| Message ID | 1475524323-29138-1-git-send-email-jwcart2@tycho.nsa.gov (mailing list archive) |
|---|---|
| State | Not Applicable |
| Headers | show |
Once this gets submitted I'll do a pull on upstream into AOSP. On Mon, Oct 3, 2016 at 12:52 PM James Carter <jwcart2@tycho.nsa.gov> wrote: > Checkpolicy has an option to produce CIL output and is dependent on > the policydb-to-CIL conversion in libsepol for that option. Add > support for converting extended permissions to CIL so that checlpolicy > can generate CIL. > > Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> > --- > libsepol/src/module_to_cil.c | 115 > +++++++++++++++++++++++++++++++++++++++++-- > 1 file changed, 111 insertions(+), 4 deletions(-) > > diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c > index 508a861..556d11e 100644 > --- a/libsepol/src/module_to_cil.c > +++ b/libsepol/src/module_to_cil.c > @@ -609,6 +609,103 @@ exit: > return rc; > } > > +#define next_bit_in_range(i, p) ((i + 1 < sizeof(p)*8) && xperm_test((i + > 1), p)) > + > +static int xperms_to_cil(const av_extended_perms_t *xperms) > +{ > + uint16_t value; > + uint16_t low_bit; > + uint16_t low_value; > + unsigned int bit; > + unsigned int in_range = 0; > + int first = 1; > + > + if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION) > + && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)) > + return -1; > + > + for (bit = 0; bit < sizeof(xperms->perms)*8; bit++) { > + if (!xperm_test(bit, xperms->perms)) > + continue; > + > + if (in_range && next_bit_in_range(bit, xperms->perms)) { > + /* continue until high value found */ > + continue; > + } else if (next_bit_in_range(bit, xperms->perms)) { > + /* low value */ > + low_bit = bit; > + in_range = 1; > + continue; > + } > + > + if (!first) > + cil_printf(" "); > + else > + first = 0; > + > + if (xperms->specified & AVTAB_XPERMS_IOCTLFUNCTION) { > + value = xperms->driver<<8 | bit; > + low_value = xperms->driver<<8 | low_bit; > + if (in_range) { > + cil_printf("(range 0x%hx 0x%hx)", > low_value, value); > + in_range = 0; > + } else { > + cil_printf("0x%hx", value); > + } > + } else if (xperms->specified & AVTAB_XPERMS_IOCTLDRIVER) { > + value = bit << 8; > + low_value = low_bit << 8; > + if (in_range) { > + cil_printf("(range 0x%hx 0x%hx)", > low_value, (uint16_t) (value|0xff)); > + in_range = 0; > + } else { > + cil_printf("(range 0x%hx 0x%hx)", value, > (uint16_t) (value|0xff)); > + } > + } > + } > + > + return 0; > +} > + > +static int avrulex_to_cil(int indent, struct policydb *pdb, uint32_t > type, const char *src, const char *tgt, const class_perm_node_t > *classperms, const av_extended_perms_t *xperms) > +{ > + int rc = -1; > + const char *rule; > + const struct class_perm_node *classperm; > + > + switch (type) { > + case AVRULE_XPERMS_ALLOWED: > + rule = "allowxperm"; > + break; > + case AVRULE_XPERMS_AUDITALLOW: > + rule = "auditallowxperm"; > + break; > + case AVRULE_XPERMS_DONTAUDIT: > + rule = "dontauditxperm"; > + break; > + case AVRULE_XPERMS_NEVERALLOW: > + rule = "neverallowxperm"; > + break; > + default: > + log_err("Unknown avrule xperm type: %i", type); > + rc = -1; > + goto exit; > + } > + > + for (classperm = classperms; classperm != NULL; classperm = > classperm->next) { > + cil_indent(indent); > + cil_printf("(%s %s %s %s (%s (", rule, src, tgt, > + "ioctl", > pdb->p_class_val_to_name[classperm->tclass - 1]); > + xperms_to_cil(xperms); > + cil_printf("))\n"); > + } > + > + return 0; > + > +exit: > + return rc; > +} > + > static int num_digits(int n) > { > int num = 1; > @@ -1077,7 +1174,8 @@ static int avrule_list_to_cil(int indent, struct > policydb *pdb, struct avrule *a > struct type_set *ts; > > for (avrule = avrule_list; avrule != NULL; avrule = avrule->next) { > - if (avrule->specified == AVRULE_NEVERALLOW && > avrule->source_filename) { > + if ((avrule->specified & > (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && > + avrule->source_filename) { > cil_println(0, ";;* lmx %lu > %s\n",avrule->source_line, avrule->source_filename); > } > > @@ -1095,14 +1193,22 @@ static int avrule_list_to_cil(int indent, struct > policydb *pdb, struct avrule *a > > for (s = 0; s < num_snames; s++) { > for (t = 0; t < num_tnames; t++) { > - rc = avrule_to_cil(indent, pdb, > avrule->specified, snames[s], tnames[t], avrule->perms); > + if (avrule->specified & AVRULE_XPERMS) { > + rc = avrulex_to_cil(indent, pdb, > avrule->specified, snames[s], tnames[t], avrule->perms, avrule->xperms); > + } else { > + rc = avrule_to_cil(indent, pdb, > avrule->specified, snames[s], tnames[t], avrule->perms); > + } > if (rc != 0) { > goto exit; > } > } > > if (avrule->flags & RULE_SELF) { > - rc = avrule_to_cil(indent, pdb, > avrule->specified, snames[s], "self", avrule->perms); > + if (avrule->specified & AVRULE_XPERMS) { > + rc = avrulex_to_cil(indent, pdb, > avrule->specified, snames[s], "self", avrule->perms, avrule->xperms); > + } else { > + rc = avrule_to_cil(indent, pdb, > avrule->specified, snames[s], "self", avrule->perms); > + } > if (rc != 0) { > goto exit; > } > @@ -1112,7 +1218,8 @@ static int avrule_list_to_cil(int indent, struct > policydb *pdb, struct avrule *a > names_destroy(&snames, &num_snames); > names_destroy(&tnames, &num_tnames); > > - if (avrule->specified == AVRULE_NEVERALLOW && > avrule->source_filename) { > + if ((avrule->specified & > (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && > + avrule->source_filename) { > cil_println(0, ";;* lme\n"); > } > } > -- > 2.7.4 > > _______________________________________________ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. > To get help, send an email containing "help" to > Selinux-request@tycho.nsa.gov. >
On 10/03/2016 12:52 PM, James Carter wrote: > Checkpolicy has an option to produce CIL output and is dependent on > the policydb-to-CIL conversion in libsepol for that option. Add > support for converting extended permissions to CIL so that checlpolicy > can generate CIL. > > Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> I had a bug open for this, thank you! +jeffv@google.com who was looking into it. -Dan
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 508a861..556d11e 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -609,6 +609,103 @@ exit: return rc; } +#define next_bit_in_range(i, p) ((i + 1 < sizeof(p)*8) && xperm_test((i + 1), p)) + +static int xperms_to_cil(const av_extended_perms_t *xperms) +{ + uint16_t value; + uint16_t low_bit; + uint16_t low_value; + unsigned int bit; + unsigned int in_range = 0; + int first = 1; + + if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION) + && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)) + return -1; + + for (bit = 0; bit < sizeof(xperms->perms)*8; bit++) { + if (!xperm_test(bit, xperms->perms)) + continue; + + if (in_range && next_bit_in_range(bit, xperms->perms)) { + /* continue until high value found */ + continue; + } else if (next_bit_in_range(bit, xperms->perms)) { + /* low value */ + low_bit = bit; + in_range = 1; + continue; + } + + if (!first) + cil_printf(" "); + else + first = 0; + + if (xperms->specified & AVTAB_XPERMS_IOCTLFUNCTION) { + value = xperms->driver<<8 | bit; + low_value = xperms->driver<<8 | low_bit; + if (in_range) { + cil_printf("(range 0x%hx 0x%hx)", low_value, value); + in_range = 0; + } else { + cil_printf("0x%hx", value); + } + } else if (xperms->specified & AVTAB_XPERMS_IOCTLDRIVER) { + value = bit << 8; + low_value = low_bit << 8; + if (in_range) { + cil_printf("(range 0x%hx 0x%hx)", low_value, (uint16_t) (value|0xff)); + in_range = 0; + } else { + cil_printf("(range 0x%hx 0x%hx)", value, (uint16_t) (value|0xff)); + } + } + } + + return 0; +} + +static int avrulex_to_cil(int indent, struct policydb *pdb, uint32_t type, const char *src, const char *tgt, const class_perm_node_t *classperms, const av_extended_perms_t *xperms) +{ + int rc = -1; + const char *rule; + const struct class_perm_node *classperm; + + switch (type) { + case AVRULE_XPERMS_ALLOWED: + rule = "allowxperm"; + break; + case AVRULE_XPERMS_AUDITALLOW: + rule = "auditallowxperm"; + break; + case AVRULE_XPERMS_DONTAUDIT: + rule = "dontauditxperm"; + break; + case AVRULE_XPERMS_NEVERALLOW: + rule = "neverallowxperm"; + break; + default: + log_err("Unknown avrule xperm type: %i", type); + rc = -1; + goto exit; + } + + for (classperm = classperms; classperm != NULL; classperm = classperm->next) { + cil_indent(indent); + cil_printf("(%s %s %s %s (%s (", rule, src, tgt, + "ioctl", pdb->p_class_val_to_name[classperm->tclass - 1]); + xperms_to_cil(xperms); + cil_printf("))\n"); + } + + return 0; + +exit: + return rc; +} + static int num_digits(int n) { int num = 1; @@ -1077,7 +1174,8 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a struct type_set *ts; for (avrule = avrule_list; avrule != NULL; avrule = avrule->next) { - if (avrule->specified == AVRULE_NEVERALLOW && avrule->source_filename) { + if ((avrule->specified & (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && + avrule->source_filename) { cil_println(0, ";;* lmx %lu %s\n",avrule->source_line, avrule->source_filename); } @@ -1095,14 +1193,22 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a for (s = 0; s < num_snames; s++) { for (t = 0; t < num_tnames; t++) { - rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->perms); + if (avrule->specified & AVRULE_XPERMS) { + rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->perms, avrule->xperms); + } else { + rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->perms); + } if (rc != 0) { goto exit; } } if (avrule->flags & RULE_SELF) { - rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->perms); + if (avrule->specified & AVRULE_XPERMS) { + rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->perms, avrule->xperms); + } else { + rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->perms); + } if (rc != 0) { goto exit; } @@ -1112,7 +1218,8 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a names_destroy(&snames, &num_snames); names_destroy(&tnames, &num_tnames); - if (avrule->specified == AVRULE_NEVERALLOW && avrule->source_filename) { + if ((avrule->specified & (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && + avrule->source_filename) { cil_println(0, ";;* lme\n"); } }
Checkpolicy has an option to produce CIL output and is dependent on the policydb-to-CIL conversion in libsepol for that option. Add support for converting extended permissions to CIL so that checlpolicy can generate CIL. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> --- libsepol/src/module_to_cil.c | 115 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 111 insertions(+), 4 deletions(-)