def test_merge_noxperm(self): """Test merging two AVs without xperms""" a = access.AccessVector(["foo", "bar", "file", "read", "write"]) b = access.AccessVector(["foo", "bar", "file", "append"]) a.merge(b) self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
def test_add_av_second(self): """Test adding second AV to the AV set with same source and target context and class""" avs = access.AccessVectorSet() av1 = access.AccessVector(['foo', 'bar', 'file', 'read']) av2 = access.AccessVector(['foo', 'bar', 'file', 'write']) avs.add_av(av1) avs.add_av(av2) self.assertEqual(avs.to_list(), [['foo', 'bar', 'file', 'read', 'write']])
def text_merge_xperm2(self): """Test merging AV that does not contain xperms with AV that does""" a = access.AccessVector(["foo", "bar", "file", "read"]) xp = refpolicy.XpermSet() xp.add(42) xp.add(12345) a.xperms = {"ioctl": xp} b = access.AccessVector(["foo", "bar", "file", "read"]) a.merge(b) self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"]) self.assertEqual(list(a.xperms.keys()), ["ioctl"]) self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
def test_from_list(self): a = access.AccessVector() a.src_type = "foo" a.tgt_type = "bar" a.obj_class = "file" a.perms.update(["read", "write"]) l = access.AccessVector() l.from_list(['foo', 'bar', 'file', 'read', 'write']) self.assertEqual(a.src_type, l.src_type) self.assertEqual(a.tgt_type, l.tgt_type) self.assertEqual(a.obj_class, l.obj_class) self.assertEqual(a.perms, l.perms)
def test_add_av_first(self): """Test adding first AV to the AV set""" avs = access.AccessVectorSet() av = access.AccessVector(['foo', 'bar', 'file', 'read']) avs.add_av(av) self.assertEqual(avs.to_list(), [['foo', 'bar', 'file', 'read']])
def test_merge_xperm_same_op(self): """Test merging two AVs that contain xperms with same operation""" a = access.AccessVector(["foo", "bar", "file", "read"]) xp1 = refpolicy.XpermSet() xp1.add(23) a.xperms = {"ioctl": xp1} b = access.AccessVector(["foo", "bar", "file", "read"]) xp2 = refpolicy.XpermSet() xp2.add(42) xp2.add(12345) b.xperms = {"ioctl": xp2} a.merge(b) self.assertEqual(list(a.perms), ["read"]) self.assertEqual(list(a.xperms.keys()), ["ioctl"]) self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }")
def test_cmp(self): a = access.AccessVector() a.src_type = "foo" a.tgt_type = "bar" a.obj_class = "file" a.perms.update(["read", "write"]) b = access.AccessVector() b.src_type = "foo" b.tgt_type = "bar" b.obj_class = "file" b.perms.update(["read", "write"]) self.assertEqual(a, b) # Source Type b.src_type = "baz" self.assertNotEqual(a, b) self.assertTrue(a > b) b.src_type = "gaz" self.assertNotEqual(a, b) self.assertTrue(a < b) # Target Type b.src_type = "foo" b.tgt_type = "aar" self.assertNotEqual(a, b) self.assertTrue(a > b) b.tgt_type = "gaz" self.assertNotEqual(a, b) self.assertTrue(a < b) # Perms b.tgt_type = "bar" b.perms = refpolicy.IdSet(["read"]) self.assertNotEqual(a, b) self.assertTrue(a > b) b.perms = refpolicy.IdSet(["read", "write", "append"]) self.assertNotEqual(a, b) b.perms = refpolicy.IdSet(["read", "append"]) self.assertNotEqual(a, b)
def test_merge_xperm_diff_op(self): """Test merging two AVs that contain xperms with different operation""" a = access.AccessVector(["foo", "bar", "file", "read"]) xp1 = refpolicy.XpermSet() xp1.add(23) a.xperms = {"asdf": xp1} b = access.AccessVector(["foo", "bar", "file", "read"]) xp2 = refpolicy.XpermSet() xp2.add(42) xp2.add(12345) b.xperms = {"ioctl": xp2} a.merge(b) self.assertEqual(list(a.perms), ["read"]) self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"]) self.assertEqual(a.xperms["asdf"].to_string(), "0x17") self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def test_to_string(self): a = access.AccessVector() a.src_type = "foo" a.tgt_type = "bar" a.obj_class = "file" a.perms.update(["read", "write"]) self.assertEquals(str(a), "allow foo bar:file { read write };") self.assertEquals(a.to_string(), "allow foo bar:file { read write };")
def test_add_av_with_msg(self): """Test adding audit message""" avs = access.AccessVectorSet() av = access.AccessVector(['foo', 'bar', 'file', 'read']) avs.add_av(av, 'test message') self.assertEqual(avs.src['foo']['bar']['file', av.type].audit_msgs, ['test message'])
def test_av_rules(self): """ Test generating of AV rules from access vectors. """ av1 = access.AccessVector( ["test_src_t", "test_tgt_t", "file", "ioctl"]) av2 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "open"]) av3 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "read"]) avs = access.AccessVectorSet() avs.add_av(av1) avs.add_av(av2) avs.add_av(av3) self.g.add_access(avs) self.assertEqual(len(self.g.module.children), 1) r = self.g.module.children[0] self.assertIsInstance(r, refpolicy.AVRule) self.assertEqual( r.to_string(), "allow test_src_t test_tgt_t:file { ioctl open read };")
def test_search(self): h = refparser.parse(test_expansion) i = interfaces.InterfaceSet() i.add_headers(h) a = access.AccessVector(["foo_t", "usr_t", "dir", "create"]) m = matching.AccessMatcher() ml = matching.MatchList() ans = m.search_ifs(i, a, ml) pass
def test_init(self): # Default construction a = access.AccessVector() self.assertEqual(a.src_type, None) self.assertEqual(a.tgt_type, None) self.assertEqual(a.obj_class, None) self.assertTrue(isinstance(a.perms, refpolicy.IdSet)) self.assertTrue(isinstance(a.audit_msgs, type([]))) self.assertEqual(len(a.audit_msgs), 0) # Construction from a list a = access.AccessVector() a.src_type = "foo" a.tgt_type = "bar" a.obj_class = "file" a.perms.update(["read", "write"]) l = access.AccessVector(['foo', 'bar', 'file', 'read', 'write']) self.assertEqual(a.src_type, l.src_type) self.assertEqual(a.tgt_type, l.tgt_type) self.assertEqual(a.obj_class, l.obj_class) self.assertEqual(a.perms, l.perms)
def test_to_list(self): a = access.AccessVector() a.src_type = "foo" a.tgt_type = "bar" a.obj_class = "file" a.perms.update(["read", "write"]) l = a.to_list() self.assertEqual(l[0], "foo") self.assertEqual(l[1], "bar") self.assertEqual(l[2], "file") self.assertEqual(l[3], "read") self.assertEqual(l[4], "write")
def test_from_av(self): """ Test creating the rule from an access vector. """ av = access.AccessVector(["foo", "bar", "file", "ioctl"]) xp = refpolicy.XpermSet() av.xperms = {"ioctl": xp} a = refpolicy.AVExtRule() a.from_av(av, "ioctl") self.assertEqual(a.src_types, {"foo"}) self.assertEqual(a.tgt_types, {"bar"}) self.assertEqual(a.obj_classes, {"file"}) self.assertEqual(a.operation, "ioctl") self.assertIs(a.xperms, xp)
def test(self): av = access.AccessVector(['foo', 'bar', 'file', 'read']) params = {} ret = interfaces.av_extract_params(av, params) self.assertEqual(ret, 0) self.assertEqual(params, {}) av.src_type = "$1" ret = interfaces.av_extract_params(av, params) self.assertEqual(ret, 0) p = params["$1"] self.assertEqual(p.name, "$1") self.assertEqual(p.type, refpolicy.SRC_TYPE) self.assertEqual(p.obj_classes, refpolicy.IdSet(["file"])) params = {} av.tgt_type = "$1" av.obj_class = "process" ret = interfaces.av_extract_params(av, params) self.assertEqual(ret, 0) p = params["$1"] self.assertEqual(p.name, "$1") self.assertEqual(p.type, refpolicy.SRC_TYPE) self.assertEqual(p.obj_classes, refpolicy.IdSet(["process"])) params = {} av.tgt_type = "$1" av.obj_class = "dir" ret = interfaces.av_extract_params(av, params) self.assertEqual(ret, 1) p = params["$1"] self.assertEqual(p.name, "$1") self.assertEqual(p.type, refpolicy.SRC_TYPE) self.assertEqual(p.obj_classes, refpolicy.IdSet(["dir"])) av.src_type = "bar" av.tgt_type = "$2" av.obj_class = "dir" ret = interfaces.av_extract_params(av, params) self.assertEqual(ret, 0) p = params["$2"] self.assertEqual(p.name, "$2") self.assertEqual(p.type, refpolicy.TGT_TYPE) self.assertEqual(p.obj_classes, refpolicy.IdSet(["dir"]))
def test_to_string(self): a = access.AccessVector() a.src_type = "foo" a.tgt_type = "bar" a.obj_class = "file" a.perms.update(["read", "write"]) first, second = str(a).split(':') self.assertEqual(first, "allow foo bar") second = second.split(' ') second.sort() expected = "file { read write };".split(' ') expected.sort() self.assertEqual(second, expected) first, second = a.to_string().split(':') self.assertEqual(first, "allow foo bar") second = second.split(' ') second.sort() expected = "file { read write };".split(' ') expected.sort() self.assertEqual(second, expected)
def test_ext_av_rules(self): """ Test generating of extended permission AV rules from access vectors. """ self.g.set_gen_xperms(True) av1 = access.AccessVector( ["test_src_t", "test_tgt_t", "file", "ioctl"]) av1.xperms['ioctl'] = refpolicy.XpermSet() av1.xperms['ioctl'].add(42) av2 = access.AccessVector( ["test_src_t", "test_tgt_t", "file", "ioctl"]) av2.xperms['ioctl'] = refpolicy.XpermSet() av2.xperms['ioctl'].add(1234) av3 = access.AccessVector(["test_src_t", "test_tgt_t", "dir", "ioctl"]) av3.xperms['ioctl'] = refpolicy.XpermSet() av3.xperms['ioctl'].add(2345) avs = access.AccessVectorSet() avs.add_av(av1) avs.add_av(av2) avs.add_av(av3) self.g.add_access(avs) self.assertEqual(len(self.g.module.children), 4) # we cannot sort the rules, so find all rules manually av_rule1 = av_rule2 = av_ext_rule1 = av_ext_rule2 = None for r in self.g.module.children: if isinstance(r, refpolicy.AVRule): if 'file' in r.obj_classes: av_rule1 = r else: av_rule2 = r elif isinstance(r, refpolicy.AVExtRule): if 'file' in r.obj_classes: av_ext_rule1 = r else: av_ext_rule2 = r else: self.fail("Unexpected rule type '%s'" % type(r)) # check that all rules are present self.assertNotIn(None, (av_rule1, av_rule2, av_ext_rule1, av_ext_rule2)) self.assertEqual(av_rule1.rule_type, av_rule1.ALLOW) self.assertEqual(av_rule1.src_types, {"test_src_t"}) self.assertEqual(av_rule1.tgt_types, {"test_tgt_t"}) self.assertEqual(av_rule1.obj_classes, {"file"}) self.assertEqual(av_rule1.perms, {"ioctl"}) self.assertEqual(av_ext_rule1.rule_type, av_ext_rule1.ALLOWXPERM) self.assertEqual(av_ext_rule1.src_types, {"test_src_t"}) self.assertEqual(av_ext_rule1.tgt_types, {"test_tgt_t"}) self.assertEqual(av_ext_rule1.obj_classes, {"file"}) self.assertEqual(av_ext_rule1.operation, "ioctl") xp1 = refpolicy.XpermSet() xp1.add(42) xp1.add(1234) self.assertEqual(av_ext_rule1.xperms.ranges, xp1.ranges) self.assertEqual(av_rule2.rule_type, av_rule2.ALLOW) self.assertEqual(av_rule2.src_types, {"test_src_t"}) self.assertEqual(av_rule2.tgt_types, {"test_tgt_t"}) self.assertEqual(av_rule2.obj_classes, {"dir"}) self.assertEqual(av_rule2.perms, {"ioctl"}) self.assertEqual(av_ext_rule2.rule_type, av_ext_rule2.ALLOWXPERM) self.assertEqual(av_ext_rule2.src_types, {"test_src_t"}) self.assertEqual(av_ext_rule2.tgt_types, {"test_tgt_t"}) self.assertEqual(av_ext_rule2.obj_classes, {"dir"}) self.assertEqual(av_ext_rule2.operation, "ioctl") xp2 = refpolicy.XpermSet() xp2.add(2345) self.assertEqual(av_ext_rule2.xperms.ranges, xp2.ranges)