1# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
2#
3# Copyright (C) 2006 Red Hat
4# see file 'COPYING' for use and warranty information
5#
6# This program is free software; you can redistribute it and/or
7# modify it under the terms of the GNU General Public License as
8# published by the Free Software Foundation; version 2 only
9#
10# This program is distributed in the hope that it will be useful,
11# but WITHOUT ANY WARRANTY; without even the implied warranty of
12# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13# GNU General Public License for more details.
14#
15# You should have received a copy of the GNU General Public License
16# along with this program; if not, write to the Free Software
17# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
18#
19
20"""
21classes and algorithms for the generation of SELinux policy.
22"""
23
24import itertools
25import textwrap
26
27import selinux.audit2why as audit2why
28try:
29    from setools import *
30except:
31    pass
32
33from . import refpolicy
34from . import objectmodel
35from . import access
36from . import interfaces
37from . import matching
38from . import util
39# Constants for the level of explanation from the generation
40# routines
41NO_EXPLANATION    = 0
42SHORT_EXPLANATION = 1
43LONG_EXPLANATION  = 2
44
45class PolicyGenerator:
46    """Generate a reference policy module from access vectors.
47
48    PolicyGenerator generates a new reference policy module
49    or updates an existing module based on requested access
50    in the form of access vectors.
51
52    It generates allow rules and optionally module require
53    statements, reference policy interfaces, and extended
54    permission access vector rules. By default only allow rules
55    are generated. The methods .set_gen_refpol, .set_gen_requires
56    and .set_gen_xperms turns on interface generation,
57    requires generation, and xperms rules genration respectively.
58
59    PolicyGenerator can also optionally add comments explaining
60    why a particular access was allowed based on the audit
61    messages that generated the access. The access vectors
62    passed in must have the .audit_msgs field set correctly
63    and .explain set to SHORT|LONG_EXPLANATION to enable this
64    feature.
65
66    The module created by PolicyGenerator can be passed to
67    output.ModuleWriter to output a text representation.
68    """
69    def __init__(self, module=None):
70        """Initialize a PolicyGenerator with an optional
71        existing module.
72
73        If the module paramater is not None then access
74        will be added to the passed in module. Otherwise
75        a new reference policy module will be created.
76        """
77        self.ifgen = None
78        self.explain = NO_EXPLANATION
79        self.gen_requires = False
80        if module:
81            self.module = module
82        else:
83            self.module = refpolicy.Module()
84
85        self.dontaudit = False
86        self.xperms = False
87
88        self.domains = None
89    def set_gen_refpol(self, if_set=None, perm_maps=None):
90        """Set whether reference policy interfaces are generated.
91
92        To turn on interface generation pass in an interface set
93        to use for interface generation. To turn off interface
94        generation pass in None.
95
96        If interface generation is enabled requires generation
97        will also be enabled.
98        """
99        if if_set:
100            self.ifgen = InterfaceGenerator(if_set, perm_maps)
101            self.gen_requires = True
102        else:
103            self.ifgen = None
104        self.__set_module_style()
105
106
107    def set_gen_requires(self, status=True):
108        """Set whether module requires are generated.
109
110        Passing in true will turn on requires generation and
111        False will disable generation. If requires generation is
112        disabled interface generation will also be disabled and
113        can only be re-enabled via .set_gen_refpol.
114        """
115        self.gen_requires = status
116
117    def set_gen_explain(self, explain=SHORT_EXPLANATION):
118        """Set whether access is explained.
119        """
120        self.explain = explain
121
122    def set_gen_dontaudit(self, dontaudit):
123        self.dontaudit = dontaudit
124
125    def set_gen_xperms(self, xperms):
126        """Set whether extended permission access vector rules
127        are generated.
128        """
129        self.xperms = xperms
130
131    def __set_module_style(self):
132        if self.ifgen:
133            refpolicy = True
134        else:
135            refpolicy = False
136        for mod in self.module.module_declarations():
137            mod.refpolicy = refpolicy
138
139    def set_module_name(self, name, version="1.0"):
140        """Set the name of the module and optionally the version.
141        """
142        # find an existing module declaration
143        m = None
144        for mod in self.module.module_declarations():
145            m = mod
146        if not m:
147            m = refpolicy.ModuleDeclaration()
148            self.module.children.insert(0, m)
149        m.name = name
150        m.version = version
151        if self.ifgen:
152            m.refpolicy = True
153        else:
154            m.refpolicy = False
155
156    def get_module(self):
157        # Generate the requires
158        if self.gen_requires:
159            gen_requires(self.module)
160
161        """Return the generated module"""
162        return self.module
163
164    def __add_av_rule(self, av):
165        """Add access vector rule.
166        """
167        rule = refpolicy.AVRule(av)
168
169        if self.dontaudit:
170            rule.rule_type = rule.DONTAUDIT
171        rule.comment = ""
172        if self.explain:
173            rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
174
175        if av.type == audit2why.ALLOW:
176            rule.comment += "\n#!!!! This avc is allowed in the current policy"
177
178            if av.xperms:
179                rule.comment += "\n#!!!! This av rule may have been overridden by an extended permission av rule"
180
181        if av.type == audit2why.DONTAUDIT:
182            rule.comment += "\n#!!!! This avc has a dontaudit rule in the current policy"
183
184        if av.type == audit2why.BOOLEAN:
185            if len(av.data) > 1:
186                rule.comment += "\n#!!!! This avc can be allowed using one of the these booleans:\n#     %s" % ", ".join([x[0] for x in av.data])
187            else:
188                rule.comment += "\n#!!!! This avc can be allowed using the boolean '%s'" % av.data[0][0]
189
190        if av.type == audit2why.CONSTRAINT:
191            rule.comment += "\n#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access."
192            rule.comment += "\n#Constraint rule: "
193            rule.comment += "\n#\t" + av.data[0]
194            for reason in av.data[1:]:
195                rule.comment += "\n#\tPossible cause is the source %s and target %s are different." % reason
196
197        try:
198            if ( av.type == audit2why.TERULE and
199                 "write" in av.perms and
200                 ( "dir" in av.obj_class or "open" in av.perms )):
201                if not self.domains:
202                    self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
203                types=[]
204
205                for i in [x[TCONTEXT] for x in sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})]:
206                    if i not in self.domains:
207                        types.append(i)
208                if len(types) == 1:
209                    rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
210                elif len(types) >= 1:
211                    rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
212        except:
213            pass
214
215        self.module.children.append(rule)
216
217    def __add_ext_av_rules(self, av):
218        """Add extended permission access vector rules.
219        """
220        for op in av.xperms.keys():
221            extrule = refpolicy.AVExtRule(av, op)
222
223            if self.dontaudit:
224                extrule.rule_type = extrule.DONTAUDITXPERM
225
226            self.module.children.append(extrule)
227
228    def add_access(self, av_set):
229        """Add the access from the access vector set to this
230        module.
231        """
232        # Use the interface generator to split the access
233        # into raw allow rules and interfaces. After this
234        # a will contain a list of access that should be
235        # used as raw allow rules and the interfaces will
236        # be added to the module.
237        if self.ifgen:
238            raw_allow, ifcalls = self.ifgen.gen(av_set, self.explain)
239            self.module.children.extend(ifcalls)
240        else:
241            raw_allow = av_set
242
243        # Generate the raw allow rules from the filtered list
244        for av in raw_allow:
245            self.__add_av_rule(av)
246            if self.xperms and av.xperms:
247                self.__add_ext_av_rules(av)
248
249    def add_role_types(self, role_type_set):
250        for role_type in role_type_set:
251            self.module.children.append(role_type)
252
253def explain_access(av, ml=None, verbosity=SHORT_EXPLANATION):
254    """Explain why a policy statement was generated.
255
256    Return a string containing a text explanation of
257    why a policy statement was generated. The string is
258    commented and wrapped and can be directly inserted
259    into a policy.
260
261    Params:
262      av - access vector representing the access. Should
263       have .audit_msgs set appropriately.
264      verbosity - the amount of explanation provided. Should
265       be set to NO_EXPLANATION, SHORT_EXPLANATION, or
266       LONG_EXPLANATION.
267    Returns:
268      list of strings - strings explaining the access or an empty
269       string if verbosity=NO_EXPLANATION or there is not sufficient
270       information to provide an explanation.
271    """
272    s = []
273
274    def explain_interfaces():
275        if not ml:
276            return
277        s.append(" Interface options:")
278        for match in ml.all():
279            ifcall = call_interface(match.interface, ml.av)
280            s.append('   %s # [%d]' % (ifcall.to_string(), match.dist))
281
282
283    # Format the raw audit data to explain why the
284    # access was requested - either long or short.
285    if verbosity == LONG_EXPLANATION:
286        for msg in av.audit_msgs:
287            s.append(' %s' % msg.header)
288            s.append('  scontext="%s" tcontext="%s"' %
289                     (str(msg.scontext), str(msg.tcontext)))
290            s.append('  class="%s" perms="%s"' %
291                     (msg.tclass, refpolicy.list_to_space_str(msg.accesses)))
292            s.append('  comm="%s" exe="%s" path="%s"' % (msg.comm, msg.exe, msg.path))
293            s.extend(textwrap.wrap('message="' + msg.message + '"', 80, initial_indent="  ",
294                                   subsequent_indent="   "))
295        explain_interfaces()
296    elif verbosity:
297        s.append(' src="%s" tgt="%s" class="%s", perms="%s"' %
298                 (av.src_type, av.tgt_type, av.obj_class, av.perms.to_space_str()))
299        # For the short display we are only going to use the additional information
300        # from the first audit message. For the vast majority of cases this info
301        # will always be the same anyway.
302        if len(av.audit_msgs) > 0:
303            msg = av.audit_msgs[0]
304            s.append(' comm="%s" exe="%s" path="%s"' % (msg.comm, msg.exe, msg.path))
305        explain_interfaces()
306    return s
307
308def call_interface(interface, av):
309    params = []
310    args = []
311
312    params.extend(interface.params.values())
313    params.sort(key=lambda param: param.num, reverse=True)
314
315    ifcall = refpolicy.InterfaceCall()
316    ifcall.ifname = interface.name
317
318    for i in range(len(params)):
319        if params[i].type == refpolicy.SRC_TYPE:
320            ifcall.args.append(av.src_type)
321        elif params[i].type == refpolicy.TGT_TYPE:
322            ifcall.args.append(av.tgt_type)
323        elif params[i].type == refpolicy.OBJ_CLASS:
324            ifcall.args.append(av.obj_class)
325        else:
326            print(params[i].type)
327            assert(0)
328
329    assert(len(ifcall.args) > 0)
330
331    return ifcall
332
333class InterfaceGenerator:
334    def __init__(self, ifs, perm_maps=None):
335        self.ifs = ifs
336        self.hack_check_ifs(ifs)
337        self.matcher = matching.AccessMatcher(perm_maps)
338        self.calls = []
339
340    def hack_check_ifs(self, ifs):
341        # FIXME: Disable interfaces we can't call - this is a hack.
342        # Because we don't handle roles, multiple paramaters, etc.,
343        # etc., we must make certain we can actually use a returned
344        # interface.
345        for x in ifs.interfaces.values():
346            params = []
347            params.extend(x.params.values())
348            params.sort(key=lambda param: param.num, reverse=True)
349            for i in range(len(params)):
350                # Check that the paramater position matches
351                # the number (e.g., $1 is the first arg). This
352                # will fail if the parser missed something.
353                if (i + 1) != params[i].num:
354                    x.enabled = False
355                    break
356                # Check that we can handle the param type (currently excludes
357                # roles.
358                if params[i].type not in [refpolicy.SRC_TYPE, refpolicy.TGT_TYPE,
359                                          refpolicy.OBJ_CLASS]:
360                    x.enabled = False
361                    break
362
363    def gen(self, avs, verbosity):
364        raw_av = self.match(avs)
365        ifcalls = []
366        for ml in self.calls:
367            ifcall = call_interface(ml.best().interface, ml.av)
368            if verbosity:
369                ifcall.comment = refpolicy.Comment(explain_access(ml.av, ml, verbosity))
370            ifcalls.append((ifcall, ml))
371
372        d = []
373        for ifcall, ifs in ifcalls:
374            found = False
375            for o_ifcall in d:
376                if o_ifcall.matches(ifcall):
377                    if o_ifcall.comment and ifcall.comment:
378                        o_ifcall.comment.merge(ifcall.comment)
379                    found = True
380            if not found:
381                d.append(ifcall)
382
383        return (raw_av, d)
384
385
386    def match(self, avs):
387        raw_av = []
388        for av in avs:
389            ans = matching.MatchList()
390            self.matcher.search_ifs(self.ifs, av, ans)
391            if len(ans):
392                self.calls.append(ans)
393            else:
394                raw_av.append(av)
395
396        return raw_av
397
398
399def gen_requires(module):
400    """Add require statements to the module.
401    """
402    def collect_requires(node):
403        r = refpolicy.Require()
404        for avrule in node.avrules():
405            r.types.update(avrule.src_types)
406            r.types.update(avrule.tgt_types)
407            for obj in avrule.obj_classes:
408                r.add_obj_class(obj, avrule.perms)
409
410        for ifcall in node.interface_calls():
411            for arg in ifcall.args:
412                # FIXME - handle non-type arguments when we
413                # can actually figure those out.
414                r.types.add(arg)
415
416        for role_type in node.role_types():
417            r.roles.add(role_type.role)
418            r.types.update(role_type.types)
419
420        r.types.discard("self")
421
422        node.children.insert(0, r)
423
424    # FUTURE - this is untested on modules with any sort of
425    # nesting
426    for node in module.nodes():
427        collect_requires(node)
428
429
430