Skip to content

Commit

Permalink
libsepol/tests: add cond xperm neverallow tests
Browse files Browse the repository at this point in the history
Add some tests to verify assertion checking works for extended
permissions in conditional policies.

Signed-off-by: Christian Göttsche <[email protected]>
---
v3:
  add patch
  • Loading branch information
cgzones committed Nov 5, 2024
1 parent f2ad98f commit 507cf8f
Show file tree
Hide file tree
Showing 3 changed files with 309 additions and 0 deletions.
1 change: 1 addition & 0 deletions libsepol/tests/helpers.c
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@ int test_load_policy(policydb_t * p, int policy_type, int mls, const char *test_

p->policy_type = policy_type;
p->mls = mls;
p->policyvers = MOD_POLICYDB_VERSION_MAX;

if (read_source_policy(p, filename, test_name)) {
fprintf(stderr, "failed to read policy %s\n", filename);
Expand Down
251 changes: 251 additions & 0 deletions libsepol/tests/policies/test-neverallow/policy_cond.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,251 @@
class process
class blk_file
class chr_file
class dir
class fifo_file
class file
class lnk_file
class sock_file

sid kernel
sid security
sid unlabeled
sid file
sid port
sid netif
sid netmsg
sid node
sid devnull

class process { dyntransition transition }
class file { getattr ioctl open read write }

bool boolean1 false;
bool boolean2 true;

ifdef(`enable_mls',`
sensitivity s0;
dominance { s0 }
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;

level s0:c0.c23;

mlsconstrain file { write } ( h1 dom h2 );
')


########################################
#
# Test start
#
########################################


## Test 1 (basic - fail)

type test1_t;
if boolean1 {
allow test1_t self : file read;
}
neverallow test1_t * : file *;


## Test 2 (basic - fail)

attribute test2_a;
type test2_1_t, test2_a;
type test2_2_t;
if !boolean1 {
allow test2_1_t test2_1_t : file write;
allow test2_2_t test2_2_t : file write;
}
neverallow test2_a * : file *;


## Test 3 (xperm - no xperm in one branch - fail)

type test3_t;
if boolean1 {
allow test3_t self : file ioctl;
} else {
allowxperm test3_t self : file ioctl 0x1;
}
neverallowxperm test3_t self : file ioctl 0x4;


## Test 4 (xperm - xperm in neither branch - fail)

type test4_t;
allow test4_t self : file ioctl;
if boolean1 {
allow test4_t self : file read;
} else {
allow test4_t self : file write;
}
neverallowxperm test4_t self : file ioctl 0x4;


## Test 5 (xperm - xperm in both branches - no failure)

type test5_t;
allow test5_t self : file ioctl;
if boolean1 {
allowxperm test5_t self : file ioctl 0x1;
} else {
allowxperm test5_t self : file ioctl 0x2;
}
neverallowxperm test5_t self : file ioctl 0x4; # nofail


## Test 6 (xperm - failure in one branch - fail)

type test6_t;
if boolean1 {
allow test6_t self : file ioctl;
allowxperm test6_t self : file ioctl 0x1;
} else {
allow test6_t self : file write;
}
neverallowxperm test6_t self : file ioctl 0x1;


## Test 7 (xperm - failure in both branches - fail)

type test7_t;
if boolean1 {
allow test7_t self : file ioctl;
allowxperm test7_t self : file ioctl 0x1;
} else {
allow test7_t self : file ioctl;
allowxperm test7_t self : file ioctl 0x2;
}
neverallowxperm test7_t self : file ioctl { 0x1-0x2 };


## Test 8 (xperm - different xperm in both branches - no failure)

type test8_t;
allow test8_t self : file ioctl;
if boolean1 {
allowxperm test8_t self : file ioctl 0x1;
} else {
allowxperm test8_t self : file ioctl 0x2;
}
neverallowxperm test8_t self : file ioctl 0x3; # nofail


## Test 9 (xperm - rules split into two booleans - no failure)

type test9_t;
allow test9_t self : file ioctl;
if boolean1 {
allowxperm test9_t self : file ioctl 0x1;
}
if !boolean2 {
allowxperm test9_t self : file ioctl 0x1;
}
neverallowxperm test9_t self : file ioctl 0x4;


## Test 10 (xperm - valid usage in one branch - no failure)

type test10_t;
if boolean1 {
allow test10_t self : file ioctl;
allowxperm test10_t self : file ioctl 0x1;
} else {
allow test10_t self : file write;
}
neverallowxperm test10_t self : file ioctl 0x2; # nofail


## Test 11 (xperm - valid usage in both branches - no failure)

type test11_t;
if boolean1 {
allow test11_t self : file ioctl;
allowxperm test11_t self : file ioctl 0x1;
} else {
allow test11_t self : file ioctl;
allowxperm test11_t self : file ioctl 0x2;
}
neverallowxperm test11_t self : file ioctl 0x3; # nofail


## Test 12 (xperm - base allow in one branch - fail)

type test12_t;
if boolean1 {
allow test12_t self : file ioctl;
} else {
allow test12_t self : file write;
}
neverallowxperm test12_t self : file ioctl 0x1;


## Test 13 (xperm - invalid second branch - fail)

type test13_t;
allow test13_t self : file ioctl;
if boolean1 {
allow test13_t self : file ioctl;
allowxperm test13_t self : file ioctl 0x1;
} else {
allow test13_t self : file write;
}
neverallowxperm test13_t self : file ioctl 0x1;


## Test 14 (xperm - invalid second branch - fail)

type test14_t;
allow test14_t self : file ioctl;
if boolean1 {
allow test14_t self : file ioctl;
allowxperm test14_t self : file ioctl 0x1;
} else {
allow test14_t self : file write;
}
neverallowxperm test14_t self : file ioctl 0x2;


## Test 15 (xperm - base uncond in one branch - fail)

type test15_t;
allow test15_t self : file ioctl;
allowxperm test15_t self : file ioctl 0x1;
if boolean1 {
allow test15_t self : file ioctl;
} else {
allow test15_t self : file write;
}
neverallowxperm test15_t self : file ioctl 0x2;


########################################
#
# Test End
#
########################################


type sys_isid;
role sys_role;
role sys_role types sys_isid;
gen_user(sys_user,, sys_role, s0, s0 - s0:c0.c23)
sid kernel gen_context(sys_user:sys_role:sys_isid, s0)
sid security gen_context(sys_user:sys_role:sys_isid, s0)
sid unlabeled gen_context(sys_user:sys_role:sys_isid, s0)
sid file gen_context(sys_user:sys_role:sys_isid, s0)
sid port gen_context(sys_user:sys_role:sys_isid, s0)
sid netif gen_context(sys_user:sys_role:sys_isid, s0)
sid netmsg gen_context(sys_user:sys_role:sys_isid, s0)
sid node gen_context(sys_user:sys_role:sys_isid, s0)
sid devnull gen_context(sys_user:sys_role:sys_isid, s0)
fs_use_trans devpts gen_context(sys_user:sys_role:sys_isid, s0);
fs_use_trans devtmpfs gen_context(sys_user:sys_role:sys_isid, s0);
57 changes: 57 additions & 0 deletions libsepol/tests/test-neverallow.c
Original file line number Diff line number Diff line change
Expand Up @@ -293,6 +293,58 @@ static void test_neverallow_not_self(void)
policydb_destroy(&base_expanded);
}

static void test_neverallow_cond(void)
{
policydb_t basemod, base_expanded;
sepol_handle_t *handle;
static const char *const expected_messages[] = {
"16 neverallow failures occurred",
"neverallow on line 58 of policies/test-neverallow/policy_cond.conf.std (or line 58 of policies/test-neverallow/policy_cond.conf.std) violated by allow test1_t test1_t:file { read };",
"neverallow on line 70 of policies/test-neverallow/policy_cond.conf.std (or line 70 of policies/test-neverallow/policy_cond.conf.std) violated by allow test2_1_t test2_1_t:file { write };",
"neverallowxperm on line 81 of policies/test-neverallow/policy_cond.conf.std (or line 81 of policies/test-neverallow/policy_cond.conf.std) violated by\n allow test3_t test3_t:file { ioctl };",
"neverallowxperm on line 93 of policies/test-neverallow/policy_cond.conf.std (or line 93 of policies/test-neverallow/policy_cond.conf.std) violated by\n allow test4_t test4_t:file { ioctl };",
"neverallowxperm on line 117 of policies/test-neverallow/policy_cond.conf.std (or line 117 of policies/test-neverallow/policy_cond.conf.std) violated by\n allowxperm test6_t test6_t:file ioctl { 0x1 };",
"neverallowxperm on line 130 of policies/test-neverallow/policy_cond.conf.std (or line 130 of policies/test-neverallow/policy_cond.conf.std) violated by\n allowxperm test7_t test7_t:file ioctl { 0x2 };",
"neverallowxperm on line 130 of policies/test-neverallow/policy_cond.conf.std (or line 130 of policies/test-neverallow/policy_cond.conf.std) violated by\n allowxperm test7_t test7_t:file ioctl { 0x1 };",
"neverallowxperm on line 130 of policies/test-neverallow/policy_cond.conf.std (or line 130 of policies/test-neverallow/policy_cond.conf.std) violated by\n allowxperm test7_t test7_t:file ioctl { 0x2 };",
"neverallowxperm on line 130 of policies/test-neverallow/policy_cond.conf.std (or line 130 of policies/test-neverallow/policy_cond.conf.std) violated by\n allowxperm test7_t test7_t:file ioctl { 0x1 };",
"neverallowxperm on line 155 of policies/test-neverallow/policy_cond.conf.std (or line 155 of policies/test-neverallow/policy_cond.conf.std) violated by\n allow test9_t test9_t:file { ioctl };",
"neverallowxperm on line 191 of policies/test-neverallow/policy_cond.conf.std (or line 191 of policies/test-neverallow/policy_cond.conf.std) violated by\n allow test12_t test12_t:file { ioctl };",
"neverallowxperm on line 204 of policies/test-neverallow/policy_cond.conf.std (or line 204 of policies/test-neverallow/policy_cond.conf.std) violated by\n allowxperm test13_t test13_t:file ioctl { 0x1 };",
"neverallowxperm on line 204 of policies/test-neverallow/policy_cond.conf.std (or line 204 of policies/test-neverallow/policy_cond.conf.std) violated by\n allow test13_t test13_t:file { ioctl };",
"neverallowxperm on line 204 of policies/test-neverallow/policy_cond.conf.std (or line 204 of policies/test-neverallow/policy_cond.conf.std) violated by\n allowxperm test13_t test13_t:file ioctl { 0x1 };",
"neverallowxperm on line 217 of policies/test-neverallow/policy_cond.conf.std (or line 217 of policies/test-neverallow/policy_cond.conf.std) violated by\n allow test14_t test14_t:file { ioctl };",
"neverallowxperm on line 230 of policies/test-neverallow/policy_cond.conf.std (or line 230 of policies/test-neverallow/policy_cond.conf.std) violated by\n allow test15_t test15_t:file { ioctl };",
};

if (policydb_init(&base_expanded))
CU_FAIL_FATAL("Failed to initialize policy");

if (test_load_policy(&basemod, POLICY_BASE, mls, "test-neverallow", "policy_cond.conf"))
CU_FAIL_FATAL("Failed to load policy");

if (link_modules(NULL, &basemod, NULL, 0, 0))
CU_FAIL_FATAL("Failed to link base module");

if (expand_module(NULL, &basemod, &base_expanded, 0, 0))
CU_FAIL_FATAL("Failed to expand policy");

if ((handle = sepol_handle_create()) == NULL)
CU_FAIL_FATAL("Failed to initialize handle");

sepol_msg_set_callback(handle, msg_handler, NULL);

if (check_assertions(handle, &base_expanded, base_expanded.global->branch_list->avrules) != -1)
CU_FAIL("Assertions did not trigger");

messages_check(ARRAY_SIZE(expected_messages), expected_messages);

sepol_handle_destroy(handle);
messages_clean();
policydb_destroy(&basemod);
policydb_destroy(&base_expanded);
}

int neverallow_add_tests(CU_pSuite suite)
{
/*
Expand All @@ -317,5 +369,10 @@ int neverallow_add_tests(CU_pSuite suite)
return CU_get_error();
}

if (NULL == CU_add_test(suite, "neverallow_cond", test_neverallow_cond)) {
CU_cleanup_registry();
return CU_get_error();
}

return 0;
}

0 comments on commit 507cf8f

Please sign in to comment.