| Server IP : 103.119.228.120 / Your IP : 3.129.216.15 Web Server : Apache System : Linux v8.techscape8.com 3.10.0-1160.119.1.el7.tuxcare.els2.x86_64 #1 SMP Mon Jul 15 12:09:18 UTC 2024 x86_64 User : nobody ( 99) PHP Version : 5.6.40 Disable Function : shell_exec,symlink,system,exec,proc_get_status,proc_nice,proc_terminate,define_syslog_variables,syslog,openlog,closelog,escapeshellcmd,passthru,ocinum cols,ini_alter,leak,listen,chgrp,apache_note,apache_setenv,debugger_on,debugger_off,ftp_exec,dl,dll,myshellexec,proc_open,socket_bind,proc_close,escapeshellarg,parse_ini_filepopen,fpassthru,exec,passthru,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,popen,show_source,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,dl,symlink,shell_exec,system,dl,passthru,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_put,fpassthru,getdisfunc,fx29exec,fx29exec2,is_windows,disp_freespace,fx29sh_getupdate,fx29_buff_prepare,fx29_sess_put,fx29shexit,fx29fsearch,fx29ftpbrutecheck,fx29sh_tools,fx29sh_about,milw0rm,imagez,sh_name,myshellexec,checkproxyhost,dosyayicek,c99_buff_prepare,c99_sess_put,c99getsource,c99sh_getupdate,c99fsearch,c99shexit,view_perms,posix_getpwuid,posix_getgrgid,posix_kill,parse_perms,parsesort,view_perms_color,set_encoder_input,ls_setcheckboxall,ls_reverse_all,rsg_read,rsg_glob,selfURL,dispsecinfo,unix2DosTime,addFile,system,get_users,view_size,DirFiles,DirFilesWide,DirPrintHTMLHeaders,GetFilesTotal,GetTitles,GetTimeTotal,GetMatchesCount,GetFileMatchesCount,GetResultFiles,fs_copy_dir,fs_copy_obj,fs_move_dir,fs_move_obj,fs_rmdir,SearchText,getmicrotime MySQL : ON | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : ON Directory : /lib64/python2.7/site-packages/sepolgen/ |
Upload File : |
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2006 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
"""
This module provides knowledge object classes and permissions. It should
be used to keep this knowledge from leaking into the more generic parts of
the policy generation.
"""
# Objects that can be implicitly typed - these objects do
# not _have_ to be implicitly typed (e.g., sockets can be
# explicitly labeled), but they often are.
#
# File is in this list for /proc/self
#
# This list is useful when dealing with rules that have a
# type (or param) used as both a subject and object. For
# example:
#
# allow httpd_t httpd_t : socket read;
#
# This rule makes sense because the socket was (presumably) created
# by a process with the type httpd_t.
implicitly_typed_objects = ["socket", "fd", "process", "file", "lnk_file", "fifo_file",
"dbus", "capability", "unix_stream_socket"]
#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#
#Information Flow
#
# All of the permissions in SELinux can be described in terms of
# information flow. For example, a read of a file is a flow of
# information from that file to the process reading. Viewing
# permissions in these terms can be used to model a varity of
# security properties.
#
# Here we have some infrastructure for understanding permissions
# in terms of information flow
#
#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
# Information flow deals with information either flowing from a subject
# to and object ("write") or to a subject from an object ("read"). Read
# or write is described from the subject point-of-view. It is also possible
# for a permission to represent both a read and write (though the flow is
# typical asymettric in terms of bandwidth). It is also possible for
# permission to not flow information (meaning that the result is pure
# side-effect).
#
# The following constants are for representing the directionality
# of information flow.
FLOW_NONE = 0
FLOW_READ = 1
FLOW_WRITE = 2
FLOW_BOTH = FLOW_READ | FLOW_WRITE
# These are used by the parser and for nice disply of the directions
str_to_dir = { "n" : FLOW_NONE, "r" : FLOW_READ, "w" : FLOW_WRITE, "b" : FLOW_BOTH }
dir_to_str = { FLOW_NONE : "n", FLOW_READ : "r", FLOW_WRITE : "w", FLOW_BOTH : "b" }
class PermMap:
"""A mapping between a permission and its information flow properties.
PermMap represents the information flow properties of a single permission
including the direction (read, write, etc.) and an abstract representation
of the bandwidth of the flow (weight).
"""
def __init__(self, perm, dir, weight):
self.perm = perm
self.dir = dir
self.weight = weight
def __repr__(self):
return "<sepolgen.objectmodel.PermMap %s %s %d>" % (self.perm,
dir_to_str[self.dir],
self.weight)
class PermMappings:
"""The information flow properties of a set of object classes and permissions.
PermMappings maps one or more classes and permissions to their PermMap objects
describing their information flow charecteristics.
"""
def __init__(self):
self.classes = { }
self.default_weight = 5
self.default_dir = FLOW_BOTH
def from_file(self, fd):
"""Read the permission mappings from a file. This reads the format used
by Apol in the setools suite.
"""
# This parsing is deliberitely picky and bails at the least error. It
# is assumed that the permission map file will be shipped as part
# of sepolgen and not user modified, so this is a reasonable design
# choice. If user supplied permission mappings are needed the parser
# should be made a little more robust and give better error messages.
cur = None
for line in fd:
fields = line.split()
if len(fields) == 0 or len(fields) == 1 or fields[0] == "#":
continue
if fields[0] == "class":
c = fields[1]
if c in self.classes:
raise ValueError("duplicate class in perm map")
self.classes[c] = { }
cur = self.classes[c]
else:
if len(fields) != 3:
raise ValueError("error in object classs permissions")
if cur is None:
raise ValueError("permission outside of class")
pm = PermMap(fields[0], str_to_dir[fields[1]], int(fields[2]))
cur[pm.perm] = pm
def get(self, obj, perm):
"""Get the permission map for the object permission.
Returns:
PermMap representing the permission
Raises:
KeyError if the object or permission is not defined
"""
return self.classes[obj][perm]
def getdefault(self, obj, perm):
"""Get the permission map for the object permission or a default.
getdefault is the same as get except that a default PermMap is
returned if the object class or permission is not defined. The
default is FLOW_BOTH with a weight of 5.
"""
try:
pm = self.classes[obj][perm]
except KeyError:
return PermMap(perm, self.default_dir, self.default_weight)
return pm
def getdefault_direction(self, obj, perms):
dir = FLOW_NONE
for perm in perms:
pm = self.getdefault(obj, perm)
dir = dir | pm.dir
return dir
def getdefault_distance(self, obj, perms):
total = 0
for perm in perms:
pm = self.getdefault(obj, perm)
total += pm.weight
return total