sepolicy-analyze: Add attribute command.
Add an attribute command to sepolicy-analyze for displaying the list of types associated with an attribute in a policy. This is for use by CTS to check what domains and types are associated with certain attributes such as mlstrustedsubject and mlstrustedobject. Change-Id: Ie19361c02feb1ad14ce36862c6aace9e66c422bb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
parent
c93617315e
commit
0233cd800e
@ -7,7 +7,7 @@ LOCAL_MODULE := sepolicy-analyze
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
LOCAL_C_INCLUDES := external/libsepol/include
|
||||
LOCAL_CFLAGS := -Wall -Werror
|
||||
LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c utils.c
|
||||
LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c
|
||||
LOCAL_STATIC_LIBRARIES := libsepol
|
||||
|
||||
include $(BUILD_HOST_EXECUTABLE)
|
||||
|
@ -60,6 +60,11 @@ sepolicy-analyze
|
||||
Policy booleans are forbidden in Android policy, so if there is any
|
||||
output, the policy will fail CTS.
|
||||
|
||||
ATTRIBUTE (attribute)
|
||||
sepolicy-analyze out/target/product/<board>/root/sepolicy attribute <name>
|
||||
|
||||
Displays the types associated with the specified attribute name.
|
||||
|
||||
NEVERALLOW CHECKING (neverallow)
|
||||
sepolicy-analyze out/target/product/<board>/root/sepolicy neverallow \
|
||||
[-w] [-d] [-f neverallows.conf] | [-n "neverallow string"]
|
||||
|
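--- /dev/null
+++ b/tools/sepolicy-analyze/attribute.c
@@ -0,0 +1,39 @@
+#include "attribute.h"
+
+void attribute_usage() {
+    fprintf(stderr, "\tattribute <attribute-name>\n");
+}
+
+static int list_attribute(policydb_t * policydb, char *name)
+{
+    struct type_datum *attr;
+    struct ebitmap_node *n;
+    unsigned int bit;
+
+    attr = hashtab_search(policydb->p_types.table, name);
+    if (!attr) {
+        fprintf(stderr, "%s is not defined in this policy.\n", name);
+        return -1;
+    }
+
+    if (attr->flavor != TYPE_ATTRIB) {
+        fprintf(stderr, "%s is a type not an attribute in this policy.\n", name);
+        return -1;
+    }
+
+    ebitmap_for_each_bit(&policydb->attr_type_map[attr->s.value - 1], n, bit) {
+        if (!ebitmap_node_get_bit(n, bit))
+            continue;
+        printf("%s\n", policydb->p_type_val_to_name[bit]);
+    }
+
+    return 0;
+}
+
+int attribute_func (int argc, char **argv, policydb_t *policydb) {
+    if (argc != 2) {
+        USAGE_ERROR = true;
+        return -1;
+    }
+    return list_attribute(policydb, argv[1]);
+}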
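Review bot: `void attribute_usage() {` at the top of attribute.c is an old-style unprototyped definition while attribute.h declares `void attribute_usage(void);`; it builds under `-Wall -Werror` today but would be rejected by `-Wstrict-prototypes`/`-Wold-style-definition`, so define it as `void attribute_usage(void) {` to match the header. In `list_attribute`, `name` is only passed to `hashtab_search` and `fprintf`, so it can be declared `const char *name`. The loop indexes `policydb->attr_type_map[attr->s.value - 1]` with no NULL check; if I recall the libsepol data structures correctly that map is only populated when a kernel binary policy is loaded, so a guard like `if (!policydb->attr_type_map) { fprintf(stderr, "attribute map not available in this policy.\n"); return -1; }` would turn a crash into a clean error if the tool is ever pointed at a policy module — worth confirming against load_policy() in utils.c, which is not part of this diff.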
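--- /dev/null
+++ b/tools/sepolicy-analyze/attribute.h
@@ -0,0 +1,11 @@
+#ifndef ATTRIBUTE_H
+#define ATTRIBUTE_H
+
+#include <sepol/policydb/policydb.h>
+
+#include "utils.h"
+
+void attribute_usage(void);
+int attribute_func(int argc, char **argv, policydb_t *policydb);
+
+#endif /* ATTRIBUTE_H */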
@ -7,6 +7,7 @@
|
||||
#include "perm.h"
|
||||
#include "typecmp.h"
|
||||
#include "booleans.h"
|
||||
#include "attribute.h"
|
||||
#include "utils.h"
|
||||
|
||||
#define NUM_COMPONENTS (int) (sizeof(analyze_components)/sizeof(analyze_components[0]))
|
||||
@ -22,7 +23,8 @@ static struct {
|
||||
COMP(neverallow),
|
||||
COMP(permissive),
|
||||
COMP(typecmp),
|
||||
COMP(booleans)
|
||||
COMP(booleans),
|
||||
COMP(attribute)
|
||||
};
|
||||
|
||||
void usage(char *arg0)
|
||||
|