Add initial SID query unit tests.

2025-03-22 11:06:30 +00:00 · 2014-10-10 10:28:09 -04:00 · 2014-10-10 10:28:09 -04:00 · cf0c64a757
commit cf0c64a757
parent e11b31de63
3 changed files with 311 additions and 0 deletions
--- a/tests/init.py
+++ b/tests/init.py
@ -18,6 +18,7 @@
 import boolquery
 import commonquery
 import dta
+import initsidquery
 import objclassquery
 import polcapquery
 import permissivequery
--- a/tests/initsidquery.conf
+++ b/tests/initsidquery.conf
@ -0,0 +1,215 @@
+class infoflow
+class infoflow2
+class infoflow3
+class infoflow4
+class infoflow5
+class infoflow6
+class infoflow7
+
+sid test1
+sid test2a
+sid test2b
+sid test10
+sid test11a
+sid test11b
+sid test11c
+sid test20
+sid test21a
+sid test21b
+sid test21c
+sid test30
+sid test31a
+sid test31b
+sid test31c
+
+common infoflow
+{
+	low_w
+	med_w
+	hi_w
+	low_r
+	med_r
+	hi_r
+}
+
+class infoflow
+inherits infoflow
+
+class infoflow2
+inherits infoflow
+{
+	super_w
+	super_r
+}
+
+class infoflow3
+{
+	null
+}
+
+class infoflow4
+inherits infoflow
+
+class infoflow5
+inherits infoflow
+
+class infoflow6
+inherits infoflow
+
+class infoflow7
+inherits infoflow
+{
+	super_w
+	super_r
+	super_none
+	super_both
+	super_unmapped
+}
+
+sensitivity s0;
+sensitivity s1;
+sensitivity s2;
+
+dominance { s0 s1 s2 }
+
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+
+#level decl
+level s0:c0.c4;
+level s1:c0.c4;
+level s2:c0.c4;
+
+#some constraints
+mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
+
+attribute mls_exempt;
+
+type system;
+role system;
+role system types system;
+
+role role20_r;
+role role21a_r;
+role role21b_r;
+role role21c_r;
+
+role role20_r types system;
+role role21a_r types system;
+role role21b_r types system;
+role role21c_r types system;
+
+type type30;
+type type31a;
+type type31b;
+type type31c;
+role system types { type30 type31a type31b type31c };
+
+allow system self:infoflow hi_w;
+
+#users
+user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4;
+user user10 roles system level s0 range s0 - s2:c0.c4;
+user user11a roles system level s0 range s0 - s2:c0.c4;
+user user11b roles system level s0 range s0 - s2:c0.c4;
+user user11c roles system level s0 range s0 - s2:c0.c4;
+
+#normal constraints
+constrain infoflow hi_w (u1 == u2);
+
+#########################################
+#
+# Initial SID query tests
+#
+
+# test 1:
+# name: test1, exact
+# user: unset
+# role: unset
+# type: unset
+# range: unset
+sid test1 system:system:system:s0:c0.c4
+
+# test 2:
+# name: test2(a|b), regex
+# user: unset
+# role: unset
+# type: unset
+# range: unset
+sid test2a system:system:system:s0:c0.c1
+sid test2b system:system:system:s0:c2.c4
+
+# test 10:
+# name: unset
+# user: user10, exact
+# role: unset
+# type: unset
+# range: unset
+sid test10 user10:system:system:s0:c0.c1
+
+# test 11:
+# name: unset
+# user: user11(a|b), regex
+# role: unset
+# type: unset
+# range: unset
+sid test11a user11a:system:system:s0:c0.c1
+sid test11b user11b:system:system:s0:c0.c1
+sid test11c user11c:system:system:s0:c0.c1
+
+# test 20:
+# name: unset
+# user: unset
+# role: role20_r, exact
+# type: unset
+# range: unset
+sid test20 system:role20_r:system:s0:c0.c1
+
+# test 21:
+# name: unset
+# user: unset
+# role: role20(a|c)_r, regex
+# type: unset
+# range: unset
+sid test21a system:role21a_r:system:s0:c0.c1
+sid test21b system:role21b_r:system:s0:c0.c1
+sid test21c system:role21c_r:system:s0:c0.c1
+
+# test 30:
+# name: unset
+# user: unset
+# role: unset
+# type: type30
+# range: unset
+sid test30 system:system:type30:s0:c0.c1
+
+# test 31:
+# name: unset
+# user: unset
+# role: unset
+# type: type31(b|c)
+# range: unset
+sid test31a system:system:type31a:s0:c0.c1
+sid test31b system:system:type31b:s0:c0.c1
+sid test31c system:system:type31c:s0:c0.c1
+
+#fs_use
+fs_use_trans devpts system:object_r:system:s0;
+fs_use_xattr ext3 system:object_r:system:s0;
+fs_use_task pipefs system:object_r:system:s0;
+
+#genfscon
+genfscon proc / system:object_r:system:s1
+genfscon proc /sys system:object_r:system:s0
+genfscon selinuxfs / system:object_r:system:s2:c0.c4
+
+portcon tcp 80 system:object_r:system:s0
+
+netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
+
+nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
+nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0
+
--- a/tests/initsidquery.py
+++ b/tests/initsidquery.py
@ -0,0 +1,95 @@
+# Copyright 2014, Tresys Technology, LLC
+#
+# This file is part of SETools.
+#
+# SETools is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# SETools is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with SETools.  If not, see <http://www.gnu.org/licenses/>.
+#
+import unittest
+
+from libapol import SELinuxPolicy
+from libapol.initsidquery import InitialSIDQuery
+
+
+class InitialSIDQueryTest(unittest.TestCase):
+
+    def setUp(self):
+        self.p = SELinuxPolicy("tests/initsidquery.conf")
+
+    def test_000_unset(self):
+        """Initial SID query with no criteria"""
+        # query with no parameters gets all SIDs.
+        for numrules, s in enumerate(self.p.initialsids(), start=1):
+            pass
+
+        q = InitialSIDQuery(self.p)
+        for q_numrules, s in enumerate(q.results(), start=1):
+            pass
+
+        self.assertEqual(numrules, q_numrules)
+
+    def test_001_name_exact(self):
+        """Initial SID query with exact match"""
+        q = InitialSIDQuery(self.p, name="test1", name_regex=False)
+
+        sids = sorted(str(s) for s in q.results())
+        self.assertListEqual(["test1"], sids)
+
+    def test_002_name_regex(self):
+        """Initial SID query with regex match"""
+        q = InitialSIDQuery(self.p, name="test2(a|b)", name_regex=True)
+
+        sids = sorted(str(s) for s in q.results())
+        self.assertListEqual(["test2a", "test2b"], sids)
+
+    def test_010_user_exact(self):
+        """Initial SID query with context user exact match"""
+        q = InitialSIDQuery(self.p, user="user10", user_regex=False)
+
+        sids = sorted(str(s) for s in q.results())
+        self.assertListEqual(["test10"], sids)
+
+    def test_011_user_regex(self):
+        """Initial SID query with context user regex match"""
+        q = InitialSIDQuery(self.p, user="user11(a|b)", user_regex=True)
+
+        sids = sorted(str(s) for s in q.results())
+        self.assertListEqual(["test11a", "test11b"], sids)
+
+    def test_020_role_exact(self):
+        """Initial SID query with context role exact match"""
+        q = InitialSIDQuery(self.p, role="role20_r", role_regex=False)
+
+        sids = sorted(str(s) for s in q.results())
+        self.assertListEqual(["test20"], sids)
+
+    def test_021_role_regex(self):
+        """Initial SID query with context role regex match"""
+        q = InitialSIDQuery(self.p, role="role21(a|c)_r", role_regex=True)
+
+        sids = sorted(str(s) for s in q.results())
+        self.assertListEqual(["test21a", "test21c"], sids)
+
+    def test_030_type_exact(self):
+        """Initial SID query with context type exact match"""
+        q = InitialSIDQuery(self.p, type_="type30", type_regex=False)
+
+        sids = sorted(str(s) for s in q.results())
+        self.assertListEqual(["test30"], sids)
+
+    def test_031_type_regex(self):
+        """Initial SID query with context type regex match"""
+        q = InitialSIDQuery(self.p, type_="type31(b|c)", type_regex=True)
+
+        sids = sorted(str(s) for s in q.results())
+        self.assertListEqual(["test31b", "test31c"], sids)