diff --git a/setools/diff/terules.py b/setools/diff/terules.py index 179e5ec..8827d58 100644 --- a/setools/diff/terules.py +++ b/setools/diff/terules.py @@ -18,6 +18,7 @@ # from collections import namedtuple +from ..policyrep import ioctlSet from ..policyrep.exception import RuleNotConditional, RuleUseError, TERuleNoFilename from .conditional import ConditionalExprWrapper @@ -56,6 +57,22 @@ class TERulesDifference(Difference): removed_dontaudits = DiffResultDescriptor("diff_dontaudits") modified_dontaudits = DiffResultDescriptor("diff_dontaudits") + added_allowxperms = DiffResultDescriptor("diff_allowxperms") + removed_allowxperms = DiffResultDescriptor("diff_allowxperms") + modified_allowxperms = DiffResultDescriptor("diff_allowxperms") + + added_auditallowxperms = DiffResultDescriptor("diff_auditallowxperms") + removed_auditallowxperms = DiffResultDescriptor("diff_auditallowxperms") + modified_auditallowxperms = DiffResultDescriptor("diff_auditallowxperms") + + added_neverallowxperms = DiffResultDescriptor("diff_neverallowxperms") + removed_neverallowxperms = DiffResultDescriptor("diff_neverallowxperms") + modified_neverallowxperms = DiffResultDescriptor("diff_neverallowxperms") + + added_dontauditxperms = DiffResultDescriptor("diff_dontauditxperms") + removed_dontauditxperms = DiffResultDescriptor("diff_dontauditxperms") + modified_dontauditxperms = DiffResultDescriptor("diff_dontauditxperms") + added_type_transitions = DiffResultDescriptor("diff_type_transitions") removed_type_transitions = DiffResultDescriptor("diff_type_transitions") modified_type_transitions = DiffResultDescriptor("diff_type_transitions") @@ -81,6 +98,18 @@ class TERulesDifference(Difference): _left_dontaudits = None _right_dontaudits = None + _left_allowxperms = None + _right_allowxperms = None + + _left_auditallowxperms = None + _right_auditallowxperms = None + + _left_neverallowxperms = None + _right_neverallowxperms = None + + _left_dontauditxperms = None + _right_dontauditxperms = None + _left_type_transitions = None _right_type_transitions = None @@ -151,6 +180,70 @@ class TERulesDifference(Difference): self._expand_generator(self._left_dontaudits, AVRuleWrapper), self._expand_generator(self._right_dontaudits, AVRuleWrapper)) + def diff_allowxperms(self): + """Generate the difference in allowxperm rules between the policies.""" + + self.log.info( + "Generating allowxperm differences from {0.left_policy} to {0.right_policy}". + format(self)) + + if self._left_allowxperms is None or self._right_allowxperms is None: + self._create_te_rule_lists() + + self.added_allowxperms, \ + self.removed_allowxperms, \ + self.modified_allowxperms = self._diff_avx_rules( + self._expand_generator(self._left_allowxperms, AVRuleXpermWrapper), + self._expand_generator(self._right_allowxperms, AVRuleXpermWrapper)) + + def diff_auditallowxperms(self): + """Generate the difference in auditallowxperm rules between the policies.""" + + self.log.info( + "Generating auditallowxperm differences from {0.left_policy} to {0.right_policy}". + format(self)) + + if self._left_auditallowxperms is None or self._right_auditallowxperms is None: + self._create_te_rule_lists() + + self.added_auditallowxperms, \ + self.removed_auditallowxperms, \ + self.modified_auditallowxperms = self._diff_avx_rules( + self._expand_generator(self._left_auditallowxperms, AVRuleXpermWrapper), + self._expand_generator(self._right_auditallowxperms, AVRuleXpermWrapper)) + + def diff_neverallowxperms(self): + """Generate the difference in neverallowxperm rules between the policies.""" + + self.log.info( + "Generating neverallowxperm differences from {0.left_policy} to {0.right_policy}". + format(self)) + + if self._left_neverallowxperms is None or self._right_neverallowxperms is None: + self._create_te_rule_lists() + + self.added_neverallowxperms, \ + self.removed_neverallowxperms, \ + self.modified_neverallowxperms = self._diff_avx_rules( + self._expand_generator(self._left_neverallowxperms, AVRuleXpermWrapper), + self._expand_generator(self._right_neverallowxperms, AVRuleXpermWrapper)) + + def diff_dontauditxperms(self): + """Generate the difference in dontauditxperm rules between the policies.""" + + self.log.info( + "Generating dontauditxperm differences from {0.left_policy} to {0.right_policy}". + format(self)) + + if self._left_dontauditxperms is None or self._right_dontauditxperms is None: + self._create_te_rule_lists() + + self.added_dontauditxperms, \ + self.removed_dontauditxperms, \ + self.modified_dontauditxperms = self._diff_avx_rules( + self._expand_generator(self._left_dontauditxperms, AVRuleXpermWrapper), + self._expand_generator(self._right_dontauditxperms, AVRuleXpermWrapper)) + def diff_type_transitions(self): """Generate the difference in type_transition rules between the policies.""" @@ -209,6 +302,10 @@ class TERulesDifference(Difference): self._left_auditallows = [] self._left_neverallows = [] self._left_dontaudits = [] + self._left_allowxperms = [] + self._left_auditallowxperms = [] + self._left_neverallowxperms = [] + self._left_dontauditxperms = [] self._left_type_transitions = [] self._left_type_changes = [] self._left_type_members = [] @@ -223,6 +320,14 @@ class TERulesDifference(Difference): self._left_neverallows.append(rule) elif rule.ruletype == "dontaudit": self._left_dontaudits.append(rule) + elif rule.ruletype == "allowxperm": + self._left_allowxperms.append(rule) + elif rule.ruletype == "auditallowxperm": + self._left_auditallowxperms.append(rule) + elif rule.ruletype == "neverallowxperm": + self._left_neverallowxperms.append(rule) + elif rule.ruletype == "dontauditxperm": + self._left_dontauditxperms.append(rule) elif rule.ruletype == "type_transition": self._left_type_transitions.append(rule) elif rule.ruletype == "type_change": @@ -237,6 +342,10 @@ class TERulesDifference(Difference): self._right_auditallows = [] self._right_neverallows = [] self._right_dontaudits = [] + self._right_allowxperms = [] + self._right_auditallowxperms = [] + self._right_neverallowxperms = [] + self._right_dontauditxperms = [] self._right_type_transitions = [] self._right_type_changes = [] self._right_type_members = [] @@ -251,6 +360,14 @@ class TERulesDifference(Difference): self._right_neverallows.append(rule) elif rule.ruletype == "dontaudit": self._right_dontaudits.append(rule) + elif rule.ruletype == "allowxperm": + self._right_allowxperms.append(rule) + elif rule.ruletype == "auditallowxperm": + self._right_auditallowxperms.append(rule) + elif rule.ruletype == "neverallowxperm": + self._right_neverallowxperms.append(rule) + elif rule.ruletype == "dontauditxperm": + self._right_dontauditxperms.append(rule) elif rule.ruletype == "type_transition": self._right_type_transitions.append(rule) elif rule.ruletype == "type_change": @@ -284,6 +401,29 @@ class TERulesDifference(Difference): return added, removed, modified + def _diff_avx_rules(self, left_list, right_list): + """Common method for comparing extended permission access vector rules.""" + added, removed, matched = self._set_diff(left_list, right_list) + + modified = [] + + for left_rule, right_rule in matched: + # Criteria for modified rules + # 1. change to permissions + added_perms, removed_perms, matched_perms = self._set_diff(left_rule.perms, + right_rule.perms) + + # the final set comprehension is to avoid having lists + # like [("perm1", "perm1"), ("perm2", "perm2")], as the + # matched_perms return from _set_diff is a set of tuples + if added_perms or removed_perms: + modified.append(modified_avrule_record(left_rule, + ioctlSet(added_perms), + ioctlSet(removed_perms), + ioctlSet(p[0] for p in matched_perms))) + + return added, removed, modified + def _diff_te_rules(self, left_list, right_list): """Common method for comparing type_* rules.""" added, removed, matched = self._set_diff(left_list, right_list) @@ -315,6 +455,18 @@ class TERulesDifference(Difference): self.added_dontaudits = None self.removed_dontaudits = None self.modified_dontaudits = None + self.added_allowxperms = None + self.removed_allowxperms = None + self.modified_allowxperms = None + self.added_auditallowxperms = None + self.removed_auditallowxperms = None + self.modified_auditallowxperms = None + self.added_neverallowxperms = None + self.removed_neverallowxperms = None + self.modified_neverallowxperms = None + self.added_dontauditxperms = None + self.removed_dontauditxperms = None + self.modified_dontauditxperms = None self.added_type_transitions = None self.removed_type_transitions = None self.modified_type_transitions = None @@ -334,6 +486,14 @@ class TERulesDifference(Difference): self._right_neverallows = None self._left_dontaudits = None self._right_dontaudits = None + self._left_allowxperms = None + self._right_allowxperms = None + self._left_auditallowxperms = None + self._right_auditallowxperms = None + self._left_neverallowxperms = None + self._right_neverallowxperms = None + self._left_dontauditxperms = None + self._right_dontauditxperms = None self._left_type_transitions = None self._right_type_transitions = None self._left_type_changes = None @@ -377,6 +537,34 @@ class AVRuleWrapper(Wrapper): self.conditional_block == other.conditional_block +class AVRuleXpermWrapper(Wrapper): + + """Wrap extended permission access vector rules to allow set operations.""" + + def __init__(self, rule): + self.origin = rule + self.ruletype = rule.ruletype + self.source = SymbolWrapper(rule.source) + self.target = SymbolWrapper(rule.target) + self.tclass = SymbolWrapper(rule.tclass) + self.xperm_type = rule.xperm_type + self.key = hash(rule) + + def __hash__(self): + return self.key + + def __lt__(self, other): + return self.key < other.key + + def __eq__(self, other): + # because TERuleDifference groups rules by ruletype, + # the ruletype always matches. + return self.source == other.source and \ + self.target == other.target and \ + self.tclass == other.tclass and \ + self.xperm_type == other.xperm_type + + class TERuleWrapper(Wrapper): """Wrap type_* rules to allow set operations.""" diff --git a/tests/diff.py b/tests/diff.py index 08c7683..ea8b824 100644 --- a/tests/diff.py +++ b/tests/diff.py @@ -1555,6 +1555,262 @@ class PolicyDifferenceTest(ValidateRule, unittest.TestCase): self.assertEqual("mod_parent_added", added_bound) self.assertEqual("mod_parent_removed", removed_bound) + # + # Allowxperm rules + # + def test_added_allowxperm_rules(self): + """Diff: added allowxperm rules.""" + rules = sorted(self.diff.added_allowxperms) + self.assertEqual(2, len(rules)) + + # added rule with new type + self.validate_rule(rules[0], "allowxperm", "added_type", "added_type", "infoflow7", + set([0x0009]), xperm="ioctl") + + # added rule with existing types + self.validate_rule(rules[1], "allowxperm", "ax_added_rule_source", "ax_added_rule_target", + "infoflow", set([0x0002]), xperm="ioctl") + + def test_removed_allowxperm_rules(self): + """Diff: removed allowxperm rules.""" + rules = sorted(self.diff.removed_allowxperms) + self.assertEqual(2, len(rules)) + + # removed rule with existing types + self.validate_rule(rules[0], "allowxperm", "ax_removed_rule_source", + "ax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl") + + # removed rule with new type + self.validate_rule(rules[1], "allowxperm", "removed_type", "removed_type", "infoflow7", + set([0x0009]), xperm="ioctl") + + def test_modified_allowxperm_rules(self): + """Diff: modified allowxperm rules.""" + l = sorted(self.diff.modified_allowxperms, key=lambda x: x.rule) + self.assertEqual(3, len(l)) + + # add permissions + rule, added_perms, removed_perms, matched_perms = l[0] + self.assertEqual("allowxperm", rule.ruletype) + self.assertEqual("ax_modified_rule_add_perms", rule.source) + self.assertEqual("ax_modified_rule_add_perms", rule.target) + self.assertEqual("infoflow", rule.tclass) + self.assertSetEqual(set([0x000f]), added_perms) + self.assertFalse(removed_perms) + self.assertSetEqual(set([0x0004]), matched_perms) + + # add and remove permissions + rule, added_perms, removed_perms, matched_perms = l[1] + self.assertEqual("allowxperm", rule.ruletype) + self.assertEqual("ax_modified_rule_add_remove_perms", rule.source) + self.assertEqual("ax_modified_rule_add_remove_perms", rule.target) + self.assertEqual("infoflow2", rule.tclass) + self.assertSetEqual(set([0x0006]), added_perms) + self.assertSetEqual(set([0x0007]), removed_perms) + self.assertSetEqual(set([0x0008]), matched_perms) + + # remove permissions + rule, added_perms, removed_perms, matched_perms = l[2] + self.assertEqual("allowxperm", rule.ruletype) + self.assertEqual("ax_modified_rule_remove_perms", rule.source) + self.assertEqual("ax_modified_rule_remove_perms", rule.target) + self.assertEqual("infoflow", rule.tclass) + self.assertFalse(added_perms) + self.assertSetEqual(set([0x0006]), removed_perms) + self.assertSetEqual(set([0x0005]), matched_perms) + + # + # Auditallowxperm rules + # + def test_added_auditallowxperm_rules(self): + """Diff: added auditallowxperm rules.""" + rules = sorted(self.diff.added_auditallowxperms) + self.assertEqual(2, len(rules)) + + # added rule with existing types + self.validate_rule(rules[0], "auditallowxperm", "aax_added_rule_source", + "aax_added_rule_target", "infoflow", set([0x0002]), xperm="ioctl") + + # added rule with new type + self.validate_rule(rules[1], "auditallowxperm", "added_type", "added_type", "infoflow7", + set([0x0009]), xperm="ioctl") + + def test_removed_auditallowxperm_rules(self): + """Diff: removed auditallowxperm rules.""" + rules = sorted(self.diff.removed_auditallowxperms) + self.assertEqual(2, len(rules)) + + # removed rule with existing types + self.validate_rule(rules[0], "auditallowxperm", "aax_removed_rule_source", + "aax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl") + + # removed rule with new type + self.validate_rule(rules[1], "auditallowxperm", "removed_type", "removed_type", "infoflow7", + set([0x0009]), xperm="ioctl") + + def test_modified_auditallowxperm_rules(self): + """Diff: modified auditallowxperm rules.""" + l = sorted(self.diff.modified_auditallowxperms, key=lambda x: x.rule) + self.assertEqual(3, len(l)) + + # add permissions + rule, added_perms, removed_perms, matched_perms = l[0] + self.assertEqual("auditallowxperm", rule.ruletype) + self.assertEqual("aax_modified_rule_add_perms", rule.source) + self.assertEqual("aax_modified_rule_add_perms", rule.target) + self.assertEqual("infoflow", rule.tclass) + self.assertSetEqual(set([0x000f]), added_perms) + self.assertFalse(removed_perms) + self.assertSetEqual(set([0x0004]), matched_perms) + + # add and remove permissions + rule, added_perms, removed_perms, matched_perms = l[1] + self.assertEqual("auditallowxperm", rule.ruletype) + self.assertEqual("aax_modified_rule_add_remove_perms", rule.source) + self.assertEqual("aax_modified_rule_add_remove_perms", rule.target) + self.assertEqual("infoflow2", rule.tclass) + self.assertSetEqual(set([0x0006]), added_perms) + self.assertSetEqual(set([0x0007]), removed_perms) + self.assertSetEqual(set([0x0008]), matched_perms) + + # remove permissions + rule, added_perms, removed_perms, matched_perms = l[2] + self.assertEqual("auditallowxperm", rule.ruletype) + self.assertEqual("aax_modified_rule_remove_perms", rule.source) + self.assertEqual("aax_modified_rule_remove_perms", rule.target) + self.assertEqual("infoflow", rule.tclass) + self.assertFalse(added_perms) + self.assertSetEqual(set([0x0006]), removed_perms) + self.assertSetEqual(set([0x0005]), matched_perms) + + # + # Neverallowxperm rules + # + def test_added_neverallowxperm_rules(self): + """Diff: added neverallowxperm rules.""" + rules = sorted(self.diff.added_neverallowxperms) + self.assertEqual(2, len(rules)) + + # added rule with new type + self.validate_rule(rules[0], "neverallowxperm", "added_type", "added_type", "infoflow7", + set([0x0009]), xperm="ioctl") + + # added rule with existing types + self.validate_rule(rules[1], "neverallowxperm", "nax_added_rule_source", + "nax_added_rule_target", "infoflow", set([0x0002]), xperm="ioctl") + + def test_removed_neverallowxperm_rules(self): + """Diff: removed neverallowxperm rules.""" + rules = sorted(self.diff.removed_neverallowxperms) + self.assertEqual(2, len(rules)) + + # removed rule with existing types + self.validate_rule(rules[0], "neverallowxperm", "nax_removed_rule_source", + "nax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl") + + # removed rule with new type + self.validate_rule(rules[1], "neverallowxperm", "removed_type", "removed_type", "infoflow7", + set([0x0009]), xperm="ioctl") + + def test_modified_neverallowxperm_rules(self): + """Diff: modified neverallowxperm rules.""" + l = sorted(self.diff.modified_neverallowxperms, key=lambda x: x.rule) + self.assertEqual(3, len(l)) + + # add permissions + rule, added_perms, removed_perms, matched_perms = l[0] + self.assertEqual("neverallowxperm", rule.ruletype) + self.assertEqual("nax_modified_rule_add_perms", rule.source) + self.assertEqual("nax_modified_rule_add_perms", rule.target) + self.assertEqual("infoflow", rule.tclass) + self.assertSetEqual(set([0x000f]), added_perms) + self.assertFalse(removed_perms) + self.assertSetEqual(set([0x0004]), matched_perms) + + # add and remove permissions + rule, added_perms, removed_perms, matched_perms = l[1] + self.assertEqual("neverallowxperm", rule.ruletype) + self.assertEqual("nax_modified_rule_add_remove_perms", rule.source) + self.assertEqual("nax_modified_rule_add_remove_perms", rule.target) + self.assertEqual("infoflow2", rule.tclass) + self.assertSetEqual(set([0x0006]), added_perms) + self.assertSetEqual(set([0x0007]), removed_perms) + self.assertSetEqual(set([0x0008]), matched_perms) + + # remove permissions + rule, added_perms, removed_perms, matched_perms = l[2] + self.assertEqual("neverallowxperm", rule.ruletype) + self.assertEqual("nax_modified_rule_remove_perms", rule.source) + self.assertEqual("nax_modified_rule_remove_perms", rule.target) + self.assertEqual("infoflow", rule.tclass) + self.assertFalse(added_perms) + self.assertSetEqual(set([0x0006]), removed_perms) + self.assertSetEqual(set([0x0005]), matched_perms) + + # + # Dontauditxperm rules + # + def test_added_dontauditxperm_rules(self): + """Diff: added dontauditxperm rules.""" + rules = sorted(self.diff.added_dontauditxperms) + self.assertEqual(2, len(rules)) + + # added rule with new type + self.validate_rule(rules[0], "dontauditxperm", "added_type", "added_type", "infoflow7", + set([0x0009]), xperm="ioctl") + + # added rule with existing types + self.validate_rule(rules[1], "dontauditxperm", "dax_added_rule_source", + "dax_added_rule_target", "infoflow", set([0x0002]), xperm="ioctl") + + def test_removed_dontauditxperm_rules(self): + """Diff: removed dontauditxperm rules.""" + rules = sorted(self.diff.removed_dontauditxperms) + self.assertEqual(2, len(rules)) + + # removed rule with existing types + self.validate_rule(rules[0], "dontauditxperm", "dax_removed_rule_source", + "dax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl") + + # removed rule with new type + self.validate_rule(rules[1], "dontauditxperm", "removed_type", "removed_type", "infoflow7", + set([0x0009]), xperm="ioctl") + + def test_modified_dontauditxperm_rules(self): + """Diff: modified dontauditxperm rules.""" + l = sorted(self.diff.modified_dontauditxperms, key=lambda x: x.rule) + self.assertEqual(3, len(l)) + + # add permissions + rule, added_perms, removed_perms, matched_perms = l[0] + self.assertEqual("dontauditxperm", rule.ruletype) + self.assertEqual("dax_modified_rule_add_perms", rule.source) + self.assertEqual("dax_modified_rule_add_perms", rule.target) + self.assertEqual("infoflow", rule.tclass) + self.assertSetEqual(set([0x000f]), added_perms) + self.assertFalse(removed_perms) + self.assertSetEqual(set([0x0004]), matched_perms) + + # add and remove permissions + rule, added_perms, removed_perms, matched_perms = l[1] + self.assertEqual("dontauditxperm", rule.ruletype) + self.assertEqual("dax_modified_rule_add_remove_perms", rule.source) + self.assertEqual("dax_modified_rule_add_remove_perms", rule.target) + self.assertEqual("infoflow2", rule.tclass) + self.assertSetEqual(set([0x0006]), added_perms) + self.assertSetEqual(set([0x0007]), removed_perms) + self.assertSetEqual(set([0x0008]), matched_perms) + + # remove permissions + rule, added_perms, removed_perms, matched_perms = l[2] + self.assertEqual("dontauditxperm", rule.ruletype) + self.assertEqual("dax_modified_rule_remove_perms", rule.source) + self.assertEqual("dax_modified_rule_remove_perms", rule.target) + self.assertEqual("infoflow", rule.tclass) + self.assertFalse(added_perms) + self.assertSetEqual(set([0x0006]), removed_perms) + self.assertSetEqual(set([0x0005]), matched_perms) + class PolicyDifferenceTestNoDiff(unittest.TestCase): @@ -1945,6 +2201,54 @@ class PolicyDifferenceTestNoDiff(unittest.TestCase): """NoDiff: no modified typebounds.""" self.assertFalse(self.diff.modified_typebounds) + def test_added_allowxperms(self): + """NoDiff: no added allowxperm rules.""" + self.assertFalse(self.diff.added_allowxperms) + + def test_removed_allowxperms(self): + """NoDiff: no removed allowxperm rules.""" + self.assertFalse(self.diff.removed_allowxperms) + + def test_modified_allowxperms(self): + """NoDiff: no modified allowxperm rules.""" + self.assertFalse(self.diff.modified_allowxperms) + + def test_added_auditallowxperms(self): + """NoDiff: no added auditallowxperm rules.""" + self.assertFalse(self.diff.added_auditallowxperms) + + def test_removed_auditallowxperms(self): + """NoDiff: no removed auditallowxperm rules.""" + self.assertFalse(self.diff.removed_auditallowxperms) + + def test_modified_auditallowxperms(self): + """NoDiff: no modified auditallowxperm rules.""" + self.assertFalse(self.diff.modified_auditallowxperms) + + def test_added_neverallowxperms(self): + """NoDiff: no added neverallowxperm rules.""" + self.assertFalse(self.diff.added_neverallowxperms) + + def test_removed_neverallowxperms(self): + """NoDiff: no removed neverallowxperm rules.""" + self.assertFalse(self.diff.removed_neverallowxperms) + + def test_modified_neverallowxperms(self): + """NoDiff: no modified neverallowxperm rules.""" + self.assertFalse(self.diff.modified_neverallowxperms) + + def test_added_dontauditxperms(self): + """NoDiff: no added dontauditxperm rules.""" + self.assertFalse(self.diff.added_dontauditxperms) + + def test_removed_dontauditxperms(self): + """NoDiff: no removed dontauditxperm rules.""" + self.assertFalse(self.diff.removed_dontauditxperms) + + def test_modified_dontauditxperms(self): + """NoDiff: no modified dontauditxperm rules.""" + self.assertFalse(self.diff.modified_dontauditxperms) + class PolicyDifferenceTestMLStoStandard(unittest.TestCase): @@ -2352,3 +2656,51 @@ class PolicyDifferenceTestMLStoStandard(unittest.TestCase): def test_modified_typebounds(self): """MLSvsStandardDiff: no modified typebounds.""" self.assertFalse(self.diff.modified_typebounds) + + def test_added_allowxperms(self): + """NoDiff: no added allowxperm rules.""" + self.assertFalse(self.diff.added_allowxperms) + + def test_removed_allowxperms(self): + """NoDiff: no removed allowxperm rules.""" + self.assertFalse(self.diff.removed_allowxperms) + + def test_modified_allowxperms(self): + """NoDiff: no modified allowxperm rules.""" + self.assertFalse(self.diff.modified_allowxperms) + + def test_added_auditallowxperms(self): + """NoDiff: no added auditallowxperm rules.""" + self.assertFalse(self.diff.added_auditallowxperms) + + def test_removed_auditallowxperms(self): + """NoDiff: no removed auditallowxperm rules.""" + self.assertFalse(self.diff.removed_auditallowxperms) + + def test_modified_auditallowxperms(self): + """NoDiff: no modified auditallowxperm rules.""" + self.assertFalse(self.diff.modified_auditallowxperms) + + def test_added_neverallowxperms(self): + """NoDiff: no added neverallowxperm rules.""" + self.assertFalse(self.diff.added_neverallowxperms) + + def test_removed_neverallowxperms(self): + """NoDiff: no removed neverallowxperm rules.""" + self.assertFalse(self.diff.removed_neverallowxperms) + + def test_modified_neverallowxperms(self): + """NoDiff: no modified neverallowxperm rules.""" + self.assertFalse(self.diff.modified_neverallowxperms) + + def test_added_dontauditxperms(self): + """NoDiff: no added dontauditxperm rules.""" + self.assertFalse(self.diff.added_dontauditxperms) + + def test_removed_dontauditxperms(self): + """NoDiff: no removed dontauditxperm rules.""" + self.assertFalse(self.diff.removed_dontauditxperms) + + def test_modified_dontauditxperms(self): + """NoDiff: no modified dontauditxperm rules.""" + self.assertFalse(self.diff.modified_dontauditxperms) diff --git a/tests/diff_left.conf b/tests/diff_left.conf index 30fb777..bac370e 100644 --- a/tests/diff_left.conf +++ b/tests/diff_left.conf @@ -24,6 +24,7 @@ common infoflow low_r med_r hi_r + ioctl } common removed_common @@ -634,6 +635,146 @@ role role_tr_old_role; role role_tr_new_role; role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_old_role; +# Allowxperm rule differences +type ax_matched_source; +type ax_matched_target; +allowxperm ax_matched_source ax_matched_target:infoflow ioctl 0x0001; + +type ax_removed_rule_source; +type ax_removed_rule_target; +allowxperm ax_removed_rule_source ax_removed_rule_target:infoflow ioctl 0x0002; + +type ax_added_rule_source; +type ax_added_rule_target; + +type ax_modified_rule_add_perms; +allowxperm ax_modified_rule_add_perms self:infoflow ioctl 0x0004; + +type ax_modified_rule_remove_perms; +allowxperm ax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 }; + +type ax_modified_rule_add_remove_perms; +allowxperm ax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 }; + +allowxperm removed_type self:infoflow7 ioctl 0x0009; + +attribute ax_match_rule_by_attr; +type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr; +type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr; +allowxperm ax_match_rule_by_attr self:infoflow2 ioctl 0x000a; + +attribute ax_unioned_perm_via_attr; +type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr; +type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr; +allowxperm ax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b; +allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c; +allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d; + +# Auditallowxperm rule differences +type aax_matched_source; +type aax_matched_target; +auditallowxperm aax_matched_source aax_matched_target:infoflow ioctl 0x0001; + +type aax_removed_rule_source; +type aax_removed_rule_target; +auditallowxperm aax_removed_rule_source aax_removed_rule_target:infoflow ioctl 0x0002; + +type aax_added_rule_source; +type aax_added_rule_target; + +type aax_modified_rule_add_perms; +auditallowxperm aax_modified_rule_add_perms self:infoflow ioctl 0x0004; + +type aax_modified_rule_remove_perms; +auditallowxperm aax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 }; + +type aax_modified_rule_add_remove_perms; +auditallowxperm aax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 }; + +auditallowxperm removed_type self:infoflow7 ioctl 0x0009; + +attribute aax_match_rule_by_attr; +type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr; +type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr; +auditallowxperm aax_match_rule_by_attr self:infoflow2 ioctl 0x000a; + +attribute aax_unioned_perm_via_attr; +type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr; +type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr; +auditallowxperm aax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b; +auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c; +auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d; + +# Neverallowxperm rule differences +type nax_matched_source; +type nax_matched_target; +neverallowxperm nax_matched_source nax_matched_target:infoflow ioctl 0x0001; + +type nax_removed_rule_source; +type nax_removed_rule_target; +neverallowxperm nax_removed_rule_source nax_removed_rule_target:infoflow ioctl 0x0002; + +type nax_added_rule_source; +type nax_added_rule_target; + +type nax_modified_rule_add_perms; +neverallowxperm nax_modified_rule_add_perms self:infoflow ioctl 0x0004; + +type nax_modified_rule_remove_perms; +neverallowxperm nax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 }; + +type nax_modified_rule_add_remove_perms; +neverallowxperm nax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 }; + +neverallowxperm removed_type self:infoflow7 ioctl 0x0009; + +attribute nax_match_rule_by_attr; +type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr; +type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr; +neverallowxperm nax_match_rule_by_attr self:infoflow2 ioctl 0x000a; + +attribute nax_unioned_perm_via_attr; +type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr; +type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr; +neverallowxperm nax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b; +neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c; +neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d; + +# Dontauditxperm rule differences +type dax_matched_source; +type dax_matched_target; +dontauditxperm dax_matched_source dax_matched_target:infoflow ioctl 0x0001; + +type dax_removed_rule_source; +type dax_removed_rule_target; +dontauditxperm dax_removed_rule_source dax_removed_rule_target:infoflow ioctl 0x0002; + +type dax_added_rule_source; +type dax_added_rule_target; + +type dax_modified_rule_add_perms; +dontauditxperm dax_modified_rule_add_perms self:infoflow ioctl 0x0004; + +type dax_modified_rule_remove_perms; +dontauditxperm dax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 }; + +type dax_modified_rule_add_remove_perms; +dontauditxperm dax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 }; + +dontauditxperm removed_type self:infoflow7 ioctl 0x0009; + +attribute dax_match_rule_by_attr; +type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr; +type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr; +dontauditxperm dax_match_rule_by_attr self:infoflow2 ioctl 0x000a; + +attribute dax_unioned_perm_via_attr; +type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr; +type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr; +dontauditxperm dax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b; +dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c; +dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d; + ################################################################################ # matching typebounds type match_parent; diff --git a/tests/diff_left_standard.conf b/tests/diff_left_standard.conf index 419885e..01864b7 100644 --- a/tests/diff_left_standard.conf +++ b/tests/diff_left_standard.conf @@ -24,6 +24,7 @@ common infoflow low_r med_r hi_r + ioctl } common removed_common @@ -556,6 +557,146 @@ role role_tr_old_role; role role_tr_new_role; role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_old_role; +# Allowxperm rule differences +type ax_matched_source; +type ax_matched_target; +allowxperm ax_matched_source ax_matched_target:infoflow ioctl 0x0001; + +type ax_removed_rule_source; +type ax_removed_rule_target; +allowxperm ax_removed_rule_source ax_removed_rule_target:infoflow ioctl 0x0002; + +type ax_added_rule_source; +type ax_added_rule_target; + +type ax_modified_rule_add_perms; +allowxperm ax_modified_rule_add_perms self:infoflow ioctl 0x0004; + +type ax_modified_rule_remove_perms; +allowxperm ax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 }; + +type ax_modified_rule_add_remove_perms; +allowxperm ax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 }; + +allowxperm removed_type self:infoflow7 ioctl 0x0009; + +attribute ax_match_rule_by_attr; +type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr; +type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr; +allowxperm ax_match_rule_by_attr self:infoflow2 ioctl 0x000a; + +attribute ax_unioned_perm_via_attr; +type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr; +type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr; +allowxperm ax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b; +allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c; +allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d; + +# Auditallowxperm rule differences +type aax_matched_source; +type aax_matched_target; +auditallowxperm aax_matched_source aax_matched_target:infoflow ioctl 0x0001; + +type aax_removed_rule_source; +type aax_removed_rule_target; +auditallowxperm aax_removed_rule_source aax_removed_rule_target:infoflow ioctl 0x0002; + +type aax_added_rule_source; +type aax_added_rule_target; + +type aax_modified_rule_add_perms; +auditallowxperm aax_modified_rule_add_perms self:infoflow ioctl 0x0004; + +type aax_modified_rule_remove_perms; +auditallowxperm aax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 }; + +type aax_modified_rule_add_remove_perms; +auditallowxperm aax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 }; + +auditallowxperm removed_type self:infoflow7 ioctl 0x0009; + +attribute aax_match_rule_by_attr; +type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr; +type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr; +auditallowxperm aax_match_rule_by_attr self:infoflow2 ioctl 0x000a; + +attribute aax_unioned_perm_via_attr; +type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr; +type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr; +auditallowxperm aax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b; +auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c; +auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d; + +# Neverallowxperm rule differences +type nax_matched_source; +type nax_matched_target; +neverallowxperm nax_matched_source nax_matched_target:infoflow ioctl 0x0001; + +type nax_removed_rule_source; +type nax_removed_rule_target; +neverallowxperm nax_removed_rule_source nax_removed_rule_target:infoflow ioctl 0x0002; + +type nax_added_rule_source; +type nax_added_rule_target; + +type nax_modified_rule_add_perms; +neverallowxperm nax_modified_rule_add_perms self:infoflow ioctl 0x0004; + +type nax_modified_rule_remove_perms; +neverallowxperm nax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 }; + +type nax_modified_rule_add_remove_perms; +neverallowxperm nax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 }; + +neverallowxperm removed_type self:infoflow7 ioctl 0x0009; + +attribute nax_match_rule_by_attr; +type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr; +type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr; +neverallowxperm nax_match_rule_by_attr self:infoflow2 ioctl 0x000a; + +attribute nax_unioned_perm_via_attr; +type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr; +type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr; +neverallowxperm nax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b; +neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c; +neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d; + +# Dontauditxperm rule differences +type dax_matched_source; +type dax_matched_target; +dontauditxperm dax_matched_source dax_matched_target:infoflow ioctl 0x0001; + +type dax_removed_rule_source; +type dax_removed_rule_target; +dontauditxperm dax_removed_rule_source dax_removed_rule_target:infoflow ioctl 0x0002; + +type dax_added_rule_source; +type dax_added_rule_target; + +type dax_modified_rule_add_perms; +dontauditxperm dax_modified_rule_add_perms self:infoflow ioctl 0x0004; + +type dax_modified_rule_remove_perms; +dontauditxperm dax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 }; + +type dax_modified_rule_add_remove_perms; +dontauditxperm dax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 }; + +dontauditxperm removed_type self:infoflow7 ioctl 0x0009; + +attribute dax_match_rule_by_attr; +type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr; +type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr; +dontauditxperm dax_match_rule_by_attr self:infoflow2 ioctl 0x000a; + +attribute dax_unioned_perm_via_attr; +type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr; +type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr; +dontauditxperm dax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b; +dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c; +dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d; + ################################################################################ # matching typebounds type match_parent; diff --git a/tests/diff_right.conf b/tests/diff_right.conf index eafea65..93788e0 100644 --- a/tests/diff_right.conf +++ b/tests/diff_right.conf @@ -24,6 +24,7 @@ common infoflow low_r med_r hi_r + ioctl } common added_common @@ -634,6 +635,146 @@ role role_tr_old_role; role role_tr_new_role; role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_new_role; +# Allowxperm rule differences +type ax_matched_source; +type ax_matched_target; +allowxperm ax_matched_source ax_matched_target:infoflow ioctl 0x0001; + +type ax_removed_rule_source; +type ax_removed_rule_target; + +type ax_added_rule_source; +type ax_added_rule_target; +allowxperm ax_added_rule_source ax_added_rule_target:infoflow ioctl 0x0002; + +type ax_modified_rule_add_perms; +allowxperm ax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f }; + +type ax_modified_rule_remove_perms; +allowxperm ax_modified_rule_remove_perms self:infoflow ioctl 0x0005; + +type ax_modified_rule_add_remove_perms; +allowxperm ax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 }; + +allowxperm added_type self:infoflow7 ioctl 0x0009; + +attribute ax_match_rule_by_attr; +type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr; +type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr; +allowxperm ax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a; +allowxperm ax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a; + +attribute ax_unioned_perm_via_attr; +type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr; +type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr; +allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c }; +allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d }; + +# Auditallowxperm rule differences +type aax_matched_source; +type aax_matched_target; +auditallowxperm aax_matched_source aax_matched_target:infoflow ioctl 0x0001; + +type aax_removed_rule_source; +type aax_removed_rule_target; + +type aax_added_rule_source; +type aax_added_rule_target; +auditallowxperm aax_added_rule_source aax_added_rule_target:infoflow ioctl 0x0002; + +type aax_modified_rule_add_perms; +auditallowxperm aax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f }; + +type aax_modified_rule_remove_perms; +auditallowxperm aax_modified_rule_remove_perms self:infoflow ioctl 0x0005; + +type aax_modified_rule_add_remove_perms; +auditallowxperm aax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 }; + +auditallowxperm added_type self:infoflow7 ioctl 0x0009; + +attribute aax_match_rule_by_attr; +type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr; +type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr; +auditallowxperm aax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a; +auditallowxperm aax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a; + +attribute aax_unioned_perm_via_attr; +type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr; +type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr; +auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c }; +auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d }; + +# Neverallowxperm rule differences +type nax_matched_source; +type nax_matched_target; +neverallowxperm nax_matched_source nax_matched_target:infoflow ioctl 0x0001; + +type nax_removed_rule_source; +type nax_removed_rule_target; + +type nax_added_rule_source; +type nax_added_rule_target; +neverallowxperm nax_added_rule_source nax_added_rule_target:infoflow ioctl 0x0002; + +type nax_modified_rule_add_perms; +neverallowxperm nax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f }; + +type nax_modified_rule_remove_perms; +neverallowxperm nax_modified_rule_remove_perms self:infoflow ioctl 0x0005; + +type nax_modified_rule_add_remove_perms; +neverallowxperm nax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 }; + +neverallowxperm added_type self:infoflow7 ioctl 0x0009; + +attribute nax_match_rule_by_attr; +type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr; +type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr; +neverallowxperm nax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a; +neverallowxperm nax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a; + +attribute nax_unioned_perm_via_attr; +type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr; +type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr; +neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c }; +neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d }; + +# Dontauditxperm rule differences +type dax_matched_source; +type dax_matched_target; +dontauditxperm dax_matched_source dax_matched_target:infoflow ioctl 0x0001; + +type dax_removed_rule_source; +type dax_removed_rule_target; + +type dax_added_rule_source; +type dax_added_rule_target; +dontauditxperm dax_added_rule_source dax_added_rule_target:infoflow ioctl 0x0002; + +type dax_modified_rule_add_perms; +dontauditxperm dax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f }; + +type dax_modified_rule_remove_perms; +dontauditxperm dax_modified_rule_remove_perms self:infoflow ioctl 0x0005; + +type dax_modified_rule_add_remove_perms; +dontauditxperm dax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 }; + +dontauditxperm added_type self:infoflow7 ioctl 0x0009; + +attribute dax_match_rule_by_attr; +type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr; +type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr; +dontauditxperm dax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a; +dontauditxperm dax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a; + +attribute dax_unioned_perm_via_attr; +type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr; +type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr; +dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c }; +dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d }; + ################################################################################ # matching typebounds type match_parent;