int main(int argc, char *argv[])
{
tomoyo_test_init();
fprintf(profile_fp, "255-PREFERENCE::learning={ verbose=no }\n");
fprintf(profile_fp, "255-PREFERENCE::enforcing={ verbose=no }\n");
fprintf(profile_fp, "255-PREFERENCE::permissive={ verbose=no }\n");
fprintf(profile_fp, "255-PREFERENCE::disabled={ verbose=no }\n");
set_profile(0, "file");
fprintf(profile_fp, "255-PREFERENCE::learning={ max_entry=2048 }\n");
{
int append_loop;
for (append_loop = 0; append_loop < 2; append_loop++) {
int truncate_loop;
for (truncate_loop = 0; truncate_loop < 2;
truncate_loop++) {
int create_loop;
for (create_loop = 0; create_loop < 3;
create_loop++) {
int rw_loop;
for (rw_loop = 0; rw_loop < 4;
rw_loop++)
test(rw_loop, truncate_loop,
append_loop, create_loop);
}
}
}
}
fprintf(profile_fp, "255-CONFIG::file=disabled\n");
printf("Done\n");
clear_status();
return 0;
}
int main(int argc, char *argv[])
{
tomoyo_test_init();
fprintf(domain_fp, "%s /bin/true\n", self_domain);
fprintf(domain_fp, "use_profile 255\n");
fprintf(domain_fp, "select pid=%u\n", pid);
fprintf(profile_fp, "255-PREFERENCE::audit={ max_reject_log=1024 }\n");
stage_file_test();
fprintf(domain_fp, "use_profile 0\n");
clear_status();
return 0;
}
int main(int argc, char *argv[])
{
int i;
tomoyo_test_init();
for (i = 0; tests[i].do_test; i++) {
int trial;
for (trial = 0; trial < 2; trial++) {
int should_fail;
for (should_fail = 0; should_fail < 2; should_fail++) {
if (tests[i].do_setup)
tests[i].do_setup();
if (!should_fail)
write_domain_policy(tests[i].policy, 0);
set_profile(3, tests[i].name);
tests[i].do_test();
show_result(tests[i].policy, !should_fail);
set_profile(0, tests[i].name);
if (tests[i].do_cleanup)
tests[i].do_cleanup();
if (!should_fail)
write_domain_policy(tests[i].policy, 1);
}
}
}
for (i = 0; tests[i].do_test; i++) {
int mode;
for (mode = 0; mode < 4; mode++) {
if (tests[i].do_setup)
tests[i].do_setup();
set_profile(mode, tests[i].name);
tests[i].do_test();
show_result(tests[i].name, 1);
set_profile(0, tests[i].name);
if (tests[i].do_cleanup)
tests[i].do_cleanup();
}
}
fprintf(domain_fp, "delete %s\n", self_domain);
return 0;
}
int main(int argc, char *argv[])
{
tomoyo_test_init();
printf("***** Testing file hooks in enforce mode. *****\n");
create_files();
should_fail = 1;
set_file_enforce(1);
stage_file_test();
set_file_enforce(0);
clear_status();
creanup_files();
printf("***** Testing file hooks in permissive mode. *****\n");
should_fail = 0;
create_files();
set_file_enforce(0);
stage_file_test();
creanup_files();
clear_status();
return 0;
}
int main(int argc, char *argv[])
{
char c = 0;
tomoyo_test_init();
/* Test mount(). */
{
set_profile(3, "file::mount");
show_prompt("mount('dev\\011name', '/', 'fs\\011name') ", 1);
if (mount("dev\tname", "/", "fs\tname", 0, NULL) == EOF &&
errno == EPERM)
printf("OK: Permission denied.\n");
else if (errno == ENODEV)
printf("OK: No such device.\n");
else
printf("BUG: %s\n", strerror(errno));
set_profile(1, "file::mount");
show_prompt("mount('dev\\011name', '/', 'fs\\011name') ", 0);
if (mount("dev\tname", "/", "fs\tname", 0, NULL) == EOF &&
errno == ENOMEM)
printf("OK: Out of memory.\n");
else if (errno == ENODEV)
printf("OK: No such device.\n");
else
printf("BUG: %s\n", strerror(errno));
set_profile(3, "file::mount");
show_prompt("mount('dev\\011name', '/', 'fs\\011name') ", 0);
if (mount("dev\tname", "/", "fs\tname", 0, NULL) == EOF &&
errno == ENOMEM)
printf("OK: Out of memory.\n");
else if (errno == ENODEV)
printf("OK: No such device.\n");
else
printf("BUG: %s\n", strerror(errno));
fprintf(domain_fp, "delete allow_mount dev\\011name / "
"fs\\011name 0\n");
show_prompt("mount('dev\\011name', '/', 'fs\\011name') ", 1);
if (mount("dev\tname", "/", "fs\tname", 0, NULL) == EOF &&
errno == EPERM)
printf("OK: Permission denied.\n");
else if (errno == ENODEV)
printf("OK: No such device.\n");
else
printf("BUG: %s\n", strerror(errno));
set_profile(1, "file::mount");
show_prompt("mount(NULL, '/', 'tmpfs') ", 0);
if (mount(NULL, "/", "tmpfs", 0, NULL))
printf("BUG: %s\n", strerror(errno));
else
printf("OK: Success\n");
set_profile(3, "file::mount");
show_prompt("mount(NULL, '/', 'tmpfs') ", 0);
if (mount(NULL, "/", "tmpfs", 0, NULL))
printf("BUG: %s\n", strerror(errno));
else
printf("OK: Success\n");
show_prompt("mount('anydev', '/', 'tmpfs') ", 0);
if (mount("anydev", "/", "tmpfs", 0, NULL))
printf("BUG: %s\n", strerror(errno));
else
printf("OK: Success\n");
fprintf(domain_fp, "delete allow_mount <NULL> / tmpfs 0\n");
fprintf(domain_fp, "allow_mount anydev / tmpfs 0\n");
show_prompt("mount(NULL, '/', 'tmpfs') ", 0);
if (mount(NULL, "/", "tmpfs", 0, NULL))
printf("BUG: %s\n", strerror(errno));
else
printf("OK: Success\n");
fprintf(domain_fp, "delete allow_mount anydev / tmpfs 0\n");
set_profile(2, "file::mount");
show_prompt("mount(NULL, NULL, 'tmpfs') ", 1);
if (mount(NULL, NULL, "tmpfs", 0, NULL))
printf("OK: %s\n", strerror(errno));
else
printf("BUG: Did not fail.\n");
show_prompt("mount(NULL, NULL, NULL) ", 1);
if (mount(NULL, NULL, NULL, 0, NULL))
printf("OK: %s\n", strerror(errno));
else
printf("BUG: Did not fail.\n");
show_prompt("mount('/', NULL, NULL) ", 1);
if (mount("/", NULL, NULL, 0, NULL))
printf("OK: %s\n", strerror(errno));
else
printf("BUG: Did not fail.\n");
show_prompt("mount('/', NULL, 'tmpfs') ", 1);
if (mount("/", NULL, "tmpfs", 0, NULL))
printf("OK: %s\n", strerror(errno));
else
printf("BUG: Did not fail.\n");
show_prompt("mount('/', '/', 'nonexistentfs') ", 1);
if (mount("/", "/", "nonexistentfs", 0, NULL))
printf("OK: %s\n", strerror(errno));
else
printf("BUG: Did not fail.\n");
set_profile(0, "file::mount");
}
mkdir("/tmp/mount/", 0755);
mkdir("/tmp/mount_bind/", 0755);
mkdir("/tmp/mount_move/", 0755);
/* Test mount(). */
{
static char buf[4096];
char *dev_ram_path = canonicalize_file_name("/dev/ram0");
if (!dev_ram_path)
dev_ram_path = canonicalize_file_name("/dev/ram");
if (!dev_ram_path) {
dev_ram_path = "/dev/ram0";
mknod(dev_ram_path, S_IFBLK, MKDEV(1, 0));
}
memset(buf, 0, sizeof(buf));
{
struct stat sbuf;
FILE *fp = NULL;
snprintf(buf, sizeof(buf) - 1, "zcat - > %s",
dev_ram_path);
if (lstat(dev_ram_path, &sbuf) == 0 &&
S_ISBLK(sbuf.st_mode) && MAJOR(sbuf.st_rdev) == 1)
fp = popen(buf, "w");
if (fp) {
if (fwrite(compressed_ext2_image_sample, 1,
sizeof(compressed_ext2_image_sample), fp) !=
sizeof(compressed_ext2_image_sample))
err(1, "fwrite");
pclose(fp);
} else
fprintf(stderr, "Can't write to %s .\n",
dev_ram_path);
}
set_profile(3, "file::mount");
/* Test standard case */
show_prompt("mount('none', '/tmp/mount/', 'tmpfs') for "
"'/tmp/mount/'", 1);
if (mount("none", "/tmp/mount/", "tmpfs", 0, NULL) == EOF &&
errno == EPERM)
printf("OK: Permission denied.\n");
else
printf("BUG: %s\n", strerror(errno));
/* Test device_name with pattern */
snprintf(buf, sizeof(buf) - 1, "mount('%s', '/tmp/mount/', "
"'ext2') for '%s\\*'", dev_ram_path, dev_ram_path);
show_prompt(buf, 1);
if (mount(dev_ram_path, "/tmp/mount/", "ext2", MS_RDONLY, NULL)
== EOF && errno == EPERM)
printf("OK: Permission denied.\n");
else
printf("BUG: %s\n", strerror(errno));
/* Test dir_name with pattern */
show_prompt("mount('none', '/tmp/mount/', 'tmpfs') for "
"'/tmp/\\?\\?\\?\\?\\?/'", 1);
if (mount("none", "/tmp/mount/", "tmpfs", 0, NULL) == EOF &&
errno == EPERM)
printf("OK: Permission denied.\n");
else
printf("BUG: %s\n", strerror(errno));
/* Test standard case */
fprintf(domain_fp, "allow_mount none /tmp/mount/ tmpfs 0\n");
show_prompt("mount('none', '/tmp/mount/', 'tmpfs') for "
"'/tmp/mount/'", 0);
if (mount("none", "/tmp/mount/", "tmpfs", 0, NULL) == 0)
printf("OK\n");
else
printf("FAILED: %s\n", strerror(errno));
fprintf(domain_fp,
"delete allow_mount none /tmp/mount/ tmpfs 0\n");
/* Test device_name with pattern */
fprintf(domain_fp, "allow_mount %s\\* /tmp/mount/ ext2 1\n",
dev_ram_path);
snprintf(buf, sizeof(buf) - 1, "mount('%s', '/tmp/mount/', "
"'ext2') for '%s\\*'", dev_ram_path, dev_ram_path);
show_prompt(buf, 0);
if (mount(dev_ram_path, "/tmp/mount/", "ext2", MS_RDONLY, NULL)
== 0)
printf("OK\n");
else
printf("FAILED: %s\n", strerror(errno));
fprintf(domain_fp, "delete allow_mount %s\\* "
"/tmp/mount/ ext2 1\n", dev_ram_path);
/* Test dir_name with pattern */
fprintf(domain_fp,
"allow_mount none /tmp/\\?\\?\\?\\?\\?/ tmpfs 0\n");
show_prompt("mount('none', '/tmp/mount/', 'tmpfs') for "
"'/tmp/\\?\\?\\?\\?\\?/'", 0);
if (mount("none", "/tmp/mount/", "tmpfs", 0, NULL) == 0)
printf("OK\n");
else
printf("FAILED: %s\n", strerror(errno));
fprintf(domain_fp, "delete allow_mount none "
"/tmp/\\?\\?\\?\\?\\?/ tmpfs 0\n");
set_profile(0, "file::mount");
while (umount("/tmp/mount/") == 0)
c++; /* Dummy. */
}
/* Test mount(). */
{
mount2("none", "/tmp/mount/", "tmpfs");
set_profile(3, "file::mount");
/* Test remount case */
show_prompt("mount('/tmp/mount/', MS_REMOUNT)", 1);
if (mount("none", "/tmp/mount/", "tmpfs", MS_REMOUNT, NULL)
== EOF && errno == EPERM)
printf("OK: Permission denied.\n");
else
printf("BUG: %s\n", strerror(errno));
show_prompt("mount('/tmp/mount/', MS_REMOUNT)", 1);
if (mount(NULL, "/tmp/mount/", NULL, MS_REMOUNT, NULL) == EOF
&& errno == EPERM)
printf("OK: Permission denied.\n");
else
printf("BUG: %s\n", strerror(errno));
fprintf(domain_fp, "allow_mount something /tmp/mount/ "
"--remount 0\n");
show_prompt("mount('/tmp/mount/', MS_REMOUNT)", 0);
if (mount(NULL, "/tmp/mount/", NULL, MS_REMOUNT, NULL))
printf("BUG: %s\n", strerror(errno));
else
printf("OK: Success.\n");
fprintf(domain_fp, "delete allow_mount something /tmp/mount/ "
"--remount 0\n");
/* Test bind case */
show_prompt("mount('/tmp/mount/', '/tmp/mount_bind/', "
"MS_BIND)", 1);
if (mount("/tmp/mount/", "/tmp/mount_bind/", NULL, MS_BIND,
NULL) == EOF && errno == EPERM)
printf("OK: Permission denied.\n");
else
printf("BUG: %s\n", strerror(errno));
/* Test move case */
show_prompt("mount('/tmp/mount/', '/tmp/mount_move/', "
"MS_MOVE)", 1);
if (mount("/tmp/mount/", "/tmp/mount_move/", NULL, MS_MOVE,
NULL) == EOF && errno == EPERM)
printf("OK: Permission denied.\n");
else
printf("BUG: %s\n", strerror(errno));
/* Test remount case */
fprintf(domain_fp,
"allow_mount any /tmp/mount/ --remount 0\n");
show_prompt("mount('/tmp/mount/', MS_REMOUNT)", 0);
if (mount("none", "/tmp/mount/", "tmpfs", MS_REMOUNT, NULL)
== 0)
printf("OK\n");
else
printf("FAILED: %s\n", strerror(errno));
fprintf(domain_fp, "delete allow_mount any /tmp/mount/ "
"--remount 0\n");
/* Test bind case */
fprintf(domain_fp,
"allow_mount /tmp/mount/ /tmp/mount_bind/ --bind 0\n");
show_prompt("mount('/tmp/mount/', '/tmp/mount_bind', MS_BIND)",
0);
if (mount("/tmp/mount/", "/tmp/mount_bind/", NULL, MS_BIND,
NULL) == 0)
printf("OK\n");
else
printf("FAILED: %s\n", strerror(errno));
set_profile(0, "file::mount");
umount("/tmp/mount_bind/");
fprintf(domain_fp, "delete allow_mount /tmp/mount/ "
"/tmp/mount_bind/ --bind 0\n");
/* Test move case */
set_profile(3, "file::mount");
fprintf(domain_fp, "allow_unmount /tmp/mount/\n");
fprintf(domain_fp, "allow_mount /tmp/mount/ /tmp/mount_move/ "
"--move 0\n");
show_prompt("mount('/tmp/mount/', '/tmp/mount_move/', "
"MS_MOVE)", 0);
if (mount("/tmp/mount/", "/tmp/mount_move/", NULL, MS_MOVE,
NULL) == 0)
printf("OK\n");
else
printf("FAILED: %s\n", strerror(errno));
set_profile(0, "file::mount");
umount("/tmp/mount_move/");
fprintf(domain_fp, "delete allow_unmount /tmp/mount/\n");
fprintf(domain_fp, "delete allow_mount /tmp/mount/ "
"/tmp/mount_move/ --move 0\n");
while (umount("/tmp/mount/") == 0)
c++; /* Dummy. */
}
/* Test umount(). */
{
/* Test standard case */
fprintf(domain_fp, "allow_unmount /tmp/mount/\n");
set_profile(0, "file::umount");
mount2("none", "/tmp/mount/", "tmpfs");
set_profile(3, "file::umount");
show_prompt("umount('/tmp/mount/') for '/tmp/mount/'", 0);
if (umount("/tmp/mount/") == 0)
printf("OK\n");
else
printf("BUG: %s\n", strerror(errno));
fprintf(domain_fp, "delete allow_unmount /tmp/mount/\n");
set_profile(0, "file::umount");
mount2("none", "/tmp/mount/", "tmpfs");
set_profile(3, "file::umount");
show_prompt("umount('/tmp/mount/') for '/tmp/mount/'", 1);
if (umount("/tmp/mount/") == EOF && errno == EPERM)
printf("OK: Permission denied.\n");
else
printf("FAILED: %s\n", strerror(errno));
/* Test pattern */
fprintf(domain_fp, "allow_unmount /tmp/\\?\\?\\?\\?\\?/\n");
set_profile(0, "file::umount");
mount2("none", "/tmp/mount/", "tmpfs");
set_profile(3, "file::umount");
show_prompt("umount('/tmp/mount/') for "
"'/tmp/\\?\\?\\?\\?\\?/'", 1);
if (umount("/tmp/mount/") == 0)
printf("OK\n");
else
printf("BUG: %s\n", strerror(errno));
fprintf(domain_fp,
"delete allow_unmount /tmp/\\?\\?\\?\\?\\?/\n");
set_profile(0, "file::umount");
while (umount("/tmp/mount/") == 0)
c++; /* Dummy. */
}
/* Test chroot(). */
{
set_profile(3, "file::chroot");
/* Test standard case */
fprintf(domain_fp, "allow_chroot /tmp/mount/\n");
show_prompt("chroot('/tmp/mount/') for '/tmp/mount/'", 0);
fflush(stdout);
if (fork() == 0) {
if (chroot("/tmp/mount/") == 0)
printf("OK\n");
else
printf("FAILED: %s\n", strerror(errno));
fflush(stdout);
_exit(0);
}
wait(NULL);
fprintf(domain_fp, "delete allow_chroot /tmp/mount/\n");
show_prompt("chroot('/tmp/mount/') for '/tmp/mount/'", 1);
fflush(stdout);
if (fork() == 0) {
if (chroot("/tmp/mount/") == EOF && errno == EPERM)
printf("OK: Permission denied.\n");
else
printf("BUG: %s\n", strerror(errno));
fflush(stdout);
_exit(0);
}
wait(NULL);
/* Test pattern */
fprintf(domain_fp, "allow_chroot /tmp/\\?\\?\\?\\?\\?/\n");
show_prompt("chroot('/tmp/mount/') for "
"'/tmp/\\?\\?\\?\\?\\?/'", 0);
fflush(stdout);
if (fork() == 0) {
if (chroot("/tmp/mount/") == 0)
printf("OK\n");
else
printf("FAILED: %s\n", strerror(errno));
fflush(stdout);
_exit(0);
}
wait(NULL);
fprintf(domain_fp,
"delete allow_chroot /tmp/\\?\\?\\?\\?\\?/\n");
set_profile(0, "file::chroot");
}
/* Test pivot_root(). */
{
int error;
static char stack[8192];
set_profile(3, "file::pivot_root");
fprintf(domain_fp, "allow_pivot_root %s %s\n",
pivot_root_dir, proc_policy_dir);
snprintf(stack, 8191, "pivot_root('%s', '%s')", pivot_root_dir,
proc_policy_dir);
show_prompt(stack, 0);
{
const pid_t pid = ltp_clone_quick(CLONE_NEWNS, child,
NULL);
while (waitpid(pid, &error, __WALL) == EOF &&
errno == EINTR)
c++; /* Dummy. */
}
errno = WIFEXITED(error) ? WEXITSTATUS(error) : -1;
if (errno == 0)
printf("OK\n");
else
printf("FAILED: %s\n", strerror(errno));
fprintf(domain_fp, "delete allow_pivot_root %s %s\n",
pivot_root_dir, proc_policy_dir);
snprintf(stack, 8191, "pivot_root('%s', '%s')", pivot_root_dir,
proc_policy_dir);
show_prompt(stack, 1);
{
const pid_t pid = ltp_clone_quick(CLONE_NEWNS, child,
NULL);
while (waitpid(pid, &error, __WALL) == EOF &&
errno == EINTR)
c++; /* Dummy. */
}
errno = WIFEXITED(error) ? WEXITSTATUS(error) : -1;
if (errno == EPERM)
printf("OK: Permission denied.\n");
else
printf("BUG: %s\n", strerror(errno));
set_profile(2, "file::pivot_root");
snprintf(stack, 8191, "pivot_root('%s', '%s')", pivot_root_dir,
proc_policy_dir);
show_prompt(stack, 0);
{
const pid_t pid = ltp_clone_quick(CLONE_NEWNS, child,
NULL);
while (waitpid(pid, &error, __WALL) == EOF &&
errno == EINTR)
c++; /* Dummy. */
}
errno = WIFEXITED(error) ? WEXITSTATUS(error) : -1;
if (errno == 0)
printf("OK\n");
else
printf("FAILED: %s\n", strerror(errno));
set_profile(0, "file::pivot_root");
}
rmdir("/tmp/mount_move/");
rmdir("/tmp/mount_bind/");
rmdir("/tmp/mount/");
clear_status();
return 0;
}
