tests/util: Refactor validate_rule() to handle role allows.
Signed-off-by: Chris PeBenito <[email protected]>
pebenito committed Apr 19, 2024
1 parent c958e67 commit 0856100
Showing 7 changed files with 435 additions and 353 deletions.
267 changes: 145 additions & 122 deletions tests/library/test_diff.py


67 changes: 39 additions & 28 deletions tests/library/test_dta.py
Expand Up @@ -52,46 +52,50 @@ def test_bothtrans(self, analysis: setools.DomainTransitionAnalysis) -> None:
# regular transition
r = analysis.G.edges[s, t]["transition"]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition", "dyntransition"]))
util.validate_rule(r[0], TERT.allow, s, t, tclass="process",
perms=set(["transition", "dyntransition"]))

# setexec perms
r = analysis.G.edges[s, t]["setexec"]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec", "setcurrent"]))
util.validate_rule(r[0], TERT.allow, s, s, tclass="process",
perms=set(["setexec", "setcurrent"]))

# exec perms
k = sorted(analysis.G.edges[s, t]["execute"].keys())
assert k == [e]

r = analysis.G.edges[s, t]["execute"][e]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"]))
util.validate_rule(r[0], TERT.allow, s, e, tclass="file", perms=set(["execute"]))

# entrypoint perms
k = sorted(analysis.G.edges[s, t]["entrypoint"].keys())
assert k == [e]

r = analysis.G.edges[s, t]["entrypoint"][e]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"]))
util.validate_rule(r[0], TERT.allow, t, e, tclass="file", perms=set(["entrypoint"]))

# type_transition
k = sorted(analysis.G.edges[s, t]["type_transition"].keys())
assert k == [e]

r = analysis.G.edges[s, t]["type_transition"][e]
assert len(r) == 1
util.validate_rule(r[0], TERT.type_transition, s, e, "process", t)
util.validate_rule(r[0], TERT.type_transition, s, e, tclass="process", default=t)

# dynamic transition
r = analysis.G.edges[s, t]["dyntransition"]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition", "dyntransition"]))
util.validate_rule(r[0], TERT.allow, s, t, tclass="process",
perms=set(["transition", "dyntransition"]))

# setcurrent
r = analysis.G.edges[s, t]["setcurrent"]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec", "setcurrent"]))
util.validate_rule(r[0], TERT.allow, s, s, tclass="process",
perms=set(["setexec", "setcurrent"]))

def test_dyntrans(self, analysis: setools.DomainTransitionAnalysis) -> None:
"""DTA: setcon() transition."""
Expand Down Expand Up @@ -122,12 +126,14 @@ def test_dyntrans(self, analysis: setools.DomainTransitionAnalysis) -> None:
# dynamic transition
r = analysis.G.edges[s, t]["dyntransition"]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, t, "process", set(["dyntransition"]))
util.validate_rule(r[0], TERT.allow, s, t, tclass="process",
perms=set(["dyntransition"]))

# setcurrent
r = analysis.G.edges[s, t]["setcurrent"]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, s, "process", set(["setcurrent"]))
util.validate_rule(r[0], TERT.allow, s, s, tclass="process",
perms=set(["setcurrent"]))

def test_trans(self, analysis: setools.DomainTransitionAnalysis) -> None:
"""DTA: type_transition transition."""
Expand All @@ -139,7 +145,8 @@ def test_trans(self, analysis: setools.DomainTransitionAnalysis) -> None:
# regular transition
r = analysis.G.edges[s, t]["transition"]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"]))
util.validate_rule(r[0], TERT.allow, s, t, tclass="process",
perms=set(["transition"]))

# setexec perms
r = analysis.G.edges[s, t]["setexec"]
Expand All @@ -151,23 +158,26 @@ def test_trans(self, analysis: setools.DomainTransitionAnalysis) -> None:

r = analysis.G.edges[s, t]["execute"][e]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"]))
util.validate_rule(r[0], TERT.allow, s, e, tclass="file",
perms=set(["execute"]))

# entrypoint perms
k = sorted(analysis.G.edges[s, t]["entrypoint"].keys())
assert k == [e]

r = analysis.G.edges[s, t]["entrypoint"][e]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"]))
util.validate_rule(r[0], TERT.allow, t, e, tclass="file",
perms=set(["entrypoint"]))

# type_transition
k = sorted(analysis.G.edges[s, t]["type_transition"].keys())
assert k == [e]

r = analysis.G.edges[s, t]["type_transition"][e]
assert len(r) == 1
util.validate_rule(r[0], TERT.type_transition, s, e, "process", t)
util.validate_rule(r[0], TERT.type_transition, s, e, tclass="process",
default=t)

# dynamic transition
r = analysis.G.edges[s, t]["dyntransition"]
Expand All @@ -187,28 +197,28 @@ def test_setexec(self, analysis: setools.DomainTransitionAnalysis) -> None:
# regular transition
r = analysis.G.edges[s, t]["transition"]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"]))
util.validate_rule(r[0], TERT.allow, s, t, tclass="process", perms=set(["transition"]))

# setexec perms
r = analysis.G.edges[s, t]["setexec"]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec"]))
util.validate_rule(r[0], TERT.allow, s, s, tclass="process", perms=set(["setexec"]))

# exec perms
k = sorted(analysis.G.edges[s, t]["execute"].keys())
assert k == [e]

r = analysis.G.edges[s, t]["execute"][e]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"]))
util.validate_rule(r[0], TERT.allow, s, e, tclass="file", perms=set(["execute"]))

# entrypoint perms
k = sorted(analysis.G.edges[s, t]["entrypoint"].keys())
assert k == [e]

r = analysis.G.edges[s, t]["entrypoint"][e]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"]))
util.validate_rule(r[0], TERT.allow, t, e, tclass="file", perms=set(["entrypoint"]))

# type_transition
k = sorted(analysis.G.edges[s, t]["type_transition"].keys())
Expand All @@ -233,44 +243,44 @@ def test_two_entrypoint(self, analysis: setools.DomainTransitionAnalysis) -> Non
# regular transition
r = analysis.G.edges[s, t]["transition"]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"]))
util.validate_rule(r[0], TERT.allow, s, t, tclass="process", perms=set(["transition"]))

# setexec perms
r = analysis.G.edges[s, t]["setexec"]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec"]))
util.validate_rule(r[0], TERT.allow, s, s, tclass="process", perms=set(["setexec"]))

# exec perms
k = sorted(analysis.G.edges[s, t]["execute"].keys())
assert k == e

r = analysis.G.edges[s, t]["execute"][e[0]]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, e[0], "file", set(["execute"]))
util.validate_rule(r[0], TERT.allow, s, e[0], tclass="file", perms=set(["execute"]))

r = analysis.G.edges[s, t]["execute"][e[1]]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, e[1], "file", set(["execute"]))
util.validate_rule(r[0], TERT.allow, s, e[1], tclass="file", perms=set(["execute"]))

# entrypoint perms
k = sorted(analysis.G.edges[s, t]["entrypoint"].keys())
assert k == e

r = analysis.G.edges[s, t]["entrypoint"][e[0]]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, t, e[0], "file", set(["entrypoint"]))
util.validate_rule(r[0], TERT.allow, t, e[0], tclass="file", perms=set(["entrypoint"]))

r = analysis.G.edges[s, t]["entrypoint"][e[1]]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, t, e[1], "file", set(["entrypoint"]))
util.validate_rule(r[0], TERT.allow, t, e[1], tclass="file", perms=set(["entrypoint"]))

# type_transition
k = sorted(analysis.G.edges[s, t]["type_transition"].keys())
assert k == [e[0]]

r = analysis.G.edges[s, t]["type_transition"][e[0]]
assert len(r) == 1
util.validate_rule(r[0], TERT.type_transition, s, e[0], "process", t)
util.validate_rule(r[0], TERT.type_transition, s, e[0], tclass="process", default=t)

# dynamic transition
r = analysis.G.edges[s, t]["dyntransition"]
Expand All @@ -290,7 +300,7 @@ def test_cond_type_trans(self, analysis: setools.DomainTransitionAnalysis) -> No
# regular transition
r = analysis.G.edges[s, t]["transition"]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"]))
util.validate_rule(r[0], TERT.allow, s, t, tclass="process", perms=set(["transition"]))

# setexec perms
r = analysis.G.edges[s, t]["setexec"]
Expand All @@ -302,23 +312,24 @@ def test_cond_type_trans(self, analysis: setools.DomainTransitionAnalysis) -> No

r = analysis.G.edges[s, t]["execute"][e]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"]))
util.validate_rule(r[0], TERT.allow, s, e, tclass="file", perms=set(["execute"]))

# entrypoint perms
k = sorted(analysis.G.edges[s, t]["entrypoint"].keys())
assert k == [e]

r = analysis.G.edges[s, t]["entrypoint"][e]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"]))
util.validate_rule(r[0], TERT.allow, t, e, tclass="file", perms=set(["entrypoint"]))

# type_transition
k = sorted(analysis.G.edges[s, t]["type_transition"].keys())
assert k == [e]

r = analysis.G.edges[s, t]["type_transition"][e]
assert len(r) == 1
util.validate_rule(r[0], TERT.type_transition, s, e, "process", t, cond="trans5")
util.validate_rule(r[0], TERT.type_transition, s, e, tclass="process", default=t,
cond="trans5", cond_block=True)

# dynamic transition
r = analysis.G.edges[s, t]["dyntransition"]
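Review bot: The rewrapping is inconsistent across this file: test_bothtrans splits `perms=set(["transition", "dyntransition"])` onto a continuation line, and test_trans wraps `perms=set(["transition"])`, while test_setexec keeps calls of the same length on one line. Now that the arguments are named, the `set([...])` spelling on every new line would read more cleanly as a set literal, e.g. `util.validate_rule(r[0], TERT.allow, s, t, tclass="process", perms={"transition", "dyntransition"})`; the same applies to the test_infoflow.py section. Separately, only test_cond_type_trans passes `cond="trans5", cond_block=True`; whether validate_rule asserts that the other type_transition rules are unconditional when `cond` is omitted depends on the tests/util change, which is not rendered on this page, and is worth confirming so a conditional transition rule cannot pass as an unconditional one.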
41 changes: 26 additions & 15 deletions tests/library/test_infoflow.py
Expand Up @@ -63,54 +63,65 @@ def test_full_graph(self, analysis: setools.InfoFlowAnalysis) -> None:

r = analysis.G.edges[disconnected1, disconnected2]["rules"]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, "disconnected1", "disconnected2", "infoflow2",
set(["super"]))
util.validate_rule(r[0], TERT.allow, "disconnected1", "disconnected2", tclass="infoflow2",
perms=set(["super"]))

r = analysis.G.edges[disconnected2, disconnected1]["rules"]
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, "disconnected1", "disconnected2", "infoflow2",
set(["super"]))
util.validate_rule(r[0], TERT.allow, "disconnected1", "disconnected2", tclass="infoflow2",
perms=set(["super"]))

r = sorted(analysis.G.edges[node1, node2]["rules"])
assert len(r) == 2
util.validate_rule(r[0], TERT.allow, "node1", "node2", "infoflow", set(["med_w"]))
util.validate_rule(r[1], TERT.allow, "node2", "node1", "infoflow", set(["hi_r"]))
util.validate_rule(r[0], TERT.allow, "node1", "node2", tclass="infoflow",
perms=set(["med_w"]))
util.validate_rule(r[1], TERT.allow, "node2", "node1", tclass="infoflow",
perms=set(["hi_r"]))

r = sorted(analysis.G.edges[node1, node3]["rules"])
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, "node3", "node1", "infoflow", set(["low_r", "med_r"]))
util.validate_rule(r[0], TERT.allow, "node3", "node1", tclass="infoflow",
perms=set(["low_r", "med_r"]))

r = sorted(analysis.G.edges[node2, node4]["rules"])
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, "node2", "node4", "infoflow", set(["hi_w"]))
util.validate_rule(r[0], TERT.allow, "node2", "node4", tclass="infoflow",
perms=set(["hi_w"]))

r = sorted(analysis.G.edges[node3, node5]["rules"])
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, "node5", "node3", "infoflow", set(["low_r"]))
util.validate_rule(r[0], TERT.allow, "node5", "node3", tclass="infoflow",
perms=set(["low_r"]))

r = sorted(analysis.G.edges[node4, node6]["rules"])
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, "node4", "node6", "infoflow2", set(["hi_w"]))
util.validate_rule(r[0], TERT.allow, "node4", "node6", tclass="infoflow2",
perms=set(["hi_w"]))

r = sorted(analysis.G.edges[node5, node8]["rules"])
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, "node5", "node8", "infoflow2", set(["hi_w"]))
util.validate_rule(r[0], TERT.allow, "node5", "node8", tclass="infoflow2",
perms=set(["hi_w"]))

r = sorted(analysis.G.edges[node6, node5]["rules"])
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, "node5", "node6", "infoflow", set(["med_r"]))
util.validate_rule(r[0], TERT.allow, "node5", "node6", tclass="infoflow",
perms=set(["med_r"]))

r = sorted(analysis.G.edges[node6, node7]["rules"])
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, "node6", "node7", "infoflow", set(["hi_w"]))
util.validate_rule(r[0], TERT.allow, "node6", "node7", tclass="infoflow",
perms=set(["hi_w"]))

r = sorted(analysis.G.edges[node8, node9]["rules"])
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, "node8", "node9", "infoflow2", set(["super"]))
util.validate_rule(r[0], TERT.allow, "node8", "node9", tclass="infoflow2",
perms=set(["super"]))

r = sorted(analysis.G.edges[node9, node8]["rules"])
assert len(r) == 1
util.validate_rule(r[0], TERT.allow, "node8", "node9", "infoflow2", set(["super"]))
util.validate_rule(r[0], TERT.allow, "node8", "node9", tclass="infoflow2",
perms=set(["super"]))

def test_minimum_3(self, analysis: setools.InfoFlowAnalysis) -> None:
"""Information flow analysis with minimum weight 3."""
