From d66467f3b307615120578a3044f284728304b4ca Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Sun, 4 Oct 2015 11:03:41 -0400 Subject: [PATCH] MatchPermission: implement subset permission criteria Useful for matches where a matching rule has all of the permission criteria but may have more. Closes #57
---
 setools/mixins.py | 7 ++++++- setools/terulequery.py | 4 ++++ tests/terulequery.py | 21 +++++++++++++++++++++ 3 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/setools/mixins.py b/setools/mixins.py
index a31d420..99dc9ff 100644
--- a/setools/mixins.py
+++ b/setools/mixins.py
@@ -75,6 +75,7 @@ class MatchPermission(object):
 perms = CriteriaSetDescriptor("perms_regex")
 perms_equal = False
 perms_regex = False
+ perms_subset = False
 def _match_perms(self, obj):
 """
@@ -88,4 +89,8 @@ class MatchPermission(object):
 # if there is no criteria, everything matches.
 return True
- return self._match_regex_or_set(obj.perms, self.perms, self.perms_equal, self.perms_regex)
+ if self.perms_subset:
+ return obj.perms >= self.perms
+ else:
+ return self._match_regex_or_set(obj.perms, self.perms, self.perms_equal,
+ self.perms_regex)
diff --git a/setools/terulequery.py b/setools/terulequery.py
index 7f3eccf..3694160 100644
--- a/setools/terulequery.py
+++ b/setools/terulequery.py
@@ -62,6 +62,10 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
 Default is false. perms_regex If true, regular expression matching will be used on the permission names instead of set logic.
+ Default is false.
+ perms_subset If true, the rule matches if the permissions criteria
+ is a subset of the rule's permission set.
+ Default is false.
 default The name of the default type to match. default_regex If true, regular expression matching will be used on the default type.
diff --git a/tests/terulequery.py b/tests/terulequery.py
index c22dfa9..f5e176d 100644
--- a/tests/terulequery.py
+++ b/tests/terulequery.py
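Review bot: The new `if self.perms_subset:` branch in `_match_perms` silently wins over `perms_equal` and `perms_regex`: with `perms_equal=True` the equality request is ignored, and with `perms_regex=True` the `>=` comparison presumably receives a compiled pattern in `self.perms` (the `CriteriaSetDescriptor("perms_regex")` declaration in the previous hunk suggests the regex flag changes what the descriptor stores) and fails with a TypeError instead of a clear message. For a policy-analysis query this matters because a caller can believe it asked for an exact permission match and get superset matches back. I would make the precedence explicit at the branch, `if self.perms_subset:` / `    # rule must grant every permission in the criteria; overrides perms_equal/perms_regex` / `    return obj.perms >= self.perms`, and reject `perms_subset` combined with `perms_regex` with a ValueError where the criteria are assigned, which lies outside this hunk as do `_match_perms`'s signature and docstring; the `else:` after the `return` is redundant. The same precedence belongs in the `perms_subset` entry added to the TERuleQuery docstring in setools/terulequery.py, and the new tests in tests/terulequery.py cover neither combination.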
@@ -176,6 +176,27 @@ class TERuleQueryTest(mixins.ValidateRule, unittest.TestCase):
 self.validate_rule(r[1], "dontaudit", "test14", "test14", "infoflow7", set(["super_unmapped"]))
+ def test_052_perms_subset1(self):
+ """TE rule query with permission subset."""
+ q = TERuleQuery(self.p, perms=["super_none", "super_both"], perms_subset=True)
+
+ r = sorted(q.results())
+ self.assertEqual(len(r), 2)
+ self.validate_rule(r[0], "allow", "test13c", "test13c", "infoflow7",
+ set(["super_w", "super_none", "super_both"]))
+ self.validate_rule(r[1], "allow", "test13d", "test13d", "infoflow7",
+ set(["super_w", "super_none", "super_both", "super_unmapped"]))
+
+ def test_052_perms_subset2(self):
+ """TE rule query with permission subset (equality)."""
+ q = TERuleQuery(self.p, perms=["super_w", "super_none", "super_both", "super_unmapped"],
+ perms_subset=True)
+
+ r = sorted(q.results())
+ self.assertEqual(len(r), 1)
+ self.validate_rule(r[0], "allow", "test13d", "test13d", "infoflow7",
+ set(["super_w", "super_none", "super_both", "super_unmapped"]))
+
 def test_100_default(self):
 """TE rule query with default type exact match."""
 q = TERuleQuery(self.p, default="test100d", default_regex=False)