MatchPermission: implement subset permission criteria
Useful for matches where a matching rule has all of the permission criteria but may also have more. Closes #57
parent
a899206ab6
commit
d66467f3b3
@ -75,6 +75,7 @@ class MatchPermission(object):
|
||||
perms = CriteriaSetDescriptor("perms_regex")
|
||||
perms_equal = False
|
||||
perms_regex = False
|
||||
perms_subset = False
|
||||
|
||||
def _match_perms(self, obj):
|
||||
"""
|
||||
@ -88,4 +89,8 @@ class MatchPermission(object):
|
||||
# if there is no criteria, everything matches.
|
||||
return True
|
||||
|
||||
return self._match_regex_or_set(obj.perms, self.perms, self.perms_equal, self.perms_regex)
|
||||
if self.perms_subset:
|
||||
return obj.perms >= self.perms
|
||||
else:
|
||||
return self._match_regex_or_set(obj.perms, self.perms, self.perms_equal,
|
||||
self.perms_regex)
|
||||
|
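Review bot: The new `if self.perms_subset:` branch is taken before `perms_regex` is consulted, so a query that sets both perms_subset and perms_regex evaluates `obj.perms >= self.perms` against whatever the `perms_regex`-controlled CriteriaSetDescriptor holds in regex mode — presumably not a set — instead of falling through to `_match_regex_or_set`. Either reject that combination up front or state the precedence explicitly; a one-line comment above the branch such as `# perms_subset uses set logic only: it takes precedence over perms_equal and is not meaningful with perms_regex` would do, and the `_match_perms` docstring (its body begins in the first hunk and continues outside this view) and the TERuleQuery docstring hunk below should say the same. Whether `obj.perms` supports `>=` as a set-superset comparison is not visible in this hunk and should be confirmed against the rule class.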
@ -62,6 +62,10 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
|
||||
Default is false.
|
||||
perms_regex If true, regular expression matching will be used
|
||||
on the permission names instead of set logic.
|
||||
Default is false.
|
||||
perms_subset If true, the rule matches if the permissions criteria
|
||||
is a subset of the rule's permission set.
|
||||
Default is false.
|
||||
default The name of the default type to match.
|
||||
default_regex If true, regular expression matching will be
|
||||
used on the default type.
|
||||
|
@ -176,6 +176,27 @@ class TERuleQueryTest(mixins.ValidateRule, unittest.TestCase):
|
||||
self.validate_rule(r[1], "dontaudit", "test14", "test14", "infoflow7",
|
||||
set(["super_unmapped"]))
|
||||
|
||||
def test_052_perms_subset1(self):
|
||||
"""TE rule query with permission subset."""
|
||||
q = TERuleQuery(self.p, perms=["super_none", "super_both"], perms_subset=True)
|
||||
|
||||
r = sorted(q.results())
|
||||
self.assertEqual(len(r), 2)
|
||||
self.validate_rule(r[0], "allow", "test13c", "test13c", "infoflow7",
|
||||
set(["super_w", "super_none", "super_both"]))
|
||||
self.validate_rule(r[1], "allow", "test13d", "test13d", "infoflow7",
|
||||
set(["super_w", "super_none", "super_both", "super_unmapped"]))
|
||||
|
||||
def test_052_perms_subset2(self):
|
||||
"""TE rule query with permission subset (equality)."""
|
||||
q = TERuleQuery(self.p, perms=["super_w", "super_none", "super_both", "super_unmapped"],
|
||||
perms_subset=True)
|
||||
|
||||
r = sorted(q.results())
|
||||
self.assertEqual(len(r), 1)
|
||||
self.validate_rule(r[0], "allow", "test13d", "test13d", "infoflow7",
|
||||
set(["super_w", "super_none", "super_both", "super_unmapped"]))
|
||||
|
||||
def test_100_default(self):
|
||||
"""TE rule query with default type exact match."""
|
||||
q = TERuleQuery(self.p, default="test100d", default_regex=False)
|
||||
|
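Review bot: Both added tests only use criteria that some rule fully contains; there is no case where the criteria include a permission that no rule holds, which is the path where `obj.perms >= self.perms` has to return False, nor one combining perms_subset with perms_equal or perms_regex. A third case along the lines of `q = TERuleQuery(self.p, perms=["super_unmapped", PERM_ABSENT_FROM_TEST_POLICY], perms_subset=True)` followed by `self.assertEqual(len(list(q.results())), 0)` (with a permission name the test policy grants nowhere) would pin the negative path. The docstring of test_052_perms_subset2 says "(equality)", which reads as if perms_equal were involved; "(criteria equal to the rule's full permission set)" would avoid that confusion.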