From 9939f5241e918c095cc3b536f96d3a0aadd40d69 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 24 Feb 2015 15:50:08 -0500 Subject: [PATCH] Implement MLS range tests on several context-based queries. --- tests/genfsconquery.conf | 72 +++++++++++++++++++++- tests/genfsconquery.py | 127 ++++++++++++++++++++++++++++++++++++++ tests/initsidquery.conf | 66 +++++++++++++++++++- tests/initsidquery.py | 129 +++++++++++++++++++++++++++++++++++++++ tests/netifconquery.conf | 61 +++++++++++++++++- tests/netifconquery.py | 127 ++++++++++++++++++++++++++++++++++++++ tests/nodeconquery.conf | 60 +++++++++++++++++- tests/nodeconquery.py | 126 ++++++++++++++++++++++++++++++++++++++ tests/portconquery.conf | 66 +++++++++++++++++++- tests/portconquery.py | 126 ++++++++++++++++++++++++++++++++++++++ 10 files changed, 950 insertions(+), 10 deletions(-) diff --git a/tests/genfsconquery.conf b/tests/genfsconquery.conf index d459675..f71a917 100644 --- a/tests/genfsconquery.conf +++ b/tests/genfsconquery.conf @@ -56,8 +56,12 @@ inherits infoflow sensitivity s0; sensitivity s1; sensitivity s2; +sensitivity s3; +sensitivity s4; +sensitivity s5; +sensitivity s6; -dominance { s0 s1 s2 } +dominance { s0 s1 s2 s3 s4 s5 s6 } category c0; category c1; @@ -69,6 +73,10 @@ category c4; level s0:c0.c4; level s1:c0.c4; level s2:c0.c4; +level s3:c0.c4; +level s4:c0.c4; +level s5:c0.c4; +level s6:c0.c4; #some constraints @@ -104,7 +112,7 @@ role system types { type40 type41a type41b type41c }; ################################################################################ #users -user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s2:c0.c4; +user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s6:c0.c4; user user20 roles system level s0 range s0 - s2:c0.c4; user user21a roles system level s0 range s0 - s2:c0.c4; user user21b roles system level s0 range s0 - s2:c0.c4; @@ -238,6 +246,66 @@ genfscon test50l / -l system:system:system:s0:c0.c4 genfscon test50p / -p system:system:system:s0:c0.c4 genfscon test50d / -d system:system:system:s0:c0.c4 +# test 60: +# fs: unset +# filetype: unset +# path: unset +# user: unset +# role: unset +# type: unset +# range: equal +genfscon test60 / system:system:system:s0:c1 - s0:c0.c4 + +# test 61: +# fs: unset +# filetype: unset +# path: unset +# user: unset +# role: unset +# type: unset +# range: overlap +genfscon test61 / system:system:system:s1:c1 - s1:c1.c3 + +# test 62: +# fs: unset +# filetype: unset +# path: unset +# user: unset +# role: unset +# type: unset +# range: subset +genfscon test62 / system:system:system:s2:c1 - s2:c1.c3 + +# test 63: +# fs: unset +# filetype: unset +# path: unset +# user: unset +# role: unset +# type: unset +# range: superset +genfscon test63 / system:system:system:s3:c1 - s3:c1.c3 + +# test 64: +# fs: unset +# filetype: unset +# path: unset +# user: unset +# role: unset +# type: unset +# range: proper subset +genfscon test64 / system:system:system:s4:c1 - s4:c1.c3 + +# test 65: +# fs: unset +# filetype: unset +# path: unset +# user: unset +# role: unset +# type: unset +# range: proper superset +genfscon test65 / system:system:system:s5:c1 - s5:c1.c3 + portcon tcp 80 system:object_r:system:s0 netifcon eth0 system:object_r:system:s0 system:object_r:system:s0 diff --git a/tests/genfsconquery.py b/tests/genfsconquery.py index 5330018..8d9d117 100644 --- a/tests/genfsconquery.py +++ b/tests/genfsconquery.py @@ -113,3 +113,130 @@ class GenfsconQueryTest(unittest.TestCase): genfs = sorted(s.fs for s in q.results()) self.assertListEqual(["test50b"], genfs) + + def test_060_range_exact(self): + """Genfscon query with context range exact match""" + q = GenfsconQuery(self.p, range_="s0:c1 - s0:c0.c4") + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test60"], genfs) + + def test_061_range_overlap1(self): + """Genfscon query with context range overlap match (equal)""" + q = GenfsconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test61"], genfs) + + def test_061_range_overlap2(self): + """Genfscon query with context range overlap match (subset)""" + q = GenfsconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test61"], genfs) + + def test_061_range_overlap3(self): + """Genfscon query with context range overlap match (superset)""" + q = GenfsconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test61"], genfs) + + def test_061_range_overlap4(self): + """Genfscon query with context range overlap match (overlap low level)""" + q = GenfsconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test61"], genfs) + + def test_061_range_overlap5(self): + """Genfscon query with context range overlap match (overlap high level)""" + q = GenfsconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test61"], genfs) + + def test_062_range_subset1(self): + """Genfscon query with context range subset match""" + q = GenfsconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test62"], genfs) + + def test_062_range_subset2(self): + """Genfscon query with context range subset match (equal)""" + q = GenfsconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test62"], genfs) + + def test_063_range_superset1(self): + """Genfscon query with context range superset match""" + q = GenfsconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test63"], genfs) + + def test_063_range_superset2(self): + """Genfscon query with context range superset match (equal)""" + q = GenfsconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test63"], genfs) + + def test_064_range_proper_subset1(self): + """Genfscon query with context range proper subset match""" + q = GenfsconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test64"], genfs) + + def test_064_range_proper_subset2(self): + """Genfscon query with context range proper subset match (equal)""" + q = GenfsconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual([], genfs) + + def test_064_range_proper_subset3(self): + """Genfscon query with context range proper subset match (equal low only)""" + q = GenfsconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test64"], genfs) + + def test_064_range_proper_subset4(self): + """Genfscon query with context range proper subset match (equal high only)""" + q = GenfsconQuery(self.p, + range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test64"], genfs) + + def test_065_range_proper_superset1(self): + """Genfscon query with context range proper superset match""" + q = GenfsconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test65"], genfs) + + def test_065_range_proper_superset2(self): + """Genfscon query with context range proper superset match (equal)""" + q = GenfsconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual([], genfs) + + def test_065_range_proper_superset3(self): + """Genfscon query with context range proper superset match (equal low)""" + q = GenfsconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test65"], genfs) + + def test_065_range_proper_superset4(self): + """Genfscon query with context range proper superset match (equal high)""" + q = GenfsconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + + genfs = sorted(s.fs for s in q.results()) + self.assertListEqual(["test65"], genfs) diff --git a/tests/initsidquery.conf b/tests/initsidquery.conf index 59313cc..5156903 100644 --- a/tests/initsidquery.conf +++ b/tests/initsidquery.conf @@ -21,6 +21,12 @@ sid test30 sid test31a sid test31b sid test31c +sid test40 +sid test41 +sid test42 +sid test43 +sid test44 +sid test45 common infoflow { @@ -69,8 +75,12 @@ inherits infoflow sensitivity s0; sensitivity s1; sensitivity s2; +sensitivity s3; +sensitivity s4; +sensitivity s5; +sensitivity s6; -dominance { s0 s1 s2 } +dominance { s0 s1 s2 s3 s4 s5 s6 } category c0; category c1; @@ -82,6 +92,10 @@ category c4; level s0:c0.c4; level s1:c0.c4; level s2:c0.c4; +level s3:c0.c4; +level s4:c0.c4; +level s5:c0.c4; +level s6:c0.c4; #some constraints mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt)); @@ -111,7 +125,7 @@ role system types { type30 type31a type31b type31c }; allow system self:infoflow hi_w; #users -user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4; +user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s6:c0.c4; user user10 roles system level s0 range s0 - s2:c0.c4; user user11a roles system level s0 range s0 - s2:c0.c4; user user11b roles system level s0 range s0 - s2:c0.c4; @@ -196,6 +210,54 @@ sid test31a system:system:type31a:s0:c0.c1 sid test31b system:system:type31b:s0:c0.c1 sid test31c system:system:type31c:s0:c0.c1 +# test 40: +# name: unset +# user: unset +# role: unset +# type: unset +# range: equal +sid test40 system:system:system:s0:c1 - s0:c0.c4 + +# test 41: +# name: unset +# user: unset +# role: unset +# type: unset +# range: overlap +sid test41 system:system:system:s1:c1 - s1:c1.c3 + +# test 42: +# name: unset +# user: unset +# role: unset +# type: unset +# range: subset +sid test42 system:system:system:s2:c1 - s2:c1.c3 + +# test 43: +# name: unset +# user: unset +# role: unset +# type: unset +# range: superset +sid test43 system:system:system:s3:c1 - s3:c1.c3 + +# test 44: +# name: unset +# user: unset +# role: unset +# type: unset +# range: proper subset +sid test44 system:system:system:s4:c1 - s4:c1.c3 + +# test 45: +# name: unset +# user: unset +# role: unset +# type: unset +# range: proper superset +sid test45 system:system:system:s5:c1 - s5:c1.c3 + #fs_use fs_use_trans devpts system:object_r:system:s0; fs_use_xattr ext3 system:object_r:system:s0; diff --git a/tests/initsidquery.py b/tests/initsidquery.py index 0ce23f3..32d0d4a 100644 --- a/tests/initsidquery.py +++ b/tests/initsidquery.py @@ -91,3 +91,132 @@ class InitialSIDQueryTest(unittest.TestCase): sids = sorted(str(s) for s in q.results()) self.assertListEqual(["test31b", "test31c"], sids) + + def test_040_range_exact(self): + """Initial SID query with context range exact match""" + q = InitialSIDQuery(self.p, range_="s0:c1 - s0:c0.c4") + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test40"], sids) + + def test_041_range_overlap1(self): + """Initial SID query with context range overlap match (equal)""" + q = InitialSIDQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test41"], sids) + + def test_041_range_overlap2(self): + """Initial SID query with context range overlap match (subset)""" + q = InitialSIDQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test41"], sids) + + def test_041_range_overlap3(self): + """Initial SID query with context range overlap match (superset)""" + q = InitialSIDQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test41"], sids) + + def test_041_range_overlap4(self): + """Initial SID query with context range overlap match (overlap low level)""" + q = InitialSIDQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test41"], sids) + + def test_041_range_overlap5(self): + """Initial SID query with context range overlap match (overlap high level)""" + q = InitialSIDQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test41"], sids) + + def test_042_range_subset1(self): + """Initial SID query with context range subset match""" + q = InitialSIDQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test42"], sids) + + def test_042_range_subset2(self): + """Initial SID query with context range subset match (equal)""" + q = InitialSIDQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test42"], sids) + + def test_043_range_superset1(self): + """Initial SID query with context range superset match""" + q = InitialSIDQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test43"], sids) + + def test_043_range_superset2(self): + """Initial SID query with context range superset match (equal)""" + q = InitialSIDQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test43"], sids) + + def test_044_range_proper_subset1(self): + """Initial SID query with context range proper subset match""" + q = InitialSIDQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test44"], sids) + + def test_044_range_proper_subset2(self): + """Initial SID query with context range proper subset match (equal)""" + q = InitialSIDQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual([], sids) + + def test_044_range_proper_subset3(self): + """Initial SID query with context range proper subset match (equal low only)""" + q = InitialSIDQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test44"], sids) + + def test_044_range_proper_subset4(self): + """Initial SID query with context range proper subset match (equal high only)""" + q = InitialSIDQuery(self.p, + range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test44"], sids) + + def test_045_range_proper_superset1(self): + """Initial SID query with context range proper superset match""" + q = InitialSIDQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test45"], sids) + + def test_045_range_proper_superset2(self): + """Initial SID query with context range proper superset match (equal)""" + q = InitialSIDQuery(self.p, + range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual([], sids) + + def test_045_range_proper_superset3(self): + """Initial SID query with context range proper superset match (equal low)""" + q = InitialSIDQuery(self.p, + range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test45"], sids) + + def test_045_range_proper_superset4(self): + """Initial SID query with context range proper superset match (equal high)""" + q = InitialSIDQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test45"], sids) diff --git a/tests/netifconquery.conf b/tests/netifconquery.conf index dea63b5..7c24b67 100644 --- a/tests/netifconquery.conf +++ b/tests/netifconquery.conf @@ -56,8 +56,12 @@ inherits infoflow sensitivity s0; sensitivity s1; sensitivity s2; +sensitivity s3; +sensitivity s4; +sensitivity s5; +sensitivity s6; -dominance { s0 s1 s2 } +dominance { s0 s1 s2 s3 s4 s5 s6 } category c0; category c1; @@ -69,6 +73,10 @@ category c4; level s0:c0.c4; level s1:c0.c4; level s2:c0.c4; +level s3:c0.c4; +level s4:c0.c4; +level s5:c0.c4; +level s6:c0.c4; #some constraints mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt)); @@ -98,7 +106,7 @@ role system types { type30 type31a type31b type31c }; allow system self:infoflow hi_w; #users -user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4; +user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s6:c0.c4; user user10 roles system level s0 range s0 - s2:c0.c4; user user11a roles system level s0 range s0 - s2:c0.c4; user user11b roles system level s0 range s0 - s2:c0.c4; @@ -194,6 +202,55 @@ netifcon test31a system:system:type31a:s0:c0.c1 system:object_r:system:s0 netifcon test31b system:system:type31b:s0:c0.c1 system:object_r:system:s0 netifcon test31c system:system:type31c:s0:c0.c1 system:object_r:system:s0 +# test 40: +# name: unset +# user: unset +# role: unset +# type: unset +# range: equal +netifcon test40 system:system:system:s0:c1 - s0:c0.c4 system:object_r:system:s0 + +# test 41: +# name: unset +# user: unset +# role: unset +# type: unset +# range: overlap +netifcon test41 system:system:system:s1:c1 - s1:c1.c3 system:object_r:system:s0 + +# test 42: +# name: unset +# ruletype: unset +# user: unset +# role: unset +# type: unset +# range: subset +netifcon test42 system:system:system:s2:c1 - s2:c1.c3 system:object_r:system:s0 + +# test 43: +# name: unset +# user: unset +# role: unset +# type: unset +# range: superset +netifcon test43 system:system:system:s3:c1 - s3:c1.c3 system:object_r:system:s0 + +# test 44: +# name: unset +# user: unset +# role: unset +# type: unset +# range: proper subset +netifcon test44 system:system:system:s4:c1 - s4:c1.c3 system:object_r:system:s0 + +# test 45: +# name: unset +# user: unset +# role: unset +# type: unset +# range: proper superset +netifcon test45 system:system:system:s5:c1 - s5:c1.c3 system:object_r:system:s0 + nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0 nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0 diff --git a/tests/netifconquery.py b/tests/netifconquery.py index 78df6d9..5fd8dcb 100644 --- a/tests/netifconquery.py +++ b/tests/netifconquery.py @@ -91,3 +91,130 @@ class NetifconQueryTest(unittest.TestCase): netifs = sorted(s.netif for s in q.results()) self.assertListEqual(["test31b", "test31c"], netifs) + + def test_040_range_exact(self): + """Netifcon query with context range exact match""" + q = NetifconQuery(self.p, range_="s0:c1 - s0:c0.c4") + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test40"], netifs) + + def test_041_range_overlap1(self): + """Netifcon query with context range overlap match (equal)""" + q = NetifconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test41"], netifs) + + def test_041_range_overlap2(self): + """Netifcon query with context range overlap match (subset)""" + q = NetifconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test41"], netifs) + + def test_041_range_overlap3(self): + """Netifcon query with context range overlap match (superset)""" + q = NetifconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test41"], netifs) + + def test_041_range_overlap4(self): + """Netifcon query with context range overlap match (overlap low level)""" + q = NetifconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test41"], netifs) + + def test_041_range_overlap5(self): + """Netifcon query with context range overlap match (overlap high level)""" + q = NetifconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test41"], netifs) + + def test_042_range_subset1(self): + """Netifcon query with context range subset match""" + q = NetifconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test42"], netifs) + + def test_042_range_subset2(self): + """Netifcon query with context range subset match (equal)""" + q = NetifconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test42"], netifs) + + def test_043_range_superset1(self): + """Netifcon query with context range superset match""" + q = NetifconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test43"], netifs) + + def test_043_range_superset2(self): + """Netifcon query with context range superset match (equal)""" + q = NetifconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test43"], netifs) + + def test_044_range_proper_subset1(self): + """Netifcon query with context range proper subset match""" + q = NetifconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test44"], netifs) + + def test_044_range_proper_subset2(self): + """Netifcon query with context range proper subset match (equal)""" + q = NetifconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual([], netifs) + + def test_044_range_proper_subset3(self): + """Netifcon query with context range proper subset match (equal low only)""" + q = NetifconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test44"], netifs) + + def test_044_range_proper_subset4(self): + """Netifcon query with context range proper subset match (equal high only)""" + q = NetifconQuery(self.p, + range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test44"], netifs) + + def test_045_range_proper_superset1(self): + """Netifcon query with context range proper superset match""" + q = NetifconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test45"], netifs) + + def test_045_range_proper_superset2(self): + """Netifcon query with context range proper superset match (equal)""" + q = NetifconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual([], netifs) + + def test_045_range_proper_superset3(self): + """Netifcon query with context range proper superset match (equal low)""" + q = NetifconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test45"], netifs) + + def test_045_range_proper_superset4(self): + """Netifcon query with context range proper superset match (equal high)""" + q = NetifconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + + netifs = sorted(s.netif for s in q.results()) + self.assertListEqual(["test45"], netifs) diff --git a/tests/nodeconquery.conf b/tests/nodeconquery.conf index 4de4cd4..8942c11 100644 --- a/tests/nodeconquery.conf +++ b/tests/nodeconquery.conf @@ -56,8 +56,12 @@ inherits infoflow sensitivity s0; sensitivity s1; sensitivity s2; +sensitivity s3; +sensitivity s4; +sensitivity s5; +sensitivity s6; -dominance { s0 s1 s2 } +dominance { s0 s1 s2 s3 s4 s5 s6 } category c0; category c1; @@ -69,6 +73,10 @@ category c4; level s0:c0.c4; level s1:c0.c4; level s2:c0.c4; +level s3:c0.c4; +level s4:c0.c4; +level s5:c0.c4; +level s6:c0.c4; #some constraints @@ -104,7 +112,7 @@ role system types { type40 type41a type41b type41c }; ################################################################################ #users -user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s2:c0.c4; +user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s6:c0.c4; user user20 roles system level s0 range s0 - s2:c0.c4; user user21a roles system level s0 range s0 - s2:c0.c4; user user21b roles system level s0 range s0 - s2:c0.c4; @@ -185,6 +193,54 @@ nodecon 10.1.41.1 255.255.255.255 system:system:type41a:s0:c0.c1 nodecon 10.1.41.2 255.255.255.255 system:system:type41b:s0:c0.c1 nodecon 10.1.41.3 255.255.255.255 system:system:type41c:s0:c0.c1 +# test 50: +# network: unset +# user: unset +# role: unset +# type: unset +# range: equal +nodecon 10.1.50.1 255.255.255.255 system:system:system:s0:c1 - s0:c0.c4 + +# test 51: +# network: unset +# user: unset +# role: unset +# type: unset +# range: overlap +nodecon 10.1.51.1 255.255.255.255 system:system:system:s1:c1 - s1:c1.c3 + +# test 52: +# network: unset +# user: unset +# role: unset +# type: unset +# range: subset +nodecon 10.1.52.1 255.255.255.255 system:system:system:s2:c1 - s2:c1.c3 + +# test 53: +# network: unset +# user: unset +# role: unset +# type: unset +# range: superset +nodecon 10.1.53.1 255.255.255.255 system:system:system:s3:c1 - s3:c1.c3 + +# test 54: +# network: unset +# user: unset +# role: unset +# type: unset +# range: proper subset +nodecon 10.1.54.1 255.255.255.255 system:system:system:s4:c1 - s4:c1.c3 + +# test 55: +# network: unset +# user: unset +# role: unset +# type: unset +# range: proper superset +nodecon 10.1.55.1 255.255.255.255 system:system:system:s5:c1 - s5:c1.c3 + # test 100: # network: 10.1.100.0/24, equal # user: unset diff --git a/tests/nodeconquery.py b/tests/nodeconquery.py index eb0e478..59fd35d 100644 --- a/tests/nodeconquery.py +++ b/tests/nodeconquery.py @@ -87,6 +87,132 @@ class NodeconQueryTest(unittest.TestCase): nodecons = sorted(n.address for n in q.results()) self.assertListEqual(["10.1.41.2", "10.1.41.3"], nodecons) + def test_050_range_exact(self): + """Nodecon query with context range exact match""" + q = NodeconQuery(self.p, range_="s0:c1 - s0:c0.c4") + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.50.1"], nodecons) + + def test_051_range_overlap1(self): + """Nodecon query with context range overlap match (equal)""" + q = NodeconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.51.1"], nodecons) + + def test_051_range_overlap2(self): + """Nodecon query with context range overlap match (subset)""" + q = NodeconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.51.1"], nodecons) + + def test_051_range_overlap3(self): + """Nodecon query with context range overlap match (superset)""" + q = NodeconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.51.1"], nodecons) + + def test_051_range_overlap4(self): + """Nodecon query with context range overlap match (overlap low level)""" + q = NodeconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.51.1"], nodecons) + + def test_051_range_overlap5(self): + """Nodecon query with context range overlap match (overlap high level)""" + q = NodeconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.51.1"], nodecons) + + def test_052_range_subset1(self): + """Nodecon query with context range subset match""" + q = NodeconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.52.1"], nodecons) + + def test_052_range_subset2(self): + """Nodecon query with context range subset match (equal)""" + q = NodeconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.52.1"], nodecons) + + def test_053_range_superset1(self): + """Nodecon query with context range superset match""" + q = NodeconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.53.1"], nodecons) + + def test_053_range_superset2(self): + """Nodecon query with context range superset match (equal)""" + q = NodeconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.53.1"], nodecons) + + def test_054_range_proper_subset1(self): + """Nodecon query with context range proper subset match""" + q = NodeconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.54.1"], nodecons) + + def test_054_range_proper_subset2(self): + """Nodecon query with context range proper subset match (equal)""" + q = NodeconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual([], nodecons) + + def test_054_range_proper_subset3(self): + """Nodecon query with context range proper subset match (equal low only)""" + q = NodeconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.54.1"], nodecons) + + def test_054_range_proper_subset4(self): + """Nodecon query with context range proper subset match (equal high only)""" + q = NodeconQuery(self.p, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.54.1"], nodecons) + + def test_055_range_proper_superset1(self): + """Nodecon query with context range proper superset match""" + q = NodeconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.55.1"], nodecons) + + def test_055_range_proper_superset2(self): + """Nodecon query with context range proper superset match (equal)""" + q = NodeconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual([], nodecons) + + def test_055_range_proper_superset3(self): + """Nodecon query with context range proper superset match (equal low)""" + q = NodeconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.55.1"], nodecons) + + def test_055_range_proper_superset4(self): + """Nodecon query with context range proper superset match (equal high)""" + q = NodeconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + + nodecons = sorted(n.address for n in q.results()) + self.assertListEqual(["10.1.55.1"], nodecons) + def test_100_v4network_equal(self): """Nodecon query with IPv4 equal network""" if sys.version_info < (3, 3): diff --git a/tests/portconquery.conf b/tests/portconquery.conf index 47dff9c..c9e35ec 100644 --- a/tests/portconquery.conf +++ b/tests/portconquery.conf @@ -56,8 +56,12 @@ inherits infoflow sensitivity s0; sensitivity s1; sensitivity s2; +sensitivity s3; +sensitivity s4; +sensitivity s5; +sensitivity s6; -dominance { s0 s1 s2 } +dominance { s0 s1 s2 s3 s4 s5 s6 } category c0; category c1; @@ -69,6 +73,10 @@ category c4; level s0:c0.c4; level s1:c0.c4; level s2:c0.c4; +level s3:c0.c4; +level s4:c0.c4; +level s5:c0.c4; +level s6:c0.c4; #some constraints mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt)); @@ -98,7 +106,7 @@ role system types { type30 type31a type31b type31c }; allow system self:infoflow hi_w; #users -user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4; +user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s6:c0.c4; user user10 roles system level s0 range s0 - s2:c0.c4; user user11a roles system level s0 range s0 - s2:c0.c4; user user11b roles system level s0 range s0 - s2:c0.c4; @@ -190,6 +198,60 @@ portcon tcp 31 system:system:type31a:s0:c0.c1 portcon tcp 31000 system:system:type31b:s0:c0.c1 portcon tcp 31001 system:system:type31c:s0:c0.c1 +# test 40: +# protocol: unset +# ports: unset +# user: unset +# role: unset +# type: unset +# range: equal +portcon tcp 40 system:system:system:s0:c1 - s0:c0.c4 + +# test 41: +# protocol: unset +# ports: unset +# user: unset +# role: unset +# type: unset +# range: overlap +portcon tcp 41 system:system:system:s1:c1 - s1:c1.c3 + +# test 42: +# protocol: unset +# ports: unset +# user: unset +# role: unset +# type: unset +# range: subset +portcon tcp 42 system:system:system:s2:c1 - s2:c1.c3 + +# test 43: +# protocol: unset +# ports: unset +# user: unset +# role: unset +# type: unset +# range: superset +portcon tcp 43 system:system:system:s3:c1 - s3:c1.c3 + +# test 44: +# protocol: unset +# ports: unset +# user: unset +# role: unset +# type: unset +# range: proper subset +portcon tcp 44 system:system:system:s4:c1 - s4:c1.c3 + +# test 45: +# protocol: unset +# ports: unset +# user: unset +# role: unset +# type: unset +# range: proper superset +portcon tcp 45 system:system:system:s5:c1 - s5:c1.c3 + # test 50: # protocol: unset # ports: (50, 50) diff --git a/tests/portconquery.py b/tests/portconquery.py index c116c94..9e73642 100644 --- a/tests/portconquery.py +++ b/tests/portconquery.py @@ -86,6 +86,132 @@ class PortconQueryTest(unittest.TestCase): ports = sorted(p.ports for p in q.results()) self.assertListEqual([(31000, 31000), (31001, 31001)], ports) + def test_040_range_exact(self): + """Portcon query with context range exact match""" + q = PortconQuery(self.p, range_="s0:c1 - s0:c0.c4") + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(40, 40)], ports) + + def test_041_range_overlap1(self): + """Portcon query with context range overlap match (equal)""" + q = PortconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(41, 41)], ports) + + def test_041_range_overlap2(self): + """Portcon query with context range overlap match (subset)""" + q = PortconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(41, 41)], ports) + + def test_041_range_overlap3(self): + """Portcon query with context range overlap match (superset)""" + q = PortconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(41, 41)], ports) + + def test_041_range_overlap4(self): + """Portcon query with context range overlap match (overlap low level)""" + q = PortconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(41, 41)], ports) + + def test_041_range_overlap5(self): + """Portcon query with context range overlap match (overlap high level)""" + q = PortconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(41, 41)], ports) + + def test_042_range_subset1(self): + """Portcon query with context range subset match""" + q = PortconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(42, 42)], ports) + + def test_042_range_subset2(self): + """Portcon query with context range subset match (equal)""" + q = PortconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(42, 42)], ports) + + def test_043_range_superset1(self): + """Portcon query with context range superset match""" + q = PortconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(43, 43)], ports) + + def test_043_range_superset2(self): + """Portcon query with context range superset match (equal)""" + q = PortconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(43, 43)], ports) + + def test_044_range_proper_subset1(self): + """Portcon query with context range proper subset match""" + q = PortconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(44, 44)], ports) + + def test_044_range_proper_subset2(self): + """Portcon query with context range proper subset match (equal)""" + q = PortconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([], ports) + + def test_044_range_proper_subset3(self): + """Portcon query with context range proper subset match (equal low only)""" + q = PortconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(44, 44)], ports) + + def test_044_range_proper_subset4(self): + """Portcon query with context range proper subset match (equal high only)""" + q = PortconQuery(self.p, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(44, 44)], ports) + + def test_045_range_proper_superset1(self): + """Portcon query with context range proper superset match""" + q = PortconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(45, 45)], ports) + + def test_045_range_proper_superset2(self): + """Portcon query with context range proper superset match (equal)""" + q = PortconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([], ports) + + def test_045_range_proper_superset3(self): + """Portcon query with context range proper superset match (equal low)""" + q = PortconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(45, 45)], ports) + + def test_045_range_proper_superset4(self): + """Portcon query with context range proper superset match (equal high)""" + q = PortconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + + ports = sorted(p.ports for p in q.results()) + self.assertListEqual([(45, 45)], ports) + def test_050_single_equal(self): """Portcon query with single port exact match""" q = PortconQuery(self.p, ports=(50, 50))