1#!/usr/bin/env python
2# coding: utf-8
3
4"""
5Copyright (c) 2024 Huawei Device Co., Ltd.
6Licensed under the Apache License, Version 2.0 (the "License");
7you may not use this file except in compliance with the License.
8You may obtain a copy of the License at
9
10    http://www.apache.org/licenses/LICENSE-2.0
11
12Unless required by applicable law or agreed to in writing, software
13distributed under the License is distributed on an "AS IS" BASIS,
14WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15See the License for the specific language governing permissions and
16limitations under the License.
17
18"""
19
20import argparse
21import os
22from check_common import read_json_file, traverse_file_in_each_type
23
24WHITELIST_FILE_NAME = "permissive_whitelist.json"
25
26
27def simplify_string(string):
28    return string.strip().replace('(', '').replace(')', '')
29
30
31def deal_with_allow(cil_file, allow_set):
32    with open(cil_file, 'r', encoding='utf-8') as cil_read:
33        for line in cil_read:
34            if not line.startswith('(typepermissive '):
35                continue
36            sub_string = simplify_string(line)
37            elem_list = sub_string.split(' ')
38            # (typepermissive xx)
39            if len(elem_list) < 2:
40                continue
41            split_attribute(elem_list, allow_set)
42
43
44def split_attribute(elem_list, allow_set):
45    rulename = elem_list[0]
46    scontext = elem_list[1]
47    if rulename == 'typepermissive' :
48        allow_set.add(scontext)
49
50
51def get_permissive_set(args, with_developer):
52    allow_set = set()
53    if with_developer:
54        deal_with_allow(args.developer_cil_file, allow_set)
55    else:
56        deal_with_allow(args.cil_file, allow_set)
57    return allow_set
58
59
60def get_whitelist(args, with_developer):
61    whitelist_file_list = traverse_file_in_each_type(args.policy_dir_list, WHITELIST_FILE_NAME)
62    contexts_list = []
63    for path in whitelist_file_list:
64        white_list = read_json_file(path).get('whitelist')
65        contexts_list.extend(white_list.get('user'))
66        if with_developer:
67            contexts_list.extend(white_list.get('developer'))
68    return contexts_list
69
70
71def check(args, with_developer):
72    permissive_set = get_permissive_set(args, with_developer)
73    contexts_list = get_whitelist(args, with_developer)
74    notallow = permissive_set - set(contexts_list)
75    if len(notallow) > 0 :
76        print('check permissive rule in {} mode failed.'.format("developer" if with_developer else "user"))
77        print('violation list (scontext):')
78        for diff in sorted(list(notallow)):
79            print('\t{}'.format(diff))
80        print('There are two solutions:\n',
81              '\t1. Add the above list to whitelist file \'{}\' under \'{}\' in \'{}\' mode.\n'.format(
82                    WHITELIST_FILE_NAME, args.policy_dir_list, "developer" if with_developer else "user"),
83              '\t2. Change the policy to avoid violating rule.')
84    return len(notallow) > 0
85
86
87def parse_args():
88    parser = argparse.ArgumentParser()
89    parser.add_argument('--cil_file', help='the cil file path', required=True)
90    parser.add_argument('--developer_cil_file', help='the developer cil file path', required=True)
91    parser.add_argument('--policy-dir-list', help='policy dirs need to be included', required=True)
92
93    return parser.parse_args()
94
95
96if __name__ == '__main__':
97    input_args = parse_args()
98    print("check permissive input_args: {}".format(input_args))
99    result = check(input_args, False)
100    if result:
101        raise Exception(-1)
102    result = check(input_args, True)
103    if result:
104        raise Exception(-1)
105
106