[Compiled Python bytecode (.pyc) of /usr/lib64/python3.9/site-packages/setools/permmap.py, the SELinux permission-map module used by setools for information-flow analysis. Only the embedded string constants are recoverable; the code itself is not.]

Recoverable names: RuleWeight, validate_weight, validate_direction, Mapping, PermissionMap (methods: __init__, __str__, __deepcopy__, __iter__, load, save, classes, perms, mapping, exclude_class, exclude_permission, include_class, include_permission, map_policy, rule_weight, set_direction, set_weight); imported from setools: exception, PermissionMapDescriptor, AVRule, SELinuxPolicy, TERuletype; information-flow directions r, w, b, n.

Recoverable docstrings and messages, in file order:

RuleWeight: "The read and write weights for a rule, given all of its permissions."
validate_weight: "Permission weights must be 1-10: {0}"
validate_direction: "Invalid information flow direction: {0}"
Mapping: "A mapping for a permission in the permission map."; errors "{0} is not mapped." and "{0}:{1} is not mapped."
PermissionMap: "Permission Map for information flow analysis."
PermissionMap.__init__: "Parameter: permmapfile The path to the permission map to load."; default map at "{0}/setools/perm_map" of the installed setools distribution.
PermissionMap.load: "Opening permission map "{0}"", "{0}:{1}:Invalid number of classes: {2}", "{0}:{1}:Number of classes must be positive: {2}", "{0}:{1}:Invalid class declaration: {2}", "{0}:{1}:Invalid number of permissions: {2}", "{0}:{1}:Number of permissions must be positive: {2}", "{0}:{1}:Extra class found: {2}", "{0}:{1}:Invalid information flow direction: {2}", "{0}:{1}:Invalid permission weight: {2}", "{0}:{1}:Permission weight must be {3}-{4}: {2}", "Read {0}:{1} {2} {3}", "Permission {0}:{1} is unmapped.", "Successfully opened permission map "{0}"", "Read {0} classes and {1} total permissions."
PermissionMap.save: "Save the permission map to the specified path. Existing files will be overwritten. Parameter: permmapfile The path to write the permission map."; "Writing permission map to "{0}"", "Warning: permission {0} in class {1} is unmapped.", "Successfully wrote permission map to "{0}"".
PermissionMap.classes: "Generate class names in the permission map. Yield: class An object class name."
PermissionMap.perms: "Generate permission mappings for the specified class. Parameter: class_ An object class name. Yield: Mapping A permission's complete map (weight, direction, enabled)"
PermissionMap.mapping: "Retrieve a specific permission's mapping."
PermissionMap.exclude_class: "Exclude all permissions in an object class for calculating rule weights. Parameter: class_ The object class to exclude. Exceptions: UnmappedClass The specified object class is not mapped."
PermissionMap.exclude_permission: "Exclude a permission for calculating rule weights. Parameter: class_ The object class of the permission. permission The permission name to exclude. Exceptions: UnmappedClass The specified object class is not mapped. UnmappedPermission The specified permission is not mapped for the object class."
PermissionMap.include_class: "Include all permissions in an object class for calculating rule weights. Parameter: class_ The object class to include. Exceptions: UnmappedClass The specified object class is not mapped."
PermissionMap.include_permission: "Include a permission for calculating rule weights. Parameter: class_ The object class of the permission. permission The permission name to include. Exceptions: UnmappedClass The specified object class is not mapped. UnmappedPermission The specified permission is not mapped for the object class."
PermissionMap.map_policy: "Create mappings for all classes and permissions in the specified policy."; "Adding unmapped class {0} from {1}", "Adding unmapped permission {0} in {1} from {2}".
PermissionMap.rule_weight: "Get the type enforcement rule's information flow read and write weights. Parameter: rule A type enforcement rule. Return: Tuple(read_weight, write_weight) read_weight The type enforcement rule's read weight. write_weight The type enforcement rule's write weight."; error "{0} rules cannot be used for calculating a weight".
PermissionMap.set_direction: "Set the information flow direction of a permission. Parameter: class_ The object class of the permission. permission The permission name. direction The information flow direction the permission (r/w/b/n). Exceptions: UnmappedClass The specified object class is not mapped. UnmappedPermission The specified permission is not mapped for the object class."
PermissionMap.set_weight: "Set the weight of a permission. Parameter: class_ The object class of the permission. permission The permission name. weight The weight of the permission (1-10). Exceptions: UnmappedClass The specified object class is not mapped. UnmappedPermission The specified permission is not mapped for the object class."