1*2d543d20SAndroid Build Coastguard Worker# Authors: Karl MacMillan <[email protected]> 2*2d543d20SAndroid Build Coastguard Worker# 3*2d543d20SAndroid Build Coastguard Worker# Copyright (C) 2006 Red Hat 4*2d543d20SAndroid Build Coastguard Worker# see file 'COPYING' for use and warranty information 5*2d543d20SAndroid Build Coastguard Worker# 6*2d543d20SAndroid Build Coastguard Worker# This program is free software; you can redistribute it and/or 7*2d543d20SAndroid Build Coastguard Worker# modify it under the terms of the GNU General Public License as 8*2d543d20SAndroid Build Coastguard Worker# published by the Free Software Foundation; version 2 only 9*2d543d20SAndroid Build Coastguard Worker# 10*2d543d20SAndroid Build Coastguard Worker# This program is distributed in the hope that it will be useful, 11*2d543d20SAndroid Build Coastguard Worker# but WITHOUT ANY WARRANTY; without even the implied warranty of 12*2d543d20SAndroid Build Coastguard Worker# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13*2d543d20SAndroid Build Coastguard Worker# GNU General Public License for more details. 14*2d543d20SAndroid Build Coastguard Worker# 15*2d543d20SAndroid Build Coastguard Worker# You should have received a copy of the GNU General Public License 16*2d543d20SAndroid Build Coastguard Worker# along with this program; if not, write to the Free Software 17*2d543d20SAndroid Build Coastguard Worker# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 18*2d543d20SAndroid Build Coastguard Worker# 19*2d543d20SAndroid Build Coastguard Worker 20*2d543d20SAndroid Build Coastguard Workerimport unittest 21*2d543d20SAndroid Build Coastguard Workerimport sepolgen.audit 22*2d543d20SAndroid Build Coastguard Workerimport sepolgen.refpolicy 23*2d543d20SAndroid Build Coastguard Worker 24*2d543d20SAndroid Build Coastguard Worker# syslog message 25*2d543d20SAndroid Build Coastguard Workeraudit1 = """Sep 12 08:26:43 dhcp83-5 kernel: audit(1158064002.046:4): avc: denied { read } for pid=2 496 comm="bluez-pin" name=".gdm1K3IFT" dev=dm-0 ino=3601333 scontext=user_u:system_r:bluetooth_helper_t:s0-s0:c0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file""" 26*2d543d20SAndroid Build Coastguard Worker 27*2d543d20SAndroid Build Coastguard Worker# audit daemon messages 28*2d543d20SAndroid Build Coastguard Workeraudit2 = """type=AVC msg=audit(1158584779.745:708): avc: denied { dac_read_search } for pid=8132 comm="sh" capability=2 scontext=user_u:system_r:vpnc_t:s0 tcontext=user_u:system_r:vpnc_t:s0 tclass=capability""" 29*2d543d20SAndroid Build Coastguard Worker 30*2d543d20SAndroid Build Coastguard Workerlog1 = """type=AVC msg=audit(1158584779.745:708): avc: denied { dac_read_search } for pid=8132 comm="sh" capability=2 scontext=user_u:system_r:vpnc_t:s0 tcontext=user_u:system_r:vpnc_t:s0 tclass=capability 31*2d543d20SAndroid Build Coastguard Workertype=SYSCALL msg=audit(1158584779.745:708): arch=40000003 syscall=195 success=no exit=-13 a0=80d2437 a1=bf9132f8 a2=4c56cff4 a3=0 items=0 ppid=8131 pid=8132 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:vpnc_t:s0 key=(null) 32*2d543d20SAndroid Build Coastguard Workertype=AVC msg=audit(1158584779.753:709): avc: denied { dac_override } for pid=8133 comm="vpnc-script" capability=1 scontext=user_u:system_r:vpnc_t:s0 tcontext=user_u:system_r:vpnc_t:s0 tclass=capability 33*2d543d20SAndroid Build Coastguard Workertype=AVC msg=audit(1158584779.753:709): avc: denied { dac_read_search } for pid=8133 comm="vpnc-script" capability=2 scontext=user_u:system_r:vpnc_t:s0 tcontext=user_u:system_r:vpnc_t:s0 tclass=capability 34*2d543d20SAndroid Build Coastguard Workertype=SYSCALL msg=audit(1158584779.753:709): arch=40000003 syscall=195 success=no exit=-13 a0=80d2437 a1=bf910a48 a2=4c56cff4 a3=0 items=0 ppid=8132 pid=8133 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vpnc-script" exe="/bin/bash" subj=user_u:system_r:vpnc_t:s0 key=(null) 35*2d543d20SAndroid Build Coastguard Workertype=AVC msg=audit(1158584779.825:710): avc: denied { dac_override } for pid=8134 comm="vpnc-script" capability=1 scontext=user_u:system_r:vpnc_t:s0 tcontext=user_u:system_r:vpnc_t:s0 tclass=capability 36*2d543d20SAndroid Build Coastguard Workertype=AVC msg=audit(1158584779.825:710): avc: denied { dac_read_search } for pid=8134 comm="vpnc-script" capability=2 scontext=user_u:system_r:vpnc_t:s0 tcontext=user_u:system_r:vpnc_t:s0 tclass=capability 37*2d543d20SAndroid Build Coastguard Workertype=SYSCALL msg=audit(1158584779.825:710): arch=40000003 syscall=195 success=no exit=-13 a0=80d2437 a1=bf910a48 a2=4c56cff4 a3=0 items=0 ppid=8132 pid=8134 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vpnc-script" exe="/bin/bash" subj=user_u:system_r:vpnc_t:s0 key=(null) 38*2d543d20SAndroid Build Coastguard Workertype=AVC msg=audit(1158584780.793:711): avc: denied { dac_override } for pid=8144 comm="sh" capability=1 scontext=user_u:system_r:vpnc_t:s0 tcontext=user_u:system_r:vpnc_t:s0 tclass=capability 39*2d543d20SAndroid Build Coastguard Workertype=AVC msg=audit(1158584780.793:711): avc: denied { dac_read_search } for pid=8144 comm="sh" capability=2 scontext=user_u:system_r:vpnc_t:s0 tcontext=user_u:system_r:vpnc_t:s0 tclass=capability 40*2d543d20SAndroid Build Coastguard Workertype=SYSCALL msg=audit(1158584780.793:711): arch=40000003 syscall=195 success=no exit=-13 a0=80d2437 a1=bfc0ba38 a2=4c56cff4 a3=0 items=0 ppid=8131 pid=8144 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:vpnc_t:s0 key=(null) 41*2d543d20SAndroid Build Coastguard Workertype=AVC msg=audit(1158584780.797:712): avc: denied { dac_override } for pid=8145 comm="vpnc-script" capability=1 scontext=user_u:system_r:vpnc_t:s0 tcontext=user_u:system_r:vpnc_t:s0 tclass=capability 42*2d543d20SAndroid Build Coastguard Workertype=AVC msg=audit(1158584780.797:712): avc: denied { dac_read_search } for pid=8145 comm="vpnc-script" capability=2 scontext=user_u:system_r:vpnc_t:s0 tcontext=user_u:system_r:vpnc_t:s0 tclass=capability 43*2d543d20SAndroid Build Coastguard Workertype=SYSCALL msg=audit(1158584780.797:712): arch=40000003 syscall=195 success=no exit=-13 a0=80d2437 a1=bfc0b188 a2=4c56cff4 a3=0 items=0 ppid=8144 pid=8145 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vpnc-script" exe="/bin/bash" subj=user_u:system_r:vpnc_t:s0 key=(null) 44*2d543d20SAndroid Build Coastguard Workertype=AVC msg=audit(1158584780.801:713): avc: denied { dac_override } for pid=8146 comm="vpnc-script" capability=1 scontext=user_u:system_r:vpnc_t:s0 tcontext=user_u:system_r:vpnc_t:s0 tclass=capability 45*2d543d20SAndroid Build Coastguard Workertype=AVC msg=audit(1158584780.801:713): avc: denied { dac_read_search } for pid=8146 comm="vpnc-script" capability=2 scontext=user_u:system_r:vpnc_t:s0 tcontext=user_u:system_r:vpnc_t:s0 tclass=capability 46*2d543d20SAndroid Build Coastguard Workertype=AVC_PATH msg=audit(1162850461.778:1113): path="/etc/rc.d/init.d/innd" 47*2d543d20SAndroid Build Coastguard Worker""" 48*2d543d20SAndroid Build Coastguard Worker 49*2d543d20SAndroid Build Coastguard Workergranted1 = """type=AVC msg=audit(1188833848.190:34): avc: granted { getattr } for pid=4310 comm="ls" name="foo.pp" dev=sda5 ino=295171 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file""" 50*2d543d20SAndroid Build Coastguard Worker 51*2d543d20SAndroid Build Coastguard Workerpath1 = """type=AVC_PATH msg=audit(1162852201.019:1225): path="/usr/lib/sa/sa1" 52*2d543d20SAndroid Build Coastguard Worker""" 53*2d543d20SAndroid Build Coastguard Worker 54*2d543d20SAndroid Build Coastguard Workerlog2 = """type=AVC_PATH msg=audit(1162852201.019:1225): path="/usr/lib/sa/sa1" 55*2d543d20SAndroid Build Coastguard Workertype=SYSCALL msg=audit(1162852201.019:1225): arch=40000003 syscall=11 success=yes exit=0 a0=87271b0 a1=8727358 a2=8727290 a3=8727008 items=0 ppid=6973 pid=6974 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sa1" exe="/bin/bash" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null) 56*2d543d20SAndroid Build Coastguard Workertype=AVC msg=audit(1162852201.019:1225): avc: denied { execute_no_trans } for pid=6974 comm="sh" name="sa1" dev=dm-0 ino=13061698 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file 57*2d543d20SAndroid Build Coastguard Workertype=AVC msg=audit(1162852201.019:1225): avc: denied { execute } for pid=6974 comm="sh" name="sa1" dev=dm-0 ino=13061698 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file""" 58*2d543d20SAndroid Build Coastguard Worker 59*2d543d20SAndroid Build Coastguard Workerxperms1 = """type=AVC msg=audit(1516626657.910:4461): avc: denied { ioctl } for pid=4310 comm="test" path="/root/test" ino=8619937 ioctlcmd=0x42 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_file_t:s0 tclass=file permissive=0 60*2d543d20SAndroid Build Coastguard Worker""" 61*2d543d20SAndroid Build Coastguard Workerxperms2 = """type=AVC msg=audit(1516626657.910:4461): avc: denied { ioctl } for pid=4310 comm="test" path="/root/test" ino=8619937 ioctlcmd=0x42 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_file_t:s0 tclass=file permissive=0 62*2d543d20SAndroid Build Coastguard Workertype=AVC msg=audit(1516626657.910:4461): avc: denied { ioctl } for pid=4310 comm="test" path="/root/test" ino=8619937 ioctlcmd=0x1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_file_t:s0 tclass=file permissive=0 63*2d543d20SAndroid Build Coastguard Workertype=AVC msg=audit(1516626657.910:4461): avc: denied { ioctl } for pid=4310 comm="test" path="/root/test" ino=8619937 ioctlcmd=0xdead scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_file_t:s0 tclass=file permissive=0 64*2d543d20SAndroid Build Coastguard Workertype=AVC msg=audit(1516626657.910:4461): avc: denied { getattr } for pid=4310 comm="test" path="/root/test" ino=8619937 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_file_t:s0 tclass=dir permissive=0 65*2d543d20SAndroid Build Coastguard Worker""" 66*2d543d20SAndroid Build Coastguard Workerxperms_invalid = """type=AVC msg=audit(1516626657.910:4461): avc: denied { ioctl } for pid=4310 comm="test" path="/root/test" ino=8619937 ioctlcmd=asdf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_file_t:s0 tclass=file permissive=0 67*2d543d20SAndroid Build Coastguard Worker""" 68*2d543d20SAndroid Build Coastguard Workerxperms_without = """type=AVC msg=audit(1516626657.910:4461): avc: denied { ioctl } for pid=4310 comm="test" path="/root/test" ino=8619937 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_file_t:s0 tclass=file permissive=0 69*2d543d20SAndroid Build Coastguard Worker""" 70*2d543d20SAndroid Build Coastguard Worker 71*2d543d20SAndroid Build Coastguard Workerclass TestAVCMessage(unittest.TestCase): 72*2d543d20SAndroid Build Coastguard Worker def test_defs(self): 73*2d543d20SAndroid Build Coastguard Worker avc = sepolgen.audit.AVCMessage(audit1) 74*2d543d20SAndroid Build Coastguard Worker sc = sepolgen.refpolicy.SecurityContext() 75*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.scontext, sc) 76*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tcontext, sc) 77*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tclass, "") 78*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.accesses, []) 79*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.ioctlcmd, None) 80*2d543d20SAndroid Build Coastguard Worker 81*2d543d20SAndroid Build Coastguard Worker def test_granted(self): 82*2d543d20SAndroid Build Coastguard Worker avc = sepolgen.audit.AVCMessage(granted1) 83*2d543d20SAndroid Build Coastguard Worker avc.from_split_string(granted1.split()) 84*2d543d20SAndroid Build Coastguard Worker 85*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.scontext.user, "user_u") 86*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.scontext.role, "system_r") 87*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.scontext.type, "unconfined_t") 88*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.scontext.level, "s0") 89*2d543d20SAndroid Build Coastguard Worker 90*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tcontext.user, "user_u") 91*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tcontext.role, "object_r") 92*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tcontext.type, "user_home_t") 93*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tcontext.level, "s0") 94*2d543d20SAndroid Build Coastguard Worker 95*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tclass, "file") 96*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.accesses, ["getattr"]) 97*2d543d20SAndroid Build Coastguard Worker 98*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.denial, False) 99*2d543d20SAndroid Build Coastguard Worker 100*2d543d20SAndroid Build Coastguard Worker def test_xperms(self): 101*2d543d20SAndroid Build Coastguard Worker """Test that the ioctlcmd field is parsed""" 102*2d543d20SAndroid Build Coastguard Worker avc = sepolgen.audit.AVCMessage(xperms1) 103*2d543d20SAndroid Build Coastguard Worker recs = xperms1.split() 104*2d543d20SAndroid Build Coastguard Worker avc.from_split_string(recs) 105*2d543d20SAndroid Build Coastguard Worker 106*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.ioctlcmd, 66) 107*2d543d20SAndroid Build Coastguard Worker 108*2d543d20SAndroid Build Coastguard Worker def test_xperms_invalid(self): 109*2d543d20SAndroid Build Coastguard Worker """Test message with invalid value in the ioctlcmd field""" 110*2d543d20SAndroid Build Coastguard Worker avc = sepolgen.audit.AVCMessage(xperms_invalid) 111*2d543d20SAndroid Build Coastguard Worker recs = xperms_invalid.split() 112*2d543d20SAndroid Build Coastguard Worker avc.from_split_string(recs) 113*2d543d20SAndroid Build Coastguard Worker 114*2d543d20SAndroid Build Coastguard Worker self.assertIsNone(avc.ioctlcmd) 115*2d543d20SAndroid Build Coastguard Worker 116*2d543d20SAndroid Build Coastguard Worker def test_xperms_without(self): 117*2d543d20SAndroid Build Coastguard Worker """Test message without the ioctlcmd field""" 118*2d543d20SAndroid Build Coastguard Worker avc = sepolgen.audit.AVCMessage(xperms_without) 119*2d543d20SAndroid Build Coastguard Worker recs = xperms_without.split() 120*2d543d20SAndroid Build Coastguard Worker avc.from_split_string(recs) 121*2d543d20SAndroid Build Coastguard Worker 122*2d543d20SAndroid Build Coastguard Worker self.assertIsNone(avc.ioctlcmd) 123*2d543d20SAndroid Build Coastguard Worker 124*2d543d20SAndroid Build Coastguard Worker def test_from_split_string(self): 125*2d543d20SAndroid Build Coastguard Worker # syslog message 126*2d543d20SAndroid Build Coastguard Worker avc = sepolgen.audit.AVCMessage(audit1) 127*2d543d20SAndroid Build Coastguard Worker recs = audit1.split() 128*2d543d20SAndroid Build Coastguard Worker avc.from_split_string(recs) 129*2d543d20SAndroid Build Coastguard Worker 130*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.header, "audit(1158064002.046:4):") 131*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.scontext.user, "user_u") 132*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.scontext.role, "system_r") 133*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.scontext.type, "bluetooth_helper_t") 134*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.scontext.level, "s0-s0:c0") 135*2d543d20SAndroid Build Coastguard Worker 136*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tcontext.user, "system_u") 137*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tcontext.role, "object_r") 138*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tcontext.type, "xdm_tmp_t") 139*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tcontext.level, "s0") 140*2d543d20SAndroid Build Coastguard Worker 141*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tclass, "file") 142*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.accesses, ["read"]) 143*2d543d20SAndroid Build Coastguard Worker 144*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.comm, "bluez-pin") 145*2d543d20SAndroid Build Coastguard Worker 146*2d543d20SAndroid Build Coastguard Worker 147*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.denial, True) 148*2d543d20SAndroid Build Coastguard Worker 149*2d543d20SAndroid Build Coastguard Worker # audit daemon message 150*2d543d20SAndroid Build Coastguard Worker avc = sepolgen.audit.AVCMessage(audit2) 151*2d543d20SAndroid Build Coastguard Worker recs = audit2.split() 152*2d543d20SAndroid Build Coastguard Worker avc.from_split_string(recs) 153*2d543d20SAndroid Build Coastguard Worker 154*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.header, "audit(1158584779.745:708):") 155*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.scontext.user, "user_u") 156*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.scontext.role, "system_r") 157*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.scontext.type, "vpnc_t") 158*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.scontext.level, "s0") 159*2d543d20SAndroid Build Coastguard Worker 160*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tcontext.user, "user_u") 161*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tcontext.role, "system_r") 162*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tcontext.type, "vpnc_t") 163*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tcontext.level, "s0") 164*2d543d20SAndroid Build Coastguard Worker 165*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.tclass, "capability") 166*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.accesses, ["dac_read_search"]) 167*2d543d20SAndroid Build Coastguard Worker 168*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.comm, "sh") 169*2d543d20SAndroid Build Coastguard Worker 170*2d543d20SAndroid Build Coastguard Worker self.assertEqual(avc.denial, True) 171*2d543d20SAndroid Build Coastguard Worker 172*2d543d20SAndroid Build Coastguard Workerclass TestPathMessage(unittest.TestCase): 173*2d543d20SAndroid Build Coastguard Worker def test_from_split_string(self): 174*2d543d20SAndroid Build Coastguard Worker path = sepolgen.audit.PathMessage(path1) 175*2d543d20SAndroid Build Coastguard Worker recs = path1.split() 176*2d543d20SAndroid Build Coastguard Worker path.from_split_string(recs) 177*2d543d20SAndroid Build Coastguard Worker self.assertEqual(path.path, "/usr/lib/sa/sa1") 178*2d543d20SAndroid Build Coastguard Worker 179*2d543d20SAndroid Build Coastguard Worker# TODO - add tests for the other message types 180*2d543d20SAndroid Build Coastguard Worker 181*2d543d20SAndroid Build Coastguard Worker 182*2d543d20SAndroid Build Coastguard Worker# TODO - these tests need a lot of expansion and more examples of 183*2d543d20SAndroid Build Coastguard Worker# different types of log files 184*2d543d20SAndroid Build Coastguard Workerclass TestAuditParser(unittest.TestCase): 185*2d543d20SAndroid Build Coastguard Worker def test_parse_string(self): 186*2d543d20SAndroid Build Coastguard Worker a = sepolgen.audit.AuditParser() 187*2d543d20SAndroid Build Coastguard Worker a.parse_string(log1) 188*2d543d20SAndroid Build Coastguard Worker self.assertEqual(len(a.avc_msgs), 11) 189*2d543d20SAndroid Build Coastguard Worker self.assertEqual(len(a.compute_sid_msgs), 0) 190*2d543d20SAndroid Build Coastguard Worker self.assertEqual(len(a.invalid_msgs), 0) 191*2d543d20SAndroid Build Coastguard Worker self.assertEqual(len(a.policy_load_msgs), 0) 192*2d543d20SAndroid Build Coastguard Worker self.assertEqual(len(a.path_msgs), 1) 193*2d543d20SAndroid Build Coastguard Worker 194*2d543d20SAndroid Build Coastguard Worker def test_post_process(self): 195*2d543d20SAndroid Build Coastguard Worker a = sepolgen.audit.AuditParser() 196*2d543d20SAndroid Build Coastguard Worker a.parse_string(log2) 197*2d543d20SAndroid Build Coastguard Worker self.assertEqual(len(a.avc_msgs), 2) 198*2d543d20SAndroid Build Coastguard Worker self.assertEqual(a.avc_msgs[0].path, "/usr/lib/sa/sa1") 199*2d543d20SAndroid Build Coastguard Worker self.assertEqual(a.avc_msgs[1].path, "/usr/lib/sa/sa1") 200*2d543d20SAndroid Build Coastguard Worker 201*2d543d20SAndroid Build Coastguard Worker def test_parse_file(self): 202*2d543d20SAndroid Build Coastguard Worker f = open("audit.txt") 203*2d543d20SAndroid Build Coastguard Worker a = sepolgen.audit.AuditParser() 204*2d543d20SAndroid Build Coastguard Worker a.parse_file(f) 205*2d543d20SAndroid Build Coastguard Worker f.close() 206*2d543d20SAndroid Build Coastguard Worker self.assertEqual(len(a.avc_msgs), 21) 207*2d543d20SAndroid Build Coastguard Worker self.assertEqual(len(a.compute_sid_msgs), 0) 208*2d543d20SAndroid Build Coastguard Worker self.assertEqual(len(a.invalid_msgs), 0) 209*2d543d20SAndroid Build Coastguard Worker self.assertEqual(len(a.policy_load_msgs), 0) 210*2d543d20SAndroid Build Coastguard Worker 211*2d543d20SAndroid Build Coastguard Worker def test_parse_xperms(self): 212*2d543d20SAndroid Build Coastguard Worker """ Test that correct access vectors are generated from a set of AVC 213*2d543d20SAndroid Build Coastguard Worker denial messages. """ 214*2d543d20SAndroid Build Coastguard Worker a = sepolgen.audit.AuditParser() 215*2d543d20SAndroid Build Coastguard Worker a.parse_string(xperms2) 216*2d543d20SAndroid Build Coastguard Worker av_set = a.to_access() 217*2d543d20SAndroid Build Coastguard Worker 218*2d543d20SAndroid Build Coastguard Worker self.assertEqual(len(av_set), 2) 219*2d543d20SAndroid Build Coastguard Worker av_list = list(sorted(av_set)) 220*2d543d20SAndroid Build Coastguard Worker self.assertEqual(av_list[0].xperms, {}) 221*2d543d20SAndroid Build Coastguard Worker self.assertEqual(list(av_list[1].xperms), ["ioctl"]) 222*2d543d20SAndroid Build Coastguard Worker self.assertEqual(av_list[1].xperms["ioctl"].ranges, [(66,66), 223*2d543d20SAndroid Build Coastguard Worker (4660,4660), (57005,57005)]) 224*2d543d20SAndroid Build Coastguard Worker 225*2d543d20SAndroid Build Coastguard Workerclass TestGeneration(unittest.TestCase): 226*2d543d20SAndroid Build Coastguard Worker def test_generation(self): 227*2d543d20SAndroid Build Coastguard Worker parser = sepolgen.audit.AuditParser() 228*2d543d20SAndroid Build Coastguard Worker parser.parse_string(log1) 229*2d543d20SAndroid Build Coastguard Worker avs = parser.to_access() 230*2d543d20SAndroid Build Coastguard Worker 231*2d543d20SAndroid Build Coastguard Worker self.assertEqual(len(avs), 1) 232*2d543d20SAndroid Build Coastguard Worker 233*2d543d20SAndroid Build Coastguard Worker def test_generation_granted(self): 234*2d543d20SAndroid Build Coastguard Worker parser = sepolgen.audit.AuditParser() 235*2d543d20SAndroid Build Coastguard Worker parser.parse_string(granted1) 236*2d543d20SAndroid Build Coastguard Worker avs = parser.to_access() 237*2d543d20SAndroid Build Coastguard Worker 238*2d543d20SAndroid Build Coastguard Worker self.assertEqual(len(avs), 0) 239*2d543d20SAndroid Build Coastguard Worker 240*2d543d20SAndroid Build Coastguard Worker avs = parser.to_access(only_denials=False) 241*2d543d20SAndroid Build Coastguard Worker 242*2d543d20SAndroid Build Coastguard Worker self.assertEqual(len(avs), 1) 243*2d543d20SAndroid Build Coastguard Worker 244