1 /*
2 * Author: Joshua Brindle <jbrindle@tresys.com>
3 *
4 * Copyright (C) 2006 Tresys Technology, LLC
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
19 */
20
21 #include "parse_util.h"
22 #include "helpers.h"
23 #include "test-common.h"
24
25 #include <sepol/policydb/policydb.h>
26 #include <sepol/policydb/link.h>
27
28 #include <CUnit/Basic.h>
29 #include <stdlib.h>
30
31 /* Tests for roles:
32 * Test for each of these for
33 * - role in appropriate symtab (global and decl)
34 * - datum in the decl symtab has correct type_set
35 * - scope datum has correct decl ids
36 * - dominates bitmap is correct
37 * Tests:
38 * - role in base, no modules
39 * - role in base optional, no modules
40 * - role a in base, b in module
41 * - role a in base and module (additive)
42 * - role a in base and 2 modules
43 * - role a in base optional, b in module
44 * - role a in base, b in module optional
45 * - role a in base optional, b in module optional
46 * - role a in base optional and module
47 * - role a in base and module optional
48 * - role a in base optional and module optional
49 * - role a in base optional and 2 modules
50 * - role a and b in base, b dom a, are types correct (TODO)
51 */
52
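/*
 * Assert that a role dominates itself and nothing else: exactly one bit must
 * be set in role->dominates, at index role->s.value - 1.
 *
 * In SELinux a dominating role inherits the type associations of the roles
 * it dominates, so an extra bit appearing after a link would widen what the
 * role is authorized for. Callers run this check after every link scenario.
 *
 * p    - policy the role belongs to; not used by this check.
 * role - role datum to inspect. A NULL role is reported as a fatal CUnit
 *        failure rather than dereferenced, so a failed lookup shows up as a
 *        test failure and not as a crash of the whole suite.
 */
static void only_dominates_self(policydb_t * p, role_datum_t * role)
{
	ebitmap_node_t *tnode;
	unsigned int i;
	int found = 0;

	(void)p;

	/* role is handed over straight from a lookup helper defined elsewhere */
	CU_ASSERT_PTR_NOT_NULL_FATAL(role);

	ebitmap_for_each_bit(&role->dominates, tnode, i) {
		if (ebitmap_node_get_bit(tnode, i)) {
			/* every set bit must be the role's own (value is 1-based) */
			found++;
			CU_ASSERT(i == role->s.value - 1);
		}
	}
	/* zero bits set (role does not even dominate itself) is also a failure */
	CU_ASSERT(found == 1);
}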
69
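/*
 * Role checks for roles declared in the base policy only.
 *
 * The aim is to confirm that base roles are not destroyed or otherwise
 * removed by the link process. For each role this verifies:
 *   - the role symbol is present with the expected declaring decl id(s),
 *   - its type set holds exactly the expected type(s) (no negset, no flags),
 *   - its dominates bitmap contains only the role itself.
 *
 * base - linked policy to inspect.
 *
 * Each declaration is located through a marker type ("tag_*") in the test
 * policy. The lookup result is asserted non-NULL before use so that a missing
 * marker is reported as a fatal test failure instead of a NULL dereference.
 */
void base_role_tests(policydb_t * base)
{
	avrule_decl_t *decl;
	role_datum_t *role;
	unsigned int decls[2];
	const char *types[2];

	/**** test for g_b_role_1 in base and decl 1 (global) ****/
	decl = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b");
	CU_ASSERT_PTR_NOT_NULL_FATAL(decl);
	decls[0] = decl->decl_id;
	test_sym_presence(base, "g_b_role_1", SYM_ROLES, SCOPE_DECL, decls, 1);
	/* make sure it has the correct type set (g_b_type_1, no negset, no flags);
	 * a NULL decl selects the global symtab */
	types[0] = "g_b_type_1";
	role = test_role_type_set(base, "g_b_role_1", NULL, types, 1, 0);
	/* This role should only dominate itself */
	only_dominates_self(base, role);

	/**** test for o1_b_role_1 in optional (decl 2) ****/
	decl = test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_b");
	CU_ASSERT_PTR_NOT_NULL_FATAL(decl);
	decls[0] = decl->decl_id;
	test_sym_presence(base, "o1_b_role_1", SYM_ROLES, SCOPE_DECL, decls, 1);
	/* make sure it has the correct type set (o1_b_type_1, no negset, no flags),
	 * this time looked up in the optional's own decl symtab */
	types[0] = "o1_b_type_1";
	role = test_role_type_set(base, "o1_b_role_1", decl, types, 1, 0);
	/* and only dominates itself */
	only_dominates_self(base, role);
}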
99
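/*
 * Role checks for a base policy that has been linked with 2 modules.
 *
 * The first two scenarios confirm that roles declared in a module are copied
 * into the base. The remaining ones confirm that type sets land in the right
 * symtab (global vs. a specific optional's decl) and are unioned only where
 * they should be: a type set that grows beyond the expected members would
 * mean the link step authorized a role for types no policy source granted.
 *
 * base - linked policy to inspect.
 *
 * Each declaration is located through a marker type ("tag_*") in the test
 * policy. Every lookup result is asserted non-NULL before use so that a
 * missing marker is a fatal test failure instead of a NULL dereference, and
 * a decl needed twice in one scenario is looked up once and reused.
 *
 * NOTE(review): in the scenarios that check two type sets, only the datum
 * returned by the second test_role_type_set() call is passed to
 * only_dominates_self(); the first datum's dominates bitmap is not checked.
 */
void module_role_tests(policydb_t * base)
{
	role_datum_t *role;
	avrule_decl_t *decl;
	avrule_decl_t *second;
	avrule_decl_t *third;
	unsigned int decls[3];
	const char *types[3];

	/**** test for role in module 1 (global) ****/
	decl = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1");
	CU_ASSERT_PTR_NOT_NULL_FATAL(decl);
	decls[0] = decl->decl_id;
	test_sym_presence(base, "g_m1_role_1", SYM_ROLES, SCOPE_DECL, decls, 1);
	/* make sure it has the correct type set (g_m1_type_1, no negset, no flags) */
	types[0] = "g_m1_type_1";
	role = test_role_type_set(base, "g_m1_role_1", NULL, types, 1, 0);
	/* and only dominates itself */
	only_dominates_self(base, role);

	/**** test for role in module 1 (optional) ****/
	decl = test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_m1");
	CU_ASSERT_PTR_NOT_NULL_FATAL(decl);
	decls[0] = decl->decl_id;
	test_sym_presence(base, "o1_m1_role_1", SYM_ROLES, SCOPE_DECL, decls, 1);
	/* make sure it has the correct type set (o1_m1_type_1, no negset, no flags) */
	types[0] = "o1_m1_type_1";
	role = test_role_type_set(base, "o1_m1_role_1", decl, types, 1, 0);
	/* and only dominates itself */
	only_dominates_self(base, role);

	/* The scenarios below test whether the type sets are copied to the
	 * right place and correctly unioned when they should be */

	/**** test for type added to base role in module 1 (global) ****/
	decl = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b");
	CU_ASSERT_PTR_NOT_NULL_FATAL(decl);
	decls[0] = decl->decl_id;
	test_sym_presence(base, "g_b_role_2", SYM_ROLES, SCOPE_DECL, decls, 1);
	/* make sure it has the correct type set
	 * (g_b_type_2, g_m1_type_1, no negset, no flags) */
	types[0] = "g_b_type_2";	/* added in base when declared */
	types[1] = "g_m1_type_1";	/* added in module */
	role = test_role_type_set(base, "g_b_role_2", NULL, types, 2, 0);
	/* and only dominates itself */
	only_dominates_self(base, role);

	/**** test for type added to base role in module 1 & 2 (global) ****/
	decl = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b");
	CU_ASSERT_PTR_NOT_NULL_FATAL(decl);
	decls[0] = decl->decl_id;
	second = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1");
	CU_ASSERT_PTR_NOT_NULL_FATAL(second);
	decls[1] = second->decl_id;
	third = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m2");
	CU_ASSERT_PTR_NOT_NULL_FATAL(third);
	decls[2] = third->decl_id;
	test_sym_presence(base, "g_b_role_3", SYM_ROLES, SCOPE_DECL, decls, 3);
	/* make sure it has the correct type set
	 * (g_b_type_2, g_m1_type_2, g_m2_type_2, no negset, no flags) */
	types[0] = "g_b_type_2";	/* added in base when declared */
	types[1] = "g_m1_type_2";	/* added in module 1 */
	types[2] = "g_m2_type_2";	/* added in module 2 */
	role = test_role_type_set(base, "g_b_role_3", NULL, types, 3, 0);
	/* and only dominates itself */
	only_dominates_self(base, role);

	/**** test for role in base optional and module 1 (additive) ****/
	decl = test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_b");
	CU_ASSERT_PTR_NOT_NULL_FATAL(decl);
	decls[0] = decl->decl_id;
	second = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1");
	CU_ASSERT_PTR_NOT_NULL_FATAL(second);
	decls[1] = second->decl_id;
	test_sym_presence(base, "o1_b_role_2", SYM_ROLES, SCOPE_DECL, decls, 2);
	/* this one will have 2 type sets, one in the global symtab and one in
	 * the base optional 1; they must stay separate, not be merged */
	types[0] = "g_m1_type_1";
	role = test_role_type_set(base, "o1_b_role_2", NULL, types, 1, 0);
	types[0] = "o1_b_type_1";
	role = test_role_type_set(base, "o1_b_role_2", decl, types, 1, 0);
	/* and only dominates itself */
	only_dominates_self(base, role);

	/**** test for role in base and module 1 optional 2 (additive) ****/
	decl = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b");
	CU_ASSERT_PTR_NOT_NULL_FATAL(decl);
	decls[0] = decl->decl_id;
	second = test_find_decl_by_sym(base, SYM_TYPES, "tag_o2_m1");
	CU_ASSERT_PTR_NOT_NULL_FATAL(second);
	decls[1] = second->decl_id;
	test_sym_presence(base, "g_b_role_4", SYM_ROLES, SCOPE_DECL, decls, 2);
	/* this one will have 2 type sets, one in the global symtab and one in
	 * the decl tagged tag_o2_m1 */
	types[0] = "g_b_type_2";
	role = test_role_type_set(base, "g_b_role_4", NULL, types, 1, 0);
	types[0] = "g_m1_type_2";
	role = test_role_type_set(base, "g_b_role_4", second, types, 1, 0);
	/* and only dominates itself */
	only_dominates_self(base, role);

	/**** test for role in base optional 3 and module 1 optional 3 (additive) ****/
	decl = test_find_decl_by_sym(base, SYM_TYPES, "tag_o3_b");
	CU_ASSERT_PTR_NOT_NULL_FATAL(decl);
	decls[0] = decl->decl_id;
	second = test_find_decl_by_sym(base, SYM_TYPES, "tag_o3_m1");
	CU_ASSERT_PTR_NOT_NULL_FATAL(second);
	decls[1] = second->decl_id;
	test_sym_presence(base, "o3_b_role_1", SYM_ROLES, SCOPE_DECL, decls, 2);
	/* this one will have 2 type sets, one in the 3rd base optional and one
	 * in the 3rd module optional */
	types[0] = "o3_b_type_1";
	role = test_role_type_set(base, "o3_b_role_1", decl, types, 1, 0);
	types[0] = "o3_m1_type_1";
	role = test_role_type_set(base, "o3_b_role_1", second, types, 1, 0);
	/* and only dominates itself */
	only_dominates_self(base, role);

	/**** test for role in base optional 4 and 2 modules (additive) ****/
	decl = test_find_decl_by_sym(base, SYM_TYPES, "tag_o4_b");
	CU_ASSERT_PTR_NOT_NULL_FATAL(decl);
	decls[0] = decl->decl_id;
	second = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1");
	CU_ASSERT_PTR_NOT_NULL_FATAL(second);
	decls[1] = second->decl_id;
	third = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m2");
	CU_ASSERT_PTR_NOT_NULL_FATAL(third);
	decls[2] = third->decl_id;
	test_sym_presence(base, "o4_b_role_1", SYM_ROLES, SCOPE_DECL, decls, 3);
	/* this one will have 2 type sets, one in the global symtab (with both
	 * module types) and one in the 4th optional of base.
	 * NOTE(review): the type expected in the base optional carries a
	 * module-1 name (g_m1_type_1); confirm against the test policy source. */
	types[0] = "g_m1_type_1";
	role = test_role_type_set(base, "o4_b_role_1", decl, types, 1, 0);
	types[0] = "g_m2_type_1";
	types[1] = "g_m1_type_2";
	role = test_role_type_set(base, "o4_b_role_1", NULL, types, 2, 0);
	/* and only dominates itself */
	only_dominates_self(base, role);
}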
206