A high level language for SELinux policy

Overview

Introduction

Cascade is a project to build a new high level language for defining SELinux policy.

The overall structure of the language is essentially object oriented, with types carrying knowledge of their use and a hierarchical inheritance tree of type definition which reflects real world usage in a variety of scenarios. The syntax is largely rust inspired, although inspiriation is taken from a variety of language with a focus on simplicity, consistency and familiarity to developers from a variety of backgrounds.

Getting Started

To build the executables run:

$ cargo build

To run tests, run:

$ cargo test

Cargo will automatically download all Rust crate dependencies. The tests depend on the secilc package.

casc

The Cascade compiler is named casc, and will be located at target/debug/casc after a successful build. It takes one argument, the name of a policy file to be built:

$ casc my_policy.cas

casc will create a file named out.cil, containing CIL policy. This CIL policy can then be compiled into final SELinux policy using secilc.

More arguments and configuration for casc will be added in future releases

audit2cascade

The current audit2cascade binary is a simple placeholder. Eventually this will be turned into a tool similar to audit2allow or audit2why which generates Cascade policy based on an output of AVC denial messages in the audit logs. It will take advantage of the semantic information present in the hll policy to aid the developer in making intelligent decisions about handling denials rather than simply adding raw allow rules.

Writing Cascade policy

For details on writing Cascade policy, see Type Enforcement.

Contribute

Thank you for your interest in contributing! There are several ways you can contribute to this project.

Reporting bugs and suggesting enhancements

If you see something wrong or have a suggestion for improvement, feel free to create an issue in the Issue tracker

Contributing code

We'd welcome your code contributions via GitHub PR. If you're planning on adding a major feature, it would probably be good to discuss it in the issue tracker prior to doing too much work so that we can all come to a consensus on how it should work. No advanced discussion is needed for smaller tweaks and bug fixes.

Comments
  • Fix clippy warnings

    Fix clippy warnings

    This PR fixes a lot of clippy warnings. Code is now much more idiomatic.

    No functional change intended. The code still builds and all tests pass after these changes.

    opened by liuw 10
  • Add dbus_contexts template

    Add dbus_contexts template

    Some info about dbus and SELinux: https://blog.siphos.be/2014/06/d-bus-and-selinux/

    SELinux policies ship a dbus_contexts file at /etc/selinux/[policyname]/contexts/dbus_contexts which provides mappings from dbus service names to SELinux label. If a mapping is not defined, dbus uses the label of the owning process.

    The common case is to leave this file empty as with this template and simply allow the default behavior.

    Dbus throws errors and has substantially degraded functionality if this file is not present at all, so we need to ship a file there.

    The current approach doesn't yet provide support for actually specifying the mappings, but it is full featured enough to make that straightforward when it is added. Presumably something like an @dbus() annotation will be a very straightforward way to specify this in Cascade, and it can then be plugged in to this machinery.

    opened by dburgener 8
  • Enable recursive directory traversal in casc

    Enable recursive directory traversal in casc

    This enables recursively discovering all policy files in the specified path(s), which is expected to be the most common use case.

    Additional ergonomics, like defaulting to CWD if no path is specified is future work.

    opened by dburgener 7
  • `system` is both a Cascade keyword and an object class

    `system` is both a Cascade keyword and an object class

    A rule like:

    allow(this, foo, system, [start]);
    

    Fails to compile currently, because system is parsed as the reserved keyword rather than some arbitrary string that will later be consumed as a valid object class.

    opened by dburgener 6
  • Prevent obvious duplicate inherits

    Prevent obvious duplicate inherits

    Previously we allow the user to do something like: resource baz inherits foo, foo, bar

    This is either a needless duplicate or a possible typo. The compiler will now produce an error if a duplicate inherit like this is present.

    opened by matt-sheets 4
  • Support named args passing with

    Support named args passing with "name=foo" in parser

    Nothing is actually done with these yet. Future work will need to override the default ordering assumptions.

    In our existing docs, we have used this syntax extensively in annotations, and (to my knowledge) never in function calls. For consistency, we should support both.

    The near term need is to support this syntax in annotations. A follow-on PR will add actual support here. Allowing these to work in the parser allows annotations that have no behavior defined yet, but use the "name=foo" syntax to at least parse correctly.

    opened by dburgener 3
  • Add --package argument to casc

    Add --package argument to casc

    --package takes the output files and packages them up into the contents to go in /etc/selinux

    Currently, we only package the compiled policy.32 and file_contexts. This commit assumes that the secilc version present generates a policy.32. That's an obviously broken assumption that should be fixed before merging this. Over the longer term, we should be able to take the infrastructure added here and add all the other files.

    For a policy built without specific system configuration, this names the final policy "out", which may not be desirable.

    opened by dburgener 2
  • Split collapsed object classes in outputted CIL.

    Split collapsed object classes in outputted CIL.

    The capability, process and cap_userns object classes have more than 32 permissions, which is the max permissions per class. Therefore SELinux has separate capability2, process2 and cap2_userns classes to handle this overflow. In Cascade, we just treat these "2" permissions as part of the main class.

    Previously, validation worked, but the outputted CIL didn't handle the mapping correctly. This commit correctly maps capability2, process2 and cap2_userns permissions back to the correct object class in the output.

    opened by dburgener 2
  • Detect whether we are writing to a terminal and conditionally enable color

    Detect whether we are writing to a terminal and conditionally enable color

    Detect whether we are writing to a terminal and conditionally enable color on error output

    I had assumed termcolor did this for us, but according to their documentation, they do not, and recommend using the atty crate for this purpose: https://docs.rs/termcolor/latest/termcolor/#detecting-presence-of-a-terminal

    The approach in this commit lets casc determine whether or not to use color, and then error.rs translates that boolean decision into the appropriate termcolor commands. Casc makes its decision in turn based on atty detecting a terminal. This architecture allows for future binaries to make different decisions if needed (eg a --nocolor flag).

    Reported-by: Matthew Sheets [email protected]

    opened by dburgener 2
  • Improve module and system documentation

    Improve module and system documentation

    • Add syntax examples
    • Remove mention that traits are future work (they have now been implemented)
    • Split paragraphs
    • Simplify wording around virtual modules
    opened by dburgener 2
  • Implement

    Implement "extend" keyword

    This keyword allows you to extend a type declared elsewhere.

    It is an error to use the extend keyword on an undeclared type.

    One minor note is that this moves aliases before associations in the compilation order. This is so aliases can be extended. I don't think there's any reason that associations need to be done first.

    opened by dburgener 2
  • Error messages for object class permissions with a

    Error messages for object class permissions with a "2" are reported against the "2" version of the class

    If you do something like:

    allow(this, this: resource, capability, foo);
    

    Then you will get a message that "foo" is not in the "capability2" object class. The expectation is that the error message should refer to the "capability" object class instead.

    opened by dburgener 0
  • @associated_call force Virtual Type

    @associated_call force Virtual Type

    Hello,

    The @associate_call expects a virtual function. This condition is not well stipulated in the documentation.

    The problem is generated by the method: apply_associate_annotations::inherit_annotations Caused by (as far as I saw): A new type is generated (mock.mock_conf in the example I have presented), which tries to inherit the mock_conf type. Since mock_conf is not virtual, an error is thrown.

    Code to reproduce the problem:

    • the following .CAS code could not be compiled:
    resource mock_conf  {
    	@associated_call
    	fn read(domain source) {
    		allow(source, this, file, [ read open getattr ]);
    	}
    	file_context("/home/csandu/Documents", [file dir], this);
    }
    
    @associate([mock_conf])
    domain mock {
    	mock_conf.read(this);
    }
    

    Is this the expected behavior? If so, why one should "expect" virtual when using @associated_call(s)?

    Thank you for your support, Cristian Sandu

    opened by TheMarshalMole 0
  • Redefining system's base declarations.

    Redefining system's base declarations.

    Hello,

    The resulting .CIL of a .CAS file has the definition all of the system's base classes, such as: "alg_socket", "anon_inode". This monolithic approach is problematic because the resulting .CIL require manual editing before being insert in the SE's Binary Tree of policies.

    I understand why this approach is desired, but shouldn't be any compilation option to disable these embeddings?

    Thank you for your support, Cristian

    opened by TheMarshalMole 3
  • `:` isn't lexed

    `:` isn't lexed

    file_context("/dev/log", socket, system_u:object_r:devlog_t:mls_systemhigh);

    Reports "invalid" character on the ":". At a quick glance, it looks like ":" is handled in context parsing, but not in the lexing. So perhaps just including this in the lexer will pass it on to the rest which is unit tested and should work. On the other hand, maybe we want to parse contexts as contexts? Needs a more comprehensive investigation.

    opened by dburgener 1
Owner
Daniel Burgener
Daniel Burgener
An interpreter for Rust's mid-level intermediate representation

Miri An experimental interpreter for Rust's mid-level intermediate representation (MIR). It can run binaries and test suites of cargo projects and det

The Rust Programming Language 2.9k Jan 8, 2023
Applied offensive security with the Rust programming language

Black Hat Rust Applied offensive security with the Rust programming language Buy the book now! While the Rust Book does an excellent job teaching What

Sylvain Kerkour 2.2k Jan 8, 2023
An esoteric language/compiler written with Rust and Rust LLVM bindings

MeidoLang (メイドラング) A not so useful and esoteric language. The goal of this project was to contain some quirky or novel syntax in a stack-style program

null 0 Dec 24, 2021
subscout is a simple, nimble subdomain enumeration tool written in Rust language

subscout is a simple, nimble subdomain enumeration tool written in Rust language. It is designed to help bug bounty hunters, security professionals and penetration testers discover subdomains of a given target domain.

Dom Sec 5 Apr 5, 2023
Easy c̵̰͠r̵̛̠ö̴̪s̶̩̒s̵̭̀-t̶̲͝h̶̯̚r̵̺͐e̷̖̽ḁ̴̍d̶̖̔ ȓ̵͙ė̶͎ḟ̴͙e̸̖͛r̶̖͗ë̶̱́ṉ̵̒ĉ̷̥e̷͚̍ s̷̹͌h̷̲̉a̵̭͋r̷̫̊ḭ̵̊n̷̬͂g̵̦̃ f̶̻̊ơ̵̜ṟ̸̈́ R̵̞̋ù̵̺s̷̖̅ţ̸͗!̸̼͋

Rust S̵̓i̸̓n̵̉ I̴n̴f̶e̸r̵n̷a̴l mutability! Howdy, friendly Rust developer! Ever had a value get m̵̯̅ð̶͊v̴̮̾ê̴̼͘d away right under your nose just when

null 294 Dec 23, 2022
Oso is an open source policy engine for authorization that’s embedded in your application

Oso What is Oso? Oso is an open source policy engine for authorization that’s embedded in your application. It provides a declarative policy language

oso 2.8k Jan 4, 2023
policy-driven signing service

SigningService (maybe we'll have a more clever name one day!) What is this? This repo has a little "serverless" (runs on lambda and some other service

null 4 Jul 15, 2022
A skeleton WinRT component that can serve as a substitute for the Region Policy Evaluator in Windows.

Region Policy Evaluator Skeleton A skeleton WinRT component that can serve as a substitute for the Region Policy Evaluator in Windows. Please note tha

Rafael Rivera 3 Nov 20, 2023
high (er) level language and compiler targeting the mindustry logic language

Copper Copper is a high level language and compiler that compiles to mindustry logic. The syntax is similar to rust, with some differences. (these wil

Rowan 2 Jun 27, 2022
A collection of compilers based around compiling a high level language to a Brainfuck dialect.

tf A collection of compilers based around compiling a high level language to a Brainfuck dialect. Built at, and for, the VolHacks V hackathon during O

adam mcdaniel 6 Nov 25, 2021
Gecko is a high-level, general-purpose programming language built on top of the LLVM project.

Gecko is a high-level, general-purpose programming language built on top of the LLVM project. Gecko Technology & principles Gecko is a general-purpose

Gecko 19 Oct 3, 2022
Zero-cost high-level lua 5.3 wrapper for Rust

td_rlua This library is a high-level binding for Lua 5.3. You don't have access to the Lua stack, all you can do is read/write variables (including ca

null 47 May 4, 2022
High-level Rust bindings to Perl XS API

Perl XS for Rust High-level Rust bindings to Perl XS API. Example xs! { package Array::Sum; sub sum_array(ctx, array: AV) { array.iter().map(|

Vickenty Fesunov 59 Oct 6, 2022
Facilitating high-level interactions between Wasm modules and JavaScript

wasm-bindgen Facilitating high-level interactions between Wasm modules and JavaScript. Guide | API Docs | Contributing | Chat Built with ?? ?? by The

Rust and WebAssembly 5.9k Jan 8, 2023
High-level PortMidi bindings and wrappers for Rust

portmidi-rs High-level PortMidi bindings for Rust. PortMidi website: http://portmedia.sourceforge.net/portmidi/ Installation Add this to your Cargo.to

Philippe Delrieu 69 Dec 1, 2022
High level FFI binding around the sys mount & umount2 calls, for Rust

sys-mount High level FFI bindings to the mount and umount2 system calls, for Rust. Examples Mount This is how the mount command could be written with

Pop!_OS 31 Dec 9, 2022
A high level diffing library for rust based on diffs

Similar: A Diffing Library Similar is a dependency free crate for Rust that implements different diffing algorithms and high level interfaces for it.

Armin Ronacher 617 Dec 30, 2022
High-level netCDF bindings for Rust

netcdf Medium-level netCDF bindings for Rust, allowing easy reading and writing of array-like structures to a file. netCDF can read and write hdf5 fil

GeoRust 54 Dec 18, 2022
Rust high level RTSP client

RRTSP Client Currently works, but a lot of work to do. PRs welcome! Examples, crates.io, better Readme.md and other things coming soon.

Lucas Zanela 13 Dec 26, 2022
Network-agnostic, high-level game networking library for client-side prediction and server reconciliation.

WARNING: This crate currently depends on nightly rust unstable and incomplete features. crystalorb Network-agnostic, high-level game networking librar

Ernest Wong 175 Dec 31, 2022