#define _GNU_SOURCE  /* vasprintf(3) */

#include "test-neverallow.h"

#include "helpers.h"
#include "test-common.h"

#include <sepol/debug.h>
#include <sepol/policydb/link.h>
#include <sepol/policydb/expand.h>

#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
14 
15 extern int mls;
16 
/*
 * Suite set-up hook for the neverallow tests.
 *
 * There is no per-suite state to prepare.
 *
 * @return 0 unconditionally (success)
 */
int neverallow_test_init(void)
{
	/* Nothing to initialize. */
	return 0;
}
21 
/*
 * Suite tear-down hook for the neverallow tests.
 *
 * There is no per-suite state to release.
 *
 * @return 0 unconditionally (success)
 */
int neverallow_test_cleanup(void)
{
	/* Nothing to release. */
	return 0;
}
26 
/*
 * Singly linked list of the messages captured from libsepol through
 * msg_handler().  New entries are pushed at the head, so walking the list
 * from `messages` yields them newest first.
 */
static struct msg_list {
	char *msg;		/* heap-allocated message text, owned by the node */
	struct msg_list *next;	/* next (older) message, or NULL */
} *messages;			/* head of the list; NULL when empty */
31 
/*
 * Release every captured message and leave `messages` empty (NULL).
 *
 * Each node owns its `msg` string (allocated in msg_handler()), so both
 * the text and the node itself are freed.
 */
static void messages_clean(void)
{
	struct msg_list *node;

	for (node = messages; node != NULL; node = messages) {
		/* Unlink first so the head never points at freed memory. */
		messages = node->next;
		free(node->msg);
		free(node);
	}
}
41 
/*
 * Compare the captured messages against an expected list.
 *
 * Walks the message list (head first) in lock-step with `expected` and
 * registers a CUnit failure when the list is shorter, longer, or differs
 * textually from what was expected.  A text mismatch is reported for every
 * position; a list shorter than `count` stops the comparison at the first
 * missing message.  Details are written to stderr to ease diagnosis.
 *
 * @param count     number of entries in `expected`
 * @param expected  message texts in the order they appear in the list
 */
static void messages_check(unsigned count, const char *const expected[count])
{
	const struct msg_list *node = messages;
	unsigned idx = 0;

	while (idx < count) {
		if (node == NULL) {
			CU_FAIL("less messages than expected");
			fprintf(stderr, "\n<expected %u, got %u>\n", count, idx);
			return;
		}

		if (strcmp(expected[idx], node->msg)) {
			CU_FAIL("messages differ from expected");
			fprintf(stderr, "\n<expected: '''%s''', got: '''%s'''>\n", expected[idx], node->msg);
		}

		node = node->next;
		idx++;
	}

	/* Anything still queued means libsepol emitted more than expected. */
	if (node != NULL) {
		CU_FAIL("more messages than expected");
		fprintf(stderr, "\n<expected %u; next message: '''%s'''>\n", count, node->msg);
	}
}
65 
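/*
 * libsepol message callback: capture a formatted message instead of
 * letting libsepol print it.
 *
 * The message is formatted with vasprintf() and pushed at the head of
 * `messages`, so the list ends up newest first.  An allocation failure
 * aborts the current test with CU_FAIL_FATAL().
 *
 * @param varg    callback context (unused)
 * @param handle  libsepol handle (unused)
 * @param fmt     printf-style format string, followed by its arguments
 */
__attribute__ ((format(printf, 3, 4)))
static void msg_handler(void *varg __attribute__ ((unused)),
			sepol_handle_t * handle __attribute__ ((unused)),
			const char *fmt, ...)
{
	char *msg = NULL;
	va_list ap;
	int r;

	va_start(ap, fmt);
	r = vasprintf(&msg, fmt, ap);
	/* Pair va_start() with va_end() before any path that may not return. */
	va_end(ap);
	if (r < 0)
		CU_FAIL_FATAL("oom");

	struct msg_list *node = malloc(sizeof(*node));
	if (!node) {
		/* Do not leak the formatted text on the way out. */
		free(msg);
		CU_FAIL_FATAL("oom");
	}
	node->msg = msg;
	node->next = messages;
	messages = node;
}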
88 
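/* Element count of a real array.  Must not be applied to a pointer or to a
 * function parameter declared as an array (both decay to pointers). */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))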
90 
/*
 * Load the test-neverallow policy, run libsepol's assertion checker on it
 * and verify that exactly the expected neverallow / neverallowxperm
 * violations are reported.
 *
 * Messages are captured through msg_handler(), which pushes each one at
 * the head of the list, so `expected_messages` is in reverse emission
 * order: the summary line matched first is the one libsepol emits last.
 */
static void test_neverallow_basic(void)
{
	policydb_t basemod, base_expanded;
	sepol_handle_t *handle;
	/* Reverse emission order (see above); texts must match byte for byte. */
	static const char *const expected_messages[] = {
		"30 neverallow failures occurred",
		"neverallow on line 53 of policies/test-neverallow/policy.conf.std (or line 53 of policies/test-neverallow/policy.conf.std) violated by allow test1_t test1_t:file { read };",
		"neverallow on line 60 of policies/test-neverallow/policy.conf.std (or line 60 of policies/test-neverallow/policy.conf.std) violated by allow test2_t test2_t:file { read write };",
		"neverallow on line 67 of policies/test-neverallow/policy.conf.std (or line 67 of policies/test-neverallow/policy.conf.std) violated by allow test3_t test3_t:file { read };",
		"neverallow on line 74 of policies/test-neverallow/policy.conf.std (or line 74 of policies/test-neverallow/policy.conf.std) violated by allow test4_t test4_t:file { read };",
		"neverallow on line 81 of policies/test-neverallow/policy.conf.std (or line 81 of policies/test-neverallow/policy.conf.std) violated by allow test5_t test5_t:file { read };",
		"neverallow on line 89 of policies/test-neverallow/policy.conf.std (or line 89 of policies/test-neverallow/policy.conf.std) violated by allow test6_1_t test6_1_t:file { read };",
		"neverallow on line 97 of policies/test-neverallow/policy.conf.std (or line 97 of policies/test-neverallow/policy.conf.std) violated by allow test7_1_t test7_1_t:file { read };",
		"neverallow on line 106 of policies/test-neverallow/policy.conf.std (or line 106 of policies/test-neverallow/policy.conf.std) violated by allow test8_t test8_t:file { write };",
		"neverallow on line 106 of policies/test-neverallow/policy.conf.std (or line 106 of policies/test-neverallow/policy.conf.std) violated by allow test8_t test8_t:file { read };",
		"neverallow on line 115 of policies/test-neverallow/policy.conf.std (or line 115 of policies/test-neverallow/policy.conf.std) violated by allow test9_t test9_t:file { read };",
		"neverallow on line 115 of policies/test-neverallow/policy.conf.std (or line 115 of policies/test-neverallow/policy.conf.std) violated by allow test9_t test9_t:file { write };",
		"neverallow on line 124 of policies/test-neverallow/policy.conf.std (or line 124 of policies/test-neverallow/policy.conf.std) violated by allow test10_1_t test10_1_t:file { read };",
		"neverallow on line 131 of policies/test-neverallow/policy.conf.std (or line 131 of policies/test-neverallow/policy.conf.std) violated by allow test11_t test11_t:process { dyntransition transition };",
		"neverallow on line 143 of policies/test-neverallow/policy.conf.std (or line 143 of policies/test-neverallow/policy.conf.std) violated by allow test12_3_t test12_1_t:file { getattr };",
		"neverallow on line 143 of policies/test-neverallow/policy.conf.std (or line 143 of policies/test-neverallow/policy.conf.std) violated by allow test12_3_t test12_2_t:file { getattr };",
		"neverallow on line 144 of policies/test-neverallow/policy.conf.std (or line 144 of policies/test-neverallow/policy.conf.std) violated by allow test12_3_t test12_1_t:file { open };",
		"neverallow on line 144 of policies/test-neverallow/policy.conf.std (or line 144 of policies/test-neverallow/policy.conf.std) violated by allow test12_2_t test12_1_t:file { open };",
		"neverallow on line 156 of policies/test-neverallow/policy.conf.std (or line 156 of policies/test-neverallow/policy.conf.std) violated by allow test13_1_t test13_1_t:file { read };",
		"neverallowxperm on line 174 of policies/test-neverallow/policy.conf.std (or line 174 of policies/test-neverallow/policy.conf.std) violated by\nallow test15_t test15_t:file { ioctl };",
		"neverallowxperm on line 182 of policies/test-neverallow/policy.conf.std (or line 182 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test16_t test16_t:file ioctl { 0x1111 };",
		"neverallowxperm on line 198 of policies/test-neverallow/policy.conf.std (or line 198 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test18_t test18_t:file ioctl { 0x1111 };",
		"neverallowxperm on line 206 of policies/test-neverallow/policy.conf.std (or line 206 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test19_t test19_t:file ioctl { 0x1111 };",
		"neverallowxperm on line 216 of policies/test-neverallow/policy.conf.std (or line 216 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test20_a test20_a:file ioctl { 0x1111 };",
		"neverallowxperm on line 227 of policies/test-neverallow/policy.conf.std (or line 227 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test21_1_a test21_2_a:file ioctl { 0x1111 };",
		"neverallowxperm on line 237 of policies/test-neverallow/policy.conf.std (or line 237 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test22_t test22_t:file ioctl { 0x1111 };",
		"neverallowxperm on line 247 of policies/test-neverallow/policy.conf.std (or line 247 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test23_t test23_t:file ioctl { 0x1111 };",
		"neverallowxperm on line 257 of policies/test-neverallow/policy.conf.std (or line 257 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test24_t test24_a:file ioctl { 0x1111 };",
		"neverallowxperm on line 267 of policies/test-neverallow/policy.conf.std (or line 267 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test25_t test25_t:file ioctl { 0x1111 };",
		"neverallowxperm on line 277 of policies/test-neverallow/policy.conf.std (or line 277 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test26_a test26_a:file ioctl { 0x1111 };",
		"neverallowxperm on line 277 of policies/test-neverallow/policy.conf.std (or line 277 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test26_a test26_a:file ioctl { 0x1111 };",
	};

	/* base_expanded receives the output of expand_module() below and is
	 * initialized here; basemod is presumably set up by test_load_policy()
	 * — TODO confirm. */
	if (policydb_init(&base_expanded))
		CU_FAIL_FATAL("Failed to initialize policy");

	if (test_load_policy(&basemod, POLICY_BASE, mls, "test-neverallow", "policy.conf"))
		CU_FAIL_FATAL("Failed to load policy");

	if (link_modules(NULL, &basemod, NULL, 0, 0))
		CU_FAIL_FATAL("Failed to link base module");

	if (expand_module(NULL, &basemod, &base_expanded, 0, 0))
		CU_FAIL_FATAL("Failed to expand policy");

	if ((handle = sepol_handle_create()) == NULL)
		CU_FAIL_FATAL("Failed to initialize handle");

	/* Capture libsepol's diagnostics into the message list. */
	sepol_msg_set_callback(handle, msg_handler, NULL);

	/* The policy is expected to violate its own neverallow rules, so the
	 * checker must report failure (-1); any other result is a test failure. */
	if (check_assertions(handle, &base_expanded, base_expanded.global->branch_list->avrules) != -1)
		CU_FAIL("Assertions did not trigger");

	messages_check(ARRAY_SIZE(expected_messages), expected_messages);

	/* Cleanup; presumably not reached on the CU_FAIL_FATAL paths above. */
	sepol_handle_destroy(handle);
	messages_clean();
	policydb_destroy(&basemod);
	policydb_destroy(&base_expanded);
}
156 
/*
 * Register the neverallow tests with the given CUnit suite.
 *
 * neverallow rules operate only on types and are unaffected by MLS, so the
 * expected messages would be identical for the std and mls variants; to
 * avoid maintaining two copies the tests are registered for the non-MLS
 * run only.
 *
 * @param suite  CUnit suite to add the tests to
 * @return 0 on success (or when skipped for MLS); otherwise the CUnit
 *         error code, after the registry has been cleaned up
 */
int neverallow_add_tests(CU_pSuite suite)
{
	if (mls != 0)
		return 0;

	if (CU_add_test(suite, "neverallow_basic", test_neverallow_basic) == NULL) {
		CU_cleanup_registry();
		return CU_get_error();
	}

	return 0;
}