# Authors: Karl MacMillan <[email protected]>
#
# Copyright (C) 2006 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#

import unittest
import sepolgen.refparser as refparser
import sepolgen.refpolicy as refpolicy

# Reference-policy interface source (m4 macros) used as parser input.
# It covers allow rules with set syntax, typeattribute, conditionals
# with and without an else branch, optional_policy, tunable_policy and
# calls to other interfaces.
interface_example = """########################################
## <summary>
##    Search the content of /etc.
## </summary>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`files_search_usr',`
    gen_require(`
        type usr_t;
    ')

    allow $1 usr_t:dir search;
    allow { domain $1 } { usr_t usr_home_t }:{ file dir } { read write getattr };
    typeattribute $1 file_type;

    if (foo) {
        allow $1 foo:bar baz;
    }

    if (bar) {
        allow $1 foo:bar baz;
    } else {
        allow $1 foo:bar baz;
    }
')

########################################
## <summary>
##    List the contents of generic
##    directories in /usr.
## </summary>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`files_list_usr',`
    gen_require(`
        type usr_t;
    ')

    allow $1 usr_t:dir { read getattr };

    optional_policy(`
        search_usr($1)
    ')

    tunable_policy(`foo',`
        whatever($1)
    ')

')

########################################
## <summary>
##    Execute generic programs in /usr in the caller domain.
## </summary>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`files_exec_usr_files',`
    gen_require(`
        type usr_t;
    ')

    allow $1 usr_t:dir read;
    allow $1 usr_t:lnk_file { read getattr };
    can_exec($1,usr_t)
    can_foo($1)

')
"""

class TestParser(unittest.TestCase):
    def test_interface_parsing(self):
        # Smoke test: the parser must accept the sample without raising.
        # The structural assertions below are disabled in the source.
        h = refparser.parse(interface_example)
        #print ""
        #refpolicy.print_tree(h)
        #self.assertEqual(len(h.interfaces), 3)

        name = "files_search_usr"
        #i = h.interfaces[name]
        #self.assertEqual(i.name, name)
        #self.assertEqual(len(i.rules), 1)
        #rule = i.rules[0]
        #self.assertTrue(isinstance(rule, refpolicy.AVRule))