lib/python2.7/site-packages/setools/constraintquery.py - platform/prebuilts/python/linux-x86/2.7.5 - Git at Google

 # Copyright 2015, Tresys Technology, LLC
 #
 # This file is part of SETools.
 #
 # SETools is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as
 # published by the Free Software Foundation, either version 2.1 of
 # the License, or (at your option) any later version.
 #
 # SETools is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU Lesser General Public License for more details.
 #
 # You should have received a copy of the GNU Lesser General Public
 # License along with SETools.  If not, see
 # <http://www.gnu.org/licenses/>.
 #
 import logging
 import re

 from .descriptors import CriteriaDescriptor, CriteriaSetDescriptor
 from .mixins import MatchObjClass, MatchPermission
 from .policyrep.exception import ConstraintUseError
 from .query import PolicyQuery
 from .util import match_in_set


 class ConstraintQuery(MatchObjClass, MatchPermission, PolicyQuery):

     """
     Query constraint rules, (mls)constrain/(mls)validatetrans.

     Parameter:
     policy            The policy to query.

     Keyword Parameters/Class attributes:
     ruletype          The list of rule type(s) to match.
     tclass            The object class(es) to match.
     tclass_regex      If true, use a regular expression for
                       matching the rule's object class.
     perms             The permission(s) to match.
     perms_equal       If true, the permission set of the rule
                       must exactly match the permissions
                       criteria.  If false, any set intersection
                       will match.
     perms_regex       If true, regular expression matching will be used
                       on the permission names instead of set logic.
     role              The name of the role to match in the
                       constraint expression.
     role_indirect     If true, members of an attribute will be
                       matched rather than the attribute itself.
     role_regex        If true, regular expression matching will
                       be used on the role.
     type_             The name of the type/attribute to match in the
                       constraint expression.
     type_indirect     If true, members of an attribute will be
                       matched rather than the attribute itself.
     type_regex        If true, regular expression matching will
                       be used on the type/attribute.
     user              The name of the user to match in the
                       constraint expression.
     user_regex        If true, regular expression matching will
                       be used on the user.
     """

     ruletype = CriteriaSetDescriptor(lookup_function="validate_constraint_ruletype")
     user = CriteriaDescriptor("user_regex", "lookup_user")
     user_regex = False
     role = CriteriaDescriptor("role_regex", "lookup_role")
     role_regex = False
     role_indirect = True
     type_ = CriteriaDescriptor("type_regex", "lookup_type_or_attr")
     type_regex = False
     type_indirect = True

     def __init__(self, policy, **kwargs):
         super(ConstraintQuery, self).__init__(policy, **kwargs)
         self.log = logging.getLogger(__name__)

     def _match_expr(self, expr, criteria, indirect, regex):
         """
         Match roles/types/users in a constraint expression,
         optionally by expanding the contents of attributes.

         Parameters:
         expr        The expression to match.
         criteria    The criteria to match.
         indirect    If attributes in the expression should be expanded.
         regex       If regular expression matching should be used.
         """

         if indirect:
             obj = set()
             for item in expr:
                 obj.update(item.expand())
         else:
             obj = expr

         return match_in_set(obj, criteria, regex)

     def results(self):
         """Generator which yields all matching constraints rules."""
         self.log.info("Generating constraint results from {0.policy}".format(self))
         self.log.debug("Ruletypes: {0.ruletype}".format(self))
         self._match_object_class_debug(self.log)
         self._match_perms_debug(self.log)
         self.log.debug("User: {0.user!r}, regex: {0.user_regex}".format(self))
         self.log.debug("Role: {0.role!r}, regex: {0.role_regex}".format(self))
         self.log.debug("Type: {0.type_!r}, regex: {0.type_regex}".format(self))

         for c in self.policy.constraints():
             if self.ruletype:
                 if c.ruletype not in self.ruletype:
                     continue

             if not self._match_object_class(c):
                 continue

             try:
                 if not self._match_perms(c):
                     continue
             except ConstraintUseError:
                     continue

             if self.role and not self._match_expr(
                         c.roles,
                         self.role,
                         self.role_indirect,
                         self.role_regex):
                     continue

             if self.type_ and not self._match_expr(
                         c.types,
                         self.type_,
                         self.type_indirect,
                         self.type_regex):
                     continue

             if self.user and not self._match_expr(
                         c.users,
                         self.user,
                         False,
                         self.user_regex):
                     continue

             yield c
	# Copyright 2015, Tresys Technology, LLC
	#
	# This file is part of SETools.
	#
	# SETools is free software: you can redistribute it and/or modify
	# it under the terms of the GNU Lesser General Public License as
	# published by the Free Software Foundation, either version 2.1 of
	# the License, or (at your option) any later version.
	#
	# SETools is distributed in the hope that it will be useful,
	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	# GNU Lesser General Public License for more details.
	#
	# You should have received a copy of the GNU Lesser General Public
	# License along with SETools. If not, see
	# <http://www.gnu.org/licenses/>.
	#
	import logging
	import re

	from .descriptors import CriteriaDescriptor, CriteriaSetDescriptor
	from .mixins import MatchObjClass, MatchPermission
	from .policyrep.exception import ConstraintUseError
	from .query import PolicyQuery
	from .util import match_in_set


	class ConstraintQuery(MatchObjClass, MatchPermission, PolicyQuery):

	"""
	Query constraint rules, (mls)constrain/(mls)validatetrans.

	Parameter:
	policy The policy to query.

	Keyword Parameters/Class attributes:
	ruletype The list of rule type(s) to match.
	tclass The object class(es) to match.
	tclass_regex If true, use a regular expression for
	matching the rule's object class.
	perms The permission(s) to match.
	perms_equal If true, the permission set of the rule
	must exactly match the permissions
	criteria. If false, any set intersection
	will match.
	perms_regex If true, regular expression matching will be used
	on the permission names instead of set logic.
	role The name of the role to match in the
	constraint expression.
	role_indirect If true, members of an attribute will be
	matched rather than the attribute itself.
	role_regex If true, regular expression matching will
	be used on the role.
	type_ The name of the type/attribute to match in the
	constraint expression.
	type_indirect If true, members of an attribute will be
	matched rather than the attribute itself.
	type_regex If true, regular expression matching will
	be used on the type/attribute.
	user The name of the user to match in the
	constraint expression.
	user_regex If true, regular expression matching will
	be used on the user.
	"""

	ruletype = CriteriaSetDescriptor(lookup_function="validate_constraint_ruletype")
	user = CriteriaDescriptor("user_regex", "lookup_user")
	user_regex = False
	role = CriteriaDescriptor("role_regex", "lookup_role")
	role_regex = False
	role_indirect = True
	type_ = CriteriaDescriptor("type_regex", "lookup_type_or_attr")
	type_regex = False
	type_indirect = True

	def __init__(self, policy, **kwargs):
	super(ConstraintQuery, self).__init__(policy, **kwargs)
	self.log = logging.getLogger(__name__)

	def _match_expr(self, expr, criteria, indirect, regex):
	"""
	Match roles/types/users in a constraint expression,
	optionally by expanding the contents of attributes.

	Parameters:
	expr The expression to match.
	criteria The criteria to match.
	indirect If attributes in the expression should be expanded.
	regex If regular expression matching should be used.
	"""

	if indirect:
	obj = set()
	for item in expr:
	obj.update(item.expand())
	else:
	obj = expr

	return match_in_set(obj, criteria, regex)

	def results(self):
	"""Generator which yields all matching constraints rules."""
	self.log.info("Generating constraint results from {0.policy}".format(self))
	self.log.debug("Ruletypes: {0.ruletype}".format(self))
	self._match_object_class_debug(self.log)
	self._match_perms_debug(self.log)
	self.log.debug("User: {0.user!r}, regex: {0.user_regex}".format(self))
	self.log.debug("Role: {0.role!r}, regex: {0.role_regex}".format(self))
	self.log.debug("Type: {0.type_!r}, regex: {0.type_regex}".format(self))

	for c in self.policy.constraints():
	if self.ruletype:
	if c.ruletype not in self.ruletype:
	continue

	if not self._match_object_class(c):
	continue

	try:
	if not self._match_perms(c):
	continue
	except ConstraintUseError:
	continue

	if self.role and not self._match_expr(
	c.roles,
	self.role,
	self.role_indirect,
	self.role_regex):
	continue

	if self.type_ and not self._match_expr(
	c.types,
	self.type_,
	self.type_indirect,
	self.type_regex):
	continue

	if self.user and not self._match_expr(
	c.users,
	self.user,
	False,
	self.user_regex):
	continue

	yield c