123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296 |
- #include <getopt.h>
- #include <unistd.h>
- #include <stdlib.h>
- #include <sys/mman.h>
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <fcntl.h>
- #include <stdio.h>
- #include <sepol/policydb/policydb.h>
- #include <sepol/policydb/services.h>
- #include <sepol/policydb/expand.h>
- #define EQUALS 0
- #define NOT 1
- #define ANY 2
- void usage(char *arg0) {
- fprintf(stderr, "%s -s <source> -t <target> -c <class> -p <perm> -P <policy file>\n", arg0);
- exit(1);
- }
- void *cmalloc(size_t s) {
- void *t = malloc(s);
- if (t == NULL) {
- fprintf(stderr, "Out of memory\n");
- exit(1);
- }
- return t;
- }
- int parse_ops(char **arg) {
- switch (*arg[0]) {
- case '-':
- *arg = *arg + 1;
- return NOT;
- case '*':
- return ANY;
- default:
- return EQUALS;
- }
- }
- int check(int op, uint16_t arg1, uint16_t arg2) {
- switch (op) {
- case EQUALS:
- return arg1 == arg2;
- case NOT:
- return arg1 != arg2;
- case ANY:
- return 1;
- default:
- fprintf(stderr, "Bad op while checking!");
- return 2;
- }
- }
- int check_perm(avtab_ptr_t current, perm_datum_t *perm) {
- uint16_t perm_bitmask = 1U << (perm->s.value - 1);
- return (current->datum.data & perm_bitmask) != 0;
- }
- int expand_and_check(int s_op, uint32_t source_type,
- int t_op, uint32_t target_type,
- int c_op, uint32_t target_class,
- perm_datum_t *perm, policydb_t *policy, avtab_t *avtab) {
- avtab_t exp_avtab;
- avtab_ptr_t cur;
- unsigned int i;
- int match;
- if (avtab_init(&exp_avtab)) {
- fputs("out of memory\n", stderr);
- return -1;
- }
- if (expand_avtab(policy, avtab, &exp_avtab)) {
- fputs("out of memory\n", stderr);
- avtab_destroy(&exp_avtab);
- return -1;
- }
- for (i = 0; i < exp_avtab.nslot; i++) {
- for (cur = exp_avtab.htable[i]; cur; cur = cur->next) {
- match = 1;
- match &= check(s_op, source_type, cur->key.source_type);
- match &= check(t_op, target_type, cur->key.target_type);
- match &= check(c_op, target_class, cur->key.target_class);
- match &= check_perm(cur, perm);
- if (match) {
- avtab_destroy(&exp_avtab);
- return 1;
- }
- }
- }
- avtab_destroy(&exp_avtab);
- return 0;
- }
- /*
- * Checks to see if a rule matching the given arguments already exists.
- *
- * The format for the arguments is as follows:
- *
- * - A bare string is treated as a literal and will be matched by equality.
- * - A string starting with "-" will be matched by inequality.
- * - A string starting with "*" will be treated as a wildcard.
- *
- * The return codes for this function are as follows:
- *
- * - 0 indicates a successful return without a match
- * - 1 indicates a successful return with a match
- * - -1 indicates an error
- */
- int check_rule(char *s, char *t, char *c, char *p, policydb_t *policy) {
- type_datum_t *src = NULL;
- type_datum_t *tgt = NULL;
- class_datum_t *cls = NULL;
- perm_datum_t *perm = NULL;
- int s_op = parse_ops(&s);
- int t_op = parse_ops(&t);
- int c_op = parse_ops(&c);
- int p_op = parse_ops(&p);
- avtab_key_t key;
- int match;
- key.source_type = key.target_type = key.target_class = 0;
- if (s_op != ANY) {
- src = hashtab_search(policy->p_types.table, s);
- if (src == NULL) {
- fprintf(stderr, "source type %s does not exist\n", s);
- return -1;
- }
- }
- if (t_op != ANY) {
- tgt = hashtab_search(policy->p_types.table, t);
- if (tgt == NULL) {
- fprintf(stderr, "target type %s does not exist\n", t);
- return -1;
- }
- }
- if (c_op != ANY) {
- cls = hashtab_search(policy->p_classes.table, c);
- if (cls == NULL) {
- fprintf(stderr, "class %s does not exist\n", c);
- return -1;
- }
- }
- if (p_op != ANY) {
- perm = hashtab_search(cls->permissions.table, p);
- if (perm == NULL) {
- if (cls->comdatum == NULL) {
- fprintf(stderr, "perm %s does not exist in class %s\n", p, c);
- return -1;
- }
- perm = hashtab_search(cls->comdatum->permissions.table, p);
- if (perm == NULL) {
- fprintf(stderr, "perm %s does not exist in class %s\n", p, c);
- return -1;
- }
- }
- }
- if (s_op != ANY)
- key.source_type = src->s.value;
- if (t_op != ANY)
- key.target_type = tgt->s.value;
- if (c_op != ANY)
- key.target_class = cls->s.value;
- /* Check unconditional rules after attribute expansion. */
- match = expand_and_check(s_op, key.source_type,
- t_op, key.target_type,
- c_op, key.target_class,
- perm, policy, &policy->te_avtab);
- if (match)
- return match;
- /* Check conditional rules after attribute expansion. */
- return expand_and_check(s_op, key.source_type,
- t_op, key.target_type,
- c_op, key.target_class,
- perm, policy, &policy->te_cond_avtab);
- }
- int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf) {
- int fd;
- struct stat sb;
- void *map;
- int ret;
- fd = open(filename, O_RDONLY);
- if (fd < 0) {
- fprintf(stderr, "Can't open '%s': %s\n", filename, strerror(errno));
- return 1;
- }
- if (fstat(fd, &sb) < 0) {
- fprintf(stderr, "Can't stat '%s': %s\n", filename, strerror(errno));
- close(fd);
- return 1;
- }
- map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
- if (map == MAP_FAILED) {
- fprintf(stderr, "Can't mmap '%s': %s\n", filename, strerror(errno));
- close(fd);
- return 1;
- }
- policy_file_init(pf);
- pf->type = PF_USE_MEMORY;
- pf->data = map;
- pf->len = sb.st_size;
- if (policydb_init(policydb)) {
- fprintf(stderr, "Could not initialize policydb!\n");
- close(fd);
- munmap(map, sb.st_size);
- return 1;
- }
- ret = policydb_read(policydb, pf, 0);
- if (ret) {
- fprintf(stderr, "error(s) encountered while parsing configuration\n");
- close(fd);
- munmap(map, sb.st_size);
- return 1;
- }
- return 0;
- }
- int main(int argc, char **argv)
- {
- char *policy = NULL, *source = NULL, *target = NULL, *class = NULL, *perm = NULL;
- policydb_t policydb;
- struct policy_file pf;
- sidtab_t sidtab;
- char ch;
- int match = 1;
- struct option long_options[] = {
- {"source", required_argument, NULL, 's'},
- {"target", required_argument, NULL, 't'},
- {"class", required_argument, NULL, 'c'},
- {"perm", required_argument, NULL, 'p'},
- {"policy", required_argument, NULL, 'P'},
- {NULL, 0, NULL, 0}
- };
- while ((ch = getopt_long(argc, argv, "s:t:c:p:P:", long_options, NULL)) != -1) {
- switch (ch) {
- case 's':
- source = optarg;
- break;
- case 't':
- target = optarg;
- break;
- case 'c':
- class = optarg;
- break;
- case 'p':
- perm = optarg;
- break;
- case 'P':
- policy = optarg;
- break;
- default:
- usage(argv[0]);
- }
- }
- if (!source || !target || !class || !perm || !policy)
- usage(argv[0]);
- sepol_set_policydb(&policydb);
- sepol_set_sidtab(&sidtab);
- if (load_policy(policy, &policydb, &pf))
- goto out;
- match = check_rule(source, target, class, perm, &policydb);
- if (match < 0) {
- fprintf(stderr, "Error checking rules!\n");
- goto out;
- } else if (match > 0) {
- printf("Match found!\n");
- goto out;
- }
- match = 0;
- out:
- policydb_destroy(&policydb);
- return match;
- }
|