3
Kl�f�;��������������� ���@���s����d�Z�ddlZddlZddljZy
ddlT�W�n
���Y�nX�ddlmZ�ddlmZ�ddlm Z �ddlm
Z
�dd lm
Z
�dd
lm
Z
�dZ
dZd
ZG�d
d
��d
�Zdefdd�Zdd��ZG�dd��d�Zdd��ZdS�)z>
classes and algorithms for the generation of SELinux policy.
�����N)�*����)� refpolicy)�
objectmodel)�access)�
interfaces)�matching)�util����c���������������@���s����e�Zd�ZdZd dd�Zd dd�Zd!dd �Zefd
d
�Zd
d
��Z dd��Z
dd��Z
d"dd�Z
dd��Z
dd��Zdd��Zdd
��Zd
d
��ZdS�)#�PolicyGeneratora���Generate a reference policy module from access vectors.
PolicyGenerator generates a new reference policy module
or updates an existing module based on requested access
in the form of access vectors.
It generates allow rules and optionally module require
statements, reference policy interfaces, and extended
permission access vector rules. By default only allow rules
are generated. The methods .set_gen_refpol, .set_gen_requires
and .set_gen_xperms turns on interface generation,
requires generation, and xperms rules genration respectively.
PolicyGenerator can also optionally add comments explaining
why a particular access was allowed based on the audit
messages that generated the access. The access vectors
passed in must have the .audit_msgs field set correctly
and .explain set to SHORT|LONG_EXPLANATION to enable this
feature.
The module created by PolicyGenerator can be passed to
output.ModuleWriter to output a text representation.
Nc�������������C���s>���d|�_�t|�_d|�_|r
||�_n
tj��|�_d|�_d|�_d|�_ dS�)z�Initialize a PolicyGenerator with an optional
existing module.
If the module paramater is not None then access
will be added to the passed in module. Otherwise
a new reference policy module will be created.
NF)
�ifgen�NO_EXPLANATION�explain�
gen_requires�moduler���ZModule� dontaudit�xperms�domains)�selfr�����r���� /usr/lib/python3.6/policygen.py�__init__E���s����
zPolicyGenerator.__init__c�������������C���s*���|rt�||�|�_d|�_nd|�_|�j���dS�)a?��Set whether reference policy interfaces are generated.
To turn on interface generation pass in an interface set
to use for interface generation. To turn off interface
generation pass in None.
If interface generation is enabled requires generation
will also be enabled.
TN)�InterfaceGeneratorr
���r����"_PolicyGenerator__set_module_style)r���Zif_set� perm_mapsr���r���r����set_gen_refpolY���s
����
z
PolicyGenerator.set_gen_refpolTc�������������C���s
���||�_�dS�)a&��Set whether module requires are generated.
Passing in true will turn on requires generation and
False will disable generation. If requires generation is
disabled interface generation will also be disabled and
can only be re-enabled via .set_gen_refpol.
N)r���)r���Zstatusr���r���r����set_gen_requiresk���s����z PolicyGenerator.set_gen_requiresc�������������C���s
���||�_�dS�)z)Set whether access is explained.
N)r���)r���r���r���r���r����set_gen_explainu���s����z PolicyGenerator.set_gen_explainc�������������C���s
���||�_�d�S�)N)r���)r���r���r���r���r����set_gen_dontauditz���s����z!PolicyGenerator.set_gen_dontauditc�������������C���s
���||�_�dS�)zSSet whether extended permission access vector rules
are generated.
N)r���)r���r���r���r���r����set_gen_xperms}���s����z
PolicyGenerator.set_gen_xpermsc�������������C���s.���|�j�r
d}nd}x|�jj��D�]
}||_q
W�d�S�)NTF)r
���r����module_declarationsr���)r���r����modr���r���r���Z__set_module_style����s
����z"PolicyGenerator.__set_module_style�1.0c�������������C���s\���d}x|�j�j��D�]}|}qW�|s8tj��}|�j�jjd|��||_||_|�jrRd|_nd|_dS�)z?Set the name of the module and optionally the version.
Nr���TF) r���r ���r���ZModuleDeclaration�children�insert�name�versionr
���)r���r%���r&����mr!���r���r���r����set_module_name����s����z PolicyGenerator.set_module_namec�������������C���s���|�j�rt�|�j��|�jS�)N)r���r���)r���r���r���r����
get_module����s����
zPolicyGenerator.get_modulec�������������C���sv��t�j|�}|�jr|j|_d|_|�jr>tt�jt ||�jd���|_|j
t
j
krl|�jd7��_|j
rl|�jd7��_|j
t
jkr�|�jd7��_|j
t
jkr�t|j�dkr�|�jddjd d
��|jD����7��_n
|�jd
|jd
�d
��7��_|j
t
jk�rP|�jd
7��_|�jd7��_|�jd|jd
��7��_x*|jdd��D�]}|�jd|�7��_�q4W��y|j
t
jk�rTd|jk�rTd|jk�s�d|jk�rT|�j�s�ttdd�d
�d�|�_g�}xHdd
��tt
gt|jt
|jt
|ji�D��D�]
}||�jk�r�|j
|���q�W�t|�dk�r$|�jd|j|jdj|�f�7��_n0t|�dk�rT|�jd|j|jdj|�f�7��_W�n
���Y�nX�|�j j j
|��dS�)z Add access vector rule.
��)� verbosityz0
#!!!! This avc is allowed in the current policyzN
#!!!! This av rule may have been overridden by an extended permission av rulez:
#!!!! This avc has a dontaudit rule in the current policyr���zH
#!!!! This avc can be allowed using one of the these booleans:
# %sz, c�������������S���s���g�|�]
}|d���qS�)r���r���)�.0�xr���r���r����
<listcomp>����s����z1PolicyGenerator.__add_av_rule.<locals>.<listcomp>z5
#!!!! This avc can be allowed using the boolean '%s'r���z�
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.z
#Constraint rule: z
# Nz?
# Possible cause is the source %s and target %s are different.�write�dir�openZdomain)r%����typesc�������������S���s���g�|�]
}|t���qS�r���)ZTCONTEXT)r,���r-���r���r���r���r.�������s����zL
#!!!! The source type '%s' can write to a '%s' of the following type:
# %s
zM
#!!!! The source type '%s' can write to a '%s' of the following types:
# %s
)!r���ZAVRuler���Z DONTAUDIT� rule_type�commentr����str�Comment�explain_access�type� audit2whyZALLOWr���ZBOOLEAN�len�data�joinZ
CONSTRAINTZTERULE�perms� obj_classr���ZseinfoZ ATTRIBUTEZsesearchZSCONTEXT�src_typeZCLASSZPERMS�appendr���r#���)r����avZrule�reasonr2����ir���r���r���Z
__add_av_rule����sN����
&
.
$&z
PolicyGenerator.__add_av_rulec�������������C���s@���x:|j�j��D�],}tj||�}|�jr*|j|_|�jjj |��q
W�dS�)z5Add extended permission access vector rules.
N)
r����keysr���Z AVExtRuler���ZDONTAUDITXPERMr3���r���r#���r@���)r���rA����opZextruler���r���r���Z__add_ext_av_rules����s
����
z"PolicyGenerator.__add_ext_av_rulesc�������������C���s`���|�j�r*|�j�j||�j�\}}|�jjj|��n|}x,|D�]$}|�j|��|�jr4|jr4|�j|��q4W�dS�)zJAdd the access from the access vector set to this
module.
N) r
����genr���r���r#����extend�
_PolicyGenerator__add_av_ruler����"_PolicyGenerator__add_ext_av_rules)r���Zav_setZ raw_allow�ifcallsrA���r���r���r����
add_access����s����
zPolicyGenerator.add_accessc�������������C���s ���x|D�]}|�j�jj|��qW�d�S�)N)r���r#���r@���)r���Z
role_type_set� role_typer���r���r����add_role_types����s����
z
PolicyGenerator.add_role_types)N)NN)T)r"���)�__name__�
__module__�
__qualname__�__doc__r���r���r
����SHORT_EXPLANATIONr
���r
���r ���r���r(���r)���rH���rI���rK���rM���r���r���r���r���r
���-���s
���
5
r
���c����������������s
��g�����fdd�}|t�kr�x�|�jD�]�}�jd|j����jdt|j�t|j�f����jd|jtj |j
�f����jd|j
|j
|j
f����jtjd|j�d�d d
d
d
���q"W�|���nb|�r�jd
|�j|�j|�j|�jj��f���t|�j�dk�r|�jd�}�jd|j
|j
|j
f���|����S�)a���Explain why a policy statement was generated.
Return a string containing a text explanation of
why a policy statement was generated. The string is
commented and wrapped and can be directly inserted
into a policy.
Params:
av - access vector representing the access. Should
have .audit_msgs set appropriately.
verbosity - the amount of explanation provided. Should
be set to NO_EXPLANATION, SHORT_EXPLANATION, or
LONG_EXPLANATION.
Returns:
list of strings - strings explaining the access or an empty
string if verbosity=NO_EXPLANATION or there is not sufficient
information to provide an explanation.
c�����������������sN�����sd�S��j�d��x6��j��D�]*}�t|�j��j�}�j�d|j��|�jf���q
W�d�S�)Nz Interface options:z
%s # [%d])r@����all�call_interface� interfacerA���Z to_stringZdist)�match�ifcall)�ml�sr���r����explain_interfaces��s
����
z*explain_access.<locals>.explain_interfacesz %sz
scontext="%s" tcontext="%s"z class="%s" perms="%s"z
comm="%s" exe="%s" path="%s"z message="�"�P���z z )Zinitial_indentZsubsequent_indentz) src="%s" tgt="%s" class="%s", perms="%s"r���z
comm="%s" exe="%s" path="%s")�LONG_EXPLANATIONZ
audit_msgsr@����headerr5���ZscontextZtcontextZtclassr���Zlist_to_space_strZaccessesZcommZexe�pathrG����textwrapZwrap�messager?����tgt_typer>���r=���Z
to_space_strr:���)rA���rX���r+���rZ����msgr���)rX���rY���r���r7�������s*����
r7���c�������������C���s����g�}g�}|j�|�jj����|jdd��dd��tj��}|�j|_x�tt |��D�]r}||�j
tj
krl|j
j
|j��qH||�j
tjkr�|j
j
|j��qH||�j
tjkr�|j
j
|j��qHt||�j
��qHW�|S�)Nc�������������S���s���|�j�S�)N)�num)�paramr���r���r����<lambda>9��s����z call_interface.<locals>.<lambda>T)�key�reverse)rG����params�values�sortr���Z
InterfaceCallr%���Zifname�ranger:���r8����SRC_TYPE�argsr@���r?����TGT_TYPErb���� OBJ_CLASSr>����print)rU���rA���ri���rn���rW���rC���r���r���r���rT���4��s ����rT���c���������������@���s.���e�Zd�Zd
dd�Zdd��Zdd��Zdd ��ZdS�)
r���Nc�������������C���s&���||�_�|�j|��tj|�|�_g�|�_d�S�)N)�ifs�hack_check_ifsr���Z
AccessMatcher�matcher�calls)r���rr���r���r���r���r���r���N��s����
zInterfaceGenerator.__init__c�������������C���s����x�|j�j��D�]|}g�}|j|jj����|jdd��dd��xPtt|��D�]@}|d�||�jkrbd|_P�||�j t
j
t
j
t
j
gkrDd|_P�qDW�q
W�d�S�)Nc�������������S���s���|�j�S�)N)rd���)re���r���r���r���rf���\��s����z3InterfaceGenerator.hack_check_ifs.<locals>.<lambda>T)rg���rh���r���F)r���rj���rG���ri���rk���rl���r:���rd���Zenabledr8���r���rm���ro���rp���)r���rr���r-���ri���rC���r���r���r���rs���T��s����
z!InterfaceGenerator.hack_check_ifsc�������
������C���s����|�j�|�}g�}xH|�jD�]>}t|j��j|j�}|rFtjt|j||��|_ |j
||f��qW�g�}xX|D�]P\}}d} x4|D�],}
|
j
|�rt|
j r�|j r�|
j j
|j ��d} qtW�| sb|j
|��qbW�||fS�)NFT)
rV���ru���rT���ZbestrU���rA���r���r6���r7���r4���r@���Zmatches�merge)
r����avsr+����raw_avrJ���rX���rW����drr����foundZo_ifcallr���r���r���rF���k��s$����
zInterfaceGenerator.genc�������������C���sP���g�}xF|D�]>}t�j��}|�jj|�j||��t|�r>|�jj|��q
|j|��q
W�|S�)N)r���Z MatchListrt���Z
search_ifsrr���r:���ru���r@���)r���rw���rx���rA���Zansr���r���r���rV������s����
zInterfaceGenerator.match)N)rN���rO���rP���r���rs���rF���rV���r���r���r���r���r���M��s���
r���c�������������C���s&���dd��}x|�j���D�]
}||��qW�dS�)z*Add require statements to the module.
c�������������S���s����t�j��}xJ|�j��D�]>}|jj|j��|jj|j��x
|jD�]}|j||j ��q:W�qW�x,|�j
��D�] }x|j
D�]}|jj
|��qjW�q^W�x,|�j
��D�] }|jj
|j��|jj|j��q�W�|jjd��|�jjd|��d�S�)Nr���r���)r���ZRequireZavrulesr2����updateZ src_typesZ tgt_typesZ
obj_classesZ
add_obj_classr=���Zinterface_callsrn����addZ
role_typesZrolesZrole�discardr#���r$���)�node�rZavrule�objrW����argrL���r���r���r����collect_requires���s
����
z&gen_requires.<locals>.collect_requiresN)Znodes)r���r����r~���r���r���r���r������s����r���)rQ���� itertoolsr`���Zselinux.audit2whyr9���Zsetoolsr*���r���r���r���r���r���r ���r
���rR���r]���r
���r7���rT���r���r���r���r���r���r����<module>���s,���
�Q7B