selinux/python/sepolgen/tests/test_access.py
Christian Göttsche 9e239e5569 sepolgen: print extended permissions in hexadecimal
All tools like ausearch(8) or sesearch(1) and online documentation[1]
use hexadecimal values for extended permissions.
Hence use them, e.g. for audit2allow output, as well.

[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-26 14:21:22 -04:00

391 lines
13 KiB
Python

# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2006 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
import unittest
import sepolgen.refpolicy as refpolicy
import sepolgen.refparser as refparser
import sepolgen.policygen as policygen
import sepolgen.access as access
class TestAccessVector(unittest.TestCase):
def test_init(self):
# Default construction
a = access.AccessVector()
self.assertEqual(a.src_type, None)
self.assertEqual(a.tgt_type, None)
self.assertEqual(a.obj_class, None)
self.assertTrue(isinstance(a.perms, refpolicy.IdSet))
self.assertTrue(isinstance(a.audit_msgs, type([])))
self.assertTrue(isinstance(a.xperms, type({})))
self.assertEqual(len(a.audit_msgs), 0)
# Construction from a list
a = access.AccessVector()
a.src_type = "foo"
a.tgt_type = "bar"
a.obj_class = "file"
a.perms.update(["read", "write"])
l = access.AccessVector(['foo', 'bar', 'file', 'read', 'write'])
self.assertEqual(a.src_type, l.src_type)
self.assertEqual(a.tgt_type, l.tgt_type)
self.assertEqual(a.obj_class, l.obj_class)
self.assertEqual(a.perms, l.perms)
def test_from_list(self):
a = access.AccessVector()
a.src_type = "foo"
a.tgt_type = "bar"
a.obj_class = "file"
a.perms.update(["read", "write"])
l = access.AccessVector()
l.from_list(['foo', 'bar', 'file', 'read', 'write'])
self.assertEqual(a.src_type, l.src_type)
self.assertEqual(a.tgt_type, l.tgt_type)
self.assertEqual(a.obj_class, l.obj_class)
self.assertEqual(a.perms, l.perms)
l2 = access.AccessVector()
with self.assertRaises(ValueError):
l2.from_list(['foo', 'bar', 'file'])
def test_to_list(self):
a = access.AccessVector()
a.src_type = "foo"
a.tgt_type = "bar"
a.obj_class = "file"
a.perms.update(["read", "write"])
l = a.to_list()
self.assertEqual(l[0], "foo")
self.assertEqual(l[1], "bar")
self.assertEqual(l[2], "file")
perms = l[3:]
perms.sort()
self.assertEqual(perms[0], "read")
self.assertEqual(perms[1], "write")
def test_to_string(self):
a = access.AccessVector()
a.src_type = "foo"
a.tgt_type = "bar"
a.obj_class = "file"
a.perms.update(["read", "write"])
first, second = str(a).split(':')
self.assertEqual(first, "allow foo bar")
second = second.split(' ')
second.sort()
expected = "file { read write };".split(' ')
expected.sort()
self.assertEqual(second, expected)
first, second = a.to_string().split(':')
self.assertEqual(first, "allow foo bar")
second = second.split(' ')
second.sort()
expected = "file { read write };".split(' ')
expected.sort()
self.assertEqual(second, expected)
def test_cmp(self):
a = access.AccessVector()
a.src_type = "foo"
a.tgt_type = "bar"
a.obj_class = "file"
a.perms.update(["read", "write"])
b = access.AccessVector()
b.src_type = "foo"
b.tgt_type = "bar"
b.obj_class = "file"
b.perms.update(["read", "write"])
self.assertEqual(a, b)
# Source Type
b.src_type = "baz"
self.assertNotEqual(a, b)
self.assertTrue(a > b)
b.src_type = "gaz"
self.assertNotEqual(a, b)
self.assertTrue(a < b)
# Target Type
b.src_type = "foo"
b.tgt_type = "aar"
self.assertNotEqual(a, b)
self.assertTrue(a > b)
b.tgt_type = "gaz"
self.assertNotEqual(a, b)
self.assertTrue(a < b)
# Perms
b.tgt_type = "bar"
b.perms = refpolicy.IdSet(["read"])
self.assertNotEqual(a, b)
self.assertTrue(a > b)
b.perms = refpolicy.IdSet(["read", "write", "append"])
self.assertNotEqual(a, b)
b.perms = refpolicy.IdSet(["read", "append"])
self.assertNotEqual(a, b)
def test_merge_noxperm(self):
"""Test merging two AVs without xperms"""
a = access.AccessVector(["foo", "bar", "file", "read", "write"])
b = access.AccessVector(["foo", "bar", "file", "append"])
a.merge(b)
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
def text_merge_xperm1(self):
"""Test merging AV that contains xperms with AV that does not"""
a = access.AccessVector(["foo", "bar", "file", "read"])
b = access.AccessVector(["foo", "bar", "file", "read"])
xp = refpolicy.XpermSet()
xp.add(42)
xp.add(12345)
b.xperms = {"ioctl": xp}
a.merge(b)
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def text_merge_xperm2(self):
"""Test merging AV that does not contain xperms with AV that does"""
a = access.AccessVector(["foo", "bar", "file", "read"])
xp = refpolicy.XpermSet()
xp.add(42)
xp.add(12345)
a.xperms = {"ioctl": xp}
b = access.AccessVector(["foo", "bar", "file", "read"])
a.merge(b)
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def test_merge_xperm_diff_op(self):
"""Test merging two AVs that contain xperms with different operation"""
a = access.AccessVector(["foo", "bar", "file", "read"])
xp1 = refpolicy.XpermSet()
xp1.add(23)
a.xperms = {"asdf": xp1}
b = access.AccessVector(["foo", "bar", "file", "read"])
xp2 = refpolicy.XpermSet()
xp2.add(42)
xp2.add(12345)
b.xperms = {"ioctl": xp2}
a.merge(b)
self.assertEqual(list(a.perms), ["read"])
self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def test_merge_xperm_same_op(self):
"""Test merging two AVs that contain xperms with same operation"""
a = access.AccessVector(["foo", "bar", "file", "read"])
xp1 = refpolicy.XpermSet()
xp1.add(23)
a.xperms = {"ioctl": xp1}
b = access.AccessVector(["foo", "bar", "file", "read"])
xp2 = refpolicy.XpermSet()
xp2.add(42)
xp2.add(12345)
b.xperms = {"ioctl": xp2}
a.merge(b)
self.assertEqual(list(a.perms), ["read"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }")
class TestUtilFunctions(unittest.TestCase):
def test_is_idparam(self):
self.assertTrue(access.is_idparam("$1"))
self.assertTrue(access.is_idparam("$2"))
self.assertTrue(access.is_idparam("$123"))
self.assertFalse(access.is_idparam("$123.23"))
self.assertFalse(access.is_idparam("$A"))
def test_avrule_to_access_vectors(self):
rule = refpolicy.AVRule()
rule.src_types.add("foo")
rule.src_types.add("baz")
rule.tgt_types.add("bar")
rule.tgt_types.add("what")
rule.obj_classes.add("file")
rule.obj_classes.add("dir")
rule.perms.add("read")
rule.perms.add("write")
avs = access.avrule_to_access_vectors(rule)
self.assertEqual(len(avs), 8)
comps = [("foo", "what", "dir"),
("foo", "what", "file"),
("foo", "bar", "dir"),
("foo", "bar", "file"),
("baz", "what", "dir"),
("baz", "what", "file"),
("baz", "bar", "dir"),
("baz", "bar", "file")]
status = [False] * 8
for av in access.avrule_to_access_vectors(rule):
self.assertEqual(av.perms, refpolicy.IdSet(["read", "write"]))
for i in range(len(comps)):
if comps[i][0] == av.src_type and \
comps[i][1] == av.tgt_type and \
comps[i][2] == av.obj_class:
status[i] = True
for s in status:
self.assertEqual(s, True)
class TestAccessVectorSet(unittest.TestCase):
def setUp(self):
rule = refpolicy.AVRule()
rule.src_types.add("foo")
rule.src_types.add("baz")
rule.tgt_types.add("bar")
rule.tgt_types.add("what")
rule.obj_classes.add("file")
rule.obj_classes.add("dir")
rule.perms.add("read")
rule.perms.add("write")
s = access.AccessVectorSet()
avs = access.avrule_to_access_vectors(rule)
for av in avs:
s.add_av(av)
self.s = s
def test_init(self):
a = access.AccessVectorSet()
def test_iter(self):
comps = [("foo", "what", "dir"),
("foo", "what", "file"),
("foo", "bar", "dir"),
("foo", "bar", "file"),
("baz", "what", "dir"),
("baz", "what", "file"),
("baz", "bar", "dir"),
("baz", "bar", "file")]
status = [False] * 8
for av in self.s:
self.assertEqual(av.perms, refpolicy.IdSet(["read", "write"]))
for i in range(len(comps)):
if comps[i][0] == av.src_type and \
comps[i][1] == av.tgt_type and \
comps[i][2] == av.obj_class:
status[i] = True
for s in status:
self.assertEqual(s, True)
def test_len(self):
self.assertEqual(len(self.s), 8)
def test_list(self):
a = access.AccessVectorSet()
a.add("$1", "foo", "file", refpolicy.IdSet(["read", "write"]))
a.add("$1", "bar", "file", refpolicy.IdSet(["read", "write"]))
a.add("what", "bar", "file", refpolicy.IdSet(["read", "write"]))
avl = a.to_list()
avl.sort()
test_l = [['what','bar','file','read','write'],
['$1','foo','file','read','write'],
['$1','bar','file','read','write']]
test_l.sort()
for a,b in zip(test_l, avl):
self.assertEqual(len(a), len(b))
for x,y in list(zip(a,b))[:3]:
self.assertEqual(x, y)
perms1 = a[3:]
perms2 = b[3:]
perms1.sort()
perms2.sort()
self.assertEqual(perms1, perms2)
b = access.AccessVectorSet()
b.from_list(avl)
self.assertEqual(len(b), 3)
def test_add_av_first(self):
"""Test adding first AV to the AV set"""
avs = access.AccessVectorSet()
av = access.AccessVector(['foo', 'bar', 'file', 'read'])
avs.add_av(av)
self.assertEqual(avs.to_list(), [['foo', 'bar', 'file', 'read']])
def test_add_av_second(self):
"""Test adding second AV to the AV set with same source and target
context and class"""
avs = access.AccessVectorSet()
av1 = access.AccessVector(['foo', 'bar', 'file', 'read'])
av2 = access.AccessVector(['foo', 'bar', 'file', 'write'])
avs.add_av(av1)
avs.add_av(av2)
self.assertEqual(avs.to_list(), [['foo', 'bar', 'file', 'read',
'write']])
def test_add_av_with_msg(self):
"""Test adding audit message"""
avs = access.AccessVectorSet()
av = access.AccessVector(['foo', 'bar', 'file', 'read'])
avs.add_av(av, 'test message')
self.assertEqual(avs.src['foo']['bar']['file', av.type].audit_msgs,
['test message'])
def test_add(self):
"""Test adding AV to the set"""
s = access.AccessVectorSet()
def test_add_av(av, audit_msg=None):
self.assertEqual(av.src_type, 'foo')
self.assertEqual(av.tgt_type, 'bar')
self.assertEqual(av.obj_class, 'file')
self.assertEqual(list(av.perms), ['read'])
self.assertEqual(av.data, 'test data')
self.assertEqual(av.type, 42)
self.assertEqual(audit_msg, 'test message')
s.add_av = test_add_av
s.add("foo", "bar", "file", refpolicy.IdSet(["read"]),
audit_msg='test message', avc_type=42, data='test data')