MatchPermission: implement subset permission criteria

Useful for matches where a matching rule has all of the permission criteria
but may have more.

Closes #57

setools/mixins.py

@@ -75,6 +75,7 @@ class MatchPermission(object):
     perms = CriteriaSetDescriptor("perms_regex")
     perms_equal = False
     perms_regex = False
+    perms_subset = False
 
     def _match_perms(self, obj):
         """
@@ -88,4 +89,8 @@ class MatchPermission(object):
             # if there is no criteria, everything matches.
             return True
 
-        return self._match_regex_or_set(obj.perms, self.perms, self.perms_equal, self.perms_regex)
+        if self.perms_subset:
+            return obj.perms >= self.perms
+        else:
+            return self._match_regex_or_set(obj.perms, self.perms, self.perms_equal,
+                                            self.perms_regex)

setools/terulequery.py

@@ -62,6 +62,10 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
                       Default is false.
     perms_regex       If true, regular expression matching will be used
                       on the permission names instead of set logic.
+                      Default is false.
+    perms_subset      If true, the rule matches if the permissions criteria
+                      is a subset of the rule's permission set.
+                      Default is false.
     default           The name of the default type to match.
     default_regex     If true, regular expression matching will be
                       used on the default type.

tests/terulequery.py

@@ -176,6 +176,27 @@ class TERuleQueryTest(mixins.ValidateRule, unittest.TestCase):
         self.validate_rule(r[1], "dontaudit", "test14", "test14", "infoflow7",
                            set(["super_unmapped"]))
 
+    def test_052_perms_subset1(self):
+        """TE rule query with permission subset."""
+        q = TERuleQuery(self.p, perms=["super_none", "super_both"], perms_subset=True)
+
+        r = sorted(q.results())
+        self.assertEqual(len(r), 2)
+        self.validate_rule(r[0], "allow", "test13c", "test13c", "infoflow7",
+                           set(["super_w", "super_none", "super_both"]))
+        self.validate_rule(r[1], "allow", "test13d", "test13d", "infoflow7",
+                           set(["super_w", "super_none", "super_both", "super_unmapped"]))
+
+    def test_052_perms_subset2(self):
+        """TE rule query with permission subset (equality)."""
+        q = TERuleQuery(self.p, perms=["super_w", "super_none", "super_both", "super_unmapped"],
+                        perms_subset=True)
+
+        r = sorted(q.results())
+        self.assertEqual(len(r), 1)
+        self.validate_rule(r[0], "allow", "test13d", "test13d", "infoflow7",
+                           set(["super_w", "super_none", "super_both", "super_unmapped"]))
+
     def test_100_default(self):
         """TE rule query with default type exact match."""
         q = TERuleQuery(self.p, default="test100d", default_regex=False)