Export initial SIDs, so they can be used for example in checkpolicy. Add helper functions for name lookup.
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
 libsepol/include/sepol/policydb/initialsids.h | 89 +++++++++++++++++++
 libsepol/include/sepol/policydb/policydb.h | 2 +-
 libsepol/src/kernel_to_cil.c | 1 +
 libsepol/src/kernel_to_common.h | 53 -----------
 libsepol/src/kernel_to_conf.c | 1 +
 libsepol/src/module_to_cil.c | 1 +
 6 files changed, 93 insertions(+), 54 deletions(-)
 create mode 100644 libsepol/include/sepol/policydb/initialsids.h
diff --git a/libsepol/include/sepol/policydb/initialsids.h b/libsepol/include/sepol/policydb/initialsids.h
new file mode 100644
index 00000000..7b2fe021
--- /dev/null
+++ b/libsepol/include/sepol/policydb/initialsids.h
@@ -0,0 +1,89 @@
+#ifndef _SEPOL_POLICYDB_INITIALSIDS_H_
+#define _SEPOL_POLICYDB_INITIALSIDS_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+// initial sid names aren't actually stored in the pp files, need to a have
+// a mapping, taken from the linux kernel
+static const char * const selinux_sid_to_str[] = {
+ "null",
+ "kernel",
+ "security",
+ "unlabeled",
+ "fs",
+ "file",
+ "file_labels",
+ "init",
+ "any_socket",
+ "port",
+ "netif",
+ "netmsg",
+ "node",
+ "igmp_packet",
+ "icmp_socket",
+ "tcp_socket",
+ "sysctl_modprobe",
+ "sysctl",
+ "sysctl_fs",
+ "sysctl_kernel",
+ "sysctl_net",
+ "sysctl_net_unix",
+ "sysctl_vm",
+ "sysctl_dev",
+ "kmod",
+ "policy",
+ "scmp_packet",
+ "devnull",
+};
+
+#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0]))
+
+static inline unsigned int selinux_str_to_sid(const char *name)
+{
+ unsigned i;
+
+ for (i = 1; i < SELINUX_SID_SZ; i++) {
+ if (strcmp(name, selinux_sid_to_str[i]) == 0)
+ return i;
+ }
+
+ return 0;
+}
+
+static const char * const xen_sid_to_str[] = {
+ "null",
+ "xen",
+ "dom0",
+ "domio",
+ "domxen",
+ "unlabeled",
+ "security",
+ "ioport",
+ "iomem",
+ "irq",
+ "device",
+ "domU",
+ "domDM",
+};
+
+#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
+
+static inline unsigned int xen_str_to_sid(const char *name)
+{
+ unsigned i;
+
+ for (i = 1; i < XEN_SID_SZ; i++) {
+ if (strcmp(name, xen_sid_to_str[i]) == 0)
+ return i;
+ }
+
+ return 0;
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _SEPOL_POLICYDB_INITIALSIDS_H_ */
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index de0068a6..2ce4da5d 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
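Review bot: `strcmp` is called from `selinux_str_to_sid` and `xen_str_to_sid`, but the new header includes nothing itself, so as a public, installed header it is not self-contained: a consumer that includes `<sepol/policydb/initialsids.h>` before `<string.h>` gets an implicit declaration, which is an error under C99 and later. Add `#include <string.h>` directly after the include guard. The two lookups also return 0 for an unknown name, and 0 is also the index of the reserved "null" entry the loop starts past, while `name` is handed to `strcmp` unchecked; a short comment above each helper, e.g. `/* Returns the SID for name, or 0 (the reserved "null" slot, never matched) if unknown; name must be non-NULL. */`, would make that contract explicit for the checkpolicy callers the commit message has in mind. Since the table comment is being moved anyway, it is a good moment to fix its wording from "need to a have a mapping" to "need to have a mapping".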
@@ -340,7 +340,7 @@ typedef struct range_trans_rule {
 */
 typedef struct ocontext {
 union {
- char *name; /* name of initial SID, fs, netif, fstype, path */
+ char *name; /* name of initial SID (not saved in binary policy), fs, netif, fstype, path */
 struct {
 uint8_t protocol;
 uint16_t low_port;
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 9128ac55..42251684 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -20,6 +20,7 @@
 #include <sepol/policydb/avtab.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/hashtab.h>
+#include <sepol/policydb/initialsids.h>
 #include <sepol/policydb/polcaps.h>
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/services.h>
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 159c4289..5e8482bf 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -10,59 +10,6 @@
 #define DEFAULT_LEVEL "systemlow"
 #define DEFAULT_OBJECT "object_r"
 
-// initial sid names aren't actually stored in the pp files, need to a have
-// a mapping, taken from the linux kernel
-static const char * const selinux_sid_to_str[] = {
- "null",
- "kernel",
- "security",
- "unlabeled",
- "fs",
- "file",
- "file_labels",
- "init",
- "any_socket",
- "port",
- "netif",
- "netmsg",
- "node",
- "igmp_packet",
- "icmp_socket",
- "tcp_socket",
- "sysctl_modprobe",
- "sysctl",
- "sysctl_fs",
- "sysctl_kernel",
- "sysctl_net",
- "sysctl_net_unix",
- "sysctl_vm",
- "sysctl_dev",
- "kmod",
- "policy",
- "scmp_packet",
- "devnull",
-};
-
-#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0]))
-
-static const char * const xen_sid_to_str[] = {
- "null",
- "xen",
- "dom0",
- "domio",
- "domxen",
- "unlabeled",
- "security",
- "ioport",
- "iomem",
- "irq",
- "device",
- "domU",
- "domDM",
-};
-
-#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
-
 static const uint32_t avtab_flavors[] = {
 AVTAB_ALLOWED,
 AVTAB_AUDITALLOW,
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 63dffd9b..51a8270d 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -19,6 +19,7 @@
 #include <sepol/policydb/avtab.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/hashtab.h>
+#include <sepol/policydb/initialsids.h>
 #include <sepol/policydb/polcaps.h>
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/services.h>
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index b35bf055..1945b369 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -47,6 +47,7 @@
 #include <sepol/module_to_cil.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/hashtab.h>
+#include <sepol/policydb/initialsids.h>
 #include <sepol/policydb/polcaps.h>
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/services.h>
-- 
2.36.1