selinux/policy/

constraints.rs

// Copyright 2025 The Fuchsia Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

use super::extensible_bitmap::ExtensibleBitmap;
use super::security_context::{Level, SecurityContext, SecurityLevel};
use super::symbols::{
    ConstraintExpr, ConstraintTerm, CONSTRAINT_EXPR_OPERAND_TYPE_H1_H2,
    CONSTRAINT_EXPR_OPERAND_TYPE_H1_L2, CONSTRAINT_EXPR_OPERAND_TYPE_L1_H1,
    CONSTRAINT_EXPR_OPERAND_TYPE_L1_H2, CONSTRAINT_EXPR_OPERAND_TYPE_L1_L2,
    CONSTRAINT_EXPR_OPERAND_TYPE_L2_H2, CONSTRAINT_EXPR_OPERAND_TYPE_ROLE,
    CONSTRAINT_EXPR_OPERAND_TYPE_TYPE, CONSTRAINT_EXPR_OPERAND_TYPE_USER,
    CONSTRAINT_EXPR_OPERATOR_TYPE_DOM, CONSTRAINT_EXPR_OPERATOR_TYPE_DOMBY,
    CONSTRAINT_EXPR_OPERATOR_TYPE_EQ, CONSTRAINT_EXPR_OPERATOR_TYPE_INCOMP,
    CONSTRAINT_EXPR_OPERATOR_TYPE_NE, CONSTRAINT_EXPR_WITH_NAMES_OPERAND_TYPE_TARGET_MASK,
    CONSTRAINT_TERM_TYPE_AND_OPERATOR, CONSTRAINT_TERM_TYPE_EXPR,
    CONSTRAINT_TERM_TYPE_EXPR_WITH_NAMES, CONSTRAINT_TERM_TYPE_NOT_OPERATOR,
    CONSTRAINT_TERM_TYPE_OR_OPERATOR,
};
use super::{ParseStrategy, RoleId, TypeId, UserId};

use std::cmp::Ordering;
use std::collections::HashSet;
use std::num::NonZeroU32;
use thiserror::Error;

#[derive(Clone, Debug, Error, Eq, PartialEq)]
pub(super) enum ConstraintError {
    #[error("missing names for constraint term")]
    MissingNames,
    #[error("invalid constraint term type {type_:?}")]
    InvalidTermType { type_: u32 },
    #[error("invalid operator type for context expression: {type_:?}")]
    InvalidContextOperatorType { type_: u32 },
    #[error("invalid operand type for context expression: {type_:?}")]
    InvalidContextOperandType { type_: u32 },
    #[error("invalid operand type for context expression with names: {type_:?}")]
    InvalidContextWithNamesOperandType { type_: u32 },
    #[error("invalid operator type {operator:?} for operands ({left:?}, {right:?})")]
    InvalidContextOperatorForOperands {
        operator: ContextOperator,
        left: ContextOperand,
        right: ContextOperand,
    },
    #[error("invalid pair of context operands: ({left:?}, {right:?})")]
    InvalidContextOperands { left: ContextOperand, right: ContextOperand },
    #[error("invalid constraint term sequence")]
    InvalidTermSequence,
}

/// Given a [`ConstraintExpr`] and source and target [`SecurityContext`]s,
/// decode the constraint expression and evaluate it for the security contexts.
///
/// Assumes that the terms of the [`ConstraintExpr`] were sequenced in postfix
/// order by the policy compiler.
///
/// This implementation deliberately avoids shortcuts, since it is used to
/// validate that constraint expressions are well-formed as well as for
/// access decisions.
// TODO: https://fxbug.dev/372400976 - Consider optimizations if this is a
// performance bottleneck.
pub(super) fn evaluate_constraint<PS: ParseStrategy>(
    constraint_expr: &ConstraintExpr<PS>,
    source: &SecurityContext,
    target: &SecurityContext,
) -> Result<bool, ConstraintError> {
    let nodes = constraint_expr
        .constraint_terms()
        .iter()
        .map(|term| ConstraintNode::try_from_constraint_term(term, source, target))
        .collect::<Result<Vec<_>, _>>()?;
    let mut stack = Vec::new();
    for node in nodes.iter() {
        match node {
            ConstraintNode::Leaf(expr) => stack.push(expr.evaluate()?),
            ConstraintNode::Branch(op) => match op {
                BooleanOperator::Not => {
                    let arg = stack.last_mut().ok_or(ConstraintError::InvalidTermSequence)?;
                    *arg = !*arg;
                }
                BooleanOperator::And => {
                    let right = stack.pop().ok_or(ConstraintError::InvalidTermSequence)?;
                    let left = stack.last_mut().ok_or(ConstraintError::InvalidTermSequence)?;
                    *left = *left && right;
                }
                BooleanOperator::Or => {
                    let right = stack.pop().ok_or(ConstraintError::InvalidTermSequence)?;
                    let left = stack.last_mut().ok_or(ConstraintError::InvalidTermSequence)?;
                    *left = *left || right;
                }
            },
        }
    }
    let result = stack.pop().ok_or(ConstraintError::InvalidTermSequence)?;
    if !stack.is_empty() {
        return Err(ConstraintError::InvalidTermSequence);
    }
    Ok(result)
}

/// A node in the parse tree of a [`ConstraintExpr`].
#[derive(Debug, Eq, PartialEq)]
enum ConstraintNode {
    Branch(BooleanOperator),
    Leaf(ContextExpression),
}

impl ConstraintNode {
    fn try_from_constraint_term<PS: ParseStrategy>(
        value: &ConstraintTerm<PS>,
        source: &SecurityContext,
        target: &SecurityContext,
    ) -> Result<ConstraintNode, ConstraintError> {
        if let Ok(op) = BooleanOperator::try_from_constraint_term(value) {
            Ok(ConstraintNode::Branch(op))
        } else {
            Ok(ConstraintNode::Leaf(ContextExpression::try_from_constraint_term(
                value, source, target,
            )?))
        }
    }
}

/// A branch node in the parse tree of a [`ConstraintExpr`],
/// representing an operator on the boolean values of the subtree(s)
/// below that node.
#[derive(Debug, Eq, PartialEq)]
enum BooleanOperator {
    Not,
    And,
    Or,
}

impl BooleanOperator {
    fn try_from_constraint_term<PS: ParseStrategy>(
        value: &ConstraintTerm<PS>,
    ) -> Result<BooleanOperator, ConstraintError> {
        match value.constraint_term_type() {
            CONSTRAINT_TERM_TYPE_NOT_OPERATOR => Ok(BooleanOperator::Not),
            CONSTRAINT_TERM_TYPE_AND_OPERATOR => Ok(BooleanOperator::And),
            CONSTRAINT_TERM_TYPE_OR_OPERATOR => Ok(BooleanOperator::Or),
            _ => Err(ConstraintError::InvalidTermType { type_: value.constraint_term_type() }),
        }
    }
}

/// An operator on [`SecurityContext`] fields in a
/// [`ContextExpression`].
#[derive(Clone, Debug, Eq, PartialEq)]
pub(super) enum ContextOperator {
    Equal,        // `eq` or `==` in policy language
    NotEqual,     // `ne` or `!=` in policy language
    Dominates,    // `dom` in policy language
    DominatedBy,  // `domby` in policy language
    Incomparable, // `incomp` in policy language
}

/// An operand in a [`ContextExpression`].
#[derive(Clone, Debug, Eq, PartialEq)]
pub(super) enum ContextOperand {
    UserId(UserId),
    RoleId(RoleId),
    TypeId(TypeId),
    Level(SecurityLevel),
    UserIds(HashSet<UserId>),
    RoleIds(HashSet<RoleId>),
    TypeIds(HashSet<TypeId>),
}

/// A leaf node in the parse tree of a [`ConstraintExpr`]. Represents
/// a boolean expression in terms of source and target
/// [`SecurityContext`]s.
#[derive(Debug, Eq, PartialEq)]
struct ContextExpression {
    left: ContextOperand,
    right: ContextOperand,
    operator: ContextOperator,
}

impl ContextExpression {
    fn evaluate(&self) -> Result<bool, ConstraintError> {
        match (&self.left, &self.right) {
            (ContextOperand::UserId(_), ContextOperand::UserId(_))
            | (ContextOperand::RoleId(_), ContextOperand::RoleId(_))
            | (ContextOperand::TypeId(_), ContextOperand::TypeId(_)) => match self.operator {
                ContextOperator::Equal => Ok(self.left == self.right),
                ContextOperator::NotEqual => Ok(self.left != self.right),
                _ => Err(ConstraintError::InvalidContextOperatorForOperands {
                    operator: self.operator.clone(),
                    left: self.left.clone(),
                    right: self.right.clone(),
                }),
            },
            (ContextOperand::UserId(id), ContextOperand::UserIds(ids)) => match self.operator {
                ContextOperator::Equal => Ok(ids.contains(id)),
                ContextOperator::NotEqual => Ok(!ids.contains(id)),
                _ => Err(ConstraintError::InvalidContextOperatorForOperands {
                    operator: self.operator.clone(),
                    left: self.left.clone(),
                    right: self.right.clone(),
                }),
            },
            (ContextOperand::RoleId(id), ContextOperand::RoleIds(ids)) => match self.operator {
                ContextOperator::Equal => Ok(ids.contains(id)),
                ContextOperator::NotEqual => Ok(!ids.contains(id)),
                _ => Err(ConstraintError::InvalidContextOperatorForOperands {
                    operator: self.operator.clone(),
                    left: self.left.clone(),
                    right: self.right.clone(),
                }),
            },
            (ContextOperand::TypeId(id), ContextOperand::TypeIds(ids)) => match self.operator {
                ContextOperator::Equal => Ok(ids.contains(id)),
                ContextOperator::NotEqual => Ok(!ids.contains(id)),
                _ => Err(ConstraintError::InvalidContextOperatorForOperands {
                    operator: self.operator.clone(),
                    left: self.left.clone(),
                    right: self.right.clone(),
                }),
            },
            (ContextOperand::Level(left), ContextOperand::Level(right)) => match self.operator {
                ContextOperator::Equal => Ok(left.compare(right) == Some(Ordering::Equal)),
                ContextOperator::NotEqual => Ok(left.compare(right) != Some(Ordering::Equal)),
                ContextOperator::Dominates => Ok(left.dominates(right)),
                ContextOperator::DominatedBy => Ok(right.dominates(left)),
                ContextOperator::Incomparable => Ok(left.compare(right).is_none()),
            },
            _ => Err(ConstraintError::InvalidContextOperands {
                left: self.left.clone(),
                right: self.right.clone(),
            }),
        }
    }

    fn try_from_constraint_term<PS: ParseStrategy>(
        value: &ConstraintTerm<PS>,
        source: &SecurityContext,
        target: &SecurityContext,
    ) -> Result<ContextExpression, ConstraintError> {
        let (left, right) = match value.constraint_term_type() {
            CONSTRAINT_TERM_TYPE_EXPR => {
                ContextExpression::operands_from_expr(value.expr_operand_type(), source, target)
            }
            CONSTRAINT_TERM_TYPE_EXPR_WITH_NAMES => {
                if let Some(names) = value.names() {
                    ContextExpression::operands_from_expr_with_names(
                        value.expr_operand_type(),
                        names,
                        source,
                        target,
                    )
                } else {
                    Err(ConstraintError::MissingNames)
                }
            }
            _ => Err(ConstraintError::InvalidTermType { type_: value.constraint_term_type() }),
        }?;
        let operator = match value.expr_operator_type() {
            CONSTRAINT_EXPR_OPERATOR_TYPE_EQ => Ok(ContextOperator::Equal),
            CONSTRAINT_EXPR_OPERATOR_TYPE_NE => Ok(ContextOperator::NotEqual),
            CONSTRAINT_EXPR_OPERATOR_TYPE_DOM => Ok(ContextOperator::Dominates),
            CONSTRAINT_EXPR_OPERATOR_TYPE_DOMBY => Ok(ContextOperator::DominatedBy),
            CONSTRAINT_EXPR_OPERATOR_TYPE_INCOMP => Ok(ContextOperator::Incomparable),
            _ => Err(ConstraintError::InvalidContextOperatorType {
                type_: value.expr_operator_type(),
            }),
        }?;
        Ok(ContextExpression { left, right, operator })
    }

    fn operands_from_expr(
        operand_type: u32,
        source: &SecurityContext,
        target: &SecurityContext,
    ) -> Result<(ContextOperand, ContextOperand), ConstraintError> {
        match operand_type {
            CONSTRAINT_EXPR_OPERAND_TYPE_USER => {
                Ok((ContextOperand::UserId(source.user()), ContextOperand::UserId(target.user())))
            }
            CONSTRAINT_EXPR_OPERAND_TYPE_ROLE => {
                Ok((ContextOperand::RoleId(source.role()), ContextOperand::RoleId(target.role())))
            }
            CONSTRAINT_EXPR_OPERAND_TYPE_TYPE => {
                Ok((ContextOperand::TypeId(source.type_()), ContextOperand::TypeId(target.type_())))
            }
            CONSTRAINT_EXPR_OPERAND_TYPE_L1_L2 => Ok((
                ContextOperand::Level(source.low_level().clone()),
                ContextOperand::Level(target.low_level().clone()),
            )),
            CONSTRAINT_EXPR_OPERAND_TYPE_L1_H2 => Ok((
                ContextOperand::Level(source.low_level().clone()),
                ContextOperand::Level(target.effective_high_level().clone()),
            )),
            CONSTRAINT_EXPR_OPERAND_TYPE_H1_L2 => Ok((
                ContextOperand::Level(source.effective_high_level().clone()),
                ContextOperand::Level(target.low_level().clone()),
            )),
            CONSTRAINT_EXPR_OPERAND_TYPE_H1_H2 => Ok((
                ContextOperand::Level(source.effective_high_level().clone()),
                ContextOperand::Level(target.effective_high_level().clone()),
            )),
            CONSTRAINT_EXPR_OPERAND_TYPE_L1_H1 => Ok((
                ContextOperand::Level(source.low_level().clone()),
                ContextOperand::Level(source.effective_high_level().clone()),
            )),
            CONSTRAINT_EXPR_OPERAND_TYPE_L2_H2 => Ok((
                ContextOperand::Level(target.low_level().clone()),
                ContextOperand::Level(target.effective_high_level().clone()),
            )),
            _ => Err(ConstraintError::InvalidContextOperandType { type_: operand_type }),
        }
    }

    fn operands_from_expr_with_names<PS: ParseStrategy>(
        operand_type: u32,
        names: &ExtensibleBitmap<PS>,
        source: &SecurityContext,
        target: &SecurityContext,
    ) -> Result<(ContextOperand, ContextOperand), ConstraintError> {
        let ids = names
            .spans()
            .flat_map(|span| span.low..=span.high)
            .map(|i| NonZeroU32::new(i + 1).unwrap());

        let (left, right) =
            if operand_type & CONSTRAINT_EXPR_WITH_NAMES_OPERAND_TYPE_TARGET_MASK == 0 {
                match operand_type {
                    CONSTRAINT_EXPR_OPERAND_TYPE_USER => Ok((
                        ContextOperand::UserId(source.user()),
                        ContextOperand::UserIds(ids.map(|id| UserId(id)).collect()),
                    )),
                    CONSTRAINT_EXPR_OPERAND_TYPE_ROLE => Ok((
                        ContextOperand::RoleId(source.role()),
                        ContextOperand::RoleIds(ids.map(|id| RoleId(id)).collect()),
                    )),
                    CONSTRAINT_EXPR_OPERAND_TYPE_TYPE => Ok((
                        ContextOperand::TypeId(source.type_()),
                        ContextOperand::TypeIds(ids.map(|id| TypeId(id)).collect()),
                    )),
                    _ => Err(ConstraintError::InvalidContextWithNamesOperandType {
                        type_: operand_type,
                    }),
                }
            } else {
                match operand_type ^ CONSTRAINT_EXPR_WITH_NAMES_OPERAND_TYPE_TARGET_MASK {
                    CONSTRAINT_EXPR_OPERAND_TYPE_USER => Ok((
                        ContextOperand::UserId(target.user()),
                        ContextOperand::UserIds(ids.map(|id| UserId(id)).collect()),
                    )),
                    CONSTRAINT_EXPR_OPERAND_TYPE_ROLE => Ok((
                        ContextOperand::RoleId(target.role()),
                        ContextOperand::RoleIds(ids.map(|id| RoleId(id)).collect()),
                    )),
                    CONSTRAINT_EXPR_OPERAND_TYPE_TYPE => Ok((
                        ContextOperand::TypeId(target.type_()),
                        ContextOperand::TypeIds(ids.map(|id| TypeId(id)).collect()),
                    )),
                    _ => Err(ConstraintError::InvalidContextWithNamesOperandType {
                        type_: operand_type,
                    }),
                }
            }?;
        Ok((left, right))
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::policy::{find_class_by_name, parse_policy_by_reference};

    fn normalize_context_expr(expr: ContextExpression) -> ContextExpression {
        let (left, right) = match expr.operator {
            ContextOperator::Dominates | ContextOperator::DominatedBy => (expr.left, expr.right),
            ContextOperator::Equal | ContextOperator::NotEqual | ContextOperator::Incomparable => {
                match (&expr.left, &expr.right) {
                    (ContextOperand::UserId(left), ContextOperand::UserId(right)) => (
                        ContextOperand::UserId(std::cmp::min(*left, *right)),
                        ContextOperand::UserId(std::cmp::max(*left, *right)),
                    ),
                    (ContextOperand::TypeId(left), ContextOperand::TypeId(right)) => (
                        ContextOperand::TypeId(std::cmp::min(*left, *right)),
                        ContextOperand::TypeId(std::cmp::max(*left, *right)),
                    ),
                    (ContextOperand::RoleId(left), ContextOperand::RoleId(right)) => (
                        ContextOperand::RoleId(std::cmp::min(*left, *right)),
                        ContextOperand::RoleId(std::cmp::max(*left, *right)),
                    ),
                    _ => (expr.left, expr.right),
                }
            }
        };
        ContextExpression { operator: expr.operator, left, right }
    }

    fn normalize(expr: Vec<ConstraintNode>) -> Vec<ConstraintNode> {
        expr.into_iter()
            .map(|node| match node {
                ConstraintNode::Leaf(context_expr) => {
                    ConstraintNode::Leaf(normalize_context_expr(context_expr))
                }
                ConstraintNode::Branch(_) => node,
            })
            .collect()
    }

    #[test]
    fn decode_constraint_expr() {
        let policy_bytes = include_bytes!("../../testdata/micro_policies/constraints_policy.pp");
        let policy = parse_policy_by_reference(policy_bytes.as_slice())
            .expect("parse policy")
            .validate()
            .expect("validate policy");
        let parsed_policy = policy.0.parsed_policy();

        let source = policy
            .parse_security_context(b"user0:object_r:type0:s0-s0".into())
            .expect("valid source security context");
        let target = policy
            .parse_security_context(b"user1:object_r:security_t:s0:c0-s0:c0".into())
            .expect("valid target security context");

        let class = find_class_by_name(parsed_policy.classes(), "class_constraint_nested")
            .expect("look up class");
        let constraints = class.constraints();
        assert_eq!(constraints.len(), 1);
        let constraint = &constraints[0].constraint_expr();
        let result: Result<Vec<ConstraintNode>, ConstraintError> = constraint
            .constraint_terms()
            .iter()
            .map(|x| ConstraintNode::try_from_constraint_term(x, &source, &target))
            .collect();
        let constraint_nodes = normalize(result.expect("decode constraint terms"));
        let expected = vec![
            // ( u2 == { user0 user1 } )
            ConstraintNode::Leaf(ContextExpression {
                left: ContextOperand::UserId(UserId(NonZeroU32::new(2).unwrap())),
                right: ContextOperand::UserIds(HashSet::from([
                    UserId(NonZeroU32::new(1).unwrap()),
                    UserId(NonZeroU32::new(2).unwrap()),
                ])),
                operator: ContextOperator::Equal,
            }),
            // ( r1 == r2 )
            ConstraintNode::Leaf(ContextExpression {
                left: ContextOperand::RoleId(RoleId(NonZeroU32::new(1).unwrap())),
                right: ContextOperand::RoleId(RoleId(NonZeroU32::new(1).unwrap())),
                operator: ContextOperator::Equal,
            }),
            // ( (u2 == { user0 user1 }) and (r1 == r2) )
            ConstraintNode::Branch(BooleanOperator::And),
            // (u1 == u2)
            ConstraintNode::Leaf(ContextExpression {
                left: ContextOperand::UserId(UserId(NonZeroU32::new(1).unwrap())),
                right: ContextOperand::UserId(UserId(NonZeroU32::new(2).unwrap())),
                operator: ContextOperator::Equal,
            }),
            // (t1 == t2)
            ConstraintNode::Leaf(ContextExpression {
                left: ContextOperand::TypeId(TypeId(NonZeroU32::new(1).unwrap())),
                right: ContextOperand::TypeId(TypeId(NonZeroU32::new(2).unwrap())),
                operator: ContextOperator::Equal,
            }),
            // not (t1 == t2)
            ConstraintNode::Branch(BooleanOperator::Not),
            // (( u1 == u2 ) and ( not (t1 == t2)))
            ConstraintNode::Branch(BooleanOperator::And),
            // ( (u2 == { user0 user1 }) and (r1 == r2) ) or (( u1 == u2 ) and ( not (t1 == t2)))
            ConstraintNode::Branch(BooleanOperator::Or),
        ];

        assert_eq!(constraint_nodes, expected)
    }

    #[test]
    fn evaluate_constraint_expr() {
        let policy_bytes = include_bytes!("../../testdata/micro_policies/constraints_policy.pp");
        let policy = parse_policy_by_reference(policy_bytes.as_slice())
            .expect("parse policy")
            .validate()
            .expect("validate policy");
        let parsed_policy = policy.0.parsed_policy();

        let source = policy
            .parse_security_context(b"user0:object_r:type0:s0-s0".into())
            .expect("valid source security context");
        let target = policy
            .parse_security_context(b"user1:object_r:security_t:s0:c0-s0:c0".into())
            .expect("valid target security context");

        let class_constraint_eq =
            find_class_by_name(parsed_policy.classes(), "class_constraint_eq")
                .expect("look up class");
        let class_constraint_eq_constraints = class_constraint_eq.constraints();
        assert_eq!(class_constraint_eq_constraints.len(), 1);
        // ( u1 == u2 )
        let constraint_eq = &class_constraint_eq_constraints[0].constraint_expr();
        assert_eq!(
            evaluate_constraint(constraint_eq, &source, &target).expect("evaluate constraint"),
            false
        );

        let class_constraint_with_and =
            find_class_by_name(parsed_policy.classes(), "class_constraint_with_and")
                .expect("look up class");
        let class_constraint_with_and_constraints = class_constraint_with_and.constraints();
        assert_eq!(class_constraint_with_and_constraints.len(), 1);
        // ( ( u1 == u2 ) and ( t1 == t2 ) )
        let constraint_with_and = &class_constraint_with_and_constraints[0].constraint_expr();
        assert_eq!(
            evaluate_constraint(constraint_with_and, &source, &target)
                .expect("evaluate constraint"),
            false
        );

        let class_constraint_with_not =
            find_class_by_name(parsed_policy.classes(), "class_constraint_with_not")
                .expect("look up class");
        let class_constraint_with_not_constraints = class_constraint_with_not.constraints();
        assert_eq!(class_constraint_with_not_constraints.len(), 1);
        // ( not ( ( u1 == u2 ) and ( t1 == t2 ) )
        let constraint_with_not = &class_constraint_with_not_constraints[0].constraint_expr();
        assert_eq!(
            evaluate_constraint(constraint_with_not, &source, &target)
                .expect("evaluate constraint"),
            true
        );

        let class_constraint_with_names =
            find_class_by_name(parsed_policy.classes(), "class_constraint_with_names")
                .expect("look up class");
        let class_constraint_with_names_constraints = class_constraint_with_names.constraints();
        assert_eq!(class_constraint_with_names_constraints.len(), 1);
        // ( u1 != { user0 user1 })
        let constraint_with_names = &class_constraint_with_names_constraints[0].constraint_expr();
        assert_eq!(
            evaluate_constraint(constraint_with_names, &source, &target)
                .expect("evaluate constraint"),
            false
        );

        let class_constraint_nested =
            find_class_by_name(parsed_policy.classes(), "class_constraint_nested")
                .expect("look up class");
        let class_constraint_nested_constraints = class_constraint_nested.constraints();
        assert_eq!(class_constraint_nested_constraints.len(), 1);
        // ( ( ( u2 == { user0 user1} ) and ( r1 == r2 ) ) or ( ( u1 == u2 ) and ( not (t1 == t2 ) ) ) )
        let constraint_nested = &class_constraint_nested_constraints[0].constraint_expr();
        assert_eq!(
            evaluate_constraint(constraint_nested, &source, &target).expect("evaluate constraint"),
            true
        )
    }

    #[test]
    fn evaluate_mls_constraint_expr() {
        let policy_bytes = include_bytes!("../../testdata/micro_policies/constraints_policy.pp");
        let policy = parse_policy_by_reference(policy_bytes.as_slice())
            .expect("parse policy")
            .validate()
            .expect("validate policy");
        let parsed_policy = policy.0.parsed_policy();

        let source = policy
            .parse_security_context(b"user0:object_r:type0:s0-s0".into())
            .expect("valid source security context");
        let target = policy
            .parse_security_context(b"user1:object_r:security_t:s0:c0-s0:c0".into())
            .expect("valid target security context");

        let class = find_class_by_name(parsed_policy.classes(), "class_mls_constraints")
            .expect("look up class");
        let constraints = class.constraints();
        // Constraints appear in reverse order in parsed policy.
        let expected = vec![
            false, // l1 incomp h1
            false, // h1 incomp h2
            true,  // l1 domby h2
            false, // h1 dom l2
            false, // l2 != h2
            false, // l1 == l2
        ];
        for (i, constraint) in constraints.iter().enumerate() {
            assert_eq!(
                evaluate_constraint(constraint.constraint_expr(), &source, &target)
                    .expect("evaluate constraint",),
                expected[i],
                "constraint {}",
                i
            );
        }
    }
}