Implement extended permission rule support in TERuleQueryTab.

Related to #73
This commit is contained in:
Chris PeBenito 2016-03-28 09:33:24 -04:00
parent ab41dc81e6
commit 8e2c8ca372
3 changed files with 237 additions and 123 deletions


@ -428,20 +428,6 @@
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QCheckBox" name="type_transition">
<property name="text">
<string>Type_transition</string>
</property>
</widget>
</item>
<item row="1" column="1">
<widget class="QCheckBox" name="type_change">
<property name="text">
<string>Type_change</string>
</property>
</widget>
</item>
<item row="0" column="7">
<spacer name="horizontalSpacer">
<property name="orientation">
@ -465,13 +451,6 @@
</property>
</widget>
</item>
<item row="1" column="2">
<widget class="QCheckBox" name="type_member">
<property name="text">
<string>Type_member</string>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QCheckBox" name="neverallow">
<property name="text">
@ -489,6 +468,58 @@
</property>
</widget>
</item>
<item row="1" column="1">
<widget class="QCheckBox" name="neverallowxperm">
<property name="text">
<string>Neverallowxperms</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QCheckBox" name="allowxperm">
<property name="text">
<string>Allowxperms</string>
</property>
<property name="checked">
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="2">
<widget class="QCheckBox" name="auditallowxperm">
<property name="text">
<string>Auditallowxperms</string>
</property>
</widget>
</item>
<item row="2" column="0">
<widget class="QCheckBox" name="type_transition">
<property name="text">
<string>Type_transition</string>
</property>
</widget>
</item>
<item row="2" column="1">
<widget class="QCheckBox" name="type_change">
<property name="text">
<string>Type_change</string>
</property>
</widget>
</item>
<item row="2" column="2">
<widget class="QCheckBox" name="type_member">
<property name="text">
<string>Type_member</string>
</property>
</widget>
</item>
<item row="1" column="3">
<widget class="QCheckBox" name="dontauditxperm">
<property name="text">
<string>Dontauditxperms</string>
</property>
</widget>
</item>
</layout>
</widget>
</item>
@ -561,102 +592,6 @@
</layout>
</widget>
</item>
<item row="2" column="1">
<widget class="QGroupBox" name="perms_criteria">
<property name="title">
<string>Permission Set</string>
</property>
<layout class="QGridLayout" name="gridLayout_6">
<property name="leftMargin">
<number>6</number>
</property>
<property name="topMargin">
<number>6</number>
</property>
<property name="rightMargin">
<number>6</number>
</property>
<property name="bottomMargin">
<number>6</number>
</property>
<property name="spacing">
<number>3</number>
</property>
<item row="1" column="2">
<widget class="QPushButton" name="invert_perms">
<property name="text">
<string>Invert</string>
</property>
</widget>
</item>
<item row="0" column="2">
<widget class="QPushButton" name="clear_perms">
<property name="text">
<string>Clear</string>
</property>
</widget>
</item>
<item row="0" column="4">
<spacer name="horizontalSpacer_5">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="0" column="3">
<widget class="QCheckBox" name="perms_equal">
<property name="toolTip">
<string>A matching rule will have all of the selected permissions.</string>
</property>
<property name="text">
<string>Match All</string>
</property>
</widget>
</item>
<item row="2" column="2">
<spacer name="verticalSpacer">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
<item row="0" column="0" rowspan="3" colspan="2">
<widget class="QListView" name="perms">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="maximumSize">
<size>
<width>250</width>
<height>16777215</height>
</size>
</property>
<property name="toolTip">
<string>The list of permissions common to selected object classes.</string>
</property>
<property name="selectionMode">
<enum>QAbstractItemView::ExtendedSelection</enum>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="1" column="0">
<widget class="QGroupBox" name="source_criteria">
<property name="maximumSize">
@ -927,6 +862,119 @@
</property>
</widget>
</item>
<item row="2" column="1">
<widget class="QGroupBox" name="perms_criteria">
<property name="title">
<string>Permission Set</string>
</property>
<layout class="QGridLayout" name="gridLayout_6">
<property name="leftMargin">
<number>6</number>
</property>
<property name="topMargin">
<number>6</number>
</property>
<property name="rightMargin">
<number>6</number>
</property>
<property name="bottomMargin">
<number>6</number>
</property>
<property name="spacing">
<number>3</number>
</property>
<item row="3" column="2">
<widget class="QCheckBox" name="xperms_equal">
<property name="toolTip">
<string>A matching rule will have all of the extended permissions.</string>
</property>
<property name="text">
<string>Match All</string>
</property>
</widget>
</item>
<item row="1" column="2">
<widget class="QPushButton" name="invert_perms">
<property name="text">
<string>Invert</string>
</property>
</widget>
</item>
<item row="0" column="2">
<widget class="QPushButton" name="clear_perms">
<property name="text">
<string>Clear</string>
</property>
</widget>
</item>
<item row="0" column="4">
<spacer name="horizontalSpacer_5">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="0" column="3">
<widget class="QCheckBox" name="perms_equal">
<property name="toolTip">
<string>A matching rule will have all of the selected permissions.</string>
</property>
<property name="text">
<string>Match All</string>
</property>
</widget>
</item>
<item row="2" column="2">
<spacer name="verticalSpacer">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
<item row="0" column="0" rowspan="3" colspan="2">
<widget class="QListView" name="perms">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="maximumSize">
<size>
<width>250</width>
<height>16777215</height>
</size>
</property>
<property name="toolTip">
<string>The list of permissions common to selected object classes.</string>
</property>
<property name="selectionMode">
<enum>QAbstractItemView::ExtendedSelection</enum>
</property>
</widget>
</item>
<item row="3" column="0" colspan="2">
<widget class="QLineEdit" name="xperms">
<property name="placeholderText">
<string>Enter extended permissions here.</string>
</property>
</widget>
</item>
</layout>
</widget>
</item>
</layout>
<zorder>ruletype_criteria</zorder>
<zorder>source_criteria</zorder>
@ -948,9 +996,6 @@
<tabstop>neverallow</tabstop>
<tabstop>auditallow</tabstop>
<tabstop>dontaudit</tabstop>
<tabstop>type_transition</tabstop>
<tabstop>type_change</tabstop>
<tabstop>type_member</tabstop>
<tabstop>clear_ruletypes</tabstop>
<tabstop>all_ruletypes</tabstop>
<tabstop>source</tabstop>
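Review bot: The tabstop hunk at the end of this section only removes the `type_transition`, `type_change` and `type_member` entries and adds nothing in their place, so unless a hunk not rendered here re-adds them, keyboard focus now jumps from `dontaudit` straight to `clear_ruletypes`, skipping those three boxes and the four new `*xperm` checkboxes added in the earlier hunk. The tab order should follow the grid rows: `allowxperm`, `neverallowxperm`, `auditallowxperm`, `dontauditxperm`, then the three type_* boxes, before `clear_ruletypes`. The new `xperms` line edit carries only the placeholder `Enter extended permissions here.` as a static hint, while the accepted syntax is set in a tooltip at runtime; a placeholder like `Comma-separated hex values or ranges, e.g. 0x5411, 0x8800-0x88ff` would tell the user the format before the first error, assuming the Python parser in this commit is the only consumer of that field.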


@ -74,6 +74,7 @@ class TERuleQueryTab(SEToolsWidget, QScrollArea):
self.clear_source_error()
self.clear_target_error()
self.clear_default_error()
self.clear_xperm_error()
# populate class list
self.class_model = SEToolsListModel(self)
@ -121,11 +122,16 @@ class TERuleQueryTab(SEToolsWidget, QScrollArea):
self.set_source_regex(self.source_regex.isChecked())
self.set_target_regex(self.target_regex.isChecked())
self.set_default_regex(self.default_regex.isChecked())
self.toggle_xperm_criteria()
self.criteria_frame.setHidden(not self.criteria_expander.isChecked())
self.notes.setHidden(not self.notes_expander.isChecked())
# connect signals
self.buttonBox.clicked.connect(self.run)
self.allowxperm.toggled.connect(self.toggle_xperm_criteria)
self.auditallowxperm.toggled.connect(self.toggle_xperm_criteria)
self.neverallowxperm.toggled.connect(self.toggle_xperm_criteria)
self.dontauditxperm.toggled.connect(self.toggle_xperm_criteria)
self.clear_ruletypes.clicked.connect(self.clear_all_ruletypes)
self.all_ruletypes.clicked.connect(self.set_all_ruletypes)
self.source.textEdited.connect(self.clear_source_error)
@ -138,6 +144,8 @@ class TERuleQueryTab(SEToolsWidget, QScrollArea):
self.invert_class.clicked.connect(self.invert_tclass_selection)
self.perms.selectionModel().selectionChanged.connect(self.set_perms)
self.invert_perms.clicked.connect(self.invert_perms_selection)
self.xperms.textEdited.connect(self.clear_xperm_error)
self.xperms.editingFinished.connect(self.set_xperm)
self.default_type.textEdited.connect(self.clear_default_error)
self.default_type.editingFinished.connect(self.set_default_type)
self.default_regex.toggled.connect(self.set_default_regex)
@ -149,9 +157,13 @@ class TERuleQueryTab(SEToolsWidget, QScrollArea):
def _set_ruletypes(self, value):
self.allow.setChecked(value)
self.allowxperm.setChecked(value)
self.auditallow.setChecked(value)
self.auditallowxperm.setChecked(value)
self.neverallow.setChecked(value)
self.neverallowxperm.setChecked(value)
self.dontaudit.setChecked(value)
self.dontauditxperm.setChecked(value)
self.type_transition.setChecked(value)
self.type_member.setChecked(value)
self.type_change.setChecked(value)
@ -235,6 +247,48 @@ class TERuleQueryTab(SEToolsWidget, QScrollArea):
def invert_perms_selection(self):
invert_list_selection(self.perms.selectionModel())
#
# Extended permission criteria
#
def toggle_xperm_criteria(self):
mode = any((self.allowxperm.isChecked(),
self.auditallowxperm.isChecked(),
self.neverallowxperm.isChecked(),
self.dontauditxperm.isChecked()))
self.xperms.setEnabled(mode)
self.xperms_equal.setEnabled(mode)
def clear_xperm_error(self):
self.xperms.setToolTip("Match the extended permissions of the rule. Comma-separated "
"permissions or ranges of permissions.")
self.xperms.setPalette(self.orig_palette)
def set_xperm(self):
xperms = []
try:
text = self.xperms.text()
if text:
for item in self.xperms.text().split(","):
rng = item.split("-")
if len(rng) == 2:
xperms.append((int(rng[0], base=16), int(rng[1], base=16)))
elif len(rng) == 1:
xperms.append((int(rng[0], base=16), int(rng[0], base=16)))
else:
raise ValueError("Enter an extended permission or extended permission "
"range, e.g. 0x5411 or 0x8800-0x88ff.")
self.query.xperms = xperms
else:
self.query.xperms = None
except Exception as ex:
self.log.error("Extended permissions error: {0}".format(ex))
self.xperms.setToolTip("Error: " + str(ex))
self.xperms.setPalette(self.error_palette)
#
# Default criteria
#
@ -282,15 +336,27 @@ class TERuleQueryTab(SEToolsWidget, QScrollArea):
if self.allow.isChecked():
rule_types.append("allow")
max_results += self.policy.allow_count
if self.allowxperm.isChecked():
rule_types.append("allowxperm")
max_results += self.policy.allowxperm_count
if self.auditallow.isChecked():
rule_types.append("auditallow")
max_results += self.policy.auditallow_count
if self.auditallowxperm.isChecked():
rule_types.append("auditallowxperm")
max_results += self.policy.auditallowxperm_count
if self.neverallow.isChecked():
rule_types.append("neverallow")
max_results += self.policy.neverallow_count
if self.neverallowxperm.isChecked():
rule_types.append("neverallowxperm")
max_results += self.policy.neverallowxperm_count
if self.dontaudit.isChecked():
rule_types.append("dontaudit")
max_results += self.policy.dontaudit_count
if self.dontauditxperm.isChecked():
rule_types.append("dontauditxperm")
max_results += self.policy.dontauditxperm_count
if self.type_transition.isChecked():
rule_types.append("type_transition")
max_results += self.policy.type_transition_count
@ -308,8 +374,8 @@ class TERuleQueryTab(SEToolsWidget, QScrollArea):
self.query.boolean_equal = self.bools_equal.isChecked()
# if query is broad, show warning.
if not self.query.source and not self.query.target and not self.query.tclass and \
not self.query.perms and not self.query.default and not self.query.boolean:
if not any((self.query.source, self.query.target, self.query.tclass, self.query.perms,
self.query.xperms, self.query.default, self.query.boolean)):
reply = QMessageBox.question(
self, "Continue?",
"This is a broad query, estimated to return {0} results. Continue?".
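Review bot: In `set_xperm`, a parse failure only recolors the field and logs, so `self.query.xperms` keeps whatever the last successful parse stored and the next run silently applies stale criteria underneath an error-flagged widget; assigning `self.query.xperms = None` before the `try` (or as the first statement of the `except`) ensures a rejected entry never carries over. The parser also accepts an inverted range such as `0x88ff-0x8800` and does not bound the values, although the examples in the error text suggest 16-bit permissions; after converting both ends, `if lo > hi: raise ValueError("Range start must not exceed range end.")` would surface that through the same tooltip path. The `except Exception` could be narrowed to `ValueError`, which is all that `int(..., base=16)` and the explicit raise produce here, and the loop re-reads `self.xperms.text()` instead of using the `text` already captured. Whether the other criteria setters in this file keep stale query state on error in the same way is outside the visible hunks, and `run` continues past the end of the last hunk.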


@ -177,7 +177,10 @@ class TERuleListModel(RuleListModel):
return str(self.resultlist[row].tclass)
elif col == 4:
try:
return ", ".join(sorted(self.resultlist[row].perms))
if self.resultlist[row].extended:
return "{0.xperm_type}: {0.perms:,}".format(self.resultlist[row])
else:
return ", ".join(sorted(self.resultlist[row].perms))
except RuleUseError:
return str(self.resultlist[row].default)
elif col == 5:
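Review bot: The new extended-rule branch relies on `"{0.perms:,}"`, i.e. a `__format__` on the rule's permission object that understands a `,` spec, which is a non-obvious protocol for the next reader of this model; a comment such as `# extended rules: perms is an xperm set whose __format__ renders a comma-separated listing — confirm against the setools xperm type` would mark the dependency. Note that the non-extended branch sorts its permissions while the extended branch leaves ordering to that `__format__`, so the display ordering contract differs between the two; if the xperm type does not sort, the column will not be stable across runs. The `extended` attribute lookup now sits inside the `except RuleUseError` guard that previously covered only the `perms` access, so a `RuleUseError` raised by `extended` itself would be reported as the rule's default type — presumably harmless, but worth confirming.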