Changeset 1963
- Timestamp:
- 02/29/08 11:57:55 (9 months ago)
- Files:
-
- branches/mls/framework-plugin/src/com/tresys/framework/compiler/linkage/flnkage/FLNKParser.jj (modified) (2 diffs)
- branches/mls/framework-plugin/src/com/tresys/framework/compiler/policy/BaseDomain.java (modified) (1 diff)
- branches/mls/framework-plugin/src/com/tresys/framework/compiler/policy/Component.java (modified) (1 diff)
- branches/mls/framework-plugin/src/com/tresys/framework/compiler/policy/IDomain.java (modified) (1 diff)
- branches/mls/framework-plugin/src/com/tresys/framework/compiler/policy/UserDomain.java (modified) (1 diff)
- branches/mls/framework-plugin/src/com/tresys/framework/compiler/translator/Translator.java (modified) (2 diffs)
- branches/mls/framework-plugin/src/com/tresys/framework/compiler/translator/TranslatorSELinux.java (modified) (2 diffs)
- branches/mls/framework-plugin/src/com/tresys/framework/plugin/builder/AccessCheckVisitor.java (added)
- branches/mls/framework-plugin/src/com/tresys/framework/plugin/builder/FrameworkNature.java (modified) (5 diffs)
- branches/mls/framework-plugin/src/com/tresys/framework/plugin/editor/linkage/BaseDomainDataItem.java (modified) (2 diffs)
- branches/mls/framework-plugin/src/com/tresys/framework/plugin/editor/linkage/BaseDomainRolePart.java (modified) (1 diff)
- branches/mls/framework-plugin/src/com/tresys/framework/plugin/editor/linkage/FLNKGenerator.java (modified) (1 diff)
- branches/mls/libselinuxjava-plugin/swig/selinuxswig.i (modified) (11 diffs)
branches/mls/framework-plugin/src/com/tresys/framework/compiler/linkage/flnkage/FLNKParser.jj
r1878 r1963 482 482 <SEMICOLON> 483 483 { 484 domain. SetType(type.image);484 domain.setType(type.image); 485 485 Utility.Debug("Type " + type.image + " added to BaseDomain " + domain.getName()); 486 486 } … … 497 497 role = <ID> 498 498 { 499 domain. SetRole(role.image);499 domain.setRole(role.image); 500 500 } 501 501 <SEMICOLON> branches/mls/framework-plugin/src/com/tresys/framework/compiler/policy/BaseDomain.java
r1878 r1963 171 171 } 172 172 173 public void SetType(String i_sType)173 public void setType(String i_sType) 174 174 { 175 175 m_sType = i_sType; 176 176 } 177 177 178 public String GetRole()178 public String getRole() 179 179 { 180 180 return this.m_sRole; 181 181 } 182 182 183 public void SetRole(String role)183 public void setRole(String role) 184 184 { 185 185 this.m_sRole = role; branches/mls/framework-plugin/src/com/tresys/framework/compiler/policy/Component.java
r1878 r1963 192 192 } 193 193 194 /** 195 * Get the user portion of the context 196 * @return 197 */ 198 public String getUser () 199 { 200 return "system_u"; 201 } 202 203 /** 204 * Get the role portion of the context 205 * @return 206 */ 207 public String getRole () 208 { 209 return "object_r"; 210 } 211 212 /** 213 * get the sensitivity portion of the context 214 * @return 215 */ 216 public String getSensitivity () 217 { 218 return "s0"; 219 } 220 221 /** 222 * get the full context for this component 223 * @return 224 */ 225 public String getFullContext () 226 { 227 StringBuffer buf = new StringBuffer (); 228 buf.append (getUser ()); 229 buf.append (':'); 230 buf.append (getRole ()); 231 buf.append (':'); 232 buf.append (getType ()); 233 buf.append (':'); 234 buf.append (getSensitivity ()); 235 236 return buf.toString (); 237 } 238 194 239 public boolean Validate(Linkage linkage) 195 240 { branches/mls/framework-plugin/src/com/tresys/framework/compiler/policy/IDomain.java
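Review bot: getUser(), getRole() and getSensitivity() return fixed strings ("system_u", "object_r", "s0") and all four new Javadoc blocks carry an empty `@return`, so getFullContext() — now part of IDomain — always yields a single low-sensitivity context even though this is the MLS branch, and any access decision computed from it covers only that level. Say so in the Javadoc rather than leaving the tag blank, e.g. `@return the sensitivity portion of the context; currently always {@code "s0"}, so contexts built here ignore any MLS range on the domain`, and fill the other `@return` tags similarly. If the BaseDomain/UserDomain getRole() methods renamed in this changeset override this one, the "object_r" default only reaches components that are not domains; a sentence on getRole() stating that would help the next reader. As a style point, `StringBuffer` in getFullContext() has no concurrent use, so `StringBuilder` or `String.join(":", getUser(), getRole(), getType(), getSensitivity())` would be the idiomatic form.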
r1878 r1963 64 64 65 65 public String getType(); 66 67 public String getFullContext (); 66 68 67 69 public Domain getParent(); branches/mls/framework-plugin/src/com/tresys/framework/compiler/policy/UserDomain.java
r1878 r1963 97 97 } 98 98 99 public String GetRole() {99 public String getRole() { 100 100 return getName() + "_r"; 101 101 } branches/mls/framework-plugin/src/com/tresys/framework/compiler/translator/Translator.java
r1956 r1963 166 166 "\tgen_require(`\n" + 167 167 "\t\ttype " + ((BaseDomain) dom).getType() + ";\n" + 168 "\t\trole " + ((BaseDomain) dom). GetRole() + ";\n" +168 "\t\trole " + ((BaseDomain) dom).getRole() + ";\n" + 169 169 "\t')\n"); 170 170 } … … 1165 1165 if(enter.getStartDomain() instanceof BaseDomain) { 1166 1166 PropogateRole(enter.getEndDomain(), ((BaseDomain) enter 1167 .getStartDomain()). GetRole());1167 .getStartDomain()).getRole()); 1168 1168 } else if(enter.getStartDomain() instanceof UserDomain) { 1169 1169 PropogateRole(enter.getEndDomain(), ((UserDomain) enter 1170 .getStartDomain()). GetRole());1170 .getStartDomain()).getRole()); 1171 1171 } 1172 1172 } branches/mls/framework-plugin/src/com/tresys/framework/compiler/translator/TranslatorSELinux.java
r1956 r1963 348 348 if(i_enter.getStartDomain() instanceof BaseDomain) 349 349 { 350 propogateRole(i_enter.getEndDomain(), ((BaseDomain) i_enter.getStartDomain()). GetRole());350 propogateRole(i_enter.getEndDomain(), ((BaseDomain) i_enter.getStartDomain()).getRole()); 351 351 } 352 352 else if(i_enter.getStartDomain() instanceof UserDomain) 353 353 { 354 propogateRole(i_enter.getEndDomain(), ((UserDomain) i_enter.getStartDomain()). GetRole());354 propogateRole(i_enter.getEndDomain(), ((UserDomain) i_enter.getStartDomain()).getRole()); 355 355 } 356 356 } … … 550 550 "\tgen_require(`\n" + 551 551 "\t\ttype " + domain.getType() + ";\n" + 552 "\t\trole " + domain. GetRole() + ";\n" +552 "\t\trole " + domain.getRole() + ";\n" + 553 553 "\t')\n" + "\n')\n"); 554 554 branches/mls/framework-plugin/src/com/tresys/framework/plugin/builder/FrameworkNature.java
r1961 r1963 15 15 import java.io.FileNotFoundException; 16 16 import java.io.IOException; 17 import java.io.InputStream;18 17 import java.io.InputStreamReader; 19 18 import java.net.URL; … … 22 21 import java.util.HashSet; 23 22 import java.util.Iterator; 24 import java.util.Map;25 23 import java.util.Set; 26 24 import java.util.Vector; … … 52 50 import com.tresys.framework.compiler.Utility; 53 51 import com.tresys.framework.compiler.dictionary.Dictionary; 54 import com.tresys.framework.compiler.dictionary.Rdef;55 52 import com.tresys.framework.compiler.linkage.flnkage.FLNKParser; 56 import com.tresys.framework.compiler.linkage.libselinuxjava.policy_file_t;57 import com.tresys.framework.compiler.linkage.libselinuxjava.policydb_t;58 import com.tresys.framework.compiler.linkage.libselinuxjava.sepol_access_vector_t;59 import com.tresys.framework.compiler.linkage.libselinuxjava.sepol_decision;60 import com.tresys.framework.compiler.linkage.libselinuxjava.sepol_security_class_t;61 import com.tresys.framework.compiler.linkage.libselinuxjava.sepol_security_id_t;62 import com.tresys.framework.compiler.linkage.libselinuxjava.sidtab_t;63 53 import com.tresys.framework.compiler.mls.MLSInitializationException; 64 54 import com.tresys.framework.compiler.mls.MLSLevel; 65 55 import com.tresys.framework.compiler.mls.MLSSupport; 66 import com.tresys.framework.compiler.policy.Access;67 import com.tresys.framework.compiler.policy.IDomain;68 56 import com.tresys.framework.compiler.policy.Policy; 69 import com.tresys.framework.compiler.policy.Resource;70 57 import com.tresys.framework.plugin.SEFramework_Plugin; 71 58 import com.tresys.framework.plugin.builder.FrameworkBuilder; … … 844 831 private void checkAccesses (IFile i_policy) 845 832 { 846 boolean bRunCheckAccess = false;833 boolean bRunCheckAccess = true; 847 834 if (!bRunCheckAccess) 848 835 return; … … 850 837 try 851 838 { 852 InputStream policyStream = i_policy.getContents (); 853 byte [] policyData = new byte 
[policyStream.available ()]; 854 policyStream.read (policyData); 855 856 policy_file_t pFile = new policy_file_t(policyData); 857 policydb_t policydb = new policydb_t (pFile); 858 859 sidtab_t sidtab = new sidtab_t(); 860 861 839 840 AccessCheckVisitor visitor = new AccessCheckVisitor (i_policy); 841 862 842 SELinuxSystem sys = getSystem (i_policy); 863 843 Policy policy = sys.getPolicy (); 864 844 865 Collection accesses = policy.getAllAccesses (); 866 for (Iterator itr = accesses.iterator (); itr.hasNext (); ) 867 { 868 Access access = (Access) itr.next (); 869 IDomain dom = access.getDomain (); 870 sepol_security_id_t ssid = new sepol_security_id_t ("system_u:object_r:" + dom.getType () + ":s0"); 871 872 com.tresys.framework.compiler.policy.IResource res = access.getResource (); 873 874 if (res instanceof Resource) 875 { 876 Map rdefs = ((Resource) res).GetRdefs (); 877 for (Iterator itr2 = rdefs.values ().iterator (); itr2.hasNext (); ) 878 { 879 Rdef rdef = (Rdef) itr2.next (); 880 881 String sType = res.getName () + "_" + rdef.GetName () + "_t"; 882 sepol_security_id_t tsid = new sepol_security_id_t ("system_u:object_r:" + sType + ":s0"); 883 884 sepol_security_class_t seclass = new sepol_security_class_t ("file"); 885 sepol_access_vector_t seav = new sepol_access_vector_t (seclass, "read"); 886 887 sepol_decision accessDecision = new sepol_decision (ssid, tsid, seclass, seav); 888 889 int nAllowed = accessDecision.getAllowed (); 890 891 System.out.println("Source ID : " + ssid.toString ()); 892 System.out.println("Target ID: " + tsid.toString ()); 893 894 System.out.println("Allowed: " + nAllowed); 895 896 } 897 } 898 } 899 } 900 catch (CoreException e) 845 policy.Accept (visitor); 846 847 } 848 catch (IOException e) 901 849 { 902 850 e.printStackTrace(); 903 851 } 904 catch (IOException e)905 {906 e.printStackTrace();907 }908 852 909 853 } branches/mls/framework-plugin/src/com/tresys/framework/plugin/editor/linkage/BaseDomainDataItem.java
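Review bot: `boolean bRunCheckAccess = true;` followed by `if (!bRunCheckAccess) return;` is now a constant guard, so the two lines are dead code; either remove them or make the switch a real setting (a plugin preference or a constant with a comment) so the access check can be disabled without editing checkAccesses(). The remaining `catch (IOException e) { e.printStackTrace(); }` means a failure while reading or checking the policy silently skips the access check with nothing but console output; since this is a security check, the failure should be surfaced the way the rest of the builder reports problems (a marker on i_policy or the plugin log) so a skipped check is visible. Whether getSystem() or policy.Accept() can still throw a CoreException is not visible here; if they can, the removed catch needs to come back.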
r1878 r1963 56 56 57 57 BaseDomain dom = getCastedItem (); 58 dom. SetRole (m_rolePart.getData ());59 dom. SetType (m_typePart.getData ());58 dom.setRole (m_rolePart.getData ()); 59 dom.setType (m_typePart.getData ()); 60 60 } 61 61 … … 66 66 67 67 BaseDomain dom = getCastedItem (); 68 if (!dom. GetRole ().equals (m_rolePart.getData ()))68 if (!dom.getRole ().equals (m_rolePart.getData ())) 69 69 return true; 70 70 branches/mls/framework-plugin/src/com/tresys/framework/plugin/editor/linkage/BaseDomainRolePart.java
r1878 r1963 17 17 public BaseDomainRolePart (BaseDomain i_dom) 18 18 { 19 super (i_dom, i_dom. GetRole ());19 super (i_dom, i_dom.getRole ()); 20 20 } 21 21 branches/mls/framework-plugin/src/com/tresys/framework/plugin/editor/linkage/FLNKGenerator.java
r1878 r1963 89 89 m_buff.append (i_domain.getType ()); 90 90 m_buff.append (";\n\trole "); 91 m_buff.append (i_domain. GetRole ());91 m_buff.append (i_domain.getRole ()); 92 92 93 93 m_buff.append (";\n}\n"); branches/mls/libselinuxjava-plugin/swig/selinuxswig.i
r1960 r1963 1 %{ 2 /*\ 3 |*| Copyright (C) 2005-2008 Tresys Technology, LLC 4 |*| License: refer to COPYING file for license information. 5 |*| Authors: Brian Williams 6 |*| David Sugar <dsugar@tresys.com> 7 |*| 8 |*| $Rev$ 9 |*| $Date$ 10 \*/ 11 %} 12 1 13 %module selinux 14 2 15 %{ 3 16 #include <selinux/selinux.h> 4 17 #include <string.h> 18 #include <stdio.h> 5 19 #include <sepol/sepol.h> 6 20 #include <sepol/policydb/services.h> … … 13 27 14 28 %include "typemaps.i" 29 15 30 16 31 … … 22 37 int framework_ignore_invalid_con(); 23 38 24 %typemap(newfree) const char * "free($1);"; 39 %typemap(newfree) const char * 40 { 41 if ($1 != NULL) 42 freecon($1); 43 }; 44 25 45 %newobject matchpathconex; 26 const char * matchpathconex(const char *i_sName, int i_nMode);46 const char * matchpathconex(const char *i_sName, int i_nMode); 27 47 28 48 … … 45 65 int rc = matchpathcon(i_sName, i_nMode, &oCon); 46 66 if (rc == 0) 47 { 48 char * result = malloc (strlen (oCon) +1); 49 strncpy (result, oCon, strlen (oCon) +1); 50 freecon(oCon); 51 return result; 52 } 67 return oCon; 53 68 return NULL; 54 69 } 55 70 56 71 %} 72 57 73 58 74 // These constants are pulled from sys/stat.h 59 75 %constant long S_IFDIR = S_IFDIR; 76 77 %typemap(newfree) const char * 78 { 79 free($1); 80 } 60 81 61 82 /* … … 88 109 %typemap(freearg) (signed char *i_pData, int i_nLen) 89 110 { 90 //TODO: do I need to release this data?? It is quite a lot of data!! 
91 // (*jenv)->ReleaseByteArrayElements(jenv, $input, $1, 0); 111 (*jenv)->ReleaseByteArrayElements(jenv, $input, $1, 0); 92 112 } 93 113 94 114 typedef struct policy_file {} policy_file_t; 95 115 116 117 %javaexception("java.lang.OutOfMemoryError") policy_file_t(signed char *i_pData, int i_nLen) 118 //%exception policy_file_t(signed char *i_pData, int i_nLen) 119 { 120 $action 121 if (result == NULL) 122 { 123 jclass clazz = (*jenv)->FindClass(jenv, "java/lang/OutOfMemoryError"); 124 (*jenv)->ThrowNew(jenv, clazz, "Out of memroy"); 125 return $null; 126 } 127 } 128 129 %javaexception("java.io.FileNotFoundException") policy_file_t(char *i_szFilePath) 130 //%exception policy_file_t(char *i_szFilePath) 131 { 132 $action 133 if (result == NULL) 134 { 135 jclass clazz = (*jenv)->FindClass(jenv, "java/io/FileNotFoundException"); 136 (*jenv)->ThrowNew(jenv, clazz, "File not found"); 137 return $null; 138 } 139 } 140 96 141 %extend policy_file_t 97 142 { 98 143 policy_file_t (signed char *i_pData, int i_nLen) 99 // policy_file_t (ByteArrayStruct bas)100 144 { 101 145 policy_file_t *result = malloc(sizeof (policy_file_t)); 146 if (result == NULL) 147 return NULL; 102 148 result->type = PF_USE_MEMORY; 103 149 result->data = (char *) i_pData; … … 107 153 } 108 154 155 policy_file_t (char *i_szFilePath) 156 { 157 policy_file_t *result = malloc(sizeof (policy_file_t)); 158 result->type = PF_USE_STDIO; 159 result->fp = fopen (i_szFilePath, "r"); 160 161 if (result->fp == NULL) 162 { 163 free (result); 164 result = NULL; 165 } 166 167 return result; 168 } 169 109 170 ~policy_file_t() 110 171 { 111 free(self); 112 } 113 114 void setPolicy (signed char *i_pData, int i_nLen) 115 { 116 self->type = PF_USE_MEMORY; 117 self->data = (char *) i_pData; 118 self->len = i_nLen; 172 if (self->type == PF_USE_STDIO && self->fp != NULL) 173 fclose (self->fp); 174 free(self); 119 175 } 120 176 }; … … 168 224 169 225 typedef struct sepol_security_id_t {} sepol_security_id_t; 170 %newobject 
sepol_security_id_t::toString;171 226 172 227 %extend sepol_security_id_t … … 186 241 } 187 242 243 %newobject toString; 188 244 const char *toString () 189 245 { 190 sepol_security_context_t outContext ;246 sepol_security_context_t outContext = NULL; 191 247 size_t outLen; 192 193 // int rc = 194 sepol_sid_to_context(*self, &outContext, &outLen); 195 //printf ("sepol_security_id_t to string len %ld context %s result: %d\n", outLen, outContext, rc); 196 197 char *result = calloc (sizeof (char), outLen + 1); 198 strncpy (result, outContext, outLen); 199 200 //TODO: how do I free the resutling string? 201 //free (&outContext); 202 203 return result; 204 } 205 }; 206 207 typedef struct sepol_access_vector_t { 208 //sepol_security_class_t m_class; 209 } sepol_access_vector_t; 210 211 %extend sepol_access_vector_t 212 { 213 // sepol_security_class_t m_class; 214 215 sepol_access_vector_t(sepol_security_class_t i_class, const char *i_szPerm) 216 { 217 // m_class = i_class; 218 sepol_access_vector_t *result = malloc(sizeof (sepol_access_vector_t)); 219 *result = string_to_av_perm(i_class, i_szPerm); 220 return result; 221 } 222 223 sepol_access_vector_t(sepol_access_vector_t *i_copy) 224 { 225 sepol_access_vector_t *result = malloc(sizeof (sepol_access_vector_t)); 226 *result = *i_copy; 248 char *result = NULL; 249 250 int rc = sepol_sid_to_context(*self, &outContext, &outLen); 251 252 // printf ("sepol_security_id_t to string result: %d", rc); 253 if (rc == 0) 254 { 255 // printf (" len %ld context %s", outLen, outContext); 256 result = calloc (sizeof (char), outLen + 1); 257 strncpy (result, outContext, outLen); 258 259 freecon (outContext); 260 261 } 262 // printf ("\n"); 263 264 return result; 265 } 266 }; 267 268 %{ 269 typedef struct my_sepol_access_vector { 270 sepol_access_vector_t m_vector; 271 sepol_security_class_t m_class; 272 } sepol_access_vector; 273 %} 274 275 typedef struct my_sepol_access_vector {} sepol_access_vector; 276 %extend sepol_access_vector 277 
{ 278 sepol_access_vector(sepol_security_class_t i_class) 279 { 280 sepol_access_vector *result = malloc(sizeof (sepol_access_vector)); 281 result->m_class = i_class; 282 result->m_vector = 0; 283 return result; 284 } 285 286 sepol_access_vector(sepol_security_class_t i_class, const char *i_szPerm) 287 { 288 sepol_access_vector *result = malloc(sizeof (sepol_access_vector)); 289 result->m_class = i_class; 290 result->m_vector = string_to_av_perm(i_class, i_szPerm); 291 return result; 292 } 293 294 sepol_access_vector(sepol_security_class_t i_class, sepol_access_vector_t i_nPerm) 295 { 296 sepol_access_vector *result = malloc(sizeof (sepol_access_vector)); 297 result->m_class = i_class; 298 result->m_vector = i_nPerm; 299 return result; 300 } 301 302 303 sepol_access_vector(sepol_access_vector *i_copy) 304 { 305 sepol_access_vector *result = malloc(sizeof (sepol_access_vector)); 306 memcpy (result, i_copy, sizeof (sepol_access_vector)); 227 307 return result; 228 308 } … … 235 315 int isValid () 236 316 { 237 return *self!= 0;238 } 239 240 sepol_access_vector _t *addPerm (sepol_access_vector_t*i_addMe)241 { 242 *self |= *i_addMe;317 return self->m_vector != 0; 318 } 319 320 sepol_access_vector *addPerm (sepol_access_vector *i_addMe) 321 { 322 self->m_vector |= i_addMe->m_vector; 243 323 return self; 244 324 } 245 246 /* 325 326 sepol_security_class_t getSecurityClass () 327 { 328 return self->m_class; 329 } 330 331 int intValue () 332 { 333 return self->m_vector; 334 } 335 336 %newobject toString; 247 337 const char *toString () 248 338 { 249 return security_av_perm_to_string(m_class, *self); 250 } 251 */ 339 const char *szClass = security_class_to_string (self->m_class); 340 char *szVector = NULL; 341 int rc = security_av_string (self->m_class, self->m_vector, &szVector); 342 343 char *szResult = NULL; 344 if (rc == 0) 345 { 346 const char *szFormat = "%s : %s"; 347 szResult = malloc (strlen (szClass) + strlen (szVector) + strlen(szFormat)); 348 sprintf (szResult, 
szFormat, szClass, szVector); 349 free (szVector); 350 } 351 352 return szResult; 353 } 252 354 }; 253 355 … … 275 377 276 378 277 //int sepol_compute_av_reason(sepol_security_id_t ssid, sepol_security_id_t tsid, sepol_security_class_t tclass, sepol_access_vector_t requested, 278 279 280 typedef struct sepol_decision {} sepol_decision; 281 %extend sepol_decision 282 { 283 sepol_decision(sepol_security_id_t i_ssid, 379 //int sepol_compute_av_reason(sepol_security_id_t ssid, sepol_security_id_t tsid, sepol_security_class_t tclass, sepol_access_vector requested, 380 381 %{ 382 typedef struct my_sepol_access_decision { 383 sepol_access_vector m_vector; 384 sepol_security_id_t m_ssid; 385 sepol_security_id_t m_tsid; 386 sepol_decision m_decision; 387 // sepol_access_vector_t m_vector; 388 // sepol_security_class_t m_class; 389 } sepol_access_decision; 390 %} 391 392 393 typedef struct my_sepol_access_decision {} sepol_access_decision; 394 %extend sepol_access_decision 395 { 396 sepol_access_decision(sepol_security_id_t i_ssid, 284 397 sepol_security_id_t i_tsid, 285 sepol_security_class_t i_tclass, 286 sepol_access_vector_t i_requested) 287 { 288 sepol_decision *result = malloc(sizeof(sepol_decision)); 289 sepol_compute_av(i_ssid, i_tsid, i_tclass, i_requested, result); 398 // sepol_security_class_t i_tclass, 399 sepol_access_vector *i_requested) 400 { 401 sepol_access_decision *result = malloc(sizeof(sepol_access_decision)); 402 result->m_vector = *i_requested; 403 result->m_ssid = i_ssid; 404 result->m_tsid = i_tsid; 405 406 sepol_compute_av(result->m_ssid, result->m_tsid, result->m_vector.m_class, result->m_vector.m_vector, &result->m_decision); 290 407 return result; 291 408 } … … 296 413 } 297 414 298 int getAllowed () 415 //TODO: there should be a better way to call the correct 'new' functions that SWIG generated 416 sepol_access_vector *getAllowed () 299 417 { 300 return self->allowed; 301 } 302 303 }; 418 return 
new_sepol_access_vector__SWIG_2(self->m_vector.m_class, self->m_decision.allowed); 419 } 420 421 sepol_access_vector *getDenyed () 422 { 423 return new_sepol_access_vector__SWIG_2(self->m_vector.m_class, self->m_decision.decided); 424 } 425 426 sepol_access_vector *getAuditAllowed () 427 { 428 return new_sepol_access_vector__SWIG_2(self->m_vector.m_class, self->m_decision.auditallow); 429 } 430 431 sepol_access_vector *getAuditDenyed () 432 { 433 return new_sepol_access_vector__SWIG_2(self->m_vector.m_class, self->m_decision.auditdeny); 434 } 435 };
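Review bot: The in-memory policy_file_t constructor keeps the raw JNI buffer (`result->data = (char *) i_pData;`) while the freearg typemap now calls `(*jenv)->ReleaseByteArrayElements(jenv, $input, $1, 0);` as soon as the constructor returns, so the policy_file_t holds a dangling pointer and a policydb_t built from it later may read released memory; the constructor should copy the bytes into memory it owns and the destructor should free them, as in the rewrite below. The file-path constructor dereferences `malloc` without the NULL check the byte-array constructor got (`result->type = PF_USE_STDIO;` runs unconditionally). getDenyed() wraps `self->m_decision.decided`, which in libsepol is the set of permissions a decision was reached for, not the denied set, so callers will over-report denials; either rename it or return `decided & ~allowed`. The exception message `"Out of memroy"` is misspelled.
```c
policy_file_t (signed char *i_pData, int i_nLen)
{
    if (i_nLen < 0)
        return NULL;
    policy_file_t *result = malloc(sizeof (policy_file_t));
    if (result == NULL)
        return NULL;
    /* i_pData is released by the freearg typemap when this call returns,
       so keep a private copy that lives as long as the policy_file_t. */
    result->data = malloc(i_nLen);
    if (result->data == NULL)
    {
        free(result);
        return NULL;
    }
    memcpy(result->data, i_pData, i_nLen);
    result->type = PF_USE_MEMORY;
    result->len = i_nLen;
    /* … unchanged: return result … */
}

~policy_file_t()
{
    if (self->type == PF_USE_STDIO && self->fp != NULL)
        fclose (self->fp);
    else if (self->type == PF_USE_MEMORY)
        free (self->data);
    free(self);
}
```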
