관리-도구
편집 파일: refpolicy.py
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> # # Copyright (C) 2006 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as # published by the Free Software Foundation; version 2 only # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # import string import selinux # OVERVIEW # # This file contains objects and functions used to represent the reference # policy (including the headers, M4 macros, and policy language statements). # # This representation is very different from the semantic representation # used in libsepol. Instead, it is a more typical abstract representation # used by the first stage of compilers. It is basically a parse tree. # # This choice is intentional as it allows us to handle the unprocessed # M4 statements - including the $1 style arguments - and to more easily generate # the data structures that we need for policy generation. # # Constans for referring to fields SRC_TYPE = 0 TGT_TYPE = 1 OBJ_CLASS = 2 PERMS = 3 ROLE = 4 DEST_TYPE = 5 # String represenations of the above constants field_to_str = ["source", "target", "object", "permission", "role", "destination" ] str_to_field = { "source" : SRC_TYPE, "target" : TGT_TYPE, "object" : OBJ_CLASS, "permission" : PERMS, "role" : ROLE, "destination" : DEST_TYPE } # Base Classes class PolicyBase: def __init__(self, parent=None): self.parent = None self.comment = None class Node(PolicyBase): """Base class objects produced from parsing the reference policy. The Node class is used as the base class for any non-leaf object produced by parsing the reference policy. This object should contain a reference to its parent (or None for a top-level object) and 0 or more children. The general idea here is to have a very simple tree structure. Children are not separated out by type. Instead the tree structure represents fairly closely the real structure of the policy statements. The object should be iterable - by default over all children but subclasses are free to provide additional iterators over a subset of their childre (see Interface for example). """ def __init__(self, parent=None): PolicyBase.__init__(self, parent) self.children = [] def __iter__(self): return iter(self.children) # Not all of the iterators will return something on all Nodes, but # they won't explode either. Putting them here is just easier. # Top level nodes def nodes(self): return filter(lambda x: isinstance(x, Node), walktree(self)) def modules(self): return filter(lambda x: isinstance(x, Module), walktree(self)) def interfaces(self): return filter(lambda x: isinstance(x, Interface), walktree(self)) def templates(self): return filter(lambda x: isinstance(x, Template), walktree(self)) def support_macros(self): return filter(lambda x: isinstance(x, SupportMacros), walktree(self)) # Common policy statements def module_declarations(self): return filter(lambda x: isinstance(x, ModuleDeclaration), walktree(self)) def interface_calls(self): return filter(lambda x: isinstance(x, InterfaceCall), walktree(self)) def avrules(self): return filter(lambda x: isinstance(x, AVRule), walktree(self)) def typerules(self): return filter(lambda x: isinstance(x, TypeRule), walktree(self)) def typebounds(self): return filter(lambda x: isinstance(x, TypeBound), walktree(self)) def typeattributes(self): """Iterate over all of the TypeAttribute children of this Interface.""" return filter(lambda x: isinstance(x, TypeAttribute), walktree(self)) def roleattributes(self): """Iterate over all of the RoleAttribute children of this Interface.""" return filter(lambda x: isinstance(x, RoleAttribute), walktree(self)) def requires(self): return filter(lambda x: isinstance(x, Require), walktree(self)) def roles(self): return filter(lambda x: isinstance(x, Role), walktree(self)) def role_allows(self): return filter(lambda x: isinstance(x, RoleAllow), walktree(self)) def role_types(self): return filter(lambda x: isinstance(x, RoleType), walktree(self)) def __str__(self): if self.comment: return str(self.comment) + "\n" + self.to_string() else: return self.to_string() def __repr__(self): return "<%s(%s)>" % (self.__class__.__name__, self.to_string()) def to_string(self): return "" class Leaf(PolicyBase): def __init__(self, parent=None): PolicyBase.__init__(self, parent) def __str__(self): if self.comment: return str(self.comment) + "\n" + self.to_string() else: return self.to_string() def __repr__(self): return "<%s(%s)>" % (self.__class__.__name__, self.to_string()) def to_string(self): return "" # Utility functions def walktree(node, depthfirst=True, showdepth=False, type=None): """Iterate over a Node and its Children. The walktree function iterates over a tree containing Nodes and leaf objects. The iteration can perform a depth first or a breadth first traversal of the tree (controlled by the depthfirst paramater. The passed in node will be returned. This function will only work correctly for trees - arbitrary graphs will likely cause infinite looping. """ # We control depth first / versus breadth first by # how we pop items off of the node stack. if depthfirst: index = -1 else: index = 0 stack = [(node, 0)] while len(stack) > 0: cur, depth = stack.pop(index) if showdepth: yield cur, depth else: yield cur # If the node is not a Node instance it must # be a leaf - so no need to add it to the stack if isinstance(cur, Node): items = [] i = len(cur.children) - 1 while i >= 0: if type is None or isinstance(cur.children[i], type): items.append((cur.children[i], depth + 1)) i -= 1 stack.extend(items) def walknode(node, type=None): """Iterate over the direct children of a Node. The walktree function iterates over the children of a Node. Unlike walktree it does note return the passed in node or the children of any Node objects (that is, it does not go beyond the current level in the tree). """ for x in node: if type is None or isinstance(x, type): yield x def list_to_space_str(s, cont=('{', '}')): """Convert a set (or any sequence type) into a string representation formatted to match SELinux space separated list conventions. For example the list ['read', 'write'] would be converted into: '{ read write }' """ l = len(s) str = "" if l < 1: raise ValueError("cannot convert 0 len set to string") str = " ".join(s) if l == 1: return str else: return cont[0] + " " + str + " " + cont[1] def list_to_comma_str(s): l = len(s) if l < 1: raise ValueError("cannot conver 0 len set to comma string") return ", ".join(s) # Basic SELinux types class IdSet(set): def __init__(self, list=None): if list: set.__init__(self, list) else: set.__init__(self) self.compliment = False def to_space_str(self): return list_to_space_str(sorted(self)) def to_comma_str(self): return list_to_comma_str(sorted(self)) class SecurityContext(Leaf): """An SELinux security context with optional MCS / MLS fields.""" def __init__(self, context=None, parent=None): """Create a SecurityContext object, optionally from a string. Parameters: [context] - string representing a security context. Same format as a string passed to the from_string method. """ Leaf.__init__(self, parent) self.user = "" self.role = "" self.type = "" self.level = None if context is not None: self.from_string(context) def from_string(self, context): """Parse a string representing a context into a SecurityContext. The string should be in the standard format - e.g., 'user:role:type:level'. Raises ValueError if the string is not parsable as a security context. """ # try to translate the context string to raw form raw = selinux.selinux_trans_to_raw_context(context) if raw[0] == 0: context = raw[1] fields = context.split(":") if len(fields) < 3: raise ValueError("context string [%s] not in a valid format" % context) self.user = fields[0] self.role = fields[1] self.type = fields[2] if len(fields) > 3: # FUTURE - normalize level fields to allow more comparisons to succeed. self.level = ':'.join(fields[3:]) else: self.level = None def __eq__(self, other): """Compare two SecurityContext objects - all fields must be exactly the the same for the comparison to work. It is possible for the level fields to be semantically the same yet syntactically different - in this case this function will return false. """ return self.user == other.user and \ self.role == other.role and \ self.type == other.type and \ self.level == other.level def to_string(self, default_level=None): """Return a string representing this security context. By default, the string will contiain a MCS / MLS level potentially from the default which is passed in if none was set. Arguments: default_level - the default level to use if self.level is an empty string. Returns: A string represening the security context in the form 'user:role:type:level'. """ fields = [self.user, self.role, self.type] if self.level is None: if default_level is None: if selinux.is_selinux_mls_enabled() == 1: fields.append("s0") else: fields.append(default_level) else: fields.append(self.level) return ":".join(fields) class ObjectClass(Leaf): """SELinux object class and permissions. This class is a basic representation of an SELinux object class - it does not represent separate common permissions - just the union of the common and class specific permissions. It is meant to be convenient for policy generation. """ def __init__(self, name="", parent=None): Leaf.__init__(self, parent) self.name = name self.perms = IdSet() # Basic statements class TypeAttribute(Leaf): """SElinux typeattribute statement. This class represents a typeattribute statement. """ def __init__(self, parent=None): Leaf.__init__(self, parent) self.type = "" self.attributes = IdSet() def to_string(self): return "typeattribute %s %s;" % (self.type, self.attributes.to_comma_str()) class RoleAttribute(Leaf): """SElinux roleattribute statement. This class represents a roleattribute statement. """ def __init__(self, parent=None): Leaf.__init__(self, parent) self.role = "" self.roleattributes = IdSet() def to_string(self): return "roleattribute %s %s;" % (self.role, self.roleattributes.to_comma_str()) class Role(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.role = "" self.types = IdSet() def to_string(self): s = "" for t in self.types: s += "role %s types %s;\n" % (self.role, t) return s class Type(Leaf): def __init__(self, name="", parent=None): Leaf.__init__(self, parent) self.name = name self.attributes = IdSet() self.aliases = IdSet() def to_string(self): s = "type %s" % self.name if len(self.aliases) > 0: s = s + "alias %s" % self.aliases.to_space_str() if len(self.attributes) > 0: s = s + ", %s" % self.attributes.to_comma_str() return s + ";" class TypeAlias(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.type = "" self.aliases = IdSet() def to_string(self): return "typealias %s alias %s;" % (self.type, self.aliases.to_space_str()) class Attribute(Leaf): def __init__(self, name="", parent=None): Leaf.__init__(self, parent) self.name = name def to_string(self): return "attribute %s;" % self.name class Attribute_Role(Leaf): def __init__(self, name="", parent=None): Leaf.__init__(self, parent) self.name = name def to_string(self): return "attribute_role %s;" % self.name # Classes representing rules class AVRule(Leaf): """SELinux access vector (AV) rule. The AVRule class represents all varieties of AV rules including allow, dontaudit, and auditallow (indicated by the flags self.ALLOW, self.DONTAUDIT, and self.AUDITALLOW respectively). The source and target types, object classes, and perms are all represented by sets containing strings. Sets are used to make it simple to add strings repeatedly while avoiding duplicates. No checking is done to make certain that the symbols are valid or consistent (e.g., perms that don't match the object classes). It is even possible to put invalid types like '$1' into the rules to allow storage of the reference policy interfaces. """ ALLOW = 0 DONTAUDIT = 1 AUDITALLOW = 2 NEVERALLOW = 3 def __init__(self, av=None, parent=None): Leaf.__init__(self, parent) self.src_types = IdSet() self.tgt_types = IdSet() self.obj_classes = IdSet() self.perms = IdSet() self.rule_type = self.ALLOW if av: self.from_av(av) def __rule_type_str(self): if self.rule_type == self.ALLOW: return "allow" elif self.rule_type == self.DONTAUDIT: return "dontaudit" else: return "auditallow" def from_av(self, av): """Add the access from an access vector to this allow rule. """ self.src_types.add(av.src_type) if av.src_type == av.tgt_type: self.tgt_types.add("self") else: self.tgt_types.add(av.tgt_type) self.obj_classes.add(av.obj_class) self.perms.update(av.perms) def to_string(self): """Return a string representation of the rule that is a valid policy language representation (assuming that the types, object class, etc. are valie). """ return "%s %s %s:%s %s;" % (self.__rule_type_str(), self.src_types.to_space_str(), self.tgt_types.to_space_str(), self.obj_classes.to_space_str(), self.perms.to_space_str()) class TypeRule(Leaf): """SELinux type rules. This class is very similar to the AVRule class, but is for representing the type rules (type_trans, type_change, and type_member). The major difference is the lack of perms and only and sing destination type. """ TYPE_TRANSITION = 0 TYPE_CHANGE = 1 TYPE_MEMBER = 2 def __init__(self, parent=None): Leaf.__init__(self, parent) self.src_types = IdSet() self.tgt_types = IdSet() self.obj_classes = IdSet() self.dest_type = "" self.rule_type = self.TYPE_TRANSITION def __rule_type_str(self): if self.rule_type == self.TYPE_TRANSITION: return "type_transition" elif self.rule_type == self.TYPE_CHANGE: return "type_change" else: return "type_member" def to_string(self): return "%s %s %s:%s %s;" % (self.__rule_type_str(), self.src_types.to_space_str(), self.tgt_types.to_space_str(), self.obj_classes.to_space_str(), self.dest_type) class TypeBound(Leaf): """SElinux typebound statement. This class represents a typebound statement. """ def __init__(self, parent=None): Leaf.__init__(self, parent) self.type = "" self.tgt_types = IdSet() def to_string(self): return "typebounds %s %s;" % (self.type, self.tgt_types.to_comma_str()) class RoleAllow(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.src_roles = IdSet() self.tgt_roles = IdSet() def to_string(self): return "allow %s %s;" % (self.src_roles.to_comma_str(), self.tgt_roles.to_comma_str()) class RoleType(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.role = "" self.types = IdSet() def to_string(self): s = "" for t in self.types: s += "role %s types %s;\n" % (self.role, t) return s class ModuleDeclaration(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.name = "" self.version = "" self.refpolicy = False def to_string(self): if self.refpolicy: return "policy_module(%s, %s)" % (self.name, self.version) else: return "module %s %s;" % (self.name, self.version) class Conditional(Node): def __init__(self, parent=None): Node.__init__(self, parent) self.cond_expr = [] def to_string(self): return "[If %s]" % list_to_space_str(self.cond_expr, cont=("", "")) class Bool(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.name = "" self.state = False def to_string(self): s = "bool %s " % self.name if s.state: return s + "true" else: return s + "false" class InitialSid(Leaf): def __init(self, parent=None): Leaf.__init__(self, parent) self.name = "" self.context = None def to_string(self): return "sid %s %s" % (self.name, str(self.context)) class GenfsCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.filesystem = "" self.path = "" self.context = None def to_string(self): return "genfscon %s %s %s" % (self.filesystem, self.path, str(self.context)) class FilesystemUse(Leaf): XATTR = 1 TRANS = 2 TASK = 3 def __init__(self, parent=None): Leaf.__init__(self, parent) self.type = self.XATTR self.filesystem = "" self.context = None def to_string(self): s = "" if self.type == XATTR: s = "fs_use_xattr " elif self.type == TRANS: s = "fs_use_trans " elif self.type == TASK: s = "fs_use_task " return "%s %s %s;" % (s, self.filesystem, str(self.context)) class PortCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.port_type = "" self.port_number = "" self.context = None def to_string(self): return "portcon %s %s %s" % (self.port_type, self.port_number, str(self.context)) class NodeCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.start = "" self.end = "" self.context = None def to_string(self): return "nodecon %s %s %s" % (self.start, self.end, str(self.context)) class NetifCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.interface = "" self.interface_context = None self.packet_context = None def to_string(self): return "netifcon %s %s %s" % (self.interface, str(self.interface_context), str(self.packet_context)) class PirqCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.pirq_number = "" self.context = None def to_string(self): return "pirqcon %s %s" % (self.pirq_number, str(self.context)) class IomemCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.device_mem = "" self.context = None def to_string(self): return "iomemcon %s %s" % (self.device_mem, str(self.context)) class IoportCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.ioport = "" self.context = None def to_string(self): return "ioportcon %s %s" % (self.ioport, str(self.context)) class PciDeviceCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.device = "" self.context = None def to_string(self): return "pcidevicecon %s %s" % (self.device, str(self.context)) class DeviceTreeCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.path = "" self.context = None def to_string(self): return "devicetreecon %s %s" % (self.path, str(self.context)) # Reference policy specific types def print_tree(head): for node, depth in walktree(head, showdepth=True): s = "" for i in range(depth): s = s + "\t" print(s + str(node)) class Headers(Node): def __init__(self, parent=None): Node.__init__(self, parent) def to_string(self): return "[Headers]" class Module(Node): def __init__(self, parent=None): Node.__init__(self, parent) def to_string(self): return "" class Interface(Node): """A reference policy interface definition. This class represents a reference policy interface definition. """ def __init__(self, name="", parent=None): Node.__init__(self, parent) self.name = name def to_string(self): return "[Interface name: %s]" % self.name class TunablePolicy(Node): def __init__(self, parent=None): Node.__init__(self, parent) self.cond_expr = [] def to_string(self): return "[Tunable Policy %s]" % list_to_space_str(self.cond_expr, cont=("", "")) class Template(Node): def __init__(self, name="", parent=None): Node.__init__(self, parent) self.name = name def to_string(self): return "[Template name: %s]" % self.name class IfDef(Node): def __init__(self, name="", parent=None): Node.__init__(self, parent) self.name = name def to_string(self): return "[Ifdef name: %s]" % self.name class InterfaceCall(Leaf): def __init__(self, ifname="", parent=None): Leaf.__init__(self, parent) self.ifname = ifname self.args = [] self.comments = [] def matches(self, other): if self.ifname != other.ifname: return False if len(self.args) != len(other.args): return False for a,b in zip(self.args, other.args): if a != b: return False return True def to_string(self): s = "%s(" % self.ifname i = 0 for a in self.args: if isinstance(a, list): str = list_to_space_str(a) else: str = a if i != 0: s = s + ", %s" % str else: s = s + str i += 1 return s + ")" class OptionalPolicy(Node): def __init__(self, parent=None): Node.__init__(self, parent) def to_string(self): return "[Optional Policy]" class SupportMacros(Node): def __init__(self, parent=None): Node.__init__(self, parent) self.map = None def to_string(self): return "[Support Macros]" def __expand_perm(self, perm): # Recursive expansion - the assumption is that these # are ordered correctly so that no macro is used before # it is defined s = set() if perm in self.map: for p in self.by_name(perm): s.update(self.__expand_perm(p)) else: s.add(perm) return s def __gen_map(self): self.map = {} for x in self: exp_perms = set() for perm in x.perms: exp_perms.update(self.__expand_perm(perm)) self.map[x.name] = exp_perms def by_name(self, name): if not self.map: self.__gen_map() return self.map[name] def has_key(self, name): if not self.map: self.__gen_map() return name in self.map class Require(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.types = IdSet() self.obj_classes = { } self.roles = IdSet() self.data = IdSet() self.users = IdSet() def add_obj_class(self, obj_class, perms): p = self.obj_classes.setdefault(obj_class, IdSet()) p.update(perms) def to_string(self): s = [] s.append("require {") for type in self.types: s.append("\ttype %s;" % type) for obj_class, perms in self.obj_classes.items(): s.append("\tclass %s %s;" % (obj_class, perms.to_space_str())) for role in self.roles: s.append("\trole %s;" % role) for bool in self.data: s.append("\tbool %s;" % bool) for user in self.users: s.append("\tuser %s;" % user) s.append("}") # Handle empty requires if len(s) == 2: return "" return "\n".join(s) class ObjPermSet: def __init__(self, name): self.name = name self.perms = set() def to_string(self): return "define(`%s', `%s')" % (self.name, self.perms.to_space_str()) class ClassMap: def __init__(self, obj_class, perms): self.obj_class = obj_class self.perms = perms def to_string(self): return self.obj_class + ": " + self.perms class Comment: def __init__(self, l=None): if l: self.lines = l else: self.lines = [] def to_string(self): # If there are no lines, treat this as a spacer between # policy statements and return a new line. if len(self.lines) == 0: return "" else: out = [] for line in self.lines: out.append("#" + line) return "\n".join(out) def merge(self, other): if len(other.lines): for line in other.lines: if line != "": self.lines.append(line) def __str__(self): return self.to_string()