diff --git a/Makefile b/Makefile index d4d3c6f..d9ff594 100644 --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ GRSEC_DIR=/etc/grsec LLEX=/usr/bin/lex FLEX=/usr/bin/flex LEX := $(shell if [ -x $(FLEX) ]; then echo $(FLEX); else echo $(LLEX); fi) -LEXFLAGS=-B +LEXFLAGS=-Cfa -B #ubuntu broke byacc for who knows why, disable it #BYACC=/usr/bin/byacc BISON=/usr/bin/bison diff --git a/gradm.l b/gradm.l index 0b811d5..8a46bc9 100644 --- a/gradm.l +++ b/gradm.l @@ -35,13 +35,16 @@ IP [0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3} %x INCLUDE_STATE IPNETMASK_STATE IPPORT_STATE ROLETRANS_STATE UMASK_STATE %x VAR_STATE VAR_OBJ_STATE IDTRANS_STATE DOMAIN_STATE DOMAINTYPE_STATE %x DOMAINLIST_STATE IPIP_STATE IPONLY_STATE REP_STATE CAP_STATE FAMILY_STATE - +%x VAR_IPIP_STATE VAR_CAP_STATE VAR_IPNETMASK_STATE VAR_IP_STATE VAR_IPPORT_STATE %% <*>"\n" { lineno++; if (YYSTATE == COMMENT_STATE) BEGIN(old_state2); + if (YYSTATE == VAR_IPIP_STATE || YYSTATE == VAR_CAP_STATE || YYSTATE == VAR_IPNETMASK_STATE || + YYSTATE == VAR_IP_STATE || YYSTATE == VAR_IPPORT_STATE) + BEGIN(VAR_OBJ_STATE); if (YYSTATE != VAR_STATE && YYSTATE != VAR_OBJ_STATE) BEGIN(INITIAL); } @@ -133,11 +136,14 @@ IP [0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3} return RES_SOFTHARD; } -"!" { +"!" { return NOT; } -[-a-zA-Z0-9_]{1,7}("#"[0-9]{1,3})? { - BEGIN(IP_STATE); +[-a-zA-Z0-9_]{1,7}("#"[0-9]{1,3})? { + if (YYSTATE == IPIP_STATE) + BEGIN(IP_STATE); + else + BEGIN(VAR_IP_STATE); gr_line = yytext; gradmlval.string = gr_strdup(gr_line); gr_line = strchr(gradmlval.string, '#'); @@ -145,11 +151,14 @@ IP [0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3} *gr_line = ':'; return INTERFACE; } -"disabled" { +"disabled" { return DISABLED; } -[-0-9a-zA-Z.]*[a-zA-Z][-0-9a-zA-Z.]* { - BEGIN(IP_STATE); +[-0-9a-zA-Z.]*[a-zA-Z][-0-9a-zA-Z.]* { + if (YYSTATE == IPIP_STATE) + BEGIN(IP_STATE); + else + BEGIN(VAR_IP_STATE); gradmlval.string = gr_strdup(yytext); return HOSTNAME; } @@ -157,24 +166,33 @@ IP [0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3} gradmlval.num = get_ip(yytext); return IPADDR; } -{IP} { - BEGIN(IP_STATE); +{IP} { + if (YYSTATE == IPIP_STATE) + BEGIN(IP_STATE); + else + BEGIN(VAR_IP_STATE); gradmlval.num = get_ip(yytext); return IPADDR; } -[/] { - BEGIN(IPNETMASK_STATE); +[/] { + if (YYSTATE == IP_STATE) + BEGIN(IPNETMASK_STATE); + else + BEGIN(VAR_IPNETMASK_STATE); return *yytext; } -[:-] { - BEGIN(IPPORT_STATE); +[:-] { + if (YYSTATE == IP_STATE) + BEGIN(IPPORT_STATE); + else + BEGIN(VAR_IPPORT_STATE); return *yytext; } -"raw_sock"|"dgram"|"rdm"|"stream"|"any_sock" { +"raw_sock"|"dgram"|"rdm"|"stream"|"any_sock" { gradmlval.string = gr_strdup(yytext); return IPTYPE; } -[a-z_-]+ { +[a-z_-]+ { gradmlval.string = gr_strdup(yytext); return IPPROTO; } @@ -183,18 +201,24 @@ IP [0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3} return SOCKFAMILY; } -[0-9]{1,2} { +[0-9]{1,2} { unsigned int bits = atoi(yytext); - BEGIN(IP_STATE); + if (YYSTATE == IPNETMASK_STATE) + BEGIN(IP_STATE); + else + BEGIN(VAR_IP_STATE); if (!bits) gradmlval.num = 0; else gradmlval.num = 0xffffffff << (32 - bits); return IPNETMASK; } -[0-9]{1,5} { +[0-9]{1,5} { unsigned int portcheck = atoi(yytext); - BEGIN(IP_STATE); + if (YYSTATE == IPPORT_STATE) + BEGIN(IP_STATE); + else + BEGIN(VAR_IP_STATE); if (portcheck > 65535) gradmerror("invalid port number error"); gradmlval.shortnum = portcheck; @@ -307,12 +331,18 @@ IP [0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3} BEGIN(SUBJECT_STATE); return SUBJECT; } -"connect" { - BEGIN(IPIP_STATE); +"connect" { + if (YYSTATE == INITIAL) + BEGIN(IPIP_STATE); + else + BEGIN(VAR_IPIP_STATE); return CONNECT; } -"bind" { - BEGIN(IPIP_STATE); +"bind" { + if (YYSTATE == INITIAL) + BEGIN(IPIP_STATE); + else + BEGIN(VAR_IPIP_STATE); return BIND; } "ip_override" { @@ -328,12 +358,15 @@ IP [0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3} *(gr_line + strlen(gr_line) - 1) = '\0'; add_include(gr_line); } -"audit"|"suppress" { +"audit"|"suppress" { gradmlval.string = gr_strdup(yytext); return AUDIT; } -[+-]"CAP_"[_A-Z]+ { - BEGIN(CAP_STATE); +[+-]"CAP_"[_A-Z]+ { + if (YYSTATE == INITIAL) + BEGIN(CAP_STATE); + else + BEGIN(VAR_CAP_STATE); gradmlval.string = gr_strdup(yytext); return CAP_NAME; } @@ -347,13 +380,13 @@ IP [0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3} return RES_NAME; } -([/]|$[(])[^ \t\n]* { +([/]|$[(])[^ \t\n]* { gradmlval.string = process_string_replace(yytext); if (strstr(gradmlval.string, "//") || strstr(gradmlval.string, "/./") || strstr(gradmlval.string, "/../")) gradmerror("invalid pathname error"); return OBJ_NAME; } -["]([/]|$[(]).*["] { +["]([/]|$[(]).*["] { gr_line = yytext; gr_line++; *(gr_line + strlen(gr_line) - 1) = '\0'; @@ -362,13 +395,13 @@ IP [0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3}"."[0-9]{1,3} gradmerror("invalid pathname error"); return OBJ_NAME; } -$HOME[/]?[^ \t\n]* { +$HOME[/]?[^ \t\n]* { gradmlval.string = gr_strdup(yytext); if (strstr(gradmlval.string, "//") || strstr(gradmlval.string, "/./") || strstr(gradmlval.string, "/../")) gradmerror("invalid pathname error"); return OBJ_NAME; } -["]$HOME[/]?.*["] { +["]$HOME[/]?.*["] { gr_line = yytext; gr_line++; *(gr_line + strlen(gr_line) - 1) = '\0'; @@ -377,7 +410,7 @@ $HOME[/]?[^ \t\n]* { gradmerror("invalid pathname error"); return OBJ_NAME; } -[rwxahitmlLFRWXAIMcCdDspof]+ { +[rwxahitmlLFRWXAIMcCdDspof]+ { gradmlval.num = proc_object_mode_conv(yytext); return OBJ_MODE; } diff --git a/gradm.y b/gradm.y index e46706b..68de76e 100644 --- a/gradm.y +++ b/gradm.y @@ -108,16 +108,80 @@ variable_object: DEFINE DEFINE_NAME '{' var_object_list '}' } ; -var_object_list: OBJ_NAME obj_mode +var_object_file: OBJ_NAME obj_mode { - add_var_object(&var_obj, $1, $2); + add_file_var_object(&var_obj, $1, $2); } - | var_object_list OBJ_NAME obj_mode + ; + +var_object_cap: CAP_NAME AUDIT + { + add_cap_var_object(&var_obj, $1, $2); + free($1); + free($2); + } + | CAP_NAME + { + add_cap_var_object(&var_obj, $1, NULL); + free($1); + } + ; + + +var_object_net: CONNECT invert_socket IPADDR ip_netmask ip_ports ip_typeproto + { + ip.addr = $3; + ip.netmask = $4; + add_net_var_object(&var_obj, &ip, GR_IP_CONNECT | $2, NULL); + memset(&ip, 0, sizeof(ip)); + } + | CONNECT invert_socket HOSTNAME ip_netmask ip_ports ip_typeproto + { + ip.netmask = $4; + add_net_var_object(&var_obj, &ip, GR_IP_CONNECT | $2, $3); + memset(&ip, 0, sizeof(ip)); + free($3); + } + | + CONNECT DISABLED + { + add_net_var_object(&var_obj, &ip, GR_IP_CONNECT, NULL); + } + | BIND invert_socket IPADDR ip_netmask ip_ports ip_typeproto + { + ip.addr = $3; + ip.netmask = $4; + add_net_var_object(&var_obj, &ip, GR_IP_BIND | $2, NULL); + memset(&ip, 0, sizeof(ip)); + } + | BIND invert_socket HOSTNAME ip_netmask ip_ports ip_typeproto + { + ip.netmask = $4; + add_net_var_object(&var_obj, &ip, GR_IP_BIND | $2, $3); + memset(&ip, 0, sizeof(ip)); + free($3); + } + | BIND invert_socket INTERFACE ip_ports ip_typeproto + { + ip.iface = $3; + add_net_var_object(&var_obj, &ip, GR_IP_BIND | $2, NULL); + memset(&ip, 0, sizeof(ip)); + } + | + BIND DISABLED { - add_var_object(&var_obj, $2, $3); + add_net_var_object(&var_obj, &ip, GR_IP_BIND, NULL); } ; +var_object_list: var_object_file + | var_object_net + | var_object_cap + | var_object_list var_object_file + | var_object_list var_object_net + | var_object_list var_object_cap + ; + domain_label: DOMAIN ROLE_NAME DOMAIN_TYPE { add_role_acl(¤t_role, $2, GR_ROLE_DOMAIN | role_mode_conv($3), 1); diff --git a/gradm_defs.h b/gradm_defs.h index fc91c3b..cc0a457 100644 --- a/gradm_defs.h +++ b/gradm_defs.h @@ -303,9 +303,29 @@ struct file_acl { struct file_acl *next; }; +enum { + VAR_FILE_OBJECT = 0, + VAR_NET_OBJECT = 1, + VAR_CAP_OBJECT = 2 +}; + struct var_object { - char *filename; - u_int32_t mode; + union { + struct { + char *filename; + u_int32_t mode; + } file_obj; + struct { + struct ip_acl ip; + u_int8_t mode; + char *host; + } net_obj; + struct { + char *cap; + char *audit; + } cap_obj; + }; + unsigned int type; struct var_object *prev; struct var_object *next; diff --git a/gradm_func.h b/gradm_func.h index 90446d1..f830932 100644 --- a/gradm_func.h +++ b/gradm_func.h @@ -67,7 +67,10 @@ void start_grlearn(char *logfile); void stop_grlearn(void); void sym_store(char *symname, struct var_object *object); struct var_object *sym_retrieve(char *symname); -void add_var_object(struct var_object **object, char *name, u_int32_t mode); +void add_file_var_object(struct var_object **object, char *name, u_int32_t mode); +void add_var_object(struct var_object **object, struct var_object *var); +void add_net_var_object(struct var_object **object, struct ip_acl *ip, u_int8_t mode, char *host); +void add_cap_var_object(struct var_object **object, char *name, char *audit); void interpret_variable(struct var_object *var); struct var_object *union_objects(struct var_object *var1, struct var_object *var2); struct var_object *intersect_objects(struct var_object *var1, struct var_object *var2); diff --git a/gradm_sym.c b/gradm_sym.c index 16b71bf..a644ca6 100644 --- a/gradm_sym.c +++ b/gradm_sym.c @@ -15,7 +15,22 @@ void interpret_variable(struct var_object *var) ; for (; tmp; tmp = tmp->next) { - add_proc_object_acl(current_subject, tmp->filename, tmp->mode, GR_FEXIST); + switch (tmp->type) { + case VAR_FILE_OBJECT: + add_proc_object_acl(current_subject, tmp->file_obj.filename, tmp->file_obj.mode, GR_FEXIST); + break; + case VAR_NET_OBJECT: + if (tmp->net_obj.host) + add_host_acl(current_subject, tmp->net_obj.mode, tmp->net_obj.host, &tmp->net_obj.ip); + else + add_ip_acl(current_subject, tmp->net_obj.mode, &tmp->net_obj.ip); + break; + case VAR_CAP_OBJECT: + add_cap_acl(current_subject, tmp->cap_obj.cap, tmp->cap_obj.audit); + break; + default: + break; + } } return; @@ -26,11 +41,23 @@ struct var_object * intersect_objects(struct var_object *var1, struct var_object struct var_object *tmpvar1, *tmpvar2, *retvar = NULL; for (tmpvar1 = var1; tmpvar1; tmpvar1 = tmpvar1->prev) { - for (tmpvar2 = var2; tmpvar2; tmpvar2 = tmpvar2->prev) { - if (!strcmp(tmpvar1->filename, tmpvar2->filename)) { - add_var_object(&retvar, tmpvar1->filename, tmpvar1->mode & tmpvar2->mode); - break; + switch (tmpvar1->type) { + case VAR_FILE_OBJECT: + for (tmpvar2 = var2; tmpvar2; tmpvar2 = tmpvar2->prev) { + switch (tmpvar2->type) { + case VAR_FILE_OBJECT: + if (!strcmp(tmpvar1->file_obj.filename, tmpvar2->file_obj.filename)) { + add_file_var_object(&retvar, tmpvar1->file_obj.filename, tmpvar1->file_obj.mode & tmpvar2->file_obj.mode); + break; + } + break; + default: + break; + } } + break; + default: + break; } } @@ -43,28 +70,53 @@ struct var_object * union_objects(struct var_object *var1, struct var_object *va int found_dupe = 0; for (tmpvar1 = var1; tmpvar1; tmpvar1 = tmpvar1->prev) { - found_dupe = 0; - for (tmpvar2 = var2; tmpvar2; tmpvar2 = tmpvar2->prev) { - if (!strcmp(tmpvar1->filename, tmpvar2->filename)) { - add_var_object(&retvar, tmpvar1->filename, tmpvar1->mode | tmpvar2->mode); - found_dupe = 1; - break; + switch (tmpvar1->type) { + case VAR_FILE_OBJECT: + found_dupe = 0; + for (tmpvar2 = var2; tmpvar2; tmpvar2 = tmpvar2->prev) { + switch (tmpvar2->type) { + case VAR_FILE_OBJECT: + if (!strcmp(tmpvar1->file_obj.filename, tmpvar2->file_obj.filename)) { + add_file_var_object(&retvar, tmpvar1->file_obj.filename, tmpvar1->file_obj.mode | tmpvar2->file_obj.mode); + found_dupe = 1; + break; + } + break; + default: + break; + } } + if (!found_dupe) + add_file_var_object(&retvar, tmpvar1->file_obj.filename, tmpvar1->file_obj.mode); + break; + default: + break; } - if (!found_dupe) - add_var_object(&retvar, tmpvar1->filename, tmpvar1->mode); } for (tmpvar2 = var2; tmpvar2; tmpvar2 = tmpvar2->prev) { - found_dupe = 0; - for (tmpvar1 = var1; tmpvar1; tmpvar1 = tmpvar1->prev) { - if (!strcmp(tmpvar1->filename, tmpvar2->filename)) { - found_dupe = 1; - break; + switch (tmpvar2->type) { + case VAR_FILE_OBJECT: + found_dupe = 0; + for (tmpvar1 = var1; tmpvar1; tmpvar1 = tmpvar1->prev) { + switch (tmpvar1->type) { + case VAR_FILE_OBJECT: + if (!strcmp(tmpvar1->file_obj.filename, tmpvar2->file_obj.filename)) { + found_dupe = 1; + break; + } + break; + default: + break; + } } + + if (!found_dupe) + add_file_var_object(&retvar, tmpvar2->file_obj.filename, tmpvar2->file_obj.mode); + break; + default: + break; } - if (!found_dupe) - add_var_object(&retvar, tmpvar2->filename, tmpvar2->mode); } return retvar; @@ -77,30 +129,42 @@ struct var_object * differentiate_objects(struct var_object *var1, struct var_ob char *path; for (tmpvar1 = var1; tmpvar1; tmpvar1 = tmpvar1->prev) { - path = calloc(strlen(tmpvar1->filename) + 1, sizeof(char)); - if (!path) - failure("calloc"); - strcpy(path, tmpvar1->filename); - found_dupe = 0; - do { - for (tmpvar2 = var2; tmpvar2; tmpvar2 = tmpvar2->prev) { - if (!strcmp(path, tmpvar2->filename)) { - found_dupe = 1; - add_var_object(&retvar, tmpvar1->filename, tmpvar1->mode &= ~tmpvar2->mode); - goto done; + switch (tmpvar1->type) { + case VAR_FILE_OBJECT: + path = calloc(strlen(tmpvar1->file_obj.filename) + 1, sizeof(char)); + if (!path) + failure("calloc"); + strcpy(path, tmpvar1->file_obj.filename); + found_dupe = 0; + do { + for (tmpvar2 = var2; tmpvar2; tmpvar2 = tmpvar2->prev) { + switch (tmpvar2->type) { + case VAR_FILE_OBJECT: + if (!strcmp(path, tmpvar2->file_obj.filename)) { + found_dupe = 1; + add_file_var_object(&retvar, tmpvar1->file_obj.filename, tmpvar1->file_obj.mode &= ~tmpvar2->file_obj.mode); + goto done; + } + break; + default: + break; + } } - } - } while(parent_dir(tmpvar1->filename, &path)); + } while(parent_dir(tmpvar1->file_obj.filename, &path)); done: - if (!found_dupe) - add_var_object(&retvar, tmpvar1->filename, tmpvar1->mode); - free(path); + if (!found_dupe) + add_file_var_object(&retvar, tmpvar1->file_obj.filename, tmpvar1->file_obj.mode); + free(path); + break; + default: + break; + } } return retvar; } -void add_var_object(struct var_object **object, char *name, u_int32_t mode) +void add_var_object(struct var_object **object, struct var_object *var) { struct var_object *v; @@ -112,16 +176,50 @@ void add_var_object(struct var_object **object, char *name, u_int32_t mode) if (*object) (*object)->next = v; - v->prev = *object; + memcpy(v, var, sizeof(struct var_object)); - v->filename = name; - v->mode = mode; + v->prev = *object; + v->next = NULL; *object = v; return; } +void add_file_var_object(struct var_object **object, char *name, u_int32_t mode) +{ + struct var_object var; + + var.type = VAR_FILE_OBJECT; + var.file_obj.filename = name; + var.file_obj.mode = mode; + + add_var_object(object, &var); +} + +void add_net_var_object(struct var_object **object, struct ip_acl *ip, u_int8_t mode, char *host) +{ + struct var_object var; + + var.type = VAR_NET_OBJECT; + memcpy(&var.net_obj.ip, ip, sizeof(struct ip_acl)); + var.net_obj.mode = mode; + var.net_obj.host = host ? gr_strdup(host) : NULL; + + add_var_object(object, &var); +} + +void add_cap_var_object(struct var_object **object, char *name, char *audit) +{ + struct var_object var; + + var.type = VAR_CAP_OBJECT; + var.cap_obj.cap = name ? gr_strdup(name) : NULL; + var.cap_obj.audit = audit ? gr_strdup(audit) : NULL; + + add_var_object(object, &var); +} + struct var_object * sym_retrieve(char *symname) { unsigned int i; diff --git a/policy b/policy index f8c368a..df21c6d 100644 --- a/policy +++ b/policy @@ -236,6 +236,8 @@ # Commonly-used objects can be defined and used in multiple subjects # As an example, we'll create a variable out of a list of objects # and their associated permissions that RBAC enforces +# files, connect/bind rules, and capabilities can currently be added to a define + define grsec_denied { /boot h /dev/grsec h