static void capability_test(const struct capability_answer *ca)
{
qpol_policy_t *q = NULL;
int policy_type = qpol_policy_open_from_file(ca->policy_name, &q, NULL, NULL, QPOL_POLICY_OPTION_NO_NEVERALLOWS);
CU_ASSERT_FATAL(policy_type >= 0);
CU_ASSERT_EQUAL(policy_type, ca->policy_type);
unsigned policy_version;
int retval;
retval = qpol_policy_get_policy_version(q, &policy_version);
CU_ASSERT_EQUAL_FATAL(retval, 0);
CU_ASSERT_EQUAL(policy_version, ca->policy_version);
bool cap;
cap = (bool) qpol_policy_has_capability(q, QPOL_CAP_ATTRIB_NAMES);
CU_ASSERT_EQUAL(cap, ca->has_attributes);
cap = (bool) qpol_policy_has_capability(q, QPOL_CAP_SYN_RULES);
CU_ASSERT_EQUAL(cap, ca->has_syn_rules);
cap = (bool) qpol_policy_has_capability(q, QPOL_CAP_LINE_NUMBERS);
CU_ASSERT_EQUAL(cap, ca->has_line_numbers);
cap = (bool) qpol_policy_has_capability(q, QPOL_CAP_CONDITIONALS);
CU_ASSERT_EQUAL(cap, ca->has_conditionals);
cap = (bool) qpol_policy_has_capability(q, QPOL_CAP_MLS);
CU_ASSERT_EQUAL(cap, ca->has_mls);
cap = (bool) qpol_policy_has_capability(q, QPOL_CAP_POLCAPS);
CU_ASSERT_EQUAL(cap, ca->has_polcaps);
cap = (bool) qpol_policy_has_capability(q, QPOL_CAP_SOURCE);
CU_ASSERT_EQUAL(cap, ca->has_source);
cap = (bool) qpol_policy_has_capability(q, QPOL_CAP_MODULES);
CU_ASSERT_EQUAL(cap, ca->has_modules);
unsigned char ispermissive;
const qpol_type_t *type;
if (ca->enforcing_type != NULL) {
retval = qpol_policy_get_type_by_name(q, ca->enforcing_type, &type);
CU_ASSERT(retval == 0 && type != NULL);
retval = qpol_type_get_ispermissive(q, type, &ispermissive);
CU_ASSERT(retval == 0 && ispermissive == 0);
}
if (ca->permissive_type != NULL) {
retval = qpol_policy_get_type_by_name(q, ca->permissive_type, &type);
CU_ASSERT(retval == 0 && type != NULL);
retval = qpol_type_get_ispermissive(q, type, &ispermissive);
CU_ASSERT(retval == 0 && ispermissive == 1);
}
qpol_policy_destroy(&q);
}
int apol_context_compare(const apol_policy_t * p, const apol_context_t * target, const apol_context_t * search,
unsigned int range_compare_type)
{
uint32_t value0, value1;
if (p == NULL || target == NULL || search == NULL) {
ERR(p, "%s", strerror(EINVAL));
errno = EINVAL;
return -1;
}
if (target->user != NULL && search->user != NULL) {
const qpol_user_t *user0, *user1;
if (qpol_policy_get_user_by_name(p->p,
target->user, &user0) < 0 ||
qpol_policy_get_user_by_name(p->p,
search->user, &user1) < 0 ||
qpol_user_get_value(p->p, user0, &value0) < 0 || qpol_user_get_value(p->p, user1, &value1) < 0) {
return -1;
}
if (value0 != value1) {
return 0;
}
}
if (target->role != NULL && search->role != NULL) {
const qpol_role_t *role0, *role1;
if (qpol_policy_get_role_by_name(p->p,
target->role, &role0) < 0 ||
qpol_policy_get_role_by_name(p->p,
search->role, &role1) < 0 ||
qpol_role_get_value(p->p, role0, &value0) < 0 || qpol_role_get_value(p->p, role1, &value1) < 0) {
return -1;
}
if (value0 != value1) {
return 0;
}
}
if (target->type != NULL && search->type != NULL) {
const qpol_type_t *type0, *type1;
if (qpol_policy_get_type_by_name(p->p,
target->type, &type0) < 0 ||
qpol_policy_get_type_by_name(p->p,
search->type, &type1) < 0 ||
qpol_type_get_value(p->p, type0, &value0) < 0 || qpol_type_get_value(p->p, type1, &value1) < 0) {
return -1;
}
if (value0 != value1) {
return 0;
}
}
if (target->range != NULL && search->range != NULL) {
return apol_mls_range_compare(p, target->range, search->range, range_compare_type);
}
return 1;
}
/**
* Get statistics regarding a policy's types.
* If this function is given a name, it will attempt to
* print statistics about a particular type; otherwise
* the function prints statistics about all of the policy's types.
*
* @param name Reference to a type's name; if NULL,
* all object classes will be considered
* @param policydb Reference to a policy
*
* @return 0 on success, < 0 on error.
*/
static PyObject* get_types(const char *name, const apol_policy_t * policydb)
{
const qpol_type_t *type_datum = NULL;
qpol_iterator_t *iter = NULL;
qpol_policy_t *q = apol_policy_get_qpol(policydb);
int error = 0;
int rt;
PyObject *obj;
PyObject *list = PyList_New(0);
if (!list) goto err;
/* if name was provided, only print that name */
if (name != NULL) {
if (qpol_policy_get_type_by_name(q, name, &type_datum)) {
errno = EINVAL;
goto err;
}
obj = get_type(type_datum, policydb);
rt = py_append_obj(list, obj);
Py_DECREF(obj);
if (rt) goto err;
} else {
if (qpol_policy_get_type_iter(q, &iter))
goto err;
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&type_datum))
goto err;
obj = get_type(type_datum, policydb);
rt = py_append_obj(list, obj);
Py_DECREF(obj);
if (rt) goto err;
}
}
goto cleanup;
err:
error = errno;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
py_decref(list); list = NULL;
cleanup:
qpol_iterator_destroy(&iter);
errno = error;
return list;
}
int apol_context_validate_partial(const apol_policy_t * p, const apol_context_t * context)
{
apol_user_query_t *user_query = NULL;
apol_role_query_t *role_query = NULL;
apol_vector_t *user_v = NULL, *role_v = NULL;
const qpol_user_t *user;
const qpol_type_t *type;
const qpol_mls_range_t *user_range;
apol_mls_range_t *user_apol_range = NULL;
int retval = -1, retval2;
if (context == NULL) {
return 1;
}
if (context->user != NULL) {
if ((user_query = apol_user_query_create()) == NULL) {
ERR(p, "%s", strerror(ENOMEM));
}
if (apol_user_query_set_user(p, user_query, context->user) < 0 ||
(context->role != NULL && apol_user_query_set_role(p, user_query, context->role) < 0) ||
apol_user_get_by_query(p, user_query, &user_v) < 0) {
goto cleanup;
}
if (apol_vector_get_size(user_v) == 0) {
retval = 0;
goto cleanup;
}
}
if (context->role != NULL) {
if ((role_query = apol_role_query_create()) == NULL) {
ERR(p, "%s", strerror(ENOMEM));
}
if (apol_role_query_set_role(p, role_query, context->role) < 0 ||
(context->type != NULL && apol_role_query_set_type(p, role_query, context->type) < 0) ||
apol_role_get_by_query(p, role_query, &role_v) < 0) {
goto cleanup;
}
if (apol_vector_get_size(role_v) == 0) {
retval = 0;
goto cleanup;
}
}
if (context->type != NULL) {
if (qpol_policy_get_type_by_name(p->p, context->type, &type) < 0) {
retval = 0;
goto cleanup;
}
}
if (apol_policy_is_mls(p) && context->range != NULL) {
retval2 = apol_mls_range_validate(p, context->range);
if (retval2 != 1) {
retval = retval2;
goto cleanup;
}
/* next check that the user has access to this context */
if (context->user != NULL) {
if (qpol_policy_get_user_by_name(p->p, context->user, &user) < 0 ||
qpol_user_get_range(p->p, user, &user_range) < 0) {
goto cleanup;
}
user_apol_range = apol_mls_range_create_from_qpol_mls_range(p, user_range);
if (user_apol_range == NULL) {
ERR(p, "%s", strerror(ENOMEM));
goto cleanup;
}
retval2 = apol_mls_range_compare(p, user_apol_range, context->range, APOL_QUERY_SUB);
if (retval2 != 1) {
retval = retval2;
goto cleanup;
}
}
}
retval = 1;
cleanup:
apol_user_query_destroy(&user_query);
apol_role_query_destroy(&role_query);
apol_vector_destroy(&user_v);
apol_vector_destroy(&role_v);
apol_mls_range_destroy(&user_apol_range);
return retval;
}
