Add the ability to show booleans, classes, roles, types and type attributes of policies.

Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
Almost all of the time seinfo(8) is a superior tool and several policy details are still not supported, e.g. genfscon, ocontexts and class constraints. dispol was however useful in the past to analyze some OSS-Fuzz generated policies, since seinfo trips over non-ascii identifier names.
---
 checkpolicy/test/dispol.c | 94 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 36a3362c..adac2370 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -274,6 +274,18 @@ static int change_bool(char *name, int state, policydb_t * p, FILE * fp)
 return 0;
 }
 
+static int display_booleans(policydb_t * p, FILE *fp)
+{
+ uint32_t i;
+
+ fprintf(fp, "booleans:\n");
+ for (i = 0; i < p->p_bools.nprim; i++) {
+ fprintf(fp, "\t%s : %d\n", p->p_bool_val_to_name[i],
+ p->bool_val_to_struct[i]->state);
+ }
+ return 0;
+}
+
 static void display_policycaps(policydb_t * p, FILE * fp)
 {
 ebitmap_node_t *node;
@@ -292,6 +304,20 @@ static void display_policycaps(policydb_t * p, FILE * fp)
 }
 }
 
+static int display_classes(policydb_t * p, FILE *fp)
+{
+ uint32_t i;
+
+ fprintf(fp, "classes:\n");
+ for (i = 0; i < p->p_classes.nprim; i++) {
+ if (!p->p_class_val_to_name[i])
+ continue;
+
+ fprintf(fp, "\t%s\n", p->p_class_val_to_name[i]);
+ }
+ return 0;
+}
+
 static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type,
 uint32_t symbol_value, const char *prefix)
 {
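Review bot: display_booleans() is the only one of the new listing functions that dereferences without a NULL check: it prints `p->p_bool_val_to_name[i]` and reads `p->bool_val_to_struct[i]->state` unconditionally, whereas display_classes() and display_roles() skip unnamed value slots — and the commit message says this tool is used on OSS-Fuzz generated policies, where such gaps are plausible. Guard both pointers the same way the other functions do: `if (!p->p_bool_val_to_name[i] || !p->bool_val_to_struct[i]) continue;` before the fprintf. The function also returns an int that is always 0 and is ignored by the caller in main(), unlike the neighbouring `static void display_policycaps`; declaring it `static void` — and likewise display_classes(), display_roles(), display_types() and display_attributes() in the following hunks — would match the existing display_* helpers. The new signatures also mix `policydb_t * p` with `FILE *fp` on one line, while each existing neighbour uses one pointer spacing consistently.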
@@ -312,6 +338,54 @@ static void display_permissive(policydb_t *p, FILE *fp)
 }
 }
 
+static int display_roles(policydb_t * p, FILE *fp)
+{
+ uint32_t i;
+
+ fprintf(fp, "roles:\n");
+ for (i = 0; i < p->p_roles.nprim; i++) {
+ if (!p->p_role_val_to_name[i])
+ continue;
+
+ fprintf(fp, "\t%s\n", p->p_role_val_to_name[i]);
+ }
+ return 0;
+}
+
+static int display_types(policydb_t * p, FILE *fp)
+{
+ uint32_t i;
+
+ fprintf(fp, "types:\n");
+ for (i = 0; i < p->p_types.nprim; i++) {
+ if (!p->p_type_val_to_name[i])
+ continue;
+
+ if (p->type_val_to_struct[i]->flavor == TYPE_ATTRIB)
+ continue;
+
+ fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
+ }
+ return 0;
+}
+
+static int display_attributes(policydb_t * p, FILE *fp)
+{
+ uint32_t i;
+
+ fprintf(fp, "attributes:\n");
+ for (i = 0; i < p->p_types.nprim; i++) {
+ if (!p->p_type_val_to_name[i])
+ continue;
+
+ if (p->type_val_to_struct[i]->flavor != TYPE_ATTRIB)
+ continue;
+
+ fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
+ }
+ return 0;
+}
+
 static void display_role_trans(policydb_t *p, FILE *fp)
 {
 role_trans_t *rt;
@@ -381,6 +455,11 @@ static int menu(void)
 printf("8) display role transitions\n");
 printf("\n");
 printf("c) display policy capabilities\n");
+ printf("b) display booleans\n");
+ printf("C) display classes\n");
+ printf("r) display roles\n");
+ printf("t) display types\n");
+ printf("a) display type attributes\n");
 printf("p) display the list of permissive types\n");
 printf("u) display unknown handling setting\n");
 printf("F) display filename_trans rules\n");
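Review bot: display_types() and display_attributes() check `p->p_type_val_to_name[i]` for NULL but then dereference `p->type_val_to_struct[i]->flavor` without checking that pointer, so a policy whose name table and datum table disagree (the OSS-Fuzz inputs the commit message mentions are the obvious source) crashes the tool instead of being skipped. The two bodies are also identical apart from the `==` / `!=` on TYPE_ATTRIB, so one shared helper can carry the extra NULL guard and the explanatory comment once; both functions are complete within this hunk. Sketch of the shared helper and the two thin wrappers (names are a proposal):
```c
/* Print, under `header`, every indexed type whose flavor is TYPE_ATTRIB
 * (attributes != 0) or is not TYPE_ATTRIB (attributes == 0). */
static void display_types_by_flavor(policydb_t *p, FILE *fp,
				    const char *header, int attributes)
{
	uint32_t i;

	fprintf(fp, "%s:\n", header);
	for (i = 0; i < p->p_types.nprim; i++) {
		/* a name without a datum (or vice versa) indicates a
		 * malformed policy; skip the slot rather than dereference NULL */
		if (!p->p_type_val_to_name[i] || !p->type_val_to_struct[i])
			continue;

		if ((p->type_val_to_struct[i]->flavor == TYPE_ATTRIB) != (attributes != 0))
			continue;

		fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
	}
}

static int display_types(policydb_t * p, FILE *fp)
{
	display_types_by_flavor(p, fp, "types", 0);
	return 0;
}

static int display_attributes(policydb_t * p, FILE *fp)
{
	display_types_by_flavor(p, fp, "attributes", 1);
	return 0;
}
```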
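Review bot: The menu now separates `c) display policy capabilities` from `C) display classes` by letter case alone, while the switch in main() (the next hunk) deliberately accepts both `u` and `U` for the unknown-handling setting, so a user who has learned that keys are case-insensitive will get the class list when asking for capabilities. Either choose a key for classes that is not the upper-case form of an existing key, or make the distinction visible in the menu text, e.g. `printf("C) display classes (upper-case C)\n");`. menu() starts before this hunk.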
@@ -511,12 +590,27 @@ int main(int argc, char **argv)
 case '8':
 display_role_trans(&policydb, out_fp);
 break;
+ case 'a':
+ display_attributes(&policydb, out_fp);
+ break;
+ case 'b':
+ display_booleans(&policydb, out_fp);
+ break;
 case 'c':
 display_policycaps(&policydb, out_fp);
 break;
+ case 'C':
+ display_classes(&policydb, out_fp);
+ break;
 case 'p':
 display_permissive(&policydb, out_fp);
 break;
+ case 'r':
+ display_roles(&policydb, out_fp);
+ break;
+ case 't':
+ display_types(&policydb, out_fp);
+ break;
 case 'u':
 case 'U':
 display_handle_unknown(&policydb, out_fp);
-- 2.40.0