[RFC,3/3] libselinux: add policy capability test binary

Message ID 20200110141509.21098-4-cgzones@googlemail.com (mailing list archive)
State RFC
Series Add policy capability for systemd overhaul

Commit Message

Christian Göttsche Jan. 10, 2020, 2:15 p.m. UTC
---
 libselinux/utils/.gitignore       |  1 +
 libselinux/utils/polcap_enabled.c | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 libselinux/utils/polcap_enabled.c

Comments

Stephen Smalley Jan. 10, 2020, 2:32 p.m. UTC | #1
On 1/10/20 9:15 AM, Christian Göttsche wrote:
> ---
>   libselinux/utils/.gitignore       |  1 +
>   libselinux/utils/polcap_enabled.c | 30 ++++++++++++++++++++++++++++++
>   2 files changed, 31 insertions(+)
>   create mode 100644 libselinux/utils/polcap_enabled.c
> 
> diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
> index 3ef34374..bfe1db4d 100644
> --- a/libselinux/utils/.gitignore
> +++ b/libselinux/utils/.gitignore
> @@ -12,6 +12,7 @@ getpidcon
>   getsebool
>   getseuser
>   matchpathcon
> +polcap_enabled
>   policyvers
>   sefcontext_compile
>   selabel_digest
> diff --git a/libselinux/utils/polcap_enabled.c b/libselinux/utils/polcap_enabled.c
> new file mode 100644
> index 00000000..e984d1e4
> --- /dev/null
> +++ b/libselinux/utils/polcap_enabled.c
> @@ -0,0 +1,30 @@
> +#include <errno.h>
> +#include <stdio.h>
> +#include <string.h>
> +
> +#include <selinux/selinux.h>
> +
> +int main(int argc, char **argv)
> +{
> +	int ret;
> +
> +	if (argc != 2) {
> +		printf("usage: %s polcap_name\n", argv[0]);
> +		return 1;
> +	}
> +
> +	ret = security_is_policy_capability_enabled(argv[1]);
> +
> +	if (ret == 1)
> +		printf("enabled\n");
> +	else if (ret == 0)
> +		printf("disabled\n");
> +	else if (errno == ENOTSUP)
> +		printf("not supported\n");
> +	else {
> +		printf("error (%d): %s\n", errno, strerror(errno));
> +		return 1;
> +	}
> +
> +	return 0;
> +}
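
Review bot: In main(), the usage text and the final `error (%d): %s` message are both written with printf to stdout, the same stream that carries the "enabled" / "disabled" / "not supported" result. A caller that captures stdout to test the state then receives diagnostics mixed into it. Suggest fprintf(stderr, ...) for the usage and error paths, so that stdout only ever holds one of the three state strings.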

For new libselinux utilities, let's try to use some kind of unique
prefix to help avoid collisions for distros that install these programs.
selinux_ should be fine.

Patch

diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
index 3ef34374..bfe1db4d 100644
--- a/libselinux/utils/.gitignore
+++ b/libselinux/utils/.gitignore
@@ -12,6 +12,7 @@  getpidcon
 getsebool
 getseuser
 matchpathcon
+polcap_enabled
 policyvers
 sefcontext_compile
 selabel_digest
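
Review bot: The `polcap_enabled` entry has to track the name of the built binary. If the utility takes the selinux_ prefix asked for in the review comment, this line needs the new name and should be re-sorted, since it would no longer belong between matchpathcon and policyvers.
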
diff --git a/libselinux/utils/polcap_enabled.c b/libselinux/utils/polcap_enabled.c
new file mode 100644
index 00000000..e984d1e4
--- /dev/null
+++ b/libselinux/utils/polcap_enabled.c
@@ -0,0 +1,30 @@ 
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <selinux/selinux.h>
+
+int main(int argc, char **argv)
+{
+	int ret;
+
+	if (argc != 2) {
+		printf("usage: %s polcap_name\n", argv[0]);
+		return 1;
+	}
+
+	ret = security_is_policy_capability_enabled(argv[1]);
+
+	if (ret == 1)
+		printf("enabled\n");
+	else if (ret == 0)
+		printf("disabled\n");
+	else if (errno == ENOTSUP)
+		printf("not supported\n");
+	else {
+		printf("error (%d): %s\n", errno, strerror(errno));
+		return 1;
+	}
+
+	return 0;
+}
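
Review bot: The `errno == ENOTSUP` branch falls through to `return 0`, so "not supported" exits with the same status as "enabled" and "disabled", and a script cannot tell the three states apart without parsing stdout. Consider a distinct exit code per state. The diffstat also shows only the .gitignore and .c files, so the output strings and exit codes are undocumented. Separately, errno is only inspected after a return value that is neither 1 nor 0, and it is never cleared first. Setting `errno = 0` before the call would keep a stale value from being reported if the function fails without setting it.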