1 |
/* |
/* |
2 |
* ccs_new_file_test.c |
* ccs_new_file_test.c |
3 |
* |
* |
4 |
* Copyright (C) 2005-2009 NTT DATA CORPORATION |
* Copyright (C) 2005-2010 NTT DATA CORPORATION |
5 |
* |
* |
6 |
* Version: 1.7.1 2009/11/11 |
* Version: 1.8.0-pre 2010/08/01 |
7 |
* |
* |
8 |
*/ |
*/ |
9 |
#include "include.h" |
#include "include.h" |
136 |
set_profile(3, "file::mksock"); |
set_profile(3, "file::mksock"); |
137 |
set_profile(3, "file::truncate"); |
set_profile(3, "file::truncate"); |
138 |
set_profile(3, "file::symlink"); |
set_profile(3, "file::symlink"); |
|
set_profile(3, "file::rewrite"); |
|
139 |
set_profile(3, "file::mkblock"); |
set_profile(3, "file::mkblock"); |
140 |
set_profile(3, "file::mkchar"); |
set_profile(3, "file::mkchar"); |
141 |
set_profile(3, "file::link"); |
set_profile(3, "file::link"); |
149 |
set_profile(3, "file::umount"); |
set_profile(3, "file::umount"); |
150 |
set_profile(3, "file::pivot_root"); |
set_profile(3, "file::pivot_root"); |
151 |
|
|
152 |
policy = "allow_read /proc/sys/net/ipv4/ip_local_port_range " |
policy = "file read proc:/sys/net/ipv4/ip_local_port_range " |
153 |
"if task.uid=0 task.gid=0"; |
"if task.uid=0 task.gid=0"; |
154 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
155 |
show_result(sysctl(name, 3, buffer, &size, 0, 0), 1); |
show_result(sysctl(name, 3, buffer, &size, 0, 0), 1); |
156 |
write_domain_policy(policy, 1); |
write_domain_policy(policy, 1); |
157 |
show_result(sysctl(name, 3, buffer, &size, 0, 0), 0); |
show_result(sysctl(name, 3, buffer, &size, 0, 0), 0); |
158 |
|
|
159 |
policy = "allow_write /proc/sys/net/ipv4/ip_local_port_range " |
policy = "file write proc:/sys/net/ipv4/ip_local_port_range " |
160 |
"if task.euid=0 0=0 1-100=10-1000"; |
"if task.euid=0 0=0 1-100=10-1000"; |
161 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
162 |
show_result(sysctl(name, 3, 0, 0, buffer, size), 1); |
show_result(sysctl(name, 3, 0, 0, buffer, size), 1); |
163 |
write_domain_policy(policy, 1); |
write_domain_policy(policy, 1); |
164 |
show_result(sysctl(name, 3, 0, 0, buffer, size), 0); |
show_result(sysctl(name, 3, 0, 0, buffer, size), 0); |
165 |
|
|
166 |
policy = "allow_read/write /proc/sys/net/ipv4/ip_local_port_range " |
policy = "file read proc:/sys/net/ipv4/ip_local_port_range " |
167 |
|
"if 1!=10-100"; |
168 |
|
write_domain_policy(policy, 0); |
169 |
|
policy = "file write proc:/sys/net/ipv4/ip_local_port_range " |
170 |
"if 1!=10-100"; |
"if 1!=10-100"; |
171 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
172 |
show_result(sysctl(name, 3, buffer, &size, buffer, size), 1); |
show_result(sysctl(name, 3, buffer, &size, buffer, size), 1); |
173 |
|
policy = "file read proc:/sys/net/ipv4/ip_local_port_range " |
174 |
|
"if 1!=10-100"; |
175 |
|
write_domain_policy(policy, 1); |
176 |
|
policy = "file write proc:/sys/net/ipv4/ip_local_port_range " |
177 |
|
"if 1!=10-100"; |
178 |
write_domain_policy(policy, 1); |
write_domain_policy(policy, 1); |
179 |
show_result(sysctl(name, 3, buffer, &size, buffer, size), 0); |
show_result(sysctl(name, 3, buffer, &size, buffer, size), 0); |
180 |
|
|
181 |
policy = "allow_read /bin/true " |
policy = "file read /bin/true " |
182 |
"if path1.uid=0 path1.parent.uid=0 10=10-100"; |
"if path1.uid=0 path1.parent.uid=0 10=10-100"; |
183 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
184 |
show_result(uselib("/bin/true"), 1); |
show_result(uselib("/bin/true"), 1); |
185 |
write_domain_policy(policy, 1); |
write_domain_policy(policy, 1); |
186 |
show_result(uselib("/bin/true"), 0); |
show_result(uselib("/bin/true"), 0); |
187 |
|
|
188 |
policy = "allow_execute /bin/true if task.uid!=10 path1.parent.uid=0"; |
policy = "file execute /bin/true if task.uid!=10 path1.parent.uid=0"; |
189 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
190 |
fflush(stdout); |
fflush(stdout); |
191 |
fflush(stderr); |
fflush(stderr); |
219 |
errno = err; |
errno = err; |
220 |
show_result(err ? EOF : 0, 0); |
show_result(err ? EOF : 0, 0); |
221 |
|
|
222 |
policy = "allow_read /dev/null if path1.type=char path1.dev_major=1 " |
policy = "file read /dev/null if path1.type=char path1.dev_major=1 " |
223 |
"path1.dev_minor=3"; |
"path1.dev_minor=3"; |
224 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
225 |
fd = open("/dev/null", O_RDONLY); |
fd = open("/dev/null", O_RDONLY); |
232 |
if (fd != EOF) |
if (fd != EOF) |
233 |
close(fd); |
close(fd); |
234 |
|
|
235 |
policy = "allow_read /dev/null if path1.perm=0666"; |
policy = "file read /dev/null if path1.perm=0666"; |
236 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
237 |
fd = open("/dev/null", O_RDONLY); |
fd = open("/dev/null", O_RDONLY); |
238 |
show_result(fd, 1); |
show_result(fd, 1); |
244 |
if (fd != EOF) |
if (fd != EOF) |
245 |
close(fd); |
close(fd); |
246 |
|
|
247 |
policy = "allow_read /dev/null if path1.perm!=0777"; |
policy = "file read /dev/null if path1.perm!=0777"; |
248 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
249 |
fd = open("/dev/null", O_RDONLY); |
fd = open("/dev/null", O_RDONLY); |
250 |
show_result(fd, 1); |
show_result(fd, 1); |
256 |
if (fd != EOF) |
if (fd != EOF) |
257 |
close(fd); |
close(fd); |
258 |
|
|
259 |
policy = "allow_read /dev/null if path1.perm=owner_read " |
policy = "file read /dev/null if path1.perm=owner_read " |
260 |
"path1.perm=owner_write path1.perm!=owner_execute " |
"path1.perm=owner_write path1.perm!=owner_execute " |
261 |
"path1.perm=group_read path1.perm=group_write " |
"path1.perm=group_read path1.perm=group_write " |
262 |
"path1.perm!=group_execute path1.perm=others_read " |
"path1.perm!=group_execute path1.perm=others_read " |
274 |
close(fd); |
close(fd); |
275 |
|
|
276 |
set_profile(3, "file::mkfifo"); |
set_profile(3, "file::mkfifo"); |
277 |
policy = "allow_mkfifo /tmp/mknod_fifo_test 0644 " |
policy = "file mkfifo /tmp/mknod_fifo_test 0644 " |
278 |
"if path1.parent.perm=01777 path1.parent.perm=sticky " |
"if path1.parent.perm=01777 path1.parent.perm=sticky " |
279 |
"path1.parent.uid=0 path1.parent.gid=0"; |
"path1.parent.uid=0 path1.parent.gid=0"; |
280 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
289 |
filename = "/dev/null"; |
filename = "/dev/null"; |
290 |
stat(filename, &sbuf); |
stat(filename, &sbuf); |
291 |
snprintf(pbuffer, sizeof(pbuffer) - 1, |
snprintf(pbuffer, sizeof(pbuffer) - 1, |
292 |
"allow_write %s if path1.major=%u path1.minor=%u", |
"file write %s if path1.major=%u path1.minor=%u", |
293 |
filename, (unsigned int) MAJOR(sbuf.st_dev), |
filename, (unsigned int) MAJOR(sbuf.st_dev), |
294 |
(unsigned int) MINOR(sbuf.st_dev)); |
(unsigned int) MINOR(sbuf.st_dev)); |
295 |
policy = pbuffer; |
policy = pbuffer; |
304 |
if (fd != EOF) |
if (fd != EOF) |
305 |
close(fd); |
close(fd); |
306 |
|
|
307 |
policy = "allow_read/write /tmp/fifo if path1.type=fifo"; |
policy = "file read/write /tmp/fifo if path1.type=fifo"; |
308 |
mkfifo2("/tmp/fifo"); |
mkfifo2("/tmp/fifo"); |
309 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
310 |
fd = open("/tmp/fifo", O_RDWR); |
fd = open("/tmp/fifo", O_RDWR); |
317 |
if (fd != EOF) |
if (fd != EOF) |
318 |
close(fd); |
close(fd); |
319 |
|
|
320 |
policy = "allow_read /dev/null if path1.parent.ino=path1.parent.ino"; |
policy = "file read /dev/null if path1.parent.ino=path1.parent.ino"; |
321 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
322 |
fd = open("/dev/null", O_RDONLY); |
fd = open("/dev/null", O_RDONLY); |
323 |
show_result(fd, 1); |
show_result(fd, 1); |
329 |
if (fd != EOF) |
if (fd != EOF) |
330 |
close(fd); |
close(fd); |
331 |
|
|
332 |
policy = "allow_write /dev/null if path1.uid=path1.gid"; |
policy = "file write /dev/null if path1.uid=path1.gid"; |
333 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
334 |
fd = open("/dev/null", O_WRONLY); |
fd = open("/dev/null", O_WRONLY); |
335 |
show_result(fd, 1); |
show_result(fd, 1); |
341 |
if (fd != EOF) |
if (fd != EOF) |
342 |
close(fd); |
close(fd); |
343 |
|
|
344 |
policy = "allow_read/write /dev/null if task.uid=path1.parent.uid"; |
policy = "file read/write /dev/null if task.uid=path1.parent.uid"; |
345 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
346 |
fd = open("/dev/null", O_RDWR); |
fd = open("/dev/null", O_RDWR); |
347 |
show_result(fd, 1); |
show_result(fd, 1); |
353 |
if (fd != EOF) |
if (fd != EOF) |
354 |
close(fd); |
close(fd); |
355 |
|
|
356 |
policy = "allow_create /tmp/open_test 0644 " |
policy = "file create /tmp/open_test 0644 " |
357 |
"if path1.parent.uid=task.uid"; |
"if path1.parent.uid=task.uid"; |
358 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
359 |
policy = "allow_write /tmp/open_test if path1.parent.uid=0"; |
policy = "file write /tmp/open_test if path1.parent.uid=0"; |
360 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
361 |
fd = open("/tmp/open_test", O_WRONLY | O_CREAT | O_EXCL, 0644); |
fd = open("/tmp/open_test", O_WRONLY | O_CREAT | O_EXCL, 0644); |
362 |
show_result(fd, 1); |
show_result(fd, 1); |
370 |
close(fd); |
close(fd); |
371 |
unlink2("/tmp/open_test"); |
unlink2("/tmp/open_test"); |
372 |
|
|
373 |
policy = "allow_create /tmp/open_test 0644 " |
policy = "file create /tmp/open_test 0644 " |
374 |
"if path1.parent.uid=task.uid"; |
"if path1.parent.uid=task.uid"; |
375 |
write_domain_policy(policy, 1); |
write_domain_policy(policy, 1); |
376 |
|
|
377 |
policy = "allow_write /tmp/open_test if task.uid=0 path1.ino!=0"; |
policy = "file write /tmp/open_test if task.uid=0 path1.ino!=0"; |
378 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
379 |
policy = "allow_create /tmp/open_test 0644 if 0=0"; |
policy = "file create /tmp/open_test 0644 if 0=0"; |
380 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
381 |
fd = open("/tmp/open_test", O_WRONLY | O_CREAT | O_EXCL, 0644); |
fd = open("/tmp/open_test", O_WRONLY | O_CREAT | O_EXCL, 0644); |
382 |
show_result(fd, 1); |
show_result(fd, 1); |
389 |
if (fd != EOF) |
if (fd != EOF) |
390 |
close(fd); |
close(fd); |
391 |
unlink2("/tmp/open_test"); |
unlink2("/tmp/open_test"); |
392 |
policy = "allow_write /tmp/open_test if task.uid=0 path1.ino!=0"; |
policy = "file write /tmp/open_test if task.uid=0 path1.ino!=0"; |
393 |
write_domain_policy(policy, 1); |
write_domain_policy(policy, 1); |
394 |
|
|
395 |
filename = "/tmp/truncate_test"; |
filename = "/tmp/truncate_test"; |
396 |
create2(filename); |
create2(filename); |
397 |
|
|
398 |
policy = "allow_truncate /tmp/truncate_test if task.uid=path1.uid"; |
policy = "file truncate /tmp/truncate_test if task.uid=path1.uid"; |
399 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
400 |
policy = "allow_write /tmp/truncate_test if 1!=100-1000000"; |
policy = "file write /tmp/truncate_test if 1!=100-1000000"; |
401 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
402 |
fd = open(filename, O_WRONLY | O_TRUNC); |
fd = open(filename, O_WRONLY | O_TRUNC); |
403 |
show_result(fd, 1); |
show_result(fd, 1); |
408 |
show_result(fd, 0); |
show_result(fd, 0); |
409 |
if (fd != EOF) |
if (fd != EOF) |
410 |
close(fd); |
close(fd); |
411 |
policy = "allow_truncate /tmp/truncate_test " |
policy = "file truncate /tmp/truncate_test " |
412 |
"if task.uid=path1.uid"; |
"if task.uid=path1.uid"; |
413 |
write_domain_policy(policy, 1); |
write_domain_policy(policy, 1); |
414 |
|
|
415 |
policy = "allow_write /tmp/truncate_test"; |
policy = "file write /tmp/truncate_test"; |
416 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
417 |
policy = "allow_truncate /tmp/truncate_test"; |
policy = "file truncate /tmp/truncate_test"; |
418 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
419 |
fd = open(filename, O_WRONLY | O_TRUNC); |
fd = open(filename, O_WRONLY | O_TRUNC); |
420 |
show_result(fd, 1); |
show_result(fd, 1); |
425 |
show_result(fd, 0); |
show_result(fd, 0); |
426 |
if (fd != EOF) |
if (fd != EOF) |
427 |
close(fd); |
close(fd); |
428 |
policy = "allow_write /tmp/truncate_test"; |
policy = "file write /tmp/truncate_test"; |
429 |
write_domain_policy(policy, 1); |
write_domain_policy(policy, 1); |
430 |
|
|
431 |
policy = "allow_truncate /tmp/truncate_test"; |
policy = "file truncate /tmp/truncate_test"; |
432 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
433 |
show_result(truncate(filename, 0), 1); |
show_result(truncate(filename, 0), 1); |
434 |
write_domain_policy(policy, 1); |
write_domain_policy(policy, 1); |
435 |
show_result(truncate(filename, 0), 0); |
show_result(truncate(filename, 0), 0); |
436 |
|
|
437 |
policy = "allow_truncate /tmp/truncate_test"; |
policy = "file truncate /tmp/truncate_test"; |
438 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
439 |
set_profile(0, "file::open"); |
set_profile(0, "file::open"); |
440 |
fd = open(filename, O_WRONLY); |
fd = open(filename, O_WRONLY); |
447 |
|
|
448 |
unlink2(filename); |
unlink2(filename); |
449 |
|
|
450 |
policy = "allow_create /tmp/mknod_reg_test 0644"; |
policy = "file create /tmp/mknod_reg_test 0644"; |
451 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
452 |
filename = "/tmp/mknod_reg_test"; |
filename = "/tmp/mknod_reg_test"; |
453 |
show_result(mknod(filename, S_IFREG | 0644, 0), 1); |
show_result(mknod(filename, S_IFREG | 0644, 0), 1); |
455 |
unlink2(filename); |
unlink2(filename); |
456 |
show_result(mknod(filename, S_IFREG | 0644, 0), 0); |
show_result(mknod(filename, S_IFREG | 0644, 0), 0); |
457 |
|
|
458 |
policy = "allow_mkchar /tmp/mknod_chr_test 0644 1 3"; |
policy = "file mkchar /tmp/mknod_chr_test 0644 1 3"; |
459 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
460 |
filename = "/tmp/mknod_chr_test"; |
filename = "/tmp/mknod_chr_test"; |
461 |
show_result(mknod(filename, S_IFCHR | 0644, MKDEV(1, 3)), 1); |
show_result(mknod(filename, S_IFCHR | 0644, MKDEV(1, 3)), 1); |
463 |
unlink2(filename); |
unlink2(filename); |
464 |
show_result(mknod(filename, S_IFCHR | 0644, MKDEV(1, 3)), 0); |
show_result(mknod(filename, S_IFCHR | 0644, MKDEV(1, 3)), 0); |
465 |
|
|
466 |
policy = "allow_mkblock /tmp/mknod_blk_test 0644 1 0"; |
policy = "file mkblock /tmp/mknod_blk_test 0644 1 0"; |
467 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
468 |
filename = "/tmp/mknod_blk_test"; |
filename = "/tmp/mknod_blk_test"; |
469 |
show_result(mknod(filename, S_IFBLK | 0644, MKDEV(1, 0)), 1); |
show_result(mknod(filename, S_IFBLK | 0644, MKDEV(1, 0)), 1); |
471 |
unlink2(filename); |
unlink2(filename); |
472 |
show_result(mknod(filename, S_IFBLK | 0644, MKDEV(1, 0)), 0); |
show_result(mknod(filename, S_IFBLK | 0644, MKDEV(1, 0)), 0); |
473 |
|
|
474 |
policy = "allow_mkfifo /tmp/mknod_fifo_test 0644"; |
policy = "file mkfifo /tmp/mknod_fifo_test 0644"; |
475 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
476 |
filename = "/tmp/mknod_fifo_test"; |
filename = "/tmp/mknod_fifo_test"; |
477 |
show_result(mknod(filename, S_IFIFO | 0644, 0), 1); |
show_result(mknod(filename, S_IFIFO | 0644, 0), 1); |
479 |
unlink2(filename); |
unlink2(filename); |
480 |
show_result(mknod(filename, S_IFIFO | 0644, 0), 0); |
show_result(mknod(filename, S_IFIFO | 0644, 0), 0); |
481 |
|
|
482 |
policy = "allow_mksock /tmp/mknod_sock_test 0644"; |
policy = "file mksock /tmp/mknod_sock_test 0644"; |
483 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
484 |
filename = "/tmp/mknod_sock_test"; |
filename = "/tmp/mknod_sock_test"; |
485 |
show_result(mknod(filename, S_IFSOCK | 0644, 0), 1); |
show_result(mknod(filename, S_IFSOCK | 0644, 0), 1); |
487 |
unlink2(filename); |
unlink2(filename); |
488 |
show_result(mknod(filename, S_IFSOCK | 0644, 0), 0); |
show_result(mknod(filename, S_IFSOCK | 0644, 0), 0); |
489 |
|
|
490 |
policy = "allow_mkdir /tmp/mkdir_test/ 0600"; |
policy = "file mkdir /tmp/mkdir_test/ 0600"; |
491 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
492 |
filename = "/tmp/mkdir_test"; |
filename = "/tmp/mkdir_test"; |
493 |
show_result(mkdir(filename, 0600), 1); |
show_result(mkdir(filename, 0600), 1); |
495 |
rmdir2(filename); |
rmdir2(filename); |
496 |
show_result(mkdir(filename, 0600), 0); |
show_result(mkdir(filename, 0600), 0); |
497 |
|
|
498 |
policy = "allow_rmdir /tmp/rmdir_test/"; |
policy = "file rmdir /tmp/rmdir_test/"; |
499 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
500 |
filename = "/tmp/rmdir_test"; |
filename = "/tmp/rmdir_test"; |
501 |
mkdir2(filename); |
mkdir2(filename); |
505 |
show_result(rmdir(filename), 0); |
show_result(rmdir(filename), 0); |
506 |
rmdir2(filename); |
rmdir2(filename); |
507 |
|
|
508 |
policy = "allow_unlink /tmp/unlink_test"; |
policy = "file unlink /tmp/unlink_test"; |
509 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
510 |
filename = "/tmp/unlink_test"; |
filename = "/tmp/unlink_test"; |
511 |
create2(filename); |
create2(filename); |
515 |
show_result(unlink(filename), 0); |
show_result(unlink(filename), 0); |
516 |
unlink2(filename); |
unlink2(filename); |
517 |
|
|
518 |
policy = "allow_symlink /tmp/symlink_source_test"; |
policy = "file symlink /tmp/symlink_source_test"; |
519 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
520 |
filename = "/tmp/symlink_source_test"; |
filename = "/tmp/symlink_source_test"; |
521 |
show_result(symlink("/tmp/symlink_dest_test", filename), 1); |
show_result(symlink("/tmp/symlink_dest_test", filename), 1); |
523 |
unlink2(filename); |
unlink2(filename); |
524 |
show_result(symlink("/tmp/symlink_dest_test", filename), 0); |
show_result(symlink("/tmp/symlink_dest_test", filename), 0); |
525 |
|
|
526 |
policy = "allow_symlink /tmp/symlink_source_test " |
policy = "file symlink /tmp/symlink_source_test " |
527 |
"if symlink.target=\"/tmp/symlink_\\*_test\""; |
"if symlink.target=\"/tmp/symlink_\\*_test\""; |
528 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
529 |
filename = "/tmp/symlink_source_test"; |
filename = "/tmp/symlink_source_test"; |
532 |
unlink2(filename); |
unlink2(filename); |
533 |
show_result(symlink("/tmp/symlink_dest_test", filename), 0); |
show_result(symlink("/tmp/symlink_dest_test", filename), 0); |
534 |
|
|
535 |
policy = "allow_symlink /tmp/symlink_source_test " |
policy = "file symlink /tmp/symlink_source_test " |
536 |
"if task.uid=0 symlink.target=\"/tmp/symlink_\\*_test\""; |
"if task.uid=0 symlink.target=\"/tmp/symlink_\\*_test\""; |
537 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
538 |
filename = "/tmp/symlink_source_test"; |
filename = "/tmp/symlink_source_test"; |
541 |
unlink2(filename); |
unlink2(filename); |
542 |
show_result(symlink("/tmp/symlink_dest_test", filename), 0); |
show_result(symlink("/tmp/symlink_dest_test", filename), 0); |
543 |
|
|
544 |
policy = "allow_symlink /tmp/symlink_source_test " |
policy = "file symlink /tmp/symlink_source_test " |
545 |
"if symlink.target!=\"\\*\""; |
"if symlink.target!=\"\\*\""; |
546 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
547 |
filename = "/tmp/symlink_source_test"; |
filename = "/tmp/symlink_source_test"; |
550 |
unlink2(filename); |
unlink2(filename); |
551 |
show_result(symlink("/tmp/symlink_dest_test", filename), 0); |
show_result(symlink("/tmp/symlink_dest_test", filename), 0); |
552 |
|
|
553 |
policy = "allow_symlink /tmp/symlink_source_test " |
policy = "file symlink /tmp/symlink_source_test " |
554 |
"if symlink.target!=\"/tmp/symlink_\\*_test\""; |
"if symlink.target!=\"/tmp/symlink_\\*_test\""; |
555 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
556 |
filename = "/tmp/symlink_source_test"; |
filename = "/tmp/symlink_source_test"; |
559 |
unlink2(filename); |
unlink2(filename); |
560 |
show_result(symlink("/tmp/symlink_dest_test", filename), 0); |
show_result(symlink("/tmp/symlink_dest_test", filename), 0); |
561 |
|
|
562 |
policy = "allow_link /tmp/link_source_test /tmp/link_dest_test"; |
policy = "file link /tmp/link_source_test /tmp/link_dest_test"; |
563 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
564 |
filename = "/tmp/link_source_test"; |
filename = "/tmp/link_source_test"; |
565 |
create2(filename); |
create2(filename); |
569 |
show_result(link(filename, "/tmp/link_dest_test"), 0); |
show_result(link(filename, "/tmp/link_dest_test"), 0); |
570 |
unlink2(filename); |
unlink2(filename); |
571 |
|
|
572 |
policy = "allow_rename /tmp/rename_source_test /tmp/rename_dest_test"; |
policy = "file rename /tmp/rename_source_test /tmp/rename_dest_test"; |
573 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
574 |
filename = "/tmp/rename_source_test"; |
filename = "/tmp/rename_source_test"; |
575 |
create2(filename); |
create2(filename); |
580 |
show_result(rename(filename, "/tmp/rename_dest_test"), 0); |
show_result(rename(filename, "/tmp/rename_dest_test"), 0); |
581 |
unlink2(filename); |
unlink2(filename); |
582 |
|
|
583 |
policy = "allow_mksock /tmp/socket_test 0755"; |
policy = "file mksock /tmp/socket_test 0755"; |
584 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
585 |
filename = "/tmp/socket_test"; |
filename = "/tmp/socket_test"; |
586 |
memset(&addr, 0, sizeof(addr)); |
memset(&addr, 0, sizeof(addr)); |
598 |
0); |
0); |
599 |
if (fd != EOF) |
if (fd != EOF) |
600 |
close(fd); |
close(fd); |
|
|
|
|
filename = "/tmp/rewrite_test"; |
|
|
create2(filename); |
|
|
policy = "allow_read/write /tmp/rewrite_test"; |
|
|
write_domain_policy(policy, 0); |
|
|
write_exception_policy("deny_rewrite /tmp/rewrite_test", 0); |
|
|
policy = "allow_truncate /tmp/rewrite_test"; |
|
|
write_domain_policy(policy, 0); |
|
|
|
|
|
fd = open(filename, O_RDONLY); |
|
|
show_result(fd, 1); |
|
|
if (fd != EOF) |
|
|
close(fd); |
|
|
|
|
|
fd = open(filename, O_WRONLY | O_APPEND); |
|
|
show_result(fd, 1); |
|
|
if (fd != EOF) |
|
|
close(fd); |
|
|
|
|
|
fd = open(filename, O_WRONLY); |
|
|
show_result(fd, 0); |
|
|
if (fd != EOF) |
|
|
close(fd); |
|
|
|
|
|
fd = open(filename, O_WRONLY | O_TRUNC); |
|
|
show_result(fd, 0); |
|
|
if (fd != EOF) |
|
|
close(fd); |
|
|
|
|
|
fd = open(filename, O_WRONLY | O_TRUNC | O_APPEND); |
|
|
show_result(fd, 0); |
|
|
if (fd != EOF) |
|
|
close(fd); |
|
|
|
|
|
show_result(truncate(filename, 0), 0); |
|
|
|
|
|
set_profile(0, "file::open"); |
|
|
fd = open(filename, O_WRONLY | O_APPEND); |
|
|
set_profile(3, "file::open"); |
|
|
show_result(ftruncate(fd, 0), 0); |
|
|
|
|
|
show_result(fcntl(fd, F_SETFL, |
|
|
fcntl(fd, F_GETFL) & ~O_APPEND), 0); |
|
|
if (fd != EOF) |
|
|
close(fd); |
|
|
|
|
|
write_domain_policy(policy, 1); |
|
|
|
|
|
policy = "allow_read/write /tmp/rewrite_test"; |
|
|
write_domain_policy(policy, 1); |
|
|
write_exception_policy("deny_rewrite /tmp/rewrite_test", 1); |
|
|
|
|
601 |
unlink2(filename); |
unlink2(filename); |
602 |
|
|
603 |
policy = "allow_ioctl socket:[family=2:type=2:protocol=17] " |
policy = "file ioctl socket:[family=2:type=2:protocol=17] " |
604 |
"35122-35124 if task.uid=0"; |
"35122-35124 if task.uid=0"; |
605 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
606 |
fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP); |
fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP); |
609 |
"lo"); |
"lo"); |
610 |
show_result(ioctl(fd, 35123, &ifreq), 1); |
show_result(ioctl(fd, 35123, &ifreq), 1); |
611 |
write_domain_policy(policy, 1); |
write_domain_policy(policy, 1); |
612 |
policy = "allow_ioctl " |
policy = "file ioctl " |
613 |
"socket:[family=2:type=2:protocol=17] 0-35122"; |
"socket:[family=2:type=2:protocol=17] 0-35122"; |
614 |
write_domain_policy(policy, 0); |
write_domain_policy(policy, 0); |
615 |
show_result(ioctl(fd, 35123, &ifreq), 0); |
show_result(ioctl(fd, 35123, &ifreq), 0); |