from ctypes import * import re import os import sys import platform import fc_sort ### # Check whether the regex will match a file path starting with the provided # prefix # # Compares regex entries in file_contexts with a path prefix. Regex entries # are often more specific than this file prefix. For example, the regex could # be /system/bin/foo\.sh and the prefix could be /system. This function # loops over the regex removing characters from the end until # 1) there is a match - return True or 2) run out of characters - return # False. # def MatchPathPrefix(pathregex, prefix): for i in range(len(pathregex), 0, -1): try: pattern = re.compile('^' + pathregex[0:i] + "$") except: continue if pattern.match(prefix): return True return False def MatchPathPrefixes(pathregex, Prefixes): for Prefix in Prefixes: if MatchPathPrefix(pathregex, Prefix): return True return False class TERule: def __init__(self, rule): data = rule.split(',') self.flavor = data[0] self.sctx = data[1] self.tctx = data[2] self.tclass = data[3] self.perms = set((data[4].strip()).split(' ')) self.rule = rule class Policy: __ExpandedRules = set() __Rules = set() __FcDict = None __FcSorted = None __GenfsDict = None __libsepolwrap = None __policydbP = None __BUFSIZE = 2048 def AssertPathTypesDoNotHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr, ExcludedTypes = []): # Query policy for the types associated with Attr TypesPol = self.QueryTypeAttribute(Attr, True) - set(ExcludedTypes) # Search file_contexts to find types associated with input paths. TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix) violators = TypesFc.intersection(TypesPol) ret = "" if len(violators) > 0: ret += "The following types on " ret += " ".join(str(x) for x in sorted(MatchPrefix)) ret += " must not be associated with the " ret += "\"" + Attr + "\" attribute: " ret += " ".join(str(x) for x in sorted(violators)) + "\n" ret += " corresponding to files: " ret += " ".join(str(x) for x in sorted(Files)) + "\n" return ret # Check that all types for "filesystem" have "attribute" associated with them # for types labeled in genfs_contexts. def AssertGenfsFilesystemTypesHaveAttr(self, Filesystem, Attr): TypesPol = self.QueryTypeAttribute(Attr, True) TypesGenfs = self.__GenfsDict[Filesystem] violators = TypesGenfs.difference(TypesPol) ret = "" if len(violators) > 0: ret += "The following types in " + Filesystem ret += " must be associated with the " ret += "\"" + Attr + "\" attribute: " ret += " ".join(str(x) for x in sorted(violators)) + "\n" return ret # Check that path prefixes that match MatchPrefix, and do not Match # DoNotMatchPrefix have the attribute Attr. # For example assert that all types in /sys, and not in /sys/kernel/debugfs # have the sysfs_type attribute. def AssertPathTypesHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr): # Query policy for the types associated with Attr TypesPol = self.QueryTypeAttribute(Attr, True) # Search file_contexts to find paths/types that should be associated with # Attr. TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix) violators = TypesFc.difference(TypesPol) ret = "" if len(violators) > 0: ret += "The following types on " ret += " ".join(str(x) for x in sorted(MatchPrefix)) ret += " must be associated with the " ret += "\"" + Attr + "\" attribute: " ret += " ".join(str(x) for x in sorted(violators)) + "\n" ret += " corresponding to files: " ret += " ".join(str(x) for x in sorted(Files)) + "\n" return ret def AssertPropertyOwnersAreExclusive(self): systemProps = self.QueryTypeAttribute('system_property_type', True) vendorProps = self.QueryTypeAttribute('vendor_property_type', True) violators = systemProps.intersection(vendorProps) ret = "" if len(violators) > 0: ret += "The following types have both system_property_type " ret += "and vendor_property_type: " ret += " ".join(str(x) for x in sorted(violators)) + "\n" return ret # Return all file_contexts entries that map to the input Type. def QueryFc(self, Type): if Type in self.__FcDict: return self.__FcDict[Type] else: return None # Return all attributes associated with a type if IsAttr=False or # all types associated with an attribute if IsAttr=True def QueryTypeAttribute(self, Type, IsAttr): TypeIterP = self.__libsepolwrap.init_type_iter(self.__policydbP, create_string_buffer(Type), IsAttr) if (TypeIterP == None): sys.exit("Failed to initialize type iterator") buf = create_string_buffer(self.__BUFSIZE) TypeAttr = set() while True: ret = self.__libsepolwrap.get_type(buf, self.__BUFSIZE, self.__policydbP, TypeIterP) if ret == 0: TypeAttr.add(buf.value) continue if ret == 1: break; # We should never get here. sys.exit("Failed to import policy") self.__libsepolwrap.destroy_type_iter(TypeIterP) return TypeAttr def __TERuleMatch(self, Rule, **kwargs): # Match source type if ("scontext" in kwargs and len(kwargs['scontext']) > 0 and Rule.sctx not in kwargs['scontext']): return False # Match target type if ("tcontext" in kwargs and len(kwargs['tcontext']) > 0 and Rule.tctx not in kwargs['tcontext']): return False # Match target class if ("tclass" in kwargs and len(kwargs['tclass']) > 0 and not bool(set([Rule.tclass]) & kwargs['tclass'])): return False # Match any perms if ("perms" in kwargs and len(kwargs['perms']) > 0 and not bool(Rule.perms & kwargs['perms'])): return False return True # resolve a type to its attributes or # resolve an attribute to its types and attributes # For example if scontext is the domain attribute, then we need to # include all types with the domain attribute such as untrusted_app and # priv_app and all the attributes of those types such as appdomain. def ResolveTypeAttribute(self, Type): types = self.GetAllTypes(False) attributes = self.GetAllTypes(True) if Type in types: return self.QueryTypeAttribute(Type, False) elif Type in attributes: TypesAndAttributes = set() Types = self.QueryTypeAttribute(Type, True) TypesAndAttributes |= Types for T in Types: TypesAndAttributes |= self.QueryTypeAttribute(T, False) return TypesAndAttributes else: return set() # Return all TERules that match: # (any scontext) or (any tcontext) or (any tclass) or (any perms), # perms. # Any unspecified paramenter will match all. # # Example: QueryTERule(tcontext=["foo", "bar"], perms=["entrypoint"]) # Will return any rule with: # (tcontext="foo" or tcontext="bar") and ("entrypoint" in perms) def QueryTERule(self, **kwargs): if len(self.__Rules) == 0: self.__InitTERules() # add any matching types and attributes for scontext and tcontext if ("scontext" in kwargs and len(kwargs['scontext']) > 0): scontext = set() for sctx in kwargs['scontext']: scontext |= self.ResolveTypeAttribute(sctx) kwargs['scontext'] = scontext if ("tcontext" in kwargs and len(kwargs['tcontext']) > 0): tcontext = set() for tctx in kwargs['tcontext']: tcontext |= self.ResolveTypeAttribute(tctx) kwargs['tcontext'] = tcontext for Rule in self.__Rules: if self.__TERuleMatch(Rule, **kwargs): yield Rule # Same as QueryTERule but only using the expanded ruleset. # i.e. all attributes have been expanded to their various types. def QueryExpandedTERule(self, **kwargs): if len(self.__ExpandedRules) == 0: self.__InitExpandedTERules() for Rule in self.__ExpandedRules: if self.__TERuleMatch(Rule, **kwargs): yield Rule def GetAllTypes(self, isAttr): TypeIterP = self.__libsepolwrap.init_type_iter(self.__policydbP, None, isAttr) if (TypeIterP == None): sys.exit("Failed to initialize type iterator") buf = create_string_buffer(self.__BUFSIZE) AllTypes = set() while True: ret = self.__libsepolwrap.get_type(buf, self.__BUFSIZE, self.__policydbP, TypeIterP) if ret == 0: AllTypes.add(buf.value) continue if ret == 1: break; # We should never get here. sys.exit("Failed to import policy") self.__libsepolwrap.destroy_type_iter(TypeIterP) return AllTypes def __ExactMatchPathPrefix(self, pathregex, prefix): pattern = re.compile('^' + pathregex + "$") if pattern.match(prefix): return True return False # Return a tuple (prefix, i) where i is the index of the most specific # match of prefix in the sorted file_contexts. This is useful for limiting a # file_contexts search to matches that are more specific and omitting less # specific matches. For example, finding all matches to prefix /data/vendor # should not include /data(/.*)? if /data/vendor(/.*)? is also specified. def __FcSortedIndex(self, prefix): index = 0 for i in range(0, len(self.__FcSorted)): if self.__ExactMatchPathPrefix(self.__FcSorted[i].path, prefix): index = i return prefix, index # Return a tuple of (path, Type) for all matching paths. Use the sorted # file_contexts and index returned from __FcSortedIndex() to limit results # to results that are more specific than the prefix. def __MatchPathPrefixTypes(self, prefix, index): PathType = [] for i in range(index, len(self.__FcSorted)): if MatchPathPrefix(self.__FcSorted[i].path, prefix): PathType.append((self.__FcSorted[i].path, self.__FcSorted[i].Type)) return PathType # Return types that match MatchPrefixes but do not match # DoNotMatchPrefixes def __GetTypesAndFilesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes): Types = set() Files = set() MatchPrefixesWithIndex = [] for MatchPrefix in MatchPrefixes: MatchPrefixesWithIndex.append(self.__FcSortedIndex(MatchPrefix)) for MatchPrefixWithIndex in MatchPrefixesWithIndex: PathTypes = self.__MatchPathPrefixTypes(*MatchPrefixWithIndex) for PathType in PathTypes: if MatchPathPrefixes(PathType[0], DoNotMatchPrefixes): continue Types.add(PathType[1]) Files.add(PathType[0]) return Types, Files def __GetTERules(self, policydbP, avtabIterP, Rules): if Rules is None: Rules = set() buf = create_string_buffer(self.__BUFSIZE) ret = 0 while True: ret = self.__libsepolwrap.get_allow_rule(buf, self.__BUFSIZE, policydbP, avtabIterP) if ret == 0: Rule = TERule(buf.value) Rules.add(Rule) continue if ret == 1: break; # We should never get here. sys.exit("Failed to import policy") def __InitTERules(self): avtabIterP = self.__libsepolwrap.init_avtab(self.__policydbP) if (avtabIterP == None): sys.exit("Failed to initialize avtab") self.__GetTERules(self.__policydbP, avtabIterP, self.__Rules) self.__libsepolwrap.destroy_avtab(avtabIterP) avtabIterP = self.__libsepolwrap.init_cond_avtab(self.__policydbP) if (avtabIterP == None): sys.exit("Failed to initialize conditional avtab") self.__GetTERules(self.__policydbP, avtabIterP, self.__Rules) self.__libsepolwrap.destroy_avtab(avtabIterP) def __InitExpandedTERules(self): avtabIterP = self.__libsepolwrap.init_expanded_avtab(self.__policydbP) if (avtabIterP == None): sys.exit("Failed to initialize avtab") self.__GetTERules(self.__policydbP, avtabIterP, self.__ExpandedRules) self.__libsepolwrap.destroy_expanded_avtab(avtabIterP) avtabIterP = self.__libsepolwrap.init_expanded_cond_avtab(self.__policydbP) if (avtabIterP == None): sys.exit("Failed to initialize conditional avtab") self.__GetTERules(self.__policydbP, avtabIterP, self.__ExpandedRules) self.__libsepolwrap.destroy_expanded_avtab(avtabIterP) # load ctypes-ified libsepol wrapper def __InitLibsepolwrap(self, LibPath): lib = CDLL(LibPath) # int get_allow_rule(char *out, size_t len, void *policydbp, void *avtab_iterp); lib.get_allow_rule.restype = c_int lib.get_allow_rule.argtypes = [c_char_p, c_size_t, c_void_p, c_void_p]; # void *load_policy(const char *policy_path); lib.load_policy.restype = c_void_p lib.load_policy.argtypes = [c_char_p] # void destroy_policy(void *policydbp); lib.destroy_policy.argtypes = [c_void_p] # void *init_expanded_avtab(void *policydbp); lib.init_expanded_avtab.restype = c_void_p lib.init_expanded_avtab.argtypes = [c_void_p] # void *init_expanded_cond_avtab(void *policydbp); lib.init_expanded_cond_avtab.restype = c_void_p lib.init_expanded_cond_avtab.argtypes = [c_void_p] # void destroy_expanded_avtab(void *avtab_iterp); lib.destroy_expanded_avtab.argtypes = [c_void_p] # void *init_avtab(void *policydbp); lib.init_avtab.restype = c_void_p lib.init_avtab.argtypes = [c_void_p] # void *init_cond_avtab(void *policydbp); lib.init_cond_avtab.restype = c_void_p lib.init_cond_avtab.argtypes = [c_void_p] # void destroy_avtab(void *avtab_iterp); lib.destroy_avtab.argtypes = [c_void_p] # int get_type(char *out, size_t max_size, void *policydbp, void *type_iterp); lib.get_type.restype = c_int lib.get_type.argtypes = [c_char_p, c_size_t, c_void_p, c_void_p] # void *init_type_iter(void *policydbp, const char *type, bool is_attr); lib.init_type_iter.restype = c_void_p lib.init_type_iter.argtypes = [c_void_p, c_char_p, c_bool] # void destroy_type_iter(void *type_iterp); lib.destroy_type_iter.argtypes = [c_void_p] # void *init_genfs_iter(void *policydbp) lib.init_genfs_iter.restype = c_void_p lib.init_genfs_iter.argtypes = [c_void_p] # int get_genfs(char *out, size_t max_size, void *genfs_iterp); lib.get_genfs.restype = c_int lib.get_genfs.argtypes = [c_char_p, c_size_t, c_void_p, c_void_p] # void destroy_genfs_iter(void *genfs_iterp) lib.destroy_genfs_iter.argtypes = [c_void_p] self.__libsepolwrap = lib def __GenfsDictAdd(self, Dict, buf): fs, path, context = buf.split(" ") Type = context.split(":")[2] if not fs in Dict: Dict[fs] = {Type} else: Dict[fs].add(Type) def __InitGenfsCon(self): self.__GenfsDict = {} GenfsIterP = self.__libsepolwrap.init_genfs_iter(self.__policydbP) if (GenfsIterP == None): sys.exit("Failed to retreive genfs entries") buf = create_string_buffer(self.__BUFSIZE) while True: ret = self.__libsepolwrap.get_genfs(buf, self.__BUFSIZE, self.__policydbP, GenfsIterP) if ret == 0: self.__GenfsDictAdd(self.__GenfsDict, buf.value) continue if ret == 1: self.__GenfsDictAdd(self.__GenfsDict, buf.value) break; # We should never get here. sys.exit("Failed to get genfs entries") self.__libsepolwrap.destroy_genfs_iter(GenfsIterP) # load file_contexts def __InitFC(self, FcPaths): if FcPaths is None: return fc = [] for path in FcPaths: if not os.path.exists(path): sys.exit("file_contexts file " + path + " does not exist.") fd = open(path, "r") fc += fd.readlines() fd.close() self.__FcDict = {} for i in fc: rec = i.split() try: t = rec[-1].split(":")[2] if t in self.__FcDict: self.__FcDict[t].append(rec[0]) else: self.__FcDict[t] = [rec[0]] except: pass self.__FcSorted = fc_sort.FcSort(FcPaths) # load policy def __InitPolicy(self, PolicyPath): cPolicyPath = create_string_buffer(PolicyPath) self.__policydbP = self.__libsepolwrap.load_policy(cPolicyPath) if (self.__policydbP is None): sys.exit("Failed to load policy") def __init__(self, PolicyPath, FcPaths, LibPath): self.__InitLibsepolwrap(LibPath) self.__InitFC(FcPaths) self.__InitPolicy(PolicyPath) self.__InitGenfsCon() def __del__(self): if self.__policydbP is not None: self.__libsepolwrap.destroy_policy(self.__policydbP)