mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-24 15:02:44 +00:00
42b4a44b74
Add support for extended permissions to audit2allow. Extend AuditParser to parse the 'ioctlcmd' field in AVC message. Extend PolicyGenerator to generate allowxperm rules. Add the '-x'/'--xperms' option to audit2allow to turn on generating of extended permission AV rules. AVCMessage parses the ioctlcmd field in AVC messages. AuditParser converts the ioctlcmd values into generic representation of extended permissions that is stored in access vectors. Extended permissions are represented by operations (currently only 'ioctl') and values associated to the operations. Values (for example '~{ 0x42 1234 23-34 }') are stored in the XpermSet class. PolicyGenerator contains new method to turn on generating of xperms. When turned on, for each access vector, standard AV rule and possibly several xperm AV rules are generated. Xperm AV rules are represented by the AVExtRule class. With xperm generating turned off, PolicyGenerator provides comments about extended permissions in certain situations. When the AVC message contains the ioctlcmd field and the access would be allowed according to the policy, PolicyGenerator warns about xperm rules being the possible cause of the denial. Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
136 lines
5.2 KiB
Python
136 lines
5.2 KiB
Python
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
#
|
|
# Copyright (C) 2006 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License as
|
|
# published by the Free Software Foundation; version 2 only
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
#
|
|
|
|
import unittest
|
|
import sepolgen.policygen as policygen
|
|
import sepolgen.access as access
|
|
import sepolgen.refpolicy as refpolicy
|
|
|
|
class TestPolicyGenerator(unittest.TestCase):
|
|
def setUp(self):
|
|
self.g = policygen.PolicyGenerator()
|
|
|
|
def test_init(self):
|
|
""" Test that extended permission AV rules are not generated by
|
|
default. """
|
|
self.assertFalse(self.g.xperms)
|
|
|
|
def test_set_gen_xperms(self):
|
|
""" Test turning on and off generating of extended permission
|
|
AV rules. """
|
|
self.g.set_gen_xperms(True)
|
|
self.assertTrue(self.g.xperms)
|
|
self.g.set_gen_xperms(False)
|
|
self.assertFalse(self.g.xperms)
|
|
|
|
def test_av_rules(self):
|
|
""" Test generating of AV rules from access vectors. """
|
|
av1 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
|
|
av2 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "open"])
|
|
av3 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "read"])
|
|
|
|
avs = access.AccessVectorSet()
|
|
avs.add_av(av1)
|
|
avs.add_av(av2)
|
|
avs.add_av(av3)
|
|
|
|
self.g.add_access(avs)
|
|
|
|
self.assertEqual(len(self.g.module.children), 1)
|
|
r = self.g.module.children[0]
|
|
self.assertIsInstance(r, refpolicy.AVRule)
|
|
self.assertEqual(r.to_string(),
|
|
"allow test_src_t test_tgt_t:file { ioctl open read };")
|
|
|
|
def test_ext_av_rules(self):
|
|
""" Test generating of extended permission AV rules from access
|
|
vectors. """
|
|
self.g.set_gen_xperms(True)
|
|
|
|
av1 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
|
|
av1.xperms['ioctl'] = refpolicy.XpermSet()
|
|
av1.xperms['ioctl'].add(42)
|
|
av2 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
|
|
av2.xperms['ioctl'] = refpolicy.XpermSet()
|
|
av2.xperms['ioctl'].add(1234)
|
|
av3 = access.AccessVector(["test_src_t", "test_tgt_t", "dir", "ioctl"])
|
|
av3.xperms['ioctl'] = refpolicy.XpermSet()
|
|
av3.xperms['ioctl'].add(2345)
|
|
|
|
avs = access.AccessVectorSet()
|
|
avs.add_av(av1)
|
|
avs.add_av(av2)
|
|
avs.add_av(av3)
|
|
|
|
self.g.add_access(avs)
|
|
|
|
self.assertEqual(len(self.g.module.children), 4)
|
|
|
|
# we cannot sort the rules, so find all rules manually
|
|
av_rule1 = av_rule2 = av_ext_rule1 = av_ext_rule2 = None
|
|
|
|
for r in self.g.module.children:
|
|
if isinstance(r, refpolicy.AVRule):
|
|
if 'file' in r.obj_classes:
|
|
av_rule1 = r
|
|
else:
|
|
av_rule2 = r
|
|
elif isinstance(r, refpolicy.AVExtRule):
|
|
if 'file' in r.obj_classes:
|
|
av_ext_rule1 = r
|
|
else:
|
|
av_ext_rule2 = r
|
|
else:
|
|
self.fail("Unexpected rule type '%s'" % type(r))
|
|
|
|
# check that all rules are present
|
|
self.assertNotIn(None, (av_rule1, av_rule2, av_ext_rule1, av_ext_rule2))
|
|
|
|
self.assertEqual(av_rule1.rule_type, av_rule1.ALLOW)
|
|
self.assertEqual(av_rule1.src_types, {"test_src_t"})
|
|
self.assertEqual(av_rule1.tgt_types, {"test_tgt_t"})
|
|
self.assertEqual(av_rule1.obj_classes, {"file"})
|
|
self.assertEqual(av_rule1.perms, {"ioctl"})
|
|
|
|
self.assertEqual(av_ext_rule1.rule_type, av_ext_rule1.ALLOWXPERM)
|
|
self.assertEqual(av_ext_rule1.src_types, {"test_src_t"})
|
|
self.assertEqual(av_ext_rule1.tgt_types, {"test_tgt_t"})
|
|
self.assertEqual(av_ext_rule1.obj_classes, {"file"})
|
|
self.assertEqual(av_ext_rule1.operation, "ioctl")
|
|
xp1 = refpolicy.XpermSet()
|
|
xp1.add(42)
|
|
xp1.add(1234)
|
|
self.assertEqual(av_ext_rule1.xperms.ranges, xp1.ranges)
|
|
|
|
self.assertEqual(av_rule2.rule_type, av_rule2.ALLOW)
|
|
self.assertEqual(av_rule2.src_types, {"test_src_t"})
|
|
self.assertEqual(av_rule2.tgt_types, {"test_tgt_t"})
|
|
self.assertEqual(av_rule2.obj_classes, {"dir"})
|
|
self.assertEqual(av_rule2.perms, {"ioctl"})
|
|
|
|
self.assertEqual(av_ext_rule2.rule_type, av_ext_rule2.ALLOWXPERM)
|
|
self.assertEqual(av_ext_rule2.src_types, {"test_src_t"})
|
|
self.assertEqual(av_ext_rule2.tgt_types, {"test_tgt_t"})
|
|
self.assertEqual(av_ext_rule2.obj_classes, {"dir"})
|
|
self.assertEqual(av_ext_rule2.operation, "ioctl")
|
|
xp2 = refpolicy.XpermSet()
|
|
xp2.add(2345)
|
|
self.assertEqual(av_ext_rule2.xperms.ranges, xp2.ranges)
|
|
|