diff --git a/autotests/folding/test.cil.fold b/autotests/folding/test.cil.fold
--- a/autotests/folding/test.cil.fold
+++ b/autotests/folding/test.cil.fold
@@ -48,7 +48,7 @@
 (classcommon file any dir)
 (file any dir)
 ; portcon
-(portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
+(portcon sctp 3333 (unconfined.user object_r unconfined.object levelrange_1))
 (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
 (defaultrole tcp udp)
 (tcp udp)
@@ -58,7 +58,7 @@
 (fsuse trans tmpfs file.tmpfs_context)
 (typemember xattr task trans)
 (xattr task trans)
-
+
 (allow unconfined.process self (file (read write)))
 (allow process httpd.object (file (read write)))
@@ -142,3 +142,12 @@
 (genfscon rootfs / rootfs_context)
 (genfscon selinuxfs / selinuxfs_context)
 )
+
+; ioctl & call
+(allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF))) ; ioctl kind
+(ioctl read
+ find connectto) ; kind or permission?
+(ioctl read find connectto) ; ioctl permission
+(ioctl read )
+(call ioctl read find connectto) ; statement or permission?
+( call ) ; call permission
diff --git a/autotests/folding/test.fc.fold b/autotests/folding/test.fc.fold
--- a/autotests/folding/test.fc.fold
+++ b/autotests/folding/test.fc.fold
@@ -56,6 +56,14 @@
 /run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
 ')
+# Android file contexts
+
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+* u:object_r:default_android_hwservice:s0
+ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
+sys.usb.mtp.device_type u:object_r:exported2_system_prop:s0 exact int
+
 # Tests
 # Variables
diff --git a/autotests/folding/test.te.fold b/autotests/folding/test.te.fold
new file mode 100644
--- /dev/null
+++ b/autotests/folding/test.te.fold
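Review bot: The heading `+# Android file contexts` in the test.fc.fold hunk mislabels the five entries below it: the `android.hardware.light::ILight …` and `*` lines appear to be in hwservice_contexts form, and the `ro.boot.bootloader … exact string` / `sys.usb.mtp.device_type … exact int` lines in property_contexts form, none of which is a file_contexts entry. As this is a highlighting fixture the mixing is presumably intentional, but a reader comparing the fold output against the format will be misled, so the comment should name what the block actually holds, e.g. `# Android hwservice and property contexts`. Since the .fold file is reference output, the wording fix belongs in the corresponding input fixture and the reference should then be regenerated rather than hand-edited.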
@@ -0,0 +1,125 @@
+# Sample SELinux Policy
+
+## >
+## Sample SELinux Policy
+##
+## >
+## >
+## This module is not functional,
+## but only to test the syntax highlighting.
+##
+##
+## val="true">
+## Depended on by other required modules.
+##
+
+policycap open_perms;
+module myapp 1.0;
+
+require {
+ type httpd_t;
+ type httpd_sys_content_t;
+ type initrc_t;
+ class sock_file write;
+ class unix_stream_socket connectto;
+}
+
+allow httpd_t httpd_sys_content_t:sock_file write;
+allow httpd_t initrc_t:unix_stream_socket connectto;
+
+tunable_policy(`allow_execmem',`
+ /usr/share/holas(/.*)? -- gen_context(system_u:object_r:holas_t,s0);
+')
+regexp(`GNUs not Unix', `\w\(\w+\)$', `*** \& *** \1 ***')
+ifdef(`distro_ubuntu',`
+ unconfined_domain(chkpwd_t)
+')
+
+dominance { gen_dominance(0,decr($1)) };
+neverallow user=_isolated domain=((?!isolated_app).)*
+
+allow consoletype_t self:capability { sys_admin sys_tty_config };
+allow consoletype_t self:msg { send receive };
+
+# sample for administrative user
+user jadmin roles { staff_r sysadm_r };
+# sample for regular user
+user jdoe roles { user_r };
+
+default_user process source;
+default_range process source low;
+
+sid devnull;
+sid sysctl;
+
+common file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton };
+class dir inherits file { add_name remove_name reparent search rmdir open audit_access execmod };
+class class;
+
+sensitivity s0 alias sens0;
+category c0 alias cat0;
+level s0:c0;
+
+mlsconstrain dir { search read ioctl lock }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+attribute_role dpkg_roles;
+roleattribute system_r dpkg_roles;
+
+role system_r types system_t;
+role_transition hello init_script_file_type system_r;
+
+attribute filesystem_type;
+type dhcp_etc_t;
+typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
+
+bool le_boolean true;
+TUNABLE 
allow_java_execstack false;
+
+type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
+AUDITALLOW xserver_t { root_xdrawable_t x_domain }:x_drawable send;
+
+optional {
+ neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+ neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+};
+
+if le_boolean {
+ DONTAUDIT untrusted_app asec_public_file:file { execute execmod };
+} else {
+ ALLOW untrusted_app perfprofd_data_file:file r_file_perms;
+ allow untrusted_app perfprofd_data_file:dir r_dir_perms;
+};
+
+sid devnull system_u:object_r:null_device_t:s0
+genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
+genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+
+genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+fs_use_trans devtmpfs system_u:object_r:device_t:s0;
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+
+portcon tcp 80 u:object_r:http_port:s0;
+portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0);
+netifcon $2 gen_context(system_u:object_r:$1,$3) gen_context(system_u:object_r:unlabeled_t,$3);
+
+nodecon 2001:0DB8:AC10:FE01:: 2001:0DE0:DA88:2222:: system_u:object_r:hello_t:s0;
+nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0;
+
+# Regular Expressions
+regexp(`Hello(!|\^\^)+', `
+ ^\s*(?\.)
+ (
+ hello[^\s\x12/][1-9]*| # Hello
+ bye
+ )\s*$
+')
+"aaaa(?=
+sdf sdf)ds(aa
+ aa)"
+"sdf[^
+a]"
diff --git a/autotests/html/test.cil.html b/autotests/html/test.cil.html
--- a/autotests/html/test.cil.html
+++ b/autotests/html/test.cil.html
@@ -8,7 +8,7 @@
 ; Tests
-(policycap open_perms) ; Policy config. statement
+(policycap open_perms) ; Policy config. statement
 (mls true)
 (handleunknown allow)
@@ -49,12 +49,12 @@
 ; filecon
 (filecon "/system/bin/run-as" file runas_exec_context)
-(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
+(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
 (filecon "/data/local/mine" dir ())
 (classcommon file any dir)
 (file any dir)
 ; portcon
-(portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
+(portcon sctp 3333 (unconfined.user object_r unconfined.object levelrange_1))
 (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
 (defaultrole tcp udp)
 (tcp udp)
@@ -64,16 +64,16 @@
 (fsuse trans tmpfs file.tmpfs_context)
 (typemember xattr task trans)
 (xattr task trans)
-
+
 (allow unconfined.process self (file (read write)))
 (allow process httpd.object (file (read write)))
 ; Paths
-"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
-"/pa\12th.*a+b?"
-/usr/hi\"esc\032esc\*3es{2,2}ds
-"/data/(open "
-"/data/[open "
+"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
+"/pa\12th.*a+b?"
+/usr/hi\"esc\032esc\*3es{2,2}ds
+"/data/(open "
+"/data/[open "
 ; Some rules
@@ -90,14 +90,14 @@
 (allowx type_3 type_4 ioctl_nodebug)
 (dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF)))
-(class property_service (set))
+(class property_service (set))
 (block av_rules
 (type type_1)
 (type type_2)
 (typeattribute all_types)
 (typeattributeset all_types ((all)))
- (neverallow type_2 all_types (property_service (set)))
+ (neverallow type_2 all_types (property_service (set)))
 )
 (macro binder_call ((type ARG1) (type ARG2))
 (allow ARG1 ARG2 (binder (transfer call)))
@@ -148,4 +148,13 @@
 (genfscon rootfs / rootfs_context)
 (genfscon selinuxfs / selinuxfs_context)
 )
+
+; ioctl & call
+(allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF))) ; ioctl kind
+(ioctl read
+ find connectto) ; kind or permission?
+(ioctl read find connectto) ; ioctl permission
+(ioctl read )
+(call ioctl read find connectto) ; statement or permission?
+( call ) ; call permission
> +## This module is not functional, +## but only to test the syntax highlighting. +##