_TARGET_INDIRECT,
((t->
flags & (APOL_QUERY_TARGET_TYPE | APOL_QUERY_TARGET_ATTRIBUTE))
/ APOL_QUERY_TARGET_TYPE))) == NULL) {
goto cleanup;
}
if (t->default_type != NULL &&
(default_list =
apol_query_create_candidate_type_list(p, t->default_type, is_regex, 0,
APOL_QUERY_SYMBOL_IS_TYPE)) == NULL) {
goto cleanup;
}
}
if (t->classes != NULL &&
apol_vector_get_size(t->classes) > 0 &&
(class_list = apol_query_create_candidate_class_list(p, t->classes)) == NULL) {
goto cleanup;
}
}
if (qpol_policy_get_filename_trans_iter(p->p, &iter) < 0) {
goto cleanup;
}
if ((*v = apol_vector_create(NULL)) == NULL) {
ERR(p, "%s", strerror(errno));
goto cleanup;
}
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
int match_source = 0, match_target = 0, match_default = 0;
size_t i;
qpol_filename_trans_t *filename_trans;
if (qpol_iterator_get_item(iter, (void **)&filename_trans) < 0) {
goto cleanup;
}
if (source_list == NULL) {
match_source = 1;
} else {
const qpol_type_t *source_type;
if (qpol_filename_trans_get_source_type(p->p, filename_trans, &source_type) < 0) {
goto cleanup;
}
if (apol_vector_get_index(source_list, source_type, NULL, NULL, &i) == 0) {
match_source = 1;
}
}
/* if source did not match, but treating source symbol
* as any field, then delay rejecting this filename_trans until
* the target and default have been checked */
if (!source_as_any && !match_source) {
continue;
}
if (target_list == NULL || (source_as_any && match_source)) {
match_target = 1;
} else {
const qpol_type_t *target_type;
if (qpol_filename_trans_get_target_type(p->p, filename_trans, &target_type) < 0) {
goto cleanup;
}
if (apol_vector_get_index(target_list, target_type, NULL, NULL, &i) == 0) {
match_target = 1;
}
}
if (!source_as_any && !match_target) {
continue;
}
if (default_list == NULL || (source_as_any && match_source) || (source_as_any && match_target)) {
match_default = 1;
} else {
const qpol_type_t *default_type;
if (qpol_filename_trans_get_default_type(p->p, filename_trans, &default_type) < 0) {
goto cleanup;
}
if (apol_vector_get_index(default_list, default_type, NULL, NULL, &i) == 0) {
match_default = 1;
}
}
if (!source_as_any && !match_default) {
continue;
}
/* at least one thing must match if source_as_any was given */
if (source_as_any && (!match_source && !match_target && !match_default)) {
continue;
}
if (class_list != NULL) {
const qpol_class_t *obj_class;
if (qpol_filename_trans_get_object_class(p->p, filename_trans, &obj_class) < 0) {
goto cleanup;
}
if (apol_vector_get_index(class_list, obj_class, NULL, NULL, &i) < 0) {
continue;
}
}
if (apol_vector_append(*v, filename_trans)) {
ERR(p, "%s", strerror(ENOMEM));
goto cleanup;
}
}
retval = 0;
cleanup:
if (retval != 0) {
apol_vector_destroy(v);
}
apol_vector_destroy(&source_list);
if (!source_as_any) {
apol_vector_destroy(&target_list);
apol_vector_destroy(&default_list);
}
apol_vector_destroy(&class_list);
qpol_iterator_destroy(&iter);
return retval;
}
apol_vector_t *apol_mls_range_get_levels(const apol_policy_t * p, const apol_mls_range_t * range)
{
qpol_policy_t *q = apol_policy_get_qpol(p);
apol_vector_t *v = NULL, *catv = NULL;
const qpol_level_t *l;
uint32_t low_value, high_value, value;
int error = 0;
qpol_iterator_t *iter = NULL, *catiter = NULL;
if (p == NULL || range == NULL || range->low == NULL) {
error = EINVAL;
ERR(p, "%s", strerror(error));
goto err;
}
apol_mls_level_t *low_level, *high_level;
low_level = range->low;
if (range->high == NULL) {
high_level = low_level;
} else {
high_level = range->high;
}
if (qpol_policy_get_level_by_name(q, apol_mls_level_get_sens(low_level), &l) < 0 ||
qpol_level_get_value(q, l, &low_value) < 0) {
error = errno;
goto err;
}
if (qpol_policy_get_level_by_name(q, apol_mls_level_get_sens(high_level), &l) < 0 ||
qpol_level_get_value(q, l, &high_value) < 0) {
error = errno;
goto err;
}
assert(low_value <= high_value);
if ((v = apol_vector_create(mls_level_free)) == NULL) {
error = errno;
ERR(p, "%s", strerror(error));
goto err;
}
if (qpol_policy_get_level_iter(q, &iter) < 0) {
error = errno;
goto err;
}
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
const char *name;
apol_mls_level_t *ml;
if (qpol_iterator_get_item(iter, (void **)&l) < 0 ||
qpol_level_get_value(q, l, &value) < 0 || qpol_level_get_name(q, l, &name) < 0) {
error = errno;
goto err;
}
if (value < low_value || value > high_value) {
continue;
}
if ((ml = apol_mls_level_create()) == NULL || (apol_mls_level_set_sens(p, ml, name) < 0)) {
error = errno;
apol_mls_level_destroy(&ml);
ERR(p, "%s", strerror(error));
goto err;
}
if (qpol_level_get_cat_iter(q, l, &catiter) < 0 || (catv = apol_vector_create_from_iter(catiter, NULL)) == NULL) {
error = errno;
goto err;
}
const apol_vector_t *high_cats = apol_mls_level_get_cats(high_level);
for (size_t i = 0; i < apol_vector_get_size(high_cats); i++) {
char *cat_name = apol_vector_get_element(high_cats, i);
size_t j;
/* do not add categories that are not members of
the level */
if (apol_vector_get_index(catv, cat_name, mls_level_name_to_cat_comp, q, &j) < 0) {
/* this category is not legal under the given policy */
continue;
}
if (apol_mls_level_append_cats(p, ml, cat_name) < 0) {
error = errno;
apol_mls_level_destroy(&ml);
ERR(p, "%s", strerror(error));
goto err;
}
}
qpol_iterator_destroy(&catiter);
apol_vector_destroy(&catv);
if (apol_vector_append(v, ml) < 0) {
error = errno;
apol_mls_level_destroy(&ml);
ERR(p, "%s", strerror(error));
goto err;
}
}
apol_vector_sort(v, mls_range_comp, q);
qpol_iterator_destroy(&iter);
qpol_iterator_destroy(&catiter);
apol_vector_destroy(&catv);
return v;
err:
qpol_iterator_destroy(&iter);
qpol_iterator_destroy(&catiter);
apol_vector_destroy(&v);
apol_vector_destroy(&catv);
errno = error;
return NULL;
}
