checkpolicy: Add debug feature to display constraints / validatetrans

Allow mls/constraint mls/validatetrans constraints to be displayed
in debug mode. If POLICY_KERN version is >=
POLICYDB_VERSION_CONSTRAINT_NAMES then the policy defined
types/attributes will be returned.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
This commit is contained in:
Richard Haines 2013-11-03 19:12:29 +00:00 committed by Stephen Smalley
parent e1551b91af
commit ab9cbb1f8e
1 changed files with 109 additions and 1 deletions

View File

@ -377,7 +377,7 @@ static int check_level(hashtab_key_t key, hashtab_datum_t datum, void *arg)
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
sepol_security_class_t tclass; sepol_security_class_t tclass;
sepol_security_id_t ssid, tsid, *sids; sepol_security_id_t ssid, tsid, *sids, oldsid, newsid, tasksid;
sepol_security_context_t scontext; sepol_security_context_t scontext;
struct sepol_av_decision avd; struct sepol_av_decision avd;
class_datum_t *cladatum; class_datum_t *cladatum;
@ -395,6 +395,9 @@ int main(int argc, char **argv)
char *name; char *name;
int state; int state;
int show_version = 0; int show_version = 0;
char *reason_buf = NULL;
unsigned int reason;
int flags;
struct policy_file pf; struct policy_file pf;
struct option long_options[] = { struct option long_options[] = {
{"output", required_argument, NULL, 'o'}, {"output", required_argument, NULL, 'o'},
@ -644,6 +647,8 @@ int main(int argc, char **argv)
printf("f) display conditional bools\n"); printf("f) display conditional bools\n");
printf("g) display conditional expressions\n"); printf("g) display conditional expressions\n");
printf("h) change a boolean value\n"); printf("h) change a boolean value\n");
printf("i) display constraint expressions\n");
printf("j) display validatetrans expressions\n");
#ifdef EQUIVTYPES #ifdef EQUIVTYPES
printf("z) Show equivalent types\n"); printf("z) Show equivalent types\n");
#endif #endif
@ -1060,6 +1065,109 @@ int main(int argc, char **argv)
change_bool(name, state); change_bool(name, state);
free(name); free(name);
break; break;
case 'i':
printf("source sid? ");
FGETS(ans, sizeof(ans), stdin);
ssid = atoi(ans);
printf("target sid? ");
FGETS(ans, sizeof(ans), stdin);
tsid = atoi(ans);
printf("target class? ");
FGETS(ans, sizeof(ans), stdin);
if (isdigit(ans[0])) {
tclass = atoi(ans);
if (!tclass
|| tclass > policydb.p_classes.nprim) {
printf("\nNo such class.\n");
break;
}
cladatum =
policydb.class_val_to_struct[tclass - 1];
} else {
ans[strlen(ans) - 1] = 0;
cladatum =
(class_datum_t *) hashtab_search(policydb.
p_classes.
table,
ans);
if (!cladatum) {
printf("\nNo such class\n");
break;
}
tclass = cladatum->s.value;
}
flags = SHOW_GRANTED;
if (sepol_compute_av_reason_buffer(ssid, tsid,
tclass, 0, &avd, &reason,
&reason_buf, flags)) {
printf("\nconstraint error\n");
break;
}
if (reason_buf) {
printf("\nConstraint expressions:\n%s",
reason_buf);
free(reason_buf);
} else {
printf("\nNo constraints found.\n");
}
break;
case 'j':
printf("old sid? ");
FGETS(ans, sizeof(ans), stdin);
oldsid = atoi(ans);
printf("new sid? ");
FGETS(ans, sizeof(ans), stdin);
newsid = atoi(ans);
printf("task sid? ");
FGETS(ans, sizeof(ans), stdin);
tasksid = atoi(ans);
printf("target class? ");
FGETS(ans, sizeof(ans), stdin);
if (isdigit(ans[0])) {
tclass = atoi(ans);
if (!tclass
|| tclass > policydb.p_classes.nprim) {
printf("\nNo such class.\n");
break;
}
cladatum =
policydb.class_val_to_struct[tclass - 1];
} else {
ans[strlen(ans) - 1] = 0;
cladatum =
(class_datum_t *) hashtab_search(policydb.
p_classes.
table,
ans);
if (!cladatum) {
printf("\nNo such class\n");
break;
}
tclass = cladatum->s.value;
}
flags = SHOW_GRANTED;
if (sepol_validate_transition_reason_buffer(oldsid,
newsid, tasksid, tclass,
&reason_buf, flags)) {
printf("\nvalidatetrans error\n");
break;
}
if (reason_buf) {
printf("\nValidatetrans expressions:\n%s",
reason_buf);
free(reason_buf);
} else {
printf(
"\nNo validatetrans expressions found.\n");
}
break;
#ifdef EQUIVTYPES #ifdef EQUIVTYPES
case 'z': case 'z':
identify_equiv_types(); identify_equiv_types();