From a65c7ee2fcb0ecc546603e97384ef49ad6f245d5 Mon Sep 17 00:00:00 2001 From: topjohnwu Date: Sun, 16 Apr 2017 02:29:42 +0800 Subject: [PATCH] Integrate with unified daemon --- api.c | 17 +++++-- magiskpolicy.c | 31 ++++-------- magiskpolicy.h | 8 ++- rules.c | 123 ++++++++++++++++++++++++-------------------- sepolicy.c | 135 +++++++++++++++++++++++++++---------------------- sepolicy.h | 6 +-- 6 files changed, 174 insertions(+), 146 deletions(-) diff --git a/api.c b/api.c index 080265e0f..d5d7c29f4 100644 --- a/api.c +++ b/api.c @@ -2,44 +2,55 @@ #include "sepolicy.h" int sepol_allow(char *s, char *t, char *c, char *p) { + // printf("allow %s %s %s %s\n", s, t, c, p); return add_rule(s, t, c, p, AVTAB_ALLOWED, 0); } int sepol_deny(char *s, char *t, char *c, char *p) { + // printf("deny %s %s %s %s\n", s, t, c, p); return add_rule(s, t, c, p, AVTAB_ALLOWED, 1); } int sepol_auditallow(char *s, char *t, char *c, char *p) { + // printf("auditallow %s %s %s %s\n", s, t, c, p); return add_rule(s, t, c, p, AVTAB_AUDITALLOW, 0); } int sepol_auditdeny(char *s, char *t, char *c, char *p) { + // printf("auditdeny %s %s %s %s\n", s, t, c, p); return add_rule(s, t, c, p, AVTAB_AUDITDENY, 0); } int sepol_typetrans(char *s, char *t, char *c, char *d, char *o) { - if (o == NULL) + if (o == NULL) { + // printf("add_trans %s %s %s %s\n", s, t, c ,d); return add_transition(s, t, c, d); - else + } else { + // printf("add_file_trans %s %s %s %s %s\n", s, t, c ,d, o); return add_file_transition(s, t, c, d, o); + } } int sepol_permissive(char *s) { + // printf("permissive %s\n", s); return set_domain_state(s, 1); } int sepol_enforce(char *s) { + // printf("enforce %s\n", s); return set_domain_state(s, 0); } int sepol_create(char *s) { + // printf("create %s\n", s); return create_domain(s); } int sepol_attradd(char *s, char *a) { + // printf("attradd %s %s\n", s, a); return add_typeattribute(s, a); } int sepol_exists(char* source) { - return !! hashtab_search(policy->p_types.table, source); + return !! hashtab_search(policydb->p_types.table, source); } diff --git a/magiskpolicy.c b/magiskpolicy.c index b8c244f0f..ca6486f58 100644 --- a/magiskpolicy.c +++ b/magiskpolicy.c @@ -53,10 +53,10 @@ static void usage(char *arg0) { "%s [--options...] [policystatements...]\n\n" "Options:\n" " --live: directly load patched policy to device\n" - " --magisk: complete (very large!) patches for Magisk and MagiskSU\n" + // " --magisk: complete (very large!) patches for Magisk and MagiskSU\n" " --minimal: minimal patches, used for boot image patches\n" " --load : load policies from \n" - " (load from current policies if not specified)" + " (load from current policies if not specified)\n" " --save : save policies to \n" , arg0); statements(); @@ -270,7 +270,7 @@ static void syntax_error_msg() { int magiskpolicy_main(int argc, char *argv[]) { char *infile = NULL, *outfile = NULL, *tok, *saveptr; - int live = 0, minimal = 0, full = 0; + int live = 0, minimal = 0; struct vector rules; vec_init(&rules); @@ -280,8 +280,6 @@ int magiskpolicy_main(int argc, char *argv[]) { if (argv[i][0] == '-' && argv[i][1] == '-') { if (strcmp(argv[i], "--live") == 0) live = 1; - else if (strcmp(argv[i], "--magisk") == 0) - full = 1; else if (strcmp(argv[i], "--minimal") == 0) minimal = 1; else if (strcmp(argv[i], "--load") == 0) { @@ -298,28 +296,17 @@ int magiskpolicy_main(int argc, char *argv[]) { vec_push_back(&rules, argv[i]); } - policydb_t policydb; - sidtab_t sidtab; - - policy = &policydb; - // Use current policy if not specified if(!infile) infile = "/sys/fs/selinux/policy"; - sepol_set_policydb(&policydb); - sepol_set_sidtab(&sidtab); - - if (load_policy(infile)) { + if (load_policydb(infile)) { fprintf(stderr, "Could not load policy\n"); return 1; } - if (policydb_load_isids(&policydb, &sidtab)) - return 1; - - if (full) sepol_full_rules(); - else if (minimal) sepol_min_rules(); + if (minimal) + sepol_min_rules(); for (int i = 0; i < rules.size; ++i) { // Since strtok will modify the origin string, copy the policy for error messages @@ -363,15 +350,15 @@ int magiskpolicy_main(int argc, char *argv[]) { vec_destroy(&rules); if (live) - if (dump_policy("/sys/fs/selinux/load")) + if (dump_policydb("/sys/fs/selinux/load")) return 1; if (outfile) { unlink(outfile); - if (dump_policy(outfile)) + if (dump_policydb(outfile)) return 1; } - policydb_destroy(&policydb); + destroy_policydb(); return 0; } diff --git a/magiskpolicy.h b/magiskpolicy.h index d9d66785f..e45f9cd2d 100644 --- a/magiskpolicy.h +++ b/magiskpolicy.h @@ -8,6 +8,11 @@ #define ALL NULL +// policydb functions +int load_policydb(const char *filename); +int dump_policydb(const char *filename); +void destroy_policydb(); + // Handy functions int sepol_allow(char *s, char *t, char *c, char *p); int sepol_deny(char *s, char *t, char *c, char *p); @@ -21,7 +26,8 @@ int sepol_attradd(char *s, char *a); int sepol_exists(char *source); // Built in rules -void sepol_full_rules(); void sepol_min_rules(); +void sepol_med_rules(); +void sepol_full_rules(); #endif diff --git a/rules.c b/rules.c index 6fcdb071c..13210bb56 100644 --- a/rules.c +++ b/rules.c @@ -65,14 +65,16 @@ void samsung() { } void allowSuClient(char *target) { - sepol_allow(target, "rootfs", "file", "execute_no_trans"); - sepol_allow(target, "rootfs", "file", "execute"); + sepol_allow(target, "rootfs", "file", ALL); + sepol_allow(target, "rootfs", "lnk_file", ALL); sepol_allow(target, "su", "unix_stream_socket", "connectto"); sepol_allow(target, "su", "unix_stream_socket", "getopt"); sepol_allow(target, "su_device", "dir", "search"); sepol_allow(target, "su_device", "dir", "read"); sepol_allow(target, "su_device", "sock_file", "read"); sepol_allow(target, "su_device", "sock_file", "write"); + sepol_allow("su", target, "fd", "use"); + sepol_allow("su", target, "fifo_file", ALL); } void suRights() { @@ -83,6 +85,16 @@ void suRights() { sepol_allow("servicemanager", "su", "process", "getattr"); sepol_allow("servicemanager", "su", "binder", "transfer"); sepol_allow("system_server", "su", "binder", "call"); + + sepol_allow("su", "servicemanager", "dir", "search"); + sepol_allow("su", "servicemanager", "dir", "read"); + sepol_allow("su", "servicemanager", "file", "open"); + sepol_allow("su", "servicemanager", "file", "read"); + sepol_allow("su", "servicemanager", "process", "getattr"); + sepol_allow("su", "servicemanager", "binder", "transfer"); + sepol_allow("su", "servicemanager", "binder", "call"); + sepol_allow("su", "system_server", "binder", "transfer"); + sepol_allow("su", "system_server", "binder", "call"); } void otherToSU() { @@ -129,61 +141,17 @@ void otherToSU() { sepol_allow("audioserver", "audioserver", "process", "execmem"); } -void sepol_full_rules() { - // Samsung specific - // Prevent system from loading policy - if(sepol_exists("knox_system_app")) - samsung(); - - // Min rules first - sepol_min_rules(); - - // Create domains if they don't exist - if (!sepol_exists("su_device")) - sepol_create("su_device"); - sepol_enforce("su_device"); - - // Patch su to everything - sepol_allow("su", ALL, ALL, ALL); - - // Autotransition su's socket to su_device - sepol_typetrans("su", "device", "file", "su_device", NULL); - sepol_typetrans("su", "device", "dir", "su_device", NULL); - sepol_allow("su_device", "tmpfs", "filesystem", "associate"); - - // Transition from untrusted_app to su_client - allowSuClient("shell"); - allowSuClient("untrusted_app"); - allowSuClient("system_app"); - allowSuClient("platform_app"); - if (sepol_exists("priv_app")) - allowSuClient("priv_app"); - if (sepol_exists("ssd_tool")) - allowSuClient("ssd_tool"); - - // Allow init to execute su daemon/transition - sepol_allow("init", "su", "process", "transition"); - sepol_allow("init", "su", "process", "rlimitinh"); - sepol_allow("init", "su", "process", "siginh"); - sepol_allow("init", "su", "process", "noatsecure"); - suRights(); - otherToSU(); - - // Need to set su_device/su as trusted to be accessible from other categories - sepol_attradd("su_device", "mlstrustedobject"); - sepol_attradd("su", "mlstrustedsubject"); - -} - -// Minimal to run Magisk script before live patching +// Minimal boot image patch, Samsung requires these patches void sepol_min_rules() { - if (!sepol_exists("su")) sepol_create("su"); + if (!sepol_exists("su_device")) + sepol_create("su_device"); sepol_permissive("su"); sepol_permissive("init"); sepol_attradd("su", "mlstrustedsubject"); + sepol_attradd("su_device", "mlstrustedobject"); // Let init run stuffs in su context sepol_allow("kernel", "su", "fd", "use"); @@ -192,11 +160,27 @@ void sepol_min_rules() { sepol_allow("init", "system_file", "lnk_file", ALL); sepol_allow("init", "system_file", "file", ALL); - // Misc: basic shell scripts, prop management etc. + // Samsung specific + // Prevent system from loading policy + if(sepol_exists("knox_system_app")) + samsung(); + + // Shell, prop management, simple su rights sepol_allow("su", "property_socket", "sock_file", "write"); if (sepol_exists("default_prop")) sepol_allow("su", "default_prop", "property_service", "set"); sepol_allow("su", "init", "unix_stream_socket", "connectto"); + sepol_allow("su", "rootfs", "file", "entrypoint"); + sepol_allow("su", "devpts", "chr_file", ALL); + sepol_allow("su", "untrusted_app_devpts", "chr_file", ALL); + sepol_allow("su", "su_device", "dir", ALL); + sepol_allow("su", "su_device", "sock_file", ALL); + sepol_allow("su", "zygote_exec", "file", ALL); + sepol_allow("su", "zygote_exec", "lnk_file", ALL); + sepol_allow("su", "app_data_file", "dir", ALL); + sepol_allow("su", "app_data_file", "file", ALL); + sepol_allow("su", "toolbox_exec", "file", ALL); + sepol_allow("su", "shell_exec", "file", ALL); sepol_allow("su", "su", "unix_dgram_socket", ALL); sepol_allow("su", "su", "unix_stream_socket", ALL); sepol_allow("su", "su", "process", ALL); @@ -206,10 +190,10 @@ void sepol_min_rules() { sepol_allow("su", "su", "lnk_file", ALL); sepol_allow("su", "su", "dir", ALL); - // Allow su to do anything to files/dir/links - sepol_allow("su", ALL, "file", ALL); - sepol_allow("su", ALL, "dir", ALL); - sepol_allow("su", ALL, "lnk_file", ALL); + // Autotransition su socket to su_device + sepol_typetrans("su", "device", "file", "su_device", NULL); + sepol_typetrans("su", "device", "dir", "su_device", NULL); + sepol_allow("su_device", "tmpfs", "filesystem", "associate"); // For sepolicy live patching sepol_allow("su", "kernel", "security", "read_policy"); @@ -226,5 +210,32 @@ void sepol_min_rules() { // Xposed sepol_allow("untrusted_app", "untrusted_app", "capability", "setgid"); sepol_allow("system_server", "dex2oat_exec", "file", ALL); - } + +void sepol_med_rules() { + sepol_min_rules(); + + // Allow su to do anything to any files/dir/links + sepol_allow("su", ALL, "file", ALL); + sepol_allow("su", ALL, "dir", ALL); + sepol_allow("su", ALL, "lnk_file", ALL); + + // Allow these client to access su + allowSuClient("shell"); + allowSuClient("untrusted_app"); + allowSuClient("system_app"); + allowSuClient("platform_app"); + if (sepol_exists("priv_app")) + allowSuClient("priv_app"); + if (sepol_exists("ssd_tool")) + allowSuClient("ssd_tool"); + + suRights(); + otherToSU(); +} + +void sepol_full_rules() { + // Patch su to everything + sepol_allow("su", ALL, ALL, ALL); +} + diff --git a/sepolicy.c b/sepolicy.c index 5694e8558..1e783d8e9 100644 --- a/sepolicy.c +++ b/sepolicy.c @@ -1,6 +1,8 @@ #include "magiskpolicy.h" #include "sepolicy.h" +policydb_t *policydb = NULL; + static void *cmalloc(size_t s) { void *t = malloc(s); if (t == NULL) { @@ -11,19 +13,19 @@ static void *cmalloc(size_t s) { } static int get_attr(char *type, int value) { - type_datum_t *attr = hashtab_search(policy->p_types.table, type); + type_datum_t *attr = hashtab_search(policydb->p_types.table, type); if (!attr) return 1; if (attr->flavor != TYPE_ATTRIB) return 1; - return !! ebitmap_get_bit(&policy->attr_type_map[attr->s.value-1], value-1); - //return !! ebitmap_get_bit(&policy->type_attr_map[value-1], attr->s.value-1); + return !! ebitmap_get_bit(&policydb->attr_type_map[attr->s.value-1], value-1); + //return !! ebitmap_get_bit(&policydb->type_attr_map[value-1], attr->s.value-1); } static int get_attr_id(char *type) { - type_datum_t *attr = hashtab_search(policy->p_types.table, type); + type_datum_t *attr = hashtab_search(policydb->p_types.table, type); if (!attr) return 1; @@ -34,16 +36,16 @@ static int get_attr_id(char *type) { } static int set_attr(char *type, int value) { - type_datum_t *attr = hashtab_search(policy->p_types.table, type); + type_datum_t *attr = hashtab_search(policydb->p_types.table, type); if (!attr) return 1; if (attr->flavor != TYPE_ATTRIB) return 1; - if(ebitmap_set_bit(&policy->type_attr_map[value-1], attr->s.value-1, 1)) + if(ebitmap_set_bit(&policydb->type_attr_map[value-1], attr->s.value-1, 1)) return 1; - if(ebitmap_set_bit(&policy->attr_type_map[attr->s.value-1], value-1, 1)) + if(ebitmap_set_bit(&policydb->attr_type_map[attr->s.value-1], value-1, 1)) return 1; return 0; @@ -57,13 +59,13 @@ static int add_irule(int s, int t, int c, int p, int effect, int not) { key.target_type = t; key.target_class = c; key.specified = effect; - av = avtab_search(&policy->te_avtab, &key); + av = avtab_search(&policydb->te_avtab, &key); if (av == NULL) { av = cmalloc(sizeof(*av)); memset(av, 0, sizeof(*av)); av->data |= 1U << (p - 1); - int ret = avtab_insert(&policy->te_avtab, &key, av); + int ret = avtab_insert(&policydb->te_avtab, &key, av); if (ret) { fprintf(stderr, "Error inserting into avtab\n"); return 1; @@ -82,19 +84,19 @@ static int add_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum_t *cl int ret = 0; if (src == NULL) { - hashtab_for_each(policy->p_types.table, &cur) { + hashtab_for_each(policydb->p_types.table, &cur) { src = cur->datum; if(add_rule_auto(src, tgt, cls, perm, effect, not)) return 1; } } else if (tgt == NULL) { - hashtab_for_each(policy->p_types.table, &cur) { + hashtab_for_each(policydb->p_types.table, &cur) { tgt = cur->datum; if(add_rule_auto(src, tgt, cls, perm, effect, not)) return 1; } } else if (cls == NULL) { - hashtab_for_each(policy->p_classes.table, &cur) { + hashtab_for_each(policydb->p_classes.table, &cur) { cls = cur->datum; if(add_rule_auto(src, tgt, cls, perm, effect, not)) return 1; @@ -118,18 +120,18 @@ static int add_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum_t *cl int i, j; if (src->flavor == TYPE_ATTRIB) { if (tgt->flavor == TYPE_ATTRIB) { - ebitmap_for_each_bit(&policy->attr_type_map[src->s.value-1], s_node, i) - ebitmap_for_each_bit(&policy->attr_type_map[tgt->s.value-1], t_node, j) + ebitmap_for_each_bit(&policydb->attr_type_map[src->s.value-1], s_node, i) + ebitmap_for_each_bit(&policydb->attr_type_map[tgt->s.value-1], t_node, j) if(ebitmap_node_get_bit(s_node, i) && ebitmap_node_get_bit(t_node, j)) ret |= add_irule(i + 1, j + 1, cls->s.value, perm->s.value, effect, not); } else { - ebitmap_for_each_bit(&policy->attr_type_map[src->s.value-1], s_node, i) + ebitmap_for_each_bit(&policydb->attr_type_map[src->s.value-1], s_node, i) if(ebitmap_node_get_bit(s_node, i)) ret |= add_irule(i + 1, tgt->s.value, cls->s.value, perm->s.value, effect, not); } } else if (tgt->flavor == TYPE_ATTRIB) { - ebitmap_for_each_bit(&policy->attr_type_map[tgt->s.value-1], t_node, j) + ebitmap_for_each_bit(&policydb->attr_type_map[tgt->s.value-1], t_node, j) if(ebitmap_node_get_bit(t_node, j)) ret |= add_irule(src->s.value, j + 1, cls->s.value, perm->s.value, effect, not); } else @@ -138,13 +140,18 @@ static int add_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum_t *cl return ret; } -int load_policy(const char *filename) { +int load_policydb(const char *filename) { int fd; struct stat sb; struct policy_file pf; void *map; int ret; + if (policydb) + destroy_policydb(); + + policydb = cmalloc(sizeof(*policydb)); + fd = open(filename, O_RDONLY); if (fd < 0) { fprintf(stderr, "Can't open '%s': %s\n", @@ -168,26 +175,28 @@ int load_policy(const char *filename) { pf.type = PF_USE_MEMORY; pf.data = map; pf.len = sb.st_size; - if (policydb_init(policy)) { + if (policydb_init(policydb)) { fprintf(stderr, "policydb_init: Out of memory!\n"); return 1; } - ret = policydb_read(policy, &pf, 0); + ret = policydb_read(policydb, &pf, 0); if (ret) { fprintf(stderr, "error(s) encountered while parsing configuration\n"); return 1; } + close(fd); + return 0; } -int dump_policy(const char *filename) { +int dump_policydb(const char *filename) { int fd, ret; void *data = NULL; size_t len; - policydb_to_image(NULL, policy, &data, &len); + policydb_to_image(NULL, policydb, &data, &len); if (data == NULL) { - fprintf(stderr, "Fail to dump policydb image!"); + fprintf(stderr, "Fail to dump policy image!"); return 1; } @@ -207,8 +216,14 @@ int dump_policy(const char *filename) { return 0; } +void destroy_policydb() { + policydb_destroy(policydb); + free(policydb); + policydb = NULL; +} + int create_domain(char *d) { - symtab_datum_t *src = hashtab_search(policy->p_types.table, d); + symtab_datum_t *src = hashtab_search(policydb->p_types.table, d); if(src) return 1; @@ -218,40 +233,38 @@ int create_domain(char *d) { typdatum->flavor = TYPE_TYPE; uint32_t value = 0; - int r = symtab_insert(policy, SYM_TYPES, strdup(d), typdatum, SCOPE_DECL, 1, &value); + int r = symtab_insert(policydb, SYM_TYPES, strdup(d), typdatum, SCOPE_DECL, 1, &value); typdatum->s.value = value; - if (ebitmap_set_bit(&policy->global->branch_list->declared.scope[SYM_TYPES], value - 1, 1)) { + if (ebitmap_set_bit(&policydb->global->branch_list->declared.scope[SYM_TYPES], value - 1, 1)) { return 1; } - policy->type_attr_map = realloc(policy->type_attr_map, sizeof(ebitmap_t)*policy->p_types.nprim); - policy->attr_type_map = realloc(policy->attr_type_map, sizeof(ebitmap_t)*policy->p_types.nprim); - ebitmap_init(&policy->type_attr_map[value-1]); - ebitmap_init(&policy->attr_type_map[value-1]); - ebitmap_set_bit(&policy->type_attr_map[value-1], value-1, 1); + policydb->type_attr_map = realloc(policydb->type_attr_map, sizeof(ebitmap_t)*policydb->p_types.nprim); + policydb->attr_type_map = realloc(policydb->attr_type_map, sizeof(ebitmap_t)*policydb->p_types.nprim); + ebitmap_init(&policydb->type_attr_map[value-1]); + ebitmap_init(&policydb->attr_type_map[value-1]); + ebitmap_set_bit(&policydb->type_attr_map[value-1], value-1, 1); //Add the domain to all roles - for(unsigned i=0; ip_roles.nprim; ++i) { + for(unsigned i=0; ip_roles.nprim; ++i) { //Not sure all those three calls are needed - ebitmap_set_bit(&policy->role_val_to_struct[i]->types.negset, value-1, 0); - ebitmap_set_bit(&policy->role_val_to_struct[i]->types.types, value-1, 1); - type_set_expand(&policy->role_val_to_struct[i]->types, &policy->role_val_to_struct[i]->cache, policy, 0); + ebitmap_set_bit(&policydb->role_val_to_struct[i]->types.negset, value-1, 0); + ebitmap_set_bit(&policydb->role_val_to_struct[i]->types.types, value-1, 1); + type_set_expand(&policydb->role_val_to_struct[i]->types, &policydb->role_val_to_struct[i]->cache, policydb, 0); } - - src = hashtab_search(policy->p_types.table, d); + src = hashtab_search(policydb->p_types.table, d); if(!src) return 1; - extern int policydb_index_decls(policydb_t * p); - if(policydb_index_decls(policy)) + if(policydb_index_decls(NULL, policydb)) return 1; - if(policydb_index_classes(policy)) + if(policydb_index_classes(policydb)) return 1; - if(policydb_index_others(NULL, policy, 0)) + if(policydb_index_others(NULL, policydb, 0)) return 1; return set_attr("domain", value); @@ -261,20 +274,20 @@ int set_domain_state(char* s, int state) { type_datum_t *type; hashtab_ptr_t cur; if (s == NULL) { - hashtab_for_each(policy->p_types.table, &cur) { + hashtab_for_each(policydb->p_types.table, &cur) { type = cur->datum; - if (ebitmap_set_bit(&policy->permissive_map, type->s.value, state)) { + if (ebitmap_set_bit(&policydb->permissive_map, type->s.value, state)) { fprintf(stderr, "Could not set bit in permissive map\n"); return 1; } } } else { - type = hashtab_search(policy->p_types.table, s); + type = hashtab_search(policydb->p_types.table, s); if (type == NULL) { fprintf(stderr, "type %s does not exist\n", s); return 1; } - if (ebitmap_set_bit(&policy->permissive_map, type->s.value, state)) { + if (ebitmap_set_bit(&policydb->permissive_map, type->s.value, state)) { fprintf(stderr, "Could not set bit in permissive map\n"); return 1; } @@ -290,22 +303,22 @@ int add_transition(char *s, char *t, char *c, char *d) { avtab_datum_t *av; avtab_key_t key; - src = hashtab_search(policy->p_types.table, s); + src = hashtab_search(policydb->p_types.table, s); if (src == NULL) { fprintf(stderr, "source type %s does not exist\n", s); return 1; } - tgt = hashtab_search(policy->p_types.table, t); + tgt = hashtab_search(policydb->p_types.table, t); if (tgt == NULL) { fprintf(stderr, "target type %s does not exist\n", t); return 1; } - cls = hashtab_search(policy->p_classes.table, c); + cls = hashtab_search(policydb->p_classes.table, c); if (cls == NULL) { fprintf(stderr, "class %s does not exist\n", c); return 1; } - def = hashtab_search(policy->p_types.table, d); + def = hashtab_search(policydb->p_types.table, d); if (def == NULL) { fprintf(stderr, "default type %s does not exist\n", d); return 1; @@ -315,12 +328,12 @@ int add_transition(char *s, char *t, char *c, char *d) { key.target_type = tgt->s.value; key.target_class = cls->s.value; key.specified = AVTAB_TRANSITION; - av = avtab_search(&policy->te_avtab, &key); + av = avtab_search(&policydb->te_avtab, &key); if (av == NULL) { av = cmalloc(sizeof(*av)); av->data = def->s.value; - int ret = avtab_insert(&policy->te_avtab, &key, av); + int ret = avtab_insert(&policydb->te_avtab, &key, av); if (ret) { fprintf(stderr, "Error inserting into avtab\n"); return 1; @@ -337,22 +350,22 @@ int add_file_transition(char *s, char *t, char *c, char *d, char* filename) { type_datum_t *src, *tgt, *def; class_datum_t *cls; - src = hashtab_search(policy->p_types.table, s); + src = hashtab_search(policydb->p_types.table, s); if (src == NULL) { fprintf(stderr, "source type %s does not exist\n", s); return 1; } - tgt = hashtab_search(policy->p_types.table, t); + tgt = hashtab_search(policydb->p_types.table, t); if (tgt == NULL) { fprintf(stderr, "target type %s does not exist\n", t); return 1; } - cls = hashtab_search(policy->p_classes.table, c); + cls = hashtab_search(policydb->p_classes.table, c); if (cls == NULL) { fprintf(stderr, "class %s does not exist\n", c); return 1; } - def = hashtab_search(policy->p_types.table, d); + def = hashtab_search(policydb->p_types.table, d); if (def == NULL) { fprintf(stderr, "default type %s does not exist\n", d); return 1; @@ -367,7 +380,7 @@ int add_file_transition(char *s, char *t, char *c, char *d, char* filename) { filename_trans_datum_t *new_trans_datam = cmalloc(sizeof(*new_trans_datam)); new_trans_datam->otype = def->s.value; - hashtab_insert(policy->filename_trans, (hashtab_key_t) new_trans_key, new_trans_datam); + hashtab_insert(policydb->filename_trans, (hashtab_key_t) new_trans_key, new_trans_datam); return 0; } @@ -375,7 +388,7 @@ int add_file_transition(char *s, char *t, char *c, char *d, char* filename) { int add_typeattribute(char *domainS, char *attr) { type_datum_t *domain; - domain = hashtab_search(policy->p_types.table, domainS); + domain = hashtab_search(policydb->p_types.table, domainS); if (domain == NULL) { fprintf(stderr, "source type %s does not exist\n", domainS); return 1; @@ -386,8 +399,8 @@ int add_typeattribute(char *domainS, char *attr) { int typeId = get_attr_id(attr); //Now let's update all constraints! //(kernel doesn't support (yet?) type_names rules) - for(int i=0; ip_classes.nprim; ++i) { - class_datum_t *cl = policy->class_val_to_struct[i]; + for(int i=0; ip_classes.nprim; ++i) { + class_datum_t *cl = policydb->class_val_to_struct[i]; for(constraint_node_t *n = cl->constraints; n ; n=n->next) { for(constraint_expr_t *e = n->expr; e; e=e->next) { if(e->expr_type == CEXPR_NAMES) { @@ -407,7 +420,7 @@ int add_rule(char *s, char *t, char *c, char *p, int effect, int not) { perm_datum_t *perm = NULL; if (s) { - src = hashtab_search(policy->p_types.table, s); + src = hashtab_search(policydb->p_types.table, s); if (src == NULL) { fprintf(stderr, "source type %s does not exist\n", s); return 1; @@ -415,7 +428,7 @@ int add_rule(char *s, char *t, char *c, char *p, int effect, int not) { } if (t) { - tgt = hashtab_search(policy->p_types.table, t); + tgt = hashtab_search(policydb->p_types.table, t); if (tgt == NULL) { fprintf(stderr, "target type %s does not exist\n", t); return 1; @@ -423,7 +436,7 @@ int add_rule(char *s, char *t, char *c, char *p, int effect, int not) { } if (c) { - cls = hashtab_search(policy->p_classes.table, c); + cls = hashtab_search(policydb->p_classes.table, c); if (cls == NULL) { fprintf(stderr, "class %s does not exist\n", c); return 1; diff --git a/sepolicy.h b/sepolicy.h index 4fafa6636..e7e2ca36d 100644 --- a/sepolicy.h +++ b/sepolicy.h @@ -33,11 +33,9 @@ for (*ptr = table->htable[_i]; *ptr != NULL; *ptr = (*ptr)->next) // Global policydb -policydb_t *policy; +extern policydb_t *policydb; // sepolicy manipulation functions -int load_policy(const char *filename); -int dump_policy(const char *filename); int create_domain(char *d); int set_domain_state(char* s, int state); int add_transition(char *s, char *t, char *c, char *d); @@ -45,4 +43,6 @@ int add_file_transition(char *s, char *t, char *c, char *d, char* filename); int add_typeattribute(char *domainS, char *attr); int add_rule(char *s, char *t, char *c, char *p, int effect, int not); +extern int policydb_index_decls(sepol_handle_t * handle, policydb_t * p); + #endif