sefs_filesystem Class Reference

#include <filesystem.hh>

Inherits sefs_fclist.

Detailed Description

This class represents the SELinux file contexts on a local on-disk filesystem.

Be aware that the object will recurse beginning from the root directory, so if there are circular mounts (e.g., via something mounted with the 'bind' option) then queries against the filesystem will never terminate.

Definition at line 49 of file filesystem.hh.


Public Member Functions

 sefs_filesystem (const char *new_root, sefs_callback_fn_t msg_callback, void *varg) throw (std::bad_alloc, std::invalid_argument, std::runtime_error)
 Allocate and return a new sefs filesystem structure representing the filesystem rooted at directory new_root.
 ~sefs_filesystem ()
int runQueryMap (sefs_query *query, sefs_fclist_map_fn_t fn, void *data) throw (std::runtime_error, std::invalid_argument)
 Perform a sefs query on the given file context list object, and then invoke a callback upon each matching entry.
bool isMLS () const
 Determine if the contexts stored in this filesystem contain MLS fields.
const char * root () const
 Get the root directory of a sefs filesystem structure.
const char * getDevName (const dev_t dev) throw (std::runtime_error)
 Look up the given device number on the currently running system, and convert it to its device name.
apol_vector_t * runQuery (sefs_query *query) throw (std::bad_alloc, std::runtime_error, std::invalid_argument)
 Perform a sefs query on the given file context list object and return a list of matching entries.
void associatePolicy (apol_policy_t *new_policy)
 Associate a policy with the fclist.
apol_policy_t * associatePolicy () const
 Return the policy currently associated with this fclist.
sefs_fclist_type_e fclist_type () const
 Get the type of fclist object represented by fclist.

Protected Member Functions

sefs_context_node * getContext (const char *user, const char *role, const char *type, const char *range) throw (std::bad_alloc)
 Given the parts of a context, return a context node (which would contain an apol_context_t).
sefs_context_node * getContext (const security_context_t scon) throw (std::bad_alloc)
 Given a SELinux security context, return a context node (which would contain an apol_context_t).

Protected Attributes

apol_policy_t * policy
apol_bst_t * user_tree
apol_bst_t * role_tree
apol_bst_t * type_tree
apol_bst_t * range_tree
apol_bst_t * path_tree
apol_bst_t * dev_tree
apol_bst_t * context_tree

Private Member Functions

apol_vector_t * buildDevMap (void) throw (std::runtime_error)
 For each entry in /etc/mtab, record the device number and the name of the mounted file system.
bool isQueryMatch (const sefs_query *query, const char *path, const char *dev, const struct stat64 *sb, apol_vector_t *type_list, apol_mls_range_t *range) throw (std::runtime_error)
sefs_entry * getEntry (const struct sefs_context_node *context, uint32_t objectClass, const char *path, ino64_t ino, const char *dev_name) throw (std::bad_alloc)

Private Attributes

char * _root
bool _rw
bool _mls

Friends

struct sefs_context_node * filesystem_get_context (sefs_filesystem *, security_context_t) throw (std::bad_alloc)
sefs_entry * filesystem_get_entry (sefs_filesystem *, const struct sefs_context_node *, uint32_t, const char *, ino64_t, const char *) throw (std::bad_alloc)
bool filesystem_is_query_match (sefs_filesystem *, const sefs_query *, const char *, const char *, const struct stat64 *, apol_vector_t *, apol_mls_range_t *) throw (std::runtime_error)

Constructor & Destructor Documentation

sefs_filesystem::sefs_filesystem (const char * new_root, sefs_callback_fn_t msg_callback, void * varg) throw (std::bad_alloc, std::invalid_argument, std::runtime_error)

Allocate and return a new sefs filesystem structure representing the filesystem rooted at directory new_root.

Be aware that the constructor is not thread-safe.

Parameters:
new_root Directory to use as the root of the filesystem. This object represents this directory and all subdirectories, including other mounted filesystems.
msg_callback Callback to invoke as errors/warnings are generated. If NULL, write messages to standard error.
varg Value to be passed as the first parameter to the callback function.
Exceptions:
bad_alloc Out of memory.
invalid_argument Root directory does not exist.
runtime_error Could not open root directory or /etc/mtab.

Definition at line 158 of file filesystem.cc.

References filesystem_lgetfilecon(), and SEFS_ERR.

00158 sefs_filesystem::sefs_filesystem(const char *new_root, sefs_callback_fn_t msg_callback, void *varg) throw(std::bad_alloc, std::invalid_argument, std::runtime_error):sefs_fclist(SEFS_FCLIST_TYPE_FILESYSTEM,
00159             msg_callback,
00160             varg)
00161 {
00162         if (new_root == NULL)
00163         {
00164                 SEFS_ERR(this, "%s", strerror(EINVAL));
00165                 errno = EINVAL;
00166                 throw std::invalid_argument(strerror(EINVAL));
00167         }
00168         _root = NULL;
00169         _mls = false;
00170         try
00171         {
00172                 // check that root exists and is a directory; a failed
00172                 // stat64() must short-circuit before sb is examined
00173                 struct stat64 sb;
00174                 if (stat64(new_root, &sb) != 0 || !S_ISDIR(sb.st_mode))
00175                 {
00176                         SEFS_ERR(this, "%s", strerror(EINVAL));
00177                         errno = EINVAL;
00178                         throw std::invalid_argument(strerror(EINVAL));
00179                 }
00180 
00181                 // determine if filesystem is MLS or not
00182                 security_context_t scon;
00183                 if (filesystem_lgetfilecon(new_root, &scon) < 0)
00184                 {
00185                         SEFS_ERR(this, "Could not read SELinux file context for %s.", new_root);
00186                         throw std::runtime_error(strerror(errno));
00187                 }
00188                 context_t con;
00189                 if ((con = context_new(scon)) == 0)
00190                 {
00191                         SEFS_ERR(this, "%s", strerror(errno));
00192                         freecon(scon);
00193                         throw std::runtime_error(strerror(errno));
00194                 }
00195                 freecon(scon);
00196                 const char *range = context_range_get(con);
00197                 if (range != NULL && range[0] != '\0')
00198                 {
00199                         _mls = true;
00200                 }
00201                 context_free(con);
00202 
00203                 if ((_root = strdup(new_root)) == NULL)
00204                 {
00205                         SEFS_ERR(this, "%s", strerror(errno));
00206                         throw std::bad_alloc();
00207                 }
00208         }
00209         catch(...)
00210         {
00211                 free(_root);
00212                 throw;
00213         }
00214 }

sefs_filesystem::~sefs_filesystem ()

Definition at line 216 of file filesystem.cc.

References _root.

00217 {
00218         free(_root);
00219 }


Member Function Documentation

int sefs_filesystem::runQueryMap (sefs_query * query, sefs_fclist_map_fn_t fn, void * data) throw (std::runtime_error, std::invalid_argument) [virtual]

Perform a sefs query on the given file context list object, and then invoke a callback upon each matching entry.

Mapping occurs in the order of entries as specified by the file context list.

Parameters:
query Query object containing search parameters. If NULL, invoke the callback on all entries.
fn Function to invoke upon matching entries. This function will be called with three parameters: a pointer to this fclist, a pointer to a matching entry, and an arbitrary data pointer. It should return a non-negative value upon success, or a negative value upon error and to abort the mapping. Be aware that the entry may go out of scope upon conclusion of runQueryMap(), so fn will need to clone the entry if it needs it later. This function must not throw any exceptions; doing so will most likely corrupt the fclist's internal state. Instead, return a negative value to abort processing.
data Arbitrary pointer to be passed into fn as its third parameter.
Returns:
Last value returned by fn() (i.e., >= 0 on success, < 0 on failure). If the fclist has no entries then return 0.
Exceptions:
std::runtime_error Error while reading contexts from the fclist.
std::invalid_argument One or more query arguments is invalid.

Implements sefs_fclist.

Definition at line 383 of file filesystem.cc.

References filesystem_ftw_struct::aborted, apol_mls_range_create_from_string(), apol_mls_range_destroy(), apol_vector_destroy(), filesystem_ftw_struct::data, filesystem_ftw_struct::dev_map, filesystem_ftw_handler(), filesystem_ftw_struct::fn, filesystem_ftw_struct::fs, filesystem_ftw_struct::query, query_create_candidate_type(), filesystem_ftw_struct::range, filesystem_ftw_struct::retval, SEFS_ERR, and filesystem_ftw_struct::type_list.

00385 {
00386         struct filesystem_ftw_struct s;
00387         s.dev_map = NULL;
00388         s.type_list = NULL;
00389         s.range = NULL;
00390         try
00391         {
00392                 s.dev_map = buildDevMap();
00393                 if (query != NULL)
00394                 {
00395                         query->compile();
00396                         if (policy != NULL)
00397                         {
00398                                 if (query->_type != NULL && query->_indirect &&
00399                                     (s.type_list =
00400                                      query_create_candidate_type(policy, query->_type, query->_retype, query->_regex,
00401                                                                  query->_indirect)) == NULL)
00402                                 {
00403                                         SEFS_ERR(this, "%s", strerror(errno));
00404                                         throw std::runtime_error(strerror(errno));
00405                                 }
00406                                 if (query->_range != NULL && query->_rangeMatch != 0 &&
00407                                     (s.range = apol_mls_range_create_from_string(policy, query->_range)) == NULL)
00408                                 {
00409                                         SEFS_ERR(this, "%s", strerror(errno));
00410                                         throw std::runtime_error(strerror(errno));
00411                                 }
00412                         }
00413                 }
00414         }
00415         catch(...)
00416         {
00417                 apol_vector_destroy(&s.dev_map);
00418                 apol_vector_destroy(&s.type_list);
00419                 apol_mls_range_destroy(&s.range);
00420                 throw;
00421         }
00422         s.fs = this;
00423         s.query = query;
00424         s.fn = fn;
00425         s.data = data;
00426         s.aborted = false;
00427         s.retval = 0;
00428 
00429         int retval = new_nftw64(_root, filesystem_ftw_handler, 1024, 0, &s);
00430         apol_vector_destroy(&s.dev_map);
00431         apol_vector_destroy(&s.type_list);
00432         apol_mls_range_destroy(&s.range);
00433         if (retval != 0 && !s.aborted)
00434         {
00435                 // error was generated by new_nftw64() itself, not
00436                 // from callback
00437                 return retval;
00438         }
00439         return s.retval;
00440 }
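
The class description above warns that the walk started by runQueryMap() (the new_nftw64() call, whose flags argument of 0 is assumed here to mean symbolic links are followed, as with nftw() without FTW_PHYS) recurses beneath the root and never terminates across circular mounts. The following added example, which is not libsefs code, shows the guard a caller can apply when walking a tree itself: it records the (st_dev, st_ino) identity of every directory it enters and declines to enter one twice. Because creating a bind mount needs privileges, the fixture uses a symlink back to an ancestor directory, which a link-following walk treats the same way. All names in it (walk_unique, make_loop_fixture, remove_fixture, walk_fixture, reached_suffix) are the example's own.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <dirent.h>
#include <set>
#include <string>
#include <sys/stat.h>
#include <unistd.h>
#include <utility>
#include <vector>

typedef std::pair<dev_t, ino_t> dir_id;   // identity of a directory: (st_dev, st_ino)

// Recursive walk that follows symlinks (stat(), as nftw() does without
// FTW_PHYS) but enters each directory identity once. Appends every path
// reached to out; returns false if some directory could not be read.
static bool walk_guarded(const std::string &path, std::set<dir_id> &seen, std::vector<std::string> &out)
{
	struct stat sb;
	if (stat(path.c_str(), &sb) != 0) return false;
	out.push_back(path);
	if (!S_ISDIR(sb.st_mode)) return true;
	// The cycle guard: a directory already walked is reported but not re-entered.
	if (!seen.insert(dir_id(sb.st_dev, sb.st_ino)).second) return true;
	DIR *d = opendir(path.c_str());
	if (d == NULL) return false;
	bool ok = true;
	for (struct dirent *de = readdir(d); de != NULL; de = readdir(d)) {
		if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0) continue;
		if (!walk_guarded(path + "/" + de->d_name, seen, out)) ok = false;
	}
	closedir(d);
	return ok;
}

std::vector<std::string> walk_unique(const std::string &root)
{
	std::set<dir_id> seen;
	std::vector<std::string> out;
	walk_guarded(root, seen, out);
	return out;
}

// Constructed fixture under /tmp: root/a/f (a file) and root/a/b/loop, a
// symlink back to root that stands in for a bind mount of root inside itself.
std::string make_loop_fixture()
{
	char tmpl[] = "/tmp/sefs_walk_XXXXXX";
	if (mkdtemp(tmpl) == NULL) return std::string();
	std::string r(tmpl);
	mkdir((r + "/a").c_str(), 0700);
	mkdir((r + "/a/b").c_str(), 0700);
	symlink("../..", (r + "/a/b/loop").c_str());
	FILE *f = fopen((r + "/a/f").c_str(), "w");
	if (f != NULL) fclose(f);
	return r;
}

// Remove the fixture; lstat() so the loop symlink is unlinked, never followed.
void remove_fixture(const std::string &path)
{
	struct stat sb;
	if (lstat(path.c_str(), &sb) != 0) return;
	if (!S_ISDIR(sb.st_mode)) { unlink(path.c_str()); return; }
	std::vector<std::string> names;
	DIR *d = opendir(path.c_str());
	if (d != NULL) {
		for (struct dirent *de = readdir(d); de != NULL; de = readdir(d))
			if (strcmp(de->d_name, ".") != 0 && strcmp(de->d_name, "..") != 0) names.push_back(de->d_name);
		closedir(d);
	}
	for (size_t i = 0; i < names.size(); i++) remove_fixture(path + "/" + names[i]);
	rmdir(path.c_str());
}

// Build the fixture, walk it, clean up, and return the paths reached.
std::vector<std::string> walk_fixture()
{
	std::string root = make_loop_fixture();
	std::vector<std::string> v = walk_unique(root);
	remove_fixture(root);
	return v;
}

// True if some reached path ends with suffix.
bool reached_suffix(const std::vector<std::string> &v, const std::string &suffix)
{
	for (size_t i = 0; i < v.size(); i++)
		if (v[i].size() >= suffix.size() && v[i].compare(v[i].size() - suffix.size(), suffix.size(), suffix) == 0)
			return true;
	return false;
}

int main()
{
	std::vector<std::string> v = walk_fixture();
	for (size_t i = 0; i < v.size(); i++) printf("%s\n", v[i].c_str());
	return 0;
}
```

Run as-is, it prints five paths: the root, a, a/b, the loop entry and the file f. The loop entry appears once and nothing beneath it is listed, because the directory it resolves to is already in the visited set; without the guard the walk would descend through the link again on every pass.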

bool sefs_filesystem::isMLS () const [virtual]

Determine if the contexts stored in this filesystem contain MLS fields.

Returns:
true if MLS fields are present, false if not or undeterminable.

Implements sefs_fclist.

Definition at line 442 of file filesystem.cc.

00443 {
00444         return _mls;
00445 }

const char * sefs_filesystem::root () const

Get the root directory of a sefs filesystem structure.

Returns:
The root directory of the filesystem or NULL on error. Do not free() this string.

Definition at line 447 of file filesystem.cc.

Referenced by sefs_filesystem_get_root().

00448 {
00449         return _root;
00450 }

const char * sefs_filesystem::getDevName (const dev_t dev) throw (std::runtime_error)

Look up the given device number on the currently running system, and convert it to its device name.

Parameters:
dev Device number to look up.
Returns:
Name of the device, or NULL if the device number was not found. Do not free() this pointer.
Exceptions:
std::runtime_error Error while querying system.

Definition at line 465 of file filesystem.cc.

References apol_vector_destroy(), apol_vector_get_element(), apol_vector_get_index(), apol_vector_t, filesystem_dev::dev_name, and filesystem_dev_cmp().

Referenced by sefs_filesystem_get_dev_name().

00466 {
00467         apol_vector_t *dev_map = buildDevMap();
00468         size_t i;
00469         void *devp = const_cast < dev_t * >(&dev);
00470         int rc = apol_vector_get_index(dev_map, NULL, filesystem_dev_cmp, devp, &i);
00471         if (rc < 0)
00472         {
00473                 apol_vector_destroy(&dev_map);
00474                 return NULL;
00475         }
00476         struct filesystem_dev *d = static_cast < struct filesystem_dev *>(apol_vector_get_element(dev_map, i));
00477         const char *dev_name = d->dev_name;     // this is pointing into this->_dev_tree
00478         apol_vector_destroy(&dev_map);
00479         return dev_name;
00480 }

apol_vector_t * sefs_filesystem::buildDevMap (void) throw (std::runtime_error) [private]

For each entry in /etc/mtab, record the device number and the name of the mounted file system.

This provides the mapping between a device number and its source device.

Returns:
Vector of filesystem_dev entries. The caller must call apol_vector_destroy() upon the vector afterwards.
Exceptions:
std::runtime_error If space could not be allocated, /etc/mtab could not be opened, or the mtab file could not be parsed.

Definition at line 492 of file filesystem.cc.

References apol_bst_insert_and_get(), apol_vector_append(), apol_vector_create(), apol_vector_destroy(), apol_vector_t, filesystem_dev_free(), and SEFS_ERR.

00493 {
00494         apol_vector_t *dev_map;
00495         if ((dev_map = apol_vector_create(filesystem_dev_free)) == NULL)
00496         {
00497                 SEFS_ERR(this, "%s", strerror(errno));
00498                 throw std::runtime_error(strerror(errno));
00499         }
00500         FILE *f = NULL;
00501         try
00502         {
00503                 if ((f = fopen("/etc/mtab", "r")) == NULL)
00504                 {
00505                         SEFS_ERR(this, "%s", strerror(errno));
00506                         throw std::runtime_error(strerror(errno));
00507                 }
00508                 char buf[256];
00509                 struct mntent mntbuf;
00510                 while (getmntent_r(f, &mntbuf, buf, 256) != NULL)
00511                 {
00512                         struct stat sb;
00513                         if (stat(mntbuf.mnt_dir, &sb) == -1)
00514                         {
00515                                 // could not open this device, so skip
00516                                 // it (and hope it won't be examined
00517                                 // during runQuery())
00518                                 continue;
00519                         }
00520                         else
00521                         {
00522                                 struct filesystem_dev *d = static_cast < struct filesystem_dev *>(calloc(1, sizeof(*d)));
00523                                 if (d == NULL)
00524                                 {
00525                                         SEFS_ERR(this, "%s", strerror(errno));
00526                                         throw std::runtime_error(strerror(errno));
00527                                 }
00528                                 if (apol_vector_append(dev_map, d) < 0)
00529                                 {
00530                                         SEFS_ERR(this, "%s", strerror(errno));
00531                                         filesystem_dev_free(d);
00532                                         throw std::runtime_error(strerror(errno));
00533                                 }
00534                                 d->dev = sb.st_dev;
00535                                 char *mnt_fsname = strdup(mntbuf.mnt_fsname);
00536                                 if (mnt_fsname == NULL)
00537                                 {
00538                                         SEFS_ERR(this, "%s", strerror(errno));
00539                                         throw std::runtime_error(strerror(errno));
00540                                 }
00541                                 if (apol_bst_insert_and_get(dev_tree, (void **)&mnt_fsname, NULL) < 0)
00542                                 {
00543                                         SEFS_ERR(this, "%s", strerror(errno));
00544                                         free(mnt_fsname);
00545                                         throw std::runtime_error(strerror(errno));
00546                                 }
00547                                 d->dev_name = mnt_fsname;
00548                         }
00549                 }
00550         }
00551         catch(...)
00552         {
00553                 apol_vector_destroy(&dev_map);
00554                 if (f != NULL)
00555                 {
00556                         fclose(f);
00557                 }
00558                 throw;
00559         }
00560         fclose(f);
00561         return dev_map;
00562 }
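
The following added example (not libsefs code) performs the two steps buildDevMap() and getDevName() carry out, on a constructed mtab text instead of /etc/mtab: parse each line into its source device and mount point, resolve the mount point to a device number, and look a device number up afterwards. Two details a caller of this API should know are made explicit: mtab stores a space inside a name as the octal escape \040, which getmntent_r() decodes for libsefs and which a hand-written parser must decode itself; and a bind mount shares the st_dev of its source filesystem, so the first mtab entry for a number is the one reported. The stat() step is replaced by a caller-supplied resolver (fake_resolve) so that the code runs offline; all function and sample names are the example's own.

```cpp
#include <cstddef>
#include <cstdio>
#include <map>
#include <sstream>
#include <string>
#include <sys/types.h>
#include <vector>

// mtab (like /proc/mounts) writes space, tab, newline and backslash inside
// names as \ooo octal escapes, e.g. "\040" for a space; undo that first.
std::string mtab_unescape(const std::string &s)
{
	std::string out;
	for (size_t i = 0; i < s.size(); i++) {
		bool esc = s[i] == '\\' && i + 3 < s.size();
		for (size_t k = 1; esc && k <= 3; k++)
			esc = s[i + k] >= '0' && s[i + k] <= '7';
		if (esc) {
			out += static_cast<char>((s[i + 1] - '0') * 64 + (s[i + 2] - '0') * 8 + (s[i + 3] - '0'));
			i += 3;
		} else {
			out += s[i];
		}
	}
	return out;
}

struct MountEntry { std::string fsname, dir, type; };

// Parse mtab text: one "fsname dir type opts freq passno" line per mount.
std::vector<MountEntry> parse_mtab(const std::string &text)
{
	std::vector<MountEntry> v;
	std::istringstream in(text);
	std::string line;
	while (std::getline(in, line)) {
		std::istringstream f(line);
		MountEntry m;
		if (!(f >> m.fsname >> m.dir >> m.type) || m.fsname[0] == '#') continue;
		m.fsname = mtab_unescape(m.fsname);
		m.dir = mtab_unescape(m.dir);
		v.push_back(m);
	}
	return v;
}

// The mount point -> st_dev step. libsefs does this with stat(); the caller
// supplies it here so the example runs offline.
typedef bool (*dev_resolver)(const std::string &dir, dev_t &dev);

// Device number -> source device. As in buildDevMap()/getDevName(), a mount
// point that cannot be resolved is skipped, and the first mtab entry for a
// device number wins (a bind mount shares the st_dev of its source).
std::map<dev_t, std::string> build_dev_map(const std::vector<MountEntry> &mounts, dev_resolver resolve)
{
	std::map<dev_t, std::string> m;
	for (size_t i = 0; i < mounts.size(); i++) {
		dev_t d;
		if (resolve(mounts[i].dir, d) && m.count(d) == 0) m[d] = mounts[i].fsname;
	}
	return m;
}

// Same contract as getDevName(): NULL when unknown; the pointer is owned by the map.
const char *dev_name(const std::map<dev_t, std::string> &m, dev_t dev)
{
	std::map<dev_t, std::string>::const_iterator it = m.find(dev);
	return it == m.end() ? NULL : it->second.c_str();
}

// Constructed mtab text; "\\040" in the C literal is "\040" in the file.
const char *SAMPLE_MTAB =
	"/dev/sda1 / ext4 rw,relatime 0 0\n"
	"proc /proc proc rw,nosuid,nodev,noexec 0 0\n"
	"/dev/sdb1 /mnt/usb\\040stick vfat rw 0 0\n"
	"/dev/sda1 /mnt/bind ext4 rw,bind 0 0\n"
	"/dev/sdc1 /mnt/gone ext4 rw 0 0\n";

// Constructed stand-in for stat(): fixed device numbers per mount point;
// /mnt/gone plays a mount point that cannot be stat()ed.
bool fake_resolve(const std::string &dir, dev_t &dev)
{
	if (dir == "/" || dir == "/mnt/bind") { dev = 2049; return true; }
	if (dir == "/proc") { dev = 4; return true; }
	if (dir == "/mnt/usb stick") { dev = 2065; return true; }
	return false;
}

// Resolve one device number against the sample table ("" when unknown).
std::string name_of(dev_t dev)
{
	std::map<dev_t, std::string> m = build_dev_map(parse_mtab(SAMPLE_MTAB), fake_resolve);
	const char *n = dev_name(m, dev);
	return n == NULL ? std::string() : std::string(n);
}

int main()
{
	printf("st_dev 2065 -> %s\n", name_of(2065).c_str());
	return 0;
}
```

The table ends up with three entries out of five mtab lines: the bind mount collapses onto the root filesystem's number, and the unresolvable mount point is dropped, exactly the situation the comment in buildDevMap() ("hope it won't be examined during runQuery()") refers to.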

bool sefs_filesystem::isQueryMatch (const sefs_query * query, const char * path, const char * dev, const struct stat64 * sb, apol_vector_t * type_list, apol_mls_range_t * range) throw (std::runtime_error) [private]

Definition at line 564 of file filesystem.cc.

References apol_mls_range_compare(), apol_mls_range_create_from_string(), apol_mls_range_destroy(), apol_mls_range_t, apol_str_strcmp(), apol_vector_get_index(), apol_vector_t, filesystem_lgetfilecon(), filesystem_stat_to_objclass(), query_str_compare(), and SEFS_ERR.

00566 {
00567         if (query == NULL)
00568         {
00569                 return true;
00570         }
00571         security_context_t scon;
00572         if (filesystem_lgetfilecon(path, &scon) < 0)
00573         {
00574                 SEFS_ERR(this, "%s", strerror(errno));
00575                 throw std::runtime_error(strerror(errno));
00576         }
00577         context_t con;
00578         if ((con = context_new(scon)) == 0)
00579         {
00580                 SEFS_ERR(this, "%s", strerror(errno));
00581                 freecon(scon);
00582                 throw std::runtime_error(strerror(errno));
00583         }
00584         freecon(scon);
00585 
00586         if (!query_str_compare(context_user_get(con), query->_user, query->_reuser, query->_regex))
00587         {
00588                 context_free(con);
00589                 return false;
00590         }
00591         if (!query_str_compare(context_role_get(con), query->_role, query->_rerole, query->_regex))
00592         {
00593                 context_free(con);
00594                 return false;
00595         }
00596 
00597         bool str_matched = false, pol_matched = false;
00598         str_matched = query_str_compare(context_type_get(con), query->_type, query->_retype, query->_regex);
00599         if (type_list != NULL && !str_matched)
00600         {
00601                 size_t index;
00602                 pol_matched = (apol_vector_get_index(type_list, context_type_get(con), apol_str_strcmp, NULL, &index) == 0);   // 0 means the type is in the candidate list
00603         }
00604         if (!str_matched && !pol_matched)
00605         {
00606                 context_free(con);
00607                 return false;
00608         }
00609 
00610         if (isMLS())
00611         {
00612                 if (range == NULL)
00613                 {
00614                         if (!query_str_compare(context_range_get(con), query->_range, query->_rerange, query->_regex))
00615                         {
00616                                 context_free(con);
00617                                 return false;
00618                         }
00619                 }
00620                 else
00621                 {
00622                         assert(policy != NULL);
00623                         apol_mls_range_t *context_range = apol_mls_range_create_from_string(policy, context_range_get(con));
00624                         if (context_range == NULL)
00625                         {
00626                                 SEFS_ERR(this, "%s", strerror(errno));
00627                                 context_free(con);
00628                                 throw std::runtime_error(strerror(errno));
00629                         }
00630                         int ret;
00631                         ret = apol_mls_range_compare(policy, range, context_range, query->_rangeMatch);
00632                         apol_mls_range_destroy(&context_range);
00633                         if (ret <= 0)
00634                         {
00635                                 context_free(con);
00636                                 return false;
00637                         }
00638                 }
00639         }
00640 
00641         context_free(con);
00642 
00643         if (query->_objclass != 0 && query->_objclass != filesystem_stat_to_objclass(sb))
00644         {
00645                 return false;
00646         }
00647 
00648         if (!query_str_compare(path, query->_path, query->_repath, query->_regex))
00649         {
00650                 return false;
00651         }
00652 
00653         if (query->_inode != 0 && query->_inode != sb->st_ino)
00654         {
00655                 return false;
00656         }
00657 
00658         if (!query_str_compare(dev, query->_dev, query->_redev, query->_regex))
00659         {
00660                 return false;
00661         }
00662 
00663         return true;
00664 }
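
As an added example (not libsefs code), the following reproduces the order of checks isQueryMatch() makes, on a small constructed set of entries: user, role, type (a direct match, or membership in the candidate list an indirect type query produces), the MLS range only when the list is MLS, then object class, path, inode and device. Only the string-comparison branch of the range check is modelled; the policy-based apol_mls_range_compare() branch is not. The context parser splits at the first three colons, as context_new() does, so a range such as s0-s0:c0.c1023 survives intact. The struct names, the attribute name etcfile, the class code CLASS_FILE and every sample context, path and inode number are constructed for the example.

```cpp
#include <cstddef>
#include <cstdio>
#include <regex>
#include <set>
#include <string>
#include <vector>

struct Context { std::string user, role, type, range; };

// Split "user:role:type[:range]" at the first three colons only, as
// context_new() does; the range itself may contain colons.
bool parse_context(const std::string &s, Context &c)
{
	std::string::size_type p1 = s.find(':');
	std::string::size_type p2 = (p1 == std::string::npos) ? p1 : s.find(':', p1 + 1);
	if (p2 == std::string::npos) return false;   // fewer than three fields
	std::string::size_type p3 = s.find(':', p2 + 1);
	c.user = s.substr(0, p1);
	c.role = s.substr(p1 + 1, p2 - p1 - 1);
	c.type = (p3 == std::string::npos) ? s.substr(p2 + 1) : s.substr(p2 + 1, p3 - p2 - 1);
	c.range = (p3 == std::string::npos) ? std::string() : s.substr(p3 + 1);
	return true;
}

// Mirrors the sefs_query fields isQueryMatch() reads; an empty string means
// "no constraint", as a NULL field does in libsefs.
struct Query {
	std::string user, role, type, range, path, dev;
	bool regex;                       // compare string fields as regexes
	std::set<std::string> type_list;  // candidates from an indirect type query
	unsigned objclass;                // 0: any class
	unsigned long inode;              // 0: any inode
	Query() : regex(false), objclass(0), inode(0) {}
};

// Stand-in for query_str_compare().
static bool str_compare(const std::string &actual, const std::string &wanted, bool regex)
{
	if (wanted.empty()) return true;
	return regex ? std::regex_search(actual, std::regex(wanted)) : actual == wanted;
}

// One on-disk object as the walk presents it to isQueryMatch().
struct Entry { std::string context, path, dev; unsigned objclass; unsigned long inode; };
const unsigned CLASS_FILE = 1;   // constructed stand-in for the real object class code

// Same order of checks as isQueryMatch().
bool query_match(const Query *q, const Entry &e, bool is_mls)
{
	if (q == NULL) return true;                 // NULL query matches every entry
	Context c;
	if (!parse_context(e.context, c)) return false;
	if (!str_compare(c.user, q->user, q->regex)) return false;
	if (!str_compare(c.role, q->role, q->regex)) return false;
	bool str_matched = str_compare(c.type, q->type, q->regex);
	bool pol_matched = !str_matched && q->type_list.count(c.type) > 0;
	if (!str_matched && !pol_matched) return false;
	if (is_mls && !str_compare(c.range, q->range, q->regex)) return false;   // string branch only
	if (q->objclass != 0 && q->objclass != e.objclass) return false;
	if (!str_compare(e.path, q->path, q->regex)) return false;
	if (q->inode != 0 && q->inode != e.inode) return false;
	return str_compare(e.dev, q->dev, q->regex);
}

// Constructed sample entries (contexts, paths and inode numbers are made up).
std::vector<Entry> sample_entries()
{
	const char *rows[4][2] = {
		{"system_u:object_r:etc_t:s0", "/etc/passwd"},
		{"system_u:object_r:etc_runtime_t:s0", "/etc/mtab"},
		{"system_u:object_r:shadow_t:s0", "/etc/shadow"},
		{"system_u:object_r:etc_t:s0-s0:c0.c1023", "/etc/hosts"},
	};
	std::vector<Entry> v;
	for (int i = 0; i < 4; i++) {
		Entry e = {rows[i][0], rows[i][1], "/dev/sda1", CLASS_FILE, 1001UL + i};
		v.push_back(e);
	}
	return v;
}

// Indirect query: "etcfile" stands for a (hypothetical) attribute name that
// query_create_candidate_type() expanded to {etc_t, etc_runtime_t}.
const Query *indirect_etc_query()
{
	static Query q;
	if (q.type.empty()) {
		q.type = "etcfile";
		q.type_list.insert("etc_t");
		q.type_list.insert("etc_runtime_t");
		q.path = "^/etc/";
		q.regex = true;
	}
	return &q;
}

// Direct type plus an exact MLS range.
const Query *mls_range_query()
{
	static Query q;
	if (q.type.empty()) { q.type = "etc_t"; q.range = "s0-s0:c0.c1023"; }
	return &q;
}

// Paths of the sample entries that satisfy q, in entry order.
std::vector<std::string> matching_paths(const Query *q, bool is_mls)
{
	std::vector<Entry> entries = sample_entries();
	std::vector<std::string> out;
	for (size_t i = 0; i < entries.size(); i++)
		if (query_match(q, entries[i], is_mls)) out.push_back(entries[i].path);
	return out;
}

int main()
{
	std::vector<std::string> m = matching_paths(indirect_etc_query(), true);
	for (size_t i = 0; i < m.size(); i++) printf("%s\n", m[i].c_str());
	return 0;
}
```

Two behaviours worth noticing: the indirect query never matches a type by name (the attribute name is not a type), so every hit comes through the candidate list; and the same range query matches one entry against an MLS list but two against a non-MLS list, because the range field is simply not consulted when isMLS() is false.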

sefs_entry * sefs_filesystem::getEntry (const struct sefs_context_node * context, uint32_t objectClass, const char * path, ino64_t ino, const char * dev_name) throw (std::bad_alloc) [private]

Definition at line 666 of file filesystem.cc.

References sefs_entry::_dev, sefs_entry::_inode, apol_bst_insert_and_get(), and SEFS_ERR.

00668 {
00669         char *s = strdup(path);
00670         if (s == NULL)
00671         {
00672                 SEFS_ERR(this, "%s", strerror(errno));
00673                 throw std::bad_alloc();
00674         }
00675         if (apol_bst_insert_and_get(path_tree, (void **)&s, NULL) < 0)
00676         {
00677                 SEFS_ERR(this, "%s", strerror(errno));
00678                 free(s);
00679                 throw std::bad_alloc();
00680         }
00681         sefs_entry *e = new sefs_entry(this, context, objectClass, s);
00682         e->_inode = ino;
00683         e->_dev = dev_name;
00684         return e;
00685 }

apol_vector_t * sefs_fclist::runQuery (sefs_query * query) throw (std::bad_alloc, std::runtime_error, std::invalid_argument) [inherited]

Perform a sefs query on the given file context list object and return a list of matching entries.

Parameters:
query Query object containing search parameters. If NULL, return all contexts.
Returns:
A newly allocated unsorted vector (of class sefs_entry *) containing all entries matching the query. Do not modify the returned entries. Note that the vector may be empty. The caller is responsible for calling apol_vector_destroy() on the returned vector.
Exceptions:
std::bad_alloc Out of memory.
std::runtime_error Error while reading contexts from the fclist.
std::invalid_argument One or more query arguments is invalid.

Definition at line 156 of file fclist.cc.

References apol_vector_create(), apol_vector_destroy(), apol_vector_t, fclist_entry_free(), and map_to_vector().

Referenced by fcfile_query(), and sefs_fclist_run_query().

00157 {
00158         apol_vector_t *v = NULL;
00159         try
00160         {
00161                 if ((v = apol_vector_create(fclist_entry_free)) == NULL)
00162                 {
00163                         throw std::bad_alloc();
00164                 }
00165                 if (runQueryMap(query, map_to_vector, v) < 0)
00166                 {
00167                         throw std::bad_alloc();
00168                 }
00169         }
00170         catch(...)
00171         {
00172                 apol_vector_destroy(&v);
00173                 throw;
00174         }
00175         return v;
00176 }

void sefs_fclist::associatePolicy (apol_policy_t * new_policy) [inherited]

Associate a policy with the fclist.

This is needed to resolve attributes and MLS ranges in queries. If a policy is already associated, then calling this function removes that previous association.

Parameters:
new_policy Policy to associate with the fclist. If NULL, remove any policy association. While a policy is associated with the fclist the caller should not destroy that policy.
See also:
sefs_query_set_type()

sefs_query_set_range()

Definition at line 178 of file fclist.cc.

References apol_bst_inorder_map(), apol_policy_t, sefs_fclist::context_tree, fclist_sefs_node_convert(), and sefs_fclist::policy.

Referenced by fclist_sefs_node_convert(), and sefs_fclist_associate_policy().

00179 {
00180         policy = new_policy;
00181         if (policy != NULL)
00182         {
00183                 if (apol_bst_inorder_map(context_tree, fclist_sefs_node_convert, policy) < 0)
00184                 {
00185                         throw std::bad_alloc();   // thrown by value, so catch (std::bad_alloc &) handlers see it
00186                 }
00187         }
00188 }

apol_policy_t * sefs_fclist::associatePolicy () const [inherited]

Return the policy currently associated with this fclist.

Do not destroy the policy without first unassociating it (via call to sefs_fclist::associatePolicy(NULL)).

Returns:
Currently associated policy, or NULL if none is set.

Definition at line 190 of file fclist.cc.

References apol_policy_t.

00191 {
00192         return policy;
00193 }

sefs_fclist_type_e sefs_fclist::fclist_type () const [inherited]

Get the type of fclist object represented by fclist.

Returns:
The type of fclist object or SEFS_FCLIST_TYPE_NONE on error.

Definition at line 195 of file fclist.cc.

References sefs_fclist_type_e.

Referenced by sefs_fclist_get_fclist_type().

00196 {
00197         return _fclist_type;
00198 }

struct sefs_context_node * sefs_fclist::getContext (const char * user, const char * role, const char * type, const char * range) throw (std::bad_alloc) [protected, inherited]

Given the parts of a context, return a context node (which would contain an apol_context_t).

If the context already exists, then a pointer to the existing one is returned.

Parameters:
user User component of the context. The string will be duplicated.
role Role component of the context. The string will be duplicated.
type Type component of the context. The string will be duplicated.
range Range component of the context. The string will be duplicated, or NULL if no range exists.
Returns:
A context node. Do not free() it.

Definition at line 282 of file fclist.cc.

References apol_bst_get_element(), apol_bst_insert(), apol_bst_insert_and_get(), apol_context_create(), apol_context_destroy(), apol_context_set_range(), apol_context_set_role(), apol_context_set_type(), apol_context_set_user(), apol_context_t, apol_mls_range_create_from_literal(), apol_mls_range_destroy(), apol_mls_range_t, fclist_sefs_context_node_free(), fclist_sefs_node_make_string(), and SEFS_ERR.

00284 {
00285         char *u = NULL, *r = NULL, *t = NULL, *m = NULL;
00286         if ((u = strdup(user)) == NULL)
00287         {
00288                 SEFS_ERR(this, "%s", strerror(errno));
00289                 throw std::bad_alloc();   // matches this method's throw (std::bad_alloc) specification
00290         }
00291         if (apol_bst_insert_and_get(user_tree, (void **)&u, NULL) < 0)
00292         {
00293                 free(u);
00294                 SEFS_ERR(this, "%s", strerror(errno));
00295                 throw std::bad_alloc();
00296         }
00297 
00298         if ((r = strdup(role)) == NULL)
00299         {
00300                 SEFS_ERR(this, "%s", strerror(errno));
00301                 throw std::bad_alloc();
00302         }
00303         if (apol_bst_insert_and_get(role_tree, (void **)&r, NULL) < 0)
00304         {
00305                 free(r);
00306                 SEFS_ERR(this, "%s", strerror(errno));
00307                 throw std::bad_alloc();
00308         }
00309 
00310         if ((t = strdup(type)) == NULL)
00311         {
00312                 SEFS_ERR(this, "%s", strerror(errno));
00313                 throw std::bad_alloc();
00314         }
00315         if (apol_bst_insert_and_get(type_tree, (void **)&t, NULL) < 0)
00316         {
00317                 free(t);
00318                 SEFS_ERR(this, "%s", strerror(errno));
00319                 throw std::bad_alloc();
00320         }
00321 
00322         if (range == NULL || range[0] == '\0')
00323         {
00324                 m = NULL;
00325         }
00326         else
00327         {
00328                 if ((m = strdup(range)) == NULL)
00329                 {
00330                         SEFS_ERR(this, "%s", strerror(errno));
00331                         throw std::bad_alloc();
00332                 }
00333                 if (apol_bst_insert_and_get(range_tree, (void **)&m, NULL) < 0)
00334                 {
00335                         free(m);
00336                         SEFS_ERR(this, "%s", strerror(errno));
00337                         throw std::bad_alloc();
00338                 }
00339         }
00340 
00341         struct sefs_context_node *node = NULL;
00342         apol_context_t *context = NULL;
00343         try
00344         {
00345                 if ((node = static_cast < struct sefs_context_node * >(calloc(1, sizeof(*node)))) == NULL)
00346                 {
00347                         SEFS_ERR(this, "%s", strerror(errno));
00348                         throw std::bad_alloc();
00349                 }
00350 
00351                 node->user = u;
00352                 node->role = r;
00353                 node->type = t;
00354                 node->range = m;
00355 
00356                 void *v;
00357                 if (apol_bst_get_element(context_tree, node, NULL, &v) == 0)
00358                 {
00359                         // context already exists
00360                         fclist_sefs_context_node_free(node);
00361                         return static_cast < struct sefs_context_node *>(v);
00362                 }
00363 
00364                 apol_mls_range_t *apol_range = NULL;
00365                 if (m != NULL)
00366                 {
00367                         if ((apol_range = apol_mls_range_create_from_literal(m)) == NULL)
00368                         {
00369                                 SEFS_ERR(this, "%s", strerror(errno));
00370                                 throw std::bad_alloc();
00371                         }
00372                 }
00373 
00374                 if ((context = apol_context_create()) == NULL)
00375                 {
00376                         SEFS_ERR(this, "%s", strerror(errno));
00377                         apol_mls_range_destroy(&apol_range);
00378                         throw std::bad_alloc();
00379                 }
00380                 if (apol_context_set_user(NULL, context, u) < 0 ||
00381                     apol_context_set_role(NULL, context, r) < 0 || apol_context_set_type(NULL, context, t) < 0 ||
00382                     apol_context_set_range(NULL, context, apol_range) < 0)
00383                 {
00384                         SEFS_ERR(this, "%s", strerror(errno));
00385                         apol_mls_range_destroy(&apol_range);
00386                         throw std::runtime_error(strerror(errno));
00387                 }
00388 
00389                 node->context = context;
00390                 context = NULL;
00391 
00392                 if (fclist_sefs_node_make_string(node) < 0)
00393                 {
00394                         SEFS_ERR(this, "%s", strerror(errno));
00395                         throw std::runtime_error(strerror(errno));
00396                 }
00397 
00398                 if (apol_bst_insert(context_tree, node, NULL) != 0)
00399                 {
00400                         SEFS_ERR(this, "%s", strerror(errno));
00401                         throw std::runtime_error(strerror(errno));
00402                 }
00403         }
00404         catch(...)
00405         {
00406                 fclist_sefs_context_node_free(node);
00407                 apol_context_destroy(&context);
00408                 throw;
00409         }
00410 
00411         return node;
00412 }

struct sefs_context_node * sefs_fclist::getContext (const security_context_t scon) throw (std::bad_alloc) [protected, inherited]

Given a SELinux security context, return a context node (which would contain an apol_context_t).

If the context already exists, then a pointer to the existing one is returned.

Parameters:
scon Security context from which to obtain a node.
Returns:
A context node. Do not free() it.

Definition at line 414 of file fclist.cc.

00415 {
00416         context_t con;
00417         if ((con = context_new(scon)) == 0)
00418         {
00419                 throw std::bad_alloc();
00420         }
00421         const char *user = context_user_get(con);
00422         const char *role = context_role_get(con);
00423         const char *type = context_type_get(con);
00424         const char *range = context_range_get(con);
00425         struct sefs_context_node *node = NULL;
00426         try
00427         {
00428                 node = getContext(user, role, type, range);
00429         }
00430         catch(...)
00431         {
00432                 context_free(con);
00433                 throw;
00434         }
00435         context_free(con);
00436         return node;
00437 }
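The two overloads above do two distinct jobs: the libselinux calls (context_new(), context_user_get() and friends) split the raw security context string into its user, role, type and range fields, and the four-argument getContext() interns the result in context_tree so that every caller asking for the same context gets back the same node, which is why the returned pointer must not be freed. The following added example is not SETools code; it reproduces both steps in plain C++ so they can be run and checked offline. It replaces libselinux's context parser with a hand-written parseContext() and the apol BST with a std::map, and the names ContextParts, ContextCache, parseContext and rangeOf are all assumptions of this example. The parser keeps the one rule that matters for MLS contexts: only the first three colons separate fields, and everything after the third colon is the range, which may itself contain colons.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <tuple>

// Constructed stand-in for the fields a sefs_context_node carries
// (the real node also owns an apol_context_t and a rendered string).
struct ContextParts
{
    std::string user;
    std::string role;
    std::string type;
    std::string range;  // empty for a non-MLS context
};

// Split "user:role:type[:range]" the way libselinux's context_new() does:
// only the first three ':' are field separators; everything after the third
// one is the MLS range, which may itself contain ':' (e.g. "s0-s0:c0.c1023").
// Returns false for a string with fewer than three fields or an empty field.
bool parseContext(const std::string &scon, ContextParts &out)
{
    std::size_t first = scon.find(':');
    if (first == std::string::npos)
        return false;
    std::size_t second = scon.find(':', first + 1);
    if (second == std::string::npos)
        return false;
    std::size_t third = scon.find(':', second + 1);

    out.user = scon.substr(0, first);
    out.role = scon.substr(first + 1, second - first - 1);
    if (third == std::string::npos)
    {
        out.type = scon.substr(second + 1);
        out.range.clear();
    }
    else
    {
        out.type = scon.substr(second + 1, third - second - 1);
        out.range = scon.substr(third + 1);
    }
    if (out.user.empty() || out.role.empty() || out.type.empty())
        return false;
    if (third != std::string::npos && out.range.empty())
        return false;
    return true;
}

// Interning cache with the same contract as sefs_fclist::getContext(): one
// node per distinct (user, role, type, range) tuple, owned by the cache, so
// a caller gets a shared pointer back and must not free it.
class ContextCache
{
  private:
    typedef std::tuple<std::string, std::string, std::string, std::string> Key;
    std::map<Key, std::unique_ptr<ContextParts> > nodes_;

  public:
    // Returns nullptr for a malformed context instead of throwing, so the
    // failure mode is easy to observe in a test.
    const ContextParts *getContext(const std::string &scon)
    {
        ContextParts parts;
        if (!parseContext(scon, parts))
            return nullptr;
        Key key(parts.user, parts.role, parts.type, parts.range);
        std::map<Key, std::unique_ptr<ContextParts> >::iterator it = nodes_.find(key);
        if (it != nodes_.end())
            return it->second.get();  // context already exists
        std::unique_ptr<ContextParts> node(new ContextParts(parts));
        const ContextParts *raw = node.get();
        nodes_.emplace(key, std::move(node));
        return raw;
    }

    // Analogue of sefs_filesystem::isMLS(): true once any interned context
    // carries a range field.
    bool isMLS() const
    {
        for (const auto &kv : nodes_)
            if (!kv.second->range.empty())
                return true;
        return false;
    }

    std::size_t size() const { return nodes_.size(); }
};

// Convenience for checks: the parsed range, or "<invalid>" when the string
// is not a well-formed context.
std::string rangeOf(const std::string &scon)
{
    ContextParts p;
    return parseContext(scon, p) ? p.range : std::string("<invalid>");
}

int main()
{
    ContextCache cache;
    // Constructed sample contexts, not taken from any real filesystem.
    const ContextParts *a = cache.getContext("system_u:object_r:etc_t:s0-s0:c0.c1023");
    const ContextParts *b = cache.getContext("system_u:object_r:etc_t:s0-s0:c0.c1023");
    std::cout << "same node: " << (a == b) << ", mls: " << cache.isMLS() << "\n";
    return 0;
}
```

Because the key is the field tuple rather than the raw string, the cache treats the parse as the source of truth; if a caller hands it a string that fails to parse it gets nullptr, where the original throws std::bad_alloc from context_new() failing.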


Friends And Related Function Documentation

struct sefs_context_node * filesystem_get_context (sefs_filesystem * fs, security_context_t scon) throw (std::bad_alloc) [friend]

Definition at line 236 of file filesystem.cc.

00237 {
00238         return fs->getContext(scon);
00239 }

sefs_entry * filesystem_get_entry (sefs_filesystem * fs, const struct sefs_context_node * node, uint32_t objClass, const char * path, ino64_t ino, const char * dev_name) throw (std::bad_alloc) [friend]

Definition at line 241 of file filesystem.cc.

00243 {
00244         return fs->getEntry(node, objClass, path, ino, dev_name);
00245 }

bool filesystem_is_query_match (sefs_filesystem * fs, const sefs_query * query, const char * path, const char * dev, const struct stat64 * sb, apol_vector_t * type_list, apol_mls_range_t * range) throw (std::runtime_error) [friend]

Definition at line 247 of file filesystem.cc.

00250 {
00251         return fs->isQueryMatch(query, path, dev, sb, type_list, range);
00252 }


Member Data Documentation

char* sefs_filesystem::_root [private]
 

Definition at line 141 of file filesystem.hh.

Referenced by ~sefs_filesystem().

bool sefs_filesystem::_rw [private]
 

Definition at line 142 of file filesystem.hh.

bool sefs_filesystem::_mls [private]
 

Definition at line 142 of file filesystem.hh.

apol_policy_t* sefs_fclist::policy [protected, inherited]
 

Definition at line 239 of file fclist.hh.

Referenced by sefs_fclist::associatePolicy().

struct apol_bst* sefs_fclist::user_tree [protected, inherited]
 

Definition at line 240 of file fclist.hh.

Referenced by sefs_fclist::~sefs_fclist().

struct apol_bst * sefs_fclist::role_tree [protected, inherited]
 

Definition at line 240 of file fclist.hh.

Referenced by sefs_fclist::~sefs_fclist().

struct apol_bst * sefs_fclist::type_tree [protected, inherited]
 

Definition at line 240 of file fclist.hh.

Referenced by sefs_fclist::~sefs_fclist().

struct apol_bst * sefs_fclist::range_tree [protected, inherited]
 

Definition at line 240 of file fclist.hh.

Referenced by sefs_fclist::~sefs_fclist().

struct apol_bst * sefs_fclist::path_tree [protected, inherited]
 

Definition at line 240 of file fclist.hh.

Referenced by sefs_fclist::~sefs_fclist().

struct apol_bst* sefs_fclist::dev_tree [protected, inherited]
 

Definition at line 241 of file fclist.hh.

Referenced by sefs_fclist::~sefs_fclist().

struct apol_bst* sefs_fclist::context_tree [protected, inherited]
 

Definition at line 242 of file fclist.hh.

Referenced by sefs_fclist::associatePolicy(), and sefs_fclist::~sefs_fclist().


The documentation for this class was generated from the following files: