RepoMirrors/setools
1
0
Fork 0
mirror of https://github.com/SELinuxProject/setools synced 2025-04-11 03:51:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

setools-V4: libqpol policy V30 updates (xen/xperm statements)

Browse Source 
Updated libqpol services to use the latest checkpolicy 2.4 source
files to support Xen and extended permissions (allowxperm etc.).

TODO: Add support for querying the xperm values.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
This commit is contained in:
Richard Haines 2015-12-16 16:35:36 +00:00 committed by Chris PeBenito
parent faeccd0360
commit dd29dc9c43
19 changed files with 2741 additions and 133 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libqpol/config.h
View File

@ -61,6 +61,14 @@
/* if users and roles are mapped during policy expansion */
#define HAVE_SEPOL_USER_ROLE_MAPPING 1
/* if source policy Xen devicetreecon and iomemcon 64bit are present */
#define HAVE_SEPOL_XEN_DEVICETREE 1
/* OR */
/* #undef HAVE_SEPOL_XEN_DEVICETREE */
/* if source policy ioctl white listing */
#define HAVE_SEPOL_XPERM_IOCTL 1
/* Define to 1 if stdbool.h conforms to C99. */
#define HAVE_STDBOOL_H 1

16
libqpol/include/qpol/policy.h
View File

@ -63,6 +63,8 @@ extern "C"
#include <qpol/terule_query.h>
#include <qpol/type_query.h>
#include <qpol/user_query.h>
#include <qpol/xen_query.h>
#include <qpol/xperm_query.h>
typedef void (__attribute__ ((format(printf, 4, 0))) *qpol_callback_fn_t)
(void *varg, const struct qpol_policy * policy, int level,
@ -131,7 +133,9 @@ extern "C"
/** The policy supports filename type_transition rules. */
QPOL_CAP_FILENAME_TRANS,
/** The policy supports role transition rules. */
QPOL_CAP_ROLETRANS
QPOL_CAP_ROLETRANS,
/** The policy supports ioctl extended permissions. */
QPOL_CAP_XPERM_IOCTL
} qpol_capability_e;
/**
@ -278,6 +282,16 @@ extern "C"
*/
extern int qpol_policy_get_policy_handle_unknown(const qpol_policy_t * policy, unsigned int *handle_unknown);
/**
* Get target platform (SELinux or XEN) of the policy.
* @param policy The policy for which to get the target.
* @param target_platform Pointer to the target.
* @return Returns 0 on success and < 0 on failure; if the call fails,
* errno will be set and *target_platform will be 0.
*/
extern int qpol_policy_get_target_platform(const qpol_policy_t *policy,
int *target_platform);
#ifdef __cplusplus
}
#endif

307
libqpol/include/qpol/xen_query.h Normal file
View File

@ -0,0 +1,307 @@
/**
* @file
* Defines the public interface for searching and iterating over
* Xen statements.
*
* @author Richard Haines richard_c_haines@btinternet.com
* Derived from portcon_query.h
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*/
#ifndef QPOL_XEN_QUERY_H
#define QPOL_XEN_QUERY_H
#ifdef __cplusplus
extern "C"
{
#endif
#include <stddef.h>
#include <stdint.h>
#include <qpol/iterator.h>
#include <qpol/policy.h>
typedef struct qpol_iomemcon qpol_iomemcon_t;
typedef struct qpol_ioportcon qpol_ioportcon_t;
typedef struct qpol_pcidevicecon qpol_pcidevicecon_t;
typedef struct qpol_pirqcon qpol_pirqcon_t;
typedef struct qpol_devicetreecon qpol_devicetreecon_t;
/******************************* iomemcon **************************/
/**
* Get a single iomemcon statement by range.
* @param policy The policy from which to get the iomemcon statement.
* @param low The low addr of the range of addrs (or single addr).
* @param high The high addr of the range of addrs; if searching for a
* single addr, set high equal to low.
* @param ocon Pointer in which to store the statement returned.
* The caller should not free this pointer.
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set and *ocon will be NULL.
*/
extern int qpol_policy_get_iomemcon_by_addr(
const qpol_policy_t *policy,
uint64_t low, uint64_t high,
const qpol_iomemcon_t **ocon);
/**
* Get an iterator for the iomemcon statements in a policy.
* @param policy The policy from which to create the iterator.
* @param iter Iterator over items of type qpol_iomemcon_t returned.
* The caller is responsible for calling qpol_iterator_destroy
* to free memory used by this iterator.
* It is important to note that this iterator is only valid as long
* as the policy is unmodified.
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set and *iter will be NULL.
*/
extern int qpol_policy_get_iomemcon_iter(const qpol_policy_t *policy,
qpol_iterator_t **iter);
/**
* Get the low addr from a iomemcon statement.
* @param policy the policy associated with the iomemcon statement.
* @param ocon The iomemcon statement from which to get the low addr.
* @param addr Pointer to set to the addr.
* @return 0 on success < 0 on failure; if the call fails,
* errno will be set and *addr will be 0.
*/
extern int qpol_iomemcon_get_low_addr(const qpol_policy_t *policy,
const qpol_iomemcon_t *ocon,
uint64_t *addr);
/**
* Get the high addr from a iomemcon statement.
* @param policy the policy associated with the iomemcon statement.
* @param ocon The iomemcon statement from which to get the high addr.
* @param addr Pointer to set to the addr.
* @return 0 on success < 0 on failure; if the call fails,
* errno will be set and *addr will be 0.
*/
extern int qpol_iomemcon_get_high_addr(const qpol_policy_t *policy,
const qpol_iomemcon_t *ocon,
uint64_t *addr);
/**
* Get the context from a iomemcon statement.
* @param policy the policy associated with the iomemcon statement.
* @param ocon The iomemcon statement from which to get the context.
* @param context Pointer in which to store the context.
* The caller should not free this pointer.
* @return 0 on success < 0 on failure; if the call fails,
* errno will be set and *context will be NULL.
*/
extern int qpol_iomemcon_get_context(const qpol_policy_t *policy,
const qpol_iomemcon_t *ocon,
const qpol_context_t **context);
/******************************* ioportcon **************************/
/**
* Get a single ioportcon statement by range.
* @param policy The policy from which to get the ioportcon statement.
* @param low The low port of the range of ports (or single port).
* @param high The high port of the range of ports; if searching for a
* single port, set high equal to low.
* @param ocon Pointer in which to store the statement returned.
* The caller should not free this pointer.
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set and *ocon will be NULL.
*/
extern int qpol_policy_get_ioportcon_by_port(
const qpol_policy_t *policy,
uint32_t low, uint32_t high,
const qpol_ioportcon_t **ocon);
/**
* Get an iterator for the ioportcon statements in a policy.
* @param policy The policy from which to create the iterator.
* @param iter Iterator over items of type qpol_ioportcon_t returned.
* The caller is responsible for calling qpol_iterator_destroy
* to free memory used by this iterator.
* It is important to note that this iterator is only valid as long
* as the policy is unmodified.
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set and *iter will be NULL.
*/
extern int qpol_policy_get_ioportcon_iter(const qpol_policy_t *policy,
qpol_iterator_t **iter);
/**
* Get the low port from a ioportcon statement.
* @param policy the policy associated with the ioportcon statement.
* @param ocon The ioportcon statement from which to get the low port.
* @param port Pointer to set to the port.
* @return 0 on success < 0 on failure; if the call fails,
* errno will be set and *port will be 0.
*/
extern int qpol_ioportcon_get_low_port(const qpol_policy_t *policy,
const qpol_ioportcon_t *ocon,
uint32_t *port);
/**
* Get the high port from a ioportcon statement.
* @param policy the policy associated with the ioportcon statement.
* @param ocon The ioportcon statement from which to get the high port.
* @param port Pointer to set to the port.
* @return 0 on success < 0 on failure; if the call fails,
* errno will be set and *port will be 0.32
*/
extern int qpol_ioportcon_get_high_port(const qpol_policy_t *policy,
const qpol_ioportcon_t *ocon,
uint32_t *port);
/**
* Get the context from a ioportcon statement.
* @param policy the policy associated with the ioportcon statement.
* @param ocon The ioportcon statement from which to get the context.
* @param context Pointer in which to store the context.
* The caller should not free this pointer.
* @return 0 on success < 0 on failure; if the call fails,
* errno will be set and *context will be NULL.
*/
extern int qpol_ioportcon_get_context(const qpol_policy_t *policy,
const qpol_ioportcon_t *ocon,
const qpol_context_t **context);
/******************************* pcidevicecon **************************/
/**
* Get an iterator for the pcidevicecon statements in a policy.
* @param policy The policy from which to create the iterator.
* @param iter Iterator over items of type qpol_pcidevicecon_t returned.
* The caller is responsible for calling qpol_iterator_destroy
* to free memory used by this iterator.
* It is important to note that this iterator is only valid as long
* as the policy is unmodified.
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set and *iter will be NULL.
*/
extern int qpol_policy_get_pcidevicecon_iter(
const qpol_policy_t *policy,
qpol_iterator_t **iter);
/**
* Get the device id from a pcidevicecon statement.
* @param policy the policy associated with the pcidevicecon statement.
* @param ocon The pcidevicecon statement from which to get the low addr.
* @param device Pointer to set to the device.
* @return 0 on success < 0 on failure; if the call fails,
* errno will be set and *device will be 0.
*/
extern int qpol_pcidevicecon_get_device(const qpol_policy_t *policy,
const qpol_pcidevicecon_t *ocon,
uint32_t *device);
/**
* Get the context from a pcidevicecon statement.
* @param policy the policy associated with the pcidevicecon statement.
* @param ocon The pcidevicecon statement from which to get the context.
* @param context Pointer in which to store the context.
* The caller should not free this pointer.
* @return 0 on success < 0 on failure; if the call fails,
* errno will be set and *context will be NULL.
*/
extern int qpol_pcidevicecon_get_context(const qpol_policy_t *policy,
const qpol_pcidevicecon_t *ocon,
const qpol_context_t **context);
/************************* pirqcon *******************************/
/**
* Get an iterator for the pirqcon statements in a policy.
* @param policy The policy from which to create the iterator.
* @param iter Iterator over items of type qpol_pirqcon_t returned.
* The caller is responsible for calling qpol_iterator_destroy
* to free memory used by this iterator.
* It is important to note that this iterator is only valid as long
* as the policy is unmodified.
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set and *iter will be NULL.
*/
extern int qpol_policy_get_pirqcon_iter(const qpol_policy_t *policy,
qpol_iterator_t **iter);
/**
* Get the irq id from a pirqcon statement.
* @param policy the policy associated with the pirqcon statement.
* @param ocon The pirqcon statement from which to get the irq.
* @param irq Pointer to set to the irq.
* @return 0 on success < 0 on failure; if the call fails,
* errno will be set and *irq will be 0.
*/
extern int qpol_pirqcon_get_irq(const qpol_policy_t *policy,
const qpol_pirqcon_t *ocon,
uint16_t *irq);
/**
* Get the context from a pirqcon statement.
* @param policy the policy associated with the pirqcon statement.
* @param ocon The pirqcon statement from which to get the context.
* @param context Pointer in which to store the context.
* The caller should not free this pointer.
* @return 0 on success < 0 on failure; if the call fails,
* errno will be set and *context will be NULL.
*/
extern int qpol_pirqcon_get_context(const qpol_policy_t *policy,
const qpol_pirqcon_t *ocon,
const qpol_context_t **context);
/************************* devicetreecon *******************************/
/**
* Get an iterator for the devicetreecon statements in a policy.
* @param policy The policy from which to create the iterator.
* @param iter Iterator over items of type qpol_devicetreecon returned.
* The caller is responsible for calling qpol_iterator_destroy
* to free memory used by this iterator.
* It is important to note that this iterator is only valid as long
* as the policy is unmodified.
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set and *iter will be NULL.
*/
extern int qpol_policy_get_devicetreecon_iter(
const qpol_policy_t *policy,
qpol_iterator_t **iter);
/**
* Get the path from a devicetreecon statement.
* @param policy the policy associated with the devicetreecon statement.
* @param ocon The devicetreecon statement from which to get the path.
* @param path Pointer to set to the path.
* @return 0 on success < 0 on failure; if the call fails,
* errno will be set and *path will be 0.
*/
extern int qpol_devicetreecon_get_path(const qpol_policy_t *policy,
const qpol_devicetreecon_t *ocon,
char **path);
/**
* Get the context from a devicetreecon statement.
* @param policy the policy associated with the devicetreecon statement.
* @param ocon The devicetreecon statement from which to get the context.
* @param context Pointer in which to store the context.
* The caller should not free this pointer.
* @return 0 on success < 0 on failure; if the call fails,
* errno will be set and *context will be NULL.
*/
extern int qpol_devicetreecon_get_context(const qpol_policy_t *policy,
const qpol_devicetreecon_t *ocon,
const qpol_context_t **context);
#ifdef __cplusplus
}
#endif
#endif /* QPOL_XEN_QUERY_H */

139
libqpol/include/qpol/xprule_query.h Normal file
View File

@ -0,0 +1,139 @@
/**
* @file
* Defines the public interface for searching and iterating over xperm rules.
*
* @author Richard Haines richard_c_haines@btinternet.com
* Derived from avrule_query.h
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*/
#ifndef QPOL_XPRULE_QUERY_H
#define QPOL_XPRULE_QUERY_H
#ifdef __cplusplus
extern "C"
{
#endif
#include <qpol/policy.h>
#include <qpol/class_perm_query.h>
#include <qpol/type_query.h>
typedef struct qpol_xprule qpol_xprule_t;
/* rule type defines (values copied from "sepol/policydb/policydb.h") */
#define QPOL_RULE_ALLOWXPERM 0x0100
#define QPOL_RULE_AUDITALLOWXPERM 0x0200
#define QPOL_RULE_DONTAUDITXPERM 0x0400
#define QPOL_RULE_NEVERALLOWXPERM 0x0800
/**
* Get an iterator over all xperm rules in a policy of a rule type in
* rule_type_mask. It is an error to call this function if rules are
* not loaded. Likewise, it is an error if neverallows are requested
* but they were not loaded.
* @param policy Policy from which to get the av rules.
* @param rule_type_mask Bitwise or'ed set of QPOL_RULE_* values.
* @param iter Iterator over items of type qpol_xprule_t returned.
* The caller is responsible for calling qpol_iterator_destroy()
* to free memory used by this iterator.
* It is important to note that this iterator is only valid as long as
* the policy is unmodifed.
* @returm 0 on success and < 0 on failure; if the call fails,
* errno will be set and *iter will be NULL.
*/
extern int qpol_policy_get_xprule_iter(const qpol_policy_t *policy,
uint32_t rule_type_mask, qpol_iterator_t **iter);
/**
* Get the source type from an xperm rule.
* @param policy Policy from which the rule comes.
* @param rule The rule from which to get the source type.
* @param source Pointer in which to store the source type.
* The caller should not free this pointer.
* @returm 0 on success and < 0 on failure; if the call fails,
* errno will be set and *source will be NULL.
*/
extern int qpol_xprule_get_source_type(const qpol_policy_t *policy,
const qpol_xprule_t *rule,
const qpol_type_t **source);
/**
* Get the target type from an xperm rule.
* @param policy Policy from which the rule comes.
* @param rule The rule from which to get the target type.
* @param target Pointer in which to store the target type.
* The caller should not free this pointer.
* @returm 0 on success and < 0 on failure; if the call fails,
* errno will be set and *target will be NULL.
*/
extern int qpol_xprule_get_target_type(const qpol_policy_t *policy,
const qpol_xprule_t *rule,
const qpol_type_t **target);
/**
* Get the object class from an xperm rule.
* @param policy Policy from which the rule comes.
* @param rule The rule from which to get the object class.
* @param obj_class Pointer in which to store the object class.
* The caller should not free this pointer.
* @returm 0 on success and < 0 on failure; if the call fails,
* errno will be set and *obj_class will be NULL.
*/
extern int qpol_xprule_get_object_class(const qpol_policy_t *policy,
const qpol_xprule_t *rule,
const qpol_class_t **obj_class);
/**
* Get the extended permissions command from an xperm rule.
* @param policy Policy from which the rule comes.
* @param rule The rule from which to get the permissions.
* @param xprule command Pointer to set to the string.
* @returm 0 on success and < 0 on failure; if the call fails,
* errno will be set and *perms will be NULL.
*/
extern int qpol_xprule_get_command(const qpol_policy_t *policy,
const qpol_xprule_t *rule,
const char **xperm_command);
/**
* Get the extended IOCTL permissions from an xperm rule using
* sepol_extended_perms_to_string().
* @param policy Policy from which the rule comes.
* @param rule The rule from which to get the permissions.
* @param xperm_string Pointer to set to the string.
* @returm 0 on success and < 0 on failure; if the call fails,
* errno will be set and *perms will be NULL.
*/
extern int qpol_xprule_get_xperm_string(const qpol_policy_t *policy,
const qpol_xprule_t *rule,
char **xperm_string);
/**
* Get the rule type value for an xperm rule.
* @param policy Policy from which the rule comes.
* @param rule The rule from which to get the rule type.
* @param rule_type Integer in which to store the rule type value.
* The value will be one of the QPOL_RULE_* values above.
* @returm 0 on success and < 0 on failure; if the call fails,
* errno will be set and *rule_type will be 0.
*/
extern int qpol_xprule_get_rule_type(const qpol_policy_t *policy,
const qpol_xprule_t *rule,
uint32_t *rule_type);
#ifdef __cplusplus
}
#endif
#endif

6
libqpol/libqpol.map
View File

@ -76,6 +76,12 @@ VERS_1.5 {
qpol_policy_polcap_*;
qpol_polcap_*;
qpol_default_object_*;
qpol_iomemcon_*;
qpol_ioportcon_*;
qpol_pcidevicecon_*;
qpol_pirqcon_*;
qpol_devicetreecon_*;
qpol_xperm_*;
init_qpol;
PyInit__qpol;
} VERS_1.4;

43
libqpol/module_compiler.c
View File

@ -1,9 +1,8 @@
/**
* @file
*
* This file is a copy of module_compiler.c from NSA's CVS repository.
*
* Author : Joshua Brindle <jbrindle@tresys.com>
/* This file is a copy of module_compiler.c from checkpolicy 2.4 to support
* SETools.
*/
/* Author : Joshua Brindle <jbrindle@tresys.com>
* Karl MacMillan <kmacmillan@tresys.com>
* Jason Tang <jtang@tresys.com>
* Added support for binary policy modules
@ -308,7 +307,7 @@ role_datum_t *declare_role(unsigned char isattr)
return dest_role; /* role already declared for this block */
}
default:{
abort(); /* should never get here */
abort(); /* SETools - should never get here */
}
}
}
@ -371,7 +370,7 @@ type_datum_t *declare_type(unsigned char primary, unsigned char isattr)
return typdatum;
}
default:{
abort(); /* should never get here */
abort(); /* SETools - should never get here */
}
}
}
@ -507,7 +506,7 @@ user_datum_t *declare_user(void)
return dest_user; /* user already declared for this block */
}
default:{
abort(); /* should never get here */
abort(); /* SETools - should never get here */
}
}
}
@ -812,7 +811,7 @@ int require_class(int pass)
break;
}
default:{
abort(); /* should never get here */
abort(); /* SETools - should never get here */
}
}
@ -925,7 +924,7 @@ static int require_role_or_attribute(int pass, unsigned char isattr)
return 0; /* role already required */
}
default:{
abort(); /* should never get here */
abort(); /* SETools - should never get here */
}
}
}
@ -988,7 +987,7 @@ static int require_type_or_attribute(int pass, unsigned char isattr)
return 0; /* type already required */
}
default:{
abort(); /* should never get here */
abort(); /* SETools - should never get here */
}
}
}
@ -1049,7 +1048,7 @@ int require_user(int pass)
return 0; /* user already required */
}
default:{
abort(); /* should never get here */
abort(); /* SETools - should never get here */
}
}
}
@ -1100,7 +1099,7 @@ static int require_bool_tunable(int pass, int is_tunable)
return 0; /* boolean already required */
}
default:{
abort(); /* should never get here */
abort(); /* SETools - should never get here */
}
}
}
@ -1173,7 +1172,7 @@ int require_sens(int pass)
return 0; /* sensitivity already required */
}
default:{
abort(); /* should never get here */
abort(); /* SETools - should never get here */
}
}
}
@ -1226,7 +1225,7 @@ int require_cat(int pass)
return 0; /* category already required */
}
default:{
abort(); /* should never get here */
abort(); /* SETools - should never get here */
}
}
}
@ -1253,11 +1252,11 @@ static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack)
return is_scope_in_stack(scope, stack->parent);
}
int is_id_in_scope(uint32_t symbol_type, const char *id)
int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id)
{
scope_datum_t *scope =
(scope_datum_t *) hashtab_search(policydbp->scope[symbol_type].
table, (hashtab_key_t)id);
table, id);
if (scope == NULL) {
return 1; /* id is not known, so return success */
}
@ -1300,17 +1299,17 @@ static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value,
return is_perm_in_stack(perm_value, class_value, stack->parent);
}
int is_perm_in_scope(hashtab_key_t perm_id, const char *class_id)
int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id)
{
class_datum_t *cladatum =
(class_datum_t *) hashtab_search(policydbp->p_classes.table,
(hashtab_key_t)class_id);
class_id);
perm_datum_t *perdatum;
if (cladatum == NULL) {
return 1;
}
perdatum = (perm_datum_t *) hashtab_search(cladatum->permissions.table,
(hashtab_key_t)perm_id);
perm_id);
if (perdatum == NULL) {
return 1;
}
@ -1588,7 +1587,7 @@ static int push_stack(int stack_type, ...)
}
default:
/* invalid stack type given */
abort();
assert(0);
}
va_end(ap);
s->parent = stack_top;

17
libqpol/module_compiler.h
View File

@ -1,9 +1,8 @@
/**
* @file
*
* This file is a copy of module_compiler.h from NSA's CVS repository.
*
* Author : Joshua Brindle <jbrindle@tresys.com>
/* This file is a copy of module_compiler.h from checkpolicy 2.4 to support
* SETools.
*/
/* Author : Joshua Brindle <jbrindle@tresys.com>
* Karl MacMillan <kmacmillan@tresys.com>
* Jason Tang <jtang@tresys.com>
* Added support for binary policy modules
@ -12,6 +11,7 @@
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*
*/
#ifndef MODULE_COMPILER_H
@ -76,12 +76,12 @@ int require_cat(int pass);
/* Check if an identifier is within the scope of the current
* declaration or any of its parents. Return 1 if it is, 0 if not.
* If the identifier is not known at all then return 1 (truth). */
int is_id_in_scope(uint32_t symbol_type, const char * id);
int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id);
/* Check if a particular permission is within the scope of the current
* declaration or any of its parents. Return 1 if it is, 0 if not.
* If the identifier is not known at all then return 1 (truth). */
int is_perm_in_scope(hashtab_key_t perm_id, const char * class_id);
int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id);
/* Search the current avrules block for a conditional with the same
* expression as 'cond'. If the conditional does not exist then
@ -117,6 +117,7 @@ int begin_optional_else(int pass);
* return -1. */
int end_avrule_block(int pass);
/* Required for SETools libqpol services */
#ifdef __cplusplus
}
#endif

41
libqpol/policy.c
View File

@ -73,6 +73,7 @@ extern unsigned long policydb_lineno;
extern char source_file[];
extern policydb_t *policydbp;
extern int mlspol;
extern int xenpol;
#if __BYTE_ORDER == __LITTLE_ENDIAN
#define cpu_to_le16(x) (x)
@ -189,6 +190,7 @@ static int read_source_policy(qpol_policy_t * qpolicy, const char *progname, int
policydbp = &qpolicy->p->p;
mlspol = policydbp->mls;
xenpol = policydbp->target_platform;
INFO(qpolicy, "%s", "Parsing policy. (Step 1 of 5)");
init_scanner();
@ -416,8 +418,14 @@ static int infer_policy_version(qpol_policy_t * policy)
}
qpol_iterator_destroy(&iter);
/* Check each version change from 29 to 24 */
/* If this is available then just set version 29 */
/* Check each version change from 30 to 24 */
/* If these are available set version 30 */
#if defined(HAVE_SEPOL_XPERM_IOCTL) || defined(HAVE_SEPOL_XEN_DEVICETREE)
db->policyvers = 30;
return STATUS_SUCCESS;
#endif
/* If this is available then set version 29 */
#ifdef HAVE_SEPOL_CONSTRAINT_NAMES
db->policyvers = 29;
return STATUS_SUCCESS;
@ -1530,6 +1538,27 @@ int qpol_policy_get_policy_handle_unknown(const qpol_policy_t * policy, unsigned
return STATUS_SUCCESS;
}
int qpol_policy_get_target_platform(const qpol_policy_t *policy,
int *target_platform)
{
policydb_t *db;
if (target_platform != NULL)
*target_platform = 0;
if (policy == NULL || target_platform == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
db = &policy->p->p;
*target_platform = db->target_platform;
return STATUS_SUCCESS;
}
int qpol_policy_get_type(const qpol_policy_t * policy, int *type)
{
if (!policy || !type) {
@ -1647,6 +1676,14 @@ int qpol_policy_has_capability(const qpol_policy_t * policy, qpol_capability_e c
return 1;
break;
}
case QPOL_CAP_XPERM_IOCTL:
{
if (version >= 30 && policy->type != QPOL_POLICY_MODULE_BINARY)
return 1;
if (version >= 17 && policy->type == QPOL_POLICY_MODULE_BINARY)
return 1;
break;
}
case QPOL_CAP_RULES_LOADED:
{
if (!(policy->options & QPOL_POLICY_OPTION_NO_RULES))

846
libqpol/policy_define.c
View File

File diff suppressed because it is too large Load Diff

18
libqpol/policy_define.h
View File

@ -1,7 +1,6 @@
/**
* @file policy_define.h
* This file is based upon checkpolicy/policy_define.h from NSA's SVN
* repository.
/*
* This file is a copy of policy_define.h from checkpolicy 2.4 updated to
* support SETools.
*/
/* Functions used to define policy grammar components. */
@ -18,8 +17,10 @@
#define TRUE 1
#define FALSE 0
/* Used by SETools to determine if source MLS or not */
/* Used by SETools to determine if source has MLS and/or XEN support */
int define_mls(void);
int define_xen(void);
avrule_t *define_cond_compute_type(int which);
avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt);
@ -54,9 +55,15 @@ int define_permissive(void);
int define_polcap(void);
int define_port_context(unsigned int low, unsigned int high);
int define_pirq_context(unsigned int pirq);
/* Support SETools */
#ifdef HAVE_SEPOL_XEN_DEVICETREE
int define_iomem_context(uint64_t low, uint64_t high);
#else
int define_iomem_context(unsigned long low, unsigned long high);
#endif
int define_ioport_context(unsigned long low, unsigned long high);
int define_pcidevice_context(unsigned long device);
int define_devicetree_context(void);
int define_range_trans(int class_specified);
int define_role_allow(void);
int define_role_trans(int class_specified);
@ -66,6 +73,7 @@ int define_roleattribute(void);
int define_filename_trans(void);
int define_sens(void);
int define_te_avtab(int which);
int define_te_avtab_extended_perms(int which);
int define_typealias(void);
int define_typeattribute(void);
int define_typebounds(void);

4
libqpol/policy_extend.c
View File

@ -231,7 +231,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy)
}
/* Already exists */
else
else
tmp_name = db->p_type_val_to_name[i];
tmp_type = calloc(1, sizeof(type_datum_t));
@ -311,6 +311,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy)
* errno will be set. On failure, the policy state may be inconsistent
* especially in the case where the hashtab functions return the error.
*/
static int qpol_policy_fill_attr_holes(qpol_policy_t * policy)
{
policydb_t *db = NULL;
@ -1007,6 +1008,7 @@ int policy_extend(qpol_policy_t * policy)
error = errno;
goto err;
}
if (db->attr_type_map) {
retv = qpol_policy_build_attrs_from_map(policy);
if (retv) {

100
libqpol/policy_parse.y
View File

@ -1,10 +1,6 @@
/**
* @file policy_parse.y
*
* This file is based upon checkpolicy/policy_parse.y from NSA's SVN
* repository. It has been modified to support older policy formats.
* The older format just seems to be FSUSEPSID support (see fs_use_def
* entry.
/*
* This file is a copy of policy_parse.y from checkpolicy 2.4 updated to
* support SETools.
*/
/*
@ -37,7 +33,7 @@
/* FLASK */
%{
/* Add for SETools */
/* Required for SETools libqpol services */
#include <config.h>
#include <sys/types.h>
@ -61,7 +57,7 @@
#include <sepol/policydb/polcaps.h>
#include "queue.h"
/* #include "checkpolicy.h" - Remove for setools and replace with: */
/* #include "checkpolicy.h" - Remove for SETools and replace with: */
#include <qpol/policy.h>
#include "module_compiler.h"
@ -88,6 +84,7 @@ extern char *qpol_src_inputlim;/* end of data */
%union {
unsigned int val;
uint64_t val64;
uintptr_t valptr;
void *ptr;
require_func_t require_func;
@ -99,9 +96,11 @@ extern char *qpol_src_inputlim;/* end of data */
%type <ptr> role_def roles
%type <valptr> cexpr cexpr_prim op role_mls_op
%type <val> ipv4_addr_def number
%type <val64> number64
%type <require_func> require_decl_def
%token PATH
%token QPATH
%token FILENAME
%token CLONE
%token COMMON
@ -144,11 +143,15 @@ extern char *qpol_src_inputlim;/* end of data */
%token AUDITALLOW
%token AUDITDENY
%token DONTAUDIT
%token ALLOWXPERM
%token AUDITALLOWXPERM
%token DONTAUDITXPERM
%token NEVERALLOWXPERM
%token SOURCE
%token TARGET
%token SAMEUSER
%token FSCON PORTCON NETIFCON NODECON
%token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON
%token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON DEVICETREECON
%token FSUSEXATTR FSUSETASK FSUSETRANS
%token GENFSCON
%token U1 U2 U3 R1 R2 R3 T1 T2 T3 L1 L2 H1 H2
@ -266,14 +269,8 @@ mls : sensitivities dominance opt_categories levels mlspolicy
sensitivities : sensitivity_def
| sensitivities sensitivity_def
;
/*sensitivity_def : SENSITIVITY identifier alias_def ';'
{if (define_sens()) return -1;}
| SENSITIVITY identifier ';'
{if (define_sens()) return -1;}
;
The above has been replaced by: */
/* Needed for SETools to call define_mls here, as we are working */
/* with files only, not command line options */
/* SETools - Add define_mls() to set MLS, as we are working with
* files only, not checkpolicy/module command line options */
sensitivity_def : SENSITIVITY identifier alias_def ';'
{if (define_mls() | define_sens()) return -1;}
| SENSITIVITY identifier ';'
@ -483,6 +480,10 @@ te_avtab_def : allow_def
| auditdeny_def
| dontaudit_def
| neverallow_def
| xperm_allow_def
| xperm_auditallow_def
| xperm_dontaudit_def
| xperm_neverallow_def
;
allow_def : ALLOW names names ':' names names ';'
{if (define_te_avtab(AVRULE_ALLOWED)) return -1; }
@ -499,6 +500,18 @@ dontaudit_def : DONTAUDIT names names ':' names names ';'
neverallow_def : NEVERALLOW names names ':' names names ';'
{if (define_te_avtab(AVRULE_NEVERALLOW)) return -1; }
;
xperm_allow_def : ALLOWXPERM names names ':' names identifier xperms ';'
{if (define_te_avtab_extended_perms(AVRULE_XPERMS_ALLOWED)) return -1; }
;
xperm_auditallow_def : AUDITALLOWXPERM names names ':' names identifier xperms ';'
{if (define_te_avtab_extended_perms(AVRULE_XPERMS_AUDITALLOW)) return -1; }
;
xperm_dontaudit_def : DONTAUDITXPERM names names ':' names identifier xperms ';'
{if (define_te_avtab_extended_perms(AVRULE_XPERMS_DONTAUDIT)) return -1; }
;
xperm_neverallow_def : NEVERALLOWXPERM names names ':' names identifier xperms ';'
{if (define_te_avtab_extended_perms(AVRULE_XPERMS_NEVERALLOW)) return -1; }
;
attribute_role_def : ATTRIBUTE_ROLE identifier ';'
{if (define_attrib_role()) return -1; }
;
@ -670,23 +683,29 @@ dev_contexts : dev_context_def
dev_context_def : pirq_context_def |
iomem_context_def |
ioport_context_def |
pci_context_def
pci_context_def |
dtree_context_def
;
/* SETools - Add define_xen() to set policy type, as we are working
* with files only, not checkpolicy/module command line options */
pirq_context_def : PIRQCON number security_context_def
{if (define_pirq_context($2)) return -1;}
{if (define_xen() | define_pirq_context($2)) return -1;}
;
iomem_context_def : IOMEMCON number security_context_def
{if (define_iomem_context($2,$2)) return -1;}
| IOMEMCON number '-' number security_context_def
{if (define_iomem_context($2,$4)) return -1;}
iomem_context_def : IOMEMCON number64 security_context_def
{if (define_xen() | define_iomem_context($2,$2)) return -1;}
| IOMEMCON number64 '-' number64 security_context_def
{if (define_xen() | define_iomem_context($2,$4)) return -1;}
;
ioport_context_def : IOPORTCON number security_context_def
{if (define_ioport_context($2,$2)) return -1;}
{if (define_xen() | define_ioport_context($2,$2)) return -1;}
| IOPORTCON number '-' number security_context_def
{if (define_ioport_context($2,$4)) return -1;}
{if (define_xen() | define_ioport_context($2,$4)) return -1;}
;
pci_context_def : PCIDEVICECON number security_context_def
{if (define_pcidevice_context($2)) return -1;}
{if (define_xen() | define_pcidevice_context($2)) return -1;}
;
dtree_context_def : DEVICETREECON path security_context_def
{if (define_xen() | define_devicetree_context()) return -1;}
;
opt_fs_contexts : fs_contexts
|
@ -759,6 +778,28 @@ genfs_context_def : GENFSCON filesystem path '-' identifier security_context_def
ipv4_addr_def : IPV4_ADDR
{ if (insert_id(yytext,0)) return -1; }
;
xperms : xperm
{ if (insert_separator(0)) return -1; }
| nested_xperm_set
{ if (insert_separator(0)) return -1; }
| tilde xperm
{ if (insert_id("~", 0)) return -1; }
| tilde nested_xperm_set
{ if (insert_id("~", 0)) return -1;
if (insert_separator(0)) return -1; }
;
nested_xperm_set : '{' nested_xperm_list '}'
;
nested_xperm_list : nested_xperm_element
| nested_xperm_list nested_xperm_element
;
nested_xperm_element: xperm '-' { if (insert_id("-", 0)) return -1; } xperm
| xperm
| nested_xperm_set
;
xperm : number
{ if (insert_id(yytext,0)) return -1; }
;
security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def
;
opt_mls_range_def : ':' mls_range_def
@ -834,6 +875,8 @@ filesystem : FILESYSTEM
;
path : PATH
{ if (insert_id(yytext,0)) return -1; }
| QPATH
{ yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; }
;
filename : FILENAME
{ yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; }
@ -841,6 +884,9 @@ filename : FILENAME
number : NUMBER
{ $$ = strtoul(yytext,NULL,0); }
;
number64 : NUMBER
{ $$ = strtoull(yytext,NULL,0); }
;
ipv6_addr : IPV6_ADDR
{ if (insert_id(yytext,0)) return -1; }
;

37
libqpol/policy_scan.l
View File

@ -1,14 +1,13 @@
/**
* @file policy_parse.y
*
* This file is based upon checkpolicy/policy_scan.l fram NSA's SVN
* repository. It has been modified to support older policy formats.
* The older format just seems to be FSUSEPSID support (see fs_use_psid
* entry.
*
/*
* This file is a copy of policy_scan.l from checkpolicy 2.4 updated to
* support SETools.
*/
/*
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
*
* Updated: David Caplan, <dac@tresys.com>
*/
/* Updated: David Caplan, <dac@tresys.com>
*
* Added conditional policy language extensions
*
@ -36,7 +35,7 @@
#include <stdint.h>
#include <string.h>
typedef int (* require_func_t)(int pass);
typedef int (* require_func_t)(void);
/* For SETools libqpol services leave this as policy_parse.h */
#include "policy_parse.h"
@ -44,7 +43,6 @@ typedef int (* require_func_t)(int pass);
static char linebuf[2][255];
static unsigned int lno = 0;
int yywarn(const char *msg);
int yyerror(const char *msg);
void set_source_file(const char *name);
@ -159,6 +157,14 @@ AUDITDENY |
auditdeny { return(AUDITDENY); }
DONTAUDIT |
dontaudit { return(DONTAUDIT); }
ALLOWXPERM |
allowxperm { return(ALLOWXPERM); }
AUDITALLOWXPERM |
auditallowxperm { return(AUDITALLOWXPERM); }
DONTAUDITXPERM |
dontauditxperm { return(DONTAUDITXPERM); }
NEVERALLOWXPERM |
neverallowxperm { return(NEVERALLOWXPERM); }
SOURCE |
source { return(SOURCE); }
TARGET |
@ -204,6 +210,8 @@ ioportcon |
IOPORTCON { return(IOPORTCON);}
pcidevicecon |
PCIDEVICECON { return(PCIDEVICECON);}
devicetreecon |
DEVICETREECON { return(DEVICETREECON);}
fs_use_xattr |
FS_USE_XATTR { return(FSUSEXATTR);}
fs_use_task |
@ -257,10 +265,11 @@ HIGH { return(HIGH); }
low |
LOW { return(LOW); }
"/"({alnum}|[_\.\-/])* { return(PATH); }
\""/"[ !#-~]*\" { return(QPATH); }
\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); }
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
{digit}+|0x{hexval}+ { return(NUMBER); }
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
@ -325,6 +334,8 @@ void set_source_file(const char *name)
source_lineno = 1;
strncpy(source_file, name, sizeof(source_file)-1);
source_file[sizeof(source_file)-1] = '\0';
if (strlen(source_file) && source_file[strlen(source_file)-1] == '"')
source_file[strlen(source_file)-1] = '\0';
}
/* Required for SETools libqpol services */

11
libqpol/queue.c
View File

@ -1,12 +1,9 @@
/**
* @file
*
* This file is a copy of queue.c from NSA's CVS repository.
*
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
/*
* This file is a copy of queue.c from checkpolicy 2.4. There are
* NO updates required to support SETools.
*/
/* No changes for SETools libqpol services - Just the header */
/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
/* FLASK */

11
libqpol/queue.h
View File

@ -1,12 +1,9 @@
/**
* @file
*
* This file is a copy of queue.h from NSA's CVS repository.
*
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
/*
* This file is a copy of queue.h from checkpolicy 2.4. There are
* NO updates required to support SETools.
*/
/* No changes for SETools libqpol services - Just the header */
/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
/* FLASK */

557
libqpol/xen_query.c Normal file
View File

@ -0,0 +1,557 @@
/**
* @file
* Defines the public interface for searching and iterating over
* Xen statements.
*
* @author Richard Haines richard_c_haines@btinternet.com
* Derived from portcon_query.c
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*/
#include <config.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdint.h>
#include <qpol/iterator.h>
#include <qpol/policy.h>
#include <qpol/context_query.h>
#include <qpol/xen_query.h>
#include <sepol/policydb/policydb.h>
#include "qpol_internal.h"
#include "iterator_internal.h"
/******************************* iomemcon **************************/
int qpol_policy_get_iomemcon_by_addr(const qpol_policy_t *policy,
uint64_t low, uint64_t high,
const qpol_iomemcon_t **ocon)
{
ocontext_t *tmp = NULL;
policydb_t *db = NULL;
if (ocon != NULL)
*ocon = NULL;
if (policy == NULL || ocon == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
db = &policy->p->p;
for (tmp = db->ocontexts[OCON_XEN_IOMEM]; tmp; tmp = tmp->next) {
if (tmp->u.iomem.low_iomem == low &&
tmp->u.iomem.high_iomem == high)
break;
}
*ocon = (qpol_iomemcon_t *) tmp;
if (*ocon == NULL) {
ERR(policy, "could not find iomemcon statement for %lu-%lu",
low, high);
errno = ENOENT;
return STATUS_ERR;
}
return STATUS_SUCCESS;
}
int qpol_policy_get_iomemcon_iter(const qpol_policy_t *policy,
qpol_iterator_t **iter)
{
policydb_t *db = NULL;
int error = 0;
ocon_state_t *os = NULL;
if (iter != NULL)
*iter = NULL;
if (policy == NULL || iter == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
db = &policy->p->p;
os = calloc(1, sizeof(ocon_state_t));
if (os == NULL) {
error = errno;
ERR(policy, "%s", strerror(ENOMEM));
errno = error;
return STATUS_ERR;
}
os->head = os->cur = db->ocontexts[OCON_XEN_IOMEM];
if (qpol_iterator_create(policy, (void *)os, ocon_state_get_cur,
ocon_state_next, ocon_state_end, ocon_state_size,
free, iter)) {
free(os);
return STATUS_ERR;
}
return STATUS_SUCCESS;
}
int qpol_iomemcon_get_low_addr(const qpol_policy_t *policy,
const qpol_iomemcon_t *ocon,
uint64_t *addr)
{
ocontext_t *internal_ocon = NULL;
if (addr != NULL)
*addr = 0;
if (policy == NULL || ocon == NULL || addr == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
internal_ocon = (ocontext_t *) ocon;
*addr = internal_ocon->u.iomem.low_iomem;
return STATUS_SUCCESS;
}
int qpol_iomemcon_get_high_addr(const qpol_policy_t *policy,
const qpol_iomemcon_t *ocon,
uint64_t *addr)
{
ocontext_t *internal_ocon = NULL;
if (addr != NULL)
*addr = 0;
if (policy == NULL || ocon == NULL || addr == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
internal_ocon = (ocontext_t *) ocon;
*addr = internal_ocon->u.iomem.high_iomem;
return STATUS_SUCCESS;
}
int qpol_iomemcon_get_context(const qpol_policy_t *policy,
const qpol_iomemcon_t *ocon,
const qpol_context_t **context)
{
ocontext_t *internal_ocon = NULL;
if (context != NULL)
*context = NULL;
if (policy == NULL || ocon == NULL || context == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
internal_ocon = (ocontext_t *) ocon;
*context = (qpol_context_t *) &(internal_ocon->context[0]);
return STATUS_SUCCESS;
}
/******************************* ioportcon **************************/
int qpol_policy_get_ioportcon_by_port(const qpol_policy_t *policy,
uint32_t low, uint32_t high,
const qpol_ioportcon_t **ocon)
{
ocontext_t *tmp = NULL;
policydb_t *db = NULL;
if (ocon != NULL)
*ocon = NULL;
if (policy == NULL || ocon == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
db = &policy->p->p;
for (tmp = db->ocontexts[OCON_XEN_IOPORT]; tmp; tmp = tmp->next) {
if (tmp->u.ioport.low_ioport == low &&
tmp->u.ioport.high_ioport == high)
break;
}
*ocon = (qpol_ioportcon_t *) tmp;
if (*ocon == NULL) {
ERR(policy, "could not find ioportcon statement for %u-%u",
low, high);
errno = ENOENT;
return STATUS_ERR;
}
return STATUS_SUCCESS;
}
int qpol_policy_get_ioportcon_iter(const qpol_policy_t *policy,
qpol_iterator_t **iter)
{
policydb_t *db = NULL;
int error = 0;
ocon_state_t *os = NULL;
if (iter != NULL)
*iter = NULL;
if (policy == NULL || iter == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
db = &policy->p->p;
os = calloc(1, sizeof(ocon_state_t));
if (os == NULL) {
error = errno;
ERR(policy, "%s", strerror(ENOMEM));
errno = error;
return STATUS_ERR;
}
os->head = os->cur = db->ocontexts[OCON_XEN_IOPORT];
if (qpol_iterator_create(policy, (void *)os, ocon_state_get_cur,
ocon_state_next, ocon_state_end,
ocon_state_size, free, iter)) {
free(os);
return STATUS_ERR;
}
return STATUS_SUCCESS;
}
int qpol_ioportcon_get_low_port(const qpol_policy_t *policy,
const qpol_ioportcon_t *ocon,
uint32_t *port)
{
ocontext_t *internal_ocon = NULL;
if (port != NULL)
*port = 0;
if (policy == NULL || ocon == NULL || port == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
internal_ocon = (ocontext_t *) ocon;
*port = internal_ocon->u.ioport.low_ioport;
return STATUS_SUCCESS;
}
int qpol_ioportcon_get_high_port(const qpol_policy_t *policy,
const qpol_ioportcon_t *ocon,
uint32_t *port)
{
ocontext_t *internal_ocon = NULL;
if (port != NULL)
*port = 0;
if (policy == NULL || ocon == NULL || port == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
internal_ocon = (ocontext_t *) ocon;
*port = internal_ocon->u.ioport.high_ioport;
return STATUS_SUCCESS;
}
int qpol_ioportcon_get_context(const qpol_policy_t *policy,
const qpol_ioportcon_t *ocon,
const qpol_context_t **context)
{
ocontext_t *internal_ocon = NULL;
if (context != NULL)
*context = NULL;
if (policy == NULL || ocon == NULL || context == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
internal_ocon = (ocontext_t *) ocon;
*context = (qpol_context_t *) &(internal_ocon->context[0]);
return STATUS_SUCCESS;
}
/******************************* pcidevicecon **************************/
int qpol_policy_get_pcidevicecon_iter(const qpol_policy_t *policy,
qpol_iterator_t **iter)
{
policydb_t *db = NULL;
int error = 0;
ocon_state_t *os = NULL;
if (iter != NULL)
*iter = NULL;
if (policy == NULL || iter == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
db = &policy->p->p;
os = calloc(1, sizeof(ocon_state_t));
if (os == NULL) {
error = errno;
ERR(policy, "%s", strerror(ENOMEM));
errno = error;
return STATUS_ERR;
}
os->head = os->cur = db->ocontexts[OCON_XEN_PCIDEVICE];
if (qpol_iterator_create(policy, (void *)os, ocon_state_get_cur,
ocon_state_next, ocon_state_end,
ocon_state_size, free, iter)) {
free(os);
return STATUS_ERR;
}
return STATUS_SUCCESS;
}
int qpol_pcidevicecon_get_device(const qpol_policy_t *policy,
const qpol_pcidevicecon_t *ocon,
uint32_t *device)
{
ocontext_t *internal_ocon = NULL;
if (device != NULL)
*device = 0;
if (policy == NULL || ocon == NULL || device == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
internal_ocon = (ocontext_t *) ocon;
*device = internal_ocon->u.device;
return STATUS_SUCCESS;
}
int qpol_pcidevicecon_get_context(const qpol_policy_t *policy,
const qpol_pcidevicecon_t *ocon,
const qpol_context_t **context)
{
ocontext_t *internal_ocon = NULL;
if (context != NULL)
*context = NULL;
if (policy == NULL || ocon == NULL || context == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
internal_ocon = (ocontext_t *) ocon;
*context = (qpol_context_t *) &(internal_ocon->context[0]);
return STATUS_SUCCESS;
}
/******************************* pirqcon **************************/
int qpol_policy_get_pirqcon_iter(const qpol_policy_t *policy,
qpol_iterator_t **iter)
{
policydb_t *db = NULL;
int error = 0;
ocon_state_t *os = NULL;
if (iter != NULL)
*iter = NULL;
if (policy == NULL || iter == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
db = &policy->p->p;
os = calloc(1, sizeof(ocon_state_t));
if (os == NULL) {
error = errno;
ERR(policy, "%s", strerror(ENOMEM));
errno = error;
return STATUS_ERR;
}
os->head = os->cur = db->ocontexts[OCON_XEN_PIRQ];
if (qpol_iterator_create(policy, (void *)os, ocon_state_get_cur,
ocon_state_next, ocon_state_end,
ocon_state_size, free, iter)) {
free(os);
return STATUS_ERR;
}
return STATUS_SUCCESS;
}
int qpol_pirqcon_get_irq(const qpol_policy_t *policy,
const qpol_pirqcon_t *ocon,
uint16_t *irq)
{
ocontext_t *internal_ocon = NULL;
if (irq != NULL)
*irq = 0;
if (policy == NULL || ocon == NULL || irq == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
internal_ocon = (ocontext_t *) ocon;
*irq = internal_ocon->u.pirq;
return STATUS_SUCCESS;
}
int qpol_pirqcon_get_context(const qpol_policy_t *policy,
const qpol_pirqcon_t *ocon,
const qpol_context_t **context)
{
ocontext_t *internal_ocon = NULL;
if (context != NULL)
*context = NULL;
if (policy == NULL || ocon == NULL || context == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
internal_ocon = (ocontext_t *) ocon;
*context = (qpol_context_t *) &(internal_ocon->context[0]);
return STATUS_SUCCESS;
}
/******************************* devicetreecon **************************/
int qpol_policy_get_devicetreecon_iter(const qpol_policy_t *policy,
qpol_iterator_t **iter)
{
policydb_t *db = NULL;
ocon_state_t *os = NULL;
int error = 0;
if (iter != NULL)
*iter = NULL;
if (policy == NULL || iter == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
db = &policy->p->p;
os = calloc(1, sizeof(ocon_state_t));
if (os == NULL) {
error = errno;
ERR(policy, "%s", strerror(ENOMEM));
errno = error;
return STATUS_ERR;
}
os->head = os->cur = db->ocontexts[OCON_XEN_DEVICETREE];
if (qpol_iterator_create(policy, (void *)os, ocon_state_get_cur,
ocon_state_next, ocon_state_end,
ocon_state_size, free, iter)) {
free(os);
return STATUS_ERR;
}
return STATUS_SUCCESS;
}
int qpol_devicetreecon_get_path(const qpol_policy_t *policy,
const qpol_devicetreecon_t *ocon,
char **path)
{
ocontext_t *internal_ocon = NULL;
if (path != NULL)
*path = NULL;
if (policy == NULL || ocon == NULL || path == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
internal_ocon = (ocontext_t *) ocon;
*path = internal_ocon->u.name;
return STATUS_SUCCESS;
}
int qpol_devicetreecon_get_context(const qpol_policy_t *policy,
const qpol_devicetreecon_t *ocon,
const qpol_context_t **context)
{
ocontext_t *internal_ocon = NULL;
if (context != NULL)
*context = NULL;
if (policy == NULL || ocon == NULL || context == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
internal_ocon = (ocontext_t *) ocon;
*context = (qpol_context_t *) &(internal_ocon->context[0]);
return STATUS_SUCCESS;
}

235
libqpol/xprule_query.c Normal file
View File

@ -0,0 +1,235 @@
/**
* @file
* Implementation for the public interface for searching and iterating over
* xperm rules.
*
* @author Richard Haines richard_c_haines@btinternet.com
* Derived from avrule_query.c
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*/
#include <stddef.h>
#include <stdlib.h>
#include <stdint.h>
#include "iterator_internal.h"
#include <qpol/iterator.h>
#include <qpol/policy.h>
#include <qpol/xprule_query.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/avtab.h>
#include <sepol/policydb/util.h>
#include <stdlib.h>
#include "qpol_internal.h"
int qpol_policy_get_xprule_iter(const qpol_policy_t *policy,
uint32_t rule_type_mask,
qpol_iterator_t **iter)
{
policydb_t *db;
avtab_state_t *state;
if (iter)
*iter = NULL;
if (policy == NULL || iter == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
if ((rule_type_mask & QPOL_RULE_NEVERALLOWXPERM) &&
!qpol_policy_has_capability(policy,
QPOL_CAP_NEVERALLOW)) {
ERR(policy, "%s", "Cannot get xperms: Neverallow rules requested but not available");
errno = ENOTSUP;
return STATUS_ERR;
}
db = &policy->p->p;
state = calloc(1, sizeof(avtab_state_t));
if (state == NULL) {
ERR(policy, "%s", strerror(ENOMEM));
errno = ENOMEM;
return STATUS_ERR;
}
state->ucond_tab = &db->te_avtab;
state->cond_tab = &db->te_cond_avtab;
state->rule_type_mask = rule_type_mask;
state->node = db->te_avtab.htable[0];
if (qpol_iterator_create
(policy, state, avtab_state_get_cur, avtab_state_next,
avtab_state_end, avtab_state_size, free, iter)) {
free(state);
return STATUS_ERR;
}
if (state->node == NULL ||
!(state->node->key.specified & state->rule_type_mask)) {
avtab_state_next(*iter);
}
return STATUS_SUCCESS;
}
int qpol_xprule_get_source_type(const qpol_policy_t *policy,
const qpol_xprule_t *rule,
const qpol_type_t **source)
{
policydb_t *db = NULL;
avtab_ptr_t xperm = NULL;
if (source)
*source = NULL;
if (!policy || !rule || !source) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
db = &policy->p->p;
xperm = (avtab_ptr_t)rule;
*source = (qpol_type_t *)
db->type_val_to_struct[xperm->key.source_type - 1];
return STATUS_SUCCESS;
}
int qpol_xprule_get_target_type(const qpol_policy_t *policy,
const qpol_xprule_t *rule,
const qpol_type_t **target)
{
policydb_t *db = NULL;
avtab_ptr_t xperm = NULL;
if (target)
*target = NULL;
if (!policy || !rule || !target) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
db = &policy->p->p;
xperm = (avtab_ptr_t)rule;
*target = (qpol_type_t *)
db->type_val_to_struct[xperm->key.target_type - 1];
return STATUS_SUCCESS;
}
int qpol_xprule_get_object_class(const qpol_policy_t *policy,
const qpol_xprule_t *rule,
const qpol_class_t **obj_class)
{
policydb_t *db = NULL;
avtab_ptr_t xperm = NULL;
if (obj_class)
*obj_class = NULL;
if (!policy || !rule || !obj_class) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
db = &policy->p->p;
xperm = (avtab_ptr_t)rule;
*obj_class = (qpol_class_t *)
db->class_val_to_struct[xperm->key.target_class - 1];
return STATUS_SUCCESS;
}
int qpol_xprule_get_command(const qpol_policy_t *policy,
const qpol_xprule_t *rule,
const char **xprule_command)
{
avtab_ptr_t xperm = NULL;
if (xprule_command)
*xprule_command = NULL;
if (!policy || !rule || !xprule_command) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
xperm = (avtab_ptr_t)rule;
switch (xperm->datum.xperms->specified) {
case AVRULE_XPERMS_IOCTLFUNCTION:
case AVRULE_XPERMS_IOCTLDRIVER:
*xprule_command = "ioctl";
break;
default:
return STATUS_ERR;
}
return STATUS_SUCCESS;
}
int qpol_xprule_get_xperm_string(const qpol_policy_t *policy,
const qpol_xprule_t *rule,
char **xperm_string)
{
avtab_ptr_t xperm = NULL;
if (xperm_string)
*xperm_string = NULL;
if (!policy || !rule || !xperm_string) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
xperm = (avtab_ptr_t)rule;
*xperm_string = sepol_extended_perms_to_string(xperm->datum.xperms);
return STATUS_SUCCESS;
}
int qpol_xprule_get_rule_type(const qpol_policy_t *policy,
const qpol_xprule_t *rule,
uint32_t *rule_type)
{
avtab_ptr_t xperm = NULL;
if (rule_type)
*rule_type = 0;
if (!policy || !rule || !rule_type) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
xperm = (avtab_ptr_t)rule;
*rule_type = (xperm->key.specified & (
QPOL_RULE_ALLOWXPERM |
QPOL_RULE_NEVERALLOWXPERM |
QPOL_RULE_AUDITALLOWXPERM |
QPOL_RULE_DONTAUDITXPERM));
return STATUS_SUCCESS;
}

474
setools/policyrep/qpol.i
View File

@ -53,6 +53,8 @@
#include "include/qpol/type_query.h"
#include "include/qpol/user_query.h"
#include "include/qpol/util.h"
#include "include/qpol/xen_query.h"
#include "include/qpol/xprule_query.h"
/* Provide hooks so that language-specific modules can define the
* callback function, used by the handler in
@ -177,7 +179,8 @@ typedef enum qpol_capability
QPOL_CAP_DEFAULT_TYPE,
QPOL_CAP_PERMISSIVE,
QPOL_CAP_FILENAME_TRANS,
QPOL_CAP_ROLETRANS
QPOL_CAP_ROLETRANS,
QPOL_CAP_XPERM_IOCTL
} qpol_capability_e;
%exception qpol_policy {
$action
@ -224,6 +227,17 @@ typedef enum qpol_capability
}
};
/* This is whether SELinux or XEN policy */
const char *target_platform () {
int t;
(void)qpol_policy_get_target_platform(self, &t);
switch (t) {
case SEPOL_TARGET_SELINUX: return "selinux";
case SEPOL_TARGET_XEN: return "xen";
default: return "unknown";
}
};
int capability (qpol_capability_e cap) {
return qpol_policy_has_capability(self, cap);
};
@ -766,6 +780,75 @@ typedef enum qpol_capability
return 0;
};
%newobject xprule_iter(int);
%pythoncode %{ @QpolGenerator(_qpol.qpol_xprule_from_void) %}
qpol_iterator_t *xprule_iter() {
qpol_iterator_t *iter;
uint32_t rule_types = QPOL_RULE_ALLOWXPERM | QPOL_RULE_AUDITALLOWXPERM | QPOL_RULE_DONTAUDITXPERM;
if (qpol_policy_has_capability(self, QPOL_CAP_NEVERALLOW))
rule_types |= QPOL_RULE_NEVERALLOWXPERM;
if (qpol_policy_get_xprule_iter(self, rule_types, &iter)) {
SWIG_exception(SWIG_MemoryError, "Out of Memory");
}
return iter;
fail:
return NULL;
};
size_t xprule_allow_count() {
qpol_iterator_t *iter;
size_t count = 0;
if (qpol_policy_get_xprule_iter(self, QPOL_RULE_ALLOWXPERM, &iter)) {
SWIG_exception(SWIG_MemoryError, "Out of Memory");
}
qpol_iterator_get_size(iter, &count);
return count;
fail:
return 0;
};
size_t xprule_auditallow_count() {
qpol_iterator_t *iter;
size_t count = 0;
if (qpol_policy_get_xprule_iter(self, QPOL_RULE_AUDITALLOWXPERM, &iter)) {
SWIG_exception(SWIG_MemoryError, "Out of Memory");
}
qpol_iterator_get_size(iter, &count);
return count;
fail:
return 0;
};
size_t xprule_neverallow_count() {
if (qpol_policy_has_capability(self, QPOL_CAP_NEVERALLOW)) {
qpol_iterator_t *iter;
size_t count = 0;
if (qpol_policy_get_xprule_iter(self, QPOL_RULE_NEVERALLOWXPERM, &iter)) {
SWIG_exception(SWIG_MemoryError, "Out of Memory");
}
qpol_iterator_get_size(iter, &count);
return count;
} else {
return 0;
}
fail:
return 0;
};
size_t xprule_dontaudit_count() {
qpol_iterator_t *iter;
size_t count = 0;
if (qpol_policy_get_xprule_iter(self, QPOL_RULE_DONTAUDITXPERM, &iter)) {
SWIG_exception(SWIG_MemoryError, "Out of Memory");
}
qpol_iterator_get_size(iter, &count);
return count;
fail:
return 0;
};
%newobject terule_iter(int);
%pythoncode %{ @QpolGenerator(_qpol.qpol_terule_from_void) %}
qpol_iterator_t *terule_iter() {
@ -934,6 +1017,122 @@ typedef enum qpol_capability
fail:
return NULL;
};
%newobject iomemcon_iter();
%pythoncode %{ @QpolGenerator(_qpol.qpol_iomemcon_from_void) %}
qpol_iterator_t *iomemcon_iter() {
qpol_iterator_t *iter;
if (qpol_policy_get_iomemcon_iter(self, &iter)) {
SWIG_exception(SWIG_MemoryError, "Out of Memory");
}
return iter;
fail:
return NULL;
};
size_t iomemcon_count() {
qpol_iterator_t *iter;
size_t count = 0;
if (qpol_policy_get_iomemcon_iter(self, &iter)) {
SWIG_exception(SWIG_MemoryError, "Out of Memory");
}
qpol_iterator_get_size(iter, &count);
return count;
fail:
return 0;
};
%newobject ioportcon_iter();
%pythoncode %{ @QpolGenerator(_qpol.qpol_ioportcon_from_void) %}
qpol_iterator_t *ioportcon_iter() {
qpol_iterator_t *iter;
if (qpol_policy_get_ioportcon_iter(self, &iter)) {
SWIG_exception(SWIG_MemoryError, "Out of Memory");
}
return iter;
fail:
return NULL;
};
size_t ioportcon_count() {
qpol_iterator_t *iter;
size_t count = 0;
if (qpol_policy_get_ioportcon_iter(self, &iter)) {
SWIG_exception(SWIG_MemoryError, "Out of Memory");
}
qpol_iterator_get_size(iter, &count);
return count;
fail:
return 0;
};
%newobject pcidevicecon_iter();
%pythoncode %{ @QpolGenerator(_qpol.qpol_pcidevicecon_from_void) %}
qpol_iterator_t *pcidevicecon_iter() {
qpol_iterator_t *iter;
if (qpol_policy_get_pcidevicecon_iter(self, &iter)) {
SWIG_exception(SWIG_MemoryError, "Out of Memory");
}
return iter;
fail:
return NULL;
};
size_t pcidevicecon_count() {
qpol_iterator_t *iter;
size_t count = 0;
if (qpol_policy_get_pcidevicecon_iter(self, &iter)) {
SWIG_exception(SWIG_MemoryError, "Out of Memory");
}
qpol_iterator_get_size(iter, &count);
return count;
fail:
return 0;
};
%newobject pirqcon_iter();
%pythoncode %{ @QpolGenerator(_qpol.qpol_pirqcon_from_void) %}
qpol_iterator_t *pirqcon_iter() {
qpol_iterator_t *iter;
if (qpol_policy_get_pirqcon_iter(self, &iter)) {
SWIG_exception(SWIG_MemoryError, "Out of Memory");
}
return iter;
fail:
return NULL;
};
size_t pirqcon_count() {
qpol_iterator_t *iter;
size_t count = 0;
if (qpol_policy_get_pirqcon_iter(self, &iter)) {
SWIG_exception(SWIG_MemoryError, "Out of Memory");
}
qpol_iterator_get_size(iter, &count);
return count;
fail:
return 0;
};
%newobject devicetreecon_iter();
%pythoncode %{ @QpolGenerator(_qpol.qpol_devicetreecon_from_void) %}
qpol_iterator_t *devicetreecon_iter() {
qpol_iterator_t *iter;
if (qpol_policy_get_devicetreecon_iter(self, &iter)) {
SWIG_exception(SWIG_MemoryError, "Out of Memory");
}
return iter;
fail:
return NULL;
};
size_t devicetreecon_count() {
qpol_iterator_t *iter;
size_t count = 0;
if (qpol_policy_get_devicetreecon_iter(self, &iter)) {
SWIG_exception(SWIG_MemoryError, "Out of Memory");
}
qpol_iterator_get_size(iter, &count);
return count;
fail:
return 0;
};
};
/* qpol iterator */
@ -2566,6 +2765,85 @@ typedef struct qpol_avrule {} qpol_avrule_t;
};
%}
/* qpol xperm rules */
#define QPOL_RULE_ALLOWXPERM 0x0100
#define QPOL_RULE_AUDITALLOWXPERM 0x0200
#define QPOL_RULE_DONTAUDITXPERM 0x0400
#define QPOL_RULE_NEVERALLOWXPERM 0x0800
typedef struct qpol_xprule {} qpol_xprule_t;
%extend qpol_xprule {
qpol_xprule() {
SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_xprule_t objects");
fail:
return NULL;
};
~qpol_xprule() {
/* no op */
return;
};
const char * rule_type(qpol_policy_t *p) {
uint32_t rt;
if (qpol_xprule_get_rule_type(p, self, &rt)) {
SWIG_exception(SWIG_ValueError, "Could not get rule type for xperm rule");
}
switch (rt) {
case QPOL_RULE_ALLOWXPERM: return "allowxperm"; break;
case QPOL_RULE_NEVERALLOWXPERM: return "neverallowxperm"; break;
case QPOL_RULE_AUDITALLOWXPERM: return "auditallowxperm"; break;
case QPOL_RULE_DONTAUDITXPERM: return "dontauditxperm"; break;
}
fail:
return NULL;
};
const qpol_type_t *source_type(qpol_policy_t *p) {
const qpol_type_t *t;
if (qpol_xprule_get_source_type(p, self, &t)) {
SWIG_exception(SWIG_ValueError, "Could not get source for xperm rule");
}
fail:
return t;
};
const qpol_type_t *target_type(qpol_policy_t *p) {
const qpol_type_t *t;
if (qpol_xprule_get_target_type(p, self, &t)) {
SWIG_exception(SWIG_ValueError, "Could not get target for xperm rule");
}
fail:
return t;
};
const qpol_class_t *object_class(qpol_policy_t *p) {
const qpol_class_t *cls;
if (qpol_xprule_get_object_class(p, self, &cls)) {
SWIG_exception(SWIG_ValueError, "Could not get class for xperm rule");
}
fail:
return cls;
};
/* This function gets the cmd (e.g. ioctl) and xperms via sepol_extended_perms_to_string() */
char *xprule_xperm_string(qpol_policy_t *p) {
char *xprule_xperm_string = NULL;
if (qpol_xprule_get_xperm_string(p, self, &xprule_xperm_string)) {
SWIG_exception(SWIG_ValueError, "Could not get extended permissions for xperm rule");
}
fail:
return xprule_xperm_string;
};
const char *xprule_command(qpol_policy_t *p) {
const char *xprule_command = NULL;
if (qpol_xprule_get_command(p, self, &xprule_command)) {
SWIG_exception(SWIG_ValueError, "Could not get command for xperm rule");
}
fail:
return xprule_command;
};
};
%inline %{
qpol_xprule_t *qpol_xprule_from_void(void *x) {
return (qpol_xprule_t*)x;
};
%}
/* qpol te rule */
#define QPOL_RULE_TYPE_TRANS 16
#define QPOL_RULE_TYPE_CHANGE 64
@ -3061,3 +3339,197 @@ typedef struct qpol_default_object {} qpol_default_object_t;
return (qpol_default_object_t*)x;
};
%}
/* qpol iomemcon */
typedef struct qpol_iomemcon {} qpol_iomemcon_t;
%extend qpol_iomemcon {
qpol_iomemcon(qpol_policy_t *p, uint64_t low, uint64_t high) {
const qpol_iomemcon_t *qp;
if (qpol_policy_get_iomemcon_by_addr(p, low, high, &qp)) {
SWIG_exception(SWIG_RuntimeError, "iomemcon statement does not exist");
}
fail:
return (qpol_iomemcon_t*)qp;
};
~qpol_iomemcon() {
/* no op */
return;
};
uint64_t low_addr(qpol_policy_t *p) {
uint64_t addr = 0;
if(qpol_iomemcon_get_low_addr(p, self, &addr)) {
SWIG_exception(SWIG_RuntimeError, "Could not get low addr for iomemcon statement");
}
fail:
return addr;
};
uint64_t high_addr(qpol_policy_t *p) {
uint64_t addr = 0;
if(qpol_iomemcon_get_high_addr(p, self, &addr)) {
SWIG_exception(SWIG_RuntimeError, "Could not get high addr for iomemcon statement");
}
fail:
return addr;
};
const qpol_context_t *context(qpol_policy_t *p) {
const qpol_context_t *ctx;
if (qpol_iomemcon_get_context(p, self, &ctx)) {
SWIG_exception(SWIG_ValueError, "Could not get context for iomemcon statement");
}
fail:
return ctx;
};
}
%inline %{
qpol_iomemcon_t *qpol_iomemcon_from_void(void *x) {
return (qpol_iomemcon_t*)x;
};
%}
/* qpol ioportcon */
typedef struct qpol_ioportcon {} qpol_ioportcon_t;
%extend qpol_ioportcon {
qpol_ioportcon(qpol_policy_t *p, uint32_t low, uint32_t high) {
const qpol_ioportcon_t *qp;
if (qpol_policy_get_ioportcon_by_port(p, low, high, &qp)) {
SWIG_exception(SWIG_RuntimeError, "ioportcon statement does not exist");
}
fail:
return (qpol_ioportcon_t*)qp;
};
~qpol_ioportcon() {
/* no op */
return;
};
uint32_t low_port(qpol_policy_t *p) {
uint32_t port = 0;
if(qpol_ioportcon_get_low_port(p, self, &port)) {
SWIG_exception(SWIG_RuntimeError, "Could not get low port for ioportcon statement");
}
fail:
return port;
};
uint32_t high_port(qpol_policy_t *p) {
uint32_t port = 0;
if(qpol_ioportcon_get_high_port(p, self, &port)) {
SWIG_exception(SWIG_RuntimeError, "Could not get high port for ioportcon statement");
}
fail:
return port;
};
const qpol_context_t *context(qpol_policy_t *p) {
const qpol_context_t *ctx;
if (qpol_ioportcon_get_context(p, self, &ctx)) {
SWIG_exception(SWIG_ValueError, "Could not get context for ioportcon statement");
}
fail:
return ctx;
};
}
%inline %{
qpol_ioportcon_t *qpol_ioportcon_from_void(void *x) {
return (qpol_ioportcon_t*)x;
};
%}
/* qpol pcidevicecon */
typedef struct qpol_pcidevicecon {} qpol_pcidevicecon_t;
%extend qpol_pcidevicecon {
qpol_pcidevicecon() {
SWIG_exception(SWIG_RuntimeError, "pcidevicecon statement does not exist");
fail:
return NULL;
};
~qpol_pcidevicecon() {
return;
};
uint32_t device(qpol_policy_t *p) {
uint32_t device = 0;
if(qpol_pcidevicecon_get_device(p, self, &device)) {
SWIG_exception(SWIG_RuntimeError, "Could not get device for pcidevicecon statement");
}
fail:
return device;
};
const qpol_context_t *context(qpol_policy_t *p) {
const qpol_context_t *ctx;
if (qpol_pcidevicecon_get_context(p, self, &ctx)) {
SWIG_exception(SWIG_ValueError, "Could not get context for pcidevicecon statement");
}
fail:
return ctx;
};
}
%inline %{
qpol_pcidevicecon_t *qpol_pcidevicecon_from_void(void *x) {
return (qpol_pcidevicecon_t*)x;
};
%}
/* qpol pirqcon */
typedef struct qpol_pirqcon {} qpol_pirqcon_t;
%extend qpol_pirqcon {
qpol_pirqcon() {
SWIG_exception(SWIG_RuntimeError, "pirqcon statement does not exist");
fail:
return NULL;
};
~qpol_pirqcon() {
return;
};
uint32_t irq(qpol_policy_t *p) {
uint16_t irq = 0;
if(qpol_pirqcon_get_irq(p, self, &irq)) {
SWIG_exception(SWIG_RuntimeError, "Could not get irq for pirqcon statement");
}
fail:
return irq;
};
const qpol_context_t *context(qpol_policy_t *p) {
const qpol_context_t *ctx;
if (qpol_pirqcon_get_context(p, self, &ctx)) {
SWIG_exception(SWIG_ValueError, "Could not get context for pirqcon statement");
}
fail:
return ctx;
};
}
%inline %{
qpol_pirqcon_t *qpol_pirqcon_from_void(void *x) {
return (qpol_pirqcon_t*)x;
};
%}
/* qpol devicetreecon */
typedef struct qpol_devicetreecon {} qpol_devicetreecon_t;
%extend qpol_devicetreecon {
qpol_devicetreecon() {
SWIG_exception(SWIG_RuntimeError, "devicetreecon statement does not exist");
fail:
return NULL;
};
char *path(qpol_policy_t *p) {
char *path = NULL;
if(qpol_devicetreecon_get_path(p, self, &path)) {
SWIG_exception(SWIG_RuntimeError, "Could not get path for devicetreecon statement");
}
fail:
return path;
};
const qpol_context_t *context(qpol_policy_t *p) {
const qpol_context_t *ctx;
if (qpol_devicetreecon_get_context(p, self, &ctx)) {
SWIG_exception(SWIG_ValueError, "Could not get context for devicetreecon statement");
}
fail:
return ctx;
};
}
%inline %{
qpol_devicetreecon_t *qpol_devicetreecon_from_void(void *x) {
return (qpol_devicetreecon_t*)x;
};
%}

4
setup.py
View File

@ -104,7 +104,9 @@ ext_py_mods = [Extension('setools.policyrep._qpol',
'libqpol/user_query.c',
'libqpol/util.c',
'libqpol/policy_parse.c',
'libqpol/policy_scan.c'],
'libqpol/policy_scan.c',
'libqpol/xen_query.c',
'libqpol/xprule_query.c'],
include_dirs=['libqpol', 'libqpol/include'],
libraries=['bz2', 'selinux', 'sepol'],
extra_compile_args=['-Werror', '-Wextra',