On Fri, 2017-03-10 at 14:49 -0500, James Carter wrote: > Use the same option "-C" used to ouput CIL from a policy.conf, but > now > generate CIL from a binary policy instead of giving an error. > > Use the option "-F" to generate a policy.conf file from a binary > policy. > > Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx> > --- > checkpolicy/checkpolicy.c | 60 +++++++++++++++++++++++++++++++++-- > ------------ > 1 file changed, 42 insertions(+), 18 deletions(-) > > diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c > index b98bfcd..9694f57 100644 > --- a/checkpolicy/checkpolicy.c > +++ b/checkpolicy/checkpolicy.c > @@ -75,6 +75,8 @@ > #include <sys/mman.h> > > #include <sepol/module_to_cil.h> > +#include <sepol/kernel_to_cil.h> > +#include <sepol/kernel_to_conf.h> > #include <sepol/policydb/policydb.h> > #include <sepol/policydb/services.h> > #include <sepol/policydb/conditional.h> > @@ -105,7 +107,7 @@ unsigned int policyvers = POLICYDB_VERSION_MAX; > static __attribute__((__noreturn__)) void usage(const char > *progname) > { > printf > - ("usage: %s [-b] [-C] [-d] [-U handle_unknown > (allow,deny,reject)] [-M]" > + ("usage: %s [-b] [-C] [-F] [-d] [-U handle_unknown > (allow,deny,reject)] [-M]" > "[-c policyvers (%d-%d)] [-o output_file] [-t > target_platform (selinux,xen)]" > "[input_file]\n", > progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); > @@ -388,7 +390,7 @@ int main(int argc, char **argv) > size_t scontext_len, pathlen; > unsigned int i; > unsigned int protocol, port; > - unsigned int binary = 0, debug = 0, cil = 0; > + unsigned int binary = 0, debug = 0, cil = 0, conf = 0; > struct val_to_name v; > int ret, ch, fd, target = SEPOL_TARGET_SELINUX; > unsigned int nel, uret; 
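Review bot: The usage string in the `@@ -105,7 +107,7 @@` hunk lists `[-C] [-F]` as if they were independent flags, but the rest of the patch makes them mutually exclusive and makes -F (and -C on a kernel policy) depend on -b; none of that is visible to someone reading `checkpolicy -h`. Since usage() prints only this one-line synopsis, expressing the constraint in the synopsis itself is the cheapest fix, e.g. `"usage: %s [-b] [-C|-F] [-d] [-U handle_unknown (allow,deny,reject)] [-M]"`, and a trailing line such as `"  -C  write CIL (from policy.conf, or from a binary policy with -b)\n  -F  write policy.conf (requires -b)\n"` would document the -b dependency. usage() itself continues outside the hunk, so check the remaining format arguments when changing the string.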
> @@ -411,11 +413,12 @@ int main(int argc, char **argv) > {"handle-unknown", required_argument, NULL, 'U'}, > {"mls", no_argument, NULL, 'M'}, > {"cil", no_argument, NULL, 'C'}, > + {"conf",no_argument, NULL, 'F'}, > {"help", no_argument, NULL, 'h'}, > {NULL, 0, NULL, 0} > }; > > - while ((ch = getopt_long(argc, argv, "o:t:dbU:MCVc:h", > long_options, NULL)) != -1) { > + while ((ch = getopt_long(argc, argv, "o:t:dbU:MCFVc:h", > long_options, NULL)) != -1) { > switch (ch) { > case 'o': > outfile = optarg; > @@ -461,6 +464,9 @@ int main(int argc, char **argv) > case 'C': > cil = 1; > break; > + case 'F': > + conf = 1; > + break; > case 'c':{ > long int n; > errno = 0; > @@ -510,12 +516,17 @@ int main(int argc, char **argv) > sepol_set_policydb(&policydb); > sepol_set_sidtab(&sidtab); > > + if (cil && conf) { > + fprintf(stderr, "Can't convert to CIL and > policy.conf at the same time\n"); > + exit(1); > + } > + > if (binary) { > - if (cil) { > - fprintf(stderr, "%s: Converting > kernel policy to CIL is not supported\n", > - argv[0]); > - exit(1); > - } > + /* if (cil) { */ > + /* fprintf(stderr, "%s: Converting > kernel policy to CIL is not supported\n", */ > + /* argv[0]); */ > + /* exit(1); */ > + /* } */ Just remove? > fd = open(file, O_RDONLY); > if (fd < 0) { > fprintf(stderr, "Can't open '%s': %s\n", > @@ -568,6 +579,10 @@ int main(int argc, char **argv) > } > } > } else { > + if (conf) { > + fprintf(stderr, "Can only generate > policy.conf from binary policy\n"); > + exit(1); > + } > if (policydb_init(&parse_policy)) > exit(1); > /* We build this as a base policy first since that > is all the parser understands */ 
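Review bot: The new long_options entry `{"conf",no_argument, NULL, 'F'},` in the `@@ -411,11 +413,12 @@` hunk is missing the space after the first comma that every neighbouring entry (`{"cil", no_argument, NULL, 'C'},`) has. Purely cosmetic, but it will stand out in the table forever; make it `{"conf", no_argument, NULL, 'F'},`.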
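Review bot: The two new option-conflict messages, `Can't convert to CIL and policy.conf at the same time` in the `@@ -510` hunk and `Can only generate policy.conf from binary policy` in the `@@ -568` hunk, drop the `"%s: "` program-name prefix that the message they replace (`"%s: Converting kernel policy to CIL is not supported\n", argv[0]`) and the write-error messages later in this patch all use, so the diagnostics become inconsistent. Both checks are also pure option validation that does not depend on anything loaded, so they could sit together right after the getopt loop instead of being split between the binary and non-binary branches: `if (conf && !binary) { fprintf(stderr, "%s: Can only generate policy.conf from binary policy\n", argv[0]); exit(1); }` next to the `cil && conf` check, with the same prefix added to that one. That keeps the `else` branch of the `if (binary)` free of option-parsing logic.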
> @@ -621,15 +636,20 @@ int main(int argc, char **argv) > policydb.policyvers = policyvers; > > if (!cil) { > - printf > - ("%s: writing binary representation > (version %d) to %s\n", > - argv[0], policyvers, outfile); > - policydb.policy_type = POLICY_KERN; > - > - policy_file_init(&pf); > - pf.type = PF_USE_STDIO; > - pf.fp = outfp; > - ret = policydb_write(&policydb, &pf); > + if (!conf) { > + printf("%s: writing binary > representation (version %d) to %s\n", argv[0], policyvers, outfile); > + > + policydb.policy_type = POLICY_KERN; > + > + policy_file_init(&pf); > + pf.type = PF_USE_STDIO; > + pf.fp = outfp; > + ret = policydb_write(&policydb, > &pf); > + } else { > + printf("%s: writing policy.conf to > %s\n", > + argv[0], outfile); > + ret = > sepol_kernel_policydb_to_conf(outfp, policydbp); > + } > if (ret) { > fprintf(stderr, "%s: error writing > %s\n", > argv[0], outfile); > @@ -637,7 +657,11 @@ int main(int argc, char **argv) > } > } else { > printf("%s: writing CIL to %s\n",argv[0], > outfile); > - ret = sepol_module_policydb_to_cil(outfp, > policydbp, 1); > + if (binary) { > + ret = > sepol_kernel_policydb_to_cil(outfp, policydbp); > + } else { > + ret = > sepol_module_policydb_to_cil(outfp, policydbp, 1); > + } > if (ret) { > fprintf(stderr, "%s: error writing > %s\n", argv[0], outfile); > exit(1); _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
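Review bot: In the `@@ -621,15 +636,20 @@` hunk the context line `policydb.policyvers = policyvers;` still runs before the new conf branch, so a `-c policyvers` given together with -F (or with -C) is applied to the loaded kernel policy before it is handed to `sepol_kernel_policydb_to_conf`; whether the converter reads policyvers I cannot tell from here, but at minimum `-c` is silently accepted for a mode where it means nothing. If the converters do not depend on it, moving the assignment into the `if (!conf)` binary-write branch makes the intent explicit; otherwise a short comment such as `/* -c also controls the version the conf/CIL converters see */` above the assignment would save the next reader the same question. The enclosing `if (outfile)` block starts outside the hunk.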
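Review bot: The new `if (binary)` split in the `@@ -637,7 +657,11 @@` hunk chooses between `sepol_kernel_policydb_to_cil` and `sepol_module_policydb_to_cil` on the command-line flag alone, with no comment saying why a policy read with -b needs a different converter than one parsed from policy.conf. A one-line note would help, e.g. `/* -b loads a kernel policydb; a parsed policy.conf is presumably still in module form here, so it keeps the module converter */` (hedged, since the parse path is not visible in this hunk). If policydbp's `policy_type` already distinguishes the two cases, keying the branch on that instead of on `binary` would tie the choice to the data rather than to the flag.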