3
�^j@������������������@���s����d�dl�Z�d�dlZd�dlZd�dlmZ�d�dlmZ�d�dlmZ�d�dl Z ddl
m
Z
�ddl
m
Z
�ddl
mZ�dd l
mZ�d
d
d
d
dgZdZdZG�dd��d�Zdd��Zdd��Zdd��ZG�dd��d�ZdS�)�����N)�
OrderedDict)�ENOENT)�suppress����)� exception)� policyrep)�PermissionMapDescriptor)�
TERuletype�r�w�b�n�u�
���c���������������@���s����e�Zd�ZdZd%dd�Zdd��Zdd��Zd d
��Zd
d
��Zd
d��Z dd��Z
dd��Z
dd��Z
dd��Z
dd��Zdd��Zdd
��Zd
d
��Zd d ��Zd!d"��Zd#d$��ZdS�)&�
PermissionMapz-Permission Map for information flow analysis.Nc�������������C���sN���t�jt�|�_t��|�_d|�_|r*|�j|��n tj d�}dj
|j
�}|�j|��dS�)z\
Parameter:
permmapfile The path to the permission map to load.
NZsetoolsz{0}/setools/perm_map)
�loggingZ getLogger�__name__�logr����permmap�
permmapfile�load�
pkg_resourcesZget_distribution�format�location)�selfr���Zdistro�path��r
���� /usr/lib64/python3.6/permmap.py�__init__*���s����
zPermissionMap.__init__c�������������C���s���|�j�S�)N)r���)r���r
���r
���r
����__str__;���s����zPermissionMap.__str__c�������������C���s8���t�jt��}|�j|_tj|�j�|_|�j|_||t|��<�|S�)N)r����__new__r����copy�deepcopyr���r����id)r����memoZnewobjr
���r
���r
����
__deepcopy__>���s
����
zPermissionMap.__deepcopy__c�������������c���s0���x*|�j���D�]
}x|�j|�D�]
}|V��qW�q
W�d�S�)N)�classes�perms)r����cls�mappingr
���r
���r
����__iter__F���s����zPermissionMap.__iter__c����������
���C���sb��|�j�jdj|���t|d���}d}d}d}d}|�jj����x�t|dd�D��]�\}}|j��} t| �dksJ| d�d�dkrzqJ|dkr�yt | d��}W�n<�t
k
r��}
�z t
j
dj||| d���|
�W�Y�dd}
~
X�nX�|dk�r�t
j
d j||| d����d
}qJ|d
k�r�t| �d
k�s
| d�d
k�r0t
j
d
j||| ���t
| d��}
yt | d
��}
W�n>�t
k
�r��}
�z t
j
dj||| d
���|
�W�Y�dd}
~
X�nX�|
dk��r�t
j
dj||| d
����|d7�}||k�r�t
j
dj|||
���t��|�j|
<�d}
d
}qJ|d
krJt
| d��}t
| d��}|tk�r,t
j
dj||| d����yt | d
��}W�n>�t
k
�rz�}
�z t
j
dj||| d
���|
�W�Y�dd}
~
X�nX�t|��k�o�tkn���s�t
j
dj||| d
�tt���|�j�jdj|
|||���|dk�r�|�j�jdj|
|���t|�j|
|dd�}||_||_|d7�}|
d7�}
|
|
krJd
}qJW�W�dQ�R�X�||�_|�j�jdj|���|�j�jdj||���dS�)z\
Parameter:
permmapfile The path to the permission map to load.
z
Opening permission map "{0}"r
���r���r���)�start�#z&{0}:{1}:Invalid number of classes: {2}Nz/{0}:{1}:Number of classes must be positive: {2}���������classz&{0}:{1}:Invalid class declaration: {2}z*{0}:{1}:Invalid number of permissions: {2}z3{0}:{1}:Number of permissions must be positive: {2}z
{0}:{1}:Extra class found: {2}z/{0}:{1}:Invalid information flow direction: {2}z&{0}:{1}:Invalid permission weight: {2}z.{0}:{1}:Permission weight must be {3}-{4}: {2}zRead {0}:{1} {2} {3}r���z Permission {0}:{1} is unmapped.T)�createz(Successfully opened permission map "{0}"z+Read {0} classes and {1} total permissions.)r����infor����openr����clear� enumerate�split�len�int�
ValueErrorr���ZPermissionMapParseError�strr����infoflow_directions�
min_weight�
max_weight�debug�Mapping� direction�weightr���)r���r����mapfileZ
total_permsZ
class_countZ
num_classes�stateZline_num�line�entry�ex�
class_nameZ num_permsZ
perm_count� perm_nameZflow_directionr@���r)���r
���r
���r
���r���K���s�����
$
$
$
zPermissionMap.loadc������� ������C���s����t�|d���}|�jjdj|���|jdjt|�j����x�|�jj��D�]~\}}|jdj|t|����xT|j��D�]H\}}|d�}|d�}|dkr�|�jjdj||���|jd j|||���qhW�|jd
��q@W�|�jjd
j|���W�d
Q�R�X�d
S�)
z�
Save the permission map to the specified path. Existing files
will be overwritten.
Parameter:
permmapfile The path to write the permission map.
r
���z Writing permission map to "{0}"z{0}
zclass {0} {1}
r?���r@���r���z1Warning: permission {0} in class {1} is unmapped.z{0:>20} {1:>9} {2:>9}
�
z*Successfully wrote permission map to "{0}"N) r2���r���r1���r����writer6���r����itemsZwarning) r���r���rA���� classnamer'���ZpermnameZsettingsr?���r@���r
���r
���r
����save����s
����
zPermissionMap.savec�������������c���s���|�j�j��E�dH��dS�)zw
Generate class names in the permission map.
Yield:
class An object class name.
N)r����keys)r���r
���r
���r
���r&�������s����zPermissionMap.classesc�������������c���sf���y,x&|�j�|�j��D�]}t|�j�||�V��qW�W�n4�tk
r`�}�ztjdj|��|�W�Y�dd}~X�nX�dS�)z�
Generate permission mappings for the specified class.
Parameter:
class_ An object class name.
Yield:
Mapping A permission's complete map (weight, direction, enabled)
z{0} is not mapped.N)r���rM���r>����KeyErrorr����
UnmappedClassr���)r����class_�permrE���r
���r
���r
���r'�������s
����
zPermissionMap.permsc�������������C���s���t�|�j||�S�)z)Retrieve a specific permission's mapping.)r>���r���)r���rP���rQ���r
���r
���r
���r)�������s����zPermissionMap.mappingc�������������C���s
���x|�j�|�D�]
}d|_q
W�dS�)a��
Exclude all permissions in an object class for calculating rule weights.
Parameter:
class_ The object class to exclude.
Exceptions:
UnmappedClass The specified object class is not mapped.
FN)r'����enabled)r���rP���rQ���r
���r
���r
����
exclude_class����s����
zPermissionMap.exclude_classc�������������C���s���dt�|�j||�_dS�)a���
Exclude a permission for calculating rule weights.
Parameter:
class_ The object class of the permission.
permission The permission name to exclude.
Exceptions:
UnmappedClass The specified object class is not mapped.
UnmappedPermission The specified permission is not mapped for the object class.
FN)r>���r���rR���)r���rP����
permissionr
���r
���r
����exclude_permission
��s����
z PermissionMap.exclude_permissionc�������������C���s
���x|�j�|�D�]
}d|_q
W�dS�)a��
Include all permissions in an object class for calculating rule weights.
Parameter:
class_ The object class to include.
Exceptions:
UnmappedClass The specified object class is not mapped.
TN)r'���rR���)r���rP���rQ���r
���r
���r
����
include_class��s����
zPermissionMap.include_classc�������������C���s���dt�|�j||�_dS�)a���
Include a permission for calculating rule weights.
Parameter:
class_ The object class of the permission.
permission The permission name to include.
Exceptions:
UnmappedClass The specified object class is not mapped.
UnmappedPermission The specified permission is not mapped for the object class.
TN)r>���r���rR���)r���rP���rT���r
���r
���r
����include_permission'��s����
z PermissionMap.include_permissionc�������������C���s����x�|j���D�]�}t|�}||�jkr@|�jjdj||���t��|�j|<�|j}tt j
���||j
jO�}W�dQ�R�X�xB|D�]:}||�j|�krn|�jjdj|||���t
|�j||dd��qnW�q
W�dS�)zHCreate mappings for all classes and permissions in the specified policy.z"Adding unmapped class {0} from {1}Nz.Adding unmapped permission {0} in {1} from {2}T)r0���)
r&���r9���r���r���r=���r���r���r'���r���r���ZNoCommon�commonr>���)r���ZpolicyrP���rF���r'���rG���r
���r
���r
����
map_policy6��s����
zPermissionMap.map_policyc�������������C���s����d}d}t�|j�}|jtjkr0tjdj|j���xv|jD�]l}t |�j
||�}|j
sRq8|j
dkrjt
||j�}q8|j
dkr�t
||j�}q8|j
dkr8t
||j�}t
||j�}q8W�||fS�)aT��
Get the type enforcement rule's information flow read and write weights.
Parameter:
rule A type enforcement rule.
Return: Tuple(read_weight, write_weight)
read_weight The type enforcement rule's read weight.
write_weight The type enforcement rule's write weight.
r���z1{0} rules cannot be used for calculating a weightr
���r
���r
���)r9���ZtclassZruletyper ���Zallowr���Z
RuleTypeErrorr���r'���r>���r���rR���r?����maxr@���)r���ZruleZ
write_weightZ
read_weightrF���rG���r)���r
���r
���r
����
rule_weightJ��s$����
zPermissionMap.rule_weightc�������������C���s���|t�|�j||�_dS�)a���
Set the information flow direction of a permission.
Parameter:
class_ The object class of the permission.
permission The permission name.
direction The information flow direction the permission (r/w/b/n).
Exceptions:
UnmappedClass The specified object class is not mapped.
UnmappedPermission The specified permission is not mapped for the object class.
N)r>���r���r?���)r���rP���rT���r?���r
���r
���r
����
set_directionq��s����
zPermissionMap.set_directionc�������������C���s���|t�|�j||�_dS�)a���
Set the weight of a permission.
Parameter:
class_ The object class of the permission.
permission The permission name.
weight The weight of the permission (1-10).
Exceptions:
UnmappedClass The specified object class is not mapped.
UnmappedPermission The specified permission is not mapped for the object class.
N)r>���r���r@���)r���rP���rT���r@���r
���r
���r
����
set_weight���s����
zPermissionMap.set_weight)N)r����
__module__�
__qualname__�__doc__r
���r ���r%���r*���r���rL���r&���r'���r)���rS���rU���rV���rW���rY���r[���r\���r]���r
���r
���r
���r
���r���&���s$���
q%
'r���c�������������C���s*���t�|���kotkn��s&tdj|����|�S�)Nz$Permission weights must be 1-10: {0})r;���r<���r8���r���)r@���r
���r
���r
����validate_weight���s����ra���c�������������C���s���|�t�krtdj|����|�S�)Nz'Invalid information flow direction: {0})r:���r8���r���)r?���r
���r
���r
����validate_direction���s����rb���c�������������C���s���t�|��S�)N)�bool)rR���r
���r
���r
����validate_enabled���s����rd���c���������������@���s@���e�Zd�ZdZede�Zede�Zede �Z
d
dd�Z
dd ��Z
d
S�)
r>���z1A mapping for a permission in the permission map.r@���r?���rR���Fc�������������C���s����||�_�||�_||�_|rD||�j�kr,t��|�j�|<�dddd�|�j�|�|<�n:||�j�kr^tjdj|���||�j�|�kr~tjdj||���d�S�)Nr���r���T)r?���r@���rR���z{0} is not mapped.z{0}:{1} is not mapped.)�perm_maprP���rQ���r���r���rO���r���ZUnmappedPermission)r���re���rK���rT���r0���r
���r
���r
���r
������s
����
zMapping.__init__c�������������C���s(���|�j�|j�kr|�j|jk�S�|�j�|j�k�S�d�S�)N)rP���rQ���)r����otherr
���r
���r
����__lt__���s����
zMapping.__lt__N)F)
r���r^���r_���r`���r���ra���r@���rb���r?���rd���rR���r
���rg���r
���r
���r
���r
���r>������s
���
r>���)�sysr���r!����
collectionsr����errnor����
contextlibr���r�����r���r���Z
descriptorsr���r ���r:���r;���r<���r���ra���rb���rd���r>���r
���r
���r
���r
����<module>���s(���
��o