RepoMirrors/setools
1
0
Fork 0
mirror of https://github.com/SELinuxProject/setools synced 2025-03-11 07:18:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add ibendportcon and ibpkeycon queries.

Browse Source
This commit is contained in:
Chris PeBenito 2018-11-25 10:48:00 -05:00
parent a9620d8b2b
commit 832462fd0f
8 changed files with 1300 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
setools/__init__.py
View File

@ -29,7 +29,7 @@ import logging
# Python classes for policy representation # Python classes for policy representation
from .policyrep import SELinuxPolicy, BoundsRuletype, ConstraintRuletype, DefaultRuletype, \ from .policyrep import SELinuxPolicy, BoundsRuletype, ConstraintRuletype, DefaultRuletype, \
DefaultRangeValue, DefaultValue, FSUseRuletype, HandleUnknown, MLSRuletype, \ DefaultRangeValue, DefaultValue, FSUseRuletype, HandleUnknown, IbpkeyconRange, MLSRuletype, \
NodeconIPVersion, PolicyTarget, PortconProtocol, RBACRuletype, TERuletype NodeconIPVersion, PolicyTarget, PortconProtocol, RBACRuletype, TERuletype
# Exceptions # Exceptions
@ -62,6 +62,8 @@ from .defaultquery import DefaultQuery
# In-policy Context Queries # In-policy Context Queries
from .fsusequery import FSUseQuery from .fsusequery import FSUseQuery
from .genfsconquery import GenfsconQuery from .genfsconquery import GenfsconQuery
from .ibendportconquery import IbendportconQuery
from .ibpkeyconquery import IbpkeyconQuery
from .initsidquery import InitialSIDQuery from .initsidquery import InitialSIDQuery
from .netifconquery import NetifconQuery from .netifconquery import NetifconQuery
from .nodeconquery import NodeconQuery from .nodeconquery import NodeconQuery

85
setools/ibendportconquery.py Normal file
View File

@ -0,0 +1,85 @@
# Copyright 2018, Chris PeBenito <pebenito@ieee.org>
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as
# published by the Free Software Foundation, either version 2.1 of
# the License, or (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with SETools. If not, see
# <http://www.gnu.org/licenses/>.
#
import logging
from .mixins import MatchContext, MatchName
from .query import PolicyQuery
from .util import match_regex
class IbendportconQuery(MatchContext, MatchName, PolicyQuery):
"""
Infiniband endport context query.
Parameter:
policy The policy to query.
Keyword Parameters/Class attributes:
name The name of the network interface to match.
name_regex If true, regular expression matching will
be used for matching the name.
port The port number to match.
user The criteria to match the context's user.
user_regex If true, regular expression matching
will be used on the user.
role The criteria to match the context's role.
role_regex If true, regular expression matching
will be used on the role.
type_ The criteria to match the context's type.
type_regex If true, regular expression matching
will be used on the type.
range_ The criteria to match the context's range.
range_subset If true, the criteria will match if it is a subset
of the context's range.
range_overlap If true, the criteria will match if it overlaps
any of the context's range.
range_superset If true, the criteria will match if it is a superset
of the context's range.
range_proper If true, use proper superset/subset operations.
No effect if not using set operations.
"""
port = None
def __init__(self, policy, **kwargs):
super(IbendportconQuery, self).__init__(policy, **kwargs)
self.log = logging.getLogger(__name__)
def results(self):
"""Generator which yields all matching ibendportcons."""
self.log.info("Generating ibendportcon results from {0.policy}".format(self))
self._match_name_debug(self.log)
self.log.debug("Port: {0.port}".format(self))
self._match_context_debug(self.log)
for endport in self.policy.ibendportcons():
if self.name and not match_regex(
endport.name,
self.name,
self.name_regex):
continue
if self.port is not None and self.port != endport.port:
continue
if not self._match_context(endport.context):
continue
yield endport

141
setools/ibpkeyconquery.py Normal file
View File

@ -0,0 +1,141 @@
# Copyright 2018, Chris PeBenito <pebenito@ieee.org>
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as
# published by the Free Software Foundation, either version 2.1 of
# the License, or (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with SETools. If not, see
# <http://www.gnu.org/licenses/>.
#
import ipaddress
import logging
from .mixins import MatchContext
from .policyrep import IbpkeyconRange
from .query import PolicyQuery
from .util import match_range
class IbpkeyconQuery(MatchContext, PolicyQuery):
"""
Infiniband pkey context query.
Parameter:
policy The policy to query.
Keyword Parameters/Class attributes:
subnet_prefix A subnet prefix to match.
pkeys A 2-tuple of the pkey range to match. (Set both to
the same value for a single pkey)
pkeys_subset If true, the criteria will match if it is a subset
of the ibpkeycon's range.
pkeys_overlap If true, the criteria will match if it overlaps
any of the ibpkeycon's range.
pkeys_superset If true, the criteria will match if it is a superset
of the ibpkeycon's range.
pkeys_proper If true, use proper superset/subset operations.
No effect if not using set operations.
user The criteria to match the context's user.
user_regex If true, regular expression matching
will be used on the user.
role The criteria to match the context's role.
role_regex If true, regular expression matching
will be used on the role.
type_ The criteria to match the context's type.
type_regex If true, regular expression matching
will be used on the type.
range_ The criteria to match the context's range.
range_subset If true, the criteria will match if it is a subset
of the context's range.
range_overlap If true, the criteria will match if it overlaps
any of the context's range.
range_superset If true, the criteria will match if it is a superset
of the context's range.
range_proper If true, use proper superset/subset operations.
No effect if not using set operations.
"""
_subnet_prefix = None
_pkeys = None
pkeys_subset = False
pkeys_overlap = False
pkeys_superset = False
pkeys_proper = False
def __init__(self, policy, **kwargs):
super(IbpkeyconQuery, self).__init__(policy, **kwargs)
self.log = logging.getLogger(__name__)
@property
def pkeys(self):
return self._pkeys
@pkeys.setter
def pkeys(self, value):
if value is not None:
pending_pkeys = IbpkeyconRange(*value)
if pending_pkeys.low < 1 or pending_pkeys.high < 1:
raise ValueError("Pkeys must be positive: {0.low:#x}-{0.high:#x}".
format(pending_pkeys))
if pending_pkeys.low > 0xffff or pending_pkeys.high > 0xffff:
raise ValueError("Pkeys maximum is 0xffff: {0.low:#x}-{0.high:#x}".
format(pending_pkeys))
if pending_pkeys.low > pending_pkeys.high:
raise ValueError(
"The low pkey must be smaller than the high pkey: {0.low:#x}-{0.high:#x}".
format(pending_pkeys))
self._pkeys = pending_pkeys
else:
self._pkeys = None
@property
def subnet_prefix(self):
return self._subnet_prefix
@subnet_prefix.setter
def subnet_prefix(self, value):
if value:
self._subnet_prefix = ipaddress.IPv6Address(value)
else:
self._subnet_prefix = None
def results(self):
"""Generator which yields all matching ibpkeycons."""
self.log.info("Generating ibpkeycon results from {0.policy}".format(self))
self.log.debug("Subnet Prefix: {0.subnet_prefix}".format(self))
self.log.debug("Pkeys: {0.pkeys}, overlap: {0.pkeys_overlap}, "
"subset: {0.pkeys_subset}, superset: {0.pkeys_superset}, "
"proper: {0.pkeys_proper}".format(self))
self._match_context_debug(self.log)
for pk in self.policy.ibpkeycons():
if self.subnet_prefix is not None and self.subnet_prefix != pk.subnet_prefix:
continue
if self.pkeys and not match_range(
pk.pkeys,
self.pkeys,
self.pkeys_subset,
self.pkeys_overlap,
self.pkeys_superset,
self.pkeys_proper):
continue
if not self._match_context(pk.context):
continue
yield pk

2
tests/__init__.py
View File

@ -25,6 +25,8 @@ from . import diff
from . import dta from . import dta
from . import fsusequery from . import fsusequery
from . import genfsconquery from . import genfsconquery
from . import ibendportconquery
from . import ibpkeyconquery
from . import infoflow from . import infoflow
from . import initsidquery from . import initsidquery
from . import mlsrulequery from . import mlsrulequery

284
tests/ibendportconquery.conf Normal file
View File

@ -0,0 +1,284 @@
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
sid kernel
sid security
common infoflow
{
low_w
med_w
hi_w
low_r
med_r
hi_r
}
class infoflow
inherits infoflow
class infoflow2
inherits infoflow
{
super_w
super_r
}
class infoflow3
{
null
}
class infoflow4
inherits infoflow
class infoflow5
inherits infoflow
class infoflow6
inherits infoflow
class infoflow7
inherits infoflow
{
super_w
super_r
super_none
super_both
super_unmapped
}
sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;
dominance { s0 s1 s2 s3 s4 s5 s6 }
category c0;
category c1;
category c2;
category c3;
category c4;
#level decl
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s4:c0.c4;
level s5:c0.c4;
level s6:c0.c4;
#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
attribute mls_exempt;
type system;
role system;
role system types system;
role role30_r;
role role31a_r;
role role31b_r;
role role31c_r;
role role30_r types system;
role role31a_r types system;
role role31b_r types system;
role role31c_r types system;
type type40;
type type41a;
type type41b;
type type41c;
role system types { type40 type41a type41b type41c };
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
################################################################################
#users
user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s6:c0.c4;
user user20 roles system level s0 range s0 - s2:c0.c4;
user user21a roles system level s0 range s0 - s2:c0.c4;
user user21b roles system level s0 range s0 - s2:c0.c4;
user user21c roles system level s0 range s0 - s2:c0.c4;
#normal constraints
constrain infoflow hi_w (u1 == u2);
#isids
sid kernel system:system:system:s0
sid security system:system:system:s0
#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;
#genfscon
genfscon proc / system:object_r:system:s1
genfscon proc /sys system:object_r:system:s0
genfscon selinuxfs / system:object_r:system:s2:c0.c4
portcon tcp 80 system:object_r:system:s0
netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
# test 1:
# name: test1, exact
# port: unset
# user: unset
# role: unset
# type: unset
# range: unset
ibendportcon test1 1 system:system:system:s0:c0.c1
# test 2:
# name: test2(a|b), regex
# port: unset
# user: unset
# role: unset
# type: unset
# range: unset
ibendportcon test2a 2 system:system:system:s0:c0.c1
ibendportcon test2b 3 system:system:system:s0:c0.c1
ibendportcon test2c 4 system:system:system:s0:c0.c1
# test 10:
# name: unset
# port: 10
# user: unset
# role: unset
# type: unset
# range: unset
ibendportcon test10 10 system:system:system:s0:c0.c1
# test 20:
# name: unset
# port: unset
# user: user20, exact
# role: unset
# type: unset
# range: unset
ibendportcon test20 20 user20:system:system:s0:c0.c1
# test 21:
# name: unset
# port: unset
# user: user21(a|b), regex
# role: unset
# type: unset
# range: unset
ibendportcon test21a 21 user21a:system:system:s0:c0.c1
ibendportcon test21b 22 user21b:system:system:s0:c0.c1
ibendportcon test21c 23 user21c:system:system:s0:c0.c1
# test 30:
# name: unset
# port: unset
# user: unset
# role: role30_r, exact
# type: unset
# range: unset
ibendportcon test30 30 system:role30_r:system:s0:c0.c1
# test 31:
# name: unset
# port: unset
# user: unset
# role: role30(a|c)_r, regex
# type: unset
# range: unset
ibendportcon test31a 31 system:role31a_r:system:s0:c0.c1
ibendportcon test31b 32 system:role31b_r:system:s0:c0.c1
ibendportcon test31c 33 system:role31c_r:system:s0:c0.c1
# test 40:
# name: unset
# port: unset
# user: unset
# role: unset
# type: type40
# range: unset
ibendportcon test40 40 system:system:type40:s0:c0.c1
# test 41:
# name: unset
# port: unset
# user: unset
# role: unset
# type: type41(b|c)
# range: unset
ibendportcon test41a 41 system:system:type41a:s0:c0.c1
ibendportcon test41b 42 system:system:type41b:s0:c0.c1
ibendportcon test41c 43 system:system:type41c:s0:c0.c1
# test 50:
# name: unset
# port: unset
# user: unset
# role: unset
# type: unset
# range: equal
ibendportcon test50 50 system:system:system:s0:c1 - s0:c0.c4
# test 51:
# name: unset
# port: unset
# user: unset
# role: unset
# type: unset
# range: overlap
ibendportcon test51 51 system:system:system:s1:c1 - s1:c1.c3
# test 52:
# name: unset
# port: unset
# user: unset
# role: unset
# type: unset
# range: subset
ibendportcon test52 52 system:system:system:s2:c1 - s2:c1.c3
# test 53:
# name: unset
# port: unset
# user: unset
# role: unset
# type: unset
# range: superset
ibendportcon test53 53 system:system:system:s3:c1 - s3:c1.c3
# test 54:
# name: unset
# port: unset
# user: unset
# role: unset
# type: unset
# range: proper subset
ibendportcon test54 54 system:system:system:s4:c1 - s4:c1.c3
# test 55:
# name: unset
# port: unset
# user: unset
# role: unset
# type: unset
# range: proper superset
ibendportcon test55 55 system:system:system:s5:c1 - s5:c1.c3

233
tests/ibendportconquery.py Normal file
View File

@ -0,0 +1,233 @@
# Copyright 2018, Chris PeBenito <pebenito@ieee.org>
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import IbendportconQuery
from .policyrep.util import compile_policy
class IbendportconQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = compile_policy("tests/ibendportconquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Ibendportcon query with no criteria"""
# query with no parameters gets all ibendportcons.
ibendportcons = sorted(self.p.ibendportcons())
q = IbendportconQuery(self.p)
q_ibendportcons = sorted(q.results())
self.assertListEqual(ibendportcons, q_ibendportcons)
def test_001_name_exact(self):
"""Ibendportcon query with exact name match."""
q = IbendportconQuery(self.p, name="test1", name_regex=False)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test1"], ibendportcons)
def test_002_name_regext(self):
"""Ibendportcon query with regex name match."""
q = IbendportconQuery(self.p, name="test2(a|b)", name_regex=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test2a", "test2b"], ibendportcons)
def test_010_port(self):
"""Ibendportcon query with port match."""
q = IbendportconQuery(self.p, port=10)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test10"], ibendportcons)
def test_020_user_exact(self):
"""Ibendportcon query with context user exact match"""
q = IbendportconQuery(self.p, user="user20", user_regex=False)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test20"], ibendportcons)
def test_021_user_regex(self):
"""Ibendportcon query with context user regex match"""
q = IbendportconQuery(self.p, user="user21(a|b)", user_regex=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test21a", "test21b"], ibendportcons)
def test_030_role_exact(self):
"""Ibendportcon query with context role exact match"""
q = IbendportconQuery(self.p, role="role30_r", role_regex=False)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test30"], ibendportcons)
def test_031_role_regex(self):
"""Ibendportcon query with context role regex match"""
q = IbendportconQuery(self.p, role="role31(a|c)_r", role_regex=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test31a", "test31c"], ibendportcons)
def test_040_type_exact(self):
"""Ibendportcon query with context type exact match"""
q = IbendportconQuery(self.p, type_="type40", type_regex=False)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test40"], ibendportcons)
def test_041_type_regex(self):
"""Ibendportcon query with context type regex match"""
q = IbendportconQuery(self.p, type_="type41(b|c)", type_regex=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test41b", "test41c"], ibendportcons)
def test_050_range_exact(self):
"""Ibendportcon query with context range exact match"""
q = IbendportconQuery(self.p, range_="s0:c1 - s0:c0.c4")
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test50"], ibendportcons)
def test_051_range_overlap1(self):
"""Ibendportcon query with context range overlap match (equal)"""
q = IbendportconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test51"], ibendportcons)
def test_051_range_overlap2(self):
"""Ibendportcon query with context range overlap match (subset)"""
q = IbendportconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test51"], ibendportcons)
def test_051_range_overlap3(self):
"""Ibendportcon query with context range overlap match (superset)"""
q = IbendportconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test51"], ibendportcons)
def test_051_range_overlap4(self):
"""Ibendportcon query with context range overlap match (overlap low level)"""
q = IbendportconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test51"], ibendportcons)
def test_051_range_overlap5(self):
"""Ibendportcon query with context range overlap match (overlap high level)"""
q = IbendportconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test51"], ibendportcons)
def test_052_range_subset1(self):
"""Ibendportcon query with context range subset match"""
q = IbendportconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test52"], ibendportcons)
def test_052_range_subset2(self):
"""Ibendportcon query with context range subset match (equal)"""
q = IbendportconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test52"], ibendportcons)
def test_053_range_superset1(self):
"""Ibendportcon query with context range superset match"""
q = IbendportconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test53"], ibendportcons)
def test_053_range_superset2(self):
"""Ibendportcon query with context range superset match (equal)"""
q = IbendportconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test53"], ibendportcons)
def test_054_range_proper_subset1(self):
"""Ibendportcon query with context range proper subset match"""
q = IbendportconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test54"], ibendportcons)
def test_054_range_proper_subset2(self):
"""Ibendportcon query with context range proper subset match (equal)"""
q = IbendportconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual([], ibendportcons)
def test_054_range_proper_subset3(self):
"""Ibendportcon query with context range proper subset match (equal low only)"""
q = IbendportconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test54"], ibendportcons)
def test_054_range_proper_subset4(self):
"""Ibendportcon query with context range proper subset match (equal high only)"""
q = IbendportconQuery(self.p, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test54"], ibendportcons)
def test_055_range_proper_superset1(self):
"""Ibendportcon query with context range proper superset match"""
q = IbendportconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test55"], ibendportcons)
def test_055_range_proper_superset2(self):
"""Ibendportcon query with context range proper superset match (equal)"""
q = IbendportconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual([], ibendportcons)
def test_055_range_proper_superset3(self):
"""Ibendportcon query with context range proper superset match (equal low)"""
q = IbendportconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test55"], ibendportcons)
def test_055_range_proper_superset4(self):
"""Ibendportcon query with context range proper superset match (equal high)"""
q = IbendportconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True)
ibendportcons = sorted(n.name for n in q.results())
self.assertListEqual(["test55"], ibendportcons)

273
tests/ibpkeyconquery.conf Normal file
View File

@ -0,0 +1,273 @@
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
sid kernel
sid security
common infoflow
{
low_w
med_w
hi_w
low_r
med_r
hi_r
}
class infoflow
inherits infoflow
class infoflow2
inherits infoflow
{
super_w
super_r
}
class infoflow3
{
null
}
class infoflow4
inherits infoflow
class infoflow5
inherits infoflow
class infoflow6
inherits infoflow
class infoflow7
inherits infoflow
{
super_w
super_r
super_none
super_both
super_unmapped
}
sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;
dominance { s0 s1 s2 s3 s4 s5 s6 }
category c0;
category c1;
category c2;
category c3;
category c4;
#level decl
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s4:c0.c4;
level s5:c0.c4;
level s6:c0.c4;
#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
attribute mls_exempt;
type system;
role system;
role system types system;
role role30_r;
role role31a_r;
role role31b_r;
role role31c_r;
role role30_r types system;
role role31a_r types system;
role role31b_r types system;
role role31c_r types system;
type type40;
type type41a;
type type41b;
type type41c;
role system types { type40 type41a type41b type41c };
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
################################################################################
#users
user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s6:c0.c4;
user user20 roles system level s0 range s0 - s2:c0.c4;
user user21a roles system level s0 range s0 - s2:c0.c4;
user user21b roles system level s0 range s0 - s2:c0.c4;
user user21c roles system level s0 range s0 - s2:c0.c4;
#normal constraints
constrain infoflow hi_w (u1 == u2);
#isids
sid kernel system:system:system:s0
sid security system:system:system:s0
#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;
#genfscon
genfscon proc / system:object_r:system:s1
genfscon proc /sys system:object_r:system:s0
genfscon selinuxfs / system:object_r:system:s2:c0.c4
portcon tcp 80 system:object_r:system:s0
netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
# test 1:
# subnet_prefix: fe81::
# pkeys: unset
# user: unset
# role: unset
# type: unset
# range: unset
ibpkeycon fe81:: 1 system:system:system:s0:c0.c1
# test 10:
# subnet_prefix: unset
# pkeys: 10, exact
# user: unset
# role: unset
# type: unset
# range: unset
ibpkeycon ffff:: 0x10c-0x10e system:system:system:s0:c0.c1
# test 20:
# subnet_prefix: unset
# pkeys: unset
# user: user20, exact
# role: unset
# type: unset
# range: unset
ibpkeycon ffff:: 20 user20:system:system:s0:c0.c1
# test 21:
# subnet_prefix: unset
# pkeys: unset
# user: user21(a|b), regex
# role: unset
# type: unset
# range: unset
ibpkeycon ffff:: 0x21a user21a:system:system:s0:c0.c1
ibpkeycon ffff:: 0x21b user21b:system:system:s0:c0.c1
ibpkeycon ffff:: 0x21c user21c:system:system:s0:c0.c1
# test 30:
# subnet_prefix: unset
# pkeys: unset
# user: unset
# role: role30_r, exact
# type: unset
# range: unset
ibpkeycon ffff:: 30 system:role30_r:system:s0:c0.c1
# test 31:
# subnet_prefix: unset
# pkeys: unset
# user: unset
# role: role30(a|c)_r, regex
# type: unset
# range: unset
ibpkeycon ffff:: 0x31a system:role31a_r:system:s0:c0.c1
ibpkeycon ffff:: 0x31b system:role31b_r:system:s0:c0.c1
ibpkeycon ffff:: 0x31c system:role31c_r:system:s0:c0.c1
# test 40:
# subnet_prefix: unset
# pkeys: unset
# user: unset
# role: unset
# type: type40
# range: unset
ibpkeycon ffff:: 40 system:system:type40:s0:c0.c1
# test 41:
# subnet_prefix: unset
# pkeys: unset
# user: unset
# role: unset
# type: type41(b|c)
# range: unset
ibpkeycon ffff:: 0x41a system:system:type41a:s0:c0.c1
ibpkeycon ffff:: 0x41b system:system:type41b:s0:c0.c1
ibpkeycon ffff:: 0x41c system:system:type41c:s0:c0.c1
# test 50:
# subnet_prefix: unset
# pkeys: unset
# user: unset
# role: unset
# type: unset
# range: equal
ibpkeycon ffff:: 50 system:system:system:s0:c1 - s0:c0.c4
# test 51:
# subnet_prefix: unset
# pkeys: unset
# user: unset
# role: unset
# type: unset
# range: overlap
ibpkeycon ffff:: 51 system:system:system:s1:c1 - s1:c1.c3
# test 52:
# subnet_prefix: unset
# pkeys: unset
# user: unset
# role: unset
# type: unset
# range: subset
ibpkeycon ffff:: 52 system:system:system:s2:c1 - s2:c1.c3
# test 53:
# subnet_prefix: unset
# pkeys: unset
# user: unset
# role: unset
# type: unset
# range: superset
ibpkeycon ffff:: 53 system:system:system:s3:c1 - s3:c1.c3
# test 54:
# subnet_prefix: unset
# pkeys: unset
# user: unset
# role: unset
# type: unset
# range: proper subset
ibpkeycon ffff:: 54 system:system:system:s4:c1 - s4:c1.c3
# test 55:
# subnet_prefix: unset
# pkeys: unset
# user: unset
# role: unset
# type: unset
# range: proper superset
ibpkeycon ffff:: 55 system:system:system:s5:c1 - s5:c1.c3

279
tests/ibpkeyconquery.py Normal file
View File

@ -0,0 +1,279 @@
# Copyright 2018, Chris PeBenito <pebenito@ieee.org>
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import IbpkeyconQuery
from .policyrep.util import compile_policy
class IbpkeyconQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = compile_policy("tests/ibpkeyconquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""ibpkeycon query with no criteria"""
# query with no parameters gets all ibpkeycons.
ibpkeycons = sorted(self.p.ibpkeycons())
q = IbpkeyconQuery(self.p)
q_ibpkeycons = sorted(q.results())
self.assertListEqual(ibpkeycons, q_ibpkeycons)
def test_001_subnet_mask(self):
"""Ibpkeycon query with subnet mask match."""
q = IbpkeyconQuery(self.p, subnet_prefix="fe81::")
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(1, 1)], ibpkeycons)
def test_010_pkey_exact(self):
"""Ibpkeycon query with exact pkey match."""
q = IbpkeyconQuery(self.p, pkeys=(0x10c, 0x10e))
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(0x10c, 0x10e)], ibpkeycons)
def test_020_user_exact(self):
"""ibpkeycon query with context user exact match"""
q = IbpkeyconQuery(self.p, user="user20", user_regex=False)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(20, 20)], ibpkeycons)
def test_021_user_regex(self):
"""ibpkeycon query with context user regex match"""
q = IbpkeyconQuery(self.p, user="user21(a|b)", user_regex=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(0x21a, 0x21a), (0x21b, 0x21b)], ibpkeycons)
def test_030_role_exact(self):
"""ibpkeycon query with context role exact match"""
q = IbpkeyconQuery(self.p, role="role30_r", role_regex=False)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(30, 30)], ibpkeycons)
def test_031_role_regex(self):
"""ibpkeycon query with context role regex match"""
q = IbpkeyconQuery(self.p, role="role31(a|c)_r", role_regex=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(0x31a, 0x31a), (0x31c, 0x31c)], ibpkeycons)
def test_040_type_exact(self):
"""ibpkeycon query with context type exact match"""
q = IbpkeyconQuery(self.p, type_="type40", type_regex=False)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(40, 40)], ibpkeycons)
def test_041_type_regex(self):
"""ibpkeycon query with context type regex match"""
q = IbpkeyconQuery(self.p, type_="type41(b|c)", type_regex=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(0x41b, 0x41b), (0x41c, 0x41c)], ibpkeycons)
def test_050_range_exact(self):
"""ibpkeycon query with context range exact match"""
q = IbpkeyconQuery(self.p, range_="s0:c1 - s0:c0.c4")
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(50, 50)], ibpkeycons)
def test_051_range_overlap1(self):
"""ibpkeycon query with context range overlap match (equal)"""
q = IbpkeyconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(51, 51)], ibpkeycons)
def test_051_range_overlap2(self):
"""ibpkeycon query with context range overlap match (subset)"""
q = IbpkeyconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(51, 51)], ibpkeycons)
def test_051_range_overlap3(self):
"""ibpkeycon query with context range overlap match (superset)"""
q = IbpkeyconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(51, 51)], ibpkeycons)
def test_051_range_overlap4(self):
"""ibpkeycon query with context range overlap match (overlap low level)"""
q = IbpkeyconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(51, 51)], ibpkeycons)
def test_051_range_overlap5(self):
"""ibpkeycon query with context range overlap match (overlap high level)"""
q = IbpkeyconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(51, 51)], ibpkeycons)
def test_052_range_subset1(self):
"""ibpkeycon query with context range subset match"""
q = IbpkeyconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(52, 52)], ibpkeycons)
def test_052_range_subset2(self):
"""ibpkeycon query with context range subset match (equal)"""
q = IbpkeyconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(52, 52)], ibpkeycons)
def test_053_range_superset1(self):
"""ibpkeycon query with context range superset match"""
q = IbpkeyconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(53, 53)], ibpkeycons)
def test_053_range_superset2(self):
"""ibpkeycon query with context range superset match (equal)"""
q = IbpkeyconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(53, 53)], ibpkeycons)
def test_054_range_proper_subset1(self):
"""ibpkeycon query with context range proper subset match"""
q = IbpkeyconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(54, 54)], ibpkeycons)
def test_054_range_proper_subset2(self):
"""ibpkeycon query with context range proper subset match (equal)"""
q = IbpkeyconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([], ibpkeycons)
def test_054_range_proper_subset3(self):
"""ibpkeycon query with context range proper subset match (equal low only)"""
q = IbpkeyconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(54, 54)], ibpkeycons)
def test_054_range_proper_subset4(self):
"""ibpkeycon query with context range proper subset match (equal high only)"""
q = IbpkeyconQuery(self.p, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(54, 54)], ibpkeycons)
def test_055_range_proper_superset1(self):
"""ibpkeycon query with context range proper superset match"""
q = IbpkeyconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(55, 55)], ibpkeycons)
def test_055_range_proper_superset2(self):
"""ibpkeycon query with context range proper superset match (equal)"""
q = IbpkeyconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([], ibpkeycons)
def test_055_range_proper_superset3(self):
"""ibpkeycon query with context range proper superset match (equal low)"""
q = IbpkeyconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(55, 55)], ibpkeycons)
def test_055_range_proper_superset4(self):
"""ibpkeycon query with context range proper superset match (equal high)"""
q = IbpkeyconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True)
ibpkeycons = sorted(n.pkeys for n in q.results())
self.assertListEqual([(55, 55)], ibpkeycons)
def test_900_invalid_subnet_prefix(self):
"""Ibpkeycon query with invalid subnet prefix"""
with self.assertRaises(ValueError):
IbpkeyconQuery(self.p, subnet_prefix="INVALID")
def test_910_invalid_pkey_negative(self):
"""Ibpkeycon query with negative pkey"""
with self.assertRaises(ValueError):
IbpkeyconQuery(self.p, pkeys=(-1, -1))
with self.assertRaises(ValueError):
IbpkeyconQuery(self.p, pkeys=(1, -1))
with self.assertRaises(ValueError):
IbpkeyconQuery(self.p, pkeys=(-1, 1))
def test_911_invalid_pkey_zero(self):
"""Ibpkeycon query with 0 pkey"""
with self.assertRaises(ValueError):
IbpkeyconQuery(self.p, pkeys=(0, 0))
def test_912_invalid_pkey_over_max(self):
"""Ibpkeycon query with pkey over maximum value"""
with self.assertRaises(ValueError):
IbpkeyconQuery(self.p, pkeys=(1, 0xfffff))
with self.assertRaises(ValueError):
IbpkeyconQuery(self.p, pkeys=(0xfffff, 1))
with self.assertRaises(ValueError):
IbpkeyconQuery(self.p, pkeys=(0xfffff, 0xfffff))
def test_913_invalid_pkey_not_a_number(self):
"""Ibpkeycon query with pkey is not a number"""
with self.assertRaises(TypeError):
IbpkeyconQuery(self.p, pkeys=(1, "INVALID"))
with self.assertRaises(TypeError):
IbpkeyconQuery(self.p, pkeys=("INVALID", 2))
def test_914_invalid_pkey_not_tuple(self):
"""Ibpkeycon query with pkey is not a tuple"""
with self.assertRaises(TypeError):
IbpkeyconQuery(self.p, pkeys=1)
def test_915_invalid_pkey_wrong_tuple_length(self):
"""Ibpkeycon query with pkey is not correct tuple size"""
with self.assertRaises(TypeError):
IbpkeyconQuery(self.p, pkeys=(1,))
with self.assertRaises(TypeError):
IbpkeyconQuery(self.p, pkeys=(1, 2, 3))