Edit file: /usr/lib64/python3.9/site-packages/setools/checker/roexec.py
# Copyright 2020, Microsoft Corporation
#
# SPDX-License-Identifier: LGPL-2.1-only
#

import logging
from collections import defaultdict
from typing import Dict, List, Set

from ..policyrep import AnyTERule, Type
from ..terulequery import TERuleQuery
from .checkermodule import CheckerModule
from .descriptors import ConfigSetDescriptor

# Names of the configuration options this check accepts.
EXEMPT_WRITE = "exempt_write_domain"
EXEMPT_EXEC = "exempt_exec_domain"
EXEMPT_FILE = "exempt_file"


class ReadOnlyExecutables(CheckerModule):

    """
    Checker module for asserting all executable files are read-only.

    A file type is treated as executable when an allow rule on class
    "file" grants "execute" or "execute_no_trans" and, after the
    configured exemptions are subtracted, the rule still has at least
    one source and one target.  Such a type fails the check when an
    allow rule on class "file" grants "write" or "append" on it to at
    least one source that is not an exempt write domain.

    Only those four permissions on class "file" are queried here; any
    other permission or object class is outside what this check
    examines.  Every exemption narrows the check, so the three exempt
    options are worth reviewing together with the results.
    """

    check_type = "ro_execs"
    check_config = frozenset((EXEMPT_WRITE, EXEMPT_EXEC, EXEMPT_FILE))

    # One descriptor per option.  NOTE(review): presumably each resolves
    # the configured names through lookup_type_or_attr and expands
    # attributes into a set of types; confirm in ConfigSetDescriptor.
    exempt_write_domain = ConfigSetDescriptor("lookup_type_or_attr", strict=False, expand=True)
    exempt_file = ConfigSetDescriptor("lookup_type_or_attr", strict=False, expand=True)
    exempt_exec_domain = ConfigSetDescriptor("lookup_type_or_attr", strict=False, expand=True)

    def __init__(self, policy, checkname, config) -> None:
        """
        Set up the check and load the three exemption options.

        Parameters:
        policy      Policy object handed to the base class.
        checkname   Name of this check, handed to the base class.
        config      Mapping holding the options for this check; a
                    missing option is passed on as None.
        """
        super().__init__(policy, checkname, config)
        self.log = logging.getLogger(__name__)

        # Assignments go through the class-level descriptors above.
        self.exempt_write_domain = config.get(EXEMPT_WRITE)
        self.exempt_file = config.get(EXEMPT_FILE)
        self.exempt_exec_domain = config.get(EXEMPT_EXEC)

    def _collect_executables(self) -> Dict[Type, Set[AnyTERule]]:
        """
        Map each executable file type to the allow rules that make it
        executable.

        Exempt exec domains are removed from each rule's expanded
        sources and exempt files from its expanded targets.  A rule
        left without sources or without targets contributes nothing.
        """
        self.log.debug("Collecting list of executable file types.")
        self.log.debug("Ignore exec domains: {!r}".format(self.exempt_exec_domain))

        exec_query = TERuleQuery(self.policy,
                                 ruletype=("allow",),
                                 tclass=("file",),
                                 perms=("execute", "execute_no_trans"))

        rules_by_type = defaultdict(set)
        for exec_rule in exec_query.results():
            live_sources = set(exec_rule.source.expand()) - self.exempt_exec_domain
            live_targets = set(exec_rule.target.expand()) - self.exempt_file

            if live_sources and live_targets:
                for file_type in live_targets:
                    self.log.debug("Determined {} is executable by: {}".format(file_type,
                                                                               exec_rule))
                    rules_by_type[file_type].add(exec_rule)
            else:
                # Either side is empty: an empty attribute, or every
                # member was exempted.
                self.log.debug("Ignoring execute rule: {}".format(exec_rule))

        return rules_by_type

    def run(self) -> List:
        """
        Run the check and report every executable type that is writable.

        For each failing type the execute rules are written to
        self.output and each offending write rule is passed to
        self.log_fail (not defined in this class).

        Return:  Sorted list of the executable types that failed.
        """
        self.log.info("Checking executables are read-only.")

        query = TERuleQuery(self.policy,
                            ruletype=("allow",),
                            tclass=("file",),
                            perms=("write", "append"))
        executables = self._collect_executables()
        failures = defaultdict(set)

        for exec_type in executables:
            self.log.debug("Checking if executable type {} is writable.".format(exec_type))

            # The same query object is re-targeted for every type.
            query.target = exec_type
            offending = [write_rule for write_rule in sorted(query.results())
                         if set(write_rule.source.expand()) - self.exempt_write_domain]

            # Touch the defaultdict only when there is something to
            # record, so clean types never become keys.
            if offending:
                failures[exec_type].update(offending)

        failed_types = sorted(failures.keys())
        for exec_type in failed_types:
            self.output.write("\n------------\n\n")
            self.output.write("Executable type {} is writable.\n\n".format(exec_type))
            self.output.write("Execute rules:\n")
            for exec_rule in sorted(executables[exec_type]):
                self.output.write(" * {}\n".format(exec_rule))

            self.output.write("\nWrite rules:\n")
            for write_rule in sorted(failures[exec_type]):
                self.log_fail(str(write_rule))

        self.log.debug("{} failure(s)".format(len(failures)))
        return failed_types