[people/stevee/selinux-policy.git] / support / gennetfilter.py

#!/usr/bin/python

# Author: Chris PeBenito <cpebenito@tresys.com>
#
# Copyright (C) 2006 Tresys Technology, LLC
#      This program is free software; you can redistribute it and/or modify
#      it under the terms of the GNU General Public License as published by
#      the Free Software Foundation, version 2.

import sys,string,getopt,re

NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")

DEFAULT_INPUT_PACKET = "server_packet_t"
DEFAULT_OUTPUT_PACKET = "client_packet_t"
DEFAULT_MCS = "s0"
DEFAULT_MLS = "s0"

PACKET_INPUT = "_server_packet_t"
PACKET_OUTPUT = "_client_packet_t"

class Port:
	def __init__(self, proto, num, mls_sens, mcs_cats=""):
		# protocol of the port
		self.proto = proto

		# port number
		self.num = num

		# MLS sensitivity
		self.mls_sens = mls_sens

		# MCS categories
		# not currently supported, so we always get s0
		self.mcs_cats = DEFAULT_MCS

class Packet:
	def __init__(self, prefix, ports):
		# prefix
		self.prefix = prefix

		# A list of Ports
		self.ports = ports

def print_input_rules(packets,mls,mcs):
	line = "base -A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
	if mls:
		line += ":"+DEFAULT_MLS
	elif mcs:
		line += ":"+DEFAULT_MCS

	print line

	for i in packets:
		for j in i.ports:
			line="base -A selinux_new_input -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT
			if mls:
				line += ":"+j.mls_sens
			elif mcs:
				line += ":"+j.mcs_cats
			print line

	print "post -A selinux_new_input -j CONNSECMARK --save"
	print "post -A selinux_new_input -j RETURN"

def print_output_rules(packets,mls,mcs):
	line = "base -A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
	if mls:
		line += ":"+DEFAULT_MLS
	elif mcs:
		line += ":"+DEFAULT_MCS
	print line

	for i in packets:
		for j in i.ports:
			line = "base -A selinux_new_output -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT
			if mls:
				line += ":"+j.mls_sens
			elif mcs:
				line += ":"+j.mcs_cats
			print line

	print "post -A selinux_new_output -j CONNSECMARK --save"
	print "post -A selinux_new_output -j RETURN"

def parse_corenet(file_name):
	packets = []

	corenet_te_in = open(file_name, "r")

	while True:
		corenet_line = corenet_te_in.readline()

		# If EOF has been reached:
		if not corenet_line:
			break

		if NETPORT.match(corenet_line):
			corenet_line = corenet_line.strip();

			# parse out the parameters
			openparen = string.find(corenet_line,'(')+1
			closeparen = string.find(corenet_line,')',openparen)
			parms = re.split('\W+',corenet_line[openparen:closeparen])
			name = parms[0]
			del parms[0];

			ports = []
			while len(parms) > 0:
				# add a port combination.
				ports.append(Port(parms[0],parms[1],parms[2]))
				del parms[:3]

			packets.append(Packet(name,ports))
		
	corenet_te_in.close()

	return packets

def print_netfilter_config(packets,mls,mcs):
	print "pre *mangle"
	print "pre :PREROUTING ACCEPT [0:0]"
	print "pre :INPUT ACCEPT [0:0]"
	print "pre :FORWARD ACCEPT [0:0]"
	print "pre :OUTPUT ACCEPT [0:0]"
	print "pre :POSTROUTING ACCEPT [0:0]"
	print "pre :selinux_input - [0:0]"
	print "pre :selinux_output - [0:0]"
	print "pre :selinux_new_input - [0:0]"
	print "pre :selinux_new_output - [0:0]"
	print "pre -A INPUT -j selinux_input"
	print "pre -A OUTPUT -j selinux_output"
	print "pre -A selinux_input -m state --state NEW -j selinux_new_input"
	print "pre -A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
	print "pre -A selinux_output -m state --state NEW -j selinux_new_output"
	print "pre -A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
	print_input_rules(packets,mls,mcs)
	print_output_rules(packets,mls,mcs)
	print "post COMMIT"

mls = False
mcs = False

try:
	opts, paths = getopt.getopt(sys.argv[1:],'mc',['mls','mcs'])
except getopt.GetoptError, error:
	print "Invalid options."
	sys.exit(1)

for o, a in opts:
	if o in ("-c","--mcs"):
		mcs = True
	if o in ("-m","--mls"):
		mls = True

if len(paths) == 0:
	sys.stderr.write("Need a path for corenetwork.te.in!\n")
	sys.exit(1)
elif len(paths) > 1:
	sys.stderr.write("Ignoring extra specified paths\n")

packets=parse_corenet(paths[0])
print_netfilter_config(packets,mls,mcs)
Commit	Line	Data
d24259b7	1	#!/usr/bin/python
d6c62e7d	2
d24259b7 CP	3	# Author: Chris PeBenito <cpebenito@tresys.com>
	4	#
	5	# Copyright (C) 2006 Tresys Technology, LLC
	6	# This program is free software; you can redistribute it and/or modify
	7	# it under the terms of the GNU General Public License as published by
	8	# the Free Software Foundation, version 2.
	9
	10	import sys,string,getopt,re
	11
	12	NETPORT = re.compile("^network_port\(\s\w+\s(\s,\s\w+\s,\s\w+\s,\s\w+\s)+\s\)\s*(#\|$)")
d6c62e7d	13
35a4b349 CP	14	DEFAULT_INPUT_PACKET = "server_packet_t"
35a4b349 CP	15	DEFAULT_OUTPUT_PACKET = "client_packet_t"
d6d8b703 CP	16	DEFAULT_MCS = "s0"
	17	DEFAULT_MLS = "s0"
	18
d6c62e7d CP	19	PACKET_INPUT = "_server_packet_t"
	20	PACKET_OUTPUT = "_client_packet_t"
	21
d6c62e7d CP	22	class Port:
	23	def __init__(self, proto, num, mls_sens, mcs_cats=""):
	24	# protocol of the port
	25	self.proto = proto
	26
	27	# port number
	28	self.num = num
	29
	30	# MLS sensitivity
	31	self.mls_sens = mls_sens
	32
	33	# MCS categories
	34	# not currently supported, so we always get s0
d6d8b703	35	self.mcs_cats = DEFAULT_MCS
d6c62e7d CP	36
	37	class Packet:
	38	def __init__(self, prefix, ports):
	39	# prefix
	40	self.prefix = prefix
	41
	42	# A list of Ports
	43	self.ports = ports
	44
d6d8b703	45	def print_input_rules(packets,mls,mcs):
5a7c06fd	46	line = "base -A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
d6d8b703 CP	47	if mls:
	48	line += ":"+DEFAULT_MLS
	49	elif mcs:
	50	line += ":"+DEFAULT_MCS
	51
	52	print line
	53
d6c62e7d CP	54	for i in packets:
d6c62e7d CP	55	for j in i.ports:
5a7c06fd	56	line="base -A selinux_new_input -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT
d6d8b703 CP	57	if mls:
	58	line += ":"+j.mls_sens
	59	elif mcs:
	60	line += ":"+j.mcs_cats
	61	print line
d6c62e7d	62
5a7c06fd CP	63	print "post -A selinux_new_input -j CONNSECMARK --save"
5a7c06fd CP	64	print "post -A selinux_new_input -j RETURN"
d6c62e7d	65
d6d8b703	66	def print_output_rules(packets,mls,mcs):
5a7c06fd	67	line = "base -A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
d6d8b703 CP	68	if mls:
	69	line += ":"+DEFAULT_MLS
	70	elif mcs:
	71	line += ":"+DEFAULT_MCS
	72	print line
	73
d6c62e7d CP	74	for i in packets:
d6c62e7d CP	75	for j in i.ports:
5a7c06fd	76	line = "base -A selinux_new_output -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT
d6d8b703 CP	77	if mls:
	78	line += ":"+j.mls_sens
	79	elif mcs:
	80	line += ":"+j.mcs_cats
	81	print line
d6c62e7d	82
5a7c06fd CP	83	print "post -A selinux_new_output -j CONNSECMARK --save"
5a7c06fd CP	84	print "post -A selinux_new_output -j RETURN"
d6c62e7d CP	85
d6c62e7d CP	86	def parse_corenet(file_name):
d6d8b703 CP	87	packets = []
d6d8b703 CP	88
d6c62e7d CP	89	corenet_te_in = open(file_name, "r")
	90
	91	while True:
	92	corenet_line = corenet_te_in.readline()
	93
	94	# If EOF has been reached:
	95	if not corenet_line:
	96	break
	97
	98	if NETPORT.match(corenet_line):
	99	corenet_line = corenet_line.strip();
	100
	101	# parse out the parameters
d24259b7 CP	102	openparen = string.find(corenet_line,'(')+1
d24259b7 CP	103	closeparen = string.find(corenet_line,')',openparen)
d24259b7	104	parms = re.split('\W+',corenet_line[openparen:closeparen])
d6c62e7d CP	105	name = parms[0]
	106	del parms[0];
	107
	108	ports = []
	109	while len(parms) > 0:
	110	# add a port combination.
	111	ports.append(Port(parms[0],parms[1],parms[2]))
	112	del parms[:3]
	113
	114	packets.append(Packet(name,ports))
	115
	116	corenet_te_in.close()
	117
d6d8b703 CP	118	return packets
d6d8b703 CP	119
d24259b7	120	def print_netfilter_config(packets,mls,mcs):
5a7c06fd CP	121	print "pre *mangle"
	122	print "pre :PREROUTING ACCEPT [0:0]"
	123	print "pre :INPUT ACCEPT [0:0]"
	124	print "pre :FORWARD ACCEPT [0:0]"
	125	print "pre :OUTPUT ACCEPT [0:0]"
	126	print "pre :POSTROUTING ACCEPT [0:0]"
	127	print "pre :selinux_input - [0:0]"
	128	print "pre :selinux_output - [0:0]"
	129	print "pre :selinux_new_input - [0:0]"
	130	print "pre :selinux_new_output - [0:0]"
	131	print "pre -A INPUT -j selinux_input"
	132	print "pre -A OUTPUT -j selinux_output"
	133	print "pre -A selinux_input -m state --state NEW -j selinux_new_input"
	134	print "pre -A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
	135	print "pre -A selinux_output -m state --state NEW -j selinux_new_output"
	136	print "pre -A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
d6d8b703 CP	137	print_input_rules(packets,mls,mcs)
d6d8b703 CP	138	print_output_rules(packets,mls,mcs)
5a7c06fd	139	print "post COMMIT"
d6c62e7d	140
d6d8b703 CP	141	mls = False
	142	mcs = False
	143
	144	try:
	145	opts, paths = getopt.getopt(sys.argv[1:],'mc',['mls','mcs'])
	146	except getopt.GetoptError, error:
	147	print "Invalid options."
	148	sys.exit(1)
	149
	150	for o, a in opts:
	151	if o in ("-c","--mcs"):
	152	mcs = True
	153	if o in ("-m","--mls"):
	154	mls = True
	155
	156	if len(paths) == 0:
	157	sys.stderr.write("Need a path for corenetwork.te.in!\n")
	158	sys.exit(1)
	159	elif len(paths) > 1:
	160	sys.stderr.write("Ignoring extra specified paths\n")
	161
	162	packets=parse_corenet(paths[0])
d24259b7	163	print_netfilter_config(packets,mls,mcs)