I'm not going to walk through the code right now. It is incomplete, mostly the command line parsing, and has XXXs all over the place. I pushed ahead just enough to get some simple integers working:
% cat tests/hulk.txt
4, 25, 34k, uid == 1066
6, 40, 8k, gid == 500
6, 40, 8k, day == 10
% ./a.out -r tests/hulk.txt -d 10 -u 1066
4, 25, 34000 uid == 1066
6, 40, 8000 gid == 500
6, 40, 8000 day == 10
The matching policy is: 4, 25, 34000 uid == 1066
% ./a.out -r tests/hulk.txt -d 10
4, 25, 34000 uid == 1066
6, 40, 8000 gid == 500
6, 40, 8000 day == 10
The matching policy is: 6, 40, 8000 day == 10
BTW: Notice what I meant about duplicate ids. I still need to fix that.
If you are trying the current code out, avoid the strings for right now. That would also include the networking tests.
What is in there now is the evaluation code, parsing of network and single machine addresses in the policies file, etc. I think I added 1k of code today and I can't figure out when. Well, 650 lines came in since the last blog entry.
The evaluation code stole the framework from the printing code. I'd love to abstract out the looping from the action to be performed. But, I think that may end up being more trouble than it is worth.
Hmm, I beefed up the tests just a bit and found that both '||' and '&&' are working:
% cat tests/hulk.txt
4, 25, 34k, uid == 1066
5, 30, 32k, uid == 1067 || uid == 1065
6, 15, 2k, uid == 1068 && gid == 500
7, 40, 8k, gid == 500
9, 40, 8k, day == 10
% ./a.out -r tests/hulk.txt -u 1067
4, 25, 34000 uid == 1066
5, 30, 32000 uid == 1067 || uid == 1065
6, 15, 2000 uid == 1068 && gid == 500
7, 40, 8000 gid == 500
9, 40, 8000 day == 10
The matching policy is: 5, 30, 32000 uid == 1067 || uid == 1065
% ./a.out -r tests/hulk.txt -u 1065
4, 25, 34000 uid == 1066
5, 30, 32000 uid == 1067 || uid == 1065
6, 15, 2000 uid == 1068 && gid == 500
7, 40, 8000 gid == 500
9, 40, 8000 day == 10
The matching policy is: 5, 30, 32000 uid == 1067 || uid == 1065
% ./a.out -r tests/hulk.txt -u 1068 -g 500
4, 25, 34000 uid == 1066
5, 30, 32000 uid == 1067 || uid == 1065
6, 15, 2000 uid == 1068 && gid == 500
7, 40, 8000 gid == 500
9, 40, 8000 day == 10
The matching policy is: 6, 15, 2000 uid == 1068 && gid == 500
% ./a.out -r tests/hulk.txt -u 1068 -g 501
4, 25, 34000 uid == 1066
5, 30, 32000 uid == 1067 || uid == 1065
6, 15, 2000 uid == 1068 && gid == 500
7, 40, 8000 gid == 500
9, 40, 8000 day == 10
No matching policy, default would apply.
What about '!'?
% ./a.out -r tests/hulk.txt -d 12 -u 1167
4, 25, 34000, uid == 1066
5, 30, 32000, uid == 1067 || uid == 1065
6, 15, 2000, uid == 1068 && gid == 500
7, 40, 8000, gid == 500
9, 40, 8000, day == 10
10, 30, 32000, !(uid == 1167 || uid == 1165)
15, 40, 8000, !(day == 11)
The matching policy is: 10, 30, 32000, !(uid == 1167 || uid == 1165)
Looks wrong (notice I fixed a missing ',' before the policy attribute-expression). Hmm, here is the bug:
bLHS = spe_eval_thunk(si->si_branches[0], pat, &sa);
/*
 * Lazy, but only 1 op - which is '!'.
 */
if (b == TRUE) {
    b = FALSE;
} else {
    b = TRUE;
}
That should have been a test on bLHS. Again, quick coding leads to bugs. With the fix:
% ./a.out -r tests/hulk.txt -d 12 -u 1167
4, 25, 34000, uid == 1066
5, 30, 32000, uid == 1067 || uid == 1065
6, 15, 2000, uid == 1068 && gid == 500
7, 40, 8000, gid == 500
9, 40, 8000, day == 10
10, 30, 32000, !(uid == 1167 || uid == 1165)
15, 40, 8000, !(day == 11)
The matching policy is: 15, 40, 8000, !(day == 11)
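An added sketch, not the code from speadm.c: a minimal evaluator for the attribute-expressions in the listing above, where '!' negates the value returned for its own child and, as the runs above suggest, the first policy that matches in file order wins. Every identifier here, and the use of -1 for an attribute that was not supplied, is an assumption.

```c
#include <stddef.h>
/* All names here are hypothetical; this is not the code from speadm.c. */
enum op { OP_EQ, OP_OR, OP_AND, OP_NOT };
enum attr { A_UID, A_GID, A_DAY, A_MAX };
#define UNSET (-1L) /* assumption: attribute not supplied by the caller */
struct node {
    enum op op; enum attr attr; long val;   /* attr, val: OP_EQ only */
    const struct node *kid[2];              /* OP_NOT uses kid[0] only */
};
struct policy { int id; const struct node *expr; };

#define EQ(a, v)  (&(const struct node){ OP_EQ, (a), (v), { NULL, NULL } })
#define NOT(x)    (&(const struct node){ OP_NOT, A_UID, 0, { (x), NULL } })
#define OR(x, y)  (&(const struct node){ OP_OR, A_UID, 0, { (x), (y) } })
#define AND(x, y) (&(const struct node){ OP_AND, A_UID, 0, { (x), (y) } })

/* The policies from the last tests/hulk.txt listing, built by hand. */
static const struct policy policies[] = {
    { 4,  EQ(A_UID, 1066) },
    { 5,  OR(EQ(A_UID, 1067), EQ(A_UID, 1065)) },
    { 6,  AND(EQ(A_UID, 1068), EQ(A_GID, 500)) },
    { 7,  EQ(A_GID, 500) },
    { 9,  EQ(A_DAY, 10) },
    { 10, NOT(OR(EQ(A_UID, 1167), EQ(A_UID, 1165))) },
    { 15, NOT(EQ(A_DAY, 11)) },
};

static int eval(const struct node *n, const long *req)
{
    if (n->op == OP_EQ)
        return req[n->attr] == n->val;
    int lhs = eval(n->kid[0], req);  /* every other op has a left child */
    switch (n->op) {
    case OP_NOT: return !lhs;        /* negate the child's result itself */
    case OP_OR:  return lhs || eval(n->kid[1], req);
    case OP_AND: return lhs && eval(n->kid[1], req);
    default:     return 0;           /* unknown op: fail closed */
    }
}

/* First matching policy id in file order, or 0 when the default applies. */
int match_policy(long uid, long gid, long day)
{
    const long req[A_MAX] = { uid, gid, day };
    for (size_t i = 0; i < sizeof(policies) / sizeof(policies[0]); i++)
        if (eval(policies[i].expr, req))
            return policies[i].id;
    return 0;
}
```

Returning the negation straight from the child's value leaves no second variable to test by mistake, which is the slip the fragment above made.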
The latest code is at: speadm.c and speadm.h.