; secilc deny-rule test input (deny_rule_test2.cil).
; Base policy scaffolding: the class, initial SID, user/role/type and MLS
; declarations that the test rules further down are compiled against.
(class CLASS (PERM))

; Scratch classes ca..cj with nine permissions each, used by the test rules
; further down.
(class ca (pa1 pa2 pa3 pa4 pa5 pa6 pa7 pa8 pa9))
(class cb (pb1 pb2 pb3 pb4 pb5 pb6 pb7 pb8 pb9))
(class cc (pc1 pc2 pc3 pc4 pc5 pc6 pc7 pc8 pc9))
(class cd (pd1 pd2 pd3 pd4 pd5 pd6 pd7 pd8 pd9))
(class ce (pe1 pe2 pe3 pe4 pe5 pe6 pe7 pe8 pe9))
(class cf (pf1 pf2 pf3 pf4 pf5 pf6 pf7 pf8 pf9))
(class cg (pg1 pg2 pg3 pg4 pg5 pg6 pg7 pg8 pg9))
(class ch (ph1 ph2 ph3 ph4 ph5 ph6 ph7 ph8 ph9))
(class ci (pi1 pi2 pi3 pi4 pi5 pi6 pi7 pi8 pi9))
(class cj (pj1 pj2 pj3 pj4 pj5 pj6 pj7 pj8 pj9))
(classorder (CLASS ca cb cc cd ce cf cg ch ci cj))

; Single initial SID.
(sid SID)
(sidorder (SID))

; One user, one role, one type.
(user USER)
(role ROLE)
(type TYPE)

; MLS: one category and one sensitivity.
(category CAT)
(categoryorder (CAT))
(sensitivity SENS)
(sensitivityorder (SENS))
(sensitivitycategory SENS (CAT))

; Baseline allow rule on the scaffolding type; not part of any numbered test.
(allow TYPE self (CLASS (PERM)))

; Tie user, role, type and level together and label the initial SID.
(roletype ROLE TYPE)
(userrole USER ROLE)
(userlevel USER (SENS))
(userrange USER ((SENS)(SENS (CAT))))
(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))

; Twenty-six scratch types, ta..tz. The attribute sets and the allow/deny/
; neverallow rules in the rest of the file refer to these by name.
(type ta) (type tb) (type tc) (type td) (type te) (type tf) (type tg)
(type th) (type ti) (type tj) (type tk) (type tl) (type tm) (type tn)
(type to) (type tp) (type tq) (type tr) (type ts) (type tt) (type tu)
(type tv) (type tw) (type tx) (type ty) (type tz)

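; Overlapping source (a_s*) and target (a_t*) attributes used by Tests 61-104.
(typeattribute a_s1)
(typeattributeset a_s1 (ta tb tc td te tf tg th tk tl tm tn ts tt))
(typeattribute a_t1)
(typeattributeset a_t1 (ta tb tc td te tf ti tj tk tl to tp tu tv))
(typeattribute a_s2)
(typeattributeset a_s2 (ta tb tc td tg th ti tj tm tn tq tr tw tx))
(typeattribute a_t2)
(typeattributeset a_t2 (ta tb te tf tg th ti tj to tp tq tr ty tz))

; a_s3 = a_s1 minus a_s2  -> te tf tk tl ts tt
(typeattribute a_s3)
(typeattributeset a_s3 (and a_s1 (not a_s2)))

; a_s4 = a_s1 intersect a_s2 -> ta tb tc td tg th tm tn
(typeattribute a_s4)
(typeattributeset a_s4 (and a_s1 a_s2))


; Small attributes used by Tests 01-34.
(typeattribute aab)
(typeattributeset aab (ta tb))

; aN<x> attributes: every type except the ones listed.
(typeattribute aNab)
(typeattributeset aNab (and (all) (not (ta tb))))

(typeattribute aNac)
(typeattributeset aNac (and (all) (not (ta tc))))

(typeattribute aNbc)
(typeattributeset aNbc (and (all) (not (tb tc))))

; Fix: the set statement here named `aab` a second time, which left the
; just-declared `acd` without members and added tc and td to `aab`.
; Tests 17 and 18 use `acd` as a rule target, and the commented-out check in
; Test 22 (neverallow tc aab ...) appears to rely on tc not being in `aab`.
(typeattribute acd)
(typeattributeset acd (tc td))

(typeattribute aNacd)
(typeattributeset aNacd (and (all) (not (ta tc td))))

(typeattribute aabc)
(typeattributeset aabc (ta tb tc))

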
; Tests 01-04: allow and deny both use the `notself` target, on class ca.
;
; Pattern used by every test in this file:
;   allow      - grants some access
;   deny       - removes access from matching allow rules
;   neverallow - repeats the deny rule and so asserts that nothing the deny
;                names is still allowed when neverallow checks run
; Lines of the form "; (neverallow ...) ; This check should fail" are not
; compiled. Per their notes they name access that should survive the deny, so
; they are expected to report a violation if enabled. Compiling the file as
; written exercises only the positive assertions; the negative cases need a
; manual run with the line uncommented.

; Test 01: same type as source of allow and deny.
(allow      ta notself (ca (pa1)))
(deny       ta notself (ca (pa1)))
(neverallow ta notself (ca (pa1)))

; Test 02: same attribute as source of allow and deny.
(allow      aab notself (ca (pa2)))
(deny       aab notself (ca (pa2)))
(neverallow aab notself (ca (pa2)))

; Test 03: allow names type ta, deny names attribute aab.
(allow      ta  notself (ca (pa3)))
(deny       aab notself (ca (pa3)))
(neverallow aab notself (ca (pa3)))

; Test 04: allow names attribute aab, deny names only type ta.
(allow      aab notself (ca (pa4)))
(deny       ta  notself (ca (pa4)))
(neverallow ta  notself (ca (pa4)))
; (neverallow tb notself (ca (pa4))) ; This check should fail

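; Tests 11-18: `notself` on one rule against an explicit type or attribute
; target on the other, on class cb. The uncommented neverallow in each test
; repeats the deny rule; commented-out neverallow lines are not compiled and,
; per their notes, are expected to fail if enabled.

; Test 11: allow ta notself, deny only the ta -> tb pair.
(allow      ta notself (cb (pb1)))
(deny       ta tb      (cb (pb1)))
(neverallow ta tb      (cb (pb1)))
; (neverallow ta aNab (cb (pb1))) ; This check should fail

; Test 12: allow only ta -> tb, deny ta notself.
(allow      ta tb      (cb (pb2)))
(deny       ta notself (cb (pb2)))
(neverallow ta notself (cb (pb2)))

; Test 13: allow attribute aab notself, deny only the ta -> tb pair.
(allow      aab notself (cb (pb3)))
(deny       ta  tb      (cb (pb3)))
(neverallow ta  tb      (cb (pb3)))
; (neverallow ta aNab (cb (pb3)))    ; This check should fail
; (neverallow tb notself (cb (pb3))) ; This check should fail

; Test 14: allow only ta -> tb, deny attribute aab notself.
(allow      ta  tb      (cb (pb4)))
(deny       aab notself (cb (pb4)))
(neverallow aab notself (cb (pb4)))

; Test 15: allow aab notself, deny aab -> tc.
(allow      aab notself (cb (pb5)))
(deny       aab tc      (cb (pb5)))
(neverallow aab tc      (cb (pb5)))
; (neverallow ta aNac (cb (pb5)))    ; This check should fail
; (neverallow tb aNbc (cb (pb5)))    ; This check should fail

; Test 16: allow aab -> tc, deny aab notself.
(allow      aab tc      (cb (pb6)))
(deny       aab notself (cb (pb6)))
(neverallow aab notself (cb (pb6)))

; Test 17: allow aab notself, deny aab -> attribute acd.
(allow      aab notself (cb (pb7)))
(deny       aab acd     (cb (pb7)))
(neverallow aab acd     (cb (pb7)))
; (neverallow aab aNacd (cb (pb7)))    ; This check should fail

; Test 18: allow aab -> attribute acd, deny aab notself.
; Fix: this test reused pb7 from Test 17. Every other test in the file has its
; own permission, and with a shared permission this deny would also apply to
; Test 17's allow, so Test 17's commented-out check could no longer fail as
; its note expects. Moved to the unused pb8.
(allow      aab acd     (cb (pb8)))
(deny       aab notself (cb (pb8)))
(neverallow aab notself (cb (pb8)))
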
; Tests 21-23: allow and deny both use the `other` target, on class cc.
; The uncommented neverallow in each test repeats the deny rule; the
; commented-out line is not compiled and is expected to fail if enabled.

; Test 21: same attribute on allow and deny.
(allow      aab other (cc (pc1)))
(deny       aab other (cc (pc1)))
(neverallow aab other (cc (pc1)))

; Test 22: allow on the larger attribute aabc, deny on aab.
(allow      aabc other (cc (pc2)))
(deny       aab  other (cc (pc2)))
(neverallow aab  other (cc (pc2)))
; (neverallow tc aab (cc (pc2))) ; This check should fail

; Test 23: allow on aab, deny on the larger attribute aabc.
(allow      aab  other (cc (pc3)))
(deny       aabc other (cc (pc3)))
(neverallow aabc other (cc (pc3)))

; Tests 31-34: `other` on one rule against an explicit target on the other,
; on class cd. The uncommented neverallow in each test repeats the deny rule;
; commented-out lines are not compiled and are expected to fail if enabled.

; Test 31: allow aab other, deny aab -> aab.
(allow      aab other (cd (pd1)))
(deny       aab aab   (cd (pd1)))
(neverallow aab aab   (cd (pd1)))

; Test 32: allow aab -> aab, deny aab other.
(allow      aab aab   (cd (pd2)))
(deny       aab other (cd (pd2)))
(neverallow aab other (cd (pd2)))
; (neverallow aab self (cd (pd2))) ; This check should fail

; Test 33: allow the single pair ta -> tb, deny aab other.
(allow      ta  tb    (cd (pd3)))
(deny       aab other (cd (pd3)))
(neverallow aab other (cd (pd3)))

; Test 34: allow aab other, deny the single pair ta -> tb.
(allow      aab other (cd (pd4)))
(deny       ta  tb    (cd (pd4)))
(neverallow ta  tb    (cd (pd4)))
; (neverallow tb ta (cd (pd4))) ; This check should fail


; Tests 61-68: allow with a `notself` target against a deny with an explicit
; target, using the overlapping attributes a_s1 / a_s2 / a_t2, on class ce.
; The uncommented neverallow in each test repeats the deny rule; commented-out
; lines are not compiled and are expected to fail if enabled.

; Test 61: attribute source and target on the deny.
(allow      a_s1 notself (ce (pe1)))
(deny       a_s2 a_t2    (ce (pe1)))
(neverallow a_s2 a_t2    (ce (pe1)))
; Helper attributes, referenced only by the commented-out checks below:
;   a61a = a_s4 minus a_t2        a61b = a_s4 intersect a_t2
;   a61c = all types minus a_t2   a61d = a61c minus a_s4
(typeattribute a61a)
(typeattributeset a61a (and a_s4 (not a_t2)))
(typeattribute a61b)
(typeattributeset a61b (and a_s4 a_t2))
(typeattribute a61c)
(typeattributeset a61c (and (all) (not a_t2)))
(typeattribute a61d)
(typeattributeset a61d (and a61c (not a_s4)))
; (neverallow a_s3 notself (ce (pe1))) ; This check should fail
; (neverallow a61a other (ce (pe1)))   ; This check should fail
; (neverallow a61a a61d (ce (pe1)))    ; This check should fail
; (neverallow a61b a61c (ce (pe1)))    ; This check should fail

; Test 62: allow source is the single type tg (a member of a_s2 and a_t2).
(allow      tg   notself (ce (pe2)))
(deny       a_s2 a_t2    (ce (pe2)))
(neverallow a_s2 a_t2    (ce (pe2)))

; Test 63: allow source is the single type tm (in a_s2, not in a_t2).
(allow      tm   notself (ce (pe3)))
(deny       a_s2 a_t2    (ce (pe3)))
(neverallow a_s2 a_t2    (ce (pe3)))

; Test 64: deny source is the single type tg.
(allow      a_s1 notself (ce (pe4)))
(deny       tg   a_t2    (ce (pe4)))
(neverallow tg   a_t2    (ce (pe4)))

; Test 65: deny source is the single type tm.
(allow      a_s1 notself (ce (pe5)))
(deny       tm   a_t2    (ce (pe5)))
(neverallow tm   a_t2    (ce (pe5)))

; Test 66: deny target is the single type tg.
(allow      a_s1 notself (ce (pe6)))
(deny       a_s2 tg      (ce (pe6)))
(neverallow a_s2 tg      (ce (pe6)))
; (neverallow a_s3 notself (ce (pe6))) ; This check should fail

; Test 67: deny target is the single type ty (in a_t2 only).
(allow      a_s1 notself (ce (pe7)))
(deny       a_s2 ty      (ce (pe7)))
(neverallow a_s2 ty      (ce (pe7)))
; (neverallow a_s3 notself (ce (pe7))) ; This check should fail

; Test 68: allow source is a two-member attribute (tg tm).
(typeattribute a68)
(typeattributeset a68 (tg tm))
(allow      a68  notself (ce (pe8)))
(deny       a_s2 a_t2    (ce (pe8)))
(neverallow a_s2 a_t2    (ce (pe8)))

; Tests 71-78: allow with an explicit target against a deny with a `notself`
; target (the mirror of Tests 61-68), on class cf. The uncommented neverallow
; in each test repeats the deny rule; commented-out lines are not compiled and
; are expected to fail if enabled.

; Test 71: attribute source and target on the allow.
(allow      a_s1 a_t1    (cf (pf1)))
(deny       a_s2 notself (cf (pf1)))
(neverallow a_s2 notself (cf (pf1)))
; Helper attribute, referenced only by the commented-out checks below:
;   a71a = a_s4 intersect a_t1
(typeattribute a71a)
(typeattributeset a71a (and a_s4 a_t1))
; (neverallow a_s3 a_t1 (cf (pf1))) ; This check should fail
; (neverallow a71a self (cf (pf1))) ; This check should fail

; Test 72: allow source is the single type tc (in a_s2 and a_t1).
(allow      tc   a_t1    (cf (pf2)))
(deny       a_s2 notself (cf (pf2)))
(neverallow a_s2 notself (cf (pf2)))

; Test 73: allow source is the single type tm (in a_s2, not in a_t1).
(allow      tm   a_t1    (cf (pf3)))
(deny       a_s2 notself (cf (pf3)))
(neverallow a_s2 notself (cf (pf3)))

; Test 74: deny source is the single type tc.
(allow      a_s1 a_t1    (cf (pf4)))
(deny       tc   notself (cf (pf4)))
(neverallow tc   notself (cf (pf4)))

; Test 75: deny source is the single type tm.
(allow      a_s1 a_t1    (cf (pf5)))
(deny       tm   notself (cf (pf5)))
(neverallow tm   notself (cf (pf5)))

; Test 76: allow target is the single type tc.
(allow      a_s1 tc      (cf (pf6)))
(deny       a_s2 notself (cf (pf6)))
(neverallow a_s2 notself (cf (pf6)))
; (neverallow a_s3 tc (cf (pf6))) ; This check should fail

; Test 77: allow target is the single type tu (in a_t1 only).
(allow      a_s1 tu      (cf (pf7)))
(deny       a_s2 notself (cf (pf7)))
(neverallow a_s2 notself (cf (pf7)))
; (neverallow a_s3 tu (cf (pf7))) ; This check should fail

; Test 78: deny source is a two-member attribute (tc tm).
(typeattribute a78)
(typeattributeset a78 (tc tm))
(allow      a_s1 a_t1    (cf (pf8)))
(deny       a78  notself (cf (pf8)))
(neverallow a78  notself (cf (pf8)))

; Tests 81-86: allow with an `other` target against a deny with an explicit
; target, on class cg. The uncommented neverallow in each test repeats the
; deny rule; commented-out lines are not compiled and are expected to fail if
; enabled.

; Test 81: attribute source and target on the deny.
(allow      a_s1 other (cg (pg1)))
(deny       a_s2 a_t2  (cg (pg1)))
(neverallow a_s2 a_t2  (cg (pg1)))
; Helper attributes, referenced only by the commented-out checks below:
;   a81a = a_s4 minus a_t2   a81b = a_s4 intersect a_t2
;   a81c = a_s1 minus a_t2   a81d = a_s3 minus a_t2
(typeattribute a81a)
(typeattributeset a81a (and a_s4 (not a_t2)))
(typeattribute a81b)
(typeattributeset a81b (and a_s4 a_t2))
(typeattribute a81c)
(typeattributeset a81c (and a_s1 (not a_t2)))
(typeattribute a81d)
(typeattributeset a81d (and a_s3 (not a_t2)))
; (neverallow a_s3 other (cg (pg1))) ; This check should fail
; (neverallow a81a other (cg (pg1))) ; This check should fail
; (neverallow a81a a81d (cg (pg1)))  ; This check should fail
; (neverallow a81b a81c (cg (pg1)))  ; This check should fail

; Test 82: deny source is the single type tg.
(allow      a_s1 other (cg (pg2)))
(deny       tg   a_t2  (cg (pg2)))
(neverallow tg   a_t2  (cg (pg2)))

; Test 83: deny source is the single type tm.
(allow      a_s1 other (cg (pg3)))
(deny       tm   a_t2  (cg (pg3)))
(neverallow tm   a_t2  (cg (pg3)))

; Test 84: deny target is the single type tg.
(allow      a_s1 other (cg (pg4)))
(deny       a_s2 tg    (cg (pg4)))
(neverallow a_s2 tg    (cg (pg4)))
; (neverallow a_s3 other (cg (pg4))) ; This check should fail

; Test 85: deny target is the single type ty (in a_t2 only).
(allow      a_s1 other (cg (pg5)))
(deny       a_s2 ty    (cg (pg5)))
(neverallow a_s2 ty    (cg (pg5)))
; (neverallow a_s3 other (cg (pg5))) ; This check should fail

; Test 86: allow source is a three-member attribute (tg tm ts).
(typeattribute a86)
(typeattributeset a86 (tg tm ts))
(allow      a86  other (cg (pg6)))
(deny       a_s2 a_t2  (cg (pg6)))
(neverallow a_s2 a_t2  (cg (pg6)))

; Tests 91-96: allow with an explicit target against a deny with an `other`
; target (the mirror of Tests 81-86), on class ch. The uncommented neverallow
; in each test repeats the deny rule; commented-out lines are not compiled and
; are expected to fail if enabled.

; Test 91: attribute source and target on the allow.
(allow      a_s1 a_t1  (ch (ph1)))
(deny       a_s2 other (ch (ph1)))
(neverallow a_s2 other (ch (ph1)))
; Helper attributes, referenced only by the commented-out checks below:
;   a91a = a_s4 intersect a_t1   a91b = a_t1 intersect a_s2
(typeattribute a91a)
(typeattributeset a91a (and a_s4 a_t1))
(typeattribute a91b)
(typeattributeset a91b (and a_t1 a_s2))
; (neverallow a_s3 a_t1 (ch (ph1))) ; This check should fail
; (neverallow a_s4 a91b (ch (ph1))) ; This check should fail
; (neverallow a91a self (ch (ph1))) ; This check should fail

; Test 92: allow source is the single type tc.
(allow      tc   a_t1  (ch (ph2)))
(deny       a_s2 other (ch (ph2)))
(neverallow a_s2 other (ch (ph2)))

; Test 93: allow source is the single type tm.
(allow      tm   a_t1  (ch (ph3)))
(deny       a_s2 other (ch (ph3)))
(neverallow a_s2 other (ch (ph3)))

; Test 94: allow target is the single type tc.
(allow      a_s1 tc    (ch (ph4)))
(deny       a_s2 other (ch (ph4)))
(neverallow a_s2 other (ch (ph4)))
; (neverallow a_s3 tc (ch (ph4))) ; This check should fail

; Test 95: allow target is the single type tu (in a_t1 only).
(allow      a_s1 tu    (ch (ph5)))
(deny       a_s2 other (ch (ph5)))
(neverallow a_s2 other (ch (ph5)))
; (neverallow a_s3 tu (ch (ph5))) ; This check should fail

; Test 96: deny source is a three-member attribute (tc tm tw).
(typeattribute a96)
(typeattributeset a96 (tc tm tw))
(allow      a_s1 a_t1  (ch (ph6)))
(deny       a96  other (ch (ph6)))
(neverallow a96  other (ch (ph6)))

; Tests 101-104: the four combinations of `other` and `notself` as the target
; of allow and deny, with allow on a_s1 and deny on a_s2, on class ci.
; The uncommented neverallow in each test repeats the deny rule; commented-out
; lines are not compiled and are expected to fail if enabled.

; Test 101: allow other, deny other.
(allow      a_s1 other (ci (pi1)))
(deny       a_s2 other (ci (pi1)))
(neverallow a_s2 other (ci (pi1)))
; (neverallow a_s3 other (ci (pi1))) ; This check should fail
; (neverallow a_s4 a_s3 (ci (pi1)))  ; This check should fail

; Test 102: allow notself, deny other.
(allow      a_s1 notself (ci (pi2)))
(deny       a_s2 other   (ci (pi2)))
(neverallow a_s2 other   (ci (pi2)))
; (neverallow a_s3 notself (ci (pi2))) ; This check should fail
; (neverallow a_s4 a_s3 (ci (pi2)))    ; This check should fail

; Test 103: allow other, deny notself.
(allow      a_s1 other   (ci (pi3)))
(deny       a_s2 notself (ci (pi3)))
(neverallow a_s2 notself (ci (pi3)))
; (neverallow a_s3 other (ci (pi3))) ; This check should fail

; Test 104: allow notself, deny notself.
(allow      a_s1 notself (ci (pi4)))
(deny       a_s2 notself (ci (pi4)))
(neverallow a_s2 notself (ci (pi4)))
; (neverallow a_s3 notself (ci (pi4))) ; This check should fail
