Add test for nlmsg extended permission
The "Test" prefix is added to TERuleQueryXperm to ensure it is executed.

Signed-off-by: Thiébaud Weksteen <tweek@google.com>
tweksteen committed Oct 23, 2024
1 parent a29f953 commit bdb19b8
Showing 2 changed files with 26 additions and 1 deletion.
16 changes: 16 additions & 0 deletions tests/library/terulequery2.conf
@@ -5,6 +5,7 @@ class infoflow4
class infoflow5
class infoflow6
class infoflow7
class infoflow8

sid kernel
sid security
@@ -54,6 +55,11 @@ inherits infoflow
super_unmapped
}

class infoflow8
{
nlmsg
}

sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;
@@ -245,6 +251,16 @@ allowxperm test101b self:infoflow7 ioctl { 0x9011-0x9012 };
allowxperm test101c self:infoflow7 ioctl { 0x9011-0x9013 };
allowxperm test101d self:infoflow7 ioctl { 0x9011-0x9014 };

# test 102
# ruletype: unset
# source: test102a, direct, no regex
# target: unset
# class: unset
# perms: unset
attribute test102a;
type test102s, test102a;
type test102t;
allowxperm test102a test102t:infoflow8 nlmsg { 0x01-0xf1 };
############# END XPERM ############################

role system;
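Review bot: The `allowxperm test102a test102t:infoflow8 nlmsg { 0x01-0xf1 };` rule at the end of the XPERM block makes this shared fixture depend on a policy compiler that accepts the `nlmsg` extended permission kind. Presumably an older checkpolicy would reject the whole file, which would fail every test that loads terulequery2.conf rather than only the new one. A comment above test 102 such as `# needs a checkpolicy/libsepol with nlmsg xperm support` would make that requirement visible. The test 102 header lists only the query criteria, so a line like `# xperm kind: nlmsg (netlink message types), not ioctl` would also tell a reader why the separate class infoflow8 exists.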
11 changes: 10 additions & 1 deletion tests/library/test_terulequery.py
@@ -289,7 +289,7 @@ def test_issue111_3(self, compiled_policy: setools.SELinuxPolicy) -> None:


@pytest.mark.obj_args("tests/library/terulequery2.conf")
class TERuleQueryXperm:
class TestTERuleQueryXperm:

"""TE Rule Query with extended permission rules."""

@@ -463,3 +463,12 @@ def test_xperm_equal(self, compiled_policy: setools.SELinuxPolicy) -> None:
util.validate_rule(r[0], TRT.allowxperm, "test101c", "test101c", tclass="infoflow7",
perms=setools.XpermSet([0x9011, 0x9012, 0x9013]), xperm="ioctl")

def test_nlmsg(self, compiled_policy: setools.SELinuxPolicy) -> None:
"""Xperm rule query with exact, direct, source match."""
q = TERuleQuery(
compiled_policy, source="test102a", source_indirect=False, source_regex=False)

r = sorted(q.results())
assert len(r) == 1
util.validate_rule(r[0], TRT.allowxperm, "test102a", "test102t", tclass="infoflow8",
perms=setools.XpermSet(range(0x1, 0xf1+1)), xperm="nlmsg")
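Review bot: The docstring on `test_nlmsg` reuses the generic wording of the ioctl tests and never says the rule under test is an nlmsg one; `"""Xperm rule query returning an nlmsg extended permission rule (direct source match)."""` would describe it. The test filters on source only, so it shows that the rule is parsed and returned with `xperm="nlmsg"`, but not that the query's xperm filters keep nlmsg and ioctl values apart. Both kinds are plain integers in an `XpermSet`, so a value-based query inside 0x01-0xf1 may also return ioctl rules, which could mislead someone auditing netlink permissions; a follow-up test would settle this if the query is meant to be kind-aware. Separately, the rename to `TestTERuleQueryXperm` in the first hunk means the existing methods of this class are collected for the first time, so any that were silently broken will now fail; the class body between the two hunks is not visible here.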
