5 |
* |
* |
6 |
* Copyright (C) 2005-2009 NTT DATA CORPORATION |
* Copyright (C) 2005-2009 NTT DATA CORPORATION |
7 |
* |
* |
8 |
* Version: 1.7.0-pre 2009/08/24 |
* Version: 1.7.0 2009/09/03 |
9 |
* |
* |
10 |
*/ |
*/ |
11 |
#include "include.h" |
#include "include.h" |
151 |
set_profile(3, "file::mount"); |
set_profile(3, "file::mount"); |
152 |
set_profile(3, "file::umount"); |
set_profile(3, "file::umount"); |
153 |
set_profile(3, "file::pivot_root"); |
set_profile(3, "file::pivot_root"); |
154 |
|
|
155 |
policy = "allow_read /proc/sys/net/ipv4/ip_local_port_range " |
policy = "allow_read /proc/sys/net/ipv4/ip_local_port_range " |
156 |
"if task.uid=0 task.gid=0"; |
"if task.uid=0 task.gid=0"; |
157 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
158 |
show_result(sysctl(name, 3, buffer, &size, 0, 0), 1); |
show_result(sysctl(name, 3, buffer, &size, 0, 0), 1); |
159 |
write_domain_policy(policy, 1); |
write_domain_policy(policy, 1); |
160 |
show_result(sysctl(name, 3, buffer, &size, 0, 0), 0); |
show_result(sysctl(name, 3, buffer, &size, 0, 0), 0); |
161 |
|
|
162 |
policy = "allow_write /proc/sys/net/ipv4/ip_local_port_range " |
policy = "allow_write /proc/sys/net/ipv4/ip_local_port_range " |
163 |
"if task.euid=0 0=0 1-100=10-1000"; |
"if task.euid=0 0=0 1-100=10-1000"; |
164 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
165 |
show_result(sysctl(name, 3, 0, 0, buffer, size), 1); |
show_result(sysctl(name, 3, 0, 0, buffer, size), 1); |
166 |
write_domain_policy(policy, 1); |
write_domain_policy(policy, 1); |
167 |
show_result(sysctl(name, 3, 0, 0, buffer, size), 0); |
show_result(sysctl(name, 3, 0, 0, buffer, size), 0); |
168 |
|
|
169 |
policy = "allow_read/write /proc/sys/net/ipv4/ip_local_port_range " |
policy = "allow_read/write /proc/sys/net/ipv4/ip_local_port_range " |
170 |
"if 1!=10-100"; |
"if 1!=10-100"; |
171 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
172 |
show_result(sysctl(name, 3, buffer, &size, buffer, size), 1); |
show_result(sysctl(name, 3, buffer, &size, buffer, size), 1); |
173 |
write_domain_policy(policy, 1); |
write_domain_policy(policy, 1); |
174 |
show_result(sysctl(name, 3, buffer, &size, buffer, size), 0); |
show_result(sysctl(name, 3, buffer, &size, buffer, size), 0); |
175 |
|
|
176 |
policy = "allow_read /bin/true " |
policy = "allow_read /bin/true " |
177 |
"if path1.uid=0 path1.parent.uid=0 10=10-100"; |
"if path1.uid=0 path1.parent.uid=0 10=10-100"; |
178 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
179 |
show_result(uselib("/bin/true"), 1); |
show_result(uselib("/bin/true"), 1); |
180 |
write_domain_policy(policy, 1); |
write_domain_policy(policy, 1); |
181 |
show_result(uselib("/bin/true"), 0); |
show_result(uselib("/bin/true"), 0); |
182 |
|
|
183 |
policy = "allow_execute /bin/true if task.uid!=10 path1.parent.uid=0"; |
policy = "allow_execute /bin/true if task.uid!=10 path1.parent.uid=0"; |
184 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
185 |
fflush(stdout); |
fflush(stdout); |
226 |
show_result(fd, 0); |
show_result(fd, 0); |
227 |
if (fd != EOF) |
if (fd != EOF) |
228 |
close(fd); |
close(fd); |
229 |
|
|
230 |
policy = "allow_read /dev/null if path1.perm=0666"; |
policy = "allow_read /dev/null if path1.perm=0666"; |
231 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
232 |
fd = open("/dev/null", O_RDONLY); |
fd = open("/dev/null", O_RDONLY); |
348 |
if (fd != EOF) |
if (fd != EOF) |
349 |
close(fd); |
close(fd); |
350 |
|
|
351 |
policy = "allow_create /tmp/open_test 0644 if path1.parent.uid=task.uid"; |
policy = "allow_create /tmp/open_test 0644 " |
352 |
|
"if path1.parent.uid=task.uid"; |
353 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
354 |
policy = "allow_write /tmp/open_test if path1.parent.uid=0"; |
policy = "allow_write /tmp/open_test if path1.parent.uid=0"; |
355 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
606 |
show_result(fd, 1); |
show_result(fd, 1); |
607 |
if (fd != EOF) |
if (fd != EOF) |
608 |
close(fd); |
close(fd); |
609 |
|
|
610 |
fd = open(filename, O_WRONLY | O_APPEND); |
fd = open(filename, O_WRONLY | O_APPEND); |
611 |
show_result(fd, 1); |
show_result(fd, 1); |
612 |
if (fd != EOF) |
if (fd != EOF) |
613 |
close(fd); |
close(fd); |
614 |
|
|
615 |
fd = open(filename, O_WRONLY); |
fd = open(filename, O_WRONLY); |
616 |
show_result(fd, 0); |
show_result(fd, 0); |
617 |
if (fd != EOF) |
if (fd != EOF) |
618 |
close(fd); |
close(fd); |
619 |
|
|
620 |
fd = open(filename, O_WRONLY | O_TRUNC); |
fd = open(filename, O_WRONLY | O_TRUNC); |
621 |
show_result(fd, 0); |
show_result(fd, 0); |
622 |
if (fd != EOF) |
if (fd != EOF) |
623 |
close(fd); |
close(fd); |
624 |
|
|
625 |
fd = open(filename, O_WRONLY | O_TRUNC | O_APPEND); |
fd = open(filename, O_WRONLY | O_TRUNC | O_APPEND); |
626 |
show_result(fd, 0); |
show_result(fd, 0); |
627 |
if (fd != EOF) |
if (fd != EOF) |
628 |
close(fd); |
close(fd); |
629 |
|
|
630 |
show_result(truncate(filename, 0), 0); |
show_result(truncate(filename, 0), 0); |
631 |
|
|
632 |
set_profile(0, "file::open"); |
set_profile(0, "file::open"); |
633 |
fd = open(filename, O_WRONLY | O_APPEND); |
fd = open(filename, O_WRONLY | O_APPEND); |
634 |
set_profile(3, "file::open"); |
set_profile(3, "file::open"); |
635 |
show_result(ftruncate(fd, 0), 0); |
show_result(ftruncate(fd, 0), 0); |
636 |
|
|
637 |
show_result(fcntl(fd, F_SETFL, |
show_result(fcntl(fd, F_SETFL, |
638 |
fcntl(fd, F_GETFL) & ~O_APPEND), 0); |
fcntl(fd, F_GETFL) & ~O_APPEND), 0); |
639 |
if (fd != EOF) |
if (fd != EOF) |
640 |
close(fd); |
close(fd); |
641 |
|
|
642 |
write_domain_policy(policy, 1); |
write_domain_policy(policy, 1); |
643 |
|
|
644 |
policy = "allow_read/write /tmp/rewrite_test"; |
policy = "allow_read/write /tmp/rewrite_test"; |