14 |
static int exception_fd = EOF; |
static int exception_fd = EOF; |
15 |
static const char *policy = ""; |
static const char *policy = ""; |
16 |
static char self_domain[4096] = ""; |
static char self_domain[4096] = ""; |
17 |
|
static _Bool has_cond = 1; |
18 |
|
|
19 |
static int write_policy(void) |
static int write_policy(void) |
20 |
{ |
{ |
131 |
char *filename = ""; |
char *filename = ""; |
132 |
policy = "allow_read /proc/sys/net/ipv4/ip_local_port_range " |
policy = "allow_read /proc/sys/net/ipv4/ip_local_port_range " |
133 |
"if task.uid=0 task.gid=0"; |
"if task.uid=0 task.gid=0"; |
134 |
|
if (!has_cond) |
135 |
|
policy = "allow_read /proc/sys/net/ipv4/ip_local_port_range"; |
136 |
if (write_policy()) { |
if (write_policy()) { |
137 |
static int name[] = { CTL_NET, NET_IPV4, |
static int name[] = { CTL_NET, NET_IPV4, |
138 |
NET_IPV4_LOCAL_PORT_RANGE }; |
NET_IPV4_LOCAL_PORT_RANGE }; |
144 |
} |
} |
145 |
policy = "allow_write /proc/sys/net/ipv4/ip_local_port_range " |
policy = "allow_write /proc/sys/net/ipv4/ip_local_port_range " |
146 |
"if task.euid=0 0=0 1-100=10-1000"; |
"if task.euid=0 0=0 1-100=10-1000"; |
147 |
|
if (!has_cond) |
148 |
|
policy = "allow_write /proc/sys/net/ipv4/ip_local_port_range"; |
149 |
if (write_policy()) { |
if (write_policy()) { |
150 |
static int name[] = { CTL_NET, NET_IPV4, |
static int name[] = { CTL_NET, NET_IPV4, |
151 |
NET_IPV4_LOCAL_PORT_RANGE }; |
NET_IPV4_LOCAL_PORT_RANGE }; |
157 |
} |
} |
158 |
policy = "allow_read/write /proc/sys/net/ipv4/ip_local_port_range " |
policy = "allow_read/write /proc/sys/net/ipv4/ip_local_port_range " |
159 |
"if 1!=10-100"; |
"if 1!=10-100"; |
160 |
|
if (!has_cond) |
161 |
|
policy = "allow_read/write /proc/sys/net/ipv4/ip_local_port_range"; |
162 |
if (write_policy()) { |
if (write_policy()) { |
163 |
static int name[] = { CTL_NET, NET_IPV4, |
static int name[] = { CTL_NET, NET_IPV4, |
164 |
NET_IPV4_LOCAL_PORT_RANGE }; |
NET_IPV4_LOCAL_PORT_RANGE }; |
171 |
|
|
172 |
policy = "allow_read /bin/true " |
policy = "allow_read /bin/true " |
173 |
"if path1.uid=0 path1.parent.uid=0 10=10-100"; |
"if path1.uid=0 path1.parent.uid=0 10=10-100"; |
174 |
|
if (!has_cond) |
175 |
|
policy = "allow_read /bin/true"; |
176 |
if (write_policy()) { |
if (write_policy()) { |
177 |
show_result(uselib("/bin/true"), 1); |
show_result(uselib("/bin/true"), 1); |
178 |
delete_policy(); |
delete_policy(); |
180 |
} |
} |
181 |
|
|
182 |
policy = "allow_execute /bin/true if task.uid!=10 path1.parent.uid=0"; |
policy = "allow_execute /bin/true if task.uid!=10 path1.parent.uid=0"; |
183 |
|
if (!has_cond) |
184 |
|
policy = "allow_execute /bin/true"; |
185 |
if (write_policy()) { |
if (write_policy()) { |
186 |
int pipe_fd[2] = { EOF, EOF }; |
int pipe_fd[2] = { EOF, EOF }; |
187 |
int err = 0; |
int err = 0; |
220 |
|
|
221 |
policy = "allow_read /dev/null if path1.type=char path1.dev_major=1 " |
policy = "allow_read /dev/null if path1.type=char path1.dev_major=1 " |
222 |
"path1.dev_minor=3"; |
"path1.dev_minor=3"; |
223 |
|
if (!has_cond) |
224 |
|
policy = "allow_read /dev/null"; |
225 |
if (write_policy()) { |
if (write_policy()) { |
226 |
int fd = open("/dev/null", O_RDONLY); |
int fd = open("/dev/null", O_RDONLY); |
227 |
show_result(fd, 1); |
show_result(fd, 1); |
235 |
} |
} |
236 |
|
|
237 |
policy = "allow_read /dev/null if path1.perm=0666"; |
policy = "allow_read /dev/null if path1.perm=0666"; |
238 |
|
if (!has_cond) |
239 |
|
policy = "allow_read /dev/null"; |
240 |
if (write_policy()) { |
if (write_policy()) { |
241 |
int fd = open("/dev/null", O_RDONLY); |
int fd = open("/dev/null", O_RDONLY); |
242 |
show_result(fd, 1); |
show_result(fd, 1); |
250 |
} |
} |
251 |
|
|
252 |
policy = "allow_read /dev/null if path1.perm!=0777"; |
policy = "allow_read /dev/null if path1.perm!=0777"; |
253 |
|
if (!has_cond) |
254 |
|
policy = "allow_read /dev/null"; |
255 |
if (write_policy()) { |
if (write_policy()) { |
256 |
int fd = open("/dev/null", O_RDONLY); |
int fd = open("/dev/null", O_RDONLY); |
257 |
show_result(fd, 1); |
show_result(fd, 1); |
270 |
"path1.perm!=group_execute path1.perm=others_read " |
"path1.perm!=group_execute path1.perm=others_read " |
271 |
"path1.perm=others_write path1.perm!=others_execute " |
"path1.perm=others_write path1.perm!=others_execute " |
272 |
"path1.perm!=setuid path1.perm!=setgid path1.perm!=sticky"; |
"path1.perm!=setuid path1.perm!=setgid path1.perm!=sticky"; |
273 |
|
if (!has_cond) |
274 |
|
policy = "allow_read /dev/null"; |
275 |
if (write_policy()) { |
if (write_policy()) { |
276 |
int fd = open("/dev/null", O_RDONLY); |
int fd = open("/dev/null", O_RDONLY); |
277 |
show_result(fd, 1); |
show_result(fd, 1); |
287 |
policy = "allow_mkfifo /tmp/mknod_fifo_test " |
policy = "allow_mkfifo /tmp/mknod_fifo_test " |
288 |
"if path1.parent.perm=01777 path1.parent.perm=sticky " |
"if path1.parent.perm=01777 path1.parent.perm=sticky " |
289 |
"path1.parent.uid=0 path1.parent.gid=0"; |
"path1.parent.uid=0 path1.parent.gid=0"; |
290 |
|
if (!has_cond) |
291 |
|
policy = "allow_mkfifo /tmp/mknod_fifo_test"; |
292 |
if (write_policy()) { |
if (write_policy()) { |
293 |
filename = "/tmp/mknod_fifo_test"; |
filename = "/tmp/mknod_fifo_test"; |
294 |
show_result(mknod(filename, S_IFIFO, 0), 1); |
show_result(mknod(filename, S_IFIFO, 0), 1); |
308 |
"allow_write %s if path1.major=%u path1.minor=%u", |
"allow_write %s if path1.major=%u path1.minor=%u", |
309 |
filename, (unsigned int) MAJOR(sbuf.st_dev), |
filename, (unsigned int) MAJOR(sbuf.st_dev), |
310 |
(unsigned int) MINOR(sbuf.st_dev)); |
(unsigned int) MINOR(sbuf.st_dev)); |
311 |
|
if (!has_cond) |
312 |
|
snprintf(buffer, sizeof(buffer) - 1, |
313 |
|
"allow_write %s", filename); |
314 |
policy = buffer; |
policy = buffer; |
315 |
if (write_policy()) { |
if (write_policy()) { |
316 |
int fd = open(filename, O_WRONLY); |
int fd = open(filename, O_WRONLY); |
326 |
} |
} |
327 |
|
|
328 |
policy = "allow_read /dev/initctl if path1.type=fifo"; |
policy = "allow_read /dev/initctl if path1.type=fifo"; |
329 |
|
if (!has_cond) |
330 |
|
policy = "allow_read /dev/initctl"; |
331 |
if (write_policy()) { |
if (write_policy()) { |
332 |
int fd = open("/dev/initctl", O_RDONLY); |
int fd = open("/dev/initctl", O_RDONLY); |
333 |
show_result(fd, 1); |
show_result(fd, 1); |
341 |
} |
} |
342 |
|
|
343 |
policy = "allow_read /dev/null if path1.parent.ino=path1.parent.ino"; |
policy = "allow_read /dev/null if path1.parent.ino=path1.parent.ino"; |
344 |
|
if (!has_cond) |
345 |
|
policy = "allow_read /dev/null"; |
346 |
if (write_policy()) { |
if (write_policy()) { |
347 |
int fd = open("/dev/null", O_RDONLY); |
int fd = open("/dev/null", O_RDONLY); |
348 |
show_result(fd, 1); |
show_result(fd, 1); |
356 |
} |
} |
357 |
|
|
358 |
policy = "allow_write /dev/null if path1.uid=path1.gid"; |
policy = "allow_write /dev/null if path1.uid=path1.gid"; |
359 |
|
if (!has_cond) |
360 |
|
policy = "allow_write /dev/null"; |
361 |
if (write_policy()) { |
if (write_policy()) { |
362 |
int fd = open("/dev/null", O_WRONLY); |
int fd = open("/dev/null", O_WRONLY); |
363 |
show_result(fd, 1); |
show_result(fd, 1); |
371 |
} |
} |
372 |
|
|
373 |
policy = "allow_read/write /dev/null if task.uid=path1.parent.uid"; |
policy = "allow_read/write /dev/null if task.uid=path1.parent.uid"; |
374 |
|
if (!has_cond) |
375 |
|
policy = "allow_read/write /dev/null if task.uid=path1.parent.uid"; |
376 |
if (write_policy()) { |
if (write_policy()) { |
377 |
int fd = open("/dev/null", O_RDWR); |
int fd = open("/dev/null", O_RDWR); |
378 |
show_result(fd, 1); |
show_result(fd, 1); |
386 |
} |
} |
387 |
|
|
388 |
policy = "allow_create /tmp/open_test if path1.parent.uid=task.uid"; |
policy = "allow_create /tmp/open_test if path1.parent.uid=task.uid"; |
389 |
|
if (!has_cond) |
390 |
|
policy = "allow_create /tmp/open_test"; |
391 |
if (write_policy()) { |
if (write_policy()) { |
392 |
policy = "allow_write /tmp/open_test if path1.parent.uid=0"; |
policy = "allow_write /tmp/open_test if path1.parent.uid=0"; |
393 |
|
if (!has_cond) |
394 |
|
policy = "allow_write /tmp/open_test"; |
395 |
if (write_policy()) { |
if (write_policy()) { |
396 |
int fd = open("/tmp/open_test", |
int fd = open("/tmp/open_test", |
397 |
O_WRONLY | O_CREAT | O_EXCL, 0666); |
O_WRONLY | O_CREAT | O_EXCL, 0666); |
408 |
unlink2("/tmp/open_test"); |
unlink2("/tmp/open_test"); |
409 |
} |
} |
410 |
policy = "allow_create /tmp/open_test " |
policy = "allow_create /tmp/open_test " |
411 |
"if path1.parent.uid=task.uid\n"; |
"if path1.parent.uid=task.uid"; |
412 |
|
if (!has_cond) |
413 |
|
policy = "allow_create /tmp/open_test"; |
414 |
delete_policy(); |
delete_policy(); |
415 |
} |
} |
416 |
|
|
433 |
unlink2("/tmp/open_test"); |
unlink2("/tmp/open_test"); |
434 |
} |
} |
435 |
policy = "allow_write /tmp/open_test " |
policy = "allow_write /tmp/open_test " |
436 |
"if task.uid=0 path1.ino!=0\n"; |
"if task.uid=0 path1.ino!=0"; |
437 |
|
if (!has_cond) |
438 |
|
policy = "allow_write /tmp/open_test"; |
439 |
delete_policy(); |
delete_policy(); |
440 |
} |
} |
441 |
|
|
475 |
if (fd != EOF) |
if (fd != EOF) |
476 |
close(fd); |
close(fd); |
477 |
} |
} |
478 |
policy = "allow_write /tmp/truncate_test\n"; |
policy = "allow_write /tmp/truncate_test"; |
479 |
delete_policy(); |
delete_policy(); |
480 |
} |
} |
481 |
|
|
711 |
cp = "use_profile 255\n"; |
cp = "use_profile 255\n"; |
712 |
write(domain_fd, cp, strlen(cp)); |
write(domain_fd, cp, strlen(cp)); |
713 |
} |
} |
714 |
|
has_cond = !access("/proc/ccs/version", F_OK); |
715 |
cp = "255-MAX_REJECT_LOG=1024\n"; |
cp = "255-MAX_REJECT_LOG=1024\n"; |
716 |
write(profile_fd, cp, strlen(cp)); |
write(profile_fd, cp, strlen(cp)); |
717 |
stage_file_test(); |
stage_file_test(); |