def testExpandAvcRule(self):
#TODO: add more examples here to cover different cases
expanded_allow_list = SELinux_CTS.expand_avc_rule(
self.test_policy, self.test_policy.allow_rules[0])
for a in expected_final_allow_list[0]:
self.failUnless(a in expanded_allow_list)
expanded_neverallow_list = SELinux_CTS.expand_avc_rule(
self.test_policy, self.test_policy.neverallow_rules[0])
for n in expected_final_neverallow_list[0]:
self.failUnless(n in expanded_neverallow_list)
def testExpandBrackets(self):
#test position without bracket:
self.test_file.seek(279)
self.failIf(SELinux_CTS.expand_brackets(self.test_file))
#test position with bracket:
self.test_file.seek(26123)
self.failUnless(
SELinux_CTS.expand_brackets(self.test_file) ==
" entrypoint read execute ")
#test position with nested brackets:
self.test_file.seek(26873)
self.failUnless(
SELinux_CTS.expand_brackets(self.test_file) ==
" dir chr_file blk_file file lnk_file sock_file fifo_file ")
def testIsMultiLine(self):
self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.TYPE))
self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.ATTRIBUTE))
self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.TYPEATTRIBUTE))
self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.CLASS))
self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.COMMON))
self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.ALLOW_RULE))
self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.NEVERALLOW_RULE))
self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.OTHER))
def testGetLineType(self):
self.failUnless(
SELinux_CTS.get_line_type('type bluetooth, domain;') ==
SELinux_CTS.TYPE)
self.failUnless(
SELinux_CTS.get_line_type('attribute unconfineddomain;') ==
SELinux_CTS.ATTRIBUTE)
self.failUnless(
SELinux_CTS.get_line_type('typeattribute bluetooth appdomain;') ==
SELinux_CTS.TYPEATTRIBUTE)
self.failUnless(
SELinux_CTS.get_line_type('class file') == SELinux_CTS.CLASS)
self.failUnless(
SELinux_CTS.get_line_type('common file') == SELinux_CTS.COMMON)
self.failUnless(
SELinux_CTS.get_line_type(
'allow healthd healthd_exec:file { entrypoint read execute };')
== SELinux_CTS.ALLOW_RULE)
self.failUnless(
SELinux_CTS.get_line_type(
'neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;'
) == SELinux_CTS.NEVERALLOW_RULE)
self.failUnless(
SELinux_CTS.get_line_type('# FLASK') == SELinux_CTS.OTHER)
if __name__ == "__main__":
# check usage
if len(sys.argv) != 3:
print usage
exit()
input_file = sys.argv[1]
output_file = sys.argv[2]
policy = SELinuxPolicy()
policy.from_file_name(input_file) #load data from file
# expand rules into 4-tuples for SELinux.h checkAccess() check
xml_root = Element('SELinux_AVC_Rules')
count = 1
for a in policy.allow_rules:
expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(policy, a, str(count), 'allow')
if len(expanded_xml):
xml_root.append(expanded_xml)
count += 1
count = 1
for n in policy.neverallow_rules:
expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(policy, n, str(count), 'neverallow')
if len(expanded_xml):
xml_root.append(expanded_xml)
count += 1
#print out the xml file
s = tostring(xml_root)
s_parsed = minidom.parseString(s)
output = s_parsed.toprettyxml(indent=" ")
with open(output_file, 'w') as out_file:
def testProcessInheritsSegment(self):
inherit_offset = 448 # needs changing if file changes
self.test_file.seek(inherit_offset, 0)
inherit_result = SELinux_CTS.process_inherits_segment(self.test_file)
self.failUnless(inherit_result == 'file')
return
def testGetAvcRuleComponent(self):
#test against normal ('allow healthd healthd_exec:file ...)
self.test_file.seek(26096)
normal_src = {'flags': {'complement': False}, 'set': set(['healthd'])}
normal_tgt = {
'flags': {
'complement': False
},
'set': set(['healthd_exec'])
}
normal_class = {'flags': {'complement': False}, 'set': set(['file'])}
normal_perm = {
'flags': {
'complement': False
},
'set': set(['entrypoint', 'read', 'execute'])
}
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == normal_src)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == normal_tgt)
c = SELinux_CTS.advance_past_whitespace(self.test_file)
if c == ':':
self.test_file.read(1)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == normal_class)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == normal_perm)
#test against 'hard' ('init {fs_type ...' )
self.test_file.seek(26838)
hard_src = {'flags': {'complement': False}, 'set': set(['init'])}
hard_tgt = {
'flags': {
'complement': False
},
'set': set(['fs_type', 'dev_type', 'file_type'])
}
hard_class = {
'flags': {
'complement': False
},
'set':
set([
'dir', 'chr_file', 'blk_file', 'file', 'lnk_file', 'sock_file',
'fifo_file'
])
}
hard_perm = {'flags': {'complement': False}, 'set': set(['relabelto'])}
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == hard_src)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == hard_tgt)
#mimic ':' check:
c = SELinux_CTS.advance_past_whitespace(self.test_file)
if c == ':':
self.test_file.read(1)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == hard_class)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == hard_perm)
#test against 'multi-line' ('init {fs_type ...' )
self.test_file.seek(26967)
multi_src = {
'flags': {
'complement': False
},
'set': set(['appdomain', '-unconfineddomain'])
}
multi_tgt = {
'flags': {
'complement': False
},
'set':
set([
'audio_device', 'camera_device', 'dm_device', 'radio_device',
'gps_device', 'rpmsg_device'
])
}
multi_class = {
'flags': {
'complement': False
},
'set': set(['chr_file'])
}
multi_perm = {
'flags': {
'complement': False
},
'set': set(['read', 'write'])
}
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == multi_src)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == multi_tgt)
c = SELinux_CTS.advance_past_whitespace(self.test_file)
if c == ':':
self.test_file.read(1)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == multi_class)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == multi_perm)
#test against 'complement'
self.test_file.seek(26806)
complement = {
'flags': {
'complement': True
},
'set': set(['entrypoint', 'relabelto'])
}
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == complement)
if __name__ == "__main__":
# check usage
if len(sys.argv) != 3:
print usage
exit()
input_file = sys.argv[1]
output_file = sys.argv[2]
policy = SELinuxPolicy()
policy.from_file_name(input_file) #load data from file
# expand rules into 4-tuples for SELinux.h checkAccess() check
xml_root = Element('SELinux_AVC_Rules')
count = 1
for a in policy.allow_rules:
expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(
policy, a, str(count), 'allow')
if len(expanded_xml):
xml_root.append(expanded_xml)
count += 1
count = 1
for n in policy.neverallow_rules:
expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(
policy, n, str(count), 'neverallow')
if len(expanded_xml):
xml_root.append(expanded_xml)
count += 1
#print out the xml file
s = tostring(xml_root)
s_parsed = minidom.parseString(s)
output = s_parsed.toprettyxml(indent=" ")
