|
|
|
|
@ -1,623 +1,320 @@
|
|
|
|
|
diff --git a/checkpolicy/.gitignore b/checkpolicy/.gitignore
|
|
|
|
|
new file mode 100644
|
|
|
|
|
index 0000000..a7bd076
|
|
|
|
|
--- /dev/null
|
|
|
|
|
+++ b/checkpolicy/.gitignore
|
|
|
|
|
@@ -0,0 +1,5 @@
|
|
|
|
|
+checkmodule
|
|
|
|
|
+checkpolicy
|
|
|
|
|
+lex.yy.c
|
|
|
|
|
+y.tab.c
|
|
|
|
|
+y.tab.h
|
|
|
|
|
diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
|
|
|
|
|
index d6ebd78..0946ff6 100644
|
|
|
|
|
--- a/checkpolicy/module_compiler.c
|
|
|
|
|
+++ b/checkpolicy/module_compiler.c
|
|
|
|
|
@@ -1313,6 +1313,18 @@ void append_role_allow(role_allow_rule_t * role_allow_rules)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* this doesn't actually append, but really prepends it */
|
|
|
|
|
+void append_filename_trans(filename_trans_rule_t * filename_trans_rules)
|
|
|
|
|
+{
|
|
|
|
|
+ avrule_decl_t *decl = stack_top->decl;
|
|
|
|
|
+
|
|
|
|
|
+ /* filename transitions are not allowed within conditionals */
|
|
|
|
|
+ assert(stack_top->type == 1);
|
|
|
|
|
+
|
|
|
|
|
+ filename_trans_rules->next = decl->filename_trans_rules;
|
|
|
|
|
+ decl->filename_trans_rules = filename_trans_rules;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
+/* this doesn't actually append, but really prepends it */
|
|
|
|
|
void append_range_trans(range_trans_rule_t * range_tr_rules)
|
|
|
|
|
{
|
|
|
|
|
avrule_decl_t *decl = stack_top->decl;
|
|
|
|
|
diff --git a/checkpolicy/module_compiler.h b/checkpolicy/module_compiler.h
|
|
|
|
|
index fa91400..ae33753 100644
|
|
|
|
|
--- a/checkpolicy/module_compiler.h
|
|
|
|
|
+++ b/checkpolicy/module_compiler.h
|
|
|
|
|
@@ -80,6 +80,7 @@ void append_avrule(avrule_t * avrule);
|
|
|
|
|
void append_role_trans(role_trans_rule_t * role_tr_rules);
|
|
|
|
|
void append_role_allow(role_allow_rule_t * role_allow_rules);
|
|
|
|
|
void append_range_trans(range_trans_rule_t * range_tr_rules);
|
|
|
|
|
+void append_filename_trans(filename_trans_rule_t * filename_trans_rules);
|
|
|
|
|
|
|
|
|
|
/* Create a new optional block and add it to the global policy.
|
|
|
|
|
* During the second pass resolve the block's requirements. Return 0
|
|
|
|
|
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
|
|
|
|
|
index 5e99b30..f75a682 100644
|
|
|
|
|
--- a/checkpolicy/policy_define.c
|
|
|
|
|
+++ b/checkpolicy/policy_define.c
|
|
|
|
|
@@ -2241,6 +2241,190 @@ int define_role_allow(void)
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
+avrule_t *define_cond_filename_trans(void)
|
|
|
|
|
+{
|
|
|
|
|
+ yyerror("type transitions with a filename not allowed inside "
|
|
|
|
|
+ "conditionals\n");
|
|
|
|
|
+ return COND_ERR;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
+int define_filename_trans(void)
|
|
|
|
|
+{
|
|
|
|
|
+ char *id, *name = NULL;
|
|
|
|
|
+ type_set_t stypes, ttypes;
|
|
|
|
|
+ ebitmap_t e_stypes, e_ttypes;
|
|
|
|
|
+ ebitmap_t e_tclasses;
|
|
|
|
|
+ ebitmap_node_t *snode, *tnode, *cnode;
|
|
|
|
|
+ filename_trans_t *ft;
|
|
|
|
|
+ filename_trans_rule_t *ftr;
|
|
|
|
|
+ class_datum_t *cladatum;
|
|
|
|
|
+ type_datum_t *typdatum;
|
|
|
|
|
+ uint32_t otype;
|
|
|
|
|
+ unsigned int c, s, t;
|
|
|
|
|
+ int add;
|
|
|
|
|
+
|
|
|
|
|
+ if (pass == 1) {
|
|
|
|
|
+ /* stype */
|
|
|
|
|
+ while ((id = queue_remove(id_queue)))
|
|
|
|
|
+ free(id);
|
|
|
|
|
+ /* ttype */
|
|
|
|
|
+ while ((id = queue_remove(id_queue)))
|
|
|
|
|
+ free(id);
|
|
|
|
|
+ /* tclass */
|
|
|
|
|
+ while ((id = queue_remove(id_queue)))
|
|
|
|
|
+ free(id);
|
|
|
|
|
+ /* otype */
|
|
|
|
|
+ id = queue_remove(id_queue);
|
|
|
|
|
+ free(id);
|
|
|
|
|
+ /* name */
|
|
|
|
|
+ id = queue_remove(id_queue);
|
|
|
|
|
+ free(id);
|
|
|
|
|
+ return 0;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+
|
|
|
|
|
+ add = 1;
|
|
|
|
|
+ type_set_init(&stypes);
|
|
|
|
|
+ while ((id = queue_remove(id_queue))) {
|
|
|
|
|
+ if (set_types(&stypes, id, &add, 0))
|
|
|
|
|
+ goto bad;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ add =1;
|
|
|
|
|
+ type_set_init(&ttypes);
|
|
|
|
|
+ while ((id = queue_remove(id_queue))) {
|
|
|
|
|
+ if (set_types(&ttypes, id, &add, 0))
|
|
|
|
|
+ goto bad;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ ebitmap_init(&e_tclasses);
|
|
|
|
|
+ while ((id = queue_remove(id_queue))) {
|
|
|
|
|
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
|
|
|
|
|
+ yyerror2("class %s is not within scope", id);
|
|
|
|
|
+ free(id);
|
|
|
|
|
+ goto bad;
|
|
|
|
|
+ }
|
|
|
|
|
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
|
|
|
|
|
+ if (!cladatum) {
|
|
|
|
|
+ yyerror2("unknown class %s", id);
|
|
|
|
|
+ goto bad;
|
|
|
|
|
+ }
|
|
|
|
|
+ if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) {
|
|
|
|
|
+ yyerror("Out of memory");
|
|
|
|
|
+ goto bad;
|
|
|
|
|
+ }
|
|
|
|
|
+ free(id);
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ id = (char *)queue_remove(id_queue);
|
|
|
|
|
+ if (!id) {
|
|
|
|
|
+ yyerror("no otype in transition definition?");
|
|
|
|
|
+ goto bad;
|
|
|
|
|
+ }
|
|
|
|
|
+ if (!is_id_in_scope(SYM_TYPES, id)) {
|
|
|
|
|
+ yyerror2("type %s is not within scope", id);
|
|
|
|
|
+ free(id);
|
|
|
|
|
+ goto bad;
|
|
|
|
|
+ }
|
|
|
|
|
+ typdatum = hashtab_search(policydbp->p_types.table, id);
|
|
|
|
|
+ if (!typdatum) {
|
|
|
|
|
+ yyerror2("unknown type %s used in transition definition", id);
|
|
|
|
|
+ goto bad;
|
|
|
|
|
+ }
|
|
|
|
|
+ free(id);
|
|
|
|
|
+ otype = typdatum->s.value;
|
|
|
|
|
+
|
|
|
|
|
+ name = queue_remove(id_queue);
|
|
|
|
|
+ if (!name) {
|
|
|
|
|
+ yyerror("no pathname specified in filename_trans definition?");
|
|
|
|
|
+ goto bad;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ /* We expand the class set into seperate rules. We expand the types
|
|
|
|
|
+ * just to make sure there are not duplicates. They will get turned
|
|
|
|
|
+ * into seperate rules later */
|
|
|
|
|
+ ebitmap_init(&e_stypes);
|
|
|
|
|
+ if (type_set_expand(&stypes, &e_stypes, policydbp, 1))
|
|
|
|
|
+ goto bad;
|
|
|
|
|
+
|
|
|
|
|
+ ebitmap_init(&e_ttypes);
|
|
|
|
|
+ if (type_set_expand(&ttypes, &e_ttypes, policydbp, 1))
|
|
|
|
|
+ goto bad;
|
|
|
|
|
+
|
|
|
|
|
+ ebitmap_for_each_bit(&e_tclasses, cnode, c) {
|
|
|
|
|
+ if (!ebitmap_node_get_bit(cnode, c))
|
|
|
|
|
+ continue;
|
|
|
|
|
+ ebitmap_for_each_bit(&e_stypes, snode, s) {
|
|
|
|
|
+ if (!ebitmap_node_get_bit(snode, s))
|
|
|
|
|
+ continue;
|
|
|
|
|
+ ebitmap_for_each_bit(&e_ttypes, tnode, t) {
|
|
|
|
|
+ if (!ebitmap_node_get_bit(tnode, t))
|
|
|
|
|
+ continue;
|
|
|
|
|
+
|
|
|
|
|
+ for (ft = policydbp->filename_trans; ft; ft = ft->next) {
|
|
|
|
|
+ if (ft->stype == (s + 1) &&
|
|
|
|
|
+ ft->ttype == (t + 1) &&
|
|
|
|
|
+ ft->tclass == (c + 1) &&
|
|
|
|
|
+ !strcmp(ft->name, name)) {
|
|
|
|
|
+ yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s",
|
|
|
|
|
+ name,
|
|
|
|
|
+ policydbp->p_type_val_to_name[s],
|
|
|
|
|
+ policydbp->p_type_val_to_name[t],
|
|
|
|
|
+ policydbp->p_class_val_to_name[c]);
|
|
|
|
|
+ goto bad;
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ ft = malloc(sizeof(*ft));
|
|
|
|
|
+ if (!ft) {
|
|
|
|
|
+ yyerror("out of memory");
|
|
|
|
|
+ goto bad;
|
|
|
|
|
+ }
|
|
|
|
|
+ memset(ft, 0, sizeof(*ft));
|
|
|
|
|
+
|
|
|
|
|
+ ft->next = policydbp->filename_trans;
|
|
|
|
|
+ policydbp->filename_trans = ft;
|
|
|
|
|
+
|
|
|
|
|
+ ft->name = strdup(name);
|
|
|
|
|
+ if (!ft->name) {
|
|
|
|
|
+ yyerror("out of memory");
|
|
|
|
|
+ goto bad;
|
|
|
|
|
+ }
|
|
|
|
|
+ ft->stype = s + 1;
|
|
|
|
|
+ ft->ttype = t + 1;
|
|
|
|
|
+ ft->tclass = c + 1;
|
|
|
|
|
+ ft->otype = otype;
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ /* Now add the real rule since we didn't find any duplicates */
|
|
|
|
|
+ ftr = malloc(sizeof(*ftr));
|
|
|
|
|
+ if (!ftr) {
|
|
|
|
|
+ yyerror("out of memory");
|
|
|
|
|
+ goto bad;
|
|
|
|
|
+ }
|
|
|
|
|
+ filename_trans_rule_init(ftr);
|
|
|
|
|
+ append_filename_trans(ftr);
|
|
|
|
|
+
|
|
|
|
|
+ ftr->name = strdup(name);
|
|
|
|
|
+ ftr->stypes = stypes;
|
|
|
|
|
+ ftr->ttypes = ttypes;
|
|
|
|
|
+ ftr->tclass = c + 1;
|
|
|
|
|
+ ftr->otype = otype;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ free(name);
|
|
|
|
|
+ ebitmap_destroy(&e_stypes);
|
|
|
|
|
+ ebitmap_destroy(&e_ttypes);
|
|
|
|
|
+ ebitmap_destroy(&e_tclasses);
|
|
|
|
|
+
|
|
|
|
|
+ return 0;
|
|
|
|
|
+
|
|
|
|
|
+bad:
|
|
|
|
|
+ free(name);
|
|
|
|
|
+ return -1;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr)
|
|
|
|
|
{
|
|
|
|
|
constraint_expr_t *h = NULL, *l = NULL, *e, *newe;
|
|
|
|
|
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
|
|
|
|
|
index 2f7a78f..890a6af 100644
|
|
|
|
|
--- a/checkpolicy/policy_define.h
|
|
|
|
|
+++ b/checkpolicy/policy_define.h
|
|
|
|
|
@@ -16,6 +16,7 @@
|
|
|
|
|
avrule_t *define_cond_compute_type(int which);
|
|
|
|
|
avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt);
|
|
|
|
|
avrule_t *define_cond_te_avtab(int which);
|
|
|
|
|
+avrule_t *define_cond_filename_trans(void);
|
|
|
|
|
cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2);
|
|
|
|
|
int define_attrib(void);
|
|
|
|
|
int define_av_perms(int inherits);
|
|
|
|
|
@@ -47,6 +48,7 @@ int define_range_trans(int class_specified);
|
|
|
|
|
int define_role_allow(void);
|
|
|
|
|
int define_role_trans(int class_specified);
|
|
|
|
|
int define_role_types(void);
|
|
|
|
|
+int define_filename_trans(void);
|
|
|
|
|
int define_sens(void);
|
|
|
|
|
int define_te_avtab(int which);
|
|
|
|
|
int define_typealias(void);
|
|
|
|
|
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
|
|
|
|
|
index 8c29e2b..8274d36 100644
|
|
|
|
|
--- a/checkpolicy/policy_parse.y
|
|
|
|
|
+++ b/checkpolicy/policy_parse.y
|
|
|
|
|
@@ -81,6 +81,7 @@ typedef int (* require_func_t)();
|
|
|
|
|
%type <require_func> require_decl_def
|
|
|
|
|
|
|
|
|
|
%token PATH
|
|
|
|
|
+%token FILENAME
|
|
|
|
|
%token CLONE
|
|
|
|
|
%token COMMON
|
|
|
|
|
%token CLASS
|
|
|
|
|
@@ -341,7 +342,10 @@ cond_rule_def : cond_transition_def
|
|
|
|
|
| require_block
|
|
|
|
|
{ $$ = NULL; }
|
|
|
|
|
;
|
|
|
|
|
-cond_transition_def : TYPE_TRANSITION names names ':' names identifier ';'
|
|
|
|
|
+cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
|
|
|
|
|
+ { $$ = define_cond_filename_trans() ;
|
|
|
|
|
+ if ($$ == COND_ERR) return -1;}
|
|
|
|
|
+ | TYPE_TRANSITION names names ':' names identifier ';'
|
|
|
|
|
{ $$ = define_cond_compute_type(AVRULE_TRANSITION) ;
|
|
|
|
|
if ($$ == COND_ERR) return -1;}
|
|
|
|
|
| TYPE_MEMBER names names ':' names identifier ';'
|
|
|
|
|
@@ -376,7 +380,9 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';'
|
|
|
|
|
{ $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
|
|
|
|
|
if ($$ == COND_ERR) return -1; }
|
|
|
|
|
;
|
|
|
|
|
-transition_def : TYPE_TRANSITION names names ':' names identifier ';'
|
|
|
|
|
+transition_def : TYPE_TRANSITION names names ':' names identifier filename';'
|
|
|
|
|
+ {if (define_filename_trans()) return -1; }
|
|
|
|
|
+ |TYPE_TRANSITION names names ':' names identifier ';'
|
|
|
|
|
{if (define_compute_type(AVRULE_TRANSITION)) return -1;}
|
|
|
|
|
| TYPE_MEMBER names names ':' names identifier ';'
|
|
|
|
|
{if (define_compute_type(AVRULE_MEMBER)) return -1;}
|
|
|
|
|
@@ -639,7 +645,7 @@ opt_fs_uses : fs_uses
|
|
|
|
|
fs_uses : fs_use_def
|
|
|
|
|
| fs_uses fs_use_def
|
|
|
|
|
;
|
|
|
|
|
-fs_use_def : FSUSEXATTR identifier security_context_def ';'
|
|
|
|
|
+fs_use_def : FSUSEXATTR filename security_context_def ';'
|
|
|
|
|
{if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;}
|
|
|
|
|
| FSUSETASK identifier security_context_def ';'
|
|
|
|
|
{if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;}
|
|
|
|
|
@@ -652,11 +658,11 @@ opt_genfs_contexts : genfs_contexts
|
|
|
|
|
genfs_contexts : genfs_context_def
|
|
|
|
|
| genfs_contexts genfs_context_def
|
|
|
|
|
;
|
|
|
|
|
-genfs_context_def : GENFSCON identifier path '-' identifier security_context_def
|
|
|
|
|
+genfs_context_def : GENFSCON filename path '-' identifier security_context_def
|
|
|
|
|
{if (define_genfs_context(1)) return -1;}
|
|
|
|
|
- | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
|
|
|
|
|
+ | GENFSCON filename path '-' '-' {insert_id("-", 0);} security_context_def
|
|
|
|
|
{if (define_genfs_context(1)) return -1;}
|
|
|
|
|
- | GENFSCON identifier path security_context_def
|
|
|
|
|
+ | GENFSCON filename path security_context_def
|
|
|
|
|
{if (define_genfs_context(0)) return -1;}
|
|
|
|
|
;
|
|
|
|
|
ipv4_addr_def : IPV4_ADDR
|
|
|
|
|
@@ -733,6 +739,17 @@ identifier : IDENTIFIER
|
|
|
|
|
path : PATH
|
|
|
|
|
{ if (insert_id(yytext,0)) return -1; }
|
|
|
|
|
;
|
|
|
|
|
+filename : FILENAME
|
|
|
|
|
+ { if (insert_id(yytext,0)) return -1; }
|
|
|
|
|
+ | NUMBER
|
|
|
|
|
+ { if (insert_id(yytext,0)) return -1; }
|
|
|
|
|
+ | IPV4_ADDR
|
|
|
|
|
+ { if (insert_id(yytext,0)) return -1; }
|
|
|
|
|
+ | VERSION_IDENTIFIER
|
|
|
|
|
+ { if (insert_id(yytext,0)) return -1; }
|
|
|
|
|
+ | IDENTIFIER
|
|
|
|
|
+ { if (insert_id(yytext,0)) return -1; }
|
|
|
|
|
+ ;
|
|
|
|
|
number : NUMBER
|
|
|
|
|
{ $$ = strtoul(yytext,NULL,0); }
|
|
|
|
|
;
|
|
|
|
|
@@ -757,6 +774,8 @@ module_def : MODULE identifier version_identifier ';'
|
|
|
|
|
;
|
|
|
|
|
version_identifier : VERSION_IDENTIFIER
|
|
|
|
|
{ if (insert_id(yytext,0)) return -1; }
|
|
|
|
|
+ | number
|
|
|
|
|
+ { if (insert_id(yytext,0)) return -1; }
|
|
|
|
|
| ipv4_addr_def /* version can look like ipv4 address */
|
|
|
|
|
;
|
|
|
|
|
avrules_block : avrule_decls avrule_user_defs
|
|
|
|
|
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
|
|
|
|
|
index 48128a8..1331c04 100644
|
|
|
|
|
index 5ee27f8..b4b9066 100644
|
|
|
|
|
--- a/checkpolicy/policy_scan.l
|
|
|
|
|
+++ b/checkpolicy/policy_scan.l
|
|
|
|
|
@@ -218,9 +218,13 @@ PERMISSIVE { return(PERMISSIVE); }
|
|
|
|
|
@@ -222,7 +222,7 @@ POLICYCAP { return(POLICYCAP); }
|
|
|
|
|
permissive |
|
|
|
|
|
PERMISSIVE { return(PERMISSIVE); }
|
|
|
|
|
"/"({alnum}|[_\.\-/])* { return(PATH); }
|
|
|
|
|
-\"({alnum}|[_\.\-])+\" { return(FILENAME); }
|
|
|
|
|
+\"({alnum}|[_\.\-\~])+\" { return(FILENAME); }
|
|
|
|
|
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
|
|
|
|
|
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
|
|
|
|
|
{digit}+|0x{hexval}+ { return(NUMBER); }
|
|
|
|
|
+{alnum}* { return(FILENAME); }
|
|
|
|
|
+\.({alnum}|[_\.\-])* { return(FILENAME); }
|
|
|
|
|
{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
|
|
|
|
|
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
|
|
|
|
|
{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
|
|
|
|
|
+{letter}+([-_\.]|{alnum})+ { return(FILENAME); }
|
|
|
|
|
+([_\.]){alnum}+ { return(FILENAME); }
|
|
|
|
|
#line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
|
|
|
|
|
#line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
|
|
|
|
|
#[^\n]* { /* delete comments */ }
|
|
|
|
|
diff --git a/checkpolicy/test/.gitignore b/checkpolicy/test/.gitignore
|
|
|
|
|
new file mode 100644
|
|
|
|
|
index 0000000..dbb03b9
|
|
|
|
|
--- /dev/null
|
|
|
|
|
+++ b/checkpolicy/test/.gitignore
|
|
|
|
|
@@ -0,0 +1,2 @@
|
|
|
|
|
+dismod
|
|
|
|
|
+dispol
|
|
|
|
|
diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
|
|
|
|
|
index 65cf901..0731e89 100644
|
|
|
|
|
--- a/checkpolicy/test/Makefile
|
|
|
|
|
+++ b/checkpolicy/test/Makefile
|
|
|
|
|
@@ -6,7 +6,7 @@ BINDIR=$(PREFIX)/bin
|
|
|
|
|
LIBDIR=$(PREFIX)/lib
|
|
|
|
|
INCLUDEDIR ?= $(PREFIX)/include
|
|
|
|
|
|
|
|
|
|
-CFLAGS ?= -g -Wall -O2 -pipe
|
|
|
|
|
+CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
|
|
|
|
|
override CFLAGS += -I$(INCLUDEDIR)
|
|
|
|
|
|
|
|
|
|
LDLIBS=-lfl -lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR)
|
|
|
|
|
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
|
|
|
|
|
index 33a29e4..66f976f 100644
|
|
|
|
|
index 1674a47..6a951f6 100644
|
|
|
|
|
--- a/checkpolicy/test/dismod.c
|
|
|
|
|
+++ b/checkpolicy/test/dismod.c
|
|
|
|
|
@@ -45,6 +45,15 @@
|
|
|
|
|
#define le32_to_cpu(x) bswap_32(x)
|
|
|
|
|
#endif
|
|
|
|
|
@@ -115,7 +115,7 @@ static void display_id(policydb_t * p, FILE * fp, uint32_t symbol_type,
|
|
|
|
|
int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
|
|
|
|
|
FILE * fp)
|
|
|
|
|
{
|
|
|
|
|
- int i, num_types;
|
|
|
|
|
+ unsigned int i, num_types;
|
|
|
|
|
|
|
|
|
|
+#define DISPLAY_AVBLOCK_COND_AVTAB 0
|
|
|
|
|
+#define DISPLAY_AVBLOCK_UNCOND_AVTAB 1
|
|
|
|
|
+#define DISPLAY_AVBLOCK_ROLE_TYPE_NODE 2 /* unused? */
|
|
|
|
|
+#define DISPLAY_AVBLOCK_ROLE_TRANS 3
|
|
|
|
|
+#define DISPLAY_AVBLOCK_ROLE_ALLOW 4
|
|
|
|
|
+#define DISPLAY_AVBLOCK_REQUIRES 5
|
|
|
|
|
+#define DISPLAY_AVBLOCK_DECLARES 6
|
|
|
|
|
+#define DISPLAY_AVBLOCK_FILENAME_TRANS 7
|
|
|
|
|
+
|
|
|
|
|
static policydb_t policydb;
|
|
|
|
|
extern unsigned int ss_initialized;
|
|
|
|
|
if (set->flags & TYPE_STAR) {
|
|
|
|
|
fprintf(fp, " * ");
|
|
|
|
|
@@ -178,7 +178,7 @@ int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
|
|
|
|
|
|
|
|
|
|
@@ -497,6 +506,18 @@ void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp)
|
|
|
|
|
int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
|
|
|
|
|
{
|
|
|
|
|
- int i, num = 0;
|
|
|
|
|
+ unsigned int i, num = 0;
|
|
|
|
|
|
|
|
|
|
if (roles->flags & ROLE_STAR) {
|
|
|
|
|
fprintf(fp, " * ");
|
|
|
|
|
@@ -211,13 +211,7 @@ int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
-/* 'what' values for this function */
|
|
|
|
|
-#define RENDER_UNCONDITIONAL 0x0001 /* render all regardless of enabled state */
|
|
|
|
|
-#define RENDER_ENABLED 0x0002
|
|
|
|
|
-#define RENDER_DISABLED 0x0004
|
|
|
|
|
-#define RENDER_CONDITIONAL (RENDER_ENABLED|RENDER_DISABLED)
|
|
|
|
|
-
|
|
|
|
|
-int display_avrule(avrule_t * avrule, uint32_t what, policydb_t * policy,
|
|
|
|
|
+int display_avrule(avrule_t * avrule, policydb_t * policy,
|
|
|
|
|
FILE * fp)
|
|
|
|
|
{
|
|
|
|
|
class_perm_node_t *cur;
|
|
|
|
|
@@ -299,7 +293,7 @@ int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
|
|
|
|
|
{
|
|
|
|
|
type_datum_t *type;
|
|
|
|
|
FILE *fp;
|
|
|
|
|
- int i, first_attrib = 1;
|
|
|
|
|
+ unsigned int i, first_attrib = 1;
|
|
|
|
|
|
|
|
|
|
type = (type_datum_t *) datum;
|
|
|
|
|
fp = (FILE *) data;
|
|
|
|
|
@@ -346,7 +340,7 @@ int display_types(policydb_t * p, FILE * fp)
|
|
|
|
|
|
|
|
|
|
int display_users(policydb_t * p, FILE * fp)
|
|
|
|
|
{
|
|
|
|
|
- int i, j;
|
|
|
|
|
+ unsigned int i, j;
|
|
|
|
|
ebitmap_t *bitmap;
|
|
|
|
|
for (i = 0; i < p->p_users.nprim; i++) {
|
|
|
|
|
display_id(p, fp, SYM_USERS, i, "");
|
|
|
|
|
@@ -365,7 +359,7 @@ int display_users(policydb_t * p, FILE * fp)
|
|
|
|
|
|
|
|
|
|
int display_bools(policydb_t * p, FILE * fp)
|
|
|
|
|
{
|
|
|
|
|
- int i;
|
|
|
|
|
+ unsigned int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < p->p_bools.nprim; i++) {
|
|
|
|
|
display_id(p, fp, SYM_BOOLS, i, "");
|
|
|
|
|
@@ -409,30 +403,11 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
+void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, FILE * fp)
|
|
|
|
|
+{
|
|
|
|
|
+ for (; tr; tr = tr->next) {
|
|
|
|
|
+ fprintf(fp, "filename transition %s", tr->name);
|
|
|
|
|
+ display_type_set(&tr->stypes, 0, p, fp);
|
|
|
|
|
+ display_type_set(&tr->ttypes, 0, p, fp);
|
|
|
|
|
+ display_id(p, fp, SYM_CLASSES, tr->tclass - 1, ":");
|
|
|
|
|
+ display_id(p, fp, SYM_TYPES, tr->otype - 1, "");
|
|
|
|
|
+ fprintf(fp, "\n");
|
|
|
|
|
+ }
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
|
|
|
|
|
-void display_policycon(policydb_t * p, FILE * fp)
|
|
|
|
|
+void display_policycon(FILE * fp)
|
|
|
|
|
{
|
|
|
|
|
-#if 0
|
|
|
|
|
- int i;
|
|
|
|
|
- ocontext_t *cur;
|
|
|
|
|
- char *name;
|
|
|
|
|
-
|
|
|
|
|
- for (i = 0; i < POLICYCON_NUM; i++) {
|
|
|
|
|
- fprintf(fp, "%s:", symbol_labels[i]);
|
|
|
|
|
- for (cur = p->policycon[i].head; cur != NULL; cur = cur->next) {
|
|
|
|
|
- if (*(cur->u.name) == '\0') {
|
|
|
|
|
- name = "{default}";
|
|
|
|
|
- } else {
|
|
|
|
|
- name = cur->u.name;
|
|
|
|
|
- }
|
|
|
|
|
- fprintf(fp, "\n%16s - %s:%s:%s", name,
|
|
|
|
|
- p->p_user_val_to_name[cur->context[0].user - 1],
|
|
|
|
|
- p->p_role_val_to_name[cur->context[0].role - 1],
|
|
|
|
|
- p->p_type_val_to_name[cur->context[0].type -
|
|
|
|
|
- 1]);
|
|
|
|
|
- }
|
|
|
|
|
- fprintf(fp, "\n");
|
|
|
|
|
- }
|
|
|
|
|
-#endif
|
|
|
|
|
+ /* There was an attempt to implement this at one time. Look through
|
|
|
|
|
+ * git history to find it. */
|
|
|
|
|
+ fprintf(fp, "Sorry, not implemented\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void display_initial_sids(policydb_t * p, FILE * fp)
|
|
|
|
|
@@ -462,7 +437,7 @@ void display_initial_sids(policydb_t * p, FILE * fp)
|
|
|
|
|
|
|
|
|
|
void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
|
|
|
|
|
{
|
|
|
|
|
- int i, num = 0;
|
|
|
|
|
+ unsigned int i, num = 0;
|
|
|
|
|
|
|
|
|
|
for (i = ebitmap_startbit(classes); i < ebitmap_length(classes); i++) {
|
|
|
|
|
if (!ebitmap_get_bit(classes, i))
|
|
|
|
|
@@ -518,7 +493,8 @@ static void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, F
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
-int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
|
|
|
|
|
+int role_display_callback(hashtab_key_t key __attribute__((unused)),
|
|
|
|
|
+ hashtab_datum_t datum, void *data)
|
|
|
|
|
{
|
|
|
|
|
role_datum_t *role;
|
|
|
|
|
@@ -596,7 +617,7 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
|
|
|
|
|
fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
|
|
|
|
|
(decl->enabled ? " [enabled]" : ""));
|
|
|
|
|
switch (field) {
|
|
|
|
|
- case 0:{
|
|
|
|
|
+ case DISPLAY_AVBLOCK_COND_AVTAB:{
|
|
|
|
|
cond_list_t *cond = decl->cond_list;
|
|
|
|
|
avrule_t *avrule;
|
|
|
|
|
while (cond) {
|
|
|
|
|
@@ -624,7 +645,7 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
- case 1:{
|
|
|
|
|
+ case DISPLAY_AVBLOCK_UNCOND_AVTAB:{
|
|
|
|
|
avrule_t *avrule = decl->avrules;
|
|
|
|
|
if (avrule == NULL) {
|
|
|
|
|
fprintf(out_fp, " <empty>\n");
|
|
|
|
|
@@ -638,32 +659,37 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
- case 2:{ /* role_type_node */
|
|
|
|
|
+ case DISPLAY_AVBLOCK_ROLE_TYPE_NODE:{ /* role_type_node */
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
- case 3:{
|
|
|
|
|
+ case DISPLAY_AVBLOCK_ROLE_TRANS:{
|
|
|
|
|
display_role_trans(decl->role_tr_rules, policy, out_fp);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
- case 4:{
|
|
|
|
|
+ case DISPLAY_AVBLOCK_ROLE_ALLOW:{
|
|
|
|
|
display_role_allow(decl->role_allow_rules, policy,
|
|
|
|
|
out_fp);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
- case 5:{
|
|
|
|
|
+ case DISPLAY_AVBLOCK_REQUIRES:{
|
|
|
|
|
if (display_scope_index
|
|
|
|
|
(&decl->required, policy, out_fp)) {
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
- case 6:{
|
|
|
|
|
+ case DISPLAY_AVBLOCK_DECLARES:{
|
|
|
|
|
if (display_scope_index
|
|
|
|
|
(&decl->declared, policy, out_fp)) {
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
+ case DISPLAY_AVBLOCK_FILENAME_TRANS:
|
|
|
|
|
+ display_filename_trans(decl->filename_trans_rules, policy,
|
|
|
|
|
+ out_fp);
|
|
|
|
|
+ return -1;
|
|
|
|
|
+ break;
|
|
|
|
|
default:{
|
|
|
|
|
assert(0);
|
|
|
|
|
}
|
|
|
|
|
@@ -829,6 +855,7 @@ int menu()
|
|
|
|
|
printf("c) Display policy capabilities\n");
|
|
|
|
|
printf("l) Link in a module\n");
|
|
|
|
|
printf("u) Display the unknown handling setting\n");
|
|
|
|
|
+ printf("F) Display filename_trans rules\n");
|
|
|
|
|
printf("\n");
|
|
|
|
|
printf("f) set output file\n");
|
|
|
|
|
printf("m) display menu\n");
|
|
|
|
|
@@ -886,15 +913,16 @@ int main(int argc, char **argv)
|
|
|
|
|
fgets(ans, sizeof(ans), stdin);
|
|
|
|
|
switch (ans[0]) {
|
|
|
|
|
FILE *fp;
|
|
|
|
|
@@ -538,9 +514,9 @@ int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
|
|
|
|
|
static int display_scope_index(scope_index_t * indices, policydb_t * p,
|
|
|
|
|
FILE * out_fp)
|
|
|
|
|
{
|
|
|
|
|
- int i;
|
|
|
|
|
+ unsigned int i;
|
|
|
|
|
for (i = 0; i < SYM_NUM; i++) {
|
|
|
|
|
- int any_found = 0, j;
|
|
|
|
|
+ unsigned int any_found = 0, j;
|
|
|
|
|
fprintf(out_fp, "%s:", symbol_labels[i]);
|
|
|
|
|
for (j = ebitmap_startbit(&indices->scope[i]);
|
|
|
|
|
j < ebitmap_length(&indices->scope[i]); j++) {
|
|
|
|
|
@@ -611,7 +587,7 @@ int change_bool(char *name, int state, policydb_t * p, FILE * fp)
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
- case '1':{
|
|
|
|
|
- fprintf(out_fp, "unconditional avtab:\n");
|
|
|
|
|
- display_avblock(1, RENDER_UNCONDITIONAL,
|
|
|
|
|
- &policydb, out_fp);
|
|
|
|
|
- break;
|
|
|
|
|
- }
|
|
|
|
|
+ case '1':
|
|
|
|
|
+ fprintf(out_fp, "unconditional avtab:\n");
|
|
|
|
|
+ display_avblock(DISPLAY_AVBLOCK_UNCOND_AVTAB,
|
|
|
|
|
+ RENDER_UNCONDITIONAL, &policydb,
|
|
|
|
|
+ out_fp);
|
|
|
|
|
+ break;
|
|
|
|
|
-int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
|
|
|
|
|
+int display_avdecl(avrule_decl_t * decl, int field,
|
|
|
|
|
policydb_t * policy, FILE * out_fp)
|
|
|
|
|
{
|
|
|
|
|
fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
|
|
|
|
|
@@ -629,7 +605,6 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
|
|
|
|
|
avrule = cond->avtrue_list;
|
|
|
|
|
while (avrule) {
|
|
|
|
|
display_avrule(avrule,
|
|
|
|
|
- RENDER_UNCONDITIONAL,
|
|
|
|
|
&policydb, out_fp);
|
|
|
|
|
avrule = avrule->next;
|
|
|
|
|
}
|
|
|
|
|
@@ -637,7 +612,6 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
|
|
|
|
|
avrule = cond->avfalse_list;
|
|
|
|
|
while (avrule) {
|
|
|
|
|
display_avrule(avrule,
|
|
|
|
|
- RENDER_UNCONDITIONAL,
|
|
|
|
|
&policydb, out_fp);
|
|
|
|
|
avrule = avrule->next;
|
|
|
|
|
}
|
|
|
|
|
@@ -651,10 +625,8 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
|
|
|
|
|
fprintf(out_fp, " <empty>\n");
|
|
|
|
|
}
|
|
|
|
|
while (avrule != NULL) {
|
|
|
|
|
- if (display_avrule
|
|
|
|
|
- (avrule, what, policy, out_fp)) {
|
|
|
|
|
+ if (display_avrule(avrule, policy, out_fp))
|
|
|
|
|
return -1;
|
|
|
|
|
- }
|
|
|
|
|
avrule = avrule->next;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
@@ -696,7 +668,7 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
|
|
|
|
|
return 0; /* should never get here */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
-int display_avblock(int field, uint32_t what, policydb_t * policy,
|
|
|
|
|
+int display_avblock(int field, policydb_t * policy,
|
|
|
|
|
FILE * out_fp)
|
|
|
|
|
{
|
|
|
|
|
avrule_block_t *block = policydb.global;
|
|
|
|
|
@@ -704,7 +676,7 @@ int display_avblock(int field, uint32_t what, policydb_t * policy,
|
|
|
|
|
fprintf(out_fp, "--- begin avrule block ---\n");
|
|
|
|
|
avrule_decl_t *decl = block->branch_list;
|
|
|
|
|
while (decl != NULL) {
|
|
|
|
|
- if (display_avdecl(decl, field, what, policy, out_fp)) {
|
|
|
|
|
+ if (display_avdecl(decl, field, policy, out_fp)) {
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
decl = decl->next;
|
|
|
|
|
@@ -820,7 +792,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
|
|
|
|
|
ebitmap_node_t *node;
|
|
|
|
|
const char *capname;
|
|
|
|
|
char buf[64];
|
|
|
|
|
- int i;
|
|
|
|
|
+ unsigned int i;
|
|
|
|
|
|
|
|
|
|
fprintf(fp, "policy capabilities:\n");
|
|
|
|
|
ebitmap_for_each_bit(&p->policycaps, node, i) {
|
|
|
|
|
@@ -915,14 +887,12 @@ int main(int argc, char **argv)
|
|
|
|
|
case '1':
|
|
|
|
|
fprintf(out_fp, "unconditional avtab:\n");
|
|
|
|
|
display_avblock(DISPLAY_AVBLOCK_UNCOND_AVTAB,
|
|
|
|
|
- RENDER_UNCONDITIONAL, &policydb,
|
|
|
|
|
- out_fp);
|
|
|
|
|
+ &policydb, out_fp);
|
|
|
|
|
break;
|
|
|
|
|
case '2':
|
|
|
|
|
fprintf(out_fp, "conditional avtab:\n");
|
|
|
|
|
- display_avblock(0, RENDER_UNCONDITIONAL, &policydb,
|
|
|
|
|
+ display_avblock(DISPLAY_AVBLOCK_COND_AVTAB,
|
|
|
|
|
+ RENDER_UNCONDITIONAL, &policydb,
|
|
|
|
|
out_fp);
|
|
|
|
|
display_avblock(DISPLAY_AVBLOCK_COND_AVTAB,
|
|
|
|
|
- RENDER_UNCONDITIONAL, &policydb,
|
|
|
|
|
- out_fp);
|
|
|
|
|
+ &policydb, out_fp);
|
|
|
|
|
break;
|
|
|
|
|
case '3':
|
|
|
|
|
@@ -917,11 +945,13 @@ int main(int argc, char **argv)
|
|
|
|
|
display_users(&policydb, out_fp);
|
|
|
|
|
@@ -944,28 +914,28 @@ int main(int argc, char **argv)
|
|
|
|
|
break;
|
|
|
|
|
case '7':
|
|
|
|
|
fprintf(out_fp, "role transitions:\n");
|
|
|
|
|
- display_avblock(3, 0, &policydb, out_fp);
|
|
|
|
|
+ display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS, 0,
|
|
|
|
|
+ &policydb, out_fp);
|
|
|
|
|
- display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS, 0,
|
|
|
|
|
+ display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS,
|
|
|
|
|
&policydb, out_fp);
|
|
|
|
|
break;
|
|
|
|
|
case '8':
|
|
|
|
|
fprintf(out_fp, "role allows:\n");
|
|
|
|
|
- display_avblock(4, 0, &policydb, out_fp);
|
|
|
|
|
+ display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW, 0,
|
|
|
|
|
+ &policydb, out_fp);
|
|
|
|
|
- display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW, 0,
|
|
|
|
|
+ display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW,
|
|
|
|
|
&policydb, out_fp);
|
|
|
|
|
break;
|
|
|
|
|
case '9':
|
|
|
|
|
display_policycon(&policydb, out_fp);
|
|
|
|
|
@@ -931,11 +961,13 @@ int main(int argc, char **argv)
|
|
|
|
|
- display_policycon(&policydb, out_fp);
|
|
|
|
|
+ display_policycon(out_fp);
|
|
|
|
|
break;
|
|
|
|
|
case '0':
|
|
|
|
|
display_initial_sids(&policydb, out_fp);
|
|
|
|
|
break;
|
|
|
|
|
case 'a':
|
|
|
|
|
fprintf(out_fp, "avrule block requirements:\n");
|
|
|
|
|
- display_avblock(5, 0, &policydb, out_fp);
|
|
|
|
|
+ display_avblock(DISPLAY_AVBLOCK_REQUIRES, 0,
|
|
|
|
|
+ &policydb, out_fp);
|
|
|
|
|
- display_avblock(DISPLAY_AVBLOCK_REQUIRES, 0,
|
|
|
|
|
+ display_avblock(DISPLAY_AVBLOCK_REQUIRES,
|
|
|
|
|
&policydb, out_fp);
|
|
|
|
|
break;
|
|
|
|
|
case 'b':
|
|
|
|
|
fprintf(out_fp, "avrule block declarations:\n");
|
|
|
|
|
- display_avblock(6, 0, &policydb, out_fp);
|
|
|
|
|
+ display_avblock(DISPLAY_AVBLOCK_DECLARES, 0,
|
|
|
|
|
- display_avblock(DISPLAY_AVBLOCK_DECLARES, 0,
|
|
|
|
|
+ display_avblock(DISPLAY_AVBLOCK_DECLARES,
|
|
|
|
|
&policydb, out_fp);
|
|
|
|
|
break;
|
|
|
|
|
case 'c':
|
|
|
|
|
@@ -993,7 +963,7 @@ int main(int argc, char **argv)
|
|
|
|
|
case 'F':
|
|
|
|
|
fprintf(out_fp, "filename_trans rules:\n");
|
|
|
|
|
display_avblock(DISPLAY_AVBLOCK_FILENAME_TRANS,
|
|
|
|
|
- 0, &policydb, out_fp);
|
|
|
|
|
+ &policydb, out_fp);
|
|
|
|
|
break;
|
|
|
|
|
case 'c':
|
|
|
|
|
display_policycaps(&policydb, out_fp);
|
|
|
|
|
@@ -959,6 +991,11 @@ int main(int argc, char **argv)
|
|
|
|
|
if (out_fp != stdout)
|
|
|
|
|
printf("\nOutput to file: %s\n", OutfileName);
|
|
|
|
|
break;
|
|
|
|
|
+ case 'F':
|
|
|
|
|
+ fprintf(out_fp, "filename_trans rules:\n");
|
|
|
|
|
+ display_avblock(DISPLAY_AVBLOCK_FILENAME_TRANS,
|
|
|
|
|
+ 0, &policydb, out_fp);
|
|
|
|
|
+ break;
|
|
|
|
|
case 'l':
|
|
|
|
|
link_module(&policydb, out_fp);
|
|
|
|
|
break;
|
|
|
|
|
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
|
|
|
|
|
index f8c05e6..2213946 100644
|
|
|
|
|
index 0e08965..f41acdc 100644
|
|
|
|
|
--- a/checkpolicy/test/dispol.c
|
|
|
|
|
+++ b/checkpolicy/test/dispol.c
|
|
|
|
|
@@ -341,6 +341,35 @@ static void display_permissive(policydb_t *p, FILE *fp)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
@@ -157,7 +157,7 @@ int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
|
|
|
|
|
|
|
|
|
|
+static void display_role_trans(policydb_t *p, FILE *fp)
|
|
|
|
|
+{
|
|
|
|
|
+ role_trans_t *rt;
|
|
|
|
|
+
|
|
|
|
|
+ fprintf(fp, "role_trans rules:\n");
|
|
|
|
|
+ for (rt = p->role_tr; rt; rt = rt->next) {
|
|
|
|
|
+ display_id(p, fp, SYM_ROLES, rt->role - 1, "");
|
|
|
|
|
+ display_id(p, fp, SYM_TYPES, rt->type - 1, "");
|
|
|
|
|
+ display_id(p, fp, SYM_CLASSES, rt->tclass - 1, ":");
|
|
|
|
|
+ display_id(p, fp, SYM_ROLES, rt->new_role - 1, "");
|
|
|
|
|
+ fprintf(fp, "\n");
|
|
|
|
|
+ }
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
+static void display_filename_trans(policydb_t *p, FILE *fp)
|
|
|
|
|
+{
|
|
|
|
|
+ filename_trans_t *ft;
|
|
|
|
|
+
|
|
|
|
|
+ fprintf(fp, "filename_trans rules:\n");
|
|
|
|
|
+ for (ft = p->filename_trans; ft; ft = ft->next) {
|
|
|
|
|
+ fprintf(fp, "%s\n", ft->name);
|
|
|
|
|
+ display_id(p, fp, SYM_TYPES, ft->stype - 1, "");
|
|
|
|
|
+ display_id(p, fp, SYM_TYPES, ft->ttype - 1, "");
|
|
|
|
|
+ display_id(p, fp, SYM_CLASSES, ft->tclass - 1, ":");
|
|
|
|
|
+ display_id(p, fp, SYM_TYPES, ft->otype - 1, "");
|
|
|
|
|
+ fprintf(fp, "\n");
|
|
|
|
|
+ }
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
int menu()
|
|
|
|
|
int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
|
|
|
|
|
{
|
|
|
|
|
printf("\nSelect a command:\n");
|
|
|
|
|
@@ -351,10 +380,13 @@ int menu()
|
|
|
|
|
printf("5) display conditional bools\n");
|
|
|
|
|
printf("6) display conditional expressions\n");
|
|
|
|
|
printf("7) change a boolean value\n");
|
|
|
|
|
+ printf("8) display role transitions\n");
|
|
|
|
|
printf("\n");
|
|
|
|
|
printf("c) display policy capabilities\n");
|
|
|
|
|
printf("p) display the list of permissive types\n");
|
|
|
|
|
printf("u) display unknown handling setting\n");
|
|
|
|
|
+ printf("F) display filename_trans rules\n");
|
|
|
|
|
+ printf("\n");
|
|
|
|
|
printf("f) set output file\n");
|
|
|
|
|
printf("m) display menu\n");
|
|
|
|
|
printf("q) quit\n");
|
|
|
|
|
@@ -467,6 +499,9 @@ int main(int argc, char **argv)
|
|
|
|
|
change_bool(name, state, &policydb, out_fp);
|
|
|
|
|
free(name);
|
|
|
|
|
break;
|
|
|
|
|
+ case '8':
|
|
|
|
|
+ display_role_trans(&policydb, out_fp);
|
|
|
|
|
+ break;
|
|
|
|
|
case 'c':
|
|
|
|
|
display_policycaps(&policydb, out_fp);
|
|
|
|
|
break;
|
|
|
|
|
@@ -492,6 +527,9 @@ int main(int argc, char **argv)
|
|
|
|
|
if (out_fp != stdout)
|
|
|
|
|
printf("\nOutput to file: %s\n", OutfileName);
|
|
|
|
|
break;
|
|
|
|
|
+ case 'F':
|
|
|
|
|
+ display_filename_trans(&policydb, out_fp);
|
|
|
|
|
+ break;
|
|
|
|
|
case 'q':
|
|
|
|
|
policydb_destroy(&policydb);
|
|
|
|
|
exit(0);
|
|
|
|
|
- int i;
|
|
|
|
|
+ unsigned int i;
|
|
|
|
|
avtab_ptr_t cur;
|
|
|
|
|
avtab_t expa;
|
|
|
|
|
|
|
|
|
|
@@ -184,7 +184,7 @@ int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
|
|
|
|
|
|
|
|
|
|
int display_bools(policydb_t * p, FILE * fp)
|
|
|
|
|
{
|
|
|
|
|
- int i;
|
|
|
|
|
+ unsigned int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < p->p_bools.nprim; i++) {
|
|
|
|
|
fprintf(fp, "%s : %d\n", p->p_bool_val_to_name[i],
|
|
|
|
|
@@ -304,7 +304,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
|
|
|
|
|
ebitmap_node_t *node;
|
|
|
|
|
const char *capname;
|
|
|
|
|
char buf[64];
|
|
|
|
|
- int i;
|
|
|
|
|
+ unsigned int i;
|
|
|
|
|
|
|
|
|
|
fprintf(fp, "policy capabilities:\n");
|
|
|
|
|
ebitmap_for_each_bit(&p->policycaps, node, i) {
|
|
|
|
|
@@ -329,7 +329,7 @@ static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type,
|
|
|
|
|
static void display_permissive(policydb_t *p, FILE *fp)
|
|
|
|
|
{
|
|
|
|
|
ebitmap_node_t *node;
|
|
|
|
|
- int i;
|
|
|
|
|
+ unsigned int i;
|
|
|
|
|
|
|
|
|
|
fprintf(fp, "permissive sids:\n");
|
|
|
|
|
ebitmap_for_each_bit(&p->permissive_map, node, i) {
|
|
|
|
|
|
dwalsh