From patchwork Tue Feb 22 13:54:32 2022
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 12755128
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [RFC PATCH v2 1/4] libsepol: add sepol_av_perm_to_string
Date: Tue, 22 Feb 2022 14:54:32 +0100
Message-Id: <20220222135435.31216-1-cgzones@googlemail.com>
In-Reply-To: <20220204133507.26977-1-cgzones@googlemail.com>
References: <20220204133507.26977-1-cgzones@googlemail.com>

Add a wrapper around the utility function sepol_av_to_string() on the
service internal policy.
This allows callers to convert a permission bit set into a string
representation without access to the internal policy structure.

Signed-off-by: Christian Göttsche
Acked-by: James Carter
---
 libsepol/include/sepol/policydb/services.h | 9 +++++++++
 libsepol/src/services.c                    | 6 ++++++
 2 files changed, 15 insertions(+)
diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h index 048f8a5a..44de3863 100644 --- a/libsepol/include/sepol/policydb/services.h +++ b/libsepol/include/sepol/policydb/services.h @@ -103,6 +103,15 @@ extern int sepol_string_to_av_perm(sepol_security_class_t tclass, const char *perm_name, sepol_access_vector_t *av); +/* + * Return a string representation of the permission av bit associated with + * tclass. + * Returns a pointer to an internal buffer, overridden by the next call to + * this function or sepol_av_to_string(). + */ + extern const char *sepol_av_perm_to_string(sepol_security_class_t tclass, + sepol_access_vector_t av); + /* * Compute a SID to use for labeling a new object in the * class `tclass' based on a SID pair. diff --git a/libsepol/src/services.c b/libsepol/src/services.c index 7becfd1b..b2fb804e 100644 --- a/libsepol/src/services.c +++ b/libsepol/src/services.c 
@@ -1233,6 +1233,12 @@ out: return STATUS_ERR; } + const char *sepol_av_perm_to_string(sepol_security_class_t tclass, + sepol_access_vector_t av) +{ + return sepol_av_to_string(policydb, tclass, av); +} + /* * Write the security context string representation of * the context associated with `sid' into a dynamically From patchwork Tue Feb 22 13:54:33 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12755129 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8BDD6C433EF for ; Tue, 22 Feb 2022 13:54:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232364AbiBVNzJ (ORCPT ); Tue, 22 Feb 2022 08:55:09 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52884 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232012AbiBVNzJ (ORCPT ); Tue, 22 Feb 2022 08:55:09 -0500 Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 805AC119411 for ; Tue, 22 Feb 2022 05:54:43 -0800 (PST) Received: by mail-ej1-x633.google.com with SMTP id d10so43153006eje.10 for ; Tue, 22 Feb 2022 05:54:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=GJVbpNI2CUbpr0oKChgmLgGjXwbhlKQVK6Hbhg0SoSE=; b=Yuv/sayGFRP7IfhovASACMkCwirGmXvfBX8esp5VrlfGHl5xGky3xQzMXvZdy2Mq4g fy6N7kPZ/o1l4+GvXLmu20RYtMRvwmF37HXJ+hTH42rEpHwqVee/0a3Mb0tcel7576zS hFygyAIyujJXKW4Zz2lkSuuR3YhY+s6rW2wiyAGmif2syN+NRreJLghB8BFeIBhQX+zP Tor94/DMm1HfNoeFTT92iIFcZvcSrH6tkek89l/rfT3VajLJeeoebDLWLNphkF9jSnZK 
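Review bot: the new header comment in services.h does not say what sepol_av_perm_to_string() returns on failure (no policy loaded, unknown class, buffer allocation failure); callers of an exported symbol need that contract, so add a "Returns NULL on ..." sentence once the wrapper's error value is settled. Also "overridden" should be "overwritten": the point is that the string must be copied before the next call to this function or to sepol_av_to_string(), and that the shared buffer makes the function non-reentrant.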
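Review bot: the services.c hunk forwards the file-scope `policydb` to sepol_av_to_string() without checking it, so a caller that has not yet called sepol_set_policydb() or sepol_set_policydb_from_file() hands a NULL policy to the callee. Since this wrapper is the only guard between an exported entry point and the internal function, an explicit `if (!policydb) return NULL;` (or whatever error convention the exported API adopts) turns a crash into a checkable error; the same question applies to a `tclass` outside the loaded policy's class range unless the callee validates it.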
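To make the bit-set-to-string contract of the wrapper concrete, the following is an added example, not libsepol code: a toy model in which permission value N of a class maps to bit N-1 of the access vector, with a constructed permission table for a hypothetical "process" class and `toy_` stand-ins for sepol_string_to_av_perm() and sepol_av_perm_to_string(). It also shows the accumulating converter that a comma-separated permission list relies on, which is only sound if the vector starts at zero.

```c
/* Added example (not libsepol code): how an access vector maps to
 * permission names. The permission table is constructed for illustration;
 * in a real policy the values come from the loaded policydb. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t toy_access_vector_t;

/* Constructed table for a hypothetical "process" class. A permission's
 * 1-based value is its index + 1, so it occupies bit (value - 1). */
static const char *const toy_process_perms[] = {
    "fork", "transition", "sigchld", "sigkill", "sigstop", "signull", "signal",
};
#define TOY_NPERMS (sizeof toy_process_perms / sizeof toy_process_perms[0])

/* OR the bit for perm_name into *av; 0 on success, -1 if the name is unknown.
 * It never clears *av, so the caller must start from 0 (see below). */
int toy_string_to_av_perm(const char *perm_name, toy_access_vector_t *av)
{
    for (size_t i = 0; i < TOY_NPERMS; i++) {
        if (strcmp(toy_process_perms[i], perm_name) == 0) {
            *av |= UINT32_C(1) << i;
            return 0;
        }
    }
    return -1;
}

/* Parse "perm[,perm...]" into an access vector. Empty segments (leading,
 * doubled or trailing commas) and unknown names are rejected with -1. */
int toy_permlist_to_av(const char *permlist, toy_access_vector_t *av)
{
    *av = 0; /* the accumulator above only sets bits, so clear first */
    for (;;) {
        const char *delim = strchr(permlist, ',');
        size_t len = delim ? (size_t)(delim - permlist) : strlen(permlist);
        char name[64];

        if (len == 0 || len >= sizeof name)
            return -1;
        memcpy(name, permlist, len);
        name[len] = '\0';
        if (toy_string_to_av_perm(name, av) < 0)
            return -1;
        if (!delim)
            return 0;
        permlist = delim + 1;
    }
}

/* Render the set bits of av as space-separated names in ascending bit order.
 * Bits beyond the table are printed as hex so nothing is silently dropped.
 * Output is truncated (but NUL-terminated) if buf is too small. */
char *toy_av_to_string(toy_access_vector_t av, char *buf, size_t buflen)
{
    size_t used = 0;

    if (buflen == 0)
        return buf;
    buf[0] = '\0';
    for (unsigned bit = 0; bit < 32; bit++) {
        int n;

        if (!(av & (UINT32_C(1) << bit)))
            continue;
        if (bit < TOY_NPERMS)
            n = snprintf(buf + used, buflen - used, "%s%s",
                         used ? " " : "", toy_process_perms[bit]);
        else
            n = snprintf(buf + used, buflen - used, "%s0x%" PRIx32,
                         used ? " " : "", UINT32_C(1) << bit);
        if (n < 0 || (size_t)n >= buflen - used)
            break;
        used += (size_t)n;
    }
    return buf;
}

int main(void)
{
    toy_access_vector_t av;
    char buf[128];

    if (toy_permlist_to_av("fork,signal,sigchld", &av) < 0)
        return 1;
    printf("av=0x%" PRIx32 " -> %s\n", av, toy_av_to_string(av, buf, sizeof buf));
    return 0;
}
```

The round trip is order-independent: "fork,signal,sigchld" and "sigchld,fork,signal" produce the same vector and the same rendered string, which is the property that makes an access vector a set rather than a list.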
From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [RFC PATCH v2 2/4] libsepol: introduce sepol_const_security_context_t typedef Date: Tue, 22 Feb 2022 14:54:33 +0100 Message-Id: <20220222135435.31216-2-cgzones@googlemail.com> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220222135435.31216-1-cgzones@googlemail.com> References: <20220204133507.26977-1-cgzones@googlemail.com> <20220222135435.31216-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org The typedef `sepol_security_context_t` is used for contexts. For the read-only input parameter in `sepol_context_to_sid()` `const sepol_security_context_t` is used as type, which does not expand to the expected `const char*` but `char *const`. Introduce a corresponding typedef for `const char*`. Signed-off-by: Christian Göttsche --- libsepol/include/sepol/policydb/flask_types.h | 1 + libsepol/include/sepol/policydb/services.h | 2 +- libsepol/src/context.c | 2 +- libsepol/src/services.c | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/libsepol/include/sepol/policydb/flask_types.h b/libsepol/include/sepol/policydb/flask_types.h index 7bec5129..02c22eac 100644 --- a/libsepol/include/sepol/policydb/flask_types.h +++ b/libsepol/include/sepol/policydb/flask_types.h @@ -27,6 +27,7 @@ extern "C" { * understanding of the security policy. */ typedef char *sepol_security_context_t; +typedef const char *sepol_const_security_context_t; /* * An access vector (AV) is a collection of related permissions diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h index 44de3863..bcb0930f 100644 --- a/libsepol/include/sepol/policydb/services.h +++ b/libsepol/include/sepol/policydb/services.h 
@@ -155,7 +155,7 @@ extern int sepol_sid_to_context(sepol_security_id_t sid, /* IN */ * Return a SID associated with the security context that * has the string representation specified by `scontext'. */ -extern int sepol_context_to_sid(const sepol_security_context_t scontext, /* IN */ +extern int sepol_context_to_sid(sepol_const_security_context_t scontext, /* IN */ size_t scontext_len, /* IN */ sepol_security_id_t * out_sid); /* OUT */ diff --git a/libsepol/src/context.c b/libsepol/src/context.c index e81b28c6..5cc90afb 100644 --- a/libsepol/src/context.c +++ b/libsepol/src/context.c @@ -22,7 +22,7 @@ int policydb_context_isvalid(const policydb_t * p, const context_struct_t * c) int sepol_check_context(const char *context) { - return sepol_context_to_sid((const sepol_security_context_t)context, + return sepol_context_to_sid(context, strlen(context) + 1, NULL); } diff --git a/libsepol/src/services.c b/libsepol/src/services.c index b2fb804e..c3897c91 100644 --- a/libsepol/src/services.c +++ b/libsepol/src/services.c 
@@ -1269,7 +1269,7 @@ int sepol_sid_to_context(sepol_security_id_t sid, * Return a SID associated with the security context that * has the string representation specified by `scontext'. */ -int sepol_context_to_sid(const sepol_security_context_t scontext, +int sepol_context_to_sid(sepol_const_security_context_t scontext, size_t scontext_len, sepol_security_id_t * sid) { From patchwork Tue Feb 22 13:54:34 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12755130 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id ECCE7C433FE for ; Tue, 22 Feb 2022 13:54:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232012AbiBVNzK (ORCPT ); Tue, 22 Feb 2022 08:55:10 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52886 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232359AbiBVNzJ (ORCPT ); Tue, 22 Feb 2022 08:55:09 -0500 Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B5E310E047 for ; Tue, 22 Feb 2022 05:54:44 -0800 (PST) Received: by mail-ej1-x62a.google.com with SMTP id vz16so43251577ejb.0 for ; Tue, 22 Feb 2022 05:54:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=2inaDl8WI+CFg/Q7OxRf0iskS8aLjWaAzTvoH2VWFd4=; b=E7aRwANleecJr3OZlZS0MX+QMGbxaPK7I0CicekZsWPcH5AJVCygbuXCGuEGpbmfTm +OXR86HZM9ViYIA+kDfWQDucjRp3ZDd/NOH//xqvJJAG0gvMCQYEpGM8m6Za0OFtKj06 XizuXLC9PviADTB7nu1DuaMBr4QyeqlRuiK2nTGHdPbjChHCpU5IRgpMen1qsw/CsSxd 
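Review bot: the context.c hunk keeps `strlen(context) + 1` as scontext_len (terminator included), while the utilities in 4/4 call sepol_context_to_sid() with `strlen(argv[N])` (terminator excluded); since this patch touches the prototype in services.h anyway, its comment is the place to state which convention sepol_context_to_sid() implements. The typedef change itself is the right fix: `const sepol_security_context_t` expanded to `char *const`, qualifying the pointer rather than the characters, and the new `sepol_const_security_context_t` parameter is source-compatible for callers passing `char *` while letting context.c drop its cast.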
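The const-placement problem that patch 2/4 fixes is easy to state and easy to get wrong, so here is an added demonstration (not libsepol code) using the two typedefs as they appear on the page: with the old spelling a function can write through its "const" parameter and the compiler accepts it, whereas the new typedef makes the same assignment a compile error. The helper names are assumptions for this example.

```c
/* Added example (not libsepol code): why `const T` with T = char * does not
 * protect the pointed-to characters. The typedefs mirror flask_types.h. */
#include <stdio.h>
#include <string.h>

typedef char *sepol_security_context_t;             /* existing typedef */
typedef const char *sepol_const_security_context_t; /* added by the patch */

/* Parameter type is `char *const`: the pointer is const, the characters
 * are not, so this assignment compiles without a diagnostic. */
static void scribble_old(const sepol_security_context_t ctx)
{
    ctx[0] = 'X';
}

/* Parameter type is `const char *`: `ctx[0] = 'X'` here would be rejected
 * by the compiler, so the function can only read the context string. */
size_t context_len_new(sepol_const_security_context_t ctx)
{
    return strlen(ctx);
}

/* Returns 1 if a call through the old-style "const" parameter changed the
 * caller's buffer, i.e. the qualifier was applied to the wrong level. */
int old_const_allows_write(void)
{
    char buf[] = "staff_u:staff_r:staff_t:s0"; /* constructed sample context */

    scribble_old(buf);
    return buf[0] == 'X';
}

int main(void)
{
    printf("write through `const sepol_security_context_t` happened: %d\n",
           old_const_allows_write());
    printf("length via sepol_const_security_context_t: %zu\n",
           context_len_new("system_u:object_r:tmp_t:s0"));
    return 0;
}
```

The second function also accepts a string literal or any `const char *` without a cast, which is exactly what sepol_check_context() in the context.c hunk gains.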
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [RFC PATCH v2 3/4] libsepol: export functions for policy analysis
Date: Tue, 22 Feb 2022 14:54:34 +0100
Message-Id: <20220222135435.31216-3-cgzones@googlemail.com>
In-Reply-To: <20220222135435.31216-1-cgzones@googlemail.com>
References: <20220204133507.26977-1-cgzones@googlemail.com> <20220222135435.31216-1-cgzones@googlemail.com>

Export functions needed for converting security identifiers from and to
strings and functions computing security server decisions.
These can be used to debug or run tests on binary policies without
running on a SELinux enabled kernel.

TODO: These functions currently have an inconsistent return behavior:
some return -1 on failure and set errno most but not all of the time,
some return a negative errno-like value.
Maybe this should be addressed before exporting them?

Signed-off-by: Christian Göttsche
---
 libsepol/src/libsepol.map.in | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/libsepol/src/libsepol.map.in b/libsepol/src/libsepol.map.in
index 0e05d606..844924fc 100644
--- a/libsepol/src/libsepol.map.in
+++ b/libsepol/src/libsepol.map.in
@@ -274,3 +274,18 @@ LIBSEPOL_3.0 { cil_write_resolve_ast; cil_set_qualified_names; } LIBSEPOL_1.1; + +LIBSEPOL_3.4 { + global: + sepol_av_perm_to_string; + sepol_change_sid; + sepol_compute_av; + sepol_compute_av_reason; + sepol_compute_av_reason_buffer; + sepol_context_to_sid; + sepol_member_sid; + sepol_sid_to_context; + sepol_string_to_av_perm; + sepol_string_to_security_class; + sepol_validate_transition_reason_buffer; +} LIBSEPOL_3.0; From patchwork Tue Feb 22 13:54:35 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12755131 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1BA26C433EF for ; Tue, 22 Feb 2022 13:54:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232394AbiBVNzN (ORCPT ); Tue, 22 Feb 2022 08:55:13 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52900 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232359AbiBVNzK (ORCPT ); Tue, 22 Feb 2022 08:55:10 -0500 Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F11E5117C9B for ; Tue, 22 Feb 2022 05:54:44 -0800 (PST) Received: by mail-ej1-x62e.google.com with SMTP id a23so43025647eju.3 for ; Tue, 22 Feb 2022 05:54:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=ZSfKa5NJAUkB5EtruIW01DZgJkOUsDe1CXpXfBfFkzc=; b=AtBsgIt3+lM7r/51w8qiEA0AMl+1wtIywnt8NND+xQip0Gd3k15NJbiWc7TWVaJtXs 3HtFYkutnnJjZJ1tE/heCfY/uDptqo2QcuxVRIvQBVQJg8E3cLZ19jRIm4l03yfxf1DR 
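Review bot: the TODO in the commit message needs an answer before this LIBSEPOL_3.4 node lands, because the map file turns the "-1 plus errno" versus "negative errno" split into a public contract that cannot change afterwards; the tools in 4/4 already depend on both styles (sepol_compute_av() is compared against -EINVAL, sepol_member_sid() and sepol_change_sid() are followed by strerror(errno)). Pick one convention, document it per function in services.h, and state it in this commit message. Note also that sepol_av_perm_to_string and the sepol_const_security_context_t prototype of sepol_context_to_sid come from 1/4 and 2/4, so those need to be applied first for these exports to be meaningful.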
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [RFC PATCH v2 4/4] libsepol: add policy utilities
Date: Tue, 22 Feb 2022 14:54:35 +0100
Message-Id: <20220222135435.31216-4-cgzones@googlemail.com>
In-Reply-To: <20220222135435.31216-1-cgzones@googlemail.com>
References: <20220204133507.26977-1-cgzones@googlemail.com> <20220222135435.31216-1-cgzones@googlemail.com>

These are similar to the libselinux utilities but operate on a binary
policy instead of the running kernel.
This allows running them on SELinux-disabled or even non-Linux systems,
e.g. for development or continuous integration.

sepol_check_access: (similar to selinux_check_access)
Check access:

    $ sepol_check_access policy.bin staff_u:staff_r:gpg_t:s0 sysadm_u:sysadm_r:gpg_t:s0 process fork
    requested permission fork denied by constraint; reason:
    constrain process { fork setexec setfscreate setcurrent execmem execstack execheap setkeycreate setsockcreate } ((r1 == r2 -Fail-) ); Constraint DENIED
    constrain process { signull getsched getsession getpgid getcap getattr getrlimit } ((r1 == r2 -Fail-) or (r1 != { staff_r user_r logadm_r apache2adm_r } -Fail-) and (t1 == rbacproc_read -Fail-) or (t1 == rbacproc_full -Fail-) or (t1 == systemd_user_instance_domain -Fail-) and (u2 == system_u -Fail-) and (r2 == system_r -Fail-) and (t2 == systemd_t -Fail-) ); Constraint DENIED
    constrain process { sigchld sigkill sigstop signal ptrace setsched setpgid setcap share setrlimit } ((r1 == r2 -Fail-) or (r1 != { staff_r user_r logadm_r apache2adm_r } -Fail-) and (t1 == rbacproc_full -Fail-) or (t1 == systemd_user_instance_domain -Fail-) and (u2 == system_u -Fail-) and (r2 == system_r -Fail-) and (t2 == systemd_t -Fail-) ); Constraint DENIED

sepol_compute_av: (similar to compute_av)
Compute access vectors:

    $ sepol_compute_av policy.bin staff_u:staff_r:gpg_t:s0 staff_u:staff_r:gpg_t:s0 process
    allowed: fork sigchld signull signal getsched setsched setpgid getcap setcap setrlimit
    decided: fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit
    auditallow:
    auditdeny: fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit

sepol_compute_member: (similar to compute_member)
Compute a SID to use when selecting a member of a polyinstantiated object:

    $ sepol_compute_member policy.bin staff_u:staff_r:staff_t:s0 system_u:object_r:tmp_t:s0 dir
    system_u:object_r:user_tmp_t:s0

sepol_compute_relabel: (similar to compute_relabel)
Compute a SID to use for relabeling an object:

    $ sepol_compute_relabel policy.bin staff_u:staff_r:staff_t:s0 system_u:object_r:tty_device_t:s0 chr_file
    staff_u:object_r:user_tty_device_t:s0

sepol_validate_transition: (similar to validatetrans)
Compute a validatetrans decision:

    $ sepol_validate_transition policy.bin system_u:object_r:user_tmp_t:s0 system_u:object_r:shadow_t:s0 file staff_u:staff_r:staff_t:s0
    allowed
Signed-off-by: Christian Göttsche --- v2: link dynamically after exporting all the necessary functions --- libsepol/.gitignore | 5 + libsepol/utils/sepol_check_access.c | 130 +++++++++++++++++++++ libsepol/utils/sepol_compute_av.c | 66 +++++++++++ libsepol/utils/sepol_compute_member.c | 64 ++++++++++ libsepol/utils/sepol_compute_relabel.c | 64 ++++++++++ libsepol/utils/sepol_validate_transition.c | 74 ++++++++++++ 6 files changed, 403 insertions(+) create mode 100644 libsepol/utils/sepol_check_access.c create mode 100644 libsepol/utils/sepol_compute_av.c create mode 100644 libsepol/utils/sepol_compute_member.c create mode 100644 libsepol/utils/sepol_compute_relabel.c create mode 100644 libsepol/utils/sepol_validate_transition.c diff --git a/libsepol/.gitignore b/libsepol/.gitignore index 77bb5911..abfb603b 100644 --- a/libsepol/.gitignore +++ b/libsepol/.gitignore @@ -1,2 +1,7 @@ utils/chkcon +utils/sepol_check_access +utils/sepol_compute_av +utils/sepol_compute_member +utils/sepol_compute_relabel +utils/sepol_validate_transition libsepol.map diff --git a/libsepol/utils/sepol_check_access.c b/libsepol/utils/sepol_check_access.c new file mode 100644 index 00000000..d0470156 --- /dev/null +++ b/libsepol/utils/sepol_check_access.c 
@@ -0,0 +1,130 @@ +#include +#include +#include +#include + +#include +#include + + +int main(int argc, char *argv[]) +{ + FILE *fp; + sepol_security_id_t ssid, tsid; + sepol_security_class_t tclass; + const char *permlist; + sepol_access_vector_t av; + struct sepol_av_decision avd; + unsigned int reason; + char *reason_buf; + int i; + + if (argc != 6) { + printf("usage: %s policy source_context target_context class permission[,permission2[,...]]\n", argv[0]); + return 1; + } + + fp = fopen(argv[1], "r"); + if (!fp) { + fprintf(stderr, "Can't open policy %s: %s\n", argv[1], strerror(errno)); + return 1; + } + if (sepol_set_policydb_from_file(fp) < 0) { + fprintf(stderr, "Error while processing policy %s: %s\n", argv[1], strerror(errno)); + fclose(fp); + return 1; + } + fclose(fp); + + if (sepol_context_to_sid(argv[2], strlen(argv[2]), &ssid) < 0) { + fprintf(stderr, "Invalid source context %s\n", argv[2]); + return 1; + } + + if (sepol_context_to_sid(argv[3], strlen(argv[3]), &tsid) < 0) { + fprintf(stderr, "Invalid target context %s\n", argv[3]); + return 1; + } + + if (sepol_string_to_security_class(argv[4], &tclass) < 0) { + fprintf(stderr, "Invalid security class %s\n", argv[4]); + return 1; + } + + permlist = argv[5]; + do { + char *tmp = NULL; + const char *perm; + const char *delim = strchr(permlist, ','); + + if (delim) { + tmp = strndup(permlist, delim - permlist); + if (!tmp) { + fprintf(stderr, "Failed to allocate memory: %s\n", strerror(errno)); + return 1; + } + } + + perm = tmp ? 
tmp : permlist; + + if (sepol_string_to_av_perm(tclass, perm, &av) < 0) { + fprintf(stderr, "Invalid permission %s for security class %s: %s\n", perm, argv[4], strerror(errno)); + free(tmp); + return 1; + } + + free(tmp); + + permlist = strchr(permlist, ','); + } while (permlist++); + + if (av == 0) { + fprintf(stderr, "Empty permission set computed from %s\n", argv[5]); + return 1; + } + + if (sepol_compute_av_reason_buffer(ssid, tsid, tclass, av, &avd, &reason, &reason_buf, 0) < 0) { + fprintf(stderr, "Failed to compute av decision: %s\n", strerror(errno)); + return 1; + } + + if ((avd.allowed & av) == av) { + printf("requested permission %s allowed\n", argv[5]); + free(reason_buf); + return 0; + } + + printf("requested permission %s denied by ", argv[5]); + i = 0; + if (reason & SEPOL_COMPUTEAV_TE) { + printf("te-rule"); + i++; + } + if (reason & SEPOL_COMPUTEAV_CONS) { + if (i > 0) + printf(", "); + printf("constraint"); + i++; + } + if (reason & SEPOL_COMPUTEAV_RBAC) { + if (i > 0) + printf(", "); + printf("transition-constraint"); + i++; + } + if (reason & SEPOL_COMPUTEAV_BOUNDS) { + if (i > 0) + printf(", "); + printf("type-bound"); + //i++; + } + + if ((reason & SEPOL_COMPUTEAV_CONS) && reason_buf) + printf("; reason:\n%s", reason_buf); + + free(reason_buf); + + printf("\n"); + + return 7; +} diff --git a/libsepol/utils/sepol_compute_av.c b/libsepol/utils/sepol_compute_av.c new file mode 100644 index 00000000..d64dc31d --- /dev/null +++ b/libsepol/utils/sepol_compute_av.c 
@@ -0,0 +1,66 @@ +#include +#include +#include +#include + +#include +#include + + +int main(int argc, char *argv[]) +{ + FILE *fp; + sepol_security_id_t ssid, tsid; + sepol_security_class_t tclass; + struct sepol_av_decision avd; + int rc; + + if (argc != 5) { + printf("usage: %s policy scontext tcontext tclass\n", argv[0]); + return 1; + } + + fp = fopen(argv[1], "r"); + if (!fp) { + fprintf(stderr, "Can't open policy %s: %s\n", argv[1], strerror(errno)); + return 1; + } + if (sepol_set_policydb_from_file(fp) < 0) { + fprintf(stderr, "Error while processing policy %s: %s\n", argv[1], strerror(errno)); + fclose(fp); + return 1; + } + fclose(fp); + + if (sepol_context_to_sid(argv[2], strlen(argv[2]), &ssid) < 0) { + fprintf(stderr, "Invalid source context %s\n", argv[2]); + return 1; + } + + if (sepol_context_to_sid(argv[3], strlen(argv[3]), &tsid) < 0) { + fprintf(stderr, "Invalid target context %s\n", argv[3]); + return 1; + } + + if (sepol_string_to_security_class(argv[4], &tclass) < 0) { + fprintf(stderr, "Invalid security class %s\n", argv[4]); + return 1; + } + + rc = sepol_compute_av(ssid, tsid, tclass, 0, &avd); + switch (rc) { + case 0: + printf("allowed: %s\n", sepol_av_perm_to_string(tclass, avd.allowed)); + printf("decided: %s\n", sepol_av_perm_to_string(tclass, avd.decided)); + printf("auditallow: %s\n", sepol_av_perm_to_string(tclass, avd.auditallow)); + printf("auditdeny: %s\n", sepol_av_perm_to_string(tclass, avd.auditdeny)); + break; + case -EINVAL: + printf("Invalid request\n"); + break; + default: + printf("Failed to compute av decision: %d\n", rc); + } + + return rc != 0; +} diff --git a/libsepol/utils/sepol_compute_member.c b/libsepol/utils/sepol_compute_member.c new file mode 100644 index 00000000..3d67335d --- /dev/null +++ b/libsepol/utils/sepol_compute_member.c 
@@ -0,0 +1,64 @@ +#include +#include +#include +#include + +#include +#include + + +int main(int argc, char *argv[]) +{ + FILE *fp; + sepol_security_id_t ssid, tsid, out_sid; + sepol_security_class_t tclass; + char *context; + size_t context_len; + + if (argc != 5) { + printf("usage: %s policy scontext tcontext tclass\n", argv[0]); + return 1; + } + + fp = fopen(argv[1], "r"); + if (!fp) { + fprintf(stderr, "Can't open policy %s: %s\n", argv[1], strerror(errno)); + return 1; + } + if (sepol_set_policydb_from_file(fp) < 0) { + fprintf(stderr, "Error while processing policy %s: %s\n", argv[1], strerror(errno)); + fclose(fp); + return 1; + } + fclose(fp); + + if (sepol_context_to_sid(argv[2], strlen(argv[2]), &ssid) < 0) { + fprintf(stderr, "Invalid source context %s\n", argv[2]); + return 1; + } + + if (sepol_context_to_sid(argv[3], strlen(argv[3]), &tsid) < 0) { + fprintf(stderr, "Invalid target context %s\n", argv[3]); + return 1; + } + + if (sepol_string_to_security_class(argv[4], &tclass) < 0) { + fprintf(stderr, "Invalid security class %s\n", argv[4]); + return 1; + } + + if (sepol_member_sid(ssid, tsid, tclass, &out_sid) < 0) { + fprintf(stderr, "Failed to compute member sid: %s\n", strerror(errno)); + return 1; + } + + if (sepol_sid_to_context(out_sid, &context, &context_len) < 0) { + fprintf(stderr, "Failed to convert sid %u: %s\n", out_sid, strerror(errno)); + return 1; + } + + printf("%s\n", context); + free(context); + + return 0; +} diff --git a/libsepol/utils/sepol_compute_relabel.c b/libsepol/utils/sepol_compute_relabel.c new file mode 100644 index 00000000..db664ce8 --- /dev/null +++ b/libsepol/utils/sepol_compute_relabel.c 
@@ -0,0 +1,64 @@ +#include +#include +#include +#include + +#include +#include + + +int main(int argc, char *argv[]) +{ + FILE *fp; + sepol_security_id_t ssid, tsid, out_sid; + sepol_security_class_t tclass; + char *context; + size_t context_len; + + if (argc != 5) { + printf("usage: %s policy scontext tcontext tclass\n", argv[0]); + return 1; + } + + fp = fopen(argv[1], "r"); + if (!fp) { + fprintf(stderr, "Can't open policy %s: %s\n", argv[1], strerror(errno)); + return 1; + } + if (sepol_set_policydb_from_file(fp) < 0) { + fprintf(stderr, "Error while processing policy %s: %s\n", argv[1], strerror(errno)); + fclose(fp); + return 1; + } + fclose(fp); + + if (sepol_context_to_sid(argv[2], strlen(argv[2]), &ssid) < 0) { + fprintf(stderr, "Invalid source context %s\n", argv[2]); + return 1; + } + + if (sepol_context_to_sid(argv[3], strlen(argv[3]), &tsid) < 0) { + fprintf(stderr, "Invalid target context %s\n", argv[3]); + return 1; + } + + if (sepol_string_to_security_class(argv[4], &tclass) < 0) { + fprintf(stderr, "Invalid security class %s\n", argv[4]); + return 1; + } + + if (sepol_change_sid(ssid, tsid, tclass, &out_sid) < 0) { + fprintf(stderr, "Failed to compute changed sid: %s\n", strerror(errno)); + return 1; + } + + if (sepol_sid_to_context(out_sid, &context, &context_len) < 0) { + fprintf(stderr, "Failed to convert sid %u: %s\n", out_sid, strerror(errno)); + return 1; + } + + printf("%s\n", context); + free(context); + + return 0; +} diff --git a/libsepol/utils/sepol_validate_transition.c b/libsepol/utils/sepol_validate_transition.c new file mode 100644 index 00000000..8243c37d --- /dev/null +++ b/libsepol/utils/sepol_validate_transition.c 
@@ -0,0 +1,74 @@ +#include +#include +#include +#include + +#include +#include + + +int main(int argc, char *argv[]) +{ + FILE *fp; + sepol_security_id_t oldsid, newsid, tasksid; + sepol_security_class_t tclass; + char *reason = NULL; + int ret; + + if (argc != 6) { + printf("usage: %s policy oldcontext newcontext tclass taskcontext\n", argv[0]); + return 1; + } + + fp = fopen(argv[1], "r"); + if (!fp) { + fprintf(stderr, "Can't open policy %s: %s\n", argv[1], strerror(errno)); + return 1; + } + if (sepol_set_policydb_from_file(fp) < 0) { + fprintf(stderr, "Error while processing policy %s: %s\n", argv[1], strerror(errno)); + fclose(fp); + return 1; + } + fclose(fp); + + if (sepol_context_to_sid(argv[2], strlen(argv[2]), &oldsid) < 0) { + fprintf(stderr, "Invalid old context %s\n", argv[2]); + return 1; + } + + if (sepol_context_to_sid(argv[3], strlen(argv[3]), &newsid) < 0) { + fprintf(stderr, "Invalid new context %s\n", argv[3]); + return 1; + } + + if (sepol_string_to_security_class(argv[4], &tclass) < 0) { + fprintf(stderr, "Invalid security class %s\n", argv[4]); + return 1; + } + + if (sepol_context_to_sid(argv[5], strlen(argv[5]), &tasksid) < 0) { + fprintf(stderr, "Invalid task context %s\n", argv[5]); + return 1; + } + + ret = sepol_validate_transition_reason_buffer(oldsid, newsid, tasksid, tclass, &reason, SHOW_GRANTED); + switch (ret) { + case 0: + printf("allowed\n"); + ret = 0; + break; + case -EPERM: + printf("denied\n"); + printf("%s\n", reason ? reason : "unknown - possible BUG()"); + ret = 7; + break; + default: + printf("sepol_validate_transition_reason_buffer returned %d errno: %s\n", ret, strerror(errno)); + ret = 1; + } + + free(reason); + + return ret; +}
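Review bot: in sepol_check_access.c `av` is declared (`sepol_access_vector_t av;`) but never initialised before the permission loop, and the loop only produces a union of `fork,signal,...` if sepol_string_to_av_perm() ORs each bit into *av; ORing into an indeterminate value makes both the `av == 0` check and the final `(avd.allowed & av) == av` decision unreliable (and if the callee assigns instead, only the last permission survives). Write `sepol_access_vector_t av = 0;`. Minor: drop the commented-out `//i++;`, and mention in the usage text that exit status 7 means "denied" (sepol_validate_transition.c uses the same value), since CI scripts will key off it.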
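Review bot: sepol_compute_av.c passes the result of sepol_av_perm_to_string() straight to `printf("%s")` four times; if the wrapper from 1/4 can return NULL (no policy loaded, or a failure growing its internal buffer) that is undefined behaviour rather than an error message. Guard each call, e.g. `const char *s = sepol_av_perm_to_string(tclass, avd.allowed); printf("allowed: %s\n", s ? s : "<error>");`. The `case -EINVAL:` branch also assumes a negative-errno return while the sibling tools use strerror(errno); whichever convention 3/4's TODO settles on, these tools should follow it uniformly.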
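Review bot: sepol_compute_member.c and sepol_compute_relabel.c differ only in the sepol_member_sid()/sepol_change_sid() call and one error string, and the policy-loading and context-parsing prologue is repeated verbatim in all five tools; a small shared helper (even a static one in a common header under utils/) would keep the error handling consistent when it changes. In the `Failed to convert sid %u` messages, sepol_security_id_t should be printed with PRIu32 from <inttypes.h> if it is a uint32_t typedef, rather than relying on `%u` matching.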
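Review bot: in sepol_validate_transition.c the `default:` branch prints `strerror(errno)`, but the function is treated as returning a negative errno value (`case -EPERM:`), so errno may be stale or unrelated at that point; `strerror(-ret)` is the matching call, or drop the errno text if the return value is the only error channel. The `ret = 0;` under `case 0:` is redundant, and when `reason` is NULL on a denial the message "unknown - possible BUG()" should probably go to stderr, since stdout is the decision the caller parses.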
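Review bot: the diffstat shows no change to the utils Makefile, yet the five new binaries are added to libsepol/.gitignore; if that Makefile does not pick up every *.c in the directory automatically, the tools will be neither built nor installed, so either confirm the glob or add them explicitly. Man pages for the new tools are also missing, and the usage strings are printed with printf to stdout on error where the other diagnostics go to stderr.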