1(class CLASS (PERM)) ; placeholder class, referenced by the base (allow TYPE self ...) rule below
2(class ca (pa1 pa2 pa3 pa4 pa5 pa6 pa7 pa8 pa9)) ; ca..cj: one class per test group (ca for Tests 01-09, cb for 11-19, ... cj for 91-93)
3(class cb (pb1 pb2 pb3 pb4 pb5 pb6 pb7 pb8 pb9))
4(class cc (pc1 pc2 pc3 pc4 pc5 pc6 pc7 pc8 pc9))
5(class cd (pd1 pd2 pd3 pd4 pd5 pd6 pd7 pd8 pd9))
6(class ce (pe1 pe2 pe3 pe4 pe5 pe6 pe7 pe8 pe9))
7(class cf (pf1 pf2 pf3 pf4 pf5 pf6 pf7 pf8 pf9))
8(class cg (pg1 pg2 pg3 pg4 pg5 pg6 pg7 pg8 pg9))
9(class ch (ph1 ph2 ph3 ph4 ph5 ph6 ph7 ph8 ph9))
10(class ci (pi1 pi2 pi3 pi4 pi5 pi6 pi7 pi8 pi9))
11(class cj (pj1 pj2 pj3 pj4 pj5 pj6 pj7 pj8 pj9))
12(classorder (CLASS ca cb cc cd ce cf cg ch ci cj))
13(sid SID) ; from here to the sidcontext statement: one sid, user, role, type, category and sensitivity -- presumably the minimum needed for the policy to build
14(sidorder (SID))
15(user USER)
16(role ROLE)
17(type TYPE)
18(category CAT)
19(categoryorder (CAT))
20(sensitivity SENS)
21(sensitivityorder (SENS))
22(sensitivitycategory SENS (CAT))
23(allow TYPE self (CLASS (PERM)))
24(roletype ROLE TYPE)
25(userrole USER ROLE)
26(userlevel USER (SENS))
27(userrange USER ((SENS)(SENS (CAT))))
28(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
29; Class maps and class-permission sets used by Tests 21-37.
30(classmap cma (mpa1 mpa2)) ; mpa1 -> cc (pc1 pc2), mpa2 -> cc (pc3 pc4)
31(classmapping cma mpa1
32	      (cc (pc1 pc2)))
33(classmapping cma mpa2
34	      (cc (pc3 pc4)))
35
36(classmap cmb (mpb1 mpb2)) ; mpb1 -> cd (pd1 pd2), mpb2 -> cd (pd3 pd4)
37(classmapping cmb mpb1
38	      (cd (pd1 pd2)))
39(classmapping cmb mpb2
40	      (cd (pd3 pd4)))
41
42(classpermission cpsa) ; cpsa is filled by the two sets below: cd (pd5 pd6) and cd (pd7 pd8)
43(classpermissionset cpsa (cd (pd5 pd6)))
44(classpermissionset cpsa (cd (pd7 pd8)))
45
46(classpermission cpsb) ; cpsb is filled with cd (pd1 pd2) and cd (pd3 pd4), the same cd permissions that cmb's mpb1 and mpb2 map to
47(classpermissionset cpsb (cd (pd1 pd2)))
48(classpermissionset cpsb (cd (pd3 pd4)))
49; Types ta..tz: the source and target types of the test rules and the members of the attributes declared after them.
50(type ta)
51(type tb)
52(type tc)
53(type td)
54(type te)
55(type tf)
56(type tg)
57(type th)
58(type ti)
59(type tj)
60(type tk)
61(type tl)
62(type tm)
63(type tn)
64(type to)
65(type tp)
66(type tq)
67(type tr)
68(type ts)
69(type tt)
70(type tu)
71(type tv)
72(type tw)
73(type tx)
74(type ty)
75(type tz)
76; Attributes with partly overlapping membership, used by Tests 61-93.
77(typeattribute a_s1)
78(typeattributeset a_s1 (ta tb tc td te tf tg th tk tl tm tn ts tt))
79(typeattribute a_t1)
80(typeattributeset a_t1 (ta tb tc td te tf ti tj tk tl to tp tu tv))
81(typeattribute a_s2)
82(typeattributeset a_s2 (ta tb tc td tg th ti tj tm tn tq tr tw tx))
83(typeattribute a_t2)
84(typeattributeset a_t2 (ta tb te tf tg th ti tj to tp tq tr ty tz))
85(typeattribute a_s3)
86(typeattributeset a_s3 (and a_s1 (not a_s2))) ; in a_s1 only: te tf tk tl ts tt
87(typeattribute a_s4)
88(typeattributeset a_s4 (and a_s1 a_s2)) ; in both a_s1 and a_s2: ta tb tc td tg th tm tn
89(typeattribute a_t3)
90(typeattributeset a_t3 (and a_t1 (not a_t2))) ; in a_t1 only: tc td tk tl tu tv
91
92; aab is used by Tests 04-06, 11-19 and 45-47, acd by Tests 04-06 and 45-47; aNab, aNac, aNbc, aNacd and aabc are not referenced by any rule in the lines shown here.
93(typeattribute aab)
94(typeattributeset aab (ta tb))
95
96(typeattribute aNab)
97(typeattributeset aNab (and (all) (not (ta tb))))
98
99(typeattribute aNac)
100(typeattributeset aNac (and (all) (not (ta tc))))
101
102(typeattribute aNbc)
103(typeattributeset aNbc (and (all) (not (tb tc))))
104
105(typeattribute acd)
106(typeattributeset acd (tc td))
107
108(typeattribute aNacd)
109(typeattributeset aNacd (and (all) (not (ta tc td))))
110
111(typeattribute aabc)
112(typeattributeset aabc (ta tb tc))
113; Pattern for every test below: an allow rule, a deny rule that overlaps it, and a neverallow that fails the build if the denied access is still present in the resulting policy.
114; The checks marked "This check should fail" are left commented out, so this file on its own does not verify that access outside the deny rule is kept; each has to be enabled separately to confirm that.
115; Test 01: deny matches the allow exactly (same types, same permission)
116(allow ta tb (ca (pa1)))
117(deny ta tb (ca (pa1)))
118(neverallow ta tb (ca (pa1)))
119
120; Test 02: deny covers one of the two allowed permissions; pa3 should remain allowed
121(allow ta tb (ca (pa2 pa3)))
122(deny ta tb (ca (pa2)))
123(neverallow ta tb (ca (pa2)))
124; (neverallow ta tb (ca (pa3))) ; This check should fail
125
126; Test 03: deny lists more permissions (pa2 pa3) than the allow grants (pa2)
127(allow tc td (ca (pa2)))
128(deny tc td (ca (pa2 pa3)))
129(neverallow tc td (ca (pa2 pa3)))
130
131; Test 04: allow and deny both written with the attributes aab (ta tb) and acd (tc td)
132(allow aab acd (ca (pa4)))
133(deny aab acd (ca (pa4)))
134(neverallow aab acd (ca (pa4)))
135
136; Test 05: allow on the types ta tc, deny on the attributes that contain them
137(allow ta tc (ca (pa5)))
138(deny aab acd (ca (pa5)))
139(neverallow aab acd (ca (pa5)))
140
141; Test 06: allow on attributes, deny on one type pair; other pairs such as tb td should remain allowed
142(allow aab acd (ca (pa6)))
143(deny ta tc (ca (pa6)))
144(neverallow ta tc (ca (pa6)))
145; (neverallow tb td (ca (pa6))) ; This check should fail
146
147; Test 07: allow and deny both use self as the target
148(allow ta self (ca (pa7)))
149(deny ta self (ca (pa7)))
150(neverallow ta self (ca (pa7)))
151
152; Test 08: allow uses self, deny names ta explicitly as the target
153(allow ta self (ca (pa8)))
154(deny ta ta (ca (pa8)))
155(neverallow ta ta (ca (pa8)))
156
157; Test 09: allow names ta explicitly as the target, deny uses self
158(allow ta ta (ca (pa9)))
159(deny ta self (ca (pa9)))
160(neverallow ta self (ca (pa9)))
161
162; Test 11: attribute source with self as the target on both allow and deny
163(allow aab self (cb (pb1)))
164(deny aab self (cb (pb1)))
165(neverallow aab self (cb (pb1)))
166
167; Test 12: allow ta self, deny aab self (ta is a member of aab)
168(allow ta self (cb (pb2)))
169(deny aab self (cb (pb2)))
170(neverallow aab self (cb (pb2)))
171
172; Test 13: allow aab self, deny ta self; tb self should remain allowed
173(allow aab self (cb (pb3)))
174(deny ta self (cb (pb3)))
175(neverallow ta self (cb (pb3)))
176; (neverallow tb self (cb (pb3))) ; This check should fail
177
178; Test 14: allow aab self, deny aab aab (the attribute pair includes every self pair of aab)
179(allow aab self (cb (pb4)))
180(deny aab aab (cb (pb4)))
181(neverallow aab aab (cb (pb4)))
182
183; Test 15: allow aab aab, deny aab self; the cross pairs ta->tb and tb->ta should remain allowed
184(allow aab aab (cb (pb5)))
185(deny aab self (cb (pb5)))
186(neverallow aab self (cb (pb5)))
187; (neverallow ta tb (cb (pb5))) ; This check should fail
188; (neverallow tb ta (cb (pb5))) ; This check should fail
189
190; Test 16: allow aab self, deny ta ta; tb tb should remain allowed
191(allow aab self (cb (pb6)))
192(deny ta ta (cb (pb6)))
193(neverallow ta ta (cb (pb6)))
194; (neverallow tb tb (cb (pb6))) ; This check should fail
195
196; Test 17: allow ta ta, deny aab self
197(allow ta ta (cb (pb7)))
198(deny aab self (cb (pb7)))
199(neverallow aab self (cb (pb7)))
200
201; Test 18: allow ta self, deny aab aab
202(allow ta self (cb (pb8)))
203(deny aab aab (cb (pb8)))
204(neverallow aab aab (cb (pb8)))
205
206; Test 19: allow aab aab, deny ta self; the cross pairs ta->tb and tb->ta should remain allowed
207(allow aab aab (cb (pb9)))
208(deny ta self (cb (pb9)))
209(neverallow ta self (cb (pb9)))
210; (neverallow ta tb (cb (pb9))) ; This check should fail
211; (neverallow tb ta (cb (pb9))) ; This check should fail
212
213; Test 21: allow and deny use the same classmap permission
214(allow ta tb (cma (mpa1)))
215(deny ta tb (cma (mpa1)))
216(neverallow ta tb (cma (mpa1)))
217
218; Test 22: deny covers one of the two allowed classmap permissions; mpa2 should remain allowed
219(allow tc td (cma (mpa1 mpa2)))
220(deny tc td (cma (mpa1)))
221(neverallow tc td (cma (mpa1)))
222; (neverallow tc td (cma (mpa2))) ; This check should fail
223
224; Test 23: deny lists more classmap permissions than the allow grants
225(allow te tf (cma (mpa1)))
226(deny te tf (cma (mpa1 mpa2)))
227(neverallow te tf (cma (mpa1 mpa2)))
228
229; Test 24: allow on the underlying class permission cc pc1, deny through classmap permission mpa1 (cc pc1 pc2)
230(allow tg th (cc (pc1)))
231(deny tg th (cma (mpa1)))
232(neverallow tg th (cma (mpa1)))
233
234; Test 25: allow through classmap permission mpa1 (cc pc1 pc2), deny cc pc1 only; pc2 should remain allowed
235(allow ti tj (cma (mpa1)))
236(deny ti tj (cc (pc1)))
237(neverallow ti tj (cc (pc1)))
238; (neverallow ti tj (cc (pc2))) ; This check should fail
239
240; Test 31: allow and deny both use the class-permission set cpsa
241(allow ta tb cpsa)
242(deny ta tb cpsa)
243(neverallow ta tb cpsa)
244
245; Test 32: allow cpsa, deny written out as cd (pd5 pd6); pd7 pd8 should remain allowed
246(allow tc td cpsa)
247(deny tc td (cd (pd5 pd6)))
248(neverallow tc td (cd (pd5 pd6)))
249; (neverallow tc td (cd (pd7 pd8))) ; This check should fail
250
251; Test 33: allow cd (pd5 pd6), deny cpsa, which contains those permissions and more
252(allow te tf (cd (pd5 pd6)))
253(deny te tf cpsa)
254(neverallow te tf cpsa)
255
256; Test 34: allow cpsb, deny through classmap cmb (mpb1 mpb2), which maps to the same cd permissions
257(allow tg th cpsb)
258(deny tg th (cmb (mpb1 mpb2)))
259(neverallow tg th (cmb (mpb1 mpb2)))
260
261; Test 35: the reverse of Test 34: allow through classmap cmb, deny cpsb
262(allow ti tj (cmb (mpb1 mpb2)))
263(deny ti tj cpsb)
264(neverallow ti tj cpsb)
265
266; Test 36: allow cpsb, deny cmb mpb1 only; mpb2 (cd pd3 pd4) should remain allowed
267(allow tk tl cpsb)
268(deny tk tl (cmb (mpb1)))
269(neverallow tk tl (cmb (mpb1)))
270; (neverallow tk tl (cmb (mpb2))) ; This check should fail
271
272; Test 37: allow cmb mpb1 only, deny cpsb, which contains those permissions and more
273(allow tm tn (cmb (mpb1)))
274(deny tm tn cpsb)
275(neverallow tm tn cpsb)
276
277; Test 41: allow, deny and neverallow all inside a block; b41 declares no types, so ta and tb presumably resolve to the global types -- confirm
278(block b41
279  (allow ta tb (ce (pe1)))
280  (deny ta tb (ce (pe1)))
281  (neverallow ta tb (ce (pe1)))
282)
283
284; Test 42: block with its own types and attributes; allow aa ab, deny ac ad, so only part of each attribute overlaps
285(block b42
286  (type ta)
287  (type tb)
288  (type tc)
289  (type td)
290  (type te)
291  (type tf)
292  (type tg)
293  (typeattribute aa)
294  (typeattribute ab)
295  (typeattribute ac)
296  (typeattribute ad)
297  (typeattribute s3)
298  (typeattribute s4)
299  (typeattribute t3)
300  (typeattributeset aa (ta tb td))
301  (typeattributeset ab (ta tc te))
302  (typeattributeset ac (ta tb tf))
303  (typeattributeset ad (ta tc tg))
304  (typeattributeset s3 (and aa (not ac))) ; in aa only: td
305  (typeattributeset s4 (and aa ac)) ; in both aa and ac: ta tb
306  (typeattributeset t3 (and ab (not ad))) ; in ab only: te
307  (allow aa ab (ce (pe2)))
308  (deny ac ad (ce (pe2)))
309  (neverallow ac ad (ce (pe2)))
310  ;(neverallow s3 ab (ce (pe2))) ; This check should fail
311  ;(neverallow s4 t3 (ce (pe2))) ; This check should fail
312)
313
314; Test 43: allow inside block b43, deny and neverallow outside it using the qualified names b43.ta and b43.tb
315(block b43
316  (type ta)
317  (type tb)
318  (allow ta tb (ce (pe3)))
319)
320(deny b43.ta b43.tb (ce (pe3)))
321(neverallow b43.ta b43.tb (ce (pe3)))
322
323; Test 44: the allow reaches b44a and b44b through blockinherit; b44a denies inside the inheriting block, b44b is denied from outside by qualified name
324(block b44
325  (type ta)
326  (type tb)
327  (allow ta tb (ce (pe4)))
328)
329
330(block b44a
331  (blockinherit b44)
332  (deny ta tb (ce (pe4)))
333  (neverallow ta tb (ce (pe4)))
334)
335
336(block b44b
337  (blockinherit b44)
338)
339(deny b44b.ta b44b.tb (ce (pe4)))
340(neverallow b44b.ta b44b.tb (ce (pe4)))
341
342
343; Test 45: allow, deny and neverallow all inside one optional
344(optional opt45
345  (allow aab acd (ce (pe5)))
346  (deny aab acd (ce (pe5)))
347  (neverallow aab acd (ce (pe5)))
348)
349
350; Test 46: allow outside the optional, deny and neverallow inside it
351(allow ta tc (ce (pe6)))
352(optional opt46
353  (deny aab acd (ce (pe6)))
354  (neverallow aab acd (ce (pe6)))
355)
356
357; Test 47: allow inside the optional, deny and neverallow outside it
358(optional opt47
359  (allow aab acd (ce (pe7)))
360)
361(deny ta tc (ce (pe7)))
362(neverallow ta tc (ce (pe7)))
363
364; Test 51: allow in the true branch of a boolean that defaults to true; the deny is unconditional
365(boolean b51 true)
366(booleanif b51
367  (true
368    (allow ta tb (cf (pf1)))
369  )
370)
371(deny ta tb (cf (pf1)))
372(neverallow ta tb (cf (pf1)))
373
374; Test 52: allow in the false branch of a boolean that defaults to true
375(boolean b52 true)
376(booleanif b52
377  (false
378    (allow ta tb (cf (pf2)))
379  )
380)
381(deny ta tb (cf (pf2)))
382(neverallow ta tb (cf (pf2)))
383
384; Test 53: allow in the true branch of a boolean that defaults to false
385(boolean b53 false)
386(booleanif b53
387  (true
388    (allow ta tb (cf (pf3)))
389  )
390)
391(deny ta tb (cf (pf3)))
392(neverallow ta tb (cf (pf3)))
393
394; Test 54: same shape as Test 53 (default false, true branch). NOTE(review): by symmetry with Tests 51-53 the false branch was presumably intended, which would leave default-false/false-branch untested -- confirm
395(boolean b54 false)
396(booleanif b54
397  (true
398    (allow ta tb (cf (pf4)))
399  )
400)
401(deny ta tb (cf (pf4)))
402(neverallow ta tb (cf (pf4)))
403
404; Test 55: allow in the true branch of a tunable set to true; the deny is unconditional
405(tunable b55 true)
406(tunableif b55
407  (true
408    (allow ta tb (cf (pf5)))
409  )
410)
411(deny ta tb (cf (pf5)))
412(neverallow ta tb (cf (pf5)))
413
414; Test 56: allow in the false branch of a tunable set to true
415(tunable b56 true)
416(tunableif b56
417  (false
418    (allow ta tb (cf (pf6)))
419  )
420)
421(deny ta tb (cf (pf6)))
422(neverallow ta tb (cf (pf6)))
423
424; Test 57: allow in the true branch of a tunable set to false
425(tunable b57 false)
426(tunableif b57
427  (true
428    (allow ta tb (cf (pf7)))
429  )
430)
431(deny ta tb (cf (pf7)))
432(neverallow ta tb (cf (pf7)))
433
434; Test 58: same shape as Test 57 (set to false, true branch). NOTE(review): by symmetry with Tests 55-57 the false branch was presumably intended, which would leave false/false-branch untested -- confirm
435(tunable b58 false)
436(tunableif b58
437  (true
438    (allow ta tb (cf (pf8)))
439  )
440)
441(deny ta tb (cf (pf8)))
442(neverallow ta tb (cf (pf8)))
443
444; Test 61: allow a_s1 a_t1, deny a_s2 a_t2; source and target attributes each overlap only in part, so a_s3 -> a_t1 and a_s4 -> a_t3 should remain allowed
445(allow a_s1 a_t1 (cg (pg1)))
446(deny a_s2 a_t2 (cg (pg1)))
447(neverallow a_s2 a_t2 (cg (pg1)))
448; (neverallow a_s3 a_t1 (cg (pg1))) ; This check should fail
449; (neverallow a_s4 a_t3 (cg (pg1))) ; This check should fail
450
451; Test 62: allow from the single type tm (a member of a_s1 and a_s2), deny by attributes; tm -> a_t3 should remain allowed
452(allow tm a_t1 (cg (pg2)))
453(deny a_s2 a_t2 (cg (pg2)))
454(neverallow a_s2 a_t2 (cg (pg2)))
455; (neverallow tm a_t3 (cg (pg2))) ; This check should fail
456
457; Test 63: allow to the single type "to" (a member of a_t1 and a_t2), deny by attributes; a_s3 -> to should remain allowed
458(allow a_s1 to (cg (pg3)))
459(deny a_s2 a_t2 (cg (pg3)))
460(neverallow a_s2 a_t2 (cg (pg3)))
461; (neverallow a_s3 to (cg (pg3))) ; This check should fail
462
463; Test 64: allow by attributes, deny names the single source type tm
464(allow a_s1 a_t1 (cg (pg4)))
465(deny tm a_t2 (cg (pg4)))
466(neverallow tm a_t2 (cg (pg4)))
467; (neverallow a_s3 a_t1 (cg (pg4))) ; This check should fail
468; (neverallow tm a_t3 (cg (pg4)))   ; This check should fail
469
470; Test 65: allow by attributes, deny names the single target type "to"
471(allow a_s1 a_t1 (cg (pg5)))
472(deny a_s2 to (cg (pg5)))
473(neverallow a_s2 to (cg (pg5)))
474; (neverallow a_s3 a_t1 (cg (pg5))) ; This check should fail
475; (neverallow a_s4 a_t3 (cg (pg5))) ; This check should fail
476
477; Test 71: allow a_s1 self, deny a_s2 a_t2 (attribute pair against a self rule)
478(allow a_s1 self (ch (ph1)))
479(deny a_s2 a_t2 (ch (ph1)))
480(neverallow a_s2 a_t2 (ch (ph1)))
481; a71 (members of a_s4 that are not in a_t2) is declared only for the commented-out checks below, which should fail
482(typeattribute a71)
483(typeattributeset a71 (and a_s4 (not a_t2)))
484; (neverallow a_s3 self (ch (ph1))) ; This check should fail
485; (neverallow a71 self (ch (ph1)))  ; This check should fail
486
487; Test 72: allow tg self; tg is a member of both a_s2 and a_t2, so the deny covers the whole allow
488(allow tg self (ch (ph2)))
489(deny a_s2 a_t2 (ch (ph2)))
490(neverallow a_s2 a_t2 (ch (ph2)))
491
492; Test 73: allow a_s1 self, deny from the single source type tg to a_t2
493(allow a_s1 self (ch (ph3)))
494(deny tg a_t2 (ch (ph3)))
495(neverallow tg a_t2 (ch (ph3)))
496; (neverallow a_s3 self (ch (ph3))) ; This check should fail
497
498; Test 74: allow a_s1 self, deny from a_s2 to the single target type tg
499(allow a_s1 self (ch (ph4)))
500(deny a_s2 tg (ch (ph4)))
501(neverallow a_s2 tg (ch (ph4)))
502; a74 (a_s4 without tg) is declared only for the commented-out checks below, which should fail
503(typeattribute a74)
504(typeattributeset a74 (and a_s4 (not tg)))
505; (neverallow a_s3 self (ch (ph4))) ; This check should fail
506; (neverallow a74 self (ch (ph4)))  ; This check should fail
507
508; Test 81: allow a_s1 a_t1, deny a_s2 self (self rule against an attribute pair)
509(allow a_s1 a_t1 (ci (pi1)))
510(deny a_s2 self (ci (pi1)))
511(neverallow a_s2 self (ci (pi1)))
512; The a81* attributes are declared only for the commented-out checks below, which should fail
513(typeattribute a81a)
514(typeattribute a81b)
515(typeattribute a81c)
516(typeattribute a81b01)
517(typeattribute a81b02)
518(typeattribute a81b03)
519(typeattribute a81b04)
520(typeattributeset a81a (and a_s4 (not a_t1)))
521(typeattributeset a81b (and a_s4 a_t1))
522(typeattributeset a81c (and a_t1 (not a_s4)))
523(typeattributeset a81b01 (and a81b (not ta)))
524(typeattributeset a81b02 (and a81b (not tb)))
525(typeattributeset a81b03 (and a81b (not tc)))
526(typeattributeset a81b04 (and a81b (not td)))
527; (neverallow a_s3 a_t1 (ci (pi1))) ; This check should fail
528; (neverallow a81a a_t1 (ci (pi1))) ; This check should fail
529; (neverallow a81b a81c (ci (pi1))) ; This check should fail
530; (neverallow ta a81b01 (ci (pi1))) ; This check should fail
531; (neverallow tb a81b02 (ci (pi1))) ; This check should fail
532; (neverallow tc a81b03 (ci (pi1))) ; This check should fail
533; (neverallow td a81b04 (ci (pi1))) ; This check should fail
534
535; Test 82: allow from the single type tc (a member of a_s2) to a_t1, deny a_s2 self
536(allow tc a_t1 (ci (pi2)))
537(deny a_s2 self (ci (pi2)))
538(neverallow a_s2 self (ci (pi2)))
539; a82 (members of a_t1 that are not in a_s4) is declared only for the commented-out check below, which should fail
540(typeattribute a82)
541(typeattributeset a82 (and a_t1 (not a_s4)))
542; (neverallow tc a82 (ci (pi2))) ; This check should fail
543
544; Test 83: allow from a_s1 to the single type tc, deny a_s2 self
545(allow a_s1 tc (ci (pi3)))
546(deny a_s2 self (ci (pi3)))
547(neverallow a_s2 self (ci (pi3)))
548; a83 (a_s4 without tc) is declared only for the commented-out checks below, which should fail
549(typeattribute a83)
550(typeattributeset a83 (and a_s4 (not tc)))
551; (neverallow a_s3 tc (ci (pi3))) ; This check should fail
552; (neverallow a83 tc (ci (pi3)))  ; This check should fail
553
554
555; Test 84: allow a_s1 a_t1, deny self for the single type tc
556(allow a_s1 a_t1 (ci (pi4)))
557(deny tc self (ci (pi4)))
558(neverallow tc self (ci (pi4)))
559; a84 (members of a_t1 that are not in a_s4) is declared only for the commented-out checks below, which should fail
560(typeattribute a84)
561(typeattributeset a84 (and a_t1 (not a_s4)))
562; (neverallow a_s3 a_t1 (ci (pi4))) ; This check should fail
563; (neverallow tc a84 (ci (pi4)))    ; This check should fail
564
565; Test 91: allow a_s1 self, deny a_s2 self; a_s3 self (a_s1 members outside a_s2) should remain allowed
566(allow a_s1 self (cj (pj1)))
567(deny a_s2 self (cj (pj1)))
568(neverallow a_s2 self (cj (pj1)))
569; (neverallow a_s3 self (cj (pj1))) ; This check should fail
570
571; Test 92: allow tm self, deny a_s2 self (tm is a member of a_s2)
572(allow tm self (cj (pj2)))
573(deny a_s2 self (cj (pj2)))
574(neverallow a_s2 self (cj (pj2)))
575
576; Test 93: allow a_s1 self, deny tm self; a_s3 self should remain allowed
577(allow a_s1 self (cj (pj3)))
578(deny tm self (cj (pj3)))
579(neverallow tm self (cj (pj3)))
580; (neverallow a_s3 self (cj (pj3))) ; This check should fail
581