Checkpolicy has an option to produce CIL output and is dependent on the policydb-to-CIL conversion in libsepol for that option. Add support for converting extended permissions to CIL so that checlpolicy can generate CIL. Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx> --- libsepol/src/module_to_cil.c | 115 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 111 insertions(+), 4 deletions(-) diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 508a861..556d11e 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -609,6 +609,103 @@ exit: return rc; } +#define next_bit_in_range(i, p) ((i + 1 < sizeof(p)*8) && xperm_test((i + 1), p)) + +static int xperms_to_cil(const av_extended_perms_t *xperms) +{ + uint16_t value; + uint16_t low_bit; + uint16_t low_value; + unsigned int bit; + unsigned int in_range = 0; + int first = 1; + + if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION) + && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)) + return -1; + + for (bit = 0; bit < sizeof(xperms->perms)*8; bit++) { + if (!xperm_test(bit, xperms->perms)) + continue; + + if (in_range && next_bit_in_range(bit, xperms->perms)) { + /* continue until high value found */ + continue; + } else if (next_bit_in_range(bit, xperms->perms)) { + /* low value */ + low_bit = bit; + in_range = 1; + continue; + } + + if (!first) + cil_printf(" "); + else + first = 0; + + if (xperms->specified & AVTAB_XPERMS_IOCTLFUNCTION) { + value = xperms->driver<<8 | bit; + low_value = xperms->driver<<8 | low_bit; + if (in_range) { + cil_printf("(range 0x%hx 0x%hx)", low_value, value); + in_range = 0; + } else { + cil_printf("0x%hx", value); + } + } else if (xperms->specified & AVTAB_XPERMS_IOCTLDRIVER) { + value = bit << 8; + low_value = low_bit << 8; + if (in_range) { + cil_printf("(range 0x%hx 0x%hx)", low_value, (uint16_t) (value|0xff)); + in_range = 0; + } else { + cil_printf("(range 0x%hx 0x%hx)", value, (uint16_t) (value|0xff)); + } + } + } + + return 0; +} + +static int avrulex_to_cil(int indent, struct policydb *pdb, uint32_t type, const char *src, const char *tgt, const class_perm_node_t *classperms, const av_extended_perms_t *xperms) +{ + int rc = -1; + const char *rule; + const struct class_perm_node *classperm; + + switch (type) { + case AVRULE_XPERMS_ALLOWED: + rule = "allowxperm"; + break; + case AVRULE_XPERMS_AUDITALLOW: + rule = "auditallowxperm"; + break; + case AVRULE_XPERMS_DONTAUDIT: + rule = "dontauditxperm"; + break; + case AVRULE_XPERMS_NEVERALLOW: + rule = "neverallowxperm"; + break; + default: + log_err("Unknown avrule xperm type: %i", type); + rc = -1; + goto exit; + } + + for (classperm = classperms; classperm != NULL; classperm = classperm->next) { + cil_indent(indent); + cil_printf("(%s %s %s %s (%s (", rule, src, tgt, + "ioctl", pdb->p_class_val_to_name[classperm->tclass - 1]); + xperms_to_cil(xperms); + cil_printf("))\n"); + } + + return 0; + +exit: + return rc; +} + static int num_digits(int n) { int num = 1; @@ -1077,7 +1174,8 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a struct type_set *ts; for (avrule = avrule_list; avrule != NULL; avrule = avrule->next) { - if (avrule->specified == AVRULE_NEVERALLOW && avrule->source_filename) { + if ((avrule->specified & (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && + avrule->source_filename) { cil_println(0, ";;* lmx %lu %s\n",avrule->source_line, avrule->source_filename); } @@ -1095,14 +1193,22 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a for (s = 0; s < num_snames; s++) { for (t = 0; t < num_tnames; t++) { - rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->perms); + if (avrule->specified & AVRULE_XPERMS) { + rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->perms, avrule->xperms); + } else { + rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->perms); + } if (rc != 0) { goto exit; } } if (avrule->flags & RULE_SELF) { - rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->perms); + if (avrule->specified & AVRULE_XPERMS) { + rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->perms, avrule->xperms); + } else { + rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->perms); + } if (rc != 0) { goto exit; } @@ -1112,7 +1218,8 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a names_destroy(&snames, &num_snames); names_destroy(&tnames, &num_tnames); - if (avrule->specified == AVRULE_NEVERALLOW && avrule->source_filename) { + if ((avrule->specified & (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && + avrule->source_filename) { cil_println(0, ";;* lme\n"); } } -- 2.7.4 _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.