1 /******************************************************************************/
2 /* This program is free software;  you can redistribute it and/or modify      */
3 /* it under the terms of the GNU General Public License as published by       */
4 /* the Free Software Foundation; either version 2 of the License, or          */
5 /* (at your option) any later version.                                        */
6 /*                                                                            */
7 /* This program is distributed in the hope that it will be useful,            */
8 /* but WITHOUT ANY WARRANTY;  without even the implied warranty of            */
9 /* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See                  */
10 /* the GNU General Public License for more details.                           */
11 /*                                                                            */
12 /* You should have received a copy of the GNU General Public License          */
13 /* along with this program;  if not, write to the Free Software               */
14 /* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    */
15 /*                                                                            */
16 /******************************************************************************/
17 /*
18  * tomoyo_new_file_test.c
19  *
20  * Testing program for security/tomoyo/
21  *
22  * Copyright (C) 2005-2010  NTT DATA CORPORATION
23  */
24 #include "include.h"
25 
/*
 * Policy line currently under test. It is handed to write_domain_policy()
 * and echoed by show_result() as the label of every result line, so each
 * test step assigns it before the syscall it exercises.
 */
static const char *policy = "";
27 
/*
 * Report the outcome of one access attempt made under the current "policy".
 *
 * @result          return value of the syscall under test; EOF (-1) means it
 *                  failed and errno still holds the reason.
 * @should_success  non-zero when the policy is expected to allow the call,
 *                  zero when the call is expected to be denied.
 *
 * A denied call counts as "OK" only when it failed with EPERM; any other
 * errno is reported as FAILED, and a call that succeeded although it should
 * have been denied is reported as BUG.
 */
static void show_result(int result, char should_success)
{
	/* Snapshot errno before printf() gets a chance to clobber it. */
	const int saved_errno = errno;

	printf("%s : ", policy);

	if (should_success) {
		if (result != EOF)
			printf("OK\n");
		else
			printf("FAILED: %s\n", strerror(saved_errno));
		return;
	}

	/* Denial expected: the call must have failed, and with EPERM. */
	if (result != EOF) {
		printf("BUG: didn't fail.\n");
		return;
	}
	if (saved_errno == EPERM)
		printf("OK: Permission denied.\n");
	else
		printf("FAILED: %s\n", strerror(saved_errno));
}
48 
/*
 * Fixture helper: create an empty regular file at @pathname.
 *
 * The file::create and file::open hooks are moved to profile 0 for the
 * duration of the call and back to profile 3 afterwards (presumably
 * permissive vs. enforcing — confirm against set_profile() in include.h), so
 * fixture setup is never itself subject to the policy under test. errno is
 * cleared at the end so a failed fixture step cannot leak into the next
 * show_result(). The creat() result is deliberately not checked.
 */
static void create2(const char *pathname)
{
	int fd;

	set_profile(0, "file::create");
	set_profile(0, "file::open");
	fd = creat(pathname, 0600);
	close(fd);
	set_profile(3, "file::create");
	set_profile(3, "file::open");
	errno = 0;
}
58 
/*
 * Fixture helper: create directory @pathname with the file::mkdir hook on
 * profile 0, then restore profile 3 and clear errno. The mkdir() result is
 * deliberately ignored (best effort).
 */
static void mkdir2(const char *pathname)
{
	const mode_t mode = 0600;

	set_profile(0, "file::mkdir");
	(void)mkdir(pathname, mode);
	set_profile(3, "file::mkdir");
	errno = 0;
}
66 
/*
 * Fixture helper: remove @pathname with the file::unlink hook on profile 0,
 * then restore profile 3 and clear errno. Failure (e.g. the file was never
 * created) is deliberately ignored.
 */
static void unlink2(const char *pathname)
{
	set_profile(0, "file::unlink");
	(void)unlink(pathname);
	set_profile(3, "file::unlink");
	errno = 0;
}
74 
/*
 * Fixture helper: remove directory @pathname with the file::rmdir hook on
 * profile 0, then restore profile 3 and clear errno. Failure is deliberately
 * ignored.
 */
static void rmdir2(const char *pathname)
{
	set_profile(0, "file::rmdir");
	(void)rmdir(pathname);
	set_profile(3, "file::rmdir");
	errno = 0;
}
82 
/*
 * Fixture helper: create a FIFO at @pathname with the file::mkfifo hook on
 * profile 0, then restore profile 3 and clear errno. The mkfifo() result is
 * deliberately ignored.
 */
static void mkfifo2(const char *pathname)
{
	const mode_t mode = 0600;

	set_profile(0, "file::mkfifo");
	(void)mkfifo(pathname, mode);
	set_profile(3, "file::mkfifo");
	errno = 0;
}
90 
/*
 * Exercise the file:: hooks of the TOMOYO domain that main() put this
 * process into.
 *
 * Every step has the same shape: set "policy" to one allow_* line, add it
 * with write_domain_policy(policy, 0), confirm the matching syscall succeeds
 * (show_result(..., 1)), remove it with write_domain_policy(policy, 1) and
 * confirm the same syscall is now refused with EPERM (show_result(..., 0)).
 * (0 = add / 1 = delete is what the expectations below imply — confirm
 * against write_domain_policy() in include.h.)
 *
 * Fixtures are created with the *2() helpers, which drop the relevant
 * file:: hook to profile 0 while they run so that setup is never subject to
 * the policy being tested.
 *
 * NOTE(review): every fixture lives at a fixed name under /tmp, and the
 * sysctl step writes "32768 61000" to TEST_SYSCTL_PATH (presumably
 * /proc/sys/net/ipv4/ip_local_port_range, per the policy line). Run this
 * only on a dedicated test host; a leftover or foreign entry at any of these
 * names skews the results.
 */
static void stage_file_test(void)
{
	const char buffer[] = "32768 61000";
	int pipe_fd[2] = { EOF, EOF };
	int error = 0;
	int fd;
	char pbuffer[1024];
	struct stat sbuf;
	struct sockaddr_un addr;
	struct ifreq ifreq;
	char *filename = "";
	/* Put every file:: hook on profile 3, the mode the denial cases below rely on. */
	set_profile(3, "file::execute");
	set_profile(3, "file::open");
	set_profile(3, "file::create");
	set_profile(3, "file::unlink");
	set_profile(3, "file::mkdir");
	set_profile(3, "file::rmdir");
	set_profile(3, "file::mkfifo");
	set_profile(3, "file::mksock");
	set_profile(3, "file::truncate");
	set_profile(3, "file::symlink");
	set_profile(3, "file::rewrite");
	set_profile(3, "file::mkblock");
	set_profile(3, "file::mkchar");
	set_profile(3, "file::link");
	set_profile(3, "file::rename");
	set_profile(3, "file::chmod");
	set_profile(3, "file::chown");
	set_profile(3, "file::chgrp");
	set_profile(3, "file::ioctl");
	set_profile(3, "file::chroot");
	set_profile(3, "file::mount");
	set_profile(3, "file::umount");
	set_profile(3, "file::pivot_root");

	/* sysctl: read-only access through allow_read. */
	policy = "allow_read /proc/sys/net/ipv4/ip_local_port_range";
	write_domain_policy(policy, 0);
	show_result(read_sysctl(TEST_SYSCTL_PATH, NULL, 0), 1);
	write_domain_policy(policy, 1);
	show_result(read_sysctl(TEST_SYSCTL_PATH, NULL, 0), 0);

	/* sysctl: write-only access through allow_write. */
	policy = "allow_write /proc/sys/net/ipv4/ip_local_port_range";
	write_domain_policy(policy, 0);
	show_result(write_sysctl(TEST_SYSCTL_PATH, buffer), 1);
	write_domain_policy(policy, 1);
	show_result(write_sysctl(TEST_SYSCTL_PATH, buffer), 0);

	/*
	 * sysctl: both directions through a single allow_read/write line.
	 *
	 * BUG(review): "a && b" evaluates to 0 or 1, never to EOF, so
	 * show_result() cannot observe a failure from this expression; the
	 * deny case below always prints "BUG: didn't fail.". If read_sysctl()
	 * returns 0 on success it also short-circuits past write_sysctl()
	 * entirely. Fold the two results explicitly instead, e.g.
	 * (read_sysctl(...) == EOF || write_sysctl(...) == EOF) ? EOF : 0.
	 */
	policy = "allow_read/write /proc/sys/net/ipv4/ip_local_port_range";
	write_domain_policy(policy, 0);
	show_result(read_sysctl(TEST_SYSCTL_PATH, NULL, 0) &&
	            write_sysctl(TEST_SYSCTL_PATH, buffer), 1);
	write_domain_policy(policy, 1);
	show_result(read_sysctl(TEST_SYSCTL_PATH, NULL, 0) &&
	            write_sysctl(TEST_SYSCTL_PATH, buffer), 0);

	/* uselib(2) is gated by allow_read on the library path. */
	policy = "allow_read /bin/true";
	write_domain_policy(policy, 0);
	show_result(uselib("/bin/true"), 1);
	write_domain_policy(policy, 1);
	show_result(uselib("/bin/true"), 0);

	/*
	 * execve: the child tries to exec /bin/true; on failure it sends its
	 * errno back through the pipe, on success the pipe just closes and the
	 * parent's read() returns 0 bytes, leaving "error" untouched.
	 * stdout/stderr are flushed first so the child cannot re-emit buffered
	 * output.
	 *
	 * NOTE(review): fork() == -1 is not handled — the parent then reads 0
	 * bytes and reports "OK" although nothing was executed. The first child
	 * exits with exit(0) while the second (below) uses _exit(0); _exit() is
	 * the right call after a failed exec in a forked child. "error" is also
	 * not reset between the two runs, so a failure in the first run would be
	 * carried into the second.
	 */
	policy = "allow_execute /bin/true";
	write_domain_policy(policy, 0);
	fflush(stdout);
	fflush(stderr);
	if (pipe(pipe_fd) == -1)
		err(1, "pipe");
	if (fork() == 0) {
		execl("/bin/true", "/bin/true", NULL);
		if (write(pipe_fd[1], &errno, sizeof(errno)) == -1)
			err(1, "write");
		exit(0);
	}
	close(pipe_fd[1]);
	(void)read(pipe_fd[0], &error, sizeof(error));
	close(pipe_fd[0]);
	wait(NULL);
	errno = error;
	show_result(error ? EOF : 0, 1);
	write_domain_policy(policy, 1);
	fflush(stdout);
	fflush(stderr);
	if (pipe(pipe_fd) == -1)
		err(1, "pipe");
	if (fork() == 0) {
		execl("/bin/true", "/bin/true", NULL);
		if (write(pipe_fd[1], &errno, sizeof(errno)) == -1)
			err(1, "write");
		_exit(0);
	}
	close(pipe_fd[1]);
	(void)read(pipe_fd[0], &error, sizeof(error));
	close(pipe_fd[0]);
	wait(NULL);
	errno = error;
	show_result(errno ? EOF : 0, 0);

	/* open(O_RDONLY) on a device node through allow_read. */
	policy = "allow_read /dev/null";
	write_domain_policy(policy, 0);
	fd = open("/dev/null", O_RDONLY);
	show_result(fd, 1);
	if (fd != EOF)
		close(fd);
	write_domain_policy(policy, 1);
	fd = open("/dev/null", O_RDONLY);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);

	/*
	 * NOTE(review): the next three blocks are byte-identical repeats of the
	 * one above; this looks like a copy-paste leftover (an earlier revision
	 * may have varied the path pattern here) — confirm whether intended.
	 */
	policy = "allow_read /dev/null";
	write_domain_policy(policy, 0);
	fd = open("/dev/null", O_RDONLY);
	show_result(fd, 1);
	if (fd != EOF)
		close(fd);
	write_domain_policy(policy, 1);
	fd = open("/dev/null", O_RDONLY);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);

	policy = "allow_read /dev/null";
	write_domain_policy(policy, 0);
	fd = open("/dev/null", O_RDONLY);
	show_result(fd, 1);
	if (fd != EOF)
		close(fd);
	write_domain_policy(policy, 1);
	fd = open("/dev/null", O_RDONLY);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);

	policy = "allow_read /dev/null";
	write_domain_policy(policy, 0);
	fd = open("/dev/null", O_RDONLY);
	show_result(fd, 1);
	if (fd != EOF)
		close(fd);
	write_domain_policy(policy, 1);
	fd = open("/dev/null", O_RDONLY);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);

	/* mknod(S_IFIFO) through allow_mkfifo; file::mkfifo is already on 3 from above. */
	set_profile(3, "file::mkfifo");
	policy = "allow_mkfifo /tmp/mknod_fifo_test 0644";
	write_domain_policy(policy, 0);
	filename = "/tmp/mknod_fifo_test";
	show_result(mknod(filename, S_IFIFO | 0644, 0), 1);
	write_domain_policy(policy, 1);
	unlink2(filename);
	show_result(mknod(filename, S_IFIFO | 0644, 0), 0);

	/*
	 * open(O_WRONLY) on /dev/null with the policy line built at run time in
	 * pbuffer. The stat() result and sbuf are never used (leftover).
	 * snprintf() already NUL-terminates, so the "- 1" only wastes a byte.
	 */
	memset(pbuffer, 0, sizeof(pbuffer));
	memset(&sbuf, 0, sizeof(sbuf));
	filename = "/dev/null";
	stat(filename, &sbuf);
	snprintf(pbuffer, sizeof(pbuffer) - 1, "allow_write %s", filename);
	policy = pbuffer;
	write_domain_policy(policy, 0);
	fd = open(filename, O_WRONLY);
	show_result(fd, 1);
	if (fd != EOF)
		close(fd);
	write_domain_policy(policy, 1);
	fd = open(filename, O_WRONLY);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);

	/*
	 * FIFO opened O_RDWR (on Linux this does not block waiting for a peer).
	 * The FIFO itself is left behind; nothing removes /tmp/fifo afterwards.
	 */
	policy = "allow_read/write /tmp/fifo";
	mkfifo2("/tmp/fifo");
	write_domain_policy(policy, 0);
	fd = open("/tmp/fifo", O_RDWR);
	show_result(fd, 1);
	if (fd != EOF)
		close(fd);
	write_domain_policy(policy, 1);
	fd = open("/tmp/fifo", O_RDWR);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);

	/* /dev/null: read, write and read/write each through the matching line. */
	policy = "allow_read /dev/null";
	write_domain_policy(policy, 0);
	fd = open("/dev/null", O_RDONLY);
	show_result(fd, 1);
	if (fd != EOF)
		close(fd);
	write_domain_policy(policy, 1);
	fd = open("/dev/null", O_RDONLY);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);

	policy = "allow_write /dev/null";
	write_domain_policy(policy, 0);
	fd = open("/dev/null", O_WRONLY);
	show_result(fd, 1);
	if (fd != EOF)
		close(fd);
	write_domain_policy(policy, 1);
	fd = open("/dev/null", O_WRONLY);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);

	policy = "allow_read/write /dev/null";
	write_domain_policy(policy, 0);
	fd = open("/dev/null", O_RDWR);
	show_result(fd, 1);
	if (fd != EOF)
		close(fd);
	write_domain_policy(policy, 1);
	fd = open("/dev/null", O_RDWR);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);

	/*
	 * open(O_CREAT | O_EXCL) needs both allow_create and allow_write. The
	 * two blocks below add both, then drop one of them at a time: first
	 * allow_write (the current "policy"), then allow_create.
	 */
	policy = "allow_create /tmp/open_test 0644";
	write_domain_policy(policy, 0);
	policy = "allow_write /tmp/open_test";
	write_domain_policy(policy, 0);
	fd = open("/tmp/open_test", O_WRONLY | O_CREAT | O_EXCL, 0644);
	show_result(fd, 1);
	if (fd != EOF)
		close(fd);
	unlink2("/tmp/open_test");
	write_domain_policy(policy, 1);
	fd = open("/tmp/open_test", O_WRONLY | O_CREAT | O_EXCL, 0644);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);
	unlink2("/tmp/open_test");

	policy = "allow_create /tmp/open_test 0644";
	write_domain_policy(policy, 1);

	policy = "allow_write /tmp/open_test";
	write_domain_policy(policy, 0);
	policy = "allow_create /tmp/open_test 0644";
	write_domain_policy(policy, 0);
	fd = open("/tmp/open_test", O_WRONLY | O_CREAT | O_EXCL, 0644);
	show_result(fd, 1);
	if (fd != EOF)
		close(fd);
	unlink2("/tmp/open_test");
	write_domain_policy(policy, 1);
	fd = open("/tmp/open_test", O_WRONLY | O_CREAT | O_EXCL, 0644);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);
	unlink2("/tmp/open_test");
	policy = "allow_write /tmp/open_test";
	write_domain_policy(policy, 1);

	/*
	 * open(O_TRUNC) needs allow_truncate and allow_write; same two-permutation
	 * structure as the create test above, on a pre-created fixture file.
	 */
	filename = "/tmp/truncate_test";
	create2(filename);

	policy = "allow_truncate /tmp/truncate_test";
	write_domain_policy(policy, 0);
	policy = "allow_write /tmp/truncate_test";
	write_domain_policy(policy, 0);
	fd = open(filename, O_WRONLY | O_TRUNC);
	show_result(fd, 1);
	if (fd != EOF)
		close(fd);
	write_domain_policy(policy, 1);
	fd = open(filename, O_WRONLY | O_TRUNC);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);
	policy = "allow_truncate /tmp/truncate_test";
	write_domain_policy(policy, 1);

	policy = "allow_write /tmp/truncate_test";
	write_domain_policy(policy, 0);
	policy = "allow_truncate /tmp/truncate_test";
	write_domain_policy(policy, 0);
	fd = open(filename, O_WRONLY | O_TRUNC);
	show_result(fd, 1);
	if (fd != EOF)
		close(fd);
	write_domain_policy(policy, 1);
	fd = open(filename, O_WRONLY | O_TRUNC);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);
	policy = "allow_write /tmp/truncate_test";
	write_domain_policy(policy, 1);

	/* truncate(2) by path needs only allow_truncate. */
	policy = "allow_truncate /tmp/truncate_test";
	write_domain_policy(policy, 0);
	show_result(truncate(filename, 0), 1);
	write_domain_policy(policy, 1);
	show_result(truncate(filename, 0), 0);

	/*
	 * ftruncate(2) on an already-open descriptor: the open itself is done
	 * with file::open on profile 0 so only the truncate hook is exercised.
	 * NOTE(review): if that open still fails, fd is -1 and both ftruncate()
	 * calls report EBADF, i.e. FAILED rather than EPERM.
	 */
	policy = "allow_truncate /tmp/truncate_test";
	write_domain_policy(policy, 0);
	set_profile(0, "file::open");
	fd = open(filename, O_WRONLY);
	set_profile(3, "file::open");
	show_result(ftruncate(fd, 0), 1);
	write_domain_policy(policy, 1);
	show_result(ftruncate(fd, 0), 0);
	if (fd != EOF)
		close(fd);

	unlink2(filename);

	/* mknod(2) for each inode type: reg, chr, blk, fifo, sock. */
	policy = "allow_create /tmp/mknod_reg_test 0644";
	write_domain_policy(policy, 0);
	filename = "/tmp/mknod_reg_test";
	show_result(mknod(filename, S_IFREG | 0644, 0), 1);
	write_domain_policy(policy, 1);
	unlink2(filename);
	show_result(mknod(filename, S_IFREG | 0644, 0), 0);

	/* The "1 3" / "1 0" in the policy lines are the major/minor passed to MKDEV(). */
	policy = "allow_mkchar /tmp/mknod_chr_test 0644 1 3";
	write_domain_policy(policy, 0);
	filename = "/tmp/mknod_chr_test";
	show_result(mknod(filename, S_IFCHR | 0644, MKDEV(1, 3)), 1);
	write_domain_policy(policy, 1);
	unlink2(filename);
	show_result(mknod(filename, S_IFCHR | 0644, MKDEV(1, 3)), 0);

	policy = "allow_mkblock /tmp/mknod_blk_test 0644 1 0";
	write_domain_policy(policy, 0);
	filename = "/tmp/mknod_blk_test";
	show_result(mknod(filename, S_IFBLK | 0644, MKDEV(1, 0)), 1);
	write_domain_policy(policy, 1);
	unlink2(filename);
	show_result(mknod(filename, S_IFBLK | 0644, MKDEV(1, 0)), 0);

	policy = "allow_mkfifo /tmp/mknod_fifo_test 0644";
	write_domain_policy(policy, 0);
	filename = "/tmp/mknod_fifo_test";
	show_result(mknod(filename, S_IFIFO | 0644, 0), 1);
	write_domain_policy(policy, 1);
	unlink2(filename);
	show_result(mknod(filename, S_IFIFO | 0644, 0), 0);

	policy = "allow_mksock /tmp/mknod_sock_test 0644";
	write_domain_policy(policy, 0);
	filename = "/tmp/mknod_sock_test";
	show_result(mknod(filename, S_IFSOCK | 0644, 0), 1);
	write_domain_policy(policy, 1);
	unlink2(filename);
	show_result(mknod(filename, S_IFSOCK | 0644, 0), 0);

	/* Directories carry a trailing '/' in the policy line but not in the syscall path. */
	policy = "allow_mkdir /tmp/mkdir_test/ 0600";
	write_domain_policy(policy, 0);
	filename = "/tmp/mkdir_test";
	show_result(mkdir(filename, 0600), 1);
	write_domain_policy(policy, 1);
	rmdir2(filename);
	show_result(mkdir(filename, 0600), 0);

	policy = "allow_rmdir /tmp/rmdir_test/";
	write_domain_policy(policy, 0);
	filename = "/tmp/rmdir_test";
	mkdir2(filename);
	show_result(rmdir(filename), 1);
	write_domain_policy(policy, 1);
	mkdir2(filename);
	show_result(rmdir(filename), 0);
	rmdir2(filename);

	policy = "allow_unlink /tmp/unlink_test";
	write_domain_policy(policy, 0);
	filename = "/tmp/unlink_test";
	create2(filename);
	show_result(unlink(filename), 1);
	write_domain_policy(policy, 1);
	create2(filename);
	show_result(unlink(filename), 0);
	unlink2(filename);

	/*
	 * symlink(2) is gated on the link name, not the target.
	 * NOTE(review): this block is repeated five times verbatim; as with the
	 * /dev/null repeats above, confirm whether the duplicates are intended.
	 */
	policy = "allow_symlink /tmp/symlink_source_test";
	write_domain_policy(policy, 0);
	filename = "/tmp/symlink_source_test";
	show_result(symlink("/tmp/symlink_dest_test", filename), 1);
	write_domain_policy(policy, 1);
	unlink2(filename);
	show_result(symlink("/tmp/symlink_dest_test", filename), 0);

	policy = "allow_symlink /tmp/symlink_source_test";
	write_domain_policy(policy, 0);
	filename = "/tmp/symlink_source_test";
	show_result(symlink("/tmp/symlink_dest_test", filename), 1);
	write_domain_policy(policy, 1);
	unlink2(filename);
	show_result(symlink("/tmp/symlink_dest_test", filename), 0);

	policy = "allow_symlink /tmp/symlink_source_test";
	write_domain_policy(policy, 0);
	filename = "/tmp/symlink_source_test";
	show_result(symlink("/tmp/symlink_dest_test", filename), 1);
	write_domain_policy(policy, 1);
	unlink2(filename);
	show_result(symlink("/tmp/symlink_dest_test", filename), 0);

	policy = "allow_symlink /tmp/symlink_source_test";
	write_domain_policy(policy, 0);
	filename = "/tmp/symlink_source_test";
	show_result(symlink("/tmp/symlink_dest_test", filename), 1);
	write_domain_policy(policy, 1);
	unlink2(filename);
	show_result(symlink("/tmp/symlink_dest_test", filename), 0);

	policy = "allow_symlink /tmp/symlink_source_test";
	write_domain_policy(policy, 0);
	filename = "/tmp/symlink_source_test";
	show_result(symlink("/tmp/symlink_dest_test", filename), 1);
	write_domain_policy(policy, 1);
	unlink2(filename);
	show_result(symlink("/tmp/symlink_dest_test", filename), 0);

	/* link(2) and rename(2) take both the old and the new path in the policy line. */
	policy = "allow_link /tmp/link_source_test /tmp/link_dest_test";
	write_domain_policy(policy, 0);
	filename = "/tmp/link_source_test";
	create2(filename);
	show_result(link(filename, "/tmp/link_dest_test"), 1);
	write_domain_policy(policy, 1);
	unlink2("/tmp/link_dest_test");
	show_result(link(filename, "/tmp/link_dest_test"), 0);
	unlink2(filename);

	policy = "allow_rename /tmp/rename_source_test /tmp/rename_dest_test";
	write_domain_policy(policy, 0);
	filename = "/tmp/rename_source_test";
	create2(filename);
	show_result(rename(filename, "/tmp/rename_dest_test"), 1);
	write_domain_policy(policy, 1);
	unlink2("/tmp/rename_dest_test");
	create2(filename);
	show_result(rename(filename, "/tmp/rename_dest_test"), 0);
	unlink2(filename);

	/*
	 * bind(2) on a unix socket creates the socket inode, i.e. file::mksock.
	 * addr is zeroed first, so the bounded strncpy() stays NUL-terminated.
	 * NOTE(review): socket() is unchecked; with fd == -1 bind() fails with
	 * EBADF and the expected-OK case prints FAILED.
	 */
	policy = "allow_mksock /tmp/socket_test 0755";
	write_domain_policy(policy, 0);
	filename = "/tmp/socket_test";
	memset(&addr, 0, sizeof(addr));
	addr.sun_family = AF_UNIX;
	strncpy(addr.sun_path, filename, sizeof(addr.sun_path) - 1);
	fd = socket(AF_UNIX, SOCK_STREAM, 0);
	show_result(bind(fd, (struct sockaddr *)&addr, sizeof(addr)), 1);
	if (fd != EOF)
		close(fd);
	write_domain_policy(policy, 1);
	unlink2(filename);
	fd = socket(AF_UNIX, SOCK_STREAM, 0);
	show_result(bind(fd, (struct sockaddr *)&addr, sizeof(addr)), 0);
	if (fd != EOF)
		close(fd);

	/*
	 * deny_rewrite (an exception-policy line) on a file that is otherwise
	 * readable, writable and truncatable. The expectations below spell out
	 * what "rewrite" means: reads and append-only writes stay allowed,
	 * while plain O_WRONLY, O_TRUNC, truncate()/ftruncate() and clearing
	 * O_APPEND with fcntl() are refused.
	 */
	filename = "/tmp/rewrite_test";
	create2(filename);
	policy = "allow_read/write /tmp/rewrite_test";
	write_domain_policy(policy, 0);
	write_exception_policy("deny_rewrite /tmp/rewrite_test", 0);
	policy = "allow_truncate /tmp/rewrite_test";
	write_domain_policy(policy, 0);

	fd = open(filename, O_RDONLY);
	show_result(fd, 1);
	if (fd != EOF)
		close(fd);

	fd = open(filename, O_WRONLY | O_APPEND);
	show_result(fd, 1);
	if (fd != EOF)
		close(fd);

	fd = open(filename, O_WRONLY);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);

	fd = open(filename, O_WRONLY | O_TRUNC);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);

	fd = open(filename, O_WRONLY | O_TRUNC | O_APPEND);
	show_result(fd, 0);
	if (fd != EOF)
		close(fd);

	show_result(truncate(filename, 0), 0);

	/* Append-only descriptor obtained with file::open disabled; only the truncate/rewrite hooks are under test. */
	set_profile(0, "file::open");
	fd = open(filename, O_WRONLY | O_APPEND);
	set_profile(3, "file::open");
	show_result(ftruncate(fd, 0), 0);

	/* Dropping O_APPEND would turn the descriptor into a rewriting one, so it must be refused as well. */
	show_result(fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_APPEND), 0);
	if (fd != EOF)
		close(fd);

	write_domain_policy(policy, 1);

	policy = "allow_read/write /tmp/rewrite_test";
	write_domain_policy(policy, 1);
	write_exception_policy("deny_rewrite /tmp/rewrite_test", 1);

	unlink2(filename);

	/*
	 * ioctl on a UDP socket (family=2/type=2/protocol=17 in the policy
	 * string, i.e. AF_INET/SOCK_DGRAM/UDP). Request 35123 (0x8933,
	 * SIOCGIFINDEX on Linux) lies inside the allowed range 35122-35124 and
	 * outside the replacement range 0-35122.
	 * NOTE(review): socket() is unchecked here too; fd == -1 turns the
	 * expected-OK case into EBADF/FAILED.
	 */
	policy = "allow_ioctl socket:[family=2:type=2:protocol=17] "
	    "35122-35124";
	write_domain_policy(policy, 0);
	fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP);
	memset(&ifreq, 0, sizeof(ifreq));
	snprintf(ifreq.ifr_name, sizeof(ifreq.ifr_name) - 1, "lo");
	show_result(ioctl(fd, 35123, &ifreq), 1);
	write_domain_policy(policy, 1);
	policy = "allow_ioctl " "socket:[family=2:type=2:protocol=17] 0-35122";
	write_domain_policy(policy, 0);
	show_result(ioctl(fd, 35123, &ifreq), 0);
	write_domain_policy(policy, 1);
	if (fd != EOF)
		close(fd);
}
615 
/*
 * Entry point: set up the test domain, run the file-access checks, and put
 * the domain back on profile 0.
 *
 * The fprintf() calls drive TOMOYO's policy interface through the
 * domain_fp/profile_fp streams (presumably opened by tomoyo_test_init(),
 * which is provided by include.h together with self_domain and pid — confirm
 * there). argc/argv are unused.
 *
 * NOTE(review): nothing flushes domain_fp/profile_fp before
 * stage_file_test() starts issuing syscalls; presumably the streams are
 * unbuffered or write_domain_policy() flushes them — confirm.
 */
int main(int argc, char *argv[])
{
	tomoyo_test_init();
	/* Domain "<self_domain> /bin/true" on profile 255, then select this pid so later writes edit it. */
	fprintf(domain_fp, "%s /bin/true\n", self_domain);
	fprintf(domain_fp, "use_profile 255\n");
	fprintf(domain_fp, "select pid=%u\n", pid);
	/* Bound the reject log so the many expected EPERMs below do not flood it. */
	fprintf(profile_fp, "255-PREFERENCE::audit={ max_reject_log=1024 }\n");
	stage_file_test();
	fprintf(domain_fp, "use_profile 0\n");
	clear_status();
	return 0;
}