From 60a7eaf2bb35ed5da2dc6230293b7273eda4f8e7 Mon Sep 17 00:00:00 2001
From: topjohnwu
Date: Tue, 13 Sep 2016 06:34:13 +0800
Subject: [PATCH] Refacter add_rule to auto mode
---
 sepolicy-inject.c | 168 +++++++++++++++++++++++++--------------------
 1 file changed, 92 insertions(+), 76 deletions(-)
diff --git a/sepolicy-inject.c b/sepolicy-inject.c
index ead7975c5..d926f699a 100644
--- a/sepolicy-inject.c
+++ b/sepolicy-inject.c
@@ -166,42 +166,6 @@ int add_irule(int s, int t, int c, int p, int effect, int not, policydb_t* polic
 return 0;
 }
-int add_rule(char *s, char *t, char *c, char *p, int effect, int not, policydb_t *policy) {
- type_datum_t *src, *tgt;
- class_datum_t *cls;
- perm_datum_t *perm;
- src = hashtab_search(policy->p_types.table, s);
- if (src == NULL) {
- fprintf(stderr, "source type %s does not exist\n", s);
- return 1;
- }
- tgt = hashtab_search(policy->p_types.table, t);
- if (tgt == NULL) {
- fprintf(stderr, "target type %s does not exist\n", t);
- return 1;
- }
- cls = hashtab_search(policy->p_classes.table, c);
- if (cls == NULL) {
- fprintf(stderr, "class %s does not exist\n", c);
- return 1;
- }
- perm = hashtab_search(cls->permissions.table, p);
- if (perm == NULL) {
- if (cls->comdatum == NULL) {
- fprintf(stderr, "perm %s does not exist in class %s\n", p, c);
- return 1;
- }
- perm = hashtab_search(cls->comdatum->permissions.table, p);
- if (perm == NULL) {
- fprintf(stderr, "perm %s does not exist in class %s\n", p, c);
- return 1;
- }
- }
- return add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not, policy);
-}
 int add_typerule(char *s, char *targetAttribute, char **minusses, char *c, char *p, int effect, int not, policydb_t *policy) {
 type_datum_t *src, *tgt;
 class_datum_t *cls;
@@ -433,8 +397,7 @@ int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf) {
 return 0;
 }
-int auto_allow(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, policydb_t *policy) {
- perm_datum_t *perm;
+int add_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, perm_datum_t *perm, int effect, int not, policydb_t *policy) {
 hashtab_t type_table, class_table, perm_table;
 hashtab_ptr_t cur;
@@ -446,7 +409,7 @@ int auto_allow(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, policyd
 cur = type_table->htable[i];
 while (cur != NULL) {
 src = cur->datum;
- if(auto_allow(src, tgt, cls, policy))
+ if(add_rule_auto(src, tgt, cls, perm, effect, not, policy))
 return 1;
 cur = cur->next;
 }
@@ -456,7 +419,7 @@ int auto_allow(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, policyd
 cur = type_table->htable[i];
 while (cur != NULL) {
 tgt = cur->datum;
- if(auto_allow(src, tgt, cls, policy))
+ if(add_rule_auto(src, tgt, cls, perm, effect, not, policy))
 return 1;
 cur = cur->next;
 }
@@ -466,18 +429,18 @@ int auto_allow(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, policyd
 cur = class_table->htable[i];
 while (cur != NULL) {
 cls = cur->datum;
- if(auto_allow(src, tgt, cls, policy))
+ if(add_rule_auto(src, tgt, cls, perm, effect, not, policy))
 return 1;
 cur = cur->next;
 }
 }
- } else {
+ } else if (perm == NULL) {
 perm_table = cls->permissions.table;
 for (int i = 0; i < perm_table->size; ++i) {
 cur = perm_table->htable[i];
 while (cur != NULL) {
 perm = cur->datum;
- if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, AVTAB_ALLOWED, 0, policy))
+ if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not, policy))
 return 1;
 cur = cur->next;
 }
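Review bot: The `src == NULL` and `tgt == NULL` expansions in the two hunks above this one walk every bucket of `type_table` and take `cur->datum` as-is, and the `else if (perm == NULL)` branch here now forwards `effect`/`not` — but nothing in that walk distinguishes real types from attributes, which libsepol keeps in the same `p_types` symtab, so the expansion presumably also emits rules keyed on attribute values that no access check will ever match; a `flavor == TYPE_ATTRIB` skip in those loops (confirm the field against this tree's type_datum_t) would keep the output to real types. The recursion also means each NULL argument multiplies the rule count over the whole policy, which a reader of `add_rule_auto` cannot tell from its signature; add above it `/* NULL src/tgt/cls/perm are wildcards: the rule is expanded over every type, class or permission in the policy */`. add_rule_auto begins in the first hunk of this run and its remaining branches are in the next.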
@@ -489,16 +452,67 @@ int auto_allow(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, policyd
 cur = perm_table->htable[i];
 while (cur != NULL) {
 perm = cur->datum;
- if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, AVTAB_ALLOWED, 0, policy))
+ if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not, policy))
 return 1;
 cur = cur->next;
 }
 }
 }
+ } else {
+ return add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not, policy);
 }
 return 0;
 }
+int add_rule(char *s, char *t, char *c, char *p, int effect, int not, policydb_t *policy) {
+ type_datum_t *src = NULL, *tgt = NULL;
+ class_datum_t *cls = NULL;
+ perm_datum_t *perm = NULL;
+
+ if (s) {
+ src = hashtab_search(policy->p_types.table, s);
+ if (src == NULL) {
+ fprintf(stderr, "source type %s does not exist\n", s);
+ return 1;
+ }
+ }
+
+ if (t) {
+ tgt = hashtab_search(policy->p_types.table, t);
+ if (tgt == NULL) {
+ fprintf(stderr, "target type %s does not exist\n", t);
+ return 1;
+ }
+ }
+
+ if (c) {
+ cls = hashtab_search(policy->p_classes.table, c);
+ if (cls == NULL) {
+ fprintf(stderr, "class %s does not exist\n", c);
+ return 1;
+ }
+ }
+
+ if (p) {
+ if (c == NULL) {
+ fprintf(stderr, "No class is specified, cannot add perm [%s] \n", p);
+ return 1;
+ }
+
+ if (cls != NULL) {
+ perm = hashtab_search(cls->permissions.table, p);
+ if (perm == NULL && cls->comdatum != NULL) {
+ perm = hashtab_search(cls->comdatum->permissions.table, p);
+ }
+ if (perm == NULL) {
+ fprintf(stderr, "perm %s does not exist in class %s\n", p, c);
+ return 1;
+ }
+ }
+ }
+ return add_rule_auto(src, tgt, cls, perm, effect, not, policy);
+}
+
 int live_patch(policydb_t *policydb) {
 char *filename = "/sys/fs/selinux/load";
 int fd, ret;
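Review bot: add_rule now accepts NULL for any of s, t, c, p and hands them to add_rule_auto as wildcards, yet the function carries no comment saying so and its name still reads as "add one rule"; a caller with an unset option gets a policy-wide expansion instead of an error. Put above it `/* s, t, c, p may be NULL; a NULL argument is a wildcard expanded by add_rule_auto over every type / class / permission. A perm requires a class. */`. The `if (cls != NULL)` inside `if (p)` can never be false, since the `if (c)` block already returned when the class lookup failed, so that nesting is dead and the perm lookup can sit directly under the `c == NULL` check. The format string `"No class is specified, cannot add perm [%s] \n"` carries a stray space before the newline.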
@@ -506,6 +520,7 @@ int live_patch(policydb_t *policydb) {
 size_t len;
 policydb_to_image(NULL, policydb, &data, &len);
+ if (data == NULL) fprintf(stderr, "Error!");
 // based on libselinux security_load_policy()
 fd = open(filename, O_RDWR);
@@ -528,7 +543,7 @@ int main(int argc, char **argv)
 char *policy = NULL, *source = NULL, *target = NULL, *class = NULL, *perm = NULL;
 char *fcon = NULL, *outfile = NULL, *permissive = NULL, *attr = NULL, *filetrans = NULL;
- int exists = 0, not = 0, autoAllow = 0, live = 0;
+ int exists = 0, not = 0, live = 0, builtin = 0;
 policydb_t policydb;
 struct policy_file pf, outpf;
 sidtab_t sidtab;
@@ -546,12 +561,11 @@ int main(int argc, char **argv)
 {"fcon", required_argument, NULL, 'f'},
 {"filetransition", required_argument, NULL, 'g'},
 {"noaudit", no_argument, NULL, 'n'},
- {"policy", required_argument, NULL, 'P'},
+ {"file", required_argument, NULL, 'P'},
 {"output", required_argument, NULL, 'o'},
 {"permissive", required_argument, NULL, 'Z'},
 {"not-permissive", required_argument, NULL, 'z'},
 {"not", no_argument, NULL, 0},
- {"auto", no_argument, NULL, 0},
 {"live", no_argument, NULL, 0},
 {NULL, 0, NULL, 0}
 };
@@ -562,8 +576,6 @@ int main(int argc, char **argv)
 case 0:
 if(strcmp(long_options[option_index].name, "not") == 0)
 not = 1;
- else if(strcmp(long_options[option_index].name, "auto") == 0)
- autoAllow = 1;
 else if(strcmp(long_options[option_index].name, "live") == 0)
 live = 1;
 else
@@ -615,12 +627,15 @@ int main(int argc, char **argv)
 }
 }
- if ((!source || !target || !class || !perm) && !permissive && !fcon && !attr &&!filetrans && !exists && !auto_allow )
- usage(argv[0]);
+ // Use builtin rules if nothing specified
+ if (!source && !target && !class && !perm && !permissive && !fcon && !attr &&!filetrans && !exists)
+ builtin = 1;
+ // Overwrite original if not specified
 if(!outfile)
 outfile = policy;
+ // Use current policy if not specified
 if(!policy)
 policy = "/sys/fs/selinux/policy";
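Review bot: `if (data == NULL) fprintf(stderr, "Error!");` in live_patch only reports the failure; control continues to `open()` and, presumably, the write of the NULL image further down, and the return code of `policydb_to_image` is still discarded. Turn it into an error path, e.g. `if (policydb_to_image(NULL, policydb, &data, &len) != 0 || data == NULL) { fprintf(stderr, "policydb_to_image failed\n"); return 1; }`, using whatever failure value the rest of live_patch returns (its body is outside the hunk). The NULL check is also only meaningful if `data` is initialised to NULL before the call; its declaration is above the hunk, so confirm that.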
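Review bot: Dropping `usage(argv[0])` means no option combination is rejected any more: the old check required all four of source/target/class/perm for a rule, whereas now a partial set reaches the `add_rule` fallback added in the last hunk, where each missing option is a wildcard — `-s foo` alone expands to every target, class and permission — and no options at all sets `builtin` for a branch that is still a TODO. With `policy` defaulting to `/sys/fs/selinux/policy` and `outfile` to `policy`, a mistyped command line now silently targets the live policy with a much broader rule than before. Keep `usage()` for the no-arguments case until builtin rules exist, and log which of source/target/class/perm are being expanded before the rule is applied. The rest of main is outside this hunk.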
@@ -635,18 +650,11 @@ int main(int argc, char **argv)
 if (policydb_load_isids(&policydb, &sidtab))
 return 1;
- if (autoAllow) {
- type_datum_t *src = NULL, *tgt = NULL;
- class_datum_t *cls = NULL;
- if (source)
- src = hashtab_search(policydb.p_types.table, source);
- if (target)
- tgt = hashtab_search(policydb.p_types.table, target);
- if (class)
- cls = hashtab_search(policydb.p_classes.table, class);
- if (auto_allow(src, tgt, cls, &policydb))
- return 1;
- } else if (permissive) {
+ if (builtin) {
+ // TODO: Create builtin rules
+ // builtin(&policydb);
+ }
+ else if (permissive) {
 type_datum_t *type;
 create_domain(permissive, &policydb);
 type = hashtab_search(policydb.p_types.table, permissive);
@@ -688,23 +696,26 @@ int main(int argc, char **argv)
 return 1;
 } else {
 //Add a rule to a whole set of typeattribute, not just a type
- if(*target == '=') {
- char *saveptr = NULL;
+ if (target != NULL) {
+ if(*target == '=') {
+ char *saveptr = NULL;
- char *targetAttribute = strtok_r(target, "-", &saveptr);
+ char *targetAttribute = strtok_r(target, "-", &saveptr);
- char *vals[64];
- int i = 0;
+ char *vals[64];
+ int i = 0;
- char *m = NULL;
- while( (m = strtok_r(NULL, "-", &saveptr)) != NULL) {
- vals[i++] = m;
+ char *m = NULL;
+ while( (m = strtok_r(NULL, "-", &saveptr)) != NULL) {
+ vals[i++] = m;
+ }
+ vals[i] = NULL;
+
+ if(add_typerule(source, targetAttribute+1, vals, class, perm, AVTAB_ALLOWED, not, &policydb))
+ return 1;
 }
- vals[i] = NULL;
-
- if(add_typerule(source, targetAttribute+1, vals, class, perm, AVTAB_ALLOWED, not, &policydb))
- return 1;
- } else {
+ }
+ if (perm != NULL) {
 char *saveptr = NULL;
 char *p = strtok_r(perm, ",", &saveptr);
@@ -714,6 +725,11 @@ int main(int argc, char **argv)
 return 1;
 }
 } while( (p = strtok_r(NULL, ",", &saveptr)) != NULL);
+ } else {
+ if (add_rule(source, target, class, perm, AVTAB_ALLOWED, not, &policydb)) {
+ fprintf(stderr, "Could not add rule\n");
+ return 1;
+ }
 }
 }
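Review bot: The `else` that kept the typeattribute path and the per-permission path exclusive was dropped: after `add_typerule` runs for a `=attr-…` target the code falls into `if (perm != NULL)`, whose loop body (between this hunk and the next) presumably calls `add_rule` with the same `target`, which `strtok_r` has by then cut down to `=attr`, so that lookup can only fail with "target type … does not exist" after the typeattribute rules were already added. Set a flag in the `=` branch and guard both the perm loop and the trailing `add_rule` fallback in the next hunk with it. The re-indented `vals[i++] = m;` also still has no bound on the 64-entry array, so a `-` list with more than 63 items writes past it; add `if (i >= 63) { fprintf(stderr, "too many excluded types\n"); return 1; }` before the store, leaving room for the NULL terminator. main's body continues outside the hunk.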