Пример #1
0
int terule_init()
{
	apol_policy_path_t *ppath = apol_policy_path_create(APOL_POLICY_PATH_TYPE_MONOLITHIC, BIN_POLICY, NULL);
	if (ppath == NULL) {
		return 1;
	}

	if ((bp = apol_policy_create_from_policy_path(ppath, 0, NULL, NULL)) == NULL) {
		apol_policy_path_destroy(&ppath);
		return 1;
	}
	apol_policy_path_destroy(&ppath);

	ppath = apol_policy_path_create(APOL_POLICY_PATH_TYPE_MONOLITHIC, SOURCE_POLICY, NULL);
	if (ppath == NULL) {
		return 1;
	}

	if ((sp = apol_policy_create_from_policy_path(ppath, 0, NULL, NULL)) == NULL) {
		apol_policy_path_destroy(&ppath);
		return 1;
	}
	apol_policy_path_destroy(&ppath);

	if (qpol_policy_build_syn_rule_table(apol_policy_get_qpol(sp)) != 0) {
		return 1;
	}

	return 0;
}
Пример #2
0
/**
 * Get a textual representation of a type, and
 * all of that type's attributes.
 *
 * @param type_datum Reference to sepol type_datum
 * @param policydb Reference to a policy
 */
static PyObject* get_type_attrs(const qpol_type_t * type_datum, const apol_policy_t * policydb)
{
	qpol_iterator_t *iter = NULL;
	const char *attr_name = NULL;
	const qpol_type_t *attr_datum = NULL;
	qpol_policy_t *q = apol_policy_get_qpol(policydb);
	int error = 0;
	PyObject *list = PyList_New(0);
	if (!list) goto err;

	if (qpol_type_get_attr_iter(q, type_datum, &iter))
		goto err;

	for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
		if (qpol_iterator_get_item(iter, (void **)&attr_datum))
			goto err;
		if (qpol_type_get_name(q, attr_datum, &attr_name))
			goto err;
		if (py_append_string(list, attr_name))
			goto err;
	}
	goto cleanup;

err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(errno));
	py_decref(list); list = NULL;

cleanup:
	qpol_iterator_destroy(&iter);
	errno = error;
	return list;
}
Пример #3
0
/**
 * Compare two qpol_level_datum_t objects.
 * This function is meant to be passed to apol_vector_compare
 * as the callback for performing comparisons.
 *
 * @param datum1 Reference to a qpol_level_datum_t object
 * @param datum2 Reference to a qpol_level_datum_t object
 * @param data Reference to a policy
 * @return Greater than 0 if the first argument is less than the second argument,
 * less than 0 if the first argument is greater than the second argument,
 * 0 if the arguments are equal
 */
static int qpol_level_datum_compare(const void *datum1, const void *datum2, void *data)
{
	const qpol_level_t *lvl_datum1 = NULL, *lvl_datum2 = NULL;
	apol_policy_t *policydb = NULL;
	qpol_policy_t *q;
	uint32_t val1, val2;

	policydb = (apol_policy_t *) data;
	assert(policydb);
	q = apol_policy_get_qpol(policydb);

	if (!datum1 || !datum2)
		goto exit_err;
	lvl_datum1 = datum1;
	lvl_datum2 = datum2;

	if (qpol_level_get_value(q, lvl_datum1, &val1))
		goto exit_err;
	if (qpol_level_get_value(q, lvl_datum2, &val2))
		goto exit_err;

	return (val1 > val2) ? 1 : ((val1 == val2) ? 0 : -1);

      exit_err:
	assert(0);
	return 0;
}
Пример #4
0
/**
 * Gets a textual representation of a MLS category and
 * all of that category's sensitivies.
 *
 * @param type_datum Reference to sepol type_datum
 * @param policydb Reference to a policy
 */
static PyObject* get_cat_sens(const qpol_cat_t * cat_datum, const apol_policy_t * policydb)
{
	const char *cat_name, *lvl_name;
	apol_level_query_t *query = NULL;
	apol_vector_t *v = NULL;
	const qpol_level_t *lvl_datum = NULL;
	qpol_policy_t *q = apol_policy_get_qpol(policydb);
	size_t i, n_sens = 0;
	int error = 0;
	PyObject *list = NULL;
	PyObject *dict = PyDict_New();
	if (!dict) goto err;
	if (!cat_datum || !policydb)
		goto err;

	/* get category name for apol query */
	if (qpol_cat_get_name(q, cat_datum, &cat_name))
		goto cleanup;

	query = apol_level_query_create();
	if (!query)
		goto err;
	if (apol_level_query_set_cat(policydb, query, cat_name))
		goto err;
	if (apol_level_get_by_query(policydb, query, &v))
		goto err;
	apol_vector_sort(v, &qpol_level_datum_compare, (void *)policydb);
	dict = PyDict_New();
	if (!dict) goto err;
	if (py_insert_string(dict, "name", cat_name))
		goto err;
	n_sens = apol_vector_get_size(v);
	list = PyList_New(0);
	if (!list) goto err;
	for (i = 0; i < n_sens; i++) {
		lvl_datum = (qpol_level_t *) apol_vector_get_element(v, i);
		if (!lvl_datum)
			goto err;
		if (qpol_level_get_name(q, lvl_datum, &lvl_name))
			goto err;
		if (py_append_string(list, lvl_name))
			goto err;
	}
	if (py_insert_obj(dict, "level", list))
		goto err;
	Py_DECREF(list);

	goto cleanup;
err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(errno));
	py_decref(list); list = NULL;
	py_decref(dict); dict = NULL;
cleanup:
	apol_level_query_destroy(&query);
	apol_vector_destroy(&v);
	errno = error;
	return dict;
}
Пример #5
0
/**
 * Gets a textual representation of an attribute, and 
 * all of that attribute's types.
 *
 * @param type_datum Reference to sepol type_datum
 * @param policydb Reference to a policy
 */
static PyObject* get_attr(const qpol_type_t * type_datum, const apol_policy_t * policydb)
{
	PyObject *list = NULL;
	const qpol_type_t *attr_datum = NULL;
	qpol_iterator_t *iter = NULL;
	const char *attr_name = NULL, *type_name = NULL;
	qpol_policy_t *q = apol_policy_get_qpol(policydb);
	unsigned char isattr;
	int error = 0;
	int rt = 0;
	PyObject *dict = PyDict_New(); 
	if (!dict) goto err;

	if (qpol_type_get_name(q, type_datum, &attr_name))
		goto err;

	if (py_insert_string(dict, "name", attr_name))
		goto err;

	/* get an iterator over all types this attribute has */
	if (qpol_type_get_isattr(q, type_datum, &isattr))
		goto err;

	if (isattr) {	       /* sanity check */
		if (qpol_type_get_type_iter(q, type_datum, &iter))
			goto err;
		list = PyList_New(0);
		if (!list) goto err;
		
		for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
			if (qpol_iterator_get_item(iter, (void **)&attr_datum))
				goto err;
			if (qpol_type_get_name(q, attr_datum, &type_name))
				goto err;
			if (py_append_string(list, type_name))
				goto err;
		}
		qpol_iterator_destroy(&iter);
		rt = PyDict_SetItemString(dict, "types", list);
		Py_DECREF(list); list = NULL;
		if (rt) goto err;
	} else		       /* this should never happen */
		goto err;
	goto cleanup;

err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(errno));
	py_decref(dict); dict = NULL;
	py_decref(list);

cleanup:
	qpol_iterator_destroy(&iter);
	errno =	error;
	return dict;
}
Пример #6
0
/**
 * Get a policy's MLS sensitivities.
 * If this function is given a name, it will attempt to
 * get statistics about a particular sensitivity; otherwise
 * the function gets statistics about all of the policy's
 * sensitivities.
 *
 * @param name Reference to a sensitivity's name; if NULL,
 * all sensitivities will be considered
 * @param policydb Reference to a policy
 *
 * @return 0 on success, < 0 on error.
 */
static PyObject* get_sens(const char *name, const apol_policy_t * policydb)
{
	PyObject *dict = NULL;
	int error = 0;
	int rt = 0;
	size_t i;
	char *tmp = NULL;
	const char *lvl_name = NULL;
	apol_level_query_t *query = NULL;
	apol_vector_t *v = NULL;
	const qpol_level_t *level = NULL;
	apol_mls_level_t *ap_mls_lvl = NULL;
	qpol_policy_t *q = apol_policy_get_qpol(policydb);

	query = apol_level_query_create();
	if (!query)
		goto cleanup;
	if (apol_level_query_set_sens(policydb, query, name))
		goto cleanup;
	if (apol_level_get_by_query(policydb, query, &v))
		goto cleanup;

	dict = PyDict_New();
	if (!dict) goto err;
	for (i = 0; i < apol_vector_get_size(v); i++) {
		level = apol_vector_get_element(v, i);
		if (qpol_level_get_name(q, level, &lvl_name))
			goto err;
		ap_mls_lvl = (apol_mls_level_t *) apol_mls_level_create_from_qpol_level_datum(policydb, level);
		tmp = apol_mls_level_render(policydb, ap_mls_lvl);
		apol_mls_level_destroy(&ap_mls_lvl);
		if (!tmp)
			goto cleanup;
		if (py_insert_string(dict, lvl_name, tmp))
			goto err;
		free(tmp); tmp = NULL;
		if (rt) goto err;
	}

	if (name && !apol_vector_get_size(v)) {
		goto cleanup;
	}

	goto cleanup;
err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(error));
	py_decref(dict); dict = NULL;
cleanup:
	free(tmp);
	apol_level_query_destroy(&query);
	apol_vector_destroy(&v);
	errno = error;
	return dict;
}
Пример #7
0
/**
 * Comparison function for two levels from the same policy.
 */
static int level_name_comp(const void *x, const void *y, void *arg)
{
	const qpol_level_t *s1 = x;
	const qpol_level_t *s2 = y;
	apol_policy_t *p = arg;
	qpol_policy_t *q = apol_policy_get_qpol(p);
	const char *name1, *name2;

	if (qpol_level_get_name(q, s1, &name1) < 0 || qpol_level_get_name(q, s2, &name2) < 0)
		return 0;
	return strcmp(name1, name2);
}
Пример #8
0
static PyObject* get_type( const qpol_type_t * type_datum, const apol_policy_t * policydb) {

	PyObject *obj;
	qpol_policy_t *q = apol_policy_get_qpol(policydb);
	const char *type_name = NULL;
	int error = 0;
	int rt;
	unsigned char isalias, ispermissive, isattr;
	PyObject *dict = PyDict_New(); 
	if (!dict) goto err;

	if (qpol_type_get_name(q, type_datum, &type_name))
		goto err;
	if (qpol_type_get_isalias(q, type_datum, &isalias))
		goto err;
	if (qpol_type_get_isattr(q, type_datum, &isattr))
		goto err;
	if (qpol_type_get_ispermissive(q, type_datum, &ispermissive))
		goto err;

	if (py_insert_string(dict, "name", type_name))
		goto err;

	if (py_insert_bool(dict, "permissive", ispermissive))
		goto err;

	if (!isattr && !isalias) {
		obj = get_type_attrs(type_datum, policydb);
		rt = py_insert_obj(dict, "attributes", obj);
		Py_DECREF(obj);
		if (rt) goto err;
	}

	obj = get_type_aliases(type_datum, policydb);
	rt = py_insert_obj(dict, "aliases", obj);
	Py_DECREF(obj);
	if (rt) goto err;
	goto cleanup;

err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(error));
	py_decref(dict); dict = NULL;

cleanup:
	errno = error; 
	return dict;
}
Пример #9
0
static void terule_basic_syn(void)
{
	apol_terule_query_t *tq = apol_terule_query_create();
	CU_ASSERT_PTR_NOT_NULL_FATAL(tq);

	int retval;
	retval = apol_terule_query_set_rules(sp, tq, QPOL_RULE_TYPE_TRANS | QPOL_RULE_TYPE_CHANGE | QPOL_RULE_TYPE_MEMBER);
	CU_ASSERT_EQUAL_FATAL(retval, 0);

	apol_vector_t *v = NULL;
	retval = apol_syn_terule_get_by_query(sp, tq, &v);
	CU_ASSERT_EQUAL_FATAL(retval, 0);
	CU_ASSERT_PTR_NOT_NULL(v);

	size_t num_trans = 0, num_changes = 0, num_members = 0;

	qpol_policy_t *q = apol_policy_get_qpol(sp);
	size_t i;
	for (i = 0; i < apol_vector_get_size(v); i++) {
		const qpol_syn_terule_t *syn = (const qpol_syn_terule_t *)apol_vector_get_element(v, i);
		uint32_t rule_type;
		retval = qpol_syn_terule_get_rule_type(q, syn, &rule_type);
		CU_ASSERT_EQUAL_FATAL(retval, 0);
		CU_ASSERT(rule_type == QPOL_RULE_TYPE_TRANS || rule_type == QPOL_RULE_TYPE_CHANGE ||
			  rule_type == QPOL_RULE_TYPE_MEMBER);

		if (rule_type == QPOL_RULE_TYPE_TRANS) {
			num_trans++;
		} else if (rule_type == QPOL_RULE_TYPE_CHANGE) {
			num_changes++;
		} else if (rule_type == QPOL_RULE_TYPE_MEMBER) {
			num_members++;
		}
	}
	CU_ASSERT(num_trans == 6 && num_changes == 3 && num_members == 4);
	apol_vector_destroy(&v);

	retval = apol_terule_query_append_class(sp, tq, "cursor");
	CU_ASSERT_EQUAL_FATAL(retval, 0);

	retval = apol_syn_terule_get_by_query(sp, tq, &v);
	CU_ASSERT_EQUAL_FATAL(retval, 0);
	CU_ASSERT(v != NULL && apol_vector_get_size(v) == 0);
	apol_vector_destroy(&v);
	apol_terule_query_destroy(&tq);
}
Пример #10
0
/**
 * Get statistics regarding a policy's roles.
 * If this function is given a name, it will attempt to
 * get statistics about a particular role; otherwise
 * the function get statistics about all of the policy's roles.
 *
 * @param name Reference to an role's name; if NULL,
 * all roles will be considered
 * @param policydb Reference to a policy
 *
 * @return 0 on success, < 0 on error.
 */
static PyObject*  get_roles(const char *name, const apol_policy_t * policydb)
{
	const qpol_role_t *role_datum = NULL;
	qpol_iterator_t *iter = NULL;
	qpol_policy_t *q = apol_policy_get_qpol(policydb);
	int error = 0;
	int rt;
	PyObject *obj;
	PyObject *list = PyList_New(0);
	if (!list) goto err;

	if (name != NULL) {
		if (qpol_policy_get_role_by_name(q, name, &role_datum)) {
			errno = EINVAL;
			goto err;
		}
		obj = get_role(role_datum, policydb);
		rt = py_append_obj(list, obj);
		Py_DECREF(obj); 
		if (rt) goto err;
	} else {
		if (qpol_policy_get_role_iter(q, &iter))
			goto err;

		for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
			if (qpol_iterator_get_item(iter, (void **)&role_datum))
				goto err;
			obj = get_role(role_datum, policydb);
			rt = py_append_obj(list, obj);
			Py_DECREF(obj); 
			if (rt) goto err;
		}
		qpol_iterator_destroy(&iter);
	}
	goto cleanup;

err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(errno));
	py_decref(list); list = NULL;

cleanup:
	qpol_iterator_destroy(&iter);
	errno = error;
	return list;
}
Пример #11
0
/**
 * Get the alias of a type.
 *
 * @param fp Reference to a file to which to get type information
 * @param type_datum Reference to sepol type_datum
 * @param policydb Reference to a policy
 * attributes
 */
static PyObject* get_type_aliases(const qpol_type_t * type_datum, const apol_policy_t * policydb)
{
	qpol_iterator_t *iter = NULL;
	size_t alias_size;
	unsigned char isattr, isalias;
	const char *type_name = NULL;
	const char *alias_name;
	int error = 0;
	qpol_policy_t *q = apol_policy_get_qpol(policydb);
	PyObject *list = PyList_New(0);
	if (!list) goto err;

	if (qpol_type_get_name(q, type_datum, &type_name))
		goto cleanup;
	if (qpol_type_get_isattr(q, type_datum, &isattr))
		goto cleanup;
	if (qpol_type_get_isalias(q, type_datum, &isalias))
		goto cleanup;

	if (qpol_type_get_alias_iter(q, type_datum, &iter))
		goto cleanup;
	if (qpol_iterator_get_size(iter, &alias_size))
		goto cleanup;
	if (alias_size >  0) {
		for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
			if (qpol_iterator_get_item(iter, (void **)&alias_name))
				goto err;
			if (py_append_string(list, alias_name))
				goto err;
		}
	}
	goto cleanup;

err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(errno));
	py_decref(list); list = NULL;

cleanup:
	qpol_iterator_destroy(&iter);
	errno = error;
	return list;
}
Пример #12
0
apol_vector_t *level_get_items(poldiff_t * diff, const apol_policy_t * policy)
{
	qpol_iterator_t *iter = NULL;
	apol_vector_t *v = NULL;
	qpol_policy_t *q = apol_policy_get_qpol(policy);
	int error = 0;
	if (qpol_policy_get_level_iter(q, &iter) < 0) {
		return NULL;
	}
	v = apol_vector_create_from_iter(iter, NULL);
	if (v == NULL) {
		error = errno;
		ERR(diff, "%s", strerror(error));
		qpol_iterator_destroy(&iter);
		errno = error;
		return NULL;
	}
	qpol_iterator_destroy(&iter);
	apol_vector_sort(v, level_name_comp, (void *)policy);
	return v;
}
Пример #13
0
/**
 * Display a vector of rules (either qpol_avrule_t or
 * qpol_syn_avrule_t) in the rules text buffer.
 */
static void policy_view_display_avrule_results(policy_view_t * pv, apol_vector_t * results, int is_syn_rules)
{
	apol_policy_t *policy = toplevel_get_policy(pv->top);
	qpol_policy_t *qp = apol_policy_get_qpol(policy);
	GtkTextIter start, end;
	char *string, buf[64];
	size_t i;

	gtk_text_buffer_get_start_iter(pv->rules_text, &start);
	gtk_text_buffer_get_end_iter(pv->rules_text, &end);
	gtk_text_buffer_delete(pv->rules_text, &start, &end);

	snprintf(buf, 64, "%zd rule(s) match the search criteria.\n\n", apol_vector_get_size(results));
	gtk_text_buffer_insert_with_tags_by_name(pv->rules_text, &end, buf, -1, "summary", NULL);
	for (i = 0; i < apol_vector_get_size(results); i++) {
		if (!is_syn_rules) {
			qpol_avrule_t *rule = apol_vector_get_element(results, i);
			string = apol_avrule_render(policy, rule);
		} else {
			qpol_syn_avrule_t *rule = apol_vector_get_element(results, i);
			string = apol_syn_avrule_render(policy, rule);
			unsigned long lineno;
			if (qpol_policy_has_capability(qp, QPOL_CAP_LINE_NUMBERS)) {
				qpol_syn_avrule_get_lineno(qp, rule, &lineno);
				sprintf(buf, "%ld", lineno);
				gtk_text_buffer_insert_with_tags_by_name(pv->rules_text, &end, "[", -1, "rule", NULL);
				gtk_text_buffer_insert_with_tags_by_name(pv->rules_text, &end, buf, -1, "line-number", NULL);
				gtk_text_buffer_insert_with_tags_by_name(pv->rules_text, &end, "] ", -1, "rule", NULL);
			}
		}
		if (string == NULL) {
			toplevel_ERR(pv->top, "Error displaying rule: %s", strerror(errno));
			return;
		}
		gtk_text_buffer_insert_with_tags_by_name(pv->rules_text, &end, string, -1, "rule", NULL);
		free(string);
		gtk_text_buffer_insert(pv->rules_text, &end, "\n", -1);
	}
}
Пример #14
0
/**
 * Perform the rule query within a thread.
 */
static gpointer policy_view_find_terules_runner(gpointer data)
{
	struct find_terules_datum *run = (struct find_terules_datum *)data;
	run->results = NULL;
	qpol_policy_t *q = apol_policy_get_qpol(run->policy);
	if (!qpol_policy_has_capability(q, QPOL_CAP_SYN_RULES)) {
		progress_update(run->progress, "Searching AV rules");
		run->retval = apol_avrule_get_by_query(run->policy, run->query, &run->results);
		run->is_syn_rules = 0;
	} else {
		qpol_policy_build_syn_rule_table(q);
		progress_update(run->progress, "Searching syntactic AV rules");
		run->retval = apol_syn_avrule_get_by_query(run->policy, run->query, &run->results);
		run->is_syn_rules = 1;
	}
	if (run->retval == 0) {
		progress_done(run->progress);
	} else {
		progress_abort(run->progress, NULL);
	}
	return NULL;
}
Пример #15
0
/**
 * Given a level, return a vector of its allowed categories (in the
 * form of strings).  These will be sorted in policy order.
 *
 * @param diff Policy diff error handler.
 * @param p Policy from which the level came.
 * @param level Level whose categories to get.
 *
 * @return Vector of category strings for the level.  The caller is
 * responsible for calling apol_vector_destroy().  On error, return
 * NULL.
 */
static apol_vector_t *level_get_cats(const poldiff_t * diff, const apol_policy_t * p, const qpol_level_t * level)
{
	qpol_iterator_t *iter = NULL;
	const qpol_cat_t *cat;
	const char *cat_name;
	apol_vector_t *v = NULL;
	qpol_policy_t *q = apol_policy_get_qpol(p);
	int retval = -1, error = 0;

	if ((v = apol_vector_create(NULL)) == NULL) {
		ERR(diff, "%s", strerror(errno));
		goto cleanup;
	}
	if (qpol_level_get_cat_iter(q, level, &iter) < 0) {
		goto cleanup;
	}
	for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
		if (qpol_iterator_get_item(iter, (void **)&cat) < 0 || qpol_cat_get_name(q, cat, &cat_name)) {
			error = errno;
			goto cleanup;
		}
		if (apol_vector_append(v, (void *)cat_name) < 0) {
			error = errno;
			ERR(diff, "%s", strerror(error));
			goto cleanup;
		}
	}

	retval = 0;
      cleanup:
	qpol_iterator_destroy(&iter);
	if (retval < 0) {
		apol_vector_destroy(&v);
		errno = error;
		return NULL;
	}
	return v;
}
Пример #16
0
static PyObject* get_ra_results(const apol_policy_t * policy, const apol_vector_t * v, PyObject *output)
{
	size_t i, num_rules = 0;
	qpol_policy_t *q;
	const qpol_role_allow_t *rule = NULL;
	const char *tmp;
	PyObject *obj, *dict=NULL;
	const qpol_role_t *role = NULL;
	int error = 0;
	errno = EINVAL;
	int rt;

	if (!policy || !v) {
		errno = EINVAL;
		goto err;
	}

	if (!(num_rules = apol_vector_get_size(v)))
		return NULL;

	q = apol_policy_get_qpol(policy);

	for (i = 0; i < num_rules; i++) {
		dict = PyDict_New();
		if (!dict) goto err;
		if (!(rule = apol_vector_get_element(v, i)))
			goto err;

		if (qpol_role_allow_get_source_role(q, rule, &role)) {
			goto err;
		}
		if (qpol_role_get_name(q, role, &tmp)) {
			goto err;
		}
		obj = PyUnicode_FromString(tmp);
		if (py_insert_obj(dict, "source", obj))
			goto err;

		if (qpol_role_allow_get_target_role(q, rule, &role)) {
			goto err;
		}
		if (qpol_role_get_name(q, role, &tmp)) {
			goto err;
		}
		obj = PyUnicode_FromString(tmp);
		if (py_insert_obj(dict, "target", obj))
			goto err;

		rt = py_append_obj(output, dict);
		if (rt) goto err;
		py_decref(dict); dict=NULL;
	}
	goto cleanup;
err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(error));
	py_decref(dict);

cleanup:
	errno = error;
	return output;
}
Пример #17
0
/**
 * Get statistics regarding a policy's ports.
 * If this function is given a name, it will attempt to
 * get statistics about a particular port; otherwise
 * the function get statistics about all of the policy's ports.
 *
 * @param name Reference to an port's name; if NULL,
 * all ports will be considered
 * @param policydb Reference to a policy
 *
 * @return 0 on success, < 0 on error.
 */
static PyObject*  get_ports(const char *num, const apol_policy_t * policydb)
{
	const qpol_portcon_t *portcon = NULL;
	qpol_iterator_t *iter = NULL;
	uint16_t low_port, high_port;
	uint8_t ocon_proto;
	qpol_policy_t *q = apol_policy_get_qpol(policydb);
	const qpol_context_t *ctxt = NULL;
	const char *proto_str = NULL;
	const char *type = NULL;
	const apol_mls_range_t *range = NULL;
	char *range_str = NULL;
	apol_context_t *c = NULL;
	int error = 0;
	int rt = 0;
	PyObject *dict = NULL;
	PyObject *list = PyList_New(0);
	if (!list) goto err;

	if (qpol_policy_get_portcon_iter(q, &iter))
		goto err;

	for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
		if (qpol_iterator_get_item(iter, (void **)&portcon))
			goto err;
		if (qpol_portcon_get_low_port(q, portcon, &low_port))
			goto err;
		if (qpol_portcon_get_high_port(q, portcon, &high_port))
			goto err;
		if (qpol_portcon_get_protocol(q, portcon, &ocon_proto))
			goto err;
		if (num) {
			if (atoi(num) < low_port || atoi(num) > high_port)
				continue;
		}

		if ((ocon_proto != IPPROTO_TCP) &&
		    (ocon_proto != IPPROTO_UDP)) 
			goto err;

		if (qpol_portcon_get_context(q, portcon, &ctxt)) {
			PyErr_SetString(PyExc_RuntimeError, "Could not get for port context.");
			goto err;
		}

		if ((proto_str = apol_protocol_to_str(ocon_proto)) == NULL) {
			PyErr_SetString(PyExc_RuntimeError, "Invalid protocol for port");
			goto err;
		}

		if ((c = apol_context_create_from_qpol_context(policydb, ctxt)) == NULL) {
			goto err;
		}
		
		if((type = apol_context_get_type(c)) == NULL) {
			apol_context_destroy(&c);
			goto err;
		}
			
		dict = PyDict_New(); 
		if (!dict) goto err;
		if (py_insert_string(dict, "type", type))
			goto err;

		if((range = apol_context_get_range(c)) != NULL) {
			range_str = apol_mls_range_render(policydb, range);
			if (range_str == NULL) {
				goto err;
			}
			if (py_insert_string(dict, "range", range_str))
				goto err;
		}

		if (py_insert_string(dict, "protocol", proto_str))
			goto err;

		if (py_insert_long(dict, "high", high_port))
			goto err;

		if (py_insert_long(dict, "low", low_port))
			goto err;

		rt = py_append_obj(list, dict);
		Py_DECREF(dict); dict = NULL;
		if (rt) goto err;
	}
	goto cleanup;

err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(errno));
	py_decref(list); list = NULL;
	py_decref(dict); dict = NULL;

cleanup:
	free(range_str);
	apol_context_destroy(&c);
	qpol_iterator_destroy(&iter);
	errno = error;
	return list;
}
Пример #18
0
	}
	fn_struct->fn = find_domains_get_list;
	apol_vector_append(mod->functions, fn_struct);

	return 0;
}

int find_domains_init(sechk_module_t * mod, apol_policy_t * policy, void *arg __attribute__ ((unused)))
{
	sechk_name_value_t *opt = NULL;
	find_domains_data_t *datum = NULL;
	size_t i, j;
	qpol_type_t *attr = NULL;
	apol_vector_t *attr_vector = NULL;
	apol_attr_query_t *attr_query = apol_attr_query_create();
	qpol_policy_t *q = apol_policy_get_qpol(policy);

	if (!mod || !policy) {
		ERR(policy, "%s", "Invalid parameters");
		errno = EINVAL;
		return -1;
	}
	if (strcmp(mod_name, mod->name)) {
		ERR(policy, "Wrong module (%s)", mod->name);
		errno = EINVAL;
		return -1;
	}

	datum = find_domains_data_new();
	if (!datum) {
		ERR(policy, "%s", strerror(ENOMEM));
Пример #19
0
/**
 * Prints a textual representation of an object class and possibly
 * all of that object class' permissions.
 *
 * @param fp Reference to a file to which to print object class information
 * @param type_datum Reference to sepol type_datum
 * @param policydb Reference to a policy
 * @param expand Flag indicating whether to print each object class'
 * permissions
 */
static PyObject* get_class(const qpol_class_t * class_datum, const apol_policy_t * policydb)
{
	const char *class_name = NULL, *perm_name = NULL;
	qpol_iterator_t *iter = NULL;
	const qpol_common_t *common_datum = NULL;
	qpol_policy_t *q = apol_policy_get_qpol(policydb);
	int error = 0;
	int rt;
	PyObject *list = NULL;
	PyObject *dict = PyDict_New();
	if (!dict) goto err;

	if (!class_datum)
		goto err;

	if (qpol_class_get_name(q, class_datum, &class_name))
		goto err;

	if (py_insert_string(dict, "name", class_name))
		goto err;
	/* get commons for this class */
	if (qpol_class_get_common(q, class_datum, &common_datum))
		goto err;

	list = PyList_New(0);
	if (!list) goto err;

	if (common_datum) {
		if (qpol_common_get_perm_iter(q, common_datum, &iter))
			goto err;
		/* print perms for the common */
		for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
			if (qpol_iterator_get_item(iter, (void **)&perm_name))
				goto err;
			if (py_append_string(list, perm_name))
				goto err;
		}
	}
	/* print unique perms for this class */
	if (qpol_class_get_perm_iter(q, class_datum, &iter))
		goto err;
	for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
		if (qpol_iterator_get_item(iter, (void **)&perm_name))
			goto err;
		if (py_append_string(list, perm_name))
			goto err;
	}
	rt = py_insert_obj(dict, "permlist", list);
	Py_DECREF(list); list = NULL;
	if (rt) goto err;
	qpol_iterator_destroy(&iter);
	goto cleanup;

err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(errno));
	py_decref(list); list=NULL;
	py_decref(dict); dict=NULL;

cleanup:
	errno = error;
	qpol_iterator_destroy(&iter);
	return dict;
}
Пример #20
0
apol_vector_t *apol_mls_range_get_levels(const apol_policy_t * p, const apol_mls_range_t * range)
{
	qpol_policy_t *q = apol_policy_get_qpol(p);
	apol_vector_t *v = NULL, *catv = NULL;
	const qpol_level_t *l;
	uint32_t low_value, high_value, value;
	int error = 0;
	qpol_iterator_t *iter = NULL, *catiter = NULL;

	if (p == NULL || range == NULL || range->low == NULL) {
		error = EINVAL;
		ERR(p, "%s", strerror(error));
		goto err;
	}
	apol_mls_level_t *low_level, *high_level;
	low_level = range->low;
	if (range->high == NULL) {
		high_level = low_level;
	} else {
		high_level = range->high;
	}
	if (qpol_policy_get_level_by_name(q, apol_mls_level_get_sens(low_level), &l) < 0 ||
	    qpol_level_get_value(q, l, &low_value) < 0) {
		error = errno;
		goto err;
	}
	if (qpol_policy_get_level_by_name(q, apol_mls_level_get_sens(high_level), &l) < 0 ||
	    qpol_level_get_value(q, l, &high_value) < 0) {
		error = errno;
		goto err;
	}
	assert(low_value <= high_value);
	if ((v = apol_vector_create(mls_level_free)) == NULL) {
		error = errno;
		ERR(p, "%s", strerror(error));
		goto err;
	}
	if (qpol_policy_get_level_iter(q, &iter) < 0) {
		error = errno;
		goto err;
	}
	for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
		const char *name;
		apol_mls_level_t *ml;
		if (qpol_iterator_get_item(iter, (void **)&l) < 0 ||
		    qpol_level_get_value(q, l, &value) < 0 || qpol_level_get_name(q, l, &name) < 0) {
			error = errno;
			goto err;
		}
		if (value < low_value || value > high_value) {
			continue;
		}
		if ((ml = apol_mls_level_create()) == NULL || (apol_mls_level_set_sens(p, ml, name) < 0)) {
			error = errno;
			apol_mls_level_destroy(&ml);
			ERR(p, "%s", strerror(error));
			goto err;
		}

		if (qpol_level_get_cat_iter(q, l, &catiter) < 0 || (catv = apol_vector_create_from_iter(catiter, NULL)) == NULL) {
			error = errno;
			goto err;
		}

		const apol_vector_t *high_cats = apol_mls_level_get_cats(high_level);
		for (size_t i = 0; i < apol_vector_get_size(high_cats); i++) {
			char *cat_name = apol_vector_get_element(high_cats, i);

			size_t j;
			/* do not add categories that are not members of
			   the level */
			if (apol_vector_get_index(catv, cat_name, mls_level_name_to_cat_comp, q, &j) < 0) {
				/* this category is not legal under the given policy */
				continue;
			}
			if (apol_mls_level_append_cats(p, ml, cat_name) < 0) {
				error = errno;
				apol_mls_level_destroy(&ml);
				ERR(p, "%s", strerror(error));
				goto err;
			}
		}

		qpol_iterator_destroy(&catiter);
		apol_vector_destroy(&catv);

		if (apol_vector_append(v, ml) < 0) {
			error = errno;
			apol_mls_level_destroy(&ml);
			ERR(p, "%s", strerror(error));
			goto err;
		}
	}
	apol_vector_sort(v, mls_range_comp, q);
	qpol_iterator_destroy(&iter);
	qpol_iterator_destroy(&catiter);
	apol_vector_destroy(&catv);
	return v;
      err:
	qpol_iterator_destroy(&iter);
	qpol_iterator_destroy(&catiter);
	apol_vector_destroy(&v);
	apol_vector_destroy(&catv);
	errno = error;
	return NULL;
}
Пример #21
0
static PyObject* get_av_results(const apol_policy_t * policy, const apol_vector_t * v, PyObject *output)
{
	PyObject *obj, *dict=NULL;
	PyObject *permlist = NULL;
	PyObject *boollist = NULL;
	uint32_t rule_type = 0;
	int rt;
	int error = 0;
	qpol_policy_t *q;
	size_t i, num_rules = 0;
	const qpol_avrule_t *rule = NULL;
	char *tmp = NULL, *rule_str = NULL;
	qpol_cond_expr_node_t *expr = NULL;
	qpol_iterator_t *iter = NULL;
	const qpol_cond_t *cond = NULL;
	uint32_t enabled = 0;
	const qpol_type_t *type;
	const char *tmp_name;
	const qpol_class_t *obj_class = NULL;

	if (!policy || !v) {
		errno = EINVAL;
		goto err;
	}

	if (!(num_rules = apol_vector_get_size(v)))
		return NULL;

	q = apol_policy_get_qpol(policy);

	for (i = 0; i < num_rules; i++) {
		if (!(rule = apol_vector_get_element(v, i)))
			goto err;

		dict = PyDict_New();
		if (!dict) goto err;

		if (qpol_avrule_get_rule_type(q, rule, &rule_type))
			goto err;

		if (!(tmp_name = apol_rule_type_to_str(rule_type))) {
			PyErr_SetString(PyExc_RuntimeError, "Could not get TE rule type's string");
			errno = EINVAL;
			goto err;
		}

		if (py_insert_string(dict, "type", tmp_name))
			goto err;

		if (qpol_avrule_get_source_type(q, rule, &type)) {
			goto err;
		}

		if (qpol_type_get_name(q, type, &tmp_name)) {
			goto err;
		}

		if (py_insert_string(dict, "source", tmp_name))
			goto err;

		if (qpol_avrule_get_target_type(q, rule, &type)) {
			goto err;
		}
		if (qpol_type_get_name(q, type, &tmp_name)) {
			goto err;
		}

		if (py_insert_string(dict, "target", tmp_name))
			goto err;

		if (qpol_avrule_get_object_class(q, rule, &obj_class)) {
			goto err;
		}
		if (qpol_class_get_name(q, obj_class, &tmp_name)) {
			goto err;
		}

		if (py_insert_string(dict, "class", tmp_name))
			goto err;

		if (qpol_avrule_get_perm_iter(q, rule, &iter)) {
			goto err;
		}

		permlist = PyList_New(0);
		if (! permlist) goto err;

		for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
			const char *perm_name = NULL;
			if (qpol_iterator_get_item(iter, (void **)&perm_name))
				goto err;
			if (py_append_string(permlist, perm_name))
				goto err;
		}

		rt = PyDict_SetItemString(dict, "permlist", permlist);
		py_decref(permlist); permlist=NULL;
		if (rt) goto err;

		if (qpol_avrule_get_cond(q, rule, &cond))
			goto err;
		if (qpol_avrule_get_is_enabled(q, rule, &enabled))
			goto err;

		obj = PyBool_FromLong(enabled);
		rt = PyDict_SetItemString(dict, "enabled", obj);
		py_decref(obj);

		if (cond) {
			obj = get_bool(q, cond, enabled);
			if (!obj) goto err;
			rt = PyDict_SetItemString(dict, "boolean", obj);
			py_decref(obj);
		}

		rt = py_append_obj(output, dict);
		py_decref(dict); dict=NULL;
		if (rt) goto err;

		free(rule_str);	rule_str = NULL;
		free(expr); expr = NULL;
	}
	goto cleanup;

err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(errno));
	py_decref(dict);
	py_decref(permlist);
	py_decref(boollist);

cleanup:
	free(tmp);
	free(rule_str);
	free(expr);
	errno = error;
	return output;
}
Пример #22
0
static PyObject* get_ft_results(const apol_policy_t * policy, const apol_vector_t * v, PyObject *list)
{
	PyObject *dict = NULL;
	size_t i, num_filename_trans = 0;
	const char *tmp_name;
	int error = 0;
	int rt;
	const qpol_filename_trans_t *filename_trans = NULL;
	const qpol_class_t *obj_class = NULL;
	char *tmp = NULL, *filename_trans_str = NULL, *expr = NULL;
	qpol_policy_t *q;
	const qpol_type_t *type = NULL;

	if (!policy || !v) {
		errno = EINVAL;
		goto err;
	}

	if (!(num_filename_trans = apol_vector_get_size(v)))
		return NULL;

	q = apol_policy_get_qpol(policy);

	for (i = 0; i < num_filename_trans; i++) {
		if (!(filename_trans = apol_vector_get_element(v, i)))
			goto err;

		dict = PyDict_New();
		if (!dict) goto err;

		if (py_insert_string(dict, "type", "type_transition"))
			goto err;

		/* source type */
		if (qpol_filename_trans_get_source_type(q, filename_trans, &type)) {
			goto err;
		}
		if (qpol_type_get_name(q, type, &tmp_name)) {
			goto err;
		}

		if (py_insert_string(dict, "source", tmp_name))
			goto err;

		if (qpol_filename_trans_get_target_type(q, filename_trans, &type))
			goto err;

		if (qpol_type_get_name(q, type, &tmp_name))
			goto err;

		if (py_insert_string(dict, "target", tmp_name))
			goto err;

		if (qpol_filename_trans_get_object_class(q, filename_trans, &obj_class))
			goto err;

		if (qpol_class_get_name(q, obj_class, &tmp_name))
			goto err;

		if (py_insert_string(dict, "class", tmp_name))
			goto err;

		if (qpol_filename_trans_get_default_type(q, filename_trans, &type))
			goto err;
		if (qpol_type_get_name(q, type, &tmp_name))
			goto err;
		if (py_insert_string(dict, "transtype", tmp_name))
			goto err;

		if (! qpol_filename_trans_get_filename(q, filename_trans, &tmp_name)) {
			if (py_insert_string(dict, "filename", tmp_name))
				goto err;
		}

		rt = py_append_obj(list, dict);
		dict = NULL;
		if (rt) goto err;

		free(filename_trans_str); filename_trans_str = NULL;
		free(expr); expr = NULL;
	}
	goto cleanup;

err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(errno));
	py_decref(dict);
cleanup:
	free(tmp);
	free(filename_trans_str);
	free(expr);
	errno = error;
	return list;
}
Пример #23
0
bool sechk_lib_check_requirement(sechk_name_value_t * req, sechk_lib_t * lib)
{
	struct stat stat_buf;

	if (!req) {
		fprintf(stderr, "Error: invalid requirement\n");
		errno = EINVAL;
		return false;
	}

	if (!lib || !lib->policy) {
		fprintf(stderr, "Error: invalid library\n");
		errno = EINVAL;
		return false;
	}

	if (!strcmp(req->name, SECHK_REQ_POLICY_CAP)) {
		if (!strcmp(req->value, SECHK_REQ_CAP_ATTRIB_NAMES)) {
			if (!qpol_policy_has_capability(apol_policy_get_qpol(lib->policy), QPOL_CAP_ATTRIB_NAMES)) {
				if (lib->outputformat & ~(SECHK_OUT_QUIET)) {
					ERR(lib->policy, "Requirement %s, %s not met.", req->name, req->value);
				}
				return false;
			}
		} else if (!strcmp(req->value, SECHK_REQ_CAP_MLS)) {
			if (!qpol_policy_has_capability(apol_policy_get_qpol(lib->policy), QPOL_CAP_MLS)) {
				if (lib->outputformat & ~(SECHK_OUT_QUIET)) {
					ERR(lib->policy, "Requirement %s, %s not met.", req->name, req->value);
				}
				return false;
			}
		} else if (!strcmp(req->value, SECHK_REQ_CAP_SYN_RULES)) {
			if (!qpol_policy_has_capability(apol_policy_get_qpol(lib->policy), QPOL_CAP_SYN_RULES)) {
				if (lib->outputformat & ~(SECHK_OUT_QUIET)) {
					ERR(lib->policy, "Requirement %s, %s not met.", req->name, req->value);
				}
				return false;
			}
		} else if (!strcmp(req->value, SECHK_REQ_CAP_RULES_LOADED)) {
			if (!qpol_policy_has_capability(apol_policy_get_qpol(lib->policy), QPOL_CAP_RULES_LOADED)) {
				if (lib->outputformat & ~(SECHK_OUT_QUIET)) {
					ERR(lib->policy, "Requirement %s, %s not met.", req->name, req->value);
				}
				return false;
			}
		} else if (!strcmp(req->value, SECHK_REQ_CAP_LINE_NOS)) {
			if (!qpol_policy_has_capability(apol_policy_get_qpol(lib->policy), QPOL_CAP_LINE_NUMBERS)) {
				if (lib->outputformat & ~(SECHK_OUT_QUIET)) {
					ERR(lib->policy, "Requirement %s, %s not met.", req->name, req->value);
				}
				return false;
			}
		} else if (!strcmp(req->value, SECHK_REQ_CAP_CONDITIONALS)) {
			if (!qpol_policy_has_capability(apol_policy_get_qpol(lib->policy), QPOL_CAP_CONDITIONALS)) {
				if (lib->outputformat & ~(SECHK_OUT_QUIET)) {
					ERR(lib->policy, "Requirement %s, %s not met.", req->name, req->value);
				}
				return false;
			}
		} else if (!strcmp(req->value, SECHK_REQ_CAP_MODULES)) {
			if (!qpol_policy_has_capability(apol_policy_get_qpol(lib->policy), QPOL_CAP_MODULES)) {
				if (lib->outputformat & ~(SECHK_OUT_QUIET)) {
					ERR(lib->policy, "Requirement %s, %s not met.", req->name, req->value);
				}
				return false;
			}
		} else {
			ERR(lib->policy, "Unknown requirement: %s, %s", req->name, req->value);
			return false;
		}
	} else if (!strcmp(req->name, SECHK_REQ_DEFAULT_CONTEXTS)) {
#ifdef LIBSELINUX
		if (stat(selinux_default_context_path(), &stat_buf) < 0) {
			if (lib->outputformat & ~(SECHK_OUT_QUIET)) {
				ERR(lib->policy, "Requirement %s not met.", req->name);
			}
			return false;
		}
#else
		if (lib->outputformat & ~(SECHK_OUT_QUIET)) {
			ERR(lib->policy, "Checking requirement %s: %s", req->name, strerror(ENOTSUP));
		}
		return false;
#endif
	} else if (!strcmp(req->name, SECHK_REQ_FILE_CONTEXTS)) {
		if (!lib->fc_entries || !apol_vector_get_size(lib->fc_entries)) {
			if (lib->outputformat & ~(SECHK_OUT_QUIET)) {
				ERR(lib->policy, "Requirement %s not met.", req->name);
			}
		}
	} else if (!strcmp(req->name, SECHK_REQ_SYSTEM)) {
		if (!strcmp(req->value, SECHK_REQ_SYS_SELINUX)) {
#ifdef LIBSELINUX
			if (!is_selinux_mls_enabled() || !is_selinux_enabled()) {
				if (lib->outputformat & ~(SECHK_OUT_QUIET))
					ERR(lib->policy, "Requirement %s, %s not met.", req->name, req->value);
				return false;
			}
#else
			if (lib->outputformat & ~(SECHK_OUT_QUIET))
				ERR(lib->policy, "Checking requirement %s, %s: %s", req->name, req->value, strerror(ENOTSUP));
			return false;
#endif
		} else if (!strcmp(req->value, SECHK_REQ_SYS_MLS)) {
#ifdef LIBSELINUX
			if (!is_selinux_mls_enabled() || !is_selinux_enabled()) {
				if (lib->outputformat & ~(SECHK_OUT_QUIET))
					ERR(lib->policy, "Requirement %s, %s not met.", req->name, req->value);
				return false;
			}
#else
			if (lib->outputformat & ~(SECHK_OUT_QUIET))
				ERR(lib->policy, "Checking requirement %s, %s: %s", req->name, req->value, strerror(ENOTSUP));
			return false;
#endif
		} else {
			ERR(lib->policy, "Unknown requirement: %s, %s", req->name, req->value);
			return false;
		}
	} else {
		ERR(lib->policy, "Unknown requirement: %s, %s", req->name, req->value);
		return false;
	}

	return true;
}
Пример #24
0
static int perform_te_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v)
{
	apol_terule_query_t *teq = NULL;
	unsigned int rules = 0;
	int error = 0;
	size_t i;

	if (!policy || !opt || !v) {
		PyErr_SetString(PyExc_RuntimeError,strerror(EINVAL));
		errno = EINVAL;
		return -1;
	}

	if (opt->all || opt->type) {
		rules = (QPOL_RULE_TYPE_TRANS | QPOL_RULE_TYPE_CHANGE | QPOL_RULE_TYPE_MEMBER);
	} else {
		*v = NULL;
		return 0;	       /* no search to do */
	}

	teq = apol_terule_query_create();
	if (!teq) {
		PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
		errno = ENOMEM;
		return -1;
	}

	apol_terule_query_set_rules(policy, teq, rules);
	apol_terule_query_set_regex(policy, teq, opt->useregex);

	if (opt->src_name)
		apol_terule_query_set_source(policy, teq, opt->src_name, opt->indirect);
	if (opt->tgt_name)
		apol_terule_query_set_target(policy, teq, opt->tgt_name, opt->indirect);
	if (opt->bool_name)
		apol_terule_query_set_bool(policy, teq, opt->bool_name);
	if (opt->class_name) {
		if (opt->class_vector == NULL) {
			if (apol_terule_query_append_class(policy, teq, opt->class_name)) {
				error = errno;
				goto err;
			}
		} else {
			for (i = 0; i < apol_vector_get_size(opt->class_vector); ++i) {
				char *class_name;
				class_name = apol_vector_get_element(opt->class_vector, i);
				if (!class_name)
					continue;
				if (apol_terule_query_append_class(policy, teq, class_name)) {
					error = errno;
					goto err;
				}
			}
		}
	}

	if (!(opt->semantic) && qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_SYN_RULES)) {
		if (apol_syn_terule_get_by_query(policy, teq, v)) {
			goto err;
		}
	} else {
		if (apol_terule_get_by_query(policy, teq, v)) {
			goto err;
		}
	}

	apol_terule_query_destroy(&teq);
	return 0;

err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(error));
	apol_vector_destroy(v);
	apol_terule_query_destroy(&teq);
	errno = error;
	return -1;
}
Пример #25
0
static PyObject* get_te_results(const apol_policy_t * policy, const apol_vector_t * v, PyObject *output)
{
	int error = 0;
	int rt = 0;
	PyObject *obj, *dict=NULL, *tuple = NULL;
	qpol_policy_t *q;
	uint32_t rule_type = 0;
	const qpol_type_t *type;
	size_t i, num_rules = 0;
	const qpol_terule_t *rule = NULL;
	char *tmp = NULL, *rule_str = NULL, *expr = NULL;
	const qpol_cond_t *cond = NULL;
	uint32_t enabled = 0;
	const char *tmp_name;
	const qpol_class_t *obj_class = NULL;

	if (!policy || !v) {
		errno = EINVAL;
		goto err;
	}

	if (!(num_rules = apol_vector_get_size(v)))
		return NULL;

	q = apol_policy_get_qpol(policy);

	for (i = 0; i < num_rules; i++) {
		dict = PyDict_New();
		if (!dict) goto err;
		if (!(rule = apol_vector_get_element(v, i)))
			goto err;
		if (qpol_terule_get_cond(q, rule, &cond))
			goto err;
		if (qpol_terule_get_is_enabled(q, rule, &enabled))
			goto err;

		if (cond) {
			obj = get_bool(q, cond, enabled);
			if (!obj) goto err;
			rt = PyDict_SetItemString(dict, "boolean", obj);
			py_decref(obj);
		}

		if (qpol_terule_get_rule_type(q, rule, &rule_type))
			goto err;

		if (!(rule_type &= (QPOL_RULE_TYPE_TRANS | QPOL_RULE_TYPE_CHANGE | QPOL_RULE_TYPE_MEMBER))) {
			PyErr_SetString(PyExc_RuntimeError,"Invalid TE rule type");
			errno = EINVAL;
			goto err;
		}
		if (!(tmp_name = apol_rule_type_to_str(rule_type))) {
			PyErr_SetString(PyExc_RuntimeError, "Could not get TE rule type's string");
			errno = EINVAL;
			goto err;
		}

		if (py_insert_string(dict, "type", tmp_name))
			goto err;

		if (qpol_terule_get_source_type(q, rule, &type))
			goto err;
		if (qpol_type_get_name(q, type, &tmp_name))
			goto err;
		if (py_insert_string(dict, "source", tmp_name))
			goto err;

		if (qpol_terule_get_target_type(q, rule, &type))
			goto err;
		if (qpol_type_get_name(q, type, &tmp_name))
			goto err;
		if (py_insert_string(dict, "target", tmp_name))
			goto err;

		if (qpol_terule_get_object_class(q, rule, &obj_class))
			goto err;
		if (qpol_class_get_name(q, obj_class, &tmp_name))
			goto err;
		if (py_insert_string(dict, "class", tmp_name))
			goto err;

		if (qpol_terule_get_default_type(q, rule, &type))
			goto err;
		if (qpol_type_get_name(q, type, &tmp_name))
			goto err;
		if (py_insert_string(dict, "transtype", tmp_name))
			goto err;

		rt = py_append_obj(output, dict);
		dict = NULL;
		if(rt) goto err;

		free(rule_str);	rule_str = NULL;
		free(expr); expr = NULL;
	}
	goto cleanup;

err:
	error = errno;
	py_decref(dict);
	py_decref(tuple);
	PyErr_SetString(PyExc_RuntimeError,strerror(error));
cleanup:
	free(tmp);
	free(rule_str);
	free(expr);
	errno = error;
	return output;
}
Пример #26
0
/**
 * get a textual representation of a role, and 
 * all of that role's types.
 *
 * @param type_datum Reference to sepol type_datum
 * @param policydb Reference to a policy
 * types
 */
static PyObject* get_role(const qpol_role_t * role_datum, const apol_policy_t * policydb)
{
	const char *role_name = NULL, *type_name = NULL;
	const qpol_role_t *dom_datum = NULL;
	const qpol_type_t *type_datum = NULL;
	qpol_iterator_t *iter = NULL;
	qpol_policy_t *q = apol_policy_get_qpol(policydb);
	size_t n_dom = 0, n_types = 0;
	int error = 0;
	int rt;
	PyObject *list = NULL;
	PyObject *dict = PyDict_New();
	if (!dict) goto err;

	if (qpol_role_get_name(q, role_datum, &role_name))
		goto err;
	if (py_insert_string(dict, "name", role_name))
		goto err;

	if (qpol_role_get_dominate_iter(q, role_datum, &iter))
		goto err;
	if (qpol_iterator_get_size(iter, &n_dom))
		goto err;
	if ((int)n_dom > 0) {
		list = PyList_New(0);
		if (!list) goto err;
		for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
			if (qpol_iterator_get_item(iter, (void **)&dom_datum))
				goto err;
			if (qpol_role_get_name(q, dom_datum, &role_name))
				goto err;
			if (py_append_string(list, role_name))
				goto err;
		}
		rt = py_insert_obj(dict, "roles", list);
		Py_DECREF(list); list = NULL;
		if (rt) goto err;
	}
	qpol_iterator_destroy(&iter);
	
	if (qpol_role_get_type_iter(q, role_datum, &iter))
		goto err;
	if (qpol_iterator_get_size(iter, &n_types))
		goto err;
	if ((int)n_types > 0) {
		list = PyList_New(0);
		if (!list) goto err;
		for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
			if (qpol_iterator_get_item(iter, (void **)&type_datum))
				goto err;
			if (qpol_type_get_name(q, type_datum, &type_name))
				goto err;
			if (py_append_string(list, type_name))
				goto err;
		}
		rt = py_insert_obj(dict, "types", list);
		Py_DECREF(list); list = NULL;
		if (rt) goto err;
	}
	goto cleanup;

err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(errno));
	py_decref(list); list = NULL;
	py_decref(dict); dict = NULL;

cleanup:
	qpol_iterator_destroy(&iter);
	errno =	error;
	return dict;
}
Пример #27
0
static int perform_av_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v)
{
	apol_avrule_query_t *avq = NULL;
	unsigned int rules = 0;
	int error = 0;
	char *tmp = NULL, *tok = NULL, *s = NULL;

	if (!policy || !opt || !v) {
		PyErr_SetString(PyExc_RuntimeError,strerror(EINVAL));
		errno = EINVAL;
		return -1;
	}

	if (!opt->all && !opt->allow && !opt->nallow && !opt->auditallow && !opt->dontaudit) {
		*v = NULL;
		return 0;	       /* no search to do */
	}

	avq = apol_avrule_query_create();
	if (!avq) {
		PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
		errno = ENOMEM;
		return -1;
	}

	if (opt->allow || opt->all)
		rules |= QPOL_RULE_ALLOW;
	if (opt->nallow || opt->all)	// Add this regardless of policy capabilities
		rules |= QPOL_RULE_NEVERALLOW;
	if (opt->auditallow || opt->all)
		rules |= QPOL_RULE_AUDITALLOW;
	if (opt->dontaudit || opt->all)
		rules |= QPOL_RULE_DONTAUDIT;
	if (rules != 0)	// Setting rules = 0 means you want all the rules
		apol_avrule_query_set_rules(policy, avq, rules);
	apol_avrule_query_set_regex(policy, avq, opt->useregex);
	if (opt->src_name)
		apol_avrule_query_set_source(policy, avq, opt->src_name, opt->indirect);
	if (opt->tgt_name)
		apol_avrule_query_set_target(policy, avq, opt->tgt_name, opt->indirect);
	if (opt->bool_name)
		apol_avrule_query_set_bool(policy, avq, opt->bool_name);
	if (opt->class_name) {
		if (opt->class_vector == NULL) {
			if (apol_avrule_query_append_class(policy, avq, opt->class_name)) {
				goto err;
			}
		} else {
			size_t i;
	    for (i = 0; i < apol_vector_get_size(opt->class_vector); ++i) {
				char *class_name;
				class_name = apol_vector_get_element(opt->class_vector, i);
				if (!class_name)
					continue;
				if (apol_avrule_query_append_class(policy, avq, class_name)) {
					goto err;
				}
			}
		}
	}

	if (opt->permlist) {
		tmp = strdup(opt->permlist);
		for (tok = strtok(tmp, ","); tok; tok = strtok(NULL, ",")) {
			if (apol_avrule_query_append_perm(policy, avq, tok)) {
				goto err;
			}
			if ((s = strdup(tok)) == NULL || apol_vector_append(opt->perm_vector, s) < 0) {
				goto err;
			}
			s = NULL;
		}
		free(tmp);
		tmp = NULL;
	}

	if (!(opt->semantic) && qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_SYN_RULES)) {
		if (apol_syn_avrule_get_by_query(policy, avq, v)) {
			goto err;
		}
	} else {
		if (apol_avrule_get_by_query(policy, avq, v)) {
			goto err;
		}
	}

	apol_avrule_query_destroy(&avq);
	return 0;

err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(error));
	apol_vector_destroy(v);
	apol_avrule_query_destroy(&avq);
	free(tmp);
	free(s);
	errno = error;
	return -1;
}
Пример #28
0
/**
 * Gets statistics regarding a policy's booleans.
 * If this function is given a name, it will attempt to
 * get statistics about a particular boolean; otherwise
 * the function gets statistics about all of the policy's booleans.
 *
 * @param fp Reference to a file to which to print statistics
 * @param name Reference to a boolean's name; if NULL,
 * all booleans will be considered
 * @param expand Flag indicating whether to print each
 * boolean's default state
 * @param policydb Reference to a policy
 *
 * @return new reference, or NULL (setting an exception)
 */
static PyObject* get_booleans(const char *name, const apol_policy_t * policydb)
{
	PyObject *dict = NULL;
	int error = 0;
	int rt = 0;
	const char *bool_name = NULL;
	int state;
	qpol_bool_t *bool_datum = NULL;
	qpol_iterator_t *iter = NULL;
	qpol_policy_t *q = apol_policy_get_qpol(policydb);
	size_t n_bools = 0;
	PyObject *list = PyList_New(0);
	if (!list) goto err;

	if (name != NULL) {
		if (qpol_policy_get_bool_by_name(q, name, &bool_datum))
			goto err;
		if (qpol_bool_get_state(q, bool_datum, &state))
			goto err;

		dict = PyDict_New(); 
		if (!dict) goto err;
		if (py_insert_string(dict, "name", name))
			goto err;
		if (py_insert_bool(dict, "name", state))
			goto err;
		rt = py_append_obj(list, dict);
		Py_DECREF(dict); dict = NULL;
		if (rt) goto err;
	} else {
		if (qpol_policy_get_bool_iter(q, &iter))
			goto err;
		if (qpol_iterator_get_size(iter, &n_bools))
			goto err;
		for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
			if (qpol_iterator_get_item(iter, (void **)&bool_datum))
				goto err;
			if (qpol_bool_get_name(q, bool_datum, &bool_name))
				goto err;
			if (qpol_bool_get_state(q, bool_datum, &state))
				goto err;

			dict = PyDict_New(); 
			if (!dict) goto err;
			if (py_insert_string(dict, "name", bool_name))
				goto err;
			if (py_insert_bool(dict, "state", state))
				goto err;
			rt = py_append_obj(list, dict);
			Py_DECREF(dict); dict = NULL;
			if (rt) goto err;
		}
		qpol_iterator_destroy(&iter);
	}
	goto cleanup;

err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(error));
	py_decref(list); list = NULL;
	py_decref(dict); dict = NULL;

cleanup:
	qpol_iterator_destroy(&iter);
	errno = error; 
	return list;
}
Пример #29
0
PyObject* search(bool allow,
		 bool neverallow,
		 bool auditallow,
		 bool dontaudit,
		 bool transition,
		 bool role_allow,
		 const char *src_name,
		 const char *tgt_name,
		 const char *class_name,
		 const char *permlist
	)
{
	options_t cmd_opts;
	PyObject *output = NULL;
	apol_vector_t *v = NULL;

	memset(&cmd_opts, 0, sizeof(cmd_opts));
	cmd_opts.indirect = true;
	cmd_opts.show_cond = true;
	cmd_opts.allow = allow;
	cmd_opts.nallow = neverallow;
	cmd_opts.auditallow = auditallow;
	cmd_opts.dontaudit = dontaudit;
	cmd_opts.type = transition;
	cmd_opts.role_allow = role_allow;
	if (src_name)
		cmd_opts.src_name = strdup(src_name);
	if (tgt_name)
		cmd_opts.tgt_name = strdup(tgt_name);
	if (class_name)
		cmd_opts.class_name = strdup(class_name);
	if (permlist){
		cmd_opts.perm_vector = apol_vector_create(free);
		cmd_opts.permlist = strdup(permlist);
	}
	if (!cmd_opts.semantic && qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_SYN_RULES)) {
		if (qpol_policy_build_syn_rule_table(apol_policy_get_qpol(policy))) {
			PyErr_SetString(PyExc_RuntimeError,"Query failed");
			goto cleanup;
		}
	}

	/* if syntactic rules are not available always do semantic search */
	if (!qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_SYN_RULES)) {
		cmd_opts.semantic = 1;
	}

	/* supress line numbers if doing semantic search or not available */
	if (cmd_opts.semantic || !qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_LINE_NUMBERS)) {
		cmd_opts.lineno = 0;
	}
	if (perform_av_query(policy, &cmd_opts, &v)) {
		goto cleanup;
	}
	output = PyList_New(0);
	if (!output)
		goto cleanup;

	if (v) {
		get_av_results(policy, v, output);
	}

	apol_vector_destroy(&v);
	if (perform_te_query(policy, &cmd_opts, &v)) {
		goto cleanup;
	}
	if (v) {
		get_te_results(policy, v, output);
	}

	if (cmd_opts.all || cmd_opts.type) {
		apol_vector_destroy(&v);
		if (perform_ft_query(policy, &cmd_opts, &v)) {
			goto cleanup;
		}

		if (v) {
			get_ft_results(policy, v, output);
		}
	}

	if (cmd_opts.all || cmd_opts.role_allow) {
		apol_vector_destroy(&v);
		if (perform_ra_query(policy, &cmd_opts, &v)) {
			goto cleanup;
		}

		if (v) {
			get_ra_results(policy, v, output);
		}
	}

	apol_vector_destroy(&v);

      cleanup:
	free(cmd_opts.src_name);
	free(cmd_opts.tgt_name);
	free(cmd_opts.class_name);
	free(cmd_opts.permlist);
	free(cmd_opts.bool_name);
	free(cmd_opts.src_role_name);
	free(cmd_opts.tgt_role_name);
	apol_vector_destroy(&cmd_opts.perm_vector);
	apol_vector_destroy(&cmd_opts.class_vector);

	if (output && PyList_GET_SIZE(output) == 0) {
		py_decref(output);
		return Py_None;
	}
	return output;
}
Пример #30
0
/**
 * Gets a textual representation of a user, and
 * all of that user's roles.
 *
 * @param type_datum Reference to sepol type_datum
 * @param policydb Reference to a policy
 * roles
 */
static PyObject* get_user(const qpol_user_t * user_datum, const apol_policy_t * policydb)
{
	int error = 0;
	int rt;
	const qpol_role_t *role_datum = NULL;
	qpol_iterator_t *iter = NULL;
	const qpol_mls_range_t *range = NULL;
	const qpol_mls_level_t *dflt_level = NULL;
	apol_mls_level_t *ap_lvl = NULL;
	apol_mls_range_t *ap_range = NULL;
	qpol_policy_t *q = apol_policy_get_qpol(policydb);
	char *tmp = NULL;
	const char *user_name, *role_name;
	PyObject *dict = NULL;
	PyObject *list = PyList_New(0);
	if (!list) goto err;

	if (qpol_user_get_name(q, user_datum, &user_name))
		goto err;

	dict = PyDict_New(); 
	if (!dict) goto err;

	if (py_insert_string(dict, "name", user_name))
		goto err;

	if (qpol_policy_has_capability(q, QPOL_CAP_MLS)) {
		if (qpol_user_get_dfltlevel(q, user_datum, &dflt_level))
			goto err;
		ap_lvl = apol_mls_level_create_from_qpol_mls_level(policydb, dflt_level);
		tmp = apol_mls_level_render(policydb, ap_lvl);
		if (!tmp) goto err;
		if (py_insert_string(dict, "level", tmp))
		    goto err;
		free(tmp); tmp = NULL;

		if (qpol_user_get_range(q, user_datum, &range))
			goto err;
		ap_range = apol_mls_range_create_from_qpol_mls_range(policydb, range);
		tmp = apol_mls_range_render(policydb, ap_range);
		if (!tmp) goto err;
		if (py_insert_string(dict, "range", tmp))
		    goto err;
		free(tmp); tmp=NULL;
	}
	
	if (qpol_user_get_role_iter(q, user_datum, &iter))
		goto err;
	for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
		if (qpol_iterator_get_item(iter, (void **)&role_datum))
			goto err;
		if (qpol_role_get_name(q, role_datum, &role_name))
			goto err;
		if (py_append_string(list, role_name))
			goto err;
	}

	rt = py_insert_obj(dict, "roles", list);
	Py_DECREF(list); list=NULL;
	if (rt) goto err;
	goto cleanup;

err:
	error = errno;
	PyErr_SetString(PyExc_RuntimeError,strerror(errno));
	py_decref(list); list=NULL;
	py_decref(dict); dict=NULL;

cleanup:
	free(tmp);
	qpol_iterator_destroy(&iter);
	apol_mls_level_destroy(&ap_lvl);
	apol_mls_range_destroy(&ap_range);
	errno = error;
	return dict;
}