Implement SensitivityQuery

closes #19
closes #20

seinfo

@@ -165,6 +165,13 @@ try:
             q = setools.rolequery.RoleQuery(p)
         components.append(("Roles", q))
 
+    if args.mlssensquery or args.all:
+        if isinstance(args.mlssensquery, str):
+            q = setools.sensitivityquery.SensitivityQuery(p, name=args.mlssensquery)
+        else:
+            q = setools.sensitivityquery.SensitivityQuery(p)
+        components.append(("Sensitivities", q))
+
     if args.typequery or args.all:
         if isinstance(args.typequery, str):
             q = setools.typequery.TypeQuery(p, name=args.typequery)

setools/__init__.py

@@ -34,6 +34,7 @@ from . import commonquery
 from . import objclassquery
 from . import polcapquery
 from . import rolequery
+from . import sensitivityquery
 from . import typequery
 from . import userquery
 

setools/policyrep/__init__.py

@@ -289,6 +289,10 @@ class SELinuxPolicy(object):
         """Look up a MLS level."""
         return mls.level_factory(self.policy, level)
 
+    def lookup_sensitivity(self, name):
+        """Look up a MLS sensitivity by name."""
+        return mls.sensitivity_factory(self.policy, name)
+
     def lookup_range(self, range_):
         """Look up a MLS range."""
         return mls.range_factory(self.policy, range_)
@@ -368,6 +372,17 @@ class SELinuxPolicy(object):
                 # libqpol unfortunately iterates over levels and sens aliases
                 pass
 
+    def sensitivities(self):
+        """Generator which yields all sensitivities."""
+
+        # see mls.py for more info on why level_iter is used here.
+        for sens in self.policy.level_iter():
+            try:
+                yield mls.sensitivity_factory(self.policy, sens)
+            except TypeError:
+                # libqpol unfortunately iterates over sens and aliases
+                pass
+
     def types(self):
         """Generator which yields all types."""
 

setools/sensitivityquery.py

@@ -0,0 +1,135 @@
+# Copyright 2015, Tresys Technology, LLC
+#
+# This file is part of SETools.
+#
+# SETools is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation, either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# SETools is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with SETools.  If not, see
+# <http://www.gnu.org/licenses/>.
+#
+import re
+
+from . import compquery
+
+
+class SensitivityQuery(compquery.ComponentQuery):
+
+    """Query MLS Sensitivities"""
+
+    def __init__(self, policy,
+                 name="", name_regex=False,
+                 alias="", alias_regex=False,
+                 sens="", sens_dom=False, sens_domby=False):
+        """
+        Parameters:
+        name         The name of the category to match.
+        name_regex   If true, regular expression matching will
+                     be used for matching the name.
+        alias        The alias name to match.
+        alias_regex  If true, regular expression matching
+                     will be used on the alias names.
+        sens         The criteria to match the sensitivity by dominance.
+        sens_dom     If true, the criteria will match if it dominates
+                     the sensitivity.
+        sens_domby   If true, the criteria will match if it is dominated
+                     by the sensitivity.
+        """
+
+        self.policy = policy
+        self.set_name(name, regex=name_regex)
+        self.set_alias(alias, regex=alias_regex)
+        self.set_sensitivity(sens, dom=sens_dom, domby=sens_domby)
+
+    def results(self):
+        """Generator which yields all matching sensitivities."""
+
+        for s in self.policy.sensitivities():
+            if self.name and not self._match_regex(
+                    s,
+                    self.name_cmp,
+                    self.name_regex):
+                continue
+
+            if self.alias and not self._match_in_set(
+                    s.aliases(),
+                    self.alias_cmp,
+                    self.alias_regex):
+                continue
+
+            if self.sens and not self._match_level(
+                    s,
+                    self.sens,
+                    self.sens_dom,
+                    self.sens_domby,
+                    False):
+                continue
+
+            yield s
+
+    def set_alias(self, alias, **opts):
+        """
+        Set the criteria for the sensitivity's aliases.
+
+        Parameter:
+        alias       Name to match the sensitivity's aliases.
+
+        Keyword Options:
+        regex       If true, regular expression matching will be used.
+
+        Exceptions:
+        NameError   Invalid keyword option.
+        """
+
+        self.alias = alias
+
+        for k in list(opts.keys()):
+            if k == "regex":
+                self.alias_regex = opts[k]
+            else:
+                raise NameError("Invalid alias option: {0}".format(k))
+
+        if not self.alias:
+            self.alias_cmp = None
+        elif self.alias_regex:
+            self.alias_cmp = re.compile(self.alias)
+        else:
+            self.alias_cmp = self.alias
+
+    def set_sensitivity(self, sens, **opts):
+        """
+        Set the criteria for matching the sensitivity by dominance.
+
+        Parameter:
+        sens        Criteria to match the sensitivity.
+
+        Keyword Parameters:
+        dom         If true, the criteria will match if it
+                    dominates the sensitivity.
+        domby       If true, the criteria will match if it
+                    is dominated by the sensitivity.
+
+        Exceptions:
+        NameError   Invalid keyword option.
+        """
+
+        if sens:
+            self.sens = self.policy.lookup_sensitivity(sens)
+        else:
+            self.sens = None
+
+        for k in list(opts.keys()):
+            if k == "dom":
+                self.sens_dom = opts[k]
+            elif k == "domby":
+                self.sens_domby = opts[k]
+            else:
+                raise NameError("Invalid name option: {0}".format(k))

tests/__init__.py

@@ -31,6 +31,7 @@ from . import permmap
 from . import polcapquery
 from . import rbacrulequery
 from . import rolequery
+from . import sensitivityquery
 from . import terulequery
 from . import typequery
 from . import userquery

tests/sensitivityquery.conf

@@ -0,0 +1,169 @@
+class infoflow
+class infoflow2
+class infoflow3
+class infoflow4
+class infoflow5
+class infoflow6
+class infoflow7
+
+sid kernel
+sid security
+
+common infoflow
+{
+	low_w
+	med_w
+	hi_w
+	low_r
+	med_r
+	hi_r
+}
+
+class infoflow
+inherits infoflow
+
+class infoflow2
+inherits infoflow
+{
+	super_w
+	super_r
+}
+
+class infoflow3
+{
+	null
+}
+
+class infoflow4
+inherits infoflow
+
+class infoflow5
+inherits infoflow
+
+class infoflow6
+inherits infoflow
+
+class infoflow7
+inherits infoflow
+{
+	super_w
+	super_r
+	super_none
+	super_both
+	super_unmapped
+}
+
+sensitivity sens;
+
+# test1
+# name: test1
+# alias: unset
+# sens: unset
+sensitivity test1;
+
+# test2
+# name: test2(a|b)
+# alias: unset
+# sens: unset
+sensitivity test2a;
+sensitivity test2b;
+
+# test 10
+# name: unset
+# alias: test10a
+# sens: unset
+sensitivity test10s1 alias { test10a test10c };
+sensitivity test10s2 alias { test10b test10d };
+
+# test 11
+# name: unset
+# alias: test11(a|b)
+# sens: unset
+sensitivity test11s1 alias { test11a test11c };
+sensitivity test11s2 alias { test11b test11d };
+sensitivity test11s3 alias { test11e test11f };
+
+
+# test 20
+# name: unset
+# alias: unset
+# sens: test20
+sensitivity test20;
+
+# test 21
+# name: unset
+# alias: unset
+# sens: test21crit, dom
+sensitivity test21;
+sensitivity test21crit;
+
+# test 22
+# name: unset
+# alias: unset
+# sens: test22crit, domby
+sensitivity test22;
+sensitivity test22crit;
+
+dominance { test21 test21crit test1 test2a test2b test10s1 sens test10s2 test11s1 test11s2 test11s3 test20 test22crit test22 }
+
+category begin;
+category end;
+
+#level decl
+level sens:begin.end;
+level test1;
+level test2a;
+level test2b;
+level test10s1;
+level test10s2;
+level test11s1;
+level test11s2;
+level test11s3;
+level test20;
+level test21;
+level test21crit;
+level test22;
+level test22crit;
+
+#some constraints
+mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
+
+attribute mls_exempt;
+
+type system;
+role system;
+role system types system;
+
+################################################################################
+# Type enforcement declarations and rules
+
+
+################################################################################
+
+#users
+user system roles system level sens range sens - sens:begin.end;
+
+#normal constraints
+constrain infoflow hi_w (u1 == u2);
+
+#isids
+sid kernel system:system:system:sens:begin
+sid security system:system:system:sens:begin
+
+#fs_use
+fs_use_trans devpts system:object_r:system:sens;
+fs_use_xattr ext3 system:object_r:system:sens;
+fs_use_task pipefs system:object_r:system:sens;
+
+#genfscon
+genfscon proc / system:object_r:system:sens
+genfscon proc /sys system:object_r:system:sens
+genfscon selinuxfs / system:object_r:system:sens:begin.end
+
+portcon tcp 80 system:object_r:system:sens
+
+netifcon eth0 system:object_r:system:sens system:object_r:system:sens
+
+nodecon 127.0.0.1 255.255.255.255 system:object_r:system:sens:begin
+nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:sens:begin
+

tests/sensitivityquery.py

@@ -0,0 +1,100 @@
+# Copyright 2015, Tresys Technology, LLC
+#
+# This file is part of SETools.
+#
+# SETools is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# SETools is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with SETools.  If not, see <http://www.gnu.org/licenses/>.
+#
+import unittest
+
+from setools import SELinuxPolicy
+from setools.sensitivityquery import SensitivityQuery
+
+
+class SensitivityQueryTest(unittest.TestCase):
+
+    def setUp(self):
+        self.p = SELinuxPolicy("tests/sensitivityquery.conf")
+
+    def test_000_unset(self):
+        """Sensitivity query with no criteria."""
+        # query with no parameters gets all sensitivities.
+        allsens = sorted(str(c) for c in self.p.sensitivities())
+
+        q = SensitivityQuery(self.p)
+        qsens = sorted(str(c) for c in q.results())
+
+        self.assertListEqual(allsens, qsens)
+
+    def test_001_name_exact(self):
+        """Sensitivity query with exact name match."""
+        q = SensitivityQuery(self.p, name="test1")
+
+        sens = sorted(str(c) for c in q.results())
+        self.assertListEqual(["test1"], sens)
+
+    def test_002_name_regex(self):
+        """Sensitivity query with regex name match."""
+        q = SensitivityQuery(self.p, name="test2(a|b)", name_regex=True)
+
+        sens = sorted(str(c) for c in q.results())
+        self.assertListEqual(["test2a", "test2b"], sens)
+
+    def test_010_alias_exact(self):
+        """Sensitivity query with exact alias match."""
+        q = SensitivityQuery(self.p, alias="test10a")
+
+        sens = sorted(str(t) for t in q.results())
+        self.assertListEqual(["test10s1"], sens)
+
+    def test_011_alias_regex(self):
+        """Sensitivity query with regex alias match."""
+        q = SensitivityQuery(self.p, alias="test11(a|b)", alias_regex=True)
+
+        sens = sorted(str(t) for t in q.results())
+        self.assertListEqual(["test11s1", "test11s2"], sens)
+
+    def test_020_sens_equal(self):
+        """Sensitivity query with sens equality."""
+        q = SensitivityQuery(self.p, sens="test20")
+
+        sens = sorted(str(u) for u in q.results())
+        self.assertListEqual(["test20"], sens)
+
+    def test_021_sens_dom1(self):
+        """Sensitivity query with sens dominance."""
+        q = SensitivityQuery(self.p, sens="test21crit", sens_dom=True)
+
+        sens = sorted(str(u) for u in q.results())
+        self.assertListEqual(["test21", "test21crit"], sens)
+
+    def test_021_sens_dom2(self):
+        """Sensitivity query with sens dominance (equal)."""
+        q = SensitivityQuery(self.p, sens="test21", sens_dom=True)
+
+        sens = sorted(str(u) for u in q.results())
+        self.assertListEqual(["test21"], sens)
+
+    def test_022_sens_domby1(self):
+        """Sensitivity query with sens dominated-by."""
+        q = SensitivityQuery(self.p, sens="test22crit", sens_domby=True)
+
+        sens = sorted(str(u) for u in q.results())
+        self.assertListEqual(["test22", "test22crit"], sens)
+
+    def test_022_sens_domby2(self):
+        """Sensitivity query with sens dominated-by (equal)."""
+        q = SensitivityQuery(self.p, sens="test22", sens_domby=True)
+
+        sens = sorted(str(u) for u in q.results())
+        self.assertListEqual(["test22"], sens)