Ejemplo n.º 1
0
    def sort_node(node):
        c = []

        # Module statement
        for mod in node.module_declarations():
            c.append(mod)
            c.append(refpolicy.Comment())

        # Requires
        for require in node.requires():
            c.append(require)
        c.append(refpolicy.Comment())

        # Rules
        #
        # We are going to group output by source type (which
        # we assume is the first argument for interfaces).
        rules = []
        rules.extend(node.avrules())
        rules.extend(node.interface_calls())
        rules.sort(rule_cmp)

        cur = None
        sep_rules = []
        for rule in rules:
            if isinstance(rule, refpolicy.InterfaceCall):
                x = rule.args[0]
            else:
                x = util.first(rule.src_types)

            if cur != x:
                if cur:
                    sep_rules.append(refpolicy.Comment())
                cur = x
                comment = refpolicy.Comment()
                comment.lines.append("============= %s ==============" % cur)
                sep_rules.append(comment)
            sep_rules.append(rule)

        c.extend(sep_rules)

        ras = []
        ras.extend(node.role_types())
        ras.sort(role_type_cmp)
        if len(ras):
            comment = refpolicy.Comment()
            comment.lines.append("============= ROLES ==============")
            c.append(comment)

        c.extend(ras)

        # Everything else
        for child in node.children:
            if child not in c:
                c.append(child)

        node.children = c
Ejemplo n.º 2
0
 def __add_allow_rules(self, avs):
     for av in avs:
         rule = refpolicy.AVRule(av)
         if self.explain:
             rule.comment = refpolicy.Comment(
                 explain_access(av, verbosity=self.explain))
         self.module.children.append(rule)
Ejemplo n.º 3
0
    def __add_allow_rules(self, avs):
        for av in avs:
            rule = refpolicy.AVRule(av)
            if self.dontaudit:
                rule.rule_type = rule.DONTAUDIT
            rule.comment = ""
            if self.explain:
                rule.comment = str(
                    refpolicy.Comment(
                        explain_access(av, verbosity=self.explain)))
            if av.type == audit2why.ALLOW:
                rule.comment += "#!!!! This avc is allowed in the current policy\n"
            if av.type == audit2why.DONTAUDIT:
                rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"

            if av.type == audit2why.BOOLEAN:
                if len(av.data) > 1:
                    rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n#     %s\n" % ", ".join(
                        map(lambda x: x[0], av.data))
                else:
                    rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[
                        0][0]

            if av.type == audit2why.CONSTRAINT:
                rule.comment += "#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.\n"
                rule.comment += "#Constraint rule: "
                for reason in av.data:
                    rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason

            try:
                if (av.type == audit2why.TERULE and "write" in av.perms
                        and ("dir" in av.obj_class or "open" in av.perms)):
                    if not self.domains:
                        self.domains = seinfo(ATTRIBUTE,
                                              name="domain")[0]["types"]
                    types = []

                    for i in map(
                            lambda x: x[TCONTEXT],
                            sesearch(
                                [ALLOW], {
                                    SCONTEXT: av.src_type,
                                    CLASS: av.obj_class,
                                    PERMS: av.perms
                                })):
                        if i not in self.domains:
                            types.append(i)
                    if len(types) == 1:
                        rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % (
                            av.src_type, av.obj_class, ", ".join(types))
                    elif len(types) >= 1:
                        rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % (
                            av.src_type, av.obj_class, ", ".join(types))
            except:
                pass
            self.module.children.append(rule)
    def gen(self, avs, verbosity):
        raw_av = self.match(avs)
        ifcalls = []
        for ml in self.calls:
            ifcall = call_interface(ml.best().interface, ml.av)
            if verbosity:
                ifcall.comment = refpolicy.Comment(explain_access(ml.av, ml, verbosity))
            ifcalls.append((ifcall, ml))

        d = []
        for ifcall, ifs in ifcalls:
            found = False
            for o_ifcall in d:
                if o_ifcall.matches(ifcall):
                    if o_ifcall.comment and ifcall.comment:
                        o_ifcall.comment.merge(ifcall.comment)
                    found = True
            if not found:
                d.append(ifcall)

        return (raw_av, d)