dec443e7c5
searchpolicy.py provides a subset of the functionality of sesearch.
The primary benefit being that it's entirely built in-tree and thus
can be packaged for use in automated tests included compatibility
test suites.
Example
searchpolicy.py --libpath out/host/linux-x86/lib64/ --allow --source domain
Bug: 63397379
Test: Identical output with sesearch for the following commands
--allow --source domain
--allow --target domain
--allow --target appdomain -p ioctl,open
--allow --source lmkd -c file -p ioctl,open
--allow --source lmkd -c file,dir -p ioctl,open
Change-Id: I89a6c333f1f519d9171fbc1aafe27eaf5ad247f0
73 lines
2.3 KiB
Python
73 lines
2.3 KiB
Python
#!/usr/bin/env python
|
|
|
|
import argparse
|
|
import policy
|
|
|
|
parser = argparse.ArgumentParser(
|
|
description="SELinux policy rule search tool. Intended to have a similar "
|
|
+ "API as sesearch, but simplified to use only code availabe in AOSP")
|
|
parser.add_argument("policy", help="Path to the SELinux policy to search.", nargs="?")
|
|
parser.add_argument("--libpath", dest="libpath", help="Path to the libsepolwrap.so", nargs="?")
|
|
tertypes = parser.add_argument_group("TE Rule Types")
|
|
tertypes.add_argument("--allow", action="append_const",
|
|
const="allow", dest="tertypes",
|
|
help="Search allow rules.")
|
|
expr = parser.add_argument_group("Expressions")
|
|
expr.add_argument("-s", "--source",
|
|
help="Source type/role of the TE/RBAC rule.")
|
|
expr.add_argument("-t", "--target",
|
|
help="Target type/role of the TE/RBAC rule.")
|
|
expr.add_argument("-c", "--class", dest="tclass",
|
|
help="Comma separated list of object classes")
|
|
expr.add_argument("-p", "--perms", metavar="PERMS",
|
|
help="Comma separated list of permissions.")
|
|
|
|
args = parser.parse_args()
|
|
|
|
if not args.tertypes:
|
|
parser.error("Must specify \"--allow\"")
|
|
|
|
if not args.policy:
|
|
parser.error("Must include path to policy")
|
|
if not args.libpath:
|
|
parser.error("Must include path to libsepolwrap library")
|
|
|
|
if not (args.source or args.target or args.tclass or args.perms):
|
|
parser.error("Must something to filter on, e.g. --source, --target, etc.")
|
|
|
|
pol = policy.Policy(args.policy, None, args.libpath)
|
|
|
|
if args.source:
|
|
scontext = {args.source}
|
|
else:
|
|
scontext = set()
|
|
if args.target:
|
|
tcontext = {args.target}
|
|
else:
|
|
tcontext = set()
|
|
if args.tclass:
|
|
tclass = set(args.tclass.split(","))
|
|
else:
|
|
tclass = set()
|
|
if args.perms:
|
|
perms = set(args.perms.split(","))
|
|
else:
|
|
perms = set()
|
|
|
|
TERules = pol.QueryTERule(scontext=scontext,
|
|
tcontext=tcontext,
|
|
tclass=tclass,
|
|
perms=perms)
|
|
|
|
# format rules for printing
|
|
rules = []
|
|
for r in TERules:
|
|
if len(r.perms) > 1:
|
|
rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " { " +
|
|
" ".join(r.perms) + " };")
|
|
else:
|
|
rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " " +
|
|
" ".join(r.perms) + ";")
|
|
|
|
for r in sorted(rules):
|
|
print r
|