a qqe]` @sddlZddlmZddlmZddlmZddlmZm Z m Z m Z m Z m Z mZmZmZmZddlmZmZmZddlmZmZmZmZmZmZmZd d lmZd d l m!Z!d d l"m#Z#m$Z$d d l%m&Z&m'Z'd dlm(Z(d dl)m*Z*edZ+edZ,Gddde Z-Gddde Z.GdddeZ/Gddde Z0Gddde Z1Gddde Z2eee3fZ4ee5e3fZ6e e4e e6e e3e e3e e3e1fffffZ7e ee7e2e/dddd Z8e7dd!d"d#Z9e7e2ee ee ee e-fd$d%d&Z:e3e d'gdfd(d)d*Z;e ee d+d,d-d.ZGd3d'd'e#Z?Gd4d+d+e$eZ@Gd5d6d6e$ZAdS)7N) defaultdict)intern)Enum) AnyCallableDictIterableList NamedTupleOptionalSetTupleUnion)RuleNotConditional RuleUseErrorTERuleNoFilename) AnyTERuleAVRule AVRuleXperm ConditionalIoctlSet TERuletypeType)conditional_wrapper_factory)DiffResultDescriptor) DifferenceWrapper)type_wrapper_factorytype_or_attr_wrapper_factory)RuleList)class_wrapper_factoryz<>Truec@sVeZdZUdZeed<eeee fed<eeee fed<eeee fed<dS)ModifiedAVRulez5Difference details for a modified access vector rule.rule added_perms removed_perms matched_permsN) __name__ __module__ __qualname____doc__r__annotations__rr strrr/r/:/usr/lib64/python3.9/site-packages/setools/diff/terules.pyr$s r$c@s*eZdZUdZeed<eed<eed<dS)ModifiedTERulez.Difference details for a modified type_* rule.r%Z added_defaultZremoved_defaultN)r)r*r+r,rr-rr/r/r/r0r1$s r1c@seZdZdZdZdS)SiderrN)r)r*r+leftrightr/r/r/r0r20sr2c@s"eZdZUeeed<eed<dS)RuleDBSideDataRecordperms orig_ruleN)r)r*r+r r.r-rr/r/r/r0r55s  r5c@s&eZdZUeeed<eeed<dS)RuleDBSidesRecordr3r4N)r)r*r+r r5r-r/r/r/r0r8:s  r8c@s.eZdZUeeefed<eeefed<dS) TypeDBRecordr3r4N)r)r*r+rr.rr-r/r/r/r0r9?s r9) rule_listrule_dbtype_dbsidereturnc Cs|tjkr|j}n|j}|D]}z tt|j}tt|j}Wnty\t}t }Yn0||vrt ||<t |||<n|||vrt |||<|j j }t |j} t| |} |||} |jD]} | j } | |vr| || <| | vrt | | <|jD]}|j }||vr |||<|| | vrcCsR|tt}|D]6\}}|tkr(q|D]}|D]\}}||vrRq>|D]\}}|||vrpqZ|D]\} } | |||vrqx|||| } | j} | j} | jr| r| j| jj@}|r| j|}|rt|| j} nd} t | | || <| jrx| rx| j| jj@}|rx| j|}|r2t|| j} nd} t | | || <qxqZq>q0qdSN) rArBitemsvaluesr3r4r6r5r7r8)r;Z uncond_blockrL cond_blocksrNrOsrc_datarPtgt_datarDrMZuncond_side_datarQrRcrSr/r/r0_av_remove_redundant_rulessB      r\)r;r<r>c CsTg}g}g}|D]2}|D]"}|D]\}}|D]\} } | D]} | jr| jr| jj| jj@} | jj| } | jj| }| s|r| jj}||j||j| | jj}|t||| | qT| jr | jj}||j||j| | jj}||qT| jrT| jj}||j||j| | jj}||qTqBq0q"q|||fSrU) rWrVr3r4r6r7Zderive_expandedappendr$)r;r<addedremovedmodifiedrXrNrOrYrPrZrMZ common_permsZ left_permsZ right_permsZ original_ruler%r/r/r0_av_generate_diffssJ      raTERulesDifference)ruletyper>cs tddfdd }|S)z This is a template for the access vector diff functions. Parameters: ruletype The rule type, e.g. "allow". Nr>cs2|jd||jdus(|jdur0|ttt}t}t|t<t|tt <|jd|t |j||t j |jd|t |j||t j |jdt||jdt||\}}}|j |j |t|d|t|d|t|d |dS) 6Generate the difference in rules between the policies.CGenerating {0} differences from {1.left_policy} to {1.right_policy}Nz(Expanding AV rules from {0.left_policy}.z)Expanding AV rules from {0.right_policy}.zRemoving redundant AV rules.zGenerating AV rule diff. added_{0}s removed_{0}s modified_{0}s)loginfoformat_left_te_rules_right_te_rules_create_te_rule_listsr9rCrArBrTr2r3r4r\raclearsetattr)selfr<r;r^r_r`rcr/r0diffs2     zav_diff_template..diffrlookuprcrtr/rsr0av_diff_templates #rxAVRuleXpermWrapper)r:r>c Cst}|D]N}|D]@}t|}z||j|jO_WqtyT|||<Yq0qq |rzttd |t || S)z` Generator that yields wrapped, expanded, av(x) rules with unioned permission sets. z/Expanded {0.ruletype} rules for {0.policy}: {1}) rCrHryr6KeyErrorloggingZ getLoggerr)debugrllenkeys)r:rVrKZ expanded_ruleZexpanded_wrapped_ruler/r/r0_avxrule_expand_generator"s   rcs tddfdd }|S)z This is a template for the extended permission access vector diff functions. Parameters: ruletype The rule type, e.g. "allowxperm". Nrdc s|jd||jr |js(||jt|jt|jdd\}}}g}|D]V\}}|j|j|jdd\}}} |s|rZ| t |j t |t |t dd| DqZt |dtdd|Dt |dtd d|Dt |d |d S) rerfF)unwrapcss|]}|dVqdS)rNr/).0rSr/r/r0 fz2avx_diff_template..diff..rgcss|] }|jVqdSrUorigin)rar/r/r0rhrrhcss|] }|jVqdSrUr)rrr/r/r0rirriN)rjrkrlrmrnro _set_diffrr6r]r$rrrqrF) rrr^r_matchedr` left_rule right_ruler&r'r(rsr/r0rtHs6         zavx_diff_template..diffrurwr/rsr0avx_diff_template>s $rcs tddfdd }|S)z This is a template for the type_* diff functions. Parameters: ruletype The rule type, e.g. "type_transition". Nrdcs|jd||jdus(|jdur0||||jt||jt\}}}g}|D]2\}}t |j t |j krf| t ||j |j qft |d|t |d|t |d|dS)rerfNrgrhri)rjrkrlrmrnrorZ_expand_generator TERuleWrapperrdefaultr]r1rq)rrr^r_rr`rrrsr/r0rtys*  zte_diff_template..diffrurwr/rsr0te_diff_templateos rc@seZdZUdZedZedZedZedZ edZ edZ edZ edZ edZedZedZedZedZed Zed Zed Zed Zed Zed Zed Zed Zed Zed Zed ZedZedZ edZ!edZ"edZ#edZ$edZ%edZ&e'dZ(edZ)edZ*edZ+e'dZ,edZ-edZ.edZ/e'dZ0edZ1edZ2edZ3dZ4e5e6e7fe8d<dZ9e5e6e7fe8d<ddddZ:ddddZ;dS) rbzV Determine the difference in type enforcement rules between two policies. Zallow diff_allowsZ auditallowdiff_auditallowsZ neverallowdiff_neverallowsZ dontauditdiff_dontauditsZ allowxpermdiff_allowxpermsZauditallowxpermdiff_auditallowxpermsZneverallowxpermdiff_neverallowxpermsZdontauditxpermdiff_dontauditxpermsZtype_transitiondiff_type_transitionsZ type_changediff_type_changesZ type_memberdiff_type_membersNrmrnrdcCs|jd|tt|_|jD]}|j|j |q&|j D] \}}|jdt ||qH|jd|tt|_ |j D]}|j |j |q|j D] \}}|jdt ||q|jddS)z$Create rule lists for both policies.z+Building TE rule lists from {0.left_policy}zLoaded {0} {1} rules.z,Building TE rule lists from {0.right_policy}z!Completed building TE rule lists.N)rjr|rlrlistrmZ left_policyZterulesrcr]rVr}rnZ right_policy)rrr%rcZrulesr/r/r0ros  z'TERulesDifference._create_te_rule_listscCs|jdd|_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_ d|_!d|_"d|_#d|_$dS)z%Reset diff results on policy changes.zResetting TE rule differencesN)%rjr| added_allowsremoved_allowsmodified_allowsadded_auditallowsremoved_auditallowsmodified_auditallowsadded_neverallowsremoved_neverallowsmodified_neverallowsadded_dontauditsremoved_dontauditsmodified_dontauditsadded_allowxpermsremoved_allowxpermsmodified_allowxpermsadded_auditallowxpermsremoved_auditallowxpermsmodified_auditallowxpermsadded_neverallowxpermsremoved_neverallowxpermsmodified_neverallowxpermsadded_dontauditxpermsremoved_dontauditxpermsmodified_dontauditxpermsadded_type_transitionsremoved_type_transitionsmodified_type_transitionsadded_type_changesremoved_type_changesmodified_type_changesadded_type_membersremoved_type_membersmodified_type_membersrmrnrrr/r/r0 _reset_diffsH zTERulesDifference._reset_diff)cCsL||_t|j|_t|j|_t|j|_|j|_t|j|_t ||_ dSrU) rr rGrIr"rDrrFr6hashkeyrrr%r/r/r0__init__!s    zAVRuleXpermWrapper.__init__cCs|jSrUrrr/r/r0__hash__*szAVRuleXpermWrapper.__hash__cCs |j|jkSrUrrrotherr/r/r0__lt__-szAVRuleXpermWrapper.__lt__cCs0|j|jko.|j|jko.|j|jko.|j|jkSrU)rGrIrDrrr/r/r0__eq__0s    zAVRuleXpermWrapper.__eq__) r)r*r+r, __slots__rrrrrr/r/r/r0rys  c@s4eZdZdZdZddZddZddZd d Zd S) rz*Wrap type_* rules to allow set operations.rGrIrDr?r@filenamec Cs||_t|j|_t|j|_t|j|_t||_zt|j |_ |j |_ Wnt yjd|_ d|_ Yn0z |j |_ Wnt tfyd|_ Yn0dSrU)rr rGrIr"rDrrrr?r@rrrrrr/r/r0r?s         zTERuleWrapper.__init__cCs|jSrUrrr/r/r0rRszTERuleWrapper.__hash__cCs |j|jkSrUrrr/r/r0rUszTERuleWrapper.__lt__cCsH|j|jkoF|j|jkoF|j|jkoF|j|jkoF|j|jkoF|j|jkSrUrrr/r/r0rXs      zTERuleWrapper.__eq__N) r)r*r+r,rrrrrr/r/r/r0r9s r)Br{ collectionsrsysrenumrtypingrrrrr r r r r r exceptionrrrZ policyreprrrrrrrr?rZ descriptorsr differencerrrJrr r!Zobjclassr"rArBr$r1r2r5r8r9r.ZCondExpboolZ CondBlockZRuleDBrTr\rarxrrrrbryrr/r/r/r0sL   0$        ,  [& '01(