
[2/4] checkpolicy/tests: add test for splitting xperm rule

Message ID 20240408150802.63941-2-cgoettsche@seltendoof.de (mailing list archive)
State New
Delegated to: Petr Lautrbach
Series [1/4] libsepol: improve policy lookup failure message | expand

Commit Message

Christian Göttsche April 8, 2024, 3:08 p.m. UTC
From: Christian Göttsche <cgzones@googlemail.com>

An extended permission rule statement might get split into multiple
access vector rules, due to size limitations.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 checkpolicy/tests/policy_allonce.conf              | 2 +-
 checkpolicy/tests/policy_allonce.expected.conf     | 4 +++-
 checkpolicy/tests/policy_allonce.expected_opt.conf | 4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)

Patch

diff --git a/checkpolicy/tests/policy_allonce.conf b/checkpolicy/tests/policy_allonce.conf
index 34e6402d..54a4c811 100644
--- a/checkpolicy/tests/policy_allonce.conf
+++ b/checkpolicy/tests/policy_allonce.conf
@@ -36,7 +36,7 @@  allow TYPE1 self : CLASS1 { PERM1 };
 auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
 dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
 neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
-allowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x1;
+allowxperm TYPE1 TYPE2 : CLASS1 ioctl { 0x456-0x5678 };
 auditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2;
 dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
 neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;
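Review bot: The range `{ 0x456-0x5678 }` on the new `allowxperm` line is an unexplained magic value, and nothing in policy_allonce.conf says it was chosen to force a split. Judging by the two expected files, it is written out as three rules with boundaries at 0x4ff/0x500 and 0x55ff/0x5600, so a comment above the line would help, for example `# range crosses 0x..00/0x..ff boundaries on both ends, so it is emitted as three allowxperm rules`. Because this is an allow rule, those exact boundaries are what catch a split that widens or drops part of the grant, so it is worth stating that they are deliberate. The test exercises only the three-way split with a partial range at each end. A range that starts on 0x..00 or ends on 0x..ff is not covered and could be added as a second rule if the author considers it a distinct path.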
diff --git a/checkpolicy/tests/policy_allonce.expected.conf b/checkpolicy/tests/policy_allonce.expected.conf
index 63739e1f..aff6bfa3 100644
--- a/checkpolicy/tests/policy_allonce.expected.conf
+++ b/checkpolicy/tests/policy_allonce.expected.conf
@@ -34,7 +34,9 @@  auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
 auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
 dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
 dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
-allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x456-0x4ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x500-0x55ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x5600-0x5678 };
 auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
 dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
 type_transition TYPE1 TYPE2:CLASS1 TYPE3;
diff --git a/checkpolicy/tests/policy_allonce.expected_opt.conf b/checkpolicy/tests/policy_allonce.expected_opt.conf
index 1c969961..335486d1 100644
--- a/checkpolicy/tests/policy_allonce.expected_opt.conf
+++ b/checkpolicy/tests/policy_allonce.expected_opt.conf
@@ -34,7 +34,9 @@  auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
 auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
 dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
 dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
-allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x456-0x4ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x500-0x55ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x5600-0x5678 };
 auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
 dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
 type_transition TYPE1 TYPE2:CLASS1 TYPE3;