def test_list(self):
a = access.AccessVectorSet()
a.add("$1", "foo", "file", refpolicy.IdSet(["read", "write"]))
a.add("$1", "bar", "file", refpolicy.IdSet(["read", "write"]))
a.add("what", "bar", "file", refpolicy.IdSet(["read", "write"]))
avl = a.to_list()
avl.sort()
test_l = [['what', 'bar', 'file', 'read', 'write'],
['$1', 'foo', 'file', 'read', 'write'],
['$1', 'bar', 'file', 'read', 'write']]
test_l.sort()
for a, b in zip(test_l, avl):
self.assertEqual(len(a), len(b))
for x, y in list(zip(a, b))[:3]:
self.assertEqual(x, y)
perms1 = a[3:]
perms2 = b[3:]
perms1.sort()
perms2.sort()
self.assertEqual(perms1, perms2)
b = access.AccessVectorSet()
b.from_list(avl)
self.assertEqual(len(b), 3)
def test_add_av_first(self):
"""Test adding first AV to the AV set"""
avs = access.AccessVectorSet()
av = access.AccessVector(['foo', 'bar', 'file', 'read'])
avs.add_av(av)
self.assertEqual(avs.to_list(), [['foo', 'bar', 'file', 'read']])
def test_add_av_with_msg(self):
"""Test adding audit message"""
avs = access.AccessVectorSet()
av = access.AccessVector(['foo', 'bar', 'file', 'read'])
avs.add_av(av, 'test message')
self.assertEqual(avs.src['foo']['bar']['file', av.type].audit_msgs,
['test message'])
def test_add_av_second(self):
"""Test adding second AV to the AV set with same source and target
context and class"""
avs = access.AccessVectorSet()
av1 = access.AccessVector(['foo', 'bar', 'file', 'read'])
av2 = access.AccessVector(['foo', 'bar', 'file', 'write'])
avs.add_av(av1)
avs.add_av(av2)
self.assertEqual(avs.to_list(),
[['foo', 'bar', 'file', 'read', 'write']])
def setUp(self):
rule = refpolicy.AVRule()
rule.src_types.add("foo")
rule.src_types.add("baz")
rule.tgt_types.add("bar")
rule.tgt_types.add("what")
rule.obj_classes.add("file")
rule.obj_classes.add("dir")
rule.perms.add("read")
rule.perms.add("write")
s = access.AccessVectorSet()
avs = access.avrule_to_access_vectors(rule)
for av in avs:
s.add_av(av)
self.s = s
def compare_avsets(l, avs_b):
avs_a = access.AccessVectorSet()
avs_a.from_list(l)
a = list(avs_a)
b = list(avs_b)
a.sort()
b.sort()
if len(a) != len(b):
return False
for av_a, av_b in zip(a, b):
if av_a != av_b:
return False
return True
def test_av_rules(self):
""" Test generating of AV rules from access vectors. """
av1 = access.AccessVector(
["test_src_t", "test_tgt_t", "file", "ioctl"])
av2 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "open"])
av3 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "read"])
avs = access.AccessVectorSet()
avs.add_av(av1)
avs.add_av(av2)
avs.add_av(av3)
self.g.add_access(avs)
self.assertEqual(len(self.g.module.children), 1)
r = self.g.module.children[0]
self.assertIsInstance(r, refpolicy.AVRule)
self.assertEqual(
r.to_string(),
"allow test_src_t test_tgt_t:file { ioctl open read };")
def test_add(self):
"""Test adding AV to the set"""
s = access.AccessVectorSet()
def test_add_av(av, audit_msg=None):
self.assertEqual(av.src_type, 'foo')
self.assertEqual(av.tgt_type, 'bar')
self.assertEqual(av.obj_class, 'file')
self.assertEqual(list(av.perms), ['read'])
self.assertEqual(av.data, 'test data')
self.assertEqual(av.type, 42)
self.assertEqual(audit_msg, 'test message')
s.add_av = test_add_av
s.add("foo",
"bar",
"file",
refpolicy.IdSet(["read"]),
audit_msg='test message',
avc_type=42,
data='test data')
def test_ext_av_rules(self):
""" Test generating of extended permission AV rules from access
vectors. """
self.g.set_gen_xperms(True)
av1 = access.AccessVector(
["test_src_t", "test_tgt_t", "file", "ioctl"])
av1.xperms['ioctl'] = refpolicy.XpermSet()
av1.xperms['ioctl'].add(42)
av2 = access.AccessVector(
["test_src_t", "test_tgt_t", "file", "ioctl"])
av2.xperms['ioctl'] = refpolicy.XpermSet()
av2.xperms['ioctl'].add(1234)
av3 = access.AccessVector(["test_src_t", "test_tgt_t", "dir", "ioctl"])
av3.xperms['ioctl'] = refpolicy.XpermSet()
av3.xperms['ioctl'].add(2345)
avs = access.AccessVectorSet()
avs.add_av(av1)
avs.add_av(av2)
avs.add_av(av3)
self.g.add_access(avs)
self.assertEqual(len(self.g.module.children), 4)
# we cannot sort the rules, so find all rules manually
av_rule1 = av_rule2 = av_ext_rule1 = av_ext_rule2 = None
for r in self.g.module.children:
if isinstance(r, refpolicy.AVRule):
if 'file' in r.obj_classes:
av_rule1 = r
else:
av_rule2 = r
elif isinstance(r, refpolicy.AVExtRule):
if 'file' in r.obj_classes:
av_ext_rule1 = r
else:
av_ext_rule2 = r
else:
self.fail("Unexpected rule type '%s'" % type(r))
# check that all rules are present
self.assertNotIn(None,
(av_rule1, av_rule2, av_ext_rule1, av_ext_rule2))
self.assertEqual(av_rule1.rule_type, av_rule1.ALLOW)
self.assertEqual(av_rule1.src_types, {"test_src_t"})
self.assertEqual(av_rule1.tgt_types, {"test_tgt_t"})
self.assertEqual(av_rule1.obj_classes, {"file"})
self.assertEqual(av_rule1.perms, {"ioctl"})
self.assertEqual(av_ext_rule1.rule_type, av_ext_rule1.ALLOWXPERM)
self.assertEqual(av_ext_rule1.src_types, {"test_src_t"})
self.assertEqual(av_ext_rule1.tgt_types, {"test_tgt_t"})
self.assertEqual(av_ext_rule1.obj_classes, {"file"})
self.assertEqual(av_ext_rule1.operation, "ioctl")
xp1 = refpolicy.XpermSet()
xp1.add(42)
xp1.add(1234)
self.assertEqual(av_ext_rule1.xperms.ranges, xp1.ranges)
self.assertEqual(av_rule2.rule_type, av_rule2.ALLOW)
self.assertEqual(av_rule2.src_types, {"test_src_t"})
self.assertEqual(av_rule2.tgt_types, {"test_tgt_t"})
self.assertEqual(av_rule2.obj_classes, {"dir"})
self.assertEqual(av_rule2.perms, {"ioctl"})
self.assertEqual(av_ext_rule2.rule_type, av_ext_rule2.ALLOWXPERM)
self.assertEqual(av_ext_rule2.src_types, {"test_src_t"})
self.assertEqual(av_ext_rule2.tgt_types, {"test_tgt_t"})
self.assertEqual(av_ext_rule2.obj_classes, {"dir"})
self.assertEqual(av_ext_rule2.operation, "ioctl")
xp2 = refpolicy.XpermSet()
xp2.add(2345)
self.assertEqual(av_ext_rule2.xperms.ranges, xp2.ranges)
def test_init(self):
a = access.AccessVectorSet()
