diff options
Diffstat (limited to 'tools/sepolicy-analyze')
| -rw-r--r-- | tools/sepolicy-analyze/Android.mk | 14 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/README | 94 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/attribute.c | 39 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/attribute.h | 11 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/booleans.c | 22 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/booleans.h | 11 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/dups.c | 91 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/dups.h | 11 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/neverallow.c | 515 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/neverallow.h | 11 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/perm.c | 30 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/perm.h | 11 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/sepolicy-analyze.c | 65 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/typecmp.c | 295 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/typecmp.h | 11 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/utils.c | 68 | ||||
| -rw-r--r-- | tools/sepolicy-analyze/utils.h | 16 |
17 files changed, 0 insertions, 1315 deletions
diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk deleted file mode 100644 index 7568351..0000000 --- a/tools/sepolicy-analyze/Android.mk +++ /dev/null @@ -1,14 +0,0 @@ -LOCAL_PATH:= $(call my-dir) - -################################### -include $(CLEAR_VARS) - -LOCAL_MODULE := sepolicy-analyze -LOCAL_MODULE_TAGS := optional -LOCAL_C_INCLUDES := external/selinux/libsepol/include -LOCAL_CFLAGS := -Wall -Werror -LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c -LOCAL_STATIC_LIBRARIES := libsepol -LOCAL_CXX_STL := none - -include $(BUILD_HOST_EXECUTABLE) diff --git a/tools/sepolicy-analyze/README b/tools/sepolicy-analyze/README deleted file mode 100644 index d18609a..0000000 --- a/tools/sepolicy-analyze/README +++ /dev/null @@ -1,94 +0,0 @@ -sepolicy-analyze - A component-ized tool for performing various kinds of analysis on a - sepolicy file. The current kinds of analysis that are currently - supported include: - - TYPE EQUIVALENCE (typecmp) - sepolicy-analyze out/target/product/<board>/root/sepolicy typecmp -e - - Display all type pairs that are "equivalent", i.e. they are - identical with respect to allow rules, including indirect allow - rules via attributes and default-enabled conditional rules - (i.e. default boolean values yield a true conditional expression). - - Equivalent types are candidates for being coalesced into a single - type. However, there may be legitimate reasons for them to remain - separate, for example: - the types may differ in a respect not - included in the current analysis, such as default-disabled - conditional rules, audit-related rules (auditallow or dontaudit), - default type transitions, or constraints (e.g. mls), or - the - current policy may be overly permissive with respect to one or the - other of the types and thus the correct action may be to tighten - access to one or the other rather than coalescing them together, - or - the domains that would in fact have different accesses to the - types may not yet be defined or may be unconfined in the policy - you are analyzing. - - TYPE DIFFERENCE (typecmp) - sepolicy-analyze out/target/product/<board>/root/sepolicy typecmp -d - - Display type pairs that differ and the first difference found - between the two types. This may be used in looking for similar - types that are not equivalent but may be candidates for coalescing. - - DUPLICATE ALLOW RULES (dups) - sepolicy-analyze out/target/product/<board>/root/sepolicy dups - - Displays duplicate allow rules, i.e. pairs of allow rules that - grant the same permissions where one allow rule is written - directly in terms of individual types and the other is written in - terms of attributes associated with those same types. The rule - with individual types is a candidate for removal. The rule with - individual types may be directly represented in the source policy - or may be a result of expansion of a type negation (e.g. domain - -foo -bar is expanded to individual allow rules by the policy - compiler). Domains with unconfineddomain will typically have such - duplicate rules as a natural side effect and can be ignored. - - PERMISSIVE DOMAINS (permissive) - sepolicy-analyze out/target/product/<board>/root/sepolicy permissive - - Displays domains in the policy that are permissive, i.e. avc - denials are logged but not enforced for these domains. While - permissive domains can be helpful during development, they - should not be present in a final -user build. - - BOOLEANS (booleans) - sepolicy-analyze out/target/product/<board>/root/sepolicy booleans - - Displays the boolean names in the policy (if any). - Policy booleans are forbidden in Android policy, so if there is any - output, the policy will fail CTS. - - ATTRIBUTE (attribute) - sepolicy-analyze out/target/product/<board>/root/sepolicy attribute <name> - - Displays the types associated with the specified attribute name. - - NEVERALLOW CHECKING (neverallow) - sepolicy-analyze out/target/product/<board>/root/sepolicy neverallow \ - [-w] [-d] [-f neverallows.conf] | [-n "neverallow string"] - - Check whether the sepolicy file violates any of the neverallow rules - from the neverallows.conf file or a given string, which contain neverallow - statements in the same format as the SELinux policy.conf file, i.e. after - m4 macro expansion of the rules from a .te file. You can use an entire - policy.conf file as the neverallows.conf file and sepolicy-analyze will - ignore everything except for the neverallows within it. You can also - specify this as a command-line string argument, which could be useful for - quickly checking an individual expanded rule or group of rules. If there are - no violations, sepolicy-analyze will exit successfully with no output. - Otherwise, sepolicy-analyze will report all violations and exit - with a non-zero exit status. - - The -w or --warn option may be used to warn on any types, attributes, - classes, or permissions from a neverallow rule that could not be resolved - within the sepolicy file. This can be normal due to differences between - the policy from which the neverallow rules were taken and the policy - being checked. Such values are ignored for the purposes of neverallow - checking. - - The -d or --debug option may be used to cause sepolicy-analyze to emit the - neverallow rules as it parses them. This is principally a debugging facility - for the parser but could also be used to extract neverallow rules from - a full policy.conf file and output them in a more easily parsed format. diff --git a/tools/sepolicy-analyze/attribute.c b/tools/sepolicy-analyze/attribute.c deleted file mode 100644 index 474bda2..0000000 --- a/tools/sepolicy-analyze/attribute.c +++ /dev/null @@ -1,39 +0,0 @@ -#include "attribute.h" - -void attribute_usage() { - fprintf(stderr, "\tattribute <attribute-name>\n"); -} - -static int list_attribute(policydb_t * policydb, char *name) -{ - struct type_datum *attr; - struct ebitmap_node *n; - unsigned int bit; - - attr = hashtab_search(policydb->p_types.table, name); - if (!attr) { - fprintf(stderr, "%s is not defined in this policy.\n", name); - return -1; - } - - if (attr->flavor != TYPE_ATTRIB) { - fprintf(stderr, "%s is a type not an attribute in this policy.\n", name); - return -1; - } - - ebitmap_for_each_bit(&policydb->attr_type_map[attr->s.value - 1], n, bit) { - if (!ebitmap_node_get_bit(n, bit)) - continue; - printf("%s\n", policydb->p_type_val_to_name[bit]); - } - - return 0; -} - -int attribute_func (int argc, char **argv, policydb_t *policydb) { - if (argc != 2) { - USAGE_ERROR = true; - return -1; - } - return list_attribute(policydb, argv[1]); -} diff --git a/tools/sepolicy-analyze/attribute.h b/tools/sepolicy-analyze/attribute.h deleted file mode 100644 index 05adcbd..0000000 --- a/tools/sepolicy-analyze/attribute.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef ATTRIBUTE_H -#define ATTRIBUTE_H - -#include <sepol/policydb/policydb.h> - -#include "utils.h" - -void attribute_usage(void); -int attribute_func(int argc, char **argv, policydb_t *policydb); - -#endif /* ATTRIBUTE_H */ diff --git a/tools/sepolicy-analyze/booleans.c b/tools/sepolicy-analyze/booleans.c deleted file mode 100644 index c3b605d..0000000 --- a/tools/sepolicy-analyze/booleans.c +++ /dev/null @@ -1,22 +0,0 @@ -#include "booleans.h" - -void booleans_usage() { - fprintf(stderr, "\tbooleans\n"); -} - -static int list_booleans(hashtab_key_t k, - __attribute__ ((unused)) hashtab_datum_t d, - __attribute__ ((unused)) void *args) -{ - const char *name = k; - printf("%s\n", name); - return 0; -} - -int booleans_func (int argc, __attribute__ ((unused)) char **argv, policydb_t *policydb) { - if (argc != 1) { - USAGE_ERROR = true; - return -1; - } - return hashtab_map(policydb->p_bools.table, list_booleans, NULL); -} diff --git a/tools/sepolicy-analyze/booleans.h b/tools/sepolicy-analyze/booleans.h deleted file mode 100644 index bfbe0e1..0000000 --- a/tools/sepolicy-analyze/booleans.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef BOOLEANS_H -#define BOOLEANS_H - -#include <sepol/policydb/policydb.h> - -#include "utils.h" - -void booleans_usage(void); -int booleans_func(int argc, char **argv, policydb_t *policydb); - -#endif /* BOOLEANS_H */ diff --git a/tools/sepolicy-analyze/dups.c b/tools/sepolicy-analyze/dups.c deleted file mode 100644 index 88c2be2..0000000 --- a/tools/sepolicy-analyze/dups.c +++ /dev/null @@ -1,91 +0,0 @@ -#include <stdbool.h> -#include <stdio.h> -#include <sys/stat.h> -#include <sys/types.h> - -#include "dups.h" - -void dups_usage() { - fprintf(stderr, "\tdups\n"); -} - -static int find_dups_helper(avtab_key_t * k, avtab_datum_t * d, - void *args) -{ - policydb_t *policydb = args; - ebitmap_t *sattr, *tattr; - ebitmap_node_t *snode, *tnode; - unsigned int i, j; - avtab_key_t avkey; - avtab_ptr_t node; - struct type_datum *stype, *ttype, *stype2, *ttype2; - bool attrib1, attrib2; - - if (!(k->specified & AVTAB_ALLOWED)) - return 0; - - if (k->source_type == k->target_type) - return 0; /* self rule */ - - avkey.target_class = k->target_class; - avkey.specified = k->specified; - - sattr = &policydb->type_attr_map[k->source_type - 1]; - tattr = &policydb->type_attr_map[k->target_type - 1]; - stype = policydb->type_val_to_struct[k->source_type - 1]; - ttype = policydb->type_val_to_struct[k->target_type - 1]; - attrib1 = stype->flavor || ttype->flavor; - ebitmap_for_each_bit(sattr, snode, i) { - if (!ebitmap_node_get_bit(snode, i)) - continue; - ebitmap_for_each_bit(tattr, tnode, j) { - if (!ebitmap_node_get_bit(tnode, j)) - continue; - avkey.source_type = i + 1; - avkey.target_type = j + 1; - if (avkey.source_type == k->source_type && - avkey.target_type == k->target_type) - continue; - if (avkey.source_type == avkey.target_type) - continue; /* self rule */ - stype2 = policydb->type_val_to_struct[avkey.source_type - 1]; - ttype2 = policydb->type_val_to_struct[avkey.target_type - 1]; - attrib2 = stype2->flavor || ttype2->flavor; - if (attrib1 && attrib2) - continue; /* overlapping attribute-based rules */ - for (node = avtab_search_node(&policydb->te_avtab, &avkey); - node != NULL; - node = avtab_search_node_next(node, avkey.specified)) { - uint32_t perms = node->datum.data & d->data; - if ((attrib1 && perms == node->datum.data) || - (attrib2 && perms == d->data)) { - /* - * The attribute-based rule is a superset of the - * non-attribute-based rule. This is a dup. - */ - printf("Duplicate allow rule found:\n"); - display_allow(policydb, k, i, d->data); - display_allow(policydb, &node->key, i, node->datum.data); - printf("\n"); - } - } - } - } - - return 0; -} - -static int find_dups(policydb_t * policydb) -{ - if (avtab_map(&policydb->te_avtab, find_dups_helper, policydb)) - return -1; - return 0; -} - -int dups_func (int argc, __attribute__ ((unused)) char **argv, policydb_t *policydb) { - if (argc != 1) { - USAGE_ERROR = true; - return -1; - } - return find_dups(policydb); -} diff --git a/tools/sepolicy-analyze/dups.h b/tools/sepolicy-analyze/dups.h deleted file mode 100644 index 0e77224..0000000 --- a/tools/sepolicy-analyze/dups.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef DUPS_H -#define DUPS_H - -#include <sepol/policydb/policydb.h> - -#include "utils.h" - -void dups_usage(void); -int dups_func(int argc, char **argv, policydb_t *policydb); - -#endif /* DUPS_H */ diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c deleted file mode 100644 index b288ea7..0000000 --- a/tools/sepolicy-analyze/neverallow.c +++ /dev/null @@ -1,515 +0,0 @@ -#include <ctype.h> -#include <fcntl.h> -#include <getopt.h> -#include <stdbool.h> -#include <stdio.h> -#include <sys/mman.h> -#include <sys/stat.h> -#include <sys/types.h> -#include <unistd.h> - -#include "neverallow.h" - -static int debug; -static int warn; - -void neverallow_usage() { - fprintf(stderr, "\tneverallow [-w|--warn] [-d|--debug] [-n|--neverallows <neverallow-rules>] | [-f|--file <neverallow-file>]\n"); -} - -static int read_typeset(policydb_t *policydb, char **ptr, char *end, - type_set_t *typeset, uint32_t *flags) -{ - const char *keyword = "self"; - size_t keyword_size = strlen(keyword), len; - char *p = *ptr; - unsigned openparens = 0; - char *start, *id; - type_datum_t *type; - struct ebitmap_node *n; - unsigned int bit; - bool negate = false; - int rc; - - do { - while (p < end && isspace(*p)) - p++; - - if (p == end) - goto err; - - if (*p == '~') { - if (debug) - printf(" ~"); - typeset->flags = TYPE_COMP; - p++; - while (p < end && isspace(*p)) - p++; - if (p == end) - goto err; - } - - if (*p == '{') { - if (debug && !openparens) - printf(" {"); - openparens++; - p++; - continue; - } - - if (*p == '}') { - if (debug && openparens == 1) - printf(" }"); - if (openparens == 0) - goto err; - openparens--; - p++; - continue; - } - - if (*p == '*') { - if (debug) - printf(" *"); - typeset->flags = TYPE_STAR; - p++; - continue; - } - - if (*p == '-') { - if (debug) - printf(" -"); - negate = true; - p++; - continue; - } - - if (*p == '#') { - while (p < end && *p != '\n') - p++; - continue; - } - - start = p; - while (p < end && !isspace(*p) && *p != ':' && *p != ';' && *p != '{' && *p != '}' && *p != '#') - p++; - - if (p == start) - goto err; - - len = p - start; - if (len == keyword_size && !strncmp(start, keyword, keyword_size)) { - if (debug) - printf(" self"); - *flags |= RULE_SELF; - continue; - } - - id = calloc(1, len + 1); - if (!id) - goto err; - memcpy(id, start, len); - if (debug) - printf(" %s", id); - type = hashtab_search(policydb->p_types.table, id); - if (!type) { - if (warn) - fprintf(stderr, "Warning! Type or attribute %s used in neverallow undefined in policy being checked.\n", id); - negate = false; - continue; - } - free(id); - - if (type->flavor == TYPE_ATTRIB) { - if (negate) - rc = ebitmap_union(&typeset->negset, &policydb->attr_type_map[type->s.value - 1]); - else - rc = ebitmap_union(&typeset->types, &policydb->attr_type_map[type->s.value - 1]); - } else if (negate) { - rc = ebitmap_set_bit(&typeset->negset, type->s.value - 1, 1); - } else { - rc = ebitmap_set_bit(&typeset->types, type->s.value - 1, 1); - } - - negate = false; - - if (rc) - goto err; - - } while (p < end && openparens); - - if (p == end) - goto err; - - if (typeset->flags & TYPE_STAR) { - for (bit = 0; bit < policydb->p_types.nprim; bit++) { - if (ebitmap_get_bit(&typeset->negset, bit)) - continue; - if (policydb->type_val_to_struct[bit] && - policydb->type_val_to_struct[bit]->flavor == TYPE_ATTRIB) - continue; - if (ebitmap_set_bit(&typeset->types, bit, 1)) - goto err; - } - } - - ebitmap_for_each_bit(&typeset->negset, n, bit) { - if (!ebitmap_node_get_bit(n, bit)) - continue; - if (ebitmap_set_bit(&typeset->types, bit, 0)) - goto err; - } - - if (typeset->flags & TYPE_COMP) { - for (bit = 0; bit < policydb->p_types.nprim; bit++) { - if (policydb->type_val_to_struct[bit] && - policydb->type_val_to_struct[bit]->flavor == TYPE_ATTRIB) - continue; - if (ebitmap_get_bit(&typeset->types, bit)) - ebitmap_set_bit(&typeset->types, bit, 0); - else { - if (ebitmap_set_bit(&typeset->types, bit, 1)) - goto err; - } - } - } - - if (warn && ebitmap_length(&typeset->types) == 0 && !(*flags)) - fprintf(stderr, "Warning! Empty type set\n"); - - *ptr = p; - return 0; -err: - return -1; -} - -static int read_classperms(policydb_t *policydb, char **ptr, char *end, - class_perm_node_t **perms) -{ - char *p = *ptr; - unsigned openparens = 0; - char *id, *start; - class_datum_t *cls = NULL; - perm_datum_t *perm = NULL; - class_perm_node_t *classperms = NULL, *node = NULL; - bool complement = false; - - while (p < end && isspace(*p)) - p++; - - if (p == end || *p != ':') - goto err; - p++; - - if (debug) - printf(" :"); - - do { - while (p < end && isspace(*p)) - p++; - - if (p == end) - goto err; - - if (*p == '{') { - if (debug && !openparens) - printf(" {"); - openparens++; - p++; - continue; - } - - if (*p == '}') { - if (debug && openparens == 1) - printf(" }"); - if (openparens == 0) - goto err; - openparens--; - p++; - continue; - } - - if (*p == '#') { - while (p < end && *p != '\n') - p++; - continue; - } - - start = p; - while (p < end && !isspace(*p) && *p != '{' && *p != '}' && *p != ';' && *p != '#') - p++; - - if (p == start) - goto err; - - id = calloc(1, p - start + 1); - if (!id) - goto err; - memcpy(id, start, p - start); - if (debug) - printf(" %s", id); - cls = hashtab_search(policydb->p_classes.table, id); - if (!cls) { - if (warn) - fprintf(stderr, "Warning! Class %s used in neverallow undefined in policy being checked.\n", id); - continue; - } - - node = calloc(1, sizeof *node); - if (!node) - goto err; - node->tclass = cls->s.value; - node->next = classperms; - classperms = node; - free(id); - } while (p < end && openparens); - - if (p == end) - goto err; - - if (warn && !classperms) - fprintf(stderr, "Warning! Empty class set\n"); - - do { - while (p < end && isspace(*p)) - p++; - - if (p == end) - goto err; - - if (*p == '~') { - if (debug) - printf(" ~"); - complement = true; - p++; - while (p < end && isspace(*p)) - p++; - if (p == end) - goto err; - } - - if (*p == '{') { - if (debug && !openparens) - printf(" {"); - openparens++; - p++; - continue; - } - - if (*p == '}') { - if (debug && openparens == 1) - printf(" }"); - if (openparens == 0) - goto err; - openparens--; - p++; - continue; - } - - if (*p == '#') { - while (p < end && *p != '\n') - p++; - continue; - } - - start = p; - while (p < end && !isspace(*p) && *p != '{' && *p != '}' && *p != ';' && *p != '#') - p++; - - if (p == start) - goto err; - - id = calloc(1, p - start + 1); - if (!id) - goto err; - memcpy(id, start, p - start); - if (debug) - printf(" %s", id); - - if (!strcmp(id, "*")) { - for (node = classperms; node; node = node->next) - node->data = ~0; - continue; - } - - for (node = classperms; node; node = node->next) { - cls = policydb->class_val_to_struct[node->tclass-1]; - perm = hashtab_search(cls->permissions.table, id); - if (cls->comdatum && !perm) - perm = hashtab_search(cls->comdatum->permissions.table, id); - if (!perm) { - if (warn) - fprintf(stderr, "Warning! Permission %s used in neverallow undefined in class %s in policy being checked.\n", id, policydb->p_class_val_to_name[node->tclass-1]); - continue; - } - node->data |= 1U << (perm->s.value - 1); - } - free(id); - } while (p < end && openparens); - - if (p == end) - goto err; - - if (complement) { - for (node = classperms; node; node = node->next) - node->data = ~node->data; - } - - if (warn) { - for (node = classperms; node; node = node->next) - if (!node->data) - fprintf(stderr, "Warning! Empty permission set\n"); - } - - *perms = classperms; - *ptr = p; - return 0; -err: - return -1; -} - -static int check_neverallows(policydb_t *policydb, char *text, char *end) -{ - const char *keyword = "neverallow"; - size_t keyword_size = strlen(keyword), len; - struct avrule *neverallows = NULL, *avrule; - char *p, *start; - - p = text; - while (p < end) { - while (p < end && isspace(*p)) - p++; - - if (*p == '#') { - while (p < end && *p != '\n') - p++; - continue; - } - - start = p; - while (p < end && !isspace(*p)) - p++; - - len = p - start; - if (len != keyword_size || strncmp(start, keyword, keyword_size)) - continue; - - if (debug) - printf("neverallow"); - - avrule = calloc(1, sizeof *avrule); - if (!avrule) - goto err; - - avrule->specified = AVRULE_NEVERALLOW; - - if (read_typeset(policydb, &p, end, &avrule->stypes, &avrule->flags)) - goto err; - - if (read_typeset(policydb, &p, end, &avrule->ttypes, &avrule->flags)) - goto err; - - if (read_classperms(policydb, &p, end, &avrule->perms)) - goto err; - - while (p < end && *p != ';') - p++; - - if (p == end || *p != ';') - goto err; - - if (debug) - printf(";\n"); - - avrule->next = neverallows; - neverallows = avrule; - } - - if (!neverallows) - goto err; - - return check_assertions(NULL, policydb, neverallows); -err: - if (errno == ENOMEM) { - fprintf(stderr, "Out of memory while parsing neverallow rules\n"); - } else - fprintf(stderr, "Error while parsing neverallow rules\n"); - return -1; -} - -static int check_neverallows_file(policydb_t *policydb, const char *filename) -{ - int fd; - struct stat sb; - char *text, *end; - - fd = open(filename, O_RDONLY); - if (fd < 0) { - fprintf(stderr, "Could not open %s: %s\n", filename, strerror(errno)); - return -1; - } - if (fstat(fd, &sb) < 0) { - fprintf(stderr, "Can't stat '%s': %s\n", filename, strerror(errno)); - close(fd); - return -1; - } - text = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); - end = text + sb.st_size; - if (text == MAP_FAILED) { - fprintf(stderr, "Can't mmap '%s': %s\n", filename, strerror(errno)); - close(fd); - return -1; - } - close(fd); - return check_neverallows(policydb, text, end); -} - -static int check_neverallows_string(policydb_t *policydb, char *string, size_t len) -{ - char *text, *end; - text = string; - end = text + len; - return check_neverallows(policydb, text, end); -} - -int neverallow_func (int argc, char **argv, policydb_t *policydb) { - char *rules = 0, *file = 0; - char ch; - - struct option neverallow_options[] = { - {"debug", no_argument, NULL, 'd'}, - {"file_input", required_argument, NULL, 'f'}, - {"neverallow", required_argument, NULL, 'n'}, - {"warn", no_argument, NULL, 'w'}, - {NULL, 0, NULL, 0} - }; - - while ((ch = getopt_long(argc, argv, "df:n:w", neverallow_options, NULL)) != -1) { - switch (ch) { - case 'd': - debug = 1; - break; - case 'f': - file = optarg; - break; - case 'n': - rules = optarg; - break; - case 'w': - warn = 1; - break; - default: - USAGE_ERROR = true; - return -1; - } - } - - if (!(rules || file) || (rules && file)){ - USAGE_ERROR = true; - return -1; - } - if (file) { - return check_neverallows_file(policydb, file); - } else { - return check_neverallows_string(policydb, rules, strlen(rules)); - } -} diff --git a/tools/sepolicy-analyze/neverallow.h b/tools/sepolicy-analyze/neverallow.h deleted file mode 100644 index be80822..0000000 --- a/tools/sepolicy-analyze/neverallow.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef NEVERALLOW_H -#define NEVERALLOW_H - -#include <sepol/policydb/policydb.h> - -#include "utils.h" - -void neverallow_usage(void); -int neverallow_func(int argc, char **argv, policydb_t *policydb); - -#endif /* NEVERALLOW_H */ diff --git a/tools/sepolicy-analyze/perm.c b/tools/sepolicy-analyze/perm.c deleted file mode 100644 index 4cc4869..0000000 --- a/tools/sepolicy-analyze/perm.c +++ /dev/null @@ -1,30 +0,0 @@ -#include "perm.h" - -void permissive_usage() { - fprintf(stderr, "\tpermissive\n"); -} - -static int list_permissive(policydb_t * policydb) -{ - struct ebitmap_node *n; - unsigned int bit; - - /* - * iterate over all domains and check if domain is in permissive - */ - ebitmap_for_each_bit(&policydb->permissive_map, n, bit) - { - if (ebitmap_node_get_bit(n, bit)) { - printf("%s\n", policydb->p_type_val_to_name[bit -1]); - } - } - return 0; -} - -int permissive_func (int argc, __attribute__ ((unused)) char **argv, policydb_t *policydb) { - if (argc != 1) { - USAGE_ERROR = true; - return -1; - } - return list_permissive(policydb); -} diff --git a/tools/sepolicy-analyze/perm.h b/tools/sepolicy-analyze/perm.h deleted file mode 100644 index 16e619a..0000000 --- a/tools/sepolicy-analyze/perm.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef PERM_H -#define PERM_H - -#include <sepol/policydb/policydb.h> - -#include "utils.h" - -void permissive_usage(void); -int permissive_func(int argc, char **argv, policydb_t *policydb); - -#endif /* PERM_H */ diff --git a/tools/sepolicy-analyze/sepolicy-analyze.c b/tools/sepolicy-analyze/sepolicy-analyze.c deleted file mode 100644 index b70eaaa..0000000 --- a/tools/sepolicy-analyze/sepolicy-analyze.c +++ /dev/null @@ -1,65 +0,0 @@ -#include <stddef.h> -#include <stdio.h> -#include <string.h> - -#include "dups.h" -#include "neverallow.h" -#include "perm.h" -#include "typecmp.h" -#include "booleans.h" -#include "attribute.h" -#include "utils.h" - -#define NUM_COMPONENTS (int) (sizeof(analyze_components)/sizeof(analyze_components[0])) - -#define COMP(x) { #x, sizeof(#x) - 1, x ##_usage, x ##_func } -static struct { - const char *key; - size_t keylen; - void (*usage) (void); - int (*func) (int argc, char **argv, policydb_t *policydb); -} analyze_components[] = { - COMP(dups), - COMP(neverallow), - COMP(permissive), - COMP(typecmp), - COMP(booleans), - COMP(attribute) -}; - -void usage(char *arg0) -{ - int i; - - fprintf(stderr, "%s must be called on a policy file with a component and the appropriate arguments specified\n", arg0); - fprintf(stderr, "%s <policy-file>:\n", arg0); - for(i = 0; i < NUM_COMPONENTS; i++) { - analyze_components[i].usage(); - } - exit(1); -} - -int main(int argc, char **argv) -{ - char *policy; - struct policy_file pf; - policydb_t policydb; - int rc; - int i; - - if (argc < 3) - usage(argv[0]); - policy = argv[1]; - if(load_policy(policy, &policydb, &pf)) - exit(1); - for(i = 0; i < NUM_COMPONENTS; i++) { - if (!strcmp(analyze_components[i].key, argv[2])) { - rc = analyze_components[i].func(argc - 2, argv + 2, &policydb); - if (rc && USAGE_ERROR) { - usage(argv[0]); } - return rc; - } - } - usage(argv[0]); - exit(0); -} diff --git a/tools/sepolicy-analyze/typecmp.c b/tools/sepolicy-analyze/typecmp.c deleted file mode 100644 index 5fffd63..0000000 --- a/tools/sepolicy-analyze/typecmp.c +++ /dev/null @@ -1,295 +0,0 @@ -#include <getopt.h> -#include <sepol/policydb/expand.h> - -#include "typecmp.h" - -void typecmp_usage() { - fprintf(stderr, "\ttypecmp [-d|--diff] [-e|--equiv]\n"); -} - -static int insert_type_rule(avtab_key_t * k, avtab_datum_t * d, - struct avtab_node *type_rules) -{ - struct avtab_node *p, *c, *n; - - for (p = type_rules, c = type_rules->next; c; p = c, c = c->next) { - /* - * Find the insertion point, keeping the list - * ordered by source type, then target type, then - * target class. - */ - if (k->source_type < c->key.source_type) - break; - if (k->source_type == c->key.source_type && - k->target_type < c->key.target_type) - break; - if (k->source_type == c->key.source_type && - k->target_type == c->key.target_type && - k->target_class <= c->key.target_class) - break; - } - - if (c && - k->source_type == c->key.source_type && - k->target_type == c->key.target_type && - k->target_class == c->key.target_class) { - c->datum.data |= d->data; - return 0; - } - - /* Insert the rule */ - n = malloc(sizeof(struct avtab_node)); - if (!n) { - fprintf(stderr, "out of memory\n"); - exit(1); - } - - n->key = *k; - n->datum = *d; - n->next = p->next; - p->next = n; - return 0; -} - -static int create_type_rules_helper(avtab_key_t * k, avtab_datum_t * d, - void *args) -{ - struct avtab_node *type_rules = args; - avtab_key_t key; - - /* - * Insert the rule into the list for - * the source type. The source type value - * is cleared as we want to compare against other type - * rules with different source types. - */ - key = *k; - key.source_type = 0; - if (k->source_type == k->target_type) { - /* Clear target type as well; this is a self rule. */ - key.target_type = 0; - } - if (insert_type_rule(&key, d, &type_rules[k->source_type - 1])) - return -1; - - if (k->source_type == k->target_type) - return 0; - - /* - * If the target type differs, then we also - * insert the rule into the list for the target - * type. We clear the target type value so that - * we can compare against other type rules with - * different target types. - */ - key = *k; - key.target_type = 0; - if (insert_type_rule(&key, d, &type_rules[k->target_type - 1])) - return -1; - - return 0; -} - -static int create_type_rules(avtab_key_t * k, avtab_datum_t * d, void *args) -{ - if (k->specified & AVTAB_ALLOWED) - return create_type_rules_helper(k, d, args); - return 0; -} - -static int create_type_rules_cond(avtab_key_t * k, avtab_datum_t * d, - void *args) -{ - if ((k->specified & (AVTAB_ALLOWED|AVTAB_ENABLED)) == - (AVTAB_ALLOWED|AVTAB_ENABLED)) - return create_type_rules_helper(k, d, args); - return 0; -} - -static void free_type_rules(struct avtab_node *l) -{ - struct avtab_node *tmp; - - while (l) { - tmp = l; - l = l->next; - free(tmp); - } -} - -static int find_match(policydb_t *policydb, struct avtab_node *l1, - int idx1, struct avtab_node *l2, int idx2) -{ - struct avtab_node *c; - uint32_t perms1, perms2; - - for (c = l2; c; c = c->next) { - if (l1->key.source_type < c->key.source_type) - break; - if (l1->key.source_type == c->key.source_type && - l1->key.target_type < c->key.target_type) - break; - if (l1->key.source_type == c->key.source_type && - l1->key.target_type == c->key.target_type && - l1->key.target_class <= c->key.target_class) - break; - } - - if (c && - l1->key.source_type == c->key.source_type && - l1->key.target_type == c->key.target_type && - l1->key.target_class == c->key.target_class) { - perms1 = l1->datum.data & ~c->datum.data; - perms2 = c->datum.data & ~l1->datum.data; - if (perms1 || perms2) { - if (perms1) - display_allow(policydb, &l1->key, idx1, perms1); - if (perms2) - display_allow(policydb, &c->key, idx2, perms2); - printf("\n"); - return 1; - } - } - - return 0; -} - -static int analyze_types(policydb_t * policydb, char diff, char equiv) -{ - avtab_t exp_avtab, exp_cond_avtab; - struct avtab_node *type_rules, *l1, *l2; - struct type_datum *type; - size_t i, j; - - /* - * Create a list of access vector rules for each type - * from the access vector table. - */ - type_rules = malloc(sizeof(struct avtab_node) * policydb->p_types.nprim); - if (!type_rules) { - fprintf(stderr, "out of memory\n"); - exit(1); - } - memset(type_rules, 0, sizeof(struct avtab_node) * policydb->p_types.nprim); - - if (avtab_init(&exp_avtab) || avtab_init(&exp_cond_avtab)) { - fputs("out of memory\n", stderr); - return -1; - } - - if (expand_avtab(policydb, &policydb->te_avtab, &exp_avtab)) { - fputs("out of memory\n", stderr); - avtab_destroy(&exp_avtab); - return -1; - } - - if (expand_avtab(policydb, &policydb->te_cond_avtab, &exp_cond_avtab)) { - fputs("out of memory\n", stderr); - avtab_destroy(&exp_avtab); /* */ - return -1; - } - - if (avtab_map(&exp_avtab, create_type_rules, type_rules)) - exit(1); - - if (avtab_map(&exp_cond_avtab, create_type_rules_cond, type_rules)) - exit(1); - - avtab_destroy(&exp_avtab); - avtab_destroy(&exp_cond_avtab); - - /* - * Compare the type lists and identify similar types. - */ - for (i = 0; i < policydb->p_types.nprim - 1; i++) { - if (!type_rules[i].next) - continue; - type = policydb->type_val_to_struct[i]; - if (type->flavor) { - free_type_rules(type_rules[i].next); - type_rules[i].next = NULL; - continue; - } - for (j = i + 1; j < policydb->p_types.nprim; j++) { - type = policydb->type_val_to_struct[j]; - if (type->flavor) { - free_type_rules(type_rules[j].next); - type_rules[j].next = NULL; - continue; - } - for (l1 = type_rules[i].next, l2 = type_rules[j].next; - l1 && l2; l1 = l1->next, l2 = l2->next) { - if (l1->key.source_type != l2->key.source_type) - break; - if (l1->key.target_type != l2->key.target_type) - break; - if (l1->key.target_class != l2->key.target_class - || l1->datum.data != l2->datum.data) - break; - } - if (l1 || l2) { - if (diff) { - printf - ("Types %s and %s differ, starting with:\n", - policydb->p_type_val_to_name[i], - policydb->p_type_val_to_name[j]); - - if (l1 && l2) { - if (find_match(policydb, l1, i, l2, j)) - continue; - if (find_match(policydb, l2, j, l1, i)) - continue; - } - if (l1) - display_allow(policydb, &l1->key, i, l1->datum.data); - if (l2) - display_allow(policydb, &l2->key, j, l2->datum.data); - printf("\n"); - } - continue; - } - free_type_rules(type_rules[j].next); - type_rules[j].next = NULL; - if (equiv) { - printf("Types %s and %s are equivalent.\n", - policydb->p_type_val_to_name[i], - policydb->p_type_val_to_name[j]); - } - } - free_type_rules(type_rules[i].next); - type_rules[i].next = NULL; - } - - free(type_rules); - return 0; -} - -int typecmp_func (int argc, char **argv, policydb_t *policydb) { - char ch, diff = 0, equiv = 0; - - struct option typecmp_options[] = { - {"diff", no_argument, NULL, 'd'}, - {"equiv", no_argument, NULL, 'e'}, - {NULL, 0, NULL, 0} - }; - - while ((ch = getopt_long(argc, argv, "de", typecmp_options, NULL)) != -1) { - switch (ch) { - case 'd': - diff = 1; - break; - case 'e': - equiv = 1; - break; - default: - USAGE_ERROR = true; - return -1; - } - } - - if (!(diff || equiv)) { - USAGE_ERROR = true; - return -1; - } - return analyze_types(policydb, diff, equiv); -} diff --git a/tools/sepolicy-analyze/typecmp.h b/tools/sepolicy-analyze/typecmp.h deleted file mode 100644 index f93daaa..0000000 --- a/tools/sepolicy-analyze/typecmp.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef TYPECMP_H -#define TYPECMP_H - -#include <sepol/policydb/policydb.h> - -#include "utils.h" - -void typecmp_usage(void); -int typecmp_func(int argc, char **argv, policydb_t *policydb); - -#endif /* TYPECMP_H */ diff --git a/tools/sepolicy-analyze/utils.c b/tools/sepolicy-analyze/utils.c deleted file mode 100644 index 5e52f59..0000000 --- a/tools/sepolicy-analyze/utils.c +++ /dev/null @@ -1,68 +0,0 @@ -#include <fcntl.h> -#include <sepol/policydb/policydb.h> -#include <sepol/policydb/util.h> -#include <sys/mman.h> -#include <sys/stat.h> -#include <unistd.h> - -#include "utils.h" - -bool USAGE_ERROR = false; - -void display_allow(policydb_t *policydb, avtab_key_t *key, int idx, uint32_t perms) -{ - printf(" allow %s %s:%s { %s };\n", - policydb->p_type_val_to_name[key->source_type - ? key->source_type - 1 : idx], - key->target_type == key->source_type ? "self" : - policydb->p_type_val_to_name[key->target_type - ? key->target_type - 1 : idx], - policydb->p_class_val_to_name[key->target_class - 1], - sepol_av_to_string - (policydb, key->target_class, perms)); -} - -int load_policy(char *filename, policydb_t * policydb, struct policy_file *pf) -{ - int fd; - struct stat sb; - void *map; - int ret; - - fd = open(filename, O_RDONLY); - if (fd < 0) { - fprintf(stderr, "Can't open '%s': %s\n", filename, strerror(errno)); - return 1; - } - if (fstat(fd, &sb) < 0) { - fprintf(stderr, "Can't stat '%s': %s\n", filename, strerror(errno)); - close(fd); - return 1; - } - map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); - if (map == MAP_FAILED) { - fprintf(stderr, "Can't mmap '%s': %s\n", filename, strerror(errno)); - close(fd); - return 1; - } - - policy_file_init(pf); - pf->type = PF_USE_MEMORY; - pf->data = map; - pf->len = sb.st_size; - if (policydb_init(policydb)) { - fprintf(stderr, "Could not initialize policydb!\n"); - close(fd); - munmap(map, sb.st_size); - return 1; - } - ret = policydb_read(policydb, pf, 0); - if (ret) { - fprintf(stderr, "error(s) encountered while parsing configuration\n"); - close(fd); - munmap(map, sb.st_size); - return 1; - } - - return 0; -} diff --git a/tools/sepolicy-analyze/utils.h b/tools/sepolicy-analyze/utils.h deleted file mode 100644 index 83f5a78..0000000 --- a/tools/sepolicy-analyze/utils.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef UTILS_H -#define UTILS_H - -#include <stdbool.h> -#include <stdint.h> -#include <sepol/policydb/avtab.h> -#include <sepol/policydb/policydb.h> - - -extern bool USAGE_ERROR; - -void display_allow(policydb_t *policydb, avtab_key_t *key, int idx, uint32_t perms); - -int load_policy(char *filename, policydb_t * policydb, struct policy_file *pf); - -#endif /* UTILS_H */ |