Diffstat (limited to 'tests/policies/test-linker')
-rw-r--r-- | tests/policies/test-linker/module1.conf | 138 | ||||
-rw-r--r-- | tests/policies/test-linker/module2.conf | 62 | ||||
-rw-r--r-- | tests/policies/test-linker/small-base.conf | 593 |
3 files changed, 793 insertions, 0 deletions
diff --git a/tests/policies/test-linker/module1.conf b/tests/policies/test-linker/module1.conf
new file mode 100644
index 0000000..7cfb6cb
--- /dev/null
+++ b/tests/policies/test-linker/module1.conf
@@ -0,0 +1,138 @@
+module linker_test_1 1.0;
+
+require {
+ class file { read write };
+ class lnk_file append;
+ role g_b_role_2;
+ attribute g_b_attr_3;
+ attribute g_b_attr_5;
+ attribute o4_b_attr_1;
+ type g_b_type_3;
+}
+
+type tag_g_m1;
+
+#test for type in module and attr in module, added to in module
+attribute g_m1_attr_1;
+type g_m1_type_1, g_m1_attr_1;
+type g_m1_type_2;
+typeattribute g_m1_type_2 g_m1_attr_1;
+
+#add role in module test
+role g_m1_role_1 types g_m1_type_1;
+
+# test for attr declared in base, added to in module
+type g_m1_type_3;
+typeattribute g_m1_type_3 g_b_attr_3;
+
+# test for attr declared in base, added to in 2 modules
+type g_m1_type_4;
+typeattribute g_m1_type_4 g_b_attr_5;
+
+# test for attr declared in base optional, added to in module
+type g_m1_type_5;
+typeattribute g_m1_type_5 o4_b_attr_1;
+
+# test for attr declared in module, added to in base optional
+attribute g_m1_attr_2;
+
+#add type to base role test
+role g_b_role_2 types g_m1_type_1;
+role g_b_role_3 types g_m1_type_2;
+
+#add type to base optional role test
+role o1_b_role_2 types g_m1_type_1;
+
+#optional base role w/ adds in 2 modules
+role o4_b_role_1 types g_m1_type_2;
+
+# attr a added to in base optional, declared/added to in module, added to in other module
+attribute g_m1_attr_3;
+type g_m1_type_6, g_m1_attr_3;
+
+# attr a added to in base optional, declared/added in module , added to in other module optional
+attribute g_m1_attr_4;
+type g_m1_type_7, g_m1_attr_4;
+
+# alias tests
+typealias g_b_type_3 alias g_m_alias_1;
+
+# single boolean in module
+bool g_m1_bool_1 true;
+if (g_m1_bool_1) {
+ allow g_m1_type_1 g_m1_type_2 : lnk_file append;
+}
+
+
+optional {
+ require {
+ type optional_type;
+ attribute g_b_attr_4;
+ attribute o1_b_attr_2;
+ class lnk_file { ioctl };
+ }
+
+ type tag_o1_m1;
+
+ attribute o1_m1_attr_1;
+ type o1_m1_type_2, o1_m1_attr_1;
+
+ type o1_m1_type_1;
+ role o1_m1_role_1 types o1_m1_type_1;
+
+ type o1_m1_type_3;
+ typeattribute o1_m1_type_3 g_b_attr_4;
+
+ type o1_m1_type_5;
+ typeattribute o1_m1_type_5 o1_b_attr_2;
+
+ bool o1_m1_bool_1 false;
+ if (o1_m1_bool_1) {
+ allow o1_m1_type_2 o1_m1_type_1 : lnk_file ioctl;
+ }
+
+}
+
+optional {
+ require {
+ type optional_type;
+ #role g_b_role_4; // This causes a bug where the role scope doesn't get copied into base
+ }
+
+ type tag_o2_m1;
+
+ role g_b_role_4 types g_m1_type_2;
+}
+
+optional {
+ require {
+ attribute g_b_attr_6;
+ }
+
+ type tag_o3_m1;
+
+ type o3_m1_type_1;
+ role o3_b_role_1 types o3_m1_type_1;
+
+ type o3_m1_type_2, g_b_attr_6;
+
+ attribute o3_m1_attr_1;
+
+ # attr a added to in base optional, declared/added in module optional, added to in other module
+ attribute o3_m1_attr_2;
+ type o3_m1_type_3, o3_m1_attr_2;
+
+}
+
+optional {
+ require {
+ type enable_optional;
+ }
+ type tag_o4_m1;
+
+ attribute o4_m1_attr_1;
+ type o4_m1_type_1;
+ typeattribute o4_m1_type_1 o4_m1_attr_1;
+
+
+}
diff --git a/tests/policies/test-linker/module2.conf b/tests/policies/test-linker/module2.conf
new file mode 100644
index 0000000..3820cb7
--- /dev/null
+++ b/tests/policies/test-linker/module2.conf
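Review bot: The second optional block works around a linker bug by commenting out `role g_b_role_4;` in its require list, but the note carries no tracker reference or condition for restoring it, so nobody will know when the require can go back and the block quietly relies on `role g_b_role_4 types g_m1_type_2;` acting as the declaration instead. A comment along the lines of `# FIXME: requiring g_b_role_4 here triggers <bug ref>: role scope not copied into base; restore once fixed` would make that explicit. Relatedly, the top-level require lists `role g_b_role_2` but the module also extends `g_b_role_3`, `o1_b_role_2` and `o4_b_role_1` without requiring them; if that asymmetry is deliberate (exercising role adds both with and without a require), say so with `# g_b_role_3 / o1_b_role_2 / o4_b_role_1 are intentionally not required` so it is not "cleaned up" later.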
@@ -0,0 +1,62 @@
+module linker_test_2 1.0;
+
+require {
+ class file { read write };
+ class lnk_file { unlink };
+ attribute g_b_attr_5;
+ attribute g_b_attr_6;
+ attribute g_m1_attr_3;
+ attribute o3_m1_attr_2;
+}
+
+type tag_g_m2;
+
+type g_m2_type_1;
+role g_m2_role_1 types g_m2_type_1;
+
+type g_m2_type_4, g_b_attr_5;
+type g_m2_type_5, g_b_attr_6;
+
+#add types to role declared in base test
+type g_m2_type_2;
+role g_b_role_3 types g_m2_type_2;
+
+#optional base role w/ adds in 2 modules
+role o4_b_role_1 types g_m2_type_1;
+
+# attr a added to in base optional, declared/added to in module, added to in other module
+type g_m2_type_3, g_m1_attr_3;
+
+# attr a added to in base optional, declared/added in module optional, added to in other module
+type g_m2_type_6, o3_m1_attr_2;
+
+# cond mapping tests
+bool g_m2_bool_1 true;
+bool g_m2_bool_2 false;
+if (g_m2_bool_1 && g_m2_bool_2) {
+ allow g_m2_type_1 g_m2_type_2 : lnk_file unlink;
+}
+
+optional {
+ require {
+ type optional_type;
+ }
+
+ type tag_o1_m2;
+
+ type o1_m2_type_1;
+ role o1_m2_role_1 types o1_m2_type_1;
+}
+
+
+optional {
+ require {
+ attribute g_m1_attr_4;
+ attribute o4_m1_attr_1;
+ }
+ type tag_o2_m2;
+
+ type o2_m2_type_1, g_m1_attr_4;
+ type o2_m2_type_2, o4_m1_attr_1;
+
+}
diff --git a/tests/policies/test-linker/small-base.conf b/tests/policies/test-linker/small-base.conf
new file mode 100644
index 0000000..2f166c9
--- /dev/null
+++ b/tests/policies/test-linker/small-base.conf
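Review bot: The first optional block requires `type optional_type`, which is declared neither in small-base.conf (the base declares `enable_optional`, not `optional_type`) nor in either module, so the block can only be disabled by the linker — yet unlike the base's `#this block should not come on` note nothing says so, and a future fixture edit that introduces `optional_type` would silently switch the block on and change what the test covers. Suggest adding `# optional_type is declared nowhere: this block must remain disabled after linking` inside the require. The top-level `class file { read write };` require is also not used by any rule in this module; if keeping an unused require is intentional, a one-line comment would stop it being removed as dead.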
@@ -0,0 +1,593 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related clases
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# FLASK
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+
+
+# FLASK
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class udp_socket
+inherits socket
+
+class rawip_socket
+inherits socket
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ transition_sid
+ member_sid
+ sid_to_context
+ context_to_sid
+ load_policy
+ get_sids
+ change_sid
+ get_user_sids
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ avc_toggle
+ nfsd_control
+ bdflush
+ syslog_read
+ syslog_mod
+ syslog_console
+ ichsid
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+}
+
+ifdef(`enable_mls',`
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+
+level s0:c0.c23;
+
+mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+ ( h1 dom h2 );
+')
+
+####################################
+####################################
+#####################################
+
+#g_b stands for global base
+
+type enable_optional;
+
+#decorative type for finding this decl, every block should have one
+type tag_g_b;
+
+attribute g_b_attr_1;
+attribute g_b_attr_2;
+attribute g_b_attr_3;
+attribute g_b_attr_4;
+attribute g_b_attr_5;
+attribute g_b_attr_6;
+
+type g_b_type_1, g_b_attr_1;
+type g_b_type_2, g_b_attr_2;
+type g_b_type_3;
+
+role g_b_role_1 types g_b_type_1;
+role g_b_role_2 types g_b_type_2;
+role g_b_role_3 types g_b_type_2;
+role g_b_role_4 types g_b_type_2;
+
+bool g_b_bool_1 false;
+bool g_b_bool_2 true;
+
+allow g_b_type_1 g_b_type_2 : security { compute_av load_policy };
+allow g_b_type_1 g_b_type_2 : file *; # test *
+allow g_b_type_1 g_b_type_2 : process ~ptrace; #test ~
+
+typealias g_b_type_3 alias g_b_alias_1;
+
+if (g_b_bool_1) {
+ allow g_b_type_1 g_b_type_2: lnk_file read;
+}
+
+
+optional {
+ require {
+ type enable_optional;
+ attribute g_m1_attr_2;
+ }
+ type tag_o1_b;
+
+ attribute o1_b_attr_1;
+ type o1_b_type_1, o1_b_attr_1;
+ bool o1_b_bool_1 true;
+ role o1_b_role_1 types o1_b_type_1;
+
+ role o1_b_role_2 types o1_b_type_1;
+
+ attribute o1_b_attr_2;
+
+ type o1_b_type_2, g_m1_attr_2;
+
+ if (o1_b_bool_1) {
+ allow o1_b_type_1 o1_b_type_2: lnk_file write;
+ }
+
+}
+
+optional {
+ require {
+ # this should be activated by module 1
+ type g_m1_type_1;
+ attribute o3_m1_attr_2;
+ }
+ type tag_o2_b;
+
+ type o2_b_type_1, o3_m1_attr_2;
+}
+
+optional {
+ require {
+ #this block should not come on
+ type invalid_type;
+ }
+ type tag_o3_b;
+
+
+ attribute o3_b_attr_1;
+ type o3_b_type_1;
+ bool o3_b_bool_1 true;
+
+ role o3_b_role_1 types o3_b_type_1;
+
+ allow g_b_type_1 invalid_type : sem { create destroy };
+}
+
+optional {
+ require {
+ # also should be enabled by module 1
+ type enable_optional;
+ type g_m1_type_1;
+ attribute o3_m1_attr_1;
+ attribute g_m1_attr_3;
+ }
+
+ type tag_o4_b;
+
+ attribute o4_b_attr_1;
+
+ role o4_b_role_1 types g_m1_type_1;
+
+ # test for attr declared in module optional, added to in base optional
+ type o4_b_type_1, o3_m1_attr_1;
+
+ type o4_b_type_2, g_m1_attr_3;
+}
+
+optional {
+ require {
+ attribute g_m1_attr_4;
+ attribute o4_m1_attr_1;
+ }
+ type tag_o5_b;
+
+ type o5_b_type_1, g_m1_attr_4;
+ type o5_b_type_2, o4_m1_attr_1;
+}
+
+optional {
+ require {
+ type enable_optional;
+ }
+ type tag_o6_b;
+
+ typealias g_b_type_3 alias g_b_alias_2;
+}
+
+optional {
+ require {
+ type g_m_alias_1;
+ }
+ type tag_o7_b;
+
+ allow g_m_alias_1 enable_optional:file read;
+}
+
+gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)
+gen_user(g_b_user_2,, g_b_role_1, s0, s0 - s0:c0, c1, c3, c4, c5)
+
+####################################
+#line 1 "initial_sid_contexts"
+
+sid kernel gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0)
+
+
+############################################
+#line 1 "fs_use"
+#
+fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
+fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
+fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0);
+
+
+genfscon proc / gen_context(g_b_user_1:object_r:g_b_type_1, s0)
+
+
+####################################
+#line 1 "net_contexts"
+
+#portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0
+
+#netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0
+
+#
+#nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0
+
+nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(g_b_user_1:object_r:g_b_type_1, s0)
+
+
+
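Review bot: `gen_user(g_b_user_2,, g_b_role_1, s0, s0 - s0:c0, c1, c3, c4, c5)` passes the MLS range as an unquoted m4 argument; because this file goes through m4 (it already uses `ifdef(`enable_mls',...)`), the commas inside `c0, c1, c3, c4, c5` split the range into additional macro arguments, so depending on how gen_user is defined — not visible here — the user most likely ends up with range `s0 - s0:c0` and the remaining categories are dropped without any error. Quoting the argument avoids that: `gen_user(g_b_user_2,, g_b_role_1, s0, `s0 - s0:c0, c1, c3, c4, c5`)`. If the truncated range is what the linker test actually wants, a comment saying so (`# range deliberately left unquoted, m4 keeps only s0 - s0:c0`) would stop the next reader from "fixing" it and changing the expected output. The first gen_user line is unaffected since `s0:c0.c23` contains no commas.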