HEX
Server: LiteSpeed
System: Linux php-prod-1.spaceapp.ru 5.15.0-157-generic #167-Ubuntu SMP Wed Sep 17 21:35:53 UTC 2025 x86_64
User: xnsbb3110 (1041)
PHP: 8.1.33
Disabled: NONE
File: //lib/python3/dist-packages/apparmor/rule/__pycache__/__init__.cpython-310.pyc