[PATCH 2/4] checkpolicy/tests: add test for splitting xperm rule

From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

An extended permission rule statement might get split into multiple
access vector rules, due to size limitations.

Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
 checkpolicy/tests/policy_allonce.conf              | 2 +-
 checkpolicy/tests/policy_allonce.expected.conf     | 4 +++-
 checkpolicy/tests/policy_allonce.expected_opt.conf | 4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/checkpolicy/tests/policy_allonce.conf b/checkpolicy/tests/policy_allonce.conf
index 34e6402d..54a4c811 100644
--- a/checkpolicy/tests/policy_allonce.conf
+++ b/checkpolicy/tests/policy_allonce.conf
@@ -36,7 +36,7 @@ allow TYPE1 self : CLASS1 { PERM1 };
 auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
 dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
 neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
-allowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x1;
+allowxperm TYPE1 TYPE2 : CLASS1 ioctl { 0x456-0x5678 };
 auditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2;
 dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
 neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;
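
Review bot: The `allowxperm` line is replaced rather than supplemented, so the single-value `allowxperm ... ioctl 0x1` input is no longer exercised by this file; only the auditallowxperm, dontauditxperm and neverallowxperm lines below it still use a single value. Is losing that case intended? Either way, a short comment above the new `{ 0x456-0x5678 }` rule saying the range is chosen to force a split would keep a later editor from shrinking it back.
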
diff --git a/checkpolicy/tests/policy_allonce.expected.conf b/checkpolicy/tests/policy_allonce.expected.conf
index 63739e1f..aff6bfa3 100644
--- a/checkpolicy/tests/policy_allonce.expected.conf
+++ b/checkpolicy/tests/policy_allonce.expected.conf
@@ -34,7 +34,9 @@ auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
 auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
 dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
 dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
-allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x456-0x4ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x500-0x55ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x5600-0x5678 };
 auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
 dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
 type_transition TYPE1 TYPE2:CLASS1 TYPE3;
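
Review bot: The expected rules break at 0x4ff/0x500 and 0x55ff/0x5600, but nothing in the commit message or the test says why those are the boundaries; "due to size limitations" does not let a reader tell whether this is the intended split or just the current output. Please name the limit that produces these boundaries in the commit message. Also, only allowxperm gets a range here: the auditallowxperm and dontauditxperm context lines stay at `{ 0x2 }` and `{ 0x3 }`, so splitting for those rule kinds is not covered.
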
diff --git a/checkpolicy/tests/policy_allonce.expected_opt.conf b/checkpolicy/tests/policy_allonce.expected_opt.conf
index 1c969961..335486d1 100644
--- a/checkpolicy/tests/policy_allonce.expected_opt.conf
+++ b/checkpolicy/tests/policy_allonce.expected_opt.conf
@@ -34,7 +34,9 @@ auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
 auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
 dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
 dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
-allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x456-0x4ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x500-0x55ff };
+allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x5600-0x5678 };
 auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
 dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
 type_transition TYPE1 TYPE2:CLASS1 TYPE3;
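
Review bot: The three added lines are identical to the ones in policy_allonce.expected.conf, which means this file now pins that the expected_opt output keeps the split rules separate. If that is the intended behaviour, say so in the commit message, so that a later change which alters these three lines is recognised as a behaviour change and not a test fix-up.
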
-- 
2.43.0




