13 | System Control Test Domains
14 |
15 |
16 |
17 |
18 |
19 | Name
20 | Description
21 |
22 |
23 |
24 |
25 | test_sysctl_t
26 | Domain for process that has all system control permissions.
27 |
28 |
29 | test_nosysctl_t
30 | Domain for process that has no system control permissions, except for search access to the directories.
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 | The selinux_sysctl hook is tested. Attempts are
39 | made to read and write the kernel.modprobe sysctl
40 | variable from each domain. The test_sysctl_t
41 | domain should succeed on both operations, while the
42 | test_nosysctl_t domain should fail on both
43 | operations.
44 |
45 |
46 |
47 |
--------------------------------------------------------------------------------
/policy/.gitignore:
--------------------------------------------------------------------------------
1 | test_policy/
2 |
--------------------------------------------------------------------------------
/policy/test_add_levels.cil:
--------------------------------------------------------------------------------
1 | (sensitivity s1)
2 | (sensitivitycategory s1 (range c0 c1023))
3 | (sensitivity s2)
4 | (sensitivitycategory s2 (range c0 c1023))
5 | (sensitivity s3)
6 | (sensitivitycategory s3 (range c0 c1023))
7 | (sensitivity s4)
8 | (sensitivitycategory s4 (range c0 c1023))
9 | (sensitivity s5)
10 | (sensitivitycategory s5 (range c0 c1023))
11 | (sensitivity s6)
12 | (sensitivitycategory s6 (range c0 c1023))
13 | (sensitivity s7)
14 | (sensitivitycategory s7 (range c0 c1023))
15 | (sensitivity s8)
16 | (sensitivitycategory s8 (range c0 c1023))
17 | (sensitivity s9)
18 | (sensitivitycategory s9 (range c0 c1023))
19 | (sensitivity s10)
20 | (sensitivitycategory s10 (range c0 c1023))
21 | (sensitivity s11)
22 | (sensitivitycategory s11 (range c0 c1023))
23 | (sensitivity s12)
24 | (sensitivitycategory s12 (range c0 c1023))
25 | (sensitivity s13)
26 | (sensitivitycategory s13 (range c0 c1023))
27 | (sensitivity s14)
28 | (sensitivitycategory s14 (range c0 c1023))
29 | (sensitivity s15)
30 | (sensitivitycategory s15 (range c0 c1023))
31 | (sensitivityorder (s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15))
32 |
--------------------------------------------------------------------------------
/policy/test_atsecure.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing the setting of the
4 | # AT_SECURE auxv flag based on noatsecure permission
5 | #
6 |
7 | attribute atsecuredomain;
8 |
9 | # Domain for process that is not allowed noatsecure to the new domain.
10 | type test_atsecure_denied_t;
11 | testsuite_domain_type(test_atsecure_denied_t)
12 | typeattribute test_atsecure_denied_t atsecuredomain;
13 |
14 | # Domain for process that is allowed noatsecure to the new domain.
15 | type test_atsecure_allowed_t;
16 | testsuite_domain_type(test_atsecure_allowed_t)
17 | typeattribute test_atsecure_allowed_t atsecuredomain;
18 |
19 | # New domain for the process after the transition.
20 | type test_atsecure_newdomain_t;
21 | testsuite_domain_type(test_atsecure_newdomain_t)
22 | typeattribute test_atsecure_newdomain_t atsecuredomain;
23 |
24 | # Allow the domain entrypoints and transitions.
25 | domain_entry_file(test_atsecure_newdomain_t, test_file_t)
26 | domain_transition_pattern(test_atsecure_denied_t, test_file_t, test_atsecure_newdomain_t)
27 | domain_transition_pattern(test_atsecure_allowed_t, test_file_t, test_atsecure_newdomain_t)
28 | allow test_atsecure_newdomain_t test_atsecure_denied_t:fd use;
29 | allow test_atsecure_newdomain_t test_atsecure_allowed_t:fd use;
30 | allow_map(atsecuredomain, test_file_t, file)
31 |
32 | # Only allow the allowed domain noatsecure permission to the
33 | # new domain.
34 | allow test_atsecure_allowed_t test_atsecure_newdomain_t:process noatsecure;
35 |
--------------------------------------------------------------------------------
/policy/test_attrib.te:
--------------------------------------------------------------------------------
1 | #
2 | # Declarations for type attributes for test domains.
3 | #
4 |
5 | attribute capabledomain;
6 | attribute execsharedomain;
7 | attribute exectracedomain;
8 | attribute fdreceivedomain;
9 | attribute fileopdomain;
10 | attribute inheritdomain;
11 | attribute ioctldomain;
12 | attribute ipcdomain;
13 | attribute test_link_domain;
14 | attribute test_mkdir_domain;
15 | attribute test_open_domain;
16 | attribute ptracedomain;
17 | attribute test_readlink_domain;
18 | attribute test_relabel_domain;
19 | attribute test_rename_domain;
20 | attribute test_rxdir_domain;
21 | attribute test_setattr_domain;
22 | attribute setnicedomain;
23 | attribute killdomain;
24 | attribute socketdomain;
25 | attribute test_stat_domain;
26 | attribute sysctldomain;
27 | attribute sysmiscdomain;
28 | attribute test_create_d;
29 | attribute test_getsched_d;
30 | attribute test_getsid_d;
31 | attribute test_setpgid_d;
32 | attribute test_setsched_d;
33 | attribute transitiondomain;
34 | attribute waitdomain;
35 | attribute test_getpgid_d;
36 | attribute dyntracedomain;
37 | attribute dyntransdomain;
38 | attribute mqopdomain;
39 |
--------------------------------------------------------------------------------
/policy/test_cap_userns.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing non-init userns capability checking.
4 | #
5 |
6 | attribute capusernsdomain;
7 |
8 | # Domain for process that is allowed non-init userns capabilities
9 | type test_cap_userns_t;
10 | testsuite_domain_type(test_cap_userns_t)
11 | typeattribute test_cap_userns_t capusernsdomain;
12 |
13 | # This domain is allowed sys_admin on non-init userns for mount.
14 | allow test_cap_userns_t self:cap_userns sys_admin;
15 |
16 | # Domain for process that is not allowed non-init userns capabilities
17 | type test_no_cap_userns_t;
18 | testsuite_domain_type(test_no_cap_userns_t)
19 | typeattribute test_no_cap_userns_t capusernsdomain;
20 |
21 | # Rules common to both domains.
22 | allow_userns_create(capusernsdomain)
23 | # linux >= v5.12 needs setfcap to map UID 0
24 | allow capusernsdomain self:capability setfcap;
25 |
--------------------------------------------------------------------------------
/policy/test_capable_sys.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing system related capabilities. The test_capable_file.te
4 | # policy is a prequisite for this file.
5 | #
6 |
7 | # Type for process that is allowed certain capabilities
8 | type test_scap_t;
9 | testsuite_domain_type(test_scap_t)
10 | typeattribute test_scap_t capabledomain;
11 |
12 | # Domain for process that has no capability
13 | type test_noscap_t;
14 | testsuite_domain_type(test_noscap_t)
15 | typeattribute test_noscap_t capabledomain;
16 |
17 | # Permissions for the good domain
18 | allow test_scap_t self:capability { sys_rawio sys_chroot sys_admin sys_nice };
19 |
--------------------------------------------------------------------------------
/policy/test_cgroupfs.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing cgroupfs labeling
4 | #
5 |
6 | # Types for test file.
7 | type test_cgroup_t;
8 | files_type(test_cgroup_t)
9 |
10 | require {
11 | type cgroup_t;
12 | }
13 | allow test_cgroup_t cgroup_t:filesystem { associate };
14 |
--------------------------------------------------------------------------------
/policy/test_dyntrans.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing process dyntrans permission
4 | #
5 |
6 | attribute dyntransdomain;
7 |
8 | # Domain for process that is allowed to transition to the new domain.
9 | type test_dyntrans_fromdomain_t;
10 | testsuite_domain_type(test_dyntrans_fromdomain_t)
11 | domain_dyntrans_type(test_dyntrans_fromdomain_t)
12 | typeattribute test_dyntrans_fromdomain_t dyntransdomain;
13 |
14 | # Domain for process that is not allowed to transition to the new domain.
15 | type test_dyntrans_notfromdomain_t;
16 | testsuite_domain_type(test_dyntrans_notfromdomain_t)
17 | typeattribute test_dyntrans_notfromdomain_t dyntransdomain;
18 |
19 | # Allow the fromdomain to dyntrans to the new domain.
20 | type test_dyntrans_todomain_t;
21 | testsuite_domain_type(test_dyntrans_todomain_t)
22 | typeattribute test_dyntrans_todomain_t dyntransdomain;
23 |
24 | # Allow the fromdomain to dyntrans to the new domain.
25 | allow test_dyntrans_fromdomain_t test_dyntrans_todomain_t:process dyntransition;
26 |
--------------------------------------------------------------------------------
/policy/test_entrypoint.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing entrypoint permission
4 | #
5 |
6 | # Type that the test domain can be entered through.
7 | type test_entrypoint_allow_t;
8 | files_type(test_entrypoint_allow_t)
9 |
10 | # Type that the test domain can NOT be entered through.
11 | type test_entrypoint_deny_t;
12 | files_type(test_entrypoint_deny_t)
13 |
14 | # Test domain that can only be entered via the type above.
15 | type test_entrypoint_t;
16 | testsuite_domain_type(test_entrypoint_t)
17 |
18 | # Allow this domain to be entered via test_entrypoint_allow_t.
19 | domain_entry_file(test_entrypoint_t, test_entrypoint_allow_t)
20 |
21 | # Allow the domain to execute test_entrypoint_deny_t, but not
22 | # to enter through it.
23 | can_exec(test_entrypoint_t, test_entrypoint_deny_t)
24 |
25 |
--------------------------------------------------------------------------------
/policy/test_execute_no_trans.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing execute_notrans permission
4 | #
5 |
6 | # Type for the execute_notrans program allowed to execute from the test domain.
7 | type test_execute_notrans_allowed_t;
8 | files_type(test_execute_notrans_allowed_t)
9 |
10 | # Type for the execute_notrans program not allowed to execute
11 | # from the test domain.
12 | type test_execute_notrans_denied_t;
13 | files_type(test_execute_notrans_denied_t);
14 |
15 | # Test domain that can only be entered via the types above.
16 | type test_execute_notrans_t;
17 | testsuite_domain_type(test_execute_notrans_t);
18 |
19 | #Allow test_execute_notrans permissions to the allowed type
20 | can_exec(test_execute_notrans_t,test_execute_notrans_allowed_t)
21 | allow_map(test_execute_notrans_t, test_execute_notrans_denied_t, file)
22 | allow test_execute_notrans_t test_execute_notrans_denied_t:file { getattr open read };
23 |
--------------------------------------------------------------------------------
/policy/test_filesystem_name_trans.te:
--------------------------------------------------------------------------------
1 | #
2 | ######### Test filesystem name-base transition policy module ##########
3 | #
4 |
5 | # Name-based type transition context:
6 | type test_filesystem_filenametranscon1_t;
7 | files_type(test_filesystem_filenametranscon1_t)
8 | type test_filesystem_filenametranscon2_t;
9 | files_type(test_filesystem_filenametranscon2_t)
10 |
11 | # Create file and change context via name-based type_transition rule:
12 | fs_associate(test_filesystem_filenametranscon1_t)
13 | type_transition test_filesystem_t test_filesystem_file_t:file test_filesystem_filenametranscon1_t "name_trans_test_file1";
14 | allow test_filesystem_t test_filesystem_filenametranscon1_t:file { create getattr open write };
15 |
16 | fs_associate(test_filesystem_filenametranscon2_t)
17 | type_transition test_filesystem_t test_filesystem_file_t:file test_filesystem_filenametranscon2_t "name_trans_test_file2";
18 | allow test_filesystem_t test_filesystem_filenametranscon2_t:file { create getattr open write };
19 |
20 | ### NFS Rules ##########
21 | type_transition test_filesystem_t test_file_t:file test_filesystem_filenametranscon1_t "name_trans_test_file1";
22 | type_transition test_filesystem_t test_file_t:file test_filesystem_filenametranscon2_t "name_trans_test_file2";
23 | allow test_filesystem_filenametranscon1_t test_filesystem_file_t:filesystem { associate };
24 | allow test_filesystem_filenametranscon2_t test_filesystem_file_t:filesystem { associate };
25 |
--------------------------------------------------------------------------------
/policy/test_glblub.cil:
--------------------------------------------------------------------------------
1 | (defaultrange db_table glblub)
2 |
3 | (class new_class_no_default_range (foobar))
4 | (classorder (unordered new_class_no_default_range))
5 |
--------------------------------------------------------------------------------
/policy/test_ibendport.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing Infiniband Pkey access.
4 | #
5 |
6 | attribute ibendportdomain;
7 |
8 | # Domain for process.
9 | type test_ibendport_manage_subnet_t;
10 | testsuite_domain_type(test_ibendport_manage_subnet_t)
11 | typeattribute test_ibendport_manage_subnet_t ibendportdomain;
12 |
13 | type test_ibendport_t;
14 | ifdef(`corenet_ib_endport',`
15 | corenet_ib_endport(test_ibendport_t)
16 | ')
17 |
18 | dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
19 | dev_rw_sysfs(test_ibendport_manage_subnet_t)
20 |
21 | ifdef(`dev_rw_infiniband_mgmt_dev', `
22 | dev_rw_infiniband_mgmt_dev(test_ibendport_manage_subnet_t)
23 | ')
24 |
25 | ifdef(`corenet_ib_access_unlabeled_pkeys',`
26 | corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
27 | ')
28 |
29 | allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_subnet;
30 |
--------------------------------------------------------------------------------
/policy/test_ibpkey.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing Infiniband Pkey access.
4 | #
5 |
6 | attribute ibpkeydomain;
7 |
8 | # Domain for process.
9 | type test_ibpkey_access_t;
10 | testsuite_domain_type(test_ibpkey_access_t)
11 | typeattribute test_ibpkey_access_t ibpkeydomain;
12 |
13 | # ibv_create_cq(3) locks some memory - make sure the domain can do that
14 | # even with strict resource limits.
15 | allow test_ibpkey_access_t self:capability ipc_lock;
16 |
17 | # ibv_get_device_list(3) wants to list the devices via netlink by default
18 | # (if denied it falls back to listing them via sysfs).
19 | allow test_ibpkey_access_t self:netlink_rdma_socket create_socket_perms;
20 |
21 | dev_rw_infiniband_dev(test_ibpkey_access_t)
22 | dev_rw_sysfs(test_ibpkey_access_t)
23 |
24 | # Define a pkey type for labeling pkeys during the test.
25 | type test_ibpkey_t;
26 | ifdef(`corenet_ib_pkey',`
27 | corenet_ib_pkey(test_ibpkey_t)
28 | ')
29 |
30 | ifdef(`corenet_ib_access_unlabeled_pkeys',`
31 | corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t)
32 | ')
33 |
--------------------------------------------------------------------------------
/policy/test_ioctl.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing ioctl permission
4 | #
5 |
6 | attribute ioctldomain;
7 |
8 | # Domain for process that is allowed to perform ioctl.
9 | type test_ioctl_t;
10 | testsuite_domain_type(test_ioctl_t)
11 | typeattribute test_ioctl_t ioctldomain;
12 |
13 | # Domain for process that is not allowed to perform ioctl.
14 | type test_noioctl_t;
15 | testsuite_domain_type(test_noioctl_t)
16 | typeattribute test_noioctl_t ioctldomain;
17 |
18 | # Type for temp test files
19 | type test_ioctl_file_t;
20 | files_type(test_ioctl_file_t)
21 |
22 | # Allow the test domains some access to the temp file
23 | allow test_ioctl_t test_ioctl_file_t:file { open read write ioctl getattr setattr };
24 | allow test_noioctl_t test_ioctl_file_t:file { open read };
25 |
26 |
--------------------------------------------------------------------------------
/policy/test_ioctl_cond_xperms.te:
--------------------------------------------------------------------------------
1 | define(`SIOCGIFNAME', `{ 0x8910 }')
2 | define(`SIOCGIFINDEX', `{ 0x8933 }')
3 |
4 | bool test_ioctl_cond_xperm_switch false;
5 |
6 | # Domain for process that is allowed SIOCGIFNAME on true and SIOCGIFINDEX on false.
7 | type test_ioctl_cond_xperm_a_t;
8 | testsuite_domain_type(test_ioctl_cond_xperm_a_t)
9 | typeattribute test_ioctl_cond_xperm_a_t ioctldomain;
10 | allow test_ioctl_cond_xperm_a_t self:udp_socket { create ioctl };
11 | if (test_ioctl_cond_xperm_switch) {
12 | allowxperm test_ioctl_cond_xperm_a_t self:udp_socket ioctl SIOCGIFNAME;
13 | } else {
14 | allowxperm test_ioctl_cond_xperm_a_t self:udp_socket ioctl SIOCGIFINDEX;
15 | }
16 |
17 | # Domain for process that is allowed SIOCGIFINDEX on true and SIOCGIFNAME on false.
18 | type test_ioctl_cond_xperm_b_t;
19 | testsuite_domain_type(test_ioctl_cond_xperm_b_t)
20 | typeattribute test_ioctl_cond_xperm_b_t ioctldomain;
21 | allow test_ioctl_cond_xperm_b_t self:udp_socket { create ioctl };
22 | if (test_ioctl_cond_xperm_switch) {
23 | allowxperm test_ioctl_cond_xperm_b_t self:udp_socket ioctl SIOCGIFINDEX;
24 | } else {
25 | allowxperm test_ioctl_cond_xperm_b_t self:udp_socket ioctl SIOCGIFNAME;
26 | }
27 |
--------------------------------------------------------------------------------
/policy/test_ioctl_xperms.te:
--------------------------------------------------------------------------------
1 | # include FIOQSIZE ioctl numbers through all arches
2 | define(`FIOQSIZE', `{ 0x545e 0x5460 0x667f 0x6680 }')
3 |
4 | # Domain for process that is allowed the required ioctl xperms.
5 | type test_ioctl_xperm_t;
6 | testsuite_domain_type(test_ioctl_xperm_t)
7 | typeattribute test_ioctl_xperm_t ioctldomain;
8 | allow test_ioctl_xperm_t test_ioctl_file_t:file { open read write ioctl getattr setattr };
9 | allowxperm test_ioctl_xperm_t test_ioctl_file_t:file ioctl FIOQSIZE;
10 |
11 | # Domain for process that is not allowed the required ioctl xperms.
12 | type test_ioctl_noxperm_t;
13 | testsuite_domain_type(test_ioctl_noxperm_t)
14 | typeattribute test_ioctl_noxperm_t ioctldomain;
15 | allow test_ioctl_noxperm_t test_ioctl_file_t:file { open read getattr setattr ioctl };
16 | allowxperm test_ioctl_noxperm_t test_ioctl_file_t:file ioctl ~FIOQSIZE;
17 |
--------------------------------------------------------------------------------
/policy/test_mlsconstrain.cil:
--------------------------------------------------------------------------------
1 | (mlsconstrain (peer (recv)) (or (dom l1 l2) (and (neq t1 mcs_constrained_type) (neq t2 mcs_constrained_type))))
2 | (mlsconstrain (packet (recv)) (or (dom l1 l2) (and (neq t1 mcs_constrained_type) (neq t2 mcs_constrained_type))))
3 |
--------------------------------------------------------------------------------
/policy/test_netlink_socket.te:
--------------------------------------------------------------------------------
1 | ########################################
2 | #
3 | # Policy for testing the new netlink socket classes.
4 |
5 | attribute netlinksocktestdomain;
6 |
7 | #
8 | # netlink_socket_test(newclass)
9 | #
10 | # Generate a pair of test domains and rules to test
11 | # that the kernel checks permission against the
12 | # 'newclass' security class rather than the generic
13 | # 'netlink_socket' security class.
14 | #
15 | define(`netlink_socket_test', `
16 | # Domain that is allowed to create $1_socket.
17 | type test_$1_t;
18 | testsuite_domain_type(test_$1_t)
19 | typeattribute test_$1_t netlinksocktestdomain;
20 |
21 | # Allow $1 but not netlink_socket.
22 | # This is to ensure that the kernel is checking the right class.
23 | allow test_$1_t self:$1 create_socket_perms;
24 |
25 | # Domain that is not allowed to create $1.
26 | type test_no_$1_t;
27 | testsuite_domain_type(test_no_$1_t)
28 | typeattribute test_no_$1_t netlinksocktestdomain;
29 |
30 | # Allow netlink_socket but not $1.
31 | # This is to ensure that the kernel is checking the right class.
32 | allow test_no_$1_t self:netlink_socket create_socket_perms;
33 | ')
34 |
35 | netlink_socket_test(netlink_iscsi_socket)
36 | netlink_socket_test(netlink_netfilter_socket)
37 | netlink_socket_test(netlink_generic_socket)
38 | netlink_socket_test(netlink_crypto_socket)
39 |
40 | #
41 | # Common rules for all netlink socket class test domains.
42 | #
43 |
44 | # Trigger kernel module auto-loading of the protocol implementations.
45 | kernel_request_load_module(netlinksocktestdomain)
46 |
--------------------------------------------------------------------------------
/policy/test_nlmsg.te:
--------------------------------------------------------------------------------
1 | ########################################
2 | #
3 | # Policy for testing the nlmsg extended permissions.
4 |
5 | define(`RTM_GETLINK', `18')
6 | define(`RTM_SETLINK', `19')
7 | define(`RTM_GETADDR', `22')
8 |
9 | attribute nlmsgtestdomain;
10 |
11 | # Domain that is allowed the nlmsg extended permissions.
12 | type test_nlmsg_xperm_t;
13 | typeattribute test_nlmsg_xperm_t nlmsgtestdomain;
14 | testsuite_domain_type(test_nlmsg_xperm_t)
15 | allow test_nlmsg_xperm_t self:netlink_route_socket create_socket_perms;
16 | # Also allow the legacy nlmsg_read/write permissions to ensure no false positives.
17 | allow test_nlmsg_xperm_t self:netlink_route_socket { nlmsg nlmsg_read nlmsg_write };
18 | allowxperm test_nlmsg_xperm_t self:netlink_route_socket nlmsg { RTM_GETLINK RTM_SETLINK RTM_GETADDR };
19 |
20 | # Domain that is not allowed the nlmsg extended permissions.
21 | type test_nlmsg_noxperm_t;
22 | typeattribute test_nlmsg_noxperm_t nlmsgtestdomain;
23 | testsuite_domain_type(test_nlmsg_noxperm_t)
24 | allow test_nlmsg_noxperm_t self:netlink_route_socket create_socket_perms;
25 | # Also allow the legacy nlmsg_read/write permissions to ensure no false positives.
26 | allow test_nlmsg_noxperm_t self:netlink_route_socket { nlmsg nlmsg_read nlmsg_write };
27 | allowxperm test_nlmsg_noxperm_t self:netlink_route_socket nlmsg ~{ RTM_GETLINK RTM_SETLINK RTM_GETADDR };
28 |
29 | #
30 | # Common rules for all nlmsg test domains.
31 | #
32 |
33 | # Trigger kernel module auto-loading of the protocol implementations.
34 | kernel_request_load_module(nlmsgtestdomain)
35 |
--------------------------------------------------------------------------------
/policy/test_open.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing open operation
4 | #
5 |
6 | attribute test_open_domain;
7 |
8 | # Types for test file.
9 | type test_open_file_t;
10 | files_type(test_open_file_t)
11 |
12 | # Domain for process that can open the test file for reading and writing.
13 | type test_open_t;
14 | testsuite_domain_type(test_open_t)
15 | typeattribute test_open_t test_open_domain;
16 | allow test_open_t test_open_file_t:file rw_file_perms;
17 |
18 | # Domain for process that cannot open the test file for reading or writing.
19 | type test_noopen_t;
20 | testsuite_domain_type(test_noopen_t)
21 | typeattribute test_noopen_t test_open_domain;
22 | # Allow open permission so that this tests read/write permissions.
23 | # TBD: Add separate tests for open permission itself.
24 | allow test_noopen_t test_open_file_t:file { getattr open };
25 |
26 | # Domain for process that can open test file for writing with O_APPEND.
27 | type test_append_t;
28 | testsuite_domain_type(test_append_t)
29 | typeattribute test_append_t test_open_domain;
30 | allow test_append_t test_open_file_t:file append_file_perms;
31 |
--------------------------------------------------------------------------------
/policy/test_overlay_defaultrange.cil:
--------------------------------------------------------------------------------
1 | (defaultrange file target low)
2 | (defaultrange dir target low)
3 | (defaultrange lnk_file target low)
4 | (defaultrange chr_file target low)
5 | (defaultrange blk_file target low)
6 | (defaultrange sock_file target low)
7 | (defaultrange fifo_file target low)
8 |
--------------------------------------------------------------------------------
/policy/test_prlimit.te:
--------------------------------------------------------------------------------
1 | ########################################
2 | #
3 | # Policy for testing prlimit(2) permission checks.
4 |
5 | attribute prlimittestdomain;
6 |
7 | # prlimit_test(permission)
8 | # Generate a pair of test domains and rules for
9 | # testing the specified permission check.
10 | #
11 | define(`prlimit_test', `
12 | # Domain that is allowed $1 permission to the child.
13 | type test_$1_t;
14 | testsuite_domain_type(test_$1_t)
15 | typeattribute test_$1_t prlimittestdomain;
16 |
17 | # Child domain
18 | type test_$1_child_t;
19 | testsuite_domain_type(test_$1_child_t)
20 | typeattribute test_$1_child_t prlimittestdomain;
21 |
22 | # Transition from parent to child.
23 | spec_domtrans_pattern(test_$1_t, test_file_t, test_$1_child_t)
24 |
25 | # Allow parent $1 to child.
26 | allow test_$1_t test_$1_child_t:process $1;
27 |
28 | # Domain that is not allowed $1 permission.
29 | type test_no_$1_t;
30 | testsuite_domain_type(test_no_$1_t)
31 | typeattribute test_no_$1_t prlimittestdomain;
32 |
33 | # Transition from parent to child.
34 | spec_domtrans_pattern(test_no_$1_t, test_file_t, test_$1_child_t)
35 | ')
36 |
37 | prlimit_test(setrlimit)
38 | prlimit_test(getrlimit)
39 |
--------------------------------------------------------------------------------
/policy/test_ptrace.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing ptrace call
4 | #
5 |
6 | attribute ptracedomain;
7 |
8 | # Domain for process that is allowed to trace.
9 | type test_ptrace_tracer_t;
10 | testsuite_domain_type(test_ptrace_tracer_t)
11 | typeattribute test_ptrace_tracer_t ptracedomain;
12 | allow test_ptrace_tracer_t self:capability sys_ptrace;
13 |
14 | # Domain for process that is not allowed to trace.
15 | type test_ptrace_nottracer_t;
16 | testsuite_domain_type(test_ptrace_nottracer_t)
17 | typeattribute test_ptrace_nottracer_t ptracedomain;
18 | allow test_ptrace_nottracer_t self:capability sys_ptrace;
19 |
20 | # Domain for process that is to be traced.
21 | type test_ptrace_traced_t;
22 | testsuite_domain_type(test_ptrace_traced_t)
23 | typeattribute test_ptrace_traced_t ptracedomain;
24 |
25 | # For writing to flag file:
26 | allow test_ptrace_traced_t test_file_t:fifo_file rw_file_perms;
27 |
28 | # Allow the tracer domain to trace the traced domain.
29 | allow test_ptrace_tracer_t test_ptrace_traced_t:process ptrace;
30 |
31 | # Let the tracer wait on the traced domain.
32 | allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;
33 |
--------------------------------------------------------------------------------
/policy/test_readlink.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing readlink and follow_link operations
4 | #
5 |
6 | attribute test_readlink_domain;
7 |
8 | # Types for test file and test symbolic link.
9 | type test_readlink_file_t;
10 | type test_readlink_link_t;
11 | files_type(test_readlink_file_t)
12 | files_type(test_readlink_link_t)
13 |
14 | # Domain for process that can read and follow the symbolic link.
15 | type test_readlink_t;
16 | testsuite_domain_type(test_readlink_t)
17 | typeattribute test_readlink_t test_readlink_domain;
18 | allow test_readlink_t test_readlink_file_t:file { getattr read };
19 | allow test_readlink_t test_readlink_link_t:lnk_file { getattr read };
20 |
21 | # Domain for process that cannot read or follow the symbolic link.
22 | type test_noreadlink_t;
23 | testsuite_domain_type(test_noreadlink_t)
24 | typeattribute test_noreadlink_t test_readlink_domain;
25 | allow test_noreadlink_t test_readlink_file_t:file { getattr read };
26 | allow test_noreadlink_t test_readlink_link_t:lnk_file { getattr };
27 |
28 | # TODO: Needs to be translated into refpolicy... how?
29 | require {
30 | type ls_exec_t;
31 | }
32 | domain_entry_file(test_readlink_domain, ls_exec_t)
33 |
--------------------------------------------------------------------------------
/policy/test_relabel.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing relabel (chsid) operations
4 | #
5 |
6 | attribute test_relabel_domain;
7 |
8 | # Original and new types for the test file.
9 | type test_relabel_oldtype_t;
10 | type test_relabel_newtype_t;
11 | files_type(test_relabel_oldtype_t)
12 | files_type(test_relabel_newtype_t)
13 |
14 | # Domain for process that can relabel the test file.
15 | type test_relabel_t;
16 | testsuite_domain_type(test_relabel_t)
17 | domain_obj_id_change_exemption(test_relabel_t)
18 | typeattribute test_relabel_t test_relabel_domain;
19 | allow test_relabel_t test_relabel_oldtype_t:file { getattr relabelfrom };
20 | allow test_relabel_t test_relabel_newtype_t:file { getattr relabelto };
21 |
22 | # Domain for process that lacks relabelfrom permission to the old type.
23 | type test_norelabelfrom_t;
24 | testsuite_domain_type(test_norelabelfrom_t)
25 | domain_obj_id_change_exemption(test_norelabelfrom_t)
26 | typeattribute test_norelabelfrom_t test_relabel_domain;
27 | allow test_norelabelfrom_t test_relabel_oldtype_t:file { getattr };
28 | allow test_norelabelfrom_t test_relabel_newtype_t:file { getattr relabelto };
29 |
30 | # Domain for process that lacks relabelto permission to the new type.
31 | type test_norelabelto_t;
32 | testsuite_domain_type(test_norelabelto_t)
33 | domain_obj_id_change_exemption(test_norelabelto_t)
34 | typeattribute test_norelabelto_t test_relabel_domain;
35 | allow test_norelabelto_t test_relabel_oldtype_t:file { getattr relabelfrom };
36 | allow test_norelabelto_t test_relabel_newtype_t:file { getattr };
37 |
--------------------------------------------------------------------------------
/policy/test_rxdir.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing read and search access to a directory.
4 | #
5 |
6 | attribute test_rxdir_domain;
7 |
8 | # Type for top-level test directory in which the tests are performed.
9 | type test_rxdir_dir_t;
10 | files_type(test_rxdir_dir_t)
11 |
12 | # Domain for process that can read but not search the directory.
13 | type test_rdir_t;
14 | testsuite_domain_type(test_rdir_t)
15 | typeattribute test_rdir_t test_rxdir_domain;
16 | allow test_rdir_t test_rxdir_dir_t:dir { getattr read open };
17 | allow test_rdir_t test_rxdir_dir_t:file { getattr };
18 |
19 | # Domain for process that can search but not read the directory.
20 | type test_xdir_t;
21 | testsuite_domain_type(test_xdir_t)
22 | typeattribute test_xdir_t test_rxdir_domain;
23 | allow test_xdir_t test_rxdir_dir_t:dir search_dir_perms;
24 | allow test_xdir_t test_rxdir_dir_t:file { getattr };
25 |
26 | # TODO: How to translate this into refpolicy????
27 | # Allow all of these domains to be entered from sysadm domain
28 | require {
29 | type ls_exec_t;
30 | }
31 | domain_entry_file(test_rxdir_domain, ls_exec_t)
32 |
--------------------------------------------------------------------------------
/policy/test_setattr.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing setattr operations
4 | #
5 |
6 | attribute test_setattr_domain;
7 |
8 | # Types for test file.
9 | type test_setattr_file_t;
10 | files_type(test_setattr_file_t)
11 |
12 | # Domain for process that can set attributes on the test file.
13 | type test_setattr_t;
14 | testsuite_domain_type(test_setattr_t)
15 | typeattribute test_setattr_t test_setattr_domain;
16 | allow test_setattr_t self:capability chown;
17 | allow test_setattr_t test_setattr_file_t:file { getattr setattr write };
18 |
19 | # Domain for process that cannot set attributes on the test file.
20 | type test_nosetattr_t;
21 | testsuite_domain_type(test_nosetattr_t)
22 | typeattribute test_nosetattr_t test_setattr_domain;
23 | allow test_nosetattr_t self:capability chown;
24 | allow test_nosetattr_t test_setattr_file_t:file { getattr write };
25 |
--------------------------------------------------------------------------------
/policy/test_setnice.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing setnice permission
4 | #
5 |
6 | attribute setnicedomain;
7 |
8 | # Domain for process whose nice can be set.
9 | type test_setnice_set_t;
10 | testsuite_domain_type(test_setnice_set_t)
11 | typeattribute test_setnice_set_t setnicedomain;
12 |
13 | # Domain for process whose nice cannot be set.
14 | type test_setnice_noset_t;
15 | testsuite_domain_type(test_setnice_noset_t)
16 | typeattribute test_setnice_noset_t setnicedomain;
17 |
18 | # Domain for parent process.
19 | type test_setnice_change_t;
20 | testsuite_domain_type(test_setnice_change_t)
21 | typeattribute test_setnice_change_t setnicedomain;
22 |
23 | domain_transition_pattern(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t})
24 | allow test_setnice_change_t test_setnice_set_t:fd use;
25 | allow test_setnice_set_t test_setnice_change_t:fd use;
26 | allow test_setnice_set_t test_setnice_change_t:fifo_file rw_file_perms;
27 | allow test_setnice_set_t test_setnice_change_t:process sigchld;
28 | allow test_setnice_set_t test_setnice_change_t:file rw_file_perms;
29 | allow test_setnice_change_t test_setnice_noset_t:fd use;
30 | allow test_setnice_noset_t test_setnice_change_t:fd use;
31 | allow test_setnice_noset_t test_setnice_change_t:fifo_file rw_file_perms;
32 | allow test_setnice_noset_t test_setnice_change_t:process sigchld;
33 | allow test_setnice_noset_t test_setnice_change_t:file rw_file_perms;
34 |
35 | allow test_setnice_change_t test_setnice_set_t:process setsched;
36 |
--------------------------------------------------------------------------------
/policy/test_sigkill.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing the task_kill hook
4 | #
5 |
6 | attribute killdomain;
7 |
8 | # Domain for process that receives the signals.
9 | type test_kill_server_t;
10 | testsuite_domain_type(test_kill_server_t)
11 | typeattribute test_kill_server_t killdomain;
12 |
13 | # For writing to flag file:
14 | allow test_kill_server_t test_file_t:fifo_file rw_file_perms;
15 |
16 | # Domain for process that is allowed to send sigkill.
17 | type test_kill_sigkill_t;
18 | testsuite_domain_type(test_kill_sigkill_t)
19 | typeattribute test_kill_sigkill_t killdomain;
20 | allow test_kill_sigkill_t test_kill_server_t:process sigkill;
21 |
22 | # Domain for process that is allowed to send sigstop.
23 | type test_kill_sigstop_t;
24 | testsuite_domain_type(test_kill_sigstop_t)
25 | typeattribute test_kill_sigstop_t killdomain;
26 | allow test_kill_sigstop_t test_kill_server_t:process sigstop;
27 |
28 | # Domain for process that is allowed to send sigchld.
29 | type test_kill_sigchld_t;
30 | testsuite_domain_type(test_kill_sigchld_t)
31 | typeattribute test_kill_sigchld_t killdomain;
32 | allow test_kill_sigchld_t test_kill_server_t:process sigchld;
33 |
34 | # Domain for process that is allowed to send other signals.
35 | type test_kill_signal_t;
36 | testsuite_domain_type(test_kill_signal_t)
37 | typeattribute test_kill_signal_t killdomain;
38 |
39 | allow test_kill_signal_t test_kill_server_t:process signal;
40 |
--------------------------------------------------------------------------------
/policy/test_stat.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing stat operations
4 | #
5 |
6 | attribute test_stat_domain;
7 |
8 | # Types for test file.
9 | type test_stat_file_t;
10 | files_type(test_stat_file_t)
11 |
12 | # Domain for process that can get attributes on the test file.
13 | type test_stat_t;
14 | testsuite_domain_type(test_stat_t)
15 | typeattribute test_stat_t test_stat_domain;
16 | allow test_stat_t test_stat_file_t:file getattr;
17 |
18 | # Domain for process that cannot set attributes on the test file.
19 | type test_nostat_t;
20 | testsuite_domain_type(test_nostat_t)
21 | typeattribute test_nostat_t test_stat_domain;
22 |
23 | # TODO: what is a replacement for this in refpolicy???
24 | # Allow entering test domains via ls_exec_t.
25 | require {
26 | type ls_exec_t;
27 | }
28 | domain_entry_file(test_stat_domain, ls_exec_t)
29 |
--------------------------------------------------------------------------------
/policy/test_sysctl.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing sysctl permission
4 | #
5 |
6 | attribute sysctldomain;
7 |
8 | # Domain for process that is allowed to perform sysctl.
9 | type test_sysctl_t;
10 | testsuite_domain_type(test_sysctl_t)
11 | typeattribute test_sysctl_t sysctldomain;
12 |
13 | # Domain for process that is not allowed to perform sysctl.
14 | type test_nosysctl_t;
15 | testsuite_domain_type(test_nosysctl_t)
16 | typeattribute test_nosysctl_t sysctldomain;
17 |
18 | # Allow the first domain to perform sysctl operations.
19 | kernel_rw_all_sysctls(test_sysctl_t)
20 |
21 | # Allow the second domain to search /proc/sys/kernel, but nothing more.
22 | allow test_nosysctl_t sysctl_type:dir search;
23 |
--------------------------------------------------------------------------------
/policy/test_task_create.te:
--------------------------------------------------------------------------------
1 | #########################################
2 | #
3 | # Policy for testing the selinux_task_create hook
4 | #
5 |
6 | attribute test_create_d;
7 |
8 | # Domain for process allowed to fork.
9 | type test_create_yes_t;
10 | testsuite_domain_type(test_create_yes_t)
11 | typeattribute test_create_yes_t test_create_d;
12 |
13 | # Domain for process not allowed to fork.
14 | # The same permissions as test_create_yes_t, except process fork
15 | type test_create_no_t;
16 | # In refpolicy, all types with "domain" attribute are allowed
17 | # process_fork. Thus, to prevent test_create_no_t from picking up this
18 | # permission so we can test it, we omit the domain attribute.
19 | # Ideally, refpolicy would _not_ grant such permissions to every domain,
20 | # as it makes the permission effectively unusable in real policy.
21 | testsuite_domain_type_minimal(test_create_no_t)
22 | typeattribute test_create_no_t test_create_d;
23 |
--------------------------------------------------------------------------------
/policy/test_task_getpgid.te:
--------------------------------------------------------------------------------
1 | #########################################
2 | #
3 | # Policy for testing the selinux_task_getpgid hook.
4 | #
5 |
6 | attribute test_getpgid_d;
7 |
8 | # Domain for the target process
9 | type test_getpgid_target_t;
10 | testsuite_domain_type(test_getpgid_target_t)
11 | typeattribute test_getpgid_target_t test_getpgid_d;
12 |
13 | # For writing to flag file:
14 | allow test_getpgid_target_t test_file_t:fifo_file rw_file_perms;
15 |
16 | # Domain that can get the target's process group ID.
17 | type test_getpgid_yes_t;
18 | testsuite_domain_type(test_getpgid_yes_t)
19 | typeattribute test_getpgid_yes_t test_getpgid_d;
20 |
21 | # Domain that cannot get the target's process group ID.
22 | type test_getpgid_no_t;
23 | testsuite_domain_type(test_getpgid_no_t)
24 | typeattribute test_getpgid_no_t test_getpgid_d;
25 |
26 | # Give test_getpgid_yes_t the permission needed.
27 | allow test_getpgid_yes_t test_getpgid_target_t:process getpgid;
28 |
--------------------------------------------------------------------------------
/policy/test_task_getsched.te:
--------------------------------------------------------------------------------
1 | #########################################
2 | #
3 | # Policy for testing the selinux_task_getscheduler hook.
4 | #
5 |
6 | attribute test_getsched_d;
7 |
8 | # Domain for the target process
9 | type test_getsched_target_t;
10 | testsuite_domain_type(test_getsched_target_t)
11 | typeattribute test_getsched_target_t test_getsched_d;
12 |
13 | # For writing to flag file:
14 | allow test_getsched_target_t test_file_t:fifo_file rw_file_perms;
15 |
16 | # Domain that can get the target's scheduling policy.
17 | type test_getsched_yes_t;
18 | testsuite_domain_type(test_getsched_yes_t)
19 | typeattribute test_getsched_yes_t test_getsched_d;
20 |
21 | # Domain that cannot get the target's scheduling policy.
22 | type test_getsched_no_t;
23 | testsuite_domain_type(test_getsched_no_t)
24 | typeattribute test_getsched_no_t test_getsched_d;
25 |
26 | # Give test_getsched_yes_t the permission needed.
27 | allow test_getsched_yes_t test_getsched_target_t:process getsched;
28 |
--------------------------------------------------------------------------------
/policy/test_task_getsid.te:
--------------------------------------------------------------------------------
1 | #########################################
2 | #
3 | # Policy for testing the selinux_task_getsid hook.
4 | #
5 |
6 | attribute test_getsid_d;
7 |
8 | # Domain for the target process
9 | type test_getsid_target_t;
10 | testsuite_domain_type(test_getsid_target_t)
11 | typeattribute test_getsid_target_t test_getsid_d;
12 |
13 | # For writing to flag file:
14 | allow test_getsid_target_t test_file_t:fifo_file rw_file_perms;
15 |
16 | # Domain that can get the target's session ID.
17 | type test_getsid_yes_t;
18 | testsuite_domain_type(test_getsid_yes_t)
19 | typeattribute test_getsid_yes_t test_getsid_d;
20 |
21 | # Domain that cannot get the target's session ID.
22 | type test_getsid_no_t;
23 | testsuite_domain_type(test_getsid_no_t)
24 | typeattribute test_getsid_no_t test_getsid_d;
25 |
26 | # Give test_getsid_yes_t the permission needed.
27 | allow test_getsid_yes_t test_getsid_target_t:process getsession;
28 |
--------------------------------------------------------------------------------
/policy/test_task_setpgid.te:
--------------------------------------------------------------------------------
1 | #########################################
2 | #
3 | # Policy for testing the selinux_task_setpgid hook
4 | #
5 |
6 | attribute test_setpgid_d;
7 |
8 | # Domain for process allowed to setpgid
9 | type test_setpgid_yes_t;
10 | testsuite_domain_type(test_setpgid_yes_t)
11 | typeattribute test_setpgid_yes_t test_setpgid_d;
12 |
13 | # Domain for process not allowed to setpgid.
14 | # The same permissions as test_setpgid_yes_t, except process setpgid
15 | type test_setpgid_no_t;
16 | testsuite_domain_type_minimal(test_setpgid_no_t)
17 | typeattribute test_setpgid_no_t test_setpgid_d;
18 |
--------------------------------------------------------------------------------
/policy/test_task_setsched.te:
--------------------------------------------------------------------------------
1 | #########################################
2 | #
3 | # Policy for testing the selinux_task_setnice and
4 | # selinux_task_setscheduler hooks.
5 | #
6 |
7 | attribute test_setsched_d;
8 |
9 | # Domain for the target process
10 | type test_setsched_target_t;
11 | testsuite_domain_type(test_setsched_target_t)
12 | typeattribute test_setsched_target_t test_setsched_d;
13 |
14 | # For writing to flag file:
15 | allow test_setsched_target_t test_file_t:fifo_file rw_file_perms;
16 |
17 | # Domain that can change the target's priority and scheduling policy.
18 | type test_setsched_yes_t;
19 | testsuite_domain_type(test_setsched_yes_t)
20 | typeattribute test_setsched_yes_t test_setsched_d;
21 |
22 | # Domain that cannot change the target's priority or scheduling policy.
23 | type test_setsched_no_t;
24 | testsuite_domain_type(test_setsched_no_t)
25 | typeattribute test_setsched_no_t test_setsched_d;
26 |
27 | # Give these domains the capability needed to change the target.
28 | allow test_setsched_d self:capability sys_nice;
29 |
30 | # Give test_setsched_yes_t the permission needed to change the target.
31 | allow test_setsched_yes_t test_setsched_target_t:process setsched;
32 |
--------------------------------------------------------------------------------
/policy/test_transition.te:
--------------------------------------------------------------------------------
1 | #################################
2 | #
3 | # Policy for testing process transition permission
4 | #
5 |
6 | attribute transitiondomain;
7 |
8 | # Domain for process that is allowed to transition to the new domain.
9 | type test_transition_fromdomain_t;
10 | testsuite_domain_type(test_transition_fromdomain_t)
11 | typeattribute test_transition_fromdomain_t transitiondomain;
12 |
13 | # Domain for process that is not allowed to transition to the new domain.
14 | type test_transition_notfromdomain_t;
15 | testsuite_domain_type(test_transition_notfromdomain_t)
16 | typeattribute test_transition_notfromdomain_t transitiondomain;
17 |
18 | # New domain for the process after the transition.
19 | type test_transition_todomain_t;
20 | testsuite_domain_type(test_transition_todomain_t)
21 | typeattribute test_transition_todomain_t transitiondomain;
22 |
23 | # Allow the fromdomain to transition to the new domain.
24 | domain_transition_pattern(test_transition_fromdomain_t,bin_t,test_transition_todomain_t)
25 | allow test_transition_fromdomain_t test_transition_todomain_t:fd use;
26 | allow test_transition_todomain_t test_transition_fromdomain_t:fd use;
27 |
--------------------------------------------------------------------------------
/policy/test_watchkey.te:
--------------------------------------------------------------------------------
1 | #
2 | ######### Check watch_queue for key changes policy module ##########
3 | #
4 | attribute watchkeydomain;
5 |
6 | ################# Allow watch_queue key { view } ##########################
7 | type test_watchkey_t;
8 | # Note: allow rules for pipe2(2) 'fifo_file { ioctl }' are set via domain_type()
9 | testsuite_domain_type(test_watchkey_t)
10 | typeattribute test_watchkey_t watchkeydomain;
11 |
12 | allow test_watchkey_t self:key { view };
13 |
14 | ################# Deny watch_queue key { view } ##########################
15 | type test_watchkey_no_view_t;
16 | testsuite_domain_type(test_watchkey_no_view_t)
17 | typeattribute test_watchkey_no_view_t watchkeydomain;
18 |
--------------------------------------------------------------------------------
/tests/atsecure/.gitignore:
--------------------------------------------------------------------------------
1 | atsecure
2 | evil.so
3 | good
4 |
--------------------------------------------------------------------------------
/tests/atsecure/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=atsecure good evil.so
2 |
3 | all: $(TARGETS)
4 |
5 | evil.so: evil.c
6 | $(CC) -shared -o $@ -fPIC $<
7 |
8 | clean:
9 | rm -f $(TARGETS)
10 |
--------------------------------------------------------------------------------
/tests/atsecure/atsecure.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 | int main(void)
7 | {
8 | return getauxval(AT_SECURE);
9 |
10 | }
11 |
--------------------------------------------------------------------------------
/tests/atsecure/evil.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 | uid_t getuid(void)
7 | {
8 | printf("Evil code ran!\n");
9 | exit(1);
10 | }
11 |
--------------------------------------------------------------------------------
/tests/atsecure/good.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 | int main(void)
7 | {
8 | printf("%u\n", getuid());
9 | exit(0);
10 | }
11 |
--------------------------------------------------------------------------------
/tests/atsecure/test:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 |
3 | use Test;
4 | BEGIN { plan tests => 4 }
5 |
6 | $basedir = $0;
7 | $basedir =~ s|(.*)/[^/]*|$1|;
8 |
9 | # Verify that AT_SECURE is 1 when noatsecure permission is not allowed.
10 | $result = system(
11 | "runcon -t test_atsecure_denied_t -- runcon -t test_atsecure_newdomain_t $basedir/atsecure"
12 | );
13 | ok($result);
14 |
15 | # Verify that AT_SECURE is 0 when noatsecure permission is allowed.
16 | $result = system(
17 | "runcon -t test_atsecure_allowed_t -- runcon -t test_atsecure_newdomain_t $basedir/atsecure"
18 | );
19 | ok( $result, 0 );
20 |
21 | # Verify that LD_PRELOAD is ignored when noatsecure permission is not allowed.
22 | $result = system(
23 | "runcon -t test_atsecure_denied_t -- env LD_PRELOAD=$basedir/evil.so runcon -t test_atsecure_newdomain_t $basedir/good"
24 | );
25 | ok( $result, 0 );
26 |
27 | # Verify that LD_PRELOAD is honored when noatsecure permission is allowed.
28 | $result = system(
29 | "runcon -t test_atsecure_allowed_t -- env LD_PRELOAD=$basedir/evil.so runcon -t test_atsecure_newdomain_t $basedir/good"
30 | );
31 | ok($result);
32 |
--------------------------------------------------------------------------------
/tests/binder/.gitignore:
--------------------------------------------------------------------------------
1 | check_binder
2 | check_binderfs
3 | manager
4 | service_provider
5 | client
6 |
--------------------------------------------------------------------------------
/tests/binder/Makefile:
--------------------------------------------------------------------------------
1 | # Required for local building
2 | INCLUDEDIR ?= /usr/include
3 |
4 | TARGETS = check_binder client manager service_provider
5 | LDLIBS += -lselinux -lrt
6 | DEPS = binder_common.c binder_common.h
7 |
8 | ifeq ($(shell test -e $(INCLUDEDIR)/linux/android/binderfs.h && echo true),true)
9 | CFLAGS += -DHAVE_BINDERFS
10 | TARGETS += check_binderfs
11 | endif
12 |
13 | ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS)))
14 | DEPS += ../bpf/bpf_common.c ../bpf/bpf_common.h
15 | LDLIBS += -lbpf
16 | endif
17 |
18 | all: $(TARGETS)
19 |
20 | clean:
21 | rm -f $(TARGETS) manager_flag service_provider_flag
22 |
23 | $(TARGETS): $(DEPS)
24 |
--------------------------------------------------------------------------------
/tests/binder/check_binder.c:
--------------------------------------------------------------------------------
1 | #include "binder_common.h"
2 |
3 | static void usage(char *progname)
4 | {
5 | fprintf(stderr,
6 | "usage: %s [-v]\n"
7 | "Where:\n\t"
8 | "-v Print binder version.\n", progname);
9 | exit(-1);
10 | }
11 |
12 | int main(int argc, char **argv)
13 | {
14 | int opt, result, fd;
15 | struct binder_version vers;
16 |
17 | while ((opt = getopt(argc, argv, "v")) != -1) {
18 | switch (opt) {
19 | case 'v':
20 | verbose = true;
21 | break;
22 | default:
23 | usage(argv[0]);
24 | }
25 | }
26 |
27 | fd = open(BINDER_DEV, O_RDWR | O_CLOEXEC);
28 | if (fd < 0) {
29 | fprintf(stderr, "Cannot open: %s error: %s\n",
30 | BINDER_DEV, strerror(errno));
31 | return NO_BINDER_SUPPORT;
32 | }
33 |
34 | result = ioctl(fd, BINDER_VERSION, &vers);
35 | if (result < 0) {
36 | fprintf(stderr, "ioctl BINDER_VERSION: %s\n",
37 | strerror(errno));
38 | result = BINDER_ERROR;
39 | goto brexit;
40 | }
41 |
42 | if (vers.protocol_version != BINDER_CURRENT_PROTOCOL_VERSION) {
43 | fprintf(stderr,
44 | "Binder kernel version: %d differs from user space version: %d\n",
45 | vers.protocol_version,
46 | BINDER_CURRENT_PROTOCOL_VERSION);
47 | result = BINDER_VER_ERROR;
48 | goto brexit;
49 | }
50 |
51 | if (verbose)
52 | printf("Binder kernel version: %d\n", vers.protocol_version);
53 |
54 | result = BASE_BINDER_SUPPORT;
55 |
56 | brexit:
57 | close(fd);
58 |
59 | return result;
60 | }
61 |
--------------------------------------------------------------------------------
/tests/binder/cleanup_binder.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | umount binder 2>/dev/null
4 | rmdir /dev/binderfs 2>/dev/null
5 |
--------------------------------------------------------------------------------
/tests/binder/init_binder.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | binder_dir=$(dirname $0)
4 | kvercmp=$binder_dir/../kvercmp
5 |
6 | # If < 5.4 then /dev/binder is automatically assigned by binder driver
7 | # when CONFIG_ANDROID_BINDER_DEVICES="binder"
8 | if [ "$($kvercmp $(uname -r) 5.4)" -lt 0 ]; then
9 | $binder_dir/check_binder $1 2>/dev/null
10 | rc=$?
11 | if [ $rc -ne 1 ]; then
12 | exit $rc
13 | fi
14 | # Have BASE_BINDER_SUPPORT
15 | if [ "$1" = '-v' ]; then
16 | echo "Using: /dev/binder"
17 | fi
18 |
19 | exit $rc
20 | else
21 | # From 5.4 generate a binder device using binderfs services
22 | mkdir /dev/binderfs 2>/dev/null
23 | mount -t binder binder /dev/binderfs -o context=system_u:object_r:device_t:s0 2>/dev/null
24 | $binder_dir/check_binderfs $1 2>/dev/null
25 | rc=$?
26 | if [ $rc -ne 2 ]; then
27 | umount binder 2>/dev/null
28 | rmdir /dev/binderfs 2>/dev/null
29 | exit $rc
30 | fi
31 | # Have BINDERFS_SUPPORT
32 | if [ "$1" = '-v' ]; then
33 | echo "Using: /dev/binder-test"
34 | fi
35 |
36 | exit $rc
37 | fi
38 |
--------------------------------------------------------------------------------
/tests/bounds/.gitignore:
--------------------------------------------------------------------------------
1 | thread
2 |
--------------------------------------------------------------------------------
/tests/bounds/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=$(patsubst %.c,%,$(wildcard *.c))
2 |
3 | LDLIBS += -lselinux -lpthread
4 |
5 | all: $(TARGETS)
6 | clean:
7 | rm -f $(TARGETS) bounds_file*
8 |
--------------------------------------------------------------------------------
/tests/bpf/.gitignore:
--------------------------------------------------------------------------------
1 | bpf_test
2 | bpf_common
3 |
--------------------------------------------------------------------------------
/tests/bpf/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS = bpf_test
2 | DEPS = bpf_common.c bpf_common.h
3 | LDLIBS += -lselinux -lbpf
4 |
5 | # export so that BPF_ENABLED entries get built correctly on local build
6 | export CFLAGS += -DHAVE_BPF
7 |
8 | BPF_ENABLED = ../fdreceive ../binder
9 |
10 | all: $(TARGETS)
11 | @set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i all ; done
12 |
13 | clean:
14 | rm -f $(TARGETS) test_sock flag *_flag
15 | @set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i clean ; done
16 |
17 | $(TARGETS): $(DEPS)
18 |
--------------------------------------------------------------------------------
/tests/bpf/bpf_common.h:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 |
12 | extern int create_bpf_map(void);
13 | extern int create_bpf_prog(void);
14 | extern void bpf_setrlimit(void);
15 |
16 | /* edited eBPF instruction library */
17 | /* Short form of mov, dst_reg = imm32 */
18 | #define BPF_MOV64_IMM(DST, IMM) \
19 | ((struct bpf_insn) { \
20 | .code = BPF_ALU64 | BPF_MOV | BPF_K, \
21 | .dst_reg = DST, \
22 | .src_reg = 0, \
23 | .off = 0, \
24 | .imm = IMM })
25 |
26 | /* Program exit */
27 | #define BPF_EXIT_INSN() \
28 | ((struct bpf_insn) { \
29 | .code = BPF_JMP | BPF_EXIT, \
30 | .dst_reg = 0, \
31 | .src_reg = 0, \
32 | .off = 0, \
33 | .imm = 0 })
34 |
35 |
--------------------------------------------------------------------------------
/tests/bpf/bpf_test.c:
--------------------------------------------------------------------------------
1 | #include "bpf_common.h"
2 |
3 | static void usage(char *progname)
4 | {
5 | fprintf(stderr,
6 | "usage: %s -m|-p [-v]\n"
7 | "Where:\n\t"
8 | "-m Create BPF map fd\n\t"
9 | "-p Create BPF prog fd\n\t"
10 | "-v Print information.\n", progname);
11 | exit(-1);
12 | }
13 |
14 | int main(int argc, char *argv[])
15 | {
16 | int opt, result, fd;
17 | bool verbose = false;
18 | char *context;
19 |
20 | enum {
21 | MAP_FD = 1,
22 | PROG_FD
23 | } bpf_fd_type;
24 |
25 | while ((opt = getopt(argc, argv, "mpv")) != -1) {
26 | switch (opt) {
27 | case 'm':
28 | bpf_fd_type = MAP_FD;
29 | break;
30 | case 'p':
31 | bpf_fd_type = PROG_FD;
32 | break;
33 | case 'v':
34 | verbose = true;
35 | break;
36 | default:
37 | usage(argv[0]);
38 | }
39 | }
40 |
41 | result = getcon(&context);
42 | if (result < 0) {
43 | fprintf(stderr, "Failed to obtain SELinux context\n");
44 | exit(-1);
45 | }
46 |
47 | if (verbose)
48 | printf("Process context:\n\t%s\n", context);
49 |
50 | free(context);
51 |
52 | /* If BPF enabled, then need to set limits */
53 | bpf_setrlimit();
54 |
55 | switch (bpf_fd_type) {
56 | case MAP_FD:
57 | if (verbose)
58 | printf("Creating BPF map\n");
59 |
60 | fd = create_bpf_map();
61 | break;
62 | case PROG_FD:
63 | if (verbose)
64 | printf("Creating BPF prog\n");
65 |
66 | fd = create_bpf_prog();
67 | break;
68 | default:
69 | usage(argv[0]);
70 | }
71 |
72 | if (fd < 0)
73 | return fd;
74 |
75 | close(fd);
76 | return 0;
77 | }
78 |
--------------------------------------------------------------------------------
/tests/cap_userns/.gitignore:
--------------------------------------------------------------------------------
1 | userns_child_exec
2 |
--------------------------------------------------------------------------------
/tests/cap_userns/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=userns_child_exec
2 |
3 | all: $(TARGETS)
4 | clean:
5 | rm -f $(TARGETS)
6 |
--------------------------------------------------------------------------------
/tests/cap_userns/test:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 |
3 | use Test::More;
4 |
5 | BEGIN {
6 | $basedir = $0;
7 | $basedir =~ s|(.*)/[^/]*|$1|;
8 |
9 | if ( -e '/proc/sys/kernel/unprivileged_userns_clone' ) {
10 | system(
11 | "echo 1 > /proc/sys/kernel/unprivileged_userns_clone 2> /dev/null");
12 | }
13 | if ( system("$basedir/userns_child_exec -t -U > /dev/null 2>&1") == 0 ) {
14 | plan tests => 2;
15 | }
16 | else {
17 | plan skip_all => "CLONE_NEWUSER not supported";
18 | }
19 | }
20 |
21 | # Verify that test_cap_userns_t can mount proc within its own mount namespace.
22 |
23 | $result = system(
24 | "runcon -t test_cap_userns_t -- $basedir/userns_child_exec -p -m -U -M '0 0 1' -G '0 0 1' -- true 2>&1"
25 | );
26 | ok( $result eq 0 );
27 |
28 | # Verify that test_no_cap_userns_t cannot mount proc within its own mount namespace.
29 |
30 | $result = system(
31 | "runcon -t test_no_cap_userns_t -- $basedir/userns_child_exec -p -m -U -M '0 0 1' -G '0 0 1' -- true 2>&1"
32 | );
33 | ok($result);
34 |
35 | if ( -e '/proc/sys/kernel/unprivileged_userns_clone' ) {
36 | system("echo 0 > /proc/sys/kernel/unprivileged_userns_clone 2> /dev/null");
37 | }
38 |
--------------------------------------------------------------------------------
/tests/capable_file/.gitignore:
--------------------------------------------------------------------------------
1 | test_lease
2 |
--------------------------------------------------------------------------------
/tests/capable_file/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=$(patsubst %.c,%,$(wildcard *.c))
2 | all: $(TARGETS)
3 | clean:
4 | rm -f $(TARGETS) temp_file temp_file2
5 |
6 |
--------------------------------------------------------------------------------
/tests/capable_file/test_lease.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 |
9 | /*
10 | * Test the fcntl F_SETLEASE operation on a file whose name is given as
11 | * the first argument.
12 | */
13 | int main(int argc, char **argv)
14 | {
15 |
16 | int fd;
17 | int rc;
18 |
19 | if( argc != 2 ) {
20 | printf("usage: %s filename\n", argv[0]);
21 | exit(2);
22 | }
23 |
24 | fd = open(argv[1], O_RDONLY, 0);
25 |
26 | if(fd == -1) {
27 | perror("test_lease:open");
28 | exit(2);
29 | }
30 |
31 | rc = fcntl(fd, F_SETLEASE, 0);
32 | if( rc == -1 ) {
33 | perror("test_lease:F_SETLEASE");
34 | close(fd);
35 | exit(1);
36 | }
37 |
38 | close(fd);
39 | exit(0);
40 |
41 | }
42 |
--------------------------------------------------------------------------------
/tests/capable_net/.gitignore:
--------------------------------------------------------------------------------
1 | test_bind
2 | test_raw
3 |
--------------------------------------------------------------------------------
/tests/capable_net/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=$(patsubst %.c,%,$(wildcard *.c))
2 | all: $(TARGETS)
3 | clean:
4 | rm -f $(TARGETS)
5 |
6 |
--------------------------------------------------------------------------------
/tests/capable_net/test:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 | #
3 | # This test performs checks for network-related capabilties.
4 | #
5 |
6 | use Test;
7 | BEGIN { plan tests => 5 }
8 |
9 | $basedir = $0;
10 | $basedir =~ s|(.*)/[^/]*|$1|;
11 |
12 | # Find a usable ifconfig
13 | if ( -x "/sbin/ifconfig" ) {
14 | $ifconfig = "/sbin/ifconfig";
15 | }
16 | elsif ( -x "/usr/bin/ifconfig" ) {
17 | $ifconfig = "/usr/bin/ifconfig";
18 | }
19 | else {
20 | BAIL_OUT("can not find a copy of ifconfig");
21 | }
22 |
23 | #
24 | # Tests for the good domain.
25 | #
26 | # CAP_NET_ADMIN
27 | $result = system "runcon -t test_ncap_t -- $ifconfig lo -promisc 2>&1";
28 | ok( $result, 0 );
29 |
30 | # CAP_NET_BIND_SERVICE
31 | $result = system "runcon -t test_ncap_t -- $basedir/test_bind 2>&1";
32 | ok( $result, 0 );
33 |
34 | # CAP_NET_BROADCAST - Not done. Kernel does not check this capability yet.
35 |
36 | # CAP_NET_RAW
37 | $result = system "runcon -t test_ncap_t -- $basedir/test_raw 2>&1";
38 | ok( $result, 0 );
39 |
40 | #
41 | # Tests for the bad domain.
42 | #
43 |
44 | # CAP_NET_ADMIN
45 | $result = system "runcon -t test_resncap_t -- $ifconfig lo -promisc 2>&1";
46 | ok($result);
47 |
48 | # CAP_NET_BIND_SERVICE; included in can_network by fedora policy
49 | #$result = system "runcon -t test_resncap_t -- $basedir/test_bind 2>&1";
50 | #ok($result);
51 |
52 | # CAP_NET_RAW - Domain requires rawip_socket create permission
53 | $result = system "runcon -t test_resncap_t -- $basedir/test_raw 2>&1";
54 | ok($result);
55 |
56 | exit;
57 |
--------------------------------------------------------------------------------
/tests/capable_net/test_bind.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 | /*
7 | * Test the bind() operation for a socket that is protected (< 1024).
8 | */
9 | int main(int argc, char **argv)
10 | {
11 |
12 | int fd;
13 | int aport;
14 |
15 | aport = IPPORT_RESERVED - 1;
16 | fd = rresvport(&aport);
17 | if(fd == -1) {
18 | perror("test_bind:rresvport");
19 | exit(1);
20 | }
21 |
22 | close(fd);
23 | exit(0);
24 |
25 | }
26 |
--------------------------------------------------------------------------------
/tests/capable_net/test_raw.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 | /*
7 | * Test the bind() operation for a raw socket.
8 | */
9 | int main(int argc, char **argv)
10 | {
11 |
12 | int fd;
13 |
14 | fd = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
15 | if(fd == -1) {
16 | perror("test_raw:socket");
17 | exit(1);
18 | }
19 |
20 | close(fd);
21 | exit(0);
22 |
23 | }
24 |
--------------------------------------------------------------------------------
/tests/capable_sys/.gitignore:
--------------------------------------------------------------------------------
1 | test_chroot
2 | test_hostname
3 | test_nice
4 | test_rawio
5 |
--------------------------------------------------------------------------------
/tests/capable_sys/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=$(patsubst %.c,%,$(wildcard *.c))
2 | all: $(TARGETS)
3 | clean:
4 | rm -f $(TARGETS)
5 |
6 |
--------------------------------------------------------------------------------
/tests/capable_sys/test_chroot.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
5 | /*
6 | * Test the chroot() call on a directory whose name is given as the first
7 | * argument. This call will result in a CAP_SYS_CHROOT capable check.
8 | */
9 | int main(int argc, char **argv)
10 | {
11 |
12 | int rc;
13 |
14 | if( argc != 2 ) {
15 | printf("usage: %s pathname\n", argv[0]);
16 | exit(2);
17 | }
18 |
19 | rc = chroot(argv[1]);
20 | if( rc != 0 ) {
21 | perror("test_chroot:chroot");
22 | exit(1);
23 | }
24 |
25 | exit(0);
26 |
27 | }
28 |
--------------------------------------------------------------------------------
/tests/capable_sys/test_hostname.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 | /*
7 | * Test the sethostname() call.
8 | * This call will result in a CAP_SYS_ADMIN capable check.
9 | */
10 | int main(int argc, char **argv)
11 | {
12 |
13 | int rc;
14 | char buf[255];
15 |
16 | rc = gethostname(buf, sizeof(buf));
17 | if( rc != 0 ) {
18 | perror("test_sethostname:gethostname");
19 | exit(2);
20 | }
21 |
22 | rc = sethostname(buf, strlen(buf));
23 | if( rc != 0 ) {
24 | perror("test_sethostname:sethostname");
25 | exit(1);
26 | }
27 |
28 | exit(0);
29 |
30 | }
31 |
--------------------------------------------------------------------------------
/tests/capable_sys/test_nice.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 | /*
7 | * Test the nice() system call.
8 | * This call will result in a CAP_SYS_NICE capable check.
9 | */
10 | int main(int argc, char **argv)
11 | {
12 |
13 | int rc;
14 |
15 | rc = nice(-10);
16 | if( rc == -1) {
17 | perror("test_nice:nice");
18 | exit(1);
19 | }
20 |
21 | exit(0);
22 |
23 | }
24 |
--------------------------------------------------------------------------------
/tests/capable_sys/test_rawio.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
8 | /*
9 | * Test the FIBMAP ioctl() call on a file whose name is given as the first
10 | * argument. This ioctl will result in a CAP_SYS_RAWIO capable check.
11 | */
12 | int main(int argc, char **argv)
13 | {
14 |
15 | int fd;
16 | int rc;
17 | int val = 0;
18 |
19 | if( argc != 2 ) {
20 | printf("usage: %s filename\n", argv[0]);
21 | exit(2);
22 | }
23 |
24 | fd = open(argv[1], O_RDONLY, 0);
25 |
26 | if(fd == -1) {
27 | perror("test_rawio:open");
28 | exit(2);
29 | }
30 |
31 | val = 0;
32 | rc = ioctl(fd, FIBMAP, &val);
33 | if( rc != 0 ) {
34 | perror("test_rawio:FIBMAP");
35 | exit(1);
36 | }
37 |
38 | close(fd);
39 | exit(0);
40 |
41 | }
42 |
--------------------------------------------------------------------------------
/tests/cgroupfs_label/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | clean:
3 |
--------------------------------------------------------------------------------
/tests/cgroupfs_label/test:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 |
3 | use Test::More;
4 |
5 | my ( $cgroup_dir, $cgroup_file );
6 |
7 | BEGIN {
8 | if ( -d "/sys/fs/cgroup/unified" ) {
9 |
10 | # Cgroupfs v2 + v1, use v2.
11 | $cgroup_dir = "/sys/fs/cgroup/unified";
12 | $cgroup_file = "cgroup.type";
13 | plan tests => 2;
14 | }
15 | elsif ( -d "/sys/fs/cgroup/devices" ) {
16 |
17 | # Cgroupfs v1 only.
18 | $cgroup_dir = "/sys/fs/cgroup/devices";
19 | $cgroup_file = "cgroup.procs";
20 | plan tests => 2;
21 | }
22 | elsif ( -d "/sys/fs/cgroup" ) {
23 |
24 | # Assume cgroupfs v2 only.
25 | $cgroup_dir = "/sys/fs/cgroup";
26 | $cgroup_file = "cgroup.type";
27 | plan tests => 2;
28 | }
29 | else {
30 | plan skip_all => "No cgroupfs mount detected";
31 | }
32 | }
33 |
34 | my $dir = "$cgroup_dir/selinuxtest";
35 | my $ret;
36 |
37 | # Create a new cgroupfs directory and relabel it.
38 | mkdir("$dir");
39 | system("chcon -R -t test_cgroup_t $dir");
40 |
41 | # Create a subdirectory in it.
42 | mkdir("$dir/subdir");
43 |
44 | $ret = system("secon -tf $dir/subdir | grep -q '^test_cgroup_t\$'");
45 | ok( $ret eq 0 ); # Did the subdirectory inherit the parent's label?
46 |
47 | $ret =
48 | system("secon -tf $dir/subdir/$cgroup_file | grep -q '^test_cgroup_t\$'");
49 | ok( $ret eq 0 ); # Did also files in the subdirectory inherit the label?
50 |
51 | # Cleanup.
52 | rmdir("$dir/subdir");
53 | rmdir("$dir");
54 |
55 | exit;
56 |
--------------------------------------------------------------------------------
/tests/checkreqprot/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | clean:
3 |
--------------------------------------------------------------------------------
/tests/checkreqprot/default_value.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | mydir=$(dirname $0)
4 | DISTRO=$($mydir/../os_detect)
5 | kvercmp=$mydir/../kvercmp
6 |
7 | if [ "$($kvercmp $(uname -r) 4.4)" -ge 0 ] ||
8 | [ "$DISTRO" = "RHEL7" -a "$($kvercmp $(uname -r) 3.10.0-327)" -ge 0 ]; then
9 | grep -q 0 /sys/fs/selinux/checkreqprot 2> /dev/null
10 | exit $?
11 | fi
12 | exit 0
13 |
--------------------------------------------------------------------------------
/tests/checkreqprot/test:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 |
3 | use Test;
4 |
5 | BEGIN {
6 | plan tests => 1;
7 | }
8 |
9 | $basedir = $0;
10 | $basedir =~ s|(.*)/[^/]*|$1|;
11 |
12 | $result = system("$basedir/default_value.sh");
13 | ok( $result, 0 );
14 |
15 | exit;
16 |
--------------------------------------------------------------------------------
/tests/domain_trans/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | clean:
3 |
--------------------------------------------------------------------------------
/tests/domain_trans/test:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 |
3 | use Test;
4 | BEGIN { plan tests => 2 }
5 |
6 | $basedir = $0;
7 | $basedir =~ s|(.*)/[^/]*|$1|;
8 |
9 | # Verify that notfromdomain cannot transition to todomain.
10 | # Should fail on the transition permission check.
11 | $result = system(
12 | "runcon -t test_transition_notfromdomain_t -- runcon -t test_transition_todomain_t true 2>&1"
13 | );
14 | ok($result); # we expect this to fail.
15 |
16 | # Verify that fromdomain can transition to todomain.
17 | $result = system(
18 | "runcon -t test_transition_fromdomain_t -- runcon -t test_transition_todomain_t true 2>&1"
19 | );
20 | ok( $result, 0 );
21 |
--------------------------------------------------------------------------------
/tests/dyntrace/.gitignore:
--------------------------------------------------------------------------------
1 | child
2 | parent
3 |
--------------------------------------------------------------------------------
/tests/dyntrace/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=parent child
2 |
3 | LDLIBS += -lselinux
4 |
5 | all: $(TARGETS)
6 | clean:
7 | rm -f $(TARGETS)
8 |
--------------------------------------------------------------------------------
/tests/dyntrace/child.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
5 | int main(int argc, char **argv)
6 | {
7 | int rc;
8 |
9 | rc = setcon(argv[1]);
10 | if (rc < 0) {
11 | perror("setcon");
12 | exit(1);
13 | }
14 | exit(0);
15 | }
16 |
17 |
--------------------------------------------------------------------------------
/tests/dyntrace/test:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 |
3 | use Test;
4 | BEGIN { plan tests => 2 }
5 |
6 | $basedir = $0;
7 | $basedir =~ s|(.*)/[^/]*|$1|;
8 |
9 | # Verify that test_dyntrace_child_t can be traced across an dyn
10 | # by test_dyntrace_parent_t.
11 | $result = system(
12 | "runcon -t test_dyntrace_parent_t -- $basedir/parent test_dyntrace_child_t $basedir/child 2>&1"
13 | );
14 | ok( $result, 0 );
15 |
16 | # Verify that test_dyntrace_notchild_t cannot be traced across an dyn
17 | # by test_dyntrace_parent_t.
18 | # Should fail on ptrace permission.
19 | $result = system(
20 | "runcon -t test_dyntrace_parent_t -- $basedir/parent test_dyntrace_notchild_t $basedir/child 2>&1"
21 | );
22 | ok($result); # we expect this to fail.
23 |
24 |
--------------------------------------------------------------------------------
/tests/dyntrans/.gitignore:
--------------------------------------------------------------------------------
1 | parent
2 |
--------------------------------------------------------------------------------
/tests/dyntrans/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=parent
2 |
3 | LDLIBS += -lselinux
4 |
5 | all: $(TARGETS)
6 | clean:
7 | rm -f $(TARGETS)
8 |
--------------------------------------------------------------------------------
/tests/dyntrans/parent.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 |
11 | int main(int argc, char **argv)
12 | {
13 | int rc;
14 | const char *context_s;
15 | char *context_tmp;
16 | context_t context;
17 |
18 | if (argc != 2) {
19 | fprintf(stderr, "usage: %s newdomain\n", argv[0]);
20 | exit(-1);
21 | }
22 |
23 | rc = getcon(&context_tmp);
24 | if (rc < 0) {
25 | fprintf(stderr, "%s: unable to get my context\n", argv[0]);
26 | exit(-1);
27 |
28 | }
29 |
30 | context = context_new(context_tmp);
31 | if (!context) {
32 | fprintf(stderr, "%s: unable to create context structure\n", argv[0]);
33 | exit(-1);
34 | }
35 |
36 | if (context_type_set(context, argv[1])) {
37 | fprintf(stderr, "%s: unable to set new type\n", argv[0]);
38 | exit(-1);
39 | }
40 |
41 | freecon(context_tmp);
42 | context_s = context_str(context);
43 | if (!context_s) {
44 | fprintf(stderr, "%s: unable to obtain new context string\n", argv[0]);
45 | exit(-1);
46 | }
47 |
48 | rc = setcon(context_s);
49 | if (rc < 0) {
50 | perror("setcon failed");
51 | exit(-1);
52 | }
53 |
54 | printf("All systems go\n");
55 | exit(0);
56 | }
57 |
58 |
--------------------------------------------------------------------------------
/tests/dyntrans/test:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 |
3 | use Test;
4 | BEGIN { plan tests => 2 }
5 |
6 | $basedir = $0;
7 | $basedir =~ s|(.*)/[^/]*|$1|;
8 |
9 | # Verify that notfromdomain cannot transition to todomain.
10 | # Should fail on the transition permission check.
11 | $result = system(
12 | "runcon -t test_dyntrans_notfromdomain_t -- $basedir/parent test_dyntrans_todomain_t 2>&1"
13 | );
14 | ok($result); # we expect this to fail.
15 |
16 | # Verify that fromdomain can transition to todomain.
17 | $result = system(
18 | "runcon -t test_dyntrans_fromdomain_t -- $basedir/parent test_dyntrans_todomain_t 2>&1"
19 | );
20 | ok( $result, 0 );
21 |
--------------------------------------------------------------------------------
/tests/entrypoint/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | clean:
3 | rm -f true
4 |
--------------------------------------------------------------------------------
/tests/entrypoint/test:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 |
3 | use Test;
4 | BEGIN { plan tests => 2 }
5 |
6 | $basedir = $0;
7 | $basedir =~ s|(.*)/[^/]*|$1|;
8 |
9 | system("cp /bin/true $basedir/true");
10 |
11 | # Verify that test_entrypoint_t cannot be entered via test_entrypoint_deny_t.
12 | system("chcon -t test_entrypoint_deny_t $basedir/true");
13 | $result = system("runcon -t test_entrypoint_t $basedir/true 2>&1");
14 | ok($result); #this should fail
15 |
16 | # Verify that test_entrypoint_t can be entered via test_entrypoint_allow_t.
17 | system("chcon -t test_entrypoint_allow_t $basedir/true");
18 | $result = system("runcon -t test_entrypoint_t $basedir/true");
19 | ok( $result, 0 ); #this should pass
20 |
21 | # Cleanup.
22 | system("rm -f $basedir/true");
23 |
24 | exit;
25 |
--------------------------------------------------------------------------------
/tests/execshare/.gitignore:
--------------------------------------------------------------------------------
1 | child
2 | parent
3 |
--------------------------------------------------------------------------------
/tests/execshare/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=parent child
2 |
3 | LDLIBS += -lselinux
4 |
5 | all: $(TARGETS)
6 | clean:
7 | rm -f $(TARGETS)
8 |
--------------------------------------------------------------------------------
/tests/execshare/child.c:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | int main(void)
4 | {
5 | exit(0);
6 | }
7 |
8 |
--------------------------------------------------------------------------------
/tests/execshare/test:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 |
3 | use Test;
4 | BEGIN { plan tests => 2 }
5 |
6 | $basedir = $0;
7 | $basedir =~ s|(.*)/[^/]*|$1|;
8 |
9 | # Verify that test_execshare_parent_t can share state across an exec with
10 | # test_execshare_child_t.
11 |
12 | $result = system(
13 | "runcon -t test_execshare_parent_t -- $basedir/parent 0x200 test_execshare_child_t $basedir/child 2>&1"
14 | );
15 | ok( $result, 0 );
16 |
17 | # Verify that test_execshare_parent_t cannot share state across an exec with
18 | # test_execshare_notchild_t.
19 |
20 | $result = system(
21 | "runcon -t test_execshare_parent_t -- $basedir/parent 0x200 test_execshare_notchild_t $basedir/child 2>&1"
22 | );
23 | ok($result);
24 |
25 |
--------------------------------------------------------------------------------
/tests/exectrace/.gitignore:
--------------------------------------------------------------------------------
1 | child
2 | parent
3 |
--------------------------------------------------------------------------------
/tests/exectrace/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=parent child
2 |
3 | LDLIBS += -lselinux
4 |
5 | all: $(TARGETS)
6 | clean:
7 | rm -f $(TARGETS)
8 |
--------------------------------------------------------------------------------
/tests/exectrace/child.c:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | int main(void)
4 | {
5 | exit(0);
6 | }
7 |
8 |
--------------------------------------------------------------------------------
/tests/exectrace/test:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 |
3 | use Test;
4 | BEGIN { plan tests => 2 }
5 |
6 | $basedir = $0;
7 | $basedir =~ s|(.*)/[^/]*|$1|;
8 |
9 | # Verify that test_exectrace_child_t can be traced across an exec
10 | # by test_exectrace_parent_t.
11 | $result = system(
12 | "runcon -t test_exectrace_parent_t -- $basedir/parent test_exectrace_child_t $basedir/child 2>&1"
13 | );
14 | ok( $result, 0 );
15 |
16 | # Verify that test_exectrace_notchild_t cannot be traced across an exec
17 | # by test_exectrace_parent_t.
18 | # Should fail on ptrace permission.
19 | $result = system(
20 | "runcon -t test_exectrace_parent_t -- $basedir/parent test_exectrace_notchild_t $basedir/child 2>&1"
21 | );
22 | ok($result); # we expect this to fail.
23 |
24 |
--------------------------------------------------------------------------------
/tests/execute_no_trans/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | clean:
3 | rm -f true
4 |
--------------------------------------------------------------------------------
/tests/execute_no_trans/test:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 |
3 | use Test;
4 | BEGIN { plan tests => 2 }
5 |
6 | $basedir = $0;
7 | $basedir =~ s|(.*)/[^/]*|$1|;
8 |
9 | # Remove any leftover programs from prior failed runs.
10 | system("rm -f $basedir/true");
11 |
12 | # Set up a program with the denied type for this domain.
13 | system("cp /bin/true $basedir/true");
14 | system("chcon -t test_execute_notrans_denied_t $basedir/true");
15 |
16 | # Verify that test_execute_notrans_t cannot execute the denied type.
17 | $result =
18 | system("runcon -t test_execute_notrans_t -- bash -c $basedir/true 2>&1");
19 | ok($result); #this should fail
20 |
21 | # Set up a program with the allowed type for this domain.
22 | system("chcon -t test_execute_notrans_allowed_t $basedir/true");
23 |
24 | # Verify that test_execute_notrans_t can execute the allowed type.
25 | $result =
26 | system("runcon -t test_execute_notrans_t -- bash -c $basedir/true 2>&1");
27 | ok( $result, 0 ); #this should pass
28 |
29 | # Cleanup.
30 | system("rm -f $basedir/true");
31 |
32 | exit;
33 |
--------------------------------------------------------------------------------
/tests/extended_socket_class/.gitignore:
--------------------------------------------------------------------------------
1 | sockcreate
2 |
--------------------------------------------------------------------------------
/tests/extended_socket_class/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=$(patsubst %.c,%,$(wildcard *.c))
2 | all: $(TARGETS)
3 | clean:
4 | rm -f $(TARGETS)
5 |
--------------------------------------------------------------------------------
/tests/fdreceive/.gitignore:
--------------------------------------------------------------------------------
1 | client
2 | server
3 |
--------------------------------------------------------------------------------
/tests/fdreceive/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS = client server
2 |
3 | ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS)))
4 | DEPS = ../bpf/bpf_common.c ../bpf/bpf_common.h
5 | LDLIBS += -lbpf
6 | endif
7 |
8 | all: $(TARGETS)
9 |
10 | clean:
11 | rm -f $(TARGETS) test_file test_file2 test_sock flag
12 |
13 | client: $(DEPS)
14 |
--------------------------------------------------------------------------------
/tests/file/.gitignore:
--------------------------------------------------------------------------------
1 | test_fcntl
2 | test_lock
3 | test_mmap
4 | test_mprotect
5 | test_nofcntl
6 | test_rw
7 | test_seek
8 | test_sigiotask
9 | wait_io
10 |
--------------------------------------------------------------------------------
/tests/file/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=$(patsubst %.c,%,$(wildcard *.c))
2 | LDLIBS += -lselinux
3 | test_sigiotask: LDLIBS += -lutil
4 | all: $(TARGETS)
5 | clean:
6 | rm -f $(TARGETS) temp_file temp_file2 temp_file3
7 |
--------------------------------------------------------------------------------
/tests/file/test_fcntl.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
8 | /*
9 | * Test the fcntl file operation on a file whose name is given as the first
10 | * argument.
11 | */
12 | int main(int argc, char **argv)
13 | {
14 |
15 | int fd;
16 | int rc;
17 | struct flock my_lock;
18 |
19 | if( argc != 2 ) {
20 | printf("usage: %s filename\n", argv[0]);
21 | exit(2);
22 | }
23 |
24 | fd = open(argv[1], O_RDONLY | O_APPEND, 0);
25 |
26 | if(fd == -1) {
27 | perror("test_fcntl:open");
28 | exit(2);
29 | }
30 |
31 | rc = fcntl(fd, F_SETFL, 0);
32 | if( rc == -1 ) {
33 | perror("test_fcntl:F_SETFL");
34 | exit(1);
35 | }
36 |
37 | rc = fcntl(fd, F_GETFL);
38 | if( rc == -1 ) {
39 | perror("test_fcntl:F_GETFL");
40 | exit(1);
41 | }
42 |
43 | my_lock.l_type = F_RDLCK;
44 | my_lock.l_start = 0;
45 | my_lock.l_whence = SEEK_CUR;
46 | my_lock.l_len = 0;
47 |
48 | rc = fcntl(fd, F_GETLK, &my_lock);
49 | if( rc == -1 ) {
50 | perror("test_fcntl:F_GETLK");
51 | exit(1);
52 | }
53 |
54 | close(fd);
55 | exit(0);
56 |
57 | }
58 |
--------------------------------------------------------------------------------
/tests/file/test_lock.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 |
10 | /*
11 | * Test the lock file operation on a file whose name is given as the first
12 | * argument. The second argument must be the SID we are to use to test
13 | * the actual lock() operation by changing the SID of the file we are
14 | * given.
15 | */
16 | int main(int argc, char **argv)
17 | {
18 |
19 | int fd;
20 | int rc;
21 |
22 | if( argc != 3 ) {
23 | printf("usage: %s filename context\n", argv[0]);
24 | exit(2);
25 | }
26 |
27 | fd = open(argv[1], O_RDONLY, 0);
28 |
29 | if(fd == -1) {
30 | perror("test_lock:open");
31 | exit(2);
32 | }
33 |
34 | rc = fsetfilecon(fd, argv[2]);
35 | if (rc < 0) {
36 | perror("test_lock:fsetfilecon");
37 | exit(2);
38 | }
39 |
40 | rc = flock(fd, LOCK_EX);
41 | if( rc == -1 ) {
42 | perror("test_lock:LOCK_EX");
43 | exit(1);
44 | }
45 |
46 | close(fd);
47 | exit(0);
48 |
49 | }
50 |
--------------------------------------------------------------------------------
/tests/file/test_mmap.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 |
9 | /*
10 | * Test the mmap file operation on a file whose name is given as the first
11 | * argument. The second argument must be the SID we are to use to test
12 | * the actual mmap() operation by changing the SID of the file we are
13 | * given.
14 | */
15 |
16 | int main(int argc, char **argv)
17 | {
18 |
19 | int fd;
20 | void *ptr;
21 | int rc;
22 |
23 | if( argc != 3 ) {
24 | printf("usage: %s filename context\n", argv[0]);
25 | exit(2);
26 | }
27 |
28 | fd = open(argv[1], O_RDWR, 0);
29 |
30 | if(fd == -1) {
31 | perror("test_mmap:open");
32 | exit(2);
33 | }
34 |
35 | rc = fsetfilecon(fd, argv[2]);
36 | if (rc < 0) {
37 | perror("test_mmap:fsetfilecon");
38 | exit(2);
39 | }
40 |
41 | ptr = mmap(0, 1024, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED, fd,
42 | getpagesize());
43 | if( ptr == MAP_FAILED ) {
44 | perror("test_mmap:mmap");
45 | close(fd);
46 | exit(1);
47 | }
48 |
49 | close(fd);
50 | exit(0);
51 |
52 | }
53 |
--------------------------------------------------------------------------------
/tests/file/test_mprotect.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 |
9 | /*
10 | * Test the mprotect file operation on a file whose name is given as the first
11 | * argument. The second argument must be the SID we are to use to test
12 | * the actual mprotect() operation by changing the SID of the file we are
13 | * given.
14 | */
15 | int main(int argc, char **argv)
16 | {
17 |
18 | int fd;
19 | void *ptr;
20 | int rc;
21 |
22 | if( argc != 3 ) {
23 | printf("usage: %s filename context\n", argv[0]);
24 | exit(2);
25 | }
26 |
27 | fd = open(argv[1], O_RDONLY, 0);
28 |
29 | if(fd == -1) {
30 | perror("test_mprotect:open");
31 | exit(2);
32 | }
33 |
34 | ptr = mmap(0, 1024, PROT_READ, MAP_SHARED, fd, getpagesize());
35 | if( ptr == MAP_FAILED ) {
36 | close(fd);
37 | perror("test_mprotect:mmap");
38 | exit(2);
39 | }
40 |
41 | rc = fsetfilecon(fd, argv[2]);
42 | if (rc < 0) {
43 | perror("test_mprotect:fsetfilecon");
44 | exit(2);
45 | }
46 |
47 | rc = mprotect(ptr, 1024, PROT_READ);
48 | if( rc == -1 ) {
49 | close(fd);
50 | perror("test_mprotect:mprotect");
51 | exit(1);
52 | }
53 |
54 | close(fd);
55 | exit(0);
56 |
57 | }
58 |
--------------------------------------------------------------------------------
/tests/file/test_nofcntl.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
8 | /*
9 | * Test the fcntl file operation on a file whose name is given as the first
10 | * argument. This program expects certain tests to fail, and that failure
11 | * is treated as success and the program continues.
12 | */
13 | int main(int argc, char **argv)
14 | {
15 |
16 | int fd;
17 | int rc;
18 | struct flock my_lock;
19 |
20 | if( argc != 2 ) {
21 | printf("usage: %s filename\n", argv[0]);
22 | exit(2);
23 | }
24 |
25 | fd = open(argv[1], O_RDONLY | O_APPEND, 0);
26 |
27 | if(fd == -1) {
28 | perror("test_nofcntl:open");
29 | exit(2);
30 | }
31 |
32 | /* The next two acesses should fail, so if that happens, we return success. */
33 |
34 | rc = fcntl(fd, F_SETFL, 0);
35 | if( rc != -1 ) {
36 | fprintf(stderr, "test_nofcntl:F_SETFL\n");
37 | exit(1);
38 | }
39 |
40 | my_lock.l_type = F_RDLCK;
41 | my_lock.l_start = 0;
42 | my_lock.l_whence = SEEK_CUR;
43 | my_lock.l_len = 0;
44 |
45 | rc = fcntl(fd, F_GETLK, &my_lock);
46 | if( rc != -1 ) {
47 | fprintf(stderr, "test_nofcntl:F_GETLK\n");
48 | exit(1);
49 | }
50 |
51 | close(fd);
52 | exit(0);
53 |
54 | }
55 |
--------------------------------------------------------------------------------
/tests/file/test_rw.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 |
10 | /*
11 | * Test the read/write operation on a file whose name is given as the first
12 | * argument. The second argument must be the SID we are to use to test
13 | * the actual read/write() operation by changing the SID of the file we are
14 | * given.
15 | */
16 | int main(int argc, char **argv)
17 | {
18 |
19 | int fd;
20 | int rc;
21 | char buf[255];
22 | ssize_t bytes;
23 |
24 | if( argc != 3 ) {
25 | printf("usage: %s filename context\n", argv[0]);
26 | exit(2);
27 | }
28 |
29 | fd = open(argv[1], O_RDWR, 0);
30 |
31 | if(fd == -1) {
32 | perror("test_rw:open");
33 | exit(2);
34 | }
35 |
36 | rc = fsetfilecon(fd, argv[2]);
37 | if (rc < 0) {
38 | perror("test_rw:fsetfilecon");
39 | exit(2);
40 | }
41 |
42 | bytes = read(fd, buf, sizeof buf);
43 | if( bytes < 0) {
44 | perror("test_rw:read");
45 | exit(1);
46 | }
47 |
48 | bytes = write(fd, buf, bytes);
49 | if( bytes < 0) {
50 | perror("test_rw:write");
51 | exit(1);
52 | }
53 |
54 | close(fd);
55 | exit(0);
56 |
57 | }
58 |
--------------------------------------------------------------------------------
/tests/file/test_seek.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 |
9 | /*
10 | * Test the seek file operation on a file whose name is given as the first
11 | * argument.
12 | */
13 | int main(int argc, char **argv)
14 | {
15 |
16 | int fd;
17 | int rc;
18 |
19 | if( argc != 2 ) {
20 | printf("usage: %s filename\n", argv[0]);
21 | exit(2);
22 | }
23 |
24 | fd = open(argv[1], O_RDONLY, 0);
25 |
26 | if(fd == -1) {
27 | perror("test_seek:open");
28 | exit(2);
29 | }
30 |
31 | rc = lseek(fd, 10, SEEK_SET);
32 | if( rc == -1 ) {
33 | perror("test_seek:lseek");
34 | close(fd);
35 | exit(1);
36 | }
37 |
38 | close(fd);
39 | exit(0);
40 |
41 | }
42 |
--------------------------------------------------------------------------------
/tests/file/wait_io.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 | /*
7 | * Function to handle SIGIO.
8 | */
9 | static void sig_io(int signo)
10 | {
11 | printf("wait_io: got sigio\n");
12 | exit(0);
13 | }
14 |
15 | /*
16 | * This program waits either for a SIGIO signal, or will time out. The
17 | * exit status is 'good' on the SIGIO receive, 'bad' on the timeout.
18 | */
19 | int main(int argc, char **argv)
20 | {
21 |
22 | struct sigaction siga;
23 | int fd;
24 |
25 | if (argc != 2) {
26 | fprintf(stderr, "wait_io: incorrect number of arguments\n");
27 | exit(2);
28 | }
29 |
30 | fd = atoi(argv[1]);
31 |
32 | /*
33 | * Set up signal handler for SIGIO.
34 | */
35 | siga.sa_handler = sig_io;
36 | sigemptyset(&siga.sa_mask);
37 | siga.sa_flags = 0;
38 | sigaction(SIGIO, &siga, NULL);
39 | write(fd, "x", 1);
40 | close(fd);
41 | sleep(5);
42 | printf("wait_io: exiting without receiving sigio\n");
43 | exit(1);
44 |
45 | }
46 |
--------------------------------------------------------------------------------
/tests/filesystem/.gitignore:
--------------------------------------------------------------------------------
1 | mount
2 | umount
3 | quotas_test
4 | statfs_test
5 | fanotify_fs
6 | create_file_change_context
7 | fs_relabel
8 | check_file_context
9 | check_mount_context
10 | create_file
11 | grim_reaper
12 | xfs_quotas_test
13 | native_quotas_test
14 |
--------------------------------------------------------------------------------
/tests/filesystem/Makefile:
--------------------------------------------------------------------------------
1 | # Required for local building
2 | #export CFLAGS += -DHAVE_FS_WATCH_PERM
3 |
4 | TARGETS = mount umount quotas_test statfs_test create_file_change_context \
5 | fs_relabel check_file_context grim_reaper check_mount_context create_file \
6 | xfs_quotas_test native_quotas_test
7 |
8 | LDLIBS += -lselinux
9 |
10 | ifneq (,$(findstring -DHAVE_FS_WATCH_PERM,$(CFLAGS)))
11 | TARGETS += fanotify_fs
12 | endif
13 |
14 | all: $(TARGETS)
15 |
16 | clean:
17 | rm -f $(TARGETS)
18 |
--------------------------------------------------------------------------------
/tests/filesystem/ext4:
--------------------------------------------------------------------------------
1 | .
--------------------------------------------------------------------------------
/tests/filesystem/jfs:
--------------------------------------------------------------------------------
1 | .
--------------------------------------------------------------------------------
/tests/filesystem/statfs_test.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 |
10 | static void print_usage(char *progname)
11 | {
12 | fprintf(stderr,
13 | "usage: %s -t path [-v]\n"
14 | "Where:\n\t"
15 | "-t Target path to statfs(2)\n\t"
16 | "-v Print information.\n", progname);
17 | exit(-1);
18 | }
19 |
20 | int main(int argc, char *argv[])
21 | {
22 | int opt, result, save_err;
23 | char *context, *tgt = NULL;
24 | bool verbose = false;
25 | struct statfs statfs_t;
26 |
27 | while ((opt = getopt(argc, argv, "t:v")) != -1) {
28 | switch (opt) {
29 | case 't':
30 | tgt = optarg;
31 | break;
32 | case 'v':
33 | verbose = true;
34 | break;
35 | default:
36 | print_usage(argv[0]);
37 | }
38 | }
39 |
40 | if (!tgt)
41 | print_usage(argv[0]);
42 |
43 | if (verbose) {
44 | result = getcon(&context);
45 | if (result < 0) {
46 | fprintf(stderr, "Failed to obtain process context\n");
47 | return -1;
48 | }
49 | printf("Process context:\n\t%s\n", context);
50 | free(context);
51 | }
52 |
53 | result = statfs(tgt, &statfs_t);
54 | save_err = errno;
55 | if (result < 0) {
56 | fprintf(stderr, "statfs(2) Failed: %s\n", strerror(errno));
57 | return save_err;
58 | }
59 |
60 | if (verbose)
61 | printf("statfs(2) returned magic filesystem: 0x%lx\n",
62 | statfs_t.f_type);
63 |
64 | return 0;
65 | }
66 |
--------------------------------------------------------------------------------
/tests/filesystem/vfat:
--------------------------------------------------------------------------------
1 | .
--------------------------------------------------------------------------------
/tests/filesystem/xfs:
--------------------------------------------------------------------------------
1 | .
--------------------------------------------------------------------------------
/tests/fs_filesystem/.gitignore:
--------------------------------------------------------------------------------
1 | fsmount
2 | fspick
3 | move_mount
4 |
--------------------------------------------------------------------------------
/tests/fs_filesystem/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS = fsmount fspick move_mount
2 | DEPS = fs_common.c fs_common.h
3 | LDLIBS += -lselinux
4 | USE_FS = ../filesystem
5 |
6 | all: $(TARGETS)
7 | @set -e; for i in $(USE_FS); do $(MAKE) -C $$i all ; done
8 |
9 | clean:
10 | rm -f $(TARGETS)
11 | @set -e; for i in $(USE_FS); do $(MAKE) -C $$i clean ; done
12 |
13 | $(TARGETS): $(DEPS)
14 |
--------------------------------------------------------------------------------
/tests/fs_filesystem/ext4:
--------------------------------------------------------------------------------
1 | .
--------------------------------------------------------------------------------
/tests/fs_filesystem/fs_common.h:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 | #include
12 |
13 | #ifndef AT_EMPTY_PATH
14 | #define AT_EMPTY_PATH 0x1000
15 | #endif
16 | #ifndef AT_RECURSIVE
17 | #define AT_RECURSIVE 0x8000
18 | #endif
19 |
20 | int fsopen(const char *fs_name, unsigned int flags);
21 | int fsmount(int fsfd, unsigned int flags, unsigned int ms_flags);
22 | int fsconfig(int fsfd, unsigned int cmd, const char *key,
23 | const void *val, int aux);
24 | int move_mount(int from_dfd, const char *from_pathname, int to_dfd,
25 | const char *to_pathname, unsigned int flags);
26 | int open_tree(int dirfd, const char *pathname, unsigned int flags);
27 | int fspick(int dirfd, const char *pathname, unsigned int flags);
28 |
29 | #define MAX_OPS 40
30 | int fsconfig_opts(int fd, char *src, char *tgt, char *opts, bool verbose);
31 |
--------------------------------------------------------------------------------
/tests/fs_filesystem/fspick.c:
--------------------------------------------------------------------------------
1 | #include "fs_common.h"
2 |
3 | static void print_usage(char *progname)
4 | {
5 | fprintf(stderr,
6 | "usage: %s -t tgt -o options [-v]\n"
7 | "Where:\n\t"
8 | "-t Target path\n\t"
9 | "-f Filesystem type\n\t"
10 | "-o Options list (comma separated list)\n\t"
11 | "-v Print information.\n", progname);
12 | exit(-1);
13 | }
14 |
15 | int main(int argc, char *argv[])
16 | {
17 | int opt, result, pfd;
18 | char *context, *tgt = NULL, *opts = NULL;
19 | bool verbose = false;
20 |
21 | while ((opt = getopt(argc, argv, "t:o:v")) != -1) {
22 | switch (opt) {
23 | case 't':
24 | tgt = optarg;
25 | break;
26 | case 'o':
27 | opts = optarg;
28 | break;
29 | case 'v':
30 | verbose = true;
31 | break;
32 | default:
33 | print_usage(argv[0]);
34 | }
35 | }
36 |
37 | if (!tgt || !opts)
38 | print_usage(argv[0]);
39 |
40 | if (verbose) {
41 | result = getcon(&context);
42 | if (result < 0) {
43 | fprintf(stderr, "Failed to obtain process context\n");
44 | return -1;
45 | }
46 | printf("Process context:\n\t%s\n", context);
47 | free(context);
48 | }
49 |
50 | if (verbose)
51 | printf("Mounting\n\ttgt: %s\n\topts: %s\n", tgt, opts);
52 |
53 | pfd = fspick(AT_FDCWD, tgt, 0);
54 | if (pfd < 0) {
55 | fprintf(stderr, "Failed fspick(2): %s\n", strerror(errno));
56 | return -1;
57 | }
58 |
59 | /* config_opts() will return 0 or errno from fsconfig(2) */
60 | result = fsconfig_opts(pfd, NULL, tgt, opts, verbose);
61 | if (result) {
62 | fprintf(stderr, "Failed config_opts\n");
63 | return result;
64 | }
65 |
66 | close(pfd);
67 | return 0;
68 | }
69 |
--------------------------------------------------------------------------------
/tests/fs_filesystem/jfs:
--------------------------------------------------------------------------------
1 | .
--------------------------------------------------------------------------------
/tests/fs_filesystem/vfat:
--------------------------------------------------------------------------------
1 | .
--------------------------------------------------------------------------------
/tests/fs_filesystem/xfs:
--------------------------------------------------------------------------------
1 | .
--------------------------------------------------------------------------------
/tests/glblub/.gitignore:
--------------------------------------------------------------------------------
1 | default_range
2 |
--------------------------------------------------------------------------------
/tests/glblub/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=default_range
2 |
3 | LDLIBS += -lselinux
4 |
5 | all: $(TARGETS)
6 | clean:
7 | rm -f $(TARGETS)
8 |
--------------------------------------------------------------------------------
/tests/glblub/default_range.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 |
9 | void run_test(const char *c1, const char *c2, security_class_t tclass,
10 | const char *exp_con)
11 | {
12 | char *buf = NULL;
13 | int ret;
14 |
15 | ret = security_compute_create(c1, c2, tclass, &buf);
16 | if (ret < 0) {
17 | exit(3);
18 | }
19 |
20 | if (exp_con == NULL && buf == NULL) {
21 | return;
22 | }
23 |
24 | if (exp_con == NULL && buf != NULL) {
25 | fprintf(stderr, "expected NULL, got %s\n", buf);
26 | freecon(buf);
27 | exit(3);
28 | }
29 |
30 | if (exp_con != NULL && buf == NULL) {
31 | fprintf(stderr, "expected %s, got NULL\n", exp_con);
32 | exit(3);
33 | }
34 |
35 | if (strcmp(buf, exp_con)) {
36 | fprintf(stderr, "%s did not match expected %s\n", buf, exp_con);
37 | exit(3);
38 | }
39 |
40 | freecon(buf);
41 |
42 | }
43 |
44 | int main(int argc, const char **argv)
45 | {
46 | security_class_t tclass;
47 | const char *exp_con;
48 |
49 | if (argc != 4 && argc != 5) {
50 | fprintf(stderr, "Usage %s [expected]\n", argv[0]);
51 | exit(1);
52 | }
53 |
54 | if (argc == 4) exp_con = NULL;
55 | else exp_con = argv[4];
56 |
57 | tclass = string_to_security_class(argv[3]);
58 | if (!tclass) {
59 | fprintf(stderr, "Invalid class '%s'\n", argv[3]);
60 | exit(1);
61 | }
62 |
63 | run_test(argv[1], argv[2], tclass, exp_con);
64 |
65 | exit(EXIT_SUCCESS);
66 | }
67 |
--------------------------------------------------------------------------------
/tests/inet_socket/.gitignore:
--------------------------------------------------------------------------------
1 | bind
2 | client
3 | connect
4 | server
5 |
--------------------------------------------------------------------------------
/tests/inet_socket/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=client server bind connect
2 |
3 | LDLIBS+= -lselinux
4 |
5 | all: $(TARGETS)
6 | clean:
7 | rm -f $(TARGETS) flag
8 |
--------------------------------------------------------------------------------
/tests/inet_socket/calipso-flush:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Reset NetLabel configuration to unlabeled after CALIPSO/IPv6 tests.
3 | netlabelctl map del default
4 | netlabelctl calipso del doi:16
5 | netlabelctl map add default protocol:unlbl
6 |
--------------------------------------------------------------------------------
/tests/inet_socket/calipso-load:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Define a doi for testing loopback for CALIPSO/IPv6.
3 | netlabelctl calipso add pass doi:16
4 | netlabelctl map del default
5 | netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
6 | netlabelctl map add default address:::/0 protocol:unlbl
7 | netlabelctl map add default address:::1 protocol:calipso,16
8 |
--------------------------------------------------------------------------------
/tests/inet_socket/cipso-fl-flush:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Reset NetLabel configuration to unlabeled for all.
3 | netlabelctl map del default
4 | netlabelctl cipsov4 del doi:1
5 | netlabelctl map add default protocol:unlbl
6 |
--------------------------------------------------------------------------------
/tests/inet_socket/cipso-fl-load:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Based on http://paulmoore.livejournal.com/7234.html.
3 | #
4 | # Modifications:
5 | # - Only defined the local doi since we are only testing loopback and
6 | # since NetLabel only supports full labeling over loopback (NetLabel
7 | # CIPSOv4 only supports passing MLS labels across the network).
8 |
9 | # Define a localhost/loopback doi and apply it to the loopback address
10 | # so that we get full SELinux labels over IPv4 loopback connections.
11 | netlabelctl cipsov4 add local doi:1
12 | netlabelctl map del default
13 | netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
14 | netlabelctl map add default address:::/0 protocol:unlbl
15 | netlabelctl map add default address:127.0.0.1 protocol:cipsov4,1
16 |
--------------------------------------------------------------------------------
/tests/inet_socket/cipso-flush:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Reset NetLabel configuration to unlabeled for all.
3 | netlabelctl map del default
4 | netlabelctl cipsov4 del doi:16
5 | netlabelctl map add default protocol:unlbl
6 |
--------------------------------------------------------------------------------
/tests/inet_socket/cipso-load-t1:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Based on http://paulmoore.livejournal.com/7234.html.
3 | #
4 | # Modifications:
5 | # - Defined a doi for testing loopback for CIPSOv4.
6 |
7 | netlabelctl cipsov4 add pass doi:16 tags:1
8 | netlabelctl map del default
9 | netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
10 | netlabelctl map add default address:::/0 protocol:unlbl
11 | netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16
12 |
--------------------------------------------------------------------------------
/tests/inet_socket/cipso-load-t2:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Based on http://paulmoore.livejournal.com/7234.html.
3 | #
4 | # Modifications:
5 | # - Defined a doi for testing loopback for CIPSOv4.
6 |
7 | netlabelctl cipsov4 add pass doi:16 tags:2
8 | netlabelctl map del default
9 | netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
10 | netlabelctl map add default address:::/0 protocol:unlbl
11 | netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16
12 |
--------------------------------------------------------------------------------
/tests/inet_socket/cipso-load-t5:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Based on http://paulmoore.livejournal.com/7234.html.
3 | #
4 | # Modifications:
5 | # - Defined a doi for testing loopback for CIPSOv4.
6 |
7 | netlabelctl cipsov4 add pass doi:16 tags:5
8 | netlabelctl map del default
9 | netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
10 | netlabelctl map add default address:::/0 protocol:unlbl
11 | netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16
12 |
--------------------------------------------------------------------------------
/tests/inet_socket/ipsec-flush:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | echo 1 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
3 | echo 1 > /proc/sys/net/ipv4/conf/lo/disable_policy
4 | ip xfrm policy deleteall
5 | ip xfrm policy flush
6 | ip xfrm state flush
7 |
--------------------------------------------------------------------------------
/tests/inet_socket/ipsec-load:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
3 | echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
4 | ip xfrm policy flush
5 | ip xfrm state flush
6 | goodclientcon=`secon -u --pid $$`:`secon -r --pid $$`:test_inet_client_t:`secon -m --pid $$`
7 | badclientcon=`secon -u --pid $$`:`secon -r --pid $$`:test_inet_bad_client_t:`secon -m --pid $$`
8 | ip xfrm state add src 127.0.0.1 dst 127.0.0.1 proto ah spi 0x200 ctx $goodclientcon auth sha1 0123456789012345
9 | ip xfrm state add src 127.0.0.1 dst 127.0.0.1 proto ah spi 0x250 ctx $badclientcon auth sha1 0123456789012345
10 | ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto tcp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
11 | ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
12 |
13 | # IPv6 loopback
14 | ip xfrm state add src ::1 dst ::1 proto ah spi 0x200 ctx $goodclientcon auth sha1 0123456789012345
15 | ip xfrm state add src ::1 dst ::1 proto ah spi 0x250 ctx $badclientcon auth sha1 0123456789012345
16 | ip xfrm policy add src ::1 dst ::1 proto tcp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
17 | ip xfrm policy add src ::1 dst ::1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
18 |
--------------------------------------------------------------------------------
/tests/inet_socket/iptables-flush:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Flush the security table.
3 | iptables -t security -F
4 | iptables -t security -X NEWCONN
5 | ip6tables -t security -F
6 | ip6tables -t security -X NEWCONN
7 |
--------------------------------------------------------------------------------
/tests/inet_socket/mptcp:
--------------------------------------------------------------------------------
1 | .
--------------------------------------------------------------------------------
/tests/inet_socket/nftables-flush:
--------------------------------------------------------------------------------
1 | delete table ip security
2 | delete table ip6 security
3 |
--------------------------------------------------------------------------------
/tests/inet_socket/tcp:
--------------------------------------------------------------------------------
1 | .
--------------------------------------------------------------------------------
/tests/inet_socket/udp:
--------------------------------------------------------------------------------
1 | .
--------------------------------------------------------------------------------
/tests/infiniband_endport/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | clean:
3 |
--------------------------------------------------------------------------------
/tests/infiniband_endport/ibendport_test.conf:
--------------------------------------------------------------------------------
1 | # InfiniBand endport test configuration file
2 |
3 | # The InfiniBand devices can be determined by inspecting the
4 | # /sys/class/infiniband directory and the ports for a given device can be
5 | # found by inspecting the /sys/class/infiniband//ports directory.
6 |
7 | # Enable(1)/Disable(0) these tests.
8 | SELINUX_INFINIBAND_ENDPORT_TEST=0
9 |
10 | # Device/port pair that should allow access.
11 | # The test uses semanage to allow, because ibendports are all unlabeled by
12 | # default the reference policy. This allows using the same device and port for
13 | # both the pass and fail testing as well.
14 | SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED=mlx5_3 1
15 |
16 | # Device/port pairs that should deny access.
17 | SELINUX_INFINIBAND_ENDPORT_TEST_DENIED=mlx5_2 1
18 |
19 |
--------------------------------------------------------------------------------
/tests/infiniband_pkey/.gitignore:
--------------------------------------------------------------------------------
1 | create_modify_qp
2 |
--------------------------------------------------------------------------------
/tests/infiniband_pkey/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=create_modify_qp
2 |
3 | LDLIBS+= -libverbs
4 |
5 | all: $(TARGETS)
6 |
7 | clean:
8 | rm -f $(TARGETS)
9 |
--------------------------------------------------------------------------------
/tests/infiniband_pkey/ibpkey_test.conf:
--------------------------------------------------------------------------------
1 | # InfiniBand PKey test configuration file
2 |
3 | # The InfiniBand devices can be determined by inspecting the
4 | # /sys/class/infiniband directory and the ports for a given device can be
5 | # found by inspecting the /sys/class/infiniband//ports directory.
6 |
7 | # Enable(1)/Disable(0) these tests
8 | SELINUX_INFINIBAND_PKEY_TEST=0
9 |
10 | # InfiniBand device to use.
11 | SELINUX_INFINIBAND_PKEY_TEST_DEV=mlx5_3
12 |
13 | # Physical port on the device to use.
14 | SELINUX_INFINIBAND_PKEY_TEST_PORT=1
15 |
16 | # CSV list of pkey table indexes containing labeled PKeys.
17 | # These will not be allowed.
18 | SELINUX_INFINIBAND_TEST_LABELED_PKEYS=
19 |
20 | # CSV list of pkey table indexes containing unlabeled PKeys.
21 | # This will be allowed, then temporarily labeled to see that they are
22 | # disallowed.
23 | SELINUX_INFINIBAND_TEST_UNLABELED_PKEYS=0
24 |
25 |
--------------------------------------------------------------------------------
/tests/inherit/.gitignore:
--------------------------------------------------------------------------------
1 | child
2 | parent
3 |
--------------------------------------------------------------------------------
/tests/inherit/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=child parent
2 |
3 | LDLIBS += -lselinux
4 |
5 | all: $(TARGETS)
6 | clean:
7 | rm -f $(TARGETS) test_file
8 |
--------------------------------------------------------------------------------
/tests/inherit/child.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 |
7 | int main(int argc, char **argv)
8 | {
9 | char buf[255];
10 | ssize_t bytes;
11 | int fd, ret;
12 | struct stat sb;
13 |
14 | if (argc != 2) {
15 | fprintf(stderr, "usage: %s fd\n", argv[0]);
16 | exit(-1);
17 | }
18 |
19 | fd = atoi(argv[1]);
20 |
21 | ret = fstat(fd, &sb);
22 | if (ret < 0) {
23 | perror("fstat");
24 | exit(2);
25 | }
26 | if (sb.st_rdev == 0x103 /* /dev/null */) {
27 | fprintf(stderr, "%s: null device\n", argv[0]);
28 | exit(1);
29 | }
30 |
31 | strcpy(buf, "hello world!\n");
32 | bytes = write(fd, buf, strlen(buf));
33 | if (bytes < 0) {
34 | perror("write");
35 | exit(1);
36 | }
37 | exit(0);
38 | }
39 |
--------------------------------------------------------------------------------
/tests/inherit/test:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 |
3 | use Test;
4 | BEGIN { plan tests => 3 }
5 |
6 | $basedir = $0;
7 | $basedir =~ s|(.*)/[^/]*|$1|;
8 |
9 | # Remove any leftover test file from prior failed runs.
10 | system("rm -rf $basedir/test_file");
11 |
12 | # Create a test file with the test_inherit_file_t type for use in the tests.
13 | system("touch $basedir/test_file");
14 | system("chcon -t test_inherit_file_t $basedir/test_file");
15 |
16 | # Verify that test_inherit_nouse_t cannot inherit the rw fd to the test_file
17 | # from test_inherit_parent_t.
18 | # Should fail on fd use permission.
19 | $result = system(
20 | "runcon -t test_inherit_parent_t -- $basedir/parent test_inherit_nouse_t $basedir/test_file $basedir/child 2>&1"
21 | );
22 | ok($result); # we expect this to fail.
23 |
24 | # Verify that test_inherit_nowrite_t cannot inherit the rw fd to the test_file
25 | # from test_inherit_parent_t.
26 | # Should fail on file write permission.
27 | $result = system(
28 | "runcon -t test_inherit_parent_t -- $basedir/parent test_inherit_nowrite_t $basedir/test_file $basedir/child 2>&1"
29 | );
30 | ok($result); # we expect this to fail.
31 |
32 | # Verify that test_inherit_child_t can inherit the rw fd to the test file
33 | # from test_inherit_parent_t.
34 | $result = system(
35 | "runcon -t test_inherit_parent_t -- $basedir/parent test_inherit_child_t $basedir/test_file $basedir/child 2>&1"
36 | );
37 | ok( $result, 0 );
38 |
39 | # Cleanup.
40 | system("rm -rf $basedir/test_file");
41 |
--------------------------------------------------------------------------------
/tests/ioctl/.gitignore:
--------------------------------------------------------------------------------
1 | test_ioctl
2 | test_noioctl
3 | test_siocgifindex
4 | test_siocgifname
5 |
--------------------------------------------------------------------------------
/tests/ioctl/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=$(patsubst %.c,%,$(wildcard *.c))
2 | all: $(TARGETS)
3 | clean:
4 | rm -f $(TARGETS) temp_file
5 |
--------------------------------------------------------------------------------
/tests/ioctl/test_siocgifindex.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 |
11 | int main(int argc, char **argv)
12 | {
13 | int sock;
14 | int rc;
15 | struct ifreq val = {};
16 |
17 | sock = socket(AF_INET, SOCK_DGRAM, 0);
18 | if(sock == -1) {
19 | perror("test_siocgifindex:open");
20 | exit(1);
21 | }
22 |
23 | rc = ioctl(sock, SIOCGIFINDEX, &val);
24 | if (rc < 0 && errno != ENODEV) {
25 | perror("test_siocgifindex:SIOCGIFINDEX");
26 | close(sock);
27 | exit(7);
28 | }
29 |
30 | close(sock);
31 | exit(0);
32 | }
33 |
--------------------------------------------------------------------------------
/tests/ioctl/test_siocgifname.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 |
11 | int main(int argc, char **argv)
12 | {
13 | int sock;
14 | int rc;
15 | struct ifreq val = {};
16 |
17 | sock = socket(AF_INET, SOCK_DGRAM, 0);
18 | if(sock == -1) {
19 | perror("test_siocgifname:socket");
20 | exit(1);
21 | }
22 |
23 | rc = ioctl(sock, SIOCGIFNAME, &val);
24 | if (rc < 0 && errno != ENODEV) {
25 | perror("test_siocgifname:SIOCGIFNAME");
26 | close(sock);
27 | exit(7);
28 | }
29 |
30 | close(sock);
31 | exit(0);
32 | }
33 |
--------------------------------------------------------------------------------
/tests/key_socket/.gitignore:
--------------------------------------------------------------------------------
1 | key_sock
2 |
--------------------------------------------------------------------------------
/tests/key_socket/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS = key_sock
2 | LDLIBS += -lselinux
3 |
4 | all: $(TARGETS)
5 |
6 | clean:
7 | rm -f $(TARGETS)
8 |
--------------------------------------------------------------------------------
/tests/key_socket/test:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 | use Test::More;
3 |
4 | BEGIN {
5 | $basedir = $0;
6 | $basedir =~ s|(.*)/[^/]*|$1|;
7 |
8 | # allow info to be shown during tests
9 | $v = $ARGV[0];
10 | if ($v) {
11 | if ( $v ne "-v" ) {
12 | plan skip_all => "Invalid option (use -v)";
13 | }
14 | }
15 | else {
16 | $v = " ";
17 | }
18 |
19 | $result = system "$basedir/key_sock $v 2>&1";
20 | if ( $result >> 8 eq 97 ) { # EAFNOSUPPORT
21 | plan skip_all => "PF_KEY not supported by kernel";
22 | }
23 | else {
24 | plan tests => 5;
25 | }
26 | }
27 |
28 | ############ Test key_socket #############
29 | print "Test key management key_socket\n";
30 | $result = system "runcon -t test_key_sock_t $basedir/key_sock $v";
31 | ok( $result eq 0 );
32 |
33 | # Deny capability { net_admin } - EPERM
34 | $result =
35 | system "runcon -t test_key_sock_no_net_admin_t $basedir/key_sock $v 2>&1";
36 | ok( $result >> 8 eq 1 );
37 |
38 | # Deny key_socket { create } - EACCES
39 | $result =
40 | system "runcon -t test_key_sock_no_create_t $basedir/key_sock $v 2>&1";
41 | ok( $result >> 8 eq 13 );
42 |
43 | # Deny key_socket { write } - EACCES
44 | $result = system "runcon -t test_key_sock_no_write_t $basedir/key_sock $v 2>&1";
45 | ok( $result >> 8 eq 13 );
46 |
47 | # Deny key_socket { read } - EACCES
48 | $result = system "runcon -t test_key_sock_no_read_t $basedir/key_sock $v 2>&1";
49 | ok( $result >> 8 eq 13 );
50 |
51 | exit;
52 |
--------------------------------------------------------------------------------
/tests/keys/.gitignore:
--------------------------------------------------------------------------------
1 | keyctl
2 | keyctl_relabel
3 | keyring_service
4 | request_keys
5 |
--------------------------------------------------------------------------------
/tests/keys/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS = keyctl keyctl_relabel keyring_service request_keys
2 | LDLIBS += -lselinux -lkeyutils
3 |
4 | $(TARGETS): keys_common.h
5 |
6 | all: $(TARGETS)
7 |
8 | clean:
9 | rm -f $(TARGETS)
10 |
--------------------------------------------------------------------------------
/tests/kvercmp:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | function kvercmp()
4 | {
5 | ver1=`echo $1 | sed 's/-/./'`
6 | ver2=`echo $2 | sed 's/-/./'`
7 |
8 | ret=0
9 | i=1
10 | while [ 1 ]; do
11 | digit1=`echo $ver1 | cut -d . -f $i`
12 | digit2=`echo $ver2 | cut -d . -f $i`
13 |
14 | if [ -z "$digit1" ]; then
15 | if [ -z "$digit2" ]; then
16 | ret=0
17 | break
18 | else
19 | ret=-1
20 | break
21 | fi
22 | fi
23 |
24 | if [ -z "$digit2" ]; then
25 | ret=1
26 | break
27 | fi
28 |
29 | if [ "$digit1" != "$digit2" ]; then
30 | if [ "$digit1" -lt "$digit2" ]; then
31 | ret=-1
32 | break
33 | fi
34 | ret=1
35 | break
36 | fi
37 |
38 | i=$((i+1))
39 | done
40 | echo $ret
41 | }
42 |
43 | kvercmp "$1" "$2"
44 |
--------------------------------------------------------------------------------
/tests/link/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | clean:
3 | rm -rf test_dir
4 |
--------------------------------------------------------------------------------
/tests/loop.pl:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 |
3 | $count = shift || 1;
4 |
5 | print "Running all tests $count times\n";
6 |
7 | for ( $i = 0 ; $i < $count ; $i++ ) {
8 | print "$i: ";
9 | $foo = `./runtests.pl`;
10 | if ( $foo =~ m|All tests successful.\n| ) {
11 | print $';
12 | }
13 | else {
14 | print "Tests Failed: $'\n";
15 | }
16 | }
17 |
--------------------------------------------------------------------------------
/tests/mac_admin/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | clean:
3 | rm -rf test_dir test_file
4 |
--------------------------------------------------------------------------------
/tests/mkdir/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | clean:
3 | rm -rf test_dir
4 |
--------------------------------------------------------------------------------
/tests/mmap/.gitignore:
--------------------------------------------------------------------------------
1 | mmap_anon_private
2 | mmap_anon_shared
3 | mmap_file_private
4 | mmap_file_shared
5 | mmap_hugetlb_anon_private
6 | mmap_hugetlb_anon_shared
7 | mmap_zero
8 | mprotect_anon_private
9 | mprotect_anon_shared
10 | mprotect_file_private_execmod
11 | mprotect_file_private_rwx
12 | mprotect_file_private_rx
13 | mprotect_file_shared
14 | mprotect_heap
15 | mprotect_hugetlb_anon_private
16 | mprotect_hugetlb_anon_shared
17 | mprotect_stack
18 | mprotect_stack_thread
19 | shmat
20 |
--------------------------------------------------------------------------------
/tests/mmap/Makefile:
--------------------------------------------------------------------------------
1 | TARGETS=$(patsubst %.c,%,$(wildcard *.c))
2 |
3 | LDLIBS += -lpthread
4 |
5 | all: $(TARGETS)
6 |
7 | clean:
8 | rm -f $(TARGETS) temp_file
9 |
--------------------------------------------------------------------------------
/tests/mmap/mmap_anon_private.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 |
7 | int main(void)
8 | {
9 | char *ptr;
10 |
11 | ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
12 | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
13 | if (ptr == MAP_FAILED) {
14 | perror("mmap");
15 | exit(1);
16 | }
17 | exit(0);
18 | }
19 |
20 |
--------------------------------------------------------------------------------
/tests/mmap/mmap_anon_shared.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 |
7 | int main(void)
8 | {
9 | char *ptr;
10 |
11 | ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
12 | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
13 | if (ptr == MAP_FAILED) {
14 | perror("mmap");
15 | exit(1);
16 | }
17 | exit(0);
18 | }
19 |
20 |
--------------------------------------------------------------------------------
/tests/mmap/mmap_file_private.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
8 | int main(int argc, char **argv)
9 | {
10 | char *ptr;
11 | int fd;
12 |
13 | if (argc != 2) {
14 | fprintf(stderr, "usage: %s file\n", argv[0]);
15 | exit(1);
16 | }
17 |
18 | fd = open(argv[1], O_RDONLY);
19 | if (fd < 0) {
20 | perror(argv[1]);
21 | exit(1);
22 | }
23 |
24 | ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
25 | MAP_PRIVATE, fd, 0);
26 | if (ptr == MAP_FAILED) {
27 | perror("mmap");
28 | close(fd);
29 | exit(1);
30 | }
31 | close(fd);
32 | exit(0);
33 | }
34 |
35 |
--------------------------------------------------------------------------------
/tests/mmap/mmap_file_shared.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 |
9 | void usage(const char *progname)
10 | {
11 | fprintf(stderr, "usage: %s [-r] file\n", progname);
12 | exit(1);
13 | }
14 |
15 | int main(int argc, char **argv)
16 | {
17 | char *ptr;
18 | int fd, opt, prot = PROT_READ | PROT_WRITE | PROT_EXEC;
19 |
20 | while ((opt = getopt(argc, argv, "r")) != -1) {
21 | switch (opt) {
22 | case 'r':
23 | if (personality(READ_IMPLIES_EXEC) == -1) {
24 | perror("personality");
25 | exit(1);
26 | }
27 | prot &= ~PROT_EXEC;
28 | break;
29 | default:
30 | usage(argv[0]);
31 | break;
32 | }
33 | }
34 |
35 | if ((argc - optind) != 1)
36 | usage(argv[0]);
37 |
38 | fd = open(argv[optind], O_RDWR);
39 | if (fd < 0) {
40 | perror(argv[optind]);
41 | exit(1);
42 | }
43 |
44 | ptr = mmap(NULL, 4096, prot, MAP_SHARED, fd, 0);
45 | if (ptr == MAP_FAILED) {
46 | perror("mmap");
47 | close(fd);
48 | exit(1);
49 | }
50 | close(fd);
51 | exit(0);
52 | }
53 |
54 |
--------------------------------------------------------------------------------
/tests/mmap/mmap_hugetlb_anon_private.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include "utils.h"
7 |
8 | #ifndef MAP_HUGETLB
9 | # define MAP_HUGETLB 0x40000
10 | #endif
11 |
12 | int main(void)
13 | {
14 | char *ptr;
15 | long length = getdefaulthugesize();
16 |
17 | ptr = mmap(NULL, length, PROT_READ | PROT_WRITE | PROT_EXEC,
18 | MAP_PRIVATE | MAP_ANONYMOUS | MAP_HUGETLB, -1, 0);
19 | if (ptr == MAP_FAILED) {
20 | perror("mmap");
21 | exit(1);
22 | }
23 | exit(0);
24 | }
25 |
--------------------------------------------------------------------------------
/tests/mmap/mmap_hugetlb_anon_shared.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include "utils.h"
7 |
8 | #ifndef MAP_HUGETLB
9 | # define MAP_HUGETLB 0x40000
10 | #endif
11 |
12 | int main(void)
13 | {
14 | char *ptr;
15 | long length = getdefaulthugesize();
16 |
17 | ptr = mmap(NULL, length, PROT_READ | PROT_WRITE | PROT_EXEC,
18 | MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB, -1, 0);
19 | if (ptr == MAP_FAILED) {
20 | perror("mmap");
21 | exit(1);
22 | }
23 | exit(0);
24 | }
25 |
--------------------------------------------------------------------------------
/tests/mmap/mmap_zero.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 |
7 | int main(void)
8 | {
9 | char *ptr;
10 |
11 | ptr = mmap(0, 4096, PROT_READ | PROT_WRITE,
12 | MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
13 | if (ptr == MAP_FAILED) {
14 | perror("mmap");
15 | exit(1);
16 | }
17 | exit(0);
18 | }
19 |
20 |
--------------------------------------------------------------------------------
/tests/mmap/mprotect_anon_private.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 |
7 | int main(void)
8 | {
9 | char *ptr;
10 | int rc;
11 |
12 | ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1,
13 | 0);
14 | if (ptr == MAP_FAILED) {
15 | perror("mmap");
16 | exit(1);
17 | }
18 |
19 | rc = mprotect(ptr, 4096, PROT_READ | PROT_EXEC);
20 | if (rc < 0) {
21 | perror("mprotect");
22 | exit(1);
23 | }
24 | exit(0);
25 | }
26 |
27 |
--------------------------------------------------------------------------------
/tests/mmap/mprotect_anon_shared.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 |
7 | int main(void)
8 | {
9 | char *ptr;
10 | int rc;
11 |
12 | ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1,
13 | 0);
14 | if (ptr == MAP_FAILED) {
15 | perror("mmap");
16 | exit(1);
17 | }
18 |
19 | rc = mprotect(ptr, 4096, PROT_READ | PROT_EXEC);
20 | if (rc < 0) {
21 | perror("mprotect");
22 | exit(1);
23 | }
24 | exit(0);
25 | }
26 |
27 |
--------------------------------------------------------------------------------
/tests/mmap/mprotect_file_private_execmod.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 |
9 | #ifndef READ_IMPLIES_EXEC
10 | #define READ_IMPLIES_EXEC 0x0400000
11 | #endif
12 |
13 | int main(int argc, char **argv)
14 | {
15 | char *ptr;
16 | int rc;
17 | int fd;
18 |
19 | if (argc != 2) {
20 | fprintf(stderr, "usage: %s file\n", argv[0]);
21 | exit(1);
22 | }
23 |
24 | /* clear READ_IMPLIES_EXEC if present, because it skips
25 | * check for FILE__EXECMOD in selinux_file_mprotect() */
26 | rc = personality(0xffffffff);
27 | if ((rc != -1) && (rc & READ_IMPLIES_EXEC)) {
28 | rc &= ~READ_IMPLIES_EXEC;
29 | personality(rc);
30 | }
31 |
32 | fd = open(argv[1], O_RDONLY);
33 | if (fd < 0) {
34 | perror(argv[1]);
35 | exit(1);
36 | }
37 |
38 | ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd,
39 | 0);
40 | if (ptr == MAP_FAILED) {
41 | perror("mmap");
42 | exit(1);
43 | }
44 |
45 | *((char *)ptr) = 42;
46 |
47 | rc = mprotect(ptr, 4096, PROT_READ | PROT_EXEC);
48 | if (rc < 0) {
49 | perror("mprotect");
50 | exit(1);
51 | }
52 | exit(0);
53 | }
54 |
55 |
--------------------------------------------------------------------------------
/tests/mmap/mprotect_file_private_rwx.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
8 | int main(int argc, char **argv)
9 | {
10 | char *ptr;
11 | int rc;
12 | int fd;
13 |
14 | if (argc != 2) {
15 | fprintf(stderr, "usage: %s file\n", argv[0]);
16 | exit(1);
17 | }
18 |
19 | fd = open(argv[1], O_RDONLY);
20 | if (fd < 0) {
21 | perror(argv[1]);
22 | exit(1);
23 | }
24 |
25 | ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd,
26 | 0);
27 | if (ptr == MAP_FAILED) {
28 | perror("mmap");
29 | exit(1);
30 | }
31 |
32 | rc = mprotect(ptr, 4096, PROT_READ | PROT_WRITE | PROT_EXEC);
33 | if (rc < 0) {
34 | perror("mprotect");
35 | exit(1);
36 | }
37 | exit(0);
38 | }
39 |
40 |
--------------------------------------------------------------------------------
/tests/mmap/mprotect_file_private_rx.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
8 | int main(int argc, char **argv)
9 | {
10 | char *ptr;
11 | int rc;
12 | int fd;
13 |
14 | if (argc != 2) {
15 | fprintf(stderr, "usage: %s file\n", argv[0]);
16 | exit(1);
17 | }
18 |
19 | fd = open(argv[1], O_RDONLY);
20 | if (fd < 0) {
21 | perror(argv[1]);
22 | exit(1);
23 | }
24 |
25 | ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd,
26 | 0);
27 | if (ptr == MAP_FAILED) {
28 | perror("mmap");
29 | exit(1);
30 | }
31 |
32 | rc = mprotect(ptr, 4096, PROT_READ | PROT_EXEC);
33 | if (rc < 0) {
34 | perror("mprotect");
35 | exit(1);
36 | }
37 | exit(0);
38 | }
39 |
40 |
--------------------------------------------------------------------------------
/tests/mmap/mprotect_file_shared.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
8 | int main(int argc, char **argv)
9 | {
10 | char *ptr;
11 | int rc;
12 | int fd;
13 |
14 | if (argc != 2) {
15 | fprintf(stderr, "usage: %s file\n", argv[0]);
16 | exit(1);
17 | }
18 |
19 | fd = open(argv[1], O_RDWR);
20 | if (fd < 0) {
21 | perror(argv[1]);
22 | exit(1);
23 | }
24 |
25 | ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fd,
26 | 0);
27 | if (ptr == MAP_FAILED) {
28 | perror("mmap");
29 | exit(1);
30 | }
31 |
32 | rc = mprotect(ptr, 4096, PROT_READ | PROT_EXEC);
33 | if (rc < 0) {
34 | perror("mprotect");
35 | exit(1);
36 | }
37 | exit(0);
38 | }
39 |
40 |
--------------------------------------------------------------------------------
/tests/mmap/mprotect_heap.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
8 | #ifndef DEFAULT_MMAP_THRESHOLD_MAX
9 | #define DEFAULT_MMAP_THRESHOLD_MAX 512*1024
10 | #endif
11 |
12 | int main(void)
13 | {
14 | void *ptr;
15 | int rc;
16 | int pagesize = getpagesize();
17 |
18 | rc = mallopt(M_MMAP_THRESHOLD, DEFAULT_MMAP_THRESHOLD_MAX);
19 | if (rc != 1) {
20 | fprintf(stderr, "mallopt failed: %d\n", rc);
21 | exit(1);
22 | }
23 |
24 | rc = posix_memalign(&ptr, pagesize, pagesize);
25 | if (rc) {
26 | fprintf(stderr, "posix_memalign failed: %d\n", rc);
27 | exit(1);
28 | }
29 |
30 | rc = mprotect(ptr, pagesize, PROT_READ | PROT_EXEC);
31 | if (rc < 0) {
32 | perror("mprotect");
33 | exit(1);
34 | }
35 | exit(0);
36 | }
37 |
38 |
--------------------------------------------------------------------------------
/tests/mmap/mprotect_hugetlb_anon_private.c:
--------------------------------------------------------------------------------
1 | #include