diff mbox series

[1/5,v2] libsepol: Add support for file types in writing out policy.conf

Message ID 20211110144727.1467744-2-jwcart2@gmail.com (mailing list archive)
State Accepted
Headers show
Series Fix/add optional file type handling for genfscon rules | expand

Commit Message

James Carter Nov. 10, 2021, 2:47 p.m. UTC 
Although rarely used, genfscon rules support the specification of a
file type just like the rules in a file context file. The file type
is used to make the genfscon rule apply only for a specific security
class. Currently, when writing out a policy.conf file from a kernel
policy, it is assumed that every genfscon rule applies to all security
classes and no file type will be added to the genfscon rule.

Write out the appropriate file type if the genfscon rule is only for
a specific security class (file, dir, blk_file, chr_file, fifo_file,
lnk_file, or sock_file).

Signed-off-by: James Carter <jwcart2@gmail.com>
---
v2: Reordered if else block to have a consistent ordering.

 libsepol/src/kernel_to_conf.c | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

Comments

James Carter Dec. 9, 2021, 5:32 p.m. UTC | #1 
On Tue, Dec 7, 2021 at 1:31 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Wed, Nov 10, 2021 at 9:47 AM James Carter <jwcart2@gmail.com> wrote:
>>
>> Although rarely used, genfscon rules support the specification of a
>> file type just like the rules in a file context file. The file type
>> is used to make the genfscon rule apply only for a specific security
>> class. Currently, when writing out a policy.conf file from a kernel
>> policy, it is assumed that every genfscon rule applies to all security
>> classes and no file type will be added to the genfscon rule.
>>
>> Write out the appropriate file type if the genfscon rule is only for
>> a specific security class (file, dir, blk_file, chr_file, fifo_file,
>> lnk_file, or sock_file).
>>
>> Signed-off-by: James Carter <jwcart2@gmail.com>
>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

This series was merged.
Jim
diff mbox series

Patch

diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index eb72e4ac..9f04961a 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -2513,6 +2513,8 @@  static int write_genfscon_rules_to_conf(FILE *out, struct policydb *pdb)
 	struct ocontext *ocon;
 	struct strs *strs;
 	char *fstype, *name, *ctx;
+	uint32_t sclass;
+	const char *file_type;
 	int rc;
 
 	rc = strs_init(&strs, 32);
@@ -2525,14 +2527,43 @@  static int write_genfscon_rules_to_conf(FILE *out, struct policydb *pdb)
 			fstype = genfs->fstype;
 			name = ocon->u.name;
 
+			sclass = ocon->v.sclass;
+			file_type = NULL;
+			if (sclass) {
+				const char *class_name = pdb->p_class_val_to_name[sclass-1];
+				if (strcmp(class_name, "file") == 0) {
+					file_type = "--";
+				} else if (strcmp(class_name, "dir") == 0) {
+					file_type = "-d";
+				} else if (strcmp(class_name, "chr_file") == 0) {
+					file_type = "-c";
+				} else if (strcmp(class_name, "blk_file") == 0) {
+					file_type = "-b";
+				} else if (strcmp(class_name, "sock_file") == 0) {
+					file_type = "-s";
+				} else if (strcmp(class_name, "fifo_file") == 0) {
+					file_type = "-p";
+				} else if (strcmp(class_name, "lnk_file") == 0) {
+					file_type = "-l";
+				} else {
+					rc = -1;
+					goto exit;
+				}
+			}
+
 			ctx = context_to_str(pdb, &ocon->context[0]);
 			if (!ctx) {
 				rc = -1;
 				goto exit;
 			}
 
-			rc = strs_create_and_add(strs, "genfscon %s \"%s\" %s", 3,
-						 fstype, name, ctx);
+			if (file_type) {
+				rc = strs_create_and_add(strs, "genfscon %s \"%s\" %s %s", 4,
+										 fstype, name, file_type, ctx);
+			} else {
+				rc = strs_create_and_add(strs, "genfscon %s \"%s\" %s", 3,
+										 fstype, name, ctx);
+			}
 			free(ctx);
 			if (rc != 0) {
 				goto exit;