diff --git a/sediff b/sediff index 4b33d06..96df5af 100755 --- a/sediff +++ b/sediff @@ -70,6 +70,14 @@ mlsrule = parser.add_argument_group("MLS rule differences") mlsrule.add_argument("--range_trans", action="store_true", help="Print range_transition rule differences") +constrain = parser.add_argument_group("Constraint differences") +constrain.add_argument("--constrain", action="store_true", help="Print constrain differences") +constrain.add_argument("--mlsconstrain", action="store_true", help="Print mlsconstrain differences") +constrain.add_argument("--validatetrans", action="store_true", + help="Print validatetrans differences") +constrain.add_argument("--mlsvalidatetrans", action="store_true", + help="Print mlsvalidatetrans differences") + labeling = parser.add_argument_group("labeling statement differences") labeling.add_argument("--initialsid", action="store_true", help="Print initial SID differences") labeling.add_argument("--fs_use", action="store_true", help="Print fs_use_* differences") @@ -92,7 +100,8 @@ all_differences = not any((args.class_, args.common, args.type_, args.attribute, args.type_trans, args.type_change, args.type_member, args.role_allow, args.role_trans, args.range_trans, args.initialsid, args.genfscon, args.netifcon, args.nodecon, args.portcon, args.fs_use, args.polcap, - args.property, args.default)) + args.property, args.default, args.constrain, args.mlsconstrain, + args.validatetrans, args.mlsvalidatetrans)) if args.debug: logging.basicConfig(level=logging.DEBUG, @@ -797,6 +806,82 @@ try: print() + if all_differences or args.constrain: + if diff.added_constrains or diff.removed_constrains or args.constrain: + print("Constraints ({0} Added, {1} Removed)".format( + len(diff.added_constrains), len(diff.removed_constrains))) + + if diff.added_constrains and not args.stats: + print(" Added Constraints: {0}".format( + len(diff.added_constrains))) + for r in sorted(diff.added_constrains): + print(" + {0}".format(r)) + + if diff.removed_constrains and not args.stats: + print(" Removed Constraints: {0}".format( + len(diff.removed_constrains))) + for r in sorted(diff.removed_constrains): + print(" - {0}".format(r)) + + print() + + if all_differences or args.mlsconstrain: + if diff.added_mlsconstrains or diff.removed_mlsconstrains or args.mlsconstrain: + print("MLS Constraints ({0} Added, {1} Removed)".format( + len(diff.added_mlsconstrains), len(diff.removed_mlsconstrains))) + + if diff.added_mlsconstrains and not args.stats: + print(" Added MLS Constraints: {0}".format( + len(diff.added_mlsconstrains))) + for r in sorted(diff.added_mlsconstrains): + print(" + {0}".format(r)) + + if diff.removed_mlsconstrains and not args.stats: + print(" Removed MLS Constraints: {0}".format( + len(diff.removed_mlsconstrains))) + for r in sorted(diff.removed_mlsconstrains): + print(" - {0}".format(r)) + + print() + + if all_differences or args.validatetrans: + if diff.added_validatetrans or diff.removed_validatetrans or args.validatetrans: + print("Validatetrans ({0} Added, {1} Removed)".format( + len(diff.added_validatetrans), len(diff.removed_validatetrans))) + + if diff.added_validatetrans and not args.stats: + print(" Added Validatetrans: {0}".format( + len(diff.added_validatetrans))) + for r in sorted(diff.added_validatetrans): + print(" + {0}".format(r)) + + if diff.removed_validatetrans and not args.stats: + print(" Removed Validatetrans: {0}".format( + len(diff.removed_validatetrans))) + for r in sorted(diff.removed_validatetrans): + print(" - {0}".format(r)) + + print() + + if all_differences or args.mlsvalidatetrans: + if diff.added_mlsvalidatetrans or diff.removed_mlsvalidatetrans or args.mlsvalidatetrans: + print("MLS Validatetrans ({0} Added, {1} Removed)".format( + len(diff.added_mlsvalidatetrans), len(diff.removed_mlsvalidatetrans))) + + if diff.added_mlsvalidatetrans and not args.stats: + print(" Added MLS Validatetrans: {0}".format( + len(diff.added_mlsvalidatetrans))) + for r in sorted(diff.added_mlsvalidatetrans): + print(" + {0}".format(r)) + + if diff.removed_mlsvalidatetrans and not args.stats: + print(" Removed MLS Validatetrans: {0}".format( + len(diff.removed_mlsvalidatetrans))) + for r in sorted(diff.removed_mlsvalidatetrans): + print(" - {0}".format(r)) + + print() + if all_differences or args.initialsid: if diff.added_initialsids or diff.removed_initialsids or diff.modified_initialsids \ or args.initialsid: diff --git a/setools/diff/__init__.py b/setools/diff/__init__.py index 8d5900a..afc921a 100644 --- a/setools/diff/__init__.py +++ b/setools/diff/__init__.py @@ -18,6 +18,7 @@ # from .bool import BooleansDifference from .commons import CommonDifference +from .constraints import ConstraintsDifference from .default import DefaultsDifference from .fsuse import FSUsesDifference from .genfscon import GenfsconsDifference @@ -43,6 +44,7 @@ __all__ = ['PolicyDifference'] class PolicyDifference(BooleansDifference, CategoriesDifference, CommonDifference, + ConstraintsDifference, DefaultsDifference, FSUsesDifference, GenfsconsDifference, diff --git a/setools/diff/constraints.py b/setools/diff/constraints.py new file mode 100644 index 0000000..d2e50f4 --- /dev/null +++ b/setools/diff/constraints.py @@ -0,0 +1,220 @@ +# Copyright 2016, Tresys Technology, LLC +# +# This file is part of SETools. +# +# SETools is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as +# published by the Free Software Foundation, either version 2.1 of +# the License, or (at your option) any later version. +# +# SETools is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with SETools. If not, see +# . +# +from collections import namedtuple + +from .descriptors import DiffResultDescriptor +from .difference import Difference, SymbolWrapper, Wrapper + + +class ConstraintsDifference(Difference): + + """ + Determine the difference in constraints between two policies. + + Since the compiler does not union constraints, there may be multiple + constraints with the same ruletype, object class, and permission + set, so constraints can only be added or removed, not modified. + + The constraint expressions are compared only on a basic level. + Expressions that are logically equivalent but are structurally + different, for example, by associativity, will be considered + different. Type and role attributes are also not expanded, + so if there are changes to attribute members, it will not + be reflected as a difference. + """ + + added_constrains = DiffResultDescriptor("diff_constrains") + removed_constrains = DiffResultDescriptor("diff_constrains") + + added_mlsconstrains = DiffResultDescriptor("diff_mlsconstrains") + removed_mlsconstrains = DiffResultDescriptor("diff_mlsconstrains") + + added_validatetrans = DiffResultDescriptor("diff_validatetrans") + removed_validatetrans = DiffResultDescriptor("diff_validatetrans") + + added_mlsvalidatetrans = DiffResultDescriptor("diff_mlsvalidatetrans") + removed_mlsvalidatetrans = DiffResultDescriptor("diff_mlsvalidatetrans") + + # Lists of rules for each policy + _left_constrains = None + _right_constrains = None + + _left_mlsconstrains = None + _right_mlsconstrains = None + + _left_validatetrans = None + _right_validatetrans = None + + _left_mlsvalidatetrans = None + _right_mlsvalidatetrans = None + + def diff_constrains(self): + """Generate the difference in constraint rules between the policies.""" + + self.log.info("Generating constraint differences from {0.left_policy} to {0.right_policy}". + format(self)) + + if self._left_constrains is None or self._right_constrains is None: + self._create_constrain_lists() + + self.added_constrains, self.removed_constrains, _ = self._set_diff( + (ConstraintWrapper(c) for c in self._left_constrains), + (ConstraintWrapper(c) for c in self._right_constrains)) + + def diff_mlsconstrains(self): + """Generate the difference in MLS constraint rules between the policies.""" + + self.log.info( + "Generating MLS constraint differences from {0.left_policy} to {0.right_policy}". + format(self)) + + if self._left_mlsconstrains is None or self._right_mlsconstrains is None: + self._create_constrain_lists() + + self.added_mlsconstrains, self.removed_mlsconstrains, _ = self._set_diff( + (ConstraintWrapper(c) for c in self._left_mlsconstrains), + (ConstraintWrapper(c) for c in self._right_mlsconstrains)) + + def diff_validatetrans(self): + """Generate the difference in validatetrans rules between the policies.""" + + self.log.info( + "Generating validatetrans differences from {0.left_policy} to {0.right_policy}". + format(self)) + + if self._left_validatetrans is None or self._right_validatetrans is None: + self._create_constrain_lists() + + self.added_validatetrans, self.removed_validatetrans, _ = self._set_diff( + (ConstraintWrapper(c) for c in self._left_validatetrans), + (ConstraintWrapper(c) for c in self._right_validatetrans)) + + def diff_mlsvalidatetrans(self): + """Generate the difference in MLS validatetrans rules between the policies.""" + + self.log.info( + "Generating mlsvalidatetrans differences from {0.left_policy} to {0.right_policy}". + format(self)) + + if self._left_mlsvalidatetrans is None or self._right_mlsvalidatetrans is None: + self._create_constrain_lists() + + self.added_mlsvalidatetrans, self.removed_mlsvalidatetrans, _ = self._set_diff( + (ConstraintWrapper(c) for c in self._left_mlsvalidatetrans), + (ConstraintWrapper(c) for c in self._right_mlsvalidatetrans)) + + # + # Internal functions + # + def _create_constrain_lists(self): + """Create rule lists for both policies.""" + self._left_constrains = [] + self._left_mlsconstrains = [] + self._left_validatetrans = [] + self._left_mlsvalidatetrans = [] + for rule in self.left_policy.constraints(): + if rule.ruletype == "constrain": + self._left_constrains.append(rule) + elif rule.ruletype == "mlsconstrain": + self._left_mlsconstrains.append(rule) + elif rule.ruletype == "validatetrans": + self._left_validatetrans.append(rule) + elif rule.ruletype == "mlsvalidatetrans": + self._left_mlsvalidatetrans.append(rule) + else: + self.log.error("Unknown rule type: {0} (This is an SETools bug)". + format(rule.ruletype)) + + self._right_constrains = [] + self._right_mlsconstrains = [] + self._right_validatetrans = [] + self._right_mlsvalidatetrans = [] + for rule in self.right_policy.constraints(): + if rule.ruletype == "constrain": + self._right_constrains.append(rule) + elif rule.ruletype == "mlsconstrain": + self._right_mlsconstrains.append(rule) + elif rule.ruletype == "validatetrans": + self._right_validatetrans.append(rule) + elif rule.ruletype == "mlsvalidatetrans": + self._right_mlsvalidatetrans.append(rule) + else: + self.log.error("Unknown rule type: {0} (This is an SETools bug)". + format(rule.ruletype)) + + def _reset_diff(self): + """Reset diff results on policy changes.""" + self.log.debug("Resetting all constraints differences") + self.added_constrains = None + self.removed_constrains = None + self.added_mlsconstrains = None + self.removed_mlsconstrains = None + self.added_validatetrans = None + self.removed_validatetrans = None + self.added_mlsvalidatetrans = None + self.removed_mlsvalidatetrans = None + + # Sets of rules for each policy + self._left_constrains = None + self._left_mlsconstrains = None + self._left_validatetrans = None + self._left_mlsvalidatetrans = None + self._right_constrains = None + self._right_mlsconstrains = None + self._right_validatetrans = None + self._right_mlsvalidatetrans = None + + +class ConstraintWrapper(Wrapper): + + """Wrap constraints for diff purposes.""" + + def __init__(self, rule): + self.origin = rule + self.ruletype = rule.ruletype + self.tclass = SymbolWrapper(rule.tclass) + + try: + self.perms = rule.perms + except AttributeError: + # (mls)validatetrans + self.perms = None + + self.key = hash(rule) + + self.expr = [] + for op in rule.postfix_expression(): + if isinstance(op, frozenset): + # lists of types/users/roles + self.expr.append(frozenset(SymbolWrapper(item) for item in op)) + else: + # strings in the expression such as u1/r1/t1 or "==" + self.expr.append(op) + + def __hash__(self): + return self.key + + def __lt__(self, other): + return self.key < other.key + + def __eq__(self, other): + return self.ruletype == other.ruletype and \ + self.tclass == other.tclass and \ + self.perms == other.perms and \ + self.expr == other.expr diff --git a/tests/diff.py b/tests/diff.py index 5bfbd52..1543387 100644 --- a/tests/diff.py +++ b/tests/diff.py @@ -1349,6 +1349,178 @@ class PolicyDifferenceTest(ValidateRule, unittest.TestCase): self.assertIsNone(added_range) self.assertIsNone(removed_range) + # + # constrains + # + def test_added_constrains(self): + """Diff: added constrains.""" + l = sorted(self.diff.added_constrains) + self.assertEqual(2, len(l)) + + constrain = l[0] + self.assertEqual("constrain", constrain.ruletype) + self.assertEqual("infoflow3", constrain.tclass) + self.assertSetEqual(set(["null"]), constrain.perms) + self.assertListEqual(["u1", "u2", "!="], constrain.postfix_expression()) + + constrain = l[1] + self.assertEqual("constrain", constrain.ruletype) + self.assertEqual("infoflow5", constrain.tclass) + self.assertSetEqual(set(["hi_r"]), constrain.perms) + self.assertListEqual( + ['u1', 'u2', '==', 'r1', 'r2', '==', 'and', 't1', set(["system"]), '!=', 'or'], + constrain.postfix_expression()) + + def test_removed_constrains(self): + """Diff: removed constrains.""" + l = sorted(self.diff.removed_constrains) + self.assertEqual(2, len(l)) + + constrain = l[0] + self.assertEqual("constrain", constrain.ruletype) + self.assertEqual("infoflow4", constrain.tclass) + self.assertSetEqual(set(["hi_w"]), constrain.perms) + self.assertListEqual(["u1", "u2", "!="], constrain.postfix_expression()) + + constrain = l[1] + self.assertEqual("constrain", constrain.ruletype) + self.assertEqual("infoflow5", constrain.tclass) + self.assertSetEqual(set(["hi_r"]), constrain.perms) + self.assertListEqual( + ['u1', 'u2', '==', 'r1', 'r2', '==', 'and', 't1', set(["system"]), '==', 'or'], + constrain.postfix_expression()) + + # + # mlsconstrains + # + def test_added_mlsconstrains(self): + """Diff: added mlsconstrains.""" + l = sorted(self.diff.added_mlsconstrains) + self.assertEqual(2, len(l)) + + mlsconstrain = l[0] + self.assertEqual("mlsconstrain", mlsconstrain.ruletype) + self.assertEqual("infoflow3", mlsconstrain.tclass) + self.assertSetEqual(set(["null"]), mlsconstrain.perms) + self.assertListEqual( + ['l1', 'l2', 'domby', 'h1', 'h2', 'domby', 'and', + 't1', set(["mls_exempt"]), '!=', 'or'], + mlsconstrain.postfix_expression()) + + mlsconstrain = l[1] + self.assertEqual("mlsconstrain", mlsconstrain.ruletype) + self.assertEqual("infoflow5", mlsconstrain.tclass) + self.assertSetEqual(set(["hi_r"]), mlsconstrain.perms) + self.assertListEqual( + ['l1', 'l2', 'domby', 'h1', 'h2', 'incomp', + 'and', 't1', set(["mls_exempt"]), '==', 'or'], + mlsconstrain.postfix_expression()) + + def test_removed_mlsconstrains(self): + """Diff: removed mlsconstrains.""" + l = sorted(self.diff.removed_mlsconstrains) + self.assertEqual(2, len(l)) + + mlsconstrain = l[0] + self.assertEqual("mlsconstrain", mlsconstrain.ruletype) + self.assertEqual("infoflow4", mlsconstrain.tclass) + self.assertSetEqual(set(["hi_w"]), mlsconstrain.perms) + self.assertListEqual( + ['l1', 'l2', 'domby', 'h1', 'h2', 'domby', 'and', + 't1', set(["mls_exempt"]), '==', 'or'], + mlsconstrain.postfix_expression()) + + mlsconstrain = l[1] + self.assertEqual("mlsconstrain", mlsconstrain.ruletype) + self.assertEqual("infoflow5", mlsconstrain.tclass) + self.assertSetEqual(set(["hi_r"]), mlsconstrain.perms) + self.assertListEqual( + ['l1', 'l2', 'domby', 'h1', 'h2', 'dom', 'and', 't1', set(["mls_exempt"]), '==', 'or'], + mlsconstrain.postfix_expression()) + + # + # validatetrans + # + def test_added_validatetrans(self): + """Diff: added validatetrans.""" + l = sorted(self.diff.added_validatetrans) + self.assertEqual(2, len(l)) + + validatetrans = l[0] + self.assertEqual("validatetrans", validatetrans.ruletype) + self.assertEqual("infoflow3", validatetrans.tclass) + self.assertListEqual( + ['t1', 't2', '==', 't3', set(["system"]), '==', 'or'], + validatetrans.postfix_expression()) + + validatetrans = l[1] + self.assertEqual("validatetrans", validatetrans.ruletype) + self.assertEqual("infoflow5", validatetrans.tclass) + self.assertListEqual( + ['u1', 'u2', '!=', 'r1', 'r2', '==', 'and', 't3', set(["system"]), '==', 'or'], + validatetrans.postfix_expression()) + + def test_removed_validatetrans(self): + """Diff: removed validatetrans.""" + l = sorted(self.diff.removed_validatetrans) + self.assertEqual(2, len(l)) + + validatetrans = l[0] + self.assertEqual("validatetrans", validatetrans.ruletype) + self.assertEqual("infoflow4", validatetrans.tclass) + self.assertListEqual( + ['u1', 'u2', '==', 't3', set(["system"]), '==', 'or'], + validatetrans.postfix_expression()) + + validatetrans = l[1] + self.assertEqual("validatetrans", validatetrans.ruletype) + self.assertEqual("infoflow5", validatetrans.tclass) + self.assertListEqual( + ['u1', 'u2', '==', 'r1', 'r2', '!=', 'and', 't3', set(["system"]), '==', 'or'], + validatetrans.postfix_expression()) + + # + # mlsvalidatetrans + # + def test_added_mlsvalidatetrans(self): + """Diff: added mlsvalidatetrans.""" + l = sorted(self.diff.added_mlsvalidatetrans) + self.assertEqual(2, len(l)) + + mlsvalidatetrans = l[0] + self.assertEqual("mlsvalidatetrans", mlsvalidatetrans.ruletype) + self.assertEqual("infoflow3", mlsvalidatetrans.tclass) + self.assertListEqual( + ['l1', 'l2', '==', 'h1', 'h2', '==', 'and', 't3', set(["mls_exempt"]), '==', 'or'], + mlsvalidatetrans.postfix_expression()) + + mlsvalidatetrans = l[1] + self.assertEqual("mlsvalidatetrans", mlsvalidatetrans.ruletype) + self.assertEqual("infoflow5", mlsvalidatetrans.tclass) + self.assertListEqual( + ['l1', 'l2', 'incomp', 'h1', 'h2', 'domby', + 'and', 't3', set(["mls_exempt"]), '==', 'or'], + mlsvalidatetrans.postfix_expression()) + + def test_removed_mlsvalidatetrans(self): + """Diff: removed mlsvalidatetrans.""" + l = sorted(self.diff.removed_mlsvalidatetrans) + self.assertEqual(2, len(l)) + + mlsvalidatetrans = l[0] + self.assertEqual("mlsvalidatetrans", mlsvalidatetrans.ruletype) + self.assertEqual("infoflow4", mlsvalidatetrans.tclass) + self.assertListEqual( + ['l1', 'l2', '==', 'h1', 'h2', '==', 'and', 't3', set(["mls_exempt"]), '==', 'or'], + mlsvalidatetrans.postfix_expression()) + + mlsvalidatetrans = l[1] + self.assertEqual("mlsvalidatetrans", mlsvalidatetrans.ruletype) + self.assertEqual("infoflow5", mlsvalidatetrans.tclass) + self.assertListEqual( + ['l1', 'l2', 'dom', 'h1', 'h2', 'dom', 'and', 't3', set(["mls_exempt"]), '==', 'or'], + mlsvalidatetrans.postfix_expression()) + class PolicyDifferenceTestNoDiff(unittest.TestCase): @@ -1695,6 +1867,38 @@ class PolicyDifferenceTestNoDiff(unittest.TestCase): """NoDiff: no modified defaults.""" self.assertFalse(self.diff.modified_defaults) + def test_added_constrains(self): + """NoDiff: no added constrains.""" + self.assertFalse(self.diff.added_constrains) + + def test_removed_constrains(self): + """NoDiff: no removed constrains.""" + self.assertFalse(self.diff.removed_constrains) + + def test_added_mlsconstrains(self): + """NoDiff: no added mlsconstrains.""" + self.assertFalse(self.diff.added_mlsconstrains) + + def test_removed_mlsconstrains(self): + """NoDiff: no removed mlsconstrains.""" + self.assertFalse(self.diff.removed_mlsconstrains) + + def test_added_validatetrans(self): + """NoDiff: no added validatetrans.""" + self.assertFalse(self.diff.added_validatetrans) + + def test_removed_validatetrans(self): + """NoDiff: no removed validatetrans.""" + self.assertFalse(self.diff.removed_validatetrans) + + def test_added_mlsvalidatetrans(self): + """NoDiff: no added mlsvalidatetrans.""" + self.assertFalse(self.diff.added_mlsvalidatetrans) + + def test_removed_mlsvalidatetrans(self): + """NoDiff: no removed mlsvalidatetrans.""" + self.assertFalse(self.diff.removed_mlsvalidatetrans) + class PolicyDifferenceTestMLStoStandard(unittest.TestCase): @@ -2054,3 +2258,39 @@ class PolicyDifferenceTestMLStoStandard(unittest.TestCase): def test_modified_defaults(self): """MLSvsStandardDiff: no defaults modified.""" self.assertFalse(self.diff.modified_defaults) + + def test_added_constraints(self): + """MLSvsStandardDiff: no added constraints.""" + self.assertFalse(self.diff.added_constrains) + + def test_removed_constraints(self): + """MLSvsStandardDiff: no removed constraints.""" + self.assertFalse(self.diff.removed_constrains) + + def test_added_validatetrans(self): + """MLSvsStandardDiff: no added validatetrans.""" + self.assertFalse(self.diff.added_validatetrans) + + def test_removed_validatetrans(self): + """MLSvsStandardDiff: no removed validatetrans.""" + self.assertFalse(self.diff.removed_validatetrans) + + def test_added_mlsconstraints(self): + """MLSvsStandardDiff: no added mlsconstraints.""" + self.assertFalse(self.diff.added_mlsconstrains) + + def test_removed_mlsconstraints(self): + """MLSvsStandardDiff: all mlsconstraints removed.""" + self.assertEqual( + sum(1 for m in self.diff.left_policy.constraints() if m.ruletype == "mlsconstrain"), + len(self.diff.removed_mlsconstrains)) + + def test_added_mlsvalidatetrans(self): + """MLSvsStandardDiff: no added mlsvalidatetrans.""" + self.assertFalse(self.diff.added_mlsvalidatetrans) + + def test_removed_mlsvalidatetrans(self): + """MLSvsStandardDiff: all mlsvalidatetrans removed.""" + self.assertEqual( + sum(1 for m in self.diff.left_policy.constraints() if m.ruletype == "mlsvalidatetrans"), + len(self.diff.removed_mlsvalidatetrans)) diff --git a/tests/diff_left.conf b/tests/diff_left.conf index 5df2255..fe7b17f 100644 --- a/tests/diff_left.conf +++ b/tests/diff_left.conf @@ -151,9 +151,28 @@ level s44:c0.c4; level s45:c0.c4; level s47:c0.c4; -#some constraints +# matching mls constraints mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt)); +# added mls constraint + +# removed mls constraint +mlsconstrain infoflow4 hi_w ((l1 domby l2 and h1 domby h2) or (t1 == mls_exempt)); + +# remove/add mls constraint (expression change) +mlsconstrain infoflow5 hi_r ((l1 domby l2 and h1 dom h2) or (t1 == mls_exempt)); + +# matching mls validatetrans +mlsvalidatetrans infoflow (h1 == h2 or t3 == system); + +# added mls validatetrans + +# removed mls validatetrans +mlsvalidatetrans infoflow4 ((l1 == l2 and h1 == h2) or t3 == mls_exempt); + +# remove/add mls validatetrans (expression change) +mlsvalidatetrans infoflow5 ((l1 dom l2 and h1 dom h2) or (t3 == mls_exempt)); + attribute mls_exempt; attribute an_attr; attribute removed_attr; @@ -631,8 +650,31 @@ user modified_remove_role roles { system removed_role } level s2 range s2; user modified_change_level roles system level s2:c0 range s2:c0 - s2:c0,c1; user modified_change_range roles system level s3:c1 range s3:c1 - s3:c1.c3; -#normal constraints -constrain infoflow hi_w (u1 == u2); +# matching constraints +constrain infoflow hi_w (u1 == u2 or t1 == system); +constrain infoflow hi_w (t1 == t2 or t1 == system); +constrain infoflow hi_r (r1 == r2 or t1 == system); + +# added constraint + +# removed constraint +constrain infoflow4 hi_w (u1 != u2); + +# remove/add constraint (expression change) +constrain infoflow5 hi_r ((u1 == u2 and r1 == r2) or (t1 == system)); + +# matching validatetrans +validatetrans infoflow (u1 == u2 or t3 == system); +validatetrans infoflow (r1 == r2 or t3 == system); +validatetrans infoflow2 (u1 == u2 or t3 == system); + +# added validatetrans + +# removed validatetrans +validatetrans infoflow4 (u1 == u2 or t3 == system); + +# remove/add validatetrans (expression change) +validatetrans infoflow5 ((u1 == u2 and r1 != r2) or (t3 == system)); #isids sid kernel system:system:system:s0 diff --git a/tests/diff_left_standard.conf b/tests/diff_left_standard.conf index 1c3068d..b270bd4 100644 --- a/tests/diff_left_standard.conf +++ b/tests/diff_left_standard.conf @@ -572,8 +572,31 @@ user modified_remove_role roles { system removed_role }; user modified_change_level roles system; user modified_change_range roles system; -#normal constraints -constrain infoflow hi_w (u1 == u2); +# matching constraints +constrain infoflow hi_w (u1 == u2 or t1 == system); +constrain infoflow hi_w (t1 == t2 or t1 == system); +constrain infoflow hi_r (r1 == r2 or t1 == system); + +# added constraint + +# removed constraint +constrain infoflow4 hi_w (u1 != u2); + +# remove/add constraint (expression change) +constrain infoflow5 hi_r ((u1 == u2 and r1 == r2) or (t1 == system)); + +# matching validatetrans +validatetrans infoflow (u1 == u2 or t3 == system); +validatetrans infoflow (r1 == r2 or t3 == system); +validatetrans infoflow2 (u1 == u2 or t3 == system); + +# added validatetrans + +# removed validatetrans +validatetrans infoflow4 (u1 == u2 or t3 == system); + +# remove/add validatetrans (expression change) +validatetrans infoflow5 ((u1 == u2 and r1 != r2) or (t3 == system)); #isids sid kernel system:system:system diff --git a/tests/diff_right.conf b/tests/diff_right.conf index 5eec8a1..29f1f21 100644 --- a/tests/diff_right.conf +++ b/tests/diff_right.conf @@ -151,9 +151,28 @@ level s44:c0.c4; level s45:c0.c4; level s46:c0.c4; -#some constraints +# matching mls constraints mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt)); +# added mls constraint +mlsconstrain infoflow3 null ((l1 domby l2 and h1 domby h2) or (t1 != mls_exempt)); + +# removed mls constraint + +# remove/add mls constraint (expression change) +mlsconstrain infoflow5 hi_r ((l1 domby l2 and h1 incomp h2) or (t1 == mls_exempt)); + +# matching mls validatetrans +mlsvalidatetrans infoflow (h1 == h2 or t3 == system); + +# added mls validatetrans +mlsvalidatetrans infoflow3 ((l1 == l2 and h1 == h2) or t3 == mls_exempt); + +# removed mls validatetrans + +# remove/add mls validatetrans (expression change) +mlsvalidatetrans infoflow5 ((l1 incomp l2 and h1 domby h2) or (t3 == mls_exempt)); + attribute mls_exempt; attribute an_attr; attribute added_attr; @@ -631,8 +650,31 @@ user modified_remove_role roles system level s2 range s2; user modified_change_level roles system level s2:c1 range s2:c1 - s2:c0,c1; user modified_change_range roles system level s3:c1 range s3:c1 - s3:c1.c4; -#normal constraints -constrain infoflow hi_w (u1 == u2); +# matching constraints +constrain infoflow hi_w (u1 == u2 or t1 == system); +constrain infoflow hi_w (t1 == t2 or t1 == system); +constrain infoflow hi_r (r1 == r2 or t1 == system); + +# added constraint +constrain infoflow3 null (u1 != u2); + +# removed constraint + +# remove/add constraint (expression change) +constrain infoflow5 hi_r ((u1 == u2 and r1 == r2) or (t1 != system)); + +# matching validatetrans +validatetrans infoflow (u1 == u2 or t3 == system); +validatetrans infoflow (r1 == r2 or t3 == system); +validatetrans infoflow2 (u1 == u2 or t3 == system); + +# added validatetrans +validatetrans infoflow3 (t1 == t2 or t3 == system); + +# removed validatetrans + +# remove/add validatetrans (expression change) +validatetrans infoflow5 ((u1 != u2 and r1 == r2) or (t3 == system)); #isids sid kernel system:system:system:s0