2
/* Authors: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
4
* Copyright (C) 2003 Tresys Technology, LLC
5
* This program is free software; you can redistribute it and/or modify
6
* it under the terms of the GNU General Public License as published by
7
* the Free Software Foundation, version 2.
13
* Test program to the contents of a binary policy in text
14
* form. This program currently only displays the
15
* avtab (including conditional avtab) rules.
17
* displaypol binary_pol_file
20
#include "../policydb.h"
22
#include "../services.h"
23
#include "../conditional.h"
27
#include <sys/types.h>
34
extern policydb_t policydb;
35
extern unsigned int ss_initialized;
38
int avc_ss_reset(__u32 seqno)
43
void usage(char *progname)
45
printf("usage: %s binary_pol_file\n\n", progname);
49
/* borrowed from avtab.c */
51
#define HASH_BUCKETS (1 << HASH_BITS)
52
#define HASH_MASK (HASH_BUCKETS-1)
54
/* borrowed from checkpolicy.c */
55
static int find_perm(hashtab_key_t key, hashtab_datum_t datum, void *p)
58
perm_datum_t *perdatum;
60
valuep = (unsigned int *) p;
61
perdatum = (perm_datum_t *) datum;
63
if (*valuep == perdatum->value)
69
int render_access_mask(__u32 mask, avtab_key_t *key, policydb_t *p, FILE *fp)
72
class_datum_t *cladatum;
74
cladatum = p->class_val_to_struct[key->target_class -1];
76
for (i = 1; i <= sizeof(mask) * 8; i++) {
77
if (mask & (1 << (i - 1))) {
78
perm = (char *) hashtab_map(cladatum->permissions.table,
81
if (!perm && cladatum->comdatum) {
82
perm = (char *) hashtab_map(cladatum->comdatum->permissions.table,
86
fprintf(fp, " %s", perm);
93
int render_type(__u32 type, policydb_t *p, FILE *fp)
95
fprintf(fp, "%s", p->p_type_val_to_name[type - 1]);
99
int render_key(avtab_key_t *key, policydb_t *p, FILE *fp)
101
fprintf(fp, "%s %s : %s ", p->p_type_val_to_name[key->source_type - 1],
102
p->p_type_val_to_name[key->target_type - 1],
103
p->p_class_val_to_name[key->target_class - 1]);
107
/* 'what' values for this function */
108
#define RENDER_UNCONDITIONAL 0x0001 /* render all regardless of enabled state */
109
#define RENDER_ENABLED 0x0002
110
#define RENDER_DISABLED 0x0004
111
#define RENDER_CONDITIONAL (RENDER_ENABLED|RENDER_DISABLED)
113
int render_av_rule(avtab_key_t *key, avtab_datum_t *datum, __u32 what, policydb_t *p, FILE *fp)
115
if(!(what & RENDER_UNCONDITIONAL)) {
116
if(what != RENDER_CONDITIONAL &&
117
(((what & RENDER_ENABLED) && !(datum->specified & AVTAB_ENABLED)) ||
118
((what & RENDER_DISABLED) && (datum->specified & AVTAB_ENABLED)))) {
119
return 0; /* doesn't match selection criteria */
123
if(!(what & RENDER_UNCONDITIONAL)) {
124
if(datum->specified & AVTAB_ENABLED)
125
fprintf(fp, "[enabled] ");
126
else if(!(datum->specified & AVTAB_ENABLED))
127
fprintf(fp, "[disabled] ");
130
if( datum->specified & AVTAB_AV) {
131
if(datum->specified & AVTAB_ALLOWED) {
132
fprintf(fp, "allow ");
133
render_key(key, p, fp);
134
render_access_mask(avtab_allowed(datum),key, p, fp);
137
if(datum->specified & AVTAB_AUDITALLOW) {
138
fprintf(fp, "auditallow ");
139
render_key(key, p, fp);
140
render_access_mask(avtab_auditallow(datum),key, p, fp);
143
if(datum->specified & AVTAB_AUDITDENY) {
144
fprintf(fp, "dontaudit ");
145
render_key(key, p, fp);
146
/* We inverse the mask for dontaudit since the mask is internally stored
147
* as a auditdeny mask */
148
render_access_mask(~avtab_auditdeny(datum),key, p, fp);
152
else if( datum->specified & AVTAB_TYPE){
153
if(datum->specified & AVTAB_TRANSITION) {
154
fprintf(fp, "type_transition ");
155
render_key(key, p, fp);
156
render_type(avtab_transition(datum), p, fp);
159
if(datum->specified & AVTAB_MEMBER) {
160
fprintf(fp, "type_member ");
161
render_key(key, p, fp);
162
render_type(avtab_member(datum), p, fp);
165
if(datum->specified & AVTAB_CHANGE) {
166
fprintf(fp, "type_change ");
167
render_key(key, p, fp);
168
render_type(avtab_change(datum), p, fp);
173
fprintf(fp, " ERROR: no valid rule type specified\n");
179
int display_avtab(avtab_t *a, __u32 what, policydb_t *p, FILE *fp)
184
for (i = 0; i < AVTAB_SIZE; i++) {
185
for (cur = a->htable[i]; cur; cur = cur->next) {
186
render_av_rule(&cur->key, &cur->datum, what, p, fp);
193
int display_bools(policydb_t *p, FILE *fp)
197
for (i = 0; i < p->p_bools.nprim; i++) {
198
fprintf(fp, "%s : %d\n", p->p_bool_val_to_name[i],
199
p->bool_val_to_struct[i]->state);
204
void display_expr(policydb_t *p, cond_expr_t *exp, FILE *fp)
208
for (cur = exp; cur != NULL; cur = cur->next) {
209
switch (cur->expr_type) {
211
fprintf(fp, "%s ", p->p_bool_val_to_name[cur->bool - 1]);
232
fprintf(fp, "error!");
238
int display_cond_expressions(policydb_t *p, FILE *fp)
241
cond_av_list_t *av_cur;
242
for (cur = p->cond_list; cur != NULL; cur = cur->next) {
243
fprintf(fp, "expression: ");
244
display_expr(p, cur->expr, fp);
245
fprintf(fp, "current state: %d\n", cur->cur_state);
246
fprintf(fp, "True list:\n");
247
for (av_cur = cur->true_list; av_cur != NULL; av_cur = av_cur->next) {
249
render_av_rule(&av_cur->node->key, &av_cur->node->datum,
250
RENDER_CONDITIONAL, p, fp);
252
fprintf(fp, "False list:\n");
253
for (av_cur = cur->false_list; av_cur != NULL; av_cur = av_cur->next) {
255
render_av_rule(&av_cur->node->key, &av_cur->node->datum,
256
RENDER_CONDITIONAL, p, fp);
262
int change_bool(char *name, int state, policydb_t *p, FILE *fp)
264
cond_bool_datum_t *bool;
266
bool = hashtab_search(p->p_bools.table, name);
268
fprintf(fp, "Could not find bool %s\n", name);
277
printf("\nSelect a command:\n");
278
printf("1) display unconditional AVTAB\n");
279
printf("2) display conditional AVTAB (entirely)\n");
280
printf("3) display conditional AVTAG (only ENABLED rules)\n");
281
printf("4) display conditional AVTAB (only DISABLED rules)\n");
282
printf("5) display conditional bools\n");
283
printf("6) display conditional expressions\n");
284
printf("7) change a boolean value\n");
286
printf("f) set output file\n");
287
printf("m) display menu\n");
293
int main(int argc, char **argv)
295
FILE *out_fp = stdout;
296
char ans[81], OutfileName[121];
307
fd = open(argv[1], O_RDONLY);
309
fprintf(stderr, "Can't open '%s': %s\n",
310
argv[1], strerror(errno));
313
if (fstat(fd, &sb) < 0) {
314
fprintf(stderr, "Can't stat '%s': %s\n",
315
argv[1], strerror(errno));
318
map = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0);
319
if (map == MAP_FAILED) {
320
fprintf(stderr, "Can't map '%s': %s\n",
321
argv[1], strerror(errno));
325
/* read the binary policy */
326
fprintf(out_fp, "Reading policy...\n");
327
ret = security_load_policy(map,sb.st_size);
329
fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]);
333
fprintf(stdout, "binary policy file loaded\n\n");
338
printf("\nCommand (\'m\' for menu): ");
339
fgets(ans, sizeof(ans), stdin);
343
display_avtab(&policydb.te_avtab, RENDER_UNCONDITIONAL, &policydb, out_fp);
346
display_avtab(&policydb.te_cond_avtab, RENDER_CONDITIONAL, &policydb, out_fp);
349
display_avtab(&policydb.te_cond_avtab, RENDER_ENABLED, &policydb, out_fp);
352
display_avtab(&policydb.te_cond_avtab, RENDER_DISABLED, &policydb, out_fp);
355
display_bools(&policydb, out_fp);
358
display_cond_expressions(&policydb, out_fp);
362
fgets(ans, sizeof(ans), stdin);
363
ans[strlen(ans) - 1] = 0;
365
name = malloc((strlen(ans) + 1) * sizeof(char));
367
fprintf(stderr, "couldn't malloc string.\n");
374
fgets(ans, sizeof(ans), stdin);
375
ans[strlen(ans) - 1] = 0;
382
change_bool(name, state, &policydb, out_fp);
386
printf("\nFilename for output (<CR> for screen output): ");
387
fgets(OutfileName, sizeof(OutfileName), stdin);
388
OutfileName[strlen(OutfileName)-1] = '\0'; /* fix_string (remove LF) */
389
if (strlen(OutfileName) == 0)
391
else if ((out_fp = fopen(OutfileName, "w")) == NULL) {
392
fprintf (stderr, "Cannot open output file %s\n", OutfileName);
395
if (out_fp != stdout)
396
printf("\nOutput to file: %s\n", OutfileName);
399
policydb_destroy(&policydb);
406
printf("\nInvalid choice\n");