On Fri, Mar 31, 2023 at 1:37 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> Add the ability to show booleans, classes, roles, types and type
> attributes of policies.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
Acked-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> Almost all of the time seinfo(8) is a superior tool and several policy
> details are still not supported, e.g. genfscon, ocontexts and class
> constraints.
> dispol was however useful in the past to analyze some OSS-Fuzz generated
> policies, since seinfo trips over non-ascii identifier names.
> ---
> checkpolicy/test/dispol.c | 94 +++++++++++++++++++++++++++++++++++++++
> 1 file changed, 94 insertions(+)
>
> diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
> index 36a3362c..adac2370 100644
> --- a/checkpolicy/test/dispol.c
> +++ b/checkpolicy/test/dispol.c
> @@ -274,6 +274,18 @@ static int change_bool(char *name, int state, policydb_t * p, FILE * fp)
> return 0;
> }
>
> +static int display_booleans(policydb_t * p, FILE *fp)
> +{
> + uint32_t i;
> +
> + fprintf(fp, "booleans:\n");
> + for (i = 0; i < p->p_bools.nprim; i++) {
> + fprintf(fp, "\t%s : %d\n", p->p_bool_val_to_name[i],
> + p->bool_val_to_struct[i]->state);
> + }
> + return 0;
> +}
> +
> static void display_policycaps(policydb_t * p, FILE * fp)
> {
> ebitmap_node_t *node;
> @@ -292,6 +304,20 @@ static void display_policycaps(policydb_t * p, FILE * fp)
> }
> }
>
> +static int display_classes(policydb_t * p, FILE *fp)
> +{
> + uint32_t i;
> +
> + fprintf(fp, "classes:\n");
> + for (i = 0; i < p->p_classes.nprim; i++) {
> + if (!p->p_class_val_to_name[i])
> + continue;
> +
> + fprintf(fp, "\t%s\n", p->p_class_val_to_name[i]);
> + }
> + return 0;
> +}
> +
> static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type,
> uint32_t symbol_value, const char *prefix)
> {
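Review bot: display_booleans dereferences `p->p_bool_val_to_name[i]` and `p->bool_val_to_struct[i]` without the NULL guard that display_classes in the next hunk (and display_roles/display_types/display_attributes later in the series) apply to their val_to_name arrays. Whether the boolean tables can have unfilled slots is not visible from here, but the cover letter says the tool is used on OSS-Fuzz generated policies, so being at least as defensive as the sibling helpers seems warranted: `if (!p->p_bool_val_to_name[i] || !p->bool_val_to_struct[i])` / `continue;` before the fprintf. As a point of style, all five new helpers return an `int` that is always 0 and that the callers in main discard, while the neighbouring display_policycaps is `void`; declaring them `void` would make the convention consistent.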
> @@ -312,6 +338,54 @@ static void display_permissive(policydb_t *p, FILE *fp)
> }
> }
>
> +static int display_roles(policydb_t * p, FILE *fp)
> +{
> + uint32_t i;
> +
> + fprintf(fp, "roles:\n");
> + for (i = 0; i < p->p_roles.nprim; i++) {
> + if (!p->p_role_val_to_name[i])
> + continue;
> +
> + fprintf(fp, "\t%s\n", p->p_role_val_to_name[i]);
> + }
> + return 0;
> +}
> +
> +static int display_types(policydb_t * p, FILE *fp)
> +{
> + uint32_t i;
> +
> + fprintf(fp, "types:\n");
> + for (i = 0; i < p->p_types.nprim; i++) {
> + if (!p->p_type_val_to_name[i])
> + continue;
> +
> + if (p->type_val_to_struct[i]->flavor == TYPE_ATTRIB)
> + continue;
> +
> + fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
> + }
> + return 0;
> +}
> +
> +static int display_attributes(policydb_t * p, FILE *fp)
> +{
> + uint32_t i;
> +
> + fprintf(fp, "attributes:\n");
> + for (i = 0; i < p->p_types.nprim; i++) {
> + if (!p->p_type_val_to_name[i])
> + continue;
> +
> + if (p->type_val_to_struct[i]->flavor != TYPE_ATTRIB)
> + continue;
> +
> + fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
> + }
> + return 0;
> +}
> +
> static void display_role_trans(policydb_t *p, FILE *fp)
> {
> role_trans_t *rt;
> @@ -381,6 +455,11 @@ static int menu(void)
> printf("8) display role transitions\n");
> printf("\n");
> printf("c) display policy capabilities\n");
> + printf("b) display booleans\n");
> + printf("C) display classes\n");
> + printf("r) display roles\n");
> + printf("t) display types\n");
> + printf("a) display type attributes\n");
> printf("p) display the list of permissive types\n");
> printf("u) display unknown handling setting\n");
> printf("F) display filename_trans rules\n");
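Review bot: display_types and display_attributes are the same loop over `p->p_types` with only the flavor test inverted, so the two bodies will drift apart the next time one of them gains a check. A small helper parameterized on whether attributes or non-attributes are wanted, plus the heading, keeps the exact filter of both (including the `!= TYPE_ATTRIB` form in display_types, so any flavor other than TYPE_ATTRIB is still listed as a type) and leaves the two public names as one-line wrappers. The display_types and display_attributes functions are complete within the hunk; display_role_trans after them continues outside it.
```c
/* List the named entries of p->p_types under `title`; attributes is
 * non-zero to list only TYPE_ATTRIB entries, zero to list everything else. */
static int display_types_by_flavor(policydb_t * p, FILE *fp, int attributes,
				   const char *title)
{
	uint32_t i;

	fprintf(fp, "%s:\n", title);
	for (i = 0; i < p->p_types.nprim; i++) {
		if (!p->p_type_val_to_name[i])
			continue;

		if ((p->type_val_to_struct[i]->flavor == TYPE_ATTRIB) != attributes)
			continue;

		fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
	}
	return 0;
}

static int display_types(policydb_t * p, FILE *fp)
{
	return display_types_by_flavor(p, fp, 0, "types");
}

static int display_attributes(policydb_t * p, FILE *fp)
{
	return display_types_by_flavor(p, fp, 1, "attributes");
}
```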
> @@ -511,12 +590,27 @@ int main(int argc, char **argv)
> case '8':
> display_role_trans(&policydb, out_fp);
> break;
> + case 'a':
> + display_attributes(&policydb, out_fp);
> + break;
> + case 'b':
> + display_booleans(&policydb, out_fp);
> + break;
> case 'c':
> display_policycaps(&policydb, out_fp);
> break;
> + case 'C':
> + display_classes(&policydb, out_fp);
> + break;
> case 'p':
> display_permissive(&policydb, out_fp);
> break;
> + case 'r':
> + display_roles(&policydb, out_fp);
> + break;
> + case 't':
> + display_types(&policydb, out_fp);
> + break;
> case 'u':
> case 'U':
> display_handle_unknown(&policydb, out_fp);
> --
> 2.40.0
>
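Review bot: The new `case 'C':` for classes sits next to the existing `case 'c':` for policy capabilities, so the two commands differ only in letter case, while the adjacent `case 'u': case 'U':` pair shows the tool otherwise treating both cases of a key as the same command. Someone who types `C` expecting capabilities (by analogy with `U`) will now get the class list instead, and the menu text in the previous hunk gives no hint that case matters here. If a distinct letter that the menu does not already use is available, picking it for classes would avoid the ambiguity; otherwise the menu line could say so, e.g. `printf("C) display classes (case-sensitive)\n");`. The switch in main continues outside the hunk.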