From b64fcea3797f05da8b14948b620627e1e39e9084 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 14 Jan 2016 18:31:06 -0500
Subject: [PATCH] PolicyDifference: implement policy capabilities diff

Closes #64
---
sediff | 20 ++++++++++++++++-
setools/diff/__init__.py | 2 ++
setools/diff/polcap.py | 47 ++++++++++++++++++++++++++++++++++++++++
tests/diff.py | 19 ++++++++++++++++
tests/diff_left.conf | 4 ++++
tests/diff_right.conf | 4 ++++
6 files changed, 95 insertions(+), 1 deletion(-)
create mode 100644 setools/diff/polcap.py
diff --git a/sediff b/sediff
index d2a8f649..20acd12c 100755
--- a/sediff
+++ b/sediff
@@ -78,6 +78,9 @@ labeling.add_argument("--netifcon", action="store_true", help="Print netifcon di
 labeling.add_argument("--nodecon", action="store_true", help="Print nodecon differences")
 labeling.add_argument("--portcon", action="store_true", help="Print portcon differences")
 
+other = parser.add_argument_group("other differences")
+other.add_argument("--polcap", action="store_true", help="Print policy capability differences")
+
 args = parser.parse_args()
 
 all_differences = not any((args.class_, args.common, args.type_, args.attribute, args.role,
@@ -85,7 +88,7 @@ all_differences = not any((args.class_, args.common, args.type_, args.attribute,
 args.allow, args.neverallow, args.auditallow, args.dontaudit,
 args.type_trans, args.type_change, args.type_member, args.role_allow,
 args.role_trans, args.range_trans, args.initialsid, args.genfscon,
- args.netifcon, args.nodecon, args.portcon, args.fs_use))
+ args.netifcon, args.nodecon, args.portcon, args.fs_use, args.polcap))
 
 if args.debug:
 logging.basicConfig(level=logging.DEBUG,
@@ -902,6 +905,21 @@ try:
 
 print()
 
+ if all_differences or args.polcap:
+ if diff.added_polcaps or diff.removed_polcaps or args.polcap:
+ print("Policy Capabilities ({0} Added, {1} Removed)".format(
+ len(diff.added_polcaps), len(diff.removed_polcaps)))
+ if diff.added_polcaps and not args.stats:
+ print(" Added Policy Capabilities: {0}".format(len(diff.added_polcaps)))
+ for n in sorted(diff.added_polcaps):
+ print(" + {0}".format(n))
+ if diff.removed_polcaps and not args.stats:
+ print(" Removed Policy Capabilities: {0}".format(len(diff.removed_polcaps)))
+ for n in sorted(diff.removed_polcaps):
+ print(" - {0}".format(n))
+
+ print()
+
 except Exception as err:
 if args.debug:
 import traceback
diff --git a/setools/diff/__init__.py b/setools/diff/__init__.py
index 2ca9841a..88e50893 100644
--- a/setools/diff/__init__.py
+++ b/setools/diff/__init__.py
@@ -26,6 +26,7 @@
 from .netifcon import NetifconsDifference
 from .nodecon import NodeconsDifference
 from .objclass import ObjClassDifference
+from .polcap import PolCapsDifference
 from .rbacrules import RBACRulesDifference
 from .roles import RolesDifference
 from .terules import TERulesDifference
@@ -47,6 +48,7 @@ class PolicyDifference(BooleansDifference,
 NetifconsDifference,
 NodeconsDifference,
 ObjClassDifference,
+ PolCapsDifference,
 RBACRulesDifference,
 RolesDifference,
 SensitivitiesDifference,
diff --git a/setools/diff/polcap.py b/setools/diff/polcap.py
new file mode 100644
index 00000000..9c0afe24
--- /dev/null
+++ b/setools/diff/polcap.py
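Review bot: The new polcap section inside sediff's `try:` block (the block begins outside the hunk) gives no hint why it reports only added and removed entries when, judging by the `modified_*` results the tests reference for other symbol types, most sections presumably also report modifications; a one-line comment above `if all_differences or args.polcap:` would save the next reader a trip to polcap.py: `# policy capabilities are on/off flags, so there is no modified set to report`. The header/added/removed/`print()` scaffolding here looks like a repeat of the layout used by the other sections selected through the `all_differences` tuple; if so, a small shared helper taking the title and the two sets would keep the "({0} Added, {1} Removed)" wording in one place, but that is a wider cleanup than this commit.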
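Review bot: `PolCapsDifference` joins the base list of `PolicyDifference` and, as the polcap.py hunk in this patch shows, brings its own `_reset_diff`; the part of the class body that has to invoke each base's reset lies outside this hunk, so it is worth confirming that the reset is driven by iterating the bases rather than by a hand-maintained list, otherwise a stale `added_polcaps`/`removed_polcaps` could survive a change of `left_policy` or `right_policy`. The insertion keeps the alphabetical order of the neighbouring bases and matches the import added in the first hunk of this file.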
@@ -0,0 +1,47 @@
+# Copyright 2016, Tresys Technology, LLC
+#
+# This file is part of SETools.
+#
+# SETools is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation, either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# SETools is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with SETools. If not, see
+# .
+#
+from .descriptors import DiffResultDescriptor
+from .difference import Difference, SymbolWrapper
+
+
+class PolCapsDifference(Difference):
+
+ """Determine the difference in polcaps between two policies."""
+
+ added_polcaps = DiffResultDescriptor("diff_polcaps")
+ removed_polcaps = DiffResultDescriptor("diff_polcaps")
+
+ def diff_polcaps(self):
+ """Generate the difference in polcaps between the policies."""
+
+ self.log.info("Generating policy cap differences from {0.left_policy} to {0.right_policy}".
+ format(self))
+
+ self.added_polcaps, self.removed_polcaps, _ = self._set_diff(
+ (SymbolWrapper(n) for n in self.left_policy.polcaps()),
+ (SymbolWrapper(n) for n in self.right_policy.polcaps()))
+
+ #
+ # Internal functions
+ #
+ def _reset_diff(self):
+ """Reset diff results on policy changes."""
+ self.log.debug("Resetting policy capability differences")
+ self.added_polcaps = None
+ self.removed_polcaps = None
diff --git a/tests/diff.py b/tests/diff.py
index 80a1152f..8c726431 100644
--- a/tests/diff.py
+++ b/tests/diff.py
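Review bot: The `PolCapsDifference` class docstring stops at "Determine the difference in polcaps between two policies" and does not say what a caller gets back; since this mixin, unlike the ones with a modified result, only yields two sets, add a second paragraph stating that policy capabilities are on/off flags, so only `added_polcaps` and `removed_polcaps` are produced (sets the tests in this patch compare directly against capability names) and there is no modified result. On the `self.log.info(...)` line in `diff_polcaps` the message is built eagerly with `str.format` even when INFO logging is disabled; the lazy form `self.log.info("Generating policy cap differences from %s to %s", self.left_policy, self.right_policy)` avoids that, though if the sibling diff modules all use the `.format(self)` style, consistency across the package may matter more.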
@@ -1225,6 +1225,17 @@ def test_modified_nodecons(self):
 self.assertEqual("modified_change_level:object_r:system:s2:c1", added_context)
 self.assertEqual("modified_change_level:object_r:system:s2:c0.c1", removed_context)
 
+ #
+ # Policy capabilities
+ #
+ def test_added_polcaps(self):
+ """Diff: added polcaps."""
+ self.assertSetEqual(set(["always_check_network"]), self.diff.added_polcaps)
+
+ def test_removed_polcaps(self):
+ """Diff: removed polcaps."""
+ self.assertSetEqual(set(["network_peer_controls"]), self.diff.removed_polcaps)
+
 
 class PolicyDifferenceTestNoDiff(unittest.TestCase):
 
@@ -1533,3 +1544,11 @@ def test_removed_nodecons(self):
 def test_modified_nodecons(self):
 """NoDiff: no modified nodecons."""
 self.assertFalse(self.diff.modified_nodecons)
+
+ def test_added_polcaps(self):
+ """NoDiff: no added polcaps."""
+ self.assertFalse(self.diff.added_polcaps)
+
+ def test_removed_polcaps(self):
+ """NoDiff: no removed polcaps."""
+ self.assertFalse(self.diff.removed_polcaps)
diff --git a/tests/diff_left.conf b/tests/diff_left.conf
index 4924fca5..d5fd9a66 100644
--- a/tests/diff_left.conf
+++ b/tests/diff_left.conf
@@ -595,6 +595,10 @@ role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_
 
 ################################################################################
 
+# policycaps
+policycap open_perms;
+policycap network_peer_controls;
+
 #users
 user system roles system level s0 range s0;
 
diff --git a/tests/diff_right.conf b/tests/diff_right.conf
index 7943c848..c20113cf 100644
--- a/tests/diff_right.conf
+++ b/tests/diff_right.conf
@@ -595,6 +595,10 @@ role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_
 
 ################################################################################
 
+# policycaps
+policycap open_perms;
+policycap always_check_network;
+
 #users
 user system roles system level s0 range s0;
 
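Review bot: Both new assertions in `test_added_polcaps` and `test_removed_polcaps` build the expected value with `set([...])`; a set literal is the idiomatic form and reads more directly: `self.assertSetEqual({"always_check_network"}, self.diff.added_polcaps)` and likewise `{"network_peer_controls"}` in the second test. The conf hunks in this patch keep `open_perms` on both sides while swapping the other capability, so these two set-equality checks also confirm that the unchanged capability lands in neither result; the enclosing test class starts outside the hunk.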