path: root/lib/python2.7/site-packages/setools/terulequery.py
Diffstat (limited to 'lib/python2.7/site-packages/setools/terulequery.py')
-rwxr-xr-x[-rw-r--r--]lib/python2.7/site-packages/setools/terulequery.py80
1 files changed, 70 insertions, 10 deletions
diff --git a/lib/python2.7/site-packages/setools/terulequery.py b/lib/python2.7/site-packages/setools/terulequery.py
index eff8df1..9935e4e 100644..100755
--- a/lib/python2.7/site-packages/setools/terulequery.py
+++ b/lib/python2.7/site-packages/setools/terulequery.py
@@ -21,7 +21,9 @@ import re
from . import mixins, query
from .descriptors import CriteriaDescriptor, CriteriaSetDescriptor
+from .policyrep import ioctlSet
from .policyrep.exception import RuleUseError, RuleNotConditional
+from .util import match_regex, match_indirect_regex, match_regex_or_set
class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuery):
@@ -87,23 +89,54 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
target = CriteriaDescriptor("target_regex", "lookup_type_or_attr")
target_regex = False
target_indirect = True
- default = CriteriaDescriptor("default_regex", "lookup_type")
+ default = CriteriaDescriptor("default_regex", "lookup_type_or_attr")
default_regex = False
boolean = CriteriaSetDescriptor("boolean_regex", "lookup_boolean")
boolean_regex = False
boolean_equal = False
+ _xperms = None
+ xperms_equal = False
+
+ @property
+ def xperms(self):
+ return self._xperms
+
+ @xperms.setter
+ def xperms(self, value):
+ if value:
+ pending_xperms = ioctlSet()
+
+ for low, high in value:
+ if not (0 <= low <= 0xffff):
+ raise ValueError("{0:#07x} is not a valid ioctl.".format(low))
+
+ if not (0 <= high <= 0xffff):
+ raise ValueError("{0:#07x} is not a valid ioctl.".format(high))
+
+ if high < low:
+ high, low = low, high
+
+ pending_xperms.update(i for i in range(low, high+1))
+
+ self._xperms = pending_xperms
+ else:
+ self._xperms = None
+
+ def __init__(self, policy, **kwargs):
+ super(TERuleQuery, self).__init__(policy, **kwargs)
+ self.log = logging.getLogger(__name__)
def results(self):
"""Generator which yields all matching TE rules."""
- self.log.info("Generating results from {0.policy}".format(self))
+ self.log.info("Generating TE rule results from {0.policy}".format(self))
self.log.debug("Ruletypes: {0.ruletype}".format(self))
self.log.debug("Source: {0.source!r}, indirect: {0.source_indirect}, "
"regex: {0.source_regex}".format(self))
self.log.debug("Target: {0.target!r}, indirect: {0.target_indirect}, "
"regex: {0.target_regex}".format(self))
- self.log.debug("Class: {0.tclass!r}, regex: {0.tclass_regex}".format(self))
- self.log.debug("Perms: {0.perms!r}, regex: {0.perms_regex}, eq: {0.perms_equal}".
- format(self))
+ self._match_object_class_debug(self.log)
+ self._match_perms_debug(self.log)
+ self.log.debug("Xperms: {0.xperms!r}, eq: {0.xperms_equal}".format(self))
self.log.debug("Default: {0.default!r}, regex: {0.default_regex}".format(self))
self.log.debug("Boolean: {0.boolean!r}, eq: {0.boolean_equal}, "
"regex: {0.boolean_regex}".format(self))
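Review bot: The new `xperms` property has no docstring, yet its setter enforces a specific contract at `for low, high in value`: an iterable of (low, high) pairs of ioctl numbers, each checked against 0..0xffff, with reversed pairs swapped and each range expanded inclusively into an ioctlSet (falsy input resets it to None). I would add to the getter `"""Extended permission criteria: iterable of (low, high) inclusive ioctl ranges, each in 0x0000-0xffff, stored expanded as an ioctlSet; falsy clears to None."""`. The wrapping generator at `pending_xperms.update(i for i in range(low, high+1))` is redundant and can be `pending_xperms.update(range(low, high + 1))`. The added `__init__` uses `logging`, which the import context of the first hunk does not show; presumably it is imported higher in the file, worth confirming since the method did not exist before.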
@@ -119,7 +152,7 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
#
# Matching on source type
#
- if self.source and not self._match_indirect_regex(
+ if self.source and not match_indirect_regex(
rule.source,
self.source,
self.source_indirect,
@@ -129,7 +162,7 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
#
# Matching on target type
#
- if self.target and not self._match_indirect_regex(
+ if self.target and not match_indirect_regex(
rule.target,
self.target,
self.target_indirect,
@@ -146,19 +179,46 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
# Matching on permission set
#
try:
- if not self._match_perms(rule):
+ if self.perms and rule.extended:
+ if self.perms_equal and len(self.perms) > 1:
+ # if criteria is more than one standard permission,
+ # extended perm rules can never match if the
+ # permission set equality option is on.
+ continue
+
+ if rule.xperm_type not in self.perms:
+ continue
+ elif not self._match_perms(rule):
continue
except RuleUseError:
continue
#
+ # Matching on extended permissions
+ #
+ try:
+ if self.xperms and not match_regex_or_set(
+ rule.perms,
+ self.xperms,
+ self.xperms_equal,
+ False):
+ continue
+
+ except RuleUseError:
+ continue
+
+ #
# Matching on default type
#
if self.default:
try:
- if not self._match_regex(
+ # because default type is always a single
+ # type, hard-code indirect to True
+ # so the criteria can be an attribute
+ if not match_indirect_regex(
rule.default,
self.default,
+ True,
self.default_regex):
continue
except RuleUseError:
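Review bot: The extended-permission branch at `if self.perms and rule.extended:` treats `self.perms` as a set (`len(self.perms)` and `rule.xperm_type not in self.perms`) without consulting `self.perms_regex`; if the descriptor holds a compiled pattern when `perms_regex` is set, as the flag's name suggests, both expressions would raise on the first extended rule instead of filtering it, whereas the old single `_match_perms` call handled that flag. I would either route that case back to `_match_perms` or state the assumption inline: `# assumes perms criteria is a set here; perms_regex is not applied to extended rules`. Separately, the new xperms block runs for non-extended rules as well, where `rule.perms` is a set of permission names and the intersection with the ioctl set is presumably empty, so such rules are dropped whenever xperms criteria are set; if that is intended, a comment such as `# non-extended rules cannot match xperms criteria` would make it explicit. The enclosing results() loop continues outside this hunk.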
@@ -169,7 +229,7 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
#
if self.boolean:
try:
- if not self._match_regex_or_set(
+ if not match_regex_or_set(
rule.conditional.booleans,
self.boolean,
self.boolean_equal,