From e0e687f151abff724022239ef532f624fc938b35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Wed, 23 Oct 2024 10:43:28 +1100 Subject: [PATCH 1/4] Use 'main' branch from selinux for testing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thiébaud Weksteen --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index c7d3da6b..8de394ed 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -4,7 +4,7 @@ on: [push, pull_request] env: # This should be the minimum version required to run setools: - SELINUX_USERSPACE_VERSION: 3.2 + SELINUX_USERSPACE_VERSION: main # GitHub doesn't support building env # vars from others in this block. From ab4cce4fb935a9514dfd4c0d94e7115771dbce15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Wed, 23 Oct 2024 10:46:37 +1100 Subject: [PATCH 2/4] Rename IoctlSet to XpermSet MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The same class can be used for both ioctl and nlmsg extended permissions. Rename the current class and mark IoctlSet as deprecated. Signed-off-by: Thiébaud Weksteen --- setools/__init__.py | 2 +- setools/diff/terules.py | 12 ++-- setools/policyrep.pyi | 8 ++- setools/policyrep/terule.pxi | 18 ++++-- setools/terulequery.py | 6 +- tests/library/policyrep/test_rules.py | 10 +-- tests/library/test_diff.py | 88 +++++++++++++-------------- tests/library/test_terulequery.py | 47 +++++++------- tests/library/util.py | 2 +- 9 files changed, 102 insertions(+), 91 deletions(-) diff --git a/setools/__init__.py b/setools/__init__.py index 1efd2cc0..d7090a81 100644 --- a/setools/__init__.py +++ b/setools/__init__.py 
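Review bot: The comment kept just above the changed line, `# This should be the minimum version required to run setools:`, now describes a value of `main`, which is a moving branch rather than a minimum version, so the comment and the value contradict each other. Building CI against an unpinned branch head also makes runs non-reproducible and lets any upstream change break or silently alter this project's test results. If tracking `main` is needed until the nlmsg support used later in this series is released upstream, say so in the comment, e.g. `# Temporarily tracks 'main' for nlmsg xperm support; pin back to the minimum released version once it ships:`, or pin to a specific upstream commit in the meantime.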
@@ -26,7 +26,7 @@ IoctlSet, Iomemcon, IomemconRange, Ioportcon, IoportconRange, Level, LevelDecl, MLSRule, \ Netifcon, Nodecon, ObjClass, Pcidevicecon, Pirqcon, PolicyCapability, Portcon, PortconRange, \ Range, Role, RoleAllow, RoleTransition, Sensitivity, TERule, TruthTableRow, Type, \ - TypeAttribute, User, Validatetrans + TypeAttribute, User, Validatetrans, XpermSet # Exceptions from . import exception diff --git a/setools/diff/terules.py b/setools/diff/terules.py index 50916e16..4979c779 100644 --- a/setools/diff/terules.py +++ b/setools/diff/terules.py @@ -41,9 +41,9 @@ class ModifiedAVRuleXperm(DifferenceResult): """Difference details for a modified access vector rule.""" rule: policyrep.AVRuleXperm - added_perms: policyrep.IoctlSet - removed_perms: policyrep.IoctlSet - matched_perms: policyrep.IoctlSet + added_perms: policyrep.XpermSet + removed_perms: policyrep.XpermSet + matched_perms: policyrep.XpermSet @dataclass(frozen=True, order=True) @@ -365,9 +365,9 @@ def diff(self) -> None: if added_perms or removed_perms: modified.append( ModifiedAVRuleXperm(left_rule.origin, - policyrep.IoctlSet(added_perms), - policyrep.IoctlSet(removed_perms), - policyrep.IoctlSet(p[0] for p in matched_perms))) + policyrep.XpermSet(added_perms), + policyrep.XpermSet(removed_perms), + policyrep.XpermSet(p[0] for p in matched_perms))) setattr(self, f"added_{ruletype}s", set(a.origin for a in added)) setattr(self, f"removed_{ruletype}s", set(r.origin for r in removed)) diff --git a/setools/policyrep.pyi b/setools/policyrep.pyi index 445a2b4d..63bd2872 100644 --- a/setools/policyrep.pyi +++ b/setools/policyrep.pyi @@ -43,7 +43,7 @@ class PolicyRule(PolicyObject): target: "PolicySymbol" = ... tclass: "ObjClass" = ... xperm_type: str = ... - perms: frozenset[str] | "IoctlSet" = ... + perms: frozenset[str] | "XpermSet" = ... default: PolicyObject = ... filename: str = ... def enabled(self, **kwargs) -> bool: ... 
@@ -101,7 +101,7 @@ class AVRule(BaseTERule): class AVRuleXperm(BaseTERule): default: NoReturn = ... - perms: "IoctlSet" = ... + perms: "XpermSet" = ... xperm_type: str = ... def expand(self, *args, **kwargs) -> Iterable["AVRuleXperm"]: ... @@ -247,9 +247,11 @@ class IbpkeyconRange: class InitialSID(Ocontext): name: str = ... -class IoctlSet(frozenset[int]): +class XpermSet(frozenset[int]): def ranges(self) -> int: ... +class IoctlSet(XpermSet): ... + class Iomemcon(Ocontext): addr: "IomemconRange" = ... diff --git a/setools/policyrep/terule.pxi b/setools/policyrep/terule.pxi index 384c0743..0aa807d4 100644 --- a/setools/policyrep/terule.pxi +++ b/setools/policyrep/terule.pxi @@ -213,11 +213,11 @@ cdef class AVRule(BaseTERule): return self.rule_string -cdef class IoctlSet(frozenset): +cdef class XpermSet(frozenset): """ A set with overridden string functions which compresses - the output into ioctl ranges instead of individual elements. + the output into ioctl/nlmsg ranges instead of individual elements. """ def __format__(self, spec): @@ -249,7 +249,7 @@ cdef class IoctlSet(frozenset): elif spec == ",": return ", ".join(shortlist) else: - return super(IoctlSet, self).__format__(spec) + return super().__format__(spec) def __str__(self): return f"{self}" @@ -267,12 +267,20 @@ cdef class IoctlSet(frozenset): sorted(self), key=lambda k, c=itertools.count(): k - next(c))) +cdef class IoctlSet(XpermSet): + + def __init__(self, *args, **kwargs): + log = logging.getLogger(__name__) + log.warning("IoctlSet is deprecated, use XpermSet instead.") + super().__init__(*args, **kwargs) + + cdef class AVRuleXperm(BaseTERule): """An extended permission access vector type enforcement rule.""" cdef: - readonly IoctlSet perms + readonly XpermSet perms readonly str xperm_type @staticmethod 
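Review bot: The deprecated `IoctlSet.__init__` forwards its arguments with `super().__init__(*args, **kwargs)`, but `frozenset` consumes the iterable in `__new__` and defines no `__init__` of its own, so the call lands in `object.__init__` with excess arguments; if I read CPython's rule correctly, that raises `TypeError: object.__init__() takes exactly one argument` for any `IoctlSet(iterable)` call, making the compatibility shim unusable. Nothing in this series exercises the deprecated name after the rename (every test now constructs `XpermSet`), so the regression would not be caught. The elements are already in place by the time `__init__` runs, so the forward can simply be dropped: `super().__init__()`. Separately, Python's conventional deprecation channel is `warnings.warn("IoctlSet is deprecated, use XpermSet instead.", DeprecationWarning, stacklevel=2)`, which lets callers filter or escalate it, whereas a `logging` warning fires on every construction and depends on `logging` being in scope in the module that includes this .pxi, which is not visible here.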
@@ -322,7 +330,7 @@ cdef class AVRuleXperm(BaseTERule): r.source = type_or_attr_factory(policy, policy.type_value_to_datum(key.source_type - 1)) r.target = type_or_attr_factory(policy, policy.type_value_to_datum(key.target_type - 1)) r.tclass = ObjClass.factory(policy, policy.class_value_to_datum(key.target_class - 1)) - r.perms = IoctlSet(perms) + r.perms = XpermSet(perms) r.extended = True r.xperm_type = xperm_type r._conditional = conditional diff --git a/setools/terulequery.py b/setools/terulequery.py index 7a9b50d8..866495c3 100644 --- a/setools/terulequery.py +++ b/setools/terulequery.py @@ -80,11 +80,11 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer boolean = CriteriaSetDescriptor[policyrep.Boolean]("boolean_regex", "lookup_boolean") boolean_regex: bool = False boolean_equal: bool = False - _xperms: policyrep.IoctlSet | None = None + _xperms: policyrep.XpermSet | None = None xperms_equal: bool = False @property - def xperms(self) -> policyrep.IoctlSet | None: + def xperms(self) -> policyrep.XpermSet | None: return self._xperms @xperms.setter @@ -104,7 +104,7 @@ def xperms(self, value: Iterable[tuple[int, int]] | None) -> None: pending_xperms.update(i for i in range(low, high + 1)) - self._xperms = policyrep.IoctlSet(pending_xperms) + self._xperms = policyrep.XpermSet(pending_xperms) else: self._xperms = None diff --git a/tests/library/policyrep/test_rules.py b/tests/library/policyrep/test_rules.py index 6ff6a040..36281763 100644 --- a/tests/library/policyrep/test_rules.py +++ b/tests/library/policyrep/test_rules.py @@ -25,7 +25,7 @@ class RuleTestCase: type_: type # the rule's policyrep class tclass: str | None = None xperm: str | None = None - perms: set[str] | setools.IoctlSet | None = None + perms: set[str] | setools.XpermSet | None = None default: str | None = None filename: str | None = None conditional: str | None = None 
@@ -57,10 +57,10 @@ class RuleTestCase: default="system", type_=setools.TERule, conditional="a_bool", statement="type_change type31c type31b:infoflow2 system; [ a_bool ]:False"), RuleTestCase(setools.TERuletype.allowxperm, "type30", "type31a", tclass="infoflow", - xperm="ioctl", perms=setools.IoctlSet((0x00ff,)), type_=setools.AVRuleXperm, + xperm="ioctl", perms=setools.XpermSet((0x00ff,)), type_=setools.AVRuleXperm, statement="allowxperm type30 type31a:infoflow ioctl 0x00ff;"), RuleTestCase(setools.TERuletype.auditallowxperm, "type31a", "type31b", tclass="infoflow", - xperm="ioctl", perms=setools.IoctlSet((1, 2, 3)), type_=setools.AVRuleXperm, + xperm="ioctl", perms=setools.XpermSet((1, 2, 3)), type_=setools.AVRuleXperm, statement="auditallowxperm type31a type31b:infoflow ioctl 0x0001-0x0003;")] @@ -213,5 +213,5 @@ def test_regression(self, compiled_policy: setools.SELinuxPolicy): # expect 2 rules: # allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x8910 }; # allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x0-0xff }; - assert setools.IoctlSet(range(0x100)) == rules[0].perms, f"{rules[0].perms}" - assert setools.IoctlSet([0x8910]) == rules[1].perms, f"{rules[1].perms}" + assert setools.XpermSet(range(0x100)) == rules[0].perms, f"{rules[0].perms}" + assert setools.XpermSet([0x8910]) == rules[1].perms, f"{rules[1].perms}" diff --git a/tests/library/test_diff.py b/tests/library/test_diff.py index c2ae1d78..d85ae603 100644 --- a/tests/library/test_diff.py +++ b/tests/library/test_diff.py 
@@ -1581,12 +1581,12 @@ def test_added_allowxperm_rules(self, analysis: setools.PolicyDifference) -> Non # added rule with new type util.validate_rule(rules[0], TRT.allowxperm, "added_type", "added_type", - tclass="infoflow7", perms=setools.IoctlSet([0x0009]), xperm="ioctl") + tclass="infoflow7", perms=setools.XpermSet([0x0009]), xperm="ioctl") # added rule with existing types util.validate_rule(rules[1], TRT.allowxperm, "ax_added_rule_source", "ax_added_rule_target", tclass="infoflow", - perms=setools.IoctlSet([0x0002]), xperm="ioctl") + perms=setools.XpermSet([0x0002]), xperm="ioctl") def test_removed_allowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed allowxperm rules.""" @@ -1596,11 +1596,11 @@ def test_removed_allowxperm_rules(self, analysis: setools.PolicyDifference) -> N # removed rule with existing types util.validate_rule(rules[0], TRT.allowxperm, "ax_removed_rule_source", "ax_removed_rule_target", tclass="infoflow", - perms=setools.IoctlSet([0x0002]), xperm="ioctl") + perms=setools.XpermSet([0x0002]), xperm="ioctl") # removed rule with new type util.validate_rule(rules[1], TRT.allowxperm, "removed_type", "removed_type", - tclass="infoflow7", perms=setools.IoctlSet([0x0009]), xperm="ioctl") + tclass="infoflow7", perms=setools.XpermSet([0x0009]), xperm="ioctl") def test_modified_allowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified allowxperm rules.""" 
@@ -1613,9 +1613,9 @@ def test_modified_allowxperm_rules(self, analysis: setools.PolicyDifference) -> assert "ax_modified_rule_add_perms" == rule.source assert "ax_modified_rule_add_perms" == rule.target assert "infoflow" == rule.tclass - assert setools.IoctlSet([0x000f]) == added_perms + assert setools.XpermSet([0x000f]) == added_perms assert not removed_perms - assert setools.IoctlSet([0x0004]) == matched_perms + assert setools.XpermSet([0x0004]) == matched_perms # add and remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[1]) @@ -1623,9 +1623,9 @@ def test_modified_allowxperm_rules(self, analysis: setools.PolicyDifference) -> assert "ax_modified_rule_add_remove_perms" == rule.source assert "ax_modified_rule_add_remove_perms" == rule.target assert "infoflow2" == rule.tclass - assert setools.IoctlSet([0x0006]) == added_perms - assert setools.IoctlSet([0x0007]) == removed_perms - assert setools.IoctlSet([0x0008]) == matched_perms + assert setools.XpermSet([0x0006]) == added_perms + assert setools.XpermSet([0x0007]) == removed_perms + assert setools.XpermSet([0x0008]) == matched_perms # remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[2]) @@ -1634,8 +1634,8 @@ def test_modified_allowxperm_rules(self, analysis: setools.PolicyDifference) -> assert "ax_modified_rule_remove_perms" == rule.target assert "infoflow" == rule.tclass assert not added_perms - assert setools.IoctlSet([0x0006]) == removed_perms - assert setools.IoctlSet([0x0005]) == matched_perms + assert setools.XpermSet([0x0006]) == removed_perms + assert setools.XpermSet([0x0005]) == matched_perms # # Auditallowxperm rules 
@@ -1648,11 +1648,11 @@ def test_added_auditallowxperm_rules(self, analysis: setools.PolicyDifference) - # added rule with existing types util.validate_rule(rules[0], TRT.auditallowxperm, "aax_added_rule_source", "aax_added_rule_target", tclass="infoflow", - perms=setools.IoctlSet([0x0002]), xperm="ioctl") + perms=setools.XpermSet([0x0002]), xperm="ioctl") # added rule with new type util.validate_rule(rules[1], TRT.auditallowxperm, "added_type", "added_type", - tclass="infoflow7", perms=setools.IoctlSet([0x0009]), xperm="ioctl") + tclass="infoflow7", perms=setools.XpermSet([0x0009]), xperm="ioctl") def test_removed_auditallowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed auditallowxperm rules.""" @@ -1662,11 +1662,11 @@ def test_removed_auditallowxperm_rules(self, analysis: setools.PolicyDifference) # removed rule with existing types util.validate_rule(rules[0], TRT.auditallowxperm, "aax_removed_rule_source", "aax_removed_rule_target", tclass="infoflow", - perms=setools.IoctlSet([0x0002]), xperm="ioctl") + perms=setools.XpermSet([0x0002]), xperm="ioctl") # removed rule with new type util.validate_rule(rules[1], TRT.auditallowxperm, "removed_type", "removed_type", - tclass="infoflow7", perms=setools.IoctlSet([0x0009]), xperm="ioctl") + tclass="infoflow7", perms=setools.XpermSet([0x0009]), xperm="ioctl") def test_modified_auditallowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified auditallowxperm rules.""" 
@@ -1679,9 +1679,9 @@ def test_modified_auditallowxperm_rules(self, analysis: setools.PolicyDifference assert "aax_modified_rule_add_perms" == rule.source assert "aax_modified_rule_add_perms" == rule.target assert "infoflow" == rule.tclass - assert setools.IoctlSet([0x000f]) == added_perms + assert setools.XpermSet([0x000f]) == added_perms assert not removed_perms - assert setools.IoctlSet([0x0004]) == matched_perms + assert setools.XpermSet([0x0004]) == matched_perms # add and remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[1]) @@ -1689,9 +1689,9 @@ def test_modified_auditallowxperm_rules(self, analysis: setools.PolicyDifference assert "aax_modified_rule_add_remove_perms" == rule.source assert "aax_modified_rule_add_remove_perms" == rule.target assert "infoflow2" == rule.tclass - assert setools.IoctlSet([0x0006]) == added_perms - assert setools.IoctlSet([0x0007]) == removed_perms - assert setools.IoctlSet([0x0008]) == matched_perms + assert setools.XpermSet([0x0006]) == added_perms + assert setools.XpermSet([0x0007]) == removed_perms + assert setools.XpermSet([0x0008]) == matched_perms # remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[2]) @@ -1700,8 +1700,8 @@ def test_modified_auditallowxperm_rules(self, analysis: setools.PolicyDifference assert "aax_modified_rule_remove_perms" == rule.target assert "infoflow" == rule.tclass assert not added_perms - assert setools.IoctlSet([0x0006]) == removed_perms - assert setools.IoctlSet([0x0005]) == matched_perms + assert setools.XpermSet([0x0006]) == removed_perms + assert setools.XpermSet([0x0005]) == matched_perms # # Neverallowxperm rules 
@@ -1715,11 +1715,11 @@ def test_added_neverallowxperm_rules(self, analysis: setools.PolicyDifference) - # # # added rule with new type # util.validate_rule(rules[0], TRT.neverallowxperm, "added_type", "added_type", - # "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") + # "infoflow7", setools.XpermSet([0x0009]), xperm="ioctl") # # # added rule with existing types # util.validate_rule(rules[1], TRT.neverallowxperm, "nax_added_rule_source", - # "nax_added_rule_target", "infoflow", setools.IoctlSet([0x0002]), + # "nax_added_rule_target", "infoflow", setools.XpermSet([0x0002]), # xperm="ioctl") def test_removed_neverallowxperm_rules(self, analysis: setools.PolicyDifference) -> None: @@ -1731,12 +1731,12 @@ def test_removed_neverallowxperm_rules(self, analysis: setools.PolicyDifference) # # # removed rule with existing types # util.validate_rule(rules[0], TRT.neverallowxperm, "nax_removed_rule_source", - # "nax_removed_rule_target", "infoflow", setools.IoctlSet([0x0002]), + # "nax_removed_rule_target", "infoflow", setools.XpermSet([0x0002]), # xperm="ioctl") # # # removed rule with new type # util.validate_rule(rules[1], TRT.neverallowxperm, "removed_type", "removed_type", - # "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") + # "infoflow7", setools.XpermSet([0x0009]), xperm="ioctl") def test_modified_neverallowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified neverallowxperm rules.""" 
@@ -1751,9 +1751,9 @@ def test_modified_neverallowxperm_rules(self, analysis: setools.PolicyDifference # assert "nax_modified_rule_add_perms" == rule.source # assert "nax_modified_rule_add_perms" == rule.target # assert "infoflow" == rule.tclass - # assert setools.IoctlSet([0x000f]) == added_perms + # assert setools.XpermSet([0x000f]) == added_perms # assert not removed_perms - # assert setools.IoctlSet([0x0004]) == matched_perms + # assert setools.XpermSet([0x0004]) == matched_perms # # # add and remove permissions # rule, added_perms, removed_perms, matched_perms = l[1] @@ -1761,9 +1761,9 @@ def test_modified_neverallowxperm_rules(self, analysis: setools.PolicyDifference # assert "nax_modified_rule_add_remove_perms" == rule.source # assert "nax_modified_rule_add_remove_perms" == rule.target # assert "infoflow2" == rule.tclass - # assert setools.IoctlSet([0x0006]) == added_perms - # assert setools.IoctlSet([0x0007]) == removed_perms - # assert setools.IoctlSet([0x0008]) == matched_perms + # assert setools.XpermSet([0x0006]) == added_perms + # assert setools.XpermSet([0x0007]) == removed_perms + # assert setools.XpermSet([0x0008]) == matched_perms # # # remove permissions # rule, added_perms, removed_perms, matched_perms = l[2] @@ -1772,8 +1772,8 @@ def test_modified_neverallowxperm_rules(self, analysis: setools.PolicyDifference # assert "nax_modified_rule_remove_perms" == rule.target # assert "infoflow" == rule.tclass # assert not added_perms - # assert setools.IoctlSet([0x0006]) == removed_perms - # assert setools.IoctlSet([0x0005]) == matched_perms + # assert setools.XpermSet([0x0006]) == removed_perms + # assert setools.XpermSet([0x0005]) == matched_perms # # Dontauditxperm rules 
@@ -1785,12 +1785,12 @@ def test_added_dontauditxperm_rules(self, analysis: setools.PolicyDifference) -> # added rule with new type util.validate_rule(rules[0], TRT.dontauditxperm, "added_type", "added_type", - tclass="infoflow7", perms=setools.IoctlSet([0x0009]), xperm="ioctl") + tclass="infoflow7", perms=setools.XpermSet([0x0009]), xperm="ioctl") # added rule with existing types util.validate_rule(rules[1], TRT.dontauditxperm, "dax_added_rule_source", "dax_added_rule_target", tclass="infoflow", - perms=setools.IoctlSet([0x0002]), xperm="ioctl") + perms=setools.XpermSet([0x0002]), xperm="ioctl") def test_removed_dontauditxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed dontauditxperm rules.""" @@ -1800,11 +1800,11 @@ def test_removed_dontauditxperm_rules(self, analysis: setools.PolicyDifference) # removed rule with existing types util.validate_rule(rules[0], TRT.dontauditxperm, "dax_removed_rule_source", "dax_removed_rule_target", tclass="infoflow", - perms=setools.IoctlSet([0x0002]), xperm="ioctl") + perms=setools.XpermSet([0x0002]), xperm="ioctl") # removed rule with new type util.validate_rule(rules[1], TRT.dontauditxperm, "removed_type", "removed_type", - tclass="infoflow7", perms=setools.IoctlSet([0x0009]), xperm="ioctl") + tclass="infoflow7", perms=setools.XpermSet([0x0009]), xperm="ioctl") def test_modified_dontauditxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified dontauditxperm rules.""" 
@@ -1817,9 +1817,9 @@ def test_modified_dontauditxperm_rules(self, analysis: setools.PolicyDifference) assert "dax_modified_rule_add_perms" == rule.source assert "dax_modified_rule_add_perms" == rule.target assert "infoflow" == rule.tclass - assert setools.IoctlSet([0x000f]) == added_perms + assert setools.XpermSet([0x000f]) == added_perms assert not removed_perms - assert setools.IoctlSet([0x0004]) == matched_perms + assert setools.XpermSet([0x0004]) == matched_perms # add and remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[1]) @@ -1827,9 +1827,9 @@ def test_modified_dontauditxperm_rules(self, analysis: setools.PolicyDifference) assert "dax_modified_rule_add_remove_perms" == rule.source assert "dax_modified_rule_add_remove_perms" == rule.target assert "infoflow2" == rule.tclass - assert setools.IoctlSet([0x0006]) == added_perms - assert setools.IoctlSet([0x0007]) == removed_perms - assert setools.IoctlSet([0x0008]) == matched_perms + assert setools.XpermSet([0x0006]) == added_perms + assert setools.XpermSet([0x0007]) == removed_perms + assert setools.XpermSet([0x0008]) == matched_perms # remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[2]) @@ -1838,8 +1838,8 @@ def test_modified_dontauditxperm_rules(self, analysis: setools.PolicyDifference) assert "dax_modified_rule_remove_perms" == rule.target assert "infoflow" == rule.tclass assert not added_perms - assert setools.IoctlSet([0x0006]) == removed_perms - assert setools.IoctlSet([0x0005]) == matched_perms + assert setools.XpermSet([0x0006]) == removed_perms + assert setools.XpermSet([0x0005]) == matched_perms # # Ibendportcon statements diff --git a/tests/library/test_terulequery.py b/tests/library/test_terulequery.py index 7b837aea..04737f48 100644 --- a/tests/library/test_terulequery.py +++ b/tests/library/test_terulequery.py 
@@ -301,7 +301,7 @@ def test_source_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 util.validate_rule(r[0], TRT.allowxperm, "test1a", "test1t", tclass="infoflow", - perms=setools.IoctlSet(range(0xebe0, 0xebff + 1)), xperm="ioctl") + perms=setools.XpermSet(range(0xebe0, 0xebff + 1)), xperm="ioctl") def test_source_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with exact, indirect, source match.""" @@ -311,7 +311,7 @@ def test_source_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 util.validate_rule(r[0], TRT.allowxperm, "test2a", "test2t", tclass="infoflow", - perms=setools.IoctlSet([0x5411, 0x5451]), xperm="ioctl") + perms=setools.XpermSet([0x5411, 0x5451]), xperm="ioctl") def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with regex, direct, source match.""" @@ -321,7 +321,7 @@ def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 1 util.validate_rule(r[0], TRT.allowxperm, "test3aS", "test3t", tclass="infoflow", - perms=setools.IoctlSet([0x1111]), xperm="ioctl") + perms=setools.XpermSet([0x1111]), xperm="ioctl") def test_source_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with regex, indirect, source match.""" 
@@ -331,9 +331,9 @@ def test_source_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 2 util.validate_rule(r[0], TRT.allowxperm, "test4a1", "test4a1", tclass="infoflow", - perms=setools.IoctlSet([0x9999]), xperm="ioctl") + perms=setools.XpermSet([0x9999]), xperm="ioctl") util.validate_rule(r[1], TRT.allowxperm, "test4a2", "test4a2", tclass="infoflow", - perms=setools.IoctlSet([0x1111]), xperm="ioctl") + perms=setools.XpermSet([0x1111]), xperm="ioctl") def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with exact, direct, target match.""" @@ -343,7 +343,7 @@ def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 util.validate_rule(r[0], TRT.allowxperm, "test5s", "test5a", tclass="infoflow", - perms=setools.IoctlSet([0x9999]), xperm="ioctl") + perms=setools.XpermSet([0x9999]), xperm="ioctl") def test_target_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with exact, indirect, target match.""" @@ -353,9 +353,9 @@ def test_target_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 util.validate_rule(r[0], TRT.allowxperm, "test6s", "test6a", tclass="infoflow", - perms=setools.IoctlSet([0x9999]), xperm="ioctl") + perms=setools.XpermSet([0x9999]), xperm="ioctl") util.validate_rule(r[1], TRT.allowxperm, "test6s", "test6t", tclass="infoflow", - perms=setools.IoctlSet([0x1111]), xperm="ioctl") + perms=setools.XpermSet([0x1111]), xperm="ioctl") def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with regex, direct, target match.""" 
@@ -365,7 +365,7 @@ def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 1 util.validate_rule(r[0], TRT.allowxperm, "test7s", "test7aPASS", tclass="infoflow", - perms=setools.IoctlSet([0x1111]), xperm="ioctl") + perms=setools.XpermSet([0x1111]), xperm="ioctl") def test_target_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with regex, indirect, target match.""" @@ -375,9 +375,9 @@ def test_target_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 2 util.validate_rule(r[0], TRT.allowxperm, "test8a1", "test8a1", tclass="infoflow", - perms=setools.IoctlSet([0x9999]), xperm="ioctl") + perms=setools.XpermSet([0x9999]), xperm="ioctl") util.validate_rule(r[1], TRT.allowxperm, "test8a2", "test8a2", tclass="infoflow", - perms=setools.IoctlSet([0x1111]), xperm="ioctl") + perms=setools.XpermSet([0x1111]), xperm="ioctl") def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with object class list match.""" @@ -387,9 +387,9 @@ def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 util.validate_rule(r[0], TRT.allowxperm, "test10", "test10", tclass="infoflow3", - perms=setools.IoctlSet([0]), xperm="ioctl") + perms=setools.XpermSet([0]), xperm="ioctl") util.validate_rule(r[1], TRT.allowxperm, "test10", "test10", tclass="infoflow4", - perms=setools.IoctlSet([0x9999]), xperm="ioctl") + perms=setools.XpermSet([0x9999]), xperm="ioctl") def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with object class regex match.""" 
@@ -398,9 +398,9 @@ def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 util.validate_rule(r[0], TRT.allowxperm, "test11", "test11", tclass="infoflow5", - perms=setools.IoctlSet([0x1111]), xperm="ioctl") + perms=setools.XpermSet([0x1111]), xperm="ioctl") util.validate_rule(r[1], TRT.allowxperm, "test11", "test11", tclass="infoflow6", - perms=setools.IoctlSet([0x5555]), xperm="ioctl") + perms=setools.XpermSet([0x5555]), xperm="ioctl") def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with rule type match.""" @@ -409,9 +409,9 @@ def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 util.validate_rule(r[0], TRT.auditallowxperm, "test14", "test14", tclass="infoflow7", - perms=setools.IoctlSet([0x1234]), xperm="ioctl") + perms=setools.XpermSet([0x1234]), xperm="ioctl") util.validate_rule(r[1], TRT.dontauditxperm, "test14", "test14", tclass="infoflow7", - perms=setools.IoctlSet([0x4321]), xperm="ioctl") + perms=setools.XpermSet([0x4321]), xperm="ioctl") def test_std_perm_any(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query match by standard permission.""" @@ -425,7 +425,7 @@ def test_std_perm_any(self, compiled_policy: setools.SELinuxPolicy) -> None: # util.validate_rule(r[0], TRT.neverallow, "test100", "system", "infoflow2", # set(["ioctl", "hi_w"])) # util.validate_rule(r[1], TRT.neverallowxperm, "test100", "test100", "infoflow2", - # setools.IoctlSet([0x1234]), xperm="ioctl") + # setools.XpermSet([0x1234]), xperm="ioctl") def test_std_perm_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query match by standard permission, equal perm set.""" 
@@ -446,13 +446,13 @@ def test_xperm_any(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 4 util.validate_rule(r[0], TRT.allowxperm, "test101a", "test101a", tclass="infoflow7", - perms=setools.IoctlSet([0x9011]), xperm="ioctl") + perms=setools.XpermSet([0x9011]), xperm="ioctl") util.validate_rule(r[1], TRT.allowxperm, "test101b", "test101b", tclass="infoflow7", - perms=setools.IoctlSet([0x9011, 0x9012]), xperm="ioctl") + perms=setools.XpermSet([0x9011, 0x9012]), xperm="ioctl") util.validate_rule(r[2], TRT.allowxperm, "test101c", "test101c", tclass="infoflow7", - perms=setools.IoctlSet([0x9011, 0x9012, 0x9013]), xperm="ioctl") + perms=setools.XpermSet([0x9011, 0x9012, 0x9013]), xperm="ioctl") util.validate_rule(r[3], TRT.allowxperm, "test101d", "test101d", tclass="infoflow7", - perms=setools.IoctlSet([0x9011, 0x9012, 0x9013, 0x9014]), xperm="ioctl") + perms=setools.XpermSet([0x9011, 0x9012, 0x9013, 0x9014]), xperm="ioctl") def test_xperm_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query match equal perm set.""" @@ -461,4 +461,5 @@ def test_xperm_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 util.validate_rule(r[0], TRT.allowxperm, "test101c", "test101c", tclass="infoflow7", - perms=setools.IoctlSet([0x9011, 0x9012, 0x9013]), xperm="ioctl") + perms=setools.XpermSet([0x9011, 0x9012, 0x9013]), xperm="ioctl") + diff --git a/tests/library/util.py b/tests/library/util.py index 78b2a3d2..76ec0303 100644 --- a/tests/library/util.py +++ b/tests/library/util.py 
@@ -14,7 +14,7 @@ def validate_rule(rule: setools.policyrep.PolicyRule, target: setools.policyrep.PolicySymbol | str, /, *, tclass: setools.ObjClass | str | None = None, - perms: set[str] | setools.IoctlSet | None = None, + perms: set[str] | setools.XpermSet | None = None, default: setools.policyrep.PolicySymbol | str | None = None, cond: str | None = None, cond_block: bool | None = None, From e2254a256e1e14bcbd444a4704f863e962b1ae0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Tue, 22 Oct 2024 12:52:32 +1100 Subject: [PATCH 3/4] Add support for nlmsg extended permission MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thiébaud Weksteen --- setools/policyrep/sepol.pxd | 2 ++ setools/policyrep/terule.pxi | 7 +++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/setools/policyrep/sepol.pxd b/setools/policyrep/sepol.pxd index 922065e4..4db8fc3c 100644 --- a/setools/policyrep/sepol.pxd +++ b/setools/policyrep/sepol.pxd @@ -157,6 +157,7 @@ cdef extern from "": # cdef int AVTAB_XPERMS_IOCTLFUNCTION cdef int AVTAB_XPERMS_IOCTLDRIVER + cdef int AVTAB_XPERMS_NLMSG cdef struct avtab_extended_perms: uint8_t specified @@ -437,6 +438,7 @@ cdef extern from "": # cdef int AVRULE_XPERMS_IOCTLFUNCTION cdef int AVRULE_XPERMS_IOCTLDRIVER + cdef int AVRULE_XPERMS_NLMSG cdef int EXTENDED_PERMS_LEN cdef struct av_extended_perms: diff --git a/setools/policyrep/terule.pxi b/setools/policyrep/terule.pxi index 0aa807d4..ddb2e950 100644 --- a/setools/policyrep/terule.pxi +++ b/setools/policyrep/terule.pxi 
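Review bot: The new `cdef int AVTAB_XPERMS_NLMSG` and `cdef int AVRULE_XPERMS_NLMSG` externs resolve to macros in libsepol's headers, so the Cython build will fail with a C compiler error on any libsepol that predates nlmsg extended permissions, including the 3.2 minimum the CI workflow pinned before this series. The minimum required libsepol should be raised and documented wherever the project states it, and a comment on the declarations would make the dependency visible at the point of failure, e.g. `# Requires libsepol >= <first release with nlmsg xperms>`. Both hunks of this file add the same kind of declaration, so the comment applies to each.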
@@ -300,9 +300,10 @@ cdef class AVRuleXperm(BaseTERule): # for curr in range(len): if sepol.xperm_test(curr, xperms.perms): - if xperms.specified & sepol.AVTAB_XPERMS_IOCTLFUNCTION: + if (xperms.specified == sepol.AVTAB_XPERMS_IOCTLFUNCTION \ + or xperms.specified == sepol.AVTAB_XPERMS_NLMSG): perms.add(xperms.driver << 8 | curr) - elif xperms.specified & sepol.AVTAB_XPERMS_IOCTLDRIVER: + elif xperms.specified == sepol.AVTAB_XPERMS_IOCTLDRIVER: base_value = curr << 8 perms.update(range(base_value, base_value + 0x100)) else: @@ -317,6 +318,8 @@ cdef class AVRuleXperm(BaseTERule): if datum.xperms.specified == sepol.AVTAB_XPERMS_IOCTLFUNCTION \ or datum.xperms.specified == sepol.AVTAB_XPERMS_IOCTLDRIVER: xperm_type = intern("ioctl") + elif datum.xperms.specified == sepol.AVTAB_XPERMS_NLMSG: + xperm_type = intern("nlmsg") else: raise LowLevelPolicyError(f"Unknown extended permission: {datum.xperms.specified}") From fc2d3daee9eb4058feb94a0b6de3c21d077effa3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Wed, 23 Oct 2024 10:55:31 +1100 Subject: [PATCH 4/4] Add tests for nlmsg extended permission MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The "Test" prefix is added to TERuleQueryXperm to ensure it is executed. Signed-off-by: Thiébaud Weksteen --- tests/library/policyrep/rules.conf | 5 +- tests/library/policyrep/selinuxpolicy.conf | 213 +++++++++--------- tests/library/policyrep/test_rules.py | 4 +- tests/library/policyrep/test_selinuxpolicy.py | 2 +- tests/library/terulequery2.conf | 16 ++ tests/library/test_terulequery.py | 11 +- 6 files changed, 139 insertions(+), 112 deletions(-) diff --git a/tests/library/policyrep/rules.conf b/tests/library/policyrep/rules.conf index 12329b71..625473cf 100644 --- a/tests/library/policyrep/rules.conf +++ b/tests/library/policyrep/rules.conf @@ -17,7 +17,8 @@ common infoflow low_r med_r hi_r - ioctl + ioctl + nlmsg } class infoflow 
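Review bot: In the rewritten condition, the backslash in `if (xperms.specified == sepol.AVTAB_XPERMS_IOCTLFUNCTION \` is redundant inside parentheses, and the shared branch gives no hint why nlmsg is treated like an ioctl function permission; a short comment would help the next reader, e.g. `# nlmsg types are encoded like ioctl function xperms: driver byte << 8 | function byte`. Switching from `&` bit tests to `==` comparisons also changes behaviour if `specified` ever carried more than one flag; as far as the visible code shows it is treated as a single enumerated value, so the change looks intentional, but it deserves a sentence in the commit message. The method containing both hunks starts and ends outside the diff.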
@@ -120,7 +121,7 @@ if (a_bool) { type_transition type31b system:infoflow4 type30 "the_filename"; allowxperm type30 type31a:infoflow ioctl 0x00ff; -auditallowxperm type31a type31b:infoflow ioctl { 0x001-0x0003 }; +auditallowxperm type31a type31b:infoflow nlmsg { 0x001-0x0003 }; allow system self:infoflow hi_w; range_transition type30 system:infoflow7 s0:c1 - s2:c0.c4; diff --git a/tests/library/policyrep/selinuxpolicy.conf b/tests/library/policyrep/selinuxpolicy.conf index be822706..001f7039 100644 --- a/tests/library/policyrep/selinuxpolicy.conf +++ b/tests/library/policyrep/selinuxpolicy.conf @@ -86,6 +86,7 @@ class infoflow6 setuid setpcap linux_immutable + nlmsg } class infoflow7 
@@ -2026,38 +2027,38 @@ allowxperm type6 type8:infoflow6 ioctl 0x1234; allowxperm type7 type9:infoflow6 ioctl 0x1234; allowxperm type8 type10:infoflow6 ioctl 0x1234; allowxperm type9 type11:infoflow6 ioctl 0x1234; -allowxperm type10 type12:infoflow6 ioctl 0x1234; -allowxperm type11 type13:infoflow6 ioctl 0x1234; -allowxperm type12 type14:infoflow6 ioctl 0x1234; -allowxperm type13 type15:infoflow6 ioctl 0x1234; -allowxperm type14 type16:infoflow6 ioctl 0x1234; -allowxperm type15 type17:infoflow6 ioctl 0x1234; -allowxperm type16 type18:infoflow6 ioctl 0x1234; -allowxperm type17 type19:infoflow6 ioctl 0x1234; -allowxperm type18 type20:infoflow6 ioctl 0x1234; -allowxperm type19 type21:infoflow6 ioctl 0x1234; -allowxperm type20 type22:infoflow6 ioctl 0x1234; -allowxperm type21 type23:infoflow6 ioctl 0x1234; -allowxperm type22 type24:infoflow6 ioctl 0x1234; -allowxperm type23 type25:infoflow6 ioctl 0x1234; -allowxperm type24 type26:infoflow6 ioctl 0x1234; -allowxperm type25 type27:infoflow6 ioctl 0x1234; -allowxperm type26 type28:infoflow6 ioctl 0x1234; -allowxperm type27 type29:infoflow6 ioctl 0x1234; -allowxperm type28 type30:infoflow6 ioctl 0x1234; -allowxperm type29 type31:infoflow6 ioctl 0x1234; -allowxperm type30 type32:infoflow6 ioctl 0x1234; -allowxperm type31 type33:infoflow6 ioctl 0x1234; -allowxperm type32 type34:infoflow6 ioctl 0x1234; -allowxperm type33 type35:infoflow6 ioctl 0x1234; -allowxperm type34 type36:infoflow6 ioctl 0x1234; -allowxperm type35 type37:infoflow6 ioctl 0x1234; -allowxperm type36 type38:infoflow6 ioctl 0x1234; -allowxperm type37 type39:infoflow6 ioctl 0x1234; -allowxperm type38 type40:infoflow6 ioctl 0x1234; -allowxperm type39 type41:infoflow6 ioctl 0x1234; -allowxperm type40 type42:infoflow6 ioctl 0x1234; -allowxperm type41 type43:infoflow6 ioctl 0x1234; +allowxperm type10 type12:infoflow6 nlmsg 0x1234; +allowxperm type11 type13:infoflow6 nlmsg 0x1234; +allowxperm type12 type14:infoflow6 nlmsg 0x1234; +allowxperm type13 type15:infoflow6 
nlmsg 0x1234; +allowxperm type14 type16:infoflow6 nlmsg 0x1234; +allowxperm type15 type17:infoflow6 nlmsg 0x1234; +allowxperm type16 type18:infoflow6 nlmsg 0x1234; +allowxperm type17 type19:infoflow6 nlmsg 0x1234; +allowxperm type18 type20:infoflow6 nlmsg 0x1234; +allowxperm type19 type21:infoflow6 nlmsg 0x1234; +allowxperm type20 type22:infoflow6 nlmsg 0x1234; +allowxperm type21 type23:infoflow6 nlmsg 0x1234; +allowxperm type22 type24:infoflow6 nlmsg 0x1234; +allowxperm type23 type25:infoflow6 nlmsg 0x1234; +allowxperm type24 type26:infoflow6 nlmsg 0x1234; +allowxperm type25 type27:infoflow6 nlmsg 0x1234; +allowxperm type26 type28:infoflow6 nlmsg 0x1234; +allowxperm type27 type29:infoflow6 nlmsg 0x1234; +allowxperm type28 type30:infoflow6 nlmsg 0x1234; +allowxperm type29 type31:infoflow6 nlmsg 0x1234; +allowxperm type30 type32:infoflow6 nlmsg 0x1234; +allowxperm type31 type33:infoflow6 nlmsg 0x1234; +allowxperm type32 type34:infoflow6 nlmsg 0x1234; +allowxperm type33 type35:infoflow6 nlmsg 0x1234; +allowxperm type34 type36:infoflow6 nlmsg 0x1234; +allowxperm type35 type37:infoflow6 nlmsg 0x1234; +allowxperm type36 type38:infoflow6 nlmsg 0x1234; +allowxperm type37 type39:infoflow6 nlmsg 0x1234; +allowxperm type38 type40:infoflow6 nlmsg 0x1234; +allowxperm type39 type41:infoflow6 nlmsg 0x1234; +allowxperm type40 type42:infoflow6 nlmsg 0x1234; +allowxperm type41 type43:infoflow6 nlmsg 0x1234; # 181 auditallowxperm rules auditallowxperm type0 type2:infoflow6 ioctl 0x1234; 
@@ -2207,40 +2208,40 @@ auditallowxperm type6 type9:infoflow6 ioctl 0x1234; auditallowxperm type7 type10:infoflow6 ioctl 0x1234; auditallowxperm type8 type11:infoflow6 ioctl 0x1234; auditallowxperm type9 type12:infoflow6 ioctl 0x1234; -auditallowxperm type10 type13:infoflow6 ioctl 0x1234; -auditallowxperm type11 type14:infoflow6 ioctl 0x1234; -auditallowxperm type12 type15:infoflow6 ioctl 0x1234; -auditallowxperm type13 type16:infoflow6 ioctl 0x1234; -auditallowxperm type14 type17:infoflow6 ioctl 0x1234; -auditallowxperm type15 type18:infoflow6 ioctl 0x1234; -auditallowxperm type16 type19:infoflow6 ioctl 0x1234; -auditallowxperm type17 type20:infoflow6 ioctl 0x1234; -auditallowxperm type18 type21:infoflow6 ioctl 0x1234; -auditallowxperm type19 type22:infoflow6 ioctl 0x1234; -auditallowxperm type20 type23:infoflow6 ioctl 0x1234; -auditallowxperm type21 type24:infoflow6 ioctl 0x1234; -auditallowxperm type22 type25:infoflow6 ioctl 0x1234; -auditallowxperm type23 type26:infoflow6 ioctl 0x1234; -auditallowxperm type24 type27:infoflow6 ioctl 0x1234; -auditallowxperm type25 type28:infoflow6 ioctl 0x1234; -auditallowxperm type26 type29:infoflow6 ioctl 0x1234; -auditallowxperm type27 type30:infoflow6 ioctl 0x1234; -auditallowxperm type28 type31:infoflow6 ioctl 0x1234; -auditallowxperm type29 type32:infoflow6 ioctl 0x1234; -auditallowxperm type30 type33:infoflow6 ioctl 0x1234; -auditallowxperm type31 type34:infoflow6 ioctl 0x1234; -auditallowxperm type32 type35:infoflow6 ioctl 0x1234; -auditallowxperm type33 type36:infoflow6 ioctl 0x1234; -auditallowxperm type34 type37:infoflow6 ioctl 0x1234; -auditallowxperm type35 type38:infoflow6 ioctl 0x1234; -auditallowxperm type36 type39:infoflow6 ioctl 0x1234; -auditallowxperm type37 type40:infoflow6 ioctl 0x1234; -auditallowxperm type38 type41:infoflow6 ioctl 0x1234; -auditallowxperm type39 type42:infoflow6 ioctl 0x1234; -auditallowxperm type40 type43:infoflow6 ioctl 0x1234; -auditallowxperm type41 type44:infoflow6 ioctl 0x1234; 
-auditallowxperm type42 type45:infoflow6 ioctl 0x1234; -auditallowxperm type43 type46:infoflow6 ioctl 0x1234; +auditallowxperm type10 type13:infoflow6 nlmsg 0x1234; +auditallowxperm type11 type14:infoflow6 nlmsg 0x1234; +auditallowxperm type12 type15:infoflow6 nlmsg 0x1234; +auditallowxperm type13 type16:infoflow6 nlmsg 0x1234; +auditallowxperm type14 type17:infoflow6 nlmsg 0x1234; +auditallowxperm type15 type18:infoflow6 nlmsg 0x1234; +auditallowxperm type16 type19:infoflow6 nlmsg 0x1234; +auditallowxperm type17 type20:infoflow6 nlmsg 0x1234; +auditallowxperm type18 type21:infoflow6 nlmsg 0x1234; +auditallowxperm type19 type22:infoflow6 nlmsg 0x1234; +auditallowxperm type20 type23:infoflow6 nlmsg 0x1234; +auditallowxperm type21 type24:infoflow6 nlmsg 0x1234; +auditallowxperm type22 type25:infoflow6 nlmsg 0x1234; +auditallowxperm type23 type26:infoflow6 nlmsg 0x1234; +auditallowxperm type24 type27:infoflow6 nlmsg 0x1234; +auditallowxperm type25 type28:infoflow6 nlmsg 0x1234; +auditallowxperm type26 type29:infoflow6 nlmsg 0x1234; +auditallowxperm type27 type30:infoflow6 nlmsg 0x1234; +auditallowxperm type28 type31:infoflow6 nlmsg 0x1234; +auditallowxperm type29 type32:infoflow6 nlmsg 0x1234; +auditallowxperm type30 type33:infoflow6 nlmsg 0x1234; +auditallowxperm type31 type34:infoflow6 nlmsg 0x1234; +auditallowxperm type32 type35:infoflow6 nlmsg 0x1234; +auditallowxperm type33 type36:infoflow6 nlmsg 0x1234; +auditallowxperm type34 type37:infoflow6 nlmsg 0x1234; +auditallowxperm type35 type38:infoflow6 nlmsg 0x1234; +auditallowxperm type36 type39:infoflow6 nlmsg 0x1234; +auditallowxperm type37 type40:infoflow6 nlmsg 0x1234; +auditallowxperm type38 type41:infoflow6 nlmsg 0x1234; +auditallowxperm type39 type42:infoflow6 nlmsg 0x1234; +auditallowxperm type40 type43:infoflow6 nlmsg 0x1234; +auditallowxperm type41 type44:infoflow6 nlmsg 0x1234; +auditallowxperm type42 type45:infoflow6 nlmsg 0x1234; +auditallowxperm type43 type46:infoflow6 nlmsg 0x1234; # 191 
neverallowxperm rules neverallowxperm type0 type4:infoflow6 ioctl 0x1234; @@ -2420,20 +2421,20 @@ neverallowxperm type36 type41:infoflow6 ioctl 0x1234; neverallowxperm type37 type42:infoflow6 ioctl 0x1234; neverallowxperm type38 type43:infoflow6 ioctl 0x1234; neverallowxperm type39 type44:infoflow6 ioctl 0x1234; -neverallowxperm type40 type45:infoflow6 ioctl 0x1234; -neverallowxperm type41 type46:infoflow6 ioctl 0x1234; -neverallowxperm type42 type47:infoflow6 ioctl 0x1234; -neverallowxperm type43 type48:infoflow6 ioctl 0x1234; -neverallowxperm type44 type49:infoflow6 ioctl 0x1234; -neverallowxperm type45 type50:infoflow6 ioctl 0x1234; -neverallowxperm type46 type51:infoflow6 ioctl 0x1234; -neverallowxperm type47 type52:infoflow6 ioctl 0x1234; -neverallowxperm type48 type53:infoflow6 ioctl 0x1234; -neverallowxperm type49 type54:infoflow6 ioctl 0x1234; -neverallowxperm type50 type55:infoflow6 ioctl 0x1234; -neverallowxperm type51 type56:infoflow6 ioctl 0x1234; -neverallowxperm type52 type57:infoflow6 ioctl 0x1234; -neverallowxperm type53 type58:infoflow6 ioctl 0x1234; +neverallowxperm type40 type45:infoflow6 nlmsg 0x1234; +neverallowxperm type41 type46:infoflow6 nlmsg 0x1234; +neverallowxperm type42 type47:infoflow6 nlmsg 0x1234; +neverallowxperm type43 type48:infoflow6 nlmsg 0x1234; +neverallowxperm type44 type49:infoflow6 nlmsg 0x1234; +neverallowxperm type45 type50:infoflow6 nlmsg 0x1234; +neverallowxperm type46 type51:infoflow6 nlmsg 0x1234; +neverallowxperm type47 type52:infoflow6 nlmsg 0x1234; +neverallowxperm type48 type53:infoflow6 nlmsg 0x1234; +neverallowxperm type49 type54:infoflow6 nlmsg 0x1234; +neverallowxperm type50 type55:infoflow6 nlmsg 0x1234; +neverallowxperm type51 type56:infoflow6 nlmsg 0x1234; +neverallowxperm type52 type57:infoflow6 nlmsg 0x1234; +neverallowxperm type53 type58:infoflow6 nlmsg 0x1234; # 193 dontauditxperm rules dontauditxperm type0 type5:infoflow6 ioctl 0x1234; 
@@ -2603,32 +2604,32 @@ dontauditxperm type26 type32:infoflow6 ioctl 0x1234; dontauditxperm type27 type33:infoflow6 ioctl 0x1234; dontauditxperm type28 type34:infoflow6 ioctl 0x1234; dontauditxperm type29 type35:infoflow6 ioctl 0x1234; -dontauditxperm type30 type36:infoflow6 ioctl 0x1234; -dontauditxperm type31 type37:infoflow6 ioctl 0x1234; -dontauditxperm type32 type38:infoflow6 ioctl 0x1234; -dontauditxperm type33 type39:infoflow6 ioctl 0x1234; -dontauditxperm type34 type40:infoflow6 ioctl 0x1234; -dontauditxperm type35 type41:infoflow6 ioctl 0x1234; -dontauditxperm type36 type42:infoflow6 ioctl 0x1234; -dontauditxperm type37 type43:infoflow6 ioctl 0x1234; -dontauditxperm type38 type44:infoflow6 ioctl 0x1234; -dontauditxperm type39 type45:infoflow6 ioctl 0x1234; -dontauditxperm type40 type46:infoflow6 ioctl 0x1234; -dontauditxperm type41 type47:infoflow6 ioctl 0x1234; -dontauditxperm type42 type48:infoflow6 ioctl 0x1234; -dontauditxperm type43 type49:infoflow6 ioctl 0x1234; -dontauditxperm type44 type50:infoflow6 ioctl 0x1234; -dontauditxperm type45 type51:infoflow6 ioctl 0x1234; -dontauditxperm type46 type52:infoflow6 ioctl 0x1234; -dontauditxperm type47 type53:infoflow6 ioctl 0x1234; -dontauditxperm type48 type54:infoflow6 ioctl 0x1234; -dontauditxperm type49 type55:infoflow6 ioctl 0x1234; -dontauditxperm type50 type56:infoflow6 ioctl 0x1234; -dontauditxperm type51 type57:infoflow6 ioctl 0x1234; -dontauditxperm type52 type58:infoflow6 ioctl 0x1234; -dontauditxperm type53 type59:infoflow6 ioctl 0x1234; -dontauditxperm type54 type60:infoflow6 ioctl 0x1234; -dontauditxperm type55 type61:infoflow6 ioctl 0x1234; +dontauditxperm type30 type36:infoflow6 nlmsg 0x1234; +dontauditxperm type31 type37:infoflow6 nlmsg 0x1234; +dontauditxperm type32 type38:infoflow6 nlmsg 0x1234; +dontauditxperm type33 type39:infoflow6 nlmsg 0x1234; +dontauditxperm type34 type40:infoflow6 nlmsg 0x1234; +dontauditxperm type35 type41:infoflow6 nlmsg 0x1234; +dontauditxperm type36 
type42:infoflow6 nlmsg 0x1234; +dontauditxperm type37 type43:infoflow6 nlmsg 0x1234; +dontauditxperm type38 type44:infoflow6 nlmsg 0x1234; +dontauditxperm type39 type45:infoflow6 nlmsg 0x1234; +dontauditxperm type40 type46:infoflow6 nlmsg 0x1234; +dontauditxperm type41 type47:infoflow6 nlmsg 0x1234; +dontauditxperm type42 type48:infoflow6 nlmsg 0x1234; +dontauditxperm type43 type49:infoflow6 nlmsg 0x1234; +dontauditxperm type44 type50:infoflow6 nlmsg 0x1234; +dontauditxperm type45 type51:infoflow6 nlmsg 0x1234; +dontauditxperm type46 type52:infoflow6 nlmsg 0x1234; +dontauditxperm type47 type53:infoflow6 nlmsg 0x1234; +dontauditxperm type48 type54:infoflow6 nlmsg 0x1234; +dontauditxperm type49 type55:infoflow6 nlmsg 0x1234; +dontauditxperm type50 type56:infoflow6 nlmsg 0x1234; +dontauditxperm type51 type57:infoflow6 nlmsg 0x1234; +dontauditxperm type52 type58:infoflow6 nlmsg 0x1234; +dontauditxperm type53 type59:infoflow6 nlmsg 0x1234; +dontauditxperm type54 type60:infoflow6 nlmsg 0x1234; +dontauditxperm type55 type61:infoflow6 nlmsg 0x1234; ################################################################################ diff --git a/tests/library/policyrep/test_rules.py b/tests/library/policyrep/test_rules.py index 36281763..87e026b5 100644 --- a/tests/library/policyrep/test_rules.py +++ b/tests/library/policyrep/test_rules.py @@ -60,8 +60,8 @@ class RuleTestCase: xperm="ioctl", perms=setools.XpermSet((0x00ff,)), type_=setools.AVRuleXperm, statement="allowxperm type30 type31a:infoflow ioctl 0x00ff;"), RuleTestCase(setools.TERuletype.auditallowxperm, "type31a", "type31b", tclass="infoflow", - xperm="ioctl", perms=setools.XpermSet((1, 2, 3)), type_=setools.AVRuleXperm, - statement="auditallowxperm type31a type31b:infoflow ioctl 0x0001-0x0003;")] + xperm="nlmsg", perms=setools.XpermSet((1, 2, 3)), type_=setools.AVRuleXperm, + statement="auditallowxperm type31a type31b:infoflow nlmsg 0x0001-0x0003;")] @pytest.mark.obj_args("tests/library/policyrep/rules.conf") 
diff --git a/tests/library/policyrep/test_selinuxpolicy.py b/tests/library/policyrep/test_selinuxpolicy.py
index 67ae328a..4c7ed11b 100644
--- a/tests/library/policyrep/test_selinuxpolicy.py
+++ b/tests/library/policyrep/test_selinuxpolicy.py
@@ -115,7 +115,7 @@ def test_nodecon_count(self, compiled_policy: setools.SELinuxPolicy) -> None:
 def test_permission_count(self, compiled_policy: setools.SELinuxPolicy) -> None:
 """SELinuxPolicy: permission count"""
- assert compiled_policy.permission_count == 29
+ assert compiled_policy.permission_count == 30
 def test_permissive_types_count(self, compiled_policy: setools.SELinuxPolicy) -> None:
 """SELinuxPolicy: permissive types count"""
diff --git a/tests/library/terulequery2.conf b/tests/library/terulequery2.conf
index c9f67cd1..a93c3d67 100644
--- a/tests/library/terulequery2.conf
+++ b/tests/library/terulequery2.conf
@@ -5,6 +5,7 @@ class infoflow4
 class infoflow5
 class infoflow6
 class infoflow7
+class infoflow8
 sid kernel
 sid security
@@ -54,6 +55,11 @@ inherits infoflow
 super_unmapped
 }
+class infoflow8
+{
+ nlmsg
+}
+
 sensitivity low_s;
 sensitivity medium_s alias med;
 sensitivity high_s;
@@ -245,6 +251,16 @@ allowxperm test101b self:infoflow7 ioctl { 0x9011-0x9012 };
 allowxperm test101c self:infoflow7 ioctl { 0x9011-0x9013 };
 allowxperm test101d self:infoflow7 ioctl { 0x9011-0x9014 };
+# test 102
+# ruletype: unset
+# source: test102a, direct, no regex
+# target: unset
+# class: unset
+# perms: unset
+attribute test102a;
+type test102s, test102a;
+type test102t;
+allowxperm test102a test102t:infoflow8 nlmsg { 0x01-0xf1 };
 ############# END XPERM ############################
 role system;
diff --git a/tests/library/test_terulequery.py b/tests/library/test_terulequery.py
index 04737f48..fe109381 100644
--- a/tests/library/test_terulequery.py
+++ b/tests/library/test_terulequery.py
@@ -289,7 +289,7 @@ def test_issue111_3(self, compiled_policy: setools.SELinuxPolicy) -> None:
 @pytest.mark.obj_args("tests/library/terulequery2.conf")
-class TERuleQueryXperm:
+class TestTERuleQueryXperm:
 """TE Rule Query with extended permission rules."""
@@ -463,3 +463,12 @@ def test_xperm_equal(self, compiled_policy: setools.SELinuxPolicy) -> None:
 util.validate_rule(r[0], TRT.allowxperm, "test101c", "test101c", tclass="infoflow7",
 perms=setools.XpermSet([0x9011, 0x9012, 0x9013]), xperm="ioctl")
+ def test_nlmsg(self, compiled_policy: setools.SELinuxPolicy) -> None:
+ """Xperm rule query with exact, direct, source match."""
+ q = TERuleQuery(
+ compiled_policy, source="test102a", source_indirect=False, source_regex=False)
+
+ r = sorted(q.results())
+ assert len(r) == 1
+ util.validate_rule(r[0], TRT.allowxperm, "test102a", "test102t", tclass="infoflow8",
+ perms=setools.XpermSet(range(0x1, 0xf1+1)), xperm="nlmsg")
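Review bot: The docstring on the new `test_nlmsg` repeats the generic wording of the neighbouring ioctl tests (`"""Xperm rule query with exact, direct, source match."""`) and does not say what this case actually exercises; suggest `"""Xperm rule query returning an nlmsg (non-ioctl) extended permission rule."""`. The `xperm="nlmsg"` argument to `validate_rule` is the only thing that distinguishes it from the ioctl cases, so it is worth naming that in the docstring. Note also that the `TERuleQueryXperm` -> `TestTERuleQueryXperm` rename in the first hunk means the earlier tests in this class were not being collected before, so any failures they produce now are pre-existing rather than introduced by this patch.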