~ubuntu-branches/ubuntu/breezy/checkpolicy/breezy : revision 1

1

2

/* Authors: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>

3

*

4

5

* This program is free software; you can redistribute it and/or modify

6

* it under the terms of the GNU General Public License as published by

7

* the Free Software Foundation, version 2.

8

*/

9

10

/*

11

* displaypol.c

12

*

13

* Test program to the contents of a binary policy in text

14

* form. This program currently only displays the

15

* avtab (including conditional avtab) rules.

16

*

17

* displaypol binary_pol_file

18

*/

19

20

#include "../policydb.h"

21

#include "../avtab.h"

22

#include "../services.h"

23

#include "../conditional.h"

24

#include <getopt.h>

25

#include <assert.h>

26

#include <sys/stat.h>

27

#include <sys/types.h>

28

#include <sys/mman.h>

29

#include <errno.h>

30

#include <stdio.h>

31

#include <fcntl.h>

32

33

34

extern policydb_t policydb;

35

extern unsigned int ss_initialized;

36

37

/* hack! */

38

int avc_ss_reset(__u32 seqno)

39

{

40

return 0;

41

}

42

43

void usage(char *progname)

44

{

45

printf("usage: %s binary_pol_file\n\n", progname);

46

exit(1);

47

}

48

49

/* borrowed from avtab.c */

50

#define HASH_BITS 15

51

#define HASH_BUCKETS (1 << HASH_BITS)

52

#define HASH_MASK (HASH_BUCKETS-1)

53

54

/* borrowed from checkpolicy.c */

55

static int find_perm(hashtab_key_t key, hashtab_datum_t datum, void *p)

56

{

57

unsigned int *valuep;

58

perm_datum_t *perdatum;

59

60

valuep = (unsigned int *) p;

61

perdatum = (perm_datum_t *) datum;

62

63

if (*valuep == perdatum->value)

64

return (int) key;

65

66

return 0;

67

}

68

69

int render_access_mask(__u32 mask, avtab_key_t *key, policydb_t *p, FILE *fp)

70

{

71

unsigned int i;

72

class_datum_t *cladatum;

73

char *perm;

74

cladatum = p->class_val_to_struct[key->target_class -1];

75

fprintf(fp, "{");

76

for (i = 1; i <= sizeof(mask) * 8; i++) {

77

if (mask & (1 << (i - 1))) {

78

perm = (char *) hashtab_map(cladatum->permissions.table,

79

find_perm, &i);

80

81

if (!perm && cladatum->comdatum) {

82

perm = (char *) hashtab_map(cladatum->comdatum->permissions.table,

83

find_perm, &i);

84

}

85

if (perm)

86

fprintf(fp, " %s", perm);

87

}

88

}

89

fprintf(fp, " }");

90

return 0;

91

}

92

93

int render_type(__u32 type, policydb_t *p, FILE *fp)

94

{

95

fprintf(fp, "%s", p->p_type_val_to_name[type - 1]);

96

return 0;

97

}

98

99

int render_key(avtab_key_t *key, policydb_t *p, FILE *fp)

100

{

101

fprintf(fp, "%s %s : %s ", p->p_type_val_to_name[key->source_type - 1],

102

p->p_type_val_to_name[key->target_type - 1],

103

p->p_class_val_to_name[key->target_class - 1]);

104

return 0;

105

}

106

107

/* 'what' values for this function */

108

#define RENDER_UNCONDITIONAL 0x0001 /* render all regardless of enabled state */

109

#define RENDER_ENABLED 0x0002

110

#define RENDER_DISABLED 0x0004

111

#define RENDER_CONDITIONAL (RENDER_ENABLED|RENDER_DISABLED)

112

113

int render_av_rule(avtab_key_t *key, avtab_datum_t *datum, __u32 what, policydb_t *p, FILE *fp)

114

{

115

if(!(what & RENDER_UNCONDITIONAL)) {

116

if(what != RENDER_CONDITIONAL &&

117

(((what & RENDER_ENABLED) && !(datum->specified & AVTAB_ENABLED)) ||

118

((what & RENDER_DISABLED) && (datum->specified & AVTAB_ENABLED)))) {

119

return 0; /* doesn't match selection criteria */

120

}

121

}

122

123

if(!(what & RENDER_UNCONDITIONAL)) {

124

if(datum->specified & AVTAB_ENABLED)

125

fprintf(fp, "[enabled] ");

126

else if(!(datum->specified & AVTAB_ENABLED))

127

fprintf(fp, "[disabled] ");

128

}

129

130

if( datum->specified & AVTAB_AV) {

131

if(datum->specified & AVTAB_ALLOWED) {

132

fprintf(fp, "allow ");

133

render_key(key, p, fp);

134

render_access_mask(avtab_allowed(datum),key, p, fp);

135

fprintf(fp, ";\n");

136

}

137

if(datum->specified & AVTAB_AUDITALLOW) {

138

fprintf(fp, "auditallow ");

139

render_key(key, p, fp);

140

render_access_mask(avtab_auditallow(datum),key, p, fp);

141

fprintf(fp, ";\n");

142

}

143

if(datum->specified & AVTAB_AUDITDENY) {

144

fprintf(fp, "dontaudit ");

145

render_key(key, p, fp);

146

/* We inverse the mask for dontaudit since the mask is internally stored

147

* as a auditdeny mask */

148

render_access_mask(~avtab_auditdeny(datum),key, p, fp);

149

fprintf(fp, ";\n");

150

}

151

}

152

else if( datum->specified & AVTAB_TYPE){

153

if(datum->specified & AVTAB_TRANSITION) {

154

fprintf(fp, "type_transition ");

155

render_key(key, p, fp);

156

render_type(avtab_transition(datum), p, fp);

157

fprintf(fp, ";\n");

158

}

159

if(datum->specified & AVTAB_MEMBER) {

160

fprintf(fp, "type_member ");

161

render_key(key, p, fp);

162

render_type(avtab_member(datum), p, fp);

163

fprintf(fp, ";\n");

164

}

165

if(datum->specified & AVTAB_CHANGE) {

166

fprintf(fp, "type_change ");

167

render_key(key, p, fp);

168

render_type(avtab_change(datum), p, fp);

169

fprintf(fp, ";\n");

170

}

171

}

172

else {

173

fprintf(fp, " ERROR: no valid rule type specified\n");

174

return -1;

175

}

176

return 0;

177

}

178

179

int display_avtab(avtab_t *a, __u32 what, policydb_t *p, FILE *fp)

180

{

181

int i;

182

avtab_ptr_t cur;

183

184

for (i = 0; i < AVTAB_SIZE; i++) {

185

for (cur = a->htable[i]; cur; cur = cur->next) {

186

render_av_rule(&cur->key, &cur->datum, what, p, fp);

187

}

188

}

189

fprintf(fp, "\n");

190

return 0;

191

}

192

193

int display_bools(policydb_t *p, FILE *fp)

194

{

195

int i;

196

197

for (i = 0; i < p->p_bools.nprim; i++) {

198

fprintf(fp, "%s : %d\n", p->p_bool_val_to_name[i],

199

p->bool_val_to_struct[i]->state);

200

}

201

return 0;

202

}

203

204

void display_expr(policydb_t *p, cond_expr_t *exp, FILE *fp)

205

{

206

207

cond_expr_t *cur;

208

for (cur = exp; cur != NULL; cur = cur->next) {

209

switch (cur->expr_type) {

210

case COND_BOOL:

211

fprintf(fp, "%s ", p->p_bool_val_to_name[cur->bool - 1]);

212

break;

213

case COND_NOT:

214

fprintf(fp, "! ");

215

break;

216

case COND_OR:

217

fprintf(fp, "|| ");

218

break;

219

case COND_AND:

220

fprintf(fp, "&& ");

221

break;

222

case COND_XOR:

223

fprintf(fp, "^ ");

224

break;

225

case COND_EQ:

226

fprintf(fp, "== ");

227

break;

228

case COND_NEQ:

229

fprintf(fp, "!= ");

230

break;

231

default:

232

fprintf(fp, "error!");

233

break;

234

}

235

}

236

}

237

238

int display_cond_expressions(policydb_t *p, FILE *fp)

239

{

240

cond_node_t *cur;

241

cond_av_list_t *av_cur;

242

for (cur = p->cond_list; cur != NULL; cur = cur->next) {

243

fprintf(fp, "expression: ");

244

display_expr(p, cur->expr, fp);

245

fprintf(fp, "current state: %d\n", cur->cur_state);

246

fprintf(fp, "True list:\n");

247

for (av_cur = cur->true_list; av_cur != NULL; av_cur = av_cur->next) {

248

fprintf(fp, "\t");

249

render_av_rule(&av_cur->node->key, &av_cur->node->datum,

250

RENDER_CONDITIONAL, p, fp);

251

}

252

fprintf(fp, "False list:\n");

253

for (av_cur = cur->false_list; av_cur != NULL; av_cur = av_cur->next) {

254

fprintf(fp, "\t");

255

render_av_rule(&av_cur->node->key, &av_cur->node->datum,

256

RENDER_CONDITIONAL, p, fp);

257

}

258

}

259

return 0;

260

}

261

262

int change_bool(char *name, int state, policydb_t *p, FILE *fp)

263

{

264

cond_bool_datum_t *bool;

265

266

bool = hashtab_search(p->p_bools.table, name);

267

if (bool == NULL) {

268

fprintf(fp, "Could not find bool %s\n", name);

269

return -1;

270

}

271

bool->state = state;

272

evaluate_conds(p);

273

return 0;

274

}

275

276

int menu() {

277

printf("\nSelect a command:\n");

278

printf("1) display unconditional AVTAB\n");

279

printf("2) display conditional AVTAB (entirely)\n");

280

printf("3) display conditional AVTAG (only ENABLED rules)\n");

281

printf("4) display conditional AVTAB (only DISABLED rules)\n");

282

printf("5) display conditional bools\n");

283

printf("6) display conditional expressions\n");

284

printf("7) change a boolean value\n");

285

printf("\n");

286

printf("f) set output file\n");

287

printf("m) display menu\n");

288

printf("q) quit\n");

289

return 0;

290

}

291

292

293

int main(int argc, char **argv)

294

{

295

FILE *out_fp = stdout;

296

char ans[81], OutfileName[121];

297

int fd, ret;

298

struct stat sb;

299

void *map;

300

char *name;

301

int state;

302

303

304

if(argc != 2)

305

usage(argv[0]);

306

307

fd = open(argv[1], O_RDONLY);

308

if (fd < 0) {

309

fprintf(stderr, "Can't open '%s': %s\n",

310

argv[1], strerror(errno));

311

exit(1);

312

}

313

if (fstat(fd, &sb) < 0) {

314

fprintf(stderr, "Can't stat '%s': %s\n",

315

argv[1], strerror(errno));

316

exit(1);

317

}

318

map = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0);

319

if (map == MAP_FAILED) {

320

fprintf(stderr, "Can't map '%s': %s\n",

321

argv[1], strerror(errno));

322

exit(1);

323

}

324

325

/* read the binary policy */

326

fprintf(out_fp, "Reading policy...\n");

327

ret = security_load_policy(map,sb.st_size);

328

if (ret) {

329

fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]);

330

exit(1);

331

}

332

333

fprintf(stdout, "binary policy file loaded\n\n");

334

close(fd);

335

336

menu();

337

for(;;) {

338

printf("\nCommand (\'m\' for menu): ");

339

fgets(ans, sizeof(ans), stdin);

340

switch(ans[0]) {

341

342

case '1':

343

display_avtab(&policydb.te_avtab, RENDER_UNCONDITIONAL, &policydb, out_fp);

344

break;

345

case '2':

346

display_avtab(&policydb.te_cond_avtab, RENDER_CONDITIONAL, &policydb, out_fp);

347

break;

348

case '3':

349

display_avtab(&policydb.te_cond_avtab, RENDER_ENABLED, &policydb, out_fp);

350

break;

351

case '4':

352

display_avtab(&policydb.te_cond_avtab, RENDER_DISABLED, &policydb, out_fp);

353

break;

354

case '5':

355

display_bools(&policydb, out_fp);

356

break;

357

case '6':

358

display_cond_expressions(&policydb, out_fp);

359

break;

360

case '7':

361

printf("name? ");

362

fgets(ans, sizeof(ans), stdin);

363

ans[strlen(ans) - 1] = 0;

364

365

name = malloc((strlen(ans) + 1) * sizeof(char));

366

if (name == NULL) {

367

fprintf(stderr, "couldn't malloc string.\n");

368

break;

369

}

370

strcpy(name, ans);

371

372

373

printf("state? ");

374

fgets(ans, sizeof(ans), stdin);

375

ans[strlen(ans) - 1] = 0;

376

377

if (atoi(ans))

378

state = 1;

379

else

380

state = 0;

381

382

change_bool(name, state, &policydb, out_fp);

383

free(name);

384

break;

385

case 'f':

386

printf("\nFilename for output (<CR> for screen output): ");

387

fgets(OutfileName, sizeof(OutfileName), stdin);

388

OutfileName[strlen(OutfileName)-1] = '\0'; /* fix_string (remove LF) */

389

if (strlen(OutfileName) == 0)

390

out_fp = stdout;

391

else if ((out_fp = fopen(OutfileName, "w")) == NULL) {

392

fprintf (stderr, "Cannot open output file %s\n", OutfileName);

393

out_fp = stdout;

394

}

395

if (out_fp != stdout)

396

printf("\nOutput to file: %s\n", OutfileName);

397

break;

398

case 'q':

399

policydb_destroy(&policydb);

400

exit(0);

401

break;

402

case 'm':

403

menu();

404

break;

405

default:

406

printf("\nInvalid choice\n");

407

menu();

408

break;

409

410

}

411

}

412

}

413

414

/* FLASK */

415