libsepol: Move secilc out of libsepol

Since the secilc compiler is independent of libsepol, move secilc out of
libsepol. Linke secilc dynamically rather than statically with libsepol.

- Move secilc source, test policies, docs, and secilc manpage to secilc
  directory.
- Remove unneeded Makefile from libsepol/cil. To build secilc, run make
  in the secilc directory.
- Add target to install the secilc binary to /usr/bin/.
- Create an Android makefile for secilc and move secilc out of libsepol
  Android makefile.
- Add cil_set_mls to libsepol public API as it is needed by secilc.
- Remove policy.conf from testing since it is no longer used.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>

Makefile

@@ -1,4 +1,4 @@
-SUBDIRS=libsepol libselinux libsemanage sepolgen checkpolicy policycoreutils # policy
+SUBDIRS=libsepol libselinux libsemanage sepolgen checkpolicy secilc policycoreutils # policy
 PYSUBDIRS=libselinux libsemanage
 DISTCLEANSUBIDRS=libselinux libsemanage
 

libsepol/Android.mk

@@ -135,18 +135,3 @@ LOCAL_SRC_FILES := $(common_src_files)
 LOCAL_MODULE_CLASS := STATIC_LIBRARIES
 
 include $(BUILD_STATIC_LIBRARY)
-
-##
-# secilc
-#
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := secilc
-LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := $(common_includes)
-LOCAL_CFLAGS := $(common_cflags)
-LOCAL_SRC_FILES := cil/secilc.c
-LOCAL_STATIC_LIBRARIES := libsepol
-LOCAL_MODULE_CLASS := EXECUTABLES
-
-include $(BUILD_HOST_EXECUTABLE)

libsepol/cil/Makefile

@@ -1,102 +0,0 @@
-PREFIX ?= $(DESTDIR)/usr
-LIBDIR ?= $(PREFIX)/lib
-SHLIBDIR ?= $(DESTDIR)/lib
-INCLUDEDIR ?= $(PREFIX)/include
-SRCDIR ?= ./src
-TESTDIR ?= ./test
-UNITDIR ?= $(TESTDIR)/unit
-LIBCILDIR ?= $(SRCDIR)
-
-LEX = flex
-
-DEBUG = 0
-
-SECILC = secilc
-
-UNIT = unit_tests
-
-SECILC_SRCS := secilc.c
-SECILC_OBJS := $(patsubst %.c,%.o,$(SECILC_SRCS))
-
-TEST_SRCS := $(wildcard $(UNITDIR)/*.c)
-TEST_OBJS := $(patsubst %.c,%.o,$(TEST_SRCS))
-
-LIBCIL_GENERATED := $(LIBCILDIR)/cil_lexer.c
-LIBCIL_SRCS  := $(wildcard $(LIBCILDIR)/*.c) $(LIBCIL_GENERATED)
-LIBCIL_OBJS := $(patsubst %.c,%.o,$(LIBCIL_SRCS))
-LIBCIL_INCLUDES := $(wildcard $(LIBCILDIR)/*.h)
-
-LIBCIL_STATIC := $(SRCDIR)/libcil.a
-
-LIBSEPOL_STATIC = /usr/lib/libsepol.a
-
-LIBS =
-LDFLAGS =
-COVCFLAGS = -fprofile-arcs -ftest-coverage -O0
-
-CFLAGS ?= -Wall -Wshadow -Wextra -Wundef -Wmissing-format-attribute -Wcast-align -Wstrict-prototypes -Wpointer-arith -Wunused
-
-ifeq ($(DEBUG),1)
-	override CFLAGS += -g3 -O0 -gdwarf-2 -fno-strict-aliasing -DDEBUG
-	override LDFLAGS += -g
-else
-	override CFLAGS += -O2
-endif
-
-override CFLAGS += -I./include -I$(INCLUDEDIR) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64
-
-ARCH := $(patsubst i%86,i386,$(shell uname -m))
-ifneq (,$(filter i386,$(ARCH)))
-	TLSFLAGS += -mno-tls-direct-seg-refs
-endif
-ifneq (,$(filter x86_64,$(ARCH)))
-	override LDFLAGS += -I/usr/lib64
-	override LIBSEPOL_STATIC = /usr/lib64/libsepol.a
-endif
-
-all: $(SECILC)
-
-%.o: %.c $(LIBCIL_INCLUDES)
-	$(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIBCIL_STATIC): $(LIBCIL_OBJS)
-	$(AR) rcs $@ $^
-	ranlib $@
-
-$(LIBCIL_GENERATED): $(LIBCILDIR)/cil_lexer.l
-	$(LEX) -t $< > $@
-
-$(UNIT): $(TEST_OBJS) $(LIBCIL_STATIC)
-	$(CC) $(CFLAGS) -o $@ $^ $(LIBCIL_STATIC) $(LIBSEPOL_STATIC) $(LDFLAGS)
-
-$(SECILC): $(SECILC_OBJS) $(LIBCIL_STATIC)
-	$(CC) $(CFLAGS) -o $@ $^ $(LIBCIL_STATIC) $(LIBSEPOL_STATIC) $(LDFLAGS)
-
-unit: $(SECILC) $(UNIT)
-
-# Requires lcov 1.9+ (--ignore-errors)
-coverage: CFLAGS += $(COVCFLAGS)
-coverage: clean unit
-	./unit_tests
-	test -d cov || mkdir cov
-	lcov --directory src --capture --output-file cov/app.info --ignore-errors source -b src
-	lcov --remove cov/app.info '/usr/include/*' --remove cov/app.info 'sepol/*' --output-file cov/app.info
-	genhtml -o ./cov/html ./cov/app.info
-
-test: $(SECILC)
-	./$(SECILC) test/policy.cil
-
-clean:
-	rm -f $(SECILC)
-	rm -f $(LIBCIL_STATIC)
-	rm -f $(TEST_OBJS) $(SECILC_OBJS)
-	rm -rf cov src/*.gcda src/*.gcno *.gcda *.gcno
-	rm -f $(LIBCIL_OBJS)
-
-bare: clean
-	rm -f $(LIBCIL_GENERATED)
-	rm -f $(UNIT)
-	rm -f policy.*
-	rm -f file_contexts
-
-.PHONY: all bare clean coverage test unit

libsepol/cil/test/policy.conf

@@ -1,143 +0,0 @@
-class file
-class process
-class char
-
-sid kernel
-sid security
-sid unlabeled
-
-common file {ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton }
-
-class file inherits file { execute_no_trans entrypoint execmod open audit_access }
-class char inherits file { foo transition }
-class process { open }
-
-sensitivity s0 alias sens0;
-sensitivity s1;
-
-dominance { s0 s1 }
-
-category c0 alias cat0;
-category c1;
-category c2;
-
-level s0:c0.c2;
-level s1:c0.c2;
-
-mlsconstrain file { open } (not (((l1 eq l2) and (u1 eq u2)) or (r1 eq r2)));
-mlsconstrain file { open } (((l1 eq l2) and (u1 eq u2)) or (r1 != r2));
-mlsconstrain file { open } (l1 dom h2);
-mlsconstrain file { open } (h1 domby l2);
-mlsconstrain file { open } (l1 incomp l2);
-
-mlsvalidatetrans file (h1 domby l2);
-
-attribute foo_type;
-attribute bar_type;
-attribute baz_type;
-attribute exec_type;
-
-type bin_t, bar_type, exec_type;
-type kernel_t, foo_type, exec_type, baz_type;
-type security_t, baz_type;
-type unlabeled_t, baz_type;
-
-type exec_t, baz_type;
-type console_t, baz_type;
-type auditadm_t, baz_type;
-type console_device_t, baz_type;
-type user_tty_device_t, baz_type;
-type device_t, baz_type;
-type getty_t, baz_type;
-type a_t, baz_type;
-type b_t, baz_type;
-
-typealias bin_t alias sbin_t;
-
-bool secure_mode false;
-bool console_login true;
-bool b1 false;
-
-role system_r;
-role user_r;
-role system_r types bin_t; 
-role system_r types kernel_t; 
-role system_r types security_t; 
-role system_r types unlabeled_t; 
-
-policycap open_perms;
-permissive device_t;
-
-range_transition device_t console_t : file s0:c0 - s1:c0.c1;
-
-type_transition device_t console_t : file console_device_t;
-type_member device_t bin_t : file exec_t;
-
-if console_login{
-	type_change auditadm_t console_device_t : file user_tty_device_t;
-}
-
-role_transition system_r bin_t user_r;
-
-auditallow device_t auditadm_t: file { open };
-dontaudit device_t auditadm_t: file { read };
-
-allow system_r user_r;
-
-allow console_t console_device_t: char { write setattr };
-allow console_t console_device_t: file { open read getattr };
-allow foo_type self: file { execute };
-allow bin_t device_t: file { execute };
-allow bin_t exec_t: file { execute };
-allow bin_t bin_t: file { execute };
-allow a_t b_t : file { write };
-allow console_t console_device_t: file { read write getattr setattr lock append };
-allow kernel_t kernel_t : file { execute };
-
-if b1 {
-	allow a_t b_t : file { read };
-}
-
-if secure_mode{
-	auditallow device_t exec_t: file { read write };
-}
-
-if console_login{
-	allow getty_t console_device_t: file { getattr open read write append };
-}
-else {
-	dontaudit getty_t console_device_t: file { getattr open read write append };
-}
-
-if (not ((secure_mode eq console_login) xor ((secure_mode or console_login) and secure_mode))){
-	allow bin_t exec_t: file { execute };
-}
-
-user system_u roles system_r level s0:c0 range s0:c0 - s1:c0,c1; 
-user user_u roles user_r level s0:c0 range s0:c0 - s0:c0;
-
-validatetrans file (t1 == exec_t);
-
-constrain char transition (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
-constrain file { open } (r1 dom r2);
-constrain file { open }	(r1 domby r2);
-constrain file { open }	(r1 incomp r2);
-constrain file { open read getattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
-constrain char { write setattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
-
-
-sid kernel system_u:system_r:kernel_t:s0:c0 - s1:c0,c1
-sid security system_u:system_r:security_t:s0:c0 - s1:c0,c1
-sid unlabeled system_u:system_r:unlabeled_t:s0:c0 - s1:c0,c1
-
-fs_use_xattr ext3 system_u:system_r:bin_t:s0:c0 - s1:c0,c1;
-
-genfscon proc /usr/bin system_u:system_r:bin_t:s0:c0 - s1:c0,c1
-
-portcon tcp 22 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
-portcon udp 25 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
-
-netifcon eth0 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
-
-nodecon 192.25.35.200 192.168.1.1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
-nodecon 2001:db8:ac10:fe01:: 2001:de0:da88:2222:: system_u:system_r:bin_t:s0:c0 - s1:c0,c1

libsepol/src/libsepol.map.in

@@ -44,5 +44,6 @@ LIBSEPOL_1.1 {
 	cil_filecons_to_string;
 	cil_set_target_platform;
 	cil_set_policy_version;
+	cil_set_mls;
   local: *;
 } LIBSEPOL_1.0;

secilc/.gitignore

@@ -0,0 +1,6 @@
+secilc
+secilc.8
+policy.*
+file_contexts
+docs/html
+docs/pdf

secilc/Android.mk

@@ -0,0 +1,31 @@
+LOCAL_PATH:= $(call my-dir)
+
+common_src_files := secilc.c
+
+common_cflags := \
+	-Wall -Wshadow -O2 \
+	-pipe -fno-strict-aliasing \
+	-Wno-return-type
+
+ifeq ($(HOST_OS), darwin)
+common_cflags += -DDARWIN
+endif
+
+common_includes := \
+	$(LOCAL_PATH)/../libsepol/cil/include/ \
+	$(LOCAL_PATH)/../libsepol/include/ \
+
+##
+# secilc
+#
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := secilc
+LOCAL_MODULE_TAGS := optional
+LOCAL_C_INCLUDES := $(common_includes)
+LOCAL_CFLAGS := $(common_cflags)
+LOCAL_SRC_FILES := ./secilc.c
+LOCAL_SHARED_LIRARIES := libsepol
+LOCAL_MODULE_CLASS := EXECUTABLES
+
+include $(BUILD_HOST_EXECUTABLE)

secilc/Makefile

@@ -0,0 +1,47 @@
+PREFIX ?= $(DESTDIR)/usr
+BINDIR ?= $(PREFIX)/bin
+MANDIR ?= $(PREFIX)/share/man
+LIBDIR ?= $(PREFIX)/lib
+INCLUDEDIR ?= $(PREFIX)/include
+
+LDLIBS = -lsepol -L$(LIBDIR)
+SECILC = secilc
+SECILC_SRCS := secilc.c
+SECILC_OBJS := $(patsubst %.c,%.o,$(SECILC_SRCS))
+
+# The secilc man page:
+MANPAGE = secilc.8
+XMLTO = xmlto
+
+CFLAGS ?= -Wall -Wshadow -Wextra -Wundef -Wmissing-format-attribute -Wcast-align -Wstrict-prototypes -Wpointer-arith -Wunused
+
+override CFLAGS += -I$(INCLUDEDIR) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64
+
+$(SECILC): $(SECILC_OBJS)
+	$(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS)
+
+all: $(SECILC) man
+
+test: $(SECILC)
+	./$(SECILC) test/policy.cil
+
+man: $(MANPAGE).xml
+	$(XMLTO) man $(MANPAGE).xml
+
+install: all man
+	-mkdir -p $(BINDIR)
+	-mkdir -p $(MANDIR)/man8
+	install -m 755 $(SECILC) $(BINDIR)
+	install -m 644 $(MANPAGE) $(MANDIR)/man8
+
+doc:
+	$(MAKE) -C docs
+
+clean:
+	rm -f $(SECILC)
+	rm -f $(SECILC_OBJS)
+	rm -f policy.*
+	rm -f file_contexts
+	rm -f $(MANPAGE)
+
+.PHONY: all clean test install doc

secilc/README

@@ -11,34 +11,30 @@ INTRODUCTION
 DEPENDENCIES
 
 	gcc >= 4.5.1
-	libsepol-static >= 2.1.4
-	lcov >= 1.9
-	flex >= 2.5.35
+	libsepol >= 2.4
 
 
 BUILD STEPS
 
-	Open a terminal client and execute the following command to download the source code:
-
-			git clone https://github.com/SELinuxProject/cil.git
-
-	Change directory into the "cil" directory.
 	Run "make" with one of the following targets:
 
 	make
-		Build the CIL compiler (secilc)
+		Build the CIL compiler (secilc).
 
-	make unit
-		Build the unit_test application to run unit tests
+	make test
+		Pass a sample policy to test with the compiler.
 
-	make coverage
-		Build the unit test binary and create coverage reports
+	make install
+		Install the secilc compiler and man page to disk.
 
 	make clean
-		Remove temporary build files
+		Remove temporary build files.
+
+	make man
+		Build the secilc man page.
 
 	make bare
-		Remove temporary build files and compile binaries
+		Remove temporary build files and compile binaries.
 
 
 USAGE

secilc/docs/Makefile

@@ -1,6 +1,5 @@
 HTMLDIR ?= ./html
 PDFDIR ?= ./pdf
-MAN8DIR ?= ./man8
 
 # The CIL Reference Guide first part
 CIL_REF_GUIDE = CIL_Reference_Guide.xml
@@ -9,10 +8,6 @@ FILE_LIST ?= $(CIL_REF_GUIDE) $(wildcard cil*.xml)
 # xmlto generates a *.proc file that can be removed.
 PROC_FILE = CIL_Reference_Guide.proc
 
-# The secilc man page:
-MANPAGE = secilc.8.xml
-
-
 # look for xmlto and dblatex packages
 XMLTO = $(shell which xmlto 2> /dev/null | grep / | head -n1)
 DBLATEX = $(shell which dblatex 2> /dev/null | grep / | head -n1)
@@ -22,7 +17,7 @@ ifeq ($(XMLTO),)
 $(error xmlto package not found - install package.)
 endif
 
-all: html pdf man
+all: html pdf
 
 html: $(FILE_LIST)
 	$(XMLTO) html $(CIL_REF_GUIDE)
@@ -41,10 +36,6 @@ endif
 	@for m in *.pdf; do if [ -f $$m ]; then mv $$m $(PDFDIR); fi; done
 	@rm -f $(PROC_FILE)
 
-
-man: $(MANPAGE)
-	$(XMLTO) man $(MANPAGE)
-	@mkdir -p $(MAN8DIR)
-	@for m in *.8; do if [ -f $$m ]; then mv $$m $(MAN8DIR); fi; done
-	@rm -f $(MANPAGE).proc
-
+clean:
+	@rm -rf html/
+	@rm -rf pdf/

secilc/secilc.c

@@ -34,7 +34,7 @@
 #include <getopt.h>
 #include <sys/stat.h>
 
-#include <cil/cil.h>
+#include <sepol/cil/cil.h>
 #include <sepol/policydb.h>
 
 void usage(char *prog)
@@ -210,13 +210,13 @@ int main(int argc, char *argv[])
 	for (i = optind; i < argc; i++) {
 		file = fopen(argv[i], "r");
 		if (!file) {
-			cil_log(CIL_ERR, "Could not open file: %s\n", argv[i]);
+			fprintf(stderr, "Could not open file: %s\n", argv[i]);
 			rc = SEPOL_ERR;
 			goto exit;
 		}
 		rc = stat(argv[i], &filedata);
 		if (rc == -1) {
-			cil_log(CIL_ERR, "Could not stat file: %s\n", argv[i]);
+			fprintf(stderr, "Could not stat file: %s\n", argv[i]);
 			goto exit;
 		}
 		file_size = filedata.st_size;	
@@ -224,7 +224,7 @@ int main(int argc, char *argv[])
 		buffer = malloc(file_size);
 		rc = fread(buffer, file_size, 1, file);
 		if (rc != 1) {
-			cil_log(CIL_ERR, "Failure reading file: %s\n", argv[i]);
+			fprintf(stderr, "Failure reading file: %s\n", argv[i]);
 			goto exit;
 		}
 		fclose(file);
@@ -232,7 +232,7 @@ int main(int argc, char *argv[])
 
 		rc = cil_add_file(db, argv[i], buffer, file_size);
 		if (rc != SEPOL_OK) {
-			cil_log(CIL_ERR, "Failure adding %s\n", argv[i]);
+			fprintf(stderr, "Failure adding %s\n", argv[i]);
 			goto exit;
 		}
 
@@ -242,13 +242,13 @@ int main(int argc, char *argv[])
 
 	rc = cil_compile(db);
 	if (rc != SEPOL_OK) {
-		cil_log(CIL_ERR, "Failed to compile cildb: %d\n", rc);
+		fprintf(stderr, "Failed to compile cildb: %d\n", rc);
 		goto exit;
 	}
 
 	rc = cil_build_policydb(db, &pdb);
 	if (rc != SEPOL_OK) {
-		cil_log(CIL_ERR, "Failed to build policydb\n");
+		fprintf(stderr, "Failed to build policydb\n");
 		goto exit;
 	}
 
@@ -256,29 +256,27 @@ int main(int argc, char *argv[])
 		int size = snprintf(NULL, 0, "policy.%d", policyvers);
 		output = malloc((size + 1) * sizeof(char));
 		if (output == NULL) {
-			cil_log(CIL_ERR, "Failed to create output filename\n");
+			fprintf(stderr, "Failed to create output filename\n");
 			rc = SEPOL_ERR;
 			goto exit;
 		}
 		if (snprintf(output, size + 1, "policy.%d", policyvers) != size) {
-			cil_log(CIL_ERR, "Failed to create output filename\n");
+			fprintf(stderr, "Failed to create output filename\n");
 			rc = SEPOL_ERR;
 			goto exit;
 		}
 	}
 
-	cil_log(CIL_INFO, "Writing binary to %s\n", output);
-
 	binary = fopen(output, "w");
 	if (binary == NULL) {
-		cil_log(CIL_ERR, "Failure opening binary file for writing\n");
+		fprintf(stderr, "Failure opening binary file for writing\n");
 		rc = SEPOL_ERR;
 		goto exit;
 	}
 
 	rc = sepol_policy_file_create(&pf);
 	if (rc != 0) {
-		cil_log(CIL_ERR, "Failed to create policy file: %d\n", rc);
+		fprintf(stderr, "Failed to create policy file: %d\n", rc);
 		goto exit;
 	}
 
@@ -286,18 +284,16 @@ int main(int argc, char *argv[])
 
 	rc = sepol_policydb_write(pdb, pf);
 	if (rc != 0) {
-		cil_log(CIL_ERR, "Failed to write binary policy: %d\n", rc);
+		fprintf(stderr, "Failed to write binary policy: %d\n", rc);
 		goto exit;
 	}
 
 	fclose(binary);
 	binary = NULL;
 
-	cil_log(CIL_INFO, "Writing file contexts\n");
-	
 	rc = cil_filecons_to_string(db, &fc_buf, &fc_size);
 	if (rc != SEPOL_OK) {
-		cil_log(CIL_ERR, "Failed to get file context data\n");
+		fprintf(stderr, "Failed to get file context data\n");
 		goto exit;
 	}
 
@@ -308,12 +304,12 @@ int main(int argc, char *argv[])
 	}
 
 	if (file_contexts == NULL) {
-		cil_log(CIL_ERR, "Failed to open file_contexts file\n");
+		fprintf(stderr, "Failed to open file_contexts file\n");
 		goto exit;
 	}
 	
 	if (fwrite(fc_buf, sizeof(char), fc_size, file_contexts) != fc_size) {
-		cil_log(CIL_ERR, "Failed to write file_contexts file\n");
+		fprintf(stderr, "Failed to write file_contexts file\n");
 		goto exit;
 	}
 
@@ -323,8 +319,6 @@ int main(int argc, char *argv[])
 	rc = SEPOL_OK;
 
 exit:
-	cil_log(CIL_INFO,"Exiting\n");
-
 	if (binary != NULL) {
 		fclose(binary);
 	}