selinux/python/sepolgen/tests/test_policygen.py
Jan Zarsky 42b4a44b74 python: add xperms support to audit2allow
Add support for extended permissions to audit2allow. Extend AuditParser
to parse the 'ioctlcmd' field in AVC message. Extend PolicyGenerator to
generate allowxperm rules. Add the '-x'/'--xperms' option to audit2allow
to turn on generating of extended permission AV rules.

AVCMessage parses the ioctlcmd field in AVC messages. AuditParser
converts the ioctlcmd values into generic representation of extended
permissions that is stored in access vectors.

Extended permissions are represented by operations (currently only
'ioctl') and values associated to the operations. Values (for example
'~{ 0x42 1234 23-34 }') are stored in the XpermSet class.

PolicyGenerator contains new method to turn on generating of xperms.
When turned on, for each access vector, standard AV rule and possibly
several xperm AV rules are generated. Xperm AV rules are represented by
the AVExtRule class.

With xperm generating turned off, PolicyGenerator provides comments
about extended permissions in certain situations. When the AVC message
contains the ioctlcmd field and the access would be allowed according to
the policy, PolicyGenerator warns about xperm rules being the possible
cause of the denial.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2018-06-16 10:36:14 +02:00

136 lines
5.2 KiB
Python

# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2006 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
import unittest
import sepolgen.policygen as policygen
import sepolgen.access as access
import sepolgen.refpolicy as refpolicy
class TestPolicyGenerator(unittest.TestCase):
def setUp(self):
self.g = policygen.PolicyGenerator()
def test_init(self):
""" Test that extended permission AV rules are not generated by
default. """
self.assertFalse(self.g.xperms)
def test_set_gen_xperms(self):
""" Test turning on and off generating of extended permission
AV rules. """
self.g.set_gen_xperms(True)
self.assertTrue(self.g.xperms)
self.g.set_gen_xperms(False)
self.assertFalse(self.g.xperms)
def test_av_rules(self):
""" Test generating of AV rules from access vectors. """
av1 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
av2 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "open"])
av3 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "read"])
avs = access.AccessVectorSet()
avs.add_av(av1)
avs.add_av(av2)
avs.add_av(av3)
self.g.add_access(avs)
self.assertEqual(len(self.g.module.children), 1)
r = self.g.module.children[0]
self.assertIsInstance(r, refpolicy.AVRule)
self.assertEqual(r.to_string(),
"allow test_src_t test_tgt_t:file { ioctl open read };")
def test_ext_av_rules(self):
""" Test generating of extended permission AV rules from access
vectors. """
self.g.set_gen_xperms(True)
av1 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
av1.xperms['ioctl'] = refpolicy.XpermSet()
av1.xperms['ioctl'].add(42)
av2 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
av2.xperms['ioctl'] = refpolicy.XpermSet()
av2.xperms['ioctl'].add(1234)
av3 = access.AccessVector(["test_src_t", "test_tgt_t", "dir", "ioctl"])
av3.xperms['ioctl'] = refpolicy.XpermSet()
av3.xperms['ioctl'].add(2345)
avs = access.AccessVectorSet()
avs.add_av(av1)
avs.add_av(av2)
avs.add_av(av3)
self.g.add_access(avs)
self.assertEqual(len(self.g.module.children), 4)
# we cannot sort the rules, so find all rules manually
av_rule1 = av_rule2 = av_ext_rule1 = av_ext_rule2 = None
for r in self.g.module.children:
if isinstance(r, refpolicy.AVRule):
if 'file' in r.obj_classes:
av_rule1 = r
else:
av_rule2 = r
elif isinstance(r, refpolicy.AVExtRule):
if 'file' in r.obj_classes:
av_ext_rule1 = r
else:
av_ext_rule2 = r
else:
self.fail("Unexpected rule type '%s'" % type(r))
# check that all rules are present
self.assertNotIn(None, (av_rule1, av_rule2, av_ext_rule1, av_ext_rule2))
self.assertEqual(av_rule1.rule_type, av_rule1.ALLOW)
self.assertEqual(av_rule1.src_types, {"test_src_t"})
self.assertEqual(av_rule1.tgt_types, {"test_tgt_t"})
self.assertEqual(av_rule1.obj_classes, {"file"})
self.assertEqual(av_rule1.perms, {"ioctl"})
self.assertEqual(av_ext_rule1.rule_type, av_ext_rule1.ALLOWXPERM)
self.assertEqual(av_ext_rule1.src_types, {"test_src_t"})
self.assertEqual(av_ext_rule1.tgt_types, {"test_tgt_t"})
self.assertEqual(av_ext_rule1.obj_classes, {"file"})
self.assertEqual(av_ext_rule1.operation, "ioctl")
xp1 = refpolicy.XpermSet()
xp1.add(42)
xp1.add(1234)
self.assertEqual(av_ext_rule1.xperms.ranges, xp1.ranges)
self.assertEqual(av_rule2.rule_type, av_rule2.ALLOW)
self.assertEqual(av_rule2.src_types, {"test_src_t"})
self.assertEqual(av_rule2.tgt_types, {"test_tgt_t"})
self.assertEqual(av_rule2.obj_classes, {"dir"})
self.assertEqual(av_rule2.perms, {"ioctl"})
self.assertEqual(av_ext_rule2.rule_type, av_ext_rule2.ALLOWXPERM)
self.assertEqual(av_ext_rule2.src_types, {"test_src_t"})
self.assertEqual(av_ext_rule2.tgt_types, {"test_tgt_t"})
self.assertEqual(av_ext_rule2.obj_classes, {"dir"})
self.assertEqual(av_ext_rule2.operation, "ioctl")
xp2 = refpolicy.XpermSet()
xp2.add(2345)
self.assertEqual(av_ext_rule2.xperms.ranges, xp2.ranges)