def get_domains_allowed_to(self, context): """Return a dictionary of domains allowed to access a given type, reversing the domain attributes relationships. The dictionary keys are the domain names, and the dictionary values are dictionaries of key "source type" and value "list of rules from type". This should probably be improved by incapsulation in a proper object. """ if context is None: return None allowed_types = defaultdict(list) allowed_domains = defaultdict(list) if not hasattr(self, '_types'): self._initialise_types() if not hasattr(self, '_domains'): self._initialise_domains() # Parse allow rules to find source types for r in self.allow: if r.target == context.type: allowed_types[r.source].append(r) # Go from source types to domains for dname, d in self._domains.iteritems(): attr_iter = d.get_attr_iter(self._qpolicy) src_types = {dname: d} while not attr_iter.end(): a = qpol.qpol_type_from_void(attr_iter.get_item()) src_types[a.get_name(self._qpolicy)] = a attr_iter.next() # src_types contains all types accessible by the domain d for tname in src_types.keys(): if tname in allowed_types: # If a type accessible by this domain can access the target # type, add the rules for that source type under the domain allowed_domains[dname].extend(allowed_types[tname]) return allowed_domains
def _initialise_attrs(self): """Initialise the policy attributes dictionary""" attr_query = apol.apol_attr_query_t() attrs_v = attr_query.run(self._policy) self._attrs = {} for i in range(attrs_v.get_size()): t = qpol.qpol_type_from_void(attrs_v.get_element(i)) self._attrs[t.get_name(self._qpolicy)] = t
def _initialise_domains(self): """Initialise the policy domains dictionary""" if not hasattr(self, '_attrs'): self._initialise_attrs() i = self._attrs["domain"].get_type_iter(self._qpolicy) self._domains = {} while not i.end(): d = qpol.qpol_type_from_void(i.get_item()) self._domains[d.get_name(self._qpolicy)] = d i.next()
def _initialise_types(self): """Initialise the policy types dictionary""" type_query = apol.apol_type_query_t() types_v = type_query.run(self._policy) self._types = {} for i in range(types_v.get_size()): t = qpol.qpol_type_from_void(types_v.get_element(i)) if (not t.get_isattr(self._qpolicy) and not t.get_isalias(self._qpolicy)): self._types[t.get_name(self._qpolicy)] = t
def get_types_accessible_by(self, context): """Return a dictionary of types accessible by a given domain, exploding the domain attributes. The types are filed in the dictionary by type context""" if context is None: return None accessible_types = defaultdict(list) if not hasattr(self, '_types'): self._initialise_types() src_type = self._types[context.type] attr_iter = src_type.get_attr_iter(self._qpolicy) src_types = {context.type: src_type} while not attr_iter.end(): a = qpol.qpol_type_from_void(attr_iter.get_item()) src_types[a.get_name(self._qpolicy)] = a attr_iter.next() # Parse allow rules to find target types for r in self.allow: if r.source in src_types: accessible_types[r.target].append(r) return accessible_types