| 14 |
static int exception_fd = EOF; |
static int exception_fd = EOF; |
| 15 |
static const char *policy = ""; |
static const char *policy = ""; |
| 16 |
static char self_domain[4096] = ""; |
static char self_domain[4096] = ""; |
| 17 |
|
static _Bool has_cond = 1; |
| 18 |
|
|
| 19 |
static int write_policy(void) |
static int write_policy(void) |
| 20 |
{ |
{ |
| 131 |
char *filename = ""; |
char *filename = ""; |
| 132 |
policy = "allow_read /proc/sys/net/ipv4/ip_local_port_range " |
policy = "allow_read /proc/sys/net/ipv4/ip_local_port_range " |
| 133 |
"if task.uid=0 task.gid=0"; |
"if task.uid=0 task.gid=0"; |
| 134 |
|
if (!has_cond) |
| 135 |
|
policy = "allow_read /proc/sys/net/ipv4/ip_local_port_range"; |
| 136 |
if (write_policy()) { |
if (write_policy()) { |
| 137 |
static int name[] = { CTL_NET, NET_IPV4, |
static int name[] = { CTL_NET, NET_IPV4, |
| 138 |
NET_IPV4_LOCAL_PORT_RANGE }; |
NET_IPV4_LOCAL_PORT_RANGE }; |
| 144 |
} |
} |
| 145 |
policy = "allow_write /proc/sys/net/ipv4/ip_local_port_range " |
policy = "allow_write /proc/sys/net/ipv4/ip_local_port_range " |
| 146 |
"if task.euid=0 0=0 1-100=10-1000"; |
"if task.euid=0 0=0 1-100=10-1000"; |
| 147 |
|
if (!has_cond) |
| 148 |
|
policy = "allow_write /proc/sys/net/ipv4/ip_local_port_range"; |
| 149 |
if (write_policy()) { |
if (write_policy()) { |
| 150 |
static int name[] = { CTL_NET, NET_IPV4, |
static int name[] = { CTL_NET, NET_IPV4, |
| 151 |
NET_IPV4_LOCAL_PORT_RANGE }; |
NET_IPV4_LOCAL_PORT_RANGE }; |
| 157 |
} |
} |
| 158 |
policy = "allow_read/write /proc/sys/net/ipv4/ip_local_port_range " |
policy = "allow_read/write /proc/sys/net/ipv4/ip_local_port_range " |
| 159 |
"if 1!=10-100"; |
"if 1!=10-100"; |
| 160 |
|
if (!has_cond) |
| 161 |
|
policy = "allow_read/write /proc/sys/net/ipv4/ip_local_port_range"; |
| 162 |
if (write_policy()) { |
if (write_policy()) { |
| 163 |
static int name[] = { CTL_NET, NET_IPV4, |
static int name[] = { CTL_NET, NET_IPV4, |
| 164 |
NET_IPV4_LOCAL_PORT_RANGE }; |
NET_IPV4_LOCAL_PORT_RANGE }; |
| 171 |
|
|
| 172 |
policy = "allow_read /bin/true " |
policy = "allow_read /bin/true " |
| 173 |
"if path1.uid=0 path1.parent.uid=0 10=10-100"; |
"if path1.uid=0 path1.parent.uid=0 10=10-100"; |
| 174 |
|
if (!has_cond) |
| 175 |
|
policy = "allow_read /bin/true"; |
| 176 |
if (write_policy()) { |
if (write_policy()) { |
| 177 |
show_result(uselib("/bin/true"), 1); |
show_result(uselib("/bin/true"), 1); |
| 178 |
delete_policy(); |
delete_policy(); |
| 180 |
} |
} |
| 181 |
|
|
| 182 |
policy = "allow_execute /bin/true if task.uid!=10 path1.parent.uid=0"; |
policy = "allow_execute /bin/true if task.uid!=10 path1.parent.uid=0"; |
| 183 |
|
if (!has_cond) |
| 184 |
|
policy = "allow_execute /bin/true"; |
| 185 |
if (write_policy()) { |
if (write_policy()) { |
| 186 |
int pipe_fd[2] = { EOF, EOF }; |
int pipe_fd[2] = { EOF, EOF }; |
| 187 |
int err = 0; |
int err = 0; |
| 220 |
|
|
| 221 |
policy = "allow_read /dev/null if path1.type=char path1.dev_major=1 " |
policy = "allow_read /dev/null if path1.type=char path1.dev_major=1 " |
| 222 |
"path1.dev_minor=3"; |
"path1.dev_minor=3"; |
| 223 |
|
if (!has_cond) |
| 224 |
|
policy = "allow_read /dev/null"; |
| 225 |
if (write_policy()) { |
if (write_policy()) { |
| 226 |
int fd = open("/dev/null", O_RDONLY); |
int fd = open("/dev/null", O_RDONLY); |
| 227 |
show_result(fd, 1); |
show_result(fd, 1); |
| 235 |
} |
} |
| 236 |
|
|
| 237 |
policy = "allow_read /dev/null if path1.perm=0666"; |
policy = "allow_read /dev/null if path1.perm=0666"; |
| 238 |
|
if (!has_cond) |
| 239 |
|
policy = "allow_read /dev/null"; |
| 240 |
if (write_policy()) { |
if (write_policy()) { |
| 241 |
int fd = open("/dev/null", O_RDONLY); |
int fd = open("/dev/null", O_RDONLY); |
| 242 |
show_result(fd, 1); |
show_result(fd, 1); |
| 250 |
} |
} |
| 251 |
|
|
| 252 |
policy = "allow_read /dev/null if path1.perm!=0777"; |
policy = "allow_read /dev/null if path1.perm!=0777"; |
| 253 |
|
if (!has_cond) |
| 254 |
|
policy = "allow_read /dev/null"; |
| 255 |
if (write_policy()) { |
if (write_policy()) { |
| 256 |
int fd = open("/dev/null", O_RDONLY); |
int fd = open("/dev/null", O_RDONLY); |
| 257 |
show_result(fd, 1); |
show_result(fd, 1); |
| 270 |
"path1.perm!=group_execute path1.perm=others_read " |
"path1.perm!=group_execute path1.perm=others_read " |
| 271 |
"path1.perm=others_write path1.perm!=others_execute " |
"path1.perm=others_write path1.perm!=others_execute " |
| 272 |
"path1.perm!=setuid path1.perm!=setgid path1.perm!=sticky"; |
"path1.perm!=setuid path1.perm!=setgid path1.perm!=sticky"; |
| 273 |
|
if (!has_cond) |
| 274 |
|
policy = "allow_read /dev/null"; |
| 275 |
if (write_policy()) { |
if (write_policy()) { |
| 276 |
int fd = open("/dev/null", O_RDONLY); |
int fd = open("/dev/null", O_RDONLY); |
| 277 |
show_result(fd, 1); |
show_result(fd, 1); |
| 287 |
policy = "allow_mkfifo /tmp/mknod_fifo_test " |
policy = "allow_mkfifo /tmp/mknod_fifo_test " |
| 288 |
"if path1.parent.perm=01777 path1.parent.perm=sticky " |
"if path1.parent.perm=01777 path1.parent.perm=sticky " |
| 289 |
"path1.parent.uid=0 path1.parent.gid=0"; |
"path1.parent.uid=0 path1.parent.gid=0"; |
| 290 |
|
if (!has_cond) |
| 291 |
|
policy = "allow_mkfifo /tmp/mknod_fifo_test"; |
| 292 |
if (write_policy()) { |
if (write_policy()) { |
| 293 |
filename = "/tmp/mknod_fifo_test"; |
filename = "/tmp/mknod_fifo_test"; |
| 294 |
show_result(mknod(filename, S_IFIFO, 0), 1); |
show_result(mknod(filename, S_IFIFO, 0), 1); |
| 308 |
"allow_write %s if path1.major=%u path1.minor=%u", |
"allow_write %s if path1.major=%u path1.minor=%u", |
| 309 |
filename, (unsigned int) MAJOR(sbuf.st_dev), |
filename, (unsigned int) MAJOR(sbuf.st_dev), |
| 310 |
(unsigned int) MINOR(sbuf.st_dev)); |
(unsigned int) MINOR(sbuf.st_dev)); |
| 311 |
|
if (!has_cond) |
| 312 |
|
snprintf(buffer, sizeof(buffer) - 1, |
| 313 |
|
"allow_write %s", filename); |
| 314 |
policy = buffer; |
policy = buffer; |
| 315 |
if (write_policy()) { |
if (write_policy()) { |
| 316 |
int fd = open(filename, O_WRONLY); |
int fd = open(filename, O_WRONLY); |
| 326 |
} |
} |
| 327 |
|
|
| 328 |
policy = "allow_read /dev/initctl if path1.type=fifo"; |
policy = "allow_read /dev/initctl if path1.type=fifo"; |
| 329 |
|
if (!has_cond) |
| 330 |
|
policy = "allow_read /dev/initctl"; |
| 331 |
if (write_policy()) { |
if (write_policy()) { |
| 332 |
int fd = open("/dev/initctl", O_RDONLY); |
int fd = open("/dev/initctl", O_RDONLY); |
| 333 |
show_result(fd, 1); |
show_result(fd, 1); |
| 341 |
} |
} |
| 342 |
|
|
| 343 |
policy = "allow_read /dev/null if path1.parent.ino=path1.parent.ino"; |
policy = "allow_read /dev/null if path1.parent.ino=path1.parent.ino"; |
| 344 |
|
if (!has_cond) |
| 345 |
|
policy = "allow_read /dev/null"; |
| 346 |
if (write_policy()) { |
if (write_policy()) { |
| 347 |
int fd = open("/dev/null", O_RDONLY); |
int fd = open("/dev/null", O_RDONLY); |
| 348 |
show_result(fd, 1); |
show_result(fd, 1); |
| 356 |
} |
} |
| 357 |
|
|
| 358 |
policy = "allow_write /dev/null if path1.uid=path1.gid"; |
policy = "allow_write /dev/null if path1.uid=path1.gid"; |
| 359 |
|
if (!has_cond) |
| 360 |
|
policy = "allow_write /dev/null"; |
| 361 |
if (write_policy()) { |
if (write_policy()) { |
| 362 |
int fd = open("/dev/null", O_WRONLY); |
int fd = open("/dev/null", O_WRONLY); |
| 363 |
show_result(fd, 1); |
show_result(fd, 1); |
| 371 |
} |
} |
| 372 |
|
|
| 373 |
policy = "allow_read/write /dev/null if task.uid=path1.parent.uid"; |
policy = "allow_read/write /dev/null if task.uid=path1.parent.uid"; |
| 374 |
|
if (!has_cond) |
| 375 |
|
policy = "allow_read/write /dev/null if task.uid=path1.parent.uid"; |
| 376 |
if (write_policy()) { |
if (write_policy()) { |
| 377 |
int fd = open("/dev/null", O_RDWR); |
int fd = open("/dev/null", O_RDWR); |
| 378 |
show_result(fd, 1); |
show_result(fd, 1); |
| 386 |
} |
} |
| 387 |
|
|
| 388 |
policy = "allow_create /tmp/open_test if path1.parent.uid=task.uid"; |
policy = "allow_create /tmp/open_test if path1.parent.uid=task.uid"; |
| 389 |
|
if (!has_cond) |
| 390 |
|
policy = "allow_create /tmp/open_test"; |
| 391 |
if (write_policy()) { |
if (write_policy()) { |
| 392 |
policy = "allow_write /tmp/open_test if path1.parent.uid=0"; |
policy = "allow_write /tmp/open_test if path1.parent.uid=0"; |
| 393 |
|
if (!has_cond) |
| 394 |
|
policy = "allow_write /tmp/open_test"; |
| 395 |
if (write_policy()) { |
if (write_policy()) { |
| 396 |
int fd = open("/tmp/open_test", |
int fd = open("/tmp/open_test", |
| 397 |
O_WRONLY | O_CREAT | O_EXCL, 0666); |
O_WRONLY | O_CREAT | O_EXCL, 0666); |
| 408 |
unlink2("/tmp/open_test"); |
unlink2("/tmp/open_test"); |
| 409 |
} |
} |
| 410 |
policy = "allow_create /tmp/open_test " |
policy = "allow_create /tmp/open_test " |
| 411 |
"if path1.parent.uid=task.uid\n"; |
"if path1.parent.uid=task.uid"; |
| 412 |
|
if (!has_cond) |
| 413 |
|
policy = "allow_create /tmp/open_test"; |
| 414 |
delete_policy(); |
delete_policy(); |
| 415 |
} |
} |
| 416 |
|
|
| 433 |
unlink2("/tmp/open_test"); |
unlink2("/tmp/open_test"); |
| 434 |
} |
} |
| 435 |
policy = "allow_write /tmp/open_test " |
policy = "allow_write /tmp/open_test " |
| 436 |
"if task.uid=0 path1.ino!=0\n"; |
"if task.uid=0 path1.ino!=0"; |
| 437 |
|
if (!has_cond) |
| 438 |
|
policy = "allow_write /tmp/open_test"; |
| 439 |
delete_policy(); |
delete_policy(); |
| 440 |
} |
} |
| 441 |
|
|
| 475 |
if (fd != EOF) |
if (fd != EOF) |
| 476 |
close(fd); |
close(fd); |
| 477 |
} |
} |
| 478 |
policy = "allow_write /tmp/truncate_test\n"; |
policy = "allow_write /tmp/truncate_test"; |
| 479 |
delete_policy(); |
delete_policy(); |
| 480 |
} |
} |
| 481 |
|
|
| 711 |
cp = "use_profile 255\n"; |
cp = "use_profile 255\n"; |
| 712 |
write(domain_fd, cp, strlen(cp)); |
write(domain_fd, cp, strlen(cp)); |
| 713 |
} |
} |
| 714 |
|
has_cond = !access("/proc/ccs/version", F_OK); |
| 715 |
cp = "255-MAX_REJECT_LOG=1024\n"; |
cp = "255-MAX_REJECT_LOG=1024\n"; |
| 716 |
write(profile_fd, cp, strlen(cp)); |
write(profile_fd, cp, strlen(cp)); |
| 717 |
stage_file_test(); |
stage_file_test(); |
TOMOYO
Parent Directory
Revision Log
Patch