selinux/python/sepolgen/tests/test_refpolicy.py
Christian Göttsche 9e239e5569 sepolgen: print extended permissions in hexadecimal
All tools like ausearch(8) or sesearch(1) and online documentation[1]
use hexadecimal values for extended permissions.
Hence use them, e.g. for audit2allow output, as well.

[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-26 14:21:22 -04:00

315 lines
11 KiB
Python

# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2006 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
import unittest
import sepolgen.refpolicy as refpolicy
import sepolgen.access as access
import selinux
class TestIdSet(unittest.TestCase):
def test_set_to_str(self):
s = refpolicy.IdSet(["read", "write", "getattr"])
s = s.to_space_str().split(' ')
s.sort()
expected = "{ read write getattr }".split(' ')
expected.sort()
self.assertEqual(s, expected)
s = refpolicy.IdSet()
s.add("read")
self.assertEqual(s.to_space_str(), "read")
class TestXpermSet(unittest.TestCase):
def test_init(self):
""" Test that all attributes are correctly initialized. """
s1 = refpolicy.XpermSet()
self.assertEqual(s1.complement, False)
self.assertEqual(s1.ranges, [])
s2 = refpolicy.XpermSet(True)
self.assertEqual(s2.complement, True)
self.assertEqual(s2.ranges, [])
def test_normalize_ranges(self):
""" Test that ranges that are overlapping or neighboring are correctly
merged into one range. """
s = refpolicy.XpermSet()
s.ranges = [(1, 7), (5, 10), (100, 110), (102, 107), (200, 205),
(205, 210), (300, 305), (306, 310), (400, 405), (407, 410),
(500, 502), (504, 508), (500, 510)]
s._XpermSet__normalize_ranges()
i = 0
r = list(sorted(s.ranges))
while i < len(r) - 1:
# check that range low bound is less than equal than the upper bound
self.assertLessEqual(r[i][0], r[i][1])
# check that two ranges are not overlapping or neighboring
self.assertGreater(r[i + 1][0] - r[i][1], 1)
i += 1
def test_add(self):
""" Test adding new values or ranges to the set. """
s = refpolicy.XpermSet()
s.add(1, 7)
s.add(5, 10)
s.add(42)
self.assertEqual(s.ranges, [(1,10), (42,42)])
def test_extend(self):
""" Test adding ranges from another XpermSet object. """
a = refpolicy.XpermSet()
a.add(1, 7)
b = refpolicy.XpermSet()
b.add(5, 10)
a.extend(b)
self.assertEqual(a.ranges, [(1,10)])
def test_to_string(self):
""" Test printing the values to a string. """
a = refpolicy.XpermSet()
a.complement = False
self.assertEqual(a.to_string(), "")
a.complement = True
self.assertEqual(a.to_string(), "")
a.add(1234)
self.assertEqual(a.to_string(), "~ 0x4d2")
a.complement = False
self.assertEqual(a.to_string(), "0x4d2")
a.add(2345)
self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }")
a.complement = True
self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }")
a.add(42,64)
self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }")
a.complement = False
self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }")
class TestSecurityContext(unittest.TestCase):
def test_init(self):
sc = refpolicy.SecurityContext()
sc = refpolicy.SecurityContext("user_u:object_r:foo_t")
def test_from_string(self):
context = "user_u:object_r:foo_t"
sc = refpolicy.SecurityContext()
sc.from_string(context)
self.assertEqual(sc.user, "user_u")
self.assertEqual(sc.role, "object_r")
self.assertEqual(sc.type, "foo_t")
self.assertEqual(sc.level, None)
if selinux.is_selinux_mls_enabled():
self.assertEqual(str(sc), context + ":s0")
else:
self.assertEqual(str(sc), context)
self.assertEqual(sc.to_string(default_level="s1"), context + ":s1")
context = "user_u:object_r:foo_t:s0-s0:c0-c255"
sc = refpolicy.SecurityContext()
sc.from_string(context)
self.assertEqual(sc.user, "user_u")
self.assertEqual(sc.role, "object_r")
self.assertEqual(sc.type, "foo_t")
self.assertEqual(sc.level, "s0-s0:c0-c255")
self.assertEqual(str(sc), context)
self.assertEqual(sc.to_string(), context)
sc = refpolicy.SecurityContext()
self.assertRaises(ValueError, sc.from_string, "abc")
def test_equal(self):
sc1 = refpolicy.SecurityContext("user_u:object_r:foo_t")
sc2 = refpolicy.SecurityContext("user_u:object_r:foo_t")
sc3 = refpolicy.SecurityContext("user_u:object_r:foo_t:s0")
sc4 = refpolicy.SecurityContext("user_u:object_r:bar_t")
self.assertEqual(sc1, sc2)
self.assertNotEqual(sc1, sc3)
self.assertNotEqual(sc1, sc4)
class TestObjecClass(unittest.TestCase):
def test_init(self):
o = refpolicy.ObjectClass(name="file")
self.assertEqual(o.name, "file")
self.assertTrue(isinstance(o.perms, set))
class TestAVRule(unittest.TestCase):
def test_init(self):
a = refpolicy.AVRule()
self.assertEqual(a.rule_type, a.ALLOW)
self.assertTrue(isinstance(a.src_types, set))
self.assertTrue(isinstance(a.tgt_types, set))
self.assertTrue(isinstance(a.obj_classes, set))
self.assertTrue(isinstance(a.perms, set))
def test_to_string(self):
a = refpolicy.AVRule()
a.src_types.add("foo_t")
a.tgt_types.add("bar_t")
a.obj_classes.add("file")
a.perms.add("read")
self.assertEqual(a.to_string(), "allow foo_t bar_t:file read;")
a.rule_type = a.DONTAUDIT
a.src_types.add("user_t")
a.tgt_types.add("user_home_t")
a.obj_classes.add("lnk_file")
a.perms.add("write")
# This test might need to go because set ordering is not guaranteed
a = a.to_string().split(' ')
a.sort()
b = "dontaudit { foo_t user_t } { user_home_t bar_t }:{ lnk_file file } { read write };".split(' ')
b.sort()
self.assertEqual(a, b)
class TestAVExtRule(unittest.TestCase):
def test_init(self):
""" Test initialization of attributes """
a = refpolicy.AVExtRule()
self.assertEqual(a.rule_type, a.ALLOWXPERM)
self.assertIsInstance(a.src_types, set)
self.assertIsInstance(a.tgt_types, set)
self.assertIsInstance(a.obj_classes, set)
self.assertIsNone(a.operation)
self.assertIsInstance(a.xperms, refpolicy.XpermSet)
def test_rule_type_str(self):
""" Test strings returned by __rule_type_str() """
a = refpolicy.AVExtRule()
self.assertEqual(a._AVExtRule__rule_type_str(), "allowxperm")
a.rule_type = a.ALLOWXPERM
self.assertEqual(a._AVExtRule__rule_type_str(), "allowxperm")
a.rule_type = a.DONTAUDITXPERM
self.assertEqual(a._AVExtRule__rule_type_str(), "dontauditxperm")
a.rule_type = a.NEVERALLOWXPERM
self.assertEqual(a._AVExtRule__rule_type_str(), "neverallowxperm")
a.rule_type = a.AUDITALLOWXPERM
self.assertEqual(a._AVExtRule__rule_type_str(), "auditallowxperm")
a.rule_type = 42
self.assertIsNone(a._AVExtRule__rule_type_str())
def test_from_av(self):
""" Test creating the rule from an access vector. """
av = access.AccessVector(["foo", "bar", "file", "ioctl"])
xp = refpolicy.XpermSet()
av.xperms = { "ioctl": xp }
a = refpolicy.AVExtRule()
a.from_av(av, "ioctl")
self.assertEqual(a.src_types, {"foo"})
self.assertEqual(a.tgt_types, {"bar"})
self.assertEqual(a.obj_classes, {"file"})
self.assertEqual(a.operation, "ioctl")
self.assertIs(a.xperms, xp)
def test_from_av_self(self):
""" Test creating the rule from an access vector that has same
source and target context. """
av = access.AccessVector(["foo", "foo", "file", "ioctl"])
xp = refpolicy.XpermSet()
av.xperms = { "ioctl": xp }
a = refpolicy.AVExtRule()
a.from_av(av, "ioctl")
self.assertEqual(a.src_types, {"foo"})
self.assertEqual(a.tgt_types, {"self"})
self.assertEqual(a.obj_classes, {"file"})
self.assertEqual(a.operation, "ioctl")
self.assertIs(a.xperms, xp)
def test_to_string(self):
""" Test printing the rule to a string. """
a = refpolicy.AVExtRule()
a._AVExtRule__rule_type_str = lambda: "first"
a.src_types.to_space_str = lambda: "second"
a.tgt_types.to_space_str = lambda: "third"
a.obj_classes.to_space_str = lambda: "fourth"
a.operation = "fifth"
a.xperms.to_string = lambda: "seventh"
self.assertEqual(a.to_string(),
"first second third:fourth fifth seventh;")
class TestTypeRule(unittest.TestCase):
def test_init(self):
a = refpolicy.TypeRule()
self.assertEqual(a.rule_type, a.TYPE_TRANSITION)
self.assertTrue(isinstance(a.src_types, set))
self.assertTrue(isinstance(a.tgt_types, set))
self.assertTrue(isinstance(a.obj_classes, set))
self.assertEqual(a.dest_type, "")
def test_to_string(self):
a = refpolicy.TypeRule()
a.src_types.add("foo_t")
a.tgt_types.add("bar_exec_t")
a.obj_classes.add("process")
a.dest_type = "bar_t"
self.assertEqual(a.to_string(), "type_transition foo_t bar_exec_t:process bar_t;")
class TestParseNode(unittest.TestCase):
def test_walktree(self):
# Construct a small tree
h = refpolicy.Headers()
a = refpolicy.AVRule()
a.src_types.add("foo_t")
a.tgt_types.add("bar_t")
a.obj_classes.add("file")
a.perms.add("read")
ifcall = refpolicy.InterfaceCall(ifname="allow_foobar")
ifcall.args.append("foo_t")
ifcall.args.append("{ file dir }")
i = refpolicy.Interface(name="foo")
i.children.append(a)
i.children.append(ifcall)
h.children.append(i)
a = refpolicy.AVRule()
a.rule_type = a.DONTAUDIT
a.src_types.add("user_t")
a.tgt_types.add("user_home_t")
a.obj_classes.add("lnk_file")
a.perms.add("write")
i = refpolicy.Interface(name="bar")
i.children.append(a)
h.children.append(i)
class TestHeaders(unittest.TestCase):
def test_iter(self):
h = refpolicy.Headers()
h.children.append(refpolicy.Interface(name="foo"))
h.children.append(refpolicy.Interface(name="bar"))
h.children.append(refpolicy.ClassMap("file", "read write"))
i = 0
for node in h:
i += 1
self.assertEqual(i, 3)
i = 0
for node in h.interfaces():
i += 1
self.assertEqual(i, 2)