On Mon, Apr 24, 2023 at 3:07 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Fri, Mar 31, 2023 at 1:37 PM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> >
> > Add the ability to show booleans, classes, roles, types and type
> > attributes of policies.
> >
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> Acked-by: James Carter <jwcart2@xxxxxxxxx>
>
This patch has been merged since it was independent of the other two. (The other two were not merged.) Thanks, Jim
> > ---
> > Almost all of the time seinfo(8) is a superior tool and several policy
> > details are still not supported, e.g. genfscon, ocontexts and class
> > constraints.
> > dispol was however useful in the past to analyze some OSS-Fuzz generated
> > policies, since seinfo trips over non-ascii identifier names.
> > ---
> > checkpolicy/test/dispol.c | 94 +++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 94 insertions(+)
> >
> > diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
> > index 36a3362c..adac2370 100644
> > --- a/checkpolicy/test/dispol.c
> > +++ b/checkpolicy/test/dispol.c
> > @@ -274,6 +274,18 @@ static int change_bool(char *name, int state, policydb_t * p, FILE * fp)
> > return 0;
> > }
> >
> > +static int display_booleans(policydb_t * p, FILE *fp)
> > +{
> > + uint32_t i;
> > +
> > + fprintf(fp, "booleans:\n");
> > + for (i = 0; i < p->p_bools.nprim; i++) {
> > + fprintf(fp, "\t%s : %d\n", p->p_bool_val_to_name[i],
> > + p->bool_val_to_struct[i]->state);
> > + }
> > + return 0;
> > +}
> > +
> > static void display_policycaps(policydb_t * p, FILE * fp)
> > {
> > ebitmap_node_t *node;
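Review bot: display_booleans passes `p->p_bool_val_to_name[i]` to `%s` and dereferences `p->bool_val_to_struct[i]` with no NULL check, while display_classes, display_roles, display_types and display_attributes in this same patch skip entries whose name pointer is NULL. Whether a loaded policy can leave a gap in the boolean arrays is not visible here, but the commit message says the tool is run on fuzz-generated policies, so the loop body should begin with `if (!p->p_bool_val_to_name[i] || !p->bool_val_to_struct[i]) continue;`. The trailing context of the hunk (display_policycaps) continues outside it.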
> > @@ -292,6 +304,20 @@ static void display_policycaps(policydb_t * p, FILE * fp)
> > }
> > }
> >
> > +static int display_classes(policydb_t * p, FILE *fp)
> > +{
> > + uint32_t i;
> > +
> > + fprintf(fp, "classes:\n");
> > + for (i = 0; i < p->p_classes.nprim; i++) {
> > + if (!p->p_class_val_to_name[i])
> > + continue;
> > +
> > + fprintf(fp, "\t%s\n", p->p_class_val_to_name[i]);
> > + }
> > + return 0;
> > +}
> > +
> > static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type,
> > uint32_t symbol_value, const char *prefix)
> > {
> > @@ -312,6 +338,54 @@ static void display_permissive(policydb_t *p, FILE *fp)
> > }
> > }
> >
> > +static int display_roles(policydb_t * p, FILE *fp)
> > +{
> > + uint32_t i;
> > +
> > + fprintf(fp, "roles:\n");
> > + for (i = 0; i < p->p_roles.nprim; i++) {
> > + if (!p->p_role_val_to_name[i])
> > + continue;
> > +
> > + fprintf(fp, "\t%s\n", p->p_role_val_to_name[i]);
> > + }
> > + return 0;
> > +}
> > +
> > +static int display_types(policydb_t * p, FILE *fp)
> > +{
> > + uint32_t i;
> > +
> > + fprintf(fp, "types:\n");
> > + for (i = 0; i < p->p_types.nprim; i++) {
> > + if (!p->p_type_val_to_name[i])
> > + continue;
> > +
> > + if (p->type_val_to_struct[i]->flavor == TYPE_ATTRIB)
> > + continue;
> > +
> > + fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
> > + }
> > + return 0;
> > +}
> > +
> > +static int display_attributes(policydb_t * p, FILE *fp)
> > +{
> > + uint32_t i;
> > +
> > + fprintf(fp, "attributes:\n");
> > + for (i = 0; i < p->p_types.nprim; i++) {
> > + if (!p->p_type_val_to_name[i])
> > + continue;
> > +
> > + if (p->type_val_to_struct[i]->flavor != TYPE_ATTRIB)
> > + continue;
> > +
> > + fprintf(fp, "\t%s\n", p->p_type_val_to_name[i]);
> > + }
> > + return 0;
> > +}
> > +
> > static void display_role_trans(policydb_t *p, FILE *fp)
> > {
> > role_trans_t *rt;
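Review bot: The class name is written to `fp` through a bare `%s`, so whatever bytes the policy file stores as an identifier are emitted unmodified; display_roles, display_types, display_attributes and display_booleans do the same. The commit message says the tool is used on fuzz-generated policies with non-ASCII identifiers, so control bytes in a name would reach the terminal whenever `fp` is one. Escaping non-printable bytes in one small helper keeps the listing readable and inert; the sketch below needs `<ctype.h>`. The existing display_id helper, whose body is outside this hunk, may be the better place for it.

```c
/* Print a policy identifier, showing non-printable bytes as \xNN. */
static void display_name(FILE *fp, const char *name)
{
	const unsigned char *c;

	for (c = (const unsigned char *)name; *c; c++) {
		if (isprint(*c))
			fputc(*c, fp);
		else
			fprintf(fp, "\\x%02x", *c);
	}
}

static int display_classes(policydb_t * p, FILE *fp)
{
	/* … unchanged: header line, loop and NULL-name skip … */
		fputc('\t', fp);
		display_name(fp, p->p_class_val_to_name[i]);
		fputc('\n', fp);
	/* … unchanged: loop end and return … */
}
```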
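Review bot: display_types and display_attributes check `p->p_type_val_to_name[i]` but then read `p->type_val_to_struct[i]->flavor` with no check on that second pointer. The two arrays are presumably filled together, which this patch does not show; since the tool is meant for malformed, fuzz-generated policies, the guard in both functions should be `if (!p->p_type_val_to_name[i] || !p->type_val_to_struct[i]) continue;`. The two bodies also differ only in `==` versus `!=` against `TYPE_ATTRIB` and could share one static helper that takes a flag. display_role_trans at the end of the hunk continues outside it.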
> > @@ -381,6 +455,11 @@ static int menu(void)
> > printf("8) display role transitions\n");
> > printf("\n");
> > printf("c) display policy capabilities\n");
> > + printf("b) display booleans\n");
> > + printf("C) display classes\n");
> > + printf("r) display roles\n");
> > + printf("t) display types\n");
> > + printf("a) display type attributes\n");
> > printf("p) display the list of permissive types\n");
> > printf("u) display unknown handling setting\n");
> > printf("F) display filename_trans rules\n");
> > @@ -511,12 +590,27 @@ int main(int argc, char **argv)
> > case '8':
> > display_role_trans(&policydb, out_fp);
> > break;
> > + case 'a':
> > + display_attributes(&policydb, out_fp);
> > + break;
> > + case 'b':
> > + display_booleans(&policydb, out_fp);
> > + break;
> > case 'c':
> > display_policycaps(&policydb, out_fp);
> > break;
> > + case 'C':
> > + display_classes(&policydb, out_fp);
> > + break;
> > case 'p':
> > display_permissive(&policydb, out_fp);
> > break;
> > + case 'r':
> > + display_roles(&policydb, out_fp);
> > + break;
> > + case 't':
> > + display_types(&policydb, out_fp);
> > + break;
> > case 'u':
> > case 'U':
> > display_handle_unknown(&policydb, out_fp);
> > --
> > 2.40.0
> >
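Review bot: The five new calls in the switch discard an `int` result that carries no information, because display_attributes, display_booleans, display_classes, display_roles and display_types each end in an unconditional `return 0;`. The neighbours called from the same switch (display_policycaps, display_permissive, display_role_trans) are declared `static void` in this patch's context lines, so the new functions should match, e.g. `static void display_classes(policydb_t *p, FILE *fp)`. If a status is wanted, return the `fprintf` failure and check it at the call site instead. The switch in main starts and ends outside the hunk.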