« back to all changes in this revision
Viewing changes to checkpolicy.c
- browse files at revision 4
- compare with another revision
- download diff
- download tarball
- view history from revision 4
- Committer: Bazaar Package Importer
- Author(s): Manoj Srivastava
- Date: 2005-06-27 14:42:10 UTC
- mfrom: (1.1.2 upstream) (2.1.1 sarge)
- Revision ID: james.westby@ubuntu.com-20050627144210-so2wgrysi6glkqkt
Tags: 1.24-1
* New upstream release
* Updated version for release.
* Merged cleanup patch from Dan Walsh.
* Added sepol_ prefix to Flask types to avoid namespace
collision with libselinux.
* Merged identifier fix from Joshua Brindle (Tresys).
* Merged hierarchical type/role patch from Tresys Technology.
* Merged MLS fixes from Darrel Goeddel of TCS.
* Updated version for release.
* Merged cleanup patch from Dan Walsh.
* Added sepol_ prefix to Flask types to avoid namespace
collision with libselinux.
* Merged identifier fix from Joshua Brindle (Tresys).
* Merged hierarchical type/role patch from Tresys Technology.
* Merged MLS fixes from Darrel Goeddel of TCS.
added
removed
checkpolicy.c
3
3
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
4
4
*/
5
5
6
/* Updated: Karl MacMillan <kmacmillan@tresys.com>
6
/*
7
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8
*
9
* Support for enhanced MLS infrastructure.
10
*
11
* Updated: Karl MacMillan <kmacmillan@tresys.com>
7
12
*
8
13
* Added conditional policy language extensions
9
14
*
11
16
*
12
17
* Added IPv6 support.
13
18
*
19
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14
20
* Copyright (C) 2003 - 2004 Tresys Technology, LLC
15
21
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
16
22
* This program is free software; you can redistribute it and/or modify
61
67
#include <sepol/policydb.h>
62
68
#include <sepol/services.h>
63
69
#include <sepol/conditional.h>
70
#include <sepol/hierarchy.h>
64
71
#include <sepol/flask.h>
65
72
66
73
#include "queue.h"
88
95
char *binfile = "policy";
89
96
90
97
unsigned int policyvers = POLICYDB_VERSION_MAX;
98
unsigned int mlspol = 0;
91
99
92
100
void usage(char *progname)
93
101
{
94
printf("usage: %s [-b] [-d] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n",
102
printf("usage: %s [-b] [-d] [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n",
95
103
progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
96
104
exit(1);
97
105
}
98
106
99
static int print_sid(security_id_t sid,
107
#define FGETS(out, size, in) \
108
if (fgets(out,size,in)==NULL) { \
109
fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,\
110
strerror(errno)); \
111
exit(1);\
112
}
113
static int print_sid(sepol_security_id_t sid,
100
114
context_struct_t * context __attribute__ ((unused)), void *data __attribute__ ((unused)))
101
115
{
102
security_context_t scontext;
116
sepol_security_context_t scontext;
103
117
size_t scontext_len;
104
118
int rc;
105
119
305
319
}
306
320
}
307
321
308
extern char *av_to_string(uint32_t tclass, access_vector_t av);
322
extern char *av_to_string(uint32_t tclass, sepol_access_vector_t av);
309
323
310
324
void check_assertion_helper(unsigned int stype, unsigned int ttype, ebitmap_t *tclasses,
311
access_vector_t *avp, unsigned long line)
325
sepol_access_vector_t *avp, unsigned long line)
312
326
{
313
327
avtab_key_t avkey;
314
328
avtab_datum_t *avdatump;
437
451
438
452
int main(int argc, char **argv)
439
453
{
440
security_class_t tclass;
441
security_id_t ssid, tsid, *sids;
442
security_context_t scontext;
443
struct av_decision avd;
454
sepol_security_class_t tclass;
455
sepol_security_id_t ssid, tsid, *sids;
456
sepol_security_context_t scontext;
457
struct sepol_av_decision avd;
444
458
class_datum_t *cladatum;
445
char ans[80 + 1], *file = txtfile, *outfile = NULL, *path, *fstype;
459
char ans[80 + 1], *file = txtfile, *outfile = NULL, *path, *fstype, error_msg[ERRMSG_LEN];
446
460
size_t scontext_len, pathlen;
447
461
unsigned int i;
448
462
unsigned int protocol, port;
449
463
unsigned int binary = 0, debug = 0;
450
464
struct val_to_name v;
451
465
int ret, ch, fd;
452
unsigned int nel;
466
unsigned int nel, uret;
453
467
struct stat sb;
454
468
void *map;
455
469
FILE *outfp = NULL;
459
473
struct policy_file pf;
460
474
461
475
462
while ((ch = getopt(argc, argv, "o:dbVc:")) != EOF) {
476
while ((ch = getopt(argc, argv, "o:dbMVc:")) != EOF) {
463
477
switch (ch) {
464
478
case 'o':
465
479
outfile = optarg;
474
488
case 'V':
475
489
show_version = 1;
476
490
break;
491
case 'M':
492
mlspol = 1;
493
break;
477
494
case 'c': {
478
495
long int n = strtol(optarg, NULL, 10);
479
496
if (errno) {
497
514
}
498
515
499
516
if (show_version) {
500
#ifdef CONFIG_SECURITY_SELINUX_MLS
501
printf("%d-mls (compatibility range %d-%d)\n", policyvers, POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
502
#else
503
517
printf("%d (compatibility range %d-%d)\n", policyvers, POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
504
#endif
505
518
exit(0);
506
519
}
507
520
546
559
exit(1);
547
560
}
548
561
policydbp = &policydb;
562
563
/* Check Policy Consistency */
564
if (sepol_mls_enabled()) {
565
if (!mlspol) {
566
fprintf(stderr,"%s: MLS policy, but non-MLS"
567
" is specified\n", argv[0]);
568
exit(1);
569
}
570
} else {
571
if (mlspol) {
572
fprintf(stderr,"%s: non-MLS policy, but MLS"
573
" is specified\n", argv[0]);
574
exit(1);
575
}
576
}
549
577
} else {
550
578
yyin = fopen(file, "r");
551
579
if (!yyin) {
557
585
if (policydb_init(&policydb))
558
586
exit(1);
559
587
588
/* Let sepol know if we are dealing with MLS support */
589
sepol_set_mls(mlspol);
590
560
591
id_queue = queue_create();
561
592
if (!id_queue) {
562
593
fprintf(stderr, "%s: out of memory\n", argv[0]);
593
624
fprintf(stderr, "%s: policy lacks new netlink classes, unable to generate policy version %d\n", argv[0], policyvers);
594
625
exit(1);
595
626
}
596
627
628
if (hierarchy_check_constraints(&policydb, error_msg, sizeof(error_msg))) {
629
fprintf(stderr, "%s\n", error_msg);
630
exit(1);
631
}
632
597
633
/* remove type attributes */
598
634
hashtab_map_remove_on_error(policydb.p_types.table,
599
635
type_attr_remove, 0, 0);
636
600
637
fclose(yyin);
601
638
}
602
639
614
651
exit(1);
615
652
}
616
653
617
sepol_set_policyvers(policyvers);
654
if (sepol_set_policyvers(policyvers)) {
655
fprintf(stderr,"%s: incompatible policy (version %d) "
656
"for writing to %s\n", argv[0],
657
policyvers, outfile);
658
exit(1);
659
}
618
660
619
661
pf.type = PF_USE_STDIO;
620
662
pf.fp = outfp;
656
698
printf("q) Exit\n");
657
699
while (1) {
658
700
printf("\nChoose: ");
659
fgets(ans, sizeof(ans), stdin);
701
FGETS(ans, sizeof(ans), stdin);
660
702
switch (ans[0]) {
661
703
case '0':
662
704
printf("source sid? ");
663
fgets(ans, sizeof(ans), stdin);
705
FGETS(ans, sizeof(ans), stdin);
664
706
ssid = atoi(ans);
665
707
666
708
printf("target sid? ");
667
fgets(ans, sizeof(ans), stdin);
709
FGETS(ans, sizeof(ans), stdin);
668
710
tsid = atoi(ans);
669
711
670
712
printf("target class? ");
671
fgets(ans, sizeof(ans), stdin);
713
FGETS(ans, sizeof(ans), stdin);
672
714
if (isdigit(ans[0])) {
673
715
tclass = atoi(ans);
674
716
if (!tclass || tclass > policydb.p_classes.nprim) {
720
762
break;
721
763
case '1':
722
764
printf("sid? ");
723
fgets(ans, sizeof(ans), stdin);
765
FGETS(ans, sizeof(ans), stdin);
724
766
ssid = atoi(ans);
725
767
ret = sepol_sid_to_context(ssid,
726
768
&scontext, &scontext_len);
741
783
break;
742
784
case '2':
743
785
printf("scontext? ");
744
fgets(ans, sizeof(ans), stdin);
786
FGETS(ans, sizeof(ans), stdin);
745
787
scontext_len = strlen(ans);
746
788
ans[scontext_len - 1] = 0;
747
789
ret = sepol_context_to_sid(ans, scontext_len,
766
808
ch = ans[0];
767
809
768
810
printf("source sid? ");
769
fgets(ans, sizeof(ans), stdin);
811
FGETS(ans, sizeof(ans), stdin);
770
812
ssid = atoi(ans);
771
813
printf("target sid? ");
772
fgets(ans, sizeof(ans), stdin);
814
FGETS(ans, sizeof(ans), stdin);
773
815
tsid = atoi(ans);
774
816
775
817
printf("object class? ");
776
fgets(ans, sizeof(ans), stdin);
818
FGETS(ans, sizeof(ans), stdin);
777
819
if (isdigit(ans[0])) {
778
820
tclass = atoi(ans);
779
821
if (!tclass || tclass > policydb.p_classes.nprim) {
816
858
break;
817
859
case '7':
818
860
printf("pathname? ");
819
fgets(ans, sizeof(ans), stdin);
861
FGETS(ans, sizeof(ans), stdin);
820
862
pathlen = strlen(ans);
821
863
ans[pathlen - 1] = 0;
822
864
printf("%s: loading policy configuration from %s\n", argv[0], ans);
854
896
break;
855
897
case '8':
856
898
printf("fs kdevname? ");
857
fgets(ans, sizeof(ans), stdin);
899
FGETS(ans, sizeof(ans), stdin);
858
900
ans[strlen(ans) - 1] = 0;
859
901
sepol_fs_sid(ans, &ssid, &tsid);
860
902
printf("fs_sid %d default_file_sid %d\n",
862
904
break;
863
905
case '9':
864
906
printf("protocol? ");
865
fgets(ans, sizeof(ans), stdin);
907
FGETS(ans, sizeof(ans), stdin);
866
908
ans[strlen(ans) - 1] = 0;
867
909
if (!strcmp(ans, "tcp") || !strcmp(ans, "TCP"))
868
910
protocol = IPPROTO_TCP;
873
915
break;
874
916
}
875
917
printf("port? ");
876
fgets(ans, sizeof(ans), stdin);
918
FGETS(ans, sizeof(ans), stdin);
877
919
port = atoi(ans);
878
920
sepol_port_sid(0, 0, protocol, port, &ssid);
879
921
printf("sid %d\n", ssid);
880
922
break;
881
923
case 'a':
882
924
printf("netif name? ");
883
fgets(ans, sizeof(ans), stdin);
925
FGETS(ans, sizeof(ans), stdin);
884
926
ans[strlen(ans) - 1] = 0;
885
927
sepol_netif_sid(ans, &ssid, &tsid);
886
928
printf("if_sid %d default_msg_sid %d\n",
893
935
struct in6_addr addr6;
894
936
895
937
printf("protocol family? ");
896
fgets(ans, sizeof(ans), stdin);
938
FGETS(ans, sizeof(ans), stdin);
897
939
ans[strlen(ans) - 1] = 0;
898
940
if (!strcasecmp(ans, "ipv4"))
899
941
family = AF_INET;
905
947
}
906
948
907
949
printf("node address? ");
908
fgets(ans, sizeof(ans), stdin);
950
FGETS(ans, sizeof(ans), stdin);
909
951
ans[strlen(ans) - 1] = 0;
910
952
911
953
if (family == AF_INET) {
927
969
}
928
970
case 'c':
929
971
printf("fstype? ");
930
fgets(ans, sizeof(ans), stdin);
972
FGETS(ans, sizeof(ans), stdin);
931
973
ans[strlen(ans) - 1] = 0;
932
sepol_fs_use(ans, &ret, &ssid);
933
switch (ret) {
974
sepol_fs_use(ans, &uret, &ssid);
975
switch (uret) {
934
976
case SECURITY_FS_USE_XATTR:
935
977
printf("use xattr\n");
936
978
break;
951
993
break;
952
994
case 'd':
953
995
printf("fstype? ");
954
fgets(ans, sizeof(ans), stdin);
996
FGETS(ans, sizeof(ans), stdin);
955
997
ans[strlen(ans) - 1] = 0;
956
998
fstype = strdup(ans);
957
999
printf("path? ");
958
fgets(ans, sizeof(ans), stdin);
1000
FGETS(ans, sizeof(ans), stdin);
959
1001
ans[strlen(ans) - 1] = 0;
960
1002
path = strdup(ans);
961
1003
printf("object class? ");
962
fgets(ans, sizeof(ans), stdin);
1004
FGETS(ans, sizeof(ans), stdin);
963
1005
if (isdigit(ans[0])) {
964
1006
tclass = atoi(ans);
965
1007
if (!tclass || tclass > policydb.p_classes.nprim) {
983
1025
break;
984
1026
case 'e':
985
1027
printf("from SID? ");
986
fgets(ans, sizeof(ans), stdin);
1028
FGETS(ans, sizeof(ans), stdin);
987
1029
ans[strlen(ans) - 1] = 0;
988
1030
ssid = atoi(ans);
989
1031
990
1032
printf("username? ");
991
fgets(ans, sizeof(ans), stdin);
1033
FGETS(ans, sizeof(ans), stdin);
992
1034
ans[strlen(ans) - 1] = 0;
993
1035
994
1036
ret = sepol_get_user_sids(ssid, ans, &sids, &nel);
1019
1061
break;
1020
1062
case 'h':
1021
1063
printf("name? ");
1022
fgets(ans, sizeof(ans), stdin);
1064
FGETS(ans, sizeof(ans), stdin);
1023
1065
ans[strlen(ans) - 1] = 0;
1024
1066
1025
1067
name = malloc((strlen(ans) + 1) * sizeof(char));
1031
1073
1032
1074
1033
1075
printf("state? ");
1034
fgets(ans, sizeof(ans), stdin);
1076
FGETS(ans, sizeof(ans), stdin);
1035
1077
ans[strlen(ans) - 1] = 0;
1036
1078
1037
1079
if (atoi(ans))
Loggerhead is a web-based interface for Breezy
Version: 2.0.1