From: "Christian Göttsche" <cgoettsche@seltendoof.de>
To: selinux@vger.kernel.org
Cc: "Christian Göttsche" <cgzones@googlemail.com>
Subject: [PATCH 2/4] checkpolicy/tests: add test for splitting xperm rule
Date: Mon,  8 Apr 2024 17:08:00 +0200
Message-ID: <20240408150802.63941-2-cgoettsche@seltendoof.de>
In-Reply-To: <20240408150802.63941-1-cgoettsche@seltendoof.de>

From: Christian Göttsche <cgzones@googlemail.com>

An extended permission rule statement might get split into multiple
access vector rules, due to size limitations.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 checkpolicy/tests/policy_allonce.conf              | 2 +-
 checkpolicy/tests/policy_allonce.expected.conf     | 4 +++-
 checkpolicy/tests/policy_allonce.expected_opt.conf | 4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/checkpolicy/tests/policy_allonce.conf b/checkpolicy/tests/policy_allonce.conf
index 34e6402d..54a4c811 100644
--- a/checkpolicy/tests/policy_allonce.conf
+++ b/checkpolicy/tests/policy_allonce.conf
@@ -36,7 +36,7 @@ allow TYPE1 self : CLASS1 { PERM1 };
 auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
 dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
 neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
-allowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x1;
+allowxperm TYPE1 TYPE2 : CLASS1 ioctl { 0x456-0x5678 };
 auditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2;
 dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
 neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;
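Review bot: The replaced line `allowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x1;` was the only allowxperm rule visible in this hunk, so the bare single-value form is no longer exercised for allowxperm (it survives only for auditallowxperm, dontauditxperm and neverallowxperm). Consider adding the range rule as an extra line instead of replacing the old one, so both forms stay covered. A short `#` comment above the new rule saying why 0x456-0x5678 was chosen (it starts and ends in the middle of a 0x100 block and spans whole blocks in between) would also help, since the value otherwise looks arbitrary.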
diff --git a/checkpolicy/tests/policy_allonce.expected.conf b/checkpolicy/tests/policy_allonce.expected.conf
index 63739e1f..aff6bfa3 100644
--- a/checkpolicy/tests/policy_allonce.expected.conf
+++ b/checkpolicy/tests/policy_allonce.expected.conf
@@ -34,7 +34,9 @@ auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
 auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
 dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
 dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
-allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x456-0x4ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x500-0x55ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x5600-0x5678 };
 auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
 dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
 type_transition TYPE1 TYPE2:CLASS1 TYPE3;
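Review bot: The three added `allowxperm` lines pin the exact split points (0x4ff/0x500 and 0x55ff/0x5600), but neither the file nor the commit message says where those boundaries come from; "size limitations" is the only explanation given. Please name the limit in the commit message so that a later change to the splitting logic can be judged against the intent instead of against these literal strings. It is also worth stating there that the three ranges are contiguous and non-overlapping and that their union is exactly the source range 0x456-0x5678, because that is the property a policy reviewer cares about: the split must neither widen nor narrow what is allowed.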
diff --git a/checkpolicy/tests/policy_allonce.expected_opt.conf b/checkpolicy/tests/policy_allonce.expected_opt.conf
index 1c969961..335486d1 100644
--- a/checkpolicy/tests/policy_allonce.expected_opt.conf
+++ b/checkpolicy/tests/policy_allonce.expected_opt.conf
@@ -34,7 +34,9 @@ auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
 auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
 dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
 dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
-allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x456-0x4ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x500-0x55ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x5600-0x5678 };
 auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
 dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
 type_transition TYPE1 TYPE2:CLASS1 TYPE3;
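Review bot: The three added lines here are identical to those added to policy_allonce.expected.conf, so this case does not exercise any difference between the optimized and non-optimized output. If the optimizer is expected to leave the three adjacent ranges as separate rules, say so in the commit message. If the goal is also to test optimization of split xperm rules, add a second source rule for the same source, target and class whose range is already contained in 0x456-0x5678, so the two expected files would diverge when it is dropped.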
-- 
2.43.0
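
An added illustration of the split the commit message describes, not code from this patch or from checkpolicy: each access vector rule stores one 256-bit bitmap, read either as the function numbers (low byte) within one driver (high byte) or as a set of whole drivers, so a range that crosses driver boundaries needs several rules. The function and type names are hypothetical, and only a single contiguous range is handled.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for illustration; not checkpolicy or libsepol code. */
enum xp_kind { XP_FUNCTION, XP_DRIVER };

struct xp_rule {
    enum xp_kind kind;  /* how the rule's 256-bit bitmap is interpreted */
    uint16_t low, high; /* inclusive ioctl command range the rule covers */
};

/* Split one contiguous range [low, high] into rules that each fit a single
 * 256-bit bitmap. Returns the number of rules written (0 to 3). */
static int split_ioctl_range(uint16_t low, uint16_t high, struct xp_rule out[3])
{
    unsigned cur = low, end = high, stop;
    int n = 0;

    if (low > high)
        return 0;
    if (cur & 0xff) { /* leading partial driver: does not start at 0x00 */
        stop = (cur | 0xff) < end ? (cur | 0xff) : end;
        out[n++] = (struct xp_rule){ XP_FUNCTION, (uint16_t)cur, (uint16_t)stop };
        cur = stop + 1;
    }
    if (cur <= end && end - cur >= 0xff) { /* run of complete drivers */
        stop = (end & 0xff) == 0xff ? end : (end & ~0xffu) - 1;
        out[n++] = (struct xp_rule){ XP_DRIVER, (uint16_t)cur, (uint16_t)stop };
        cur = stop + 1;
    }
    if (cur <= end) /* trailing partial driver */
        out[n++] = (struct xp_rule){ XP_FUNCTION, (uint16_t)cur, (uint16_t)end };
    return n;
}

int main(void)
{
    struct xp_rule r[3];
    int n = split_ioctl_range(0x456, 0x5678, r); /* range from the patch */

    for (int i = 0; i < n; i++)
        printf("allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x%x-0x%x }; # %s bitmap\n",
               r[i].low, r[i].high,
               r[i].kind == XP_DRIVER ? "driver" : "function");
    return 0;
}
```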


Thread overview: 6+ messages
2024-04-08 15:07 [PATCH 1/4] libsepol: improve policy lookup failure message Christian Göttsche
2024-04-08 15:08 ` Christian Göttsche [this message]
2024-04-08 15:08 ` [PATCH 3/4] checkpolicy: declare file local variable static Christian Göttsche
2024-04-08 15:08 ` [PATCH 4/4] checkpolicy: drop global policyvers variable Christian Göttsche
2024-04-22 20:48 ` [PATCH 1/4] libsepol: improve policy lookup failure message James Carter
2024-05-02 18:03   ` James Carter
