mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-22 05:59:58 +00:00
libsepol/tests: add cond xperm neverallow tests
Add some tests to verify assertion checking works for extended permissions in conditional policies. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
parent
c8f9dff384
commit
77da320e29
@ -53,6 +53,7 @@ int test_load_policy(policydb_t * p, int policy_type, int mls, const char *test_
|
||||
|
||||
p->policy_type = policy_type;
|
||||
p->mls = mls;
|
||||
p->policyvers = MOD_POLICYDB_VERSION_MAX;
|
||||
|
||||
if (read_source_policy(p, filename, test_name)) {
|
||||
fprintf(stderr, "failed to read policy %s\n", filename);
|
||||
|
251
libsepol/tests/policies/test-neverallow/policy_cond.conf
Normal file
251
libsepol/tests/policies/test-neverallow/policy_cond.conf
Normal file
@ -0,0 +1,251 @@
|
||||
class process
|
||||
class blk_file
|
||||
class chr_file
|
||||
class dir
|
||||
class fifo_file
|
||||
class file
|
||||
class lnk_file
|
||||
class sock_file
|
||||
|
||||
sid kernel
|
||||
sid security
|
||||
sid unlabeled
|
||||
sid file
|
||||
sid port
|
||||
sid netif
|
||||
sid netmsg
|
||||
sid node
|
||||
sid devnull
|
||||
|
||||
class process { dyntransition transition }
|
||||
class file { getattr ioctl open read write }
|
||||
|
||||
bool boolean1 false;
|
||||
bool boolean2 true;
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
sensitivity s0;
|
||||
dominance { s0 }
|
||||
category c0; category c1; category c2; category c3;
|
||||
category c4; category c5; category c6; category c7;
|
||||
category c8; category c9; category c10; category c11;
|
||||
category c12; category c13; category c14; category c15;
|
||||
category c16; category c17; category c18; category c19;
|
||||
category c20; category c21; category c22; category c23;
|
||||
|
||||
level s0:c0.c23;
|
||||
|
||||
mlsconstrain file { write } ( h1 dom h2 );
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# Test start
|
||||
#
|
||||
########################################
|
||||
|
||||
|
||||
## Test 1 (basic - fail)
|
||||
|
||||
type test1_t;
|
||||
if boolean1 {
|
||||
allow test1_t self : file read;
|
||||
}
|
||||
neverallow test1_t * : file *;
|
||||
|
||||
|
||||
## Test 2 (basic - fail)
|
||||
|
||||
attribute test2_a;
|
||||
type test2_1_t, test2_a;
|
||||
type test2_2_t;
|
||||
if !boolean1 {
|
||||
allow test2_1_t test2_1_t : file write;
|
||||
allow test2_2_t test2_2_t : file write;
|
||||
}
|
||||
neverallow test2_a * : file *;
|
||||
|
||||
|
||||
## Test 3 (xperm - no xperm in one branch - fail)
|
||||
|
||||
type test3_t;
|
||||
if boolean1 {
|
||||
allow test3_t self : file ioctl;
|
||||
} else {
|
||||
allowxperm test3_t self : file ioctl 0x1;
|
||||
}
|
||||
neverallowxperm test3_t self : file ioctl 0x4;
|
||||
|
||||
|
||||
## Test 4 (xperm - xperm in neither branch - fail)
|
||||
|
||||
type test4_t;
|
||||
allow test4_t self : file ioctl;
|
||||
if boolean1 {
|
||||
allow test4_t self : file read;
|
||||
} else {
|
||||
allow test4_t self : file write;
|
||||
}
|
||||
neverallowxperm test4_t self : file ioctl 0x4;
|
||||
|
||||
|
||||
## Test 5 (xperm - xperm in both branches - no failure)
|
||||
|
||||
type test5_t;
|
||||
allow test5_t self : file ioctl;
|
||||
if boolean1 {
|
||||
allowxperm test5_t self : file ioctl 0x1;
|
||||
} else {
|
||||
allowxperm test5_t self : file ioctl 0x2;
|
||||
}
|
||||
neverallowxperm test5_t self : file ioctl 0x4; # nofail
|
||||
|
||||
|
||||
## Test 6 (xperm - failure in one branch - fail)
|
||||
|
||||
type test6_t;
|
||||
if boolean1 {
|
||||
allow test6_t self : file ioctl;
|
||||
allowxperm test6_t self : file ioctl 0x1;
|
||||
} else {
|
||||
allow test6_t self : file write;
|
||||
}
|
||||
neverallowxperm test6_t self : file ioctl 0x1;
|
||||
|
||||
|
||||
## Test 7 (xperm - failure in both branches - fail)
|
||||
|
||||
type test7_t;
|
||||
if boolean1 {
|
||||
allow test7_t self : file ioctl;
|
||||
allowxperm test7_t self : file ioctl 0x1;
|
||||
} else {
|
||||
allow test7_t self : file ioctl;
|
||||
allowxperm test7_t self : file ioctl 0x2;
|
||||
}
|
||||
neverallowxperm test7_t self : file ioctl { 0x1-0x2 };
|
||||
|
||||
|
||||
## Test 8 (xperm - different xperm in both branches - no failure)
|
||||
|
||||
type test8_t;
|
||||
allow test8_t self : file ioctl;
|
||||
if boolean1 {
|
||||
allowxperm test8_t self : file ioctl 0x1;
|
||||
} else {
|
||||
allowxperm test8_t self : file ioctl 0x2;
|
||||
}
|
||||
neverallowxperm test8_t self : file ioctl 0x3; # nofail
|
||||
|
||||
|
||||
## Test 9 (xperm - rules split into two booleans - no failure)
|
||||
|
||||
type test9_t;
|
||||
allow test9_t self : file ioctl;
|
||||
if boolean1 {
|
||||
allowxperm test9_t self : file ioctl 0x1;
|
||||
}
|
||||
if !boolean2 {
|
||||
allowxperm test9_t self : file ioctl 0x1;
|
||||
}
|
||||
neverallowxperm test9_t self : file ioctl 0x4;
|
||||
|
||||
|
||||
## Test 10 (xperm - valid usage in one branch - no failure)
|
||||
|
||||
type test10_t;
|
||||
if boolean1 {
|
||||
allow test10_t self : file ioctl;
|
||||
allowxperm test10_t self : file ioctl 0x1;
|
||||
} else {
|
||||
allow test10_t self : file write;
|
||||
}
|
||||
neverallowxperm test10_t self : file ioctl 0x2; # nofail
|
||||
|
||||
|
||||
## Test 11 (xperm - valid usage in both branches - no failure)
|
||||
|
||||
type test11_t;
|
||||
if boolean1 {
|
||||
allow test11_t self : file ioctl;
|
||||
allowxperm test11_t self : file ioctl 0x1;
|
||||
} else {
|
||||
allow test11_t self : file ioctl;
|
||||
allowxperm test11_t self : file ioctl 0x2;
|
||||
}
|
||||
neverallowxperm test11_t self : file ioctl 0x3; # nofail
|
||||
|
||||
|
||||
## Test 12 (xperm - base allow in one branch - fail)
|
||||
|
||||
type test12_t;
|
||||
if boolean1 {
|
||||
allow test12_t self : file ioctl;
|
||||
} else {
|
||||
allow test12_t self : file write;
|
||||
}
|
||||
neverallowxperm test12_t self : file ioctl 0x1;
|
||||
|
||||
|
||||
## Test 13 (xperm - invalid second branch - fail)
|
||||
|
||||
type test13_t;
|
||||
allow test13_t self : file ioctl;
|
||||
if boolean1 {
|
||||
allow test13_t self : file ioctl;
|
||||
allowxperm test13_t self : file ioctl 0x1;
|
||||
} else {
|
||||
allow test13_t self : file write;
|
||||
}
|
||||
neverallowxperm test13_t self : file ioctl 0x1;
|
||||
|
||||
|
||||
## Test 14 (xperm - invalid second branch - fail)
|
||||
|
||||
type test14_t;
|
||||
allow test14_t self : file ioctl;
|
||||
if boolean1 {
|
||||
allow test14_t self : file ioctl;
|
||||
allowxperm test14_t self : file ioctl 0x1;
|
||||
} else {
|
||||
allow test14_t self : file write;
|
||||
}
|
||||
neverallowxperm test14_t self : file ioctl 0x2;
|
||||
|
||||
|
||||
## Test 15 (xperm - base uncond in one branch - fail)
|
||||
|
||||
type test15_t;
|
||||
allow test15_t self : file ioctl;
|
||||
allowxperm test15_t self : file ioctl 0x1;
|
||||
if boolean1 {
|
||||
allow test15_t self : file ioctl;
|
||||
} else {
|
||||
allow test15_t self : file write;
|
||||
}
|
||||
neverallowxperm test15_t self : file ioctl 0x2;
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# Test End
|
||||
#
|
||||
########################################
|
||||
|
||||
|
||||
type sys_isid;
|
||||
role sys_role;
|
||||
role sys_role types sys_isid;
|
||||
gen_user(sys_user,, sys_role, s0, s0 - s0:c0.c23)
|
||||
sid kernel gen_context(sys_user:sys_role:sys_isid, s0)
|
||||
sid security gen_context(sys_user:sys_role:sys_isid, s0)
|
||||
sid unlabeled gen_context(sys_user:sys_role:sys_isid, s0)
|
||||
sid file gen_context(sys_user:sys_role:sys_isid, s0)
|
||||
sid port gen_context(sys_user:sys_role:sys_isid, s0)
|
||||
sid netif gen_context(sys_user:sys_role:sys_isid, s0)
|
||||
sid netmsg gen_context(sys_user:sys_role:sys_isid, s0)
|
||||
sid node gen_context(sys_user:sys_role:sys_isid, s0)
|
||||
sid devnull gen_context(sys_user:sys_role:sys_isid, s0)
|
||||
fs_use_trans devpts gen_context(sys_user:sys_role:sys_isid, s0);
|
||||
fs_use_trans devtmpfs gen_context(sys_user:sys_role:sys_isid, s0);
|
@ -293,6 +293,58 @@ static void test_neverallow_not_self(void)
|
||||
policydb_destroy(&base_expanded);
|
||||
}
|
||||
|
||||
static void test_neverallow_cond(void)
|
||||
{
|
||||
policydb_t basemod, base_expanded;
|
||||
sepol_handle_t *handle;
|
||||
static const char *const expected_messages[] = {
|
||||
"16 neverallow failures occurred",
|
||||
"neverallow on line 58 of policies/test-neverallow/policy_cond.conf.std (or line 58 of policies/test-neverallow/policy_cond.conf.std) violated by allow test1_t test1_t:file { read };",
|
||||
"neverallow on line 70 of policies/test-neverallow/policy_cond.conf.std (or line 70 of policies/test-neverallow/policy_cond.conf.std) violated by allow test2_1_t test2_1_t:file { write };",
|
||||
"neverallowxperm on line 81 of policies/test-neverallow/policy_cond.conf.std (or line 81 of policies/test-neverallow/policy_cond.conf.std) violated by\n allow test3_t test3_t:file { ioctl };",
|
||||
"neverallowxperm on line 93 of policies/test-neverallow/policy_cond.conf.std (or line 93 of policies/test-neverallow/policy_cond.conf.std) violated by\n allow test4_t test4_t:file { ioctl };",
|
||||
"neverallowxperm on line 117 of policies/test-neverallow/policy_cond.conf.std (or line 117 of policies/test-neverallow/policy_cond.conf.std) violated by\n allowxperm test6_t test6_t:file ioctl { 0x1 };",
|
||||
"neverallowxperm on line 130 of policies/test-neverallow/policy_cond.conf.std (or line 130 of policies/test-neverallow/policy_cond.conf.std) violated by\n allowxperm test7_t test7_t:file ioctl { 0x2 };",
|
||||
"neverallowxperm on line 130 of policies/test-neverallow/policy_cond.conf.std (or line 130 of policies/test-neverallow/policy_cond.conf.std) violated by\n allowxperm test7_t test7_t:file ioctl { 0x1 };",
|
||||
"neverallowxperm on line 130 of policies/test-neverallow/policy_cond.conf.std (or line 130 of policies/test-neverallow/policy_cond.conf.std) violated by\n allowxperm test7_t test7_t:file ioctl { 0x2 };",
|
||||
"neverallowxperm on line 130 of policies/test-neverallow/policy_cond.conf.std (or line 130 of policies/test-neverallow/policy_cond.conf.std) violated by\n allowxperm test7_t test7_t:file ioctl { 0x1 };",
|
||||
"neverallowxperm on line 155 of policies/test-neverallow/policy_cond.conf.std (or line 155 of policies/test-neverallow/policy_cond.conf.std) violated by\n allow test9_t test9_t:file { ioctl };",
|
||||
"neverallowxperm on line 191 of policies/test-neverallow/policy_cond.conf.std (or line 191 of policies/test-neverallow/policy_cond.conf.std) violated by\n allow test12_t test12_t:file { ioctl };",
|
||||
"neverallowxperm on line 204 of policies/test-neverallow/policy_cond.conf.std (or line 204 of policies/test-neverallow/policy_cond.conf.std) violated by\n allowxperm test13_t test13_t:file ioctl { 0x1 };",
|
||||
"neverallowxperm on line 204 of policies/test-neverallow/policy_cond.conf.std (or line 204 of policies/test-neverallow/policy_cond.conf.std) violated by\n allow test13_t test13_t:file { ioctl };",
|
||||
"neverallowxperm on line 204 of policies/test-neverallow/policy_cond.conf.std (or line 204 of policies/test-neverallow/policy_cond.conf.std) violated by\n allowxperm test13_t test13_t:file ioctl { 0x1 };",
|
||||
"neverallowxperm on line 217 of policies/test-neverallow/policy_cond.conf.std (or line 217 of policies/test-neverallow/policy_cond.conf.std) violated by\n allow test14_t test14_t:file { ioctl };",
|
||||
"neverallowxperm on line 230 of policies/test-neverallow/policy_cond.conf.std (or line 230 of policies/test-neverallow/policy_cond.conf.std) violated by\n allow test15_t test15_t:file { ioctl };",
|
||||
};
|
||||
|
||||
if (policydb_init(&base_expanded))
|
||||
CU_FAIL_FATAL("Failed to initialize policy");
|
||||
|
||||
if (test_load_policy(&basemod, POLICY_BASE, mls, "test-neverallow", "policy_cond.conf"))
|
||||
CU_FAIL_FATAL("Failed to load policy");
|
||||
|
||||
if (link_modules(NULL, &basemod, NULL, 0, 0))
|
||||
CU_FAIL_FATAL("Failed to link base module");
|
||||
|
||||
if (expand_module(NULL, &basemod, &base_expanded, 0, 0))
|
||||
CU_FAIL_FATAL("Failed to expand policy");
|
||||
|
||||
if ((handle = sepol_handle_create()) == NULL)
|
||||
CU_FAIL_FATAL("Failed to initialize handle");
|
||||
|
||||
sepol_msg_set_callback(handle, msg_handler, NULL);
|
||||
|
||||
if (check_assertions(handle, &base_expanded, base_expanded.global->branch_list->avrules) != -1)
|
||||
CU_FAIL("Assertions did not trigger");
|
||||
|
||||
messages_check(ARRAY_SIZE(expected_messages), expected_messages);
|
||||
|
||||
sepol_handle_destroy(handle);
|
||||
messages_clean();
|
||||
policydb_destroy(&basemod);
|
||||
policydb_destroy(&base_expanded);
|
||||
}
|
||||
|
||||
int neverallow_add_tests(CU_pSuite suite)
|
||||
{
|
||||
/*
|
||||
@ -317,5 +369,10 @@ int neverallow_add_tests(CU_pSuite suite)
|
||||
return CU_get_error();
|
||||
}
|
||||
|
||||
if (NULL == CU_add_test(suite, "neverallow_cond", test_neverallow_cond)) {
|
||||
CU_cleanup_registry();
|
||||
return CU_get_error();
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user