0c407c3f1d
Print error description on failure after functions known to set errno. Also mention the library function name in getenforce, policyvers and setenforce instead of the program name twice. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
190 lines
4.4 KiB
C
190 lines
4.4 KiB
C
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <getopt.h>
|
|
#include <errno.h>
|
|
#include <selinux/selinux.h>
|
|
#include <selinux/label.h>
|
|
|
|
static size_t digest_len;
|
|
|
|
static __attribute__ ((__noreturn__)) void usage(const char *progname)
|
|
{
|
|
fprintf(stderr,
|
|
"usage: %s -b backend [-d] [-v] [-B] [-i] [-f file]\n\n"
|
|
"Where:\n\t"
|
|
"-b The backend - \"file\", \"media\", \"x\", \"db\" or "
|
|
"\"prop\"\n\t"
|
|
"-v Run \"cat <specfile_list> | openssl dgst -sha1 -hex\"\n\t"
|
|
" on the list of specfiles to compare the SHA1 digests.\n\t"
|
|
"-B Use base specfiles only (valid for \"-b file\" only).\n\t"
|
|
"-i Do not request a digest.\n\t"
|
|
"-f Optional file containing the specs (defaults to\n\t"
|
|
" those used by loaded policy).\n\n",
|
|
progname);
|
|
exit(1);
|
|
}
|
|
|
|
static int run_check_digest(char *cmd, char *selabel_digest)
|
|
{
|
|
FILE *fp;
|
|
char files_digest[128];
|
|
char *files_ptr;
|
|
int rc = 0;
|
|
|
|
fp = popen(cmd, "r");
|
|
if (!fp) {
|
|
fprintf(stderr, "Failed to run command '%s': %s\n", cmd, strerror(errno));
|
|
return -1;
|
|
}
|
|
|
|
/* Only expect one line "(stdin)= x.." so read and find first space */
|
|
while (fgets(files_digest, sizeof(files_digest) - 1, fp) != NULL)
|
|
;
|
|
|
|
files_ptr = strstr(files_digest, " ");
|
|
|
|
rc = strncmp(selabel_digest, files_ptr + 1, digest_len * 2);
|
|
if (rc) {
|
|
printf("Failed validation:\n\tselabel_digest: %s\n\t"
|
|
"files_digest: %s\n",
|
|
selabel_digest, files_ptr + 1);
|
|
} else {
|
|
printf("Passed validation - digest: %s\n", selabel_digest);
|
|
}
|
|
|
|
pclose(fp);
|
|
return rc;
|
|
}
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
int backend = 0, rc, opt, validate = 0;
|
|
char *baseonly = NULL, *file = NULL, *digest = (char *)1;
|
|
char **specfiles = NULL;
|
|
unsigned char *sha1_digest = NULL;
|
|
size_t i, num_specfiles;
|
|
|
|
char cmd_buf[4096];
|
|
char *cmd_ptr;
|
|
char *sha1_buf;
|
|
|
|
struct selabel_handle *hnd;
|
|
struct selinux_opt selabel_option[] = {
|
|
{ SELABEL_OPT_PATH, file },
|
|
{ SELABEL_OPT_BASEONLY, baseonly },
|
|
{ SELABEL_OPT_DIGEST, digest }
|
|
};
|
|
|
|
if (argc < 3)
|
|
usage(argv[0]);
|
|
|
|
while ((opt = getopt(argc, argv, "ib:Bvf:")) > 0) {
|
|
switch (opt) {
|
|
case 'b':
|
|
if (!strcasecmp(optarg, "file")) {
|
|
backend = SELABEL_CTX_FILE;
|
|
} else if (!strcmp(optarg, "media")) {
|
|
backend = SELABEL_CTX_MEDIA;
|
|
} else if (!strcmp(optarg, "x")) {
|
|
backend = SELABEL_CTX_X;
|
|
} else if (!strcmp(optarg, "db")) {
|
|
backend = SELABEL_CTX_DB;
|
|
} else if (!strcmp(optarg, "prop")) {
|
|
backend = SELABEL_CTX_ANDROID_PROP;
|
|
} else if (!strcmp(optarg, "service")) {
|
|
backend = SELABEL_CTX_ANDROID_SERVICE;
|
|
} else {
|
|
fprintf(stderr, "Unknown backend: %s\n",
|
|
optarg);
|
|
usage(argv[0]);
|
|
}
|
|
break;
|
|
case 'B':
|
|
baseonly = (char *)1;
|
|
break;
|
|
case 'v':
|
|
validate = 1;
|
|
break;
|
|
case 'i':
|
|
digest = NULL;
|
|
break;
|
|
case 'f':
|
|
file = optarg;
|
|
break;
|
|
default:
|
|
usage(argv[0]);
|
|
}
|
|
}
|
|
|
|
memset(cmd_buf, 0, sizeof(cmd_buf));
|
|
|
|
selabel_option[0].value = file;
|
|
selabel_option[1].value = baseonly;
|
|
selabel_option[2].value = digest;
|
|
|
|
hnd = selabel_open(backend, selabel_option, 3);
|
|
if (!hnd) {
|
|
switch (errno) {
|
|
case EOVERFLOW:
|
|
fprintf(stderr, "ERROR Number of specfiles or specfile"
|
|
" buffer caused an overflow.\n");
|
|
break;
|
|
default:
|
|
fprintf(stderr, "ERROR: selabel_open: %s\n",
|
|
strerror(errno));
|
|
}
|
|
return -1;
|
|
}
|
|
|
|
rc = selabel_digest(hnd, &sha1_digest, &digest_len, &specfiles,
|
|
&num_specfiles);
|
|
|
|
if (rc) {
|
|
switch (errno) {
|
|
case EINVAL:
|
|
fprintf(stderr, "No digest available.\n");
|
|
break;
|
|
default:
|
|
fprintf(stderr, "selabel_digest ERROR: %s\n",
|
|
strerror(errno));
|
|
}
|
|
goto err;
|
|
}
|
|
|
|
sha1_buf = malloc(digest_len * 2 + 1);
|
|
if (!sha1_buf) {
|
|
fprintf(stderr, "Could not malloc buffer ERROR: %s\n",
|
|
strerror(errno));
|
|
rc = -1;
|
|
goto err;
|
|
}
|
|
|
|
printf("SHA1 digest: ");
|
|
for (i = 0; i < digest_len; i++)
|
|
sprintf(&(sha1_buf[i * 2]), "%02x", sha1_digest[i]);
|
|
|
|
printf("%s\n", sha1_buf);
|
|
printf("calculated using the following specfile(s):\n");
|
|
|
|
if (specfiles) {
|
|
cmd_ptr = &cmd_buf[0];
|
|
sprintf(cmd_ptr, "/usr/bin/cat ");
|
|
cmd_ptr = &cmd_buf[0] + strlen(cmd_buf);
|
|
|
|
for (i = 0; i < num_specfiles; i++) {
|
|
sprintf(cmd_ptr, "%s ", specfiles[i]);
|
|
cmd_ptr += strlen(specfiles[i]) + 1;
|
|
printf("%s\n", specfiles[i]);
|
|
}
|
|
sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha1 -hex");
|
|
|
|
if (validate)
|
|
rc = run_check_digest(cmd_buf, sha1_buf);
|
|
}
|
|
|
|
free(sha1_buf);
|
|
err:
|
|
selabel_close(hnd);
|
|
return rc;
|
|
}
|