

audit2allow: CIL output mode
New flag -C for audit2allow sets output format to CIL instead of
Policy Language.

Example:
;============= mozilla_t ==============

;!!!! This avc is allowed in the current policy
(allow mozilla_t user_sudo_t (fd (use)))

;============= user_t ==============

;!!!! This avc can be allowed using the boolean 'allow_execmem'
(allow user_t self (process (execmem)))
(allow user_t chromium_t (process (noatsecure rlimitinh siginh)))

;!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
;Constraint rule:
;       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u1 == unconfined_u -Fail-)  or (u1 == sysadm_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED

;       Possible cause is the source user (user_u) and target user (sysadm_u) are different.
(allow user_t user_home_dir_t (dir (getattr relabelto)))

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: James Carter <jwcart2@gmail.com>
topimiettinen authored and jwcart2 committed Mar 20, 2024
1 parent af543f1 commit 5937e9b
Showing 5 changed files with 298 additions and 90 deletions.
14 changes: 13 additions & 1 deletion python/audit2allow/audit2allow
Expand Up @@ -75,6 +75,7 @@ class AuditToPolicy:
help="generate policy with dontaudit rules")
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
default=True, help="generate refpolicy style output")
parser.add_option("-C", "--cil", action="store_true", dest="cil", help="generate CIL output")

parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy",
default=False, help="do not generate refpolicy style output")
Expand Down Expand Up @@ -114,14 +115,17 @@ class AuditToPolicy:
sys.stderr.write('error: module names must begin with a letter, optionally followed by letters, numbers, "-", "_", "."\n')
sys.exit(2)

# Make -M and -o conflict
# Make -M and -o or -C conflict
if options.module_package:
if options.output:
sys.stderr.write("error: --module-package conflicts with --output\n")
sys.exit(2)
if options.module:
sys.stderr.write("error: --module-package conflicts with --module\n")
sys.exit(2)
if options.cil:
sys.stderr.write("error: --module-package conflicts with --cil\n")
sys.exit(2)

self.__options = options

Expand Down Expand Up @@ -341,13 +345,21 @@ semodule -i {packagename}
if self.__options.requires:
g.set_gen_requires(True)

# CIL output
if self.__options.cil:
g.set_gen_cil(True)

# Generate the policy
g.add_access(self.__avs)
g.add_role_types(self.__role_types)

# Output
writer = output.ModuleWriter()

# CIL output
if self.__options.cil:
writer.set_gen_cil(True)

# Module package
if self.__options.module_package:
self.__output_modulepackage(writer, g)
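Review bot: The new `-C` option defines no `default`, so `options.cil` is `None` rather than `False` when the flag is absent; the truthiness tests in this section still behave, but the neighbouring `-R`/`-N` definitions set explicit defaults, and `parser.add_option("-C", "--cil", action="store_true", dest="cil", default=False, help="generate CIL output")` keeps the option consistent. The conflict check only pairs `-C` with `-M`, while `-R` stays at its default of True when `-C` is given; if the refpolicy interface path emits interface calls that are not valid CIL, `-C` should either force `refpolicy = False` or the help text should say it is meant to be combined with `-N` — I can't confirm from this page how the generator handles both together. In the last hunk `set_gen_cil(True)` is called on the generator and on the writer under two separate `if self.__options.cil:` blocks; a single `cil = bool(self.__options.cil)` passed to both would keep the two flags from drifting apart. The enclosing method of that hunk begins before the hunk.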
3 changes: 3 additions & 0 deletions python/audit2allow/audit2allow.1
Expand Up @@ -74,6 +74,9 @@ Generate module/require output <modulename>
.B "\-M <modulename>"
Generate loadable module package, conflicts with \-o
.TP
.B "\-C"
Generate CIL output, conflicts with \-M
.TP
.B "\-p <policyfile>" | "\-\-policy <policyfile>"
Policy file to use for analysis
.TP
5 changes: 5 additions & 0 deletions python/sepolgen/src/sepolgen/output.py
Expand Up @@ -40,6 +40,7 @@ def __init__(self):
self.module = None
self.sort = True
self.requires = True
self.gen_cil = False

def write(self, module, fd):
self.module = module
Expand All @@ -49,8 +50,12 @@ def write(self, module, fd):

# FIXME - make this handle nesting
for node, depth in refpolicy.walktree(self.module, showdepth=True):
node.set_gen_cil(self.gen_cil)
fd.write("%s\n" % str(node))

def set_gen_cil(self, gen_cil):
self.gen_cil = gen_cil

# Helper functions for sort_filter - this is all done old school
# C style rather than with polymorphic methods because this sorting
# is specific to output. It is not necessarily the comparison you
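Review bot: `write()` now calls `node.set_gen_cil(self.gen_cil)` on every node yielded by `refpolicy.walktree`, which turns the output syntax into state stored on the policy tree rather than a parameter of rendering, and it raises AttributeError for any walked node class that lacks the method (the refpolicy.py side of this commit is not shown on this page, so I can't confirm every node type gained it). Mutating the module during write also means a module rendered by two writers with different settings ends up carrying the last writer's flag; passing the format into the string conversion would avoid that. `set_gen_cil` has no docstring; `"""Select CIL syntax for every node emitted by write(); the default is policy-language syntax."""` documents the contract, and `self.gen_cil = bool(gen_cil)` pins the attribute to a boolean. Both `__init__` and `write()` begin before their hunks.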
32 changes: 21 additions & 11 deletions python/sepolgen/src/sepolgen/policygen.py
Expand Up @@ -86,6 +86,8 @@ def __init__(self, module=None):
self.xperms = False

self.domains = None
self.gen_cil = False
self.comment_start = '#'
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.
Expand Down Expand Up @@ -128,6 +130,13 @@ def set_gen_xperms(self, xperms):
"""
self.xperms = xperms

def set_gen_cil(self, gen_cil):
self.gen_cil = gen_cil
if gen_cil:
self.comment_start = ';'
else:
self.comment_start = '#'

def __set_module_style(self):
if self.ifgen:
refpolicy = True
Expand Down Expand Up @@ -173,26 +182,27 @@ def __add_av_rule(self, av):
rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))

if av.type == audit2why.ALLOW:
rule.comment += "\n#!!!! This avc is allowed in the current policy"
rule.comment += "\n%s!!!! This avc is allowed in the current policy" % self.comment_start

if av.xperms:
rule.comment += "\n#!!!! This av rule may have been overridden by an extended permission av rule"
rule.comment += "\n%s!!!! This av rule may have been overridden by an extended permission av rule" % self.comment_start

if av.type == audit2why.DONTAUDIT:
rule.comment += "\n#!!!! This avc has a dontaudit rule in the current policy"
rule.comment += "\n%s!!!! This avc has a dontaudit rule in the current policy" % self.comment_start

if av.type == audit2why.BOOLEAN:
if len(av.data) > 1:
rule.comment += "\n#!!!! This avc can be allowed using one of the these booleans:\n# %s" % ", ".join([x[0] for x in av.data])
rule.comment += "\n%s!!!! This avc can be allowed using one of the these booleans:\n%s %s" % (self.comment_start, self.comment_start, ", ".join([x[0] for x in av.data]))
else:
rule.comment += "\n#!!!! This avc can be allowed using the boolean '%s'" % av.data[0][0]
rule.comment += "\n%s!!!! This avc can be allowed using the boolean '%s'" % (self.comment_start, av.data[0][0])

if av.type == audit2why.CONSTRAINT:
rule.comment += "\n#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access."
rule.comment += "\n#Constraint rule: "
rule.comment += "\n#\t" + av.data[0]
rule.comment += "\n%s!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access." % self.comment_start
rule.comment += "\n%sConstraint rule: " % self.comment_start
rule.comment += "\n%s\t" % self.comment_start + av.data[0]
for reason in av.data[1:]:
rule.comment += "\n#\tPossible cause is the source %s and target %s are different." % reason
rule.comment += "\n%s" % self.comment_start
rule.comment += "\tPossible cause is the source %s and target %s are different." % reason

try:
if ( av.type == audit2why.TERULE and
Expand All @@ -206,9 +216,9 @@ def __add_av_rule(self, av):
if i not in self.domains:
types.append(i)
if len(types) == 1:
rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
rule.comment += "\n%s!!!! The source type '%s' can write to a '%s' of the following type:\n%s %s\n" % (self.comment_start, av.src_type, av.obj_class, self.comment_start, ", ".join(types))
elif len(types) >= 1:
rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
rule.comment += "\n%s!!!! The source type '%s' can write to a '%s' of the following types:\n%s %s\n" % (self.comment_start, av.src_type, av.obj_class, self.comment_start, ", ".join(types))
except:
pass

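Review bot: The rewritten format expressions in the "can write to" branches at the end of this section sit inside the pre-existing bare `except: pass`, so an argument-count slip in any of the new five-element format tuples would raise TypeError and be swallowed, silently dropping the explanatory comment; narrowing that handler to the exception the lookup is expected to raise would keep such mistakes visible. Separately, the explanation text from `str(refpolicy.Comment(explain_access(...)))` at the top of the `__add_av_rule` hunk is rendered before any `set_gen_cil` call reaches that Comment object, so unless Comment is CIL-aware by construction (its changes are not shown here) that text may still be prefixed with `#` in CIL output — worth confirming with `-e`. `set_gen_cil` lacks the docstring its neighbour `set_gen_xperms` has; `"""Select CIL output; generated comment lines then start with ';' instead of '#'."""` plus `self.comment_start = ';' if gen_cil else '#'` states the intent in one line. The `"\n%s\t" % self.comment_start + av.data[0]` line relies on `%` binding tighter than `+`; `"\n%s\t%s" % (self.comment_start, av.data[0])` reads unambiguously. `__add_av_rule` begins before its hunk and continues past it.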
