1*2d543d20SAndroid Build Coastguard Worker #define _GNU_SOURCE  /* vasprintf(3) */
2*2d543d20SAndroid Build Coastguard Worker 
3*2d543d20SAndroid Build Coastguard Worker #include "test-neverallow.h"
4*2d543d20SAndroid Build Coastguard Worker 
5*2d543d20SAndroid Build Coastguard Worker #include "helpers.h"
6*2d543d20SAndroid Build Coastguard Worker #include "test-common.h"
7*2d543d20SAndroid Build Coastguard Worker 
8*2d543d20SAndroid Build Coastguard Worker #include <sepol/debug.h>
9*2d543d20SAndroid Build Coastguard Worker #include <sepol/policydb/link.h>
10*2d543d20SAndroid Build Coastguard Worker #include <sepol/policydb/expand.h>
11*2d543d20SAndroid Build Coastguard Worker 
12*2d543d20SAndroid Build Coastguard Worker #include <stdio.h>
13*2d543d20SAndroid Build Coastguard Worker #include <stdarg.h>
14*2d543d20SAndroid Build Coastguard Worker 
15*2d543d20SAndroid Build Coastguard Worker extern int mls;
16*2d543d20SAndroid Build Coastguard Worker 
/*
 * CUnit suite initialiser for the neverallow tests.
 *
 * There is no per-suite state to prepare (the message list starts empty), so
 * this only reports success.
 *
 * @return 0, meaning the suite may run.
 */
int neverallow_test_init(void)
{
	/* Nothing to set up; 0 signals success to the suite runner. */
	return 0;
}
21*2d543d20SAndroid Build Coastguard Worker 
/*
 * CUnit suite finaliser for the neverallow tests.
 *
 * Each test releases its own resources (policies, handle, captured messages)
 * before returning, so there is nothing left to tear down here.
 *
 * @return 0, meaning the suite finished cleanly.
 */
int neverallow_test_cleanup(void)
{
	/* Nothing to tear down; 0 signals success to the suite runner. */
	return 0;
}
26*2d543d20SAndroid Build Coastguard Worker 
/*
 * One message captured from libsepol's message callback.
 *
 * The node owns @msg (heap-allocated by vasprintf in the callback); both the
 * string and the node itself are released by messages_clean().
 */
struct msg_list {
	char *msg;		/* formatted message text, owned by this node */
	struct msg_list *next;	/* next captured message, NULL at the tail */
};

/*
 * Head of the captured-message list.  New messages are pushed at the head,
 * so the list runs newest-first.  NULL while nothing has been captured.
 */
static struct msg_list *messages;
31*2d543d20SAndroid Build Coastguard Worker 
/*
 * Free every captured message and leave the list head NULL, so the next test
 * starts from an empty capture list.
 */
static void messages_clean(void)
{
	struct msg_list *node = messages;

	/* Detach the whole list first, then walk and free the detached chain. */
	messages = NULL;
	while (node != NULL) {
		struct msg_list *next = node->next;

		free(node->msg);	/* string allocated by vasprintf in msg_handler */
		free(node);
		node = next;
	}
}
41*2d543d20SAndroid Build Coastguard Worker 
/*
 * Compare the captured messages, in list order, with @expected.
 *
 * Raises a (non-fatal) CUnit failure when fewer than @count messages were
 * captured, when a message text differs from its expected counterpart, or
 * when messages remain after the first @count have been matched.  The
 * mismatch details go to stderr so the failing run is readable.
 *
 * Because msg_handler() pushes each message at the head of the list, the list
 * runs newest-first; @expected therefore has to be written in the reverse of
 * the emission order.
 *
 * @count    number of entries in @expected.
 * @expected expected message texts, newest-first.
 */
static void messages_check(unsigned count, const char *const expected[count])
{
	const struct msg_list *cur = messages;
	unsigned idx = 0;

	while (idx < count) {
		if (cur == NULL) {
			/* Ran out of captured messages before the expected ones. */
			CU_FAIL("less messages than expected");
			fprintf(stderr, "\n<expected %u, got %u>\n", count, idx);
			return;
		}

		if (strcmp(expected[idx], cur->msg) != 0) {
			CU_FAIL("messages differ from expected");
			fprintf(stderr, "\n<expected: '''%s''', got: '''%s'''>\n", expected[idx], cur->msg);
		}

		cur = cur->next;
		idx++;
	}

	/* Anything still left in the list was not accounted for by @expected. */
	if (cur != NULL) {
		CU_FAIL("more messages than expected");
		fprintf(stderr, "\n<expected %u; next message: '''%s'''>\n", count, cur->msg);
	}
}
65*2d543d20SAndroid Build Coastguard Worker 
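/*
 * libsepol message callback: formats the message and pushes it at the head
 * of the captured-message list for a later messages_check().
 *
 * @varg   user argument registered with sepol_msg_set_callback(); unused.
 * @handle the emitting sepol handle; unused.
 * @fmt    printf-style format, followed by its arguments.
 *
 * Allocation failures are reported as a fatal CUnit failure (CU_FAIL_FATAL
 * aborts the running test and does not return here).  Ownership of the
 * formatted string passes to the list node; messages_clean() frees both.
 */
__attribute__ ((format(printf, 3, 4)))
static void msg_handler(void *varg __attribute__ ((unused)),
			sepol_handle_t * handle __attribute__ ((unused)),
			const char *fmt, ...)
{
	char *msg = NULL;
	va_list ap;
	int r;

	va_start(ap, fmt);
	r = vasprintf(&msg, fmt, ap);
	/* va_end has to pair with va_start on every path; the fatal failure
	 * below leaves the function without returning, so end it first. */
	va_end(ap);
	if (r < 0)
		CU_FAIL_FATAL("oom");

	struct msg_list *node = malloc(sizeof *node);
	if (!node) {
		/* vasprintf already succeeded: release its string before bailing. */
		free(msg);
		CU_FAIL_FATAL("oom");
	}
	node->msg = msg;
	node->next = messages;	/* prepend: the list is kept newest-first */
	messages = node;
}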
88*2d543d20SAndroid Build Coastguard Worker 
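/* Element count of a true array (not of a pointer, which would give a
 * meaningless quotient).  The operand is parenthesised so that it binds as a
 * whole under the dereference, as any function-like macro argument should. */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof(*(a)))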
90*2d543d20SAndroid Build Coastguard Worker 
/*
 * Load policies/test-neverallow/policy.conf, link and expand it, run the
 * neverallow assertion check against the expanded policy and verify the exact
 * messages libsepol reports.
 *
 * The expected list is written in the order the captured list holds the
 * messages: newest-first (msg_handler prepends), so the summary line that is
 * emitted last is checked first.
 */
static void test_neverallow_basic(void)
{
	static const char *const expected_messages[] = {
		"30 neverallow failures occurred",
		"neverallow on line 53 of policies/test-neverallow/policy.conf.std (or line 53 of policies/test-neverallow/policy.conf.std) violated by allow test1_t test1_t:file { read };",
		"neverallow on line 60 of policies/test-neverallow/policy.conf.std (or line 60 of policies/test-neverallow/policy.conf.std) violated by allow test2_t test2_t:file { read write };",
		"neverallow on line 67 of policies/test-neverallow/policy.conf.std (or line 67 of policies/test-neverallow/policy.conf.std) violated by allow test3_t test3_t:file { read };",
		"neverallow on line 74 of policies/test-neverallow/policy.conf.std (or line 74 of policies/test-neverallow/policy.conf.std) violated by allow test4_t test4_t:file { read };",
		"neverallow on line 81 of policies/test-neverallow/policy.conf.std (or line 81 of policies/test-neverallow/policy.conf.std) violated by allow test5_t test5_t:file { read };",
		"neverallow on line 89 of policies/test-neverallow/policy.conf.std (or line 89 of policies/test-neverallow/policy.conf.std) violated by allow test6_1_t test6_1_t:file { read };",
		"neverallow on line 97 of policies/test-neverallow/policy.conf.std (or line 97 of policies/test-neverallow/policy.conf.std) violated by allow test7_1_t test7_1_t:file { read };",
		"neverallow on line 106 of policies/test-neverallow/policy.conf.std (or line 106 of policies/test-neverallow/policy.conf.std) violated by allow test8_t test8_t:file { read };",
		"neverallow on line 106 of policies/test-neverallow/policy.conf.std (or line 106 of policies/test-neverallow/policy.conf.std) violated by allow test8_t test8_t:file { write };",
		"neverallow on line 115 of policies/test-neverallow/policy.conf.std (or line 115 of policies/test-neverallow/policy.conf.std) violated by allow test9_t test9_t:file { write };",
		"neverallow on line 115 of policies/test-neverallow/policy.conf.std (or line 115 of policies/test-neverallow/policy.conf.std) violated by allow test9_t test9_t:file { read };",
		"neverallow on line 124 of policies/test-neverallow/policy.conf.std (or line 124 of policies/test-neverallow/policy.conf.std) violated by allow test10_1_t test10_1_t:file { read };",
		"neverallow on line 131 of policies/test-neverallow/policy.conf.std (or line 131 of policies/test-neverallow/policy.conf.std) violated by allow test11_t test11_t:process { dyntransition transition };",
		"neverallow on line 143 of policies/test-neverallow/policy.conf.std (or line 143 of policies/test-neverallow/policy.conf.std) violated by allow test12_3_t test12_1_t:file { getattr };",
		"neverallow on line 143 of policies/test-neverallow/policy.conf.std (or line 143 of policies/test-neverallow/policy.conf.std) violated by allow test12_3_t test12_2_t:file { getattr };",
		"neverallow on line 144 of policies/test-neverallow/policy.conf.std (or line 144 of policies/test-neverallow/policy.conf.std) violated by allow test12_3_t test12_1_t:file { open };",
		"neverallow on line 144 of policies/test-neverallow/policy.conf.std (or line 144 of policies/test-neverallow/policy.conf.std) violated by allow test12_2_t test12_1_t:file { open };",
		"neverallow on line 156 of policies/test-neverallow/policy.conf.std (or line 156 of policies/test-neverallow/policy.conf.std) violated by allow test13_1_t test13_1_t:file { read };",
		"neverallowxperm on line 174 of policies/test-neverallow/policy.conf.std (or line 174 of policies/test-neverallow/policy.conf.std) violated by\nallow test15_t test15_t:file { ioctl };",
		"neverallowxperm on line 182 of policies/test-neverallow/policy.conf.std (or line 182 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test16_t test16_t:file ioctl { 0x1111 };",
		"neverallowxperm on line 198 of policies/test-neverallow/policy.conf.std (or line 198 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test18_t test18_t:file ioctl { 0x1111 };",
		"neverallowxperm on line 206 of policies/test-neverallow/policy.conf.std (or line 206 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test19_t test19_t:file ioctl { 0x1111 };",
		"neverallowxperm on line 216 of policies/test-neverallow/policy.conf.std (or line 216 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test20_a test20_a:file ioctl { 0x1111 };",
		"neverallowxperm on line 227 of policies/test-neverallow/policy.conf.std (or line 227 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test21_1_a test21_2_a:file ioctl { 0x1111 };",
		"neverallowxperm on line 237 of policies/test-neverallow/policy.conf.std (or line 237 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test22_t test22_t:file ioctl { 0x1111 };",
		"neverallowxperm on line 247 of policies/test-neverallow/policy.conf.std (or line 247 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test23_t test23_t:file ioctl { 0x1111 };",
		"neverallowxperm on line 257 of policies/test-neverallow/policy.conf.std (or line 257 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test24_t test24_a:file ioctl { 0x1111 };",
		"neverallowxperm on line 267 of policies/test-neverallow/policy.conf.std (or line 267 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test25_t test25_t:file ioctl { 0x1111 };",
		"neverallowxperm on line 277 of policies/test-neverallow/policy.conf.std (or line 277 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test26_a test26_a:file ioctl { 0x1111 };",
		"neverallowxperm on line 277 of policies/test-neverallow/policy.conf.std (or line 277 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test26_a test26_a:file ioctl { 0x1111 };",
	};
	policydb_t basemod, base_expanded;
	sepol_handle_t *handle = NULL;

	if (policydb_init(&base_expanded) != 0)
		CU_FAIL_FATAL("Failed to initialize policy");

	if (test_load_policy(&basemod, POLICY_BASE, mls, "test-neverallow", "policy.conf") != 0)
		CU_FAIL_FATAL("Failed to load policy");

	if (link_modules(NULL, &basemod, NULL, 0, 0) != 0)
		CU_FAIL_FATAL("Failed to link base module");

	if (expand_module(NULL, &basemod, &base_expanded, 0, 0) != 0)
		CU_FAIL_FATAL("Failed to expand policy");

	handle = sepol_handle_create();
	if (handle == NULL)
		CU_FAIL_FATAL("Failed to initialize handle");

	/* Route libsepol's diagnostics into the captured-message list. */
	sepol_msg_set_callback(handle, msg_handler, NULL);

	/* This policy is built to violate its neverallow rules; the test expects
	 * check_assertions() to report that by returning -1. */
	if (check_assertions(handle, &base_expanded, base_expanded.global->branch_list->avrules) != -1)
		CU_FAIL("Assertions did not trigger");

	messages_check(ARRAY_SIZE(expected_messages), expected_messages);

	sepol_handle_destroy(handle);
	messages_clean();
	policydb_destroy(&basemod);
	policydb_destroy(&base_expanded);
}
156*2d543d20SAndroid Build Coastguard Worker 
/*
 * Same flow as test_neverallow_basic(), but for
 * policies/test-neverallow/policy_minus_self.conf: load, link and expand the
 * policy, run the neverallow assertion check and verify the exact messages
 * libsepol reports.
 *
 * The expected list is newest-first (msg_handler prepends), so the summary
 * line that is emitted last is checked first.
 */
static void test_neverallow_minus_self(void)
{
	static const char *const expected_messages[] = {
		"33 neverallow failures occurred",
		"neverallow on line 77 of policies/test-neverallow/policy_minus_self.conf.std (or line 77 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test3_1_t test3_2_t:file { read };",
		"neverallow on line 85 of policies/test-neverallow/policy_minus_self.conf.std (or line 85 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test4_1_t test4_2_t:file { read };",
		"neverallow on line 93 of policies/test-neverallow/policy_minus_self.conf.std (or line 93 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test5_2_t test5_1_t:class5 { perm };",
		"neverallow on line 93 of policies/test-neverallow/policy_minus_self.conf.std (or line 93 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test5_1_t test5_2_t:class5 { perm };",
		"neverallow on line 101 of policies/test-neverallow/policy_minus_self.conf.std (or line 101 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test6_1_t test6_2_t:class6 { perm };",
		"neverallow on line 118 of policies/test-neverallow/policy_minus_self.conf.std (or line 118 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test8_1_t test8_2_t:file { read };",
		"neverallow on line 127 of policies/test-neverallow/policy_minus_self.conf.std (or line 127 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test9_1_t test9_2_t:file { read };",
		"neverallow on line 137 of policies/test-neverallow/policy_minus_self.conf.std (or line 137 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test10_1_t test10_2_t:file { read };",
		"neverallow on line 157 of policies/test-neverallow/policy_minus_self.conf.std (or line 157 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test12_1_t test12_2_t:file { read };",
		"neverallow on line 166 of policies/test-neverallow/policy_minus_self.conf.std (or line 166 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test13_1_t test13_2_t:file { read };",
		"neverallow on line 175 of policies/test-neverallow/policy_minus_self.conf.std (or line 175 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test14_2_t test14_1_t:file { read };",
		"neverallow on line 175 of policies/test-neverallow/policy_minus_self.conf.std (or line 175 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test14_1_t test14_2_t:file { read };",
		"neverallow on line 193 of policies/test-neverallow/policy_minus_self.conf.std (or line 193 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test16_2_t test16_1_t:file { read };",
		"neverallow on line 193 of policies/test-neverallow/policy_minus_self.conf.std (or line 193 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test16_1_t test16_2_t:file { read };",
		"neverallowxperm on line 201 of policies/test-neverallow/policy_minus_self.conf.std (or line 201 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallow test17_1_t test17_2_t:class17 { ioctl };",
		"neverallowxperm on line 219 of policies/test-neverallow/policy_minus_self.conf.std (or line 219 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test19_2_t test19_1_t:file ioctl { 0x101-0x102 };",
		"neverallowxperm on line 231 of policies/test-neverallow/policy_minus_self.conf.std (or line 231 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test20_2_t test20_1_t:file ioctl { 0x103 };",
		"neverallowxperm on line 231 of policies/test-neverallow/policy_minus_self.conf.std (or line 231 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test20_1_t test20_2_t:file ioctl { 0x102 };",
		"neverallowxperm on line 261 of policies/test-neverallow/policy_minus_self.conf.std (or line 261 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test23_1_t test23_2_t:file ioctl { 0x9511 };",
		"neverallowxperm on line 272 of policies/test-neverallow/policy_minus_self.conf.std (or line 272 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test24_1_t test24_a:file ioctl { 0x9511 };",
		"neverallowxperm on line 283 of policies/test-neverallow/policy_minus_self.conf.std (or line 283 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test25_a test25_a:file ioctl { 0x9511 };",
		"neverallowxperm on line 295 of policies/test-neverallow/policy_minus_self.conf.std (or line 295 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };",
		"neverallowxperm on line 295 of policies/test-neverallow/policy_minus_self.conf.std (or line 295 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };",
		"neverallowxperm on line 295 of policies/test-neverallow/policy_minus_self.conf.std (or line 295 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };",
		"neverallowxperm on line 295 of policies/test-neverallow/policy_minus_self.conf.std (or line 295 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };",
		"neverallowxperm on line 317 of policies/test-neverallow/policy_minus_self.conf.std (or line 317 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallow test28_2_t test28_1_t:file { ioctl };",
		"neverallowxperm on line 317 of policies/test-neverallow/policy_minus_self.conf.std (or line 317 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test28_1_t test28_2_t:file ioctl { 0x9521 };",
		"neverallowxperm on line 327 of policies/test-neverallow/policy_minus_self.conf.std (or line 327 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallow test29_2_t test29_1_t:file { ioctl };",
		"neverallowxperm on line 327 of policies/test-neverallow/policy_minus_self.conf.std (or line 327 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test29_1_t test29_a:file ioctl { 0x9521 };",
		"neverallowxperm on line 337 of policies/test-neverallow/policy_minus_self.conf.std (or line 337 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test30_a test30_a:file ioctl { 0x9521 };",
		"neverallowxperm on line 337 of policies/test-neverallow/policy_minus_self.conf.std (or line 337 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test30_a test30_a:file ioctl { 0x9521 };",
		"neverallowxperm on line 348 of policies/test-neverallow/policy_minus_self.conf.std (or line 348 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test31_1_a test31_2_a:file ioctl { 0x9521 };",
		"neverallowxperm on line 348 of policies/test-neverallow/policy_minus_self.conf.std (or line 348 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test31_1_a test31_2_a:file ioctl { 0x9521 };",
	};
	policydb_t basemod, base_expanded;
	sepol_handle_t *handle = NULL;

	if (policydb_init(&base_expanded) != 0)
		CU_FAIL_FATAL("Failed to initialize policy");

	if (test_load_policy(&basemod, POLICY_BASE, mls, "test-neverallow", "policy_minus_self.conf") != 0)
		CU_FAIL_FATAL("Failed to load policy");

	if (link_modules(NULL, &basemod, NULL, 0, 0) != 0)
		CU_FAIL_FATAL("Failed to link base module");

	if (expand_module(NULL, &basemod, &base_expanded, 0, 0) != 0)
		CU_FAIL_FATAL("Failed to expand policy");

	handle = sepol_handle_create();
	if (handle == NULL)
		CU_FAIL_FATAL("Failed to initialize handle");

	/* Route libsepol's diagnostics into the captured-message list. */
	sepol_msg_set_callback(handle, msg_handler, NULL);

	/* This policy is built to violate its neverallow rules; the test expects
	 * check_assertions() to report that by returning -1. */
	if (check_assertions(handle, &base_expanded, base_expanded.global->branch_list->avrules) != -1)
		CU_FAIL("Assertions did not trigger");

	messages_check(ARRAY_SIZE(expected_messages), expected_messages);

	sepol_handle_destroy(handle);
	messages_clean();
	policydb_destroy(&basemod);
	policydb_destroy(&base_expanded);
}
225*2d543d20SAndroid Build Coastguard Worker 
test_neverallow_not_self(void)226*2d543d20SAndroid Build Coastguard Worker static void test_neverallow_not_self(void)
227*2d543d20SAndroid Build Coastguard Worker {
228*2d543d20SAndroid Build Coastguard Worker 	policydb_t basemod, base_expanded;
229*2d543d20SAndroid Build Coastguard Worker 	sepol_handle_t *handle;
230*2d543d20SAndroid Build Coastguard Worker 	static const char *const expected_messages[] = {
231*2d543d20SAndroid Build Coastguard Worker 		"34 neverallow failures occurred",
232*2d543d20SAndroid Build Coastguard Worker 		"neverallow on line 78 of policies/test-neverallow/policy_not_self.conf.std (or line 78 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test3_1_t test3_2_t:file { read };",
233*2d543d20SAndroid Build Coastguard Worker 		"neverallow on line 86 of policies/test-neverallow/policy_not_self.conf.std (or line 86 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test4_1_t test4_2_t:file { read };",
234*2d543d20SAndroid Build Coastguard Worker 		"neverallow on line 94 of policies/test-neverallow/policy_not_self.conf.std (or line 94 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test5_2_t test5_1_t:class5 { perm };",
235*2d543d20SAndroid Build Coastguard Worker 		"neverallow on line 94 of policies/test-neverallow/policy_not_self.conf.std (or line 94 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test5_1_t test5_2_t:class5 { perm };",
236*2d543d20SAndroid Build Coastguard Worker 		"neverallow on line 102 of policies/test-neverallow/policy_not_self.conf.std (or line 102 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test6_1_t test6_2_t:class6 { perm };",
237*2d543d20SAndroid Build Coastguard Worker 		"neverallow on line 119 of policies/test-neverallow/policy_not_self.conf.std (or line 119 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test8_1_t test8_2_t:file { read };",
238*2d543d20SAndroid Build Coastguard Worker 		"neverallow on line 128 of policies/test-neverallow/policy_not_self.conf.std (or line 128 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test9_1_t test9_2_t:file { read };",
239*2d543d20SAndroid Build Coastguard Worker 		"neverallow on line 138 of policies/test-neverallow/policy_not_self.conf.std (or line 138 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test10_1_t test10_2_t:file { read };",
240*2d543d20SAndroid Build Coastguard Worker 		"neverallow on line 158 of policies/test-neverallow/policy_not_self.conf.std (or line 158 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test12_1_t test12_2_t:file { read };",
241*2d543d20SAndroid Build Coastguard Worker 		"neverallow on line 167 of policies/test-neverallow/policy_not_self.conf.std (or line 167 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test13_1_t test13_2_t:file { read };",
242*2d543d20SAndroid Build Coastguard Worker 		"neverallow on line 176 of policies/test-neverallow/policy_not_self.conf.std (or line 176 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test14_2_t test14_1_t:file { read };",
243*2d543d20SAndroid Build Coastguard Worker 		"neverallow on line 176 of policies/test-neverallow/policy_not_self.conf.std (or line 176 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test14_1_t test14_2_t:file { read };",
244*2d543d20SAndroid Build Coastguard Worker 		"neverallow on line 185 of policies/test-neverallow/policy_not_self.conf.std (or line 185 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test13_1_t test13_2_t:file { read };",
245*2d543d20SAndroid Build Coastguard Worker 		"neverallow on line 194 of policies/test-neverallow/policy_not_self.conf.std (or line 194 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test16_2_t test16_1_t:file { read };",
246*2d543d20SAndroid Build Coastguard Worker 		"neverallow on line 194 of policies/test-neverallow/policy_not_self.conf.std (or line 194 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test16_1_t test16_2_t:file { read };",
247*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 202 of policies/test-neverallow/policy_not_self.conf.std (or line 202 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallow test17_1_t test17_2_t:class17 { ioctl };",
248*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 220 of policies/test-neverallow/policy_not_self.conf.std (or line 220 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test19_2_t test19_1_t:file ioctl { 0x101-0x102 };",
249*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 232 of policies/test-neverallow/policy_not_self.conf.std (or line 232 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test20_2_t test20_1_t:file ioctl { 0x103 };",
250*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 232 of policies/test-neverallow/policy_not_self.conf.std (or line 232 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test20_1_t test20_2_t:file ioctl { 0x102 };",
251*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 262 of policies/test-neverallow/policy_not_self.conf.std (or line 262 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test23_1_t test23_2_t:file ioctl { 0x9511 };",
252*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 273 of policies/test-neverallow/policy_not_self.conf.std (or line 273 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test24_1_t test24_a:file ioctl { 0x9511 };",
253*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 284 of policies/test-neverallow/policy_not_self.conf.std (or line 284 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test25_a test25_a:file ioctl { 0x9511 };",
254*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 296 of policies/test-neverallow/policy_not_self.conf.std (or line 296 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };",
255*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 296 of policies/test-neverallow/policy_not_self.conf.std (or line 296 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };",
256*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 296 of policies/test-neverallow/policy_not_self.conf.std (or line 296 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };",
257*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 296 of policies/test-neverallow/policy_not_self.conf.std (or line 296 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };",
258*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 318 of policies/test-neverallow/policy_not_self.conf.std (or line 318 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallow test28_2_t test28_1_t:file { ioctl };",
259*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 318 of policies/test-neverallow/policy_not_self.conf.std (or line 318 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test28_1_t test28_2_t:file ioctl { 0x9521 };",
260*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 328 of policies/test-neverallow/policy_not_self.conf.std (or line 328 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallow test29_2_t test29_1_t:file { ioctl };",
261*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 328 of policies/test-neverallow/policy_not_self.conf.std (or line 328 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test29_1_t test29_a:file ioctl { 0x9521 };",
262*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 338 of policies/test-neverallow/policy_not_self.conf.std (or line 338 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test30_a test30_a:file ioctl { 0x9521 };",
263*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 338 of policies/test-neverallow/policy_not_self.conf.std (or line 338 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test30_a test30_a:file ioctl { 0x9521 };",
264*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 349 of policies/test-neverallow/policy_not_self.conf.std (or line 349 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test31_1_a test31_2_a:file ioctl { 0x9521 };",
265*2d543d20SAndroid Build Coastguard Worker 		"neverallowxperm on line 349 of policies/test-neverallow/policy_not_self.conf.std (or line 349 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test31_1_a test31_2_a:file ioctl { 0x9521 };",
266*2d543d20SAndroid Build Coastguard Worker 	};
267*2d543d20SAndroid Build Coastguard Worker 
268*2d543d20SAndroid Build Coastguard Worker 	if (policydb_init(&base_expanded))
269*2d543d20SAndroid Build Coastguard Worker 		CU_FAIL_FATAL("Failed to initialize policy");
270*2d543d20SAndroid Build Coastguard Worker 
271*2d543d20SAndroid Build Coastguard Worker 	if (test_load_policy(&basemod, POLICY_BASE, mls, "test-neverallow", "policy_not_self.conf"))
272*2d543d20SAndroid Build Coastguard Worker 		CU_FAIL_FATAL("Failed to load policy");
273*2d543d20SAndroid Build Coastguard Worker 
274*2d543d20SAndroid Build Coastguard Worker 	if (link_modules(NULL, &basemod, NULL, 0, 0))
275*2d543d20SAndroid Build Coastguard Worker 		CU_FAIL_FATAL("Failed to link base module");
276*2d543d20SAndroid Build Coastguard Worker 
277*2d543d20SAndroid Build Coastguard Worker 	if (expand_module(NULL, &basemod, &base_expanded, 0, 0))
278*2d543d20SAndroid Build Coastguard Worker 		CU_FAIL_FATAL("Failed to expand policy");
279*2d543d20SAndroid Build Coastguard Worker 
280*2d543d20SAndroid Build Coastguard Worker 	if ((handle = sepol_handle_create()) == NULL)
281*2d543d20SAndroid Build Coastguard Worker 		CU_FAIL_FATAL("Failed to initialize handle");
282*2d543d20SAndroid Build Coastguard Worker 
283*2d543d20SAndroid Build Coastguard Worker 	sepol_msg_set_callback(handle, msg_handler, NULL);
284*2d543d20SAndroid Build Coastguard Worker 
285*2d543d20SAndroid Build Coastguard Worker 	if (check_assertions(handle, &base_expanded, base_expanded.global->branch_list->avrules) != -1)
286*2d543d20SAndroid Build Coastguard Worker 		CU_FAIL("Assertions did not trigger");
287*2d543d20SAndroid Build Coastguard Worker 
288*2d543d20SAndroid Build Coastguard Worker 	messages_check(ARRAY_SIZE(expected_messages), expected_messages);
289*2d543d20SAndroid Build Coastguard Worker 
290*2d543d20SAndroid Build Coastguard Worker 	sepol_handle_destroy(handle);
291*2d543d20SAndroid Build Coastguard Worker 	messages_clean();
292*2d543d20SAndroid Build Coastguard Worker 	policydb_destroy(&basemod);
293*2d543d20SAndroid Build Coastguard Worker 	policydb_destroy(&base_expanded);
294*2d543d20SAndroid Build Coastguard Worker }
295*2d543d20SAndroid Build Coastguard Worker 
/*
 * Register the neverallow test cases on the given CUnit suite.
 *
 * Returns 0 when every case was registered (or when the MLS variant of
 * the suite is running and nothing is registered); otherwise the registry
 * is cleaned up and the CUnit error code is returned.
 */
int neverallow_add_tests(CU_pSuite suite)
{
	/* name/function pairs, in registration order */
	static const struct {
		const char *name;
		void (*func)(void);
	} cases[] = {
		{ "neverallow_basic", test_neverallow_basic },
		{ "neverallow_not_self", test_neverallow_not_self },
		{ "neverallow_minus_self", test_neverallow_minus_self },
	};
	size_t idx;

	/*
	 * neverallow rules operate only on types and are unaffected by MLS
	 * (avoid adjusting the messages for std and mls)
	 */
	if (mls)
		return 0;

	for (idx = 0; idx < sizeof cases / sizeof cases[0]; idx++) {
		/* a NULL return means CUnit could not register the case */
		if (CU_add_test(suite, cases[idx].name, cases[idx].func) == NULL) {
			CU_cleanup_registry();
			return CU_get_error();
		}
	}

	return 0;
}