initial import from svn trunk revision 2950

Joshua Brindle 2008-08-19 15:30:36 -04:00
commit 13cd4c8960
860 changed files with 234200 additions and 0 deletions

37
Makefile Normal file

@ -0,0 +1,37 @@
SUBDIRS=libsepol libselinux libsemanage sepolgen checkpolicy policycoreutils # policy
PYSUBDIRS=libselinux libsemanage
ifeq ($(DEBUG),1)
export CFLAGS = -g3 -O0 -gdwarf-2 -fno-strict-aliasing -Wall -Wshadow -Werror
export LDFLAGS = -g
endif
install relabel:
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
done
install-pywrap swigify:
@for subdir in $(PYSUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
done
clean:
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
done
distclean:
@for subdir in libselinux libsemanage; do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
done
test:
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
done
indent:
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
done
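Review bot: there is no default `all` goal, so a bare `make` in this directory runs the first rule, `install relabel`, and starts installing into the system; add an `all:` rule ahead of it that recurses into `$(SUBDIRS)` like the others, and declare `install relabel install-pywrap swigify clean distclean test indent` as `.PHONY`, since none of them produces a file of that name and a stray file called `test` or `clean` would otherwise satisfy the target. The `distclean` rule also hard-codes `libselinux libsemanage` where every other rule iterates `$(SUBDIRS)` or `$(PYSUBDIRS)`; writing `for subdir in $(PYSUBDIRS)` keeps the two lists from drifting apart.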

340
checkpolicy/COPYING Normal file

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

354
checkpolicy/ChangeLog Normal file

@ -0,0 +1,354 @@
2.0.16 2008-05-27
* Update checkpolicy for user and role mapping support from Joshua Brindle.
2.0.15 2008-05-05
* Fix for policy module versions that look like IPv4 addresses from Jim Carter.
Resolves bug 444451.
2.0.14 2008-03-24
* Add permissive domain support from Eric Paris.
2.0.13 2008-03-05
* Split out non-grammar parts of policy_parse.yacc into
policy_define.c and policy_define.h from Todd C. Miller.
2.0.12 2008-03-04
* Initialize struct policy_file before using it, from Todd C. Miller.
2.0.11 2008-03-03
* Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller.
2.0.10 2008-02-28
* Use yyerror2() where appropriate from Todd C. Miller.
2.0.9 2008-02-04
* Update dispol for libsepol avtab changes from Stephen Smalley.
2.0.8 2008-01-24
* Deprecate role dominance in parser.
2.0.7 2008-01-02
* Added support for policy capabilities from Todd Miller.
2.0.6 2007-11-15
* Initialize the source file name from the command line argument so that checkpolicy/checkmodule report something more useful than "unknown source".
2.0.5 2007-11-01
* Merged remove use of REJECT and trailing context in lex rules; make ipv4 address parsing like ipv6 from James Carter.
2.0.4 2007-09-18
* Merged handle unknown policydb flag support from Eric Paris.
Adds new command line options -U {allow, reject, deny} for selecting
the flag when a base module or kernel policy is built.
2.0.3 2007-05-31
* Merged fix for segfault on duplicate require of sensitivity from Caleb Case.
* Merged fix for dead URLs in checkpolicy man pages from Dan Walsh.
2.0.2 2007-04-12
* Merged checkmodule man page fix from Dan Walsh.
2.0.1 2007-02-20
* Merged patch to allow dots in class identifiers from Caleb Case.
2.0.0 2007-02-01
* Merged patch to use new libsepol error codes by Karl MacMillan.
1.34.0 2007-01-18
* Updated version for stable branch.
1.33.1 2006-11-13
* Collapse user identifiers and identifiers together.
1.32 2006-10-17
* Updated version for release.
1.30.12 2006-09-28
* Merged user and range_transition support for modules from
Darrel Goeddel
1.30.11 2006-09-05
* merged range_transition enhancements and user module format
changes from Darrel Goeddel
1.30.10 2006-08-03
* Merged symtab datum patch from Karl MacMillan.
1.30.9 2006-06-29
* Lindent.
1.30.8 2006-06-29
* Merged patch to remove TE rule conflict checking from the parser
from Joshua Brindle. This can only be done properly by the
expander.
1.30.7 2006-06-27
* Merged patch to make checkpolicy/checkmodule handling of
duplicate/conflicting TE rules the same as the expander
from Joshua Brindle.
1.30.6 2006-06-26
* Merged optionals in base take 2 patch set from Joshua Brindle.
1.30.5 2006-05-05
* Merged compiler cleanup patch from Karl MacMillan.
* Merged fix warnings patch from Karl MacMillan.
1.30.4 2006-04-05
* Changed require_class to reject permissions that have not been
declared if building a base module.
1.30.3 2006-03-28
* Fixed checkmodule to call link_modules prior to expand_module
to handle optionals.
1.30.2 2006-03-28
* Fixed require_class to avoid shadowing permissions already defined
in an inherited common definition.
1.30.1 2006-03-22
* Moved processing of role and user require statements to 2nd pass.
1.30 2006-03-14
* Updated version for release.
1.29.5 2006-03-09
* Fixed bug in role dominance (define_role_dom).
1.29.4 2006-02-14
* Added a check for failure to declare each sensitivity in
a level definition.
1.29.3 2006-02-13
* Changed to clone level data for aliased sensitivities to
avoid double free upon sens_destroy. Bug reported by Kevin
Carr of Tresys Technology.
1.29.2 2006-02-13
* Merged optionals in base patch from Joshua Brindle.
1.29.1 2006-02-01
* Merged sepol_av_to_string patch from Joshua Brindle.
1.28 2005-12-07
* Updated version for release.
1.27.20 2005-12-02
* Merged checkmodule man page from Dan Walsh, and edited it.
1.27.19 2005-12-01
* Added error checking of all ebitmap_set_bit calls for out of
memory conditions.
1.27.18 2005-12-01
* Merged removal of compatibility handling of netlink classes
(requirement that policies with newer versions include the
netlink class definitions, remapping of fine-grained netlink
classes in newer source policies to single netlink class when
generating older policies) from George Coker.
1.27.17 2005-10-25
* Merged dismod fix from Joshua Brindle.
1.27.16 2005-10-20
* Removed obsolete cond_check_type_rules() function and call and
cond_optimize_lists() call from checkpolicy.c; these are handled
during parsing and expansion now.
1.27.15 2005-10-19
* Updated calls to expand_module for interface change.
1.27.14 2005-10-19
* Changed checkmodule to verify that expand_module succeeds
when building base modules.
1.27.13 2005-10-19
* Merged module compiler fixes from Joshua Brindle.
1.27.12 2005-10-19
* Removed direct calls to hierarchy_check_constraints() and
check_assertions() from checkpolicy since they are now called
internally by expand_module().
1.27.11 2005-10-18
* Updated for changes to sepol policydb_index_others interface.
1.27.10 2005-10-17
* Updated for changes to sepol expand_module and link_modules interfaces.
1.27.9 2005-10-13
* Merged support for require blocks inside conditionals from
Joshua Brindle (Tresys).
1.27.8 2005-10-06
* Updated for changes to libsepol.
1.27.7 2005-10-05
* Merged several bug fixes from Joshua Brindle (Tresys).
1.27.6 2005-10-03
* Merged MLS in modules patch from Joshua Brindle (Tresys).
1.27.5 2005-09-28
* Merged error handling improvement in checkmodule from Karl MacMillan (Tresys).
1.27.4 2005-09-26
* Merged bugfix for dup role transition error messages from
Karl MacMillan (Tresys).
1.27.3 2005-09-23
* Merged policyver/modulever patches from Joshua Brindle (Tresys).
1.27.2 2005-09-20
* Fixed parse_categories handling of undefined category.
1.27.1 2005-09-16
* Merged bug fix for role dominance handling from Darrel Goeddel (TCS).
1.26 2005-09-06
* Updated version for release.
1.25.12 2005-08-22
* Fixed handling of validatetrans constraint expressions.
Bug reported by Dan Walsh for checkpolicy -M.
1.25.11 2005-08-18
* Merged use-after-free fix from Serge Hallyn (IBM).
Bug found by Coverity.
1.25.10 2005-08-15
* Fixed further memory leaks found by valgrind.
1.25.9 2005-08-15
* Changed checkpolicy to destroy the policydbs prior to exit
to allow leak detection.
* Fixed several memory leaks found by valgrind.
1.25.8 2005-08-11
* Updated checkpolicy and dispol for the new avtab format.
Converted users of ebitmaps to new inline operators.
Note: The binary policy format version has been incremented to
version 20 as a result of these changes. To build a policy
for a kernel that does not yet include these changes, use
the -c 19 option to checkpolicy.
1.25.7 2005-08-11
* Merged patch to prohibit use of "self" as a type name from Jason Tang (Tresys).
1.25.6 2005-08-10
* Merged patch to fix dismod compilation from Joshua Brindle (Tresys).
1.25.5 2005-08-09
* Fixed call to hierarchy checking code to pass the right policydb.
1.25.4 2005-08-02
* Merged patch to update dismod for the relocation of the
module read/write code from libsemanage to libsepol, and
to enable build of test subdirectory from Jason Tang (Tresys).
1.25.3 2005-07-18
* Merged hierarchy check fix from Joshua Brindle (Tresys).
1.25.2 2005-07-06
* Merged loadable module support from Tresys Technology.
1.25.1 2005-06-24
* Merged patch to prohibit the use of * and ~ in type sets
(other than in neverallow statements) and in role sets
from Joshua Brindle (Tresys).
1.24 2005-06-20
* Updated version for release.
1.23.4 2005-05-19
* Merged cleanup patch from Dan Walsh.
1.23.3 2005-05-13
* Added sepol_ prefix to Flask types to avoid namespace
collision with libselinux.
1.23.2 2005-04-29
* Merged identifier fix from Joshua Brindle (Tresys).
1.23.1 2005-04-13
* Merged hierarchical type/role patch from Tresys Technology.
* Merged MLS fixes from Darrel Goeddel of TCS.
1.22 2005-03-09
* Updated version for release.
1.21.4 2005-02-17
* Moved genpolusers utility to libsepol.
* Merged range_transition support from Darrel Goeddel (TCS).
1.21.3 2005-02-16
* Merged define_user() cleanup patch from Darrel Goeddel (TCS).
1.21.2 2005-02-09
* Changed relabel Makefile target to use restorecon.
1.21.1 2005-01-26
* Merged enhanced MLS support from Darrel Goeddel (TCS).
1.20 2005-01-04
* Merged typeattribute statement patch from Darrel Goeddel of TCS.
* Changed genpolusers to handle multiple user config files.
* Merged nodecon ordering patch from Chad Hanson of TCS.
1.18 2004-10-07
* MLS build fix.
* Fixed Makefile dependencies (Chris PeBenito).
* Merged fix for role dominance ordering issue from Chad Hanson of TCS.
* Preserve portcon ordering and apply more checking.
1.16 2004-08-13
* Allow empty conditional clauses.
* Moved genpolbools utility to libsepol.
* Updated for libsepol set functions.
* Changed to link with libsepol.a.
* Moved core functionality into libsepol.
* Merged bug fix for conditional self handling from Karl MacMillan, Dave Caplan, and Joshua Brindle of Tresys.
* Added genpolusers program.
* Fixed bug in checkpolicy conditional code.
1.14 2004-06-28
* Merged fix for MLS logic from Daniel Thayer of TCS.
* Require semicolon terminator for typealias statement.
1.12 2004-06-16
* Merged fine-grained netlink class support.
1.10 2004-04-07
* Merged ipv6 support from James Morris of RedHat.
* Fixed compute_av bug discovered by Chad Hanson of TCS.
1.8 2004-03-09
* Merged policydb MLS patch from Chad Hanson of TCS.
* Fixed mmap of policy file.
1.6 2004-02-18
* Merged conditional policy extensions from Tresys Technology.
* Added typealias declaration support per Russell Coker's request.
* Added support for excluding types from type sets based on
a patch by David Caplan, but reimplemented as a change to the
policy grammar.
* Merged patch from Colin Walters to report source file name and line
number for errors when available.
* Un-deprecated role transitions.
1.4 2003-12-01
* Regenerated headers.
* Merged patches from Bastian Blank and Joerg Hoh.
1.2 2003-09-30
* Merged MLS build patch from Karl MacMillan of Tresys.
* Merged checkpolicy man page from Magosanyi Arpad.
1.1 2003-08-13
* Fixed endian bug in policydb_write for behavior value.
* License -> GPL.
* Merged coding style cleanups from James Morris.
1.0 2003-07-11
* Initial public release.
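Review bot: the 1.30.12 and 1.30.11 entries break the file's conventions: 1.30.11 opens with lower-case `merged` where every other entry is capitalised, and both entries lack the terminating period used throughout. The 2.0.15 entry cites `bug 444451` without naming the tracker, so a reader cannot tell which bugzilla the number refers to.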

64
checkpolicy/Makefile Normal file

@ -0,0 +1,64 @@
#
# Makefile for building the checkpolicy program
#
PREFIX ?= $(DESTDIR)/usr
BINDIR ?= $(PREFIX)/bin
MANDIR ?= $(PREFIX)/share/man
LIBDIR ?= $(PREFIX)/lib
INCLUDEDIR ?= $(PREFIX)/include
TARGETS = checkpolicy checkmodule
YACC = bison -y
CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
override CFLAGS += -I. -I${INCLUDEDIR}
CHECKOBJS = y.tab.o lex.yy.o queue.o module_compiler.o parse_util.o \
policy_define.o
CHECKPOLOBJS = $(CHECKOBJS) checkpolicy.o
CHECKMODOBJS = $(CHECKOBJS) checkmodule.o
LDLIBS=$(LIBDIR)/libsepol.a -lfl
GENERATED=lex.yy.c y.tab.c y.tab.h
all: $(TARGETS)
$(MAKE) -C test
checkpolicy: $(CHECKPOLOBJS)
checkmodule: $(CHECKMODOBJS)
%.o: %.c
$(CC) $(CFLAGS) -o $@ -c $<
y.tab.o: y.tab.c
$(CC) $(filter-out -Werror, $(CFLAGS)) -o $@ -c $<
lex.yy.o: lex.yy.c
$(CC) $(filter-out -Werror, $(CFLAGS)) -o $@ -c $<
y.tab.c: policy_parse.y
$(YACC) -d policy_parse.y
lex.yy.c: policy_scan.l y.tab.c
$(LEX) policy_scan.l
install: all
-mkdir -p $(BINDIR)
-mkdir -p $(MANDIR)/man8
install -m 755 $(TARGETS) $(BINDIR)
install -m 644 checkpolicy.8 $(MANDIR)/man8
install -m 644 checkmodule.8 $(MANDIR)/man8
relabel: install
/sbin/restorecon $(BINDIR)/checkpolicy
/sbin/restorecon $(BINDIR)/checkmodule
clean:
-rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h lex.yy.c
$(MAKE) -C test clean
indent:
../scripts/Lindent $(filter-out $(GENERATED),$(wildcard *.[ch]))
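Review bot: `clean` spells out `y.tab.c y.tab.h lex.yy.c` although `GENERATED` already holds exactly that list and `indent` uses it; write `-rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) $(GENERATED)` so the two cannot drift apart. None of `all`, `install`, `relabel`, `clean` or `indent` is declared `.PHONY`, so a stray file with one of those names in the directory silently satisfies the target. `LDLIBS` links `$(LIBDIR)/libsepol.a` from the install prefix rather than the sibling `libsepol` tree, so checkpolicy builds only after libsepol has been installed; that ordering is carried solely by the `SUBDIRS` sequence in the top-level Makefile and deserves a comment here.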

1
checkpolicy/VERSION Normal file

@ -0,0 +1 @@
2.0.16

58
checkpolicy/checkmodule.8 Normal file

@ -0,0 +1,58 @@
.TH CHECKMODULE 8
.SH NAME
checkmodule \- SELinux policy module compiler
.SH SYNOPSIS
.B checkmodule
.I "[-b] [-m] [-M] [-V] [-o output_file] [input_file]"
.SH "DESCRIPTION"
This manual page describes the
.BR checkmodule
command.
.PP
.B checkmodule
is a program that checks and compiles a SELinux security policy module
into a binary representation. It can generate either a base policy
module (default) or a non-base policy module (-m option); typically,
you would build a non-base policy module to add to an existing module
store that already has a base module provided by the base policy. Use
semodule_package to combine this module with its optional file
contexts to create a policy package, and then use semodule to install
the module package into the module store and load the resulting policy.
.SH OPTIONS
.TP
.B \-b
Read an existing binary policy module file rather than a source policy
module file. This option is a development/debugging aid.
.TP
.B \-m
Generate a non-base policy module.
.TP
.B \-M
Enable the MLS/MCS support when checking and compiling the policy module.
.TP
.B \-V
Show policy versions created by this program
.TP
.B \-o filename
Write a binary policy module file to the specified filename.
Otherwise, checkmodule will only check the syntax of the module source file
and will not generate a binary module at all.
.SH EXAMPLE
.nf
# Build a MLS/MCS-enabled non-base policy module.
$ checkmodule -M -m httpd.te -o httpd.mod
.fi
.SH "SEE ALSO"
.B semodule(8), semodule_package(8)
SELinux documentation at http://www.nsa.gov/selinux,
especially "Configuring the SELinux Policy".
.SH AUTHOR
This manual page was copied from the checkpolicy man page
written by Arpad Magosanyi <mag@bunuel.tii.matav.hu>,
and edited by Dan Walsh <dwalsh@redhat.com>.
The program was written by Stephen Smalley <sds@epoch.ncsc.mil>.
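Review bot: the SYNOPSIS and OPTIONS sections omit the `-U handle_unknown` option (values deny, reject, allow) that checkmodule.c's usage() advertises next to `-V`, `-b`, `-m`, `-M` and `-o`; add a `.TP` / `.B \-U` entry describing the three values and stating that it is only accepted when building a base module (checkmodule.c rejects it otherwise), and extend the `.I` synopsis line to match.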

291
checkpolicy/checkmodule.c Normal file

@ -0,0 +1,291 @@
/*
* Authors: Joshua Brindle <jbrindle@tresys.com>
* Karl MacMillan <kmacmillan@tresys.com>
* Jason Tang <jtang@tresys.com>
*
*
* Copyright (C) 2004-5 Tresys Technology, LLC
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*/
#include <getopt.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <errno.h>
#include <sys/mman.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/services.h>
#include <sepol/policydb/conditional.h>
#include <sepol/policydb/flask.h>
#include <sepol/policydb/hierarchy.h>
#include <sepol/policydb/expand.h>
#include <sepol/policydb/link.h>
#include <sepol/policydb/sidtab.h>
#include "queue.h"
#include "checkpolicy.h"
#include "parse_util.h"
extern char *optarg;
extern int optind;
static sidtab_t sidtab;
extern int mlspol;
static int handle_unknown = SEPOL_DENY_UNKNOWN;
static char *txtfile = "policy.conf";
static char *binfile = "policy";
unsigned int policy_type = POLICY_BASE;
unsigned int policyvers = MOD_POLICYDB_VERSION_MAX;
static int read_binary_policy(policydb_t * p, char *file, char *progname)
{
int fd;
struct stat sb;
void *map;
struct policy_file f, *fp;
fd = open(file, O_RDONLY);
if (fd < 0) {
fprintf(stderr, "Can't open '%s': %s\n",
file, strerror(errno));
return -1;
}
if (fstat(fd, &sb) < 0) {
fprintf(stderr, "Can't stat '%s': %s\n",
file, strerror(errno));
return -1;
}
map =
mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
if (map == MAP_FAILED) {
fprintf(stderr, "Can't map '%s': %s\n", file, strerror(errno));
return -1;
}
policy_file_init(&f);
f.type = PF_USE_MEMORY;
f.data = map;
f.len = sb.st_size;
fp = &f;
if (policydb_init(p)) {
fprintf(stderr, "%s: policydb_init: Out of memory!\n",
progname);
return -1;
}
if (policydb_read(p, fp, 1)) {
fprintf(stderr,
"%s: error(s) encountered while parsing configuration\n",
progname);
return -1;
}
/* Check Policy Consistency */
if (p->mls) {
if (!mlspol) {
fprintf(stderr, "%s: MLS policy, but non-MLS"
" is specified\n", progname);
return -1;
}
} else {
if (mlspol) {
fprintf(stderr, "%s: non-MLS policy, but MLS"
" is specified\n", progname);
return -1;
}
}
return 0;
}
static int write_binary_policy(policydb_t * p, char *file, char *progname)
{
FILE *outfp = NULL;
struct policy_file pf;
int ret;
printf("%s: writing binary representation (version %d) to %s\n",
progname, policyvers, file);
outfp = fopen(file, "w");
if (!outfp) {
perror(file);
exit(1);
}
p->policy_type = policy_type;
p->policyvers = policyvers;
p->handle_unknown = handle_unknown;
policy_file_init(&pf);
pf.type = PF_USE_STDIO;
pf.fp = outfp;
ret = policydb_write(p, &pf);
if (ret) {
fprintf(stderr, "%s: error writing %s\n", progname, file);
return -1;
}
fclose(outfp);
return 0;
}
static void usage(char *progname)
{
printf("usage: %s [-V] [-b] [-U handle_unknown] [-m] [-M] [-o FILE] [INPUT]\n", progname);
printf("Build base and policy modules.\n");
printf("Options:\n");
printf(" INPUT build module from INPUT (else read from \"%s\")\n",
txtfile);
printf(" -V show policy versions created by this program\n");
printf(" -b treat input as a binary policy file\n");
printf(" -U OPTION How to handle unknown classes and permissions\n");
printf(" deny: Deny unknown kernel checks\n");
printf(" reject: Reject loading of policy with unknowns\n");
printf(" allow: Allow unknown kernel checks\n");
printf(" -m build a policy module instead of a base module\n");
printf(" -M enable MLS policy\n");
printf(" -o FILE write module to FILE (else just check syntax)\n");
exit(1);
}
int main(int argc, char **argv)
{
char *file = txtfile, *outfile = NULL;
unsigned int binary = 0;
int ch;
int show_version = 0;
policydb_t modpolicydb;
while ((ch = getopt(argc, argv, "ho:dbVU:mM")) != EOF) {
switch (ch) {
case 'h':
usage(argv[0]);
break;
case 'o':
outfile = optarg;
break;
case 'b':
binary = 1;
file = binfile;
break;
case 'V':
show_version = 1;
break;
case 'U':
if (!strcasecmp(optarg, "deny")) {
handle_unknown = DENY_UNKNOWN;
break;
}
if (!strcasecmp(optarg, "reject")) {
handle_unknown = REJECT_UNKNOWN;
break;
}
if (!strcasecmp(optarg, "allow")) {
handle_unknown = ALLOW_UNKNOWN;
break;
}
usage(argv[0]);
case 'm':
policy_type = POLICY_MOD;
policyvers = MOD_POLICYDB_VERSION_MAX;
break;
case 'M':
mlspol = 1;
break;
default:
usage(argv[0]);
}
}
if (show_version) {
printf("Module versions %d-%d\n",
MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX);
exit(0);
}
if (handle_unknown && (policy_type != POLICY_BASE)) {
printf("Handling of unknown classes and permissions is only ");
printf("valid in the base module\n");
exit(1);
}
if (optind != argc) {
file = argv[optind++];
if (optind != argc)
usage(argv[0]);
}
printf("%s: loading policy configuration from %s\n", argv[0], file);
/* Set policydb and sidtab used by libsepol service functions
to my structures, so that I can directly populate and
manipulate them. */
sepol_set_policydb(&modpolicydb);
sepol_set_sidtab(&sidtab);
if (binary) {
if (read_binary_policy(&modpolicydb, file, argv[0]) == -1) {
exit(1);
}
} else {
if (policydb_init(&modpolicydb)) {
fprintf(stderr, "%s: out of memory!\n", argv[0]);
return -1;
}
modpolicydb.policy_type = policy_type;
modpolicydb.mls = mlspol;
modpolicydb.handle_unknown = handle_unknown;
if (read_source_policy(&modpolicydb, file, argv[0]) == -1) {
exit(1);
}
if (hierarchy_check_constraints(NULL, &modpolicydb)) {
return -1;
}
}
if (modpolicydb.policy_type == POLICY_BASE) {
/* Verify that we can successfully expand the base module. */
policydb_t kernpolicydb;
if (policydb_init(&kernpolicydb)) {
fprintf(stderr, "%s: policydb_init failed\n", argv[0]);
exit(1);
}
if (link_modules(NULL, &modpolicydb, NULL, 0, 0)) {
fprintf(stderr, "%s: link modules failed\n", argv[0]);
exit(1);
}
if (expand_module(NULL, &modpolicydb, &kernpolicydb, 0, 1)) {
fprintf(stderr, "%s: expand module failed\n", argv[0]);
exit(1);
}
policydb_destroy(&kernpolicydb);
}
if (policydb_load_isids(&modpolicydb, &sidtab))
exit(1);
sepol_sidtab_destroy(&sidtab);
printf("%s: policy configuration loaded\n", argv[0]);
if (outfile &&
write_binary_policy(&modpolicydb, outfile, argv[0]) == -1) {
exit(1);
}
policydb_destroy(&modpolicydb);
return 0;
}
/* FLASK */
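Review bot: the file calls `strerror()` in read_binary_policy and `strcasecmp()` in the `-U` case of main but includes neither `<string.h>` nor `<strings.h>`, so both functions are implicitly declared; add the two includes. Three smaller points in the same hunk: the getopt string `"ho:dbVU:mM"` accepts `-d`, but there is no `case 'd'` and usage() does not list it, so either handle it or drop the letter; in write_binary_policy a policydb_write() failure returns -1 with `outfp` still open and a truncated output file left on disk (the `fopen(file, "w")` has already created it), so fclose() and unlink() it before returning, and use `return -1` rather than `exit(1)` on fopen failure for consistency with the other error paths; and read_binary_policy never close()s `fd`, neither on the fstat/mmap error paths nor after a successful mmap (the mapping stays valid once the descriptor is closed). main() also mixes `return -1` (policydb_init and hierarchy_check_constraints failures) with `exit(1)` elsewhere, which yields exit status 255 versus 1 for what are the same class of error.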

44
checkpolicy/checkpolicy.8 Normal file

@ -0,0 +1,44 @@
.TH CHECKPOLICY 8
.SH NAME
checkpolicy \- SELinux policy compiler
.SH SYNOPSIS
.B checkpolicy
.I "[-b] [-d] [-M] [-c policyvers] [-o output_file] [input_file]"
.br
.SH "DESCRIPTION"
This manual page describes the
.BR checkpolicy
command.
.PP
.B checkpolicy
is a program that checks and compiles a SELinux security policy configuration
into a binary representation that can be loaded into the kernel. If no
input file name is specified, checkpolicy will attempt to read from
policy.conf or policy, depending on whether the -b flag is specified.
.SH OPTIONS
.TP
.B \-b
Read an existing binary policy file rather than a source policy.conf file.
.TP
.B \-d
Enter debug mode after loading the policy.
.TP
.B \-M
Enable the MLS policy when checking and compiling the policy.
.TP
.B \-o filename
Write a binary policy file to the specified filename.
.TP
.B \-c policyvers
Specify the policy version, defaults to the latest.
.SH "SEE ALSO"
SELinux documentation at http://www.nsa.gov/selinux,
especially "Configuring the SELinux Policy".
.SH AUTHOR
This manual page was written by Arpad Magosanyi <mag@bunuel.tii.matav.hu>,
and edited by Stephen Smalley <sds@epoch.ncsc.mil>.
The program was written by Stephen Smalley <sds@epoch.ncsc.mil>.

1051
checkpolicy/checkpolicy.c Normal file

File diff suppressed because it is too large

20
checkpolicy/checkpolicy.h Normal file

@ -0,0 +1,20 @@
#ifndef _CHECKPOLICY_H_
#define _CHECKPOLICY_H_
#include <sepol/policydb/ebitmap.h>
typedef struct te_assert {
ebitmap_t stypes;
ebitmap_t ttypes;
ebitmap_t tclasses;
int self;
sepol_access_vector_t *avp;
unsigned long line;
struct te_assert *next;
} te_assert_t;
te_assert_t *te_assertions;
extern unsigned int policyvers;
#endif
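Review bot: `te_assert_t *te_assertions;` near the end of the header is a definition, not a declaration, so every translation unit that includes checkpolicy.h (checkmodule.c and policy_parse.y both do) emits its own copy of the symbol; this links only through common-symbol merging and breaks under `-fno-common`. Make it `extern te_assert_t *te_assertions;` here and define it once in a .c file, as is already done for `policyvers` on the following line.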

File diff suppressed because it is too large


@ -0,0 +1,105 @@
/* Author : Joshua Brindle <jbrindle@tresys.com>
* Karl MacMillan <kmacmillan@tresys.com>
* Jason Tang <jtang@tresys.com>
* Added support for binary policy modules
*
* Copyright (C) 2004 - 2005 Tresys Technology, LLC
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*/
#ifndef MODULE_COMPILER_H
#define MODULE_COMPILER_H
#include <sepol/policydb/hashtab.h>
/* Called when checkpolicy begins to parse a policy -- either at the
* very beginning for a kernel/base policy, or after the module header
* for policy modules. Initialize the memory structures within.
* Return 0 on success, -1 on error. */
int define_policy(int pass, int module_header_given);
/* Declare a symbol declaration to the current avrule_decl. Check
* that insertion is allowed here and that the symbol does not already
* exist. Returns 0 on success, 1 if symbol was already there (caller
* needs to free() the datum), -1 if declarations not allowed, -2 for
* duplicate declarations, -3 for all else.
*/
int declare_symbol(uint32_t symbol_type,
hashtab_key_t key, hashtab_datum_t datum,
uint32_t * dest_value, uint32_t * datum_value);
role_datum_t *declare_role(void);
type_datum_t *declare_type(unsigned char primary, unsigned char isattr);
user_datum_t *declare_user(void);
type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr);
/* Add a symbol to the current avrule_block's require section. Note
* that a module may not both declare and require the same symbol.
* Returns 0 on success, -1 on error. */
int require_symbol(uint32_t symbol_type,
hashtab_key_t key, hashtab_datum_t datum,
uint32_t * dest_value, uint32_t * datum_value);
/* Enable a permission for a class within the current avrule_decl.
* Return 0 on success, -1 if out of memory. */
int add_perm_to_class(uint32_t perm_value, uint32_t class_value);
/* Functions called from REQUIRE blocks. Add the first symbol on the
* id_queue to this avrule_decl's scope if not already there.
* c.f. require_symbol(). */
int require_class(int pass);
int require_role(int pass);
int require_type(int pass);
int require_attribute(int pass);
int require_user(int pass);
int require_bool(int pass);
int require_sens(int pass);
int require_cat(int pass);
/* Check if an identifier is within the scope of the current
* declaration or any of its parents. Return 1 if it is, 0 if not.
* If the identifier is not known at all then return 1 (truth). */
int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id);
/* Check if a particular permission is within the scope of the current
* declaration or any of its parents. Return 1 if it is, 0 if not.
* If the identifier is not known at all then return 1 (truth). */
int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id);
/* Search the current avrules block for a conditional with the same
* expression as 'cond'. If the conditional does not exist then
* create one. Either way, return the conditional. */
cond_list_t *get_current_cond_list(cond_list_t * cond);
/* Append rule to the current avrule_block. */
void append_cond_list(cond_list_t * cond);
void append_avrule(avrule_t * avrule);
void append_role_trans(role_trans_rule_t * role_tr_rules);
void append_role_allow(role_allow_rule_t * role_allow_rules);
void append_range_trans(range_trans_rule_t * range_tr_rules);
/* Create a new optional block and add it to the global policy.
* During the second pass resolve the block's requirements. Return 0
* on success, -1 on error.
*/
int begin_optional(int pass);
int end_optional(int pass);
/* ELSE blocks are similar to normal blocks with the following two
* limitations:
* - no declarations are allowed within else branches
* - no REQUIRES are allowed; the else branch inherits the parent's
* requirements
*/
int begin_optional_else(int pass);
/* Called whenever existing an avrule block. Check that the block had
* a non-empty REQUIRE section. If so pop the block off of the scop
* stack and return 0. If not then send an error to yyerror and
* return -1. */
int end_avrule_block(int pass);
#endif
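Review bot: the header is not self-contained: it includes only `<sepol/policydb/hashtab.h>` but its prototypes use `role_datum_t`, `type_datum_t`, `user_datum_t`, `avrule_t`, `cond_list_t`, `role_trans_rule_t`, `role_allow_rule_t` and `range_trans_rule_t`, so it compiles only when the includer has already pulled in `<sepol/policydb/policydb.h>` and `<sepol/policydb/conditional.h>`; add those includes. Two comment fixes as well: on end_avrule_block, "whenever existing an avrule block" should read "exiting", and "scop stack" should read "scope stack"; and the declare_symbol comment lists both "1 if symbol was already there" and "-2 for duplicate declarations", so it should say how the two cases differ.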

78
checkpolicy/parse_util.c Normal file

@ -0,0 +1,78 @@
/*
* Author: Karl MacMillan <kmacmillan@tresys.com>
*
* Copyright (C) 2006 Tresys Technology, LLC
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include "parse_util.h"
#include "queue.h"
/* these are defined in policy_parse.y and are needed for read_source_policy */
extern FILE *yyin;
extern void init_parser(int);
extern int yyparse(void);
extern void yyrestart(FILE *);
extern queue_t id_queue;
extern unsigned int policydb_errors;
extern unsigned long policydb_lineno;
extern policydb_t *policydbp;
extern int mlspol;
extern void set_source_file(const char *name);
int read_source_policy(policydb_t * p, const char *file, const char *progname)
{
yyin = fopen(file, "r");
if (!yyin) {
fprintf(stderr, "%s: unable to open %s\n", progname, file);
return -1;
}
set_source_file(file);
if ((id_queue = queue_create()) == NULL) {
fprintf(stderr, "%s: out of memory!\n", progname);
return -1;
}
policydbp = p;
mlspol = p->mls;
init_parser(1);
if (yyparse() || policydb_errors) {
fprintf(stderr,
"%s: error(s) encountered while parsing configuration\n",
progname);
return -1;
}
rewind(yyin);
init_parser(2);
set_source_file(file);
yyrestart(yyin);
if (yyparse() || policydb_errors) {
fprintf(stderr,
"%s: error(s) encountered while parsing configuration\n",
progname);
return -1;
}
queue_destroy(id_queue);
if (policydb_errors)
return -1;
fclose(yyin);
return 0;
}
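Review bot: the error paths in read_source_policy leak resources: once `yyin = fopen(...)` has succeeded, the out-of-memory return and both "error(s) encountered while parsing configuration" returns leave `yyin` open, and the second-pass failure also leaves `id_queue` allocated; route them through a common cleanup that calls queue_destroy() and fclose(yyin). The `if (policydb_errors) return -1;` after queue_destroy() is redundant, since the check just above it already returned on the same condition. The fopen failure message would also be more useful with `strerror(errno)` appended, as read_binary_policy in checkmodule.c does.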

35
checkpolicy/parse_util.h Normal file

@ -0,0 +1,35 @@
/*
* Author: Karl MacMillan <kmacmillan@tresys.com>
*
* Copyright (C) 2006 Tresys Technology, LLC
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
/* Utility functions shared by checkpolicy and checkmodule */
#ifndef __PARSE_UTIL_H__
#define __PARSE_UTIL_H__
#include <sepol/policydb/policydb.h>
/* Read a source policy and populate the policydb passed in. The
* policydb must already have been created and configured (e.g.,
* expected policy type set. The string progname is used for
* error messages. No checking of assertions, hierarchy, etc.
* is done. */
int read_source_policy(policydb_t * p, const char *file, const char *progname);
#endif
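Review bot: the comment on read_source_policy has an unbalanced parenthesis: "(e.g., expected policy type set." needs a closing ")" after "set". It would also help callers to state here that the function sets the parser globals `policydbp` and `mlspol` from the passed-in policydb, since that is a visible side effect of the .c implementation.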

3874
checkpolicy/policy_define.c Normal file

File diff suppressed because it is too large


@ -0,0 +1,59 @@
/* Functions used to define policy grammar components. */
#ifndef _POLICY_DEFINE_H_
#define _POLICY_DEFINE_H_
/*
* We need the following so we have a valid error return code in yacc
* when we have a parse error for a conditional rule. We can't check
* for NULL (ie 0) because that is a potentially valid return.
*/
#define COND_ERR ((avrule_t *)-1)
#define TRUE 1
#define FALSE 0
avrule_t *define_cond_compute_type(int which);
avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt);
avrule_t *define_cond_te_avtab(int which);
cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2);
int define_attrib(void);
int define_av_perms(int inherits);
int define_bool(void);
int define_category(void);
int define_class(void);
int define_common_perms(void);
int define_compute_type(int which);
int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list );
int define_constraint(constraint_expr_t *expr);
int define_dominance(void);
int define_fs_context(unsigned int major, unsigned int minor);
int define_fs_use(int behavior);
int define_genfs_context(int has_type);
int define_initial_sid_context(void);
int define_initial_sid(void);
int define_ipv4_node_context(void);
int define_ipv6_node_context(void);
int define_level(void);
int define_netif_context(void);
int define_permissive(void);
int define_polcap(void);
int define_port_context(unsigned int low, unsigned int high);
int define_range_trans(int class_specified);
int define_role_allow(void);
int define_role_trans(void);
int define_role_types(void);
int define_sens(void);
int define_te_avtab(int which);
int define_typealias(void);
int define_typeattribute(void);
int define_type(int alias);
int define_user(void);
int define_validatetrans(constraint_expr_t *expr);
int insert_id(char *id,int push);
int insert_separator(int push);
role_datum_t *define_role_dom(role_datum_t *r);
role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2);
uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2);
#endif /* _POLICY_DEFINE_H_ */
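Review bot: the header has no `#include` at all, yet its prototypes use `avrule_t`, `cond_expr_t`, `constraint_expr_t`, `role_datum_t`, `uint32_t` and `uintptr_t`, so it depends on include order in every file that uses it; add `<stdint.h>`, `<sepol/policydb/policydb.h>` and `<sepol/policydb/conditional.h>`. The unconditional `#define TRUE 1` / `#define FALSE 0` can also collide with other headers that define the same names; wrap them in `#ifndef TRUE` / `#ifndef FALSE` guards.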

781
checkpolicy/policy_parse.y Normal file

@ -0,0 +1,781 @@
/*
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
*/
/*
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
*
* Support for enhanced MLS infrastructure.
*
* Updated: David Caplan, <dac@tresys.com>
*
* Added conditional policy language extensions
*
* Updated: Joshua Brindle <jbrindle@tresys.com>
* Karl MacMillan <kmacmillan@mentalrootkit.com>
* Jason Tang <jtang@tresys.com>
*
* Added support for binary policy modules
*
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
* Copyright (C) 2003 - 2008 Tresys Technology, LLC
* Copyright (C) 2007 Red Hat Inc.
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*/
/* FLASK */
%{
#include <sys/types.h>
#include <assert.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <sepol/policydb/expand.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/services.h>
#include <sepol/policydb/conditional.h>
#include <sepol/policydb/flask.h>
#include <sepol/policydb/hierarchy.h>
#include <sepol/policydb/polcaps.h>
#include "queue.h"
#include "checkpolicy.h"
#include "module_compiler.h"
#include "policy_define.h"
extern policydb_t *policydbp;
extern unsigned int pass;
extern char yytext[];
extern int yylex(void);
extern int yywarn(char *msg);
extern int yyerror(char *msg);
typedef int (* require_func_t)();
%}
%union {
unsigned int val;
uintptr_t valptr;
void *ptr;
require_func_t require_func;
}
%type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else
%type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def
%type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def
%type <ptr> role_def roles
%type <valptr> cexpr cexpr_prim op role_mls_op
%type <val> ipv4_addr_def number
%type <require_func> require_decl_def
%token PATH
%token CLONE
%token COMMON
%token CLASS
%token CONSTRAIN
%token VALIDATETRANS
%token INHERITS
%token SID
%token ROLE
%token ROLES
%token TYPEALIAS
%token TYPEATTRIBUTE
%token TYPE
%token TYPES
%token ALIAS
%token ATTRIBUTE
%token BOOL
%token IF
%token ELSE
%token TYPE_TRANSITION
%token TYPE_MEMBER
%token TYPE_CHANGE
%token ROLE_TRANSITION
%token RANGE_TRANSITION
%token SENSITIVITY
%token DOMINANCE
%token DOM DOMBY INCOMP
%token CATEGORY
%token LEVEL
%token RANGE
%token MLSCONSTRAIN
%token MLSVALIDATETRANS
%token USER
%token NEVERALLOW
%token ALLOW
%token AUDITALLOW
%token AUDITDENY
%token DONTAUDIT
%token SOURCE
%token TARGET
%token SAMEUSER
%token FSCON PORTCON NETIFCON NODECON
%token FSUSEXATTR FSUSETASK FSUSETRANS
%token GENFSCON
%token U1 U2 U3 R1 R2 R3 T1 T2 T3 L1 L2 H1 H2
%token NOT AND OR XOR
%token CTRUE CFALSE
%token IDENTIFIER
%token NUMBER
%token EQUALS
%token NOTEQUAL
%token IPV4_ADDR
%token IPV6_ADDR
%token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
%token POLICYCAP
%token PERMISSIVE
%left OR
%left XOR
%left AND
%right NOT
%left EQUALS NOTEQUAL
%%
policy : base_policy
| module_policy
;
base_policy : { if (define_policy(pass, 0) == -1) return -1; }
classes initial_sids access_vectors
{ if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; }
else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }}
opt_mls te_rbac users opt_constraints
{ if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts
;
classes : class_def
| classes class_def
;
class_def : CLASS identifier
{if (define_class()) return -1;}
;
initial_sids : initial_sid_def
| initial_sids initial_sid_def
;
initial_sid_def : SID identifier
{if (define_initial_sid()) return -1;}
;
access_vectors : opt_common_perms av_perms
;
opt_common_perms : common_perms
|
;
common_perms : common_perms_def
| common_perms common_perms_def
;
common_perms_def : COMMON identifier '{' identifier_list '}'
{if (define_common_perms()) return -1;}
;
av_perms : av_perms_def
| av_perms av_perms_def
;
av_perms_def : CLASS identifier '{' identifier_list '}'
{if (define_av_perms(FALSE)) return -1;}
| CLASS identifier INHERITS identifier
{if (define_av_perms(TRUE)) return -1;}
| CLASS identifier INHERITS identifier '{' identifier_list '}'
{if (define_av_perms(TRUE)) return -1;}
;
opt_mls : mls
|
;
mls : sensitivities dominance opt_categories levels mlspolicy
;
sensitivities : sensitivity_def
| sensitivities sensitivity_def
;
sensitivity_def : SENSITIVITY identifier alias_def ';'
{if (define_sens()) return -1;}
| SENSITIVITY identifier ';'
{if (define_sens()) return -1;}
;
alias_def : ALIAS names
;
dominance : DOMINANCE identifier
{if (define_dominance()) return -1;}
| DOMINANCE '{' identifier_list '}'
{if (define_dominance()) return -1;}
;
opt_categories : categories
|
;
categories : category_def
| categories category_def
;
category_def : CATEGORY identifier alias_def ';'
{if (define_category()) return -1;}
| CATEGORY identifier ';'
{if (define_category()) return -1;}
;
levels : level_def
| levels level_def
;
level_def : LEVEL identifier ':' id_comma_list ';'
{if (define_level()) return -1;}
| LEVEL identifier ';'
{if (define_level()) return -1;}
;
mlspolicy : mlspolicy_decl
| mlspolicy mlspolicy_decl
;
mlspolicy_decl : mlsconstraint_def
| mlsvalidatetrans_def
;
mlsconstraint_def : MLSCONSTRAIN names names cexpr ';'
{ if (define_constraint((constraint_expr_t*)$4)) return -1; }
;
mlsvalidatetrans_def : MLSVALIDATETRANS names cexpr ';'
{ if (define_validatetrans((constraint_expr_t*)$3)) return -1; }
;
te_rbac : te_rbac_decl
| te_rbac te_rbac_decl
;
te_rbac_decl : te_decl
| rbac_decl
| cond_stmt_def
| optional_block
| policycap_def
| ';'
;
rbac_decl : role_type_def
| role_dominance
| role_trans_def
| role_allow_def
;
te_decl : attribute_def
| type_def
| typealias_def
| typeattribute_def
| bool_def
| transition_def
| range_trans_def
| te_avtab_def
| permissive_def
;
attribute_def : ATTRIBUTE identifier ';'
{ if (define_attrib()) return -1;}
;
type_def : TYPE identifier alias_def opt_attr_list ';'
{if (define_type(1)) return -1;}
| TYPE identifier opt_attr_list ';'
{if (define_type(0)) return -1;}
;
typealias_def : TYPEALIAS identifier alias_def ';'
{if (define_typealias()) return -1;}
;
typeattribute_def : TYPEATTRIBUTE identifier id_comma_list ';'
{if (define_typeattribute()) return -1;}
;
opt_attr_list : ',' id_comma_list
|
;
bool_def : BOOL identifier bool_val ';'
{if (define_bool()) return -1;}
;
bool_val : CTRUE
{ if (insert_id("T",0)) return -1; }
| CFALSE
{ if (insert_id("F",0)) return -1; }
;
cond_stmt_def : IF cond_expr '{' cond_pol_list '}' cond_else
{ if (pass == 2) { if (define_conditional((cond_expr_t*)$2, (avrule_t*)$4, (avrule_t*)$6) < 0) return -1; }}
;
cond_else : ELSE '{' cond_pol_list '}'
{ $$ = $3; }
| /* empty */
{ $$ = NULL; }
cond_expr : '(' cond_expr ')'
{ $$ = $2;}
| NOT cond_expr
{ $$ = define_cond_expr(COND_NOT, $2, 0);
if ($$ == 0) return -1; }
| cond_expr AND cond_expr
{ $$ = define_cond_expr(COND_AND, $1, $3);
if ($$ == 0) return -1; }
| cond_expr OR cond_expr
{ $$ = define_cond_expr(COND_OR, $1, $3);
if ($$ == 0) return -1; }
| cond_expr XOR cond_expr
{ $$ = define_cond_expr(COND_XOR, $1, $3);
if ($$ == 0) return -1; }
| cond_expr EQUALS cond_expr
{ $$ = define_cond_expr(COND_EQ, $1, $3);
if ($$ == 0) return -1; }
| cond_expr NOTEQUAL cond_expr
{ $$ = define_cond_expr(COND_NEQ, $1, $3);
if ($$ == 0) return -1; }
| cond_expr_prim
{ $$ = $1; }
;
cond_expr_prim : identifier
{ $$ = define_cond_expr(COND_BOOL,0, 0);
if ($$ == COND_ERR) return -1; }
;
cond_pol_list : cond_pol_list cond_rule_def
{ $$ = define_cond_pol_list((avrule_t *)$1, (avrule_t *)$2); }
| /* empty */
{ $$ = NULL; }
;
cond_rule_def : cond_transition_def
{ $$ = $1; }
| cond_te_avtab_def
{ $$ = $1; }
| require_block
{ $$ = NULL; }
;
cond_transition_def : TYPE_TRANSITION names names ':' names identifier ';'
{ $$ = define_cond_compute_type(AVRULE_TRANSITION) ;
if ($$ == COND_ERR) return -1;}
| TYPE_MEMBER names names ':' names identifier ';'
{ $$ = define_cond_compute_type(AVRULE_MEMBER) ;
if ($$ == COND_ERR) return -1;}
| TYPE_CHANGE names names ':' names identifier ';'
{ $$ = define_cond_compute_type(AVRULE_CHANGE) ;
if ($$ == COND_ERR) return -1;}
;
cond_te_avtab_def : cond_allow_def
{ $$ = $1; }
| cond_auditallow_def
{ $$ = $1; }
| cond_auditdeny_def
{ $$ = $1; }
| cond_dontaudit_def
{ $$ = $1; }
;
cond_allow_def : ALLOW names names ':' names names ';'
{ $$ = define_cond_te_avtab(AVRULE_ALLOWED) ;
if ($$ == COND_ERR) return -1; }
;
cond_auditallow_def : AUDITALLOW names names ':' names names ';'
{ $$ = define_cond_te_avtab(AVRULE_AUDITALLOW) ;
if ($$ == COND_ERR) return -1; }
;
cond_auditdeny_def : AUDITDENY names names ':' names names ';'
{ $$ = define_cond_te_avtab(AVRULE_AUDITDENY) ;
if ($$ == COND_ERR) return -1; }
;
cond_dontaudit_def : DONTAUDIT names names ':' names names ';'
{ $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
if ($$ == COND_ERR) return -1; }
;
transition_def : TYPE_TRANSITION names names ':' names identifier ';'
{if (define_compute_type(AVRULE_TRANSITION)) return -1;}
| TYPE_MEMBER names names ':' names identifier ';'
{if (define_compute_type(AVRULE_MEMBER)) return -1;}
| TYPE_CHANGE names names ':' names identifier ';'
{if (define_compute_type(AVRULE_CHANGE)) return -1;}
;
range_trans_def : RANGE_TRANSITION names names mls_range_def ';'
{ if (define_range_trans(0)) return -1; }
| RANGE_TRANSITION names names ':' names mls_range_def ';'
{ if (define_range_trans(1)) return -1; }
;
te_avtab_def : allow_def
| auditallow_def
| auditdeny_def
| dontaudit_def
| neverallow_def
;
allow_def : ALLOW names names ':' names names ';'
{if (define_te_avtab(AVRULE_ALLOWED)) return -1; }
;
auditallow_def : AUDITALLOW names names ':' names names ';'
{if (define_te_avtab(AVRULE_AUDITALLOW)) return -1; }
;
auditdeny_def : AUDITDENY names names ':' names names ';'
{if (define_te_avtab(AVRULE_AUDITDENY)) return -1; }
;
dontaudit_def : DONTAUDIT names names ':' names names ';'
{if (define_te_avtab(AVRULE_DONTAUDIT)) return -1; }
;
neverallow_def : NEVERALLOW names names ':' names names ';'
{if (define_te_avtab(AVRULE_NEVERALLOW)) return -1; }
;
role_type_def : ROLE identifier TYPES names ';'
{if (define_role_types()) return -1;}
| ROLE identifier';'
{if (define_role_types()) return -1;}
;
role_dominance : DOMINANCE '{' roles '}'
;
role_trans_def : ROLE_TRANSITION names names identifier ';'
{if (define_role_trans()) return -1; }
;
role_allow_def : ALLOW names names ';'
{if (define_role_allow()) return -1; }
;
roles : role_def
{ $$ = $1; }
| roles role_def
{ $$ = merge_roles_dom((role_datum_t*)$1, (role_datum_t*)$2); if ($$ == 0) return -1;}
;
role_def : ROLE identifier_push ';'
{$$ = define_role_dom(NULL); if ($$ == 0) return -1;}
| ROLE identifier_push '{' roles '}'
{$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;}
;
opt_constraints : constraints
|
;
constraints : constraint_decl
| constraints constraint_decl
;
constraint_decl : constraint_def
| validatetrans_def
;
constraint_def : CONSTRAIN names names cexpr ';'
{ if (define_constraint((constraint_expr_t*)$4)) return -1; }
;
validatetrans_def : VALIDATETRANS names cexpr ';'
{ if (define_validatetrans((constraint_expr_t*)$3)) return -1; }
;
cexpr : '(' cexpr ')'
{ $$ = $2; }
| NOT cexpr
{ $$ = define_cexpr(CEXPR_NOT, $2, 0);
if ($$ == 0) return -1; }
| cexpr AND cexpr
{ $$ = define_cexpr(CEXPR_AND, $1, $3);
if ($$ == 0) return -1; }
| cexpr OR cexpr
{ $$ = define_cexpr(CEXPR_OR, $1, $3);
if ($$ == 0) return -1; }
| cexpr_prim
{ $$ = $1; }
;
cexpr_prim : U1 op U2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, $2);
if ($$ == 0) return -1; }
| R1 role_mls_op R2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
if ($$ == 0) return -1; }
| T1 op T2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2);
if ($$ == 0) return -1; }
| U1 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2);
if ($$ == 0) return -1; }
| U2 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2);
if ($$ == 0) return -1; }
| U3 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2);
if ($$ == 0) return -1; }
| R1 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, $2);
if ($$ == 0) return -1; }
| R2 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), $2);
if ($$ == 0) return -1; }
| R3 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_XTARGET), $2);
if ($$ == 0) return -1; }
| T1 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, $2);
if ($$ == 0) return -1; }
| T2 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), $2);
if ($$ == 0) return -1; }
| T3 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_XTARGET), $2);
if ($$ == 0) return -1; }
| SAMEUSER
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, CEXPR_EQ);
if ($$ == 0) return -1; }
| SOURCE ROLE { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, CEXPR_EQ);
if ($$ == 0) return -1; }
| TARGET ROLE { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), CEXPR_EQ);
if ($$ == 0) return -1; }
| ROLE role_mls_op
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
if ($$ == 0) return -1; }
| SOURCE TYPE { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, CEXPR_EQ);
if ($$ == 0) return -1; }
| TARGET TYPE { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), CEXPR_EQ);
if ($$ == 0) return -1; }
| L1 role_mls_op L2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1L2, $2);
if ($$ == 0) return -1; }
| L1 role_mls_op H2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H2, $2);
if ($$ == 0) return -1; }
| H1 role_mls_op L2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1L2, $2);
if ($$ == 0) return -1; }
| H1 role_mls_op H2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1H2, $2);
if ($$ == 0) return -1; }
| L1 role_mls_op H1
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H1, $2);
if ($$ == 0) return -1; }
| L2 role_mls_op H2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_L2H2, $2);
if ($$ == 0) return -1; }
;
op : EQUALS
{ $$ = CEXPR_EQ; }
| NOTEQUAL
{ $$ = CEXPR_NEQ; }
;
role_mls_op : op
{ $$ = $1; }
| DOM
{ $$ = CEXPR_DOM; }
| DOMBY
{ $$ = CEXPR_DOMBY; }
| INCOMP
{ $$ = CEXPR_INCOMP; }
;
users : user_def
| users user_def
;
user_def : USER identifier ROLES names opt_mls_user ';'
{if (define_user()) return -1;}
;
opt_mls_user : LEVEL mls_level_def RANGE mls_range_def
|
;
initial_sid_contexts : initial_sid_context_def
| initial_sid_contexts initial_sid_context_def
;
initial_sid_context_def : SID identifier security_context_def
{if (define_initial_sid_context()) return -1;}
;
opt_fs_contexts : fs_contexts
|
;
fs_contexts : fs_context_def
| fs_contexts fs_context_def
;
fs_context_def : FSCON number number security_context_def security_context_def
{if (define_fs_context($2,$3)) return -1;}
;
net_contexts : opt_port_contexts opt_netif_contexts opt_node_contexts
;
opt_port_contexts : port_contexts
|
;
port_contexts : port_context_def
| port_contexts port_context_def
;
port_context_def : PORTCON identifier number security_context_def
{if (define_port_context($3,$3)) return -1;}
| PORTCON identifier number '-' number security_context_def
{if (define_port_context($3,$5)) return -1;}
;
opt_netif_contexts : netif_contexts
|
;
netif_contexts : netif_context_def
| netif_contexts netif_context_def
;
netif_context_def : NETIFCON identifier security_context_def security_context_def
{if (define_netif_context()) return -1;}
;
opt_node_contexts : node_contexts
|
;
node_contexts : node_context_def
| node_contexts node_context_def
;
node_context_def : NODECON ipv4_addr_def ipv4_addr_def security_context_def
{if (define_ipv4_node_context()) return -1;}
| NODECON ipv6_addr ipv6_addr security_context_def
{if (define_ipv6_node_context()) return -1;}
;
opt_fs_uses : fs_uses
|
;
fs_uses : fs_use_def
| fs_uses fs_use_def
;
fs_use_def : FSUSEXATTR identifier security_context_def ';'
{if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;}
| FSUSETASK identifier security_context_def ';'
{if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;}
| FSUSETRANS identifier security_context_def ';'
{if (define_fs_use(SECURITY_FS_USE_TRANS)) return -1;}
;
opt_genfs_contexts : genfs_contexts
|
;
genfs_contexts : genfs_context_def
| genfs_contexts genfs_context_def
;
genfs_context_def : GENFSCON identifier path '-' identifier security_context_def
{if (define_genfs_context(1)) return -1;}
| GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
{if (define_genfs_context(1)) return -1;}
| GENFSCON identifier path security_context_def
{if (define_genfs_context(0)) return -1;}
;
ipv4_addr_def : IPV4_ADDR
{ if (insert_id(yytext,0)) return -1; }
;
security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def
;
opt_mls_range_def : ':' mls_range_def
|
;
mls_range_def : mls_level_def '-' mls_level_def
{if (insert_separator(0)) return -1;}
| mls_level_def
{if (insert_separator(0)) return -1;}
;
mls_level_def : identifier ':' id_comma_list
{if (insert_separator(0)) return -1;}
| identifier
{if (insert_separator(0)) return -1;}
;
id_comma_list : identifier
| id_comma_list ',' identifier
;
tilde : '~'
;
asterisk : '*'
;
names : identifier
{ if (insert_separator(0)) return -1; }
| nested_id_set
{ if (insert_separator(0)) return -1; }
| asterisk
{ if (insert_id("*", 0)) return -1;
if (insert_separator(0)) return -1; }
| tilde identifier
{ if (insert_id("~", 0)) return -1;
if (insert_separator(0)) return -1; }
| tilde nested_id_set
{ if (insert_id("~", 0)) return -1;
if (insert_separator(0)) return -1; }
| identifier '-' { if (insert_id("-", 0)) return -1; } identifier
{ if (insert_separator(0)) return -1; }
;
tilde_push : tilde
{ if (insert_id("~", 1)) return -1; }
;
asterisk_push : asterisk
{ if (insert_id("*", 1)) return -1; }
;
names_push : identifier_push
| '{' identifier_list_push '}'
| asterisk_push
| tilde_push identifier_push
| tilde_push '{' identifier_list_push '}'
;
identifier_list_push : identifier_push
| identifier_list_push identifier_push
;
identifier_push : IDENTIFIER
{ if (insert_id(yytext, 1)) return -1; }
;
identifier_list : identifier
| identifier_list identifier
;
nested_id_set : '{' nested_id_list '}'
;
nested_id_list : nested_id_element | nested_id_list nested_id_element
;
nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; } identifier | nested_id_set
;
identifier : IDENTIFIER
{ if (insert_id(yytext,0)) return -1; }
;
path : PATH
{ if (insert_id(yytext,0)) return -1; }
;
number : NUMBER
{ $$ = strtoul(yytext,NULL,0); }
;
ipv6_addr : IPV6_ADDR
{ if (insert_id(yytext,0)) return -1; }
;
policycap_def : POLICYCAP identifier ';'
{if (define_polcap()) return -1;}
;
permissive_def : PERMISSIVE identifier ';'
{if (define_permissive()) return -1;}
/*********** module grammar below ***********/
module_policy : module_def avrules_block
{ if (end_avrule_block(pass) == -1) return -1;
if (policydb_index_others(NULL, policydbp, 0)) return -1;
}
;
module_def : MODULE identifier version_identifier ';'
{ if (define_policy(pass, 1) == -1) return -1; }
;
version_identifier : VERSION_IDENTIFIER
{ if (insert_id(yytext,0)) return -1; }
| ipv4_addr_def /* version can look like ipv4 address */
;
avrules_block : avrule_decls avrule_user_defs
;
avrule_decls : avrule_decls avrule_decl
| avrule_decl
;
avrule_decl : rbac_decl
| te_decl
| cond_stmt_def
| require_block
| optional_block
| ';'
;
require_block : REQUIRE '{' require_list '}'
;
require_list : require_list require_decl
| require_decl
;
require_decl : require_class ';'
| require_decl_def require_id_list ';'
;
require_class : CLASS identifier names
{ if (require_class(pass)) return -1; }
;
require_decl_def : ROLE { $$ = require_role; }
| TYPE { $$ = require_type; }
| ATTRIBUTE { $$ = require_attribute; }
| USER { $$ = require_user; }
| BOOL { $$ = require_bool; }
| SENSITIVITY { $$ = require_sens; }
| CATEGORY { $$ = require_cat; }
;
require_id_list : identifier
{ if ($<require_func>0 (pass)) return -1; }
| require_id_list ',' identifier
{ if ($<require_func>0 (pass)) return -1; }
;
optional_block : optional_decl '{' avrules_block '}'
{ if (end_avrule_block(pass) == -1) return -1; }
optional_else
{ if (end_optional(pass) == -1) return -1; }
;
optional_else : else_decl '{' avrules_block '}'
{ if (end_avrule_block(pass) == -1) return -1; }
| /* empty */
;
optional_decl : OPTIONAL
{ if (begin_optional(pass) == -1) return -1; }
;
else_decl : ELSE
{ if (begin_optional_else(pass) == -1) return -1; }
;
avrule_user_defs : user_def avrule_user_defs
| /* empty */
;

275
checkpolicy/policy_scan.l Normal file


@ -0,0 +1,275 @@
/*
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
*/
/* Updated: David Caplan, <dac@tresys.com>
*
* Added conditional policy language extensions
*
* Jason Tang <jtang@tresys.com>
*
* Added support for binary policy modules
*
* Copyright (C) 2003-5 Tresys Technology, LLC
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*/
/* FLASK */
%{
#include <sys/types.h>
#include <limits.h>
#include <stdint.h>
#include <string.h>
typedef int (* require_func_t)();
#include "y.tab.h"
static char linebuf[2][255];
static unsigned int lno = 0;
int yywarn(char *msg);
void set_source_file(const char *name);
char source_file[PATH_MAX];
unsigned long source_lineno = 1;
unsigned long policydb_lineno = 1;
unsigned int policydb_errors = 0;
%}
%option noinput nounput
%array
letter [A-Za-z]
digit [0-9]
alnum [a-zA-Z0-9]
hexval [0-9A-Fa-f]
%%
\n.* { strncpy(linebuf[lno], yytext+1, 255);
linebuf[lno][254] = 0;
lno = 1 - lno;
policydb_lineno++;
source_lineno++;
yyless(1); }
CLONE |
clone { return(CLONE); }
COMMON |
common { return(COMMON); }
CLASS |
class { return(CLASS); }
CONSTRAIN |
constrain { return(CONSTRAIN); }
VALIDATETRANS |
validatetrans { return(VALIDATETRANS); }
INHERITS |
inherits { return(INHERITS); }
SID |
sid { return(SID); }
ROLE |
role { return(ROLE); }
ROLES |
roles { return(ROLES); }
TYPES |
types { return(TYPES); }
TYPEALIAS |
typealias { return(TYPEALIAS); }
TYPEATTRIBUTE |
typeattribute { return(TYPEATTRIBUTE); }
TYPE |
type { return(TYPE); }
BOOL |
bool { return(BOOL); }
IF |
if { return(IF); }
ELSE |
else { return(ELSE); }
ALIAS |
alias { return(ALIAS); }
ATTRIBUTE |
attribute { return(ATTRIBUTE); }
TYPE_TRANSITION |
type_transition { return(TYPE_TRANSITION); }
TYPE_MEMBER |
type_member { return(TYPE_MEMBER); }
TYPE_CHANGE |
type_change { return(TYPE_CHANGE); }
ROLE_TRANSITION |
role_transition { return(ROLE_TRANSITION); }
RANGE_TRANSITION |
range_transition { return(RANGE_TRANSITION); }
SENSITIVITY |
sensitivity { return(SENSITIVITY); }
DOMINANCE |
dominance { return(DOMINANCE); }
CATEGORY |
category { return(CATEGORY); }
LEVEL |
level { return(LEVEL); }
RANGE |
range { return(RANGE); }
MLSCONSTRAIN |
mlsconstrain { return(MLSCONSTRAIN); }
MLSVALIDATETRANS |
mlsvalidatetrans { return(MLSVALIDATETRANS); }
USER |
user { return(USER); }
NEVERALLOW |
neverallow { return(NEVERALLOW); }
ALLOW |
allow { return(ALLOW); }
AUDITALLOW |
auditallow { return(AUDITALLOW); }
AUDITDENY |
auditdeny { return(AUDITDENY); }
DONTAUDIT |
dontaudit { return(DONTAUDIT); }
SOURCE |
source { return(SOURCE); }
TARGET |
target { return(TARGET); }
SAMEUSER |
sameuser { return(SAMEUSER);}
module|MODULE { return(MODULE); }
require|REQUIRE { return(REQUIRE); }
optional|OPTIONAL { return(OPTIONAL); }
OR |
or { return(OR);}
AND |
and { return(AND);}
NOT |
not { return(NOT);}
xor |
XOR { return(XOR); }
eq |
EQ { return(EQUALS);}
true |
TRUE { return(CTRUE); }
false |
FALSE { return(CFALSE); }
dom |
DOM { return(DOM);}
domby |
DOMBY { return(DOMBY);}
INCOMP |
incomp { return(INCOMP);}
fscon |
FSCON { return(FSCON);}
portcon |
PORTCON { return(PORTCON);}
netifcon |
NETIFCON { return(NETIFCON);}
nodecon |
NODECON { return(NODECON);}
fs_use_xattr |
FS_USE_XATTR { return(FSUSEXATTR);}
fs_use_task |
FS_USE_TASK { return(FSUSETASK);}
fs_use_trans |
FS_USE_TRANS { return(FSUSETRANS);}
genfscon |
GENFSCON { return(GENFSCON);}
r1 |
R1 { return(R1); }
r2 |
R2 { return(R2); }
r3 |
R3 { return(R3); }
u1 |
U1 { return(U1); }
u2 |
U2 { return(U2); }
u3 |
U3 { return(U3); }
t1 |
T1 { return(T1); }
t2 |
T2 { return(T2); }
t3 |
T3 { return(T3); }
l1 |
L1 { return(L1); }
l2 |
L2 { return(L2); }
h1 |
H1 { return(H1); }
h2 |
H2 { return(H2); }
policycap |
POLICYCAP { return(POLICYCAP); }
permissive |
PERMISSIVE { return(PERMISSIVE); }
"/"({alnum}|[_.-/])* { return(PATH); }
{letter}({alnum}|[_-])*([.]?({alnum}|[_-]))* { return(IDENTIFIER); }
{digit}+ { return(NUMBER); }
{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
#line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
#line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
#[^\n]* { /* delete comments */ }
[ \t\f]+ { /* delete whitespace */ }
"==" { return(EQUALS); }
"!=" { return (NOTEQUAL); }
"&&" { return (AND); }
"||" { return (OR); }
"!" { return (NOT); }
"^" { return (XOR); }
"," |
":" |
";" |
"(" |
")" |
"{" |
"}" |
"[" |
"-" |
"." |
"]" |
"~" |
"*" { return(yytext[0]); }
. { yywarn("unrecognized character");}
%%
int yyerror(char *msg)
{
if (source_file[0])
fprintf(stderr, "%s:%ld:",
source_file, source_lineno);
else
fprintf(stderr, "(unknown source)::");
fprintf(stderr, "ERROR '%s' at token '%s' on line %ld:\n%s\n%s\n",
msg,
yytext,
policydb_lineno,
linebuf[0], linebuf[1]);
policydb_errors++;
return -1;
}
int yywarn(char *msg)
{
if (source_file[0])
fprintf(stderr, "%s:%ld:",
source_file, source_lineno);
else
fprintf(stderr, "(unknown source)::");
fprintf(stderr, "WARNING '%s' at token '%s' on line %ld:\n%s\n%s\n",
msg,
yytext,
policydb_lineno,
linebuf[0], linebuf[1]);
return 0;
}
void set_source_file(const char *name)
{
source_lineno = 1;
strncpy(source_file, name, sizeof(source_file)-1);
source_file[sizeof(source_file)-1] = '\0';
}
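Review bot: `set_source_file(yytext+9)` in the `#line[ ]1[ ]\"[^\n]*\"` rule skips the opening quote but keeps the closing one, so `source_file` ends with a stray `"` and every `yyerror`/`yywarn` message prints as `name.te":12:`; either pass a length that excludes the last character or strip a trailing `"` in `set_source_file` after the `strncpy`. Separately, the `\n.*` rule makes the entire following line a single token, and because the scanner is built with `%array` a token longer than flex's YYLMAX is a fatal "token too large" error rather than a reportable parse error, so a policy with one very long line (a large `neverallow` type set, for example) aborts the compiler; either raise YYLMAX or match `\n` alone and capture the line text some other way. Minor: the `.` fallback only calls `yywarn("unrecognized character")`, so stray bytes in a policy file produce a warning and the policy still compiles; if that is intended, say so in a comment.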

180
checkpolicy/queue.c Normal file

@ -0,0 +1,180 @@
/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
/* FLASK */
/*
* Implementation of the double-ended queue type.
*/
#include <stdlib.h>
#include "queue.h"
queue_t queue_create(void)
{
queue_t q;
q = (queue_t) malloc(sizeof(struct queue_info));
if (q == NULL)
return NULL;
q->head = q->tail = NULL;
return q;
}
int queue_insert(queue_t q, queue_element_t e)
{
queue_node_ptr_t newnode;
if (!q)
return -1;
newnode = (queue_node_ptr_t) malloc(sizeof(struct queue_node));
if (newnode == NULL)
return -1;
newnode->element = e;
newnode->next = NULL;
if (q->head == NULL) {
q->head = q->tail = newnode;
} else {
q->tail->next = newnode;
q->tail = newnode;
}
return 0;
}
int queue_push(queue_t q, queue_element_t e)
{
queue_node_ptr_t newnode;
if (!q)
return -1;
newnode = (queue_node_ptr_t) malloc(sizeof(struct queue_node));
if (newnode == NULL)
return -1;
newnode->element = e;
newnode->next = NULL;
if (q->head == NULL) {
q->head = q->tail = newnode;
} else {
newnode->next = q->head;
q->head = newnode;
}
return 0;
}
queue_element_t queue_remove(queue_t q)
{
queue_node_ptr_t node;
queue_element_t e;
if (!q)
return NULL;
if (q->head == NULL)
return NULL;
node = q->head;
q->head = q->head->next;
if (q->head == NULL)
q->tail = NULL;
e = node->element;
free(node);
return e;
}
queue_element_t queue_head(queue_t q)
{
if (!q)
return NULL;
if (q->head == NULL)
return NULL;
return q->head->element;
}
void queue_destroy(queue_t q)
{
queue_node_ptr_t p, temp;
if (!q)
return;
p = q->head;
while (p != NULL) {
temp = p;
p = p->next;
free(temp);
}
free(q);
}
int queue_map(queue_t q, int (*f) (queue_element_t, void *), void *vp)
{
queue_node_ptr_t p;
int ret;
if (!q)
return 0;
p = q->head;
while (p != NULL) {
ret = f(p->element, vp);
if (ret)
return ret;
p = p->next;
}
return 0;
}
void queue_map_remove_on_error(queue_t q,
int (*f) (queue_element_t, void *),
void (*g) (queue_element_t, void *), void *vp)
{
queue_node_ptr_t p, last, temp;
int ret;
if (!q)
return;
last = NULL;
p = q->head;
while (p != NULL) {
ret = f(p->element, vp);
if (ret) {
if (last) {
last->next = p->next;
if (last->next == NULL)
q->tail = last;
} else {
q->head = p->next;
if (q->head == NULL)
q->tail = NULL;
}
temp = p;
p = p->next;
g(temp->element, vp);
free(temp);
} else {
last = p;
p = p->next;
}
}
return;
}
/* FLASK */
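Review bot: `queue_remove` and `queue_head` return `NULL` both for an empty queue and for a stored `NULL` element, so a caller cannot drain a queue by looping until `NULL` if `NULL` was ever inserted; worth either documenting or forbidding `NULL` elements in `queue_insert`/`queue_push`. Those two functions also duplicate the node setup (`newnode = (queue_node_ptr_t) malloc(sizeof(struct queue_node));`, `newnode->element = e;`, `newnode->next = NULL;`), which a small static helper would keep identical. `queue_map_remove_on_error` unlinks correctly at head, middle and tail and resets `q->tail` on both branches, so no issue there.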

62
checkpolicy/queue.h Normal file

@ -0,0 +1,62 @@
/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
/* FLASK */
/*
* A double-ended queue is a singly linked list of
* elements of arbitrary type that may be accessed
* at either end.
*/
#ifndef _QUEUE_H_
#define _QUEUE_H_
typedef void *queue_element_t;
typedef struct queue_node *queue_node_ptr_t;
typedef struct queue_node {
queue_element_t element;
queue_node_ptr_t next;
} queue_node_t;
typedef struct queue_info {
queue_node_ptr_t head;
queue_node_ptr_t tail;
} queue_info_t;
typedef queue_info_t *queue_t;
queue_t queue_create(void);
int queue_insert(queue_t, queue_element_t);
int queue_push(queue_t, queue_element_t);
queue_element_t queue_remove(queue_t);
queue_element_t queue_head(queue_t);
void queue_destroy(queue_t);
/*
Applies the specified function f to each element in the
specified queue.
In addition to passing the element to f, queue_map
passes the specified void* pointer to f on each invocation.
If f returns a non-zero status, then queue_map will cease
iterating through the hash table and will propagate the error
return to its caller.
*/
int queue_map(queue_t, int (*f) (queue_element_t, void *), void *);
/*
Same as queue_map, except that if f returns a non-zero status,
then the element will be removed from the queue and the g
function will be applied to the element.
*/
void queue_map_remove_on_error(queue_t,
int (*f) (queue_element_t, void *),
void (*g) (queue_element_t, void *), void *);
#endif
/* FLASK */
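Review bot: the `queue_map` comment says it "will cease iterating through the hash table", which was carried over from the hashtab interface; it should say "through the queue". The header should also state ownership: `queue_destroy` releases only the nodes, so the caller must free the elements (or drain them with `queue_remove`) first, and `queue_remove`/`queue_head` return `NULL` for an empty queue, which is ambiguous if `NULL` elements are ever stored.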

21
checkpolicy/test/Makefile Normal file

@ -0,0 +1,21 @@
#
# Makefile for building the dispol program
#
PREFIX ?= $(DESTDIR)/usr
BINDIR=$(PREFIX)/bin
LIBDIR=$(PREFIX)/lib
INCLUDEDIR ?= $(PREFIX)/include
CFLAGS ?= -g -Wall -O2 -pipe
override CFLAGS += -I$(INCLUDEDIR)
LDLIBS=-lfl -lsepol -lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR)
all: dispol dismod
dispol: dispol.o
dismod: dismod.o
clean:
-rm -f dispol dismod *.o
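Review bot: `LDLIBS=-lfl -lsepol -lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR)` links libsepol twice, once shared via `-lsepol` and once via the static archive; dismod and dispol reach into policydb internals that the static archive exposes, so keep `$(LIBDIR)/libsepol.a` and drop `-lsepol`, and drop `-lselinux` unless something here actually calls it (nothing visible in dismod.c does). `-lfl` is unneeded because neither test program contains a flex scanner, and it makes the link fail on hosts without libfl. `PREFIX ?= $(DESTDIR)/usr` bakes DESTDIR into PREFIX; with no install target in this Makefile it is harmless, but DESTDIR conventionally applies only to install paths, not to the include and library search paths used at build time.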

957
checkpolicy/test/dismod.c Normal file

@ -0,0 +1,957 @@
/* Authors: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
*
* Copyright (C) 2003,2004,2005 Tresys Technology, LLC
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*/
/*
* dismod.c
*
* Test program to the contents of a binary policy in text
* form.
*
* dismod binary_mod_file
*/
#include <getopt.h>
#include <assert.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <errno.h>
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/services.h>
#include <sepol/policydb/conditional.h>
#include <sepol/policydb/flask.h>
#include <sepol/policydb/link.h>
#include <sepol/policydb/module.h>
#include <sepol/policydb/util.h>
#include <sepol/policydb/polcaps.h>
#include <byteswap.h>
#include <endian.h>
#if __BYTE_ORDER == __LITTLE_ENDIAN
#define le32_to_cpu(x) (x)
#else
#define le32_to_cpu(x) bswap_32(x)
#endif
static policydb_t policydb;
extern unsigned int ss_initialized;
int policyvers = MOD_POLICYDB_VERSION_BASE;
static const char *symbol_labels[9] = {
"commons",
"classes", "roles ", "types ", "users ", "bools ",
"levels ", "cats ", "attribs"
};
void usage(char *progname)
{
printf("usage: %s binary_pol_file\n\n", progname);
exit(1);
}
static void render_access_mask(uint32_t mask, uint32_t class, policydb_t * p,
FILE * fp)
{
char *perm;
fprintf(fp, "{");
perm = sepol_av_to_string(p, class, mask);
if (perm)
fprintf(fp, "%s ", perm);
fprintf(fp, "}");
}
static void render_access_bitmap(ebitmap_t * map, uint32_t class,
policydb_t * p, FILE * fp)
{
unsigned int i;
char *perm;
fprintf(fp, "{");
for (i = ebitmap_startbit(map); i < ebitmap_length(map); i++) {
if (ebitmap_get_bit(map, i)) {
perm = sepol_av_to_string(p, class, 1 << i);
if (perm)
fprintf(fp, " %s", perm);
}
}
fprintf(fp, " }");
}
static void display_id(policydb_t * p, FILE * fp, uint32_t symbol_type,
uint32_t symbol_value, char *prefix)
{
char *id = p->sym_val_to_name[symbol_type][symbol_value];
scope_datum_t *scope =
(scope_datum_t *) hashtab_search(p->scope[symbol_type].table, id);
assert(scope != NULL);
if (scope->scope == SCOPE_REQ) {
fprintf(fp, " [%s%s]", prefix, id);
} else {
fprintf(fp, " %s%s", prefix, id);
}
}
int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
FILE * fp)
{
int i, num_types;
if (set->flags & TYPE_STAR) {
fprintf(fp, " * ");
return 0;
} else if (set->flags & TYPE_COMP) {
fprintf(fp, " ~");
}
num_types = 0;
if (flags & RULE_SELF) {
num_types++;
}
for (i = ebitmap_startbit(&set->types); i < ebitmap_length(&set->types);
i++) {
if (!ebitmap_get_bit(&set->types, i))
continue;
num_types++;
if (num_types > 1)
break;
}
if (num_types <= 1) {
for (i = ebitmap_startbit(&set->negset);
i < ebitmap_length(&set->negset); i++) {
if (!ebitmap_get_bit(&set->negset, i))
continue;
num_types++;
if (num_types > 1)
break;
}
}
if (num_types > 1)
fprintf(fp, "{");
for (i = ebitmap_startbit(&set->types); i < ebitmap_length(&set->types);
i++) {
if (!ebitmap_get_bit(&set->types, i))
continue;
display_id(policy, fp, SYM_TYPES, i, "");
}
for (i = ebitmap_startbit(&set->negset);
i < ebitmap_length(&set->negset); i++) {
if (!ebitmap_get_bit(&set->negset, i))
continue;
display_id(policy, fp, SYM_TYPES, i, "-");
}
if (flags & RULE_SELF) {
fprintf(fp, " self");
}
if (num_types > 1)
fprintf(fp, " }");
return 0;
}
int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
{
int i, num = 0;
if (roles->flags & ROLE_STAR) {
fprintf(fp, " * ");
return 0;
} else if (roles->flags & ROLE_COMP) {
fprintf(fp, " ~");
}
for (i = ebitmap_startbit(&roles->roles);
i < ebitmap_length(&roles->roles); i++) {
if (!ebitmap_get_bit(&roles->roles, i))
continue;
num++;
if (num > 1) {
fprintf(fp, "{");
break;
}
}
for (i = ebitmap_startbit(&roles->roles);
i < ebitmap_length(&roles->roles); i++) {
if (ebitmap_get_bit(&roles->roles, i))
display_id(p, fp, SYM_ROLES, i, "");
}
if (num > 1)
fprintf(fp, " }");
return 0;
}
/* 'what' values for this function */
#define RENDER_UNCONDITIONAL 0x0001 /* render all regardless of enabled state */
#define RENDER_ENABLED 0x0002
#define RENDER_DISABLED 0x0004
#define RENDER_CONDITIONAL (RENDER_ENABLED|RENDER_DISABLED)
int display_avrule(avrule_t * avrule, uint32_t what, policydb_t * policy,
FILE * fp)
{
class_perm_node_t *cur;
int num_classes;
if (avrule == NULL) {
fprintf(fp, " <empty>\n");
return 0;
}
if (avrule->specified & AVRULE_AV) {
if (avrule->specified & AVRULE_ALLOWED) {
fprintf(fp, " allow");
}
if (avrule->specified & AVRULE_AUDITALLOW) {
fprintf(fp, " auditallow ");
}
if (avrule->specified & AVRULE_DONTAUDIT) {
fprintf(fp, " dontaudit");
}
} else if (avrule->specified & AVRULE_TYPE) {
if (avrule->specified & AVRULE_TRANSITION) {
fprintf(fp, " type_transition");
}
if (avrule->specified & AVRULE_MEMBER) {
fprintf(fp, " type_member");
}
if (avrule->specified & AVRULE_CHANGE) {
fprintf(fp, " type_change");
}
} else if (avrule->specified & AVRULE_NEVERALLOW) {
fprintf(fp, " neverallow");
} else {
fprintf(fp, " ERROR: no valid rule type specified\n");
return -1;
}
if (display_type_set(&avrule->stypes, 0, policy, fp))
return -1;
if (display_type_set(&avrule->ttypes, avrule->flags, policy, fp))
return -1;
fprintf(fp, " :");
cur = avrule->perms;
num_classes = 0;
while (cur) {
num_classes++;
if (num_classes > 1)
break;
cur = cur->next;
}
if (num_classes > 1)
fprintf(fp, " {");
cur = avrule->perms;
while (cur) {
display_id(policy, fp, SYM_CLASSES, cur->class - 1, "");
cur = cur->next;
}
if (num_classes > 1)
fprintf(fp, " }");
fprintf(fp, " ");
if (avrule->specified & (AVRULE_AV | AVRULE_NEVERALLOW)) {
render_access_mask(avrule->perms->data, avrule->perms->class,
policy, fp);
} else if (avrule->specified & AVRULE_TYPE) {
display_id(policy, fp, SYM_TYPES, avrule->perms->data - 1, "");
}
fprintf(fp, ";\n");
return 0;
}
int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
{
type_datum_t *type;
FILE *fp;
int i, first_attrib = 1;
type = (type_datum_t *) datum;
fp = (FILE *) data;
if (type->primary) {
display_id(&policydb, fp, SYM_TYPES, type->s.value - 1, "");
fprintf(fp, " [%d]: ", type->s.value);
} else {
/* as that aliases have no value of their own and that
* they can never be required by a module, use this
* alternative way of displaying a name */
fprintf(fp, " %s [%d]: ", (char *)key, type->s.value);
}
if (type->flavor == TYPE_ATTRIB) {
fprintf(fp, "attribute for types");
for (i = ebitmap_startbit(&type->types);
i < ebitmap_length(&type->types); i++) {
if (!ebitmap_get_bit(&type->types, i))
continue;
if (first_attrib) {
first_attrib = 0;
} else {
fprintf(fp, ",");
}
display_id(&policydb, fp, SYM_TYPES, i, "");
}
} else if (type->primary) {
fprintf(fp, "type");
} else {
fprintf(fp, "alias for type");
display_id(&policydb, fp, SYM_TYPES, type->s.value - 1, "");
}
fprintf(fp, " flags:%x\n", type->flags);
return 0;
}
int display_types(policydb_t * p, FILE * fp)
{
if (hashtab_map(p->p_types.table, display_type_callback, fp))
return -1;
return 0;
}
int display_users(policydb_t * p, FILE * fp)
{
int i, j;
ebitmap_t *bitmap;
for (i = 0; i < p->p_users.nprim; i++) {
display_id(p, fp, SYM_USERS, i, "");
fprintf(fp, ":");
bitmap = &(p->user_val_to_struct[i]->roles.roles);
for (j = ebitmap_startbit(bitmap); j < ebitmap_length(bitmap);
j++) {
if (ebitmap_get_bit(bitmap, j)) {
display_id(p, fp, SYM_ROLES, j, "");
}
}
fprintf(fp, "\n");
}
return 0;
}
int display_bools(policydb_t * p, FILE * fp)
{
int i;
for (i = 0; i < p->p_bools.nprim; i++) {
display_id(p, fp, SYM_BOOLS, i, "");
fprintf(fp, " : %d\n", p->bool_val_to_struct[i]->state);
}
return 0;
}
void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
{
cond_expr_t *cur;
for (cur = exp; cur != NULL; cur = cur->next) {
switch (cur->expr_type) {
case COND_BOOL:
fprintf(fp, "%s ",
p->p_bool_val_to_name[cur->bool - 1]);
break;
case COND_NOT:
fprintf(fp, "! ");
break;
case COND_OR:
fprintf(fp, "|| ");
break;
case COND_AND:
fprintf(fp, "&& ");
break;
case COND_XOR:
fprintf(fp, "^ ");
break;
case COND_EQ:
fprintf(fp, "== ");
break;
case COND_NEQ:
fprintf(fp, "!= ");
break;
default:
fprintf(fp, "error!");
break;
}
}
}
void display_policycon(policydb_t * p, FILE * fp)
{
#if 0
int i;
ocontext_t *cur;
char *name;
for (i = 0; i < POLICYCON_NUM; i++) {
fprintf(fp, "%s:", symbol_labels[i]);
for (cur = p->policycon[i].head; cur != NULL; cur = cur->next) {
if (*(cur->u.name) == '\0') {
name = "{default}";
} else {
name = cur->u.name;
}
fprintf(fp, "\n%16s - %s:%s:%s", name,
p->p_user_val_to_name[cur->context[0].user - 1],
p->p_role_val_to_name[cur->context[0].role - 1],
p->p_type_val_to_name[cur->context[0].type -
1]);
}
fprintf(fp, "\n");
}
#endif
}
void display_initial_sids(policydb_t * p, FILE * fp)
{
ocontext_t *cur;
char *user, *role, *type;
fprintf(fp, "Initial SIDs:\n");
for (cur = p->ocontexts[OCON_ISID]; cur != NULL; cur = cur->next) {
user = p->p_user_val_to_name[cur->context[0].user - 1];
role = p->p_role_val_to_name[cur->context[0].role - 1];
type = p->p_type_val_to_name[cur->context[0].type - 1];
fprintf(fp, "\t%s: sid %d, context %s:%s:%s\n",
cur->u.name, cur->sid[0], user, role, type);
}
#if 0
fprintf(fp, "Policy Initial SIDs:\n");
for (cur = p->ocontexts[OCON_POLICYISID]; cur != NULL; cur = cur->next) {
user = p->p_user_val_to_name[cur->context[0].user - 1];
role = p->p_role_val_to_name[cur->context[0].role - 1];
type = p->p_type_val_to_name[cur->context[0].type - 1];
fprintf(fp, "\t%s: sid %d, context %s:%s:%s\n",
cur->u.name, cur->sid[0], user, role, type);
}
#endif
}
void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
{
for (; tr; tr = tr->next) {
fprintf(fp, "role transition ");
display_mod_role_set(&tr->roles, p, fp);
display_type_set(&tr->types, 0, p, fp);
display_id(p, fp, SYM_ROLES, tr->new_role - 1, " :");
fprintf(fp, "\n");
}
}
void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp)
{
for (; ra; ra = ra->next) {
fprintf(fp, "role allow ");
display_mod_role_set(&ra->roles, p, fp);
display_mod_role_set(&ra->new_roles, p, fp);
fprintf(fp, "\n");
}
}
int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
{
char *id;
role_datum_t *role;
FILE *fp;
id = key;
role = (role_datum_t *) datum;
fp = (FILE *) data;
fprintf(fp, "role:");
display_id(&policydb, fp, SYM_ROLES, role->s.value - 1, "");
fprintf(fp, " types: ");
display_type_set(&role->types, 0, &policydb, fp);
fprintf(fp, "\n");
return 0;
}
static int display_scope_index(scope_index_t * indices, policydb_t * p,
FILE * out_fp)
{
int i;
for (i = 0; i < SYM_NUM; i++) {
int any_found = 0, j;
fprintf(out_fp, "%s:", symbol_labels[i]);
for (j = ebitmap_startbit(&indices->scope[i]);
j < ebitmap_length(&indices->scope[i]); j++) {
if (ebitmap_get_bit(&indices->scope[i], j)) {
any_found = 1;
fprintf(out_fp, " %s",
p->sym_val_to_name[i][j]);
if (i == SYM_CLASSES) {
if (j < indices->class_perms_len) {
render_access_bitmap(indices->
class_perms_map
+ j, j + 1,
p, out_fp);
} else {
fprintf(out_fp,
"<no perms known>");
}
}
}
}
if (!any_found) {
fprintf(out_fp, " <empty>");
}
fprintf(out_fp, "\n");
}
return 0;
}
#if 0
int display_cond_expressions(policydb_t * p, FILE * fp)
{
cond_node_t *cur;
cond_av_list_t *av_cur;
for (cur = p->cond_list; cur != NULL; cur = cur->next) {
fprintf(fp, "expression: ");
display_expr(p, cur->expr, fp);
fprintf(fp, "current state: %d\n", cur->cur_state);
fprintf(fp, "True list:\n");
for (av_cur = cur->true_list; av_cur != NULL;
av_cur = av_cur->next) {
fprintf(fp, "\t");
render_av_rule(&av_cur->node->key, &av_cur->node->datum,
RENDER_CONDITIONAL, p, fp);
}
fprintf(fp, "False list:\n");
for (av_cur = cur->false_list; av_cur != NULL;
av_cur = av_cur->next) {
fprintf(fp, "\t");
render_av_rule(&av_cur->node->key, &av_cur->node->datum,
RENDER_CONDITIONAL, p, fp);
}
}
return 0;
}
int change_bool(char *name, int state, policydb_t * p, FILE * fp)
{
cond_bool_datum_t *bool;
bool = hashtab_search(p->p_bools.table, name);
if (bool == NULL) {
fprintf(fp, "Could not find bool %s\n", name);
return -1;
}
bool->state = state;
evaluate_conds(p);
return 0;
}
#endif
int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
policydb_t * policy, FILE * out_fp)
{
fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
(decl->enabled ? " [enabled]" : ""));
switch (field) {
case 0:{
cond_list_t *cond = decl->cond_list;
avrule_t *avrule;
while (cond) {
fprintf(out_fp, "expression: ");
display_expr(&policydb, cond->expr, out_fp);
fprintf(out_fp, "current state: %d\n",
cond->cur_state);
fprintf(out_fp, "True list:\n");
avrule = cond->avtrue_list;
while (avrule) {
display_avrule(avrule,
RENDER_UNCONDITIONAL,
&policydb, out_fp);
avrule = avrule->next;
}
fprintf(out_fp, "False list:\n");
avrule = cond->avfalse_list;
while (avrule) {
display_avrule(avrule,
RENDER_UNCONDITIONAL,
&policydb, out_fp);
avrule = avrule->next;
}
cond = cond->next;
}
break;
}
case 1:{
avrule_t *avrule = decl->avrules;
if (avrule == NULL) {
fprintf(out_fp, " <empty>\n");
}
while (avrule != NULL) {
if (display_avrule
(avrule, what, policy, out_fp)) {
return -1;
}
avrule = avrule->next;
}
break;
}
case 2:{ /* role_type_node */
break;
}
case 3:{
display_role_trans(decl->role_tr_rules, policy, out_fp);
break;
}
case 4:{
display_role_allow(decl->role_allow_rules, policy,
out_fp);
break;
}
case 5:{
if (display_scope_index
(&decl->required, policy, out_fp)) {
return -1;
}
break;
}
case 6:{
if (display_scope_index
(&decl->declared, policy, out_fp)) {
return -1;
}
break;
}
default:{
assert(0);
}
}
return 0; /* should never get here */
}
int display_avblock(int field, uint32_t what, policydb_t * policy,
FILE * out_fp)
{
avrule_block_t *block = policydb.global;
while (block != NULL) {
fprintf(out_fp, "--- begin avrule block ---\n");
avrule_decl_t *decl = block->branch_list;
while (decl != NULL) {
if (display_avdecl(decl, field, what, policy, out_fp)) {
return -1;
}
decl = decl->next;
}
block = block->next;
}
return 0;
}
int display_handle_unknown(policydb_t * p, FILE * out_fp)
{
if (p->handle_unknown == ALLOW_UNKNOWN)
fprintf(out_fp, "Allow unknown classes and perms\n");
else if (p->handle_unknown == DENY_UNKNOWN)
fprintf(out_fp, "Deny unknown classes and perms\n");
else if (p->handle_unknown == REJECT_UNKNOWN)
fprintf(out_fp, "Reject unknown classes and perms\n");
return 0;
}
static int read_policy(char *filename, policydb_t * policy)
{
FILE *in_fp;
struct policy_file f;
int retval;
uint32_t buf[1];
if ((in_fp = fopen(filename, "rb")) == NULL) {
fprintf(stderr, "Can't open '%s': %s\n",
filename, strerror(errno));
exit(1);
}
policy_file_init(&f);
f.type = PF_USE_STDIO;
f.fp = in_fp;
/* peek at the first byte. if they are indicative of a
package use the package reader, otherwise use the normal
policy reader */
if (fread(buf, sizeof(uint32_t), 1, in_fp) != 1) {
fprintf(stderr, "Could not read from policy.\n");
exit(1);
}
rewind(in_fp);
if (le32_to_cpu(buf[0]) == SEPOL_MODULE_PACKAGE_MAGIC) {
sepol_module_package_t *package;
if (sepol_module_package_create(&package)) {
fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__);
exit(1);
}
package->policy = (sepol_policydb_t *) policy;
package->file_contexts = NULL;
retval =
sepol_module_package_read(package,
(sepol_policy_file_t *) & f, 1);
free(package->file_contexts);
} else {
if (policydb_init(policy)) {
fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__);
exit(1);
}
retval = policydb_read(policy, &f, 1);
}
fclose(in_fp);
return retval;
}
static void link_module(policydb_t * base, FILE * out_fp)
{
char module_name[80] = { 0 };
int ret;
policydb_t module, *mods = &module;
if (base->policy_type != POLICY_BASE) {
printf("Can only link if initial file was a base policy.\n");
return;
}
printf("\nModule filename: ");
fgets(module_name, sizeof(module_name), stdin);
module_name[strlen(module_name) - 1] = '\0'; /* remove LF */
if (module_name[0] == '\0') {
return;
}
/* read the binary policy */
fprintf(out_fp, "Reading module...\n");
if (read_policy(module_name, mods)) {
fprintf(stderr,
"%s: error(s) encountered while loading policy\n",
module_name);
exit(1);
}
if (module.policy_type != POLICY_MOD) {
fprintf(stderr, "This file is not a loadable policy module.\n");
exit(1);
}
if (policydb_index_classes(&module) ||
policydb_index_others(NULL, &module, 0)) {
fprintf(stderr, "Could not index module.\n");
exit(1);
}
ret = link_modules(NULL, base, &mods, 1, 0);
if (ret != 0) {
printf("Link failed (error %d)\n", ret);
printf("(You will probably need to restart dismod.)\n");
}
policydb_destroy(&module);
return;
}
static void display_policycaps(policydb_t * p, FILE * fp)
{
ebitmap_node_t *node;
const char *capname;
char buf[64];
int i;
fprintf(fp, "policy capabilities:\n");
ebitmap_for_each_bit(&p->policycaps, node, i) {
if (ebitmap_node_get_bit(node, i)) {
capname = sepol_polcap_getname(i);
if (capname == NULL) {
snprintf(buf, sizeof(buf), "unknown (%d)", i);
capname = buf;
}
fprintf(fp, "\t%s\n", capname);
}
}
}
int menu()
{
printf("\nSelect a command:\n");
printf("1) display unconditional AVTAB\n");
printf("2) display conditional AVTAB\n");
printf("3) display users\n");
printf("4) display bools\n");
printf("5) display roles\n");
printf("6) display types, attributes, and aliases\n");
printf("7) display role transitions\n");
printf("8) display role allows\n");
printf("9) Display policycon\n");
printf("0) Display initial SIDs\n");
printf("\n");
printf("a) Display avrule requirements\n");
printf("b) Display avrule declarations\n");
printf("c) Display policy capabilities\n");
printf("l) Link in a module\n");
printf("u) Display the unknown handling setting\n");
printf("\n");
printf("f) set output file\n");
printf("m) display menu\n");
printf("q) quit\n");
return 0;
}
int main(int argc, char **argv)
{
FILE *out_fp = stdout;
char ans[81], OutfileName[121];
if (argc != 2)
usage(argv[0]);
/* read the binary policy */
fprintf(out_fp, "Reading policy...\n");
policydb_init(&policydb);
if (read_policy(argv[1], &policydb)) {
fprintf(stderr,
"%s: error(s) encountered while loading policy\n",
argv[0]);
exit(1);
}
if (policydb.policy_type != POLICY_BASE &&
policydb.policy_type != POLICY_MOD) {
fprintf(stderr,
"This file is neither a base nor loadable policy module.\n");
exit(1);
}
if (policydb_index_classes(&policydb)) {
fprintf(stderr, "Error indexing classes\n");
exit(1);
}
if (policydb_index_others(NULL, &policydb, 1)) {
fprintf(stderr, "Error indexing others\n");
exit(1);
}
if (policydb.policy_type == POLICY_BASE) {
printf("Binary base policy file loaded.\n\n");
} else {
printf("Binary policy module file loaded.\n");
printf("Module name: %s\n", policydb.name);
printf("Module version: %s\n", policydb.version);
printf("\n");
}
menu();
for (;;) {
printf("\nCommand (\'m\' for menu): ");
fgets(ans, sizeof(ans), stdin);
switch (ans[0]) {
case '1':{
fprintf(out_fp, "unconditional avtab:\n");
display_avblock(1, RENDER_UNCONDITIONAL,
&policydb, out_fp);
break;
}
case '2':
fprintf(out_fp, "conditional avtab:\n");
display_avblock(0, RENDER_UNCONDITIONAL, &policydb,
out_fp);
break;
case '3':
display_users(&policydb, out_fp);
break;
case '4':
display_bools(&policydb, out_fp);
break;
case '5':
if (hashtab_map
(policydb.p_roles.table, role_display_callback,
out_fp))
exit(1);
break;
case '6':
if (display_types(&policydb, out_fp)) {
fprintf(stderr, "Error displaying types\n");
exit(1);
}
break;
case '7':
fprintf(out_fp, "role transitions:\n");
display_avblock(3, 0, &policydb, out_fp);
break;
case '8':
fprintf(out_fp, "role allows:\n");
display_avblock(4, 0, &policydb, out_fp);
break;
case '9':
display_policycon(&policydb, out_fp);
break;
case '0':
display_initial_sids(&policydb, out_fp);
break;
case 'a':
fprintf(out_fp, "avrule block requirements:\n");
display_avblock(5, 0, &policydb, out_fp);
break;
case 'b':
fprintf(out_fp, "avrule block declarations:\n");
display_avblock(6, 0, &policydb, out_fp);
break;
case 'c':
display_policycaps(&policydb, out_fp);
break;
case 'u':
case 'U':
display_handle_unknown(&policydb, out_fp);
break;
case 'f':
printf
("\nFilename for output (<CR> for screen output): ");
fgets(OutfileName, sizeof(OutfileName), stdin);
OutfileName[strlen(OutfileName) - 1] = '\0'; /* fix_string (remove LF) */
if (strlen(OutfileName) == 0)
out_fp = stdout;
else if ((out_fp = fopen(OutfileName, "w")) == NULL) {
fprintf(stderr, "Cannot open output file %s\n",
OutfileName);
out_fp = stdout;
}
if (out_fp != stdout)
printf("\nOutput to file: %s\n", OutfileName);
break;
case 'l':
link_module(&policydb, out_fp);
break;
case 'q':
policydb_destroy(&policydb);
exit(0);
break;
case 'm':
menu();
break;
default:
printf("\nInvalid choice\n");
menu();
break;
}
}
exit(EXIT_SUCCESS);
}
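Review bot: the command loop in main() and the prompt in link_module() never check the return value of fgets(), so on EOF or a read error the switch runs on a stale ans[0] and the for(;;) loop spins forever printing "Invalid choice"; worse, the follow-up `module_name[strlen(module_name) - 1] = '\0'` (and the same pattern for OutfileName under case 'f') writes one byte before the buffer when the string is empty (module_name is zero-initialised, so strlen is 0 after a failed fgets), and when the typed line is longer than the buffer there is no LF to strip and the last real character is chopped instead. Suggest `if (!fgets(ans, sizeof(ans), stdin)) break;` and `module_name[strcspn(module_name, "\n")] = '\0';`. Two smaller points: display_avdecl() takes a `policy` parameter but case 0 passes the global `&policydb` to display_expr() and display_avrule() while case 1 passes `policy`, and the comment on `return 0; /* should never get here */` is wrong, since every case breaks to that statement.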

511
checkpolicy/test/dispol.c Normal file

@ -0,0 +1,511 @@
/* Authors: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
*
* Copyright (C) 2003 Tresys Technology, LLC
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*/
/*
* displaypol.c
*
* Test program to the contents of a binary policy in text
* form. This program currently only displays the
* avtab (including conditional avtab) rules.
*
* displaypol binary_pol_file
*/
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/avtab.h>
#include <sepol/policydb/services.h>
#include <sepol/policydb/conditional.h>
#include <sepol/policydb/expand.h>
#include <sepol/policydb/util.h>
#include <sepol/policydb/polcaps.h>
#include <getopt.h>
#include <assert.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <errno.h>
#include <stdio.h>
#include <fcntl.h>
static policydb_t policydb;
void usage(char *progname)
{
printf("usage: %s binary_pol_file\n\n", progname);
exit(1);
}
int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
FILE * fp)
{
char *perm;
fprintf(fp, "{");
perm = sepol_av_to_string(p, key->target_class, mask);
if (perm)
fprintf(fp, "%s ", perm);
fprintf(fp, "}");
return 0;
}
int render_type(uint32_t type, policydb_t * p, FILE * fp)
{
fprintf(fp, "%s", p->p_type_val_to_name[type - 1]);
return 0;
}
int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
{
char *stype, *ttype, *tclass;
stype = p->p_type_val_to_name[key->source_type - 1];
ttype = p->p_type_val_to_name[key->target_type - 1];
tclass = p->p_class_val_to_name[key->target_class - 1];
if (stype && ttype)
fprintf(fp, "%s %s : %s ", stype, ttype, tclass);
else if (stype)
fprintf(fp, "%s %u : %s ", stype, key->target_type, tclass);
else if (ttype)
fprintf(fp, "%u %s : %s ", key->source_type, ttype, tclass);
else
fprintf(fp, "%u %u : %s ", key->source_type, key->target_type,
tclass);
return 0;
}
/* 'what' values for this function */
#define RENDER_UNCONDITIONAL 0x0001 /* render all regardless of enabled state */
#define RENDER_ENABLED 0x0002
#define RENDER_DISABLED 0x0004
#define RENDER_CONDITIONAL (RENDER_ENABLED|RENDER_DISABLED)
int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
policydb_t * p, FILE * fp)
{
if (!(what & RENDER_UNCONDITIONAL)) {
if (what != RENDER_CONDITIONAL && (((what & RENDER_ENABLED)
&& !(key->
specified &
AVTAB_ENABLED))
|| ((what & RENDER_DISABLED)
&& (key->
specified &
AVTAB_ENABLED)))) {
return 0; /* doesn't match selection criteria */
}
}
if (!(what & RENDER_UNCONDITIONAL)) {
if (key->specified & AVTAB_ENABLED)
fprintf(fp, "[enabled] ");
else if (!(key->specified & AVTAB_ENABLED))
fprintf(fp, "[disabled] ");
}
if (key->specified & AVTAB_AV) {
if (key->specified & AVTAB_ALLOWED) {
fprintf(fp, "allow ");
render_key(key, p, fp);
render_access_mask(datum->data, key, p, fp);
fprintf(fp, ";\n");
}
if (key->specified & AVTAB_AUDITALLOW) {
fprintf(fp, "auditallow ");
render_key(key, p, fp);
render_access_mask(datum->data, key, p, fp);
fprintf(fp, ";\n");
}
if (key->specified & AVTAB_AUDITDENY) {
fprintf(fp, "dontaudit ");
render_key(key, p, fp);
/* We inverse the mask for dontaudit since the mask is internally stored
* as a auditdeny mask */
render_access_mask(~datum->data, key, p, fp);
fprintf(fp, ";\n");
}
} else if (key->specified & AVTAB_TYPE) {
if (key->specified & AVTAB_TRANSITION) {
fprintf(fp, "type_transition ");
render_key(key, p, fp);
render_type(datum->data, p, fp);
fprintf(fp, ";\n");
}
if (key->specified & AVTAB_MEMBER) {
fprintf(fp, "type_member ");
render_key(key, p, fp);
render_type(datum->data, p, fp);
fprintf(fp, ";\n");
}
if (key->specified & AVTAB_CHANGE) {
fprintf(fp, "type_change ");
render_key(key, p, fp);
render_type(datum->data, p, fp);
fprintf(fp, ";\n");
}
} else {
fprintf(fp, " ERROR: no valid rule type specified\n");
return -1;
}
return 0;
}
int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
{
int i;
avtab_ptr_t cur;
avtab_t expa;
if (avtab_init(&expa))
goto oom;
if (expand_avtab(p, a, &expa)) {
avtab_destroy(&expa);
goto oom;
}
/* hmm...should have used avtab_map. */
for (i = 0; i < expa.nslot; i++) {
for (cur = expa.htable[i]; cur; cur = cur->next) {
render_av_rule(&cur->key, &cur->datum, what, p, fp);
}
}
avtab_destroy(&expa);
fprintf(fp, "\n");
return 0;
oom:
fprintf(stderr, "out of memory\n");
return 1;
}
int display_bools(policydb_t * p, FILE * fp)
{
int i;
for (i = 0; i < p->p_bools.nprim; i++) {
fprintf(fp, "%s : %d\n", p->p_bool_val_to_name[i],
p->bool_val_to_struct[i]->state);
}
return 0;
}
void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
{
cond_expr_t *cur;
for (cur = exp; cur != NULL; cur = cur->next) {
switch (cur->expr_type) {
case COND_BOOL:
fprintf(fp, "%s ",
p->p_bool_val_to_name[cur->bool - 1]);
break;
case COND_NOT:
fprintf(fp, "! ");
break;
case COND_OR:
fprintf(fp, "|| ");
break;
case COND_AND:
fprintf(fp, "&& ");
break;
case COND_XOR:
fprintf(fp, "^ ");
break;
case COND_EQ:
fprintf(fp, "== ");
break;
case COND_NEQ:
fprintf(fp, "!= ");
break;
default:
fprintf(fp, "error!");
break;
}
}
}
int display_cond_expressions(policydb_t * p, FILE * fp)
{
cond_node_t *cur;
cond_av_list_t *av_cur, *expl = NULL;
avtab_t expa;
for (cur = p->cond_list; cur != NULL; cur = cur->next) {
fprintf(fp, "expression: ");
display_expr(p, cur->expr, fp);
fprintf(fp, "current state: %d\n", cur->cur_state);
fprintf(fp, "True list:\n");
if (avtab_init(&expa))
goto oom;
if (expand_cond_av_list(p, cur->true_list, &expl, &expa)) {
avtab_destroy(&expa);
goto oom;
}
for (av_cur = expl; av_cur != NULL; av_cur = av_cur->next) {
fprintf(fp, "\t");
render_av_rule(&av_cur->node->key, &av_cur->node->datum,
RENDER_CONDITIONAL, p, fp);
}
cond_av_list_destroy(expl);
avtab_destroy(&expa);
fprintf(fp, "False list:\n");
if (avtab_init(&expa))
goto oom;
if (expand_cond_av_list(p, cur->false_list, &expl, &expa)) {
avtab_destroy(&expa);
goto oom;
}
for (av_cur = expl; av_cur != NULL; av_cur = av_cur->next) {
fprintf(fp, "\t");
render_av_rule(&av_cur->node->key, &av_cur->node->datum,
RENDER_CONDITIONAL, p, fp);
}
cond_av_list_destroy(expl);
avtab_destroy(&expa);
}
return 0;
oom:
fprintf(stderr, "out of memory\n");
return 1;
}
int display_handle_unknown(policydb_t * p, FILE * out_fp)
{
if (p->handle_unknown == ALLOW_UNKNOWN)
fprintf(out_fp, "Allow unknown classes and permisions\n");
else if (p->handle_unknown == DENY_UNKNOWN)
fprintf(out_fp, "Deny unknown classes and permisions\n");
else if (p->handle_unknown == REJECT_UNKNOWN)
fprintf(out_fp, "Reject unknown classes and permisions\n");
return 0;
}
int change_bool(char *name, int state, policydb_t * p, FILE * fp)
{
cond_bool_datum_t *bool;
bool = hashtab_search(p->p_bools.table, name);
if (bool == NULL) {
fprintf(fp, "Could not find bool %s\n", name);
return -1;
}
bool->state = state;
evaluate_conds(p);
return 0;
}
static void display_policycaps(policydb_t * p, FILE * fp)
{
ebitmap_node_t *node;
const char *capname;
char buf[64];
int i;
fprintf(fp, "policy capabilities:\n");
ebitmap_for_each_bit(&p->policycaps, node, i) {
if (ebitmap_node_get_bit(node, i)) {
capname = sepol_polcap_getname(i);
if (capname == NULL) {
snprintf(buf, sizeof(buf), "unknown (%d)", i);
capname = buf;
}
fprintf(fp, "\t%s\n", capname);
}
}
}
static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type,
uint32_t symbol_value, char *prefix)
{
char *id = p->sym_val_to_name[symbol_type][symbol_value];
fprintf(fp, " %s%s", prefix, id);
}
static void display_permissive(policydb_t *p, FILE *fp)
{
ebitmap_node_t *node;
int i;
fprintf(fp, "permissive sids:\n");
ebitmap_for_each_bit(&p->permissive_map, node, i) {
if (ebitmap_node_get_bit(node, i)) {
fprintf(fp, "\t");
display_id(p, fp, SYM_TYPES, i - 1, "");
fprintf(fp, "\n");
}
}
}
int menu()
{
printf("\nSelect a command:\n");
printf("1) display unconditional AVTAB\n");
printf("2) display conditional AVTAB (entirely)\n");
printf("3) display conditional AVTAG (only ENABLED rules)\n");
printf("4) display conditional AVTAB (only DISABLED rules)\n");
printf("5) display conditional bools\n");
printf("6) display conditional expressions\n");
printf("7) change a boolean value\n");
printf("\n");
printf("c) display policy capabilities\n");
printf("p) display the list of permissive types\n");
printf("u) display unknown handling setting\n");
printf("f) set output file\n");
printf("m) display menu\n");
printf("q) quit\n");
return 0;
}
int main(int argc, char **argv)
{
FILE *out_fp = stdout;
char ans[81], OutfileName[121];
int fd, ret;
struct stat sb;
void *map;
char *name;
int state;
struct policy_file pf;
if (argc != 2)
usage(argv[0]);
fd = open(argv[1], O_RDONLY);
if (fd < 0) {
fprintf(stderr, "Can't open '%s': %s\n",
argv[1], strerror(errno));
exit(1);
}
if (fstat(fd, &sb) < 0) {
fprintf(stderr, "Can't stat '%s': %s\n",
argv[1], strerror(errno));
exit(1);
}
map =
mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
if (map == MAP_FAILED) {
fprintf(stderr, "Can't map '%s': %s\n",
argv[1], strerror(errno));
exit(1);
}
/* read the binary policy */
fprintf(out_fp, "Reading policy...\n");
policy_file_init(&pf);
pf.type = PF_USE_MEMORY;
pf.data = map;
pf.len = sb.st_size;
if (policydb_init(&policydb)) {
fprintf(stderr, "%s: Out of memory!\n", argv[0]);
exit(1);
}
ret = policydb_read(&policydb, &pf, 1);
if (ret) {
fprintf(stderr,
"%s: error(s) encountered while parsing configuration\n",
argv[0]);
exit(1);
}
fprintf(stdout, "binary policy file loaded\n\n");
close(fd);
menu();
for (;;) {
printf("\nCommand (\'m\' for menu): ");
fgets(ans, sizeof(ans), stdin);
switch (ans[0]) {
case '1':
display_avtab(&policydb.te_avtab, RENDER_UNCONDITIONAL,
&policydb, out_fp);
break;
case '2':
display_avtab(&policydb.te_cond_avtab,
RENDER_CONDITIONAL, &policydb, out_fp);
break;
case '3':
display_avtab(&policydb.te_cond_avtab, RENDER_ENABLED,
&policydb, out_fp);
break;
case '4':
display_avtab(&policydb.te_cond_avtab, RENDER_DISABLED,
&policydb, out_fp);
break;
case '5':
display_bools(&policydb, out_fp);
break;
case '6':
display_cond_expressions(&policydb, out_fp);
break;
case '7':
printf("name? ");
fgets(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
name = malloc((strlen(ans) + 1) * sizeof(char));
if (name == NULL) {
fprintf(stderr, "couldn't malloc string.\n");
break;
}
strcpy(name, ans);
printf("state? ");
fgets(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
if (atoi(ans))
state = 1;
else
state = 0;
change_bool(name, state, &policydb, out_fp);
free(name);
break;
case 'c':
display_policycaps(&policydb, out_fp);
break;
case 'p':
display_permissive(&policydb, out_fp);
break;
case 'u':
case 'U':
display_handle_unknown(&policydb, out_fp);
break;
case 'f':
printf
("\nFilename for output (<CR> for screen output): ");
fgets(OutfileName, sizeof(OutfileName), stdin);
OutfileName[strlen(OutfileName) - 1] = '\0'; /* fix_string (remove LF) */
if (strlen(OutfileName) == 0)
out_fp = stdout;
else if ((out_fp = fopen(OutfileName, "w")) == NULL) {
fprintf(stderr, "Cannot open output file %s\n",
OutfileName);
out_fp = stdout;
}
if (out_fp != stdout)
printf("\nOutput to file: %s\n", OutfileName);
break;
case 'q':
policydb_destroy(&policydb);
exit(0);
break;
case 'm':
menu();
break;
default:
printf("\nInvalid choice\n");
menu();
break;
}
}
}
/* FLASK */
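Review bot: the same unchecked fgets() pattern as in dismod.c appears in main() here: `ans[strlen(ans) - 1] = 0` under case '7' (twice) and `OutfileName[strlen(OutfileName) - 1] = '\0'` under case 'f' index one byte before the buffer when the string is empty, and the command loop never tests for NULL, so EOF on stdin spins on "Invalid choice"; use `if (!fgets(ans, sizeof(ans), stdin)) break;` and `ans[strcspn(ans, "\n")] = 0;`. In render_key() the stype/ttype lookups are NULL-checked before printing but tclass is not, so a stale class value reaches `%s` as a NULL pointer, and display_avtab() discards the -1 that render_av_rule() returns for "no valid rule type specified", unlike the callers in dismod.c. Typos in user-visible strings: "AVTAG" in menu(), "permisions" in display_handle_unknown(), and the header comment "Test program to the contents of a binary policy" is missing "display".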

827
libselinux/ChangeLog Normal file

@ -0,0 +1,827 @@
2.0.71 2008-08-05
* Add group support to seusers using %groupname syntax from Dan Walsh.
* Mark setrans socket close-on-exec from Stephen Smalley.
* Only apply nodups checking to base file contexts from Stephen Smalley.
2.0.70 2008-07-30
* Merge ruby bindings from Dan Walsh.
2.0.69 2008-07-29
* Handle duplicate file context regexes as a fatal error from Stephen Smalley.
This prevents adding them via semanage.
2.0.68 2008-07-18
* Fix audit2why shadowed variables from Stephen Smalley.
* Note that freecon NULL is legal in man page from Karel Zak.
2.0.67 2008-06-13
* New and revised AVC, label, and mapping man pages from Eamon Walsh.
2.0.66 2008-06-11
* Add swig python bindings for avc interfaces from Dan Walsh.
2.0.65 2008-05-27
* Fix selinux_file_context_verify() and selinux_lsetfilecon_default() to call matchpathcon_init_prefix if not already initialized.
* Add -q qualifier for -V option of matchpathcon and change it to indicate whether verification succeeded or failed via exit status.
2.0.64 2008-04-21
* Fixed selinux_set_callback man page.
2.0.63 2008-04-18
* Try loading the max of the kernel-supported version and the libsepol-supported version when no manipulation of the binary policy is needed from Stephen Smalley.
2.0.62 2008-04-18
* Fix memory leaks in matchpathcon from Eamon Walsh.
2.0.61 2008-03-31
* Man page typo fix from Jim Meyering.
2.0.60 2008-03-20
* Changed selinux_init_load_policy() to not warn about a failed mount of selinuxfs if selinux was disabled in the kernel.
2.0.59 2008-02-29
* Merged new X label "poly_selection" namespace from Eamon Walsh.
2.0.58 2008-02-28
* Merged reset_selinux_config() for load policy from Dan Walsh.
2.0.57 2008-02-25
* Merged avc_has_perm() errno fix from Eamon Walsh.
2.0.56 2008-02-21
* Regenerated Flask headers from refpolicy flask definitions.
2.0.55 2008-02-08
* Merged compute_member AVC function and manpages from Eamon Walsh.
2.0.54 2008-02-08
* Provide more error reporting on load policy failures from Stephen Smalley.
2.0.53 2008-02-07
* Merged new X label "poly_prop" namespace from Eamon Walsh.
2.0.52 2008-02-06
* Disable setlocaldefs if no local boolean or users files are present from Stephen Smalley.
2.0.51 2008-02-05
* Skip userspace preservebools processing for Linux >= 2.6.22 from Stephen Smalley.
2.0.50 2008-01-28
* Merged fix for audit2why from Dan Walsh.
2.0.49 2008-01-23
* Merged audit2why python binding from Dan Walsh.
2.0.48 2008-01-23
* Merged updated swig bindings from Dan Walsh, including typemap for pid_t.
2.0.47 2007-12-21
* Fix for the avc: granted null message bug from Stephen Smalley.
2.0.46 2007-12-07
* matchpathcon(8) man page update from Dan Walsh.
2.0.45 2007-11-20
* dlopen libsepol.so.1 rather than libsepol.so from Stephen Smalley.
2.0.44 2007-11-20
* Based on a suggestion from Ulrich Drepper, defer regex compilation until we have a stem match, by Stephen Smalley.
A further optimization would be to defer regex compilation until we have a complete match of the constant prefix of the regex - TBD.
2.0.43 2007-11-15
* Regenerated Flask headers from policy.
2.0.42 2007-11-08
* AVC enforcing mode override patch from Eamon Walsh.
2.0.41 2007-11-06
* Aligned attributes in AVC netlink code from Eamon Walsh.
2.0.40 2007-11-01
* Merged refactored AVC netlink code from Eamon Walsh.
2.0.39 2007-10-19
* Merged new X label namespaces from Eamon Walsh.
2.0.38 2007-10-15
* Bux fix and minor refactoring in string representation code.
2.0.37 2007-10-05
* Merged selinux_get_callback, avc_open, empty string mapping from Eamon Walsh.
2.0.36 2007-09-27
* Fix segfault resulting from missing file_contexts file.
2.0.35 2007-09-24
* Make netlink socket close-on-exec to avoid descriptor leakage from Dan Walsh.
* Pass CFLAGS when using gcc for linking from Dennis Gilmore.
2.0.34 2007-09-18
* Fix selabel option flag setting for 64-bit from Stephen Smalley.
2.0.33 2007-09-12
* Re-map a getxattr return value of 0 to a getfilecon return value of -1 with errno EOPNOTSUPP from Stephen Smalley.
* Fall back to the compat code for security_class_to_string and security_av_perm_to_string from Stephen Smalley.
2.0.32 2007-09-10
* Fix swig binding for rpm_execcon from James Athey.
2.0.31 2007-08-23
* Fix file_contexts.homedirs path from Todd Miller.
2.0.30 2007-08-06
* Fix segfault resulting from uninitialized print-callback pointer.
2.0.29 2007-08-02
* Added x_contexts path function patch from Eamon Walsh.
2.0.28 2007-08-01
* Fix build for EMBEDDED=y from Yuichi Nakamura.
2.0.27 2007-07-25
* Fix markup problems in selinux man pages from Dan Walsh.
2.0.26 2007-07-23
* Updated av_permissions.h and flask.h to include new nscd permissions from Dan Walsh.
* Added swigify to top-level Makefile from Dan Walsh.
2.0.25 2007-07-23
* Fix for string_to_security_class segfault on x86_64 from Stephen
Smalley.
2.0.24 2007-09-07
* Fix for getfilecon() for zero-length contexts from Stephen Smalley.
2.0.23 2007-06-22
* Refactored SWIG bindings from James Athey.
2.0.22 2007-06-20
* Labeling and callback interface patches from Eamon Walsh.
2.0.21 2007-06-11
* Class and permission mapping support patches from Eamon Walsh.
2.0.20 2007-06-07
* Object class discovery support patches from Chris PeBenito.
2.0.19 2007-06-05
* Refactoring and errno support in string representation code.
2.0.18 2007-05-31
* Merged patch to reduce size of libselinux and remove need for libsepol for embedded systems from Yuichi Nakamura.
This patch also turns the link-time dependency on libsepol into a runtime (dlopen) dependency even in the non-embedded case.
2.0.17 2007-05-31
* Updated Lindent script and reindented two header files.
2.0.16 2007-05-09
* Merged additional swig python bindings from Dan Walsh.
2.0.15 2007-04-27
* Merged helpful message when selinuxfs mount fails patch from Dax Kelson.
2.0.14 2007-04-24
* Merged build fix for avc_internal.c from Joshua Brindle.
2.0.13 2007-04-12
* Merged rpm_execcon python binding fix, matchpathcon man page fix, and getsebool -a handling for EACCES from Dan Walsh.
2.0.12 2007-04-09
* Merged support for getting initial contexts from James Carter.
2.0.11 2007-04-05
* Merged userspace AVC patch to follow kernel's behavior for permissive mode in caching previous denials from Eamon Walsh.
2.0.10 2007-04-05
* Merged sidput(NULL) patch from Eamon Walsh.
2.0.9 2007-03-30
* Merged class/av string conversion and avc_compute_create patch from Eamon Walsh.
2.0.8 2007-03-20
* Merged fix for avc.h #include's from Eamon Walsh.
2.0.7 2007-03-12
* Merged patch to drop support for CACHETRANS=0 config option from Steve Grubb.
2.0.6 2007-03-12
* Merged patch to drop support for old /etc/sysconfig/selinux and
/etc/security policy file layout from Steve Grubb.
2.0.5 2007-02-27
* Merged init_selinuxmnt() and is_selinux_enabled() improvements from Steve Grubb.
2.0.4 2007-02-23
* Removed sending of setrans init message.
2.0.3 2007-02-22
* Merged matchpathcon memory leak fix from Steve Grubb.
2.0.2 2007-02-21
* Merged more swig initializers from Dan Walsh.
2.0.1 2007-02-20
* Merged patch from Todd Miller to convert int types over to C99 style.
2.0.0 2007-02-01
* Merged patch from Todd Miller to remove sscanf in matchpathcon.c because
of the use of the non-standard format %as. (original patch changed
for style).
* Merged patch from Todd Miller to fix memory leak in matchpathcon.c.
1.34.1 2007-01-26
* Merged python binding fixes from Dan Walsh.
1.34.0 2007-01-18
* Updated version for stable branch.
1.33.6 2007-01-17
* Merged man page updates to make "apropos selinux" work from Dan Walsh.
1.33.5 2007-01-16
* Merged getdefaultcon utility from Dan Walsh.
1.33.4 2007-01-11
* Merged selinux_check_securetty_context() and support from Dan Walsh.
1.33.3 2007-01-04
* Merged patch for matchpathcon utility to use file mode information
when available from Dan Walsh.
1.33.2 2006-11-27
* Merged patch to compile with -fPIC instead of -fpic from
Manoj Srivastava to prevent hitting the global offset table
limit. Patch changed to include libsepol and libsemanage in
addition to libselinux.
1.33.1 2006-10-19
* Merged updated flask definitions from Darrel Goeddel.
This adds the context security class, and also adds
the string definitions for setsockcreate and polmatch.
1.32 2006-10-17
* Updated version for release.
1.30.30 2006-10-05
* Merged patch from Darrel Goeddel to always use untranslated
contexts in the userspace AVC.
1.30.29 2006-09-29
* Merged av_permissions.h update from Steve Grubb,
adding setsockcreate and polmatch definitions.
1.30.28 2006-09-13
* Merged patch from Steve Smalley to fix SIGPIPE in setrans_client
* Merged c++ class identifier fix from Joe Nall.
1.30.27 2006-08-24
* Merged patch to not log avc stats upon a reset from Steve Grubb.
* Applied patch to revert compat_net setting upon policy load.
1.30.26 2006-08-11
* Merged file context homedir and local path functions from
Chris PeBenito.
1.30.25 2006-08-11
* Rework functions that access /proc/pid/attr to access the
per-thread nodes, and unify the code to simplify maintenance.
1.30.24 2006-08-10
* Merged return value fix for *getfilecon() from Dan Walsh.
1.30.23 2006-08-10
* Merged sockcreate interfaces from Eric Paris.
1.30.22 2006-08-03
* Merged no-tls-direct-seg-refs patch from Jeremy Katz.
1.30.21 2006-08-03
* Merged netfilter_contexts support patch from Chris PeBenito.
1.30.20 2006-08-01
* Merged context_*_set errno patch from Jim Meyering.
1.30.19 2006-06-29
* Lindent.
1.30.18 2006-06-27
* Merged {get,set}procattrcon patch set from Eric Paris.
* Merged re-base of keycreate patch originally by Michael LeMay from Eric Paris.
1.30.17 2006-06-27
* Regenerated Flask headers from refpolicy.
1.30.16 2006-06-26
* Merged patch from Dan Walsh with:
- Added selinux_file_context_{cmp,verify}.
- Added selinux_lsetfilecon_default.
- Delay translation of contexts in matchpathcon.
1.30.15 2006-06-16
* Merged patch from Dan Walsh with:
* Added selinux_getpolicytype() function.
* Modified setrans code to skip processing if !mls_enabled.
1.30.14 2006-06-16
* Set errno in the !selinux_mnt case.
1.30.13 2006-06-02
* Allocate large buffers from the heap, not on stack.
Affects is_context_customizable, selinux_init_load_policy,
and selinux_getenforcemode.
1.30.12 2006-06-02
* Merged !selinux_mnt checks from Ian Kent.
1.30.11 2006-05-24
* Merged matchmediacon and trans_to_raw_context fixes from
Serge Hallyn.
1.30.10 2006-05-22
* Merged simple setrans client cache from Dan Walsh.
Merged avcstat patch from Russell Coker.
1.30.9 2006-05-22
* Modified selinux_mkload_policy() to also set /selinux/compat_net
appropriately for the loaded policy.
1.30.8 2006-05-17
* Added matchpathcon_fini() function to free memory allocated by
matchpathcon_init().
1.30.7 2006-05-16
* Merged setrans client cleanup patch from Steve Grubb.
1.30.6 2006-05-08
* Merged getfscreatecon man page fix from Dan Walsh.
* Updated booleans(8) man page to drop references to the old
booleans file and to note that setsebool can be used to set
the boot-time defaults via -P.
1.30.5 2006-05-05
* Merged fix warnings patch from Karl MacMillan.
1.30.4 2006-05-05
* Merged setrans client support from Dan Walsh.
This removes use of libsetrans.
* Merged patch to eliminate use of PAGE_SIZE constant from Dan Walsh.
* Merged swig typemap fixes from Glauber de Oliveira Costa.
1.30.3 2006-04-12
* Added distclean target to Makefile.
* Regenerated swig files.
1.30.2 2006-04-11
* Changed matchpathcon_init to verify that the spec file is
a regular file.
* Merged python binding t_output_helper removal patch from Dan Walsh.
1.30.1 2006-03-20
* Merged Makefile PYLIBVER definition patch from Dan Walsh.
1.30 2006-03-14
* Updated version for release.
1.29.8 2006-02-27
* Altered rpm_execcon fallback logic for permissive mode to also
handle case where /selinux/enforce is not available.
1.29.7 2006-01-20
* Merged install-pywrap Makefile patch from Joshua Brindle.
1.29.6 2006-01-18
* Merged pywrap Makefile patch from Dan Walsh.
1.29.5 2006-01-11
* Added getseuser test program.
1.29.4 2006-01-06
* Added format attribute to myprintf in matchpathcon.c and
removed obsoleted rootlen variable in init_selinux_config().
1.29.3 2006-01-04
* Merged several fixes and improvements from Ulrich Drepper
(Red Hat), including:
- corrected use of getline
- further calls to __fsetlocking for local files
- use of strdupa and asprintf
- proper handling of dirent in booleans code
- use of -z relro
- several other optimizations
* Merged getpidcon python wrapper from Dan Walsh (Red Hat).
1.29.2 2005-12-14
* Merged call to finish_context_translations from Dan Walsh.
This eliminates a memory leak from failing to release memory
allocated by libsetrans.
1.29.1 2005-12-08
* Merged patch for swig interfaces from Dan Walsh.
1.28 2005-12-07
* Updated version for release.
1.27.28 2005-12-01
* Added MATCHPATHCON_VALIDATE flag for set_matchpathcon_flags() and
modified matchpathcon implementation to make context validation/
canonicalization optional at matchpathcon_init time, deferring it
to a successful matchpathcon by default unless the new flag is set
by the caller.
1.27.27 2005-12-01
* Added matchpathcon_init_prefix() interface, and
reworked matchpathcon implementation to support selective
loading of file contexts entries based on prefix matching
between the pathname regex stems and the specified path
prefix (stem must be a prefix of the specified path prefix).
1.27.26 2005-11-29
* Merged getsebool patch from Dan Walsh.
1.27.25 2005-11-29
* Added -f file_contexts option to matchpathcon util.
Fixed warning message in matchpathcon_init().
1.27.24 2005-11-29
* Merged Makefile python definitions patch from Dan Walsh.
1.27.23 2005-11-28
* Merged swigify patch from Dan Walsh.
1.27.22 2005-11-15
* Merged make failure in rpm_execcon non-fatal in permissive mode
patch from Ivan Gyurdiev.
1.27.21 2005-11-08
* Added MATCHPATHCON_NOTRANS flag for set_matchpathcon_flags()
and modified matchpathcon_init() to skip context translation
if it is set by the caller.
1.27.20 2005-11-07
* Added security_canonicalize_context() interface and
set_matchpathcon_canoncon() interface for obtaining
canonical contexts. Changed matchpathcon internals
to obtain canonical contexts by default. Provided
fallback for kernels that lack extended selinuxfs context
interface.
1.27.19 2005-11-04
* Merged seusers parser changes from Ivan Gyurdiev.
* Merged setsebool to libsemanage patch from Ivan Gyurdiev.
* Changed seusers parser to reject empty fields.
1.27.18 2005-11-03
* Merged seusers empty level handling patch from Jonathan Kim (TCS).
1.27.17 2005-10-27
* Changed default entry for seusers to use __default__ to avoid
ambiguity with users named "default".
1.27.16 2005-10-27
* Fixed init_selinux_config() handling of missing /etc/selinux/config
or missing SELINUXTYPE= definition.
* Merged selinux_translations_path() patch from Dan Walsh.
1.27.15 2005-10-25
* Added hidden_proto/def for get_default_context_with_role.
1.27.14 2005-10-25
* Merged selinux_path() and selinux_homedir_context_path()
functions from Joshua Brindle.
1.27.13 2005-10-19
* Merged fixes for make DESTDIR= builds from Joshua Brindle.
1.27.12 2005-10-18
* Merged get_default_context_with_rolelevel and man pages from
Dan Walsh (Red Hat).
1.27.11 2005-10-18
* Updated call to sepol_policydb_to_image for sepol changes.
1.27.10 2005-10-17
* Changed getseuserbyname to ignore empty lines and to handle
no matching entry in the same manner as no seusers file.
1.27.9 2005-10-13
* Changed selinux_mkload_policy to try downgrading the
latest policy version available to the kernel-supported version.
1.27.8 2005-10-11
* Changed selinux_mkload_policy to fall back to the maximum
policy version supported by libsepol if the kernel policy version
falls outside of the supported range.
1.27.7 2005-10-06
* Changed getseuserbyname to fall back to the Linux username and
NULL level if seusers config file doesn't exist unless
REQUIRESEUSERS=1 is set in /etc/selinux/config.
* Moved seusers.conf under $SELINUXTYPE and renamed to seusers.
1.27.6 2005-10-06
* Added selinux_init_load_policy() function as an even higher level
interface for the initial policy load by /sbin/init. This obsoletes
the load_policy() function in the sysvinit-selinux.patch.
1.27.5 2005-10-06
* Added selinux_mkload_policy() function as a higher level interface
for loading policy than the security_load_policy() interface.
1.27.4 2005-10-05
* Merged fix for matchpathcon (regcomp error checking) from Johan
Fischer. Also added use of regerror to obtain the error string
for inclusion in the error message.
1.27.3 2005-10-03
* Changed getseuserbyname to not require (and ignore if present)
the MLS level in seusers.conf if MLS is disabled, setting *level
to NULL in this case.
1.27.2 2005-09-30
* Merged getseuserbyname patch from Dan Walsh.
1.27.1 2005-09-19
* Merged STRIP_LEVEL patch for matchpathcon from Dan Walsh.
This allows file_contexts with MLS fields to be processed on
non-MLS-enabled systems with policies that are otherwise
identical (e.g. same type definitions).
* Merged get_ordered_context_list_with_level() function from
Dan Walsh, and added get_default_context_with_level().
This allows MLS level selection for users other than the
default level.
1.26 2005-09-06
* Updated version for release.
1.25.7 2005-09-01
* Merged modified form of patch to avoid dlopen/dlclose by
the static libselinux from Dan Walsh. Users of the static libselinux
will not have any context translation by default.
1.25.6 2005-08-31
* Added public functions to export context translation to
users of libselinux (selinux_trans_to_raw_context,
selinux_raw_to_trans_context).
1.25.5 2005-08-26
* Remove special definition for context_range_set; use
common code.
1.25.4 2005-08-25
* Hid translation-related symbols entirely and ensured that
raw functions have hidden definitions for internal use.
* Allowed setting NULL via context_set* functions.
* Allowed whitespace in MLS component of context.
* Changed rpm_execcon to use translated functions to workaround
lack of MLS level on upgraded systems.
1.25.3 2005-08-23
* Merged context translation patch, originally by TCS,
with modifications by Dan Walsh (Red Hat).
1.25.2 2005-08-11
* Merged several fixes for error handling paths in the
AVC sidtab, matchpathcon, booleans, context, and get_context_list
code from Serge Hallyn (IBM). Bugs found by Coverity.
1.25.1 2005-08-10
* Removed setupns; migrated to pam.
* Merged patches to rename checkPasswdAccess() from Joshua Brindle.
Original symbol is temporarily retained for compatibility until
all callers are updated.
1.24 2005-06-20
* Updated version for release.
1.23.12 2005-06-13
* Merged security_setupns() from Chad Sellers.
1.23.11 2005-05-19
* Merged avcstat and selinux man page from Dan Walsh.
* Changed security_load_booleans to process booleans.local
even if booleans file doesn't exist.
1.23.10 2005-04-29
* Merged set_selinuxmnt patch from Bill Nottingham (Red Hat).
1.23.9 2005-04-26
* Rewrote get_ordered_context_list and helpers, including
changing logic to allow variable MLS fields.
1.23.8 2005-04-25
* Merged matchpathcon and man page patch from Dan Walsh.
1.23.7 2005-04-12
* Changed boolean functions to return -1 with errno ENOENT
rather than assert on a NULL selinux_mnt (i.e. selinuxfs not
mounted).
1.23.6 2005-04-08
* Fixed bug in matchpathcon_filespec_destroy.
1.23.5 2005-04-05
* Fixed bug in rpm_execcon error handling path.
1.23.4 2005-04-04
* Merged fix for set_matchpathcon* functions from Andreas Steinmetz.
* Merged fix for getconlist utility from Andreas Steinmetz.
1.23.3 2005-03-29
* Merged security_set_boolean_list patch from Dan Walsh.
This introduces booleans.local support for setsebool.
1.23.2 2005-03-17
* Merged destructors patch from Tomas Mraz.
1.23.1 2005-03-16
* Added set_matchpathcon_flags() function for setting flags
controlling operation of matchpathcon. MATCHPATHCON_BASEONLY
means only process the base file_contexts file, not
file_contexts.homedirs or file_contexts.local, and is for use by
setfiles -c.
* Updated matchpathcon.3 man page.
1.22 2005-03-09
* Updated version for release.
1.21.13 2005-03-08
* Fixed bug in matchpathcon_filespec_add() - failure to clear fl_head.
1.21.12 2005-03-01
* Changed matchpathcon_common to ignore any non-format bits in the mode.
1.21.11 2005-02-22
* Merged several fixes from Ulrich Drepper.
1.21.10 2005-02-17
* Merged matchpathcon patch for file_contexts.homedir from Dan Walsh.
* Added selinux_users_path() for path to directory containing
system.users and local.users.
1.21.9 2005-02-09
* Changed relabel Makefile target to use restorecon.
1.21.8 2005-02-07
* Regenerated av_permissions.h.
1.21.7 2005-02-01
* Modified avc_dump_av to explicitly check for any permissions that
cannot be mapped to string names and display them as a hex value.
1.21.6 2005-01-31
* Regenerated av_permissions.h.
1.21.5 2005-01-28
* Generalized matchpathcon internals, exported more interfaces,
and moved additional code from setfiles into libselinux so that
setfiles can directly use matchpathcon.
1.21.4 2005-01-27
* Prevent overflow of spec array in matchpathcon.
1.21.3 2005-01-26
* Fixed several uses of internal functions to avoid relocations.
* Changed rpm_execcon to check is_selinux_enabled() and fallback to
a regular execve if not enabled (or unable to determine due to a lack
of /proc, e.g. chroot'd environment).
1.21.2 2005-01-24
* Merged minor fix for avcstat from Dan Walsh.
1.21.1 2005-01-19
* Merged patch from Dan Walsh, including:
- new is_context_customizable function
- changed matchpathcon to also use file_contexts.local if present
- man page cleanups
1.20 2005-01-04
* Changed matchpathcon to return -1 with errno ENOENT for
<<none>> entries, and also for an empty file_contexts configuration.
* Removed some trivial utils that were not useful or redundant.
* Changed BINDIR default to /usr/sbin to match change in Fedora.
* Added security_compute_member.
* Added man page for setcon.
* Merged more man pages from Dan Walsh.
* Merged avcstat from James Morris.
* Merged build fix for mips from Manoj Srivastava.
* Merged C++ support from John Ramsdell of MITRE.
* Merged setcon() function from Darrel Goeddel of TCS.
* Merged setsebool/togglesebool enhancement from Steve Grubb.
* Merged cleanup patches from Steve Grubb.
1.18 2004-11-01
* Merged cleanup patches from Steve Grubb.
* Added rpm_execcon.
* Merged setenforce and removable context patch from Dan Walsh.
* Merged build fix for alpha from Ulrich Drepper.
* Removed copyright/license from selinux_netlink.h - definitions only.
* Merged matchmediacon from Dan Walsh.
* Regenerated headers for new nscd permissions.
* Added get_default_context_with_role.
* Added set_matchpathcon_printf.
* Reworked av_inherit.h to allow easier re-use by kernel.
* Changed avc_has_perm_noaudit to not fail on netlink errors.
* Changed avc netlink code to check pid based on patch by Steve Grubb.
* Merged second optimization patch from Ulrich Drepper.
* Changed matchpathcon to skip invalid file_contexts entries.
* Made string tables private to libselinux.
* Merged strcat->stpcpy patch from Ulrich Drepper.
* Merged matchpathcon man page from Dan Walsh.
* Merged patch to eliminate PLTs for local syms from Ulrich Drepper.
* Autobind netlink socket.
* Dropped compatibility code from security_compute_user.
* Merged fix for context_range_set from Chad Hanson.
* Merged allocation failure checking patch from Chad Hanson.
* Merged avc netlink error message patch from Colin Walters.
1.16 2004-08-19
* Regenerated headers for nscd class.
* Merged man pages from Dan Walsh.
* Merged context_new bug fix for MLS ranges from Chad Hanson.
* Merged toggle_bool from Chris PeBenito, renamed to togglesebool.
* Renamed change_bool and show_bools to setsebool and getsebool.
* Merged security_load_booleans() function from Dan Walsh.
* Added selinux_booleans_path() function.
* Changed avc_init function prototype to use const.
* Regenerated headers for crontab permission.
* Added checkAccess from Dan Walsh.
* Merged getenforce patch from Dan Walsh.
* Regenerated headers for dbus classes.
1.14 2004-06-16
* Regenerated headers for fine-grained netlink classes.
* Merged selinux_config bug fix from Dan Walsh.
* Added userspace AVC man pages.
* Added man links for API calls to existing man pages documenting them.
* Replaced $HOME/.default_contexts support with /etc/selinux/contexts/users/$USER support.
* Merged patch to determine config file paths at runtime to support
reorganized layout.
* Regenerated flask headers with stable ordering.
* Merged patch for man pages from Russell Coker.
1.12 2004-05-10
* Updated flask files to include new SE-X security classes.
* Added security_disable function for runtime disable of SELinux prior
to initial policy load (for /sbin/init).
* Changed get_ordered_context_list to omit any reachable contexts
that are not explicitly listed in default_contexts, unless there
are no matches.
* Merged man pages from Russell Coker and Dan Walsh.
* Merged memory leak fixes from Dan Walsh.
* Merged policyvers errno patch from Chris PeBenito.
1.10 2004-04-05
* Merged getenforce patch from Dan Walsh.
* Fixed init_selinuxmnt to correctly handle use of "selinuxfs" as
the device specification, i.e. mount selinuxfs /selinux -t selinuxfs.
Based on a patch by Russell Coker.
* Merged matchpathcon buffer size fix from Dan Walsh.
1.8 2004-03-09
* Merged is_selinux_mls_enabled() from Chad Hanson of TCS.
* Added matchpathcon function.
* Updated userspace AVC to handle netlink selinux notifications.
1.6 2004-02-18
* Merged conditional policy extensions from Tresys Technology.
* Added userspace avc and SID table implementation.
* Fixed type on size in getpeercon per Thorsten Kukuk's advice.
* Fixed use of getpwnam_r per Thorsten Kukuk's advice.
* Changed to use getpwnam_r rather than getpwnam internally to
avoid clobbering any existing pwd struct obtained by the caller.
* Added getpeercon function to encapsulate getsockopt SO_PEERSEC
and handle allocation ala getfilecon.
* Changed is_selinux_enabled to return -1 on errors.
* Changed to discover selinuxfs mount point via /proc/mounts
so that the mount point can be changed without rebuilding.
1.4 2003-12-01
* Merged another cleanup patch from Bastian Blank and Joerg Hoh.
* Regenerate headers for new permissions.
* Merged static lib build patch from Bastian Blank and Joerg Hoh.
* Export SELINUXMNT definition, add SELINUXPOLICY definition.
* Add functions to provide access to enforce and policyvers.
* Changed is_selinux_enabled to check /proc/filesystems for selinuxfs.
* Fixed type for 'size' in *getfilecon.
* Dropped -lattr and changed #include's to <sys/xattr.h>
* Merged patch to move shared library to /lib from Dan Walsh.
* Changed get_ordered_context_list to support a failsafe context.
* Added selinuxenabled utility.
* Merged const patch from Thorsten Kukuk.
1.2 2003-09-30
* Change is_selinux_enabled to fail if policy isn't loaded.
* Changed Makefiles to allow non-root rpm builds.
* Added -lattr for libselinux.so to ensure proper binding.
1.1 2003-08-13
* Ensure that context strings are padded with a null byte
in case the kernel didn't include one.
* Regenerate headers, update helpers.c for code cleanup.
* Pass soname flag to linker (Colin Walters).
* Fixes for various items: add const as appropriate, handle missed OOM condition, clean up compile warnings (Colin Walters).
1.0 2003-07-11
* Initial public release.

21
libselinux/LICENSE Normal file

@ -0,0 +1,21 @@
This library (libselinux) is public domain software, i.e. not copyrighted.
Warranty Exclusion
------------------
You agree that this software is a
non-commercially developed program that may contain "bugs" (as that
term is used in the industry) and that it may not function as intended.
The software is licensed "as is". NSA makes no, and hereby expressly
disclaims all, warranties, express, implied, statutory, or otherwise
with respect to the software, including noninfringement and the implied
warranties of merchantability and fitness for a particular purpose.
Limitation of Liability
-----------------------
In no event will NSA be liable for any damages, including loss of data,
lost profits, cost of cover, or other special, incidental,
consequential, direct or indirect damages arising from the software or
the use thereof, however caused and on any theory of liability. This
limitation will apply even if NSA has been advised of the possibility
of such damage. You acknowledge that this is a reasonable allocation of
risk.

59
libselinux/Makefile Normal file

@ -0,0 +1,59 @@
DISABLE_AVC ?= n
DISABLE_SETRANS ?= n
DISABLE_RPM ?= n
DISABLE_BOOL ?= n
ifeq ($(EMBEDDED),y)
override DISABLE_AVC=y
override DISABLE_SETRANS=y
override DISABLE_RPM=y
override DISABLE_BOOL=y
endif
ifeq ($(DISABLE_AVC),y)
EMFLAGS+= -DDISABLE_AVC
endif
ifeq ($(DISABLE_BOOL),y)
EMFLAGS+= -DDISABLE_BOOL
endif
ifeq ($(DISABLE_SETRANS),y)
EMFLAGS+= -DDISABLE_SETRANS
endif
export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS
all:
$(MAKE) -C src
$(MAKE) -C utils
swigify: all
$(MAKE) -C src swigify
pywrap:
$(MAKE) -C src pywrap
rubywrap:
$(MAKE) -C src rubywrap
install:
$(MAKE) -C include install
$(MAKE) -C src install
$(MAKE) -C utils install
$(MAKE) -C man install
install-pywrap:
$(MAKE) -C src install-pywrap
install-rubywrap:
$(MAKE) -C src install-rubywrap
relabel:
$(MAKE) -C src relabel
clean distclean:
$(MAKE) -C src $@
$(MAKE) -C utils clean
indent:
$(MAKE) -C src $@
$(MAKE) -C utils $@
$(MAKE) -C include $@
test:
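Review bot: DISABLE_RPM is defaulted, forced on under EMBEDDED=y and exported (the lines "DISABLE_RPM ?= n", "override DISABLE_RPM=y" and the export line), but unlike DISABLE_AVC, DISABLE_BOOL and DISABLE_SETRANS it never adds a -DDISABLE_RPM to EMFLAGS. If src/Makefile honours the exported variable by dropping the rpm sources from the build, a one-line comment here saying so would stop the next reader from adding the "missing" ifeq block; if it does not, EMBEDDED=y silently leaves rpm_execcon in the library. Two smaller points in the same hunk: "clean distclean:" runs "$(MAKE) -C utils clean" for both targets, so "make distclean" never runs distclean in utils (use "$(MAKE) -C utils $@" as the indent target does), and "test:" is an empty recipe, which satisfies the top-level Makefile's per-subdirectory "make test" loop without running anything; if that is intended, a comment would make clear it is a placeholder rather than a truncated rule.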

1
libselinux/VERSION Normal file

@ -0,0 +1 @@
2.0.71


@ -0,0 +1,11 @@
# Installation directories.
PREFIX ?= $(DESTDIR)/usr
INCDIR ?= $(PREFIX)/include/selinux
install:
test -d $(INCDIR) || install -m 755 -d $(INCDIR)
install -m 644 $(wildcard selinux/*.h) $(INCDIR)
indent:
../../scripts/Lindent $(wildcard selinux/*.h)
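Review bot: "PREFIX ?= $(DESTDIR)/usr" folds the staging directory into the install prefix, so a caller who passes PREFIX=/usr/local on the make command line (which overrides the ?= default) loses DESTDIR entirely and the headers land on the live system instead of in the staging tree. The usual split is "PREFIX ?= /usr" with DESTDIR applied only in the install recipe, i.e. "test -d $(DESTDIR)$(INCDIR) || install -m 755 -d $(DESTDIR)$(INCDIR)" and "install -m 644 $(wildcard selinux/*.h) $(DESTDIR)$(INCDIR)".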

File diff suppressed because it is too large


@ -0,0 +1,433 @@
/*
* Access vector cache interface for object managers.
*
* Author : Eamon Walsh <ewalsh@epoch.ncsc.mil>
*/
#ifndef _SELINUX_AVC_H_
#define _SELINUX_AVC_H_
#include <stdint.h>
#include <errno.h>
#include <stdlib.h>
#include <selinux/selinux.h>
#ifdef __cplusplus
extern "C" {
#endif
/*
* SID format and operations
*/
struct security_id {
security_context_t ctx;
unsigned int refcnt;
};
typedef struct security_id *security_id_t;
#define SECSID_WILD (security_id_t)NULL /* unspecified SID */
/**
* avc_sid_to_context - get copy of context corresponding to SID.
* @sid: input SID
* @ctx: pointer to context reference
*
* Return a copy of the security context corresponding to the input
* @sid in the memory referenced by @ctx. The caller is expected to
* free the context with freecon(). Return %0 on success, -%1 on
* failure, with @errno set to %ENOMEM if insufficient memory was
* available to make the copy, or %EINVAL if the input SID is invalid.
*/
int avc_sid_to_context(security_id_t sid, security_context_t * ctx);
int avc_sid_to_context_raw(security_id_t sid, security_context_t * ctx);
/**
* avc_context_to_sid - get SID for context.
* @ctx: input security context
* @sid: pointer to SID reference
*
* Look up security context @ctx in SID table, making
* a new entry if @ctx is not found. Increment the
* reference counter for the SID. Store a pointer
* to the SID structure into the memory referenced by @sid,
* returning %0 on success or -%1 on error with @errno set.
*/
int avc_context_to_sid(security_context_t ctx, security_id_t * sid);
int avc_context_to_sid_raw(security_context_t ctx, security_id_t * sid);
/**
* sidget - increment SID reference counter.
* @sid: SID reference
*
* Increment the reference counter for @sid, indicating that
* @sid is in use by an (additional) object. Return the
* new reference count, or zero if @sid is invalid (has zero
* reference count). Note that avc_context_to_sid() also
* increments reference counts.
*/
int sidget(security_id_t sid);
/**
* sidput - decrement SID reference counter.
* @sid: SID reference
*
* Decrement the reference counter for @sid, indicating that
* a reference to @sid is no longer in use. Return the
* new reference count. When the reference count reaches
* zero, the SID is invalid, and avc_context_to_sid() must
* be called to obtain a new SID for the security context.
*/
int sidput(security_id_t sid);
/**
* avc_get_initial_sid - get SID for an initial kernel security identifier
* @name: input name of initial kernel security identifier
* @sid: pointer to a SID reference
*
* Get the context for an initial kernel security identifier specified by
* @name using security_get_initial_context() and then call
* avc_context_to_sid() to get the corresponding SID.
*/
int avc_get_initial_sid(const char *name, security_id_t * sid);
/*
* AVC entry
*/
struct avc_entry;
struct avc_entry_ref {
struct avc_entry *ae;
};
/**
* avc_entry_ref_init - initialize an AVC entry reference.
* @aeref: pointer to avc entry reference structure
*
* Use this macro to initialize an avc entry reference structure
* before first use. These structures are passed to avc_has_perm(),
* which stores cache entry references in them. They can increase
* performance on repeated queries.
*/
#define avc_entry_ref_init(aeref) ((aeref)->ae = NULL)
/*
* User-provided callbacks for memory, auditing, and locking
*/
/* These structures are passed by reference to avc_init(). Passing
* a NULL reference will cause the AVC to use a default. The default
* memory callbacks are malloc() and free(). The default logging method
* is to print on stderr. If no thread callbacks are passed, a separate
* listening thread won't be started for kernel policy change messages.
* If no locking callbacks are passed, no locking will take place.
*/
struct avc_memory_callback {
/* malloc() equivalent. */
void *(*func_malloc) (size_t size);
/* free() equivalent. */
void (*func_free) (void *ptr);
/* Note that these functions should set errno on failure.
If not, some avc routines may return -1 without errno set. */
};
struct avc_log_callback {
/* log the printf-style format and arguments. */
void (*func_log) (const char *fmt, ...);
/* store a string representation of auditdata (corresponding
to the given security class) into msgbuf. */
void (*func_audit) (void *auditdata, security_class_t cls,
char *msgbuf, size_t msgbufsize);
};
struct avc_thread_callback {
/* create and start a thread, returning an opaque pointer to it;
the thread should run the given function. */
void *(*func_create_thread) (void (*run) (void));
/* cancel a given thread and free its resources. */
void (*func_stop_thread) (void *thread);
};
struct avc_lock_callback {
/* create a lock and return an opaque pointer to it. */
void *(*func_alloc_lock) (void);
/* obtain a given lock, blocking if necessary. */
void (*func_get_lock) (void *lock);
/* release a given lock. */
void (*func_release_lock) (void *lock);
/* destroy a given lock (free memory, etc.) */
void (*func_free_lock) (void *lock);
};
/*
* Available options
*/
/* no-op option, useful for unused slots in an array of options */
#define AVC_OPT_UNUSED 0
/* override kernel enforcing mode (boolean value) */
#define AVC_OPT_SETENFORCE 1
/*
* AVC operations
*/
/**
* avc_init - Initialize the AVC.
* @msgprefix: prefix for log messages
* @mem_callbacks: user-supplied memory callbacks
* @log_callbacks: user-supplied logging callbacks
* @thread_callbacks: user-supplied threading callbacks
* @lock_callbacks: user-supplied locking callbacks
*
* Initialize the access vector cache. Return %0 on
* success or -%1 with @errno set on failure.
* If @msgprefix is NULL, use "uavc". If any callback
* structure references are NULL, use default methods
* for those callbacks (see the definition of the callback
* structures above).
*/
int avc_init(const char *msgprefix,
const struct avc_memory_callback *mem_callbacks,
const struct avc_log_callback *log_callbacks,
const struct avc_thread_callback *thread_callbacks,
const struct avc_lock_callback *lock_callbacks);
/**
* avc_open - Initialize the AVC.
* @opts: array of selabel_opt structures specifying AVC options or NULL.
* @nopts: number of elements in opts array or zero for no options.
*
* This function is identical to avc_init(), except the message prefix
* is set to "avc" and any callbacks desired should be specified via
* selinux_set_callback(). Available options are listed above.
*/
int avc_open(struct selinux_opt *opts, unsigned nopts);
/**
* avc_cleanup - Remove unused SIDs and AVC entries.
*
* Search the SID table for SID structures with zero
* reference counts, and remove them along with all
* AVC entries that reference them. This can be used
* to return memory to the system.
*/
void avc_cleanup(void);
/**
* avc_reset - Flush the cache and reset statistics.
*
* Remove all entries from the cache and reset all access
* statistics (as returned by avc_cache_stats()) to zero.
* The SID mapping is not affected. Return %0 on success,
* -%1 with @errno set on error.
*/
int avc_reset(void);
/**
* avc_destroy - Free all AVC structures.
*
* Destroy all AVC structures and free all allocated
* memory. User-supplied locking, memory, and audit
* callbacks will be retained, but security-event
* callbacks will not. All SID's will be invalidated.
* User must call avc_init() if further use of AVC is desired.
*/
void avc_destroy(void);
/**
* avc_has_perm_noaudit - Check permissions but perform no auditing.
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
* @requested: requested permissions, interpreted based on @tclass
* @aeref: AVC entry reference
* @avd: access vector decisions
*
* Check the AVC to determine whether the @requested permissions are granted
* for the SID pair (@ssid, @tsid), interpreting the permissions
* based on @tclass, and call the security server on a cache miss to obtain
* a new decision and add it to the cache. Update @aeref to refer to an AVC
* entry with the resulting decisions, and return a copy of the decisions
* in @avd. Return %0 if all @requested permissions are granted, -%1 with
* @errno set to %EACCES if any permissions are denied, or to another value
* upon other errors. This function is typically called by avc_has_perm(),
* but may also be called directly to separate permission checking from
* auditing, e.g. in cases where a lock must be held for the check but
* should be released for the auditing.
*/
int avc_has_perm_noaudit(security_id_t ssid,
security_id_t tsid,
security_class_t tclass,
access_vector_t requested,
struct avc_entry_ref *aeref, struct av_decision *avd);
/**
* avc_has_perm - Check permissions and perform any appropriate auditing.
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
* @requested: requested permissions, interpreted based on @tclass
* @aeref: AVC entry reference
* @auditdata: auxiliary audit data
*
* Check the AVC to determine whether the @requested permissions are granted
* for the SID pair (@ssid, @tsid), interpreting the permissions
* based on @tclass, and call the security server on a cache miss to obtain
* a new decision and add it to the cache. Update @aeref to refer to an AVC
* entry with the resulting decisions. Audit the granting or denial of
* permissions in accordance with the policy. Return %0 if all @requested
* permissions are granted, -%1 with @errno set to %EACCES if any permissions
* are denied or to another value upon other errors.
*/
int avc_has_perm(security_id_t ssid, security_id_t tsid,
security_class_t tclass, access_vector_t requested,
struct avc_entry_ref *aeref, void *auditdata);
/**
* avc_audit - Audit the granting or denial of permissions.
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
* @requested: requested permissions
* @avd: access vector decisions
* @result: result from avc_has_perm_noaudit
* @auditdata: auxiliary audit data
*
* Audit the granting or denial of permissions in accordance
* with the policy. This function is typically called by
* avc_has_perm() after a permission check, but can also be
* called directly by callers who use avc_has_perm_noaudit()
* in order to separate the permission check from the auditing.
* For example, this separation is useful when the permission check must
* be performed under a lock, to allow the lock to be released
* before calling the auditing code.
*/
void avc_audit(security_id_t ssid, security_id_t tsid,
security_class_t tclass, access_vector_t requested,
struct av_decision *avd, int result, void *auditdata);
/**
* avc_compute_create - Compute SID for labeling a new object.
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
* @newsid: pointer to SID reference
*
* Call the security server to obtain a context for labeling a
* new object. Look up the context in the SID table, making
* a new entry if not found. Increment the reference counter
* for the SID. Store a pointer to the SID structure into the
* memory referenced by @newsid, returning %0 on success or -%1 on
* error with @errno set.
*/
int avc_compute_create(security_id_t ssid,
security_id_t tsid,
security_class_t tclass, security_id_t * newsid);
/**
* avc_compute_member - Compute SID for polyinstantation.
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
* @newsid: pointer to SID reference
*
* Call the security server to obtain a context for labeling an
* object instance. Look up the context in the SID table, making
* a new entry if not found. Increment the reference counter
* for the SID. Store a pointer to the SID structure into the
* memory referenced by @newsid, returning %0 on success or -%1 on
* error with @errno set.
*/
int avc_compute_member(security_id_t ssid,
security_id_t tsid,
security_class_t tclass, security_id_t * newsid);
/*
* security event callback facility
*/
/* security events */
#define AVC_CALLBACK_GRANT 1
#define AVC_CALLBACK_TRY_REVOKE 2
#define AVC_CALLBACK_REVOKE 4
#define AVC_CALLBACK_RESET 8
#define AVC_CALLBACK_AUDITALLOW_ENABLE 16
#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
#define AVC_CALLBACK_AUDITDENY_ENABLE 64
#define AVC_CALLBACK_AUDITDENY_DISABLE 128
/**
* avc_add_callback - Register a callback for security events.
* @callback: callback function
* @events: bitwise OR of desired security events
* @ssid: source security identifier or %SECSID_WILD
* @tsid: target security identifier or %SECSID_WILD
* @tclass: target security class
* @perms: permissions
*
* Register a callback function for events in the set @events
* related to the SID pair (@ssid, @tsid) and
* and the permissions @perms, interpreting
* @perms based on @tclass. Returns %0 on success or
* -%1 if insufficient memory exists to add the callback.
*/
int avc_add_callback(int (*callback)
(uint32_t event, security_id_t ssid,
security_id_t tsid, security_class_t tclass,
access_vector_t perms,
access_vector_t * out_retained),
uint32_t events, security_id_t ssid,
security_id_t tsid, security_class_t tclass,
access_vector_t perms);
/*
* AVC statistics
*/
/* If set, cache statistics are tracked. This may
* become a compile-time option in the future.
*/
#define AVC_CACHE_STATS 1
struct avc_cache_stats {
unsigned entry_lookups;
unsigned entry_hits;
unsigned entry_misses;
unsigned entry_discards;
unsigned cav_lookups;
unsigned cav_hits;
unsigned cav_probes;
unsigned cav_misses;
};
/**
* avc_cache_stats - get cache access statistics.
* @stats: reference to statistics structure
*
* Fill the supplied structure with information about AVC
* activity since the last call to avc_init() or
* avc_reset(). See the structure definition for
* details.
*/
void avc_cache_stats(struct avc_cache_stats *stats);
/**
* avc_av_stats - log av table statistics.
*
* Log a message with information about the size and
* distribution of the access vector table. The audit
* callback is used to print the message.
*/
void avc_av_stats(void);
/**
* avc_sid_stats - log SID table statistics.
*
* Log a message with information about the size and
* distribution of the SID table. The audit callback
* is used to print the message.
*/
void avc_sid_stats(void);
#ifdef __cplusplus
}
#endif
#endif /* _SELINUX_AVC_H_ */
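Review bot: the avc_open() comment describes @opts as an "array of selabel_opt structures", but the prototype directly below it takes "struct selinux_opt *opts"; the comment should name the type the function actually accepts, since a caller working from the doc will pass the wrong struct. In the same hunk, the AVC_OPT_SETENFORCE comment "override kernel enforcing mode (boolean value)" reads as though the option changed the kernel's mode: if, as the rest of this interface suggests, it only controls whether this userspace AVC instance reports denials to the calling object manager while the process itself stays under the kernel's mode, the comment should say so, because this is the knob that puts an object manager into permissive mode and its scope matters to anyone auditing the caller. Doc nits: "and / and the permissions @perms" is duplicated across two lines in the avc_add_callback comment, "polyinstantation" should be "polyinstantiation" in the avc_compute_member comment, and "All SID's" should be "All SIDs" in the avc_destroy comment.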


@ -0,0 +1,50 @@
#ifndef _SELINUX_CONTEXT_H_
#define _SELINUX_CONTEXT_H_
#ifdef __cplusplus
extern "C" {
#endif
/*
* Functions to deal with security contexts in user space.
*/
typedef struct {
void *ptr;
} context_s_t;
typedef context_s_t *context_t;
/* Return a new context initialized to a context string */
extern context_t context_new(const char *);
/*
* Return a pointer to the string value of the context_t
* Valid until the next call to context_str or context_free
* for the same context_t*
*/
extern char *context_str(context_t);
/* Free the storage used by a context */
extern void context_free(context_t);
/* Get a pointer to the string value of a context component */
extern const char *context_type_get(context_t);
extern const char *context_range_get(context_t);
extern const char *context_role_get(context_t);
extern const char *context_user_get(context_t);
/* Set a context component. Returns nonzero if unsuccessful */
extern int context_type_set(context_t, const char *);
extern int context_range_set(context_t, const char *);
extern int context_role_set(context_t, const char *);
extern int context_user_set(context_t, const char *);
#ifdef __cplusplus
}
#endif
#endif
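Review bot: context_str() returns a non-const "char *" to storage that its own comment says belongs to the context and is only valid until the next context_str() or context_free() on it, so callers are invited to modify or free a buffer the library owns. Either return "const char *" as the four component getters below already do, or state in the comment that the result must not be modified or freed. Also, "for the same context_t*" should read "for the same context_t": context_t is already a pointer typedef ("typedef context_s_t *context_t"), and the extra star suggests a double indirection the API does not use.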


@ -0,0 +1,111 @@
/* This file is automatically generated. Do not edit. */
#ifndef _SELINUX_FLASK_H_
#define _SELINUX_FLASK_H_
/*
* Security object class definitions
*/
#define SECCLASS_SECURITY 1
#define SECCLASS_PROCESS 2
#define SECCLASS_SYSTEM 3
#define SECCLASS_CAPABILITY 4
#define SECCLASS_FILESYSTEM 5
#define SECCLASS_FILE 6
#define SECCLASS_DIR 7
#define SECCLASS_FD 8
#define SECCLASS_LNK_FILE 9
#define SECCLASS_CHR_FILE 10
#define SECCLASS_BLK_FILE 11
#define SECCLASS_SOCK_FILE 12
#define SECCLASS_FIFO_FILE 13
#define SECCLASS_SOCKET 14
#define SECCLASS_TCP_SOCKET 15
#define SECCLASS_UDP_SOCKET 16
#define SECCLASS_RAWIP_SOCKET 17
#define SECCLASS_NODE 18
#define SECCLASS_NETIF 19
#define SECCLASS_NETLINK_SOCKET 20
#define SECCLASS_PACKET_SOCKET 21
#define SECCLASS_KEY_SOCKET 22
#define SECCLASS_UNIX_STREAM_SOCKET 23
#define SECCLASS_UNIX_DGRAM_SOCKET 24
#define SECCLASS_SEM 25
#define SECCLASS_MSG 26
#define SECCLASS_MSGQ 27
#define SECCLASS_SHM 28
#define SECCLASS_IPC 29
#define SECCLASS_PASSWD 30
#define SECCLASS_DRAWABLE 31
#define SECCLASS_WINDOW 32
#define SECCLASS_GC 33
#define SECCLASS_FONT 34
#define SECCLASS_COLORMAP 35
#define SECCLASS_PROPERTY 36
#define SECCLASS_CURSOR 37
#define SECCLASS_XCLIENT 38
#define SECCLASS_XINPUT 39
#define SECCLASS_XSERVER 40
#define SECCLASS_XEXTENSION 41
#define SECCLASS_PAX 42
#define SECCLASS_NETLINK_ROUTE_SOCKET 43
#define SECCLASS_NETLINK_FIREWALL_SOCKET 44
#define SECCLASS_NETLINK_TCPDIAG_SOCKET 45
#define SECCLASS_NETLINK_NFLOG_SOCKET 46
#define SECCLASS_NETLINK_XFRM_SOCKET 47
#define SECCLASS_NETLINK_SELINUX_SOCKET 48
#define SECCLASS_NETLINK_AUDIT_SOCKET 49
#define SECCLASS_NETLINK_IP6FW_SOCKET 50
#define SECCLASS_NETLINK_DNRT_SOCKET 51
#define SECCLASS_DBUS 52
#define SECCLASS_NSCD 53
#define SECCLASS_ASSOCIATION 54
#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
#define SECCLASS_APPLETALK_SOCKET 56
#define SECCLASS_PACKET 57
#define SECCLASS_KEY 58
#define SECCLASS_CONTEXT 59
#define SECCLASS_DCCP_SOCKET 60
#define SECCLASS_MEMPROTECT 61
#define SECCLASS_DB_DATABASE 62
#define SECCLASS_DB_TABLE 63
#define SECCLASS_DB_PROCEDURE 64
#define SECCLASS_DB_COLUMN 65
#define SECCLASS_DB_TUPLE 66
#define SECCLASS_DB_BLOB 67
#define SECCLASS_PEER 68
#define SECCLASS_CAPABILITY2 69
/*
* Security identifier indices for initial entities
*/
#define SECINITSID_KERNEL 1
#define SECINITSID_SECURITY 2
#define SECINITSID_UNLABELED 3
#define SECINITSID_FS 4
#define SECINITSID_FILE 5
#define SECINITSID_FILE_LABELS 6
#define SECINITSID_INIT 7
#define SECINITSID_ANY_SOCKET 8
#define SECINITSID_PORT 9
#define SECINITSID_NETIF 10
#define SECINITSID_NETMSG 11
#define SECINITSID_NODE 12
#define SECINITSID_IGMP_PACKET 13
#define SECINITSID_ICMP_SOCKET 14
#define SECINITSID_TCP_SOCKET 15
#define SECINITSID_SYSCTL_MODPROBE 16
#define SECINITSID_SYSCTL 17
#define SECINITSID_SYSCTL_FS 18
#define SECINITSID_SYSCTL_KERNEL 19
#define SECINITSID_SYSCTL_NET 20
#define SECINITSID_SYSCTL_NET_UNIX 21
#define SECINITSID_SYSCTL_VM 22
#define SECINITSID_SYSCTL_DEV 23
#define SECINITSID_KMOD 24
#define SECINITSID_POLICY 25
#define SECINITSID_SCMP_PACKET 26
#define SECINITSID_DEVNULL 27
#define SECINITSID_NUM 27
#endif
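Review bot: this generated header hard-codes class numbers (SECCLASS_FILE 6 through SECCLASS_CAPABILITY2 69) and initial SID numbers that are only correct for a policy whose class ordering matches the one flask.h was generated from. The same commit adds selinux_set_mapping() and string_to_security_class() in selinux.h for resolving class names at runtime; a comment here steering new userspace object managers to those instead of these constants would help, since a mismatched class number silently produces an access decision for the wrong class. Also, SECINITSID_NUM is 27, equal to SECINITSID_DEVNULL, so it is the highest index rather than a count; saying so would prevent off-by-one loops in code that iterates the initial SIDs.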


@ -0,0 +1,82 @@
#ifndef _SELINUX_GET_SID_LIST_H_
#define _SELINUX_GET_SID_LIST_H_
#include <selinux/selinux.h>
#ifdef __cplusplus
extern "C" {
#endif
#define SELINUX_DEFAULTUSER "user_u"
/* Get an ordered list of authorized security contexts for a user session
for 'user' spawned by 'fromcon' and set *conary to refer to the
NULL-terminated array of contexts. Every entry in the list will
be authorized by the policy, but the ordering is subject to user
customizable preferences. Returns number of entries in *conary.
If 'fromcon' is NULL, defaults to current context.
Caller must free via freeconary. */
extern int get_ordered_context_list(const char *user,
security_context_t fromcon,
security_context_t ** list);
/* As above, but use the provided MLS level rather than the
default level for the user. */
int get_ordered_context_list_with_level(const char *user,
const char *level,
security_context_t fromcon,
security_context_t ** list);
/* Get the default security context for a user session for 'user'
spawned by 'fromcon' and set *newcon to refer to it. The context
will be one of those authorized by the policy, but the selection
of a default is subject to user customizable preferences.
If 'fromcon' is NULL, defaults to current context.
Returns 0 on success or -1 otherwise.
Caller must free via freecon. */
extern int get_default_context(const char *user,
security_context_t fromcon,
security_context_t * newcon);
/* As above, but use the provided MLS level rather than the
default level for the user. */
int get_default_context_with_level(const char *user,
const char *level,
security_context_t fromcon,
security_context_t * newcon);
/* Same as get_default_context, but only return a context
that has the specified role. If no reachable context exists
for the user with that role, then return -1. */
int get_default_context_with_role(const char *user,
const char *role,
security_context_t fromcon,
security_context_t * newcon);
/* Same as get_default_context, but only return a context
that has the specified role and level. If no reachable context exists
for the user with that role, then return -1. */
int get_default_context_with_rolelevel(const char *user,
const char *level,
const char *role,
security_context_t fromcon,
security_context_t * newcon);
/* Given a list of authorized security contexts for the user,
query the user to select one and set *newcon to refer to it.
Caller must free via freecon.
Returns 0 on sucess or -1 otherwise. */
extern int query_user_context(security_context_t * list,
security_context_t * newcon);
/* Allow the user to manually enter a context as a fallback
if a list of authorized contexts could not be obtained.
Caller must free via freecon.
Returns 0 on success or -1 otherwise. */
extern int manual_user_enter_context(const char *user,
security_context_t * newcon);
#ifdef __cplusplus
}
#endif
#endif
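Review bot: the comment on get_default_context_with_rolelevel() is copied from get_default_context_with_role() and only mentions the role; it should say that -1 is returned when no reachable context exists with both the given role and level. Minor: "sucess" in the query_user_context() comment, and extern is present on some prototypes in this block (get_ordered_context_list, get_default_context, query_user_context) but absent on the others; pick one style.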


@ -0,0 +1,23 @@
/* get_default_type.h - contains header information and function prototypes
* for functions to get the default type for a role
*/
#ifndef _SELINUX_GET_DEFAULT_TYPE_H_
#define _SELINUX_GET_DEFAULT_TYPE_H_
#ifdef __cplusplus
extern "C" {
#endif
/* Return path to default type file. */
const char *selinux_default_type_path(void);
/* Get the default type (domain) for 'role' and set 'type' to refer to it.
Caller must free via free().
Return 0 on success or -1 otherwise. */
int get_default_type(const char *role, char **type);
#ifdef __cplusplus
}
#endif
#endif /* ifndef _GET_DEFAULT_TYPE_H_ */
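Review bot: the closing guard comment reads _GET_DEFAULT_TYPE_H_ while the guard macro itself is _SELINUX_GET_DEFAULT_TYPE_H_; update the comment. selinux_default_type_path() is also undocumented as to whether the returned string is static or must be freed; the selinux_*_path() functions in selinux.h return static const char * paths, so say whether this one follows the same rule.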


@ -0,0 +1,123 @@
/*
* Labeling interface for userspace object managers and others.
*
* Author : Eamon Walsh <ewalsh@tycho.nsa.gov>
*/
#ifndef _SELABEL_H_
#define _SELABEL_H_
#include <sys/types.h>
#include <selinux/selinux.h>
#ifdef __cplusplus
extern "C" {
#endif
/*
* Opaque type used for all label handles.
*/
struct selabel_handle;
/*
* Available backends.
*/
/* file contexts */
#define SELABEL_CTX_FILE 0
/* media contexts */
#define SELABEL_CTX_MEDIA 1
/* x contexts */
#define SELABEL_CTX_X 2
/*
* Available options
*/
/* no-op option, useful for unused slots in an array of options */
#define SELABEL_OPT_UNUSED 0
/* validate contexts before returning them (boolean value) */
#define SELABEL_OPT_VALIDATE 1
/* don't use local customizations to backend data (boolean value) */
#define SELABEL_OPT_BASEONLY 2
/* specify an alternate path to use when loading backend data */
#define SELABEL_OPT_PATH 3
/* select a subset of the search space as an optimization (file backend) */
#define SELABEL_OPT_SUBSET 4
/* total number of options */
#define SELABEL_NOPT 5
/*
* Label operations
*/
/**
* selabel_open - Create a labeling handle.
* @backend: one of the constants specifying a supported labeling backend.
* @opts: array of selabel_opt structures specifying label options or NULL.
* @nopts: number of elements in opts array or zero for no options.
*
* Open a labeling backend for use. The available backend identifiers are
* listed above. Options may be provided via the opts parameter; available
* options are listed above. Not all options may be supported by every
* backend. Return value is the created handle on success or NULL with
* @errno set on failure.
*/
struct selabel_handle *selabel_open(unsigned int backend,
struct selinux_opt *opts, unsigned nopts);
/**
* selabel_close - Close a labeling handle.
* @handle: specifies handle to close
*
* Destroy the specified handle, closing files, freeing allocated memory,
* etc. The handle may not be further used after it has been closed.
*/
void selabel_close(struct selabel_handle *handle);
/**
* selabel_lookup - Perform labeling lookup operation.
* @handle: specifies backend instance to query
* @con: returns the appropriate context with which to label the object
* @key: string input to lookup operation
* @type: numeric input to the lookup operation
*
* Perform a labeling lookup operation. Return %0 on success, -%1 with
* @errno set on failure. The key and type arguments are the inputs to the
* lookup operation; appropriate values are dictated by the backend in use.
* The result is returned in the memory pointed to by @con and must be freed
* by the user with freecon().
*/
int selabel_lookup(struct selabel_handle *handle, security_context_t *con,
const char *key, int type);
int selabel_lookup_raw(struct selabel_handle *handle, security_context_t *con,
const char *key, int type);
/**
* selabel_stats - log labeling operation statistics.
* @handle: specifies backend instance to query
*
* Log a message with information about the number of queries performed,
* number of unused matching entries, or other operational statistics.
* Message is backend-specific, some backends may not output a message.
*/
void selabel_stats(struct selabel_handle *handle);
/*
* Type codes used by specific backends
*/
/* X backend */
#define SELABEL_X_PROP 1
#define SELABEL_X_EXT 2
#define SELABEL_X_CLIENT 3
#define SELABEL_X_EVENT 4
#define SELABEL_X_SELN 5
#define SELABEL_X_POLYPROP 6
#define SELABEL_X_POLYSELN 7
#ifdef __cplusplus
}
#endif
#endif /* _SELABEL_H_ */
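Review bot: the selabel_open() kernel-doc says @opts is an array of selabel_opt structures, but the prototype takes struct selinux_opt * (the type declared in selinux.h in this commit); fix the comment to match. selabel_lookup_raw() has no doc comment; state that it returns the raw (untranslated) context, as the *_raw variants in selinux.h do, since callers that mix raw and translated contexts get hard-to-diagnose comparison failures. The return-value markup "-%1" should be "%-1". It would also help to state the default for SELABEL_OPT_VALIDATE: whether contexts read from backend data, which SELABEL_OPT_BASEONLY says can include local customizations, are validated against policy before being handed to the object manager is a security-relevant default that callers should not have to guess.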


@ -0,0 +1,530 @@
#ifndef _SELINUX_H_
#define _SELINUX_H_
#include <sys/types.h>
#include <stdarg.h>
#ifdef __cplusplus
extern "C" {
#endif
/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */
extern int is_selinux_enabled(void);
/* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */
extern int is_selinux_mls_enabled(void);
typedef char *security_context_t;
/* Free the memory allocated for a context by any of the below get* calls. */
extern void freecon(security_context_t con);
/* Free the memory allocated for a context array by security_compute_user. */
extern void freeconary(security_context_t * con);
/* Wrappers for the /proc/pid/attr API. */
/* Get current context, and set *con to refer to it.
Caller must free via freecon. */
extern int getcon(security_context_t * con);
extern int getcon_raw(security_context_t * con);
/* Set the current security context to con.
Note that use of this function requires that the entire application
be trusted to maintain any desired separation between the old and new
security contexts, unlike exec-based transitions performed via setexeccon.
When possible, decompose your application and use setexeccon()+execve()
instead. Note that the application may lose access to its open descriptors
as a result of a setcon() unless policy allows it to use descriptors opened
by the old context. */
extern int setcon(security_context_t con);
extern int setcon_raw(security_context_t con);
/* Get context of process identified by pid, and
set *con to refer to it. Caller must free via freecon. */
extern int getpidcon(pid_t pid, security_context_t * con);
extern int getpidcon_raw(pid_t pid, security_context_t * con);
/* Get previous context (prior to last exec), and set *con to refer to it.
Caller must free via freecon. */
extern int getprevcon(security_context_t * con);
extern int getprevcon_raw(security_context_t * con);
/* Get exec context, and set *con to refer to it.
Sets *con to NULL if no exec context has been set, i.e. using default.
If non-NULL, caller must free via freecon. */
extern int getexeccon(security_context_t * con);
extern int getexeccon_raw(security_context_t * con);
/* Set exec security context for the next execve.
Call with NULL if you want to reset to the default. */
extern int setexeccon(security_context_t con);
extern int setexeccon_raw(security_context_t con);
/* Get fscreate context, and set *con to refer to it.
Sets *con to NULL if no fs create context has been set, i.e. using default.
If non-NULL, caller must free via freecon. */
extern int getfscreatecon(security_context_t * con);
extern int getfscreatecon_raw(security_context_t * con);
/* Set the fscreate security context for subsequent file creations.
Call with NULL if you want to reset to the default. */
extern int setfscreatecon(security_context_t context);
extern int setfscreatecon_raw(security_context_t context);
/* Get keycreate context, and set *con to refer to it.
Sets *con to NULL if no key create context has been set, i.e. using default.
If non-NULL, caller must free via freecon. */
extern int getkeycreatecon(security_context_t * con);
extern int getkeycreatecon_raw(security_context_t * con);
/* Set the keycreate security context for subsequent key creations.
Call with NULL if you want to reset to the default. */
extern int setkeycreatecon(security_context_t context);
extern int setkeycreatecon_raw(security_context_t context);
/* Get sockcreate context, and set *con to refer to it.
Sets *con to NULL if no socket create context has been set, i.e. using default.
If non-NULL, caller must free via freecon. */
extern int getsockcreatecon(security_context_t * con);
extern int getsockcreatecon_raw(security_context_t * con);
/* Set the sockcreate security context for subsequent socket creations.
Call with NULL if you want to reset to the default. */
extern int setsockcreatecon(security_context_t context);
extern int setsockcreatecon_raw(security_context_t context);
/* Wrappers for the xattr API. */
/* Get file context, and set *con to refer to it.
Caller must free via freecon. */
extern int getfilecon(const char *path, security_context_t * con);
extern int getfilecon_raw(const char *path, security_context_t * con);
extern int lgetfilecon(const char *path, security_context_t * con);
extern int lgetfilecon_raw(const char *path, security_context_t * con);
extern int fgetfilecon(int fd, security_context_t * con);
extern int fgetfilecon_raw(int fd, security_context_t * con);
/* Set file context */
extern int setfilecon(const char *path, security_context_t con);
extern int setfilecon_raw(const char *path, security_context_t con);
extern int lsetfilecon(const char *path, security_context_t con);
extern int lsetfilecon_raw(const char *path, security_context_t con);
extern int fsetfilecon(int fd, security_context_t con);
extern int fsetfilecon_raw(int fd, security_context_t con);
/* Wrappers for the socket API */
/* Get context of peer socket, and set *con to refer to it.
Caller must free via freecon. */
extern int getpeercon(int fd, security_context_t * con);
extern int getpeercon_raw(int fd, security_context_t * con);
/* Wrappers for the selinuxfs (policy) API. */
typedef unsigned int access_vector_t;
typedef unsigned short security_class_t;
struct av_decision {
access_vector_t allowed;
access_vector_t decided;
access_vector_t auditallow;
access_vector_t auditdeny;
unsigned int seqno;
};
/* Structure for passing options, used by AVC and label subsystems */
struct selinux_opt {
int type;
const char *value;
};
/* Callback facilities */
union selinux_callback {
/* log the printf-style format and arguments,
with the type code indicating the type of message */
int
#ifdef __GNUC__
__attribute__ ((format(printf, 2, 3)))
#endif
(*func_log) (int type, const char *fmt, ...);
/* store a string representation of auditdata (corresponding
to the given security class) into msgbuf. */
int (*func_audit) (void *auditdata, security_class_t cls,
char *msgbuf, size_t msgbufsize);
/* validate the supplied context, modifying if necessary */
int (*func_validate) (security_context_t *ctx);
};
#define SELINUX_CB_LOG 0
#define SELINUX_CB_AUDIT 1
#define SELINUX_CB_VALIDATE 2
extern union selinux_callback selinux_get_callback(int type);
extern void selinux_set_callback(int type, union selinux_callback cb);
/* Logging type codes, passed to the logging callback */
#define SELINUX_ERROR 0
#define SELINUX_WARNING 1
#define SELINUX_INFO 2
#define SELINUX_AVC 3
/* Compute an access decision. */
extern int security_compute_av(security_context_t scon,
security_context_t tcon,
security_class_t tclass,
access_vector_t requested,
struct av_decision *avd);
extern int security_compute_av_raw(security_context_t scon,
security_context_t tcon,
security_class_t tclass,
access_vector_t requested,
struct av_decision *avd);
/* Compute a labeling decision and set *newcon to refer to it.
Caller must free via freecon. */
extern int security_compute_create(security_context_t scon,
security_context_t tcon,
security_class_t tclass,
security_context_t * newcon);
extern int security_compute_create_raw(security_context_t scon,
security_context_t tcon,
security_class_t tclass,
security_context_t * newcon);
/* Compute a relabeling decision and set *newcon to refer to it.
Caller must free via freecon. */
extern int security_compute_relabel(security_context_t scon,
security_context_t tcon,
security_class_t tclass,
security_context_t * newcon);
extern int security_compute_relabel_raw(security_context_t scon,
security_context_t tcon,
security_class_t tclass,
security_context_t * newcon);
/* Compute a polyinstantiation member decision and set *newcon to refer to it.
Caller must free via freecon. */
extern int security_compute_member(security_context_t scon,
security_context_t tcon,
security_class_t tclass,
security_context_t * newcon);
extern int security_compute_member_raw(security_context_t scon,
security_context_t tcon,
security_class_t tclass,
security_context_t * newcon);
/* Compute the set of reachable user contexts and set *con to refer to
the NULL-terminated array of contexts. Caller must free via freeconary. */
extern int security_compute_user(security_context_t scon,
const char *username,
security_context_t ** con);
extern int security_compute_user_raw(security_context_t scon,
const char *username,
security_context_t ** con);
/* Load a policy configuration. */
extern int security_load_policy(void *data, size_t len);
/* Get the context of an initial kernel security identifier by name.
Caller must free via freecon */
extern int security_get_initial_context(const char *name,
security_context_t * con);
extern int security_get_initial_context_raw(const char *name,
security_context_t * con);
/*
* Make a policy image and load it.
* This function provides a higher level interface for loading policy
* than security_load_policy, internally determining the right policy
* version, locating and opening the policy file, mapping it into memory,
* manipulating it as needed for current boolean settings and/or local
* definitions, and then calling security_load_policy to load it.
*
* 'preservebools' is a boolean flag indicating whether current
* policy boolean values should be preserved into the new policy (if 1)
* or reset to the saved policy settings (if 0). The former case is the
* default for policy reloads, while the latter case is an option for policy
* reloads but is primarily for the initial policy load.
*/
extern int selinux_mkload_policy(int preservebools);
/*
* Perform the initial policy load.
* This function determines the desired enforcing mode, sets the
* the *enforce argument accordingly for the caller to use, sets the
* SELinux kernel enforcing status to match it, and loads the policy.
* It also internally handles the initial selinuxfs mount required to
* perform these actions.
*
* The function returns 0 if everything including the policy load succeeds.
* In this case, init is expected to re-exec itself in order to transition
* to the proper security context.
* Otherwise, the function returns -1, and init must check *enforce to
* determine how to proceed. If enforcing (*enforce > 0), then init should
* halt the system. Otherwise, init may proceed normally without a re-exec.
*/
extern int selinux_init_load_policy(int *enforce);
/* Translate boolean strict to name value pair. */
typedef struct {
char *name;
int value;
} SELboolean;
/* save a list of booleans in a single transaction. */
extern int security_set_boolean_list(size_t boolcnt,
SELboolean * boollist, int permanent);
/* Load policy boolean settings.
Path may be NULL, in which case the booleans are loaded from
the active policy boolean configuration file. */
extern int security_load_booleans(char *path);
/* Check the validity of a security context. */
extern int security_check_context(security_context_t con);
extern int security_check_context_raw(security_context_t con);
/* Canonicalize a security context. */
extern int security_canonicalize_context(security_context_t con,
security_context_t * canoncon);
extern int security_canonicalize_context_raw(security_context_t con,
security_context_t * canoncon);
/* Get the enforce flag value. */
extern int security_getenforce(void);
/* Set the enforce flag value. */
extern int security_setenforce(int value);
/* Disable SELinux at runtime (must be done prior to initial policy load). */
extern int security_disable(void);
/* Get the policy version number. */
extern int security_policyvers(void);
/* Get the boolean names */
extern int security_get_boolean_names(char ***names, int *len);
/* Get the pending value for the boolean */
extern int security_get_boolean_pending(const char *name);
/* Get the active value for the boolean */
extern int security_get_boolean_active(const char *name);
/* Set the pending value for the boolean */
extern int security_set_boolean(const char *name, int value);
/* Commit the pending values for the booleans */
extern int security_commit_booleans(void);
/* Userspace class mapping support */
struct security_class_mapping {
const char *name;
const char *perms[sizeof(access_vector_t) * 8 + 1];
};
int selinux_set_mapping(struct security_class_mapping *map);
/* Common helpers */
/* Convert between security class values and string names */
extern security_class_t string_to_security_class(const char *name);
extern const char *security_class_to_string(security_class_t cls);
/* Convert between individual access vector permissions and string names */
extern const char *security_av_perm_to_string(security_class_t tclass,
access_vector_t perm);
extern access_vector_t string_to_av_perm(security_class_t tclass,
const char *name);
/* Returns an access vector in a string representation. User must free the
* returned string via free(). */
extern int security_av_string(security_class_t tclass,
access_vector_t av, char **result);
/* Display an access vector in a string representation. */
extern void print_access_vector(security_class_t tclass, access_vector_t av);
/* Set the function used by matchpathcon_init when displaying
errors about the file_contexts configuration. If not set,
then this defaults to fprintf(stderr, fmt, ...). */
extern void set_matchpathcon_printf(void (*f) (const char *fmt, ...));
/* Set the function used by matchpathcon_init when checking the
validity of a context in the file contexts configuration. If not set,
then this defaults to a test based on security_check_context().
The function is also responsible for reporting any such error, and
may include the 'path' and 'lineno' in such error messages. */
extern void set_matchpathcon_invalidcon(int (*f) (const char *path,
unsigned lineno,
char *context));
/* Same as above, but also allows canonicalization of the context,
by changing *context to refer to the canonical form. If not set,
and invalidcon is also not set, then this defaults to calling
security_canonicalize_context(). */
extern void set_matchpathcon_canoncon(int (*f) (const char *path,
unsigned lineno,
char **context));
/* Set flags controlling operation of matchpathcon_init or matchpathcon. */
#define MATCHPATHCON_BASEONLY 1 /* Only process the base file_contexts file. */
#define MATCHPATHCON_NOTRANS 2 /* Do not perform any context translation. */
#define MATCHPATHCON_VALIDATE 4 /* Validate/canonicalize contexts at init time. */
extern void set_matchpathcon_flags(unsigned int flags);
/* Load the file contexts configuration specified by 'path'
into memory for use by subsequent matchpathcon calls.
If 'path' is NULL, then load the active file contexts configuration,
i.e. the path returned by selinux_file_context_path().
Unless the MATCHPATHCON_BASEONLY flag has been set, this
function also checks for a 'path'.homedirs file and
a 'path'.local file and loads additional specifications
from them if present. */
extern int matchpathcon_init(const char *path);
/* Same as matchpathcon_init, but only load entries with
regexes that have stems that are prefixes of 'prefix'. */
extern int matchpathcon_init_prefix(const char *path, const char *prefix);
/* Free the memory allocated by matchpathcon_init. */
extern void matchpathcon_fini(void);
/* Match the specified pathname and mode against the file contexts
configuration and set *con to refer to the resulting context.
'mode' can be 0 to disable mode matching.
Caller must free via freecon.
If matchpathcon_init has not already been called, then this function
will call it upon its first invocation with a NULL path. */
extern int matchpathcon(const char *path,
mode_t mode, security_context_t * con);
/* Same as above, but return a specification index for
later use in a matchpathcon_filespec_add() call - see below. */
extern int matchpathcon_index(const char *path,
mode_t mode, security_context_t * con);
/* Maintain an association between an inode and a specification index,
and check whether a conflicting specification is already associated
with the same inode (e.g. due to multiple hard links). If so, then
use the latter of the two specifications based on their order in the
file contexts configuration. Return the used specification index. */
extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
/* Destroy any inode associations that have been added, e.g. to restart
for a new filesystem. */
extern void matchpathcon_filespec_destroy(void);
/* Display statistics on the hash table usage for the associations. */
extern void matchpathcon_filespec_eval(void);
/* Check to see whether any specifications had no matches and report them.
The 'str' is used as a prefix for any warning messages. */
extern void matchpathcon_checkmatches(char *str);
/* Match the specified media and against the media contexts
configuration and set *con to refer to the resulting context.
Caller must free con via freecon. */
extern int matchmediacon(const char *media, security_context_t * con);
/*
selinux_getenforcemode reads the /etc/selinux/config file and determines
whether the machine should be started in enforcing (1), permissive (0) or
disabled (-1) mode.
*/
extern int selinux_getenforcemode(int *enforce);
/*
selinux_getpolicytype reads the /etc/selinux/config file and determines
what the default policy for the machine is. Calling application must
free policytype.
*/
extern int selinux_getpolicytype(char **policytype);
/*
selinux_policy_root reads the /etc/selinux/config file and returns
the directory path under which the compiled policy file and context
configuration files exist.
*/
extern const char *selinux_policy_root(void);
/* These functions return the paths to specific files under the
policy root directory. */
extern const char *selinux_binary_policy_path(void);
extern const char *selinux_failsafe_context_path(void);
extern const char *selinux_removable_context_path(void);
extern const char *selinux_default_context_path(void);
extern const char *selinux_user_contexts_path(void);
extern const char *selinux_file_context_path(void);
extern const char *selinux_file_context_homedir_path(void);
extern const char *selinux_file_context_local_path(void);
extern const char *selinux_homedir_context_path(void);
extern const char *selinux_media_context_path(void);
extern const char *selinux_x_context_path(void);
extern const char *selinux_contexts_path(void);
extern const char *selinux_securetty_types_path(void);
extern const char *selinux_booleans_path(void);
extern const char *selinux_customizable_types_path(void);
extern const char *selinux_users_path(void);
extern const char *selinux_usersconf_path(void);
extern const char *selinux_translations_path(void);
extern const char *selinux_netfilter_context_path(void);
extern const char *selinux_path(void);
/* Check a permission in the passwd class.
Return 0 if granted or -1 otherwise. */
extern int selinux_check_passwd_access(access_vector_t requested);
extern int checkPasswdAccess(access_vector_t requested);
/* Check if the tty_context is defined as a securetty
Return 0 if secure, < 0 otherwise. */
extern int selinux_check_securetty_context(security_context_t tty_context);
/* Set the path to the selinuxfs mount point explicitly.
Normally, this is determined automatically during libselinux
initialization, but this is not always possible, e.g. for /sbin/init
which performs the initial mount of selinuxfs. */
void set_selinuxmnt(char *mnt);
/* Execute a helper for rpm in an appropriate security context. */
extern int rpm_execcon(unsigned int verified,
const char *filename,
char *const argv[], char *const envp[]);
/* Returns whether a file context is customizable, and should not
be relabeled . */
extern int is_context_customizable(security_context_t scontext);
/* Perform context translation between the human-readable format
("translated") and the internal system format ("raw").
Caller must free the resulting context via freecon.
Returns -1 upon an error or 0 otherwise.
If passed NULL, sets the returned context to NULL and returns 0. */
extern int selinux_trans_to_raw_context(security_context_t trans,
security_context_t * rawp);
extern int selinux_raw_to_trans_context(security_context_t raw,
security_context_t * transp);
/* Get the SELinux username and level to use for a given Linux username.
These values may then be passed into the get_ordered_context_list*
and get_default_context* functions to obtain a context for the user.
Returns 0 on success or -1 otherwise.
Caller must free the returned strings via free. */
extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
/* Compare two file contexts, return 0 if equivalent. */
int selinux_file_context_cmp(const security_context_t a,
const security_context_t b);
/*
* Verify the context of the file 'path' against policy.
* Return 0 if correct.
*/
int selinux_file_context_verify(const char *path, mode_t mode);
/* This function sets the file context on to the system defaults returns 0 on success */
int selinux_lsetfilecon_default(const char *path);
#ifdef __cplusplus
}
#endif
#endif
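Review bot: const-correctness around security_context_t: because it is a typedef for char *, "const security_context_t a" in selinux_file_context_cmp() makes the pointer const, not the string, and several parameters that are only read (security_load_booleans(char *path), matchpathcon_checkmatches(char *str), set_selinuxmnt(char *mnt), data in security_load_policy(), and the context arguments to security_check_context(), setcon() and friends) are declared non-const, forcing callers to cast away const or pass writable buffers. Consider const char * for these. Two wording fixes: "Translate boolean strict to name value pair" above SELboolean, and the selinux_lsetfilecon_default() comment, which runs "sets the file context on to the system defaults" and "returns 0 on success" together into one sentence. Also, the security_disable() comment says it must be done prior to the initial policy load but not what happens if it is called afterwards (error return? ignored?); spell that out, since a misplaced call is the kind of thing an init integrator needs to detect.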

13
libselinux/man/Makefile Normal file

@ -0,0 +1,13 @@
# Installation directories.
MAN8DIR ?= $(DESTDIR)/usr/share/man/man8
MAN5DIR ?= $(DESTDIR)/usr/share/man/man5
MAN3DIR ?= $(DESTDIR)/usr/share/man/man3
install:
mkdir -p $(MAN3DIR)
mkdir -p $(MAN5DIR)
mkdir -p $(MAN8DIR)
install -m 644 man3/*.3 $(MAN3DIR)
install -m 644 man5/*.5 $(MAN5DIR)
install -m 644 man8/*.8 $(MAN8DIR)
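Review bot: add a ".PHONY: install" line; a file or directory named install in libselinux/man would otherwise make the target appear up to date and silently skip installing the man pages. The directories are created with plain mkdir -p before each install -m 644; "install -d" would keep the recipe to one tool, and the MAN*DIR defaults are anchored at $(DESTDIR)/usr/share/man with no PREFIX variable, so non-root or alternate-prefix installs have to override all three variables.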


@ -0,0 +1,184 @@
.\" Hey Emacs! This file is -*- nroff -*- source.
.\"
.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004
.TH "avc_add_callback" "3" "9 June 2004" "" "SELinux API documentation"
.SH "NAME"
avc_add_callback \- additional event notification for SELinux userspace object managers.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.B #include <selinux/avc.h>
.sp
.BI "int avc_add_callback(int (*" callback ")(uint32_t " event ,
.in +\w'int avc_add_callback(int (*callback)('u
.BI "security_id_t " ssid ,
.BI "security_id_t " tsid ,
.BI "security_class_t " tclass ,
.BI "access_vector_t " perms ,
.BI "access_vector_t *" out_retained "),"
.in
.in +\w'int avc_add_callback('u
.BI "uint32_t " events ", security_id_t " ssid ,
.BI "security_id_t " tsid ", security_class_t " tclass ,
.BI "access_vector_t " perms ");"
.in
.SH "DESCRIPTION"
.B avc_add_callback
is used to register callback functions on security events. The purpose of this functionality is to allow userspace object managers to take additional action when a policy change, usually a policy reload, causes permissions to be granted or revoked.
.I events
is the
.RI bitwise- or
of security events on which to register the callback; see
.B SECURITY EVENTS
below.
.IR ssid ,
.IR tsid ,
.IR tclass ,
and
.I perms
specify the source and target SID's, target class, and specific permissions that the callback wishes to monitor. The special symbol
.B SECSID_WILD
may be passed as the
.I source
or
.I target
and will cause any SID to match.
.I callback
is the callback function provided by the userspace object manager. The
.I event
argument indicates the security event which occured; the remaining arguments are interpreted according to the event as described below. The return value of the callback should be zero on success, \-1 on error with errno set appropriately (but see
.B RETURN VALUE
below).
.SH "SECURITY EVENTS"
In all cases below,
.I ssid
and/or
.I tsid
may be set to
.BR SECSID_WILD ,
indicating that the change applies to all source and/or target SID's. Unless otherwise indicated, the
.I out_retained
parameter is unused.
.TP
.B AVC_CALLBACK_GRANT
Previously denied permissions are now granted for
.IR ssid ,
.I tsid
with respect to
.IR tclass .
.I perms
indicates the permissions to grant.
.TP
.B AVC_CALLBACK_TRY_REVOKE
Previously granted permissions are now conditionally revoked for
.IR ssid ,
.I tsid
with respect to
.IR tclass .
.I perms
indicates the permissions to revoke. The callback should set
.I out_retained
to the subset of
.I perms
which are retained as migrated permissions. Note that
.I out_retained
is ignored if the callback returns \-1.
.TP
.B AVC_CALLBACK_REVOKE
Previously granted permissions are now unconditionally revoked for
.IR ssid ,
.I tsid
with respect to
.IR tclass .
.I perms
indicates the permissions to revoke.
.TP
.B AVC_CALLBACK_RESET
Indicates that the cache was flushed. The SID, class, and permission arguments are unused and are set to NULL.
.TP
.B AVC_CALLBACK_AUDITALLOW_ENABLE
The permissions given by
.I perms
should now be audited when granted for
.IR ssid ,
.I tsid
with respect to
.IR tclass .
.TP
.B AVC_CALLBACK_AUDITALLOW_DISABLE
The permissions given by
.I perms
should no longer be audited when granted for
.IR ssid ,
.I tsid
with respect to
.IR tclass .
.TP
.B AVC_CALLBACK_AUDITDENY_ENABLE
The permissions given by
.I perms
should now be audited when denied for
.IR ssid ,
.I tsid
with respect to
.IR tclass .
.TP
.B AVC_CALLBACK_AUDITDENY_DISABLE
The permissions given by
.I perms
should no longer be audited when denied for
.IR ssid ,
.I tsid
with respect to
.IR tclass .
.SH "RETURN VALUE"
On success,
.B avc_add_callback
returns zero. On error, \-1 is returned and
.I errno
is set appropriately.
A return value of \-1 from a callback is interpreted as a failed policy operation. If such a return value is encountered, all remaining callbacks registered on the event are called. In threaded mode, the netlink handler thread may then terminate and cause the userspace AVC to return
.B EINVAL
on all further permission checks until
.BR avc_destroy (3)
is called. In non-threaded mode, the permission check on which the error occurred will return \-1 and the value of
.I errno
encountered to the caller. In both cases, a log message is produced and the kernel may be notified of the error.
.SH "ERRORS"
.TP
.B ENOMEM
An attempt to allocate memory failed.
.SH "NOTES"
If the userspace AVC is running in threaded mode, callbacks registered via
.B avc_add_callback
may be executed in the context of the netlink handler thread. This will likely introduce synchronization issues requiring the use of locks. See
.BR avc_init (3).
Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module. The only security event that currently gets excercised is
.BR AVC_CALLBACK_RESET .
.SH "AUTHOR"
Eamon Walsh <ewalsh@tycho.nsa.gov>
.SH "SEE ALSO"
.BR avc_init (3),
.BR avc_has_perm (3),
.BR avc_context_to_sid (3),
.BR avc_cache_stats (3),
.BR security_compute_av (3)
.BR selinux (8)
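Review bot: two typos in the body text: "occured" in DESCRIPTION should be "occurred", and "excercised" in NOTES should be "exercised". DESCRIPTION also says SECSID_WILD may be passed as the .I source or .I target, but the synopsis names those parameters ssid and tsid; using the parameter names would make the reference unambiguous. In SEE ALSO the entry .BR security_compute_av (3) is missing the trailing comma that the other entries carry.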

@ -0,0 +1 @@
.so man3/avc_has_perm.3

@ -0,0 +1 @@
.so man3/avc_cache_stats.3

@ -0,0 +1,99 @@
.\" Hey Emacs! This file is -*- nroff -*- source.
.\"
.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004
.TH "avc_cache_stats" "3" "27 May 2004" "" "SELinux API documentation"
.SH "NAME"
avc_cache_stats, avc_av_stats, avc_sid_stats \- obtain userspace SELinux AVC statistics.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.B #include <selinux/avc.h>
.sp
.BI "void avc_av_stats(void);"
.sp
.BI "void avc_sid_stats(void);"
.sp
.BI "void avc_cache_stats(struct avc_cache_stats *" stats ");"
.SH "DESCRIPTION"
The userspace AVC maintains two internal hash tables, one to store security ID's and one to cache access decisions.
.B avc_av_stats
and
.B avc_sid_stats
produce log messages indicating the status of the access decision and SID tables, respectively. The messages contain the number of entries in the table, number of hash buckets and number of buckets used, and maximum number of entries in a single bucket.
.B avc_cache_stats
populates a structure whose fields reflect cache activity:
.RS
.ta 4n 14n
.nf
struct avc_cache_stats {
unsigned entry_lookups;
unsigned entry_hits;
unsigned entry_misses;
unsigned entry_discards;
unsigned cav_lookups;
unsigned cav_hits;
unsigned cav_probes;
unsigned cav_misses;
};
.fi
.ta
.RE
.TP
.I entry_lookups
Number of queries made.
.TP
.I entry_hits
Number of times a decision was found in the
.I aeref
argument.
.TP
.I entry_misses
Number of times a decision was not found in the
.I aeref
argument.
.TP
.I entry_discards
Number of times a decision was not found in the
.I aeref
argument and the
.I aeref
argument was non-NULL.
.TP
.I cav_lookups
Number of cache lookups.
.TP
.I cav_hits
Number of cache hits.
.TP
.I cav_misses
Number of cache misses.
.TP
.I cav_probes
Number of entries examined while searching the cache.
.SH "NOTES"
When the cache is flushed as a result of a call to
.B avc_reset
or a policy change notification,
the statistics returned by
.B avc_cache_stats
are reset to zero. The SID table, however, is left
unchanged.
When a policy change notification is received, a call to
.B avc_av_stats
is made before the cache is flushed.
.SH "AUTHOR"
Eamon Walsh <ewalsh@tycho.nsa.gov>
.SH "SEE ALSO"
.BR avc_init (3),
.BR avc_has_perm (3),
.BR avc_context_to_sid (3),
.BR avc_add_callback (3)
.BR selinux (8)
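Review bot: the descriptions of entry_misses and entry_discards are nearly identical ("Number of times a decision was not found in the aeref argument", with "and the aeref argument was non-NULL" added for discards), so a reader cannot tell how the two counters differ; state explicitly what entry_misses counts when aeref is NULL, or what a discard is. The .TP list also orders cav_misses before cav_probes while the struct lists cav_probes first; matching the struct order would make them easier to cross-check. SEE ALSO is missing a comma after .BR avc_add_callback (3).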

@ -0,0 +1 @@
.so man3/avc_open.3

@ -0,0 +1,68 @@
.\" Hey Emacs! This file is -*- nroff -*- source.
.\"
.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
.TH "avc_compute_create" "3" "30 Mar 2007" "" "SELinux API documentation"
.SH "NAME"
avc_compute_create, avc_compute_member \- obtain SELinux label for new object.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.B #include <selinux/avc.h>
.sp
.BI "int avc_compute_create(security_id_t " ssid ", security_id_t " tsid ,
.in +\w'int avc_compute_create('u
.BI "security_class_t " tclass ", security_id_t *" newsid ");"
.sp
.in
.BI "int avc_compute_member(security_id_t " ssid ", security_id_t " tsid ,
.in +\w'int avc_compute_member('u
.BI "security_class_t " tclass ", security_id_t *" newsid ");"
.in
.SH "DESCRIPTION"
.B avc_compute_create
is used to compute a SID to use for labeling a new object in a particular class based on a SID pair. This call is identical to
.BR security_compute_create ,
but does not require converting from userspace SID's to contexts and back again.
.B avc_compute_member
is used to compute a SID to use for labeling a polyinstantiated object instance of a particular class based on a SID pair. This call is identical to
.BR security_compute_member ,
but does not require converting from userspace SID's to contexts and back again.
These functions
return a SID for the computed context in the memory referenced by
.IR sid ,
incrementing its reference count by 1.
.SH "RETURN VALUE"
On success, zero is returned. On error, \-1 is returned and
.I errno
is set appropriately.
.SH "ERRORS"
.TP
.B EINVAL
The
.I tclass
and/or the security contexts referenced by
.I ssid
and
.I tsid
are not recognized by the currently loaded policy, or
.I tsid
or
.I ssid
has a zero reference count and is invalid.
.TP
.B ENOMEM
An attempt to allocate memory failed.
.SH "AUTHOR"
Eamon Walsh <ewalsh@tycho.nsa.gov>
.SH "SEE ALSO"
.BR avc_init (3),
.BR avc_context_to_sid (3),
.BR security_compute_create (3),
.BR selinux (8)
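Review bot: DESCRIPTION says the computed SID is returned "in the memory referenced by .IR sid", but the synopsis names that output parameter newsid; use the same name in both places. The text states the calls are identical to security_compute_create and security_compute_member apart from the SID conversion, yet SEE ALSO lists only security_compute_create (3); add security_compute_member (3).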

@ -0,0 +1 @@
.so man3/avc_compute_create.3

@ -0,0 +1,98 @@
.\" Hey Emacs! This file is -*- nroff -*- source.
.\"
.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004
.TH "avc_context_to_sid" "3" "27 May 2004" "" "SELinux API documentation"
.SH "NAME"
avc_context_to_sid, avc_sid_to_context, sidput, sidget, avc_get_initial_sid \- obtain and manipulate SELinux security ID's.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.B #include <selinux/avc.h>
.sp
.BI "int avc_context_to_sid(security_context_t " ctx ", security_id_t *" sid ");"
.sp
.BI "int avc_sid_to_context(security_id_t " sid ", security_context_t *" ctx ");"
.sp
.BI "int sidget(security_id_t " sid ");"
.sp
.BI "int sidput(security_id_t " sid ");"
.sp
.BI "int avc_get_initial_sid(const char *" name ", security_id_t *" sid ");"
.sp
.SH "DESCRIPTION"
Security ID's (SID's) are reference-counted, opaque representations of security contexts.
.B avc_context_to_sid
returns a SID for the given
.I context
in the memory referenced by
.IR sid ,
incrementing its reference count by 1.
.B avc_sid_to_context
returns a copy of the context represented by
.I sid
in the memory referenced by
.IR ctx .
The user must free the copy with
.BR freecon (3).
.B sidget
increments the reference count of
.I sid
by 1.
.B sidput
decrements the reference count of
.I sid
by 1. If the count ever reaches zero, the SID becomes
invalid and must not be used any further.
.B avc_get_initial_sid
returns a SID for the kernel initial security identifier specified by
.I name
.SH "RETURN VALUE"
.B sidget
and
.B sidput
return the new reference count. A return value of zero indicates
an invalid SID.
.B avc_context_to_sid
and
.B avc_sid_to_context
return zero on success. On error, \-1 is returned and
.I errno
is set appropriately.
.SH "ERRORS"
.TP
.B EINVAL
The provided
.I sid
has a zero reference count and is invalid.
.TP
.B ENOMEM
An attempt to allocate memory failed.
.SH "NOTES"
The expected usage pattern for these functions is that
.B avc_context_to_sid
will be called once to obtain a SID for a newly created object,
.B sidget
will be called on a SID when its object is duplicated, and
.B sidput
will be called on a SID when its object is destroyed. Proper reference counting is necessary to ensure that SID's and associated cache entries are reclaimed from memory when no longer needed.
.SH "AUTHOR"
Eamon Walsh <ewalsh@tycho.nsa.gov>
.SH "SEE ALSO"
.BR avc_init (3),
.BR avc_has_perm (3),
.BR avc_cache_stats (3),
.BR avc_add_callback (3),
.BR getcon (3),
.BR freecon (3)
.BR selinux (8)
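Review bot: the avc_get_initial_sid paragraph ends at ".I name" with no terminating period before the RETURN VALUE heading. DESCRIPTION also refers to "the given .I context" for avc_context_to_sid while the synopsis names the parameter ctx. RETURN VALUE covers sidget, sidput, avc_context_to_sid and avc_sid_to_context but says nothing about avc_get_initial_sid, and ERRORS does not say what happens when name is not a known initial SID; both should be documented. SEE ALSO is missing a comma after .BR freecon (3).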

@ -0,0 +1 @@
.so man3/avc_open.3

@ -0,0 +1 @@
.so man3/avc_has_perm.3

@ -0,0 +1 @@
.so man3/avc_context_to_sid.3

@ -0,0 +1,155 @@
.\" Hey Emacs! This file is -*- nroff -*- source.
.\"
.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004
.TH "avc_has_perm" "3" "27 May 2004" "" "SELinux API documentation"
.SH "NAME"
avc_has_perm, avc_has_perm_noaudit, avc_audit, avc_entry_ref_init \- obtain and audit SELinux access decisions.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.B #include <selinux/avc.h>
.sp
.BI "void avc_entry_ref_init(struct avc_entry_ref *" aeref ");"
.sp
.BI "int avc_has_perm(security_id_t " ssid ", security_id_t " tsid ,
.in +\w'int avc_has_perm('u
.BI "security_class_t " tclass ", access_vector_t " requested ,
.BI "struct avc_entry_ref *" aeref ", void *" auditdata ");"
.in
.sp
.BI "int avc_has_perm_noaudit(security_id_t " ssid ", security_id_t " tsid ,
.in +\w'int avc_has_perm('u
.BI "security_class_t " tclass ", access_vector_t " requested ,
.BI "struct avc_entry_ref *" aeref ", struct av_decision *" avd ");"
.in
.sp
.BI "void avc_audit(security_id_t " ssid ", security_id_t " tsid ,
.in +\w'void avc_audit('u
.BI "security_class_t " tclass ", access_vector_t " requested ,
.BI "struct av_decision *" avd ", int " result ", void *" auditdata ");"
.in
.SH "DESCRIPTION"
.B avc_entry_ref_init
initializes an
.B avc_entry_ref
structure; see
.B ENTRY REFERENCES
below. This function may be implemented as a macro.
.B avc_has_perm
checks whether the
.I requested
permissions are granted
for subject SID
.IR ssid
and target SID
.IR tsid ,
interpreting the permissions
based on
.I tclass
and updating
.IR aeref ,
if non-NULL, to refer to a cache entry with the resulting decision. The granting or denial of permissions is audited in accordance with the policy. The
.I auditdata
parameter is for supplemental auditing; see
.B avc_audit
below.
.B avc_has_perm_noaudit
behaves as
.B avc_has_perm
without producing an audit message. The access decision is returned in
.I avd
and can be passed to
.B avc_audit
explicitly.
.B avc_audit
produces an audit message for the access query represented by
.IR ssid ,
.IR tsid ,
.IR tclass ,
and
.IR requested ,
with a decision represented by
.IR avd .
Pass the value returned by
.B avc_has_perm_noaudit
as
.IR result .
The
.I auditdata
parameter is passed to the user-supplied
.B func_audit
callback and can be used to add supplemental information to the audit message; see
.BR avc_init (3).
.SH "ENTRY REFERENCES"
Entry references can be used to speed cache performance for repeated queries on the same subject and target. The userspace AVC will check the
.I aeref
argument, if supplied, before searching the cache on a permission query. After a query is performed,
.I aeref
will be updated to reference the cache entry for that query. A subsequent query on the same subject and target will then have the decision at hand without having to walk the cache.
After declaring an
.B avc_entry_ref
structure, use
.B avc_entry_ref_init
to initialize it before passing it to
.B avc_has_perm
or
.B avc_has_perm_noaudit
for the first time.
Using an uninitialized structure will produce undefined behavior.
.SH "RETURN VALUE"
If requested permissions are granted, zero is returned. If requested permissions are denied or an error occured, \-1 is returned and
.I errno
is set appropriately.
In permissive mode, zero will be returned and
.I errno
unchanged even if permissions were denied.
.B avc_has_perm
will still produce an audit message in this case.
.SH "ERRORS"
.TP
.B EACCES
A requested permission was denied.
.TP
.B EINVAL
The
.I tclass
and/or the security contexts referenced by
.I ssid
and
.I tsid
are not recognized by the currently loaded policy.
.TP
.B ENOMEM
An attempt to allocate memory failed.
.SH "NOTES"
Internal errors encountered by the userspace AVC may cause certain values of
.I errno
to be returned unexpectedly. For example, netlink socket errors may produce
.B EACCES
or
.BR EINVAL .
Make sure that userspace object managers are granted appropriate access to
netlink by the policy.
.SH "AUTHOR"
Eamon Walsh <ewalsh@tycho.nsa.gov>
.SH "SEE ALSO"
.BR avc_init (3),
.BR avc_context_to_sid (3),
.BR avc_cache_stats (3),
.BR avc_add_callback (3),
.BR security_compute_av (3)
.BR selinux(8)
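Review bot: the indent for the avc_has_perm_noaudit prototype uses .in +\w'int avc_has_perm('u, copied from the block above, so its continuation lines will not line up with the opening parenthesis of the longer name; it should be .in +\w'int avc_has_perm_noaudit('u. In SEE ALSO, .BR selinux(8) lacks the space between name and section that every other entry has, so the bold/roman alternation of .BR will not apply, and the preceding security_compute_av (3) entry is missing its comma. Typo "occured" in RETURN VALUE.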

@ -0,0 +1 @@
.so man3/avc_has_perm.3

@ -0,0 +1,195 @@
.\" Hey Emacs! This file is -*- nroff -*- source.
.\"
.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004
.TH "avc_init" "3" "27 May 2004" "" "SELinux API documentation"
.SH "NAME"
avc_init - legacy userspace SELinux AVC setup.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.B #include <selinux/avc.h>
.sp
.BI "int avc_init(const char *" msgprefix ,
.in +\w'int avc_init('u
.BI "const struct avc_memory_callback *" mem_callbacks ,
.BI "const struct avc_log_callback *" log_callbacks ,
.BI "const struct avc_thread_callback *" thread_callbacks ,
.BI "const struct avc_lock_callback *" lock_callbacks ");"
.SH "DESCRIPTION"
.B avc_init
is deprecated; please use
.BR avc_open (3)
in conjunction with
.BR selinux_set_callback (3)
in all new code.
.B avc_init
initializes the userspace AVC and must be called before any other AVC operation can be performed. A non-NULL
.I msgprefix
will be prepended to all audit messages produced by the userspace AVC. The default is `uavc'. The remaining arguments, if non-NULL, specify callbacks to be used by the userspace AVC.
.SH "CALLBACKS"
The userspace AVC can be directed how to perform memory allocation, logging, thread creation, and locking via callback functions passed to
.BR avc_init .
The purpose of this functionality is to allow the userspace AVC to be smoothly integrated into existing userspace object managers.
Use an
.B avc_memory_callback
structure to specify alternate functions for dynamic memory allocation.
.RS
.ta 4n 10n 24n
.nf
struct avc_memory_callback {
void *(*func_malloc)(size_t size);
void (*func_free)(void *ptr);
};
.fi
.ta
.RE
The two fields of the structure should be pointers to functions which behave as
.BR malloc (3)
and
.BR free (3),
which are used by default.
Use an
.B avc_log_callback
structure to specify alternate functions for logging.
.RS
.ta 4n 10n 24n
.nf
struct avc_log_callback {
void (*func_log)(const char *fmt, ...);
void (*func_audit)(void *auditdata,
security_class_t class,
char *msgbuf, size_t msgbufsize);
};
.fi
.ta
.RE
The
.B func_log
callback should accept a
.BR printf (3)
style format and arguments and log them as desired. The default behavior prints the message on the standard error. The
.B func_audit
callback should interpret the
.I auditdata
parameter for the given
.IR class ,
printing a human-readable interpretation to
.I msgbuf
using no more than
.I msgbufsize
characters. The default behavior is to ignore
.IR auditdata .
Use an
.B avc_thread_callback
structure to specify functions for starting and manipulating threads.
.RS
.ta 4n 10n 24n
.nf
struct avc_thread_callback {
void *(*func_create_thread)(void (*run)(void));
void (*func_stop_thread)(void *thread);
};
.fi
.ta
.RE
The
.B func_create_thread
callback should create a new thread and return a pointer which references it. The thread should execute the
.I run
argument, which does not return under normal conditions. The
.B func_stop_thread
callback should cancel the running thread referenced by
.IR thread .
By default, threading is not used; see
.B NETLINK NOTIFICATION
below.
Use an
.B avc_lock_callback
structure to specify functions to create, obtain, and release locks for use by threads.
.RS
.ta 4n 10n 24n
.nf
struct avc_lock_callback {
void *(*func_alloc_lock)(void);
void (*func_get_lock)(void *lock);
void (*func_release_lock)(void *lock);
void (*func_free_lock)(void *lock);
};
.fi
.ta
.RE
The
.B func_alloc_lock
callback should create a new lock, returning a pointer which references it. The
.B func_get_lock
callback should obtain
.IR lock ,
blocking if necessary. The
.B func_release_lock
callback should release
.IR lock .
The
.B func_free_lock
callback should destroy
.IR lock ,
freeing any resources associated with it. The default behavior is not to perform any locking. Note that undefined behavior may result if threading is used without appropriate locking.
.SH "NETLINK NOTIFICATION"
Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink. Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively. The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of
.BR avc_has_perm (3)
to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification. Audit messages are produced when netlink notifications are processed.
In the default single-threaded mode, the userspace AVC checks for new netlink messages at the start of each permission query. If threading and locking callbacks are passed to
.B avc_init
however, a dedicated thread will be started to listen on the netlink socket. This may increase performance and will ensure that log messages are generated immediately rather than at the time of the next permission query.
.SH "RETURN VALUE"
Functions with a return value return zero on success. On error, \-1 is returned and
.I errno
is set appropriately.
.SH "NOTES"
The
.I msgprefix
argument to
.B avc_init
currently has a length limit of 15 characters and will be truncated if necessary.
If a provided
.B func_malloc
callback does not set
.I errno
appropriately on error, userspace AVC calls may exhibit the
same behavior.
If a netlink thread has been created and an error occurs on the socket (such as an access error), the thread may terminate and cause the userspace AVC to return
.B EINVAL
on all further permission checks until
.B avc_destroy
is called.
.SH "AUTHOR"
Eamon Walsh <ewalsh@tycho.nsa.gov>
.SH "SEE ALSO"
.BR avc_open (3),
.BR selinux_set_callback (3),
.BR selinux (8)
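Review bot: the NAME line uses a plain "-" between the function name and its description where the other pages in this directory use "\-" (a bare hyphen in troff is a hyphenation point, not a dash). NOTES refers to .B avc_destroy with no section number; make it .BR avc_destroy (3) like the other cross-references, since it is documented on the avc_open page already listed in SEE ALSO.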

@ -0,0 +1,70 @@
.\" Hey Emacs! This file is -*- nroff -*- source.
.\"
.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2008
.TH "avc_open" "3" "12 Jun 2008" "" "SELinux API documentation"
.SH "NAME"
avc_open, avc_destroy, avc_reset, avc_cleanup \- userspace SELinux AVC setup and teardown.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.B #include <selinux/avc.h>
.sp
.BI "int avc_open(struct selinux_opt *" options ", unsigned " nopt ");"
.sp
.BI "void avc_destroy(void);"
.sp
.BI "int avc_reset(void);"
.sp
.BI "void avc_cleanup(void);"
.SH "DESCRIPTION"
.B avc_open
initializes the userspace AVC and must be called before any other AVC operation can be performed.
.B avc_destroy
destroys the userspace AVC, freeing all internal memory structures. After this call has been made,
.B avc_open
must be called again before any AVC operations can be performed.
.B avc_reset
flushes the userspace AVC, causing it to forget any cached access decisions. The userspace AVC normally calls this function automatically when needed, see
.B NETLINK NOTIFICATION
below.
.B avc_cleanup
forces the userspace AVC to search for and free all unused SID's and any access decision entries that refer to them. Normally, the userspace AVC lazily reclaims unused SID's.
.SH "OPTIONS"
The userspace AVC obeys callbacks set via
.BR selinux_set_callback (3),
in particular the logging and audit callbacks.
The options which may be passed to
.B avc_open
include the following:
.TP
.B AVC_OPT_SETENFORCE
This option forces the userspace AVC into enforcing mode if the option value is non-NULL; permissive mode otherwise. The system enforcing mode will be ignored.
.SH "NETLINK NOTIFICATION"
Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink. Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively. The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of
.BR avc_has_perm (3)
to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification. Audit messages are produced when netlink notifications are processed.
.SH "RETURN VALUE"
Functions with a return value return zero on success. On error, \-1 is returned and
.I errno
is set appropriately.
.SH "AUTHOR"
Eamon Walsh <ewalsh@tycho.nsa.gov>
.SH "SEE ALSO"
.BR selinux (8),
.BR avc_has_perm (3),
.BR avc_context_to_sid (3),
.BR avc_cache_stats (3),
.BR avc_add_callback (3),
.BR selinux_set_callback (3),
.BR security_compute_av (3)
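Review bot: OPTIONS describes AVC_OPT_SETENFORCE in terms of "the option value" being non-NULL, but the page never says how struct selinux_opt is laid out (which field holds the option type and which the value), so a reader cannot build the options array from this page alone; either describe the structure or point to where it is documented. The NETLINK NOTIFICATION section is a verbatim copy of the one in avc_init.3; consider keeping it in one place and cross-referencing from the other.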

@ -0,0 +1 @@
.so man3/avc_open.3

@ -0,0 +1 @@
.so man3/avc_cache_stats.3

@ -0,0 +1 @@
.so man3/avc_context_to_sid.3

@ -0,0 +1 @@
.so man3/security_compute_av.3

@ -0,0 +1 @@
.so man3/context_new.3

@ -0,0 +1,61 @@
.TH "context_new" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API documentation"
.SH "NAME"
context_new, context_str, context_free, context_type_get, context_type_set, context_range_get, context_range_set,context_role_get, context_role_set, context_user_get, context_user_set \- Routines to manipulate SELinux security contexts
.SH "SYNOPSIS"
.B #include <selinux/context.h>
.B "context_t context_new(const char *" context_str );
.B "const char * context_str(context_t " con );
.B "void context_free(context_t " con );
.B "const char * context_type_get(context_t " con );
.B "const char * context_range_get(context_t " con );
.B "const char * context_role_get(context_t " con );
.B "const char * context_user_get(context_t " con );
.B "const char * context_type_set(context_t " con ", const char* " type);
.B "const char * context_range_set(context_t " con ", const char* " range);
.B "const char * context_role_set(context_t " con ", const char* " role );
.B "const char * context_user_set(context_t " con ", const char* " user );
.SH "DESCRIPTION"
These functions allow an application to manipulate the fields of a
security context string without requiring it to know the format of the
string.
context_new
Return a new context initialized to a context string
context_str
Return a pointer to the string value of the context_t
Valid until the next call to context_str or context_free
for the same context_t*
context_free
Free the storage used by a context
context_type_get, context_range_get, context_role_get, context_user_get
Get a pointer to the string value of a context component
NOTE: Values returned by the get functions are only valid until the next call
to a set function or context_free() for the same context_t structure.
context_type_set, context_range_set, context_role_set, context_user_set
Set a context component
.SH "RETURN VALUE"
On success, zero is returned. On failure, -1 is returned and errno is
set appropriately.
.SH "SEE ALSO"
.BR selinux "(8)"
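Review bot: the synopsis declares context_type_set, context_range_set, context_role_set and context_user_set as returning const char *, but RETURN VALUE says zero is returned on success and -1 on failure, which only fits an int return; one of the two is wrong. The NAME line is missing a space in "context_range_set,context_role_get", and the context_str note says "for the same context_t*" where the stray "*" should go. DESCRIPTION also lacks the .TP/.B markup the other pages use for per-function entries, so the function names will run straight into their descriptions when rendered.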

@ -0,0 +1 @@
.so man3/context_new.3

@ -0,0 +1 @@
.so man3/context_new.3

@ -0,0 +1 @@
.so man3/context_new.3

@ -0,0 +1 @@
.so man3/context_new.3

@ -0,0 +1 @@
.so man3/context_new.3

@ -0,0 +1 @@
.so man3/context_new.3

@ -0,0 +1 @@
.so man3/context_new.3

@ -0,0 +1 @@
.so man3/context_new.3

@ -0,0 +1,25 @@
.TH "freecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
freecon, freeconary \- free memory associated with SELinux security contexts.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "void freecon(security_context_t "con );
.BI "void freeconary(security_context_t *" con );
.SH "DESCRIPTION"
.B freecon
frees the memory allocated for a security context.
.B freeconary
frees the memory allocated for a context array.
If
.I con
is NULL, no operation is performed.
.SH "SEE ALSO"
.BR selinux "(8)"
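Review bot: in the freecon prototype the closing quote sits as 'security_context_t "con );' with no space after it, unlike the freeconary line ('*" con );'), so the .BI bold/italic alternation differs between the two lines; write it as .BI "void freecon(security_context_t " con ");" for matching output. The sentence "If con is NULL, no operation is performed" follows only the freeconary paragraph; say whether it applies to both functions.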

@ -0,0 +1 @@
.so man3/freecon.3

@ -0,0 +1 @@
.so man3/setfilecon.3

@ -0,0 +1 @@
.so man3/get_ordered_context_list.3

@ -0,0 +1 @@
.so man3/get_ordered_context_list.3

@ -0,0 +1 @@
.so man3/get_ordered_context_list.3

@ -0,0 +1 @@
.so man3/get_ordered_context_list.3

@ -0,0 +1,80 @@
.TH "get_ordered_context_list" "3" "1 January 2004" "russell@coker.com.au" "SELinux"
.SH "NAME"
get_ordered_context_list, get_ordered_context_list_with_level, get_default_context, get_default_context_with_level, get_default_context_with_role, get_default_context_with_rolelevel, query_user_context, manual_user_enter_context, get_default_role \- determine SELinux context(s) for user sessions
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.B #include <selinux/get_context_list.h>
.sp
.BI "int get_ordered_context_list(const char *" user ", security_context_t "fromcon ", security_context_t **" list );
.sp
.BI "int get_ordered_context_list_with_level(const char *" user ", const char *" level ", security_context_t "fromcon ", security_context_t **" list );
.sp
.BI "int get_default_context(const char *" user ", security_context_t "fromcon ", security_context_t *" newcon );
.sp
.BI "int get_default_context_with_level(const char *" user ", const char *" level ", security_context_t "fromcon ", security_context_t *" newcon );
.sp
.BI "int get_default_context_with_role(const char* " user ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
.sp
.BI "int get_default_context_with_rolelevel(const char* " user ", const char* " level ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
.sp
.BI "int query_user_context(security_context_t *" list ", security_context_t *" newcon );
.sp
.BI "int manual_user_enter_context(const char *" user ", security_context_t *" newcon );
.sp
.BI "int get_default_type(const char *" role ", char **" type );
.SH "DESCRIPTION"
.B get_ordered_context_list
invokes the
.B security_compute_user
function to obtain the list of contexts for the specified
.I user
that are reachable from the specified
.I fromcon
context. The function then orders the resulting list based on the global
.B /etc/selinux/<SELINUXTYPE>/contexts/default_contexts
file and the per-user
.B /etc/selinux/<SELINUXTYPE>/contexts/users/<username>
file if it exists. The
.I fromcon
parameter may be NULL to indicate that the current context should
be used. The function returns the number of contexts in the
list, or -1 upon errors. The list must be freed using the
.B freeconary
function.
.B get_ordered_context_list_with_level
invokes the get_ordered_context_list function and applies the specified level.
.B get_default_context
is the same as get_ordered_context_list but only returns a single context
which has to be freed with freecon.
.B get_default_context_with_level
invokes the get_default_context function and applies the specified level.
.B get_default_context_with_role
is the same as get_default_context but only returns a context with the specified role, returning -1 if no such context is reachable for the user.
.B get_default_context_with_rolelevel
invokes the get_default_context_with_role function and applies the specified level.
.B query_user_context
takes a list of contexts, queries the user via stdin/stdout as to which context
they want, and returns a new context as selected by the user (which has to be
freed with freecon).
.B manual_user_enter_context
allows the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained. Caller must free via freecon.
.B get_default_type
Get the default type (domain) for 'role' and set 'type' to refer to it, which has to be freed with free.
.SH "RETURN VALUE"
get_ordered_context_list and get_ordered_context_list_with_level return the number of contexts in the list upon success or -1 upon errors.
The other functions return 0 for success or -1 for errors.
.SH "SEE ALSO"
.BR selinux "(8), " freeconary "(3), " freecon "(3), " security_compute_av "(3)", getseuserbyname"(3)"
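Review bot: the NAME line lists get_default_role, but the synopsis and DESCRIPTION document get_default_type; one of them needs correcting. The .TH line gives the fifth field as "SELinux" where the other pages use "SELinux API documentation". The SEE ALSO line has broken quoting: security_compute_av "(3)", getseuserbyname"(3)" puts the comma outside a quoted argument and drops the space before the section, so it will not render like the preceding entries; the two prototypes ending in "); also leave an unclosed quote. The get_default_type entry ("Get the default type ... and set 'type' to refer to it") is written in the imperative, unlike the rest of DESCRIPTION.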

@ -0,0 +1 @@
.so man3/get_ordered_context_list.3

@ -0,0 +1,62 @@
.TH "getcon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
getcon, getprevcon, getpidcon \- get SELinux security context of a process.
getpeercon - get security context of a peer socket.
setcon - set current security context of a process.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int getcon(security_context_t *" context );
.BI "int getprevcon(security_context_t *" context );
.BI "int getpidcon(pid_t " pid ", security_context_t *" context );
.BI "int getpeercon(int " fd ", security_context_t *" context);
.BI "int setcon(security_context_t " context);
.SH "DESCRIPTION"
.B getcon
retrieves the context of the current process, which must be free'd with
freecon.
.B getprevcon
same as getcon but gets the context before the last exec.
.B getpidcon
returns the process context for the specified PID.
.B getpeercon
retrieves context of peer socket, and set *context to refer to it, which must be free'd with freecon.
.B setcon
sets the current security context of the process to a new value. Note
that use of this function requires that the entire application be
trusted to maintain any desired separation between the old and new
security contexts, unlike exec-based transitions performed via
setexeccon(3). When possible, decompose your applicaiton and use
setexeccon() and execve() instead.
Since access to file descriptors is revalidated upon use by SELinux,
the new context must be explicitly authorized in the policy to use the
descriptors opened by the old context if that is desired. Otherwise,
attempts by the process to use any existing descriptors (including
stdin, stdout, and stderr) after performing the setcon() will fail.
A multi-threaded application can perform a setcon() prior to creating
any child threads, in which case all of the child threads will inherit
the new context. However, setcon() will fail if there are any other
threads running in the same process.
If the process was being ptraced at the time of the setcon()
operation, ptrace permission will be revalidated against the new
context and the setcon() will fail if it is not allowed by policy.
.SH "RETURN VALUE"
On error -1 is returned. On success 0 is returned.
.SH "SEE ALSO"
.BR selinux "(8), " freecon "(3), " setexeccon "(3)"
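Review bot: missing documentation in DESCRIPTION: getprevcon and getpidcon do not say that the returned context must be released with freecon, although getcon and getpeercon do; add it so callers do not leak. Typo in the setcon paragraph, "decompose your applicaiton" should be "application", and "free'd" in the getcon and getpeercon entries should be "freed". Formatting: the NAME section mixes `\-` on its first line with a plain `-` on the next two, and the getpeercon and setcon prototypes put the closing `);` outside the quoted string unlike the three prototypes above them.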

View file

@ -0,0 +1,60 @@
.TH "getexeccon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
getexeccon, setexeccon \- get or set the SELinux security context used for executing a new process.
rpm_execcon \- run a helper for rpm in an appropriate security context
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int getexeccon(security_context_t *" context );
.BI "int setexeccon(security_context_t "context );
.BI "int rpm_execcon(unsigned int " verified ", const char *" filename ", char *const " argv "[] , char *const " envp "[]);
.SH "DESCRIPTION"
.B getexeccon
retrieves the context used for executing a new process.
This returned context should be freed with freecon if non-NULL.
getexeccon sets *con to NULL if no exec context has been explicitly
set by the program (i.e. using the default policy behavior).
.B setexeccon
sets the context used for the next execve call.
NULL can be passed to
setexeccon to reset to the default policy behavior.
The exec context is automatically reset after the next execve, so a
program doesn't need to explicitly sanitize it upon startup.
setexeccon can be applied prior to library
functions that internally perform an execve, e.g. execl*, execv*, popen,
in order to set an exec context for that operation.
Note: Signal handlers that perform an execve must take care to
save, reset, and restore the exec context to avoid unexpected behavior.
.B rpm_execcon
runs a helper for rpm in an appropriate security context. The
verified parameter should contain the return code from the signature
verification (0 == ok, 1 == notfound, 2 == verifyfail, 3 ==
nottrusted, 4 == nokey), although this information is not yet used by
the function. The function determines the proper security context for
the helper based on policy, sets the exec context accordingly, and
then executes the specified filename with the provided argument and
environment arrays.
.SH "RETURN VALUE"
On error -1 is returned.
On success getexeccon and setexeccon returns 0.
rpm_execcon only returns upon errors, as it calls execve(2).
.SH "SEE ALSO"
.BR selinux "(8), " freecon "(3), " getcon "(3)"
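Review bot: the getexeccon description refers to "*con" ("getexeccon sets *con to NULL") but the SYNOPSIS names the parameter `context`; use one name in both places. In RETURN VALUE, "getexeccon and setexeccon returns 0" should be "return 0". The setexeccon prototype `security_context_t "context );` is missing the space before the parameter name that the other prototypes have.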

View file

@ -0,0 +1,42 @@
.TH "getfilecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
getfilecon, fgetfilecon, lgetfilecon \- get SELinux security context of a file
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int getfilecon(const char *" path ", security_context_t *" con );
.BI "int lgetfilecon(const char *" path ", security_context_t *" con );
.BI "int fgetfilecon(int "fd ", security_context_t *" con );
.SH "DESCRIPTION"
.B getfilecon
retrieves the context associated with the given path in the file system, the
length of the context is returned.
.B lgetfilecon
is identical to getfilecon, except in the case of a symbolic link, where the
link itself is interrogated, not the file that it refers to.
.B fgetfilecon
is identical to getfilecon, only the open file pointed to by filedes (as
returned by open(2)) is interrogated in place of path.
The returned context should be freed with freecon if non-NULL.
.SH "RETURN VALUE"
On success, a positive number is returned indicating the size of the
extended attribute value. On failure, \-1 is returned and errno is set
appropriately.
If the context does not exist, or the process has no access to
this attribute, errno is set to ENODATA.
If extended attributes are not supported by the filesystem, or are dis\-
abled, errno is set to ENOTSUP.
The errors documented for the stat(2) system call are also applicable
here.
.SH "SEE ALSO"
.BR selinux "(8), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
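Review bot: in the ENOTSUP sentence the source has `dis\-` at the end of one line and `abled` at the start of the next; troff joins source lines with a space, so this renders as "dis- abled". Write "disabled" on one line. The fgetfilecon paragraph says "the open file pointed to by filedes" while the SYNOPSIS names the parameter `fd`. The getfilecon sentence "retrieves the context associated with the given path in the file system, the length of the context is returned" is a comma splice; say "and returns its length" instead.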

View file

@ -0,0 +1,38 @@
.TH "getfscreatecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
getfscreatecon, setfscreatecon \- get or set the SELinux security context used for creating a new file system object.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int getfscreatecon(security_context_t *" con );
.BI "int setfscreatecon(security_context_t "context );
.SH "DESCRIPTION"
.B getfscreatecon
retrieves the context used for creating a new file system object.
This returned context should be freed with freecon if non-NULL.
getfscreatecon sets *con to NULL if no fscreate context has been explicitly
set by the program (i.e. using the default policy behavior).
.B setfscreatecon
sets the context used for creating a new file system object.
NULL can be passed to
setfscreatecon to reset to the default policy behavior.
The fscreate context is automatically reset after the next execve, so a
program doesn't need to explicitly sanitize it upon startup.
setfscreatecon can be applied prior to library
functions that internally perform an file creation,
in order to set an file context on the objects.
Note: Signal handlers that perform an setfscreate must take care to
save, reset, and restore the fscreate context to avoid unexpected behavior.
.SH "RETURN VALUE"
On error -1 is returned.
On success 0 is returned.
.SH "SEE ALSO"
.BR selinux "(8), " freecon "(3), " getcon "(3), " getexeccon "(3)"
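Review bot: grammar in the setfscreatecon paragraph: "an file creation" and "an file context" should be "a file creation" and "a file context", and "Signal handlers that perform an setfscreate" (carried over from getexeccon's "perform an execve") should describe what the handler does on this page, namely creating file system objects. The SYNOPSIS names the parameter `con` for getfscreatecon but `context` for setfscreatecon, and the latter prototype is missing the space before the name.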

View file

@ -0,0 +1 @@
.so man3/getcon.3

View file

@ -0,0 +1 @@
.so man3/getcon.3

View file

@ -0,0 +1 @@
.so man3/getcon.3

View file

@ -0,0 +1,28 @@
.TH "getseuserbyname" "3" "29 September 2005" "dwalsh@redhat.com" "SELinux API documentation"
.SH "NAME"
getseuserbyname \- get SELinux username and level for a given Linux username
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int getseuserbyname(const char *" linuxuser ", char **" selinuxuser ", char **" level ");
.SH "DESCRIPTION"
.B getseuserbyname
retrieves the SELinux username and security level associated with
a given Linux username. The SELinux username and security level can
then be passed to other libselinux functions such as
get_ordered_context_list_with_level and get_default_context_with_level.
The returned SELinux username and level should be freed by the caller
using free.
.SH "RETURN VALUE"
On success, 0 is returned.
On failure, \-1 is returned and errno is set appropriately.
The errors documented for the stat(2) system call are also applicable
here.
.SH "SEE ALSO"
.BR selinux "(8)"
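Review bot: the prototype line ends with `level ");` which opens a quoted string and never closes it; write `", char **" level ");"` as the other pages in this commit do.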

View file

@ -0,0 +1,25 @@
.TH "is_context_customizable" "3" "10 January 2005" "dwalsh@redhat.com" "SELinux API documentation"
.SH "NAME"
is_context_customizable \- check whether SELinux context type is customizable by the administrator.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.B int is_context_customizable(security_context_t scon);
.SH "DESCRIPTION"
.B is_context_customizable
This function checks whether the type of scon is in the /etc/selinux/SELINUXTYPE/context/customizable_types file. A customizable type is a file context type that
administrators set on files, usually to allow certain domains to share the file content. restorecon and setfiles, by default, leave these context in place.
.SH "RETURN VALUE"
returns 1 if security context is customizable or 0 if it is not.
returns -1 on error
.SH "FILE"
/etc/selinux/SELINUXTYPE/context/customizable_types
.SH "SEE ALSO"
.BR selinux "(8)"
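Review bot: the path given in DESCRIPTION and FILE, /etc/selinux/SELINUXTYPE/context/customizable_types, spells the directory "context" while the matchmediacon page in this same commit uses "contexts" (/etc/selinux/POLICYTYPE/contexts/files/media), and the two pages also use different placeholders (SELINUXTYPE vs POLICYTYPE); settle on one spelling and one placeholder so administrators can find the file. Worth stating the consequence of the last sentence explicitly: because restorecon and setfiles leave customizable types in place, an object labelled with one of them is not reset to the file_contexts default by a relabel, so such labels persist until changed by hand. Formatting: `.B is_context_customizable` is immediately followed by "This function checks", which renders as "is_context_customizable This function checks"; drop "This function". "leave these context in place" should be "contexts", "returns -1 on error" lacks a full stop, and `.SH "FILE"` is conventionally `.SH "FILES"`.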

View file

@ -0,0 +1,15 @@
.TH "is_selinux_enabled" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
is_selinux_enabled \- check whether SELinux is enabled
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.B int is_selinux_enabled();
.SH "DESCRIPTION"
.B is_selinux_enabled
returns 1 if SELinux is running or 0 if it is not. May change soon.
.SH "SEE ALSO"
.BR selinux "(8)"
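Review bot: the prototype `int is_selinux_enabled();` should be `int is_selinux_enabled(void);`; an empty parameter list in C is an unprototyped declaration. "May change soon." tells the reader nothing: either describe the planned change or drop the sentence. There is no RETURN VALUE section and the description covers only 1 and 0; if any other value can be returned it must be documented, since callers use this check to decide whether to apply the rest of the API at all.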

View file

@ -0,0 +1 @@
.so man3/setfilecon.3

View file

@ -0,0 +1 @@
.so man3/get_ordered_context_list.3

View file

@ -0,0 +1,26 @@
.TH "matchmediacon" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API documentation"
.SH "NAME"
matchmediacon \- get the default SELinux security context for the specified mediatype from the policy.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int matchmediacon(const char *" media ", security_context_t *" con);"
.SH "DESCRIPTION"
.B matchmediacon
matches the specified media type with the media contexts configuration and sets the security context "con" to refer to the resulting context.
.sp
.B Note:
Caller must free returned security context "con" using freecon.
.SH "RETURN VALUE"
Returns 0 on success or -1 otherwise.
.SH Files
/etc/selinux/POLICYTYPE/contexts/files/media
.SH "SEE ALSO"
.BR selinux "(8), " freecon "(3)
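Review bot: two quoting errors: the prototype ends with `con);"`, a stray closing quote, and the SEE ALSO line `.BR selinux "(8), " freecon "(3)` never closes its last string. `.SH Files` should be `.SH "FILES"` to match the other pages, and the POLICYTYPE placeholder differs from the SELINUXTYPE placeholder used by is_context_customizable in this commit.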

View file

@ -0,0 +1,120 @@
.TH "matchpathcon" "3" "16 March 2005" "sds@tycho.nsa.gov" "SELinux API documentation"
.SH "NAME"
matchpathcon \- get the default SELinux security context for the specified path from the file contexts configuration.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int matchpathcon_init(const char *" path ");"
.BI "int matchpathcon_fini(void);"
.BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con);
.sp
.BI "void set_matchpathcon_printf(void (*" f ")(const char *" fmt ", ...));"
.BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *"path ", unsigned " lineno ", char * " context "));"
.BI "void set_matchpathcon_flags(unsigned int " flags ");"
.SH "DESCRIPTION"
.B matchpathcon_init
loads the file contexts configuration specified by
.I path
into memory for use by subsequent
.B matchpathcon
calls. If
.I path
is NULL, then the active file contexts configuration is loaded by default,
i.e. the path returned by
.B selinux_file_context_path(3).
Unless the
.B MATCHPATHCON_BASEONLY
flag has been set via
.B set_matchpathcon_flags,
files with the same path prefix but a
.B .homedirs
and
.B .local
suffix are also looked up and loaded if present. These files provide
dynamically generated entries for user home directories and for local
customizations.
.sp
.B matchpathcon_fini
frees the memory allocated by a prior call to
.B matchpathcon_init.
This function can be used to free and reset the internal state between multiple
.B matchpathcon_init
calls, or to free memory when finished using
.B matchpathcon.
.sp
.B matchpathcon
matches the specified pathname and mode against the file contexts
configuration and sets the security context
.I con
to refer to the
resulting context. The caller must free the returned security context
.I con
using freecon when finished using it.
.I mode
can be 0 to disable mode matching, but
should be provided whenever possible, as it may affect the matching.
Only the file format bits (i.e. the file type) of the
.I mode
are used.
If
.B matchpathcon_init
has not already been called, then this function will call it upon
its first invocation with a NULL
.I path,
defaulting to the active file contexts configuration.
.sp
.B set_matchpathcon_printf
sets the function used by
.B matchpathcon_init
when displaying errors about the file contexts configuration. If not set,
then this defaults to fprintf(stderr, fmt, ...). This can be set to redirect
error reporting to a different destination.
.sp
.B set_matchpathcon_invalidcon
sets the function used by
.B matchpathcon_init
when checking the validity of a context in the file contexts
configuration. If not set, then this defaults to a test based
on
.B security_check_context(3),
which checks validity against the active policy on a SELinux system.
This can be set to instead perform checking based on a binary policy file,
e.g. using
.B sepol_check_context(3),
as is done by
.B setfiles -c.
The function is also responsible for reporting any such error, and
may include the
.I path
and
.I lineno
in such error messages.
.sp
.B set_matchpathcon_flags
sets flags controlling the operation of
.B matchpathcon_init
or
.B matchpathcon.
If the
.B MATCHPATHCON_BASEONLY
flag is set, then only the base file contexts configuration file
will be processed, not any dynamically generated entries or local customizations.
.sp
.SH "RETURN VALUE"
Returns 0 on success or -1 otherwise.
.SH "SEE ALSO"
.BR selinux "(8), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
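Review bot: missing documentation for set_matchpathcon_invalidcon: the SYNOPSIS shows the callback returning int, but the text only says it checks validity and reports errors, not what its return value means to matchpathcon_init (whether a non-zero return aborts loading or just skips the entry). That matters for the `setfiles -c` use case the page cites, where the caller relies on invalid contexts being rejected. Formatting nits: the `.sp` directly before `.SH "RETURN VALUE"` is redundant, the matchpathcon prototype lacks the trailing `");"` its neighbours have, and `(const char *"path "` in the set_matchpathcon_invalidcon prototype is missing the space before the name.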

View file

@ -0,0 +1 @@
.so man3/get_ordered_context_list.3

View file

@ -0,0 +1 @@
.so man3/getexeccon.3

View file

@ -0,0 +1 @@
.so man3/security_class_to_string.3

View file

@ -0,0 +1 @@
.so man3/security_class_to_string.3

View file

@ -0,0 +1,16 @@
.TH "security_check_context" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
security_check_context \- check the validity of a SELinux context
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int security_check_context(security_context_t "con );
.SH "DESCRIPTION"
.B security_check_context
returns 0 if SELinux is running and the context is valid, otherwise it
returns -1.
.SH "SEE ALSO"
.BR selinux "(8)"
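Review bot: the description folds two different failures into one result, "returns 0 if SELinux is running and the context is valid, otherwise it returns -1", so a caller cannot tell an invalid context from SELinux not running. Say how to distinguish them (for instance by calling is_selinux_enabled, documented in this commit, first) and add a RETURN VALUE section like the other pages. The prototype `security_context_t "con );` is missing the space before the name.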

View file

@ -0,0 +1,80 @@
.\" Hey Emacs! This file is -*- nroff -*- source.
.\"
.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
.TH "security_class_to_string" "3" "30 Mar 2007" "" "SELinux API documentation"
.SH "NAME"
security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string \- convert
between SELinux class and permission values and string names.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.B #include <selinux/flask.h>
.sp
.BI "const char * security_class_to_string(security_class_t " tclass ");"
.sp
.BI "const char * security_av_perm_to_string(security_class_t " tclass ", access_vector_t " av ");"
.sp
.BI "int security_av_string(security_class_t " tclass ", access_vector_t " av ", char **" result ");"
.sp
.BI "security_class_t string_to_security_class(const char *" name ");"
.sp
.BI "access_vector_t string_to_av_perm(security_class_t " tclass ", const char *" name ");"
.SH "DESCRIPTION"
.B security_class_to_string
returns a string name for class
.IR tclass ,
or NULL if the class is invalid. The returned string must not be modified or freed.
.B security_av_perm_to_string
returns a string name for the access vector bit
.I av
of class
.IR tclass ,
or NULL if either argument is invalid. The returned string must not be modified or freed.
.B security_av_string
computes a full access vector string representation using
.I tclass
and
.IR av ,
which may have multiple bits set. The string is returned in the memory pointed to by
.IR result ,
and should be freed by the caller using
.BR free (3).
.B string_to_security_class
returns the class value corresponding to the string name
.IR name ,
or zero if no such class exists.
.B string_to_av_perm
returns the access vector bit corresponding to the string name
.I name
and security class
.IR tclass ,
or zero if no such value exists.
.SH "RETURN VALUE"
.B security_av_string
returns returns zero on success or \-1 on error with
.I errno
set appropriately. All other functions return zero or NULL on error.
.SH "ERRORS"
.TP
.B EINVAL
A class or access vector argument is not recognized by the currently loaded policy.
.TP
.B ENOMEM
An attempt to allocate memory failed.
.SH "AUTHOR"
Eamon Walsh <ewalsh@tycho.nsa.gov>
.SH "SEE ALSO"
.BR selinux (8),
.BR getcon (3),
.BR getfilecon (3)
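Review bot: "returns returns zero on success" in RETURN VALUE duplicates the word. The ERRORS section lists EINVAL and ENOMEM, but the text only says that security_av_string sets errno; state whether the functions that return NULL or zero also set it, otherwise a caller cannot distinguish "no such class or permission" from a failed lookup.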

View file

@ -0,0 +1 @@
.so man3/security_load_booleans.3

View file

@ -0,0 +1,68 @@
.TH "security_compute_av" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
security_compute_av, security_compute_create, security_compute_relabel,
security_compute_member, security_compute_user, security_get_initial_context \- query
the SELinux policy database in the kernel.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.B #include <selinux/flask.h>
.sp
.BI "int security_compute_av(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd );
.sp
.BI "int security_compute_create(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon );
.sp
.BI "int security_compute_relabel(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon );
.sp
.BI "int security_compute_member(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon );
.sp
.BI "int security_compute_user(security_context_t "scon ", const char *" username ", security_context_t **" con );
.sp
.BI "int security_get_initial_context(const char *" name ", security_context_t
"con );
.sp
.BI "int checkPasswdAccess(access_vector_t " requested );
.SH "DESCRIPTION"
.B security_compute_av
queries whether the policy permits the source context
.B scon
to access the target context
.B tcon
via class
.B tclass
with the
.B requested
access vector. See the cron source for a usage example.
.B security_compute_create
is used to compute a context to use for labeling a new object in a particular
class based on a SID pair.
.B security_compute_relabel
is used to compute the new context to use when relabeling an object, it is used
in the pam_selinux.so source and the newrole source to determine the correct
label for the tty at login time, but can be used for other things.
.B security_compute_member
is used to compute the context to use when labeling a polyinstantiated object
instance.
.B security_compute_user
is used to determine the set of user contexts that can be reached from a
source context. Is mainly used by
.B get_ordered_context_list.
.B security_get_initial_context
is used to get the context of a kernel initial security identifier specified by
.I name
.B checkPasswdAccess
This functions is a helper functions that allows you to check for a permission in the passwd class. checkPasswdAccess uses getprevcon() for the source and target security contexts.
.SH "RETURN VALUE"
0 for success and on error -1 is returned.
.SH "SEE ALSO"
.BR selinux "(8), " getcon "(3), " getfilecon "(3), " get_ordered_context_list "(3)"
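Review bot: the security_get_initial_context prototype is split across two source lines inside a .BI string (`", security_context_t` followed by `"con );` on the next line), which breaks the macro's arguments; join it onto one line. checkPasswdAccess appears in SYNOPSIS and DESCRIPTION but not in the NAME line. The `avd` parameter of security_compute_av is never described: RETURN VALUE says "0 for success", which a reader may take to mean the access is permitted, whereas 0 only means the query completed and the decision itself is in the av_decision structure the caller passed in; say so and describe the structure here rather than pointing at the cron source. "based on a SID pair" in the security_compute_create entry is the wrong term for an API that takes security_context_t arguments. Grammar: "Is mainly used by" lacks a subject, and "This functions is a helper functions that allows you" should be "This function is a helper that allows you".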

View file

@ -0,0 +1 @@
.so man3/security_compute_av.3

View file

@ -0,0 +1 @@
.so man3/security_compute_av.3

View file

@ -0,0 +1 @@
.so man3/security_compute_av.3

Some files were not shown because too many files have changed in this diff