checkpolicy/tests: add test for splitting xperm rule

An extended permission rule statement might get split into multiple
access vector rules, due to size limitations.

Signed-off-by: Christian Göttsche <[email protected]>
Acked-by: James Carter <[email protected]>

checkpolicy/tests/policy_allonce.conf

@@ -36,7 +36,7 @@ allow TYPE1 self : CLASS1 { PERM1 };
 auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
 dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
 neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
-allowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x1;
+allowxperm TYPE1 TYPE2 : CLASS1 ioctl { 0x456-0x5678 };
 auditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2;
 dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
 neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;

checkpolicy/tests/policy_allonce.expected.conf

@@ -34,7 +34,9 @@ auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
 auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
 dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
 dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
-allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x456-0x4ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x500-0x55ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x5600-0x5678 };
 auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
 dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
 type_transition TYPE1 TYPE2:CLASS1 TYPE3;

checkpolicy/tests/policy_allonce.expected_opt.conf

@@ -34,7 +34,9 @@ auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
 auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
 dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
 dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
-allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x456-0x4ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x500-0x55ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x5600-0x5678 };
 auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
 dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
 type_transition TYPE1 TYPE2:CLASS1 TYPE3;