Add an intermediate domain which is entered first to avoid the need to reference the calling domain in the policy. Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> --- policy/test_nnp_nosuid.te | 26 +++++++++++++--------- tests/nnp_nosuid/test | 45 +++++++++++++++++++++++---------------- 2 files changed, 43 insertions(+), 28 deletions(-) diff --git a/policy/test_nnp_nosuid.te b/policy/test_nnp_nosuid.te index ad5f742..8d5a1c6 100644 --- a/policy/test_nnp_nosuid.te +++ b/policy/test_nnp_nosuid.te @@ -3,19 +3,25 @@ # Policy for testing NO_NEW_PRIVS and nosuid transitions. # +# An intermediate domain to avoid referencing the caller domain. +type test_intermediate_t; +testsuite_domain_type(test_intermediate_t) +# executes runcon +corecmd_exec_bin(test_intermediate_t) + # A domain bounded by the unconfined domain. type test_bounded_t; testsuite_domain_type(test_bounded_t) -typebounds unconfined_t test_bounded_t; +typebounds test_intermediate_t test_bounded_t; # The entrypoint type for this domain. type test_bounded_exec_t; files_type(test_bounded_exec_t) domain_entry_file(test_bounded_t, test_bounded_exec_t) -domain_entry_file(unconfined_t, test_bounded_exec_t) +domain_entry_file(test_intermediate_t, test_bounded_exec_t) # Run it! This should succeed on v3.18 or later, fail on older kernels. -unconfined_run_to(test_bounded_t, test_bounded_exec_t) +domtrans_pattern(test_intermediate_t, test_bounded_exec_t, test_bounded_t) # A domain that is not bounded by the unconfined domain. type test_notbounded_t; @@ -27,7 +33,7 @@ files_type(test_notbounded_exec_t) domain_entry_file(test_notbounded_t, test_notbounded_exec_t) # Run it! This should fail always. -unconfined_run_to(test_notbounded_t, test_notbounded_exec_t) +domtrans_pattern(test_intermediate_t, test_notbounded_exec_t, test_notbounded_t) # A domain to which the unconfined domain is allowed nnp_transition. type test_nnptransition_t; 
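Review bot: The context comment `# A domain bounded by the unconfined domain.` in the first hunk of policy/test_nnp_nosuid.te is now wrong, because the line under it becomes `typebounds test_intermediate_t test_bounded_t;`. The same stale "the unconfined domain" wording sits above the notbounded, nnptransition, nosuidtransition and nnpnosuidtransition sections in the following hunks. I would reword each to name the new parent, e.g. `# A domain bounded by test_intermediate_t.`. It would also help to say why the parent keeps its own entrypoint rule, e.g. `# The bounding parent needs entrypoint too, or the bounds check masks it from test_bounded_t.` above `domain_entry_file(test_intermediate_t, test_bounded_exec_t)`. That intent is inferred from typebounds semantics, so confirm it before adding the comment.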
@@ -39,9 +45,9 @@ files_type(test_nnptransition_exec_t) domain_entry_file(test_nnptransition_t, test_nnptransition_exec_t) # Run it! This should succeed on v4.14 or later. -unconfined_run_to(test_nnptransition_t, test_nnptransition_exec_t) +domtrans_pattern(test_intermediate_t, test_nnptransition_exec_t, test_nnptransition_t) ifdef(`nnp_nosuid_transition_permission_defined', ` -allow unconfined_t test_nnptransition_t:process2 nnp_transition; +allow test_intermediate_t test_nnptransition_t:process2 nnp_transition; ') # A domain to which the unconfined domain is allowed nosuid_transition. @@ -54,9 +60,9 @@ files_type(test_nosuidtransition_exec_t) domain_entry_file(test_nosuidtransition_t, test_nosuidtransition_exec_t) # Run it! This should succeed on v4.14 or later. -unconfined_run_to(test_nosuidtransition_t, test_nosuidtransition_exec_t) +domtrans_pattern(test_intermediate_t, test_nosuidtransition_exec_t, test_nosuidtransition_t) ifdef(`nnp_nosuid_transition_permission_defined', ` -allow unconfined_t test_nosuidtransition_t:process2 nosuid_transition; +allow test_intermediate_t test_nosuidtransition_t:process2 nosuid_transition; ') # A domain to which the unconfined domain is allowed both nosuid_transition and nnp_transition. @@ -69,7 +75,7 @@ files_type(test_nosuidtransition_exec_t) domain_entry_file(test_nnpnosuidtransition_t, test_nnpnosuidtransition_exec_t) # Run it! This should succeed on v4.14 or later. -unconfined_run_to(test_nnpnosuidtransition_t, test_nnpnosuidtransition_exec_t) +domtrans_pattern(test_intermediate_t, test_nnpnosuidtransition_exec_t, test_nnpnosuidtransition_t) ifdef(`nnp_nosuid_transition_permission_defined', ` -allow unconfined_t test_nnpnosuidtransition_t:process2 { nnp_transition nosuid_transition }; +allow test_intermediate_t test_nnpnosuidtransition_t:process2 { nnp_transition nosuid_transition }; ') diff --git a/tests/nnp_nosuid/test b/tests/nnp_nosuid/test index 4e13927..bebe575 100755 --- a/tests/nnp_nosuid/test 
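Review bot: The header of the last policy hunk (`@@ -69,7 +75,7 @@`) shows `files_type(test_nosuidtransition_exec_t)` as the nearest declaration before `domain_entry_file(test_nnpnosuidtransition_t, test_nnpnosuidtransition_exec_t)`, which looks like a copy-paste slip that this patch leaves in place. If that line belongs to the nnpnosuidtransition section, it should read `files_type(test_nnpnosuidtransition_exec_t)`. The line is outside the hunk, so this is inferred from the hunk header alone. It may be harmless if domain_entry_file already marks the type as a file type, but the declaration should still name the type it is meant for.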
+++ b/tests/nnp_nosuid/test @@ -31,31 +31,36 @@ system("chcon -t test_bounded_exec_t $basedir/checkcon"); # Create nosuid mount. system("mkdir -p $basedir/testdir"); system("mount -t tmpfs -o nosuid none $basedir/testdir"); +system("chcon -t test_file_t $basedir/testdir"); # Set entrypoint type for bounded domain under nosuid. system("cp $basedir/checkcon $basedir/testdir"); system("chcon -t test_bounded_exec_t $basedir/testdir/checkcon"); +# Run everything from test_intermediate_t (to simplify the policy) +$run = "runcon -t test_intermediate_t --"; + # Transition under NNP to bounded type via setexec. $result = system( -"$basedir/execnnp -n -- runcon -t test_bounded_t $basedir/checkcon test_bounded_t 2>&1" +"$run $basedir/execnnp -n -- runcon -t test_bounded_t $basedir/checkcon test_bounded_t 2>&1" ); ok( $result, 0 ); #this should pass # Transition on nosuid to bounded type via setexec. $result = system( -"$basedir/execnnp -- runcon -t test_bounded_t $basedir/testdir/checkcon test_bounded_t 2>&1" +"$run $basedir/execnnp -- runcon -t test_bounded_t $basedir/testdir/checkcon test_bounded_t 2>&1" ); ok( $result, 0 ); #this should pass # Automatic transition under NNP to bounded domain via exec. $result = - system("$basedir/execnnp -n -- $basedir/checkcon test_bounded_t 2>&1"); + system("$run $basedir/execnnp -n -- $basedir/checkcon test_bounded_t 2>&1"); ok( $result, 0 ); #this should pass # Automatic transition on nosuid to bounded domain via exec. $result = - system("$basedir/execnnp -- $basedir/testdir/checkcon test_bounded_t 2>&1"); + system( + "$run $basedir/execnnp -- $basedir/testdir/checkcon test_bounded_t 2>&1"); ok( $result, 0 ); #this should pass # Use true as an entrypoint program to test ability to exec at all. 
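Review bot: The added `system("chcon -t test_file_t $basedir/testdir");` ignores its exit status, so a failed relabel of the tmpfs root goes unnoticed and the nosuid cases run against a directory that test_intermediate_t presumably cannot traverse. The "should pass" cases would then fail for an unrelated reason, and the "should fail" cases further down would pass without exercising the nosuid check. Consider `system("chcon -t test_file_t $basedir/testdir") == 0 or die "cannot relabel $basedir/testdir";` plus a comment such as `# Relabel the tmpfs root so the confined test domains can reach the files in it.`. The reason for the relabel is inferred, since the access rules for test_file_t are not part of this diff.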
@@ -71,25 +76,28 @@ system( # Transition under NNP to notbounded domain via setexec. $result = system( - "$basedir/execnnp -n -- runcon -t test_notbounded_t $basedir/true 2>&1"); + "$run $basedir/execnnp -n -- runcon -t test_notbounded_t $basedir/true 2>&1" + ); ok($result); #this should fail # Transition on nosuid to notbounded domain via setexec. $result = system( - "$basedir/execnnp -- runcon -t test_notbounded_t $basedir/testdir/true 2>&1" +"$run $basedir/execnnp -- runcon -t test_notbounded_t $basedir/testdir/true 2>&1" ); ok($result); #this should fail # Automatic transition under NNP to notbounded domain via exec. $result = - system("$basedir/execnnp -n -- $basedir/checkcon test_notbounded_t 2>&1"); + system( + "$run $basedir/execnnp -n -- $basedir/checkcon test_notbounded_t 2>&1"); ok($result); #this should fail # Automatic transition on nosuid to notbounded domain via exec. $result = system( - "$basedir/execnnp -- $basedir/testdir/checkcon test_notbounded_t 2>&1"); + "$run $basedir/execnnp -- $basedir/testdir/checkcon test_notbounded_t 2>&1" + ); ok($result); #this should fail if ($test_nnp_nosuid_transition) { 
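Review bot: The four notbounded cases in this hunk still assert only `ok($result)`, which accepts any non-zero status, and with the `$run` prefix each command now starts in the confined test_intermediate_t rather than in the caller's domain. A missing allow rule for test_intermediate_t, or a failure of the outer runcon, would satisfy these assertions just as well as the NNP/nosuid denial they are meant to prove. The same applies to the "this should fail" cases in the nnptransition and nosuidtransition hunks below. A comment would make the dependency explicit, e.g. `# Non-zero is only meaningful because the bounded cases above succeeded through the same $run prefix.`. Asserting a specific exit status would be stronger if execnnp, runcon or checkcon expose one, which is not visible here.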
@@ -104,27 +112,28 @@ if ($test_nnp_nosuid_transition) { # Transition under NNP to nnptransition domain via setexec. $result = system( -"$basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/true 2>&1" +"$run $basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/true 2>&1" ); ok( $result, 0 ); #this should succeed # Transition under NNP+nosuid to nnptransition domain via setexec. $result = system( -"$basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/testdir/true 2>&1" +"$run $basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/testdir/true 2>&1" ); ok($result); #this should fail # Automatic transition under NNP to nnptransition domain via exec. $result = system( - "$basedir/execnnp -n -- $basedir/checkcon test_nnptransition_t 2>&1"); +"$run $basedir/execnnp -n -- $basedir/checkcon test_nnptransition_t 2>&1" + ); ok( $result, 0 ); #this should succeed # Automatic transition under NNP+nosuid to nnptransition domain via exec. $result = system( -"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nnptransition_t 2>&1" +"$run $basedir/execnnp -n -- $basedir/testdir/checkcon test_nnptransition_t 2>&1" ); ok($result); #this should fail 
@@ -136,28 +145,28 @@ if ($test_nnp_nosuid_transition) { # Transition under nosuid to nosuidtransition domain via setexec. $result = system( -"$basedir/execnnp -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1" +"$run $basedir/execnnp -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1" ); ok( $result, 0 ); #this should succeed # Transition under NNP+nosuid to nosuidtransition domain via setexec. $result = system( -"$basedir/execnnp -n -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1" +"$run $basedir/execnnp -n -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1" ); ok($result); #this should fail # Automatic transition under nosuid to nosuidtransition domain via exec. $result = system( -"$basedir/execnnp -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1" +"$run $basedir/execnnp -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1" ); ok( $result, 0 ); #this should succeed # Automatic transition under NNP+nosuid to nosuidtransition domain via exec. $result = system( -"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1" +"$run $basedir/execnnp -n -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1" ); ok($result); #this should fail @@ -169,14 +178,14 @@ if ($test_nnp_nosuid_transition) { # Transition under NNP+nosuid to nnpnosuidtransition domain via setexec. $result = system( -"$basedir/execnnp -n -- runcon -t test_nnpnosuidtransition_t $basedir/testdir/true 2>&1" +"$run $basedir/execnnp -n -- runcon -t test_nnpnosuidtransition_t $basedir/testdir/true 2>&1" ); ok( $result, 0 ); #this should succeed # Automatic transition under NNP+nosuid to nnpnosuidtransition domain via exec. $result = system( -"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nnpnosuidtransition_t 2>&1" +"$run $basedir/execnnp -n -- $basedir/testdir/checkcon test_nnpnosuidtransition_t 2>&1" ); ok( $result, 0 ); #this should succeed } -- 2.37.1