Server IP : 103.119.228.120 / Your IP : 13.58.188.166 Web Server : Apache System : Linux v8.techscape8.com 3.10.0-1160.119.1.el7.tuxcare.els2.x86_64 #1 SMP Mon Jul 15 12:09:18 UTC 2024 x86_64 User : nobody ( 99) PHP Version : 5.6.40 Disable Function : shell_exec,symlink,system,exec,proc_get_status,proc_nice,proc_terminate,define_syslog_variables,syslog,openlog,closelog,escapeshellcmd,passthru,ocinum cols,ini_alter,leak,listen,chgrp,apache_note,apache_setenv,debugger_on,debugger_off,ftp_exec,dl,dll,myshellexec,proc_open,socket_bind,proc_close,escapeshellarg,parse_ini_filepopen,fpassthru,exec,passthru,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,popen,show_source,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,dl,symlink,shell_exec,system,dl,passthru,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_put,fpassthru,getdisfunc,fx29exec,fx29exec2,is_windows,disp_freespace,fx29sh_getupdate,fx29_buff_prepare,fx29_sess_put,fx29shexit,fx29fsearch,fx29ftpbrutecheck,fx29sh_tools,fx29sh_about,milw0rm,imagez,sh_name,myshellexec,checkproxyhost,dosyayicek,c99_buff_prepare,c99_sess_put,c99getsource,c99sh_getupdate,c99fsearch,c99shexit,view_perms,posix_getpwuid,posix_getgrgid,posix_kill,parse_perms,parsesort,view_perms_color,set_encoder_input,ls_setcheckboxall,ls_reverse_all,rsg_read,rsg_glob,selfURL,dispsecinfo,unix2DosTime,addFile,system,get_users,view_size,DirFiles,DirFilesWide,DirPrintHTMLHeaders,GetFilesTotal,GetTitles,GetTimeTotal,GetMatchesCount,GetFileMatchesCount,GetResultFiles,fs_copy_dir,fs_copy_obj,fs_move_dir,fs_move_obj,fs_rmdir,SearchText,getmicrotime MySQL : ON | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : ON Directory : /usr/local/ssl/local/ssl/lib64/python2.7/site-packages/sepolgen/ |
Upload File : |
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> # # Copyright (C) 2006 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as # published by the Free Software Foundation; version 2 only # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # """ This module provides knowledge object classes and permissions. It should be used to keep this knowledge from leaking into the more generic parts of the policy generation. """ # Objects that can be implicitly typed - these objects do # not _have_ to be implicitly typed (e.g., sockets can be # explicitly labeled), but they often are. # # File is in this list for /proc/self # # This list is useful when dealing with rules that have a # type (or param) used as both a subject and object. For # example: # # allow httpd_t httpd_t : socket read; # # This rule makes sense because the socket was (presumably) created # by a process with the type httpd_t. implicitly_typed_objects = ["socket", "fd", "process", "file", "lnk_file", "fifo_file", "dbus", "capability", "unix_stream_socket"] #:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: # #Information Flow # # All of the permissions in SELinux can be described in terms of # information flow. For example, a read of a file is a flow of # information from that file to the process reading. Viewing # permissions in these terms can be used to model a varity of # security properties. # # Here we have some infrastructure for understanding permissions # in terms of information flow # #:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: # Information flow deals with information either flowing from a subject # to and object ("write") or to a subject from an object ("read"). Read # or write is described from the subject point-of-view. It is also possible # for a permission to represent both a read and write (though the flow is # typical asymettric in terms of bandwidth). It is also possible for # permission to not flow information (meaning that the result is pure # side-effect). # # The following constants are for representing the directionality # of information flow. FLOW_NONE = 0 FLOW_READ = 1 FLOW_WRITE = 2 FLOW_BOTH = FLOW_READ | FLOW_WRITE # These are used by the parser and for nice disply of the directions str_to_dir = { "n" : FLOW_NONE, "r" : FLOW_READ, "w" : FLOW_WRITE, "b" : FLOW_BOTH } dir_to_str = { FLOW_NONE : "n", FLOW_READ : "r", FLOW_WRITE : "w", FLOW_BOTH : "b" } class PermMap: """A mapping between a permission and its information flow properties. PermMap represents the information flow properties of a single permission including the direction (read, write, etc.) and an abstract representation of the bandwidth of the flow (weight). """ def __init__(self, perm, dir, weight): self.perm = perm self.dir = dir self.weight = weight def __repr__(self): return "<sepolgen.objectmodel.PermMap %s %s %d>" % (self.perm, dir_to_str[self.dir], self.weight) class PermMappings: """The information flow properties of a set of object classes and permissions. PermMappings maps one or more classes and permissions to their PermMap objects describing their information flow charecteristics. """ def __init__(self): self.classes = { } self.default_weight = 5 self.default_dir = FLOW_BOTH def from_file(self, fd): """Read the permission mappings from a file. This reads the format used by Apol in the setools suite. """ # This parsing is deliberitely picky and bails at the least error. It # is assumed that the permission map file will be shipped as part # of sepolgen and not user modified, so this is a reasonable design # choice. If user supplied permission mappings are needed the parser # should be made a little more robust and give better error messages. cur = None for line in fd: fields = line.split() if len(fields) == 0 or len(fields) == 1 or fields[0] == "#": continue if fields[0] == "class": c = fields[1] if c in self.classes: raise ValueError("duplicate class in perm map") self.classes[c] = { } cur = self.classes[c] else: if len(fields) != 3: raise ValueError("error in object classs permissions") if cur is None: raise ValueError("permission outside of class") pm = PermMap(fields[0], str_to_dir[fields[1]], int(fields[2])) cur[pm.perm] = pm def get(self, obj, perm): """Get the permission map for the object permission. Returns: PermMap representing the permission Raises: KeyError if the object or permission is not defined """ return self.classes[obj][perm] def getdefault(self, obj, perm): """Get the permission map for the object permission or a default. getdefault is the same as get except that a default PermMap is returned if the object class or permission is not defined. The default is FLOW_BOTH with a weight of 5. """ try: pm = self.classes[obj][perm] except KeyError: return PermMap(perm, self.default_dir, self.default_weight) return pm def getdefault_direction(self, obj, perms): dir = FLOW_NONE for perm in perms: pm = self.getdefault(obj, perm) dir = dir | pm.dir return dir def getdefault_distance(self, obj, perms): total = 0 for perm in perms: pm = self.getdefault(obj, perm) total += pm.weight return total