ACIL FM

Pilih semua

Nama	Ukuran	Aksi
__pycache__	-	Open
assertrbac.py	3.89 MB	View DL Edit
assertte.py	4.39 MB	View DL Edit
checker.py	5.22 MB	View DL Edit
checkermodule.py	3.9 MB	View DL Edit
descriptors.py	4.19 MB	View DL Edit
emptyattr.py	2.71 MB	View DL Edit
globalkeys.py	301 B	View DL Edit
roexec.py	3.53 MB	View DL Edit
util.py	344 B	View DL Edit
__init__.py	215 B	View DL Edit

Edit file: /usr/lib64/python3.9/site-packages/setools/checker/assertte.py

# Copyright 2020, Microsoft Corporation
# Copyright 2020, Chris PeBenito <pebenito@ieee.org>
#
# SPDX-License-Identifier: LGPL-2.1-only
#

import logging
from typing import List, Union

from ..exception import InvalidCheckValue
from ..policyrep import AnyTERule
from ..terulequery import TERuleQuery
from .checkermodule import CheckerModule
from .descriptors import ConfigDescriptor, ConfigSetDescriptor, ConfigPermissionSetDescriptor

SOURCE_OPT = "source"
TARGET_OPT = "target"
CLASS_OPT = "tclass"
PERMS_OPT = "perms"
EXEMPT_SRC_OPT = "exempt_source"
EXEMPT_TGT_OPT = "exempt_target"
EXPECT_SRC_OPT = "expect_source"
EXPECT_TGT_OPT = "expect_target"

class AssertTE(CheckerModule):

"""Checker module for asserting a type enforcement allow rule exists (or not)."""

check_type = "assert_te"
    check_config = frozenset((SOURCE_OPT, TARGET_OPT, CLASS_OPT, PERMS_OPT, EXEMPT_SRC_OPT,
                              EXEMPT_TGT_OPT, EXPECT_SRC_OPT, EXPECT_TGT_OPT))

source = ConfigDescriptor("lookup_type_or_attr")
    target = ConfigDescriptor("lookup_type_or_attr")
    tclass = ConfigSetDescriptor("lookup_class", strict=True, expand=False)
    perms = ConfigPermissionSetDescriptor()

exempt_source = ConfigSetDescriptor("lookup_type_or_attr", strict=False, expand=True)
    exempt_target = ConfigSetDescriptor("lookup_type_or_attr", strict=False, expand=True)
    expect_source = ConfigSetDescriptor("lookup_type_or_attr", strict=True, expand=True)
    expect_target = ConfigSetDescriptor("lookup_type_or_attr", strict=True, expand=True)

def __init__(self, policy, checkname, config) -> None:
        super().__init__(policy, checkname, config)
        self.log = logging.getLogger(__name__)

self.source = config.get(SOURCE_OPT)
        self.target = config.get(TARGET_OPT)
        self.tclass = config.get(CLASS_OPT)
        self.perms = config.get(PERMS_OPT)

self.exempt_source = config.get(EXEMPT_SRC_OPT)
        self.exempt_target = config.get(EXEMPT_TGT_OPT)
        self.expect_source = config.get(EXPECT_SRC_OPT)
        self.expect_target = config.get(EXPECT_TGT_OPT)

if not any((self.source, self.target, self.tclass, self.perms)):
            raise InvalidCheckValue(
                "At least one of source, target, tclass, or perms options must be set.")

source_exempt_expect_overlap = self.exempt_source & self.expect_source
        if source_exempt_expect_overlap:
            self.log.info("Overlap in expect_source and exempt_source: {}".
                          format(", ".join(i.name for i in source_exempt_expect_overlap)))

target_exempt_expect_overlap = self.exempt_target & self.expect_target
        if target_exempt_expect_overlap:
            self.log.info("Overlap in expect_target and exempt_target: {}".
                          format(", ".join(i.name for i in target_exempt_expect_overlap)))

def run(self) -> List:
        assert any((self.source, self.target, self.tclass, self.perms)), \
            "AssertTe no options set, this is a bug."

self.log.info("Checking TE allow rule assertion.")

query = TERuleQuery(self.policy,
                            source=self.source,
                            target=self.target,
                            tclass=self.tclass,
                            perms=self.perms,
                            ruletype=("allow",))

unseen_sources = set(self.expect_source)
        unseen_targets = set(self.expect_target)
        failures: List[Union[AnyTERule, str]] = []
        for rule in sorted(query.results()):
            srcs = set(rule.source.expand())
            tgts = set(rule.target.expand())

unseen_sources -= srcs
            unseen_targets -= tgts
            if (srcs - self.expect_source - self.exempt_source) and \
                    (tgts - self.expect_target - self.exempt_target):

self.log_fail(str(rule))
                failures.append(rule)
            else:
                self.log_ok(str(rule))

for item in unseen_sources:
            failure = "Expected rule with source \"{}\" not found.".format(item)
            self.log_fail(failure)
            failures.append(failure)

for item in unseen_targets:
            failure = "Expected rule with target \"{}\" not found.".format(item)
            self.log_fail(failure)
            failures.append(failure)

self.log.debug("{} failure(s)".format(failures))
        return failures

Batal

Isi Zip:

Create