mirror of
https://github.com/SELinuxProject/setools
synced 2025-03-11 07:18:15 +00:00
RoleAllow/Transition: Convert to direct sepol structure access.
This commit is contained in:
parent
f3f174df9e
commit
71cfccce06
@ -1,381 +0,0 @@
|
|||||||
/**
|
|
||||||
* @file
|
|
||||||
* Defines public interface for iterating over RBAC rules.
|
|
||||||
*
|
|
||||||
* @author Jeremy A. Mowery jmowery@tresys.com
|
|
||||||
* @author Jason Tang jtang@tresys.com
|
|
||||||
*
|
|
||||||
* Copyright (C) 2006-2007 Tresys Technology, LLC
|
|
||||||
*
|
|
||||||
* This library is free software; you can redistribute it and/or
|
|
||||||
* modify it under the terms of the GNU Lesser General Public
|
|
||||||
* License as published by the Free Software Foundation; either
|
|
||||||
* version 2.1 of the License, or (at your option) any later version.
|
|
||||||
*
|
|
||||||
* This library is distributed in the hope that it will be useful,
|
|
||||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
||||||
* Lesser General Public License for more details.
|
|
||||||
*
|
|
||||||
* You should have received a copy of the GNU Lesser General Public
|
|
||||||
* License along with this library; if not, write to the Free Software
|
|
||||||
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
||||||
*/
|
|
||||||
|
|
||||||
#include <qpol/iterator.h>
|
|
||||||
#include <qpol/policy.h>
|
|
||||||
#include <qpol/rbacrule_query.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include "iterator_internal.h"
|
|
||||||
#include "qpol_internal.h"
|
|
||||||
#include <sepol/policydb/policydb.h>
|
|
||||||
|
|
||||||
typedef struct role_allow_state
|
|
||||||
{
|
|
||||||
role_allow_t *head;
|
|
||||||
role_allow_t *cur;
|
|
||||||
} role_allow_state_t;
|
|
||||||
|
|
||||||
static int role_allow_state_end(const qpol_iterator_t * iter)
|
|
||||||
{
|
|
||||||
role_allow_state_t *ras = NULL;
|
|
||||||
|
|
||||||
if (!iter || !(ras = qpol_iterator_state(iter))) {
|
|
||||||
errno = EINVAL;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
return ras->cur ? 0 : 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void *role_allow_state_get_cur(const qpol_iterator_t * iter)
|
|
||||||
{
|
|
||||||
role_allow_state_t *ras = NULL;
|
|
||||||
const policydb_t *db = NULL;
|
|
||||||
|
|
||||||
if (!iter || !(ras = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter)) || role_allow_state_end(iter)) {
|
|
||||||
errno = EINVAL;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
return ras->cur;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int role_allow_state_next(qpol_iterator_t * iter)
|
|
||||||
{
|
|
||||||
role_allow_state_t *ras = NULL;
|
|
||||||
const policydb_t *db = NULL;
|
|
||||||
|
|
||||||
if (!iter || !(ras = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter))) {
|
|
||||||
errno = EINVAL;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (role_allow_state_end(iter)) {
|
|
||||||
errno = ERANGE;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
ras->cur = ras->cur->next;
|
|
||||||
|
|
||||||
return STATUS_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
static size_t role_allow_state_size(const qpol_iterator_t * iter)
|
|
||||||
{
|
|
||||||
role_allow_state_t *ras = NULL;
|
|
||||||
const policydb_t *db = NULL;
|
|
||||||
role_allow_t *tmp = NULL;
|
|
||||||
size_t count = 0;
|
|
||||||
|
|
||||||
if (!iter || !(ras = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter))) {
|
|
||||||
errno = EINVAL;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
for (tmp = ras->head; tmp; tmp = tmp->next)
|
|
||||||
count++;
|
|
||||||
|
|
||||||
return count;
|
|
||||||
}
|
|
||||||
|
|
||||||
int qpol_policy_get_role_allow_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter)
|
|
||||||
{
|
|
||||||
policydb_t *db = NULL;
|
|
||||||
role_allow_state_t *ras = NULL;
|
|
||||||
int error = 0;
|
|
||||||
|
|
||||||
if (iter)
|
|
||||||
*iter = NULL;
|
|
||||||
|
|
||||||
if (!policy || !iter) {
|
|
||||||
ERR(policy, "%s", strerror(EINVAL));
|
|
||||||
errno = EINVAL;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
db = &policy->p->p;
|
|
||||||
|
|
||||||
ras = calloc(1, sizeof(role_allow_state_t));
|
|
||||||
if (!ras) {
|
|
||||||
/* errno set by calloc */
|
|
||||||
ERR(policy, "%s", strerror(errno));
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
ras->head = ras->cur = db->role_allow;
|
|
||||||
|
|
||||||
if (qpol_iterator_create
|
|
||||||
(policy, (void *)ras, role_allow_state_get_cur, role_allow_state_next, role_allow_state_end, role_allow_state_size,
|
|
||||||
free, iter)) {
|
|
||||||
error = errno;
|
|
||||||
free(ras);
|
|
||||||
errno = error;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
return STATUS_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
int qpol_role_allow_get_source_role(const qpol_policy_t * policy, const qpol_role_allow_t * rule, const qpol_role_t ** source)
|
|
||||||
{
|
|
||||||
policydb_t *db = NULL;
|
|
||||||
role_allow_t *ra = NULL;
|
|
||||||
|
|
||||||
if (source) {
|
|
||||||
*source = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!policy || !rule || !source) {
|
|
||||||
ERR(policy, "%s", strerror(EINVAL));
|
|
||||||
errno = EINVAL;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
db = &policy->p->p;
|
|
||||||
ra = (role_allow_t *) rule;
|
|
||||||
|
|
||||||
*source = (qpol_role_t *) db->role_val_to_struct[ra->role - 1];
|
|
||||||
|
|
||||||
return STATUS_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
int qpol_role_allow_get_target_role(const qpol_policy_t * policy, const qpol_role_allow_t * rule, const qpol_role_t ** target)
|
|
||||||
{
|
|
||||||
policydb_t *db = NULL;
|
|
||||||
role_allow_t *ra = NULL;
|
|
||||||
|
|
||||||
if (target) {
|
|
||||||
*target = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!policy || !rule || !target) {
|
|
||||||
ERR(policy, "%s", strerror(EINVAL));
|
|
||||||
errno = EINVAL;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
db = &policy->p->p;
|
|
||||||
ra = (role_allow_t *) rule;
|
|
||||||
|
|
||||||
*target = (qpol_role_t *) db->role_val_to_struct[ra->new_role - 1];
|
|
||||||
|
|
||||||
return STATUS_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
typedef struct role_trans_state
|
|
||||||
{
|
|
||||||
role_trans_t *head;
|
|
||||||
role_trans_t *cur;
|
|
||||||
} role_trans_state_t;
|
|
||||||
|
|
||||||
static int role_trans_state_end(const qpol_iterator_t * iter)
|
|
||||||
{
|
|
||||||
role_trans_state_t *rts = NULL;
|
|
||||||
|
|
||||||
if (!iter || !(rts = qpol_iterator_state(iter))) {
|
|
||||||
errno = EINVAL;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
return rts->cur ? 0 : 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void *role_trans_state_get_cur(const qpol_iterator_t * iter)
|
|
||||||
{
|
|
||||||
role_trans_state_t *rts = NULL;
|
|
||||||
const policydb_t *db = NULL;
|
|
||||||
|
|
||||||
if (!iter || !(rts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter)) || role_trans_state_end(iter)) {
|
|
||||||
errno = EINVAL;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
return rts->cur;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int role_trans_state_next(qpol_iterator_t * iter)
|
|
||||||
{
|
|
||||||
role_trans_state_t *rts = NULL;
|
|
||||||
const policydb_t *db = NULL;
|
|
||||||
|
|
||||||
if (!iter || !(rts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter))) {
|
|
||||||
errno = EINVAL;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (role_trans_state_end(iter)) {
|
|
||||||
errno = ERANGE;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
rts->cur = rts->cur->next;
|
|
||||||
|
|
||||||
return STATUS_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
static size_t role_trans_state_size(const qpol_iterator_t * iter)
|
|
||||||
{
|
|
||||||
role_trans_state_t *rts = NULL;
|
|
||||||
const policydb_t *db = NULL;
|
|
||||||
role_trans_t *tmp = NULL;
|
|
||||||
size_t count = 0;
|
|
||||||
|
|
||||||
if (!iter || !(rts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter))) {
|
|
||||||
errno = EINVAL;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
for (tmp = rts->head; tmp; tmp = tmp->next)
|
|
||||||
count++;
|
|
||||||
|
|
||||||
return count;
|
|
||||||
}
|
|
||||||
|
|
||||||
int qpol_policy_get_role_trans_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter)
|
|
||||||
{
|
|
||||||
policydb_t *db = NULL;
|
|
||||||
role_trans_state_t *rts = NULL;
|
|
||||||
int error = 0;
|
|
||||||
|
|
||||||
if (iter)
|
|
||||||
*iter = NULL;
|
|
||||||
|
|
||||||
if (!policy || !iter) {
|
|
||||||
ERR(policy, "%s", strerror(EINVAL));
|
|
||||||
errno = EINVAL;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
db = &policy->p->p;
|
|
||||||
|
|
||||||
rts = calloc(1, sizeof(role_trans_state_t));
|
|
||||||
if (!rts) {
|
|
||||||
/* errno set by calloc */
|
|
||||||
ERR(policy, "%s", strerror(errno));
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
rts->head = rts->cur = db->role_tr;
|
|
||||||
|
|
||||||
if (qpol_iterator_create
|
|
||||||
(policy, (void *)rts, role_trans_state_get_cur, role_trans_state_next, role_trans_state_end, role_trans_state_size,
|
|
||||||
free, iter)) {
|
|
||||||
error = errno;
|
|
||||||
free(rts);
|
|
||||||
errno = error;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
return STATUS_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
int qpol_role_trans_get_source_role(const qpol_policy_t * policy, const qpol_role_trans_t * rule, const qpol_role_t ** source)
|
|
||||||
{
|
|
||||||
policydb_t *db = NULL;
|
|
||||||
role_trans_t *rt = NULL;
|
|
||||||
|
|
||||||
if (source) {
|
|
||||||
*source = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!policy || !rule || !source) {
|
|
||||||
ERR(policy, "%s", strerror(EINVAL));
|
|
||||||
errno = EINVAL;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
db = &policy->p->p;
|
|
||||||
rt = (role_trans_t *) rule;
|
|
||||||
|
|
||||||
*source = (qpol_role_t *) db->role_val_to_struct[rt->role - 1];
|
|
||||||
|
|
||||||
return STATUS_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
int qpol_role_trans_get_target_type(const qpol_policy_t * policy, const qpol_role_trans_t * rule, const qpol_type_t ** target)
|
|
||||||
{
|
|
||||||
policydb_t *db = NULL;
|
|
||||||
role_trans_t *rt = NULL;
|
|
||||||
|
|
||||||
if (target) {
|
|
||||||
*target = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!policy || !rule || !target) {
|
|
||||||
ERR(policy, "%s", strerror(EINVAL));
|
|
||||||
errno = EINVAL;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
db = &policy->p->p;
|
|
||||||
rt = (role_trans_t *) rule;
|
|
||||||
|
|
||||||
*target = (qpol_type_t *) db->type_val_to_struct[rt->type - 1];
|
|
||||||
|
|
||||||
return STATUS_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
int qpol_role_trans_get_object_class(const qpol_policy_t * policy, const qpol_role_trans_t * rule, const qpol_class_t ** obj_class)
|
|
||||||
{
|
|
||||||
policydb_t *db = NULL;
|
|
||||||
role_trans_t *rt = NULL;
|
|
||||||
|
|
||||||
if (obj_class) {
|
|
||||||
*obj_class = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!policy || !rule || !obj_class) {
|
|
||||||
ERR(policy, "%s", strerror(EINVAL));
|
|
||||||
errno = EINVAL;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
db = &policy->p->p;
|
|
||||||
rt = (role_trans_t *) rule;
|
|
||||||
|
|
||||||
*obj_class = (qpol_class_t *) db->class_val_to_struct[rt->tclass - 1];
|
|
||||||
|
|
||||||
return STATUS_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
int qpol_role_trans_get_default_role(const qpol_policy_t * policy, const qpol_role_trans_t * rule, const qpol_role_t ** dflt)
|
|
||||||
{
|
|
||||||
policydb_t *db = NULL;
|
|
||||||
role_trans_t *rt = NULL;
|
|
||||||
|
|
||||||
if (dflt) {
|
|
||||||
*dflt = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!policy || !rule || !dflt) {
|
|
||||||
ERR(policy, "%s", strerror(EINVAL));
|
|
||||||
errno = EINVAL;
|
|
||||||
return STATUS_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
db = &policy->p->p;
|
|
||||||
rt = (role_trans_t *) rule;
|
|
||||||
|
|
||||||
*dflt = (qpol_role_t *) db->role_val_to_struct[rt->new_role - 1];
|
|
||||||
|
|
||||||
return STATUS_SUCCESS;
|
|
||||||
}
|
|
@ -1,5 +1,5 @@
|
|||||||
# Copyright 2014, 2016, Tresys Technology, LLC
|
# Copyright 2014, 2016, Tresys Technology, LLC
|
||||||
# Copyright 2016-2017, Chris PeBenito <pebenito@ieee.org>
|
# Copyright 2016-2018, Chris PeBenito <pebenito@ieee.org>
|
||||||
#
|
#
|
||||||
# This file is part of SETools.
|
# This file is part of SETools.
|
||||||
#
|
#
|
||||||
@ -18,62 +18,6 @@
|
|||||||
# <http://www.gnu.org/licenses/>.
|
# <http://www.gnu.org/licenses/>.
|
||||||
#
|
#
|
||||||
|
|
||||||
#
|
|
||||||
# Role allow factory functions
|
|
||||||
#
|
|
||||||
cdef inline RoleAllow role_allow_factory_iter(SELinuxPolicy policy, QpolIteratorItem symbol):
|
|
||||||
"""Factory function variant for iterating over RoleAllow objects."""
|
|
||||||
return role_allow_factory(policy, <const qpol_role_allow_t *> symbol.obj)
|
|
||||||
|
|
||||||
|
|
||||||
cdef inline RoleAllow role_allow_factory(SELinuxPolicy policy, const qpol_role_allow_t *symbol):
|
|
||||||
"""Factory function for creating RoleAllow objects."""
|
|
||||||
r = RoleAllow()
|
|
||||||
r.policy = policy
|
|
||||||
r.handle = symbol
|
|
||||||
return r
|
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# Role transition factory functions
|
|
||||||
#
|
|
||||||
cdef inline RoleTransition role_trans_factory_iter(SELinuxPolicy policy, QpolIteratorItem symbol):
|
|
||||||
"""Factory function variant for iterating over RoleTransition objects."""
|
|
||||||
return role_trans_factory(policy, <const qpol_role_trans_t *> symbol.obj)
|
|
||||||
|
|
||||||
|
|
||||||
cdef inline RoleTransition role_trans_factory(SELinuxPolicy policy, const qpol_role_trans_t *symbol):
|
|
||||||
"""Factory function for creating RoleTransition objects."""
|
|
||||||
r = RoleTransition()
|
|
||||||
r.policy = policy
|
|
||||||
r.handle = symbol
|
|
||||||
return r
|
|
||||||
|
|
||||||
#
|
|
||||||
# Expanded RBAC rule factory functions
|
|
||||||
#
|
|
||||||
cdef inline ExpandedRoleAllow expanded_role_allow_factory(RoleAllow original, source, target):
|
|
||||||
"""Factory function for creating ExpandedRoleAllow objects."""
|
|
||||||
r = ExpandedRoleAllow()
|
|
||||||
r.policy = original.policy
|
|
||||||
r.handle = original.handle
|
|
||||||
r.source = source
|
|
||||||
r.target = target
|
|
||||||
r.origin = original
|
|
||||||
return r
|
|
||||||
|
|
||||||
|
|
||||||
cdef inline ExpandedRoleTransition expanded_role_trans_factory(RoleTransition original, source, target):
|
|
||||||
"""Factory function for creating ExpandedRoleTransition objects."""
|
|
||||||
r = ExpandedRoleTransition()
|
|
||||||
r.policy = original.policy
|
|
||||||
r.handle = original.handle
|
|
||||||
r.source = source
|
|
||||||
r.target = target
|
|
||||||
r.origin = original
|
|
||||||
return r
|
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Classes
|
# Classes
|
||||||
#
|
#
|
||||||
@ -90,9 +34,17 @@ cdef class RoleAllow(PolicyRule):
|
|||||||
"""A role allow rule."""
|
"""A role allow rule."""
|
||||||
|
|
||||||
cdef:
|
cdef:
|
||||||
const qpol_role_allow_t *handle
|
sepol.role_allow_t *handle
|
||||||
readonly object ruletype
|
readonly object ruletype
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
cdef factory(SELinuxPolicy policy, sepol.role_allow_t *symbol):
|
||||||
|
"""Factory function for creating RoleAllow objects."""
|
||||||
|
r = RoleAllow()
|
||||||
|
r.policy = policy
|
||||||
|
r.handle = symbol
|
||||||
|
return r
|
||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
self.ruletype = RBACRuletype.allow
|
self.ruletype = RBACRuletype.allow
|
||||||
|
|
||||||
@ -106,26 +58,14 @@ cdef class RoleAllow(PolicyRule):
|
|||||||
@property
|
@property
|
||||||
def source(self):
|
def source(self):
|
||||||
"""The rule's source role."""
|
"""The rule's source role."""
|
||||||
cdef const qpol_role_t *r
|
return Role.factory(self.policy,
|
||||||
if qpol_role_allow_get_source_role(self.policy.handle, self.handle, &r):
|
self.policy.handle.p.p.role_val_to_struct[self.handle.role - 1])
|
||||||
ex = LowLevelPolicyError("Error reading source role for role allow rule: {}".format(
|
|
||||||
strerror(errno)))
|
|
||||||
ex.errno = errno
|
|
||||||
raise ex
|
|
||||||
|
|
||||||
return Role.factory(self.policy, <sepol.role_datum_t *>r)
|
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def target(self):
|
def target(self):
|
||||||
"""The rule's target role."""
|
"""The rule's target role."""
|
||||||
cdef const qpol_role_t *r
|
return Role.factory(self.policy,
|
||||||
if qpol_role_allow_get_target_role(self.policy.handle, self.handle, &r):
|
self.policy.handle.p.p.role_val_to_struct[self.handle.new_role - 1])
|
||||||
ex = LowLevelPolicyError("Error reading target role for role allow rule: {}".format(
|
|
||||||
strerror(errno)))
|
|
||||||
ex.errno = errno
|
|
||||||
raise ex
|
|
||||||
|
|
||||||
return Role.factory(self.policy, <sepol.role_datum_t *>r)
|
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def tclass(self):
|
def tclass(self):
|
||||||
@ -140,7 +80,14 @@ cdef class RoleAllow(PolicyRule):
|
|||||||
def expand(self):
|
def expand(self):
|
||||||
"""Expand the rule into an equivalent set of rules without attributes."""
|
"""Expand the rule into an equivalent set of rules without attributes."""
|
||||||
for s, t in itertools.product(self.source.expand(), self.target.expand()):
|
for s, t in itertools.product(self.source.expand(), self.target.expand()):
|
||||||
yield expanded_role_allow_factory(self, s, t)
|
"""Factory function for creating ExpandedRoleAllow objects."""
|
||||||
|
r = ExpandedRoleAllow()
|
||||||
|
r.policy = self.policy
|
||||||
|
r.handle = self.handle
|
||||||
|
r.source = s
|
||||||
|
r.target = t
|
||||||
|
r.origin = self
|
||||||
|
yield r
|
||||||
|
|
||||||
|
|
||||||
cdef class RoleTransition(PolicyRule):
|
cdef class RoleTransition(PolicyRule):
|
||||||
@ -148,9 +95,17 @@ cdef class RoleTransition(PolicyRule):
|
|||||||
"""A role_transition rule."""
|
"""A role_transition rule."""
|
||||||
|
|
||||||
cdef:
|
cdef:
|
||||||
const qpol_role_trans_t *handle
|
sepol.role_trans_t *handle
|
||||||
readonly object ruletype
|
readonly object ruletype
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
cdef factory(SELinuxPolicy policy, sepol.role_trans_t *symbol):
|
||||||
|
"""Factory function for creating RoleTransition objects."""
|
||||||
|
r = RoleTransition()
|
||||||
|
r.policy = policy
|
||||||
|
r.handle = symbol
|
||||||
|
return r
|
||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
self.ruletype = RBACRuletype.role_transition
|
self.ruletype = RBACRuletype.role_transition
|
||||||
|
|
||||||
@ -164,55 +119,37 @@ cdef class RoleTransition(PolicyRule):
|
|||||||
@property
|
@property
|
||||||
def source(self):
|
def source(self):
|
||||||
"""The rule's source role."""
|
"""The rule's source role."""
|
||||||
cdef const qpol_role_t *r
|
return Role.factory(self.policy,
|
||||||
if qpol_role_trans_get_source_role(self.policy.handle, self.handle, &r):
|
self.policy.handle.p.p.role_val_to_struct[self.handle.role - 1])
|
||||||
ex = LowLevelPolicyError("Error reading source role for role_transition rule: {}".
|
|
||||||
format(strerror(errno)))
|
|
||||||
ex.errno = errno
|
|
||||||
raise ex
|
|
||||||
|
|
||||||
return Role.factory(self.policy, <sepol.role_datum_t *>r)
|
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def target(self):
|
def target(self):
|
||||||
"""The rule's target type/attribute."""
|
"""The rule's target type/attribute."""
|
||||||
cdef const qpol_type_t *t
|
return type_or_attr_factory(self.policy,
|
||||||
if qpol_role_trans_get_target_type(self.policy.handle, self.handle, &t):
|
self.policy.handle.p.p.type_val_to_struct[self.handle.type - 1])
|
||||||
ex = LowLevelPolicyError("Error reading target type/attr for role_transition rule: {}".
|
|
||||||
format(strerror(errno)))
|
|
||||||
ex.errno = errno
|
|
||||||
raise ex
|
|
||||||
|
|
||||||
return type_or_attr_factory(self.policy, <sepol.type_datum_t *>t)
|
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def tclass(self):
|
def tclass(self):
|
||||||
"""The rule's object class."""
|
"""The rule's object class."""
|
||||||
cdef const qpol_class_t *c
|
return ObjClass.factory(self.policy,
|
||||||
if qpol_role_trans_get_object_class(self.policy.handle, self.handle, &c):
|
self.policy.handle.p.p.class_val_to_struct[self.handle.tclass - 1])
|
||||||
ex = LowLevelPolicyError("Error reading class for role_transition rule: {}".format(
|
|
||||||
strerror(errno)))
|
|
||||||
ex.errno = errno
|
|
||||||
raise ex
|
|
||||||
|
|
||||||
return ObjClass.factory(self.policy, <sepol.class_datum_t *>c)
|
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def default(self):
|
def default(self):
|
||||||
"""The rule's default role."""
|
"""The rule's default role."""
|
||||||
cdef const qpol_role_t *r
|
return Role.factory(self.policy,
|
||||||
if qpol_role_trans_get_default_role(self.policy.handle, self.handle, &r):
|
self.policy.handle.p.p.role_val_to_struct[self.handle.new_role - 1])
|
||||||
ex = LowLevelPolicyError("Error reading default role for role_transition rule: {}".
|
|
||||||
format(strerror(errno)))
|
|
||||||
ex.errno = errno
|
|
||||||
raise ex
|
|
||||||
|
|
||||||
return Role.factory(self.policy, <sepol.role_datum_t *>r)
|
|
||||||
|
|
||||||
def expand(self):
|
def expand(self):
|
||||||
"""Expand the rule into an equivalent set of rules without attributes."""
|
"""Expand the rule into an equivalent set of rules without attributes."""
|
||||||
for s, t in itertools.product(self.source.expand(), self.target.expand()):
|
for s, t in itertools.product(self.source.expand(), self.target.expand()):
|
||||||
yield expanded_role_trans_factory(self, s, t)
|
r = ExpandedRoleTransition()
|
||||||
|
r.policy = self.policy
|
||||||
|
r.handle = self.handle
|
||||||
|
r.source = s
|
||||||
|
r.target = t
|
||||||
|
r.origin = self
|
||||||
|
yield r
|
||||||
|
|
||||||
|
|
||||||
cdef class ExpandedRoleAllow(RoleAllow):
|
cdef class ExpandedRoleAllow(RoleAllow):
|
||||||
@ -253,3 +190,90 @@ cdef class ExpandedRoleTransition(RoleTransition):
|
|||||||
|
|
||||||
def __lt__(self, other):
|
def __lt__(self, other):
|
||||||
return str(self) < str(other)
|
return str(self) < str(other)
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Iterators
|
||||||
|
#
|
||||||
|
cdef class RoleAllowIterator(PolicyIterator):
|
||||||
|
|
||||||
|
"""Role allow rule iterator."""
|
||||||
|
|
||||||
|
cdef:
|
||||||
|
sepol.role_allow_t *head
|
||||||
|
sepol.role_allow_t *curr
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
cdef factory(SELinuxPolicy policy, sepol.role_allow_t *head):
|
||||||
|
"""Role allow rule iterator factory."""
|
||||||
|
i = RoleAllowIterator()
|
||||||
|
i.policy = policy
|
||||||
|
i.head = head
|
||||||
|
i.reset()
|
||||||
|
return i
|
||||||
|
|
||||||
|
def __next__(self):
|
||||||
|
if self.curr == NULL:
|
||||||
|
raise StopIteration
|
||||||
|
|
||||||
|
item = RoleAllow.factory(self.policy, self.curr)
|
||||||
|
self.curr = self.curr.next
|
||||||
|
return item
|
||||||
|
|
||||||
|
def __len__(self):
|
||||||
|
cdef:
|
||||||
|
sepol.role_allow_t *curr
|
||||||
|
size_t count = 0
|
||||||
|
|
||||||
|
curr = self.head
|
||||||
|
while curr != NULL:
|
||||||
|
count += 1
|
||||||
|
curr = curr.next
|
||||||
|
|
||||||
|
return count
|
||||||
|
|
||||||
|
def reset(self):
|
||||||
|
"""Reset the iterator back to the start."""
|
||||||
|
self.curr = self.head
|
||||||
|
|
||||||
|
|
||||||
|
cdef class RoleTransitionIterator(PolicyIterator):
|
||||||
|
|
||||||
|
"""Role transition rule iterator."""
|
||||||
|
|
||||||
|
cdef:
|
||||||
|
sepol.role_trans_t *head
|
||||||
|
sepol.role_trans_t *curr
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
cdef factory(SELinuxPolicy policy, sepol.role_trans_t *head):
|
||||||
|
"""Role transition rule iterator factory."""
|
||||||
|
i = RoleTransitionIterator()
|
||||||
|
i.policy = policy
|
||||||
|
i.head = head
|
||||||
|
i.reset()
|
||||||
|
return i
|
||||||
|
|
||||||
|
def __next__(self):
|
||||||
|
if self.curr == NULL:
|
||||||
|
raise StopIteration
|
||||||
|
|
||||||
|
item = RoleTransition.factory(self.policy, self.curr)
|
||||||
|
self.curr = self.curr.next
|
||||||
|
return item
|
||||||
|
|
||||||
|
def __len__(self):
|
||||||
|
cdef:
|
||||||
|
sepol.role_trans_t *curr
|
||||||
|
size_t count = 0
|
||||||
|
|
||||||
|
curr = self.head
|
||||||
|
while curr != NULL:
|
||||||
|
count += 1
|
||||||
|
curr = curr.next
|
||||||
|
|
||||||
|
return count
|
||||||
|
|
||||||
|
def reset(self):
|
||||||
|
"""Reset the iterator back to the start."""
|
||||||
|
self.curr = self.head
|
||||||
|
@ -369,14 +369,12 @@ cdef class SELinuxPolicy:
|
|||||||
@property
|
@property
|
||||||
def role_allow_count(self):
|
def role_allow_count(self):
|
||||||
"""The number of role allow rules."""
|
"""The number of role allow rules."""
|
||||||
return sum(1 for r in self.rbacrules()
|
return len(RoleAllowIterator.factory(self, self.handle.p.p.role_allow))
|
||||||
if r.ruletype == RBACRuletype.allow)
|
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def role_transition_count(self):
|
def role_transition_count(self):
|
||||||
"""The number of role_transition rules."""
|
"""The number of role_transition rules."""
|
||||||
return sum(1 for r in self.rbacrules()
|
return len(RoleTransitionIterator.factory(self, self.handle.p.p.role_tr))
|
||||||
if r.ruletype == RBACRuletype.role_transition)
|
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def range_transition_count(self):
|
def range_transition_count(self):
|
||||||
@ -603,16 +601,8 @@ cdef class SELinuxPolicy:
|
|||||||
|
|
||||||
def rbacrules(self):
|
def rbacrules(self):
|
||||||
"""Iterator over all RBAC rules."""
|
"""Iterator over all RBAC rules."""
|
||||||
cdef qpol_iterator_t *ra_iter
|
return chain(RoleAllowIterator.factory(self, self.handle.p.p.role_allow),
|
||||||
if qpol_policy_get_role_allow_iter(self.handle, &ra_iter):
|
RoleTransitionIterator.factory(self, self.handle.p.p.role_tr))
|
||||||
raise MemoryError
|
|
||||||
|
|
||||||
cdef qpol_iterator_t *rt_iter
|
|
||||||
if qpol_policy_get_role_trans_iter(self.handle, &rt_iter):
|
|
||||||
raise MemoryError
|
|
||||||
|
|
||||||
return chain(qpol_iterator_factory(self, ra_iter, role_allow_factory_iter),
|
|
||||||
qpol_iterator_factory(self, rt_iter, role_trans_factory_iter))
|
|
||||||
|
|
||||||
def terules(self):
|
def terules(self):
|
||||||
"""Iterator over all type enforcement rules."""
|
"""Iterator over all type enforcement rules."""
|
||||||
|
1
setup.py
1
setup.py
@ -71,7 +71,6 @@ ext_py_mods = [Extension('setools.policyrep.libpolicyrep',
|
|||||||
'libqpol/iterator.c',
|
'libqpol/iterator.c',
|
||||||
'libqpol/policy.c',
|
'libqpol/policy.c',
|
||||||
'libqpol/policy_extend.c',
|
'libqpol/policy_extend.c',
|
||||||
'libqpol/rbacrule_query.c',
|
|
||||||
'libqpol/terule_query.c'],
|
'libqpol/terule_query.c'],
|
||||||
include_dirs=include_dirs,
|
include_dirs=include_dirs,
|
||||||
libraries=['selinux'],
|
libraries=['selinux'],
|
||||||
|
Loading…
Reference in New Issue
Block a user