char *apol_role_allow_render(const apol_policy_t * policy, const qpol_role_allow_t * rule)
{
char *tmp = NULL;
const char *source_name = NULL, *target_name = NULL;
const qpol_role_t *role = NULL;
if (!policy || !rule) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return NULL;
}
/* source role */
if (qpol_role_allow_get_source_role(policy->p, rule, &role)) {
ERR(policy, "%s", strerror(errno));
return NULL;
}
if (qpol_role_get_name(policy->p, role, &source_name)) {
ERR(policy, "%s", strerror(errno));
return NULL;
}
/* target role */
if (qpol_role_allow_get_target_role(policy->p, rule, &role)) {
ERR(policy, "%s", strerror(errno));
return NULL;
}
if (qpol_role_get_name(policy->p, role, &target_name)) {
ERR(policy, "%s", strerror(errno));
return NULL;
}
if (asprintf(&tmp, "allow %s %s;", source_name, target_name) < 0) {
ERR(policy, "%s", strerror(errno));
return NULL;
}
return tmp;
}
static PyObject* get_ra_results(const apol_policy_t * policy, const apol_vector_t * v, PyObject *output)
{
size_t i, num_rules = 0;
qpol_policy_t *q;
const qpol_role_allow_t *rule = NULL;
const char *tmp;
PyObject *obj, *dict=NULL;
const qpol_role_t *role = NULL;
int error = 0;
errno = EINVAL;
int rt;
if (!policy || !v) {
errno = EINVAL;
goto err;
}
if (!(num_rules = apol_vector_get_size(v)))
return NULL;
q = apol_policy_get_qpol(policy);
for (i = 0; i < num_rules; i++) {
dict = PyDict_New();
if (!dict) goto err;
if (!(rule = apol_vector_get_element(v, i)))
goto err;
if (qpol_role_allow_get_source_role(q, rule, &role)) {
goto err;
}
if (qpol_role_get_name(q, role, &tmp)) {
goto err;
}
obj = PyUnicode_FromString(tmp);
if (py_insert_obj(dict, "source", obj))
goto err;
if (qpol_role_allow_get_target_role(q, rule, &role)) {
goto err;
}
if (qpol_role_get_name(q, role, &tmp)) {
goto err;
}
obj = PyUnicode_FromString(tmp);
if (py_insert_obj(dict, "target", obj))
goto err;
rt = py_append_obj(output, dict);
if (rt) goto err;
py_decref(dict); dict=NULL;
}
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(error));
py_decref(dict);
cleanup:
errno = error;
return output;
}
int apol_role_allow_get_by_query(const apol_policy_t * p, const apol_role_allow_query_t * r, apol_vector_t ** v)
{
qpol_iterator_t *iter = NULL;
apol_vector_t *source_list = NULL, *target_list = NULL;
int retval = -1, source_as_any = 0;
*v = NULL;
if (r != NULL) {
if (r->source != NULL &&
(source_list = apol_query_create_candidate_role_list(p, r->source, r->flags & APOL_QUERY_REGEX)) == NULL) {
goto cleanup;
}
if ((r->flags & APOL_QUERY_SOURCE_AS_ANY) && r->source != NULL) {
target_list = source_list;
source_as_any = 1;
} else if (r->target != NULL &&
(target_list = apol_query_create_candidate_role_list(p, r->target, r->flags & APOL_QUERY_REGEX)) == NULL)
{
goto cleanup;
}
}
if (qpol_policy_get_role_allow_iter(p->p, &iter) < 0) {
goto cleanup;
}
if ((*v = apol_vector_create(NULL)) == NULL) {
ERR(p, "%s", strerror(errno));
goto cleanup;
}
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
qpol_role_allow_t *rule;
int match_source = 0, match_target = 0;
size_t i;
if (qpol_iterator_get_item(iter, (void **)&rule) < 0) {
goto cleanup;
}
if (source_list == NULL) {
match_source = 1;
} else {
const qpol_role_t *source_role;
if (qpol_role_allow_get_source_role(p->p, rule, &source_role) < 0) {
goto cleanup;
}
if (apol_vector_get_index(source_list, source_role, NULL, NULL, &i) == 0) {
match_source = 1;
}
}
/* if source did not match, but treating source symbol
* as any field, then delay rejecting this rule until
* the target has been checked */
if (!source_as_any && !match_source) {
continue;
}
if (target_list == NULL || (source_as_any && match_source)) {
match_target = 1;
} else {
const qpol_role_t *target_role;
if (qpol_role_allow_get_target_role(p->p, rule, &target_role) < 0) {
goto cleanup;
}
if (apol_vector_get_index(target_list, target_role, NULL, NULL, &i) == 0) {
match_target = 1;
}
}
if (!match_target) {
continue;
}
if (apol_vector_append(*v, rule)) {
ERR(p, "%s", strerror(ENOMEM));
goto cleanup;
}
}
retval = 0;
cleanup:
if (retval != 0) {
apol_vector_destroy(v);
}
apol_vector_destroy(&source_list);
if (!source_as_any) {
apol_vector_destroy(&target_list);
}
qpol_iterator_destroy(&iter);
return retval;
}
