From fe0ae7e07781a9c589b38c95410c56f710515c1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
Date: Wed, 23 Oct 2024 10:55:31 +1100
Subject: [PATCH] Add tests for nlmsg extended permission
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The "Test" prefix is added to TERuleQueryXperm to ensure it is executed.
Signed-off-by: ThiƩbaud Weksteen
---
 tests/library/policyrep/rules.conf | 5 +-
 tests/library/policyrep/selinuxpolicy.conf | 213 +++++++++---------
 tests/library/policyrep/test_rules.py | 4 +-
 tests/library/policyrep/test_selinuxpolicy.py | 2 +-
 tests/library/terulequery2.conf | 16 ++
 tests/library/test_terulequery.py | 11 +-
 6 files changed, 139 insertions(+), 112 deletions(-)
diff --git a/tests/library/policyrep/rules.conf b/tests/library/policyrep/rules.conf
index 12329b71..625473cf 100644
--- a/tests/library/policyrep/rules.conf
+++ b/tests/library/policyrep/rules.conf
@@ -17,7 +17,8 @@ common infoflow
 low_r
 med_r
 hi_r
- ioctl
+ ioctl
+ nlmsg
 }
 class infoflow
@@ -120,7 +121,7 @@ if (a_bool) {
 type_transition type31b system:infoflow4 type30 "the_filename";
 allowxperm type30 type31a:infoflow ioctl 0x00ff;
-auditallowxperm type31a type31b:infoflow ioctl { 0x001-0x0003 };
+auditallowxperm type31a type31b:infoflow nlmsg { 0x001-0x0003 };
 allow system self:infoflow hi_w;
 range_transition type30 system:infoflow7 s0:c1 - s2:c0.c4;
diff --git a/tests/library/policyrep/selinuxpolicy.conf b/tests/library/policyrep/selinuxpolicy.conf
index be822706..001f7039 100644
--- a/tests/library/policyrep/selinuxpolicy.conf
+++ b/tests/library/policyrep/selinuxpolicy.conf
@@ -86,6 +86,7 @@ class infoflow6
 setuid
 setpcap
 linux_immutable
+ nlmsg
 }
 class infoflow7
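Review bot: Switching the only `auditallowxperm` rule in rules.conf from `ioctl` to `nlmsg` (the second hunk, `-auditallowxperm type31a type31b:infoflow ioctl { 0x001-0x0003 };` → `+auditallowxperm ... nlmsg ...`) replaces ioctl coverage for that rule type rather than extending it, and the matching RuleTestCase in tests/library/policyrep/test_rules.py (the hunk at `@@ -60,8 +60,8 @@`) makes the same swap. Keeping the original ioctl rule and adding a second rule such as `auditallowxperm type31a type31b:infoflow nlmsg { 0x001-0x0003 };` next to it, with a third RuleTestCase entry for it, would exercise both extended-permission names through statement rendering. Whether another test depends on the exact number of xperm rules in rules.conf cannot be told from these hunks, so the fixture counts would need checking before adding a rule.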
@@ -2026,38 +2027,38 @@ allowxperm type6 type8:infoflow6 ioctl 0x1234;
 allowxperm type7 type9:infoflow6 ioctl 0x1234;
 allowxperm type8 type10:infoflow6 ioctl 0x1234;
 allowxperm type9 type11:infoflow6 ioctl 0x1234;
-allowxperm type10 type12:infoflow6 ioctl 0x1234;
-allowxperm type11 type13:infoflow6 ioctl 0x1234;
-allowxperm type12 type14:infoflow6 ioctl 0x1234;
-allowxperm type13 type15:infoflow6 ioctl 0x1234;
-allowxperm type14 type16:infoflow6 ioctl 0x1234;
-allowxperm type15 type17:infoflow6 ioctl 0x1234;
-allowxperm type16 type18:infoflow6 ioctl 0x1234;
-allowxperm type17 type19:infoflow6 ioctl 0x1234;
-allowxperm type18 type20:infoflow6 ioctl 0x1234;
-allowxperm type19 type21:infoflow6 ioctl 0x1234;
-allowxperm type20 type22:infoflow6 ioctl 0x1234;
-allowxperm type21 type23:infoflow6 ioctl 0x1234;
-allowxperm type22 type24:infoflow6 ioctl 0x1234;
-allowxperm type23 type25:infoflow6 ioctl 0x1234;
-allowxperm type24 type26:infoflow6 ioctl 0x1234;
-allowxperm type25 type27:infoflow6 ioctl 0x1234;
-allowxperm type26 type28:infoflow6 ioctl 0x1234;
-allowxperm type27 type29:infoflow6 ioctl 0x1234;
-allowxperm type28 type30:infoflow6 ioctl 0x1234;
-allowxperm type29 type31:infoflow6 ioctl 0x1234;
-allowxperm type30 type32:infoflow6 ioctl 0x1234;
-allowxperm type31 type33:infoflow6 ioctl 0x1234;
-allowxperm type32 type34:infoflow6 ioctl 0x1234;
-allowxperm type33 type35:infoflow6 ioctl 0x1234;
-allowxperm type34 type36:infoflow6 ioctl 0x1234;
-allowxperm type35 type37:infoflow6 ioctl 0x1234;
-allowxperm type36 type38:infoflow6 ioctl 0x1234;
-allowxperm type37 type39:infoflow6 ioctl 0x1234;
-allowxperm type38 type40:infoflow6 ioctl 0x1234;
-allowxperm type39 type41:infoflow6 ioctl 0x1234;
-allowxperm type40 type42:infoflow6 ioctl 0x1234;
-allowxperm type41 type43:infoflow6 ioctl 0x1234;
+allowxperm type10 type12:infoflow6 nlmsg 0x1234;
+allowxperm type11 type13:infoflow6 nlmsg 0x1234;
+allowxperm type12 type14:infoflow6 nlmsg 0x1234;
+allowxperm type13 type15:infoflow6 nlmsg 0x1234;
+allowxperm type14 type16:infoflow6 nlmsg 0x1234;
+allowxperm type15 type17:infoflow6 nlmsg 0x1234;
+allowxperm type16 type18:infoflow6 nlmsg 0x1234;
+allowxperm type17 type19:infoflow6 nlmsg 0x1234;
+allowxperm type18 type20:infoflow6 nlmsg 0x1234;
+allowxperm type19 type21:infoflow6 nlmsg 0x1234;
+allowxperm type20 type22:infoflow6 nlmsg 0x1234;
+allowxperm type21 type23:infoflow6 nlmsg 0x1234;
+allowxperm type22 type24:infoflow6 nlmsg 0x1234;
+allowxperm type23 type25:infoflow6 nlmsg 0x1234;
+allowxperm type24 type26:infoflow6 nlmsg 0x1234;
+allowxperm type25 type27:infoflow6 nlmsg 0x1234;
+allowxperm type26 type28:infoflow6 nlmsg 0x1234;
+allowxperm type27 type29:infoflow6 nlmsg 0x1234;
+allowxperm type28 type30:infoflow6 nlmsg 0x1234;
+allowxperm type29 type31:infoflow6 nlmsg 0x1234;
+allowxperm type30 type32:infoflow6 nlmsg 0x1234;
+allowxperm type31 type33:infoflow6 nlmsg 0x1234;
+allowxperm type32 type34:infoflow6 nlmsg 0x1234;
+allowxperm type33 type35:infoflow6 nlmsg 0x1234;
+allowxperm type34 type36:infoflow6 nlmsg 0x1234;
+allowxperm type35 type37:infoflow6 nlmsg 0x1234;
+allowxperm type36 type38:infoflow6 nlmsg 0x1234;
+allowxperm type37 type39:infoflow6 nlmsg 0x1234;
+allowxperm type38 type40:infoflow6 nlmsg 0x1234;
+allowxperm type39 type41:infoflow6 nlmsg 0x1234;
+allowxperm type40 type42:infoflow6 nlmsg 0x1234;
+allowxperm type41 type43:infoflow6 nlmsg 0x1234;
 # 181 auditallowxperm rules
 auditallowxperm type0 type2:infoflow6 ioctl 0x1234;
@@ -2207,40 +2208,40 @@ auditallowxperm type6 type9:infoflow6 ioctl 0x1234;
 auditallowxperm type7 type10:infoflow6 ioctl 0x1234;
 auditallowxperm type8 type11:infoflow6 ioctl 0x1234;
 auditallowxperm type9 type12:infoflow6 ioctl 0x1234;
-auditallowxperm type10 type13:infoflow6 ioctl 0x1234;
-auditallowxperm type11 type14:infoflow6 ioctl 0x1234;
-auditallowxperm type12 type15:infoflow6 ioctl 0x1234;
-auditallowxperm type13 type16:infoflow6 ioctl 0x1234;
-auditallowxperm type14 type17:infoflow6 ioctl 0x1234;
-auditallowxperm type15 type18:infoflow6 ioctl 0x1234;
-auditallowxperm type16 type19:infoflow6 ioctl 0x1234;
-auditallowxperm type17 type20:infoflow6 ioctl 0x1234;
-auditallowxperm type18 type21:infoflow6 ioctl 0x1234;
-auditallowxperm type19 type22:infoflow6 ioctl 0x1234;
-auditallowxperm type20 type23:infoflow6 ioctl 0x1234;
-auditallowxperm type21 type24:infoflow6 ioctl 0x1234;
-auditallowxperm type22 type25:infoflow6 ioctl 0x1234;
-auditallowxperm type23 type26:infoflow6 ioctl 0x1234;
-auditallowxperm type24 type27:infoflow6 ioctl 0x1234;
-auditallowxperm type25 type28:infoflow6 ioctl 0x1234;
-auditallowxperm type26 type29:infoflow6 ioctl 0x1234;
-auditallowxperm type27 type30:infoflow6 ioctl 0x1234;
-auditallowxperm type28 type31:infoflow6 ioctl 0x1234;
-auditallowxperm type29 type32:infoflow6 ioctl 0x1234;
-auditallowxperm type30 type33:infoflow6 ioctl 0x1234;
-auditallowxperm type31 type34:infoflow6 ioctl 0x1234;
-auditallowxperm type32 type35:infoflow6 ioctl 0x1234;
-auditallowxperm type33 type36:infoflow6 ioctl 0x1234;
-auditallowxperm type34 type37:infoflow6 ioctl 0x1234;
-auditallowxperm type35 type38:infoflow6 ioctl 0x1234;
-auditallowxperm type36 type39:infoflow6 ioctl 0x1234;
-auditallowxperm type37 type40:infoflow6 ioctl 0x1234;
-auditallowxperm type38 type41:infoflow6 ioctl 0x1234;
-auditallowxperm type39 type42:infoflow6 ioctl 0x1234;
-auditallowxperm type40 type43:infoflow6 ioctl 0x1234;
-auditallowxperm type41 type44:infoflow6 ioctl 0x1234;
-auditallowxperm type42 type45:infoflow6 ioctl 0x1234;
-auditallowxperm type43 type46:infoflow6 ioctl 0x1234;
+auditallowxperm type10 type13:infoflow6 nlmsg 0x1234;
+auditallowxperm type11 type14:infoflow6 nlmsg 0x1234;
+auditallowxperm type12 type15:infoflow6 nlmsg 0x1234;
+auditallowxperm type13 type16:infoflow6 nlmsg 0x1234;
+auditallowxperm type14 type17:infoflow6 nlmsg 0x1234;
+auditallowxperm type15 type18:infoflow6 nlmsg 0x1234;
+auditallowxperm type16 type19:infoflow6 nlmsg 0x1234;
+auditallowxperm type17 type20:infoflow6 nlmsg 0x1234;
+auditallowxperm type18 type21:infoflow6 nlmsg 0x1234;
+auditallowxperm type19 type22:infoflow6 nlmsg 0x1234;
+auditallowxperm type20 type23:infoflow6 nlmsg 0x1234;
+auditallowxperm type21 type24:infoflow6 nlmsg 0x1234;
+auditallowxperm type22 type25:infoflow6 nlmsg 0x1234;
+auditallowxperm type23 type26:infoflow6 nlmsg 0x1234;
+auditallowxperm type24 type27:infoflow6 nlmsg 0x1234;
+auditallowxperm type25 type28:infoflow6 nlmsg 0x1234;
+auditallowxperm type26 type29:infoflow6 nlmsg 0x1234;
+auditallowxperm type27 type30:infoflow6 nlmsg 0x1234;
+auditallowxperm type28 type31:infoflow6 nlmsg 0x1234;
+auditallowxperm type29 type32:infoflow6 nlmsg 0x1234;
+auditallowxperm type30 type33:infoflow6 nlmsg 0x1234;
+auditallowxperm type31 type34:infoflow6 nlmsg 0x1234;
+auditallowxperm type32 type35:infoflow6 nlmsg 0x1234;
+auditallowxperm type33 type36:infoflow6 nlmsg 0x1234;
+auditallowxperm type34 type37:infoflow6 nlmsg 0x1234;
+auditallowxperm type35 type38:infoflow6 nlmsg 0x1234;
+auditallowxperm type36 type39:infoflow6 nlmsg 0x1234;
+auditallowxperm type37 type40:infoflow6 nlmsg 0x1234;
+auditallowxperm type38 type41:infoflow6 nlmsg 0x1234;
+auditallowxperm type39 type42:infoflow6 nlmsg 0x1234;
+auditallowxperm type40 type43:infoflow6 nlmsg 0x1234;
+auditallowxperm type41 type44:infoflow6 nlmsg 0x1234;
+auditallowxperm type42 type45:infoflow6 nlmsg 0x1234;
+auditallowxperm type43 type46:infoflow6 nlmsg 0x1234;
 # 191 neverallowxperm rules
 neverallowxperm type0 type4:infoflow6 ioctl 0x1234;
@@ -2420,20 +2421,20 @@ neverallowxperm type36 type41:infoflow6 ioctl 0x1234;
 neverallowxperm type37 type42:infoflow6 ioctl 0x1234;
 neverallowxperm type38 type43:infoflow6 ioctl 0x1234;
 neverallowxperm type39 type44:infoflow6 ioctl 0x1234;
-neverallowxperm type40 type45:infoflow6 ioctl 0x1234;
-neverallowxperm type41 type46:infoflow6 ioctl 0x1234;
-neverallowxperm type42 type47:infoflow6 ioctl 0x1234;
-neverallowxperm type43 type48:infoflow6 ioctl 0x1234;
-neverallowxperm type44 type49:infoflow6 ioctl 0x1234;
-neverallowxperm type45 type50:infoflow6 ioctl 0x1234;
-neverallowxperm type46 type51:infoflow6 ioctl 0x1234;
-neverallowxperm type47 type52:infoflow6 ioctl 0x1234;
-neverallowxperm type48 type53:infoflow6 ioctl 0x1234;
-neverallowxperm type49 type54:infoflow6 ioctl 0x1234;
-neverallowxperm type50 type55:infoflow6 ioctl 0x1234;
-neverallowxperm type51 type56:infoflow6 ioctl 0x1234;
-neverallowxperm type52 type57:infoflow6 ioctl 0x1234;
-neverallowxperm type53 type58:infoflow6 ioctl 0x1234;
+neverallowxperm type40 type45:infoflow6 nlmsg 0x1234;
+neverallowxperm type41 type46:infoflow6 nlmsg 0x1234;
+neverallowxperm type42 type47:infoflow6 nlmsg 0x1234;
+neverallowxperm type43 type48:infoflow6 nlmsg 0x1234;
+neverallowxperm type44 type49:infoflow6 nlmsg 0x1234;
+neverallowxperm type45 type50:infoflow6 nlmsg 0x1234;
+neverallowxperm type46 type51:infoflow6 nlmsg 0x1234;
+neverallowxperm type47 type52:infoflow6 nlmsg 0x1234;
+neverallowxperm type48 type53:infoflow6 nlmsg 0x1234;
+neverallowxperm type49 type54:infoflow6 nlmsg 0x1234;
+neverallowxperm type50 type55:infoflow6 nlmsg 0x1234;
+neverallowxperm type51 type56:infoflow6 nlmsg 0x1234;
+neverallowxperm type52 type57:infoflow6 nlmsg 0x1234;
+neverallowxperm type53 type58:infoflow6 nlmsg 0x1234;
 # 193 dontauditxperm rules
 dontauditxperm type0 type5:infoflow6 ioctl 0x1234;
@@ -2603,32 +2604,32 @@ dontauditxperm type26 type32:infoflow6 ioctl 0x1234;
 dontauditxperm type27 type33:infoflow6 ioctl 0x1234;
 dontauditxperm type28 type34:infoflow6 ioctl 0x1234;
 dontauditxperm type29 type35:infoflow6 ioctl 0x1234;
-dontauditxperm type30 type36:infoflow6 ioctl 0x1234;
-dontauditxperm type31 type37:infoflow6 ioctl 0x1234;
-dontauditxperm type32 type38:infoflow6 ioctl 0x1234;
-dontauditxperm type33 type39:infoflow6 ioctl 0x1234;
-dontauditxperm type34 type40:infoflow6 ioctl 0x1234;
-dontauditxperm type35 type41:infoflow6 ioctl 0x1234;
-dontauditxperm type36 type42:infoflow6 ioctl 0x1234;
-dontauditxperm type37 type43:infoflow6 ioctl 0x1234;
-dontauditxperm type38 type44:infoflow6 ioctl 0x1234;
-dontauditxperm type39 type45:infoflow6 ioctl 0x1234;
-dontauditxperm type40 type46:infoflow6 ioctl 0x1234;
-dontauditxperm type41 type47:infoflow6 ioctl 0x1234;
-dontauditxperm type42 type48:infoflow6 ioctl 0x1234;
-dontauditxperm type43 type49:infoflow6 ioctl 0x1234;
-dontauditxperm type44 type50:infoflow6 ioctl 0x1234;
-dontauditxperm type45 type51:infoflow6 ioctl 0x1234;
-dontauditxperm type46 type52:infoflow6 ioctl 0x1234;
-dontauditxperm type47 type53:infoflow6 ioctl 0x1234;
-dontauditxperm type48 type54:infoflow6 ioctl 0x1234;
-dontauditxperm type49 type55:infoflow6 ioctl 0x1234;
-dontauditxperm type50 type56:infoflow6 ioctl 0x1234;
-dontauditxperm type51 type57:infoflow6 ioctl 0x1234;
-dontauditxperm type52 type58:infoflow6 ioctl 0x1234;
-dontauditxperm type53 type59:infoflow6 ioctl 0x1234;
-dontauditxperm type54 type60:infoflow6 ioctl 0x1234;
-dontauditxperm type55 type61:infoflow6 ioctl 0x1234;
+dontauditxperm type30 type36:infoflow6 nlmsg 0x1234;
+dontauditxperm type31 type37:infoflow6 nlmsg 0x1234;
+dontauditxperm type32 type38:infoflow6 nlmsg 0x1234;
+dontauditxperm type33 type39:infoflow6 nlmsg 0x1234;
+dontauditxperm type34 type40:infoflow6 nlmsg 0x1234;
+dontauditxperm type35 type41:infoflow6 nlmsg 0x1234;
+dontauditxperm type36 type42:infoflow6 nlmsg 0x1234;
+dontauditxperm type37 type43:infoflow6 nlmsg 0x1234;
+dontauditxperm type38 type44:infoflow6 nlmsg 0x1234;
+dontauditxperm type39 type45:infoflow6 nlmsg 0x1234;
+dontauditxperm type40 type46:infoflow6 nlmsg 0x1234;
+dontauditxperm type41 type47:infoflow6 nlmsg 0x1234;
+dontauditxperm type42 type48:infoflow6 nlmsg 0x1234;
+dontauditxperm type43 type49:infoflow6 nlmsg 0x1234;
+dontauditxperm type44 type50:infoflow6 nlmsg 0x1234;
+dontauditxperm type45 type51:infoflow6 nlmsg 0x1234;
+dontauditxperm type46 type52:infoflow6 nlmsg 0x1234;
+dontauditxperm type47 type53:infoflow6 nlmsg 0x1234;
+dontauditxperm type48 type54:infoflow6 nlmsg 0x1234;
+dontauditxperm type49 type55:infoflow6 nlmsg 0x1234;
+dontauditxperm type50 type56:infoflow6 nlmsg 0x1234;
+dontauditxperm type51 type57:infoflow6 nlmsg 0x1234;
+dontauditxperm type52 type58:infoflow6 nlmsg 0x1234;
+dontauditxperm type53 type59:infoflow6 nlmsg 0x1234;
+dontauditxperm type54 type60:infoflow6 nlmsg 0x1234;
+dontauditxperm type55 type61:infoflow6 nlmsg 0x1234;
 ################################################################################
diff --git a/tests/library/policyrep/test_rules.py b/tests/library/policyrep/test_rules.py
index 36281763..87e026b5 100644
--- a/tests/library/policyrep/test_rules.py
+++ b/tests/library/policyrep/test_rules.py
@@ -60,8 +60,8 @@ class RuleTestCase:
 xperm="ioctl", perms=setools.XpermSet((0x00ff,)), type_=setools.AVRuleXperm,
 statement="allowxperm type30 type31a:infoflow ioctl 0x00ff;"),
 RuleTestCase(setools.TERuletype.auditallowxperm, "type31a", "type31b", tclass="infoflow",
- xperm="ioctl", perms=setools.XpermSet((1, 2, 3)), type_=setools.AVRuleXperm,
- statement="auditallowxperm type31a type31b:infoflow ioctl 0x0001-0x0003;")]
+ xperm="nlmsg", perms=setools.XpermSet((1, 2, 3)), type_=setools.AVRuleXperm,
+ statement="auditallowxperm type31a type31b:infoflow nlmsg 0x0001-0x0003;")]
 @pytest.mark.obj_args("tests/library/policyrep/rules.conf")
diff --git a/tests/library/policyrep/test_selinuxpolicy.py b/tests/library/policyrep/test_selinuxpolicy.py
index 67ae328a..4c7ed11b 100644
--- a/tests/library/policyrep/test_selinuxpolicy.py
+++ b/tests/library/policyrep/test_selinuxpolicy.py
@@ -115,7 +115,7 @@ def test_nodecon_count(self, compiled_policy: setools.SELinuxPolicy) -> None:
 def test_permission_count(self, compiled_policy: setools.SELinuxPolicy) -> None:
 """SELinuxPolicy: permission count"""
- assert compiled_policy.permission_count == 29
+ assert compiled_policy.permission_count == 30
 def test_permissive_types_count(self, compiled_policy: setools.SELinuxPolicy) -> None:
 """SELinuxPolicy: permissive types count"""
diff --git a/tests/library/terulequery2.conf b/tests/library/terulequery2.conf
index c9f67cd1..a93c3d67 100644
--- a/tests/library/terulequery2.conf
+++ b/tests/library/terulequery2.conf
@@ -5,6 +5,7 @@ class infoflow4
 class infoflow5
 class infoflow6
 class infoflow7
+class infoflow8
 sid kernel
 sid security
@@ -54,6 +55,11 @@ inherits infoflow
 super_unmapped
 }
+class infoflow8
+{
+ nlmsg
+}
+
 sensitivity low_s;
 sensitivity medium_s alias med;
 sensitivity high_s;
@@ -245,6 +251,16 @@ allowxperm test101b self:infoflow7 ioctl { 0x9011-0x9012 };
 allowxperm test101c self:infoflow7 ioctl { 0x9011-0x9013 };
 allowxperm test101d self:infoflow7 ioctl { 0x9011-0x9014 };
+# test 102
+# ruletype: unset
+# source: test102a, direct, no regex
+# target: unset
+# class: unset
+# perms: unset
+attribute test102a;
+type test102s, test102a;
+type test102t;
+allowxperm test102a test102t:infoflow8 nlmsg { 0x01-0xf1 };
 ############# END XPERM ############################
 role system;
diff --git a/tests/library/test_terulequery.py b/tests/library/test_terulequery.py
index 04737f48..fe109381 100644
--- a/tests/library/test_terulequery.py
+++ b/tests/library/test_terulequery.py
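Review bot: The `# test 102` header block in terulequery2.conf lists ruletype/source/target/class/perms but not the one thing this case exists for, the `nlmsg` extended permission on the new `infoflow8` class, so a reader scanning the headers cannot tell it apart from the plain source-match cases. Add a line in the same style, `# xperm: nlmsg (class infoflow8)`, to the header. The attribute `test102a` is given a single member type `test102s` that no rule uses; this appears to be there so the direct/indirect source distinction is meaningful, and a comment such as `# test102s is a member of test102a only; it is not a rule source` would save the next reader that inference.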
@@ -289,7 +289,7 @@ def test_issue111_3(self, compiled_policy: setools.SELinuxPolicy) -> None:
 @pytest.mark.obj_args("tests/library/terulequery2.conf")
-class TERuleQueryXperm:
+class TestTERuleQueryXperm:
 """TE Rule Query with extended permission rules."""
@@ -463,3 +463,12 @@ def test_xperm_equal(self, compiled_policy: setools.SELinuxPolicy) -> None:
 util.validate_rule(r[0], TRT.allowxperm, "test101c", "test101c", tclass="infoflow7",
 perms=setools.XpermSet([0x9011, 0x9012, 0x9013]), xperm="ioctl")
+ def test_nlmsg(self, compiled_policy: setools.SELinuxPolicy) -> None:
+ """Xperm rule query with exact, direct, source match."""
+ q = TERuleQuery(
+ compiled_policy, source="test102a", source_indirect=False, source_regex=False)
+ r = sorted(q.results())
+ assert len(r) == 1
+ util.validate_rule(r[0], TRT.allowxperm, "test102a", "test102t", tclass="infoflow8",
+ perms=setools.XpermSet(range(0x1, 0xf1+1)), xperm="nlmsg")
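Review bot: The docstring on `test_nlmsg`, `"""Xperm rule query with exact, direct, source match."""`, describes the source-filter setup but not what distinguishes this test, the `nlmsg` extended permission on class `infoflow8`; suggest `"""Xperm rule query returning an nlmsg extended-permission rule (exact, direct source match)."""`. The query filters only on the source type, so `assert len(r) == 1` depends on `test102a` being the source of exactly one rule in terulequery2.conf and the nlmsg check happens only in `util.validate_rule`; a short comment saying so, e.g. `# test102a is the source of a single rule; the xperm name is checked by validate_rule`, would keep a later fixture addition from turning this into a confusing count failure. Minor style: `range(0x1, 0xf1+1)` should read `range(0x1, 0xf1 + 1)` per PEP 8. The enclosing class `TestTERuleQueryXperm` starts outside this hunk.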