libsepol/tests: add tests for minus self neverallow rules
Signed-off-by: Christian Göttsche <[email protected]>
Showing
2 changed files
with
443 additions
and
0 deletions.
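--- a/libsepol/tests/policies/test-neverallow/policy_minus_self.conf
+++ b/libsepol/tests/policies/test-neverallow/policy_minus_self.conf
@@ -0,0 +1,369 @@
+class process
+class blk_file
+class chr_file
+class dir
+class fifo_file
+class file
+class lnk_file
+class sock_file
+
+class class5
+class class6
+class class7
+class class17
+
+sid kernel
+sid security
+sid unlabeled
+sid file
+sid port
+sid netif
+sid netmsg
+sid node
+sid devnull
+
+class process { dyntransition transition }
+class file { ioctl read write }
+
+class class5 { perm }
+class class6 { perm }
+class class7 { perm }
+class class17 { ioctl }
+
+ifdef(`enable_mls',`
+sensitivity s0;
+dominance { s0 }
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+
+level s0:c0.c23;
+
+mlsconstrain file { write } ( h1 dom h2 );
+')
+
+
+########################################
+#
+# Test start
+#
+########################################
+
+
+## Test 1 (single type)
+
+type test1_t;
+allow test1_t test1_t : file read;
+neverallow test1_t { test1_t -self } : file read; # nofail
+
+
+## Test 2 (single type)
+
+type test2_t;
+allow test2_t self : file read;
+neverallow test2_t { test1_t -self } : file read; # nofail
+
+## Test 3 (single type)
+
+type test3_1_t;
+type test3_2_t;
+allow test3_1_t test3_2_t : file read;
+neverallow test3_1_t { test3_2_t -self } : file read;
+
+
+## Test 4 (two types I)
+
+type test4_1_t;
+type test4_2_t;
+allow { test4_1_t test4_2_t } { test4_1_t test4_2_t } : file read;
+neverallow test4_1_t { test4_1_t test4_2_t -self } : file read;
+
+
+## Test 5 (two types II)
+
+type test5_1_t;
+type test5_2_t;
+allow { test5_1_t test5_2_t } { test5_1_t test5_2_t } : class5 perm;
+neverallow * { test5_1_t test5_2_t -self } : class5 perm;
+
+
+## Test 6 (two types III)
+
+type test6_1_t;
+type test6_2_t;
+allow { test6_1_t test6_2_t } { test6_1_t test6_2_t } : class6 perm;
+neverallow * { test6_2_t -self } : class6 perm;
+
+
+## Test 7 (two types IV)
+
+type test7_1_t;
+type test7_2_t;
+allow { test7_1_t test7_2_t } test7_2_t : class7 perm;
+neverallow * { test7_1_t -self } : class7 perm; # nofail
+
+
+## Test 8 (attribute violates type I)
+
+attribute test8_a;
+type test8_1_t, test8_a;
+type test8_2_t, test8_a;
+allow test8_a test8_a : file read;
+neverallow test8_1_t { test8_a -self } : file *;
+
+
+## Test 9 (attribute violates type II)
+
+attribute test9_a;
+type test9_1_t, test9_a;
+type test9_2_t, test9_a;
+allow test9_1_t test9_a : file read;
+neverallow test9_1_t { test9_a -self } : file *;
+
+
+## Test 10 (attribute violates type III)
+
+attribute test10_1_a;
+attribute test10_2_a;
+type test10_1_t, test10_1_a, test10_1_a;
+type test10_2_t, test10_1_a, test10_1_a;
+allow test10_1_a test10_1_a : file read;
+neverallow test10_1_t { test10_2_a -self } : file *;
+
+
+## Test 11 (attribute violates attribute I)
+
+attribute test11_1_a;
+attribute test11_2_a;
+type test11_1_t, test11_1_a, test11_2_a;
+type test11_2_t, test11_1_a, test11_2_a;
+allow test11_1_t self : file read;
+allow test11_2_t test11_2_t : file read;
+neverallow test11_1_a { test11_2_a -self } : file *; # nofail
+
+
+## Test 12 (attribute violates attribute II)
+
+attribute test12_a;
+type test12_1_t, test12_a;
+type test12_2_t, test12_a;
+allow test12_1_t test12_2_t : file read;
+neverallow test12_a { test12_a -self } : file *;
+
+
+## Test 13 (attribute violates attribute III)
+
+attribute test13_a;
+type test13_1_t, test13_a;
+type test13_2_t, test13_a;
+allow test13_1_t test13_a : file read;
+neverallow test13_a { test13_a -self } : file *;
+
+
+## Test 14 (attribute violates attribute IV)
+
+attribute test14_a;
+type test14_1_t, test14_a;
+type test14_2_t, test14_a;
+allow test14_a test14_a : file read;
+neverallow test14_a { test14_a -self } : file *;
+
+
+# ## Test 15 (attribute violates attribute V)
+
+attribute test13_1_a;
+attribute test13_2_a;
+type test13_t, test13_1_a, test13_2_a;
+allow test13_1_a test13_2_a : file read;
+neverallow test13_a { test13_2_a -self } : file *;
+
+
+## Test 16 (types violate attribute)
+
+attribute test16_a;
+type test16_1_t, test16_a;
+type test16_2_t, test16_a;
+allow { test16_1_t test16_2_t } { test16_1_t test16_2_t } : file read;
+neverallow test16_a { test16_a -self } : file ~write;
+
+
+## Test 17 (extended permissions I)
+
+type test17_1_t;
+type test17_2_t;
+allow { test17_1_t test17_2_t } { test17_1_t test17_2_t } : class17 ioctl;
+neverallowxperm ~test17_2_t { test17_1_t test17_2_t -self } : class17 ioctl 0x1111;
+
+
+## Test 18 (extended permissions II)
+
+type test18_1_t;
+type test18_2_t;
+allow { test18_1_t test18_2_t } { test18_1_t test18_2_t } : file ioctl;
+allowxperm { test18_1_t test18_2_t } { test18_1_t test18_2_t } : file ioctl 0x1111;
+neverallowxperm { test18_1_t test18_2_t } { test18_1_t test18_2_t -self } : file ioctl 0x2222; # nofail
+
+
+## Test 19 (extended permissions III)
+
+type test19_1_t;
+type test19_2_t;
+allow { test19_1_t test19_2_t } { test19_1_t test19_2_t } : file ioctl;
+allowxperm { test19_1_t test19_2_t } { test19_1_t test19_2_t } : file ioctl { 0x0100 - 0x0102 };
+neverallowxperm test19_2_t { test19_1_t test19_2_t -self } : file ioctl { 0x0101 - 0x0104 };
+
+
+## Test 20 (extended permissions IV)
+
+type test20_1_t;
+type test20_2_t;
+allow { test20_1_t test20_2_t } { test20_1_t test20_2_t } : file ioctl;
+allowxperm test20_1_t test20_1_t : file ioctl 0x0101;
+allowxperm test20_1_t test20_2_t : file ioctl 0x0102;
+allowxperm test20_2_t test20_1_t : file ioctl 0x0103;
+allowxperm test20_2_t test20_2_t : file ioctl 0x0104;
+neverallowxperm { test20_1_t test20_2_t } { test20_1_t test20_2_t -self } : file ioctl { 0x0000 - 0x9000 };
+
+
+## Test 21 (extended permissions V)
+
+attribute test21_a;
+type test21_1_t, test21_a;
+type test21_2_t, test21_a;
+allow test21_a test21_a : file ioctl;
+allowxperm test21_a test21_a : file ioctl 0x9501;
+neverallowxperm test21_1_t { test21_a -self } : file ioctl 0x9511; # nofail
+
+
+## Test 22 (extended permissions VI)
+
+type test22_t;
+allow test22_t self : file ioctl;
+allowxperm test22_t self : file ioctl 0x9501;
+allowxperm test22_t self : file ioctl 0x9511;
+neverallowxperm test22_t { test22_t -self } : file ioctl 0x9511; # nofail
+
+
+## Test 23 (extended permissions VII)
+
+attribute test23_a;
+type test23_1_t, test23_a;
+type test23_2_t, test23_a;
+allow test23_a test23_a : file ioctl;
+allowxperm test23_a test23_a : file ioctl 0x9501;
+allowxperm test23_1_t test23_2_t : file ioctl 0x9511;
+neverallowxperm test23_1_t { test23_a -self } : file ioctl 0x9511;
+
+
+## Test 24 (extended permissions VII)
+
+attribute test24_a;
+type test24_1_t, test24_a;
+type test24_2_t, test24_a;
+allow test24_a test24_a : file ioctl;
+allowxperm test24_a test24_a : file ioctl 0x9501;
+allowxperm test24_1_t test24_a : file ioctl 0x9511;
+neverallowxperm test24_1_t { test24_a -self } : file ioctl 0x9511;
+
+
+## Test 25 (extended permissions IX)
+
+attribute test25_a;
+type test25_1_t, test25_a;
+type test25_2_t, test25_a;
+allow test25_a test25_a : file ioctl;
+allowxperm test25_a test25_a : file ioctl 0x9501;
+allowxperm test25_a test25_a : file ioctl 0x9511;
+neverallowxperm test25_1_t { test25_a -self } : file ioctl 0x9511;
+
+
+## Test 26 (extended permissions X)
+
+attribute test26_1_a;
+attribute test26_2_a;
+type test26_1_t, test26_1_a, test26_2_a;
+type test26_2_t, test26_1_a, test26_2_a;
+allow { test26_1_a test26_2_a } { test26_1_a test26_2_a } : file ioctl;
+allowxperm { test26_1_a test26_2_a } { test26_1_a test26_2_a } : file ioctl 0x9501;
+allowxperm test26_1_a test26_2_a : file ioctl 0x9511;
+neverallowxperm test26_1_t { test26_2_a -self } : file ioctl 0x9511;
+
+
+# ## Test 27 (extended permissions attribute violation I)
+
+attribute test27_a;
+type test27_1_t, test27_a;
+type test27_2_t, test27_a;
+allow test27_a test27_a : file ioctl;
+allowxperm test27_a test27_a : file ioctl 0x9501;
+allowxperm test27_1_t self : file ioctl 0x9521;
+allowxperm test27_2_t test27_2_t : file ioctl 0x9521;
+neverallowxperm test27_a { test27_a -self } : file ioctl 0x9521; # nofail
+
+
+# ## Test 28 (extended permissions attribute violation II)
+
+attribute test28_a;
+type test28_1_t, test28_a;
+type test28_2_t, test28_a;
+allow test28_a test28_a : file ioctl;
+allowxperm test28_1_t test28_2_t : file ioctl 0x9521;
+neverallowxperm test28_a { test28_a -self } : file ioctl 0x9521;
+
+
+## Test 29 (extended permissions attribute violation III)
+
+attribute test29_a;
+type test29_1_t, test29_a;
+type test29_2_t, test29_a;
+allow test29_a test29_a : file ioctl;
+allowxperm test29_1_t test29_a : file ioctl 0x9521;
+neverallowxperm test29_a { test29_a -self } : file ioctl 0x9521;
+
+
+## Test 30 (extended permissions attribute violation IV)
+
+attribute test30_a;
+type test30_1_t, test30_a;
+type test30_2_t, test30_a;
+allow test30_a test30_a : file ioctl;
+allowxperm test30_a test30_a : file ioctl 0x9521;
+neverallowxperm test30_a { test30_a -self } : file ioctl 0x9521;
+
+
+## Test 31 (extended permissions attribute violation V)
+
+attribute test31_1_a;
+attribute test31_2_a;
+type test31_1_t, test31_1_a, test31_2_a;
+type test31_2_t, test31_1_a, test31_2_a;
+allow test31_1_a test31_1_a : file ioctl;
+allowxperm test31_1_a test31_2_a : file ioctl 0x9521;
+neverallowxperm test31_1_a { test31_2_a -self } : file ioctl 0x9521;
+
+
+########################################
+#
+# Test End
+#
+########################################
+
+
+type sys_isid;
+role sys_role;
+role sys_role types sys_isid;
+gen_user(sys_user,, sys_role, s0, s0 - s0:c0.c23)
+sid kernel gen_context(sys_user:sys_role:sys_isid, s0)
+sid security gen_context(sys_user:sys_role:sys_isid, s0)
+sid unlabeled gen_context(sys_user:sys_role:sys_isid, s0)
+sid file gen_context(sys_user:sys_role:sys_isid, s0)
+sid port gen_context(sys_user:sys_role:sys_isid, s0)
+sid netif gen_context(sys_user:sys_role:sys_isid, s0)
+sid netmsg gen_context(sys_user:sys_role:sys_isid, s0)
+sid node gen_context(sys_user:sys_role:sys_isid, s0)
+sid devnull gen_context(sys_user:sys_role:sys_isid, s0)
+fs_use_trans devpts gen_context(sys_user:sys_role:sys_isid, s0);
+fs_use_trans devtmpfs gen_context(sys_user:sys_role:sys_isid, s0);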
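Review bot: In Test 10 both type declarations list `test10_1_a` twice and never attach `test10_2_a` to any type, so the target set `{ test10_2_a -self }` of the neverallow is empty and the rule cannot detect the "attribute violates type" case its header names (unless checkpolicy rejects the duplicated attribute first, which would fail the whole fixture rather than this one test); the intended lines are presumably `type test10_1_t, test10_1_a, test10_2_a;` and `type test10_2_t, test10_1_a, test10_2_a;`. Test 15 has a similar copy-paste shape: it declares `test13_1_a`, `test13_2_a` and `test13_t`, and the neverallow's source `test13_a` is the attribute from Test 13, so the two cases are coupled and one cannot be changed without affecting the other; renaming them to `test15_*` would keep each case self-contained. The `# ##` headers on Tests 15, 27 and 28 read as commented-out while every other case uses `##`, and Test 24 repeats the numeral VII from Test 23, which makes the expected-failure list harder to cross-check against the test driver.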