Merge pull request #131 from jbrindle/master

MacOS support
Chris PeBenito 2016-04-22 13:08:24 -04:00
commit ee4584ddc8
14 changed files with 62 additions and 368 deletions


@ -11,3 +11,4 @@ include qhc/*
include tests/*.conf
include tests/*.py
include tests/perm_map
include include/*

18
include/linux_types.h Normal file

@ -0,0 +1,18 @@
#ifndef linux_types_h
#define linux_types_h
#ifdef __linux__
# include "linux/types.h"
#else
# include <stdint.h>
typedef int32_t __s32;
typedef uint32_t __u32;
typedef uint8_t __u8;
typedef uint16_t __u16;
#define s6_addr32 __u6_addr32
#define IPPROTO_DCCP 33
#endif
#endif
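Review bot: `#define IPPROTO_DCCP 33` in the non-Linux branch is unconditional, so it redefines the constant on any host whose `<netinet/in.h>` already provides it; guard it with `#ifndef IPPROTO_DCCP` / `# define IPPROTO_DCCP 33` / `#endif`. The `s6_addr32` → `__u6_addr32` mapping presumably targets the BSD-style `struct in6_addr`, where the 32-bit array sits inside a nested `__u6_addr` union, so whether an expression like `addr.s6_addr32[i]` still names a valid member should be confirmed on an actual Darwin build. The typedefs deliberately reuse the implementation-reserved kernel names `__s32`/`__u32`/`__u8`/`__u16`; a header comment such as `/* Minimal stand-in for <linux/types.h> on non-Linux hosts; mirrors the kernel typedef names the parser expects. */` would record that intent, and should also say that the `#else` branch covers every non-Linux host, not only macOS.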


@ -16,9 +16,6 @@
/* Define to 1 if you have the `bz2' library (-lbz2). */
#define HAVE_LIBBZ2 1
/* Define to 1 if you have the `selinux' library (-lselinux). */
#define HAVE_LIBSELINUX 1
/* Define to 1 if you have the `sepol' library (-lsepol). */
#define HAVE_LIBSEPOL 1
@ -111,9 +108,6 @@
/* libsefs version */
#define LIBSEFS_VERSION_STRING "4.0.4"
/* enable libselinux-specific code */
#define LIBSELINUX 1
/* link programs using shared libraries */
#define LINK_SHARED 1


@ -85,14 +85,6 @@ extern "C"
*/
#define QPOL_POLICY_OPTION_NO_RULES 0x00000002
/**
* When loading the policy, attempt to interpret it as the way the
* running system would. If the policy is of a version higher than
* one supported by the system, then the policy will be downgraded to
* the system's maximum value.
*/
#define QPOL_POLICY_OPTION_MATCH_SYSTEM 0x00000004
/**
* List of capabilities a policy may have. This list represents
* features of policy that may differ from version to version or
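Review bot: Deleting `QPOL_POLICY_OPTION_MATCH_SYSTEM` from the public header removes an API flag without retiring it, so existing callers that pass `0x00000004` now compile against a library that silently ignores the bit (the implementation goes away in the policy_extend.c hunks and the SWIG constant in qpol.i). Keeping the definition with a deprecation note preserves the value space and makes the change visible: `/** @deprecated No longer honored; kept so the bit value is not reused. */` above the original `#define`. If a hard removal is intended, it belongs in the changelog and, together with the deleted `libqpol.map`, in a major version bump.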


@ -1,87 +0,0 @@
VERS_1.2 {
global:
qpol_avrule_*;
qpol_bool_*;
qpol_cat_*;
qpol_class_*;
qpol_common_*;
qpol_cond_*;
qpol_constraint_*;
qpol_context_*;
qpol_default_policy_find;
qpol_fs_use_*;
qpol_genfscon_*;
qpol_isid_*;
qpol_iterator_end;
qpol_iterator_next;
qpol_iterator_get_*;
qpol_iterator_destroy;
qpol_level_*;
qpol_mls_*;
qpol_module_*;
qpol_netifcon_*;
qpol_nodecon_*;
qpol_perm_*;
qpol_policy_append_module;
qpol_policy_build_syn_rule_table;
qpol_policy_destroy;
qpol_policy_get_*;
qpol_policy_has_capability;
qpol_policy_open_from_file;
qpol_policy_open_from_file_no_rules;
qpol_policy_open_from_memory;
qpol_policy_rebuild;
qpol_policy_reevaluate_conds;
qpol_portcon_*;
qpol_range_trans_*;
qpol_filename_trans_*;
qpol_role_*;
qpol_syn_avrule_*;
qpol_syn_terule_*;
qpol_terule_*;
qpol_type_get_alias_iter;
qpol_type_get_attr_iter;
qpol_type_get_isalias;
qpol_type_get_isattr;
qpol_type_get_name;
qpol_type_get_type_iter;
qpol_type_get_value;
qpol_type_set_*;
qpol_user_*;
qpol_validatetrans_*;
libqpol_get_version;
local: *;
};
VERS_1.3 {
global:
qpol_policy_open_from_file;
qpol_policy_open_from_memory;
qpol_policy_rebuild;
} VERS_1.2;
VERS_1.4 {
global:
qpol_type_get_ispermissive;
qpol_type_get_parent_name;
} VERS_1.3;
VERS_1.5 {
global:
qpol_policy_permissive_*;
qpol_permissive_*;
qpol_typebounds_*;
qpol_rolebounds_*;
qpol_userbounds_*;
qpol_policy_polcap_*;
qpol_polcap_*;
qpol_default_object_*;
qpol_iomemcon_*;
qpol_ioportcon_*;
qpol_pcidevicecon_*;
qpol_pirqcon_*;
qpol_devicetreecon_*;
qpol_xperm_*;
init_qpol;
PyInit__qpol;
} VERS_1.4;


@ -152,7 +152,7 @@ int declare_symbol(uint32_t symbol_type,
assert(s != NULL);
if (symbol_type == SYM_LEVELS) {
*dest_value = ((level_datum_t *)s)->level->sens;
*dest_value = ((level_datum_t *)(void *)s)->level->sens;
} else {
*dest_value = s->value;
}
@ -647,7 +647,7 @@ int require_symbol(uint32_t symbol_type,
assert(s != NULL);
if (symbol_type == SYM_LEVELS) {
*dest_value = ((level_datum_t *)s)->level->sens;
*dest_value = ((level_datum_t *)(void *)s)->level->sens;
} else {
*dest_value = s->value;
}
@ -1074,7 +1074,7 @@ static int require_bool_tunable(int pass, int is_tunable)
if (is_tunable)
booldatum->flags |= COND_BOOL_FLAGS_TUNABLE;
retval =
require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) (void *) booldatum,
&booldatum->s.value, &booldatum->s.value);
if (retval != 0) {
cond_destroy_bool(id, booldatum, NULL);
@ -1198,7 +1198,7 @@ int require_cat(int pass)
}
cat_datum_init(cat);
retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat,
retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) (void *)cat,
&cat->s.value, &cat->s.value);
if (retval != 0) {
free(id);
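Review bot: The added `(void *)` intermediate casts on the `level_datum_t *` and `hashtab_datum_t *` conversions only silence the `-Wcast-align` warning that setup.py enables; they do not change the object's alignment, so they are correct only because the datum was allocated as the wider type to begin with. A one-line comment at the first occurrence would stop the next reader from treating the cast as a fix, e.g. `/* via void *: datum was allocated as level_datum_t; the cast only silences -Wcast-align */`. The same pattern recurs in the require_symbol, require_bool_tunable and require_cat hunks; each enclosing function starts and ends outside its hunk.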


@ -28,8 +28,6 @@
#include "qpol_internal.h"
#include <assert.h>
#include <byteswap.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
@ -37,7 +35,15 @@
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <asm/types.h>
#ifdef DARWIN
# include "linux_types.h"
# include <machine/endian.h>
# include <sys/types.h>
#else
# include <endian.h>
# include <asm/types.h>
#endif
#include <sepol/debug.h>
#include <sepol/handle.h>
@ -779,15 +785,6 @@ err:
struct qpol_extended_image;
extern void qpol_extended_image_destroy(struct qpol_extended_image **ext);
#if LINK_SHARED == 1
__asm__(".symver qpol_policy_open_from_file_old,qpol_policy_open_from_file@");
__asm__(".symver qpol_policy_open_from_file_opt,qpol_policy_open_from_file@@VERS_1.3");
__asm__(".symver qpol_policy_open_from_memory_old,qpol_policy_open_from_memory@");
__asm__(".symver qpol_policy_open_from_memory_opt,qpol_policy_open_from_memory@VERS_1.3");
__asm__(".symver qpol_policy_rebuild_old,qpol_policy_rebuild@");
__asm__(".symver qpol_policy_rebuild_opt,qpol_policy_rebuild@@VERS_1.3");
#endif
/**
* @brief Internal version of qpol_policy_rebuild() version 1.3
*
@ -795,7 +792,7 @@ __asm__(".symver qpol_policy_rebuild_opt,qpol_policy_rebuild@@VERS_1.3");
* for version 1.3; this symbol name is not exported.
* @see qpol_policy_rebuild()
*/
int qpol_policy_rebuild_opt(qpol_policy_t * policy, const int options)
int qpol_policy_rebuild(qpol_policy_t * policy, const int options)
{
sepol_policydb_t *old_p = NULL;
sepol_policydb_t **modules = NULL;
@ -928,39 +925,6 @@ int qpol_policy_rebuild_opt(qpol_policy_t * policy, const int options)
return STATUS_ERR;
}
#if LINK_SHARED == 0
int qpol_policy_rebuild(qpol_policy_t * policy, int options)
{
return qpol_policy_rebuild_opt(policy, options);
}
#endif
/**
* @brief Internal version of qpol_policy_rebuild() version 1.2 or earlier
* @deprecated use the 1.3 version.
* @see qpol_policy_rebuild()
*/
int qpol_policy_rebuild_old(qpol_policy_t * policy)
{
if (!policy) {
ERR(NULL, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
/* fail if not a modular policy */
if (policy->type != QPOL_POLICY_MODULE_BINARY) {
ERR(policy, "%s", strerror(ENOTSUP));
errno = ENOTSUP;
return STATUS_ERR;
}
if (!policy->modified)
return STATUS_SUCCESS;
return qpol_policy_rebuild_opt(policy, policy->options);
}
/**
* @brief Internal version of qpol_policy_open_from_file() version 1.3
*
@ -968,7 +932,7 @@ int qpol_policy_rebuild_old(qpol_policy_t * policy)
* for version 1.3; this symbol name is not exported.
* @see qpol_policy_open_from_file()
*/
int qpol_policy_open_from_file_opt(const char *path, qpol_policy_t ** policy, qpol_callback_fn_t fn, void *varg, const int options)
int qpol_policy_open_from_file(const char *path, qpol_policy_t ** policy, qpol_callback_fn_t fn, void *varg, const int options)
{
int error = 0, retv = -1;
FILE *infile = NULL;
@ -1057,7 +1021,7 @@ int qpol_policy_open_from_file_opt(const char *path, qpol_policy_t ** policy, qp
}
/* *policy now owns mod */
mod = NULL;
if (qpol_policy_rebuild_opt(*policy, options)) {
if (qpol_policy_rebuild(*policy, options)) {
error = errno;
goto err;
}
@ -1146,18 +1110,6 @@ int qpol_policy_open_from_file_opt(const char *path, qpol_policy_t ** policy, qp
return -1;
}
#if LINK_SHARED == 0
int qpol_policy_open_from_file(const char *path, qpol_policy_t ** policy, qpol_callback_fn_t fn, void *varg, const int options)
{
return qpol_policy_open_from_file_opt(path, policy, fn, varg, options);
}
#endif
int qpol_policy_open_from_file_no_rules(const char *path, qpol_policy_t ** policy, qpol_callback_fn_t fn, void *varg)
{
return qpol_policy_open_from_file_opt(path, policy, fn, varg, QPOL_POLICY_OPTION_NO_RULES);
}
/**
* @brief Internal version of qpol_policy_open_from_memory() version 1.3
*
@ -1165,7 +1117,7 @@ int qpol_policy_open_from_file_no_rules(const char *path, qpol_policy_t ** polic
* for version 1.3; this symbol name is not exported.
* @see qpol_policy_open_from_memory()
*/
int qpol_policy_open_from_memory_opt(qpol_policy_t ** policy, const char *filedata, size_t size, qpol_callback_fn_t fn, void *varg,
int qpol_policy_open_from_memory(qpol_policy_t ** policy, const char *filedata, size_t size, qpol_callback_fn_t fn, void *varg,
const int options)
{
int error = 0;
@ -1258,34 +1210,6 @@ int qpol_policy_open_from_memory_opt(qpol_policy_t ** policy, const char *fileda
}
#if LINK_SHARED == 0
int qpol_policy_open_from_memory(qpol_policy_t ** policy, const char *filedata, size_t size, qpol_callback_fn_t fn, void *varg,
const int options)
{
return qpol_policy_open_from_memory_opt(policy, filedata, size, fn, varg, options);
}
#endif
/**
* @brief Internal version of qpol_policy_open_from_file() version 1.2 or earlier
* @deprecated use the 1.3 version.
* @see qpol_policy_open_from_file()
*/
int qpol_policy_open_from_file_old(const char *path, qpol_policy_t ** policy, qpol_callback_fn_t fn, void *varg)
{
return qpol_policy_open_from_file(path, policy, fn, varg, 0);
}
/**
* @brief Internal version of qpol_policy_open_from_memory() version 1.2 or earlier
* @deprecated use the 1.3 version.
* @see qpol_policy_open_from_memory()
*/
int qpol_policy_open_from_memory_old(qpol_policy_t ** policy, const char *filedata, size_t size, qpol_callback_fn_t fn, void *varg)
{
return qpol_policy_open_from_memory_opt(policy, filedata, size, fn, varg, 0);
}
void qpol_policy_destroy(qpol_policy_t ** policy)
{
if (policy != NULL && *policy != NULL) {
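Review bot: The doc comments kept above the renamed functions are now wrong: `qpol_policy_rebuild`, `qpol_policy_open_from_file` and `qpol_policy_open_from_memory` still carry `@brief Internal version of ... version 1.3` and `this symbol name is not exported`, while the rename makes each one the exported symbol itself. Replace each with the public contract, e.g. `@brief Rebuild the policy with the given options` for the first, and drop the `not exported` sentence in all three. Removing `qpol_policy_open_from_file_no_rules` and the `_old` entry points also drops symbols that `libqpol.map` exported under VERS_1.2/VERS_1.3, which is an ABI break for any out-of-tree consumer and worth stating in the commit message. The include hunk appears to drop `<byteswap.h>` entirely while only relocating `<endian.h>`, so any remaining `bswap_*` use in this file would now fail on Linux as well; worth a grep before merging.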


@ -57,6 +57,10 @@
#include <sepol/policydb/polcaps.h>
#include "queue.h"
#ifdef DARWIN
#include "linux_types.h"
#endif
/* Required for SETools libqpol - Removed #include "checkpolicy.h"*/
#include <qpol/policy.h>
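Review bot: The new guard depends on `DARWIN`, a macro that only setup.py defines, so compiling this grammar with any other driver on macOS silently skips the include and fails later on the missing `__u32` typedefs. The compiler already predefines `__APPLE__` on macOS, so `#if defined(DARWIN) || defined(__APPLE__)` keeps the setup.py path working while removing the dependency on the build script; the `#ifdef DARWIN` block in policy.c has the same issue. Alternatively, since `linux_types.h` already branches on `__linux__` internally, it could be included here unconditionally.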


@ -39,7 +39,6 @@
#include <qpol/policy.h>
#include <qpol/policy_extend.h>
#include <qpol/iterator.h>
#include <selinux/selinux.h>
#include <errno.h>
#include <assert.h>
#include <stdio.h>
@ -446,35 +445,6 @@ static int qpol_policy_add_isid_names(qpol_policy_t * policy)
return 0;
}
/**
* If the given policy's version is higher than the running system's
* version, then mark it as different. In a future version of
* libqpol, accessors will return data as if the policy were really
* the new version rather than what it actually is.
*/
static int qpol_policy_match_system(qpol_policy_t * policy)
{
int kernvers = security_policyvers();
unsigned int currentvers = policy->p->p.policyvers;
int error;
if (kernvers < 0) {
error = errno;
ERR(policy, "%s", "Could not determine running system's policy version.");
errno = error;
return -1;
}
if (currentvers > (unsigned)kernvers) {
if (sepol_policydb_set_vers(policy->p, kernvers)) {
error = errno;
ERR(policy, "Could not downgrade policy to version %d.", kernvers);
errno = error;
return -1;
}
WARN(policy, "Policy would be downgraded from version %d to %d.", currentvers, kernvers);
}
return 0;
}
/**
* Walks the conditional list and adds links for reverse look up from
* a te/av rule to the conditional from which it came.
@ -1025,10 +995,6 @@ int policy_extend(qpol_policy_t * policy)
error = errno;
goto err;
}
if ((policy->options & QPOL_POLICY_OPTION_MATCH_SYSTEM) && qpol_policy_match_system(policy)) {
error = errno;
goto err;
}
if (policy->options & QPOL_POLICY_OPTION_NO_RULES)
return STATUS_SUCCESS;


@ -38,144 +38,14 @@
#include <sys/stat.h>
#include <sys/types.h>
#include <selinux/selinux.h>
const char *libqpol_get_version(void)
{
return LIBQPOL_VERSION_STRING;
}
static int search_policy_source_file(char **path)
{
int error;
char *source_path;
if (asprintf(&source_path, "%s/src/policy/policy.conf", selinux_policy_root()) < 0) {
return -1;
}
if (access(source_path, R_OK) < 0) {
error = errno;
free(source_path);
errno = error;
return 1;
}
*path = source_path;
return 0;
}
static int get_binpol_version(const char *policy_fname)
{
FILE *policy_fp = NULL;
int ret_version, error;
policy_fp = fopen(policy_fname, "r");
if (policy_fp == NULL) {
return -1;
}
if (!qpol_is_file_binpol(policy_fp)) {
error = errno;
fclose(policy_fp);
errno = error;
return -1;
}
ret_version = qpol_binpol_version(policy_fp);
fclose(policy_fp);
return ret_version;
}
static int search_policy_binary_file(char **path)
{
const char *binary_path;
if ((binary_path = selinux_binary_policy_path()) == NULL) {
return -1;
}
int expected_version = -1, latest_version = -1;
#ifdef LIBSELINUX
/* if the system has SELinux enabled, prefer the policy whose
name matches the current policy version */
if ((expected_version = security_policyvers()) < 0) {
return -1;
}
#endif
glob_t glob_buf;
struct stat fs;
int rt, error = 0, retval = -1;
size_t i;
char *pattern = NULL;
if (asprintf(&pattern, "%s.*", binary_path) < 0) {
return -1;
}
glob_buf.gl_offs = 1;
glob_buf.gl_pathc = 0;
rt = glob(pattern, GLOB_DOOFFS, NULL, &glob_buf);
if (rt != 0 && rt != GLOB_NOMATCH) {
errno = EIO;
return -1;
}
for (i = 0; i < glob_buf.gl_pathc; i++) {
char *p = glob_buf.gl_pathv[i + glob_buf.gl_offs];
if (stat(p, &fs) != 0) {
error = errno;
goto cleanup;
}
if (S_ISDIR(fs.st_mode))
continue;
if ((rt = get_binpol_version(p)) < 0) {
error = errno;
goto cleanup;
}
if (rt > latest_version || rt == expected_version) {
free(*path);
if ((*path = strdup(p)) == NULL) {
error = errno;
goto cleanup;
}
if (rt == expected_version) {
break;
}
latest_version = rt;
}
}
if (*path == NULL) {
retval = 1;
} else {
retval = 0;
}
cleanup:
free(pattern);
globfree(&glob_buf);
if (retval == -1) {
errno = error;
}
return retval;
}
int qpol_default_policy_find(char **path)
{
int rt;
if (path == NULL) {
errno = EINVAL;
return -1;
}
*path = NULL;
/* Try default source policy first as a source policy contains
* more useful information. */
if ((rt = search_policy_source_file(path)) <= 0) {
return rt;
}
/* Try a binary policy */
return search_policy_binary_file(path);
}
#include <stdlib.h>
#include <bzlib.h>
#include <string.h>
#include <sys/sendfile.h>
#define BZ2_MAGICSTR "BZh"
#define BZ2_MAGICLEN (sizeof(BZ2_MAGICSTR)-1)
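Review bot: `#include <sys/sendfile.h>` near the end of the hunk is a Linux-only header with no Darwin counterpart, so if it survives on the new side (the rendered diff does not mark it) util.c still will not compile on macOS, which is the stated goal of the commit; it should sit behind the same platform guard used for the endian headers in policy.c, or go entirely if `sendfile()` is no longer used in this file. Deleting `libqpol_get_version()` and `qpol_default_policy_find()` removes two functions that the (also deleted) `libqpol.map` exported under VERS_1.2, so external callers break at link time; if the Python layer now locates the default policy, the commit message or changelog should say so. The `#include <stdlib.h>` / `<bzlib.h>` / `<string.h>` lines left mid-file after the deleted block would read better hoisted into the top include group.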


@ -29,6 +29,9 @@
#include "qpol_internal.h"
#include "iterator_internal.h"
#define __STDC_FORMAT_MACROS
#include <inttypes.h>
/******************************* iomemcon **************************/
int qpol_policy_get_iomemcon_by_addr(const qpol_policy_t *policy,
uint64_t low, uint64_t high,
@ -56,7 +59,7 @@ int qpol_policy_get_iomemcon_by_addr(const qpol_policy_t *policy,
*ocon = (qpol_iomemcon_t *) tmp;
if (*ocon == NULL) {
ERR(policy, "could not find iomemcon statement for %lu-%lu",
ERR(policy, "could not find iomemcon statement for %" PRIu64 "-%" PRIu64,
low, high);
errno = ENOENT;
return STATUS_ERR;
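Review bot: `#define __STDC_FORMAT_MACROS` is a no-op in C — it only gates the `PRI*` macros in pre-C++11 `<inttypes.h>` — and even where it matters it is placed after `qpol_internal.h` and `iterator_internal.h`, which may already have pulled in `<inttypes.h>` and fixed the macro state before the define is seen. Drop the define and keep only `#include <inttypes.h>`, or if a C++ build of this file is intended, move it above every include. The switch from `%lu` to `PRIu64` for the `uint64_t` arguments is the right fix; `%lu` was undefined behaviour wherever `uint64_t` is `unsigned long long`.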


@ -19,6 +19,8 @@
from socket import IPPROTO_TCP, IPPROTO_UDP, getprotobyname
from collections import namedtuple
import socket
from . import qpol
from . import symbol
from . import context
@ -27,7 +29,10 @@ port_range = namedtuple("port_range", ["low", "high"])
# Python does not have a constant
# for the DCCP protocol.
IPPROTO_DCCP = getprotobyname("dccp")
try:
IPPROTO_DCCP = getprotobyname("dccp")
except socket.error:
IPPROTO_DCCP = 33
def netifcon_factory(policy, name):
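Review bot: `except socket.error:` needs a whole second `import socket` just for an exception alias; in Python 3.3+ `socket.error` is `OSError`, so if Python 2 is out of scope `except OSError:` removes the extra import, and otherwise `from socket import error` next to the existing from-import is tidier. The fallback deserves a word on where the number comes from, e.g. `IPPROTO_DCCP = 33  # IANA-assigned DCCP protocol number; used when /etc/protocols lacks "dccp"`. The existing comment above (`Python does not have a constant`) now describes only half of the block and could mention the fallback.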


@ -161,7 +161,6 @@ def qpol_policy_factory(path):
/* qpol_policy */
#define QPOL_POLICY_OPTION_NO_NEVERALLOWS 0x00000001
#define QPOL_POLICY_OPTION_NO_RULES 0x00000002
#define QPOL_POLICY_OPTION_MATCH_SYSTEM 0x00000004
/* add maximum and minimum policy versions supported by the statically linked libsepol */
%constant int QPOL_POLICY_MAX_VERSION = POLICYDB_VERSION_MAX;
%constant int QPOL_POLICY_MIN_VERSION = POLICYDB_VERSION_MIN;


@ -84,9 +84,14 @@ except KeyError:
# chooses dynamic libraries over static ones, so
# this assumes that the static lib is in the same directory
# as the dynamic lib.
dynamic_sepol = UnixCCompiler().find_library_file(['/usr/lib64', '/usr/lib'], 'sepol')
dynamic_sepol = UnixCCompiler().find_library_file(['.', '/usr/lib64', '/usr/lib'], 'sepol')
static_sepol = dynamic_sepol.replace(".so", ".a")
if sys.platform.startswith('darwin'):
macros=[('DARWIN',1)]
else:
macros=[]
ext_py_mods = [Extension('setools.policyrep._qpol',
['setools/policyrep/qpol.i',
'libqpol/avrule_query.c',
@ -126,8 +131,8 @@ ext_py_mods = [Extension('setools.policyrep._qpol',
'libqpol/policy_parse.c',
'libqpol/policy_scan.c',
'libqpol/xen_query.c'],
include_dirs=['libqpol', 'libqpol/include'],
libraries=['bz2', 'selinux', 'sepol'],
include_dirs=['libqpol', 'libqpol/include', 'include'],
libraries=['bz2'],
extra_compile_args=['-Werror', '-Wextra',
'-Waggregate-return',
'-Wcast-align',
@ -145,12 +150,12 @@ ext_py_mods = [Extension('setools.policyrep._qpol',
'-Wwrite-strings',
'-Wno-missing-field-initializers', # SWIG 3.0.2 generates partially-initialized structs
'-Wno-unused-parameter', # SWIG generates functions with unused parameters
'-Wno-cast-qual', # libsepol/libselinux uses const-to-nonconst casts
'-Wno-cast-qual', # libsepol uses const-to-nonconst casts
'-Wno-shadow', # SWIG generates shadow variables
'-fno-exceptions'],
extra_objects=[static_sepol],
extra_link_args=['-Wl,--version-script=libqpol/libqpol.map'],
swig_opts=['-Ilibqpol/include'])]
swig_opts=['-Ilibqpol/include'],
define_macros=macros,
extra_objects=[static_sepol])]
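Review bot: Putting `'.'` first in the `find_library_file` search list makes the build link whichever `libsepol` happens to sit in the current working directory ahead of the system copy, so a stray or planted library in the build directory is statically linked into the extension without any warning; take the path from an explicit environment variable or setup option instead of the cwd, or at least search `'.'` last. `static_sepol = dynamic_sepol.replace(".so", ".a")` still assumes a `.so` name and a non-`None` result: `find_library_file` returns `None` when nothing matches, and on macOS the shared name ends in `.dylib`, so this line raises `AttributeError` or yields an unusable path unless a `libsepol.a` is found directly. Dropping `extra_link_args=['-Wl,--version-script=libqpol/libqpol.map']` also means every libqpol and statically linked libsepol symbol is now exported from the extension; keeping the version script for non-Darwin builds would restore that. Style: `macros=[('DARWIN',1)]` should be `macros = [('DARWIN', 1)]`, and since the compiler predefines `__APPLE__` on macOS the custom macro may be unnecessary.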
setup(name='setools',
version='4.0.0-beta',