Diffstat (limited to 'lib/python2.7/site-packages/setools/terulequery.py')
-rwxr-xr-x[-rw-r--r--] | lib/python2.7/site-packages/setools/terulequery.py | 80 |
1 files changed, 70 insertions, 10 deletions
diff --git a/lib/python2.7/site-packages/setools/terulequery.py b/lib/python2.7/site-packages/setools/terulequery.py
index eff8df1..9935e4e 100644..100755
--- a/lib/python2.7/site-packages/setools/terulequery.py
+++ b/lib/python2.7/site-packages/setools/terulequery.py
@@ -21,7 +21,9 @@
 import re
 from . import mixins, query
 from .descriptors import CriteriaDescriptor, CriteriaSetDescriptor
+from .policyrep import ioctlSet
 from .policyrep.exception import RuleUseError, RuleNotConditional
+from .util import match_regex, match_indirect_regex, match_regex_or_set
 class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuery):
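Review bot: `match_regex` is added to the `.util` import but none of the hunks in this diff call it — only `match_indirect_regex` and `match_regex_or_set` are used — so unless another part of the file relies on it, it should be dropped to keep the import list honest. Relatedly, the new `__init__` in the next hunk calls `logging.getLogger(__name__)`, and `logging` is not among the imports visible here; if `import logging` is not already present above line 21, that call raises NameError on construction. The file header above this hunk is outside the diff, so this needs confirming against the full file.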
@@ -87,23 +89,54 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
 target = CriteriaDescriptor("target_regex", "lookup_type_or_attr")
 target_regex = False
 target_indirect = True
- default = CriteriaDescriptor("default_regex", "lookup_type")
+ default = CriteriaDescriptor("default_regex", "lookup_type_or_attr")
 default_regex = False
 boolean = CriteriaSetDescriptor("boolean_regex", "lookup_boolean")
 boolean_regex = False
 boolean_equal = False
+ _xperms = None
+ xperms_equal = False
+
+ @property
+ def xperms(self):
+ return self._xperms
+
+ @xperms.setter
+ def xperms(self, value):
+ if value:
+ pending_xperms = ioctlSet()
+
+ for low, high in value:
+ if not (0 <= low <= 0xffff):
+ raise ValueError("{0:#07x} is not a valid ioctl.".format(low))
+
+ if not (0 <= high <= 0xffff):
+ raise ValueError("{0:#07x} is not a valid ioctl.".format(high))
+
+ if high < low:
+ high, low = low, high
+
+ pending_xperms.update(i for i in range(low, high+1))
+
+ self._xperms = pending_xperms
+ else:
+ self._xperms = None
+
+ def __init__(self, policy, **kwargs):
+ super(TERuleQuery, self).__init__(policy, **kwargs)
+ self.log = logging.getLogger(__name__)
 
 def results(self):
 """Generator which yields all matching TE rules."""
- self.log.info("Generating results from {0.policy}".format(self))
+ self.log.info("Generating TE rule results from {0.policy}".format(self))
 self.log.debug("Ruletypes: {0.ruletype}".format(self))
 self.log.debug("Source: {0.source!r}, indirect: {0.source_indirect}, "
 "regex: {0.source_regex}".format(self))
 self.log.debug("Target: {0.target!r}, indirect: {0.target_indirect}, "
 "regex: {0.target_regex}".format(self))
- self.log.debug("Class: {0.tclass!r}, regex: {0.tclass_regex}".format(self))
- self.log.debug("Perms: {0.perms!r}, regex: {0.perms_regex}, eq: {0.perms_equal}".
- format(self))
+ self._match_object_class_debug(self.log)
+ self._match_perms_debug(self.log)
+ self.log.debug("Xperms: {0.xperms!r}, eq: {0.xperms_equal}".format(self))
 self.log.debug("Default: {0.default!r}, regex: {0.default_regex}".format(self))
 self.log.debug("Boolean: {0.boolean!r}, eq: {0.boolean_equal}, "
 "regex: {0.boolean_regex}".format(self))
@@ -119,7 +152,7 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
 #
 # Matching on source type
 #
- if self.source and not self._match_indirect_regex(
+ if self.source and not match_indirect_regex(
 rule.source,
 self.source,
 self.source_indirect,
@@ -129,7 +162,7 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
 #
 # Matching on target type
 #
- if self.target and not self._match_indirect_regex(
+ if self.target and not match_indirect_regex(
 rule.target,
 self.target,
 self.target_indirect,
@@ -146,19 +179,46 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
 # Matching on permission set
 #
 try:
- if not self._match_perms(rule):
+ if self.perms and rule.extended:
+ if self.perms_equal and len(self.perms) > 1:
+ # if criteria is more than one standard permission,
+ # extended perm rules can never match if the
+ # permission set equality option is on.
+ continue
+
+ if rule.xperm_type not in self.perms:
+ continue
+ elif not self._match_perms(rule):
 continue
 except RuleUseError:
 continue
 
 #
+ # Matching on extended permissions
+ #
+ try:
+ if self.xperms and not match_regex_or_set(
+ rule.perms,
+ self.xperms,
+ self.xperms_equal,
+ False):
+ continue
+
+ except RuleUseError:
+ continue
+
+ #
 # Matching on default type
 #
 if self.default:
 try:
- if not self._match_regex(
+ # because default type is always a single
+ # type, hard-code indirect to True
+ # so the criteria can be an attribute
+ if not match_indirect_regex(
 rule.default,
 self.default,
+ True,
 self.default_regex):
 continue
 except RuleUseError:
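Review bot: The new `xperms` setter has no docstring, so the shape it expects — an iterable of `(low, high)` pairs, inclusive on both ends, swapped when given reversed, each bound checked against 0..0xffff — is only discoverable by reading the loop, and a caller that passes a flat sequence of ints gets a generic unpacking TypeError instead of a message about the expected pairs. Suggest a setter docstring along the lines of `"""Set ioctl criteria from an iterable of (low, high) inclusive ranges; raises ValueError if a bound is outside 0..0xffff."""`. The generator in `pending_xperms.update(i for i in range(low, high+1))` adds nothing over `pending_xperms.update(range(low, high + 1))`, which reads the same and drops a layer. As a point of style, the new `__init__` is placed after the property definitions; it conventionally sits first in the class body, which also makes the `self.log` attribute that `results()` depends on visible at the top.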
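Review bot: In the new extended-permissions block, `rule.perms` is handed to `match_regex_or_set` for every rule, including standard (non-extended) rules whose perms are permission names rather than ioctl numbers; the block appears to rely on that comparison simply finding no overlap, whereas the permission block directly above it guards on `rule.extended` explicitly. Stating the intent in the condition, `if self.xperms and (not rule.extended or not match_regex_or_set(rule.perms, self.xperms, self.xperms_equal, False)):`, avoids the cross-type comparison and documents that an xperms criterion only matches extended rules — assuming that is the intended semantics, which the hunk does not say. The trailing `False` argument also deserves a one-line comment, e.g. `# ioctl criteria are numeric ranges, so regex matching does not apply`. The enclosing `results()` loop begins outside this hunk.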
@@ -169,7 +229,7 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
 #
 if self.boolean:
 try:
- if not self._match_regex_or_set(
+ if not match_regex_or_set(
 rule.conditional.booleans,
 self.boolean,
 self.boolean_equal, |