# Authors: Karl MacMillan <[email protected]>
#
# Copyright (C) 2006 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
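#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

"""Unit tests for sepolgen.interfaces.

Covers parameter naming, parameter extraction from access vectors, expansion
of nested interface calls into access vectors, and writing an InterfaceSet to
a file and reading it back.
"""

import os
import shutil
import tempfile
import unittest

import sepolgen.access as access
import sepolgen.interfaces as interfaces
import sepolgen.policygen as policygen
import sepolgen.refparser as refparser
import sepolgen.refpolicy as refpolicy


class TestParam(unittest.TestCase):
    """Checks on interfaces.Param naming."""

    def test(self):
        """A "$1" name is accepted and yields num 1; "$N" is rejected."""
        p = interfaces.Param()
        p.name = "$1"
        self.assertEqual(p.name, "$1")
        # A non-numeric positional name must be refused, not silently stored.
        self.assertRaises(ValueError, p.set_name, "$N")
        # The rejected name must not have disturbed the earlier assignment.
        self.assertEqual(p.num, 1)
        # No type was assigned in this test, so this is Param's initial type.
        self.assertEqual(p.type, refpolicy.SRC_TYPE)


class TestAVExtractPerms(unittest.TestCase):
    """Checks on interfaces.av_extract_params for one mutable access vector."""

    def test(self):
        """Walk one AccessVector through several source/target combinations.

        The same ``av`` object is mutated between cases, so each case builds
        on the fields left behind by the previous one.
        """
        # Presumably [source, target, class, permission] - the attributes set
        # below (src_type, tgt_type, obj_class) suggest that order; confirm
        # against access.AccessVector.
        av = access.AccessVector(['foo', 'bar', 'file', 'read'])

        # Case 1: no "$n" anywhere, so nothing is extracted.
        params = {}
        ret = interfaces.av_extract_params(av, params)
        self.assertEqual(ret, 0)
        self.assertEqual(params, {})

        # Case 2: "$1" as the source type.
        av.src_type = "$1"
        ret = interfaces.av_extract_params(av, params)
        self.assertEqual(ret, 0)
        p = params["$1"]
        self.assertEqual(p.name, "$1")
        self.assertEqual(p.type, refpolicy.SRC_TYPE)
        self.assertEqual(p.obj_classes, refpolicy.IdSet(["file"]))

        # Case 3: "$1" is now both source and target, with class "process".
        # The expected result is success (0) with the parameter kept as a
        # source type.
        params = {}
        av.tgt_type = "$1"
        av.obj_class = "process"
        ret = interfaces.av_extract_params(av, params)
        self.assertEqual(ret, 0)
        p = params["$1"]
        self.assertEqual(p.name, "$1")
        self.assertEqual(p.type, refpolicy.SRC_TYPE)
        self.assertEqual(p.obj_classes, refpolicy.IdSet(["process"]))

        # Case 4: same as case 3 but with class "dir"; here the call is
        # expected to return 1 while still recording "$1" as a source type.
        # NOTE(review): 1 presumably signals a source/target conflict -
        # confirm against interfaces.av_extract_params.
        params = {}
        av.tgt_type = "$1"
        av.obj_class = "dir"
        ret = interfaces.av_extract_params(av, params)
        self.assertEqual(ret, 1)
        p = params["$1"]
        self.assertEqual(p.name, "$1")
        self.assertEqual(p.type, refpolicy.SRC_TYPE)
        self.assertEqual(p.obj_classes, refpolicy.IdSet(["dir"]))

        # Case 5: a literal source and "$2" as target. params is deliberately
        # not reset here, so it still holds "$1" from case 4.
        av.src_type = "bar"
        av.tgt_type = "$2"
        av.obj_class = "dir"
        ret = interfaces.av_extract_params(av, params)
        self.assertEqual(ret, 0)
        p = params["$2"]
        self.assertEqual(p.name, "$2")
        self.assertEqual(p.type, refpolicy.TGT_TYPE)
        self.assertEqual(p.obj_classes, refpolicy.IdSet(["dir"]))


# Three interfaces mixing allow rules, conditionals, optional/tunable blocks
# and calls to other interfaces; used by test_export.
interface_example = """
interface(`files_search_usr',`
    gen_require(`
        type usr_t;
    ')

    allow $1 usr_t:dir search;
    allow { domain $1 } { usr_t usr_home_t }:{ file dir } { read write getattr };
    typeattribute $1 file_type;

    if (foo) {
        allow $1 foo:bar baz;
    }

    if (bar) {
        allow $1 foo:bar baz;
    } else {
        allow $1 foo:bar baz;
    }
')

interface(`files_list_usr',`
    gen_require(`
        type usr_t;
    ')

    allow $1 usr_t:dir { read getattr };

    optional_policy(`
        search_usr($1)
    ')

    tunable_policy(`foo',`
        whatever($1)
    ')

')

interface(`files_exec_usr_files',`
    gen_require(`
        type usr_t;
    ')

    allow $1 usr_t:dir read;
    allow $1 usr_t:lnk_file { read getattr };
    can_exec($1,usr_t)
    can_foo($1)

')
"""

# A single interface with two allow rules on one parameter; used by
# test_simple.
simple_interface = """
interface(`foo',`
    gen_require(`
        type usr_t;
    ')
    allow $1 usr_t:dir { create add_name };
    allow $1 usr_t:file { read write };
')
"""

# Interfaces that call each other with remapped parameters; used by
# TestInterfaceSet.test_expansion. Inside that method the bare name
# test_expansion still resolves to this module-level string, because method
# names are not in scope within a class body's functions.
test_expansion = """
interface(`foo',`
    gen_require(`
        type usr_t;
    ')
    allow $1 usr_t:dir { create add_name };
    allow $1 usr_t:file { read write };
')

interface(`map', `
    gen_require(`
        type bar_t;
    ')
    allow $1 bar_t:file read;
    allow $2 bar_t:file write;

    foo($2)
')

interface(`hard_map', `
    gen_require(`
        type baz_t;
    ')
    allow $1 baz_t:file getattr;
    allow $2 baz_t:file read;
    allow $3 baz_t:file write;

    map($1, $2)
    map($2, $3)

    # This should have no effect
    foo($2)
')
"""


def compare_avsets(l, avs_b):
    """Return True when ``l`` and ``avs_b`` describe the same access vectors.

    ``l`` is loaded into a fresh access.AccessVectorSet via from_list(); both
    sets are then listed, sorted and compared element by element. The match
    is exact: a missing vector and an extra vector both yield False, so a
    test using this helper fails if interface expansion produces more access
    than the expected list spells out.

    Args:
        l: list of lists accepted by AccessVectorSet.from_list(); in this
            file each entry looks like [source, target, class, perm, ...].
        avs_b: iterable of access vectors to compare against.

    Returns:
        bool: True only if both sides have the same length and every sorted
        pair compares equal.
    """
    avs_a = access.AccessVectorSet()
    avs_a.from_list(l)

    # Sorting gives both sides the same order so a pairwise walk is enough.
    a = sorted(avs_a)
    b = sorted(avs_b)

    if len(a) != len(b):
        return False

    return not any(av_a != av_b for av_a, av_b in zip(a, b))


class TestInterfaceSet(unittest.TestCase):
    """Checks on interfaces.InterfaceSet built from parsed interface text."""

    def test_simple(self):
        """One interface yields one entry, two access vectors, one param."""
        h = refparser.parse(simple_interface)
        i = interfaces.InterfaceSet()
        i.add_headers(h)

        self.assertEqual(len(i.interfaces), 1)
        for key, interface in i.interfaces.items():
            self.assertEqual(key, interface.name)
            self.assertEqual(key, "foo")
            self.assertEqual(len(interface.access), 2)

            # Check the access vectors
            comp_avs = [["$1", "usr_t", "dir", "create", "add_name"],
                        ["$1", "usr_t", "file", "read", "write"]]
            self.assertTrue(compare_avsets(comp_avs, interface.access))

            # Check the params
            self.assertEqual(len(interface.params), 1)
            for param in interface.params.values():
                self.assertEqual(param.type, refpolicy.SRC_TYPE)
                self.assertEqual(param.name, "$1")
                self.assertEqual(param.num, 1)
                self.assertEqual(param.required, True)

    def test_expansion(self):
        """Nested interface calls expand to exactly the expected vectors."""
        h = refparser.parse(test_expansion)
        i = interfaces.InterfaceSet()
        i.add_headers(h)

        # Expected access per interface after expansion. "map" inherits foo's
        # rules with $1 rewritten to $2; "hard_map" inherits both map calls.
        # Its direct foo($2) call contributes nothing new, since the same
        # vectors already arrive through map($1, $2).
        expected = {
            "foo": [["$1", "usr_t", "dir", "create", "add_name"],
                    ["$1", "usr_t", "file", "read", "write"]],
            "map": [["$2", "usr_t", "dir", "create", "add_name"],
                    ["$2", "usr_t", "file", "read", "write"],
                    ["$1", "bar_t", "file", "read"],
                    ["$2", "bar_t", "file", "write"]],
            "hard_map": [["$1", "baz_t", "file", "getattr"],
                         ["$2", "baz_t", "file", "read"],
                         ["$3", "baz_t", "file", "write"],

                         ["$2", "usr_t", "dir", "create", "add_name"],
                         ["$2", "usr_t", "file", "read", "write"],
                         ["$1", "bar_t", "file", "read"],
                         ["$2", "bar_t", "file", "write"],

                         ["$3", "usr_t", "dir", "create", "add_name"],
                         ["$3", "usr_t", "file", "read", "write"],
                         ["$2", "bar_t", "file", "read"],
                         ["$3", "bar_t", "file", "write"]],
        }

        self.assertEqual(len(i.interfaces), 3)
        for key, interface in i.interfaces.items():
            self.assertEqual(key, interface.name)
            # Only the three known names are checked for content.
            if key in expected:
                self.assertTrue(compare_avsets(expected[key],
                                               interface.access))

    def test_export(self):
        """An InterfaceSet written with to_file() reloads with from_file().

        The scratch file lives in a private temporary directory rather than
        a fixed name in the current working directory, so the test neither
        overwrites an existing file called "output" nor leaves one behind.
        """
        h = refparser.parse(interface_example)
        i = interfaces.InterfaceSet()
        i.add_headers(h)

        tmpdir = tempfile.mkdtemp()
        try:
            path = os.path.join(tmpdir, "output")
            # Context managers close the handles even if to_file/from_file
            # raise part-way through.
            with open(path, "w") as f:
                i.to_file(f)

            i2 = interfaces.InterfaceSet()
            with open(path) as f:
                i2.from_file(f)
        finally:
            # Best-effort cleanup; a failure here should not mask the result.
            shutil.rmtree(tmpdir, ignore_errors=True)

        names = set(ifv.name for ifv in i2.interfaces.values())
        for wanted in ("files_search_usr",
                       "files_list_usr",
                       "files_exec_usr_files"):
            self.assertIn(wanted, names)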