On Wed, Apr 17, 2019 at 9:37 AM Gary Tierney <gary.tierney@xxxxxxxxxxxx> wrote:
>
> Currently checkpolicy can produce binary policies for earlier policy versions
> to provide support for building policies on one machine and loading/analyzing
> them on another machine with an earlier version of the kernel or libsepol,
> respectively. However, checkmodule was lacking this capability.
>
> This commit adds an identical `-c` flag that can be passed to checkmodule that
> will build a modular policy file of the specified version.
>
> Signed-off-by: Gary Tierney <gary.tierney@xxxxxxxxxxxx>
> ---
> checkpolicy/checkmodule.8 | 5 ++++-
> checkpolicy/checkmodule.c | 29 +++++++++++++++++++++++++++--
> 2 files changed, 31 insertions(+), 3 deletions(-)
>
> diff --git a/checkpolicy/checkmodule.8 b/checkpolicy/checkmodule.8
> index cf76591c24d0..e55582f30ec0 100644
> --- a/checkpolicy/checkmodule.8
> +++ b/checkpolicy/checkmodule.8
> @@ -38,7 +38,7 @@ Generate a non-base policy module.
> Enable the MLS/MCS support when checking and compiling the policy module.
> .TP
> .B \-V,\-\-version
> - Show policy versions created by this program. Note that you cannot currently build older versions.
> +Show policy versions created by this program.
> .TP
> .B \-o,\-\-output filename
> Write a binary policy module file to the specified filename.
> @@ -47,6 +47,9 @@ and will not generate a binary module at all.
> .TP
> .B \-U,\-\-handle-unknown <action>
> Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).
> +.TP
> +.B \-c policyvers
> +Specify the policy version, defaults to the latest.
>
> .SH EXAMPLE
> .nf
> diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
> index 8edc1f8c7bbd..3bb9e5a4a6b3 100644
> --- a/checkpolicy/checkmodule.c
> +++ b/checkpolicy/checkmodule.c
> @@ -142,6 +142,8 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
> printf(" -m build a policy module instead of a base module\n");
> printf(" -M enable MLS policy\n");
> printf(" -o FILE write module to FILE (else just check syntax)\n");
> + printf(" -c VERSION build a policy module targeting a modular policy version (%d-%d)\n",
> + MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX);
> exit(1);
> }
>
> @@ -163,7 +165,7 @@ int main(int argc, char **argv)
> {NULL, 0, NULL, 0}
> };
>
> - while ((ch = getopt_long(argc, argv, "ho:bVU:mMC", long_options, NULL)) != -1) {
> + while ((ch = getopt_long(argc, argv, "ho:bVU:mMCc:", long_options, NULL)) != -1) {
> switch (ch) {
> case 'h':
> usage(argv[0]);
> @@ -194,7 +196,6 @@ int main(int argc, char **argv)
> usage(argv[0]);
> case 'm':
> policy_type = POLICY_MOD;
> - policyvers = MOD_POLICYDB_VERSION_MAX;
> break;
> case 'M':
> mlspol = 1;
> @@ -202,6 +203,30 @@ int main(int argc, char **argv)
> case 'C':
> cil = 1;
> break;
> + case 'c': {
> + long int n;
> + errno = 0;
> + n = strtol(optarg, NULL, 10);
> +
> + if (errno) {
Get rid of this newline between the strtol() and errno.
> + fprintf(stderr,
> + "Invalid policyvers specified: %s\n",
> + optarg);
> + usage(argv[0]);
> + }
> +
> + if (n < MOD_POLICYDB_VERSION_MIN
> + || n > MOD_POLICYDB_VERSION_MAX) {
> + fprintf(stderr,
> + "policyvers value %ld not in range %d-%d\n",
> + n, MOD_POLICYDB_VERSION_MIN,
> + MOD_POLICYDB_VERSION_MAX);
> + usage(argv[0]);
> + }
> +
> + policyvers = n;
> + break;
> + }
> default:
> usage(argv[0]);
> }
> --
> 2.17.2
>
