def test_parse_simple_with_arg(self):
"""Allow simple denylist policy files."""
path = self._write_file(
'test.policy', """
# Comment.
@denylist
read: return ENOSYS
write: arg0 == 0 ; return ENOSYS
""")
self.assertEqual(
self.parser.parse_file(path),
parser.ParsedPolicy(
default_action=bpf.Allow(),
filter_statements=[
parser.FilterStatement(
syscall=parser.Syscall('read', 0),
frequency=1,
filters=[
parser.Filter(
None,
bpf.ReturnErrno(
self.arch.constants['ENOSYS'])),
]),
parser.FilterStatement(
syscall=parser.Syscall('write', 1),
frequency=1,
filters=[
parser.Filter([[parser.Atom(0, '==', 0)]],
bpf.ReturnErrno(
self.arch.constants['ENOSYS'])),
parser.Filter(None, bpf.Allow()),
]),
]))
def test_parse_simple_grouped(self):
"""Allow simple policy files."""
path = self._write_file(
'test.policy', """
# Comment.
{read, write}: allow
""")
self.assertEqual(
self.parser.parse_file(path),
parser.ParsedPolicy(default_action=bpf.KillProcess(),
filter_statements=[
parser.FilterStatement(
syscall=parser.Syscall('read', 0),
frequency=1,
filters=[
parser.Filter(None, bpf.Allow()),
]),
parser.FilterStatement(
syscall=parser.Syscall('write', 1),
frequency=1,
filters=[
parser.Filter(None, bpf.Allow()),
]),
]))
def test_parse_frequency(self):
"""Allow including frequency files."""
self._write_file(
'test.frequency', """
read: 2
write: 3
""")
path = self._write_file(
'test.policy', """
@frequency ./test.frequency
read: allow
""")
self.assertEqual(
self.parser.parse_file(path),
parser.ParsedPolicy(
default_action=bpf.KillProcess(),
filter_statements=[
parser.FilterStatement(
syscall=parser.Syscall('read', 0),
frequency=2,
filters=[
parser.Filter(None, bpf.Allow()),
]),
]))
def test_parse_default(self):
"""Allow defining a default action."""
path = self._write_file(
'test.policy', """
@default kill-thread
read: allow
""")
self.assertEqual(
self.parser.parse_file(path),
parser.ParsedPolicy(default_action=bpf.KillThread(),
filter_statements=[
parser.FilterStatement(
syscall=parser.Syscall('read', 0),
frequency=1,
filters=[
parser.Filter(None, bpf.Allow()),
]),
]))
def test_parse_other_arch(self):
"""Allow entries that only target another architecture."""
path = self._write_file(
'test.policy', """
# Comment.
read[arch=nonexistent]: allow
write: allow
""")
self.assertEqual(
self.parser.parse_file(path),
parser.ParsedPolicy(default_action=bpf.KillProcess(),
filter_statements=[
parser.FilterStatement(
syscall=parser.Syscall('write', 1),
frequency=1,
filters=[
parser.Filter(None, bpf.Allow()),
]),
]))
def test_parse_include(self):
"""Allow including policy files."""
path = self._write_file(
'test.include.policy', """
{read, write}: arg0 == 0; allow
""")
path = self._write_file(
'test.policy', """
@include ./test.include.policy
read: return ENOSYS
""")
self.assertEqual(
self.parser.parse_file(path),
parser.ParsedPolicy(
default_action=bpf.KillProcess(),
filter_statements=[
parser.FilterStatement(
syscall=parser.Syscall('read', 0),
frequency=1,
filters=[
parser.Filter([[parser.Atom(0, '==', 0)]],
bpf.Allow()),
parser.Filter(
None,
bpf.ReturnErrno(
self.arch.constants['ENOSYS'])),
]),
parser.FilterStatement(
syscall=parser.Syscall('write', 1),
frequency=1,
filters=[
parser.Filter([[parser.Atom(0, '==', 0)]],
bpf.Allow()),
parser.Filter(None, bpf.KillProcess()),
]),
]))
