sepolicy-analyze

A component-ized tool for performing various kinds of analysis on a
sepolicy file.  The kinds of analysis currently supported include:

TYPE EQUIVALENCE (typecmp)
sepolicy-analyze out/target/product/<board>/root/sepolicy typecmp -e

Display all type pairs that are "equivalent", i.e. they are
identical with respect to allow rules, including indirect allow
rules via attributes and default-enabled conditional rules
(i.e. default boolean values yield a true conditional expression).

Equivalent types are candidates for being coalesced into a single
type.  However, there may be legitimate reasons for them to remain
separate, for example:
- the types may differ in a respect not included in the current
  analysis, such as default-disabled conditional rules, audit-related
  rules (auditallow or dontaudit), default type transitions, or
  constraints (e.g.
  mls), or
- the current policy may be overly permissive with respect to one or
  the other of the types and thus the correct action may be to tighten
  access to one or the other rather than coalescing them together, or
- the domains that would in fact have different accesses to the types
  may not yet be defined or may be unconfined in the policy you are
  analyzing.

TYPE DIFFERENCE (typecmp)
sepolicy-analyze out/target/product/<board>/root/sepolicy typecmp -d

Display type pairs that differ and the first difference found
between the two types.  This may be used in looking for similar
types that are not equivalent but may be candidates for coalescing.

DUPLICATE ALLOW RULES (dups)
sepolicy-analyze out/target/product/<board>/root/sepolicy dups

Displays duplicate allow rules, i.e.
pairs of allow rules that
grant the same permissions where one allow rule is written
directly in terms of individual types and the other is written in
terms of attributes associated with those same types.  The rule
with individual types is a candidate for removal.  The rule with
individual types may be directly represented in the source policy
or may be a result of expansion of a type negation (e.g. domain
-foo -bar is expanded to individual allow rules by the policy
compiler).  Domains with unconfineddomain will typically have such
duplicate rules as a natural side effect and can be ignored.

PERMISSIVE DOMAINS (permissive)
sepolicy-analyze out/target/product/<board>/root/sepolicy permissive

Displays domains in the policy that are permissive, i.e. avc
denials are logged but not enforced for these domains.  While
permissive domains can be helpful during development, they
should not be present in a final -user build.

BOOLEANS (booleans)
sepolicy-analyze out/target/product/<board>/root/sepolicy booleans

Displays the boolean names in the policy (if any).
Policy booleans are forbidden in Android policy, so if there is any
output, the policy will fail CTS.

ATTRIBUTE (attribute)
sepolicy-analyze out/target/product/<board>/root/sepolicy attribute <name>

Displays the types associated with the specified attribute name.

sepolicy-analyze out/target/product/<board>/root/sepolicy attribute -r <name>

Displays the attributes associated with the specified type name.

sepolicy-analyze out/target/product/<board>/root/sepolicy attribute -l

Displays all attributes in the policy.

NEVERALLOW CHECKING (neverallow)
sepolicy-analyze out/target/product/<board>/root/sepolicy neverallow \
    [-w] [-d] [-f neverallows.conf] | [-n "neverallow string"]

Check whether the sepolicy file violates any of the neverallow rules
from the neverallows.conf file or a given string, which contain neverallow
statements in the same format as the SELinux policy.conf file, i.e. after
m4 macro expansion of the rules from a .te file.  You can use an entire
policy.conf file as the neverallows.conf file and sepolicy-analyze will
ignore everything except for the neverallows within it.  You can also
specify this as a command-line string argument, which could be useful for
quickly checking an individual expanded rule or group of rules.  If there are
no violations, sepolicy-analyze will exit successfully with no output.
Otherwise, sepolicy-analyze will report all violations and exit
with a non-zero exit status.

The -w or --warn option may be used to warn on any types, attributes,
classes, or permissions from a neverallow rule that could not be resolved
within the sepolicy file.  This can be normal due to differences between
the policy from which the neverallow rules were taken and the policy
being checked.  Such values are ignored for the purposes of neverallow
checking.

The -d or --debug option may be used to cause sepolicy-analyze to emit the
neverallow rules as it parses them.  This is principally a debugging facility
for the parser but could also be used to extract neverallow rules from
a full policy.conf file and output them in a more easily parsed format.
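The script below is an added example and is not part of the
sepolicy-analyze sources.  It ties the PERMISSIVE DOMAINS, BOOLEANS and
NEVERALLOW CHECKING commands above into one release gate for -user builds,
and includes a small awk extractor that pulls plain neverallow statements
out of an expanded policy.conf (a job the -d option can also do).  The
SEPOLICY_ANALYZE variable, the function names extract_neverallows and
release_gate, and the argument paths are this example's own choices; the
sepolicy and policy.conf locations in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: a release gate built on sepolicy-analyze.  Not part of the
# sepolicy-analyze sources.  Assumes SEPOLICY_ANALYZE names a built host
# binary (default: whatever is on PATH); the sepolicy and policy.conf paths
# are passed as arguments.
: "${SEPOLICY_ANALYZE:=sepolicy-analyze}"

# Pull every plain neverallow statement out of an expanded policy.conf.
# A statement may span several lines and ends at the first ';', so collect
# lines until that point and squash the whitespace into one line per rule.
# '#' comment lines are skipped.  neverallowxperm is deliberately not
# matched, since this README only documents neverallow checking.
extract_neverallows() {
  awk '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*neverallow[[:space:]]/ { collecting = 1; stmt = "" }
    collecting {
      stmt = stmt " " $0
      if (index($0, ";")) {
        gsub(/[[:space:]]+/, " ", stmt)
        sub(/^ /, "", stmt)
        sub(/ $/, "", stmt)
        print stmt
        collecting = 0
      }
    }
  ' "$1"
}

# Run the checks that must be clean on a -user build:
#   permissive  -> any output is a permissive domain left in the policy
#   booleans    -> any output is a policy boolean, which fails CTS
#   neverallow  -> a non-zero exit means at least one rule is violated
# Returns 0 when all three are clean, 1 otherwise; findings go to stderr.
release_gate() {
  policy=$1
  neverallows=$2
  rc=0

  perm=$("$SEPOLICY_ANALYZE" "$policy" permissive) || rc=1
  if [ -n "$perm" ]; then
    printf 'permissive domains present:\n%s\n' "$perm" >&2
    rc=1
  fi

  bools=$("$SEPOLICY_ANALYZE" "$policy" booleans) || rc=1
  if [ -n "$bools" ]; then
    printf 'policy booleans present (CTS failure):\n%s\n' "$bools" >&2
    rc=1
  fi

  # -w: names the checked policy lacks only warn instead of aborting the check
  if ! "$SEPOLICY_ANALYZE" "$policy" neverallow -w -f "$neverallows" >&2; then
    printf 'neverallow violations found\n' >&2
    rc=1
  fi
  return "$rc"
}

# Usage (placeholder paths):
#   SEPOLICY_ANALYZE=/path/to/sepolicy-analyze sh gate.sh \
#       out/target/product/<board>/root/sepolicy /path/to/policy.conf
if [ "$#" -eq 2 ]; then
  rules="${TMPDIR:-/tmp}/neverallows.$$.conf"
  extract_neverallows "$2" > "$rules"
  release_gate "$1" "$rules"
  status=$?
  rm -f "$rules"
  exit "$status"
fi
```

The gate treats any output from permissive or booleans as a failure, which
is exactly the condition the sections above describe for a -user build, and
relies on the documented exit status of neverallow rather than parsing its
report.  Feeding an extracted rule file instead of the whole policy.conf
keeps the rules you are enforcing visible in review.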