platform_system_sepolicy/tests/searchpolicy.py

#!/usr/bin/env python

import argparse
import policy

parser = argparse.ArgumentParser(
    description="SELinux policy rule search tool. Intended to have a similar "
        + "API as sesearch, but simplified to use only code availabe in AOSP")
parser.add_argument("policy", help="Path to the SELinux policy to search.", nargs="?")
parser.add_argument("--libpath", dest="libpath", help="Path to the libsepolwrap.so", nargs="?")
tertypes = parser.add_argument_group("TE Rule Types")
tertypes.add_argument("--allow", action="append_const",
                    const="allow", dest="tertypes",
                    help="Search allow rules.")
expr = parser.add_argument_group("Expressions")
expr.add_argument("-s", "--source",
                  help="Source type/role of the TE/RBAC rule.")
expr.add_argument("-t", "--target",
                  help="Target type/role of the TE/RBAC rule.")
expr.add_argument("-c", "--class", dest="tclass",
                  help="Comma separated list of object classes")
expr.add_argument("-p", "--perms", metavar="PERMS",
                  help="Comma separated list of permissions.")

args = parser.parse_args()

if not args.tertypes:
    parser.error("Must specify \"--allow\"")

if not args.policy:
    parser.error("Must include path to policy")
if not args.libpath:
    parser.error("Must include path to libsepolwrap library")

if not (args.source or args.target or args.tclass or args.perms):
    parser.error("Must something to filter on, e.g. --source, --target, etc.")

pol = policy.Policy(args.policy, None, args.libpath)

if args.source:
    scontext = {args.source}
else:
    scontext = set()
if args.target:
    tcontext = {args.target}
else:
    tcontext = set()
if args.tclass:
    tclass = set(args.tclass.split(","))
else:
    tclass = set()
if args.perms:
    perms = set(args.perms.split(","))
else:
    perms = set()

TERules = pol.QueryTERule(scontext=scontext,
                       tcontext=tcontext,
                       tclass=tclass,
                       perms=perms)

# format rules for printing
rules = []
for r in TERules:
    if len(r.perms) > 1:
        rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " { " +
                " ".join(r.perms) + " };")
    else:
        rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " " +
                " ".join(r.perms) + ";")

for r in sorted(rules):
    print r
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb 2017-09-26 21:58:29 +02:00			`#!/usr/bin/env python`

			`import argparse`
			`import policy`

			`parser = argparse.ArgumentParser(`
			`description="SELinux policy rule search tool. Intended to have a similar "`
			`+ "API as sesearch, but simplified to use only code availabe in AOSP")`
			`parser.add_argument("policy", help="Path to the SELinux policy to search.", nargs="?")`
			`parser.add_argument("--libpath", dest="libpath", help="Path to the libsepolwrap.so", nargs="?")`
			`tertypes = parser.add_argument_group("TE Rule Types")`
			`tertypes.add_argument("--allow", action="append_const",`
			`const="allow", dest="tertypes",`
			`help="Search allow rules.")`
			`expr = parser.add_argument_group("Expressions")`
			`expr.add_argument("-s", "--source",`
			`help="Source type/role of the TE/RBAC rule.")`
			`expr.add_argument("-t", "--target",`
			`help="Target type/role of the TE/RBAC rule.")`
			`expr.add_argument("-c", "--class", dest="tclass",`
			`help="Comma separated list of object classes")`
			`expr.add_argument("-p", "--perms", metavar="PERMS",`
			`help="Comma separated list of permissions.")`

			`args = parser.parse_args()`

			`if not args.tertypes:`
			`parser.error("Must specify \"--allow\"")`

			`if not args.policy:`
			`parser.error("Must include path to policy")`
			`if not args.libpath:`
			`parser.error("Must include path to libsepolwrap library")`

			`if not (args.source or args.target or args.tclass or args.perms):`
			`parser.error("Must something to filter on, e.g. --source, --target, etc.")`

			`pol = policy.Policy(args.policy, None, args.libpath)`

			`if args.source:`
			`scontext = {args.source}`
			`else:`
			`scontext = set()`
			`if args.target:`
			`tcontext = {args.target}`
			`else:`
			`tcontext = set()`
			`if args.tclass:`
			`tclass = set(args.tclass.split(","))`
			`else:`
			`tclass = set()`
			`if args.perms:`
			`perms = set(args.perms.split(","))`
			`else:`
			`perms = set()`

			`TERules = pol.QueryTERule(scontext=scontext,`
			`tcontext=tcontext,`
			`tclass=tclass,`
			`perms=perms)`

			`# format rules for printing`
			`rules = []`
			`for r in TERules:`
			`if len(r.perms) > 1:`
			`rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " { " +`
			`" ".join(r.perms) + " };")`
			`else:`
			`rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " " +`
			`" ".join(r.perms) + ";")`

			`for r in sorted(rules):`
			`print r`