1# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
2#
3# Copyright (C) 2006 Red Hat
4# see file 'COPYING' for use and warranty information
5#
6# This program is free software; you can redistribute it and/or
7# modify it under the terms of the GNU General Public License as
8# published by the Free Software Foundation; version 2 only
9#
10# This program is distributed in the hope that it will be useful,
11# but WITHOUT ANY WARRANTY; without even the implied warranty of
12# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13# GNU General Public License for more details.
14#
15# You should have received a copy of the GNU General Public License
16# along with this program; if not, write to the Free Software
17# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
18#
19
20import unittest
21import sepolgen.refpolicy as refpolicy
22import sepolgen.access as access
23import selinux
24
25class TestIdSet(unittest.TestCase):
26    def test_set_to_str(self):
27        s = refpolicy.IdSet(["read", "write", "getattr"])
28        s = s.to_space_str().split(' ')
29        s.sort()
30        expected = "{ read write getattr }".split(' ')
31        expected.sort()
32        self.assertEqual(s, expected)
33        s = refpolicy.IdSet()
34        s.add("read")
35        self.assertEqual(s.to_space_str(), "read")
36
37class TestXpermSet(unittest.TestCase):
38    def test_init(self):
39        """ Test that all atttributes are correctly initialized. """
40        s1 = refpolicy.XpermSet()
41        self.assertEqual(s1.complement, False)
42        self.assertEqual(s1.ranges, [])
43
44        s2 = refpolicy.XpermSet(True)
45        self.assertEqual(s2.complement, True)
46        self.assertEqual(s2.ranges, [])
47
48    def test_normalize_ranges(self):
49        """ Test that ranges that are overlapping or neighboring are correctly
50            merged into one range. """
51        s = refpolicy.XpermSet()
52        s.ranges = [(1, 7), (5, 10), (100, 110), (102, 107), (200, 205),
53            (205, 210), (300, 305), (306, 310), (400, 405), (407, 410),
54            (500, 502), (504, 508), (500, 510)]
55        s._XpermSet__normalize_ranges()
56
57        i = 0
58        r = list(sorted(s.ranges))
59        while i < len(r) - 1:
60            # check that range low bound is less than equal than the upper bound
61            self.assertLessEqual(r[i][0], r[i][1])
62            # check that two ranges are not overlapping or neighboring
63            self.assertGreater(r[i + 1][0] - r[i][1], 1)
64            i += 1
65
66    def test_add(self):
67        """ Test adding new values or ranges to the set. """
68        s = refpolicy.XpermSet()
69        s.add(1, 7)
70        s.add(5, 10)
71        s.add(42)
72        self.assertEqual(s.ranges, [(1,10), (42,42)])
73
74    def test_extend(self):
75        """ Test adding ranges from another XpermSet object. """
76        a = refpolicy.XpermSet()
77        a.add(1, 7)
78
79        b = refpolicy.XpermSet()
80        b.add(5, 10)
81
82        a.extend(b)
83        self.assertEqual(a.ranges, [(1,10)])
84
85    def test_to_string(self):
86        """ Test printing the values to a string. """
87        a = refpolicy.XpermSet()
88        a.complement = False
89        self.assertEqual(a.to_string(), "")
90        a.complement = True
91        self.assertEqual(a.to_string(), "")
92        a.add(1234)
93        self.assertEqual(a.to_string(), "~ 1234")
94        a.complement = False
95        self.assertEqual(a.to_string(), "1234")
96        a.add(2345)
97        self.assertEqual(a.to_string(), "{ 1234 2345 }")
98        a.complement = True
99        self.assertEqual(a.to_string(), "~ { 1234 2345 }")
100        a.add(42,64)
101        self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
102        a.complement = False
103        self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")
104
105class TestSecurityContext(unittest.TestCase):
106    def test_init(self):
107        sc = refpolicy.SecurityContext()
108        sc = refpolicy.SecurityContext("user_u:object_r:foo_t")
109
110    def test_from_string(self):
111        context = "user_u:object_r:foo_t"
112        sc = refpolicy.SecurityContext()
113        sc.from_string(context)
114        self.assertEqual(sc.user, "user_u")
115        self.assertEqual(sc.role, "object_r")
116        self.assertEqual(sc.type, "foo_t")
117        self.assertEqual(sc.level, None)
118        if selinux.is_selinux_mls_enabled():
119            self.assertEqual(str(sc), context + ":s0")
120        else:
121            self.assertEqual(str(sc), context)
122        self.assertEqual(sc.to_string(default_level="s1"), context + ":s1")
123
124        context = "user_u:object_r:foo_t:s0-s0:c0-c255"
125        sc = refpolicy.SecurityContext()
126        sc.from_string(context)
127        self.assertEqual(sc.user, "user_u")
128        self.assertEqual(sc.role, "object_r")
129        self.assertEqual(sc.type, "foo_t")
130        self.assertEqual(sc.level, "s0-s0:c0-c255")
131        self.assertEqual(str(sc), context)
132        self.assertEqual(sc.to_string(), context)
133
134        sc = refpolicy.SecurityContext()
135        self.assertRaises(ValueError, sc.from_string, "abc")
136
137    def test_equal(self):
138        sc1 = refpolicy.SecurityContext("user_u:object_r:foo_t")
139        sc2 = refpolicy.SecurityContext("user_u:object_r:foo_t")
140        sc3 = refpolicy.SecurityContext("user_u:object_r:foo_t:s0")
141        sc4 = refpolicy.SecurityContext("user_u:object_r:bar_t")
142
143        self.assertEqual(sc1, sc2)
144        self.assertNotEqual(sc1, sc3)
145        self.assertNotEqual(sc1, sc4)
146
147class TestObjecClass(unittest.TestCase):
148    def test_init(self):
149        o = refpolicy.ObjectClass(name="file")
150        self.assertEqual(o.name, "file")
151        self.assertTrue(isinstance(o.perms, set))
152
153class TestAVRule(unittest.TestCase):
154    def test_init(self):
155        a = refpolicy.AVRule()
156        self.assertEqual(a.rule_type, a.ALLOW)
157        self.assertTrue(isinstance(a.src_types, set))
158        self.assertTrue(isinstance(a.tgt_types, set))
159        self.assertTrue(isinstance(a.obj_classes, set))
160        self.assertTrue(isinstance(a.perms, set))
161
162    def test_to_string(self):
163        a = refpolicy.AVRule()
164        a.src_types.add("foo_t")
165        a.tgt_types.add("bar_t")
166        a.obj_classes.add("file")
167        a.perms.add("read")
168        self.assertEqual(a.to_string(), "allow foo_t bar_t:file read;")
169
170        a.rule_type = a.DONTAUDIT
171        a.src_types.add("user_t")
172        a.tgt_types.add("user_home_t")
173        a.obj_classes.add("lnk_file")
174        a.perms.add("write")
175        # This test might need to go because set ordering is not guaranteed
176        a = a.to_string().split(' ')
177        a.sort()
178        b = "dontaudit { foo_t user_t } { user_home_t bar_t }:{ lnk_file file } { read write };".split(' ')
179        b.sort()
180        self.assertEqual(a, b)
181
182class TestAVExtRule(unittest.TestCase):
183    def test_init(self):
184        """ Test initialization of attributes """
185        a = refpolicy.AVExtRule()
186        self.assertEqual(a.rule_type, a.ALLOWXPERM)
187        self.assertIsInstance(a.src_types, set)
188        self.assertIsInstance(a.tgt_types, set)
189        self.assertIsInstance(a.obj_classes, set)
190        self.assertIsNone(a.operation)
191        self.assertIsInstance(a.xperms, refpolicy.XpermSet)
192
193    def test_rule_type_str(self):
194        """ Test strings returned by __rule_type_str() """
195        a = refpolicy.AVExtRule()
196        self.assertEqual(a._AVExtRule__rule_type_str(), "allowxperm")
197        a.rule_type = a.ALLOWXPERM
198        self.assertEqual(a._AVExtRule__rule_type_str(), "allowxperm")
199        a.rule_type = a.DONTAUDITXPERM
200        self.assertEqual(a._AVExtRule__rule_type_str(), "dontauditxperm")
201        a.rule_type = a.NEVERALLOWXPERM
202        self.assertEqual(a._AVExtRule__rule_type_str(), "neverallowxperm")
203        a.rule_type = a.AUDITALLOWXPERM
204        self.assertEqual(a._AVExtRule__rule_type_str(), "auditallowxperm")
205        a.rule_type = 42
206        self.assertIsNone(a._AVExtRule__rule_type_str())
207
208    def test_from_av(self):
209        """ Test creating the rule from an access vector. """
210        av = access.AccessVector(["foo", "bar", "file", "ioctl"])
211        xp = refpolicy.XpermSet()
212        av.xperms = { "ioctl": xp }
213
214        a = refpolicy.AVExtRule()
215
216        a.from_av(av, "ioctl")
217        self.assertEqual(a.src_types, {"foo"})
218        self.assertEqual(a.tgt_types, {"bar"})
219        self.assertEqual(a.obj_classes, {"file"})
220        self.assertEqual(a.operation, "ioctl")
221        self.assertIs(a.xperms, xp)
222
223    def test_from_av_self(self):
224        """ Test creating the rule from an access vector that has same
225            source and target context. """
226        av = access.AccessVector(["foo", "foo", "file", "ioctl"])
227        xp = refpolicy.XpermSet()
228        av.xperms = { "ioctl": xp }
229
230        a = refpolicy.AVExtRule()
231
232        a.from_av(av, "ioctl")
233        self.assertEqual(a.src_types, {"foo"})
234        self.assertEqual(a.tgt_types, {"self"})
235        self.assertEqual(a.obj_classes, {"file"})
236        self.assertEqual(a.operation, "ioctl")
237        self.assertIs(a.xperms, xp)
238
239    def test_to_string(self):
240        """ Test printing the rule to a string. """
241        a = refpolicy.AVExtRule()
242        a._AVExtRule__rule_type_str = lambda: "first"
243        a.src_types.to_space_str = lambda: "second"
244        a.tgt_types.to_space_str = lambda: "third"
245        a.obj_classes.to_space_str = lambda: "fourth"
246        a.operation = "fifth"
247        a.xperms.to_string = lambda: "seventh"
248
249        self.assertEqual(a.to_string(),
250                         "first second third:fourth fifth seventh;")
251
252class TestTypeRule(unittest.TestCase):
253    def test_init(self):
254        a = refpolicy.TypeRule()
255        self.assertEqual(a.rule_type, a.TYPE_TRANSITION)
256        self.assertTrue(isinstance(a.src_types, set))
257        self.assertTrue(isinstance(a.tgt_types, set))
258        self.assertTrue(isinstance(a.obj_classes, set))
259        self.assertEqual(a.dest_type, "")
260
261    def test_to_string(self):
262        a = refpolicy.TypeRule()
263        a.src_types.add("foo_t")
264        a.tgt_types.add("bar_exec_t")
265        a.obj_classes.add("process")
266        a.dest_type = "bar_t"
267        self.assertEqual(a.to_string(), "type_transition foo_t bar_exec_t:process bar_t;")
268
269
270class TestParseNode(unittest.TestCase):
271    def test_walktree(self):
272        # Construct a small tree
273        h = refpolicy.Headers()
274        a = refpolicy.AVRule()
275        a.src_types.add("foo_t")
276        a.tgt_types.add("bar_t")
277        a.obj_classes.add("file")
278        a.perms.add("read")
279
280        ifcall = refpolicy.InterfaceCall(ifname="allow_foobar")
281        ifcall.args.append("foo_t")
282        ifcall.args.append("{ file dir }")
283
284        i = refpolicy.Interface(name="foo")
285        i.children.append(a)
286        i.children.append(ifcall)
287        h.children.append(i)
288
289        a = refpolicy.AVRule()
290        a.rule_type = a.DONTAUDIT
291        a.src_types.add("user_t")
292        a.tgt_types.add("user_home_t")
293        a.obj_classes.add("lnk_file")
294        a.perms.add("write")
295        i = refpolicy.Interface(name="bar")
296        i.children.append(a)
297        h.children.append(i)
298
299class TestHeaders(unittest.TestCase):
300    def test_iter(self):
301        h = refpolicy.Headers()
302        h.children.append(refpolicy.Interface(name="foo"))
303        h.children.append(refpolicy.Interface(name="bar"))
304        h.children.append(refpolicy.ClassMap("file", "read write"))
305        i = 0
306        for node in h:
307            i += 1
308        self.assertEqual(i, 3)
309
310        i = 0
311        for node in h.interfaces():
312            i += 1
313        self.assertEqual(i, 2)
314
315