Rename IoctlSet to XpermSet

The same class can be used for both ioctl and nlmsg extended
permissions. Rename the current class and mark IoctlSet as deprecated.

Signed-off-by: Thiébaud Weksteen <tweek@google.com>

Author: tweksteen

setools/__init__.py

@@ -26,7 +26,7 @@
     IoctlSet, Iomemcon, IomemconRange, Ioportcon, IoportconRange, Level, LevelDecl, MLSRule, \
     Netifcon, Nodecon, ObjClass, Pcidevicecon, Pirqcon, PolicyCapability, Portcon, PortconRange, \
     Range, Role, RoleAllow, RoleTransition, Sensitivity, TERule, TruthTableRow, Type, \
-    TypeAttribute, User, Validatetrans
+    TypeAttribute, User, Validatetrans, XpermSet
 
 # Exceptions
 from . import exception

setools/diff/terules.py

@@ -41,9 +41,9 @@ class ModifiedAVRuleXperm(DifferenceResult):
     """Difference details for a modified access vector rule."""
 
     rule: policyrep.AVRuleXperm
-    added_perms: policyrep.IoctlSet
-    removed_perms: policyrep.IoctlSet
-    matched_perms: policyrep.IoctlSet
+    added_perms: policyrep.XpermSet
+    removed_perms: policyrep.XpermSet
+    matched_perms: policyrep.XpermSet
 
 
 @dataclass(frozen=True, order=True)
@@ -365,9 +365,9 @@ def diff(self) -> None:
             if added_perms or removed_perms:
                 modified.append(
                     ModifiedAVRuleXperm(left_rule.origin,
-                                        policyrep.IoctlSet(added_perms),
-                                        policyrep.IoctlSet(removed_perms),
-                                        policyrep.IoctlSet(p[0] for p in matched_perms)))
+                                        policyrep.XpermSet(added_perms),
+                                        policyrep.XpermSet(removed_perms),
+                                        policyrep.XpermSet(p[0] for p in matched_perms)))
 
         setattr(self, f"added_{ruletype}s", set(a.origin for a in added))
         setattr(self, f"removed_{ruletype}s", set(r.origin for r in removed))

setools/policyrep.pyi

@@ -43,7 +43,7 @@ class PolicyRule(PolicyObject):
     target: "PolicySymbol" = ...
     tclass: "ObjClass" = ...
     xperm_type: str = ...
-    perms: frozenset[str] | "IoctlSet" = ...
+    perms: frozenset[str] | "XpermSet" = ...
     default: PolicyObject = ...
     filename: str = ...
     def enabled(self, **kwargs) -> bool: ...
@@ -101,7 +101,7 @@ class AVRule(BaseTERule):
 
 class AVRuleXperm(BaseTERule):
     default: NoReturn = ...
-    perms: "IoctlSet" = ...
+    perms: "XpermSet" = ...
     xperm_type: str = ...
     def expand(self, *args, **kwargs) -> Iterable["AVRuleXperm"]: ...
 
@@ -247,9 +247,11 @@ class IbpkeyconRange:
 class InitialSID(Ocontext):
     name: str = ...
 
-class IoctlSet(frozenset[int]):
+class XpermSet(frozenset[int]):
     def ranges(self) -> int: ...
 
+class IoctlSet(XpermSet): ...
+
 class Iomemcon(Ocontext):
     addr: "IomemconRange" = ...
 

setools/policyrep/terule.pxi

@@ -213,11 +213,11 @@ cdef class AVRule(BaseTERule):
         return self.rule_string
 
 
-cdef class IoctlSet(frozenset):
+cdef class XpermSet(frozenset):
 
     """
     A set with overridden string functions which compresses
-    the output into ioctl ranges instead of individual elements.
+    the output into ioctl/nlmsg ranges instead of individual elements.
     """
 
     def __format__(self, spec):
@@ -249,7 +249,7 @@ cdef class IoctlSet(frozenset):
         elif spec == ",":
             return ", ".join(shortlist)
         else:
-            return super(IoctlSet, self).__format__(spec)
+            return super().__format__(spec)
 
     def __str__(self):
         return f"{self}"
@@ -267,12 +267,20 @@ cdef class IoctlSet(frozenset):
             sorted(self), key=lambda k, c=itertools.count(): k - next(c)))
 
 
+cdef class IoctlSet(XpermSet):
+
+    def __init__(self, *args, **kwargs):
+        log = logging.getLogger(__name__)
+        log.warning("IoctlSet is deprecated, use XpermSet instead.")
+        super().__init__(*args, **kwargs)
+
+
 cdef class AVRuleXperm(BaseTERule):
 
     """An extended permission access vector type enforcement rule."""
 
     cdef:
-        readonly IoctlSet perms
+        readonly XpermSet perms
         readonly str xperm_type
 
     @staticmethod
@@ -322,7 +330,7 @@ cdef class AVRuleXperm(BaseTERule):
         r.source = type_or_attr_factory(policy, policy.type_value_to_datum(key.source_type - 1))
         r.target = type_or_attr_factory(policy, policy.type_value_to_datum(key.target_type - 1))
         r.tclass = ObjClass.factory(policy, policy.class_value_to_datum(key.target_class - 1))
-        r.perms = IoctlSet(perms)
+        r.perms = XpermSet(perms)
         r.extended = True
         r.xperm_type = xperm_type
         r._conditional = conditional

setools/terulequery.py

@@ -80,11 +80,11 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
     boolean = CriteriaSetDescriptor[policyrep.Boolean]("boolean_regex", "lookup_boolean")
     boolean_regex: bool = False
     boolean_equal: bool = False
-    _xperms: policyrep.IoctlSet | None = None
+    _xperms: policyrep.XpermSet | None = None
     xperms_equal: bool = False
 
     @property
-    def xperms(self) -> policyrep.IoctlSet | None:
+    def xperms(self) -> policyrep.XpermSet | None:
         return self._xperms
 
     @xperms.setter
@@ -104,7 +104,7 @@ def xperms(self, value: Iterable[tuple[int, int]] | None) -> None:
 
                 pending_xperms.update(i for i in range(low, high + 1))
 
-            self._xperms = policyrep.IoctlSet(pending_xperms)
+            self._xperms = policyrep.XpermSet(pending_xperms)
         else:
             self._xperms = None
 

tests/library/policyrep/test_rules.py

@@ -25,7 +25,7 @@ class RuleTestCase:
     type_: type  # the rule's policyrep class
     tclass: str | None = None
     xperm: str | None = None
-    perms: set[str] | setools.IoctlSet | None = None
+    perms: set[str] | setools.XpermSet | None = None
     default: str | None = None
     filename: str | None = None
     conditional: str | None = None
@@ -57,10 +57,10 @@ class RuleTestCase:
                  default="system", type_=setools.TERule, conditional="a_bool",
                  statement="type_change type31c type31b:infoflow2 system; [ a_bool ]:False"),
     RuleTestCase(setools.TERuletype.allowxperm, "type30", "type31a", tclass="infoflow",
-                 xperm="ioctl", perms=setools.IoctlSet((0x00ff,)), type_=setools.AVRuleXperm,
+                 xperm="ioctl", perms=setools.XpermSet((0x00ff,)), type_=setools.AVRuleXperm,
                  statement="allowxperm type30 type31a:infoflow ioctl 0x00ff;"),
     RuleTestCase(setools.TERuletype.auditallowxperm, "type31a", "type31b", tclass="infoflow",
-                 xperm="ioctl", perms=setools.IoctlSet((1, 2, 3)), type_=setools.AVRuleXperm,
+                 xperm="ioctl", perms=setools.XpermSet((1, 2, 3)), type_=setools.AVRuleXperm,
                  statement="auditallowxperm type31a type31b:infoflow ioctl 0x0001-0x0003;")]
 
 
@@ -213,5 +213,5 @@ def test_regression(self, compiled_policy: setools.SELinuxPolicy):
         # expect 2 rules:
         # allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x8910 };
         # allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x0-0xff };
-        assert setools.IoctlSet(range(0x100)) == rules[0].perms, f"{rules[0].perms}"
-        assert setools.IoctlSet([0x8910]) == rules[1].perms, f"{rules[1].perms}"
+        assert setools.XpermSet(range(0x100)) == rules[0].perms, f"{rules[0].perms}"
+        assert setools.XpermSet([0x8910]) == rules[1].perms, f"{rules[1].perms}"