diff --git a/tests/regression/subdomain/link_subset.c b/tests/regression/subdomain/link_subset.c index bcf978223..ba78f2bd9 100644 --- a/tests/regression/subdomain/link_subset.c +++ b/tests/regression/subdomain/link_subset.c @@ -27,24 +27,27 @@ #define AA_MAY_LOCK 0x0020 #define AA_MAY_MOUNT 0x0040 #define AA_EXEC_MMAP 0x0080 + #define AA_EXEC_UNSAFE 0x0100 +#define AA_EXEC_INHERIT 0x0200 -#define AA_EXEC_MOD_0 0x0200 -#define AA_EXEC_MOD_1 0x0400 -#define AA_EXEC_MOD_2 0x0800 +#define AA_EXEC_MOD_0 0x0400 +#define AA_EXEC_MOD_1 0x0800 +#define AA_EXEC_MOD_2 0x1000 +#define AA_EXEC_MOD_3 0x2000 -#define AA_EXEC_MODIFIERS (AA_EXEC_MOD_0 | \ - AA_EXEC_MOD_1 | \ - AA_EXEC_MOD_2) +#define AA_EXEC_MODIFIERS (AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \ + AA_EXEC_MOD_2 | AA_EXEC_MOD_3) -#define AA_EXEC_BITS (AA_MAY_EXEC | AA_EXEC_MODIFIERS | AA_EXEC_UNSAFE) + +#define AA_EXEC_TYPE (AA_MAY_EXEC | AA_EXEC_UNSAFE | AA_EXEC_INHERIT | \ + AA_EXEC_MODIFIERS) #define AA_EXEC_UNCONFINED AA_EXEC_MOD_0 -#define AA_EXEC_INHERIT AA_EXEC_MOD_1 -#define AA_EXEC_PROFILE (AA_EXEC_MOD_0 | AA_EXEC_MOD_1) -#define AA_EXEC_PIX AA_EXEC_MOD_2 +#define AA_EXEC_PROFILE AA_EXEC_MOD_1 +#define AA_EXEC_LOCAL (AA_EXEC_MOD_0 | AA_EXEC_MOD_1) -#define MAX_PERM (AA_EXEC_MOD_2 << 1) +#define MAX_PERM (AA_EXEC_MOD_2) #define MAX_PERM_LEN 10 @@ -66,9 +69,9 @@ int valid_link_perm_subset(int tperm, int lperm) return 1; /* ix implies mix */ - if ((lperm & AA_EXEC_MODIFIERS) == AA_EXEC_INHERIT) + if (lperm & AA_EXEC_INHERIT) lperm |= AA_EXEC_MMAP; - if ((tperm & AA_EXEC_MODIFIERS) == AA_EXEC_INHERIT) + if (tperm & AA_EXEC_INHERIT) tperm |= AA_EXEC_MMAP; /* w implies a */ @@ -83,11 +86,11 @@ int valid_link_perm_subset(int tperm, int lperm) // tperm |= AA_EXEC_UNSAFE; /* treat safe exec as subset of unsafe exec */ -// if (!(lperm & AA_EXEC_UNSAFE)) -// lperm |= AA_EXEC_UNSAFE & tperm; + if (!(lperm & AA_EXEC_UNSAFE)) + lperm |= AA_EXEC_UNSAFE & tperm; /* check that exec mode, if present, matches */ - if ((lperm & AA_MAY_EXEC) && ((lperm & AA_EXEC_BITS) != (tperm & AA_EXEC_BITS))) + if ((lperm & AA_MAY_EXEC) && ((lperm & AA_EXEC_TYPE) != (tperm & AA_EXEC_TYPE))) return 0; return !(lperm & ~tperm); @@ -111,33 +114,32 @@ void permstring(char *buffer, int mask) case AA_EXEC_UNCONFINED: *b++ = 'u'; break; - case AA_EXEC_PIX: - *b++ = 'p'; - /* fall through */ - case AA_EXEC_INHERIT: - *b++ = 'i'; - break; case AA_EXEC_PROFILE: *b++ = 'p'; break; + case AA_EXEC_LOCAL: + *b++ = 'c'; + break; + default: + *b++ = 'y'; } } else { switch(mask & AA_EXEC_MODIFIERS) { case AA_EXEC_UNCONFINED: *b++ = 'U'; break; - case AA_EXEC_PIX: - *b++ = 'P'; - *b++ = 'i'; - break; - case AA_EXEC_INHERIT: - *b++ = 'I'; - break; case AA_EXEC_PROFILE: *b++ = 'P'; break; + case AA_EXEC_LOCAL: + *b++ = 'C'; + break; + default: + *b++ = 'Y'; } } + if (mask & AA_EXEC_INHERIT) + *b++ = 'i'; *b++ = 'x'; } if (mask & AA_MAY_LINK) @@ -156,19 +158,22 @@ void build_filename(const char *name, int perm, char *buffer) } int is_valid_perm_set(int perm) { - if (AA_EXEC_BITS & perm) { + if (AA_EXEC_TYPE & perm) { /* exec mods need the perm bit set */ if (!(perm & AA_MAY_EXEC)) return 0; - if (!(perm & AA_EXEC_MODIFIERS)) + + /* unconfined can't inherit */ + if (((perm & AA_EXEC_MODIFIERS) == AA_EXEC_UNCONFINED) && + (perm & AA_EXEC_INHERIT)) return 0; /* no such thing as an unsafe ix */ - if ((perm & AA_EXEC_MODIFIERS) == AA_EXEC_INHERIT && (perm & AA_EXEC_UNSAFE)) + if ((perm & AA_EXEC_MODIFIERS) == 0 && (perm & AA_EXEC_INHERIT) && (perm & AA_EXEC_UNSAFE)) return 0; /* check exec_modifiers in range */ - if (!((perm & AA_EXEC_MODIFIERS) > 0 && (perm & AA_EXEC_MODIFIERS) < AA_EXEC_PIX +1)) + if (!((perm & AA_EXEC_MODIFIERS) > 0 && (perm & AA_EXEC_MODIFIERS) < AA_EXEC_MOD_2)) return 0; } /* only 1 of append or write should be set */