Beispiel #1
def test_net_taint(bpf_program: BPFProgram, caplog):
    """Expect the INET6-create helper to fail when only a TAINT rule is loaded.

    A profile is registered for NET_PATH and a single rule is added:
    CREATE on the INET family with the TAINT action. The helper binary is
    then run in ``create-inet6`` mode and must exit non-zero.
    """
    Commands.add_profile(NET_PATH, False)
    Commands.add_net_rule(
        NET_PATH,
        NET_ACCESS.CREATE,
        NET_FAMILY.INET,
        BPFBOX_ACTION.TAINT,
    )

    # NOTE(review): presumably the helper taints itself by creating an INET
    # socket before the INET6 one, and the INET6 create is denied because no
    # ALLOW rule covers it -- confirm against the helper's source.
    helper_cmd = [NET_PATH, 'create-inet6']

    # check_call raises CalledProcessError for *any* non-zero exit status, so
    # this assertion alone does not tell a policy denial apart from some other
    # failure inside the helper.
    with pytest.raises(subprocess.CalledProcessError):
        subprocess.check_call(helper_cmd)
Beispiel #2
 def load(self, policy: Policy):
     """Load this rule into *policy*, one network rule per listed family.

     After delegating to the parent ``load``, a state number is computed for
     the policy and ``Commands.add_net_rule`` is called once for every entry
     in ``self.family``, each time with the same access, action and state.
     """
     super().load(policy)
     state_number = self.calculate_state_number(policy)

     for family_name in self.family:
         # The conversions stay inside the loop so nothing is converted when
         # self.family is empty, and the argument evaluation order is kept.
         profile = policy.profile
         access = NET_ACCESS.from_list(self.operation)
         net_family = NET_FAMILY.from_string(family_name)
         action = BPFBOX_ACTION.from_list(self.action)
         Commands.add_net_rule(profile, access, net_family, action,
                               state_number)
Beispiel #3
def test_net_socketpair(bpf_program: BPFProgram, caplog):
    """Check that a UNIX socketpair is refused until CREATE/UNIX is allowed.

    With only the CREATE/INET TAINT rule loaded, the helper's
    ``create-unix-socketpair`` mode must exit non-zero. Once an ALLOW rule for
    CREATE on the UNIX family is added, the same invocation must succeed.
    """

    def run_socketpair_helper():
        # Raises CalledProcessError on any non-zero exit status.
        subprocess.check_call([NET_PATH, 'create-unix-socketpair'])

    Commands.add_profile(NET_PATH, False)
    Commands.add_net_rule(
        NET_PATH,
        NET_ACCESS.CREATE,
        NET_FAMILY.INET,
        BPFBOX_ACTION.TAINT,
    )

    # No ALLOW rule for the UNIX family yet: the helper is expected to fail.
    # NOTE(review): any non-zero exit satisfies this check, not only a
    # policy denial.
    with pytest.raises(subprocess.CalledProcessError):
        run_socketpair_helper()

    Commands.add_net_rule(
        NET_PATH,
        NET_ACCESS.CREATE,
        NET_FAMILY.UNIX,
        BPFBOX_ACTION.ALLOW,
    )

    # With CREATE/UNIX allowed the helper must now exit with status 0.
    run_socketpair_helper()
Beispiel #4
def test_net_create_rules(bpf_program: BPFProgram, caplog):
    """Walk through CREATE rules family by family and check each step.

    Starting from a profile that only carries a CREATE/INET TAINT rule, the
    test adds ALLOW rules for INET6 and then UNIX, asserting after each step
    which helper modes exit non-zero and which succeed.
    """

    def run_helper(mode):
        # check_call raises CalledProcessError on any non-zero exit status.
        subprocess.check_call([NET_PATH, mode])

    def expect_failure(mode):
        # NOTE(review): this passes for any non-zero exit of the helper, so
        # it cannot by itself prove the failure was a policy denial.
        with pytest.raises(subprocess.CalledProcessError):
            run_helper(mode)

    def allow_create(family):
        Commands.add_net_rule(NET_PATH, NET_ACCESS.CREATE, family,
                              BPFBOX_ACTION.ALLOW)

    Commands.add_profile(NET_PATH, False)
    Commands.add_net_rule(
        NET_PATH,
        NET_ACCESS.CREATE,
        NET_FAMILY.INET,
        BPFBOX_ACTION.TAINT,
    )

    # Step 1: nothing is allowed yet, so both socket kinds must be refused.
    expect_failure('create-inet6')
    expect_failure('create-unix')

    # Step 2: permit INET6 creation only; UNIX must remain refused.
    allow_create(NET_FAMILY.INET6)
    run_helper('create-inet6')
    expect_failure('create-unix')

    # Step 3: permit UNIX creation as well; both modes must now succeed.
    allow_create(NET_FAMILY.UNIX)
    run_helper('create-inet6')
    run_helper('create-unix')
Beispiel #5
def test_net_connect_rules(bpf_program: BPFProgram, caplog):
    """Check that CREATE and CONNECT on INET6 must both be allowed.

    The helper's ``inet-create-and-connect`` mode is run three times: with
    only the CREATE/INET TAINT rule, after CREATE/INET6 is allowed, and after
    CONNECT/INET6 is allowed too. Only the last run is expected to succeed.
    """

    def create_and_connect():
        # Raises CalledProcessError on any non-zero exit status.
        subprocess.check_call([NET_PATH, 'inet-create-and-connect'])

    def allow_inet6(access):
        Commands.add_net_rule(NET_PATH, access, NET_FAMILY.INET6,
                              BPFBOX_ACTION.ALLOW)

    Commands.add_profile(NET_PATH, False)
    Commands.add_net_rule(
        NET_PATH,
        NET_ACCESS.CREATE,
        NET_FAMILY.INET,
        BPFBOX_ACTION.TAINT,
    )

    # Only the TAINT rule exists: the helper must fail.
    with pytest.raises(subprocess.CalledProcessError):
        create_and_connect()

    # Allowing socket creation alone is not enough; the helper must still
    # fail. NOTE(review): the test cannot see *which* step failed inside the
    # helper, only that its exit status was non-zero.
    allow_inet6(NET_ACCESS.CREATE)
    with pytest.raises(subprocess.CalledProcessError):
        create_and_connect()

    # With CONNECT allowed as well, the helper must exit with status 0.
    allow_inet6(NET_ACCESS.CONNECT)
    create_and_connect()
Beispiel #6
 def __call__(self, profile: str) -> int:
     """Add this object's network rule to *profile*.

     Forwards ``self.access``, ``self.family`` and ``self.action`` to
     ``Commands.add_net_rule`` and returns whatever that call returns.
     """
     result = Commands.add_net_rule(
         profile,
         self.access,
         self.family,
         self.action,
     )
     return result