Diffstat (limited to 'sechecker/modules/imp_range_trans.c')
-rw-r--r-- | sechecker/modules/imp_range_trans.c | 513 |
1 files changed, 513 insertions, 0 deletions
diff --git a/sechecker/modules/imp_range_trans.c b/sechecker/modules/imp_range_trans.c
new file mode 100644
index 0000000..8fbf361
--- /dev/null
+++ b/sechecker/modules/imp_range_trans.c
@@ -0,0 +1,513 @@
+/**
+ * @file
+ * Implementation of the impossible range_transition module.
+ *
+ * @author Kevin Carr kcarr@tresys.com
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang jtang@tresys.com
+ * @author: David Windsor dwindsor@tresys.com
+ *
+ * Copyright (C) 2005-2007 Tresys Technology, LLC
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "imp_range_trans.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+
+#define SECHK_NO_ROLES 0x000002
+#define SECHK_BAD_USER_MLS_LOW 0x000040
+#define SECHK_BAD_USER_MLS_HIGH 0x000600
+#define SECHK_NO_USERS 0x008000
+#define SECHK_NO_EXEC_PERMS 0x020000
+
+static const char *const mod_name = "imp_range_trans";
+
+int imp_range_trans_register(sechk_lib_t * lib)
+{
+ sechk_module_t *mod = NULL;
+ sechk_fn_t *fn_struct = NULL;
+
+ if (!lib) {
+ ERR(NULL, "%s", "No library");
+ errno = EINVAL;
+ return -1;
+ }
+
+ mod = sechk_lib_get_module(mod_name, lib);
+ if (!mod) {
+ ERR(NULL, "%s", "Module unknown");
+ errno = EINVAL;
+ return -1;
+ }
+ mod->parent_lib = lib;
+
+ /* assign the descriptions */
+ mod->brief_description = "finds impossible range transitions";
+ mod->detailed_description =
+ "--------------------------------------------------------------------------------\n"
+ "This module finds impossible range transitions in a policy.\n"
+ "A range transition is possible if and only if all of the following conditions\n"
+ "are satisfied:\n"
+ " 1) there exist TE rules allowing the range transition to occur\n"
+ " 2) there exist RBAC rules allowing the range transition to occur\n"
+ " 3) at least one user must be able to transition to the target MLS range\n";
+ mod->opt_description =
+ " Module requirements:\n" " MLS policy\n" " Module dependencies:\n" " none\n" " Module options:\n"
+ " none\n";
+ mod->severity = SECHK_SEV_MED;
+
+ /* assign requirements */
+ if (apol_vector_append(mod->requirements, sechk_name_value_new(SECHK_REQ_POLICY_CAP, SECHK_REQ_CAP_MLS)) < 0) {
+ ERR(NULL, "%s", strerror(ENOMEM));
+ errno = ENOMEM;
+ return -1;
+ }
+ /* register functions */
+ fn_struct = sechk_fn_new();
+ if (!fn_struct) {
+ ERR(NULL, "%s", strerror(ENOMEM));
+ errno = ENOMEM;
+ return -1;
+ }
+ fn_struct->name = strdup(SECHK_MOD_FN_INIT);
+ if (!fn_struct->name) {
+ ERR(NULL, "%s", strerror(ENOMEM));
+ errno = ENOMEM;
+ return -1;
+ }
+ fn_struct->fn = imp_range_trans_init;
+ if (apol_vector_append(mod->functions, (void *)fn_struct) < 0) {
+ ERR(NULL, "%s", strerror(ENOMEM));
+ errno = ENOMEM;
+ return -1;
+ }
+
+ fn_struct = sechk_fn_new();
+ if (!fn_struct) {
+ ERR(NULL, "%s", strerror(ENOMEM));
+ errno = ENOMEM;
+ return -1;
+ }
+ fn_struct->name = strdup(SECHK_MOD_FN_RUN);
+ if (!fn_struct->name) {
+ ERR(NULL, "%s", strerror(ENOMEM));
+ errno = ENOMEM;
+ return -1;
+ }
+ fn_struct->fn = imp_range_trans_run;
+ if (apol_vector_append(mod->functions, (void *)fn_struct) < 0) {
+ ERR(NULL, "%s", strerror(ENOMEM));
+ errno = ENOMEM;
+ return -1;
+ }
+
+ mod->data_free = NULL;
+
+ fn_struct = sechk_fn_new();
+ if (!fn_struct) {
+ ERR(NULL, "%s", strerror(ENOMEM));
+ errno = ENOMEM;
+ return -1;
+ }
+ fn_struct->name = strdup(SECHK_MOD_FN_PRINT);
+ if (!fn_struct->name) {
+ ERR(NULL, "%s", strerror(ENOMEM));
+ errno = ENOMEM;
+ return -1;
+ }
+ fn_struct->fn = imp_range_trans_print;
+ if (apol_vector_append(mod->functions, (void *)fn_struct) < 0) {
+ ERR(NULL, "%s", strerror(ENOMEM));
+ errno = ENOMEM;
+ return -1;
+ }
+
+ return 0;
+}
+
+/* The init function creates the module's private data storage object
+ * and initializes its values based on the options parsed in the config
+ * file. */
+int imp_range_trans_init(sechk_module_t * mod, apol_policy_t * policy, void *arg __attribute__ ((unused)))
+{
+ if (!mod || !policy) {
+ ERR(policy, "%s", "Invalid parameters");
+ errno = EINVAL;
+ return -1;
+ }
+ if (strcmp(mod_name, mod->name)) {
+ ERR(policy, "Wrong module (%s)", mod->name);
+ errno = EINVAL;
+ return -1;
+ }
+
+ mod->data = NULL;
+
+ return 0;
+}
+
+/* The run function performs the check. This function runs only once
+ * even if called multiple times. All test logic should be placed below
+ * as instructed. This function allocates the result structure and fills
+ * in all relavant item and proof data.
+ * Return Values:
+ * -1 System error
+ * 0 The module "succeeded" - no negative results found
+ * 1 The module "failed" - some negative results found */
+int imp_range_trans_run(sechk_module_t * mod, apol_policy_t * policy, void *arg __attribute__ ((unused)))
+{
+ sechk_result_t *res = NULL;
+ sechk_item_t *item = NULL;
+ sechk_proof_t *proof = NULL;
+ size_t i, j;
+ apol_vector_t *range_trans_vector = NULL, *role_vector = NULL, *tmp_v = NULL;
+ apol_vector_t *user_vector = NULL, *users_w_roles = NULL, *users_w_range = NULL;
+ apol_vector_t *rule_vector = NULL;
+ const qpol_range_trans_t *rule;
+ const qpol_type_t *source = NULL;
+ const qpol_type_t *target = NULL;
+ const qpol_role_t *role = NULL;
+ const char *source_name = NULL, *target_name = NULL, *role_name = NULL;
+ apol_role_query_t *role_query = NULL;
+ apol_user_query_t *user_query = NULL;
+ apol_avrule_query_t *avrule_query = NULL;
+ apol_mls_range_t *range;
+ const qpol_mls_range_t *qpol_range;
+ qpol_policy_t *q = apol_policy_get_qpol(policy);
+ int error = 0;
+
+ if (!mod || !policy) {
+ ERR(policy, "%s", strerror(EINVAL));
+ errno = EINVAL;
+ return -1;
+ }
+ if (strcmp(mod_name, mod->name)) {
+ ERR(policy, "Wrong module (%s)", mod->name);
+ errno = EINVAL;
+ return -1;
+ }
+
+ /* if already run return */
+ if (mod->result)
+ return 0;
+
+ res = sechk_result_new();
+ if (!res) {
+ error = errno;
+ ERR(policy, "%s", strerror(error));
+ errno = error;
+ return -1;
+ }
+ res->test_name = strdup(mod_name);
+ if (!res->test_name) {
+ error = errno;
+ ERR(policy, "%s", strerror(error));
+ goto imp_range_trans_run_fail;
+ }
+ res->item_type = SECHK_ITEM_RANGETRANS;
+ if (!(res->items = apol_vector_create(sechk_item_free))) {
+ error = errno;
+ ERR(policy, "%s", strerror(error));
+ goto imp_range_trans_run_fail;
+ }
+
+ if (apol_range_trans_get_by_query(policy, NULL, &range_trans_vector) < 0) {
+ error = errno;
+ ERR(policy, "%s", "Unable to retrieve range transitions");
+ goto imp_range_trans_run_fail;
+ }
+
+ for (i = 0; i < apol_vector_get_size(range_trans_vector); i++) {
+ /* collect information about the rule */
+ rule = apol_vector_get_element(range_trans_vector, i);
+ qpol_range_trans_get_source_type(q, rule, &source);
+ qpol_range_trans_get_target_type(q, rule, &target);
+ qpol_type_get_name(q, source, &source_name);
+ qpol_type_get_name(q, target, &target_name);
+ qpol_range_trans_get_range(q, rule, &qpol_range);
+ range = apol_mls_range_create_from_qpol_mls_range(policy, qpol_range);
+
+ /* find roles possible for source */
+ role_query = apol_role_query_create();
+ apol_role_query_set_type(policy, role_query, source_name);
+ apol_role_get_by_query(policy, role_query, &role_vector);
+ apol_role_query_destroy(&role_query);
+
+ /* find users with the possible roles */
+ if ((users_w_roles = apol_vector_create(NULL)) == NULL) {
+ error = errno;
+ goto imp_range_trans_run_fail;
+ }
+ user_query = apol_user_query_create();
+ for (j = 0; j < apol_vector_get_size(role_vector); j++) {
+ role = apol_vector_get_element(role_vector, j);
+ qpol_role_get_name(q, role, &role_name);
+ apol_user_query_set_role(policy, user_query, role_name);
+ apol_user_get_by_query(policy, user_query, &tmp_v);
+ apol_vector_cat(users_w_roles, tmp_v);
+ apol_vector_destroy(&tmp_v);
+ }
+ apol_vector_sort_uniquify(users_w_roles, NULL, NULL);
+ apol_user_query_destroy(&user_query);
+
+ /* find users with the transition range */
+ user_query = apol_user_query_create();
+ apol_user_query_set_range(policy, user_query, range, APOL_QUERY_SUB);
+ apol_user_get_by_query(policy, user_query, &users_w_range);
+ apol_user_query_destroy(&user_query);
+
+ /* find intersection of user sets */
+ user_vector = apol_vector_create_from_intersection(users_w_roles, users_w_range, NULL, NULL);
+
+ /* find avrules for allow <source> <target> : file execute; */
+ avrule_query = apol_avrule_query_create();
+ apol_avrule_query_set_rules(policy, avrule_query, QPOL_RULE_ALLOW);
+ apol_avrule_query_set_source(policy, avrule_query, source_name, 1);
+ apol_avrule_query_set_target(policy, avrule_query, target_name, 1);
+ apol_avrule_query_append_class(policy, avrule_query, "file");
+ apol_avrule_query_append_perm(policy, avrule_query, "execute");
+ apol_avrule_get_by_query(policy, avrule_query, &rule_vector);
+ apol_avrule_query_destroy(&avrule_query);
+
+ /* check avrules */
+ if (!apol_vector_get_size(rule_vector)) {
+ proof = sechk_proof_new(NULL);
+ if (!proof) {
+ ERR(policy, "%s", strerror(ENOMEM));
+ error = ENOMEM;
+ goto imp_range_trans_run_fail;
+ }
+ proof->type = SECHK_ITEM_NONE;
+ asprintf(&proof->text, "Missing: allow %s %s : file execute;", source_name, target_name);
+ if (!proof->text) {
+ error = errno;
+ ERR(policy, "%s", strerror(error));
+ goto imp_range_trans_run_fail;
+ }
+ item = sechk_item_new(NULL);
+ if (!item) {
+ ERR(policy, "%s", strerror(ENOMEM));
+ error = ENOMEM;
+ goto imp_range_trans_run_fail;
+ }
+ item->item = (void *)rule;
+ item->test_result = 1;
+ if (!item->proof) {
+ if (!(item->proof = apol_vector_create(sechk_proof_free))) {
+ error = errno;
+ ERR(policy, "%s", strerror(error));
+ goto imp_range_trans_run_fail;
+ }
+ }
+ if (apol_vector_append(item->proof, (void *)proof) < 0) {
+ error = errno;
+ ERR(policy, "%s", strerror(error));
+ goto imp_range_trans_run_fail;
+ }
+ proof = NULL;
+ }
+ apol_vector_destroy(&rule_vector);
+
+ /* check RBAC */
+ if (!apol_vector_get_size(role_vector)) {
+ proof = sechk_proof_new(NULL);
+ if (!proof) {
+ ERR(policy, "%s", strerror(ENOMEM));
+ error = ENOMEM;
+ goto imp_range_trans_run_fail;
+ }
+ proof->type = SECHK_ITEM_NONE;
+ asprintf(&proof->text, "No role associated with type %s", source_name);
+ if (!proof->text) {
+ error = errno;
+ ERR(policy, "%s", strerror(error));
+ goto imp_range_trans_run_fail;
+ }
+ if (!item) {
+ item = sechk_item_new(NULL);
+ if (!item) {
+ ERR(policy, "%s", strerror(ENOMEM));
+ error = ENOMEM;
+ goto imp_range_trans_run_fail;
+ }
+ item->item = (void *)rule;
+ item->test_result = 1;
+ }
+ if (!item->proof) {
+ if (!(item->proof = apol_vector_create(sechk_proof_free))) {
+ error = errno;
+ ERR(policy, "%s", strerror(error));
+ goto imp_range_trans_run_fail;
+ }
+ }
+ if (apol_vector_append(item->proof, (void *)proof) < 0) {
+ error = errno;
+ ERR(policy, "%s", strerror(error));
+ goto imp_range_trans_run_fail;
+ }
+ proof = NULL;
+ }
+
+ /* check users */
+ if (!apol_vector_get_size(user_vector)) {
+ proof = sechk_proof_new(NULL);
+ if (!proof) {
+ ERR(policy, "%s", strerror(ENOMEM));
+ error = ENOMEM;
+ goto imp_range_trans_run_fail;
+ }
+ proof->type = SECHK_ITEM_NONE;
+ if (!apol_vector_get_size(role_vector)) {
+ proof->text = strdup("No role also means no user");
+ } else if (!apol_vector_get_size(users_w_roles)) {
+ asprintf(&proof->text, "No users associated with roles for %s", source_name);
+ } else if (!apol_vector_get_size(users_w_range)) {
+ proof->text = strdup("No user has access to specified MLS range");
+ } else {
+ proof->text = strdup("No user meets MLS and RBAC requirements.");
+ }
+ if (!proof->text) {
+ error = errno;
+ ERR(policy, "%s", strerror(error));
+ goto imp_range_trans_run_fail;
+ }
+ if (!item) {
+ item = sechk_item_new(NULL);
+ if (!item) {
+ ERR(policy, "%s", strerror(ENOMEM));
+ error = ENOMEM;
+ goto imp_range_trans_run_fail;
+ }
+ item->item = (void *)rule;
+ item->test_result = 1;
+ }
+ if (!item->proof) {
+ if (!(item->proof = apol_vector_create(sechk_proof_free))) {
+ error = errno;
+ ERR(policy, "%s", strerror(error));
+ goto imp_range_trans_run_fail;
+ }
+ }
+ if (apol_vector_append(item->proof, (void *)proof) < 0) {
+ error = errno;
+ ERR(policy, "%s", strerror(error));
+ goto imp_range_trans_run_fail;
+ }
+ }
+ apol_vector_destroy(&role_vector);
+ apol_vector_destroy(&user_vector);
+ apol_vector_destroy(&users_w_roles);
+ apol_vector_destroy(&users_w_range);
+
+ if (item) {
+ if (apol_vector_append(res->items, (void *)item) < 0) {
+ error = errno;
+ ERR(policy, "%s", strerror(ENOMEM));
+ goto imp_range_trans_run_fail;
+ }
+ }
+ item = NULL;
+ }
+ apol_vector_destroy(&range_trans_vector);
+ mod->result = res;
+
+ if (apol_vector_get_size(res->items))
+ return 1;
+ return 0;
+
+ imp_range_trans_run_fail:
+ apol_vector_destroy(&range_trans_vector);
+ apol_vector_destroy(&role_vector);
+ apol_vector_destroy(&rule_vector);
+ apol_vector_destroy(&user_vector);
+ apol_vector_destroy(&users_w_roles);
+ apol_vector_destroy(&users_w_range);
+ sechk_proof_free(proof);
+ sechk_item_free(item);
+ sechk_result_destroy(&res);
+ errno = error;
+ return -1;
+}
+
+/* The print output function generates the text and prints the
+ * results to stdout. */
+int imp_range_trans_print(sechk_module_t * mod, apol_policy_t * policy, void *arg __attribute__ ((unused)))
+{
+ unsigned char outformat = 0x00;
+ sechk_item_t *item = NULL;
+ sechk_proof_t *proof = NULL;
+ qpol_range_trans_t *rt;
+ char *tmp;
+ size_t i = 0, k = 0, j = 0, num_items;
+
+ if (!mod || !policy) {
+ ERR(policy, "%s", "Invalid parameters");
+ errno = EINVAL;
+ return -1;
+ }
+ if (strcmp(mod_name, mod->name)) {
+ ERR(policy, "Wrong module (%s)", mod->name);
+ errno = EINVAL;
+ return -1;
+ }
+
+ outformat = mod->outputformat;
+ num_items = apol_vector_get_size(mod->result->items);
+
+ if (!mod->result) {
+ ERR(policy, "%s", "Module has not been run");
+ errno = EINVAL;
+ return -1;
+ }
+
+ if (!outformat || (outformat & SECHK_OUT_QUIET))
+ return 0; /* not an error - no output is requested */
+
+ if (outformat & SECHK_OUT_STATS) {
+ printf("Found %i impossible range transitions.\n", num_items);
+ }
+
+ if (outformat & SECHK_OUT_LIST) {
+ printf("\n");
+ for (i = 0; i < num_items; i++) {
+ item = apol_vector_get_element(mod->result->items, i);
+ rt = item->item;
+ printf("%s\n", (tmp = apol_range_trans_render(policy, rt)));
+ free(tmp);
+ }
+ printf("\n");
+ }
+
+ if (outformat & SECHK_OUT_PROOF) {
+ printf("\n");
+ for (k = 0; k < num_items; k++) {
+ item = apol_vector_get_element(mod->result->items, k);
+ rt = item->item;
+ printf("%s\n", (tmp = apol_range_trans_render(policy, rt)));
+ free(tmp);
+ for (j = 0; j < apol_vector_get_size(item->proof); j++) {
+ proof = apol_vector_get_element(item->proof, j);
+ printf("\t%s\n", proof->text);
+ }
+ }
+ printf("\n");
+ }
+
+ return 0;
+} |
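Review bot: The "check users" branch in imp_range_trans_run appends `proof` to `item->proof` but, unlike the two branches above it, never resets `proof = NULL;` afterwards, so if a later step fails (the `apol_vector_append(res->items, ...)` just below, or the `apol_vector_create` at the top of the next iteration) the `imp_range_trans_run_fail` path calls `sechk_proof_free(proof)` on a proof that is already owned by an item and is freed again with it — a double free; add `proof = NULL;` after that append. In the same loop `range` from `apol_mls_range_create_from_qpol_mls_range` is never destroyed, so it leaks once per range_transition rule (presumably `apol_mls_range_destroy(&range);` once the range query is done), and none of the `apol_*_get_by_query` results are checked before their vectors are sized. In imp_range_trans_print, `num_items = apol_vector_get_size(mod->result->items);` is evaluated before the `if (!mod->result)` guard, so the "Module has not been run" check can never fire without first dereferencing NULL; move the assignment below the guard. The stats line passes a `size_t` to `%i`, which is undefined behaviour on LP64 — use `printf("Found %zu impossible range transitions.\n", num_items);`.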