
[2/3] checkpolicy/dispol: add output functions

Message ID 20230331173442.101678-2-cgzones@googlemail.com (mailing list archive)
State Accepted
Commit b7b32cf40b94
Delegated to: Petr Lautrbach

Commit Message

Christian Göttsche March 31, 2023, 5:34 p.m. UTC
Add the ability to show booleans, classes, roles, types and type
attributes of policies.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
Almost all of the time seinfo(8) is the superior tool, and several policy
details are still not supported by dispol, e.g. genfscon, ocontexts and class
constraints.
dispol was however useful in the past to analyze some OSS-Fuzz generated
policies, since seinfo trips over non-ascii identifier names.
---
 checkpolicy/test/dispol.c | 94 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

Comments

James Carter April 24, 2023, 7:07 p.m. UTC | #1
On Fri, Mar 31, 2023 at 1:37 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Add the ability to show booleans, classes, roles, types and type
> attributes of policies.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
> Almost all of the time seinfo(8) is a superior tool and several policy
> details are still not supported, e.g. genfscon, ocontexts and class
> constraints.
> dispol was however useful in the past to analyze some OSS-Fuzz generated
> policies, since seinfo trips over non-ascii identifier names.
> ---
>  checkpolicy/test/dispol.c | 94 +++++++++++++++++++++++++++++++++++++++
>  1 file changed, 94 insertions(+)
>
> diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
> index 36a3362c..adac2370 100644
> --- a/checkpolicy/test/dispol.c
> +++ b/checkpolicy/test/dispol.c
> @@ -274,6 +274,18 @@ static int change_bool(char *name, int state, policydb_t * p, FILE * fp)
>         return 0;
>  }
>
> +static int display_booleans(policydb_t * p, FILE *fp)
> +{
> +       uint32_t i;
> +
> +       fprintf(fp, "booleans:\n");
> +       for (i = 0; i < p->p_bools.nprim; i++) {
> +               fprintf(fp, "\t%s : %d\n", p->p_bool_val_to_name[i],
> +                       p->bool_val_to_struct[i]->state);
> +       }
> +       return 0;
> +}
> +
>  static void display_policycaps(policydb_t * p, FILE * fp)
>  {
>         ebitmap_node_t *node;
> @@ -292,6 +304,20 @@ static void display_policycaps(policydb_t * p, FILE * fp)
>         }
>  }
>
> +static int display_classes(policydb_t * p, FILE *fp)
> +{
> +       uint32_t i;
> +
> +       fprintf(fp, "classes:\n");
> +       for (i = 0; i < p->p_classes.nprim; i++) {
> +               if (!p->p_class_val_to_name[i])
> +                       continue;
> +
> +               fprintf(fp, "\t%s\n", p->p_class_val_to_name[i]);
> +       }
> +       return 0;
> +}
> +
>  static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type,
>                        uint32_t symbol_value, const char *prefix)
>  {
> @@ -312,6 +338,54 @@ static void display_permissive(policydb_t *p, FILE *fp)
>         }
>  }
>
> +static int display_roles(policydb_t * p, FILE *fp)
> +{
> +       uint32_t i;
> +
> +       fprintf(fp, "roles:\n");
> +       for (i = 0; i < p->p_roles.nprim; i++) {
> +               if (!p->p_role_val_to_name[i])
> +                       continue;
> +
> +               fprintf(fp, "\t%s\n", p->p_role_val_to_name[i]);
> +       }
> +       return 0;
> +}
> +
> +static int display_types(policydb_t * p, FILE *fp)
> +{
> +       uint32_t i;
> +
> +       fprintf(fp, "types:\n");
> +       for (i = 0; i < p->p_types.nprim; i++) {
> +               if (!p->p_type_val_to_name[i])
> +                       continue;
> +
> +               if (p->type_val_to_struct[i]->flavor == TYPE_ATTRIB)
> +                       continue;
> +
> +               fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
> +       }
> +       return 0;
> +}
> +
> +static int display_attributes(policydb_t * p, FILE *fp)
> +{
> +       uint32_t i;
> +
> +       fprintf(fp, "attributes:\n");
> +       for (i = 0; i < p->p_types.nprim; i++) {
> +               if (!p->p_type_val_to_name[i])
> +                       continue;
> +
> +               if (p->type_val_to_struct[i]->flavor != TYPE_ATTRIB)
> +                       continue;
> +
> +               fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
> +       }
> +       return 0;
> +}
> +
>  static void display_role_trans(policydb_t *p, FILE *fp)
>  {
>         role_trans_t *rt;
> @@ -381,6 +455,11 @@ static int menu(void)
>         printf("8)  display role transitions\n");
>         printf("\n");
>         printf("c)  display policy capabilities\n");
> +       printf("b)  display booleans\n");
> +       printf("C)  display classes\n");
> +       printf("r)  display roles\n");
> +       printf("t)  display types\n");
> +       printf("a)  display type attributes\n");
>         printf("p)  display the list of permissive types\n");
>         printf("u)  display unknown handling setting\n");
>         printf("F)  display filename_trans rules\n");
> @@ -511,12 +590,27 @@ int main(int argc, char **argv)
>                 case '8':
>                         display_role_trans(&policydb, out_fp);
>                         break;
> +               case 'a':
> +                       display_attributes(&policydb, out_fp);
> +                       break;
> +               case 'b':
> +                       display_booleans(&policydb, out_fp);
> +                       break;
>                 case 'c':
>                         display_policycaps(&policydb, out_fp);
>                         break;
> +               case 'C':
> +                       display_classes(&policydb, out_fp);
> +                       break;
>                 case 'p':
>                         display_permissive(&policydb, out_fp);
>                         break;
> +               case 'r':
> +                       display_roles(&policydb, out_fp);
> +                       break;
> +               case 't':
> +                       display_types(&policydb, out_fp);
> +                       break;
>                 case 'u':
>                 case 'U':
>                         display_handle_unknown(&policydb, out_fp);
> --
> 2.40.0
>
James Carter May 3, 2023, 4:24 p.m. UTC | #2
On Mon, Apr 24, 2023 at 3:07 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Fri, Mar 31, 2023 at 1:37 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Add the ability to show booleans, classes, roles, types and type
> > attributes of policies.
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>

This patch has been merged since it was independent of the other two.
(The other two were not merged.)
Thanks,
Jim

> > ---
> > Almost all of the time seinfo(8) is a superior tool and several policy
> > details are still not supported, e.g. genfscon, ocontexts and class
> > constraints.
> > dispol was however useful in the past to analyze some OSS-Fuzz generated
> > policies, since seinfo trips over non-ascii identifier names.
> > ---
> >  checkpolicy/test/dispol.c | 94 +++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 94 insertions(+)
> >
> > diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
> > index 36a3362c..adac2370 100644
> > --- a/checkpolicy/test/dispol.c
> > +++ b/checkpolicy/test/dispol.c
> > @@ -274,6 +274,18 @@ static int change_bool(char *name, int state, policydb_t * p, FILE * fp)
> >         return 0;
> >  }
> >
> > +static int display_booleans(policydb_t * p, FILE *fp)
> > +{
> > +       uint32_t i;
> > +
> > +       fprintf(fp, "booleans:\n");
> > +       for (i = 0; i < p->p_bools.nprim; i++) {
> > +               fprintf(fp, "\t%s : %d\n", p->p_bool_val_to_name[i],
> > +                       p->bool_val_to_struct[i]->state);
> > +       }
> > +       return 0;
> > +}
> > +
> >  static void display_policycaps(policydb_t * p, FILE * fp)
> >  {
> >         ebitmap_node_t *node;
> > @@ -292,6 +304,20 @@ static void display_policycaps(policydb_t * p, FILE * fp)
> >         }
> >  }
> >
> > +static int display_classes(policydb_t * p, FILE *fp)
> > +{
> > +       uint32_t i;
> > +
> > +       fprintf(fp, "classes:\n");
> > +       for (i = 0; i < p->p_classes.nprim; i++) {
> > +               if (!p->p_class_val_to_name[i])
> > +                       continue;
> > +
> > +               fprintf(fp, "\t%s\n", p->p_class_val_to_name[i]);
> > +       }
> > +       return 0;
> > +}
> > +
> >  static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type,
> >                        uint32_t symbol_value, const char *prefix)
> >  {
> > @@ -312,6 +338,54 @@ static void display_permissive(policydb_t *p, FILE *fp)
> >         }
> >  }
> >
> > +static int display_roles(policydb_t * p, FILE *fp)
> > +{
> > +       uint32_t i;
> > +
> > +       fprintf(fp, "roles:\n");
> > +       for (i = 0; i < p->p_roles.nprim; i++) {
> > +               if (!p->p_role_val_to_name[i])
> > +                       continue;
> > +
> > +               fprintf(fp, "\t%s\n", p->p_role_val_to_name[i]);
> > +       }
> > +       return 0;
> > +}
> > +
> > +static int display_types(policydb_t * p, FILE *fp)
> > +{
> > +       uint32_t i;
> > +
> > +       fprintf(fp, "types:\n");
> > +       for (i = 0; i < p->p_types.nprim; i++) {
> > +               if (!p->p_type_val_to_name[i])
> > +                       continue;
> > +
> > +               if (p->type_val_to_struct[i]->flavor == TYPE_ATTRIB)
> > +                       continue;
> > +
> > +               fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
> > +       }
> > +       return 0;
> > +}
> > +
> > +static int display_attributes(policydb_t * p, FILE *fp)
> > +{
> > +       uint32_t i;
> > +
> > +       fprintf(fp, "attributes:\n");
> > +       for (i = 0; i < p->p_types.nprim; i++) {
> > +               if (!p->p_type_val_to_name[i])
> > +                       continue;
> > +
> > +               if (p->type_val_to_struct[i]->flavor != TYPE_ATTRIB)
> > +                       continue;
> > +
> > +               fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
> > +       }
> > +       return 0;
> > +}
> > +
> >  static void display_role_trans(policydb_t *p, FILE *fp)
> >  {
> >         role_trans_t *rt;
> > @@ -381,6 +455,11 @@ static int menu(void)
> >         printf("8)  display role transitions\n");
> >         printf("\n");
> >         printf("c)  display policy capabilities\n");
> > +       printf("b)  display booleans\n");
> > +       printf("C)  display classes\n");
> > +       printf("r)  display roles\n");
> > +       printf("t)  display types\n");
> > +       printf("a)  display type attributes\n");
> >         printf("p)  display the list of permissive types\n");
> >         printf("u)  display unknown handling setting\n");
> >         printf("F)  display filename_trans rules\n");
> > @@ -511,12 +590,27 @@ int main(int argc, char **argv)
> >                 case '8':
> >                         display_role_trans(&policydb, out_fp);
> >                         break;
> > +               case 'a':
> > +                       display_attributes(&policydb, out_fp);
> > +                       break;
> > +               case 'b':
> > +                       display_booleans(&policydb, out_fp);
> > +                       break;
> >                 case 'c':
> >                         display_policycaps(&policydb, out_fp);
> >                         break;
> > +               case 'C':
> > +                       display_classes(&policydb, out_fp);
> > +                       break;
> >                 case 'p':
> >                         display_permissive(&policydb, out_fp);
> >                         break;
> > +               case 'r':
> > +                       display_roles(&policydb, out_fp);
> > +                       break;
> > +               case 't':
> > +                       display_types(&policydb, out_fp);
> > +                       break;
> >                 case 'u':
> >                 case 'U':
> >                         display_handle_unknown(&policydb, out_fp);
> > --
> > 2.40.0
> >

Patch

diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 36a3362c..adac2370 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -274,6 +274,18 @@  static int change_bool(char *name, int state, policydb_t * p, FILE * fp)
 	return 0;
 }
 
+static int display_booleans(policydb_t * p, FILE *fp)
+{
+	uint32_t i;
+
+	fprintf(fp, "booleans:\n");
+	for (i = 0; i < p->p_bools.nprim; i++) {
+		fprintf(fp, "\t%s : %d\n", p->p_bool_val_to_name[i],
+			p->bool_val_to_struct[i]->state);
+	}
+	return 0;
+}
+
 static void display_policycaps(policydb_t * p, FILE * fp)
 {
 	ebitmap_node_t *node;
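Review bot: display_booleans passes `p->p_bool_val_to_name[i]` to `%s` and dereferences `p->bool_val_to_struct[i]` without the NULL check that display_classes, display_roles, display_types and display_attributes in the following hunks apply to their name tables. Since the cover text names fuzzer-generated policies as the use case, a gap in the boolean tables would be undefined behaviour here rather than a skipped line; whether the loader can produce such a gap is not visible in this patch. Mirroring the siblings with `if (!p->p_bool_val_to_name[i] || !p->bool_val_to_struct[i]) continue;` before the fprintf keeps the five helpers consistent. A one-line header such as `/* Print every boolean with its current state, one per line. */` would also make the new helpers self-describing.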
@@ -292,6 +304,20 @@  static void display_policycaps(policydb_t * p, FILE * fp)
 	}
 }
 
+static int display_classes(policydb_t * p, FILE *fp)
+{
+	uint32_t i;
+
+	fprintf(fp, "classes:\n");
+	for (i = 0; i < p->p_classes.nprim; i++) {
+		if (!p->p_class_val_to_name[i])
+			continue;
+
+		fprintf(fp, "\t%s\n", p->p_class_val_to_name[i]);
+	}
+	return 0;
+}
+
 static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type,
 		       uint32_t symbol_value, const char *prefix)
 {
@@ -312,6 +338,54 @@  static void display_permissive(policydb_t *p, FILE *fp)
 	}
 }
 
+static int display_roles(policydb_t * p, FILE *fp)
+{
+	uint32_t i;
+
+	fprintf(fp, "roles:\n");
+	for (i = 0; i < p->p_roles.nprim; i++) {
+		if (!p->p_role_val_to_name[i])
+			continue;
+
+		fprintf(fp, "\t%s\n", p->p_role_val_to_name[i]);
+	}
+	return 0;
+}
+
+static int display_types(policydb_t * p, FILE *fp)
+{
+	uint32_t i;
+
+	fprintf(fp, "types:\n");
+	for (i = 0; i < p->p_types.nprim; i++) {
+		if (!p->p_type_val_to_name[i])
+			continue;
+
+		if (p->type_val_to_struct[i]->flavor == TYPE_ATTRIB)
+			continue;
+
+		fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
+	}
+	return 0;
+}
+
+static int display_attributes(policydb_t * p, FILE *fp)
+{
+	uint32_t i;
+
+	fprintf(fp, "attributes:\n");
+	for (i = 0; i < p->p_types.nprim; i++) {
+		if (!p->p_type_val_to_name[i])
+			continue;
+
+		if (p->type_val_to_struct[i]->flavor != TYPE_ATTRIB)
+			continue;
+
+		fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
+	}
+	return 0;
+}
+
 static void display_role_trans(policydb_t *p, FILE *fp)
 {
 	role_trans_t *rt;
@@ -381,6 +455,11 @@  static int menu(void)
 	printf("8)  display role transitions\n");
 	printf("\n");
 	printf("c)  display policy capabilities\n");
+	printf("b)  display booleans\n");
+	printf("C)  display classes\n");
+	printf("r)  display roles\n");
+	printf("t)  display types\n");
+	printf("a)  display type attributes\n");
 	printf("p)  display the list of permissive types\n");
 	printf("u)  display unknown handling setting\n");
 	printf("F)  display filename_trans rules\n");
@@ -511,12 +590,27 @@  int main(int argc, char **argv)
 		case '8':
 			display_role_trans(&policydb, out_fp);
 			break;
+		case 'a':
+			display_attributes(&policydb, out_fp);
+			break;
+		case 'b':
+			display_booleans(&policydb, out_fp);
+			break;
 		case 'c':
 			display_policycaps(&policydb, out_fp);
 			break;
+		case 'C':
+			display_classes(&policydb, out_fp);
+			break;
 		case 'p':
 			display_permissive(&policydb, out_fp);
 			break;
+		case 'r':
+			display_roles(&policydb, out_fp);
+			break;
+		case 't':
+			display_types(&policydb, out_fp);
+			break;
 		case 'u':
 		case 'U':
 			display_handle_unknown(&policydb, out_fp);
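Review bot: the five new case arms discard the int returned by display_attributes, display_booleans, display_classes, display_roles and display_types, and each of those functions (defined in the earlier hunks of this patch) only ever executes `return 0;`, so the return value carries no information. Either declare them `void` like the adjacent display_policycaps and display_permissive, or keep `int` and act on a non-zero result here; the first is the smaller change and matches the surrounding style. main begins and ends outside this hunk.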