3 |
* |
* |
4 |
* Testing program for fs/tomoyo_file.c |
* Testing program for fs/tomoyo_file.c |
5 |
* |
* |
6 |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
* Copyright (C) 2005-2009 NTT DATA CORPORATION |
7 |
* |
* |
8 |
* Version: 1.6.6-pre 2008/12/22 |
* Version: 1.6.7+ 2009/04/08 |
9 |
* |
* |
10 |
*/ |
*/ |
11 |
#include "include.h" |
#include "include.h" |
14 |
static int exception_fd = EOF; |
static int exception_fd = EOF; |
15 |
static const char *policy = ""; |
static const char *policy = ""; |
16 |
static char self_domain[4096] = ""; |
static char self_domain[4096] = ""; |
17 |
|
static _Bool has_cond = 1; |
18 |
|
|
19 |
static int write_policy(void) |
static int write_policy(void) |
20 |
{ |
{ |
131 |
char *filename = ""; |
char *filename = ""; |
132 |
policy = "allow_read /proc/sys/net/ipv4/ip_local_port_range " |
policy = "allow_read /proc/sys/net/ipv4/ip_local_port_range " |
133 |
"if task.uid=0 task.gid=0"; |
"if task.uid=0 task.gid=0"; |
134 |
|
if (!has_cond) |
135 |
|
policy = "allow_read /proc/sys/net/ipv4/ip_local_port_range"; |
136 |
if (write_policy()) { |
if (write_policy()) { |
137 |
static int name[] = { CTL_NET, NET_IPV4, |
static int name[] = { CTL_NET, NET_IPV4, |
138 |
NET_IPV4_LOCAL_PORT_RANGE }; |
NET_IPV4_LOCAL_PORT_RANGE }; |
144 |
} |
} |
145 |
policy = "allow_write /proc/sys/net/ipv4/ip_local_port_range " |
policy = "allow_write /proc/sys/net/ipv4/ip_local_port_range " |
146 |
"if task.euid=0 0=0 1-100=10-1000"; |
"if task.euid=0 0=0 1-100=10-1000"; |
147 |
|
if (!has_cond) |
148 |
|
policy = "allow_write /proc/sys/net/ipv4/ip_local_port_range"; |
149 |
if (write_policy()) { |
if (write_policy()) { |
150 |
static int name[] = { CTL_NET, NET_IPV4, |
static int name[] = { CTL_NET, NET_IPV4, |
151 |
NET_IPV4_LOCAL_PORT_RANGE }; |
NET_IPV4_LOCAL_PORT_RANGE }; |
157 |
} |
} |
158 |
policy = "allow_read/write /proc/sys/net/ipv4/ip_local_port_range " |
policy = "allow_read/write /proc/sys/net/ipv4/ip_local_port_range " |
159 |
"if 1!=10-100"; |
"if 1!=10-100"; |
160 |
|
if (!has_cond) |
161 |
|
policy = "allow_read/write /proc/sys/net/ipv4/ip_local_port_range"; |
162 |
if (write_policy()) { |
if (write_policy()) { |
163 |
static int name[] = { CTL_NET, NET_IPV4, |
static int name[] = { CTL_NET, NET_IPV4, |
164 |
NET_IPV4_LOCAL_PORT_RANGE }; |
NET_IPV4_LOCAL_PORT_RANGE }; |
171 |
|
|
172 |
policy = "allow_read /bin/true " |
policy = "allow_read /bin/true " |
173 |
"if path1.uid=0 path1.parent.uid=0 10=10-100"; |
"if path1.uid=0 path1.parent.uid=0 10=10-100"; |
174 |
|
if (!has_cond) |
175 |
|
policy = "allow_read /bin/true"; |
176 |
if (write_policy()) { |
if (write_policy()) { |
177 |
show_result(uselib("/bin/true"), 1); |
show_result(uselib("/bin/true"), 1); |
178 |
delete_policy(); |
delete_policy(); |
180 |
} |
} |
181 |
|
|
182 |
policy = "allow_execute /bin/true if task.uid!=10 path1.parent.uid=0"; |
policy = "allow_execute /bin/true if task.uid!=10 path1.parent.uid=0"; |
183 |
|
if (!has_cond) |
184 |
|
policy = "allow_execute /bin/true"; |
185 |
if (write_policy()) { |
if (write_policy()) { |
186 |
int pipe_fd[2] = { EOF, EOF }; |
int pipe_fd[2] = { EOF, EOF }; |
187 |
int err = 0; |
int err = 0; |
220 |
|
|
221 |
policy = "allow_read /dev/null if path1.type=char path1.dev_major=1 " |
policy = "allow_read /dev/null if path1.type=char path1.dev_major=1 " |
222 |
"path1.dev_minor=3"; |
"path1.dev_minor=3"; |
223 |
|
if (!has_cond) |
224 |
|
policy = "allow_read /dev/null"; |
225 |
if (write_policy()) { |
if (write_policy()) { |
226 |
int fd = open("/dev/null", O_RDONLY); |
int fd = open("/dev/null", O_RDONLY); |
227 |
show_result(fd, 1); |
show_result(fd, 1); |
235 |
} |
} |
236 |
|
|
237 |
policy = "allow_read /dev/null if path1.perm=0666"; |
policy = "allow_read /dev/null if path1.perm=0666"; |
238 |
|
if (!has_cond) |
239 |
|
policy = "allow_read /dev/null"; |
240 |
if (write_policy()) { |
if (write_policy()) { |
241 |
int fd = open("/dev/null", O_RDONLY); |
int fd = open("/dev/null", O_RDONLY); |
242 |
show_result(fd, 1); |
show_result(fd, 1); |
250 |
} |
} |
251 |
|
|
252 |
policy = "allow_read /dev/null if path1.perm!=0777"; |
policy = "allow_read /dev/null if path1.perm!=0777"; |
253 |
|
if (!has_cond) |
254 |
|
policy = "allow_read /dev/null"; |
255 |
if (write_policy()) { |
if (write_policy()) { |
256 |
int fd = open("/dev/null", O_RDONLY); |
int fd = open("/dev/null", O_RDONLY); |
257 |
show_result(fd, 1); |
show_result(fd, 1); |
270 |
"path1.perm!=group_execute path1.perm=others_read " |
"path1.perm!=group_execute path1.perm=others_read " |
271 |
"path1.perm=others_write path1.perm!=others_execute " |
"path1.perm=others_write path1.perm!=others_execute " |
272 |
"path1.perm!=setuid path1.perm!=setgid path1.perm!=sticky"; |
"path1.perm!=setuid path1.perm!=setgid path1.perm!=sticky"; |
273 |
|
if (!has_cond) |
274 |
|
policy = "allow_read /dev/null"; |
275 |
if (write_policy()) { |
if (write_policy()) { |
276 |
int fd = open("/dev/null", O_RDONLY); |
int fd = open("/dev/null", O_RDONLY); |
277 |
show_result(fd, 1); |
show_result(fd, 1); |
287 |
policy = "allow_mkfifo /tmp/mknod_fifo_test " |
policy = "allow_mkfifo /tmp/mknod_fifo_test " |
288 |
"if path1.parent.perm=01777 path1.parent.perm=sticky " |
"if path1.parent.perm=01777 path1.parent.perm=sticky " |
289 |
"path1.parent.uid=0 path1.parent.gid=0"; |
"path1.parent.uid=0 path1.parent.gid=0"; |
290 |
|
if (!has_cond) |
291 |
|
policy = "allow_mkfifo /tmp/mknod_fifo_test"; |
292 |
if (write_policy()) { |
if (write_policy()) { |
293 |
filename = "/tmp/mknod_fifo_test"; |
filename = "/tmp/mknod_fifo_test"; |
294 |
show_result(mknod(filename, S_IFIFO, 0), 1); |
show_result(mknod(filename, S_IFIFO, 0), 1); |
308 |
"allow_write %s if path1.major=%u path1.minor=%u", |
"allow_write %s if path1.major=%u path1.minor=%u", |
309 |
filename, (unsigned int) MAJOR(sbuf.st_dev), |
filename, (unsigned int) MAJOR(sbuf.st_dev), |
310 |
(unsigned int) MINOR(sbuf.st_dev)); |
(unsigned int) MINOR(sbuf.st_dev)); |
311 |
|
if (!has_cond) |
312 |
|
snprintf(buffer, sizeof(buffer) - 1, |
313 |
|
"allow_write %s", filename); |
314 |
policy = buffer; |
policy = buffer; |
315 |
if (write_policy()) { |
if (write_policy()) { |
316 |
int fd = open(filename, O_WRONLY); |
int fd = open(filename, O_WRONLY); |
326 |
} |
} |
327 |
|
|
328 |
policy = "allow_read /dev/initctl if path1.type=fifo"; |
policy = "allow_read /dev/initctl if path1.type=fifo"; |
329 |
|
if (!has_cond) |
330 |
|
policy = "allow_read /dev/initctl"; |
331 |
if (write_policy()) { |
if (write_policy()) { |
332 |
int fd = open("/dev/initctl", O_RDONLY); |
int fd = open("/dev/initctl", O_RDONLY); |
333 |
show_result(fd, 1); |
show_result(fd, 1); |
341 |
} |
} |
342 |
|
|
343 |
policy = "allow_read /dev/null if path1.parent.ino=path1.parent.ino"; |
policy = "allow_read /dev/null if path1.parent.ino=path1.parent.ino"; |
344 |
|
if (!has_cond) |
345 |
|
policy = "allow_read /dev/null"; |
346 |
if (write_policy()) { |
if (write_policy()) { |
347 |
int fd = open("/dev/null", O_RDONLY); |
int fd = open("/dev/null", O_RDONLY); |
348 |
show_result(fd, 1); |
show_result(fd, 1); |
356 |
} |
} |
357 |
|
|
358 |
policy = "allow_write /dev/null if path1.uid=path1.gid"; |
policy = "allow_write /dev/null if path1.uid=path1.gid"; |
359 |
|
if (!has_cond) |
360 |
|
policy = "allow_write /dev/null"; |
361 |
if (write_policy()) { |
if (write_policy()) { |
362 |
int fd = open("/dev/null", O_WRONLY); |
int fd = open("/dev/null", O_WRONLY); |
363 |
show_result(fd, 1); |
show_result(fd, 1); |
371 |
} |
} |
372 |
|
|
373 |
policy = "allow_read/write /dev/null if task.uid=path1.parent.uid"; |
policy = "allow_read/write /dev/null if task.uid=path1.parent.uid"; |
374 |
|
if (!has_cond) |
375 |
|
policy = "allow_read/write /dev/null"; |
376 |
if (write_policy()) { |
if (write_policy()) { |
377 |
int fd = open("/dev/null", O_RDWR); |
int fd = open("/dev/null", O_RDWR); |
378 |
show_result(fd, 1); |
show_result(fd, 1); |
386 |
} |
} |
387 |
|
|
388 |
policy = "allow_create /tmp/open_test if path1.parent.uid=task.uid"; |
policy = "allow_create /tmp/open_test if path1.parent.uid=task.uid"; |
389 |
|
if (!has_cond) |
390 |
|
policy = "allow_create /tmp/open_test"; |
391 |
if (write_policy()) { |
if (write_policy()) { |
392 |
policy = "allow_write /tmp/open_test if path1.parent.uid=0"; |
policy = "allow_write /tmp/open_test if path1.parent.uid=0"; |
393 |
|
if (!has_cond) |
394 |
|
policy = "allow_write /tmp/open_test"; |
395 |
if (write_policy()) { |
if (write_policy()) { |
396 |
int fd = open("/tmp/open_test", |
int fd = open("/tmp/open_test", |
397 |
O_WRONLY | O_CREAT | O_EXCL, 0666); |
O_WRONLY | O_CREAT | O_EXCL, 0666); |
408 |
unlink2("/tmp/open_test"); |
unlink2("/tmp/open_test"); |
409 |
} |
} |
410 |
policy = "allow_create /tmp/open_test " |
policy = "allow_create /tmp/open_test " |
411 |
"if path1.parent.uid=task.uid\n"; |
"if path1.parent.uid=task.uid"; |
412 |
|
if (!has_cond) |
413 |
|
policy = "allow_create /tmp/open_test"; |
414 |
delete_policy(); |
delete_policy(); |
415 |
} |
} |
416 |
|
|
417 |
policy = "allow_write /tmp/open_test if task.uid=0 path1.ino!=0"; |
policy = "allow_write /tmp/open_test if task.uid=0 path1.ino!=0"; |
418 |
|
if (!has_cond) |
419 |
|
policy = "allow_write /tmp/open_test"; |
420 |
if (write_policy()) { |
if (write_policy()) { |
421 |
policy = "allow_create /tmp/open_test if 0=0"; |
policy = "allow_create /tmp/open_test if 0=0"; |
422 |
|
if (!has_cond) |
423 |
|
policy = "allow_create /tmp/open_test"; |
424 |
if (write_policy()) { |
if (write_policy()) { |
425 |
int fd = open("/tmp/open_test", |
int fd = open("/tmp/open_test", |
426 |
O_WRONLY | O_CREAT | O_EXCL, 0666); |
O_WRONLY | O_CREAT | O_EXCL, 0666); |
437 |
unlink2("/tmp/open_test"); |
unlink2("/tmp/open_test"); |
438 |
} |
} |
439 |
policy = "allow_write /tmp/open_test " |
policy = "allow_write /tmp/open_test " |
440 |
"if task.uid=0 path1.ino!=0\n"; |
"if task.uid=0 path1.ino!=0"; |
441 |
|
if (!has_cond) |
442 |
|
policy = "allow_write /tmp/open_test"; |
443 |
delete_policy(); |
delete_policy(); |
444 |
} |
} |
445 |
|
|
447 |
create2(filename); |
create2(filename); |
448 |
|
|
449 |
policy = "allow_truncate /tmp/truncate_test if task.uid=path1.uid"; |
policy = "allow_truncate /tmp/truncate_test if task.uid=path1.uid"; |
450 |
|
if (!has_cond) |
451 |
|
policy = "allow_truncate /tmp/truncate_test"; |
452 |
if (write_policy()) { |
if (write_policy()) { |
453 |
policy = "allow_write /tmp/truncate_test if 1!=100-1000000"; |
policy = "allow_write /tmp/truncate_test if 1!=100-1000000"; |
454 |
|
if (!has_cond) |
455 |
|
policy = "allow_write /tmp/truncate_test"; |
456 |
if (write_policy()) { |
if (write_policy()) { |
457 |
int fd = open(filename, O_WRONLY | O_TRUNC); |
int fd = open(filename, O_WRONLY | O_TRUNC); |
458 |
show_result(fd, 1); |
show_result(fd, 1); |
466 |
} |
} |
467 |
policy = "allow_truncate /tmp/truncate_test " |
policy = "allow_truncate /tmp/truncate_test " |
468 |
"if task.uid=path1.uid"; |
"if task.uid=path1.uid"; |
469 |
|
if (!has_cond) |
470 |
|
policy = "allow_truncate /tmp/truncate_test"; |
471 |
delete_policy(); |
delete_policy(); |
472 |
} |
} |
473 |
|
|
485 |
if (fd != EOF) |
if (fd != EOF) |
486 |
close(fd); |
close(fd); |
487 |
} |
} |
488 |
policy = "allow_write /tmp/truncate_test\n"; |
policy = "allow_write /tmp/truncate_test"; |
489 |
delete_policy(); |
delete_policy(); |
490 |
} |
} |
491 |
|
|
700 |
write(exception_fd, cp, strlen(cp)); |
write(exception_fd, cp, strlen(cp)); |
701 |
} |
} |
702 |
unlink2(filename); |
unlink2(filename); |
703 |
|
|
704 |
|
if (has_cond) { |
705 |
|
const char *cp = "255-MAC_FOR_IOCTL=enforcing\n"; |
706 |
|
write(profile_fd, cp, strlen(cp)); |
707 |
|
policy = "allow_ioctl socket:[family=2:type=2:protocol=17] " |
708 |
|
"35122-35124 if task.uid=0"; |
709 |
|
if (write_policy()) { |
710 |
|
struct ifreq ifreq; |
711 |
|
int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP); |
712 |
|
memset(&ifreq, 0, sizeof(ifreq)); |
713 |
|
snprintf(ifreq.ifr_name, sizeof(ifreq.ifr_name) - 1, "lo"); |
714 |
|
show_result(ioctl(fd, 35123, &ifreq), 1); |
715 |
|
delete_policy(); |
716 |
|
policy = "allow_ioctl socket:[family=2:type=2:protocol=17] " |
717 |
|
"0-35122"; |
718 |
|
if (write_policy()) { |
719 |
|
show_result(ioctl(fd, 35123, &ifreq), 0); |
720 |
|
delete_policy(); |
721 |
|
} |
722 |
|
if (fd != EOF) |
723 |
|
close(fd); |
724 |
|
} |
725 |
|
cp = "255-MAC_FOR_IOCTL=disabled\n"; |
726 |
|
write(profile_fd, cp, strlen(cp)); |
727 |
|
} |
728 |
} |
} |
729 |
|
|
730 |
int main(int argc, char *argv[]) |
int main(int argc, char *argv[]) |
732 |
char *cp; |
char *cp; |
733 |
ccs_test_init(); |
ccs_test_init(); |
734 |
domain_fd = open(proc_policy_domain_policy, O_WRONLY); |
domain_fd = open(proc_policy_domain_policy, O_WRONLY); |
735 |
|
if (domain_fd == EOF && errno == ENOENT) { |
736 |
|
fprintf(stderr, "You can't use this program for this kernel." |
737 |
|
"\n"); |
738 |
|
return 1; |
739 |
|
} |
740 |
exception_fd = open(proc_policy_exception_policy, O_WRONLY); |
exception_fd = open(proc_policy_exception_policy, O_WRONLY); |
741 |
{ |
{ |
742 |
int self_fd = open(proc_policy_self_domain, O_RDONLY); |
int self_fd = open(proc_policy_self_domain, O_RDONLY); |
751 |
cp = "use_profile 255\n"; |
cp = "use_profile 255\n"; |
752 |
write(domain_fd, cp, strlen(cp)); |
write(domain_fd, cp, strlen(cp)); |
753 |
} |
} |
754 |
|
has_cond = !access("/proc/ccs/version", F_OK); |
755 |
cp = "255-MAX_REJECT_LOG=1024\n"; |
cp = "255-MAX_REJECT_LOG=1024\n"; |
756 |
write(profile_fd, cp, strlen(cp)); |
write(profile_fd, cp, strlen(cp)); |
757 |
stage_file_test(); |
stage_file_test(); |