-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch looks good to me. acked. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5yTj8ACgkQrlYvE4MpobOHjQCcDHXx7NboF3R9JdkUzEMV0Bz7 AgwAoKwkRrJPKN2PWecUiDCO+HaQFztf =8E6i -----END PGP SIGNATURE-----
>From afdf4de9009d0cd882636a6a543d7f3e18146bb9 Mon Sep 17 00:00:00 2001 From: Eric Paris <eparis@xxxxxxxxxx> Date: Sun, 10 Jul 2011 11:53:29 +0200 Subject: [PATCH 06/67] policycoreutils: sepolgen-ifgen: FIXME new attr-helper does something Why do we need this? Should it be a library or something rather than a freestanding helper program? I don't know... Signed-off-by: Eric Paris <eparis@xxxxxxxxxx> --- policycoreutils/Makefile | 2 +- policycoreutils/sepolgen-ifgen/.gitignore | 1 + policycoreutils/sepolgen-ifgen/Makefile | 25 ++ .../sepolgen-ifgen/sepolgen-ifgen-attr-helper.c | 232 ++++++++++++++++++++ 4 files changed, 259 insertions(+), 1 deletions(-) create mode 100644 policycoreutils/sepolgen-ifgen/.gitignore create mode 100644 policycoreutils/sepolgen-ifgen/Makefile create mode 100644 policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile index 86ed03f..7244a36 100644 --- a/policycoreutils/Makefile +++ b/policycoreutils/Makefile @@ -1,4 +1,4 @@ -SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) diff --git a/policycoreutils/sepolgen-ifgen/.gitignore b/policycoreutils/sepolgen-ifgen/.gitignore new file mode 100644 index 0000000..3816d2e --- /dev/null +++ b/policycoreutils/sepolgen-ifgen/.gitignore @@ -0,0 +1 @@ +sepolgen-ifgen-attr-helper diff --git a/policycoreutils/sepolgen-ifgen/Makefile b/policycoreutils/sepolgen-ifgen/Makefile new file mode 100644 index 0000000..99f8fd0 --- /dev/null +++ b/policycoreutils/sepolgen-ifgen/Makefile 
@@ -0,0 +1,25 @@
+# Installation directories.
+PREFIX ?= ${DESTDIR}/usr
+BINDIR ?= $(PREFIX)/bin
+LIBDIR ?= ${PREFIX}/lib
+INCLUDEDIR ?= $(PREFIX)/include
+
+CFLAGS ?= -Werror -Wall -W
+override CFLAGS += -I$(INCLUDEDIR)
+LDLIBS = $(LIBDIR)/libsepol.a
+
+all: sepolgen-ifgen-attr-helper
+
+sepolgen-ifgen-attr-helper: sepolgen-ifgen-attr-helper.o
+
+install: all
+ -mkdir -p $(BINDIR)
+ install -m 755 sepolgen-ifgen-attr-helper $(BINDIR)
+
+clean:
+ rm -f *~ *.o sepolgen-ifgen-attr-helper
+
+indent:
+ ../../scripts/Lindent $(wildcard *.[ch])
+
+relabel: ;
diff --git a/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c b/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c
new file mode 100644
index 0000000..1ce37b0
--- /dev/null
+++ b/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c
@@ -0,0 +1,232 @@
+/* Authors: Frank Mayer <mayerf@xxxxxxxxxx>
+ * and Karl MacMillan <kmacmillan@xxxxxxxxxx>
+ *
+ * Copyright (C) 2003,2010 Tresys Technology, LLC
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2.
+ *
+ * Adapted from dispol.c.
+ *
+ * This program is used by sepolgen-ifgen to get the access for all of
+ * the attributes in the policy so that it can resolve the
+ * typeattribute statements in the interfaces.
+ *
+ * It outputs the attribute access in a similar format to what sepolgen
+ * uses to store interface vectors:
+ * [Attribute sandbox_x_domain]
+ * sandbox_x_domain,samba_var_t,file,ioctl,read,getattr,lock,open
+ * sandbox_x_domain,samba_var_t,dir,getattr,search,open
+ * sandbox_x_domain,initrc_var_run_t,file,ioctl,read,getattr,lock,open
+ *
+ */
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/avtab.h>
+#include <sepol/policydb/util.h>
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+struct val_to_name {
+ unsigned int val;
+ char *name;
+};
+
+static int perm_name(hashtab_key_t key, hashtab_datum_t datum, void *data)
+{
+ struct val_to_name *v = data;
+ perm_datum_t *perdatum;
+
+ perdatum = (perm_datum_t *) datum;
+
+ if (v->val == perdatum->s.value) {
+ v->name = key;
+ return 1;
+ }
+
+ return 0;
+}
+
+int render_access_mask(uint32_t av, avtab_key_t *key, policydb_t *policydbp,
+ FILE *fp)
+{
+ struct val_to_name v;
+ class_datum_t *cladatum;
+ char *perm = NULL;
+ unsigned int i;
+ int rc;
+ uint32_t tclass = key->target_class;
+
+ cladatum = policydbp->class_val_to_struct[tclass - 1];
+ for (i = 0; i < cladatum->permissions.nprim; i++) {
+ if (av & (1 << i)) {
+ v.val = i + 1;
+ rc = hashtab_map(cladatum->permissions.table,
+ perm_name, &v);
+ if (!rc && cladatum->comdatum) {
+ rc = hashtab_map(cladatum->comdatum->
+ permissions.table, perm_name,
+ &v);
+ }
+ if (rc)
+ perm = v.name;
+ if (perm) {
+ fprintf(fp, ",%s", perm);
+ }
+ }
+ }
+
+ return 0;
+}
+
+static int render_key(avtab_key_t *key, policydb_t *p, FILE *fp)
+{
+ char *stype, *ttype, *tclass;
+ stype = p->p_type_val_to_name[key->source_type - 1];
+ ttype = p->p_type_val_to_name[key->target_type - 1];
+ tclass = p->p_class_val_to_name[key->target_class - 1];
+ if (stype && ttype) {
+ fprintf(fp, "%s,%s,%s", stype, ttype, tclass);
+ } else {
+ fprintf(stderr, "error rendering key\n");
+ exit(1);
+ }
+
+ return 0;
+}
+
+struct callback_data
+{
+ uint32_t attr;
+ policydb_t *policy;
+ FILE *fp;
+};
+
+int output_avrule(avtab_key_t *key, avtab_datum_t *datum, void *args)
+{
+ struct callback_data *cb_data = (struct callback_data *)args;
+
+ if (key->source_type != cb_data->attr)
+ return 0;
+
+ if (!(key->specified & AVTAB_AV && key->specified & AVTAB_ALLOWED))
+ return 0;
+
+ render_key(key, cb_data->policy, cb_data->fp);
+ render_access_mask(datum->data, key, cb_data->policy, cb_data->fp);
+ fprintf(cb_data->fp, "\n");
+
+ return 0;
+}
+
+static int attribute_callback(hashtab_key_t key, hashtab_datum_t datum, void *datap)
+{
+ struct callback_data *cb_data = (struct callback_data *)datap;
+ type_datum_t *t = (type_datum_t *)datum;
+
+ if (t->flavor == TYPE_ATTRIB) {
+ fprintf(cb_data->fp, "[Attribute %s]\n", key);
+ cb_data->attr = t->s.value;
+ if (avtab_map(&cb_data->policy->te_avtab, output_avrule, cb_data) < 0)
+ return -1;
+ if (avtab_map(&cb_data->policy->te_cond_avtab, output_avrule, cb_data) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
+static policydb_t *load_policy(const char *filename)
+{
+ policydb_t *policydb;
+ struct policy_file pf;
+ FILE *fp;
+ int ret;
+
+ fp = fopen(filename, "r");
+ if (fp == NULL) {
+ fprintf(stderr, "Can't open '%s': %s\n",
+ filename, strerror(errno));
+ return NULL;
+ }
+
+ policy_file_init(&pf);
+ pf.type = PF_USE_STDIO;
+ pf.fp = fp;
+
+ policydb = malloc(sizeof(policydb_t));
+ if (policydb == NULL) {
+ fprintf(stderr, "Out of memory!\n");
+ return NULL;
+ }
+
+ if (policydb_init(policydb)) {
+ fprintf(stderr, "Out of memory!\n");
+ free(policydb);
+ return NULL;
+ }
+
+ ret = policydb_read(policydb, &pf, 1);
+ if (ret) {
+ fprintf(stderr,
+ "error(s) encountered while parsing configuration\n");
+ free(policydb);
+ return NULL;
+ }
+
+ fclose(fp);
+
+ return policydb;
+
+}
+
+void usage(char *progname)
+{
+ printf("usage: %s policy_file out_file\n", progname);
+}
+
+int main(int argc, char **argv)
+{
+ policydb_t *p;
+ struct callback_data cb_data;
+ FILE *fp;
+
+ if (argc != 3) {
+ usage(argv[0]);
+ return -1;
+ }
+
+ /* Open the policy. */
+ p = load_policy(argv[1]);
+ if (p == NULL)
+ return -1;
+
+ /* Open the output policy. */
+ fp = fopen(argv[2], "w");
+ if (fp == NULL) {
+ fprintf(stderr, "error opening output file\n");
+ policydb_destroy(p);
+ free(p);
+ return -1;
+ }
+
+ /* Find all of the attributes and output their access. */
+ cb_data.policy = p;
+ cb_data.fp = fp;
+
+ if (hashtab_map(p->p_types.table, attribute_callback, &cb_data)) {
+ printf("error finding attributes\n");
+ }
+
+ policydb_destroy(p);
+ free(p);
+ fclose(fp);
+
+ return 0;
+}
-- 
1.7.6.2
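Review bot: In render_access_mask, `perm` is declared once outside the loop and never cleared, so after the first resolved permission any later set bit whose value is found in neither the class table nor the common table prints the previous name again instead of being skipped; reset it per iteration, `perm = NULL;` at the top of the loop body, and test the bit as unsigned, `if (av & (1u << i))`, since `1 << 31` is undefined for a 32-bit int. In main, a failing hashtab_map over p_types is reported with printf to stdout and execution still reaches `return 0;` with the fclose result unchecked, so sepolgen-ifgen cannot distinguish a complete attribute listing from a truncated one; print that error to stderr and return non-zero there and when fclose reports a write error. load_policy leaves fp open on every error path after fopen succeeds and, after a failed policydb_read, frees policydb without policydb_destroy. The file calls exit, malloc, free, strerror and errno without including stdlib.h, string.h or errno.h, so under the Makefile's -Werror it builds only if the sepol headers include them transitively.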