mirror of
https://github.com/SELinuxProject/setools
synced 2025-04-01 22:58:12 +00:00
Chris PeBenito
parent
7840f98afd
commit
47d8eda957
@ -18,6 +18,7 @@
|
||||
#
|
||||
from collections import namedtuple
|
||||
|
||||
from ..policyrep import ioctlSet
|
||||
from ..policyrep.exception import RuleNotConditional, RuleUseError, TERuleNoFilename
|
||||
|
||||
from .conditional import ConditionalExprWrapper
|
||||
@ -56,6 +57,22 @@ class TERulesDifference(Difference):
|
||||
removed_dontaudits = DiffResultDescriptor("diff_dontaudits")
|
||||
modified_dontaudits = DiffResultDescriptor("diff_dontaudits")
|
||||
|
||||
added_allowxperms = DiffResultDescriptor("diff_allowxperms")
|
||||
removed_allowxperms = DiffResultDescriptor("diff_allowxperms")
|
||||
modified_allowxperms = DiffResultDescriptor("diff_allowxperms")
|
||||
|
||||
added_auditallowxperms = DiffResultDescriptor("diff_auditallowxperms")
|
||||
removed_auditallowxperms = DiffResultDescriptor("diff_auditallowxperms")
|
||||
modified_auditallowxperms = DiffResultDescriptor("diff_auditallowxperms")
|
||||
|
||||
added_neverallowxperms = DiffResultDescriptor("diff_neverallowxperms")
|
||||
removed_neverallowxperms = DiffResultDescriptor("diff_neverallowxperms")
|
||||
modified_neverallowxperms = DiffResultDescriptor("diff_neverallowxperms")
|
||||
|
||||
added_dontauditxperms = DiffResultDescriptor("diff_dontauditxperms")
|
||||
removed_dontauditxperms = DiffResultDescriptor("diff_dontauditxperms")
|
||||
modified_dontauditxperms = DiffResultDescriptor("diff_dontauditxperms")
|
||||
|
||||
added_type_transitions = DiffResultDescriptor("diff_type_transitions")
|
||||
removed_type_transitions = DiffResultDescriptor("diff_type_transitions")
|
||||
modified_type_transitions = DiffResultDescriptor("diff_type_transitions")
|
||||
@ -81,6 +98,18 @@ class TERulesDifference(Difference):
|
||||
_left_dontaudits = None
|
||||
_right_dontaudits = None
|
||||
|
||||
_left_allowxperms = None
|
||||
_right_allowxperms = None
|
||||
|
||||
_left_auditallowxperms = None
|
||||
_right_auditallowxperms = None
|
||||
|
||||
_left_neverallowxperms = None
|
||||
_right_neverallowxperms = None
|
||||
|
||||
_left_dontauditxperms = None
|
||||
_right_dontauditxperms = None
|
||||
|
||||
_left_type_transitions = None
|
||||
_right_type_transitions = None
|
||||
|
||||
@ -151,6 +180,70 @@ class TERulesDifference(Difference):
|
||||
self._expand_generator(self._left_dontaudits, AVRuleWrapper),
|
||||
self._expand_generator(self._right_dontaudits, AVRuleWrapper))
|
||||
|
||||
def diff_allowxperms(self):
|
||||
"""Generate the difference in allowxperm rules between the policies."""
|
||||
|
||||
self.log.info(
|
||||
"Generating allowxperm differences from {0.left_policy} to {0.right_policy}".
|
||||
format(self))
|
||||
|
||||
if self._left_allowxperms is None or self._right_allowxperms is None:
|
||||
self._create_te_rule_lists()
|
||||
|
||||
self.added_allowxperms, \
|
||||
self.removed_allowxperms, \
|
||||
self.modified_allowxperms = self._diff_avx_rules(
|
||||
self._expand_generator(self._left_allowxperms, AVRuleXpermWrapper),
|
||||
self._expand_generator(self._right_allowxperms, AVRuleXpermWrapper))
|
||||
|
||||
def diff_auditallowxperms(self):
|
||||
"""Generate the difference in auditallowxperm rules between the policies."""
|
||||
|
||||
self.log.info(
|
||||
"Generating auditallowxperm differences from {0.left_policy} to {0.right_policy}".
|
||||
format(self))
|
||||
|
||||
if self._left_auditallowxperms is None or self._right_auditallowxperms is None:
|
||||
self._create_te_rule_lists()
|
||||
|
||||
self.added_auditallowxperms, \
|
||||
self.removed_auditallowxperms, \
|
||||
self.modified_auditallowxperms = self._diff_avx_rules(
|
||||
self._expand_generator(self._left_auditallowxperms, AVRuleXpermWrapper),
|
||||
self._expand_generator(self._right_auditallowxperms, AVRuleXpermWrapper))
|
||||
|
||||
def diff_neverallowxperms(self):
|
||||
"""Generate the difference in neverallowxperm rules between the policies."""
|
||||
|
||||
self.log.info(
|
||||
"Generating neverallowxperm differences from {0.left_policy} to {0.right_policy}".
|
||||
format(self))
|
||||
|
||||
if self._left_neverallowxperms is None or self._right_neverallowxperms is None:
|
||||
self._create_te_rule_lists()
|
||||
|
||||
self.added_neverallowxperms, \
|
||||
self.removed_neverallowxperms, \
|
||||
self.modified_neverallowxperms = self._diff_avx_rules(
|
||||
self._expand_generator(self._left_neverallowxperms, AVRuleXpermWrapper),
|
||||
self._expand_generator(self._right_neverallowxperms, AVRuleXpermWrapper))
|
||||
|
||||
def diff_dontauditxperms(self):
|
||||
"""Generate the difference in dontauditxperm rules between the policies."""
|
||||
|
||||
self.log.info(
|
||||
"Generating dontauditxperm differences from {0.left_policy} to {0.right_policy}".
|
||||
format(self))
|
||||
|
||||
if self._left_dontauditxperms is None or self._right_dontauditxperms is None:
|
||||
self._create_te_rule_lists()
|
||||
|
||||
self.added_dontauditxperms, \
|
||||
self.removed_dontauditxperms, \
|
||||
self.modified_dontauditxperms = self._diff_avx_rules(
|
||||
self._expand_generator(self._left_dontauditxperms, AVRuleXpermWrapper),
|
||||
self._expand_generator(self._right_dontauditxperms, AVRuleXpermWrapper))
|
||||
|
||||
def diff_type_transitions(self):
|
||||
"""Generate the difference in type_transition rules between the policies."""
|
||||
|
||||
@ -209,6 +302,10 @@ class TERulesDifference(Difference):
|
||||
self._left_auditallows = []
|
||||
self._left_neverallows = []
|
||||
self._left_dontaudits = []
|
||||
self._left_allowxperms = []
|
||||
self._left_auditallowxperms = []
|
||||
self._left_neverallowxperms = []
|
||||
self._left_dontauditxperms = []
|
||||
self._left_type_transitions = []
|
||||
self._left_type_changes = []
|
||||
self._left_type_members = []
|
||||
@ -223,6 +320,14 @@ class TERulesDifference(Difference):
|
||||
self._left_neverallows.append(rule)
|
||||
elif rule.ruletype == "dontaudit":
|
||||
self._left_dontaudits.append(rule)
|
||||
elif rule.ruletype == "allowxperm":
|
||||
self._left_allowxperms.append(rule)
|
||||
elif rule.ruletype == "auditallowxperm":
|
||||
self._left_auditallowxperms.append(rule)
|
||||
elif rule.ruletype == "neverallowxperm":
|
||||
self._left_neverallowxperms.append(rule)
|
||||
elif rule.ruletype == "dontauditxperm":
|
||||
self._left_dontauditxperms.append(rule)
|
||||
elif rule.ruletype == "type_transition":
|
||||
self._left_type_transitions.append(rule)
|
||||
elif rule.ruletype == "type_change":
|
||||
@ -237,6 +342,10 @@ class TERulesDifference(Difference):
|
||||
self._right_auditallows = []
|
||||
self._right_neverallows = []
|
||||
self._right_dontaudits = []
|
||||
self._right_allowxperms = []
|
||||
self._right_auditallowxperms = []
|
||||
self._right_neverallowxperms = []
|
||||
self._right_dontauditxperms = []
|
||||
self._right_type_transitions = []
|
||||
self._right_type_changes = []
|
||||
self._right_type_members = []
|
||||
@ -251,6 +360,14 @@ class TERulesDifference(Difference):
|
||||
self._right_neverallows.append(rule)
|
||||
elif rule.ruletype == "dontaudit":
|
||||
self._right_dontaudits.append(rule)
|
||||
elif rule.ruletype == "allowxperm":
|
||||
self._right_allowxperms.append(rule)
|
||||
elif rule.ruletype == "auditallowxperm":
|
||||
self._right_auditallowxperms.append(rule)
|
||||
elif rule.ruletype == "neverallowxperm":
|
||||
self._right_neverallowxperms.append(rule)
|
||||
elif rule.ruletype == "dontauditxperm":
|
||||
self._right_dontauditxperms.append(rule)
|
||||
elif rule.ruletype == "type_transition":
|
||||
self._right_type_transitions.append(rule)
|
||||
elif rule.ruletype == "type_change":
|
||||
@ -284,6 +401,29 @@ class TERulesDifference(Difference):
|
||||
|
||||
return added, removed, modified
|
||||
|
||||
def _diff_avx_rules(self, left_list, right_list):
|
||||
"""Common method for comparing extended permission access vector rules."""
|
||||
added, removed, matched = self._set_diff(left_list, right_list)
|
||||
|
||||
modified = []
|
||||
|
||||
for left_rule, right_rule in matched:
|
||||
# Criteria for modified rules
|
||||
# 1. change to permissions
|
||||
added_perms, removed_perms, matched_perms = self._set_diff(left_rule.perms,
|
||||
right_rule.perms)
|
||||
|
||||
# the final set comprehension is to avoid having lists
|
||||
# like [("perm1", "perm1"), ("perm2", "perm2")], as the
|
||||
# matched_perms return from _set_diff is a set of tuples
|
||||
if added_perms or removed_perms:
|
||||
modified.append(modified_avrule_record(left_rule,
|
||||
ioctlSet(added_perms),
|
||||
ioctlSet(removed_perms),
|
||||
ioctlSet(p[0] for p in matched_perms)))
|
||||
|
||||
return added, removed, modified
|
||||
|
||||
def _diff_te_rules(self, left_list, right_list):
|
||||
"""Common method for comparing type_* rules."""
|
||||
added, removed, matched = self._set_diff(left_list, right_list)
|
||||
@ -315,6 +455,18 @@ class TERulesDifference(Difference):
|
||||
self.added_dontaudits = None
|
||||
self.removed_dontaudits = None
|
||||
self.modified_dontaudits = None
|
||||
self.added_allowxperms = None
|
||||
self.removed_allowxperms = None
|
||||
self.modified_allowxperms = None
|
||||
self.added_auditallowxperms = None
|
||||
self.removed_auditallowxperms = None
|
||||
self.modified_auditallowxperms = None
|
||||
self.added_neverallowxperms = None
|
||||
self.removed_neverallowxperms = None
|
||||
self.modified_neverallowxperms = None
|
||||
self.added_dontauditxperms = None
|
||||
self.removed_dontauditxperms = None
|
||||
self.modified_dontauditxperms = None
|
||||
self.added_type_transitions = None
|
||||
self.removed_type_transitions = None
|
||||
self.modified_type_transitions = None
|
||||
@ -334,6 +486,14 @@ class TERulesDifference(Difference):
|
||||
self._right_neverallows = None
|
||||
self._left_dontaudits = None
|
||||
self._right_dontaudits = None
|
||||
self._left_allowxperms = None
|
||||
self._right_allowxperms = None
|
||||
self._left_auditallowxperms = None
|
||||
self._right_auditallowxperms = None
|
||||
self._left_neverallowxperms = None
|
||||
self._right_neverallowxperms = None
|
||||
self._left_dontauditxperms = None
|
||||
self._right_dontauditxperms = None
|
||||
self._left_type_transitions = None
|
||||
self._right_type_transitions = None
|
||||
self._left_type_changes = None
|
||||
@ -377,6 +537,34 @@ class AVRuleWrapper(Wrapper):
|
||||
self.conditional_block == other.conditional_block
|
||||
|
||||
|
||||
class AVRuleXpermWrapper(Wrapper):
|
||||
|
||||
"""Wrap extended permission access vector rules to allow set operations."""
|
||||
|
||||
def __init__(self, rule):
|
||||
self.origin = rule
|
||||
self.ruletype = rule.ruletype
|
||||
self.source = SymbolWrapper(rule.source)
|
||||
self.target = SymbolWrapper(rule.target)
|
||||
self.tclass = SymbolWrapper(rule.tclass)
|
||||
self.xperm_type = rule.xperm_type
|
||||
self.key = hash(rule)
|
||||
|
||||
def __hash__(self):
|
||||
return self.key
|
||||
|
||||
def __lt__(self, other):
|
||||
return self.key < other.key
|
||||
|
||||
def __eq__(self, other):
|
||||
# because TERuleDifference groups rules by ruletype,
|
||||
# the ruletype always matches.
|
||||
return self.source == other.source and \
|
||||
self.target == other.target and \
|
||||
self.tclass == other.tclass and \
|
||||
self.xperm_type == other.xperm_type
|
||||
|
||||
|
||||
class TERuleWrapper(Wrapper):
|
||||
|
||||
"""Wrap type_* rules to allow set operations."""
|
||||
|
||||
352
tests/diff.py
352
tests/diff.py
@ -1555,6 +1555,262 @@ class PolicyDifferenceTest(ValidateRule, unittest.TestCase):
|
||||
self.assertEqual("mod_parent_added", added_bound)
|
||||
self.assertEqual("mod_parent_removed", removed_bound)
|
||||
|
||||
#
|
||||
# Allowxperm rules
|
||||
#
|
||||
def test_added_allowxperm_rules(self):
|
||||
"""Diff: added allowxperm rules."""
|
||||
rules = sorted(self.diff.added_allowxperms)
|
||||
self.assertEqual(2, len(rules))
|
||||
|
||||
# added rule with new type
|
||||
self.validate_rule(rules[0], "allowxperm", "added_type", "added_type", "infoflow7",
|
||||
set([0x0009]), xperm="ioctl")
|
||||
|
||||
# added rule with existing types
|
||||
self.validate_rule(rules[1], "allowxperm", "ax_added_rule_source", "ax_added_rule_target",
|
||||
"infoflow", set([0x0002]), xperm="ioctl")
|
||||
|
||||
def test_removed_allowxperm_rules(self):
|
||||
"""Diff: removed allowxperm rules."""
|
||||
rules = sorted(self.diff.removed_allowxperms)
|
||||
self.assertEqual(2, len(rules))
|
||||
|
||||
# removed rule with existing types
|
||||
self.validate_rule(rules[0], "allowxperm", "ax_removed_rule_source",
|
||||
"ax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
|
||||
|
||||
# removed rule with new type
|
||||
self.validate_rule(rules[1], "allowxperm", "removed_type", "removed_type", "infoflow7",
|
||||
set([0x0009]), xperm="ioctl")
|
||||
|
||||
def test_modified_allowxperm_rules(self):
|
||||
"""Diff: modified allowxperm rules."""
|
||||
l = sorted(self.diff.modified_allowxperms, key=lambda x: x.rule)
|
||||
self.assertEqual(3, len(l))
|
||||
|
||||
# add permissions
|
||||
rule, added_perms, removed_perms, matched_perms = l[0]
|
||||
self.assertEqual("allowxperm", rule.ruletype)
|
||||
self.assertEqual("ax_modified_rule_add_perms", rule.source)
|
||||
self.assertEqual("ax_modified_rule_add_perms", rule.target)
|
||||
self.assertEqual("infoflow", rule.tclass)
|
||||
self.assertSetEqual(set([0x000f]), added_perms)
|
||||
self.assertFalse(removed_perms)
|
||||
self.assertSetEqual(set([0x0004]), matched_perms)
|
||||
|
||||
# add and remove permissions
|
||||
rule, added_perms, removed_perms, matched_perms = l[1]
|
||||
self.assertEqual("allowxperm", rule.ruletype)
|
||||
self.assertEqual("ax_modified_rule_add_remove_perms", rule.source)
|
||||
self.assertEqual("ax_modified_rule_add_remove_perms", rule.target)
|
||||
self.assertEqual("infoflow2", rule.tclass)
|
||||
self.assertSetEqual(set([0x0006]), added_perms)
|
||||
self.assertSetEqual(set([0x0007]), removed_perms)
|
||||
self.assertSetEqual(set([0x0008]), matched_perms)
|
||||
|
||||
# remove permissions
|
||||
rule, added_perms, removed_perms, matched_perms = l[2]
|
||||
self.assertEqual("allowxperm", rule.ruletype)
|
||||
self.assertEqual("ax_modified_rule_remove_perms", rule.source)
|
||||
self.assertEqual("ax_modified_rule_remove_perms", rule.target)
|
||||
self.assertEqual("infoflow", rule.tclass)
|
||||
self.assertFalse(added_perms)
|
||||
self.assertSetEqual(set([0x0006]), removed_perms)
|
||||
self.assertSetEqual(set([0x0005]), matched_perms)
|
||||
|
||||
#
|
||||
# Auditallowxperm rules
|
||||
#
|
||||
def test_added_auditallowxperm_rules(self):
|
||||
"""Diff: added auditallowxperm rules."""
|
||||
rules = sorted(self.diff.added_auditallowxperms)
|
||||
self.assertEqual(2, len(rules))
|
||||
|
||||
# added rule with existing types
|
||||
self.validate_rule(rules[0], "auditallowxperm", "aax_added_rule_source",
|
||||
"aax_added_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
|
||||
|
||||
# added rule with new type
|
||||
self.validate_rule(rules[1], "auditallowxperm", "added_type", "added_type", "infoflow7",
|
||||
set([0x0009]), xperm="ioctl")
|
||||
|
||||
def test_removed_auditallowxperm_rules(self):
|
||||
"""Diff: removed auditallowxperm rules."""
|
||||
rules = sorted(self.diff.removed_auditallowxperms)
|
||||
self.assertEqual(2, len(rules))
|
||||
|
||||
# removed rule with existing types
|
||||
self.validate_rule(rules[0], "auditallowxperm", "aax_removed_rule_source",
|
||||
"aax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
|
||||
|
||||
# removed rule with new type
|
||||
self.validate_rule(rules[1], "auditallowxperm", "removed_type", "removed_type", "infoflow7",
|
||||
set([0x0009]), xperm="ioctl")
|
||||
|
||||
def test_modified_auditallowxperm_rules(self):
|
||||
"""Diff: modified auditallowxperm rules."""
|
||||
l = sorted(self.diff.modified_auditallowxperms, key=lambda x: x.rule)
|
||||
self.assertEqual(3, len(l))
|
||||
|
||||
# add permissions
|
||||
rule, added_perms, removed_perms, matched_perms = l[0]
|
||||
self.assertEqual("auditallowxperm", rule.ruletype)
|
||||
self.assertEqual("aax_modified_rule_add_perms", rule.source)
|
||||
self.assertEqual("aax_modified_rule_add_perms", rule.target)
|
||||
self.assertEqual("infoflow", rule.tclass)
|
||||
self.assertSetEqual(set([0x000f]), added_perms)
|
||||
self.assertFalse(removed_perms)
|
||||
self.assertSetEqual(set([0x0004]), matched_perms)
|
||||
|
||||
# add and remove permissions
|
||||
rule, added_perms, removed_perms, matched_perms = l[1]
|
||||
self.assertEqual("auditallowxperm", rule.ruletype)
|
||||
self.assertEqual("aax_modified_rule_add_remove_perms", rule.source)
|
||||
self.assertEqual("aax_modified_rule_add_remove_perms", rule.target)
|
||||
self.assertEqual("infoflow2", rule.tclass)
|
||||
self.assertSetEqual(set([0x0006]), added_perms)
|
||||
self.assertSetEqual(set([0x0007]), removed_perms)
|
||||
self.assertSetEqual(set([0x0008]), matched_perms)
|
||||
|
||||
# remove permissions
|
||||
rule, added_perms, removed_perms, matched_perms = l[2]
|
||||
self.assertEqual("auditallowxperm", rule.ruletype)
|
||||
self.assertEqual("aax_modified_rule_remove_perms", rule.source)
|
||||
self.assertEqual("aax_modified_rule_remove_perms", rule.target)
|
||||
self.assertEqual("infoflow", rule.tclass)
|
||||
self.assertFalse(added_perms)
|
||||
self.assertSetEqual(set([0x0006]), removed_perms)
|
||||
self.assertSetEqual(set([0x0005]), matched_perms)
|
||||
|
||||
#
|
||||
# Neverallowxperm rules
|
||||
#
|
||||
def test_added_neverallowxperm_rules(self):
|
||||
"""Diff: added neverallowxperm rules."""
|
||||
rules = sorted(self.diff.added_neverallowxperms)
|
||||
self.assertEqual(2, len(rules))
|
||||
|
||||
# added rule with new type
|
||||
self.validate_rule(rules[0], "neverallowxperm", "added_type", "added_type", "infoflow7",
|
||||
set([0x0009]), xperm="ioctl")
|
||||
|
||||
# added rule with existing types
|
||||
self.validate_rule(rules[1], "neverallowxperm", "nax_added_rule_source",
|
||||
"nax_added_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
|
||||
|
||||
def test_removed_neverallowxperm_rules(self):
|
||||
"""Diff: removed neverallowxperm rules."""
|
||||
rules = sorted(self.diff.removed_neverallowxperms)
|
||||
self.assertEqual(2, len(rules))
|
||||
|
||||
# removed rule with existing types
|
||||
self.validate_rule(rules[0], "neverallowxperm", "nax_removed_rule_source",
|
||||
"nax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
|
||||
|
||||
# removed rule with new type
|
||||
self.validate_rule(rules[1], "neverallowxperm", "removed_type", "removed_type", "infoflow7",
|
||||
set([0x0009]), xperm="ioctl")
|
||||
|
||||
def test_modified_neverallowxperm_rules(self):
|
||||
"""Diff: modified neverallowxperm rules."""
|
||||
l = sorted(self.diff.modified_neverallowxperms, key=lambda x: x.rule)
|
||||
self.assertEqual(3, len(l))
|
||||
|
||||
# add permissions
|
||||
rule, added_perms, removed_perms, matched_perms = l[0]
|
||||
self.assertEqual("neverallowxperm", rule.ruletype)
|
||||
self.assertEqual("nax_modified_rule_add_perms", rule.source)
|
||||
self.assertEqual("nax_modified_rule_add_perms", rule.target)
|
||||
self.assertEqual("infoflow", rule.tclass)
|
||||
self.assertSetEqual(set([0x000f]), added_perms)
|
||||
self.assertFalse(removed_perms)
|
||||
self.assertSetEqual(set([0x0004]), matched_perms)
|
||||
|
||||
# add and remove permissions
|
||||
rule, added_perms, removed_perms, matched_perms = l[1]
|
||||
self.assertEqual("neverallowxperm", rule.ruletype)
|
||||
self.assertEqual("nax_modified_rule_add_remove_perms", rule.source)
|
||||
self.assertEqual("nax_modified_rule_add_remove_perms", rule.target)
|
||||
self.assertEqual("infoflow2", rule.tclass)
|
||||
self.assertSetEqual(set([0x0006]), added_perms)
|
||||
self.assertSetEqual(set([0x0007]), removed_perms)
|
||||
self.assertSetEqual(set([0x0008]), matched_perms)
|
||||
|
||||
# remove permissions
|
||||
rule, added_perms, removed_perms, matched_perms = l[2]
|
||||
self.assertEqual("neverallowxperm", rule.ruletype)
|
||||
self.assertEqual("nax_modified_rule_remove_perms", rule.source)
|
||||
self.assertEqual("nax_modified_rule_remove_perms", rule.target)
|
||||
self.assertEqual("infoflow", rule.tclass)
|
||||
self.assertFalse(added_perms)
|
||||
self.assertSetEqual(set([0x0006]), removed_perms)
|
||||
self.assertSetEqual(set([0x0005]), matched_perms)
|
||||
|
||||
#
|
||||
# Dontauditxperm rules
|
||||
#
|
||||
def test_added_dontauditxperm_rules(self):
|
||||
"""Diff: added dontauditxperm rules."""
|
||||
rules = sorted(self.diff.added_dontauditxperms)
|
||||
self.assertEqual(2, len(rules))
|
||||
|
||||
# added rule with new type
|
||||
self.validate_rule(rules[0], "dontauditxperm", "added_type", "added_type", "infoflow7",
|
||||
set([0x0009]), xperm="ioctl")
|
||||
|
||||
# added rule with existing types
|
||||
self.validate_rule(rules[1], "dontauditxperm", "dax_added_rule_source",
|
||||
"dax_added_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
|
||||
|
||||
def test_removed_dontauditxperm_rules(self):
|
||||
"""Diff: removed dontauditxperm rules."""
|
||||
rules = sorted(self.diff.removed_dontauditxperms)
|
||||
self.assertEqual(2, len(rules))
|
||||
|
||||
# removed rule with existing types
|
||||
self.validate_rule(rules[0], "dontauditxperm", "dax_removed_rule_source",
|
||||
"dax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
|
||||
|
||||
# removed rule with new type
|
||||
self.validate_rule(rules[1], "dontauditxperm", "removed_type", "removed_type", "infoflow7",
|
||||
set([0x0009]), xperm="ioctl")
|
||||
|
||||
def test_modified_dontauditxperm_rules(self):
|
||||
"""Diff: modified dontauditxperm rules."""
|
||||
l = sorted(self.diff.modified_dontauditxperms, key=lambda x: x.rule)
|
||||
self.assertEqual(3, len(l))
|
||||
|
||||
# add permissions
|
||||
rule, added_perms, removed_perms, matched_perms = l[0]
|
||||
self.assertEqual("dontauditxperm", rule.ruletype)
|
||||
self.assertEqual("dax_modified_rule_add_perms", rule.source)
|
||||
self.assertEqual("dax_modified_rule_add_perms", rule.target)
|
||||
self.assertEqual("infoflow", rule.tclass)
|
||||
self.assertSetEqual(set([0x000f]), added_perms)
|
||||
self.assertFalse(removed_perms)
|
||||
self.assertSetEqual(set([0x0004]), matched_perms)
|
||||
|
||||
# add and remove permissions
|
||||
rule, added_perms, removed_perms, matched_perms = l[1]
|
||||
self.assertEqual("dontauditxperm", rule.ruletype)
|
||||
self.assertEqual("dax_modified_rule_add_remove_perms", rule.source)
|
||||
self.assertEqual("dax_modified_rule_add_remove_perms", rule.target)
|
||||
self.assertEqual("infoflow2", rule.tclass)
|
||||
self.assertSetEqual(set([0x0006]), added_perms)
|
||||
self.assertSetEqual(set([0x0007]), removed_perms)
|
||||
self.assertSetEqual(set([0x0008]), matched_perms)
|
||||
|
||||
# remove permissions
|
||||
rule, added_perms, removed_perms, matched_perms = l[2]
|
||||
self.assertEqual("dontauditxperm", rule.ruletype)
|
||||
self.assertEqual("dax_modified_rule_remove_perms", rule.source)
|
||||
self.assertEqual("dax_modified_rule_remove_perms", rule.target)
|
||||
self.assertEqual("infoflow", rule.tclass)
|
||||
self.assertFalse(added_perms)
|
||||
self.assertSetEqual(set([0x0006]), removed_perms)
|
||||
self.assertSetEqual(set([0x0005]), matched_perms)
|
||||
|
||||
|
||||
class PolicyDifferenceTestNoDiff(unittest.TestCase):
|
||||
|
||||
@ -1945,6 +2201,54 @@ class PolicyDifferenceTestNoDiff(unittest.TestCase):
|
||||
"""NoDiff: no modified typebounds."""
|
||||
self.assertFalse(self.diff.modified_typebounds)
|
||||
|
||||
def test_added_allowxperms(self):
|
||||
"""NoDiff: no added allowxperm rules."""
|
||||
self.assertFalse(self.diff.added_allowxperms)
|
||||
|
||||
def test_removed_allowxperms(self):
|
||||
"""NoDiff: no removed allowxperm rules."""
|
||||
self.assertFalse(self.diff.removed_allowxperms)
|
||||
|
||||
def test_modified_allowxperms(self):
|
||||
"""NoDiff: no modified allowxperm rules."""
|
||||
self.assertFalse(self.diff.modified_allowxperms)
|
||||
|
||||
def test_added_auditallowxperms(self):
|
||||
"""NoDiff: no added auditallowxperm rules."""
|
||||
self.assertFalse(self.diff.added_auditallowxperms)
|
||||
|
||||
def test_removed_auditallowxperms(self):
|
||||
"""NoDiff: no removed auditallowxperm rules."""
|
||||
self.assertFalse(self.diff.removed_auditallowxperms)
|
||||
|
||||
def test_modified_auditallowxperms(self):
|
||||
"""NoDiff: no modified auditallowxperm rules."""
|
||||
self.assertFalse(self.diff.modified_auditallowxperms)
|
||||
|
||||
def test_added_neverallowxperms(self):
|
||||
"""NoDiff: no added neverallowxperm rules."""
|
||||
self.assertFalse(self.diff.added_neverallowxperms)
|
||||
|
||||
def test_removed_neverallowxperms(self):
|
||||
"""NoDiff: no removed neverallowxperm rules."""
|
||||
self.assertFalse(self.diff.removed_neverallowxperms)
|
||||
|
||||
def test_modified_neverallowxperms(self):
|
||||
"""NoDiff: no modified neverallowxperm rules."""
|
||||
self.assertFalse(self.diff.modified_neverallowxperms)
|
||||
|
||||
def test_added_dontauditxperms(self):
|
||||
"""NoDiff: no added dontauditxperm rules."""
|
||||
self.assertFalse(self.diff.added_dontauditxperms)
|
||||
|
||||
def test_removed_dontauditxperms(self):
|
||||
"""NoDiff: no removed dontauditxperm rules."""
|
||||
self.assertFalse(self.diff.removed_dontauditxperms)
|
||||
|
||||
def test_modified_dontauditxperms(self):
|
||||
"""NoDiff: no modified dontauditxperm rules."""
|
||||
self.assertFalse(self.diff.modified_dontauditxperms)
|
||||
|
||||
|
||||
class PolicyDifferenceTestMLStoStandard(unittest.TestCase):
|
||||
|
||||
@ -2352,3 +2656,51 @@ class PolicyDifferenceTestMLStoStandard(unittest.TestCase):
|
||||
def test_modified_typebounds(self):
|
||||
"""MLSvsStandardDiff: no modified typebounds."""
|
||||
self.assertFalse(self.diff.modified_typebounds)
|
||||
|
||||
def test_added_allowxperms(self):
|
||||
"""NoDiff: no added allowxperm rules."""
|
||||
self.assertFalse(self.diff.added_allowxperms)
|
||||
|
||||
def test_removed_allowxperms(self):
|
||||
"""NoDiff: no removed allowxperm rules."""
|
||||
self.assertFalse(self.diff.removed_allowxperms)
|
||||
|
||||
def test_modified_allowxperms(self):
|
||||
"""NoDiff: no modified allowxperm rules."""
|
||||
self.assertFalse(self.diff.modified_allowxperms)
|
||||
|
||||
def test_added_auditallowxperms(self):
|
||||
"""NoDiff: no added auditallowxperm rules."""
|
||||
self.assertFalse(self.diff.added_auditallowxperms)
|
||||
|
||||
def test_removed_auditallowxperms(self):
|
||||
"""NoDiff: no removed auditallowxperm rules."""
|
||||
self.assertFalse(self.diff.removed_auditallowxperms)
|
||||
|
||||
def test_modified_auditallowxperms(self):
|
||||
"""NoDiff: no modified auditallowxperm rules."""
|
||||
self.assertFalse(self.diff.modified_auditallowxperms)
|
||||
|
||||
def test_added_neverallowxperms(self):
|
||||
"""NoDiff: no added neverallowxperm rules."""
|
||||
self.assertFalse(self.diff.added_neverallowxperms)
|
||||
|
||||
def test_removed_neverallowxperms(self):
|
||||
"""NoDiff: no removed neverallowxperm rules."""
|
||||
self.assertFalse(self.diff.removed_neverallowxperms)
|
||||
|
||||
def test_modified_neverallowxperms(self):
|
||||
"""NoDiff: no modified neverallowxperm rules."""
|
||||
self.assertFalse(self.diff.modified_neverallowxperms)
|
||||
|
||||
def test_added_dontauditxperms(self):
|
||||
"""NoDiff: no added dontauditxperm rules."""
|
||||
self.assertFalse(self.diff.added_dontauditxperms)
|
||||
|
||||
def test_removed_dontauditxperms(self):
|
||||
"""NoDiff: no removed dontauditxperm rules."""
|
||||
self.assertFalse(self.diff.removed_dontauditxperms)
|
||||
|
||||
def test_modified_dontauditxperms(self):
|
||||
"""NoDiff: no modified dontauditxperm rules."""
|
||||
self.assertFalse(self.diff.modified_dontauditxperms)
|
||||
|
||||
@ -24,6 +24,7 @@ common infoflow
|
||||
low_r
|
||||
med_r
|
||||
hi_r
|
||||
ioctl
|
||||
}
|
||||
|
||||
common removed_common
|
||||
@ -634,6 +635,146 @@ role role_tr_old_role;
|
||||
role role_tr_new_role;
|
||||
role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_old_role;
|
||||
|
||||
# Allowxperm rule differences
|
||||
type ax_matched_source;
|
||||
type ax_matched_target;
|
||||
allowxperm ax_matched_source ax_matched_target:infoflow ioctl 0x0001;
|
||||
|
||||
type ax_removed_rule_source;
|
||||
type ax_removed_rule_target;
|
||||
allowxperm ax_removed_rule_source ax_removed_rule_target:infoflow ioctl 0x0002;
|
||||
|
||||
type ax_added_rule_source;
|
||||
type ax_added_rule_target;
|
||||
|
||||
type ax_modified_rule_add_perms;
|
||||
allowxperm ax_modified_rule_add_perms self:infoflow ioctl 0x0004;
|
||||
|
||||
type ax_modified_rule_remove_perms;
|
||||
allowxperm ax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
|
||||
|
||||
type ax_modified_rule_add_remove_perms;
|
||||
allowxperm ax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
|
||||
|
||||
allowxperm removed_type self:infoflow7 ioctl 0x0009;
|
||||
|
||||
attribute ax_match_rule_by_attr;
|
||||
type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr;
|
||||
type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
|
||||
allowxperm ax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute ax_unioned_perm_via_attr;
|
||||
type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr;
|
||||
type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr;
|
||||
allowxperm ax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
|
||||
# Auditallowxperm rule differences
|
||||
type aax_matched_source;
|
||||
type aax_matched_target;
|
||||
auditallowxperm aax_matched_source aax_matched_target:infoflow ioctl 0x0001;
|
||||
|
||||
type aax_removed_rule_source;
|
||||
type aax_removed_rule_target;
|
||||
auditallowxperm aax_removed_rule_source aax_removed_rule_target:infoflow ioctl 0x0002;
|
||||
|
||||
type aax_added_rule_source;
|
||||
type aax_added_rule_target;
|
||||
|
||||
type aax_modified_rule_add_perms;
|
||||
auditallowxperm aax_modified_rule_add_perms self:infoflow ioctl 0x0004;
|
||||
|
||||
type aax_modified_rule_remove_perms;
|
||||
auditallowxperm aax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
|
||||
|
||||
type aax_modified_rule_add_remove_perms;
|
||||
auditallowxperm aax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
|
||||
|
||||
auditallowxperm removed_type self:infoflow7 ioctl 0x0009;
|
||||
|
||||
attribute aax_match_rule_by_attr;
|
||||
type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr;
|
||||
type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
|
||||
auditallowxperm aax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute aax_unioned_perm_via_attr;
|
||||
type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr;
|
||||
type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr;
|
||||
auditallowxperm aax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
|
||||
# Neverallowxperm rule differences
|
||||
type nax_matched_source;
|
||||
type nax_matched_target;
|
||||
neverallowxperm nax_matched_source nax_matched_target:infoflow ioctl 0x0001;
|
||||
|
||||
type nax_removed_rule_source;
|
||||
type nax_removed_rule_target;
|
||||
neverallowxperm nax_removed_rule_source nax_removed_rule_target:infoflow ioctl 0x0002;
|
||||
|
||||
type nax_added_rule_source;
|
||||
type nax_added_rule_target;
|
||||
|
||||
type nax_modified_rule_add_perms;
|
||||
neverallowxperm nax_modified_rule_add_perms self:infoflow ioctl 0x0004;
|
||||
|
||||
type nax_modified_rule_remove_perms;
|
||||
neverallowxperm nax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
|
||||
|
||||
type nax_modified_rule_add_remove_perms;
|
||||
neverallowxperm nax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
|
||||
|
||||
neverallowxperm removed_type self:infoflow7 ioctl 0x0009;
|
||||
|
||||
attribute nax_match_rule_by_attr;
|
||||
type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr;
|
||||
type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
|
||||
neverallowxperm nax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute nax_unioned_perm_via_attr;
|
||||
type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr;
|
||||
type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr;
|
||||
neverallowxperm nax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
|
||||
# Dontauditxperm rule differences
|
||||
type dax_matched_source;
|
||||
type dax_matched_target;
|
||||
dontauditxperm dax_matched_source dax_matched_target:infoflow ioctl 0x0001;
|
||||
|
||||
type dax_removed_rule_source;
|
||||
type dax_removed_rule_target;
|
||||
dontauditxperm dax_removed_rule_source dax_removed_rule_target:infoflow ioctl 0x0002;
|
||||
|
||||
type dax_added_rule_source;
|
||||
type dax_added_rule_target;
|
||||
|
||||
type dax_modified_rule_add_perms;
|
||||
dontauditxperm dax_modified_rule_add_perms self:infoflow ioctl 0x0004;
|
||||
|
||||
type dax_modified_rule_remove_perms;
|
||||
dontauditxperm dax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
|
||||
|
||||
type dax_modified_rule_add_remove_perms;
|
||||
dontauditxperm dax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
|
||||
|
||||
dontauditxperm removed_type self:infoflow7 ioctl 0x0009;
|
||||
|
||||
attribute dax_match_rule_by_attr;
|
||||
type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr;
|
||||
type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
|
||||
dontauditxperm dax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute dax_unioned_perm_via_attr;
|
||||
type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr;
|
||||
type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr;
|
||||
dontauditxperm dax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
|
||||
################################################################################
|
||||
# matching typebounds
|
||||
type match_parent;
|
||||
|
||||
@ -24,6 +24,7 @@ common infoflow
|
||||
low_r
|
||||
med_r
|
||||
hi_r
|
||||
ioctl
|
||||
}
|
||||
|
||||
common removed_common
|
||||
@ -556,6 +557,146 @@ role role_tr_old_role;
|
||||
role role_tr_new_role;
|
||||
role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_old_role;
|
||||
|
||||
# Allowxperm rule differences
|
||||
type ax_matched_source;
|
||||
type ax_matched_target;
|
||||
allowxperm ax_matched_source ax_matched_target:infoflow ioctl 0x0001;
|
||||
|
||||
type ax_removed_rule_source;
|
||||
type ax_removed_rule_target;
|
||||
allowxperm ax_removed_rule_source ax_removed_rule_target:infoflow ioctl 0x0002;
|
||||
|
||||
type ax_added_rule_source;
|
||||
type ax_added_rule_target;
|
||||
|
||||
type ax_modified_rule_add_perms;
|
||||
allowxperm ax_modified_rule_add_perms self:infoflow ioctl 0x0004;
|
||||
|
||||
type ax_modified_rule_remove_perms;
|
||||
allowxperm ax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
|
||||
|
||||
type ax_modified_rule_add_remove_perms;
|
||||
allowxperm ax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
|
||||
|
||||
allowxperm removed_type self:infoflow7 ioctl 0x0009;
|
||||
|
||||
attribute ax_match_rule_by_attr;
|
||||
type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr;
|
||||
type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
|
||||
allowxperm ax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute ax_unioned_perm_via_attr;
|
||||
type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr;
|
||||
type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr;
|
||||
allowxperm ax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
|
||||
# Auditallowxperm rule differences
|
||||
type aax_matched_source;
|
||||
type aax_matched_target;
|
||||
auditallowxperm aax_matched_source aax_matched_target:infoflow ioctl 0x0001;
|
||||
|
||||
type aax_removed_rule_source;
|
||||
type aax_removed_rule_target;
|
||||
auditallowxperm aax_removed_rule_source aax_removed_rule_target:infoflow ioctl 0x0002;
|
||||
|
||||
type aax_added_rule_source;
|
||||
type aax_added_rule_target;
|
||||
|
||||
type aax_modified_rule_add_perms;
|
||||
auditallowxperm aax_modified_rule_add_perms self:infoflow ioctl 0x0004;
|
||||
|
||||
type aax_modified_rule_remove_perms;
|
||||
auditallowxperm aax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
|
||||
|
||||
type aax_modified_rule_add_remove_perms;
|
||||
auditallowxperm aax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
|
||||
|
||||
auditallowxperm removed_type self:infoflow7 ioctl 0x0009;
|
||||
|
||||
attribute aax_match_rule_by_attr;
|
||||
type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr;
|
||||
type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
|
||||
auditallowxperm aax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute aax_unioned_perm_via_attr;
|
||||
type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr;
|
||||
type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr;
|
||||
auditallowxperm aax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
|
||||
# Neverallowxperm rule differences
|
||||
type nax_matched_source;
|
||||
type nax_matched_target;
|
||||
neverallowxperm nax_matched_source nax_matched_target:infoflow ioctl 0x0001;
|
||||
|
||||
type nax_removed_rule_source;
|
||||
type nax_removed_rule_target;
|
||||
neverallowxperm nax_removed_rule_source nax_removed_rule_target:infoflow ioctl 0x0002;
|
||||
|
||||
type nax_added_rule_source;
|
||||
type nax_added_rule_target;
|
||||
|
||||
type nax_modified_rule_add_perms;
|
||||
neverallowxperm nax_modified_rule_add_perms self:infoflow ioctl 0x0004;
|
||||
|
||||
type nax_modified_rule_remove_perms;
|
||||
neverallowxperm nax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
|
||||
|
||||
type nax_modified_rule_add_remove_perms;
|
||||
neverallowxperm nax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
|
||||
|
||||
neverallowxperm removed_type self:infoflow7 ioctl 0x0009;
|
||||
|
||||
attribute nax_match_rule_by_attr;
|
||||
type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr;
|
||||
type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
|
||||
neverallowxperm nax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute nax_unioned_perm_via_attr;
|
||||
type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr;
|
||||
type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr;
|
||||
neverallowxperm nax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
|
||||
# Dontauditxperm rule differences
|
||||
type dax_matched_source;
|
||||
type dax_matched_target;
|
||||
dontauditxperm dax_matched_source dax_matched_target:infoflow ioctl 0x0001;
|
||||
|
||||
type dax_removed_rule_source;
|
||||
type dax_removed_rule_target;
|
||||
dontauditxperm dax_removed_rule_source dax_removed_rule_target:infoflow ioctl 0x0002;
|
||||
|
||||
type dax_added_rule_source;
|
||||
type dax_added_rule_target;
|
||||
|
||||
type dax_modified_rule_add_perms;
|
||||
dontauditxperm dax_modified_rule_add_perms self:infoflow ioctl 0x0004;
|
||||
|
||||
type dax_modified_rule_remove_perms;
|
||||
dontauditxperm dax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
|
||||
|
||||
type dax_modified_rule_add_remove_perms;
|
||||
dontauditxperm dax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
|
||||
|
||||
dontauditxperm removed_type self:infoflow7 ioctl 0x0009;
|
||||
|
||||
attribute dax_match_rule_by_attr;
|
||||
type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr;
|
||||
type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
|
||||
dontauditxperm dax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute dax_unioned_perm_via_attr;
|
||||
type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr;
|
||||
type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr;
|
||||
dontauditxperm dax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
|
||||
################################################################################
|
||||
# matching typebounds
|
||||
type match_parent;
|
||||
|
||||
@ -24,6 +24,7 @@ common infoflow
|
||||
low_r
|
||||
med_r
|
||||
hi_r
|
||||
ioctl
|
||||
}
|
||||
|
||||
common added_common
|
||||
@ -634,6 +635,146 @@ role role_tr_old_role;
|
||||
role role_tr_new_role;
|
||||
role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_new_role;
|
||||
|
||||
# Allowxperm rule differences
|
||||
type ax_matched_source;
|
||||
type ax_matched_target;
|
||||
allowxperm ax_matched_source ax_matched_target:infoflow ioctl 0x0001;
|
||||
|
||||
type ax_removed_rule_source;
|
||||
type ax_removed_rule_target;
|
||||
|
||||
type ax_added_rule_source;
|
||||
type ax_added_rule_target;
|
||||
allowxperm ax_added_rule_source ax_added_rule_target:infoflow ioctl 0x0002;
|
||||
|
||||
type ax_modified_rule_add_perms;
|
||||
allowxperm ax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };
|
||||
|
||||
type ax_modified_rule_remove_perms;
|
||||
allowxperm ax_modified_rule_remove_perms self:infoflow ioctl 0x0005;
|
||||
|
||||
type ax_modified_rule_add_remove_perms;
|
||||
allowxperm ax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };
|
||||
|
||||
allowxperm added_type self:infoflow7 ioctl 0x0009;
|
||||
|
||||
attribute ax_match_rule_by_attr;
|
||||
type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr;
|
||||
type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
|
||||
allowxperm ax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
|
||||
allowxperm ax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute ax_unioned_perm_via_attr;
|
||||
type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr;
|
||||
type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr;
|
||||
allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
|
||||
allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
|
||||
|
||||
# Auditallowxperm rule differences
|
||||
type aax_matched_source;
|
||||
type aax_matched_target;
|
||||
auditallowxperm aax_matched_source aax_matched_target:infoflow ioctl 0x0001;
|
||||
|
||||
type aax_removed_rule_source;
|
||||
type aax_removed_rule_target;
|
||||
|
||||
type aax_added_rule_source;
|
||||
type aax_added_rule_target;
|
||||
auditallowxperm aax_added_rule_source aax_added_rule_target:infoflow ioctl 0x0002;
|
||||
|
||||
type aax_modified_rule_add_perms;
|
||||
auditallowxperm aax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };
|
||||
|
||||
type aax_modified_rule_remove_perms;
|
||||
auditallowxperm aax_modified_rule_remove_perms self:infoflow ioctl 0x0005;
|
||||
|
||||
type aax_modified_rule_add_remove_perms;
|
||||
auditallowxperm aax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };
|
||||
|
||||
auditallowxperm added_type self:infoflow7 ioctl 0x0009;
|
||||
|
||||
attribute aax_match_rule_by_attr;
|
||||
type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr;
|
||||
type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
|
||||
auditallowxperm aax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
|
||||
auditallowxperm aax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute aax_unioned_perm_via_attr;
|
||||
type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr;
|
||||
type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr;
|
||||
auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
|
||||
auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
|
||||
|
||||
# Neverallowxperm rule differences
|
||||
type nax_matched_source;
|
||||
type nax_matched_target;
|
||||
neverallowxperm nax_matched_source nax_matched_target:infoflow ioctl 0x0001;
|
||||
|
||||
type nax_removed_rule_source;
|
||||
type nax_removed_rule_target;
|
||||
|
||||
type nax_added_rule_source;
|
||||
type nax_added_rule_target;
|
||||
neverallowxperm nax_added_rule_source nax_added_rule_target:infoflow ioctl 0x0002;
|
||||
|
||||
type nax_modified_rule_add_perms;
|
||||
neverallowxperm nax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };
|
||||
|
||||
type nax_modified_rule_remove_perms;
|
||||
neverallowxperm nax_modified_rule_remove_perms self:infoflow ioctl 0x0005;
|
||||
|
||||
type nax_modified_rule_add_remove_perms;
|
||||
neverallowxperm nax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };
|
||||
|
||||
neverallowxperm added_type self:infoflow7 ioctl 0x0009;
|
||||
|
||||
attribute nax_match_rule_by_attr;
|
||||
type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr;
|
||||
type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
|
||||
neverallowxperm nax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
|
||||
neverallowxperm nax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute nax_unioned_perm_via_attr;
|
||||
type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr;
|
||||
type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr;
|
||||
neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
|
||||
neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
|
||||
|
||||
# Dontauditxperm rule differences
|
||||
type dax_matched_source;
|
||||
type dax_matched_target;
|
||||
dontauditxperm dax_matched_source dax_matched_target:infoflow ioctl 0x0001;
|
||||
|
||||
type dax_removed_rule_source;
|
||||
type dax_removed_rule_target;
|
||||
|
||||
type dax_added_rule_source;
|
||||
type dax_added_rule_target;
|
||||
dontauditxperm dax_added_rule_source dax_added_rule_target:infoflow ioctl 0x0002;
|
||||
|
||||
type dax_modified_rule_add_perms;
|
||||
dontauditxperm dax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };
|
||||
|
||||
type dax_modified_rule_remove_perms;
|
||||
dontauditxperm dax_modified_rule_remove_perms self:infoflow ioctl 0x0005;
|
||||
|
||||
type dax_modified_rule_add_remove_perms;
|
||||
dontauditxperm dax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };
|
||||
|
||||
dontauditxperm added_type self:infoflow7 ioctl 0x0009;
|
||||
|
||||
attribute dax_match_rule_by_attr;
|
||||
type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr;
|
||||
type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
|
||||
dontauditxperm dax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
|
||||
dontauditxperm dax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute dax_unioned_perm_via_attr;
|
||||
type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr;
|
||||
type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr;
|
||||
dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
|
||||
dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
|
||||
|
||||
################################################################################
|
||||
# matching typebounds
|
||||
type match_parent;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user