Implement NodeconQuery.

2025-03-11 07:18:15 +00:00 · 2014-11-08 22:40:42 -05:00 · 2014-11-08 22:40:42 -05:00 · 669bc5194a
commit 669bc5194a
parent 248df414ab
5 changed files with 378 additions and 0 deletions
--- a/setools/init.py
+++ b/setools/init.py
@ -46,6 +46,7 @@ from . import mlsrulequery
 from . import fsusequery
 from . import genfsconquery
 from . import initsidquery
+from . import netifconquery
 from . import nodeconquery

 # Information Flow Analysis
--- a/setools/netifconquery.py
+++ b/setools/netifconquery.py
@ -0,0 +1,82 @@
+# Copyright 2014, Tresys Technology, LLC
+#
+# This file is part of SETools.
+#
+# SETools is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation, either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# SETools is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with SETools.  If not, see
+# <http://www.gnu.org/licenses/>.
+#
+from . import compquery
+from . import contextquery
+
+
+class NetifconQuery(compquery.ComponentQuery, contextquery.ContextQuery):
+
+    """Network interface context query."""
+
+    def __init__(self, policy,
+                 name="", name_regex=False,
+                 user="", user_regex=False,
+                 role="", role_regex=False,
+                 type_="", type_regex=False,
+                 range_=""):
+        """
+        Parameters:
+        policy          The policy to query.
+
+        user            The criteria to match the context's user.
+        user_regex      If true, regular expression matching
+                        will be used on the user.
+        role            The criteria to match the context's role.
+        role_regex      If true, regular expression matching
+                        will be used on the role.
+        type_           The criteria to match the context's type.
+        type_regex      If true, regular expression matching
+                        will be used on the type.
+        range_          The criteria to match the context's range.
+        """
+
+        self.policy = policy
+
+        self.set_name(name, regex=name_regex)
+        self.set_user(user, regex=user_regex)
+        self.set_role(role, regex=role_regex)
+        self.set_type(type_, regex=type_regex)
+        self.set_range(range_)
+
+    def results(self):
+        """Generator which yields all matching netifcons."""
+
+        for netif in self.policy.netifcons():
+            if self.name and not self._match_regex(
+                    netif.netif,
+                    self.name,
+                    self.name_regex,
+                    self.name_cmp):
+                continue
+
+            if not self._match_context(
+                    netif.context,
+                    self.user,
+                    self.user_regex,
+                    self.user_cmp,
+                    self.role,
+                    self.role_regex,
+                    self.role_cmp,
+                    self.type_,
+                    self.type_regex,
+                    self.type_cmp,
+                    self.range_):
+                continue
+
+            yield netif
--- a/tests/init.py
+++ b/tests/init.py
@ -22,6 +22,7 @@ from . import fsusequery
 from . import genfsconquery
 from . import initsidquery
 from . import mlsrulequery
+from . import netifconquery
 from . import nodeconquery
 from . import objclassquery
 from . import polcapquery
--- a/tests/netifconquery.conf
+++ b/tests/netifconquery.conf
@ -0,0 +1,199 @@
+class infoflow
+class infoflow2
+class infoflow3
+class infoflow4
+class infoflow5
+class infoflow6
+class infoflow7
+
+sid kernel
+sid security
+
+common infoflow
+{
+	low_w
+	med_w
+	hi_w
+	low_r
+	med_r
+	hi_r
+}
+
+class infoflow
+inherits infoflow
+
+class infoflow2
+inherits infoflow
+{
+	super_w
+	super_r
+}
+
+class infoflow3
+{
+	null
+}
+
+class infoflow4
+inherits infoflow
+
+class infoflow5
+inherits infoflow
+
+class infoflow6
+inherits infoflow
+
+class infoflow7
+inherits infoflow
+{
+	super_w
+	super_r
+	super_none
+	super_both
+	super_unmapped
+}
+
+sensitivity s0;
+sensitivity s1;
+sensitivity s2;
+
+dominance { s0 s1 s2 }
+
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+
+#level decl
+level s0:c0.c4;
+level s1:c0.c4;
+level s2:c0.c4;
+
+#some constraints
+mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
+
+attribute mls_exempt;
+
+type system;
+role system;
+role system types system;
+
+role role20_r;
+role role21a_r;
+role role21b_r;
+role role21c_r;
+
+role role20_r types system;
+role role21a_r types system;
+role role21b_r types system;
+role role21c_r types system;
+
+type type30;
+type type31a;
+type type31b;
+type type31c;
+role system types { type30 type31a type31b type31c };
+
+allow system self:infoflow hi_w;
+
+#users
+user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4;
+user user10 roles system level s0 range s0 - s2:c0.c4;
+user user11a roles system level s0 range s0 - s2:c0.c4;
+user user11b roles system level s0 range s0 - s2:c0.c4;
+user user11c roles system level s0 range s0 - s2:c0.c4;
+
+#normal constraints
+constrain infoflow hi_w (u1 == u2);
+
+#isids
+sid kernel system:system:system:s0
+sid security system:system:system:s0
+
+#fs_use
+fs_use_trans devpts system:object_r:system:s0;
+fs_use_xattr ext3 system:object_r:system:s0;
+fs_use_task pipefs system:object_r:system:s0;
+
+#genfscon
+genfscon proc / system:object_r:system:s1
+genfscon proc /sys system:object_r:system:s0
+genfscon selinuxfs / system:object_r:system:s2:c0.c4
+
+portcon tcp 80 system:object_r:system:s0
+
+# test 1:
+# name: test1, exact
+# user: unset
+# role: unset
+# type: unset
+# range: unset
+netifcon test1 system:system:system:s0:c0.c4 system:object_r:system:s0
+
+# test 2:
+# name: test2(a|b), regex
+# user: unset
+# role: unset
+# type: unset
+# range: unset
+netifcon test2a system:system:system:s0:c0.c1 system:object_r:system:s0
+netifcon test2b system:system:system:s0:c2.c4 system:object_r:system:s0
+
+# test 10:
+# name: unset
+# user: user10, exact
+# role: unset
+# type: unset
+# range: unset
+netifcon test10 user10:system:system:s0:c0.c1 system:object_r:system:s0
+
+# test 11:
+# name: unset
+# user: user11(a|b), regex
+# role: unset
+# type: unset
+# range: unset
+netifcon test11a user11a:system:system:s0:c0.c1 system:object_r:system:s0
+netifcon test11b user11b:system:system:s0:c0.c1 system:object_r:system:s0
+netifcon test11c user11c:system:system:s0:c0.c1 system:object_r:system:s0
+
+# test 20:
+# name: unset
+# user: unset
+# role: role20_r, exact
+# type: unset
+# range: unset
+netifcon test20 system:role20_r:system:s0:c0.c1 system:object_r:system:s0
+
+# test 21:
+# name: unset
+# user: unset
+# role: role20(a|c)_r, regex
+# type: unset
+# range: unset
+netifcon test21a system:role21a_r:system:s0:c0.c1 system:object_r:system:s0
+netifcon test21b system:role21b_r:system:s0:c0.c1 system:object_r:system:s0
+netifcon test21c system:role21c_r:system:s0:c0.c1 system:object_r:system:s0
+
+# test 30:
+# name: unset
+# user: unset
+# role: unset
+# type: type30
+# range: unset
+netifcon test30 system:system:type30:s0:c0.c1 system:object_r:system:s0
+
+# test 31:
+# name: unset
+# user: unset
+# role: unset
+# type: type31(b|c)
+# range: unset
+netifcon test31a system:system:type31a:s0:c0.c1 system:object_r:system:s0
+netifcon test31b system:system:type31b:s0:c0.c1 system:object_r:system:s0
+netifcon test31c system:system:type31c:s0:c0.c1 system:object_r:system:s0
+
+nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
+nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0
+
--- a/tests/netifconquery.py
+++ b/tests/netifconquery.py
@ -0,0 +1,95 @@
+# Copyright 2014, Tresys Technology, LLC
+#
+# This file is part of SETools.
+#
+# SETools is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# SETools is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with SETools.  If not, see <http://www.gnu.org/licenses/>.
+#
+import unittest
+
+from setools import SELinuxPolicy
+from setools.netifconquery import NetifconQuery
+
+
+class NetifconQueryTest(unittest.TestCase):
+
+    def setUp(self):
+        self.p = SELinuxPolicy("tests/netifconquery.conf")
+
+    def test_000_unset(self):
+        """Netifcon query with no criteria"""
+        # query with no parameters gets all netifs.
+        for numrules, s in enumerate(self.p.netifcons(), start=1):
+            pass
+
+        q = NetifconQuery(self.p)
+        for q_numrules, s in enumerate(q.results(), start=1):
+            pass
+
+        self.assertEqual(numrules, q_numrules)
+
+    def test_001_name_exact(self):
+        """Netifcon query with exact match"""
+        q = NetifconQuery(self.p, name="test1", name_regex=False)
+
+        netifs = sorted(s.netif for s in q.results())
+        self.assertListEqual(["test1"], netifs)
+
+    def test_002_name_regex(self):
+        """Netifcon query with regex match"""
+        q = NetifconQuery(self.p, name="test2(a|b)", name_regex=True)
+
+        netifs = sorted(s.netif for s in q.results())
+        self.assertListEqual(["test2a", "test2b"], netifs)
+
+    def test_010_user_exact(self):
+        """Netifcon query with context user exact match"""
+        q = NetifconQuery(self.p, user="user10", user_regex=False)
+
+        netifs = sorted(s.netif for s in q.results())
+        self.assertListEqual(["test10"], netifs)
+
+    def test_011_user_regex(self):
+        """Netifcon query with context user regex match"""
+        q = NetifconQuery(self.p, user="user11(a|b)", user_regex=True)
+
+        netifs = sorted(s.netif for s in q.results())
+        self.assertListEqual(["test11a", "test11b"], netifs)
+
+    def test_020_role_exact(self):
+        """Netifcon query with context role exact match"""
+        q = NetifconQuery(self.p, role="role20_r", role_regex=False)
+
+        netifs = sorted(s.netif for s in q.results())
+        self.assertListEqual(["test20"], netifs)
+
+    def test_021_role_regex(self):
+        """Netifcon query with context role regex match"""
+        q = NetifconQuery(self.p, role="role21(a|c)_r", role_regex=True)
+
+        netifs = sorted(s.netif for s in q.results())
+        self.assertListEqual(["test21a", "test21c"], netifs)
+
+    def test_030_type_exact(self):
+        """Netifcon query with context type exact match"""
+        q = NetifconQuery(self.p, type_="type30", type_regex=False)
+
+        netifs = sorted(s.netif for s in q.results())
+        self.assertListEqual(["test30"], netifs)
+
+    def test_031_type_regex(self):
+        """Netifcon query with context type regex match"""
+        q = NetifconQuery(self.p, type_="type31(b|c)", type_regex=True)
+
+        netifs = sorted(s.netif for s in q.results())
+        self.assertListEqual(["test31b", "test31c"], netifs)