1#!/usr/bin/env python3
2#
3# Copyright 2021 The Android Open Source Project
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9#     http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
17import argparse
18import policy
19
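# Command-line front end: a reduced sesearch work-alike that only relies on the
# AOSP-provided `policy` module (and the libsepolwrap shared object it wraps).
parser = argparse.ArgumentParser(
    description="SELinux policy rule search tool. Intended to have a similar "
        + "API as sesearch, but simplified to use only code available in AOSP")
# Both paths are declared optional to argparse and then enforced by hand below
# so the tool can emit its own error text rather than argparse's default.
parser.add_argument("policy", help="Path to the SELinux policy to search.", nargs="?")
# NOTE(review): policy.Policy loads this shared object into the running
# process (presumably via ctypes — confirm in policy.py). Loading a .so runs
# code, so this should only ever point at a trusted build artifact, never a
# path taken from an untrusted source.
parser.add_argument("--libpath", dest="libpath", help="Path to the libsepolwrap.so", nargs="?")
tertypes = parser.add_argument_group("TE Rule Types")
# Only `allow` is supported today; append_const keeps the sesearch-style
# multi-flag shape so more rule types can be added without changing the CLI.
tertypes.add_argument("--allow", action="append_const",
                    const="allow", dest="tertypes",
                    help="Search allow rules.")
expr = parser.add_argument_group("Expressions")
expr.add_argument("-s", "--source",
                  help="Source type/role of the TE/RBAC rule.")
expr.add_argument("-t", "--target",
                  help="Target type/role of the TE/RBAC rule.")
expr.add_argument("-c", "--class", dest="tclass",
                  help="Comma separated list of object classes")
expr.add_argument("-p", "--perms", metavar="PERMS",
                  help="Comma separated list of permissions.")

args = parser.parse_args()

if not args.tertypes:
    parser.error("Must specify \"--allow\"")

if not args.policy:
    parser.error("Must include path to policy")
if not args.libpath:
    parser.error("Must include path to libsepolwrap library")

# Refuse to run an unfiltered query: with no expression every allow rule in
# the policy would be printed, which is never what the caller wants.
if not (args.source or args.target or args.tclass or args.perms):
    parser.error("Must specify something to filter on, e.g. --source, --target, etc.")

pol = policy.Policy(args.policy, None, args.libpath)

# QueryTERule takes sets for every filter; an empty set means "no constraint".
# Comma-separated lists are split verbatim (no whitespace trimming), matching
# the sesearch-style input format.
if args.source:
    scontext = {args.source}
else:
    scontext = set()
if args.target:
    tcontext = {args.target}
else:
    tcontext = set()
if args.tclass:
    tclass = set(args.tclass.split(","))
else:
    tclass = set()
if args.perms:
    perms = set(args.perms.split(","))
else:
    perms = set()

TERules = pol.QueryTERule(scontext=scontext,
                       tcontext=tcontext,
                       tclass=tclass,
                       perms=perms)


def _format_rule(rule):
    """Render one TE rule as an sesearch-style ``allow`` line.

    Args:
        rule: an object exposing ``sctx``, ``tctx``, ``tclass`` (strings) and
            ``perms`` (an iterable of permission names), as returned by
            ``QueryTERule``.

    Returns:
        ``allow <sctx> <tctx>:<tclass> { p1 p2 };`` when the rule carries more
        than one permission, otherwise ``allow <sctx> <tctx>:<tclass> p;``.
        Permissions are sorted so the output is deterministic across runs.
    """
    perm_text = " ".join(sorted(rule.perms))
    if len(rule.perms) > 1:
        perm_text = "{ " + perm_text + " }"
    return "allow " + rule.sctx + " " + rule.tctx + ":" + rule.tclass + " " + perm_text + ";"


# Sort the rendered rules so diffs between policy builds are stable.
rules = [_format_rule(r) for r in TERules]

for r in sorted(rules):
    print(r)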
87    print(r)
88