1 /* Authors: Frank Mayer <[email protected]>
2  *   and Karl MacMillan <[email protected]>
3  *
4  * Copyright (C) 2003,2010 Tresys Technology, LLC
5  *
6  *	This program is free software; you can redistribute it and/or
7  *  	modify it under the terms of the GNU General Public License as
8  *  	published by the Free Software Foundation, version 2.
9  *
10  * Adapted from dispol.c.
11  *
12  * This program is used by sepolgen-ifgen to get the access for all of
13  * the attributes in the policy so that it can resolve the
14  * typeattribute statements in the interfaces.
15  *
16  * It outputs the attribute access in a similar format to what sepolgen
17  * uses to store interface vectors:
18  *   [Attribute sandbox_x_domain]
19  *   sandbox_x_domain,samba_var_t,file,ioctl,read,getattr,lock,open
20  *   sandbox_x_domain,samba_var_t,dir,getattr,search,open
21  *   sandbox_x_domain,initrc_var_run_t,file,ioctl,read,getattr,lock,open
22  *
23  */
24 
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/avtab.h>
#include <sepol/policydb/util.h>

#include <selinux/selinux.h>

#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
38 
/*
 * Lookup cookie for perm_name(): the caller fills in val with the
 * permission value it wants, walks a permission table with hashtab_map(),
 * and perm_name() stores the key (permission name) of the matching entry
 * in name.
 */
struct val_to_name {
	unsigned int val;	/* permission value being searched for (1-based) */
	char *name;		/* set by perm_name() to the matching hashtab key */
};
43 
/*
 * hashtab_map() callback over a permission table: report whether this
 * entry carries the permission value the caller is looking for.
 *
 * @param key    permission name (the hashtab key)
 * @param datum  perm_datum_t of that permission
 * @param data   struct val_to_name: val is the wanted value; name receives key
 * @return 1 when the entry matches (name has been filled in), which stops
 *         the walk and is what render_access_mask() treats as "found";
 *         0 to keep walking
 */
static int perm_name(hashtab_key_t key, hashtab_datum_t datum, void *data)
{
	struct val_to_name *lookup = data;
	const perm_datum_t *entry = datum;

	if (lookup->val != entry->s.value)
		return 0;

	lookup->name = key;
	return 1;
}
58 
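/*
 * Append the names of the permissions set in @av to @fp, one ",name" per
 * bit in ascending value order.  render_key() is expected to have written
 * the "source,target,class" triple just before.
 *
 * Permission values are 1-based: bit i of the access vector is value i + 1.
 * A name is looked up in the class's own permission table first and, if the
 * class inherits a common, in the common's table.
 *
 * @param av         access vector (allowed permission bits)
 * @param key        avtab key; only key->target_class is used
 * @param policydbp  policy providing class_val_to_struct
 * @param fp         output stream
 * @return 0 on success, -1 if key->target_class is not a valid class value
 */
static int render_access_mask(uint32_t av, avtab_key_t *key, policydb_t *policydbp,
		       FILE *fp)
{
	struct val_to_name v;
	class_datum_t *cladatum;
	unsigned int i;
	int rc;
	uint32_t tclass = key->target_class;

	/* Class values are 1-based; refuse an index outside the table. */
	if (tclass == 0 || tclass > policydbp->p_classes.nprim)
		return -1;

	cladatum = policydbp->class_val_to_struct[tclass - 1];

	/*
	 * Bound the loop by the width of the access vector as well: shifting
	 * by >= 32 would be undefined behavior whatever nprim says.
	 */
	for (i = 0; i < cladatum->permissions.nprim && i < CHAR_BIT * sizeof av; i++) {
		/* Unsigned shift: (1 << 31) on a plain int is undefined behavior. */
		if (!(av & ((uint32_t)1 << i)))
			continue;

		v.val = i + 1;
		v.name = NULL;	/* never carry a name over from the previous bit */
		rc = hashtab_map(cladatum->permissions.table, perm_name, &v);
		if (!rc && cladatum->comdatum) {
			rc = hashtab_map(cladatum->comdatum->permissions.table,
					 perm_name, &v);
		}
		/* Only print a name that was resolved for this very bit. */
		if (rc && v.name)
			fprintf(fp, ",%s", v.name);
	}

	return 0;
}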
90 
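/*
 * Write the "source_type,target_type,class" triple for @key to @fp.
 *
 * Type and class values are 1-based indices into the policy's
 * value-to-name tables; a value of 0 or one past the symbol count must
 * not be used as an index.
 *
 * @param key  avtab key whose source type, target type and class are rendered
 * @param p    policy providing p_type_val_to_name / p_class_val_to_name
 * @param fp   output stream
 * @return 0 on success; if any of the three names cannot be resolved the
 *         process reports on stderr and exits with status 1
 */
static int render_key(avtab_key_t *key, policydb_t *p, FILE *fp)
{
	const char *stype = NULL, *ttype = NULL, *tclass = NULL;

	if (key->source_type >= 1 && key->source_type <= p->p_types.nprim)
		stype = p->p_type_val_to_name[key->source_type - 1];
	if (key->target_type >= 1 && key->target_type <= p->p_types.nprim)
		ttype = p->p_type_val_to_name[key->target_type - 1];
	if (key->target_class >= 1 && key->target_class <= p->p_classes.nprim)
		tclass = p->p_class_val_to_name[key->target_class - 1];

	/* The class name is checked too: passing NULL to %s is undefined. */
	if (!stype || !ttype || !tclass) {
		fprintf(stderr, "error rendering key\n");
		exit(1);
	}

	fprintf(fp, "%s,%s,%s", stype, ttype, tclass);

	return 0;
}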
106 
/*
 * State shared between attribute_callback() and output_avrule() while the
 * type table and the avtabs are walked.
 */
struct callback_data
{
	uint32_t attr;		/* value of the attribute currently being printed;
				 * set by attribute_callback(), matched against
				 * key->source_type by output_avrule() */
	policydb_t *policy;	/* policy whose te_avtab / te_cond_avtab are walked */
	FILE *fp;		/* output stream for the attribute sections */
};
113 
/*
 * avtab_map() callback: print one allow rule whose source is the attribute
 * currently selected in the callback data, as
 * "source,target,class,perm,perm,...\n".
 *
 * @param key    avtab key of the rule
 * @param datum  avtab datum; datum->data is the access vector
 * @param args   struct callback_data with the wanted attribute, policy and stream
 * @return 0 always (continues the walk)
 */
static int output_avrule(avtab_key_t *key, avtab_datum_t *datum, void *args)
{
	struct callback_data *ctx = args;
	uint16_t spec = key->specified;

	/* Only rules originating from the selected attribute. */
	if (key->source_type != ctx->attr)
		return 0;

	/* Only AV rules that are allow rules. */
	if (!(spec & AVTAB_AV) || !(spec & AVTAB_ALLOWED))
		return 0;

	render_key(key, ctx->policy, ctx->fp);
	render_access_mask(datum->data, key, ctx->policy, ctx->fp);
	fputc('\n', ctx->fp);

	return 0;
}
130 
/*
 * hashtab_map() callback over the type table: for every attribute, print an
 * "[Attribute NAME]" header and then walk both the unconditional and the
 * conditional avtab printing its allow rules via output_avrule().
 *
 * @param key    type/attribute name
 * @param datum  type_datum_t; only TYPE_ATTRIB entries are handled
 * @param datap  struct callback_data (policy and output stream)
 * @return 0 to continue, -1 if an avtab walk fails
 */
static int attribute_callback(hashtab_key_t key, hashtab_datum_t datum, void *datap)
{
	struct callback_data *ctx = datap;
	const type_datum_t *type = datum;
	avtab_t *tables[2];
	size_t n;

	if (type->flavor != TYPE_ATTRIB)
		return 0;

	fprintf(ctx->fp, "[Attribute %s]\n", key);
	ctx->attr = type->s.value;

	/* Unconditional rules first, then the conditional ones. */
	tables[0] = &ctx->policy->te_avtab;
	tables[1] = &ctx->policy->te_cond_avtab;
	for (n = 0; n < 2; n++) {
		if (avtab_map(tables[n], output_avrule, ctx) < 0)
			return -1;
	}

	return 0;
}
147 
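/*
 * Open and parse a binary kernel policy.
 *
 * With @filename NULL the currently loaded policy is tried first (via
 * libselinux), then the default binary policy path with a ".N" version
 * suffix, starting from the highest kernel policy version libsepol
 * supports.
 *
 * @param filename  path of the policy file, or NULL to auto-detect
 * @return newly allocated policydb, to be released by the caller with
 *         policydb_destroy() followed by free(); NULL after an error
 *         message on stderr
 */
static policydb_t *load_policy(const char *filename)
{
	policydb_t *policydb = NULL;
	struct policy_file pf;
	FILE *fp;
	char pathname[PATH_MAX];
	int suffix_ver;
	int len;

	/* no explicit policy name given, try loaded policy on a SELinux enabled system */
	if (!filename)
		filename = selinux_current_policy_path();

	/*
	 * Fallback to default store paths with version suffixes,
	 * starting from the maximum supported policy version.
	 */
	if (!filename) {
		for (suffix_ver = sepol_policy_kern_vers_max(); suffix_ver > 0; suffix_ver--) {
			len = snprintf(pathname, sizeof pathname, "%s.%d",
				       selinux_binary_policy_path(), suffix_ver);
			/* A truncated path would name some other file; skip it. */
			if (len < 0 || (size_t)len >= sizeof pathname)
				continue;

			if (access(pathname, F_OK) == 0) {
				filename = pathname;
				break;
			}
		}

		if (!filename) {
			fprintf(stderr, "Can't find any policy at '%s'\n",
				selinux_binary_policy_path());
			return NULL;
		}
	}

	fp = fopen(filename, "r");
	if (fp == NULL) {
		fprintf(stderr, "Can't open '%s':  %s\n",
			filename, strerror(errno));
		return NULL;
	}

	policy_file_init(&pf);
	pf.type = PF_USE_STDIO;
	pf.fp = fp;

	policydb = malloc(sizeof *policydb);
	if (policydb == NULL) {
		fprintf(stderr, "Out of memory!\n");
		goto err_close;
	}

	if (policydb_init(policydb)) {
		fprintf(stderr, "Out of memory!\n");
		goto err_free;
	}

	if (policydb_read(policydb, &pf, 1)) {
		fprintf(stderr,
			"error(s) encountered while parsing configuration\n");
		/*
		 * A failed read can leave partially filled tables inside the
		 * struct; release them the same way main() does on success
		 * instead of leaking them with a bare free().
		 */
		policydb_destroy(policydb);
		goto err_free;
	}

	fclose(fp);

	return policydb;

err_free:
	free(policydb);
err_close:
	fclose(fp);
	return NULL;
}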
222 
/*
 * Print the command-line synopsis to stdout.
 *
 * @param progname  name the program was invoked as (argv[0])
 */
static void usage(char *progname)
{
	fprintf(stdout, "usage: %s out_file [policy_file]\n", progname);
}
227 
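/*
 * Entry point: sepolgen-ifgen-attr-helper OUT_FILE [POLICY_FILE]
 *
 * Loads the policy (auto-detected when POLICY_FILE is omitted; argv[argc]
 * is NULL by the C standard, so argv[2] is a valid "no policy given"
 * argument when argc == 2), then writes one "[Attribute NAME]" section per
 * attribute, followed by its allow rules, to OUT_FILE.
 *
 * @return 0 on success; -1 on bad usage, when the policy cannot be loaded,
 *         when OUT_FILE cannot be opened or flushed, or when the attribute
 *         walk fails
 */
int main(int argc, char **argv)
{
	policydb_t *p;
	struct callback_data cb_data = { 0 };
	FILE *fp;
	int rc = 0;

	if (argc != 2 && argc != 3) {
		usage(argv[0]);
		return -1;
	}

	/* Open the policy. */
	p = load_policy(argv[2]);
	if (p == NULL)
		return -1;

	/* Open the output file. */
	fp = fopen(argv[1], "w");
	if (fp == NULL) {
		fprintf(stderr, "error opening output file\n");
		policydb_destroy(p);
		free(p);
		return -1;
	}

	/* Find all of the attributes and output their access. */
	cb_data.policy = p;
	cb_data.fp = fp;

	/*
	 * Report on stderr and exit non-zero: printing to stdout and then
	 * returning 0 let the caller treat a truncated output file as success.
	 */
	if (hashtab_map(p->p_types.table, attribute_callback, &cb_data)) {
		fprintf(stderr, "error finding attributes\n");
		rc = -1;
	}

	policydb_destroy(p);
	free(p);

	/* fclose() flushes the buffered output; a write error surfaces here. */
	if (fclose(fp) != 0) {
		fprintf(stderr, "error writing output file\n");
		rc = -1;
	}

	return rc;
}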