2019-12-09 04:14:30 -05:00
|
|
|
|
#include <cstring>
|
|
|
|
|
|
#include <vector>
|
|
|
|
|
|
#include <string>
|
|
|
|
|
|
|
2022-05-12 02:03:42 -07:00
|
|
|
|
#include <base.hpp>
|
2019-12-09 04:14:30 -05:00
|
|
|
|
|
2022-03-29 22:26:38 -07:00
|
|
|
|
#include "policy.hpp"
|
2020-05-21 06:48:02 -07:00
|
|
|
|
|
2019-12-09 04:14:30 -05:00
|
|
|
|
using namespace std;
|
|
|
|
|
|
|
|
|
|
|
|
static const char *type_msg_1 =
|
2020-05-25 02:09:43 -07:00
|
|
|
|
R"EOF("allow *source_type *target_type *class *perm_set"
|
|
|
|
|
|
"deny *source_type *target_type *class *perm_set"
|
|
|
|
|
|
"auditallow *source_type *target_type *class *perm_set"
|
|
|
|
|
|
"dontaudit *source_type *target_type *class *perm_set"
|
2019-12-09 04:14:30 -05:00
|
|
|
|
)EOF";
|
|
|
|
|
|
|
|
|
|
|
|
static const char *type_msg_2 =
|
2020-05-25 02:09:43 -07:00
|
|
|
|
R"EOF("allowxperm *source_type *target_type *class operation xperm_set"
|
|
|
|
|
|
"auditallowxperm *source_type *target_type *class operation xperm_set"
|
|
|
|
|
|
"dontauditxperm *source_type *target_type *class operation xperm_set"
|
2023-07-31 09:28:27 -07:00
|
|
|
|
- The only supported operation right now is 'ioctl'
|
|
|
|
|
|
- xperm_set is one or multiple hexadecimal numeric values ranging from 0x0000 to 0xFFFF.
|
|
|
|
|
|
Multiple values consist of a space separated list enclosed in braces ({}).
|
|
|
|
|
|
Use the complement operator (~) to specify all permissions except those explicitly listed.
|
|
|
|
|
|
Use the range operator (-) to specify all permissions within the low – high range.
|
|
|
|
|
|
Use the match all operator (*) to match all ioctl commands.
|
|
|
|
|
|
The special value 0 is used to clear all rules.
|
|
|
|
|
|
Some examples:
|
|
|
|
|
|
allowxperm source target class ioctl 0x8910
|
|
|
|
|
|
allowxperm source target class ioctl { 0x8910-0x8926 0x892A-0x8935 }
|
|
|
|
|
|
allowxperm source target class ioctl ~{ 0x8910 0x892A }
|
|
|
|
|
|
allowxperm source target class ioctl *
|
2019-12-09 04:14:30 -05:00
|
|
|
|
)EOF";
|
|
|
|
|
|
|
|
|
|
|
|
static const char *type_msg_3 =
|
2023-07-31 09:28:27 -07:00
|
|
|
|
R"EOF("permissive *type"
|
|
|
|
|
|
"enforce *type"
|
2019-12-09 04:14:30 -05:00
|
|
|
|
)EOF";
|
|
|
|
|
|
|
|
|
|
|
|
static const char *type_msg_4 =
|
2020-05-25 02:09:43 -07:00
|
|
|
|
R"EOF("typeattribute ^type ^attribute"
|
2019-12-09 04:14:30 -05:00
|
|
|
|
)EOF";
|
|
|
|
|
|
|
|
|
|
|
|
static const char *type_msg_5 =
|
2020-05-25 02:09:43 -07:00
|
|
|
|
R"EOF("type type_name ^(attribute)"
|
|
|
|
|
|
- Argument 'attribute' is optional, default to 'domain'
|
2019-12-09 04:14:30 -05:00
|
|
|
|
)EOF";
|
|
|
|
|
|
|
|
|
|
|
|
static const char *type_msg_6 =
|
2020-05-25 02:09:43 -07:00
|
|
|
|
R"EOF("attribute attribute_name"
|
2019-12-09 04:14:30 -05:00
|
|
|
|
)EOF";
|
|
|
|
|
|
|
2020-02-02 01:16:42 +08:00
|
|
|
|
static const char *type_msg_7 =
|
2020-05-25 02:09:43 -07:00
|
|
|
|
R"EOF("type_transition source_type target_type class default_type (object_name)"
|
|
|
|
|
|
- Argument 'object_name' is optional
|
|
|
|
|
|
)EOF";
|
|
|
|
|
|
|
|
|
|
|
|
static const char *type_msg_8 =
|
|
|
|
|
|
R"EOF("type_change source_type target_type class default_type"
|
|
|
|
|
|
"type_member source_type target_type class default_type"
|
|
|
|
|
|
)EOF";
|
|
|
|
|
|
|
|
|
|
|
|
static const char *type_msg_9 =
|
|
|
|
|
|
R"EOF("genfscon fs_name partial_path fs_context"
|
2020-02-02 01:16:42 +08:00
|
|
|
|
)EOF";
|
|
|
|
|
|
|
2019-12-09 04:14:30 -05:00
|
|
|
|
void statement_help() {
|
2020-12-30 22:11:24 -08:00
|
|
|
|
fprintf(stderr,
|
2019-12-09 04:14:30 -05:00
|
|
|
|
R"EOF(One policy statement should be treated as one parameter;
|
2020-05-21 06:48:02 -07:00
|
|
|
|
this means each policy statement should be enclosed in quotes.
|
2019-12-09 04:14:30 -05:00
|
|
|
|
Multiple policy statements can be provided in a single command.
|
|
|
|
|
|
|
2020-05-21 06:48:02 -07:00
|
|
|
|
Statements has a format of "<rule_name> [args...]".
|
2023-07-31 09:28:27 -07:00
|
|
|
|
Arguments labeled with (^) can accept one or more entries.
|
|
|
|
|
|
Multiple entries consist of a space separated list enclosed in braces ({}).
|
2020-05-25 02:09:43 -07:00
|
|
|
|
Arguments labeled with (*) are the same as (^), but additionally
|
|
|
|
|
|
support the match-all operator (*).
|
2020-05-21 06:48:02 -07:00
|
|
|
|
|
|
|
|
|
|
Example: "allow { s1 s2 } { t1 t2 } class *"
|
|
|
|
|
|
Will be expanded to:
|
|
|
|
|
|
|
|
|
|
|
|
allow s1 t1 class { all-permissions-of-class }
|
|
|
|
|
|
allow s1 t2 class { all-permissions-of-class }
|
|
|
|
|
|
allow s2 t1 class { all-permissions-of-class }
|
|
|
|
|
|
allow s2 t2 class { all-permissions-of-class }
|
2019-12-09 04:14:30 -05:00
|
|
|
|
|
|
|
|
|
|
Supported policy statements:
|
|
|
|
|
|
|
|
|
|
|
|
%s
|
|
|
|
|
|
%s
|
|
|
|
|
|
%s
|
|
|
|
|
|
%s
|
|
|
|
|
|
%s
|
|
|
|
|
|
%s
|
2020-02-02 01:16:42 +08:00
|
|
|
|
%s
|
2020-05-25 02:09:43 -07:00
|
|
|
|
%s
|
|
|
|
|
|
%s
|
|
|
|
|
|
)EOF", type_msg_1, type_msg_2, type_msg_3, type_msg_4,
|
|
|
|
|
|
type_msg_5, type_msg_6, type_msg_7, type_msg_8, type_msg_9);
|
2020-12-30 22:11:24 -08:00
|
|
|
|
exit(0);
|
2019-12-09 04:14:30 -05:00
|
|
|
|
}
|
