1# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
2#
3# Copyright (C) 2006 Red Hat
4# see file 'COPYING' for use and warranty information
5#
6# This program is free software; you can redistribute it and/or
7# modify it under the terms of the GNU General Public License as
8# published by the Free Software Foundation; version 2 only
9#
10# This program is distributed in the hope that it will be useful,
11# but WITHOUT ANY WARRANTY; without even the implied warranty of
12# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13# GNU General Public License for more details.
14#
15# You should have received a copy of the GNU General Public License
16# along with this program; if not, write to the Free Software
17# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
18#
19
20import unittest
21import sepolgen.policygen as policygen
22import sepolgen.access as access
23import sepolgen.refpolicy as refpolicy
24
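class TestPolicyGenerator(unittest.TestCase):
    """Tests for sepolgen.policygen.PolicyGenerator.

    The generator turns a set of access vectors into reference-policy rule
    objects appended to ``self.g.module.children``.  The properties checked
    here are the ones that matter for the policy that ends up loaded:

    * permissions for one (source, target, class) triple are merged into a
      single ``allow`` rule;
    * extended (ioctl) permissions are only emitted as ``allowxperm`` rules
      when that feature is explicitly switched on;
    * an ``allowxperm`` rule covers exactly the ioctl numbers that were
      observed and is never widened onto another object class.
    """

    def setUp(self):
        """ Create a fresh generator for every test so no rules leak
            between test methods. """
        self.g = policygen.PolicyGenerator()

    def test_init(self):
        """ Test that extended permission AV rules are not generated by
            default. """
        self.assertFalse(self.g.xperms)

    def test_set_gen_xperms(self):
        """ Test turning on and off generating of extended permission
            AV rules. """
        self.g.set_gen_xperms(True)
        self.assertTrue(self.g.xperms)
        self.g.set_gen_xperms(False)
        self.assertFalse(self.g.xperms)

    def _index_rules(self):
        """ Map every generated rule to a (kind, object-class set) key.

            Rule order in ``module.children`` is not guaranteed, so tests
            look rules up by key instead of by position.  Fails the test on
            an unexpected rule type and on two rules sharing a key, which
            would mean the generator emitted duplicates instead of merging.

            Returns:
                dict mapping ("allow" | "allowxperm", frozenset of object
                classes) to the rule object. """
        found = {}
        for r in self.g.module.children:
            # AVRule is tested first, matching the order the original
            # classification relied on.
            if isinstance(r, refpolicy.AVRule):
                kind = "allow"
            elif isinstance(r, refpolicy.AVExtRule):
                kind = "allowxperm"
            else:
                self.fail("Unexpected rule type '%s'" % type(r))
            key = (kind, frozenset(r.obj_classes))
            self.assertNotIn(key, found, "duplicate rule for %r" % (key,))
            found[key] = r
        return found

    def _check_allow_rule(self, rule, obj_class):
        """ Assert that ``rule`` is the plain allow rule for ``obj_class``
            granting only the ``ioctl`` permission. """
        self.assertEqual(rule.rule_type, rule.ALLOW)
        self.assertEqual(rule.src_types, {"test_src_t"})
        self.assertEqual(rule.tgt_types, {"test_tgt_t"})
        self.assertEqual(rule.obj_classes, {obj_class})
        self.assertEqual(rule.perms, {"ioctl"})

    def _check_allowxperm_rule(self, rule, obj_class, ioctls):
        """ Assert that ``rule`` is the allowxperm rule for ``obj_class``
            covering exactly the ioctl numbers in ``ioctls`` -- no more,
            no fewer. """
        self.assertEqual(rule.rule_type, rule.ALLOWXPERM)
        self.assertEqual(rule.src_types, {"test_src_t"})
        self.assertEqual(rule.tgt_types, {"test_tgt_t"})
        self.assertEqual(rule.obj_classes, {obj_class})
        self.assertEqual(rule.operation, "ioctl")
        expected = refpolicy.XpermSet()
        for n in ioctls:
            expected.add(n)
        # Compare the range lists rather than the set objects so the check
        # does not depend on XpermSet defining equality.
        self.assertEqual(rule.xperms.ranges, expected.ranges)

    def test_av_rules(self):
        """ Test generating of AV rules from access vectors.

            Three access vectors for the same (src, tgt, class) triple
            must collapse into one allow rule carrying all three
            permissions. """
        av1 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
        av2 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "open"])
        av3 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "read"])

        avs = access.AccessVectorSet()
        avs.add_av(av1)
        avs.add_av(av2)
        avs.add_av(av3)

        self.g.add_access(avs)

        self.assertEqual(len(self.g.module.children), 1)
        r = self.g.module.children[0]
        self.assertIsInstance(r, refpolicy.AVRule)
        self.assertEqual(r.rule_type, r.ALLOW)
        self.assertEqual(r.src_types, {"test_src_t"})
        self.assertEqual(r.tgt_types, {"test_tgt_t"})
        self.assertEqual(r.obj_classes, {"file"})
        self.assertEqual(r.perms, {"ioctl", "open", "read"})
        self.assertEqual(r.to_string(),
            "allow test_src_t test_tgt_t:file { ioctl open read };")

    def test_ext_av_rules_disabled(self):
        """ Test that ioctl numbers carried by an access vector do not
            produce an allowxperm rule while extended permission
            generation is off (the default, see test_init).  Only the
            plain allow rule may appear; an allowxperm rule in a module
            that did not ask for one would be a generator defect. """
        self.assertFalse(self.g.xperms)

        av = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
        av.xperms['ioctl'] = refpolicy.XpermSet()
        av.xperms['ioctl'].add(42)

        avs = access.AccessVectorSet()
        avs.add_av(av)

        self.g.add_access(avs)

        self.assertEqual(len(self.g.module.children), 1)
        r = self.g.module.children[0]
        self.assertIsInstance(r, refpolicy.AVRule)
        self._check_allow_rule(r, "file")

    def test_ext_av_rules(self):
        """ Test generating of extended permission AV rules from access
            vectors.

            Two ioctl numbers on the same (src, tgt, file) triple must be
            merged into one allowxperm rule, while the ioctl number on the
            dir class must stay in its own rule -- an xperm set must never
            be widened onto another object class. """
        self.g.set_gen_xperms(True)

        av1 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
        av1.xperms['ioctl'] = refpolicy.XpermSet()
        av1.xperms['ioctl'].add(42)
        av2 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
        av2.xperms['ioctl'] = refpolicy.XpermSet()
        av2.xperms['ioctl'].add(1234)
        av3 = access.AccessVector(["test_src_t", "test_tgt_t", "dir", "ioctl"])
        av3.xperms['ioctl'] = refpolicy.XpermSet()
        av3.xperms['ioctl'].add(2345)

        avs = access.AccessVectorSet()
        avs.add_av(av1)
        avs.add_av(av2)
        avs.add_av(av3)

        self.g.add_access(avs)

        # One allow rule plus one allowxperm rule per object class.
        self.assertEqual(len(self.g.module.children), 4)

        # we cannot sort the rules, so look them up by kind and class
        rules = self._index_rules()
        file_cls = frozenset(["file"])
        dir_cls = frozenset(["dir"])
        self.assertEqual(set(rules), {
            ("allow", file_cls), ("allowxperm", file_cls),
            ("allow", dir_cls), ("allowxperm", dir_cls),
        })

        self._check_allow_rule(rules[("allow", file_cls)], "file")
        self._check_allowxperm_rule(rules[("allowxperm", file_cls)],
                                    "file", [42, 1234])

        self._check_allow_rule(rules[("allow", dir_cls)], "dir")
        self._check_allowxperm_rule(rules[("allowxperm", dir_cls)],
                                    "dir", [2345])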
135
136