def test_merge_noxperm(self):
"""Test merging two AVs without xperms"""
a = access.AccessVector(["foo", "bar", "file", "read", "write"])
b = access.AccessVector(["foo", "bar", "file", "append"])
a.merge(b)
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
def test_add_av_second(self):
"""Test adding second AV to the AV set with same source and target
context and class"""
avs = access.AccessVectorSet()
av1 = access.AccessVector(['foo', 'bar', 'file', 'read'])
av2 = access.AccessVector(['foo', 'bar', 'file', 'write'])
avs.add_av(av1)
avs.add_av(av2)
self.assertEqual(avs.to_list(),
[['foo', 'bar', 'file', 'read', 'write']])
def text_merge_xperm2(self):
"""Test merging AV that does not contain xperms with AV that does"""
a = access.AccessVector(["foo", "bar", "file", "read"])
xp = refpolicy.XpermSet()
xp.add(42)
xp.add(12345)
a.xperms = {"ioctl": xp}
b = access.AccessVector(["foo", "bar", "file", "read"])
a.merge(b)
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
def test_from_list(self):
a = access.AccessVector()
a.src_type = "foo"
a.tgt_type = "bar"
a.obj_class = "file"
a.perms.update(["read", "write"])
l = access.AccessVector()
l.from_list(['foo', 'bar', 'file', 'read', 'write'])
self.assertEqual(a.src_type, l.src_type)
self.assertEqual(a.tgt_type, l.tgt_type)
self.assertEqual(a.obj_class, l.obj_class)
self.assertEqual(a.perms, l.perms)
def test_add_av_first(self):
"""Test adding first AV to the AV set"""
avs = access.AccessVectorSet()
av = access.AccessVector(['foo', 'bar', 'file', 'read'])
avs.add_av(av)
self.assertEqual(avs.to_list(), [['foo', 'bar', 'file', 'read']])
def test_merge_xperm_same_op(self):
"""Test merging two AVs that contain xperms with same operation"""
a = access.AccessVector(["foo", "bar", "file", "read"])
xp1 = refpolicy.XpermSet()
xp1.add(23)
a.xperms = {"ioctl": xp1}
b = access.AccessVector(["foo", "bar", "file", "read"])
xp2 = refpolicy.XpermSet()
xp2.add(42)
xp2.add(12345)
b.xperms = {"ioctl": xp2}
a.merge(b)
self.assertEqual(list(a.perms), ["read"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }")
def test_cmp(self):
a = access.AccessVector()
a.src_type = "foo"
a.tgt_type = "bar"
a.obj_class = "file"
a.perms.update(["read", "write"])
b = access.AccessVector()
b.src_type = "foo"
b.tgt_type = "bar"
b.obj_class = "file"
b.perms.update(["read", "write"])
self.assertEqual(a, b)
# Source Type
b.src_type = "baz"
self.assertNotEqual(a, b)
self.assertTrue(a > b)
b.src_type = "gaz"
self.assertNotEqual(a, b)
self.assertTrue(a < b)
# Target Type
b.src_type = "foo"
b.tgt_type = "aar"
self.assertNotEqual(a, b)
self.assertTrue(a > b)
b.tgt_type = "gaz"
self.assertNotEqual(a, b)
self.assertTrue(a < b)
# Perms
b.tgt_type = "bar"
b.perms = refpolicy.IdSet(["read"])
self.assertNotEqual(a, b)
self.assertTrue(a > b)
b.perms = refpolicy.IdSet(["read", "write", "append"])
self.assertNotEqual(a, b)
b.perms = refpolicy.IdSet(["read", "append"])
self.assertNotEqual(a, b)
def test_merge_xperm_diff_op(self):
"""Test merging two AVs that contain xperms with different operation"""
a = access.AccessVector(["foo", "bar", "file", "read"])
xp1 = refpolicy.XpermSet()
xp1.add(23)
a.xperms = {"asdf": xp1}
b = access.AccessVector(["foo", "bar", "file", "read"])
xp2 = refpolicy.XpermSet()
xp2.add(42)
xp2.add(12345)
b.xperms = {"ioctl": xp2}
a.merge(b)
self.assertEqual(list(a.perms), ["read"])
self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def test_to_string(self):
a = access.AccessVector()
a.src_type = "foo"
a.tgt_type = "bar"
a.obj_class = "file"
a.perms.update(["read", "write"])
self.assertEquals(str(a), "allow foo bar:file { read write };")
self.assertEquals(a.to_string(), "allow foo bar:file { read write };")
def test_add_av_with_msg(self):
"""Test adding audit message"""
avs = access.AccessVectorSet()
av = access.AccessVector(['foo', 'bar', 'file', 'read'])
avs.add_av(av, 'test message')
self.assertEqual(avs.src['foo']['bar']['file', av.type].audit_msgs,
['test message'])
def test_av_rules(self):
""" Test generating of AV rules from access vectors. """
av1 = access.AccessVector(
["test_src_t", "test_tgt_t", "file", "ioctl"])
av2 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "open"])
av3 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "read"])
avs = access.AccessVectorSet()
avs.add_av(av1)
avs.add_av(av2)
avs.add_av(av3)
self.g.add_access(avs)
self.assertEqual(len(self.g.module.children), 1)
r = self.g.module.children[0]
self.assertIsInstance(r, refpolicy.AVRule)
self.assertEqual(
r.to_string(),
"allow test_src_t test_tgt_t:file { ioctl open read };")
def test_search(self):
h = refparser.parse(test_expansion)
i = interfaces.InterfaceSet()
i.add_headers(h)
a = access.AccessVector(["foo_t", "usr_t", "dir", "create"])
m = matching.AccessMatcher()
ml = matching.MatchList()
ans = m.search_ifs(i, a, ml)
pass
def test_init(self):
# Default construction
a = access.AccessVector()
self.assertEqual(a.src_type, None)
self.assertEqual(a.tgt_type, None)
self.assertEqual(a.obj_class, None)
self.assertTrue(isinstance(a.perms, refpolicy.IdSet))
self.assertTrue(isinstance(a.audit_msgs, type([])))
self.assertEqual(len(a.audit_msgs), 0)
# Construction from a list
a = access.AccessVector()
a.src_type = "foo"
a.tgt_type = "bar"
a.obj_class = "file"
a.perms.update(["read", "write"])
l = access.AccessVector(['foo', 'bar', 'file', 'read', 'write'])
self.assertEqual(a.src_type, l.src_type)
self.assertEqual(a.tgt_type, l.tgt_type)
self.assertEqual(a.obj_class, l.obj_class)
self.assertEqual(a.perms, l.perms)
def test_to_list(self):
a = access.AccessVector()
a.src_type = "foo"
a.tgt_type = "bar"
a.obj_class = "file"
a.perms.update(["read", "write"])
l = a.to_list()
self.assertEqual(l[0], "foo")
self.assertEqual(l[1], "bar")
self.assertEqual(l[2], "file")
self.assertEqual(l[3], "read")
self.assertEqual(l[4], "write")
def test_from_av(self):
""" Test creating the rule from an access vector. """
av = access.AccessVector(["foo", "bar", "file", "ioctl"])
xp = refpolicy.XpermSet()
av.xperms = {"ioctl": xp}
a = refpolicy.AVExtRule()
a.from_av(av, "ioctl")
self.assertEqual(a.src_types, {"foo"})
self.assertEqual(a.tgt_types, {"bar"})
self.assertEqual(a.obj_classes, {"file"})
self.assertEqual(a.operation, "ioctl")
self.assertIs(a.xperms, xp)
def test(self):
av = access.AccessVector(['foo', 'bar', 'file', 'read'])
params = {}
ret = interfaces.av_extract_params(av, params)
self.assertEqual(ret, 0)
self.assertEqual(params, {})
av.src_type = "$1"
ret = interfaces.av_extract_params(av, params)
self.assertEqual(ret, 0)
p = params["$1"]
self.assertEqual(p.name, "$1")
self.assertEqual(p.type, refpolicy.SRC_TYPE)
self.assertEqual(p.obj_classes, refpolicy.IdSet(["file"]))
params = {}
av.tgt_type = "$1"
av.obj_class = "process"
ret = interfaces.av_extract_params(av, params)
self.assertEqual(ret, 0)
p = params["$1"]
self.assertEqual(p.name, "$1")
self.assertEqual(p.type, refpolicy.SRC_TYPE)
self.assertEqual(p.obj_classes, refpolicy.IdSet(["process"]))
params = {}
av.tgt_type = "$1"
av.obj_class = "dir"
ret = interfaces.av_extract_params(av, params)
self.assertEqual(ret, 1)
p = params["$1"]
self.assertEqual(p.name, "$1")
self.assertEqual(p.type, refpolicy.SRC_TYPE)
self.assertEqual(p.obj_classes, refpolicy.IdSet(["dir"]))
av.src_type = "bar"
av.tgt_type = "$2"
av.obj_class = "dir"
ret = interfaces.av_extract_params(av, params)
self.assertEqual(ret, 0)
p = params["$2"]
self.assertEqual(p.name, "$2")
self.assertEqual(p.type, refpolicy.TGT_TYPE)
self.assertEqual(p.obj_classes, refpolicy.IdSet(["dir"]))
def test_to_string(self):
a = access.AccessVector()
a.src_type = "foo"
a.tgt_type = "bar"
a.obj_class = "file"
a.perms.update(["read", "write"])
first, second = str(a).split(':')
self.assertEqual(first, "allow foo bar")
second = second.split(' ')
second.sort()
expected = "file { read write };".split(' ')
expected.sort()
self.assertEqual(second, expected)
first, second = a.to_string().split(':')
self.assertEqual(first, "allow foo bar")
second = second.split(' ')
second.sort()
expected = "file { read write };".split(' ')
expected.sort()
self.assertEqual(second, expected)
def test_ext_av_rules(self):
""" Test generating of extended permission AV rules from access
vectors. """
self.g.set_gen_xperms(True)
av1 = access.AccessVector(
["test_src_t", "test_tgt_t", "file", "ioctl"])
av1.xperms['ioctl'] = refpolicy.XpermSet()
av1.xperms['ioctl'].add(42)
av2 = access.AccessVector(
["test_src_t", "test_tgt_t", "file", "ioctl"])
av2.xperms['ioctl'] = refpolicy.XpermSet()
av2.xperms['ioctl'].add(1234)
av3 = access.AccessVector(["test_src_t", "test_tgt_t", "dir", "ioctl"])
av3.xperms['ioctl'] = refpolicy.XpermSet()
av3.xperms['ioctl'].add(2345)
avs = access.AccessVectorSet()
avs.add_av(av1)
avs.add_av(av2)
avs.add_av(av3)
self.g.add_access(avs)
self.assertEqual(len(self.g.module.children), 4)
# we cannot sort the rules, so find all rules manually
av_rule1 = av_rule2 = av_ext_rule1 = av_ext_rule2 = None
for r in self.g.module.children:
if isinstance(r, refpolicy.AVRule):
if 'file' in r.obj_classes:
av_rule1 = r
else:
av_rule2 = r
elif isinstance(r, refpolicy.AVExtRule):
if 'file' in r.obj_classes:
av_ext_rule1 = r
else:
av_ext_rule2 = r
else:
self.fail("Unexpected rule type '%s'" % type(r))
# check that all rules are present
self.assertNotIn(None,
(av_rule1, av_rule2, av_ext_rule1, av_ext_rule2))
self.assertEqual(av_rule1.rule_type, av_rule1.ALLOW)
self.assertEqual(av_rule1.src_types, {"test_src_t"})
self.assertEqual(av_rule1.tgt_types, {"test_tgt_t"})
self.assertEqual(av_rule1.obj_classes, {"file"})
self.assertEqual(av_rule1.perms, {"ioctl"})
self.assertEqual(av_ext_rule1.rule_type, av_ext_rule1.ALLOWXPERM)
self.assertEqual(av_ext_rule1.src_types, {"test_src_t"})
self.assertEqual(av_ext_rule1.tgt_types, {"test_tgt_t"})
self.assertEqual(av_ext_rule1.obj_classes, {"file"})
self.assertEqual(av_ext_rule1.operation, "ioctl")
xp1 = refpolicy.XpermSet()
xp1.add(42)
xp1.add(1234)
self.assertEqual(av_ext_rule1.xperms.ranges, xp1.ranges)
self.assertEqual(av_rule2.rule_type, av_rule2.ALLOW)
self.assertEqual(av_rule2.src_types, {"test_src_t"})
self.assertEqual(av_rule2.tgt_types, {"test_tgt_t"})
self.assertEqual(av_rule2.obj_classes, {"dir"})
self.assertEqual(av_rule2.perms, {"ioctl"})
self.assertEqual(av_ext_rule2.rule_type, av_ext_rule2.ALLOWXPERM)
self.assertEqual(av_ext_rule2.src_types, {"test_src_t"})
self.assertEqual(av_ext_rule2.tgt_types, {"test_tgt_t"})
self.assertEqual(av_ext_rule2.obj_classes, {"dir"})
self.assertEqual(av_ext_rule2.operation, "ioctl")
xp2 = refpolicy.XpermSet()
xp2.add(2345)
self.assertEqual(av_ext_rule2.xperms.ranges, xp2.ranges)
