On 08/13/2015 07:09 AM, Richard Haines wrote:
> Add -p option that will take a binary policy file to validate
> context entries in the text file_contexts file.
>
> Should validation fail the binary file will not be written.
>
> Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
Thanks, applied.
> ---
> libselinux/man/man8/sefcontext_compile.8 | 15 ++++++-
> libselinux/utils/Makefile | 2 +-
> libselinux/utils/sefcontext_compile.c | 72 +++++++++++++++++++++++++++-----
> 3 files changed, 75 insertions(+), 14 deletions(-)
>
> diff --git a/libselinux/man/man8/sefcontext_compile.8 b/libselinux/man/man8/sefcontext_compile.8
> index 584c4c6..b77ff3a 100644
> --- a/libselinux/man/man8/sefcontext_compile.8
> +++ b/libselinux/man/man8/sefcontext_compile.8
> @@ -1,4 +1,4 @@
> -.TH "sefcontext_compile" "8" "12 Jun 2015" "dwalsh@xxxxxxxxxx" "SELinux Command Line documentation"
> +.TH "sefcontext_compile" "8" "12 Aug 2015" "dwalsh@xxxxxxxxxx" "SELinux Command Line documentation"
> .SH "NAME"
> sefcontext_compile \- compile file context regular expression files
> .
> @@ -6,6 +6,8 @@ sefcontext_compile \- compile file context regular expression files
> .B sefcontext_compile
> .RB [ \-o
> .IR outputfile ]
> +.RB [ \-p
> +.IR policyfile ]
> .I inputfile
> .
> .SH "DESCRIPTION"
> @@ -29,7 +31,16 @@ Specify an
> that must be a fully qualified file name as the
> .B .bin
> suffix is not automatically added.
> -.
> +.TP
> +.B \-p
> +Specify a binary
> +.I policyfile
> +that will be used to validate the context entries in the
> +.I inputfile
> +.br
> +If an invalid context is found the pcre formatted file will not be written and
> +an error will be returned.
> +
> .SH "RETURN VALUE"
> On error -1 is returned. On success 0 is returned.
>
> diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
> index c36761d..cac85c7 100644
> --- a/libselinux/utils/Makefile
> +++ b/libselinux/utils/Makefile
> @@ -28,7 +28,7 @@ LDLIBS += -L../src -lselinux -L$(LIBDIR)
>
> TARGETS=$(patsubst %.c,%,$(wildcard *.c))
>
> -sefcontext_compile: LDLIBS += -lpcre ../src/libselinux.a
> +sefcontext_compile: LDLIBS += -lpcre ../src/libselinux.a -lsepol
>
> ifeq ($(DISABLE_AVC),y)
> UNUSED_TARGETS+=compute_av compute_create compute_member compute_relabel
> diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
> index 4160632..d2578b6 100644
> --- a/libselinux/utils/sefcontext_compile.c
> +++ b/libselinux/utils/sefcontext_compile.c
> @@ -10,11 +10,22 @@
> #include <getopt.h>
> #include <limits.h>
> #include <selinux/selinux.h>
> +#include <sepol/sepol.h>
>
> #include "../src/label_file.h"
>
> -static int validate_context(char __attribute__ ((unused)) **ctx)
> +const char *policy_file;
> +static int ctx_err;
> +
> +static int validate_context(char **ctxp)
> {
> + char *ctx = *ctxp;
> +
> + if (policy_file && sepol_check_context(ctx) < 0) {
> + ctx_err = -1;
> + return ctx_err;
> + }
> +
> return 0;
> }
>
> @@ -38,8 +49,15 @@ static int process_file(struct selabel_handle *rec, const char *filename)
> rc = 0;
> while (getline(&line_buf, &line_len, context_file) > 0) {
> rc = process_line(rec, filename, prefix, line_buf, ++line_num);
> - if (rc)
> + if (rc || ctx_err) {
> + /* With -p option need to check and fail if ctx err as
> + * process_line() context validation on Linux does not
> + * return an error, but does print the error line to
> + * stderr. Android will set both to error and print
> + * the error line. */
> + rc = -1;
> goto out;
> + }
> }
> out:
> free(line_buf);
> @@ -263,13 +281,15 @@ static void free_specs(struct saved_data *data)
> static void usage(const char *progname)
> {
> fprintf(stderr,
> - "usage: %s [-o out_file] fc_file\n"
> - "Where:\n\t"
> - "-o Optional file name of the PCRE formatted binary\n\t"
> - " file to be output. If not specified the default\n\t"
> - " will be fc_file with the .bin suffix appended.\n\t"
> - "fc_file The text based file contexts file to be processed.\n",
> - progname);
> + "usage: %s [-o out_file] [-p policy_file] fc_file\n"
> + "Where:\n\t"
> + "-o Optional file name of the PCRE formatted binary\n\t"
> + " file to be output. If not specified the default\n\t"
> + " will be fc_file with the .bin suffix appended.\n\t"
> + "-p Optional binary policy file that will be used to\n\t"
> + " validate contexts defined in the fc_file.\n\t"
> + "fc_file The text based file contexts file to be processed.\n",
> + progname);
> exit(EXIT_FAILURE);
> }
>
> @@ -280,6 +300,7 @@ int main(int argc, char *argv[])
> char stack_path[PATH_MAX + 1];
> char *tmp = NULL;
> int fd, rc, opt;
> + FILE *policy_fp = NULL;
> struct stat buf;
> struct selabel_handle *rec = NULL;
> struct saved_data *data = NULL;
> @@ -287,11 +308,14 @@ int main(int argc, char *argv[])
> if (argc < 2)
> usage(argv[0]);
>
> - while ((opt = getopt(argc, argv, "o:")) > 0) {
> + while ((opt = getopt(argc, argv, "o:p:")) > 0) {
> switch (opt) {
> case 'o':
> out_file = optarg;
> break;
> + case 'p':
> + policy_file = optarg;
> + break;
> default:
> usage(argv[0]);
> }
> @@ -306,10 +330,30 @@ int main(int argc, char *argv[])
> exit(EXIT_FAILURE);
> }
>
> + /* Open binary policy if supplied. */
> + if (policy_file) {
> + policy_fp = fopen(policy_file, "r");
> +
> + if (!policy_fp) {
> + fprintf(stderr, "Failed to open policy: %s\n",
> + policy_file);
> + exit(EXIT_FAILURE);
> + }
> +
> + if (sepol_set_policydb_from_file(policy_fp) < 0) {
> + fprintf(stderr, "Failed to load policy: %s\n",
> + policy_file);
> + fclose(policy_fp);
> + exit(EXIT_FAILURE);
> + }
> + }
> +
> /* Generate dummy handle for process_line() function */
> rec = (struct selabel_handle *)calloc(1, sizeof(*rec));
> if (!rec) {
> fprintf(stderr, "Failed to calloc handle\n");
> + if (policy_fp)
> + fclose(policy_fp);
> exit(EXIT_FAILURE);
> }
> rec->backend = SELABEL_CTX_FILE;
> @@ -318,7 +362,8 @@ int main(int argc, char *argv[])
> * process_line function, however as the bin file being generated
> * may not be related to the currently loaded policy (that it
> * would be validated against), then set callback to ignore any
> - * validation. */
> + * validation - unless the -p option is used in which case if an
> + * error is detected, the process will be aborted. */
> rec->validating = 1;
> selinux_set_callback(SELINUX_CB_VALIDATE,
> (union selinux_callback)&validate_context);
> @@ -327,6 +372,8 @@ int main(int argc, char *argv[])
> if (!data) {
> fprintf(stderr, "Failed to calloc saved_data\n");
> free(rec);
> + if (policy_fp)
> + fclose(policy_fp);
> exit(EXIT_FAILURE);
> }
>
> @@ -376,6 +423,9 @@ int main(int argc, char *argv[])
>
> rc = 0;
> out:
> + if (policy_fp)
> + fclose(policy_fp);
> +
> free_specs(data);
> free(rec);
> free(data);
>
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
