def test_parse_simple_with_arg(self): """Allow simple denylist policy files.""" path = self._write_file( 'test.policy', """ # Comment. @denylist read: return ENOSYS write: arg0 == 0 ; return ENOSYS """) self.assertEqual( self.parser.parse_file(path), parser.ParsedPolicy( default_action=bpf.Allow(), filter_statements=[ parser.FilterStatement( syscall=parser.Syscall('read', 0), frequency=1, filters=[ parser.Filter( None, bpf.ReturnErrno( self.arch.constants['ENOSYS'])), ]), parser.FilterStatement( syscall=parser.Syscall('write', 1), frequency=1, filters=[ parser.Filter([[parser.Atom(0, '==', 0)]], bpf.ReturnErrno( self.arch.constants['ENOSYS'])), parser.Filter(None, bpf.Allow()), ]), ]))
def test_parse_simple_grouped(self): """Allow simple policy files.""" path = self._write_file( 'test.policy', """ # Comment. {read, write}: allow """) self.assertEqual( self.parser.parse_file(path), parser.ParsedPolicy(default_action=bpf.KillProcess(), filter_statements=[ parser.FilterStatement( syscall=parser.Syscall('read', 0), frequency=1, filters=[ parser.Filter(None, bpf.Allow()), ]), parser.FilterStatement( syscall=parser.Syscall('write', 1), frequency=1, filters=[ parser.Filter(None, bpf.Allow()), ]), ]))
def test_parse_frequency(self): """Allow including frequency files.""" self._write_file( 'test.frequency', """ read: 2 write: 3 """) path = self._write_file( 'test.policy', """ @frequency ./test.frequency read: allow """) self.assertEqual( self.parser.parse_file(path), parser.ParsedPolicy( default_action=bpf.KillProcess(), filter_statements=[ parser.FilterStatement( syscall=parser.Syscall('read', 0), frequency=2, filters=[ parser.Filter(None, bpf.Allow()), ]), ]))
def test_parse_default(self): """Allow defining a default action.""" path = self._write_file( 'test.policy', """ @default kill-thread read: allow """) self.assertEqual( self.parser.parse_file(path), parser.ParsedPolicy(default_action=bpf.KillThread(), filter_statements=[ parser.FilterStatement( syscall=parser.Syscall('read', 0), frequency=1, filters=[ parser.Filter(None, bpf.Allow()), ]), ]))
def test_parse_other_arch(self): """Allow entries that only target another architecture.""" path = self._write_file( 'test.policy', """ # Comment. read[arch=nonexistent]: allow write: allow """) self.assertEqual( self.parser.parse_file(path), parser.ParsedPolicy(default_action=bpf.KillProcess(), filter_statements=[ parser.FilterStatement( syscall=parser.Syscall('write', 1), frequency=1, filters=[ parser.Filter(None, bpf.Allow()), ]), ]))
def test_parse_include(self): """Allow including policy files.""" path = self._write_file( 'test.include.policy', """ {read, write}: arg0 == 0; allow """) path = self._write_file( 'test.policy', """ @include ./test.include.policy read: return ENOSYS """) self.assertEqual( self.parser.parse_file(path), parser.ParsedPolicy( default_action=bpf.KillProcess(), filter_statements=[ parser.FilterStatement( syscall=parser.Syscall('read', 0), frequency=1, filters=[ parser.Filter([[parser.Atom(0, '==', 0)]], bpf.Allow()), parser.Filter( None, bpf.ReturnErrno( self.arch.constants['ENOSYS'])), ]), parser.FilterStatement( syscall=parser.Syscall('write', 1), frequency=1, filters=[ parser.Filter([[parser.Atom(0, '==', 0)]], bpf.Allow()), parser.Filter(None, bpf.KillProcess()), ]), ]))