# Copyright 2014-2015, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import InfoFlowAnalysis
from setools import TERuletype as TERT
from setools.exception import InvalidType
from setools.permmap import PermissionMap
from setools.policyrep import Type
from . import mixins
from .policyrep.util import compile_policy
# Note: the check that every edge carries the correct rules is performed
# only once, on the full graph, since it is assumed that NetworkX's
# DiGraph.subgraph() function correctly copies the edge attributes into
# the subgraph.
class ConditionalInfoFlowAnalysisTest(unittest.TestCase):

    """Check how InfoFlowAnalysis filters conditional rules by Boolean state.

    A single policy, permission map and analysis object are created in
    setUpClass and shared by all tests.  Each test assigns ``booleans``,
    sets a rebuild flag, calls ``_build_subgraph()`` and then inspects the
    "rules" list stored on individual edges of the analysis graph ``G``.

    NOTE(review): tests 001-002 set ``_rebuildgraph`` while tests 003-005
    set ``rebuildgraph``.  Which name InfoFlowAnalysis actually reads is not
    visible in this file; presumably only one of them is, in which case the
    other assignment just creates an unused attribute.  If the graph were
    not rebuilt, the assertions would run against a graph left over from a
    previous Boolean setting and could hide a regression in conditional-rule
    filtering -- confirm the attribute name against InfoFlowAnalysis.
    """

    @classmethod
    def setUpClass(cls):
        """Compile the test policy and build the shared analysis object."""
        cls.p = compile_policy("tests/conditionalinfoflow.conf", mls=False)
        cls.m = PermissionMap("tests/perm_map")
        cls.a = InfoFlowAnalysis(cls.p, cls.m)

    @classmethod
    def tearDownClass(cls):
        """Delete the file at the compiled policy's path."""
        os.unlink(cls.p.path)

    def _check_rule_counts(self, expected):
        """Assert the rule count on each edge through the two flow types.

        expected holds four counts, in this order:
        src -> flow_true, flow_true -> tgt, src -> flow_false,
        flow_false -> tgt.
        """
        src = self.p.lookup_type("src")
        tgt = self.p.lookup_type("tgt")
        via_true = self.p.lookup_type("flow_true")
        via_false = self.p.lookup_type("flow_false")

        edges = (
            (src, via_true),
            (via_true, tgt),
            (src, via_false),
            (via_false, tgt),
        )
        for (tail, head), count in zip(edges, expected):
            self.assertEqual(len(self.a.G.edges[tail, head]["rules"]), count)

    def test_001_keep_conditional_rules(self):
        """Keep all conditional rules.

        With booleans set to None, every one of the four edges is expected
        to carry exactly one rule.
        """
        self.a.booleans = None
        self.a._rebuildgraph = True
        self.a._build_subgraph()

        self._check_rule_counts((1, 1, 1, 1))

    def test_002_default_conditional_rules(self):
        """Keep only default conditional rules.

        With an empty booleans mapping, the flow_true edges are expected to
        hold no rules and the flow_false edges one rule each.
        """
        self.a.booleans = {}
        self.a._rebuildgraph = True
        self.a._build_subgraph()

        self._check_rule_counts((0, 0, 1, 1))

    def test_003_user_conditional_true(self):
        """Keep only conditional rules selected by user specified booleans (True Case.)"""
        self.a.booleans = {"condition": True}
        self.a.rebuildgraph = True
        self.a._build_subgraph()

        # Only the edges through flow_true are expected to keep their rule.
        self._check_rule_counts((1, 1, 0, 0))

    def test_004_user_conditional_false(self):
        """Keep only conditional rules selected by user specified booleans (False Case.)"""
        self.a.booleans = {"condition": False}
        self.a.rebuildgraph = True
        self.a._build_subgraph()

        # Only the edges through flow_false are expected to keep their rule.
        self._check_rule_counts((0, 0, 1, 1))

    def test_005_remaining_edges(self):
        """Keep edges when rules are deleted, but there are still remaining rules on the edge."""
        self.a.booleans = {}
        self.a.rebuildgraph = True
        self.a._build_subgraph()

        src = self.p.lookup_type("src_remain")
        tgt = self.p.lookup_type("tgt_remain")
        via = self.p.lookup_type("flow_remain")

        # Each edge must still exist and hold exactly the one expected rule.
        outbound = self.a.G.edges[src, via]["rules"]
        self.assertEqual(len(outbound), 1)
        self.assertEqual(str(outbound[0]), 'allow src_remain flow_remain:infoflow hi_w;')

        inbound = self.a.G.edges[via, tgt]["rules"]
        self.assertEqual(len(inbound), 1)
        self.assertEqual(str(inbound[0]), 'allow tgt_remain flow_remain:infoflow hi_r;')