checkfc.c revision ad3cb39e54040e5a03328d8006f428579d1654e0
1d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig#include <getopt.h> 2ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts#include <stdbool.h> 301a58af19494420bb259505bc5404790a21fdd64Stephen Smalley#include <stdio.h> 401a58af19494420bb259505bc5404790a21fdd64Stephen Smalley#include <stdlib.h> 5ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts#include <string.h> 6ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts#include <sepol/module.h> 7ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts#include <sepol/policydb/policydb.h> 801a58af19494420bb259505bc5404790a21fdd64Stephen Smalley#include <sepol/sepol.h> 901a58af19494420bb259505bc5404790a21fdd64Stephen Smalley#include <selinux/selinux.h> 1001a58af19494420bb259505bc5404790a21fdd64Stephen Smalley#include <selinux/label.h> 1101a58af19494420bb259505bc5404790a21fdd64Stephen Smalley 12ad3cb39e54040e5a03328d8006f428579d1654e0William Robertsstatic const char * const CHECK_FC_ASSERT_ATTRS[] = { "fs_type", "dev_type", "file_type", NULL }; 13ad3cb39e54040e5a03328d8006f428579d1654e0William Robertsstatic const char * const CHECK_PC_ASSERT_ATTRS[] = { "property_type", NULL }; 14ad3cb39e54040e5a03328d8006f428579d1654e0William Robertsstatic const char * const CHECK_SC_ASSERT_ATTRS[] = { "service_manager_type", NULL }; 15ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 16ad3cb39e54040e5a03328d8006f428579d1654e0William Robertstypedef enum filemode filemode; 17ad3cb39e54040e5a03328d8006f428579d1654e0William Robertsenum filemode { 18ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts filemode_file_contexts = 0, 19ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts filemode_property_contexts, 20ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts filemode_service_contexts 21ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts}; 22ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 23ad3cb39e54040e5a03328d8006f428579d1654e0William Robertsstatic struct { 24ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts /* policy */ 25ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts struct { 26ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts union { 27ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts /* Union these so we don't have to cast */ 28ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts sepol_policydb_t *sdb; 29ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts policydb_t *pdb; 30ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts }; 31ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts sepol_policy_file_t *pf; 32ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts sepol_handle_t *handle; 33ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts FILE *file; 34ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts#define SEHANDLE_CNT 2 35ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts struct selabel_handle *sehnd[SEHANDLE_CNT]; 36ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } sepolicy; 37ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 38ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts /* assertions */ 39ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts struct { 40ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts const char * const *attrs; /* for the original set to print on error */ 41ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts ebitmap_t set; /* the ebitmap representation of the attrs */ 42ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } assert; 43ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 44ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts} global_state; 45ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 46ad3cb39e54040e5a03328d8006f428579d1654e0William Robertsstatic const char * const *filemode_to_assert_attrs(filemode mode) 47ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts{ 48ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts switch (mode) { 49ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts case filemode_file_contexts: 50ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts return CHECK_FC_ASSERT_ATTRS; 51ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts case filemode_property_contexts: 52ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts return CHECK_PC_ASSERT_ATTRS; 53ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts case filemode_service_contexts: 54ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts return CHECK_SC_ASSERT_ATTRS; 55ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 56ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts /* die on invalid parameters */ 57ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stderr, "Error: Invalid mode of operation: %d\n", mode); 58ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts exit(1); 59ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts} 60ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 61ad3cb39e54040e5a03328d8006f428579d1654e0William Robertsstatic int get_attr_bit(policydb_t *policydb, const char *attr_name) 62ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts{ 63ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts struct type_datum *attr = hashtab_search(policydb->p_types.table, (char *)attr_name); 64ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (!attr) { 65ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stderr, "Error: \"%s\" is not defined in this policy.\n", attr_name); 66ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts return -1; 67ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 68ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 69ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (attr->flavor != TYPE_ATTRIB) { 70ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stderr, "Error: \"%s\" is not an attribute in this policy.\n", attr_name); 71ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts return -1; 72ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 73ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 74ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts return attr->s.value - 1; 75ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts} 76ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 77ad3cb39e54040e5a03328d8006f428579d1654e0William Robertsstatic bool ebitmap_attribute_assertion_init(ebitmap_t *assertions, const char * const attributes[]) 78ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts{ 79ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 80ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts while (*attributes) { 81ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 82ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts int bit_pos = get_attr_bit(global_state.sepolicy.pdb, *attributes); 83ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (bit_pos < 0) { 84ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts /* get_attr_bit() logs error */ 85ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts return false; 86ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 87ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 88ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts int err = ebitmap_set_bit(assertions, bit_pos, 1); 89ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (err) { 90ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stderr, "Error: setting bit on assertion ebitmap!\n"); 91ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts return false; 92ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 93ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts attributes++; 94ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 95ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts return true; 96ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts} 97ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 98ad3cb39e54040e5a03328d8006f428579d1654e0William Robertsstatic bool is_type_of_attribute_set(policydb_t *policydb, const char *type_name, 99ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts ebitmap_t *attr_set) 100ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts{ 101ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts struct type_datum *type = hashtab_search(policydb->p_types.table, (char *)type_name); 102ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (!type) { 103ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stderr, "Error: \"%s\" is not defined in this policy.\n", type_name); 104ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts return false; 105ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 106ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 107ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (type->flavor != TYPE_TYPE) { 108ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stderr, "Error: \"%s\" is not a type in this policy.\n", type_name); 109ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts return false; 110ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 111ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 112ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts ebitmap_t dst; 113ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts ebitmap_init(&dst); 114ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 115ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts /* Take the intersection, if the set is empty, then its a failure */ 116ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts int rc = ebitmap_and(&dst, attr_set, &policydb->type_attr_map[type->s.value - 1]); 117ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (rc) { 118ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stderr, "Error: Could not perform ebitmap_and: %d\n", rc); 119ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts exit(1); 120ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 121ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 122ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts bool res = (bool)ebitmap_length(&dst); 123ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 124ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts ebitmap_destroy(&dst); 125ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts return res; 126ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts} 127ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 128ad3cb39e54040e5a03328d8006f428579d1654e0William Robertsstatic void dump_char_array(FILE *stream, const char * const *strings) 129ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts{ 130ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 131ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts const char * const *p = strings; 132ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 133ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stream, "\""); 134ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 135ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts while (*p) { 136ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts const char *s = *p++; 137ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts const char *fmt = *p ? "%s, " : "%s\""; 138ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stream, fmt, s); 139ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 140ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts} 14101a58af19494420bb259505bc5404790a21fdd64Stephen Smalley 14201a58af19494420bb259505bc5404790a21fdd64Stephen Smalleystatic int validate(char **contextp) 14301a58af19494420bb259505bc5404790a21fdd64Stephen Smalley{ 144ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts bool res; 145ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts char *context = *contextp; 146ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 147ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts sepol_context_t *ctx; 148ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts int rc = sepol_context_from_string(global_state.sepolicy.handle, context, 149ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts &ctx); 150ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (rc < 0) { 151ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stderr, "Error: Could not allocate context from string"); 152ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts exit(1); 153ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 154ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 155ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts rc = sepol_context_check(global_state.sepolicy.handle, 156ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts global_state.sepolicy.sdb, ctx); 157ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (rc < 0) { 158ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts goto out; 159ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 160ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 161ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts const char *type_name = sepol_context_get_type(ctx); 162ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 163ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts uint32_t len = ebitmap_length(&global_state.assert.set); 164ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (len > 0) { 165ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts res = !is_type_of_attribute_set(global_state.sepolicy.pdb, type_name, 166ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts &global_state.assert.set); 167ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (res) { 168ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stderr, "Error: type \"%s\" is not of set: ", type_name); 169ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts dump_char_array(stderr, global_state.assert.attrs); 170ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stderr, "\n"); 171ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts /* The calls above did not affect rc, so set error before going to out */ 172ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts rc = -1; 173ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts goto out; 174ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 175ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 176ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts /* Success: Although it should be 0, we explicitly set rc to 0 for clarity */ 177ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts rc = 0; 178ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 179ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts out: 180ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts sepol_context_free(ctx); 181ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts return rc; 18201a58af19494420bb259505bc5404790a21fdd64Stephen Smalley} 18301a58af19494420bb259505bc5404790a21fdd64Stephen Smalley 184d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craigstatic void usage(char *name) { 185ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stderr, "usage1: %s [-p|-s] sepolicy context_file\n\n" 186ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts "Parses a context file and checks for syntax errors.\n" 187ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts "The context_file is assumed to be a file_contexts file\n" 188ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts "unless the -p or -s option is used to indicate the property or service backend respectively.\n\n" 189ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 190ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts "usage2: %s -c file_contexts1 file_contexts2\n\n" 191ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts "Compares two file contexts files and reports one of subset, equal, superset, or incomparable.\n\n", 192ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts name, name); 193d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig exit(1); 194d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig} 195d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig 196ad3cb39e54040e5a03328d8006f428579d1654e0William Robertsstatic void cleanup(void) { 197ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 198ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (global_state.sepolicy.file) { 199ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fclose(global_state.sepolicy.file); 200ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 201ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 202ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (global_state.sepolicy.sdb) { 203ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts sepol_policydb_free(global_state.sepolicy.sdb); 204ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 205ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 206ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (global_state.sepolicy.pf) { 207ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts sepol_policy_file_free(global_state.sepolicy.pf); 208ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 209ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 210ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (global_state.sepolicy.handle) { 211ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts sepol_handle_destroy(global_state.sepolicy.handle); 212ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 213ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 214ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts ebitmap_destroy(&global_state.assert.set); 215ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 216ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts int i; 217ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts for (i = 0; i < SEHANDLE_CNT; i++) { 218ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts struct selabel_handle *sehnd = global_state.sepolicy.sehnd[i]; 219ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (sehnd) { 220ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts selabel_close(sehnd); 221ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 222ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 223ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts} 224ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 225ad3cb39e54040e5a03328d8006f428579d1654e0William Robertsstatic void do_compare_and_die_on_error(struct selinux_opt opts[], unsigned int backend, char *paths[]) 226ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts{ 227ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts enum selabel_cmp_result result; 228ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts char *result_str[] = { "subset", "equal", "superset", "incomparable" }; 229ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts int i; 230ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 231ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts opts[0].value = NULL; /* not validating against a policy when comparing */ 232ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 233ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts for (i = 0; i < SEHANDLE_CNT; i++) { 234ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts opts[1].value = paths[i]; 235ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts global_state.sepolicy.sehnd[i] = selabel_open(backend, opts, 2); 236ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (!global_state.sepolicy.sehnd[i]) { 237ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stderr, "Error: could not load context file from %s\n", paths[i]); 238ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts exit(1); 239ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 240ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 241ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 242ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts result = selabel_cmp(global_state.sepolicy.sehnd[0], global_state.sepolicy.sehnd[1]); 243ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts printf("%s\n", result_str[result]); 244ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts} 245ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 246ad3cb39e54040e5a03328d8006f428579d1654e0William Robertsstatic void do_fc_check_and_die_on_error(struct selinux_opt opts[], unsigned int backend, filemode mode, 247ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts const char *sepolicy_file, const char *context_file) 248ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts{ 249ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts global_state.sepolicy.file = fopen(sepolicy_file, "r"); 250ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (!global_state.sepolicy.file) { 251ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts perror("Error: could not open policy file"); 252ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts exit(1); 253ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 254ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 255ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts global_state.sepolicy.handle = sepol_handle_create(); 256ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (!global_state.sepolicy.handle) { 257ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stderr, "Error: could not create policy handle: %s\n", strerror(errno)); 258ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts exit(1); 259ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 260ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 261ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (sepol_policy_file_create(&global_state.sepolicy.pf) < 0) { 262ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts perror("Error: could not create policy handle"); 263ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts exit(1); 264ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 265ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 266ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts sepol_policy_file_set_fp(global_state.sepolicy.pf, global_state.sepolicy.file); 267ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts sepol_policy_file_set_handle(global_state.sepolicy.pf, global_state.sepolicy.handle); 268ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 269ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts int rc = sepol_policydb_create(&global_state.sepolicy.sdb); 270ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (rc < 0) { 271ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts perror("Error: could not create policy db"); 272ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts exit(1); 273ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 274ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 275ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts rc = sepol_policydb_read(global_state.sepolicy.sdb, global_state.sepolicy.pf); 276ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (rc < 0) { 277ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts perror("Error: could not read file into policy db"); 278ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts exit(1); 279ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 280ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 281ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts global_state.assert.attrs = filemode_to_assert_attrs(mode); 282ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 283ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts bool ret = ebitmap_attribute_assertion_init(&global_state.assert.set, global_state.assert.attrs); 284ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (!ret) { 285ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts /* error messages logged by ebitmap_attribute_assertion_init() */ 286ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts exit(1); 287ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 288ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 289ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts selinux_set_callback(SELINUX_CB_VALIDATE, 290ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts (union selinux_callback)&validate); 291ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 292ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts opts[1].value = context_file; 293ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 294ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts global_state.sepolicy.sehnd[0] = selabel_open(backend, opts, 2); 295ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (!global_state.sepolicy.sehnd[0]) { 296ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts fprintf(stderr, "Error: could not load context file from %s\n", context_file); 297ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts exit(1); 298ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } 299ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts} 300ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 30101a58af19494420bb259505bc5404790a21fdd64Stephen Smalleyint main(int argc, char **argv) 30201a58af19494420bb259505bc5404790a21fdd64Stephen Smalley{ 30301a58af19494420bb259505bc5404790a21fdd64Stephen Smalley struct selinux_opt opts[] = { 30401a58af19494420bb259505bc5404790a21fdd64Stephen Smalley { SELABEL_OPT_VALIDATE, (void*)1 }, 30501a58af19494420bb259505bc5404790a21fdd64Stephen Smalley { SELABEL_OPT_PATH, NULL } 30601a58af19494420bb259505bc5404790a21fdd64Stephen Smalley }; 307d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig 308d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig // Default backend unless changed by input argument. 309d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig unsigned int backend = SELABEL_CTX_FILE; 310d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig 31113b6b7e88f6ac006b53764b33348a73343742148Stephen Smalley bool compare = false; 312d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig char c; 31301a58af19494420bb259505bc5404790a21fdd64Stephen Smalley 314ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts filemode mode = filemode_file_contexts; 315ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts 316ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts while ((c = getopt(argc, argv, "cps")) != -1) { 317d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig switch (c) { 31813b6b7e88f6ac006b53764b33348a73343742148Stephen Smalley case 'c': 31913b6b7e88f6ac006b53764b33348a73343742148Stephen Smalley compare = true; 32013b6b7e88f6ac006b53764b33348a73343742148Stephen Smalley break; 321d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig case 'p': 322ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts mode = filemode_property_contexts; 323ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts backend = SELABEL_CTX_ANDROID_PROP; 324ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts break; 325ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts case 's': 326ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts mode = filemode_service_contexts; 327d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig backend = SELABEL_CTX_ANDROID_PROP; 328d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig break; 329d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig case 'h': 330d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig default: 331d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig usage(argv[0]); 332d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig break; 333d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig } 334d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig } 335d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig 336d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig int index = optind; 337d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig if (argc - optind != 2) { 338d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig usage(argv[0]); 33901a58af19494420bb259505bc5404790a21fdd64Stephen Smalley } 34001a58af19494420bb259505bc5404790a21fdd64Stephen Smalley 34113b6b7e88f6ac006b53764b33348a73343742148Stephen Smalley if (compare && backend != SELABEL_CTX_FILE) { 34213b6b7e88f6ac006b53764b33348a73343742148Stephen Smalley usage(argv[0]); 34313b6b7e88f6ac006b53764b33348a73343742148Stephen Smalley } 34413b6b7e88f6ac006b53764b33348a73343742148Stephen Smalley 345ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts atexit(cleanup); 346d98d26ef3c1fe9b44497ed4e2a1fcf66505092baRobert Craig 347ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts if (compare) { 348ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts do_compare_and_die_on_error(opts, backend, &(argv[index])); 349ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts } else { 350ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts /* remaining args are sepolicy file and context file */ 351ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts char *sepolicy_file = argv[index]; 352ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts char *context_file = argv[index + 1]; 35301a58af19494420bb259505bc5404790a21fdd64Stephen Smalley 354ad3cb39e54040e5a03328d8006f428579d1654e0William Roberts do_fc_check_and_die_on_error(opts, backend, mode, sepolicy_file, context_file); 35501a58af19494420bb259505bc5404790a21fdd64Stephen Smalley } 35601a58af19494420bb259505bc5404790a21fdd64Stephen Smalley exit(0); 35701a58af19494420bb259505bc5404790a21fdd64Stephen Smalley} 358