def get_entrypoint_types(setype):
q = TERuleQuery(_pol,
ruletype=[ALLOW],
source=setype,
tclass=["file"],
perms=["entrypoint"])
return [str(x.target) for x in q.results() if x.source == setype]
def test_000_unset(self):
"""TE rule query with no criteria."""
# query with no parameters gets all TE rules.
for numrules, r in enumerate(self.p.terules(), start=1):
pass
q = TERuleQuery(self.p)
for q_numrules, r in enumerate(q.results(), start=1):
pass
self.assertEqual(numrules, q_numrules)
def test_009_class(self):
"""TE rule query with exact object class match."""
q = TERuleQuery(self.p, tclass="infoflow2", tclass_regex=False)
r = sorted(q.results())
self.assertEqual(len(r), 1)
self.assertEqual(r[0].ruletype, "allow")
self.assertEqual(r[0].source, "test9")
self.assertEqual(r[0].target, "test9")
self.assertEqual(r[0].tclass, "infoflow2")
self.assertSetEqual(set(["super_w"]), r[0].perms)
self.assertRaises(RuleNotConditional, getattr, r[0], "conditional")
def test_100_default(self):
"""TE rule query with default type exact match."""
q = TERuleQuery(self.p, default="test100d", default_regex=False)
r = sorted(q.results())
self.assertEqual(len(r), 1)
self.assertEqual(r[0].ruletype, "type_transition")
self.assertEqual(r[0].source, "test100")
self.assertEqual(r[0].target, "test100")
self.assertEqual(r[0].tclass, "infoflow7")
self.assertEqual(r[0].default, "test100d")
self.assertRaises(RuleNotConditional, getattr, r[0], "conditional")
def test_005_target_direct(self):
"""TE rule query with exact, direct, target match."""
q = TERuleQuery(
self.p, target="test5a", target_indirect=False, target_regex=False)
r = sorted(q.results())
self.assertEqual(len(r), 1)
self.assertEqual(r[0].ruletype, "allow")
self.assertEqual(r[0].source, "test5s")
self.assertEqual(r[0].target, "test5a")
self.assertEqual(r[0].tclass, "infoflow")
self.assertSetEqual(set(["hi_w"]), r[0].perms)
self.assertRaises(RuleNotConditional, getattr, r[0], "conditional")
def test_002_source_indirect(self):
"""TE rule query with exact, indirect, source match."""
q = TERuleQuery(
self.p, source="test2s", source_indirect=True, source_regex=False)
r = sorted(q.results())
self.assertEqual(len(r), 1)
self.assertEqual(r[0].ruletype, "allow")
self.assertEqual(r[0].source, "test2a")
self.assertEqual(r[0].target, "test2t")
self.assertEqual(r[0].tclass, "infoflow")
self.assertSetEqual(set(["hi_w"]), r[0].perms)
self.assertRaises(RuleNotConditional, getattr, r[0], "conditional")
def test_003_source_direct_regex(self):
"""TE rule query with regex, direct, source match."""
q = TERuleQuery(
self.p, source="test3a.*", source_indirect=False, source_regex=True)
r = sorted(q.results())
self.assertEqual(len(r), 1)
self.assertEqual(r[0].ruletype, "allow")
self.assertEqual(r[0].source, "test3aS")
self.assertEqual(r[0].target, "test3t")
self.assertEqual(r[0].tclass, "infoflow")
self.assertSetEqual(set(["low_r"]), r[0].perms)
self.assertRaises(RuleNotConditional, getattr, r[0], "conditional")
def get_init_entrypoint(transtype):
q = TERuleQuery(_pol,
ruletype=["type_transition"],
source="init_t",
tclass=["process"])
entrypoints = []
for i in q.results():
try:
if i.default == transtype:
entrypoints.append(i.target)
except AttributeError:
continue
return entrypoints
def test_013_perms_equal(self):
"""TE rule query with permission set equality."""
q = TERuleQuery(
self.p, perms=["super_w", "super_none", "super_both"], perms_equal=True)
r = sorted(q.results())
self.assertEqual(len(r), 1)
self.assertEqual(r[0].ruletype, "allow")
self.assertEqual(r[0].source, "test13c")
self.assertEqual(r[0].target, "test13c")
self.assertEqual(r[0].tclass, "infoflow7")
self.assertSetEqual(
set(["super_w", "super_none", "super_both"]), r[0].perms)
self.assertRaises(RuleNotConditional, getattr, r[0], "conditional")
def get_init_entrypoints_str():
q = TERuleQuery(_pol,
ruletype=["type_transition"],
source="init_t",
tclass=["process"])
entrypoints = {}
for i in q.results():
try:
transtype = str(i.default)
if transtype in entrypoints:
entrypoints[transtype].append(str(i.target))
else:
entrypoints[transtype] = [str(i.target)]
except AttributeError:
continue
return entrypoints
def test_011_class_regex(self):
"""TE rule query with object class regex match."""
q = TERuleQuery(self.p, tclass="infoflow(5|6)", tclass_regex=True)
r = sorted(q.results())
self.assertEqual(len(r), 2)
# verify first rule
self.assertEqual(r[0].ruletype, "allow")
self.assertEqual(r[0].source, "test11")
self.assertEqual(r[0].target, "test11")
self.assertEqual(r[0].tclass, "infoflow5")
self.assertSetEqual(set(["low_w"]), r[0].perms)
self.assertRaises(RuleNotConditional, getattr, r[0], "conditional")
# verify second rule
self.assertEqual(r[1].ruletype, "allow")
self.assertEqual(r[1].source, "test11")
self.assertEqual(r[1].target, "test11")
self.assertEqual(r[1].tclass, "infoflow6")
self.assertSetEqual(set(["med_r"]), r[1].perms)
self.assertRaises(RuleNotConditional, getattr, r[1], "conditional")
def test_012_perms_any(self):
"""TE rule query with permission set intersection."""
q = TERuleQuery(self.p, perms=["super_r"], perms_equal=False)
r = sorted(q.results())
self.assertEqual(len(r), 2)
# verify first rule
self.assertEqual(r[0].ruletype, "allow")
self.assertEqual(r[0].source, "test12a")
self.assertEqual(r[0].target, "test12a")
self.assertEqual(r[0].tclass, "infoflow7")
self.assertSetEqual(set(["super_r"]), r[0].perms)
self.assertRaises(RuleNotConditional, getattr, r[0], "conditional")
# verify second rule
self.assertEqual(r[1].ruletype, "allow")
self.assertEqual(r[1].source, "test12b")
self.assertEqual(r[1].target, "test12b")
self.assertEqual(r[1].tclass, "infoflow7")
self.assertSetEqual(set(["super_r", "super_none"]), r[1].perms)
self.assertRaises(RuleNotConditional, getattr, r[1], "conditional")
def test_101_default_regex(self):
"""TE rule query with default type regex match."""
q = TERuleQuery(self.p, default="test101.", default_regex=True)
r = sorted(q.results())
self.assertEqual(len(r), 2)
# verify first rule
self.assertEqual(r[0].ruletype, "type_transition")
self.assertEqual(r[0].source, "test101")
self.assertEqual(r[0].target, "test101d")
self.assertEqual(r[0].tclass, "infoflow7")
self.assertEqual(r[0].default, "test101e")
self.assertRaises(RuleNotConditional, getattr, r[0], "conditional")
# verify second rule
self.assertEqual(r[1].ruletype, "type_transition")
self.assertEqual(r[1].source, "test101")
self.assertEqual(r[1].target, "test101e")
self.assertEqual(r[1].tclass, "infoflow7")
self.assertEqual(r[1].default, "test101d")
self.assertRaises(RuleNotConditional, getattr, r[1], "conditional")
def test_014_ruletype(self):
"""TE rule query with rule type match."""
q = TERuleQuery(self.p, ruletype=["auditallow", "dontaudit"])
r = sorted(q.results())
self.assertEqual(len(r), 2)
# verify first rule
self.assertEqual(r[0].ruletype, "auditallow")
self.assertEqual(r[0].source, "test14")
self.assertEqual(r[0].target, "test14")
self.assertEqual(r[0].tclass, "infoflow7")
self.assertSetEqual(set(["super_both"]), r[0].perms)
self.assertRaises(RuleNotConditional, getattr, r[0], "conditional")
# verify second rule
self.assertEqual(r[1].ruletype, "dontaudit")
self.assertEqual(r[1].source, "test14")
self.assertEqual(r[1].target, "test14")
self.assertEqual(r[1].tclass, "infoflow7")
self.assertSetEqual(set(["super_unmapped"]), r[1].perms)
self.assertRaises(RuleNotConditional, getattr, r[1], "conditional")
def test_006_target_indirect(self):
"""TE rule query with exact, indirect, target match."""
q = TERuleQuery(
self.p, target="test6t", target_indirect=True, target_regex=False)
r = sorted(q.results())
self.assertEqual(len(r), 2)
# verify first rule
self.assertEqual(r[0].ruletype, "allow")
self.assertEqual(r[0].source, "test6s")
self.assertEqual(r[0].target, "test6a")
self.assertEqual(r[0].tclass, "infoflow")
self.assertSetEqual(set(["hi_w"]), r[0].perms)
self.assertRaises(RuleNotConditional, getattr, r[0], "conditional")
# verify second rule
self.assertEqual(r[1].ruletype, "allow")
self.assertEqual(r[1].source, "test6s")
self.assertEqual(r[1].target, "test6t")
self.assertEqual(r[1].tclass, "infoflow")
self.assertSetEqual(set(["low_r"]), r[1].perms)
self.assertRaises(RuleNotConditional, getattr, r[1], "conditional")
def test_010_class_list(self):
"""TE rule query with object class list match."""
q = TERuleQuery(
self.p, tclass=["infoflow3", "infoflow4"], tclass_regex=False)
r = sorted(q.results())
self.assertEqual(len(r), 2)
# verify first rule
self.assertEqual(r[0].ruletype, "allow")
self.assertEqual(r[0].source, "test10")
self.assertEqual(r[0].target, "test10")
self.assertEqual(r[0].tclass, "infoflow3")
self.assertSetEqual(set(["null"]), r[0].perms)
self.assertRaises(RuleNotConditional, getattr, r[0], "conditional")
# verify second rule
self.assertEqual(r[1].ruletype, "allow")
self.assertEqual(r[1].source, "test10")
self.assertEqual(r[1].target, "test10")
self.assertEqual(r[1].tclass, "infoflow4")
self.assertSetEqual(set(["hi_w"]), r[1].perms)
self.assertRaises(RuleNotConditional, getattr, r[1], "conditional")
def test_004_source_indirect_regex(self):
"""TE rule query with regex, indirect, source match."""
q = TERuleQuery(
self.p, source="test4(s|t)", source_indirect=True, source_regex=True)
r = sorted(q.results())
self.assertEqual(len(r), 2)
# verify first rule
self.assertEqual(r[0].ruletype, "allow")
self.assertEqual(r[0].source, "test4a1")
self.assertEqual(r[0].target, "test4a1")
self.assertEqual(r[0].tclass, "infoflow")
self.assertSetEqual(set(["hi_w"]), r[0].perms)
self.assertRaises(RuleNotConditional, getattr, r[0], "conditional")
# verify second rule
self.assertEqual(r[1].ruletype, "allow")
self.assertEqual(r[1].source, "test4a2")
self.assertEqual(r[1].target, "test4a2")
self.assertEqual(r[1].tclass, "infoflow")
self.assertSetEqual(set(["low_r"]), r[1].perms)
self.assertRaises(RuleNotConditional, getattr, r[1], "conditional")
def query_for_rule(policy, r):
u"""Query a policy for rules matching a given rule.
The rule may contain regex fields."""
# Mark whether a query parameter is a regex or a string
sr = r"[a-zA-Z0-9_-]+" in r.source
tr = r"[a-zA-Z0-9_-]+" in r.target
cr = r"[a-zA-Z0-9_-]+" in r.tclass
# Handle self
if r.target == u"self":
# Override the target to match everything
xtarget = VALID_ARG_R
tr = True
else:
xtarget = r.target
# Query for an AV rule
if r.rtype in policysource.mapping.AVRULES:
query = TERuleQuery(policy=policy.policy, ruletype=[r.rtype],
source=r.source, source_regex=sr,
source_indirect=False,
target=xtarget, target_regex=tr,
target_indirect=False,
tclass=[r.tclass], tclass_regex=cr,
perms=r.permset, perms_subset=True)
# Query for a TE rule
elif r.rtype in policysource.mapping.TERULES:
dr = r"[a-zA-Z0-9_-]+" in r.deftype
query = TERuleQuery(policy=policy.policy, ruletype=[r.rtype],
source=r.source, source_regex=sr,
source_indirect=False,
target=xtarget, target_regex=tr,
target_indirect=False,
tclass=[r.tclass], tclass_regex=cr,
default=r.deftype, default_regex=dr)
else:
# We should have no other rules, as they are already filtered
# when creating the list with the rule_factory method
LOG.warning(u"Unsupported rule: \"%s\"", r)
return None
# Filter all rules
if r.target == u"self":
# Discard rules whose mask contained "self" as a target,
# but whose result's source and target are different
results = [x for x in query.results() if x.source == x.target]
else:
results = list(query.results())
filtered_results = []
# Discard rules coming from explicitly ignored paths
for x in results:
x_str = str(x)
rule = MAPPER.rule_factory(x_str)
rutc = rule.up_to_class
# Get the MappedRule(s) corresponding to this rutc
rls = [y for y in policy.mapping.rules[rutc]]
if len(rls) == 1:
# If this rule comes from a single place, this is easy.
# Drop the rule if the path it comes from is ignored
if not rls[0].fileline.startswith(FULL_IGNORE_PATHS):
filtered_results.append(x)
NON_IGNORED_MAPPING[x_str] = [rls[0].fileline]
else:
# If this rule comes from multiple places, this is more complex.
# Check that all rules that make up the specific rule we found
# come from non-ignored paths. If not, drop the rule.
if rule.rtype in policysource.mapping.AVRULES:
# Check that the permission set of the "x" rule is covered by
# non-ignored rules. If not, drop the rule.
tmpset = set()
for each in rls:
if not each.fileline.startswith(FULL_IGNORE_PATHS):
prmstr = MAPPER.rule_split_after_class(each.rule)[1]
tmpset.update(prmstr.strip(u" {};").split())
if x_str in NON_IGNORED_MAPPING:
NON_IGNORED_MAPPING[x_str].append(each.fileline)
else:
NON_IGNORED_MAPPING[x_str] = [each.fileline]
if tmpset >= rule.permset:
# The set of permissions created by non-ignored rules is
# sufficient
filtered_results.append(x)
else:
NON_IGNORED_MAPPING.pop(x_str, None)
elif rule.rtype in policysource.mapping.TERULES:
# Check for every type_transition rule individually
for each in rls:
if not each.fileline.startswith(FULL_IGNORE_PATHS):
filtered_results.append(x)
if x_str in NON_IGNORED_MAPPING:
NON_IGNORED_MAPPING[x_str].append(each.fileline)
else:
NON_IGNORED_MAPPING[x_str] = [each.fileline]
return filtered_results
def search(types, seinfo=None):
global _pol
if not _pol:
init_policy()
if not seinfo:
seinfo = {}
valid_types = set(
[ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW])
for setype in types:
if setype not in valid_types:
raise ValueError("Type has to be in %s" % " ".join(valid_types))
source = None
if SOURCE in seinfo:
source = str(seinfo[SOURCE])
target = None
if TARGET in seinfo:
target = str(seinfo[TARGET])
tclass = None
if CLASS in seinfo:
tclass = str(seinfo[CLASS]).split(',')
toret = []
tertypes = []
if ALLOW in types:
tertypes.append(ALLOW)
if NEVERALLOW in types:
tertypes.append(NEVERALLOW)
if AUDITALLOW in types:
tertypes.append(AUDITALLOW)
if DONTAUDIT in types:
tertypes.append(DONTAUDIT)
if len(tertypes) > 0:
q = TERuleQuery(_pol,
ruletype=tertypes,
source=source,
target=target,
tclass=tclass)
if PERMS in seinfo:
q.perms = seinfo[PERMS]
toret += [_setools_rule_to_dict(x) for x in q.results()]
if TRANSITION in types:
rtypes = ['type_transition', 'type_change', 'type_member']
q = TERuleQuery(_pol,
ruletype=rtypes,
source=source,
target=target,
tclass=tclass)
if PERMS in seinfo:
q.perms = seinfo[PERMS]
toret += [_setools_rule_to_dict(x) for x in q.results()]
if ROLE_ALLOW in types:
ratypes = ['allow']
q = RBACRuleQuery(_pol,
ruletype=ratypes,
source=source,
target=target,
tclass=tclass)
for r in q.results():
toret.append({'source': str(r.source), 'target': str(r.target)})
return toret
def query_for_rule(policy, r):
u"""Query a policy for rules matching a given rule.
The rule may contain regex fields."""
# Mark whether a query parameter is a regex or a string
sr = r"[a-zA-Z0-9_-]+" in r.source
tr = r"[a-zA-Z0-9_-]+" in r.target
cr = r"[a-zA-Z0-9_-]+" in r.tclass
# Handle self
if r.target == u"self":
# Override the target to match everything
xtarget = VALID_ARG_R
tr = True
else:
xtarget = r.target
# Query for an AV rule
if r.rtype in policysource.mapping.AVRULES:
query = TERuleQuery(policy=policy.policy,
ruletype=[r.rtype],
source=r.source,
source_regex=sr,
source_indirect=False,
target=xtarget,
target_regex=tr,
target_indirect=False,
tclass=[r.tclass],
tclass_regex=cr,
perms=r.permset,
perms_subset=True)
# Query for a TE rule
elif r.rtype in policysource.mapping.TERULES:
dr = r"[a-zA-Z0-9_-]+" in r.deftype
query = TERuleQuery(policy=policy.policy,
ruletype=[r.rtype],
source=r.source,
source_regex=sr,
source_indirect=False,
target=xtarget,
target_regex=tr,
target_indirect=False,
tclass=[r.tclass],
tclass_regex=cr,
default=r.deftype,
default_regex=dr)
else:
# We should have no other rules, as they are already filtered
# when creating the list with the rule_factory method
LOG.warning(u"Unsupported rule: \"%s\"", r)
return None
# Filter all rules
if r.target == u"self":
# Discard rules whose mask contained "self" as a target,
# but whose result's source and target are different
results = [x for x in query.results() if x.source == x.target]
else:
results = list(query.results())
filtered_results = []
# Discard rules coming from explicitly ignored paths
for x in results:
x_str = str(x)
rule = MAPPER.rule_factory(x_str)
rutc = rule.up_to_class
# Get the MappedRule(s) corresponding to this rutc
rls = [y for y in policy.mapping.rules[rutc]]
if len(rls) == 1:
# If this rule comes from a single place, this is easy.
# Drop the rule if the path it comes from is ignored
if not rls[0].fileline.startswith(FULL_IGNORE_PATHS):
filtered_results.append(x)
NON_IGNORED_MAPPING[x_str] = [rls[0].fileline]
else:
# If this rule comes from multiple places, this is more complex.
# Check that all rules that make up the specific rule we found
# come from non-ignored paths. If not, drop the rule.
if rule.rtype in policysource.mapping.AVRULES:
# Check that the permission set of the "x" rule is covered by
# non-ignored rules. If not, drop the rule.
tmpset = set()
for each in rls:
if not each.fileline.startswith(FULL_IGNORE_PATHS):
prmstr = MAPPER.rule_split_after_class(each.rule)[1]
tmpset.update(prmstr.strip(u" {};").split())
if x_str in NON_IGNORED_MAPPING:
NON_IGNORED_MAPPING[x_str].append(each.fileline)
else:
NON_IGNORED_MAPPING[x_str] = [each.fileline]
if tmpset >= rule.permset:
# The set of permissions created by non-ignored rules is
# sufficient
filtered_results.append(x)
else:
NON_IGNORED_MAPPING.pop(x_str, None)
elif rule.rtype in policysource.mapping.TERULES:
# Check for every type_transition rule individually
for each in rls:
if not each.fileline.startswith(FULL_IGNORE_PATHS):
filtered_results.append(x)
if x_str in NON_IGNORED_MAPPING:
NON_IGNORED_MAPPING[x_str].append(each.fileline)
else:
NON_IGNORED_MAPPING[x_str] = [each.fileline]
return filtered_results