class process  # NOTE(review): if the neverallow test harness matches violations by line number, inserting lines here shifts every rule below -- confirm before adding lines
class blk_file
class chr_file
class dir
class fifo_file
class file
class lnk_file
class sock_file

class class5
class class6
class class7
class class17

sid kernel
sid security
sid unlabeled
sid file
sid port
sid netif
sid netmsg
sid node
sid devnull

class process { dyntransition transition }
class file { ioctl read write }

class class5 { perm }
class class6 { perm }
class class7 { perm }
class class17 { ioctl }

ifdef(`enable_mls',`
sensitivity s0;
dominance { s0 }
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;

level s0:c0.c23;

mlsconstrain file { write } ( h1 dom h2 );
')


########################################
#
# Test start
#
########################################
# Each test pairs allow rules with a neverallow (or neverallowxperm) whose target set ends in -self,
# which drops the pair whose target is the source type itself; nofail marks rules that should not be violated.
## Test 1 (single type)

type test1_t;
allow      test1_t test1_t           : file read;
neverallow test1_t { test1_t -self } : file read;  # nofail -- the only target is the source itself, which -self removes


## Test 2 (single type)

type test2_t;
allow      test2_t self              : file read;
neverallow test2_t { test1_t -self } : file read;  # nofail -- nothing grants test2_t access to test1_t

## Test 3 (single type)

type test3_1_t;
type test3_2_t;
allow      test3_1_t test3_2_t           : file read;
neverallow test3_1_t { test3_2_t -self } : file read;  # test3_2_t is not self for test3_1_t, and the allow above grants that pair


## Test 4 (two types I)

type test4_1_t;
type test4_2_t;
allow      { test4_1_t test4_2_t } { test4_1_t test4_2_t }       : file read;
neverallow test4_1_t               { test4_1_t test4_2_t -self } : file read;  # -self keeps test4_1_t -> test4_1_t, but test4_1_t -> test4_2_t is still forbidden and granted above


## Test 5 (two types II)

type test5_1_t;
type test5_2_t;
allow      { test5_1_t test5_2_t } { test5_1_t test5_2_t }       : class5 perm;
neverallow *                       { test5_1_t test5_2_t -self } : class5 perm;  # source * covers both types; both cross-type pairs granted above remain forbidden


## Test 6 (two types III)

type test6_1_t;
type test6_2_t;
allow      { test6_1_t test6_2_t } { test6_1_t test6_2_t } : class6 perm;
neverallow *                       { test6_2_t -self }     : class6 perm;  # forbids test6_1_t -> test6_2_t, which the allow above grants


## Test 7 (two types IV)

type test7_1_t;
type test7_2_t;
allow      { test7_1_t test7_2_t } test7_2_t : class7 perm;
neverallow *         { test7_1_t -self }     : class7 perm; # nofail -- only test7_2_t -> test7_1_t is forbidden, and nothing grants it


## Test 8 (attribute violates type I)

attribute test8_a;
type test8_1_t, test8_a;
type test8_2_t, test8_a;
allow      test8_a   test8_a           : file read;
neverallow test8_1_t { test8_a -self } : file *;  # forbids test8_1_t -> test8_2_t, granted above through the attribute


## Test 9 (attribute violates type II)

attribute test9_a;
type test9_1_t, test9_a;
type test9_2_t, test9_a;
allow      test9_1_t test9_a           : file read;
neverallow test9_1_t { test9_a -self } : file *;  # forbids test9_1_t -> test9_2_t, granted above


## Test 10 (attribute violates type III)

attribute test10_1_a;
attribute test10_2_a;
type test10_1_t, test10_1_a, test10_1_a;  # NOTE(review): test10_1_a is listed twice and test10_2_a never receives a type -- confirm intended
type test10_2_t, test10_1_a, test10_1_a;
allow      test10_1_a test10_1_a           : file read;
neverallow test10_1_t { test10_2_a -self } : file *;  # NOTE(review): with no types in test10_2_a this target set is empty -- confirm


## Test 11 (attribute violates attribute I)

attribute test11_1_a;
attribute test11_2_a;
type test11_1_t, test11_1_a, test11_2_a;
type test11_2_t, test11_1_a, test11_2_a;
allow      test11_1_t self                 : file read;
allow      test11_2_t test11_2_t           : file read;
neverallow test11_1_a { test11_2_a -self } : file *;  # nofail -- only same-type pairs are granted above


## Test 12 (attribute violates attribute II)

attribute test12_a;
type test12_1_t, test12_a;
type test12_2_t, test12_a;
allow      test12_1_t test12_2_t         : file read;
neverallow test12_a   { test12_a -self } : file *;  # forbids the cross-type pairs; test12_1_t -> test12_2_t is granted above


## Test 13 (attribute violates attribute III)

attribute test13_a;
type test13_1_t, test13_a;
type test13_2_t, test13_a;
allow      test13_1_t test13_a           : file read;
neverallow test13_a   { test13_a -self } : file *;  # forbids the cross-type pairs; test13_1_t -> test13_2_t is granted above


## Test 14 (attribute violates attribute IV)

attribute test14_a;
type test14_1_t, test14_a;
type test14_2_t, test14_a;
allow      test14_a test14_a           : file read;
neverallow test14_a { test14_a -self } : file *;  # forbids the cross-type pairs; the attribute-to-attribute allow above grants them


# ## Test 15 (attribute violates attribute V)

attribute test13_1_a;
attribute test13_2_a;
type test13_t, test13_1_a, test13_2_a;  # NOTE(review): this test reuses the test13_ prefix; test13_a below is the attribute declared in Test 13 -- confirm intended
allow      test13_1_a test13_2_a           : file read;
neverallow test13_a   { test13_2_a -self } : file *;  # source test13_a holds the Test 13 types, not test13_t


## Test 16 (types violate attribute)

attribute test16_a;
type test16_1_t, test16_a;
type test16_2_t, test16_a;
allow      { test16_1_t test16_2_t } { test16_1_t test16_2_t } : file read;
neverallow test16_a                  { test16_a -self }        : file ~write;  # ~write includes read, so the cross-type read pairs granted above are forbidden


## Test 17 (extended permissions I)

type test17_1_t;
type test17_2_t;
allow           { test17_1_t test17_2_t } { test17_1_t test17_2_t }       : class17 ioctl;
neverallowxperm ~test17_2_t               { test17_1_t test17_2_t -self } : class17 ioctl 0x1111;  # ~test17_2_t covers test17_1_t; the allow above is not narrowed by any allowxperm


## Test 18 (extended permissions II)

type test18_1_t;
type test18_2_t;
allow           { test18_1_t test18_2_t } { test18_1_t test18_2_t }       : file ioctl;
allowxperm      { test18_1_t test18_2_t } { test18_1_t test18_2_t }       : file ioctl 0x1111;
neverallowxperm { test18_1_t test18_2_t } { test18_1_t test18_2_t -self } : file ioctl 0x2222;  # nofail -- the allowxperm above grants only 0x1111


## Test 19 (extended permissions III)

type test19_1_t;
type test19_2_t;
allow           { test19_1_t test19_2_t } { test19_1_t test19_2_t }       : file ioctl;
allowxperm      { test19_1_t test19_2_t } { test19_1_t test19_2_t }       : file ioctl { 0x0100 - 0x0102 };
neverallowxperm test19_2_t                { test19_1_t test19_2_t -self } : file ioctl { 0x0101 - 0x0104 };  # ranges overlap at 0x0101-0x0102 for test19_2_t -> test19_1_t


## Test 20 (extended permissions IV)

type test20_1_t;
type test20_2_t;
allow           { test20_1_t test20_2_t } { test20_1_t test20_2_t }       : file ioctl;
allowxperm      test20_1_t                test20_1_t                      : file ioctl 0x0101;
allowxperm      test20_1_t                test20_2_t                      : file ioctl 0x0102;
allowxperm      test20_2_t                test20_1_t                      : file ioctl 0x0103;
allowxperm      test20_2_t                test20_2_t                      : file ioctl 0x0104;
neverallowxperm { test20_1_t test20_2_t } { test20_1_t test20_2_t -self } : file ioctl { 0x0000 - 0x9000 };  # the cross-type grants 0x0102 and 0x0103 fall inside the forbidden range


## Test 21 (extended permissions V)

attribute test21_a;
type test21_1_t, test21_a;
type test21_2_t, test21_a;
allow           test21_a   test21_a           : file ioctl;
allowxperm      test21_a   test21_a           : file ioctl 0x9501;
neverallowxperm test21_1_t { test21_a -self } : file ioctl 0x9511;  # nofail -- only 0x9501 is granted above


## Test 22 (extended permissions VI)

type test22_t;
allow           test22_t self               : file ioctl;
allowxperm      test22_t self               : file ioctl 0x9501;
allowxperm      test22_t self               : file ioctl 0x9511;
neverallowxperm test22_t { test22_t -self } : file ioctl 0x9511;  # nofail -- the target set is empty once -self removes test22_t


## Test 23 (extended permissions VII)

attribute test23_a;
type test23_1_t, test23_a;
type test23_2_t, test23_a;
allow           test23_a   test23_a           : file ioctl;
allowxperm      test23_a   test23_a           : file ioctl 0x9501;
allowxperm      test23_1_t test23_2_t         : file ioctl 0x9511;
neverallowxperm test23_1_t { test23_a -self } : file ioctl 0x9511;  # test23_1_t -> test23_2_t 0x9511 is granted above


## Test 24 (extended permissions VIII)

attribute test24_a;
type test24_1_t, test24_a;
type test24_2_t, test24_a;
allow           test24_a   test24_a           : file ioctl;
allowxperm      test24_a   test24_a           : file ioctl 0x9501;
allowxperm      test24_1_t test24_a           : file ioctl 0x9511;
neverallowxperm test24_1_t { test24_a -self } : file ioctl 0x9511;  # the allowxperm to the whole attribute grants test24_1_t -> test24_2_t 0x9511


## Test 25 (extended permissions IX)

attribute test25_a;
type test25_1_t, test25_a;
type test25_2_t, test25_a;
allow           test25_a   test25_a           : file ioctl;
allowxperm      test25_a   test25_a           : file ioctl 0x9501;
allowxperm      test25_a   test25_a           : file ioctl 0x9511;
neverallowxperm test25_1_t { test25_a -self } : file ioctl 0x9511;  # the attribute-to-attribute 0x9511 grant covers test25_1_t -> test25_2_t


## Test 26 (extended permissions X)

attribute test26_1_a;
attribute test26_2_a;
type test26_1_t, test26_1_a, test26_2_a;
type test26_2_t, test26_1_a, test26_2_a;
allow           { test26_1_a test26_2_a } { test26_1_a test26_2_a } : file ioctl;
allowxperm      { test26_1_a test26_2_a } { test26_1_a test26_2_a } : file ioctl 0x9501;
allowxperm      test26_1_a                test26_2_a                : file ioctl 0x9511;
neverallowxperm test26_1_t                { test26_2_a -self }      : file ioctl 0x9511;  # the 0x9511 grant from test26_1_a covers test26_1_t -> test26_2_t


# ## Test 27 (extended permissions attribute violation I)

attribute test27_a;
type test27_1_t, test27_a;
type test27_2_t, test27_a;
allow           test27_a   test27_a           : file ioctl;
allowxperm      test27_a   test27_a           : file ioctl 0x9501;
allowxperm      test27_1_t self               : file ioctl 0x9521;
allowxperm      test27_2_t test27_2_t         : file ioctl 0x9521;
neverallowxperm test27_a   { test27_a -self } : file ioctl 0x9521;  # nofail -- 0x9521 is granted only on same-type pairs


# ## Test 28 (extended permissions attribute violation II)

attribute test28_a;
type test28_1_t, test28_a;
type test28_2_t, test28_a;
allow           test28_a   test28_a           : file ioctl;
allowxperm      test28_1_t test28_2_t         : file ioctl 0x9521;
neverallowxperm test28_a   { test28_a -self } : file ioctl 0x9521;  # test28_1_t -> test28_2_t 0x9521 is a cross-type grant


## Test 29 (extended permissions attribute violation III)

attribute test29_a;
type test29_1_t, test29_a;
type test29_2_t, test29_a;
allow           test29_a   test29_a           : file ioctl;
allowxperm      test29_1_t test29_a           : file ioctl 0x9521;
neverallowxperm test29_a   { test29_a -self } : file ioctl 0x9521;  # the grant to the whole attribute covers test29_1_t -> test29_2_t


## Test 30 (extended permissions attribute violation IV)

attribute test30_a;
type test30_1_t, test30_a;
type test30_2_t, test30_a;
allow           test30_a test30_a           : file ioctl;
allowxperm      test30_a test30_a           : file ioctl 0x9521;
neverallowxperm test30_a { test30_a -self } : file ioctl 0x9521;  # the attribute-to-attribute grant covers both cross-type pairs


## Test 31 (extended permissions attribute violation V)

attribute test31_1_a;
attribute test31_2_a;
type test31_1_t, test31_1_a, test31_2_a;
type test31_2_t, test31_1_a, test31_2_a;
allow           test31_1_a test31_1_a           : file ioctl;
allowxperm      test31_1_a test31_2_a           : file ioctl 0x9521;
neverallowxperm test31_1_a { test31_2_a -self } : file ioctl 0x9521;  # both attributes hold both types, so the cross-type 0x9521 grants are forbidden


########################################
#
# Test End
#
########################################


type sys_isid;  # single type used to give the initial SIDs and fs_use rules below a context
role sys_role;
role sys_role types sys_isid;
gen_user(sys_user,, sys_role, s0, s0 - s0:c0.c23)
sid kernel gen_context(sys_user:sys_role:sys_isid, s0)
sid security gen_context(sys_user:sys_role:sys_isid, s0)
sid unlabeled gen_context(sys_user:sys_role:sys_isid, s0)
sid file gen_context(sys_user:sys_role:sys_isid, s0)
sid port gen_context(sys_user:sys_role:sys_isid, s0)
sid netif gen_context(sys_user:sys_role:sys_isid, s0)
sid netmsg gen_context(sys_user:sys_role:sys_isid, s0)
sid node gen_context(sys_user:sys_role:sys_isid, s0)
sid devnull gen_context(sys_user:sys_role:sys_isid, s0)
fs_use_trans devpts gen_context(sys_user:sys_role:sys_isid, s0);
fs_use_trans devtmpfs gen_context(sys_user:sys_role:sys_isid, s0);

370