2022-05-12 02:03:42 -07:00
|
|
|
#include <base.hpp>
|
2021-09-06 00:46:30 +08:00
|
|
|
#include <vector>
|
2019-02-10 03:57:51 -05:00
|
|
|
|
2022-03-29 22:26:38 -07:00
|
|
|
#include "policy.hpp"
|
2018-11-29 03:46:29 -05:00
|
|
|
|
2022-01-20 01:58:11 -08:00
|
|
|
using namespace std;
|
2018-11-08 04:20:16 -05:00
|
|
|
|
|
|
|
[[noreturn]] static void usage(char *arg0) {
|
2020-12-30 22:11:24 -08:00
|
|
|
fprintf(stderr,
|
2022-01-20 01:58:11 -08:00
|
|
|
R"EOF(MagiskPolicy - SELinux Policy Patch Tool
|
2019-12-09 04:14:30 -05:00
|
|
|
|
|
|
|
Usage: %s [--options...] [policy statements...]
|
|
|
|
|
|
|
|
Options:
|
|
|
|
--help show help message for policy statements
|
2022-01-20 01:58:11 -08:00
|
|
|
--load FILE load monolithic sepolicy from FILE
|
2019-12-09 04:14:30 -05:00
|
|
|
--load-split load from precompiled sepolicy or compile
|
2022-01-20 01:58:11 -08:00
|
|
|
split cil policies
|
2019-12-09 04:14:30 -05:00
|
|
|
--compile-split compile split cil policies
|
2022-01-20 01:58:11 -08:00
|
|
|
--save FILE dump monolithic sepolicy to FILE
|
|
|
|
--live immediately load sepolicy into the kernel
|
|
|
|
--magisk apply built-in Magisk sepolicy rules
|
2019-12-09 04:14:30 -05:00
|
|
|
--apply FILE apply rules from FILE, read and parsed
|
|
|
|
line by line as policy statements
|
2022-01-20 01:58:11 -08:00
|
|
|
(multiple --apply are allowed)
|
2023-08-01 18:03:54 -07:00
|
|
|
--print-rules print all rules in the loaded sepolicy
|
2019-12-09 04:14:30 -05:00
|
|
|
|
2022-01-20 01:58:11 -08:00
|
|
|
If neither --load, --load-split, nor --compile-split is specified,
|
|
|
|
it will load from current live policies (/sys/fs/selinux/policy)
|
2019-12-09 04:14:30 -05:00
|
|
|
|
|
|
|
)EOF", arg0);
|
2020-12-30 22:11:24 -08:00
|
|
|
exit(1);
|
2018-11-08 04:20:16 -05:00
|
|
|
}
|
|
|
|
|
2022-03-17 03:36:40 -07:00
|
|
|
int main(int argc, char *argv[]) {
|
2020-12-30 22:11:24 -08:00
|
|
|
cmdline_logging();
|
|
|
|
const char *out_file = nullptr;
|
2022-01-20 01:58:11 -08:00
|
|
|
vector<string_view> rule_files;
|
2020-12-30 22:11:24 -08:00
|
|
|
sepolicy *sepol = nullptr;
|
|
|
|
bool magisk = false;
|
|
|
|
bool live = false;
|
2023-08-01 18:03:54 -07:00
|
|
|
bool print = false;
|
2020-12-30 22:11:24 -08:00
|
|
|
|
|
|
|
if (argc < 2) usage(argv[0]);
|
|
|
|
int i = 1;
|
|
|
|
for (; i < argc; ++i) {
|
|
|
|
// Parse options
|
|
|
|
if (argv[i][0] == '-' && argv[i][1] == '-') {
|
|
|
|
auto option = argv[i] + 2;
|
|
|
|
if (option == "live"sv)
|
|
|
|
live = true;
|
|
|
|
else if (option == "magisk"sv)
|
|
|
|
magisk = true;
|
2023-08-01 18:03:54 -07:00
|
|
|
else if (option == "print-rules"sv)
|
|
|
|
print = true;
|
2020-12-30 22:11:24 -08:00
|
|
|
else if (option == "load"sv) {
|
|
|
|
if (argv[i + 1] == nullptr)
|
|
|
|
usage(argv[0]);
|
|
|
|
sepol = sepolicy::from_file(argv[i + 1]);
|
|
|
|
if (!sepol) {
|
|
|
|
fprintf(stderr, "Cannot load policy from %s\n", argv[i + 1]);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
++i;
|
|
|
|
} else if (option == "load-split"sv) {
|
|
|
|
sepol = sepolicy::from_split();
|
|
|
|
if (!sepol) {
|
|
|
|
fprintf(stderr, "Cannot load split cil\n");
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
} else if (option == "compile-split"sv) {
|
|
|
|
sepol = sepolicy::compile_split();
|
|
|
|
if (!sepol) {
|
|
|
|
fprintf(stderr, "Cannot compile split cil\n");
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
} else if (option == "save"sv) {
|
|
|
|
if (argv[i + 1] == nullptr)
|
|
|
|
usage(argv[0]);
|
|
|
|
out_file = argv[i + 1];
|
|
|
|
++i;
|
|
|
|
} else if (option == "apply"sv) {
|
|
|
|
if (argv[i + 1] == nullptr)
|
|
|
|
usage(argv[0]);
|
2021-09-06 00:46:30 +08:00
|
|
|
rule_files.emplace_back(argv[i + 1]);
|
2020-12-30 22:11:24 -08:00
|
|
|
++i;
|
|
|
|
} else if (option == "help"sv) {
|
2024-03-21 14:07:28 -07:00
|
|
|
rust::print_statement_help();
|
|
|
|
exit(0);
|
2020-12-30 22:11:24 -08:00
|
|
|
} else {
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Use current policy if nothing is loaded
|
|
|
|
if (sepol == nullptr && !(sepol = sepolicy::from_file(SELINUX_POLICY))) {
|
|
|
|
fprintf(stderr, "Cannot load policy from " SELINUX_POLICY "\n");
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2023-08-01 18:03:54 -07:00
|
|
|
if (print) {
|
|
|
|
sepol->print_rules();
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2020-12-30 22:11:24 -08:00
|
|
|
if (magisk)
|
|
|
|
sepol->magisk_rules();
|
|
|
|
|
2021-09-06 00:46:30 +08:00
|
|
|
if (!rule_files.empty())
|
|
|
|
for (const auto &rule_file : rule_files)
|
|
|
|
sepol->load_rule_file(rule_file.data());
|
2020-12-30 22:11:24 -08:00
|
|
|
|
|
|
|
for (; i < argc; ++i)
|
|
|
|
sepol->parse_statement(argv[i]);
|
|
|
|
|
|
|
|
if (live && !sepol->to_file(SELINUX_LOAD)) {
|
|
|
|
fprintf(stderr, "Cannot apply policy\n");
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (out_file && !sepol->to_file(out_file)) {
|
|
|
|
fprintf(stderr, "Cannot dump policy to %s\n", out_file);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
delete sepol;
|
|
|
|
return 0;
|
2018-11-08 04:20:16 -05:00
|
|
|
}
|