xref: /aosp_15_r20/external/selinux/python/sepolgen/tests/test_access.py (revision 2d543d20722ada2425b5bdab9d0d1d29470e7bba)

# Authors: Karl MacMillan <[email protected]>
#
# Copyright (C) 2006 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

import unittest
import sepolgen.refpolicy as refpolicy
import sepolgen.refparser as refparser
import sepolgen.policygen as policygen
import sepolgen.access as access

class TestAccessVector(unittest.TestCase):
    def test_init(self):
        # Default construction
        a = access.AccessVector()
        self.assertEqual(a.src_type, None)
        self.assertEqual(a.tgt_type, None)
        self.assertEqual(a.obj_class, None)
        self.assertTrue(isinstance(a.perms, refpolicy.IdSet))
        self.assertTrue(isinstance(a.audit_msgs, type([])))
        self.assertTrue(isinstance(a.xperms, type({})))
        self.assertEqual(len(a.audit_msgs), 0)

        # Construction from a list
        a = access.AccessVector()
        a.src_type = "foo"
        a.tgt_type = "bar"
        a.obj_class = "file"
        a.perms.update(["read", "write"])

        l = access.AccessVector(['foo', 'bar', 'file', 'read', 'write'])
        self.assertEqual(a.src_type, l.src_type)
        self.assertEqual(a.tgt_type, l.tgt_type)
        self.assertEqual(a.obj_class, l.obj_class)
        self.assertEqual(a.perms, l.perms)

    def test_from_list(self):
        a = access.AccessVector()
        a.src_type = "foo"
        a.tgt_type = "bar"
        a.obj_class = "file"
        a.perms.update(["read", "write"])

        l = access.AccessVector()
        l.from_list(['foo', 'bar', 'file', 'read', 'write'])
        self.assertEqual(a.src_type, l.src_type)
        self.assertEqual(a.tgt_type, l.tgt_type)
        self.assertEqual(a.obj_class, l.obj_class)
        self.assertEqual(a.perms, l.perms)

        l2 = access.AccessVector()
        with self.assertRaises(ValueError):
            l2.from_list(['foo', 'bar', 'file'])

    def test_to_list(self):
        a = access.AccessVector()
        a.src_type = "foo"
        a.tgt_type = "bar"
        a.obj_class = "file"
        a.perms.update(["read", "write"])

        l = a.to_list()
        self.assertEqual(l[0], "foo")
        self.assertEqual(l[1], "bar")
        self.assertEqual(l[2], "file")
        perms = l[3:]
        perms.sort()
        self.assertEqual(perms[0], "read")
        self.assertEqual(perms[1], "write")

    def test_to_string(self):
        a = access.AccessVector()
        a.src_type = "foo"
        a.tgt_type = "bar"
        a.obj_class = "file"
        a.perms.update(["read", "write"])

        first, second = str(a).split(':')
        self.assertEqual(first, "allow foo bar")
        second = second.split(' ')
        second.sort()
        expected = "file { read write };".split(' ')
        expected.sort()
        self.assertEqual(second, expected)

        first, second = a.to_string().split(':')
        self.assertEqual(first, "allow foo bar")
        second = second.split(' ')
        second.sort()
        expected = "file { read write };".split(' ')
        expected.sort()
        self.assertEqual(second, expected)

    def test_cmp(self):
        a = access.AccessVector()
        a.src_type = "foo"
        a.tgt_type = "bar"
        a.obj_class = "file"
        a.perms.update(["read", "write"])

        b = access.AccessVector()
        b.src_type = "foo"
        b.tgt_type = "bar"
        b.obj_class = "file"
        b.perms.update(["read", "write"])

        self.assertEqual(a, b)

        # Source Type
        b.src_type = "baz"
        self.assertNotEqual(a, b)
        self.assertTrue(a > b)

        b.src_type = "gaz"
        self.assertNotEqual(a, b)
        self.assertTrue(a < b)

        # Target Type
        b.src_type = "foo"
        b.tgt_type = "aar"
        self.assertNotEqual(a, b)
        self.assertTrue(a > b)

        b.tgt_type = "gaz"
        self.assertNotEqual(a, b)
        self.assertTrue(a < b)

        # Perms
        b.tgt_type = "bar"
        b.perms = refpolicy.IdSet(["read"])
        self.assertNotEqual(a, b)
        self.assertTrue(a > b)

        b.perms = refpolicy.IdSet(["read", "write", "append"])
        self.assertNotEqual(a, b)

        b.perms = refpolicy.IdSet(["read", "append"])
        self.assertNotEqual(a, b)

    def test_merge_noxperm(self):
        """Test merging two AVs without xperms"""
        a = access.AccessVector(["foo", "bar", "file", "read", "write"])
        b = access.AccessVector(["foo", "bar", "file", "append"])

        a.merge(b)
        self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])

    def text_merge_xperm1(self):
        """Test merging AV that contains xperms with AV that does not"""
        a = access.AccessVector(["foo", "bar", "file", "read"])
        b = access.AccessVector(["foo", "bar", "file", "read"])
        xp = refpolicy.XpermSet()
        xp.add(42)
        xp.add(12345)
        b.xperms = {"ioctl": xp}

        a.merge(b)
        self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
        self.assertEqual(list(a.xperms.keys()), ["ioctl"])
        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")

    def text_merge_xperm2(self):
        """Test merging AV that does not contain xperms with AV that does"""
        a = access.AccessVector(["foo", "bar", "file", "read"])
        xp = refpolicy.XpermSet()
        xp.add(42)
        xp.add(12345)
        a.xperms = {"ioctl": xp}
        b = access.AccessVector(["foo", "bar", "file", "read"])

        a.merge(b)
        self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
        self.assertEqual(list(a.xperms.keys()), ["ioctl"])
        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")

    def test_merge_xperm_diff_op(self):
        """Test merging two AVs that contain xperms with different operation"""
        a = access.AccessVector(["foo", "bar", "file", "read"])
        xp1 = refpolicy.XpermSet()
        xp1.add(23)
        a.xperms = {"asdf": xp1}

        b = access.AccessVector(["foo", "bar", "file", "read"])
        xp2 = refpolicy.XpermSet()
        xp2.add(42)
        xp2.add(12345)
        b.xperms = {"ioctl": xp2}

        a.merge(b)
        self.assertEqual(list(a.perms), ["read"])
        self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
        self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")

    def test_merge_xperm_same_op(self):
        """Test merging two AVs that contain xperms with same operation"""
        a = access.AccessVector(["foo", "bar", "file", "read"])
        xp1 = refpolicy.XpermSet()
        xp1.add(23)
        a.xperms = {"ioctl": xp1}

        b = access.AccessVector(["foo", "bar", "file", "read"])
        xp2 = refpolicy.XpermSet()
        xp2.add(42)
        xp2.add(12345)
        b.xperms = {"ioctl": xp2}

        a.merge(b)
        self.assertEqual(list(a.perms), ["read"])
        self.assertEqual(list(a.xperms.keys()), ["ioctl"])
        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }")

class TestUtilFunctions(unittest.TestCase):
    def test_is_idparam(self):
        self.assertTrue(access.is_idparam("$1"))
        self.assertTrue(access.is_idparam("$2"))
        self.assertTrue(access.is_idparam("$123"))
        self.assertFalse(access.is_idparam("$123.23"))
        self.assertFalse(access.is_idparam("$A"))

    def test_avrule_to_access_vectors(self):
        rule = refpolicy.AVRule()
        rule.src_types.add("foo")
        rule.src_types.add("baz")
        rule.tgt_types.add("bar")
        rule.tgt_types.add("what")
        rule.obj_classes.add("file")
        rule.obj_classes.add("dir")
        rule.perms.add("read")
        rule.perms.add("write")

        avs = access.avrule_to_access_vectors(rule)
        self.assertEqual(len(avs), 8)
        comps = [("foo", "what", "dir"),
                 ("foo", "what", "file"),
                 ("foo", "bar", "dir"),
                 ("foo", "bar", "file"),
                 ("baz", "what", "dir"),
                 ("baz", "what", "file"),
                 ("baz", "bar", "dir"),
                 ("baz", "bar", "file")]
        status = [False] * 8
        for av in access.avrule_to_access_vectors(rule):
            self.assertEqual(av.perms, refpolicy.IdSet(["read", "write"]))
            for i in range(len(comps)):
                if comps[i][0] == av.src_type and \
                   comps[i][1] == av.tgt_type and \
                   comps[i][2] == av.obj_class:
                    status[i] = True

        for s in status:
            self.assertEqual(s, True)


class TestAccessVectorSet(unittest.TestCase):
    def setUp(self):
        rule = refpolicy.AVRule()
        rule.src_types.add("foo")
        rule.src_types.add("baz")
        rule.tgt_types.add("bar")
        rule.tgt_types.add("what")
        rule.obj_classes.add("file")
        rule.obj_classes.add("dir")
        rule.perms.add("read")
        rule.perms.add("write")

        s = access.AccessVectorSet()
        avs = access.avrule_to_access_vectors(rule)
        for av in avs:
            s.add_av(av)
        self.s = s

    def test_init(self):
        a = access.AccessVectorSet()

    def test_iter(self):
        comps = [("foo", "what", "dir"),
                 ("foo", "what", "file"),
                 ("foo", "bar", "dir"),
                 ("foo", "bar", "file"),
                 ("baz", "what", "dir"),
                 ("baz", "what", "file"),
                 ("baz", "bar", "dir"),
                 ("baz", "bar", "file")]
        status = [False] * 8
        for av in self.s:
            self.assertEqual(av.perms, refpolicy.IdSet(["read", "write"]))
            for i in range(len(comps)):
                if comps[i][0] == av.src_type and \
                   comps[i][1] == av.tgt_type and \
                   comps[i][2] == av.obj_class:
                    status[i] = True

        for s in status:
            self.assertEqual(s, True)

    def test_len(self):
        self.assertEqual(len(self.s), 8)

    def test_list(self):
        a = access.AccessVectorSet()
        a.add("$1", "foo", "file", refpolicy.IdSet(["read", "write"]))
        a.add("$1", "bar", "file", refpolicy.IdSet(["read", "write"]))
        a.add("what", "bar", "file", refpolicy.IdSet(["read", "write"]))

        avl = a.to_list()
        avl.sort()

        test_l = [['what','bar','file','read','write'],
                  ['$1','foo','file','read','write'],
                  ['$1','bar','file','read','write']]
        test_l.sort()

        for a,b in zip(test_l, avl):
            self.assertEqual(len(a), len(b))
            for x,y in list(zip(a,b))[:3]:
                self.assertEqual(x, y)
            perms1 = a[3:]
            perms2 = b[3:]
            perms1.sort()
            perms2.sort()
            self.assertEqual(perms1, perms2)

        b = access.AccessVectorSet()
        b.from_list(avl)
        self.assertEqual(len(b), 3)

    def test_add_av_first(self):
        """Test adding first AV to the AV set"""
        avs = access.AccessVectorSet()
        av = access.AccessVector(['foo', 'bar', 'file', 'read'])

        avs.add_av(av)

        self.assertEqual(avs.to_list(), [['foo', 'bar', 'file', 'read']])

    def test_add_av_second(self):
        """Test adding second AV to the AV set with same source and target
        context and class"""
        avs = access.AccessVectorSet()
        av1 = access.AccessVector(['foo', 'bar', 'file', 'read'])
        av2 = access.AccessVector(['foo', 'bar', 'file', 'write'])

        avs.add_av(av1)
        avs.add_av(av2)

        self.assertEqual(avs.to_list(), [['foo', 'bar', 'file', 'read',
                         'write']])

    def test_add_av_with_msg(self):
        """Test adding audit message"""
        avs = access.AccessVectorSet()
        av = access.AccessVector(['foo', 'bar', 'file', 'read'])

        avs.add_av(av, 'test message')

        self.assertEqual(avs.src['foo']['bar']['file', av.type].audit_msgs,
                         ['test message'])

    def test_add(self):
        """Test adding AV to the set"""
        s = access.AccessVectorSet()

        def test_add_av(av, audit_msg=None):
            self.assertEqual(av.src_type, 'foo')
            self.assertEqual(av.tgt_type, 'bar')
            self.assertEqual(av.obj_class, 'file')
            self.assertEqual(list(av.perms), ['read'])
            self.assertEqual(av.data, 'test data')
            self.assertEqual(av.type, 42)
            self.assertEqual(audit_msg, 'test message')

        s.add_av = test_add_av

        s.add("foo", "bar", "file", refpolicy.IdSet(["read"]),
              audit_msg='test message', avc_type=42, data='test data')