def test_net_taint(bpf_program: BPFProgram, caplog):
    """A TAINT rule on INET socket creation must make 'create-inet6' fail.

    Steps: register a profile for NET_PATH (second positional argument is
    False, as in the other tests of this file), attach one CREATE/INET rule
    with the TAINT action, then run the test binary in 'create-inet6' mode
    and expect a non-zero exit, which check_call raises as
    CalledProcessError. Presumably the denial comes from the absence of an
    ALLOW rule for INET6 once the process is tainted -- confirm against the
    test binary and the enforcement logic.
    """

    def run_mode(mode: str) -> None:
        # Run the instrumented test program with a single mode argument.
        subprocess.check_call([NET_PATH, mode])

    Commands.add_profile(NET_PATH, False)
    Commands.add_net_rule(
        NET_PATH, NET_ACCESS.CREATE, NET_FAMILY.INET, BPFBOX_ACTION.TAINT
    )

    with pytest.raises(subprocess.CalledProcessError):
        run_mode('create-inet6')
def load(self, policy: Policy):
    """Install one network rule per configured family for *policy*.

    Delegates to the parent ``load`` first, derives the state number for
    this policy via ``calculate_state_number``, and then registers a rule
    through ``Commands.add_net_rule`` for every entry of ``self.family``.
    ``self.operation`` and ``self.action`` are converted with ``from_list``
    (so they appear to be list-valued -- confirm against the schema that
    builds this object) and the family string with ``from_string``.
    """
    super().load(policy)
    state = self.calculate_state_number(policy)

    for family_name in self.family:
        # Conversions are repeated per family on purpose: this mirrors the
        # original evaluation order and makes no purity assumption about
        # the from_list / from_string helpers.
        profile = policy.profile
        access = NET_ACCESS.from_list(self.operation)
        family = NET_FAMILY.from_string(family_name)
        action = BPFBOX_ACTION.from_list(self.action)
        Commands.add_net_rule(profile, access, family, action, state)
def test_net_socketpair(bpf_program: BPFProgram, caplog):
    """UNIX socketpair creation is denied until a CREATE/UNIX ALLOW rule exists.

    After the profile is registered and a CREATE/INET TAINT rule attached,
    'create-unix-socketpair' is expected to exit non-zero. Adding a
    CREATE/UNIX ALLOW rule must then let the same mode succeed (check_call
    raises if it does not).
    """

    def run_mode(mode: str) -> None:
        # Run the instrumented test program with a single mode argument.
        subprocess.check_call([NET_PATH, mode])

    Commands.add_profile(NET_PATH, False)
    Commands.add_net_rule(
        NET_PATH, NET_ACCESS.CREATE, NET_FAMILY.INET, BPFBOX_ACTION.TAINT
    )

    # Denied: no rule covers UNIX socket creation yet.
    with pytest.raises(subprocess.CalledProcessError):
        run_mode('create-unix-socketpair')

    # Allowed once an explicit CREATE/UNIX ALLOW rule is present.
    Commands.add_net_rule(
        NET_PATH, NET_ACCESS.CREATE, NET_FAMILY.UNIX, BPFBOX_ACTION.ALLOW
    )
    run_mode('create-unix-socketpair')
def test_net_create_rules(bpf_program: BPFProgram, caplog):
    """Socket creation per family is denied until its own ALLOW rule exists.

    Starting from a profile with only a CREATE/INET TAINT rule, both the
    'create-inet6' and 'create-unix' modes must fail. Allowing CREATE for
    INET6 must unblock only 'create-inet6'; allowing CREATE for UNIX must
    then unblock 'create-unix' as well, so rules are checked per family
    rather than as a single network switch.
    """

    def run_mode(mode: str) -> None:
        # Run the instrumented test program with a single mode argument.
        subprocess.check_call([NET_PATH, mode])

    def expect_denied(mode: str) -> None:
        # A denied operation makes the test program exit non-zero.
        with pytest.raises(subprocess.CalledProcessError):
            run_mode(mode)

    Commands.add_profile(NET_PATH, False)
    Commands.add_net_rule(
        NET_PATH, NET_ACCESS.CREATE, NET_FAMILY.INET, BPFBOX_ACTION.TAINT
    )

    # Neither family has an ALLOW rule yet.
    expect_denied('create-inet6')
    expect_denied('create-unix')

    # Allow INET6 creation only; UNIX must stay denied.
    Commands.add_net_rule(
        NET_PATH, NET_ACCESS.CREATE, NET_FAMILY.INET6, BPFBOX_ACTION.ALLOW
    )
    run_mode('create-inet6')
    expect_denied('create-unix')

    # Allow UNIX creation too; both modes must now succeed.
    Commands.add_net_rule(
        NET_PATH, NET_ACCESS.CREATE, NET_FAMILY.UNIX, BPFBOX_ACTION.ALLOW
    )
    run_mode('create-inet6')
    run_mode('create-unix')
def test_net_connect_rules(bpf_program: BPFProgram, caplog):
    """CONNECT needs its own ALLOW rule; a CREATE ALLOW rule is not enough.

    With only a CREATE/INET TAINT rule, 'inet-create-and-connect' must
    fail. It must keep failing after a CREATE/INET6 ALLOW rule is added,
    and succeed only once a CONNECT/INET6 ALLOW rule is present as well.
    """

    def run_mode(mode: str) -> None:
        # Run the instrumented test program with a single mode argument.
        subprocess.check_call([NET_PATH, mode])

    def expect_denied(mode: str) -> None:
        # A denied operation makes the test program exit non-zero.
        with pytest.raises(subprocess.CalledProcessError):
            run_mode(mode)

    Commands.add_profile(NET_PATH, False)
    Commands.add_net_rule(
        NET_PATH, NET_ACCESS.CREATE, NET_FAMILY.INET, BPFBOX_ACTION.TAINT
    )

    # No ALLOW rule at all for INET6.
    expect_denied('inet-create-and-connect')

    # CREATE is allowed, but CONNECT is still not.
    Commands.add_net_rule(
        NET_PATH, NET_ACCESS.CREATE, NET_FAMILY.INET6, BPFBOX_ACTION.ALLOW
    )
    expect_denied('inet-create-and-connect')

    # Both CREATE and CONNECT are allowed: the mode must succeed.
    Commands.add_net_rule(
        NET_PATH, NET_ACCESS.CONNECT, NET_FAMILY.INET6, BPFBOX_ACTION.ALLOW
    )
    run_mode('inet-create-and-connect')
def __call__(self, profile: str) -> int:
    """Apply this rule to *profile* by registering it through ``Commands``.

    Reads ``self.access``, ``self.family`` and ``self.action`` and forwards
    them, together with *profile*, to ``Commands.add_net_rule``; the return
    value of that call is passed straight back to the caller.
    """
    access, family, action = self.access, self.family, self.action
    return Commands.add_net_rule(profile, access, family, action)