Message ID | 20230331173442.101678-2-cgzones@googlemail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | b7b32cf40b94 |
Delegated to: | Petr Lautrbach |
Series | [1/3] checkpolicy: add option to skip checking neverallow rules | expand |
On Fri, Mar 31, 2023 at 1:37 PM Christian Göttsche <cgzones@googlemail.com> wrote: > > Add the ability to show booleans, classes, roles, types and type > attributes of policies. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > Almost all of the time seinfo(8) is a superior tool and several policy > details are still not supported, e.g. genfscon, ocontexts and class > constraints. > dispol was however useful in the past to analyze some OSS-Fuzz generated > policies, since seinfo trips over non-ascii identifier names. > --- > checkpolicy/test/dispol.c | 94 +++++++++++++++++++++++++++++++++++++++ > 1 file changed, 94 insertions(+) > > diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c > index 36a3362c..adac2370 100644 > --- a/checkpolicy/test/dispol.c > +++ b/checkpolicy/test/dispol.c > @@ -274,6 +274,18 @@ static int change_bool(char *name, int state, policydb_t * p, FILE * fp) > return 0; > } > > +static int display_booleans(policydb_t * p, FILE *fp) > +{ > + uint32_t i; > + > + fprintf(fp, "booleans:\n"); > + for (i = 0; i < p->p_bools.nprim; i++) { > + fprintf(fp, "\t%s : %d\n", p->p_bool_val_to_name[i], > + p->bool_val_to_struct[i]->state); > + } > + return 0; > +} > + > static void display_policycaps(policydb_t * p, FILE * fp) > { > ebitmap_node_t *node; > @@ -292,6 +304,20 @@ static void display_policycaps(policydb_t * p, FILE * fp) > } > } > > +static int display_classes(policydb_t * p, FILE *fp) > +{ > + uint32_t i; > + > + fprintf(fp, "classes:\n"); > + for (i = 0; i < p->p_classes.nprim; i++) { > + if (!p->p_class_val_to_name[i]) > + continue; > + > + fprintf(fp, "\t%s\n", p->p_class_val_to_name[i]); > + } > + return 0; > +} > + > static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type, > uint32_t symbol_value, const char *prefix) > { 
> @@ -312,6 +338,54 @@ static void display_permissive(policydb_t *p, FILE *fp) > } > } > > +static int display_roles(policydb_t * p, FILE *fp) > +{ > + uint32_t i; > + > + fprintf(fp, "roles:\n"); > + for (i = 0; i < p->p_roles.nprim; i++) { > + if (!p->p_role_val_to_name[i]) > + continue; > + > + fprintf(fp, "\t%s\n", p->p_role_val_to_name[i]); > + } > + return 0; > +} > + > +static int display_types(policydb_t * p, FILE *fp) > +{ > + uint32_t i; > + > + fprintf(fp, "types:\n"); > + for (i = 0; i < p->p_types.nprim; i++) { > + if (!p->p_type_val_to_name[i]) > + continue; > + > + if (p->type_val_to_struct[i]->flavor == TYPE_ATTRIB) > + continue; > + > + fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]); > + } > + return 0; > +} > + > +static int display_attributes(policydb_t * p, FILE *fp) > +{ > + uint32_t i; > + > + fprintf(fp, "attributes:\n"); > + for (i = 0; i < p->p_types.nprim; i++) { > + if (!p->p_type_val_to_name[i]) > + continue; > + > + if (p->type_val_to_struct[i]->flavor != TYPE_ATTRIB) > + continue; > + > + fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]); > + } > + return 0; > +} > + > static void display_role_trans(policydb_t *p, FILE *fp) > { > role_trans_t *rt; > @@ -381,6 +455,11 @@ static int menu(void) > printf("8) display role transitions\n"); > printf("\n"); > printf("c) display policy capabilities\n"); > + printf("b) display booleans\n"); > + printf("C) display classes\n"); > + printf("r) display roles\n"); > + printf("t) display types\n"); > + printf("a) display type attributes\n"); > printf("p) display the list of permissive types\n"); > printf("u) display unknown handling setting\n"); > printf("F) display filename_trans rules\n"); 
> @@ -511,12 +590,27 @@ int main(int argc, char **argv) > case '8': > display_role_trans(&policydb, out_fp); > break; > + case 'a': > + display_attributes(&policydb, out_fp); > + break; > + case 'b': > + display_booleans(&policydb, out_fp); > + break; > case 'c': > display_policycaps(&policydb, out_fp); > break; > + case 'C': > + display_classes(&policydb, out_fp); > + break; > case 'p': > display_permissive(&policydb, out_fp); > break; > + case 'r': > + display_roles(&policydb, out_fp); > + break; > + case 't': > + display_types(&policydb, out_fp); > + break; > case 'u': > case 'U': > display_handle_unknown(&policydb, out_fp); > -- > 2.40.0 >
On Mon, Apr 24, 2023 at 3:07 PM James Carter <jwcart2@gmail.com> wrote: > > On Fri, Mar 31, 2023 at 1:37 PM Christian Göttsche > <cgzones@googlemail.com> wrote: > > > > Add the ability to show booleans, classes, roles, types and type > > attributes of policies. > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > Acked-by: James Carter <jwcart2@gmail.com> > This patch has been merged since it was independent of the other two. (The other two were not merged.) Thanks, Jim > > --- > > Almost all of the time seinfo(8) is a superior tool and several policy > > details are still not supported, e.g. genfscon, ocontexts and class > > constraints. > > dispol was however useful in the past to analyze some OSS-Fuzz generated > > policies, since seinfo trips over non-ascii identifier names. > > --- > > checkpolicy/test/dispol.c | 94 +++++++++++++++++++++++++++++++++++++++ > > 1 file changed, 94 insertions(+) > > > > diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c > > index 36a3362c..adac2370 100644 > > --- a/checkpolicy/test/dispol.c > > +++ b/checkpolicy/test/dispol.c > > @@ -274,6 +274,18 @@ static int change_bool(char *name, int state, policydb_t * p, FILE * fp) > > return 0; > > } > > > > +static int display_booleans(policydb_t * p, FILE *fp) > > +{ > > + uint32_t i; > > + > > + fprintf(fp, "booleans:\n"); > > + for (i = 0; i < p->p_bools.nprim; i++) { > > + fprintf(fp, "\t%s : %d\n", p->p_bool_val_to_name[i], > > + p->bool_val_to_struct[i]->state); > > + } > > + return 0; > > +} > > + > > static void display_policycaps(policydb_t * p, FILE * fp) > > { > > ebitmap_node_t *node; 
> > @@ -292,6 +304,20 @@ static void display_policycaps(policydb_t * p, FILE * fp) > > } > > } > > > > +static int display_classes(policydb_t * p, FILE *fp) > > +{ > > + uint32_t i; > > + > > + fprintf(fp, "classes:\n"); > > + for (i = 0; i < p->p_classes.nprim; i++) { > > + if (!p->p_class_val_to_name[i]) > > + continue; > > + > > + fprintf(fp, "\t%s\n", p->p_class_val_to_name[i]); > > + } > > + return 0; > > +} > > + > > static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type, > > uint32_t symbol_value, const char *prefix) > > { > > @@ -312,6 +338,54 @@ static void display_permissive(policydb_t *p, FILE *fp) > > } > > } > > > > +static int display_roles(policydb_t * p, FILE *fp) > > +{ > > + uint32_t i; > > + > > + fprintf(fp, "roles:\n"); > > + for (i = 0; i < p->p_roles.nprim; i++) { > > + if (!p->p_role_val_to_name[i]) > > + continue; > > + > > + fprintf(fp, "\t%s\n", p->p_role_val_to_name[i]); > > + } > > + return 0; > > +} > > + > > +static int display_types(policydb_t * p, FILE *fp) > > +{ > > + uint32_t i; > > + > > + fprintf(fp, "types:\n"); > > + for (i = 0; i < p->p_types.nprim; i++) { > > + if (!p->p_type_val_to_name[i]) > > + continue; > > + > > + if (p->type_val_to_struct[i]->flavor == TYPE_ATTRIB) > > + continue; > > + > > + fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]); > > + } > > + return 0; > > +} > > + > > +static int display_attributes(policydb_t * p, FILE *fp) > > +{ > > + uint32_t i; > > + > > + fprintf(fp, "attributes:\n"); > > + for (i = 0; i < p->p_types.nprim; i++) { > > + if (!p->p_type_val_to_name[i]) > > + continue; > > + > > + if (p->type_val_to_struct[i]->flavor != TYPE_ATTRIB) > > + continue; > > + > > + fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]); > > + } > > + return 0; > > +} > > + > > static void display_role_trans(policydb_t *p, FILE *fp) > > { > > role_trans_t *rt; 
> > @@ -381,6 +455,11 @@ static int menu(void) > > printf("8) display role transitions\n"); > > printf("\n"); > > printf("c) display policy capabilities\n"); > > + printf("b) display booleans\n"); > > + printf("C) display classes\n"); > > + printf("r) display roles\n"); > > + printf("t) display types\n"); > > + printf("a) display type attributes\n"); > > printf("p) display the list of permissive types\n"); > > printf("u) display unknown handling setting\n"); > > printf("F) display filename_trans rules\n"); > > @@ -511,12 +590,27 @@ int main(int argc, char **argv) > > case '8': > > display_role_trans(&policydb, out_fp); > > break; > > + case 'a': > > + display_attributes(&policydb, out_fp); > > + break; > > + case 'b': > > + display_booleans(&policydb, out_fp); > > + break; > > case 'c': > > display_policycaps(&policydb, out_fp); > > break; > > + case 'C': > > + display_classes(&policydb, out_fp); > > + break; > > case 'p': > > display_permissive(&policydb, out_fp); > > break; > > + case 'r': > > + display_roles(&policydb, out_fp); > > + break; > > + case 't': > > + display_types(&policydb, out_fp); > > + break; > > case 'u': > > case 'U': > > display_handle_unknown(&policydb, out_fp); > > -- > > 2.40.0 > >
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 36a3362c..adac2370 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -274,6 +274,18 @@ static int change_bool(char *name, int state, policydb_t * p, FILE * fp)
 return 0;
 }
+static int display_booleans(policydb_t * p, FILE *fp)
+{
+ uint32_t i;
+
+ fprintf(fp, "booleans:\n");
+ for (i = 0; i < p->p_bools.nprim; i++) {
+ fprintf(fp, "\t%s : %d\n", p->p_bool_val_to_name[i],
+ p->bool_val_to_struct[i]->state);
+ }
+ return 0;
+}
+
 static void display_policycaps(policydb_t * p, FILE * fp)
 {
 ebitmap_node_t *node;
@@ -292,6 +304,20 @@ static void display_policycaps(policydb_t * p, FILE * fp)
 }
 }
+static int display_classes(policydb_t * p, FILE *fp)
+{
+ uint32_t i;
+
+ fprintf(fp, "classes:\n");
+ for (i = 0; i < p->p_classes.nprim; i++) {
+ if (!p->p_class_val_to_name[i])
+ continue;
+
+ fprintf(fp, "\t%s\n", p->p_class_val_to_name[i]);
+ }
+ return 0;
+}
+
 static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type,
 uint32_t symbol_value, const char *prefix)
 {
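Review bot: display_booleans passes `p->p_bool_val_to_name[i]` to `%s` and dereferences `p->bool_val_to_struct[i]` without the NULL guard that display_classes in the next hunk (and display_roles/display_types later) apply to their own name tables, so an unset boolean slot would reach fprintf as a NULL string. Whether the boolean tables can actually contain holes is not visible here, but the description says dispol is used on OSS-Fuzz generated policies, and the defensive form costs one line at the top of the loop body: `if (!p->p_bool_val_to_name[i] || !p->bool_val_to_struct[i]) continue;`. A one-line header comment such as `/* Print every boolean with its current state, one per line. */` would also document the output format for the other display_* helpers to follow.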
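Review bot: display_classes is declared to return int but can only ever return 0, and the value is discarded in every new case of main's switch; the neighbouring display_policycaps and display_id in this hunk are void. The same applies to display_booleans above and to display_roles, display_types and display_attributes in the next hunk. Declaring them `static void display_classes(policydb_t * p, FILE *fp)` and dropping the `return 0;` matches the existing helpers and avoids an unused result a future caller might start checking for no reason.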
@@ -312,6 +338,54 @@ static void display_permissive(policydb_t *p, FILE *fp)
 }
 }
+static int display_roles(policydb_t * p, FILE *fp)
+{
+ uint32_t i;
+
+ fprintf(fp, "roles:\n");
+ for (i = 0; i < p->p_roles.nprim; i++) {
+ if (!p->p_role_val_to_name[i])
+ continue;
+
+ fprintf(fp, "\t%s\n", p->p_role_val_to_name[i]);
+ }
+ return 0;
+}
+
+static int display_types(policydb_t * p, FILE *fp)
+{
+ uint32_t i;
+
+ fprintf(fp, "types:\n");
+ for (i = 0; i < p->p_types.nprim; i++) {
+ if (!p->p_type_val_to_name[i])
+ continue;
+
+ if (p->type_val_to_struct[i]->flavor == TYPE_ATTRIB)
+ continue;
+
+ fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
+ }
+ return 0;
+}
+
+static int display_attributes(policydb_t * p, FILE *fp)
+{
+ uint32_t i;
+
+ fprintf(fp, "attributes:\n");
+ for (i = 0; i < p->p_types.nprim; i++) {
+ if (!p->p_type_val_to_name[i])
+ continue;
+
+ if (p->type_val_to_struct[i]->flavor != TYPE_ATTRIB)
+ continue;
+
+ fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
+ }
+ return 0;
+}
+
 static void display_role_trans(policydb_t *p, FILE *fp)
 {
 role_trans_t *rt;
@@ -381,6 +455,11 @@ static int menu(void)
 printf("8) display role transitions\n");
 printf("\n");
 printf("c) display policy capabilities\n");
+ printf("b) display booleans\n");
+ printf("C) display classes\n");
+ printf("r) display roles\n");
+ printf("t) display types\n");
+ printf("a) display type attributes\n");
 printf("p) display the list of permissive types\n");
 printf("u) display unknown handling setting\n");
 printf("F) display filename_trans rules\n");
@@ -511,12 +590,27 @@ int main(int argc, char **argv)
 case '8':
 display_role_trans(&policydb, out_fp);
 break;
+ case 'a':
+ display_attributes(&policydb, out_fp);
+ break;
+ case 'b':
+ display_booleans(&policydb, out_fp);
+ break;
 case 'c':
 display_policycaps(&policydb, out_fp);
 break;
+ case 'C':
+ display_classes(&policydb, out_fp);
+ break;
 case 'p':
 display_permissive(&policydb, out_fp);
 break;
+ case 'r':
+ display_roles(&policydb, out_fp);
+ break;
+ case 't':
+ display_types(&policydb, out_fp);
+ break;
 case 'u':
 case 'U':
 display_handle_unknown(&policydb, out_fp);
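Review bot: The new `case 'C':` dispatches to a listing unrelated to the existing `case 'c':` (classes versus policy capabilities), while the `'u'`/`'U'` pair right below treats upper and lower case as one action, so a slipped shift key silently prints a different table with no error. If a distinct letter is not available, a comment beside the new case such as `/* 'C' lists classes; lower-case 'c' is policy capabilities */` at least flags the asymmetry, and the menu text in the previous hunk would benefit from the same remark. The switch and main continue outside the hunk.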
Add the ability to show booleans, classes, roles, types and type attributes of policies. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- Almost all of the time seinfo(8) is a superior tool and several policy details are still not supported, e.g. genfscon, ocontexts and class constraints. dispol was however useful in the past to analyze some OSS-Fuzz generated policies, since seinfo trips over non-ascii identifier names. --- checkpolicy/test/dispol.c | 94 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+)