13b6b7e88f
Extend checkfc to support comparing two file_contexts or file_contexts.bin files.

This is for use by the CTS SELinuxHostTest to compare the AOSP general_file_contexts with the device file_contexts.bin file.

Depends on I0fe63e0c7f11ae067b5aac2f468f7842e5d76986.

Change-Id: I2fff2f8cf87690a76219ddf4cf38939650f34782
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
63 lines
2.4 KiB
Text
This directory contains a number of tools related to policy, some of
which are used in building and validating the policy and others are
available for help in auditing and analyzing policy. The tools are
described further below.

checkfc
    A utility for checking the validity of a file_contexts or a
    property_contexts configuration file. Used as part of the policy
    build to validate both files. Requires the sepolicy file as an
    argument in order to check the validity of the security contexts
    in the file_contexts or property_contexts file.

    Usage1:
    checkfc sepolicy file_contexts
    checkfc -p sepolicy property_contexts

    Also used to compare two file_contexts or file_contexts.bin files.
    Displays one of subset, equal, superset, or incomparable.

    Usage2:
    checkfc -c file_contexts1 file_contexts2

    Example:
    $ checkfc -c out/target/product/shamu/system/etc/general_file_contexts out/target/product/shamu/root/file_contexts.bin
    subset

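When checkfc -c reports anything other than equal, an auditor usually wants to know which entries account for the verdict. The following is an added example, not code from checkfc or libselinux: a simplified set-based model that reads text-format file_contexts only (not file_contexts.bin), with hypothetical function names and constructed sample data, and it does not reproduce checkfc's own comparison algorithm.

```python
FILE_TYPES = {"--", "-d", "-c", "-b", "-s", "-l", "-p"}  # optional file-type field

def parse_file_contexts(text):
    """Map (path_regex, file_type) -> context; file_type is '' when omitted."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if len(fields) == 2:
            fields.insert(1, "")
        elif len(fields) != 3 or fields[1] not in FILE_TYPES:
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")
        entries[(fields[0], fields[1])] = fields[2]
    return entries

def compare(first, second):
    """Return (verdict, only_first, only_second, conflicting) for two texts."""
    a, b = parse_file_contexts(first), parse_file_contexts(second)
    conflicting = sorted(k for k in a.keys() & b.keys() if a[k] != b[k])
    only_a, only_b = sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())
    if conflicting or (only_a and only_b):
        verdict = "incomparable"
    elif only_a:
        verdict = "superset"
    elif only_b:
        verdict = "subset"
    else:
        verdict = "equal"
    return verdict, only_a, only_b, conflicting

# Constructed sample data, not taken from a real device.
GENERAL = (
    "# constructed sample\n"
    "/system(/.*)?          u:object_r:system_file:s0\n"
    "/system/bin/sh    --   u:object_r:shell_exec:s0\n"
)
DEVICE = GENERAL + "/dev/example_hw  -c  u:object_r:example_device:s0\n"
RELABELED = DEVICE.replace("shell_exec", "system_file")

if __name__ == "__main__":
    for name, other in (("DEVICE", DEVICE), ("RELABELED", RELABELED)):
        verdict, _, only_second, conflicting = compare(GENERAL, other)
        print(f"GENERAL vs {name}: {verdict}")
        for key in only_second:
            print("  only in second file:", key)
        for key in conflicting:
            print("  context differs for:", key)
```

As in the checkfc example above, the verdict describes the first file relative to the second, so a general file whose entries all appear unchanged in the device file yields subset.
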
checkseapp
    A utility for merging together the main seapp_contexts
    configuration and the device-specific one, and simultaneously
    checking the validity of the configurations. Used as part of the
    policy build process to merge and validate the configuration.

    Usage:
    checkseapp -p sepolicy input_seapp_contexts0 [input_seapp_contexts1...] -o seapp_contexts

insertkeys.py
    A helper script for mapping tags in the signature stanzas of
    mac_permissions.xml to public keys found in pem files. This
    script is described further in the top-level sepolicy/README.

post_process_mac_perms
    A tool to help modify an existing mac_permissions.xml with additional app
    certs not already found in that policy. This is useful when a directory
    containing apps is searched and any certs from those apps that are not
    already explicitly listed are added to the policy.

    Usage:
    post_process_mac_perms [-h] -s SEINFO -d DIR -f POLICY

    -s SEINFO, --seinfo SEINFO  seinfo tag for each generated stanza
    -d DIR, --dir DIR           Directory to search for apks
    -f POLICY, --file POLICY    mac_permissions.xml policy file

sepolicy-check
    A tool for auditing a sepolicy file for any allow rule that grants
    a given permission.

    Usage:
    sepolicy-check -s <domain> -t <type> -c <class> -p <permission> -P out/target/product/<board>/root/sepolicy

sepolicy-analyze
    A tool for performing various kinds of analysis on a sepolicy
    file.