author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-21 20:07:46 +0200 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-21 20:07:46 +0200 |
commit | 3962a6834f4e7ef04441de4f3134ff329d8602f9 (patch) | |
tree | cae07463edd5b609a97513e00d63e1bd410cc8bb /policy/flask | |
parent | Initial commit (diff) | |
download | hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.tar.gz hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.tar.bz2 hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.zip |
Pushing 2.20120215 (current version)
Diffstat (limited to 'policy/flask')
-rw-r--r-- | policy/flask/Makefile | 51 | ||||
-rw-r--r-- | policy/flask/access_vectors | 864 | ||||
-rw-r--r-- | policy/flask/flask.py | 536 | ||||
-rw-r--r-- | policy/flask/initial_sids | 35 | ||||
-rw-r--r-- | policy/flask/security_classes | 134 |
5 files changed, 1620 insertions, 0 deletions
diff --git a/policy/flask/Makefile b/policy/flask/Makefile
new file mode 100644
index 000000000..17dc1747c
--- /dev/null
+++ b/policy/flask/Makefile
@@ -0,0 +1,51 @@
+PYTHON ?= python
+
+# flask needs to know where to export the libselinux headers.
+LIBSELINUX_D ?= ../../libselinux
+
+# flask needs to know where to export the kernel headers.
+LINUX_D ?= ../../../linux-2.6
+
+ACCESS_VECTORS_F = access_vectors
+INITIAL_SIDS_F = initial_sids
+SECURITY_CLASSES_F = security_classes
+
+USER_D = userspace
+KERN_D = kernel
+
+LIBSELINUX_INCLUDE_H = flask.h av_permissions.h
+LIBSELINUX_SOURCE_H = class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h
+
+FLASK_H = class_to_string.h flask.h initial_sid_to_string.h
+ACCESS_VECTORS_H = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
+ALL_H = $(FLASK_H) $(ACCESS_VECTORS_H)
+
+USER_H = $(addprefix $(USER_D)/, $(ALL_H))
+KERN_H = $(addprefix $(KERN_D)/, $(ALL_H))
+
+FLASK_NOWARNINGS = --nowarnings
+
+all: $(USER_H) $(KERN_H)
+
+$(USER_H): flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F)
+ mkdir -p $(USER_D)
+ $(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(USER_D) -u $(FLASK_NOWARNINGS)
+
+$(KERN_H): flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F)
+ mkdir -p $(KERN_D)
+ $(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(KERN_D) -k $(FLASK_NOWARNINGS)
+
+tolib: all
+ install -m 644 $(addprefix $(USER_D)/, $(LIBSELINUX_INCLUDE_H)) $(LIBSELINUX_D)/include/selinux
+ install -m 644 $(addprefix $(USER_D)/, $(LIBSELINUX_SOURCE_H)) $(LIBSELINUX_D)/src
+
+tokern: all
+ install -m 644 $(KERN_H) $(LINUX_D)/security/selinux/include
+
+install: all
+
+relabel:
+
+clean:
+ rm -fr userspace
+ rm -fr kernel
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
new file mode 100644
index 000000000..bf241600e
--- /dev/null
+++ b/policy/flask/access_vectors
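Review bot: `$(USER_H): flask.py …` (and likewise `$(KERN_H): …`) lists seven targets on one rule header, which GNU Make reads as seven independent rules sharing a recipe, so under `make -j` the same flask.py invocation can run several times concurrently, each rewriting every header in the directory. A stamp file per output directory, with the headers depending on it through an empty rule, runs the generator once; on GNU Make 4.3+ a grouped target (`$(USER_H) &: …`) does the same. `clean` removes the literal names `userspace` and `kernel` instead of `$(USER_D)` and `$(KERN_D)`, so overriding either variable leaves stale output behind, and none of `all`, `tolib`, `tokern`, `install`, `relabel`, `clean` is declared `.PHONY`. The recipe indentation cannot be verified from this rendering; each recipe line must start with a tab.
```make
.PHONY: all tolib tokern install relabel clean

all: $(USER_H) $(KERN_H)

# flask.py writes every header in one run, so run it once per output
# directory and let the headers depend on a stamp file.
$(USER_H): $(USER_D)/.stamp ;
$(USER_D)/.stamp: flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F)
	mkdir -p $(USER_D)
	$(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(USER_D) -u $(FLASK_NOWARNINGS)
	touch $@

# … unchanged: same shape for $(KERN_H) via $(KERN_D)/.stamp and -k; tolib, tokern, install, relabel …

clean:
	rm -fr $(USER_D)
	rm -fr $(KERN_D)
```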
@@ -0,0 +1,864 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+ create
+ drop
+ getattr
+ setattr
+ relabelfrom
+ relabelto
+}
+
+#
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+ getattr
+ setattr
+ use
+ read
+ write
+ getfocus
+ setfocus
+ bell
+ force_cursor
+ freeze
+ grab
+ manage
+ list_property
+ get_property
+ set_property
+ add
+ remove
+ create
+ destroy
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+ open
+ audit_access
+ execmod
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class lnk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class blk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class sock_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fifo_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+ dccp_recv
+ dccp_send
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ dccp_recv
+ dccp_send
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the capability2 class.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+class capability2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+}
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+ passwd # change another user passwd
+ chfn # change another user finger info
+ chsh # change another user shell
+ rootok # pam_rootok check (skip auth)
+ crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class x_drawable
+{
+ create
+ destroy
+ read
+ write
+ blend
+ getattr
+ setattr
+ list_child
+ add_child
+ remove_child
+ list_property
+ get_property
+ set_property
+ manage
+ override
+ show
+ hide
+ send
+ receive
+}
+
+class x_screen
+{
+ getattr
+ setattr
+ hide_cursor
+ show_cursor
+ saver_getattr
+ saver_setattr
+ saver_hide
+ saver_show
+}
+
+class x_gc
+{
+ create
+ destroy
+ getattr
+ setattr
+ use
+}
+
+class x_font
+{
+ create
+ destroy
+ getattr
+ add_glyph
+ remove_glyph
+ use
+}
+
+class x_colormap
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ add_color
+ remove_color
+ install
+ uninstall
+ use
+}
+
+class x_property
+{
+ create
+ destroy
+ read
+ write
+ append
+ getattr
+ setattr
+}
+
+class x_selection
+{
+ read
+ write
+ getattr
+ setattr
+}
+
+class x_cursor
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ setattr
+ use
+}
+
+class x_client
+{
+ destroy
+ getattr
+ setattr
+ manage
+}
+
+class x_device
+inherits x_device
+
+class x_server
+{
+ getattr
+ setattr
+ record
+ debug
+ grab
+ manage
+}
+
+class x_extension
+{
+ query
+ use
+}
+
+class x_resource
+{
+ read
+ write
+}
+
+class x_event
+{
+ send
+ receive
+}
+
+class x_synthetic_event
+{
+ send
+ receive
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+ acquire_svc
+ send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+ getpwd
+ getgrp
+ gethost
+ getstat
+ admin
+ shmempwd
+ shmemgrp
+ shmemhost
+ getserv
+ shmemserv
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ flow_in # deprecated
+ flow_out # deprecated
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class context
+{
+ translate
+ contains
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+class db_database
+inherits database
+{
+ access
+ install_module
+ load_module
+ get_param # deprecated
+ set_param # deprecated
+}
+
+class db_table
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+ delete
+ lock
+}
+
+class db_procedure
+inherits database
+{
+ execute
+ entrypoint
+ install
+}
+
+class db_column
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+}
+
+class db_tuple
+{
+ relabelfrom
+ relabelto
+ use # deprecated
+ select
+ update
+ insert
+ delete
+}
+
+class db_blob
+inherits database
+{
+ read
+ write
+ import
+ export
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class x_application_data
+{
+ paste
+ paste_after_confirm
+ copy
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
+
+class db_schema
+inherits database
+{
+ search
+ add_name
+ remove_name
+}
+
+class db_view
+inherits database
+{
+ expand
+}
+
+class db_sequence
+inherits database
+{
+ get_value
+ next_value
+ set_value
+}
+
+class db_language
+inherits database
+{
+ implement
+ execute
+}
diff --git a/policy/flask/flask.py b/policy/flask/flask.py
new file mode 100644
index 000000000..8b4be503c
--- /dev/null
+++ b/policy/flask/flask.py
@@ -0,0 +1,536 @@ +#!/usr/bin/python -E +# +# Author(s): Caleb Case <ccase@tresys.com> +# +# Adapted from the bash/awk scripts mkflask.sh and mkaccess_vector.sh +# + +import getopt +import os +import sys +import re + +class ParseError(Exception): + def __init__(self, type, file, line): + self.type = type + self.file = file + self.line = line + def __str__(self): + typeS = self.type + if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type] + return "Parse Error: Unexpected %s on line %d of %s." % (typeS, self.line, self.file) + +class DuplicateError(Exception): + def __init__(self, type, file, line, symbol): + self.type = type + self.file = file + self.line = line + self.symbol = symbol + def __str__(self): + typeS = self.type + if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type] + return "Duplicate Error: Duplicate %s '%s' on line %d of %s." % (typeS, self.symbol, self.line, self.file) + +class UndefinedError(Exception): + def __init__(self, type, file, line, symbol): + self.type = type + self.file = file + self.line = line + self.symbol = symbol + def __str__(self): + typeS = self.type + if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type] + return "Undefined Error: %s '%s' is not defined but used on line %d of %s." % (typeS, self.symbol, self.line, self.file) + +class UnusedError(Exception): + def __init__(self, info): + self.info = info + def __str__(self): + return "Unused Error: %s" % self.info + +class Flask: + ''' + FLASK container class with utilities for parsing definition + files and creating c header files. + ''' + + #Constants used in definitions parsing. 
+ WHITE = re.compile(r'^\s*$') + COMMENT = re.compile(r'^\s*#') + USERFLAG = re.compile(r'# userspace') + CLASS = re.compile(r'^class (?P<name>\w+)') + COMMON = re.compile(r'^common (?P<name>\w+)') + INHERITS = re.compile(r'^inherits (?P<name>\w+)') + OPENB = re.compile(r'^{') + VECTOR = re.compile(r'^\s*(?P<name>\w+)') + CLOSEB = re.compile(r'^}') + SID = re.compile(r'^sid (?P<name>\w+)') + EOF = "end of file" + + #Constants used in header generation. + USERSPACE = 0 + KERNEL = 1 + + CONSTANT_S = { \ + #parsing constants + WHITE : "whitespace", \ + COMMENT : "comment", \ + USERFLAG : "userspace flag", \ + CLASS : "class definition", \ + COMMON : "common definition", \ + INHERITS : "inherits definition", \ + OPENB : "'{'", \ + VECTOR : "access vector definition", \ + CLOSEB : "'}'", \ + SID : "security identifier", \ + EOF : "end of file", \ + #generation constants + USERSPACE : "userspace mode", \ + KERNEL : "kernel mode", \ + } + + def __init__(self, warn = True): + self.WARN = warn + self.autogen = "/* This file is automatically generated. Do not edit. */\n" + self.commons = [] + self.user_commons = [] + self.common = {} + self.classes = [] + self.vectors = [] + self.vector = {} + self.userspace = {} + self.sids = [] + self.inherits = {} + + def warning(self, msg): + ''' + Prints a warning message out to stderr if warnings are enabled. + ''' + if self.WARN: sys.stderr.write("Warning: %s\n" % msg) + + def parseClasses(self, path): + ''' + Parses security class definitions from the given path. 
+ ''' + classes = [] + input = open(path, 'r') + + number = 0 + for line in input: + number += 1 + m = self.COMMENT.search(line) + if m: continue + + m = self.WHITE.search(line) + if m: continue + + m = self.CLASS.search(line) + if m: + g = m.groupdict() + c = g['name'] + if c in classes: raise DuplicateError, (self.CLASS, path, number, c) + classes.append(c) + if self.USERFLAG.search(line): + self.userspace[c] = True + else: + self.userspace[c] = False + continue + + raise ParseError, ("data. Was expecting either a comment, whitespace, or class definition. ", path, number) + + self.classes = classes + return classes + + def parseSids(self, path): + ''' + Parses initial SID definitions from the given path. + ''' + + sids = [] + input = open(path, 'r') + for line in input: + m = self.COMMENT.search(line) + if m: continue + + m = self.WHITE.search(line) + if m: continue + + m = self.SID.search(line) + if m: + g = m.groupdict() + s = g['name'] + if s in sids: raise DuplicateError, (self.SID, path, number, s) + sids.append(s) + continue + + raise ParseError, ("data. Was expecting either a comment, whitespace, or security identifier. ", path, number) + + self.sids = sids + return sids + + def parseVectors(self, path): + ''' + Parses access vector definitions from the given path. 
+ ''' + vectors = [] + vector = {} + commons = [] + common = {} + inherits = {} + user_commons = {} + input = open(path, 'r') + + # states + NONE = 0 + COMMON = 1 + CLASS = 2 + INHERIT = 3 + OPEN = 4 + + state = NONE + state2 = NONE + number = 0 + for line in input: + number += 1 + m = self.COMMENT.search(line) + if m: continue + + m = self.WHITE.search(line) + if m: + if state == INHERIT: + state = NONE + continue + + m = self.COMMON.search(line) + if m: + if state != NONE: raise ParseError, (self.COMMON, path, number) + g = m.groupdict() + c = g['name'] + if c in commons: raise DuplicateError, (self.COMMON, path, number, c) + commons.append(c) + common[c] = [] + user_commons[c] = True + state = COMMON + continue + + m = self.CLASS.search(line) + if m: + if state != NONE: raise ParseError, (self.CLASS, number) + g = m.groupdict() + c = g['name'] + if c in vectors: raise DuplicateError, (self.CLASS, path, number, c) + if c not in self.classes: raise UndefinedError, (self.CLASS, path, number, c) + vectors.append(c) + vector[c] = [] + state = CLASS + continue + + m = self.INHERITS.search(line) + if m: + if state != CLASS: raise ParseError, (self.INHERITS, number) + g = m.groupdict() + i = g['name'] + if c in inherits: raise DuplicateError, (self.INHERITS, path, number, c) + if i not in common: raise UndefinedError, (self.COMMON, path, number, i) + inherits[c] = i + state = INHERIT + if not self.userspace[c]: user_commons[i] = False + continue + + m = self.OPENB.search(line) + if m: + if (state != CLASS \ + and state != INHERIT \ + and state != COMMON) \ + or state2 != NONE: + raise ParseError, (self.OPENB, path, number) + state2 = OPEN + continue + + m = self.VECTOR.search(line) + if m: + if state2 != OPEN: raise ParseError, (self.VECTOR, path, number) + g = m.groupdict() + v = g['name'] + if state == CLASS or state == INHERIT: + if v in vector[c]: raise DuplicateError, (self.VECTOR, path, number, v) + vector[c].append(v) + elif state == COMMON: + if v in common[c]: 
raise DuplicateError, (self.VECTOR, path, number, v) + common[c].append(v) + continue + + m = self.CLOSEB.search(line) + if m: + if state2 != OPEN: raise ParseError, (self.CLOSEB, path, number) + state = NONE + state2 = NONE + c = None + continue + + raise ParseError, ("data", path, number) + + if state != NONE and state2 != NONE: raise ParseError, (self.EOF, path, number) + + cvdiff = set(self.classes) - set(vectors) + if cvdiff: raise UnusedError, "Not all security classes were used in access vectors: %s" % cvdiff # the inverse of this will be caught as an undefined class error + + self.commons = commons + self.user_commons = user_commons + self.common = common + self.vectors = vectors + self.vector = vector + self.inherits = inherits + return vector + + def createHeaders(self, path, mode = USERSPACE): + ''' + Creates the C header files in the specified MODE and outputs + them to give PATH. + ''' + headers = { \ + 'av_inherit.h' : self.createAvInheritH(mode), \ + 'av_perm_to_string.h' : self.createAvPermToStringH(mode), \ + 'av_permissions.h' : self.createAvPermissionsH(mode), \ + 'class_to_string.h' : self.createClassToStringH(mode), \ + 'common_perm_to_string.h' : self.createCommonPermToStringH(mode), \ + 'flask.h' : self.createFlaskH(mode), \ + 'initial_sid_to_string.h' : self.createInitialSidToStringH(mode) \ + } + + for key, value in headers.items(): + of = open(os.path.join(path, key), 'w') + of.writelines(value) + of.close() + + def createUL(self, count): + fields = [1, 2, 4, 8] + return "0x%08xUL" % (fields[count % 4] << 4 * (count / 4)) + + def createAvInheritH(self, mode = USERSPACE): + ''' + ''' + results = [] + results.append(self.autogen) + for c in self.vectors: + if self.inherits.has_key(c): + i = self.inherits[c] + count = len(self.common[i]) + if not (mode == self.KERNEL and self.userspace[c]): + results.append(" S_(SECCLASS_%s, %s, %s)\n" % (c.upper(), i, self.createUL(count))) + return results + + def createAvPermToStringH(self, mode = 
USERSPACE): + ''' + ''' + results = [] + results.append(self.autogen) + for c in self.vectors: + for p in self.vector[c]: + if not (mode == self.KERNEL and self.userspace[c]): + results.append(" S_(SECCLASS_%s, %s__%s, \"%s\")\n" % (c.upper(), c.upper(), p.upper(), p)) + + return results + + def createAvPermissionsH(self, mode = USERSPACE): + ''' + ''' + results = [] + results.append(self.autogen) + + width = 57 + count = 0 + for common in self.commons: + count = 0 + shift = 0 + for p in self.common[common]: + if not (mode == self.KERNEL and self.user_commons[common]): + columnA = "#define COMMON_%s__%s " % (common.upper(), p.upper()) + columnA += "".join([" " for i in range(width - len(columnA))]) + results.append("%s%s\n" % (columnA, self.createUL(count))) + count += 1 + + width = 50 # broken for old tools whitespace + for c in self.vectors: + count = 0 + + ps = [] + if self.inherits.has_key(c): + ps += self.common[self.inherits[c]] + ps += self.vector[c] + for p in ps: + columnA = "#define %s__%s " % (c.upper(), p.upper()) + columnA += "".join([" " for i in range(width - len(columnA))]) + if not (mode == self.KERNEL and self.userspace[c]): + results.append("%s%s\n" % (columnA, self.createUL(count))) + count += 1 + + return results + + def createClassToStringH(self, mode = USERSPACE): + ''' + ''' + results = [] + results.append(self.autogen) + results.append("/*\n * Security object class definitions\n */\n") + + if mode == self.KERNEL: + results.append(" S_(NULL)\n") + else: + results.append(" S_(\"null\")\n") + + for c in self.classes: + if mode == self.KERNEL and self.userspace[c]: + results.append(" S_(NULL)\n") + else: + results.append(" S_(\"%s\")\n" % c) + return results + + def createCommonPermToStringH(self, mode = USERSPACE): + ''' + ''' + results = [] + results.append(self.autogen) + for common in self.commons: + if not (mode == self.KERNEL and self.user_commons[common]): + results.append("TB_(common_%s_perm_to_string)\n" % common) + for p in 
self.common[common]: + results.append(" S_(\"%s\")\n" % p) + results.append("TE_(common_%s_perm_to_string)\n\n" % common) + return results + + def createFlaskH(self, mode = USERSPACE): + ''' + ''' + results = [] + results.append(self.autogen) + results.append("#ifndef _SELINUX_FLASK_H_\n") + results.append("#define _SELINUX_FLASK_H_\n") + results.append("\n") + results.append("/*\n") + results.append(" * Security object class definitions\n") + results.append(" */\n") + + count = 0 + width = 57 + for c in self.classes: + count += 1 + columnA = "#define SECCLASS_%s " % c.upper() + columnA += "".join([" " for i in range(width - len(columnA))]) + if not (mode == self.KERNEL and self.userspace[c]): + results.append("%s%d\n" % (columnA, count)) + + results.append("\n") + results.append("/*\n") + results.append(" * Security identifier indices for initial entities\n") + results.append(" */\n") + + count = 0 + width = 56 # broken for old tools whitespace + for s in self.sids: + count += 1 + columnA = "#define SECINITSID_%s " % s.upper() + columnA += "".join([" " for i in range(width - len(columnA))]) + results.append("%s%d\n" % (columnA, count)) + + results.append("\n") + columnA = "#define SECINITSID_NUM " + columnA += "".join([" " for i in range(width - len(columnA))]) + results.append("%s%d\n" % (columnA, count)) + + results.append("\n") + results.append("#endif\n") + return results + + + + def createInitialSidToStringH(self, mode = USERSPACE): + ''' + ''' + results = [] + results.append(self.autogen) + results.append("static char *initial_sid_to_string[] =\n") + results.append("{\n") + results.append(" \"null\",\n") + for s in self.sids: + results.append(" \"%s\",\n" % s) + results.append("};\n") + results.append("\n") + + return results + +def usage(): + ''' + Returns the usage string. 
+ ''' + usage = 'Usage: %s -a ACCESS_VECTORS -i INITIAL_SIDS -s SECURITY_CLASSES -o OUTPUT_DIRECTORY -k|-u [-w]\n' % os.path.basename(sys.argv[0]) + usage += '\n' + usage += ' -a --access_vectors\taccess vector definitions\n' + usage += ' -i --initial_sids\tinitial sid definitions\n' + usage += ' -s --security_classes\tsecurity class definitions\n' + usage += ' -o --output\toutput directory for generated files\n' + usage += ' -k --kernel\toutput mode set to kernel (kernel headers contain empty blocks for all classes specified with # userspace in the security_classes file)\n' + usage += ' -u --user\toutput mode set to userspace\n' + usage += ' -w --nowarnings\tsupresses output of warning messages\n' + return usage + +########## MAIN ########## +if __name__ == '__main__': + + # Parse command line args + try: + opts, args = getopt.getopt(sys.argv[1:], 'a:i:s:o:kuwh', ['access_vectors=', 'initial_sids=', 'security_classes=', 'output=', 'kernel', 'user', 'nowarnings', 'help']) + except getopt.GetoptError: + print(usage()) + sys.exit(2) + + avec = None + isid = None + secc = None + outd = None + mode = None + warn = True + for o, a in opts: + if o in ('-h', '--help'): + print(usage()) + sys.exit(0) + elif o in ('-a', '--access_vectors'): + avec = a + elif o in ('-i', '--initial_sids'): + isid = a + elif o in ('-s', '--security_classes'): + secc = a + elif o in ('-o', '--output'): + outd = a + elif o in ('-k', '--kernel'): + if mode != None: + print(usage()) + sys.exit(2) + mode = Flask.KERNEL + elif o in ('-u', '--user'): + if mode != None: + print(usage()) + sys.exit(2) + mode = Flask.USERSPACE + elif o in ('-w', '--nowarnings'): + warn = False + else: + print(usage()) + sys.exit(2) + + if avec == None or \ + isid == None or \ + secc == None or \ + outd == None: + print(usage()) + sys.exit(2) + + try: + f = Flask(warn) + f.parseSids(isid) + f.parseClasses(secc) + f.parseVectors(avec) + f.createHeaders(outd, mode) + except Exception, e: + print(e) + sys.exit(2) 
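Review bot: `parseSids` never initialises or increments `number`, so the `DuplicateError` and `ParseError` raises inside its loop fail with a `NameError` instead of reporting the offending line of the initial_sids file; add `number = 0` before the loop and `number += 1` as its first statement, as `parseClasses` already does. Two raises in `parseVectors` also pass two arguments where `ParseError.__init__` takes three (`raise ParseError, (self.CLASS, number)` and `raise ParseError, (self.INHERITS, number)`), which turns a malformed access_vectors file into a `TypeError`; they should read `raise ParseError, (self.CLASS, path, number)` and `raise ParseError, (self.INHERITS, path, number)`. The three parse methods and `createHeaders` open files that are never closed on the error paths; `with open(path, 'r') as input:` would bound their lifetime. The module is Python 2 only (`raise X, (…)`, `except Exception, e`, `has_key`, and the integer `/` in `createUL` that float division would break at the `<<`), which the Makefile's `PYTHON ?= python` default does not pin — worth a comment next to the shebang.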
diff --git a/policy/flask/initial_sids b/policy/flask/initial_sids
new file mode 100644
index 000000000..95894eb48
--- /dev/null
+++ b/policy/flask/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
new file mode 100644
index 000000000..14a479911
--- /dev/null
+++ b/policy/flask/security_classes
@@ -0,0 +1,134 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+#
+# userspace object manager classes
+#
+
+# passwd/chfn/chsh
+class passwd # userspace
+
+# SE-X Windows stuff (more classes below)
+class x_drawable # userspace
+class x_screen # userspace
+class x_gc # userspace
+class x_font # userspace
+class x_colormap # userspace
+class x_property # userspace
+class x_selection # userspace
+class x_cursor # userspace
+class x_client # userspace
+class x_device # userspace
+class x_server # userspace
+class x_extension # userspace
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_firewall_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_ip6fw_socket
+class netlink_dnrt_socket
+
+class dbus # userspace
+class nscd # userspace
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class context # userspace
+
+class dccp_socket
+
+class memprotect
+
+class db_database # userspace
+class db_table # userspace
+class db_procedure # userspace
+class db_column # userspace
+class db_tuple # userspace
+class db_blob # userspace
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# More SE-X Windows stuff
+class x_resource # userspace
+class x_event # userspace
+class x_synthetic_event # userspace
+class x_application_data # userspace
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+# Still More SE-X Windows stuff
+class x_pointer # userspace
+class x_keyboard # userspace
+
+# More Database stuff
+class db_schema # userspace
+class db_view # userspace
+class db_sequence # userspace
+class db_language # userspace
+
+# FLASK |