Rename IoctlSet to XpermSet
The same class can be used for both ioctl and nlmsg extended
permissions. Rename the current class and mark IoctlSet as deprecated.

Signed-off-by: Thiébaud Weksteen <[email protected]>
tweksteen committed Nov 1, 2024
1 parent e0e687f commit ab4cce4
Showing 9 changed files with 102 additions and 91 deletions.
2 changes: 1 addition & 1 deletion setools/__init__.py
Expand Up @@ -26,7 +26,7 @@
IoctlSet, Iomemcon, IomemconRange, Ioportcon, IoportconRange, Level, LevelDecl, MLSRule, \
Netifcon, Nodecon, ObjClass, Pcidevicecon, Pirqcon, PolicyCapability, Portcon, PortconRange, \
Range, Role, RoleAllow, RoleTransition, Sensitivity, TERule, TruthTableRow, Type, \
TypeAttribute, User, Validatetrans
TypeAttribute, User, Validatetrans, XpermSet

# Exceptions
from . import exception
12 changes: 6 additions & 6 deletions setools/diff/terules.py
Expand Up @@ -41,9 +41,9 @@ class ModifiedAVRuleXperm(DifferenceResult):
"""Difference details for a modified access vector rule."""

rule: policyrep.AVRuleXperm
added_perms: policyrep.IoctlSet
removed_perms: policyrep.IoctlSet
matched_perms: policyrep.IoctlSet
added_perms: policyrep.XpermSet
removed_perms: policyrep.XpermSet
matched_perms: policyrep.XpermSet


@dataclass(frozen=True, order=True)
Expand Down Expand Up @@ -365,9 +365,9 @@ def diff(self) -> None:
if added_perms or removed_perms:
modified.append(
ModifiedAVRuleXperm(left_rule.origin,
policyrep.IoctlSet(added_perms),
policyrep.IoctlSet(removed_perms),
policyrep.IoctlSet(p[0] for p in matched_perms)))
policyrep.XpermSet(added_perms),
policyrep.XpermSet(removed_perms),
policyrep.XpermSet(p[0] for p in matched_perms)))

setattr(self, f"added_{ruletype}s", set(a.origin for a in added))
setattr(self, f"removed_{ruletype}s", set(r.origin for r in removed))
8 changes: 5 additions & 3 deletions setools/policyrep.pyi
Expand Up @@ -43,7 +43,7 @@ class PolicyRule(PolicyObject):
target: "PolicySymbol" = ...
tclass: "ObjClass" = ...
xperm_type: str = ...
perms: frozenset[str] | "IoctlSet" = ...
perms: frozenset[str] | "XpermSet" = ...
default: PolicyObject = ...
filename: str = ...
def enabled(self, **kwargs) -> bool: ...
Expand Down Expand Up @@ -101,7 +101,7 @@ class AVRule(BaseTERule):

class AVRuleXperm(BaseTERule):
default: NoReturn = ...
perms: "IoctlSet" = ...
perms: "XpermSet" = ...
xperm_type: str = ...
def expand(self, *args, **kwargs) -> Iterable["AVRuleXperm"]: ...

Expand Down Expand Up @@ -247,9 +247,11 @@ class IbpkeyconRange:
class InitialSID(Ocontext):
name: str = ...

class IoctlSet(frozenset[int]):
class XpermSet(frozenset[int]):
def ranges(self) -> int: ...

class IoctlSet(XpermSet): ...

class Iomemcon(Ocontext):
addr: "IomemconRange" = ...
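Review bot: The new stub `class IoctlSet(XpermSet): ...` carries no indication that the class is deprecated, so type checkers and editors reading policyrep.pyi give callers no nudge toward XpermSet even though the runtime shim logs a warning. At minimum a comment above it, `# Deprecated: compatibility alias, use XpermSet instead`, records the intent in the stub; where the project's typing baseline permits, the PEP 702 `@deprecated("...")` decorator (`warnings.deprecated` on 3.13, `typing_extensions.deprecated` earlier) would surface it at type-check time as well.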

18 changes: 13 additions & 5 deletions setools/policyrep/terule.pxi
Expand Up @@ -213,11 +213,11 @@ cdef class AVRule(BaseTERule):
return self.rule_string


cdef class IoctlSet(frozenset):
cdef class XpermSet(frozenset):

"""
A set with overridden string functions which compresses
the output into ioctl ranges instead of individual elements.
the output into ioctl/nlmsg ranges instead of individual elements.
"""

def __format__(self, spec):
Expand Down Expand Up @@ -249,7 +249,7 @@ cdef class IoctlSet(frozenset):
elif spec == ",":
return ", ".join(shortlist)
else:
return super(IoctlSet, self).__format__(spec)
return super().__format__(spec)

def __str__(self):
return f"{self}"
Expand All @@ -267,12 +267,20 @@ cdef class IoctlSet(frozenset):
sorted(self), key=lambda k, c=itertools.count(): k - next(c)))


cdef class IoctlSet(XpermSet):

def __init__(self, *args, **kwargs):
log = logging.getLogger(__name__)
log.warning("IoctlSet is deprecated, use XpermSet instead.")
super().__init__(*args, **kwargs)


cdef class AVRuleXperm(BaseTERule):

"""An extended permission access vector type enforcement rule."""

cdef:
readonly IoctlSet perms
readonly XpermSet perms
readonly str xperm_type

@staticmethod
Expand Down Expand Up @@ -322,7 +330,7 @@ cdef class AVRuleXperm(BaseTERule):
r.source = type_or_attr_factory(policy, policy.type_value_to_datum(key.source_type - 1))
r.target = type_or_attr_factory(policy, policy.type_value_to_datum(key.target_type - 1))
r.tclass = ObjClass.factory(policy, policy.class_value_to_datum(key.target_class - 1))
r.perms = IoctlSet(perms)
r.perms = XpermSet(perms)
r.extended = True
r.xperm_type = xperm_type
r._conditional = conditional
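Review bot: The `super().__init__(*args, **kwargs)` call in the new deprecated `IoctlSet.__init__` forwards the iterable to `object.__init__`, because `frozenset` consumes its argument in `__new__` and defines no `__init__` of its own; once a subclass overrides `__init__`, `object.__init__` rejects extra arguments with a TypeError, so `IoctlSet(perms)` would fail on construction instead of merely warning — unless Cython's handling of the inherited slot differs here, which a one-line test such as `IoctlSet((1, 2))` in tests/library would settle. Since the elements are already stored by `__new__`, the shim can simply drop that call: `def __init__(self, *args, **kwargs):` / `logging.getLogger(__name__).warning("IoctlSet is deprecated, use XpermSet instead.")`. Emitting a `DeprecationWarning` via `warnings.warn(..., DeprecationWarning, stacklevel=2)` in place of the log line would also follow the usual deprecation convention and point at the caller.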
6 changes: 3 additions & 3 deletions setools/terulequery.py
Expand Up @@ -80,11 +80,11 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
boolean = CriteriaSetDescriptor[policyrep.Boolean]("boolean_regex", "lookup_boolean")
boolean_regex: bool = False
boolean_equal: bool = False
_xperms: policyrep.IoctlSet | None = None
_xperms: policyrep.XpermSet | None = None
xperms_equal: bool = False

@property
def xperms(self) -> policyrep.IoctlSet | None:
def xperms(self) -> policyrep.XpermSet | None:
return self._xperms

@xperms.setter
Expand All @@ -104,7 +104,7 @@ def xperms(self, value: Iterable[tuple[int, int]] | None) -> None:

pending_xperms.update(i for i in range(low, high + 1))

self._xperms = policyrep.IoctlSet(pending_xperms)
self._xperms = policyrep.XpermSet(pending_xperms)
else:
self._xperms = None

10 changes: 5 additions & 5 deletions tests/library/policyrep/test_rules.py
Expand Up @@ -25,7 +25,7 @@ class RuleTestCase:
type_: type # the rule's policyrep class
tclass: str | None = None
xperm: str | None = None
perms: set[str] | setools.IoctlSet | None = None
perms: set[str] | setools.XpermSet | None = None
default: str | None = None
filename: str | None = None
conditional: str | None = None
Expand Down Expand Up @@ -57,10 +57,10 @@ class RuleTestCase:
default="system", type_=setools.TERule, conditional="a_bool",
statement="type_change type31c type31b:infoflow2 system; [ a_bool ]:False"),
RuleTestCase(setools.TERuletype.allowxperm, "type30", "type31a", tclass="infoflow",
xperm="ioctl", perms=setools.IoctlSet((0x00ff,)), type_=setools.AVRuleXperm,
xperm="ioctl", perms=setools.XpermSet((0x00ff,)), type_=setools.AVRuleXperm,
statement="allowxperm type30 type31a:infoflow ioctl 0x00ff;"),
RuleTestCase(setools.TERuletype.auditallowxperm, "type31a", "type31b", tclass="infoflow",
xperm="ioctl", perms=setools.IoctlSet((1, 2, 3)), type_=setools.AVRuleXperm,
xperm="ioctl", perms=setools.XpermSet((1, 2, 3)), type_=setools.AVRuleXperm,
statement="auditallowxperm type31a type31b:infoflow ioctl 0x0001-0x0003;")]


Expand Down Expand Up @@ -213,5 +213,5 @@ def test_regression(self, compiled_policy: setools.SELinuxPolicy):
# expect 2 rules:
# allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x8910 };
# allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x0-0xff };
assert setools.IoctlSet(range(0x100)) == rules[0].perms, f"{rules[0].perms}"
assert setools.IoctlSet([0x8910]) == rules[1].perms, f"{rules[1].perms}"
assert setools.XpermSet(range(0x100)) == rules[0].perms, f"{rules[0].perms}"
assert setools.XpermSet([0x8910]) == rules[1].perms, f"{rules[1].perms}"
