mirror of
https://github.com/SELinuxProject/selinux
synced 2025-02-02 10:52:04 +00:00
42b4a44b74
Add support for extended permissions to audit2allow. Extend AuditParser
to parse the 'ioctlcmd' field in AVC message. Extend PolicyGenerator to
generate allowxperm rules. Add the '-x'/'--xperms' option to audit2allow
to turn on generating of extended permission AV rules.
AVCMessage parses the ioctlcmd field in AVC messages. AuditParser
converts the ioctlcmd values into generic representation of extended
permissions that is stored in access vectors.
Extended permissions are represented by operations (currently only
'ioctl') and values associated to the operations. Values (for example
'~{ 0x42 1234 23-34 }') are stored in the XpermSet class.
PolicyGenerator contains new method to turn on generating of xperms.
When turned on, for each access vector, standard AV rule and possibly
several xperm AV rules are generated. Xperm AV rules are represented by
the AVExtRule class.
With xperm generating turned off, PolicyGenerator provides comments
about extended permissions in certain situations. When the AVC message
contains the ioctlcmd field and the access would be allowed according to
the policy, PolicyGenerator warns about xperm rules being the possible
cause of the denial.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
315 lines
11 KiB
Python
315 lines
11 KiB
Python
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
#
|
|
# Copyright (C) 2006 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License as
|
|
# published by the Free Software Foundation; version 2 only
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
#
|
|
|
|
import unittest
|
|
import sepolgen.refpolicy as refpolicy
|
|
import sepolgen.access as access
|
|
import selinux
|
|
|
|
class TestIdSet(unittest.TestCase):
|
|
def test_set_to_str(self):
|
|
s = refpolicy.IdSet(["read", "write", "getattr"])
|
|
s = s.to_space_str().split(' ')
|
|
s.sort()
|
|
expected = "{ read write getattr }".split(' ')
|
|
expected.sort()
|
|
self.assertEqual(s, expected)
|
|
s = refpolicy.IdSet()
|
|
s.add("read")
|
|
self.assertEqual(s.to_space_str(), "read")
|
|
|
|
class TestXpermSet(unittest.TestCase):
|
|
def test_init(self):
|
|
""" Test that all atttributes are correctly initialized. """
|
|
s1 = refpolicy.XpermSet()
|
|
self.assertEqual(s1.complement, False)
|
|
self.assertEqual(s1.ranges, [])
|
|
|
|
s2 = refpolicy.XpermSet(True)
|
|
self.assertEqual(s2.complement, True)
|
|
self.assertEqual(s2.ranges, [])
|
|
|
|
def test_normalize_ranges(self):
|
|
""" Test that ranges that are overlapping or neighboring are correctly
|
|
merged into one range. """
|
|
s = refpolicy.XpermSet()
|
|
s.ranges = [(1, 7), (5, 10), (100, 110), (102, 107), (200, 205),
|
|
(205, 210), (300, 305), (306, 310), (400, 405), (407, 410),
|
|
(500, 502), (504, 508), (500, 510)]
|
|
s._XpermSet__normalize_ranges()
|
|
|
|
i = 0
|
|
r = list(sorted(s.ranges))
|
|
while i < len(r) - 1:
|
|
# check that range low bound is less than equal than the upper bound
|
|
self.assertLessEqual(r[i][0], r[i][1])
|
|
# check that two ranges are not overlapping or neighboring
|
|
self.assertGreater(r[i + 1][0] - r[i][1], 1)
|
|
i += 1
|
|
|
|
def test_add(self):
|
|
""" Test adding new values or ranges to the set. """
|
|
s = refpolicy.XpermSet()
|
|
s.add(1, 7)
|
|
s.add(5, 10)
|
|
s.add(42)
|
|
self.assertEqual(s.ranges, [(1,10), (42,42)])
|
|
|
|
def test_extend(self):
|
|
""" Test adding ranges from another XpermSet object. """
|
|
a = refpolicy.XpermSet()
|
|
a.add(1, 7)
|
|
|
|
b = refpolicy.XpermSet()
|
|
b.add(5, 10)
|
|
|
|
a.extend(b)
|
|
self.assertEqual(a.ranges, [(1,10)])
|
|
|
|
def test_to_string(self):
|
|
""" Test printing the values to a string. """
|
|
a = refpolicy.XpermSet()
|
|
a.complement = False
|
|
self.assertEqual(a.to_string(), "")
|
|
a.complement = True
|
|
self.assertEqual(a.to_string(), "")
|
|
a.add(1234)
|
|
self.assertEqual(a.to_string(), "~ 1234")
|
|
a.complement = False
|
|
self.assertEqual(a.to_string(), "1234")
|
|
a.add(2345)
|
|
self.assertEqual(a.to_string(), "{ 1234 2345 }")
|
|
a.complement = True
|
|
self.assertEqual(a.to_string(), "~ { 1234 2345 }")
|
|
a.add(42,64)
|
|
self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
|
|
a.complement = False
|
|
self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")
|
|
|
|
class TestSecurityContext(unittest.TestCase):
|
|
def test_init(self):
|
|
sc = refpolicy.SecurityContext()
|
|
sc = refpolicy.SecurityContext("user_u:object_r:foo_t")
|
|
|
|
def test_from_string(self):
|
|
context = "user_u:object_r:foo_t"
|
|
sc = refpolicy.SecurityContext()
|
|
sc.from_string(context)
|
|
self.assertEqual(sc.user, "user_u")
|
|
self.assertEqual(sc.role, "object_r")
|
|
self.assertEqual(sc.type, "foo_t")
|
|
self.assertEqual(sc.level, None)
|
|
if selinux.is_selinux_mls_enabled():
|
|
self.assertEqual(str(sc), context + ":s0")
|
|
else:
|
|
self.assertEqual(str(sc), context)
|
|
self.assertEqual(sc.to_string(default_level="s1"), context + ":s1")
|
|
|
|
context = "user_u:object_r:foo_t:s0-s0:c0-c255"
|
|
sc = refpolicy.SecurityContext()
|
|
sc.from_string(context)
|
|
self.assertEqual(sc.user, "user_u")
|
|
self.assertEqual(sc.role, "object_r")
|
|
self.assertEqual(sc.type, "foo_t")
|
|
self.assertEqual(sc.level, "s0-s0:c0-c255")
|
|
self.assertEqual(str(sc), context)
|
|
self.assertEqual(sc.to_string(), context)
|
|
|
|
sc = refpolicy.SecurityContext()
|
|
self.assertRaises(ValueError, sc.from_string, "abc")
|
|
|
|
def test_equal(self):
|
|
sc1 = refpolicy.SecurityContext("user_u:object_r:foo_t")
|
|
sc2 = refpolicy.SecurityContext("user_u:object_r:foo_t")
|
|
sc3 = refpolicy.SecurityContext("user_u:object_r:foo_t:s0")
|
|
sc4 = refpolicy.SecurityContext("user_u:object_r:bar_t")
|
|
|
|
self.assertEqual(sc1, sc2)
|
|
self.assertNotEqual(sc1, sc3)
|
|
self.assertNotEqual(sc1, sc4)
|
|
|
|
class TestObjecClass(unittest.TestCase):
|
|
def test_init(self):
|
|
o = refpolicy.ObjectClass(name="file")
|
|
self.assertEqual(o.name, "file")
|
|
self.assertTrue(isinstance(o.perms, set))
|
|
|
|
class TestAVRule(unittest.TestCase):
|
|
def test_init(self):
|
|
a = refpolicy.AVRule()
|
|
self.assertEqual(a.rule_type, a.ALLOW)
|
|
self.assertTrue(isinstance(a.src_types, set))
|
|
self.assertTrue(isinstance(a.tgt_types, set))
|
|
self.assertTrue(isinstance(a.obj_classes, set))
|
|
self.assertTrue(isinstance(a.perms, set))
|
|
|
|
def test_to_string(self):
|
|
a = refpolicy.AVRule()
|
|
a.src_types.add("foo_t")
|
|
a.tgt_types.add("bar_t")
|
|
a.obj_classes.add("file")
|
|
a.perms.add("read")
|
|
self.assertEqual(a.to_string(), "allow foo_t bar_t:file read;")
|
|
|
|
a.rule_type = a.DONTAUDIT
|
|
a.src_types.add("user_t")
|
|
a.tgt_types.add("user_home_t")
|
|
a.obj_classes.add("lnk_file")
|
|
a.perms.add("write")
|
|
# This test might need to go because set ordering is not guaranteed
|
|
a = a.to_string().split(' ')
|
|
a.sort()
|
|
b = "dontaudit { foo_t user_t } { user_home_t bar_t }:{ lnk_file file } { read write };".split(' ')
|
|
b.sort()
|
|
self.assertEqual(a, b)
|
|
|
|
class TestAVExtRule(unittest.TestCase):
|
|
def test_init(self):
|
|
""" Test initialization of attributes """
|
|
a = refpolicy.AVExtRule()
|
|
self.assertEqual(a.rule_type, a.ALLOWXPERM)
|
|
self.assertIsInstance(a.src_types, set)
|
|
self.assertIsInstance(a.tgt_types, set)
|
|
self.assertIsInstance(a.obj_classes, set)
|
|
self.assertIsNone(a.operation)
|
|
self.assertIsInstance(a.xperms, refpolicy.XpermSet)
|
|
|
|
def test_rule_type_str(self):
|
|
""" Test strings returned by __rule_type_str() """
|
|
a = refpolicy.AVExtRule()
|
|
self.assertEqual(a._AVExtRule__rule_type_str(), "allowxperm")
|
|
a.rule_type = a.ALLOWXPERM
|
|
self.assertEqual(a._AVExtRule__rule_type_str(), "allowxperm")
|
|
a.rule_type = a.DONTAUDITXPERM
|
|
self.assertEqual(a._AVExtRule__rule_type_str(), "dontauditxperm")
|
|
a.rule_type = a.NEVERALLOWXPERM
|
|
self.assertEqual(a._AVExtRule__rule_type_str(), "neverallowxperm")
|
|
a.rule_type = a.AUDITALLOWXPERM
|
|
self.assertEqual(a._AVExtRule__rule_type_str(), "auditallowxperm")
|
|
a.rule_type = 42
|
|
self.assertIsNone(a._AVExtRule__rule_type_str())
|
|
|
|
def test_from_av(self):
|
|
""" Test creating the rule from an access vector. """
|
|
av = access.AccessVector(["foo", "bar", "file", "ioctl"])
|
|
xp = refpolicy.XpermSet()
|
|
av.xperms = { "ioctl": xp }
|
|
|
|
a = refpolicy.AVExtRule()
|
|
|
|
a.from_av(av, "ioctl")
|
|
self.assertEqual(a.src_types, {"foo"})
|
|
self.assertEqual(a.tgt_types, {"bar"})
|
|
self.assertEqual(a.obj_classes, {"file"})
|
|
self.assertEqual(a.operation, "ioctl")
|
|
self.assertIs(a.xperms, xp)
|
|
|
|
def test_from_av_self(self):
|
|
""" Test creating the rule from an access vector that has same
|
|
source and target context. """
|
|
av = access.AccessVector(["foo", "foo", "file", "ioctl"])
|
|
xp = refpolicy.XpermSet()
|
|
av.xperms = { "ioctl": xp }
|
|
|
|
a = refpolicy.AVExtRule()
|
|
|
|
a.from_av(av, "ioctl")
|
|
self.assertEqual(a.src_types, {"foo"})
|
|
self.assertEqual(a.tgt_types, {"self"})
|
|
self.assertEqual(a.obj_classes, {"file"})
|
|
self.assertEqual(a.operation, "ioctl")
|
|
self.assertIs(a.xperms, xp)
|
|
|
|
def test_to_string(self):
|
|
""" Test printing the rule to a string. """
|
|
a = refpolicy.AVExtRule()
|
|
a._AVExtRule__rule_type_str = lambda: "first"
|
|
a.src_types.to_space_str = lambda: "second"
|
|
a.tgt_types.to_space_str = lambda: "third"
|
|
a.obj_classes.to_space_str = lambda: "fourth"
|
|
a.operation = "fifth"
|
|
a.xperms.to_string = lambda: "seventh"
|
|
|
|
self.assertEqual(a.to_string(),
|
|
"first second third:fourth fifth seventh;")
|
|
|
|
class TestTypeRule(unittest.TestCase):
|
|
def test_init(self):
|
|
a = refpolicy.TypeRule()
|
|
self.assertEqual(a.rule_type, a.TYPE_TRANSITION)
|
|
self.assertTrue(isinstance(a.src_types, set))
|
|
self.assertTrue(isinstance(a.tgt_types, set))
|
|
self.assertTrue(isinstance(a.obj_classes, set))
|
|
self.assertEqual(a.dest_type, "")
|
|
|
|
def test_to_string(self):
|
|
a = refpolicy.TypeRule()
|
|
a.src_types.add("foo_t")
|
|
a.tgt_types.add("bar_exec_t")
|
|
a.obj_classes.add("process")
|
|
a.dest_type = "bar_t"
|
|
self.assertEqual(a.to_string(), "type_transition foo_t bar_exec_t:process bar_t;")
|
|
|
|
|
|
class TestParseNode(unittest.TestCase):
|
|
def test_walktree(self):
|
|
# Construct a small tree
|
|
h = refpolicy.Headers()
|
|
a = refpolicy.AVRule()
|
|
a.src_types.add("foo_t")
|
|
a.tgt_types.add("bar_t")
|
|
a.obj_classes.add("file")
|
|
a.perms.add("read")
|
|
|
|
ifcall = refpolicy.InterfaceCall(ifname="allow_foobar")
|
|
ifcall.args.append("foo_t")
|
|
ifcall.args.append("{ file dir }")
|
|
|
|
i = refpolicy.Interface(name="foo")
|
|
i.children.append(a)
|
|
i.children.append(ifcall)
|
|
h.children.append(i)
|
|
|
|
a = refpolicy.AVRule()
|
|
a.rule_type = a.DONTAUDIT
|
|
a.src_types.add("user_t")
|
|
a.tgt_types.add("user_home_t")
|
|
a.obj_classes.add("lnk_file")
|
|
a.perms.add("write")
|
|
i = refpolicy.Interface(name="bar")
|
|
i.children.append(a)
|
|
h.children.append(i)
|
|
|
|
class TestHeaders(unittest.TestCase):
|
|
def test_iter(self):
|
|
h = refpolicy.Headers()
|
|
h.children.append(refpolicy.Interface(name="foo"))
|
|
h.children.append(refpolicy.Interface(name="bar"))
|
|
h.children.append(refpolicy.ClassMap("file", "read write"))
|
|
i = 0
|
|
for node in h:
|
|
i += 1
|
|
self.assertEqual(i, 3)
|
|
|
|
i = 0
|
|
for node in h.interfaces():
|
|
i += 1
|
|
self.assertEqual(i, 2)
|
|
|