C++程序  |  531行  |  13.13 KB

#include <ctype.h>
#include <fcntl.h>
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#include "neverallow.h"

static int debug;
static int warn;

void neverallow_usage() {
    fprintf(stderr, "\tneverallow [-w|--warn] [-d|--debug] [-n|--neverallows <neverallow-rules>] | [-f|--file <neverallow-file>]\n");
}

static int read_typeset(policydb_t *policydb, char **ptr, char *end,
                        type_set_t *typeset, uint32_t *flags)
{
    const char *keyword = "self";
    size_t keyword_size = strlen(keyword), len;
    char *p = *ptr;
    unsigned openparens = 0;
    char *start, *id;
    type_datum_t *type;
    struct ebitmap_node *n;
    unsigned int bit;
    bool negate = false;
    int rc;

    do {
        while (p < end && isspace(*p))
            p++;

        if (p == end)
            goto err;

        if (*p == '~') {
            if (debug)
                printf(" ~");
            typeset->flags = TYPE_COMP;
            p++;
            while (p < end && isspace(*p))
                p++;
            if (p == end)
                goto err;
        }

        if (*p == '{') {
            if (debug && !openparens)
                printf(" {");
            openparens++;
            p++;
            continue;
        }

        if (*p == '}') {
            if (debug && openparens == 1)
                printf(" }");
            if (openparens == 0)
                goto err;
            openparens--;
            p++;
            continue;
        }

        if (*p == '*') {
            if (debug)
                printf(" *");
            typeset->flags = TYPE_STAR;
            p++;
            continue;
        }

        if (*p == '-') {
            if (debug)
                printf(" -");
            negate = true;
            p++;
            continue;
        }

        if (*p == '#') {
            while (p < end && *p != '\n')
                p++;
            continue;
        }

        start = p;
        while (p < end && !isspace(*p) && *p != ':' && *p != ';' && *p != '{' && *p != '}' && *p != '#')
            p++;

        if (p == start)
            goto err;

        len = p - start;
        if (len == keyword_size && !strncmp(start, keyword, keyword_size)) {
            if (debug)
                printf(" self");
            *flags |= RULE_SELF;
            continue;
        }

        id = calloc(1, len + 1);
        if (!id)
            goto err;
        memcpy(id, start, len);
        if (debug)
            printf(" %s", id);
        type = hashtab_search(policydb->p_types.table, id);
        if (!type) {
            if (warn)
                fprintf(stderr, "Warning!  Type or attribute %s used in neverallow undefined in policy being checked.\n", id);
            negate = false;
            continue;
        }
        free(id);

        if (type->flavor == TYPE_ATTRIB) {
            if (negate)
                rc = ebitmap_union(&typeset->negset, &policydb->attr_type_map[type->s.value - 1]);
            else
                rc = ebitmap_union(&typeset->types, &policydb->attr_type_map[type->s.value - 1]);
        } else if (negate) {
            rc = ebitmap_set_bit(&typeset->negset, type->s.value - 1, 1);
        } else {
            rc = ebitmap_set_bit(&typeset->types, type->s.value - 1, 1);
        }

        negate = false;

        if (rc)
            goto err;

    } while (p < end && openparens);

    if (p == end)
        goto err;

    if (typeset->flags & TYPE_STAR) {
        for (bit = 0; bit < policydb->p_types.nprim; bit++) {
            if (ebitmap_get_bit(&typeset->negset, bit))
                continue;
            if (policydb->type_val_to_struct[bit] &&
                policydb->type_val_to_struct[bit]->flavor == TYPE_ATTRIB)
                continue;
            if (ebitmap_set_bit(&typeset->types, bit, 1))
                goto err;
        }
    }

    ebitmap_for_each_bit(&typeset->negset, n, bit) {
        if (!ebitmap_node_get_bit(n, bit))
            continue;
        if (ebitmap_set_bit(&typeset->types, bit, 0))
            goto err;
    }

    if (typeset->flags & TYPE_COMP) {
        for (bit = 0; bit < policydb->p_types.nprim; bit++) {
            if (policydb->type_val_to_struct[bit] &&
                policydb->type_val_to_struct[bit]->flavor == TYPE_ATTRIB)
                continue;
            if (ebitmap_get_bit(&typeset->types, bit))
                ebitmap_set_bit(&typeset->types, bit, 0);
            else {
                if (ebitmap_set_bit(&typeset->types, bit, 1))
                    goto err;
            }
        }
    }

    *ptr = p;
    return 0;
err:
    return -1;
}

static int read_classperms(policydb_t *policydb, char **ptr, char *end,
                           class_perm_node_t **perms)
{
    char *p = *ptr;
    unsigned openparens = 0;
    char *id, *start;
    class_datum_t *cls = NULL;
    perm_datum_t *perm = NULL;
    class_perm_node_t *classperms = NULL, *node = NULL;
    bool complement = false;

    while (p < end && isspace(*p))
        p++;

    if (p == end || *p != ':')
        goto err;
    p++;

    if (debug)
        printf(" :");

    do {
        while (p < end && isspace(*p))
            p++;

        if (p == end)
            goto err;

        if (*p == '{') {
            if (debug && !openparens)
                printf(" {");
            openparens++;
            p++;
            continue;
        }

        if (*p == '}') {
            if (debug && openparens == 1)
                printf(" }");
            if (openparens == 0)
                goto err;
            openparens--;
            p++;
            continue;
        }

        if (*p == '#') {
            while (p < end && *p != '\n')
                p++;
            continue;
        }

        start = p;
        while (p < end && !isspace(*p) && *p != '{' && *p != '}' && *p != ';' && *p != '#')
            p++;

        if (p == start)
            goto err;

        id = calloc(1, p - start + 1);
        if (!id)
            goto err;
        memcpy(id, start, p - start);
        if (debug)
            printf(" %s", id);
        cls = hashtab_search(policydb->p_classes.table, id);
        if (!cls) {
            if (warn)
                fprintf(stderr, "Warning!  Class %s used in neverallow undefined in policy being checked.\n", id);
            continue;
        }

        node = calloc(1, sizeof *node);
        if (!node)
            goto err;
        node->tclass = cls->s.value;
        node->next = classperms;
        classperms = node;
        free(id);
        id = NULL;
    } while (p < end && openparens);

    if (p == end)
        goto err;

    if (warn && !classperms)
        fprintf(stderr, "Warning!  Empty class set\n");

    do {
        while (p < end && isspace(*p))
            p++;

        if (p == end)
            goto err;

        if (*p == '~') {
            if (debug)
                printf(" ~");
            complement = true;
            p++;
            while (p < end && isspace(*p))
                p++;
            if (p == end)
                goto err;
        }

        if (*p == '{') {
            if (debug && !openparens)
                printf(" {");
            openparens++;
            p++;
            continue;
        }

        if (*p == '}') {
            if (debug && openparens == 1)
                printf(" }");
            if (openparens == 0)
                goto err;
            openparens--;
            p++;
            continue;
        }

        if (*p == '#') {
            while (p < end && *p != '\n')
                p++;
            continue;
        }

        start = p;
        while (p < end && !isspace(*p) && *p != '{' && *p != '}' && *p != ';' && *p != '#')
            p++;

        if (p == start)
            goto err;

        id = calloc(1, p - start + 1);
        if (!id)
            goto err;
        memcpy(id, start, p - start);
        if (debug)
            printf(" %s", id);

        if (!strcmp(id, "*")) {
            for (node = classperms; node; node = node->next)
                node->data = ~0;
            free(id);
            id = NULL;
            continue;
        }

        for (node = classperms; node; node = node->next) {
            cls = policydb->class_val_to_struct[node->tclass-1];
            perm = hashtab_search(cls->permissions.table, id);
            if (cls->comdatum && !perm)
                perm = hashtab_search(cls->comdatum->permissions.table, id);
            if (!perm) {
                if (warn)
                    fprintf(stderr, "Warning!  Permission %s used in neverallow undefined in class %s in policy being checked.\n", id, policydb->p_class_val_to_name[node->tclass-1]);
                continue;
            }
            node->data |= 1U << (perm->s.value - 1);
        }
        free(id);
        id = NULL;
    } while (p < end && openparens);

    if (p == end)
        goto err;

    if (complement) {
        for (node = classperms; node; node = node->next)
            node->data = ~node->data;
    }

    if (warn) {
        for (node = classperms; node; node = node->next)
            if (!node->data)
                fprintf(stderr, "Warning!  Empty permission set\n");
    }

    *perms = classperms;
    *ptr = p;
    return 0;
err:
    // free classperms memory
    for (node = classperms; node; ) {
      class_perm_node_t *freeptr = node;
      node = node->next;
      free(freeptr);
    }
    return -1;
}

static int check_neverallows(policydb_t *policydb, char *text, char *end)
{
    const char *keyword = "neverallow";
    size_t keyword_size = strlen(keyword), len;
    struct avrule *neverallows = NULL, *avrule;
    char *p, *start;
    int result;

    p = text;
    while (p < end) {
        while (p < end && isspace(*p))
            p++;

        if (*p == '#') {
            while (p < end && *p != '\n')
                p++;
            continue;
        }

        start = p;
        while (p < end && !isspace(*p))
            p++;

        len = p - start;
        if (len != keyword_size || strncmp(start, keyword, keyword_size))
            continue;

        if (debug)
            printf("neverallow");

        avrule = calloc(1, sizeof *avrule);
        if (!avrule)
            goto err;

        avrule->specified = AVRULE_NEVERALLOW;

        if (read_typeset(policydb, &p, end, &avrule->stypes, &avrule->flags))
            goto err;

        if (read_typeset(policydb, &p, end, &avrule->ttypes, &avrule->flags))
            goto err;

        if (read_classperms(policydb, &p, end, &avrule->perms))
            goto err;

        while (p < end && *p != ';')
            p++;

        if (p == end || *p != ';')
            goto err;

        if (debug)
            printf(";\n");

        avrule->next = neverallows;
        neverallows = avrule;
    }

    if (!neverallows)
        goto err;

    result = check_assertions(NULL, policydb, neverallows);
    avrule_list_destroy(neverallows);
    return result;
err:
    if (errno == ENOMEM) {
        fprintf(stderr, "Out of memory while parsing neverallow rules\n");
    } else
        fprintf(stderr, "Error while parsing neverallow rules\n");

    avrule_list_destroy(neverallows);
    if (avrule != neverallows)
        avrule_destroy(avrule);

    return -1;
}

static int check_neverallows_file(policydb_t *policydb, const char *filename)
{
    int fd;
    struct stat sb;
    char *text, *end;

    fd = open(filename, O_RDONLY);
    if (fd < 0) {
        fprintf(stderr, "Could not open %s:  %s\n", filename, strerror(errno));
        return -1;
    }
    if (fstat(fd, &sb) < 0) {
        fprintf(stderr, "Can't stat '%s':  %s\n", filename, strerror(errno));
        close(fd);
        return -1;
    }
    text = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    end = text + sb.st_size;
    if (text == MAP_FAILED) {
        fprintf(stderr, "Can't mmap '%s':  %s\n", filename, strerror(errno));
        close(fd);
        return -1;
    }
    close(fd);
    return check_neverallows(policydb, text, end);
}

static int check_neverallows_string(policydb_t *policydb, char *string, size_t len)
{
    char *text, *end;
    text = string;
    end = text + len;
    return check_neverallows(policydb, text, end);
}

int neverallow_func (int argc, char **argv, policydb_t *policydb) {
    char *rules = 0, *file = 0;
    char ch;

    struct option neverallow_options[] = {
        {"debug", no_argument, NULL, 'd'},
        {"file_input", required_argument, NULL, 'f'},
        {"neverallow", required_argument, NULL, 'n'},
        {"warn", no_argument, NULL, 'w'},
        {NULL, 0, NULL, 0}
    };

    while ((ch = getopt_long(argc, argv, "df:n:w", neverallow_options, NULL)) != -1) {
        switch (ch) {
        case 'd':
            debug = 1;
            break;
        case 'f':
            file = optarg;
            break;
        case 'n':
            rules = optarg;
            break;
        case 'w':
            warn = 1;
            break;
        default:
            USAGE_ERROR = true;
            return -1;
        }
    }

    if (!(rules || file) || (rules && file)){
        USAGE_ERROR = true;
        return -1;
    }
    if (file) {
        return check_neverallows_file(policydb, file);
    } else {
        return check_neverallows_string(policydb, rules, strlen(rules));
    }
}