Project restructure
This commit is contained in:
parent
7dea682713
commit
6900c197cd
@ -4,7 +4,7 @@ include $(CLEAR_VARS)
|
|||||||
LOCAL_MODULE := sepolicy-inject
|
LOCAL_MODULE := sepolicy-inject
|
||||||
LOCAL_MODULE_TAGS := optional
|
LOCAL_MODULE_TAGS := optional
|
||||||
LOCAL_STATIC_LIBRARIES := libsepol
|
LOCAL_STATIC_LIBRARIES := libsepol
|
||||||
LOCAL_SRC_FILES := sepolicy-inject.c builtin_rules.c
|
LOCAL_SRC_FILES := main.c sepolicy.c rules.c utils.c
|
||||||
LOCAL_C_INCLUDES := jni/selinux/libsepol/include/
|
LOCAL_C_INCLUDES := jni/selinux/libsepol/include/
|
||||||
LOCAL_CFLAGS += -std=gnu11
|
LOCAL_CFLAGS += -std=gnu11
|
||||||
include $(BUILD_EXECUTABLE)
|
include $(BUILD_EXECUTABLE)
|
||||||
|
247
main.c
Normal file
247
main.c
Normal file
@ -0,0 +1,247 @@
|
|||||||
|
#include "sepolicy-inject.h"
|
||||||
|
|
||||||
|
static void usage(char *arg0) {
|
||||||
|
fprintf(stderr, "%s -s <source type> -t <target type> -c <class> -p <perm_list> -P <policy file>\n", arg0);
|
||||||
|
fprintf(stderr, "\tInject a rule\n\n");
|
||||||
|
fprintf(stderr, "%s -s <source type> -a <type_attribute> -P <policy file>\n", arg0);
|
||||||
|
fprintf(stderr, "\tAdd a type_attribute to a domain\n\n");
|
||||||
|
fprintf(stderr, "%s -Z <source type> -P <policy file>\n", arg0);
|
||||||
|
fprintf(stderr, "\tInject a permissive domain\n\n");
|
||||||
|
fprintf(stderr, "%s -z <source type> -P <policy file>\n", arg0);
|
||||||
|
fprintf(stderr, "\tInject a non-permissive domain\n\n");
|
||||||
|
fprintf(stderr, "%s -e -s <source type> -P <policy file>\n", arg0);
|
||||||
|
fprintf(stderr, "\tCheck if a SELinux type exists\n\n");
|
||||||
|
fprintf(stderr, "%s -e -c <class> -P <policy file>\n", arg0);
|
||||||
|
fprintf(stderr, "\tCheck if a SELinux class exists\n\n");
|
||||||
|
fprintf(stderr, "All options can add -o <output file> to output to another file\n");
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
int main(int argc, char **argv) {
|
||||||
|
char *infile = NULL, *source = NULL, *target = NULL, *class = NULL, *perm = NULL;
|
||||||
|
char *fcon = NULL, *outfile = NULL, *permissive = NULL, *attr = NULL, *filetrans = NULL;
|
||||||
|
int exists = 0, not = 0, live = 0, builtin = 0, magisk = 0;
|
||||||
|
policydb_t policydb;
|
||||||
|
struct policy_file pf, outpf;
|
||||||
|
sidtab_t sidtab;
|
||||||
|
int ch;
|
||||||
|
FILE *fp;
|
||||||
|
int permissive_value = 0, noaudit = 0;
|
||||||
|
|
||||||
|
struct option long_options[] = {
|
||||||
|
{"attr", required_argument, NULL, 'a'},
|
||||||
|
{"exists", no_argument, NULL, 'e'},
|
||||||
|
{"source", required_argument, NULL, 's'},
|
||||||
|
{"target", required_argument, NULL, 't'},
|
||||||
|
{"class", required_argument, NULL, 'c'},
|
||||||
|
{"perm", required_argument, NULL, 'p'},
|
||||||
|
{"fcon", required_argument, NULL, 'f'},
|
||||||
|
{"filetransition", required_argument, NULL, 'g'},
|
||||||
|
{"noaudit", no_argument, NULL, 'n'},
|
||||||
|
{"file", required_argument, NULL, 'P'},
|
||||||
|
{"output", required_argument, NULL, 'o'},
|
||||||
|
{"permissive", required_argument, NULL, 'Z'},
|
||||||
|
{"not-permissive", required_argument, NULL, 'z'},
|
||||||
|
{"not", no_argument, NULL, 0},
|
||||||
|
{"live", no_argument, NULL, 0},
|
||||||
|
{"magisk", no_argument, NULL, 0},
|
||||||
|
{NULL, 0, NULL, 0}
|
||||||
|
};
|
||||||
|
|
||||||
|
int option_index = -1;
|
||||||
|
while ((ch = getopt_long(argc, argv, "a:c:ef:g:s:t:p:P:o:Z:z:n", long_options, &option_index)) != -1) {
|
||||||
|
switch (ch) {
|
||||||
|
case 0:
|
||||||
|
if(strcmp(long_options[option_index].name, "not") == 0)
|
||||||
|
not = 1;
|
||||||
|
else if(strcmp(long_options[option_index].name, "live") == 0)
|
||||||
|
live = 1;
|
||||||
|
else if(strcmp(long_options[option_index].name, "magisk") == 0)
|
||||||
|
magisk = 1;
|
||||||
|
else
|
||||||
|
usage(argv[0]);
|
||||||
|
break;
|
||||||
|
case 'a':
|
||||||
|
attr = optarg;
|
||||||
|
break;
|
||||||
|
case 'e':
|
||||||
|
exists = 1;
|
||||||
|
break;
|
||||||
|
case 'f':
|
||||||
|
fcon = optarg;
|
||||||
|
break;
|
||||||
|
case 'g':
|
||||||
|
filetrans = optarg;
|
||||||
|
break;
|
||||||
|
case 's':
|
||||||
|
source = optarg;
|
||||||
|
break;
|
||||||
|
case 't':
|
||||||
|
target = optarg;
|
||||||
|
break;
|
||||||
|
case 'c':
|
||||||
|
class = optarg;
|
||||||
|
break;
|
||||||
|
case 'p':
|
||||||
|
perm = optarg;
|
||||||
|
break;
|
||||||
|
case 'P':
|
||||||
|
infile = optarg;
|
||||||
|
break;
|
||||||
|
case 'o':
|
||||||
|
outfile = optarg;
|
||||||
|
break;
|
||||||
|
case 'Z':
|
||||||
|
permissive = optarg;
|
||||||
|
permissive_value = 1;
|
||||||
|
break;
|
||||||
|
case 'z':
|
||||||
|
permissive = optarg;
|
||||||
|
permissive_value = 0;
|
||||||
|
break;
|
||||||
|
case 'n':
|
||||||
|
noaudit = 1;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
usage(argv[0]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Use builtin rules if nothing specified
|
||||||
|
if (!magisk && !source && !target && !class && !perm && !permissive && !fcon && !attr &&!filetrans && !exists)
|
||||||
|
builtin = 1;
|
||||||
|
|
||||||
|
// Overwrite original if not specified
|
||||||
|
if(!outfile)
|
||||||
|
outfile = infile;
|
||||||
|
|
||||||
|
// Use current policy if not specified
|
||||||
|
if(!infile)
|
||||||
|
infile = "/sys/fs/selinux/policy";
|
||||||
|
|
||||||
|
sepol_set_policydb(&policydb);
|
||||||
|
sepol_set_sidtab(&sidtab);
|
||||||
|
|
||||||
|
if (load_policy(infile, &policydb, &pf)) {
|
||||||
|
fprintf(stderr, "Could not load policy\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (policydb_load_isids(&policydb, &sidtab))
|
||||||
|
return 1;
|
||||||
|
|
||||||
|
policy = &policydb;
|
||||||
|
|
||||||
|
if (builtin) {
|
||||||
|
su_rules();
|
||||||
|
}
|
||||||
|
else if (magisk) {
|
||||||
|
magisk_rules();
|
||||||
|
}
|
||||||
|
else if (permissive) {
|
||||||
|
type_datum_t *type;
|
||||||
|
create_domain(permissive);
|
||||||
|
type = hashtab_search(policydb.p_types.table, permissive);
|
||||||
|
if (type == NULL) {
|
||||||
|
fprintf(stderr, "type %s does not exist\n", permissive);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
if (ebitmap_set_bit(&policydb.permissive_map, type->s.value, permissive_value)) {
|
||||||
|
fprintf(stderr, "Could not set bit in permissive map\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
} else if(exists) {
|
||||||
|
if(source) {
|
||||||
|
type_datum_t *tmp = hashtab_search(policydb.p_types.table, source);
|
||||||
|
if (!tmp)
|
||||||
|
exit(1);
|
||||||
|
else
|
||||||
|
exit(0);
|
||||||
|
} else if(class) {
|
||||||
|
class_datum_t *tmp = hashtab_search(policydb.p_classes.table, class);
|
||||||
|
if(!tmp)
|
||||||
|
exit(1);
|
||||||
|
else
|
||||||
|
exit(0);
|
||||||
|
} else {
|
||||||
|
usage(argv[0]);
|
||||||
|
}
|
||||||
|
} else if(filetrans) {
|
||||||
|
if(add_file_transition(source, fcon, target, class, filetrans))
|
||||||
|
return 1;
|
||||||
|
} else if(fcon) {
|
||||||
|
if(add_transition(source, fcon, target, class))
|
||||||
|
return 1;
|
||||||
|
} else if(attr) {
|
||||||
|
if(add_type(source, attr))
|
||||||
|
return 1;
|
||||||
|
} else if(noaudit) {
|
||||||
|
if(add_rule(source, target, class, perm, AVTAB_AUDITDENY, not))
|
||||||
|
return 1;
|
||||||
|
} else {
|
||||||
|
//Add a rule to a whole set of typeattribute, not just a type
|
||||||
|
if (target != NULL) {
|
||||||
|
if(*target == '=') {
|
||||||
|
char *saveptr = NULL;
|
||||||
|
|
||||||
|
char *targetAttribute = strtok_r(target, "-", &saveptr);
|
||||||
|
|
||||||
|
char *vals[64];
|
||||||
|
int i = 0;
|
||||||
|
|
||||||
|
char *m = NULL;
|
||||||
|
while( (m = strtok_r(NULL, "-", &saveptr)) != NULL) {
|
||||||
|
vals[i++] = m;
|
||||||
|
}
|
||||||
|
vals[i] = NULL;
|
||||||
|
|
||||||
|
if(add_typerule(source, targetAttribute+1, vals, class, perm, AVTAB_ALLOWED, not))
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (perm != NULL) {
|
||||||
|
char *saveptr = NULL;
|
||||||
|
|
||||||
|
char *p = strtok_r(perm, ",", &saveptr);
|
||||||
|
do {
|
||||||
|
if (add_rule(source, target, class, p, AVTAB_ALLOWED, not)) {
|
||||||
|
fprintf(stderr, "Could not add rule\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
} while( (p = strtok_r(NULL, ",", &saveptr)) != NULL);
|
||||||
|
} else {
|
||||||
|
if (add_rule(source, target, class, perm, AVTAB_ALLOWED, not)) {
|
||||||
|
fprintf(stderr, "Could not add rule\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (live) {
|
||||||
|
if (live_patch()) {
|
||||||
|
fprintf(stderr, "Could not load new policy into kernel\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (outfile) {
|
||||||
|
fp = fopen(outfile, "w");
|
||||||
|
if (!fp) {
|
||||||
|
fprintf(stderr, "Could not open outfile\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
policy_file_init(&outpf);
|
||||||
|
outpf.type = PF_USE_STDIO;
|
||||||
|
outpf.fp = fp;
|
||||||
|
|
||||||
|
if (policydb_write(&policydb, &outpf)) {
|
||||||
|
fprintf(stderr, "Could not write policy\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
fclose(fp);
|
||||||
|
}
|
||||||
|
|
||||||
|
policydb_destroy(&policydb);
|
||||||
|
return 0;
|
||||||
|
}
|
@ -1,44 +1,4 @@
|
|||||||
#include <stdio.h>
|
#include "sepolicy-inject.h"
|
||||||
#include <sepol/policydb/policydb.h>
|
|
||||||
|
|
||||||
#define ALL NULL
|
|
||||||
|
|
||||||
extern int add_rule(char *s, char *t, char *c, char *p, int effect, int not, policydb_t *policy);
|
|
||||||
extern void create_domain(char *d, policydb_t *policy);
|
|
||||||
extern int add_transition(char *srcS, char *origS, char *tgtS, char *c, policydb_t *policy);
|
|
||||||
extern int add_type(char *domainS, char *typeS, policydb_t *policy);
|
|
||||||
|
|
||||||
policydb_t *policy;
|
|
||||||
|
|
||||||
void allow(char *s, char *t, char *c, char *p) {
|
|
||||||
add_rule(s, t, c, p, AVTAB_ALLOWED, 0, policy);
|
|
||||||
}
|
|
||||||
|
|
||||||
void noaudit(char *s, char *t, char *c, char *p) {
|
|
||||||
add_rule(s, t, c, p, AVTAB_AUDITDENY, 0, policy);
|
|
||||||
}
|
|
||||||
|
|
||||||
void deny(char *s, char *t, char *c, char *p) {
|
|
||||||
add_rule(s, t, c, p, AVTAB_ALLOWED, 1, policy);
|
|
||||||
}
|
|
||||||
|
|
||||||
void setPermissive(char* permissive, int permissive_value) {
|
|
||||||
type_datum_t *type;
|
|
||||||
create_domain(permissive, policy);
|
|
||||||
type = hashtab_search(policy->p_types.table, permissive);
|
|
||||||
if (type == NULL) {
|
|
||||||
fprintf(stderr, "type %s does not exist\n", permissive);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
if (ebitmap_set_bit(&policy->permissive_map, type->s.value, permissive_value)) {
|
|
||||||
fprintf(stderr, "Could not set bit in permissive map\n");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
int exists(char* source) {
|
|
||||||
return (int) hashtab_search(policy->p_types.table, source);
|
|
||||||
}
|
|
||||||
|
|
||||||
void samsung() {
|
void samsung() {
|
||||||
deny("init", "kernel", "security", "load_policy");
|
deny("init", "kernel", "security", "load_policy");
|
||||||
@ -222,6 +182,12 @@ void suDaemonRights() {
|
|||||||
allow("su_daemon", "proc", "file", "open");
|
allow("su_daemon", "proc", "file", "open");
|
||||||
allow("su_daemon", "su_daemon", "process", "setcurrent");
|
allow("su_daemon", "su_daemon", "process", "setcurrent");
|
||||||
allow("su_daemon", "system_file", "file", "execute_no_trans");
|
allow("su_daemon", "system_file", "file", "execute_no_trans");
|
||||||
|
|
||||||
|
// Allow to adb shell su
|
||||||
|
allow("su_daemon", "adbd", "fd", "use");
|
||||||
|
allow("su_daemon", "adbd", "unix_stream_socket", "read");
|
||||||
|
allow("su_daemon", "adbd", "unix_stream_socket", "write");
|
||||||
|
allow("su_daemon", "adbd", "unix_stream_socket", "ioctl");
|
||||||
}
|
}
|
||||||
|
|
||||||
void suBind() {
|
void suBind() {
|
||||||
@ -274,36 +240,34 @@ void otherToSU() {
|
|||||||
allow(ALL, "su", "process", "sigchld");
|
allow(ALL, "su", "process", "sigchld");
|
||||||
|
|
||||||
// uNetworkL0
|
// uNetworkL0
|
||||||
add_type("su", "netdomain", policy);
|
add_type("su", "netdomain");
|
||||||
add_type("su", "bluetoothdomain", policy);
|
add_type("su", "bluetoothdomain");
|
||||||
|
|
||||||
// suBackL6
|
// suBackL6
|
||||||
allow("surfaceflinger", "app_data_file", "dir", ALL);
|
allow("surfaceflinger", "app_data_file", "dir", ALL);
|
||||||
allow("surfaceflinger", "app_data_file", "file", ALL);
|
allow("surfaceflinger", "app_data_file", "file", ALL);
|
||||||
allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
|
allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
|
||||||
add_type("surfaceflinger", "mlstrustedsubject", policy);
|
add_type("surfaceflinger", "mlstrustedsubject");
|
||||||
|
|
||||||
// suMiscL6
|
// suMiscL6
|
||||||
if (exists("audioserver"))
|
if (exists("audioserver"))
|
||||||
allow("audioserver", "audioserver", "process", "execmem");
|
allow("audioserver", "audioserver", "process", "execmem");
|
||||||
}
|
}
|
||||||
|
|
||||||
void phh_rules(policydb_t *policydb) {
|
void su_rules() {
|
||||||
policy = policydb;
|
|
||||||
|
|
||||||
// Samsung specific
|
// Samsung specific
|
||||||
// Prevent system from loading policy
|
// Prevent system from loading policy
|
||||||
if(exists("knox_system_app"))
|
if(exists("knox_system_app"))
|
||||||
samsung();
|
samsung();
|
||||||
|
|
||||||
// Create domains if they don't exist
|
// Create domains if they don't exist
|
||||||
setPermissive("su", 1);
|
permissive("su");
|
||||||
setPermissive("su_device", 0);
|
enforce("su_device");
|
||||||
setPermissive("su_daemon", 0);
|
enforce("su_daemon");
|
||||||
|
|
||||||
// Autotransition su's socket to su_device
|
// Autotransition su's socket to su_device
|
||||||
add_transition("su_daemon", "device", "su_device", "file", policy);
|
add_transition("su_daemon", "device", "su_device", "file");
|
||||||
add_transition("su_daemon", "device", "su_device", "dir", policy);
|
add_transition("su_daemon", "device", "su_device", "dir");
|
||||||
allow("su_device", "tmpfs", "filesystem", "associate");
|
allow("su_device", "tmpfs", "filesystem", "associate");
|
||||||
|
|
||||||
// Transition from untrusted_app to su_client
|
// Transition from untrusted_app to su_client
|
||||||
@ -329,22 +293,21 @@ void phh_rules(policydb_t *policydb) {
|
|||||||
otherToSU();
|
otherToSU();
|
||||||
|
|
||||||
// Need to set su_device/su as trusted to be accessible from other categories
|
// Need to set su_device/su as trusted to be accessible from other categories
|
||||||
add_type("su_device", "mlstrustedobject", policy);
|
attradd("su_device", "mlstrustedobject");
|
||||||
add_type("su_daemon", "mlstrustedsubject", policy);
|
attradd("su_daemon", "mlstrustedsubject");
|
||||||
add_type("su", "mlstrustedsubject", policy);
|
attradd("su", "mlstrustedsubject");
|
||||||
|
|
||||||
// Allow chcon to rootfs
|
// Allow chcon to anything
|
||||||
allow("rootfs", "labeledfs", "filesystem", "associate");
|
allow(ALL, "labeledfs", "filesystem", "associate");
|
||||||
}
|
}
|
||||||
|
|
||||||
// Minimal to run Magisk script before live patching
|
// Minimal to run Magisk script before live patching
|
||||||
void magisk_rules(policydb_t *policydb) {
|
void magisk_rules() {
|
||||||
policy = policydb;
|
|
||||||
|
|
||||||
setPermissive("su", 1);
|
permissive("su");
|
||||||
setPermissive("init", 1);
|
permissive("init");
|
||||||
|
|
||||||
add_type("su", "mlstrustedsubject", policy);
|
attradd("su", "mlstrustedsubject");
|
||||||
|
|
||||||
allow("kernel", "su", "fd", "use");
|
allow("kernel", "su", "fd", "use");
|
||||||
allow("init", "su", "process", ALL);
|
allow("init", "su", "process", ALL);
|
50
sepolicy-inject.h
Normal file
50
sepolicy-inject.h
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
#ifndef SEPOLICY_INJECT_H
|
||||||
|
#define SEPOLICY_INJECT_H
|
||||||
|
|
||||||
|
#define ALL NULL
|
||||||
|
|
||||||
|
#include <getopt.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <sys/mman.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <sepol/debug.h>
|
||||||
|
#include <sepol/policydb/policydb.h>
|
||||||
|
#include <sepol/policydb/expand.h>
|
||||||
|
#include <sepol/policydb/link.h>
|
||||||
|
#include <sepol/policydb/services.h>
|
||||||
|
#include <sepol/policydb/avrule_block.h>
|
||||||
|
#include <sepol/policydb/conditional.h>
|
||||||
|
#include <sepol/policydb/constraint.h>
|
||||||
|
|
||||||
|
// Global policydb
|
||||||
|
policydb_t *policy;
|
||||||
|
|
||||||
|
// sepolicy manipulation functions
|
||||||
|
int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf);
|
||||||
|
void create_domain(char *d);
|
||||||
|
int add_file_transition(char *srcS, char *origS, char *tgtS, char *c, char* filename);
|
||||||
|
int add_transition(char *srcS, char *origS, char *tgtS, char *c);
|
||||||
|
int add_type(char *domainS, char *typeS);
|
||||||
|
int add_rule(char *s, char *t, char *c, char *p, int effect, int not);
|
||||||
|
int add_typerule(char *s, char *targetAttribute, char **minusses, char *c, char *p, int effect, int not);
|
||||||
|
int live_patch();
|
||||||
|
|
||||||
|
// Handy functions
|
||||||
|
void allow(char *s, char *t, char *c, char *p);
|
||||||
|
void deny(char *s, char *t, char *c, char *p);
|
||||||
|
void auditallow(char *s, char *t, char *c, char *p);
|
||||||
|
void auditdeny(char *s, char *t, char *c, char *p);
|
||||||
|
void permissive(char *s);
|
||||||
|
void enforce(char *s);
|
||||||
|
void attradd(char *s, char *a);
|
||||||
|
int exists(char *source);
|
||||||
|
|
||||||
|
// Built in rules
|
||||||
|
void su_rules();
|
||||||
|
void magisk_rules();
|
||||||
|
|
||||||
|
#endif
|
@ -1,49 +1,6 @@
|
|||||||
/*
|
#include "sepolicy-inject.h"
|
||||||
* This was derived from public domain works with updates to
|
|
||||||
* work with more modern SELinux libraries.
|
|
||||||
*
|
|
||||||
* It is released into the public domain.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
#include <getopt.h>
|
static void *cmalloc(size_t s) {
|
||||||
#include <unistd.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <sys/mman.h>
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <sys/stat.h>
|
|
||||||
#include <fcntl.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <sepol/debug.h>
|
|
||||||
#include <sepol/policydb/policydb.h>
|
|
||||||
#include <sepol/policydb/expand.h>
|
|
||||||
#include <sepol/policydb/link.h>
|
|
||||||
#include <sepol/policydb/services.h>
|
|
||||||
#include <sepol/policydb/avrule_block.h>
|
|
||||||
#include <sepol/policydb/conditional.h>
|
|
||||||
#include <sepol/policydb/constraint.h>
|
|
||||||
|
|
||||||
extern void phh_rules(policydb_t *policydb);
|
|
||||||
extern void magisk_rules(policydb_t *policydb);
|
|
||||||
|
|
||||||
void usage(char *arg0) {
|
|
||||||
fprintf(stderr, "%s -s <source type> -t <target type> -c <class> -p <perm_list> -P <policy file>\n", arg0);
|
|
||||||
fprintf(stderr, "\tInject a rule\n\n");
|
|
||||||
fprintf(stderr, "%s -s <source type> -a <type_attribute> -P <policy file>\n", arg0);
|
|
||||||
fprintf(stderr, "\tAdd a type_attribute to a domain\n\n");
|
|
||||||
fprintf(stderr, "%s -Z <source type> -P <policy file>\n", arg0);
|
|
||||||
fprintf(stderr, "\tInject a permissive domain\n\n");
|
|
||||||
fprintf(stderr, "%s -z <source type> -P <policy file>\n", arg0);
|
|
||||||
fprintf(stderr, "\tInject a non-permissive domain\n\n");
|
|
||||||
fprintf(stderr, "%s -e -s <source type> -P <policy file>\n", arg0);
|
|
||||||
fprintf(stderr, "\tCheck if a SELinux type exists\n\n");
|
|
||||||
fprintf(stderr, "%s -e -c <class> -P <policy file>\n", arg0);
|
|
||||||
fprintf(stderr, "\tCheck if a SELinux class exists\n\n");
|
|
||||||
fprintf(stderr, "All options can add -o <output file> to output to another file\n");
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
void *cmalloc(size_t s) {
|
|
||||||
void *t = malloc(s);
|
void *t = malloc(s);
|
||||||
if (t == NULL) {
|
if (t == NULL) {
|
||||||
fprintf(stderr, "Out of memory\n");
|
fprintf(stderr, "Out of memory\n");
|
||||||
@ -52,7 +9,7 @@ void *cmalloc(size_t s) {
|
|||||||
return t;
|
return t;
|
||||||
}
|
}
|
||||||
|
|
||||||
int get_attr(char *type, int value, policydb_t *policy) {
|
static int get_attr(char *type, int value) {
|
||||||
type_datum_t *attr = hashtab_search(policy->p_types.table, type);
|
type_datum_t *attr = hashtab_search(policy->p_types.table, type);
|
||||||
if (!attr)
|
if (!attr)
|
||||||
exit(1);
|
exit(1);
|
||||||
@ -64,7 +21,7 @@ int get_attr(char *type, int value, policydb_t *policy) {
|
|||||||
//return !! ebitmap_get_bit(&policy->type_attr_map[value-1], attr->s.value-1);
|
//return !! ebitmap_get_bit(&policy->type_attr_map[value-1], attr->s.value-1);
|
||||||
}
|
}
|
||||||
|
|
||||||
int get_attr_id(char *type, policydb_t *policy) {
|
static int get_attr_id(char *type) {
|
||||||
type_datum_t *attr = hashtab_search(policy->p_types.table, type);
|
type_datum_t *attr = hashtab_search(policy->p_types.table, type);
|
||||||
if (!attr)
|
if (!attr)
|
||||||
exit(1);
|
exit(1);
|
||||||
@ -75,7 +32,7 @@ int get_attr_id(char *type, policydb_t *policy) {
|
|||||||
return attr->s.value;
|
return attr->s.value;
|
||||||
}
|
}
|
||||||
|
|
||||||
int set_attr(char *type, int value, policydb_t *policy) {
|
static int set_attr(char *type, int value) {
|
||||||
type_datum_t *attr = hashtab_search(policy->p_types.table, type);
|
type_datum_t *attr = hashtab_search(policy->p_types.table, type);
|
||||||
if (!attr)
|
if (!attr)
|
||||||
exit(1);
|
exit(1);
|
||||||
@ -91,7 +48,143 @@ int set_attr(char *type, int value, policydb_t *policy) {
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
void create_domain(char *d, policydb_t *policy) {
|
static int add_irule(int s, int t, int c, int p, int effect, int not) {
|
||||||
|
avtab_datum_t *av;
|
||||||
|
avtab_key_t key;
|
||||||
|
|
||||||
|
key.source_type = s;
|
||||||
|
key.target_type = t;
|
||||||
|
key.target_class = c;
|
||||||
|
key.specified = effect;
|
||||||
|
av = avtab_search(&policy->te_avtab, &key);
|
||||||
|
|
||||||
|
if (av == NULL) {
|
||||||
|
av = cmalloc(sizeof(*av));
|
||||||
|
av->data |= 1U << (p - 1);
|
||||||
|
int ret = avtab_insert(&policy->te_avtab, &key, av);
|
||||||
|
if (ret) {
|
||||||
|
fprintf(stderr, "Error inserting into avtab\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if(not)
|
||||||
|
av->data &= ~(1U << (p - 1));
|
||||||
|
else
|
||||||
|
av->data |= 1U << (p - 1);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int add_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, perm_datum_t *perm, int effect, int not) {
|
||||||
|
hashtab_t type_table, class_table, perm_table;
|
||||||
|
hashtab_ptr_t cur;
|
||||||
|
|
||||||
|
type_table = policy->p_types.table;
|
||||||
|
class_table = policy->p_classes.table;
|
||||||
|
|
||||||
|
if (src == NULL) {
|
||||||
|
for (int i = 0; i < type_table->size; ++i) {
|
||||||
|
cur = type_table->htable[i];
|
||||||
|
while (cur != NULL) {
|
||||||
|
src = cur->datum;
|
||||||
|
if(add_rule_auto(src, tgt, cls, perm, effect, not))
|
||||||
|
return 1;
|
||||||
|
cur = cur->next;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else if (tgt == NULL) {
|
||||||
|
for (int i = 0; i < type_table->size; ++i) {
|
||||||
|
cur = type_table->htable[i];
|
||||||
|
while (cur != NULL) {
|
||||||
|
tgt = cur->datum;
|
||||||
|
if(add_rule_auto(src, tgt, cls, perm, effect, not))
|
||||||
|
return 1;
|
||||||
|
cur = cur->next;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else if (cls == NULL) {
|
||||||
|
for (int i = 0; i < class_table->size; ++i) {
|
||||||
|
cur = class_table->htable[i];
|
||||||
|
while (cur != NULL) {
|
||||||
|
cls = cur->datum;
|
||||||
|
if(add_rule_auto(src, tgt, cls, perm, effect, not))
|
||||||
|
return 1;
|
||||||
|
cur = cur->next;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else if (perm == NULL) {
|
||||||
|
perm_table = cls->permissions.table;
|
||||||
|
for (int i = 0; i < perm_table->size; ++i) {
|
||||||
|
cur = perm_table->htable[i];
|
||||||
|
while (cur != NULL) {
|
||||||
|
perm = cur->datum;
|
||||||
|
if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not))
|
||||||
|
return 1;
|
||||||
|
cur = cur->next;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (cls->comdatum != NULL) {
|
||||||
|
perm_table = cls->comdatum->permissions.table;
|
||||||
|
for (int i = 0; i < perm_table->size; ++i) {
|
||||||
|
cur = perm_table->htable[i];
|
||||||
|
while (cur != NULL) {
|
||||||
|
perm = cur->datum;
|
||||||
|
if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not))
|
||||||
|
return 1;
|
||||||
|
cur = cur->next;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not);
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf) {
|
||||||
|
int fd;
|
||||||
|
struct stat sb;
|
||||||
|
void *map;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
fd = open(filename, O_RDONLY);
|
||||||
|
if (fd < 0) {
|
||||||
|
fprintf(stderr, "Can't open '%s': %s\n",
|
||||||
|
filename, strerror(errno));
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
if (fstat(fd, &sb) < 0) {
|
||||||
|
fprintf(stderr, "Can't stat '%s': %s\n",
|
||||||
|
filename, strerror(errno));
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE,
|
||||||
|
fd, 0);
|
||||||
|
if (map == MAP_FAILED) {
|
||||||
|
fprintf(stderr, "Can't mmap '%s': %s\n",
|
||||||
|
filename, strerror(errno));
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
policy_file_init(pf);
|
||||||
|
pf->type = PF_USE_MEMORY;
|
||||||
|
pf->data = map;
|
||||||
|
pf->len = sb.st_size;
|
||||||
|
if (policydb_init(policydb)) {
|
||||||
|
fprintf(stderr, "policydb_init: Out of memory!\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
ret = policydb_read(policydb, pf, 1);
|
||||||
|
if (ret) {
|
||||||
|
fprintf(stderr, "error(s) encountered while parsing configuration\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
void create_domain(char *d) {
|
||||||
symtab_datum_t *src = hashtab_search(policy->p_types.table, d);
|
symtab_datum_t *src = hashtab_search(policy->p_types.table, d);
|
||||||
if(src)
|
if(src)
|
||||||
return;
|
return;
|
||||||
@ -139,37 +232,10 @@ void create_domain(char *d, policydb_t *policy) {
|
|||||||
if(policydb_index_others(NULL, policy, 1))
|
if(policydb_index_others(NULL, policy, 1))
|
||||||
exit(1);
|
exit(1);
|
||||||
|
|
||||||
set_attr("domain", value, policy);
|
set_attr("domain", value);
|
||||||
}
|
}
|
||||||
|
|
||||||
int add_irule(int s, int t, int c, int p, int effect, int not, policydb_t* policy) {
|
int add_typerule(char *s, char *targetAttribute, char **minusses, char *c, char *p, int effect, int not) {
|
||||||
avtab_datum_t *av;
|
|
||||||
avtab_key_t key;
|
|
||||||
|
|
||||||
key.source_type = s;
|
|
||||||
key.target_type = t;
|
|
||||||
key.target_class = c;
|
|
||||||
key.specified = effect;
|
|
||||||
av = avtab_search(&policy->te_avtab, &key);
|
|
||||||
|
|
||||||
if (av == NULL) {
|
|
||||||
av = cmalloc(sizeof(*av));
|
|
||||||
av->data |= 1U << (p - 1);
|
|
||||||
int ret = avtab_insert(&policy->te_avtab, &key, av);
|
|
||||||
if (ret) {
|
|
||||||
fprintf(stderr, "Error inserting into avtab\n");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if(not)
|
|
||||||
av->data &= ~(1U << (p - 1));
|
|
||||||
else
|
|
||||||
av->data |= 1U << (p - 1);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
int add_typerule(char *s, char *targetAttribute, char **minusses, char *c, char *p, int effect, int not, policydb_t *policy) {
|
|
||||||
type_datum_t *src, *tgt;
|
type_datum_t *src, *tgt;
|
||||||
class_datum_t *cls;
|
class_datum_t *cls;
|
||||||
perm_datum_t *perm;
|
perm_datum_t *perm;
|
||||||
@ -235,13 +301,13 @@ int add_typerule(char *s, char *targetAttribute, char **minusses, char *c, char
|
|||||||
}
|
}
|
||||||
|
|
||||||
if(!found)
|
if(!found)
|
||||||
ret |= add_irule(src->s.value, i+1, cls->s.value, perm->s.value, effect, not, policy);
|
ret |= add_irule(src->s.value, i+1, cls->s.value, perm->s.value, effect, not);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
int add_transition(char *srcS, char *origS, char *tgtS, char *c, policydb_t *policy) {
|
int add_transition(char *srcS, char *origS, char *tgtS, char *c) {
|
||||||
type_datum_t *src, *tgt, *orig;
|
type_datum_t *src, *tgt, *orig;
|
||||||
class_datum_t *cls;
|
class_datum_t *cls;
|
||||||
|
|
||||||
@ -291,7 +357,7 @@ int add_transition(char *srcS, char *origS, char *tgtS, char *c, policydb_t *pol
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int add_file_transition(char *srcS, char *origS, char *tgtS, char *c, char* filename, policydb_t *policy) {
|
int add_file_transition(char *srcS, char *origS, char *tgtS, char *c, char* filename) {
|
||||||
type_datum_t *src, *tgt, *orig;
|
type_datum_t *src, *tgt, *orig;
|
||||||
class_datum_t *cls;
|
class_datum_t *cls;
|
||||||
|
|
||||||
@ -329,7 +395,7 @@ int add_file_transition(char *srcS, char *origS, char *tgtS, char *c, char* file
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int add_type(char *domainS, char *typeS, policydb_t *policy) {
|
int add_type(char *domainS, char *typeS) {
|
||||||
type_datum_t *domain;
|
type_datum_t *domain;
|
||||||
|
|
||||||
domain = hashtab_search(policy->p_types.table, domainS);
|
domain = hashtab_search(policy->p_types.table, domainS);
|
||||||
@ -338,9 +404,9 @@ int add_type(char *domainS, char *typeS, policydb_t *policy) {
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
set_attr(typeS, domain->s.value, policy);
|
set_attr(typeS, domain->s.value);
|
||||||
|
|
||||||
int typeId = get_attr_id(typeS, policy);
|
int typeId = get_attr_id(typeS);
|
||||||
//Now let's update all constraints!
|
//Now let's update all constraints!
|
||||||
//(kernel doesn't support (yet?) type_names rules)
|
//(kernel doesn't support (yet?) type_names rules)
|
||||||
for(int i=0; i<policy->p_classes.nprim; ++i) {
|
for(int i=0; i<policy->p_classes.nprim; ++i) {
|
||||||
@ -358,116 +424,7 @@ int add_type(char *domainS, char *typeS, policydb_t *policy) {
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf) {
|
int add_rule(char *s, char *t, char *c, char *p, int effect, int not) {
|
||||||
int fd;
|
|
||||||
struct stat sb;
|
|
||||||
void *map;
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
fd = open(filename, O_RDONLY);
|
|
||||||
if (fd < 0) {
|
|
||||||
fprintf(stderr, "Can't open '%s': %s\n",
|
|
||||||
filename, strerror(errno));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
if (fstat(fd, &sb) < 0) {
|
|
||||||
fprintf(stderr, "Can't stat '%s': %s\n",
|
|
||||||
filename, strerror(errno));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE,
|
|
||||||
fd, 0);
|
|
||||||
if (map == MAP_FAILED) {
|
|
||||||
fprintf(stderr, "Can't mmap '%s': %s\n",
|
|
||||||
filename, strerror(errno));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
policy_file_init(pf);
|
|
||||||
pf->type = PF_USE_MEMORY;
|
|
||||||
pf->data = map;
|
|
||||||
pf->len = sb.st_size;
|
|
||||||
if (policydb_init(policydb)) {
|
|
||||||
fprintf(stderr, "policydb_init: Out of memory!\n");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
ret = policydb_read(policydb, pf, 1);
|
|
||||||
if (ret) {
|
|
||||||
fprintf(stderr, "error(s) encountered while parsing configuration\n");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
int add_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, perm_datum_t *perm, int effect, int not, policydb_t *policy) {
|
|
||||||
hashtab_t type_table, class_table, perm_table;
|
|
||||||
hashtab_ptr_t cur;
|
|
||||||
|
|
||||||
type_table = policy->p_types.table;
|
|
||||||
class_table = policy->p_classes.table;
|
|
||||||
|
|
||||||
if (src == NULL) {
|
|
||||||
for (int i = 0; i < type_table->size; ++i) {
|
|
||||||
cur = type_table->htable[i];
|
|
||||||
while (cur != NULL) {
|
|
||||||
src = cur->datum;
|
|
||||||
if(add_rule_auto(src, tgt, cls, perm, effect, not, policy))
|
|
||||||
return 1;
|
|
||||||
cur = cur->next;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else if (tgt == NULL) {
|
|
||||||
for (int i = 0; i < type_table->size; ++i) {
|
|
||||||
cur = type_table->htable[i];
|
|
||||||
while (cur != NULL) {
|
|
||||||
tgt = cur->datum;
|
|
||||||
if(add_rule_auto(src, tgt, cls, perm, effect, not, policy))
|
|
||||||
return 1;
|
|
||||||
cur = cur->next;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else if (cls == NULL) {
|
|
||||||
for (int i = 0; i < class_table->size; ++i) {
|
|
||||||
cur = class_table->htable[i];
|
|
||||||
while (cur != NULL) {
|
|
||||||
cls = cur->datum;
|
|
||||||
if(add_rule_auto(src, tgt, cls, perm, effect, not, policy))
|
|
||||||
return 1;
|
|
||||||
cur = cur->next;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else if (perm == NULL) {
|
|
||||||
perm_table = cls->permissions.table;
|
|
||||||
for (int i = 0; i < perm_table->size; ++i) {
|
|
||||||
cur = perm_table->htable[i];
|
|
||||||
while (cur != NULL) {
|
|
||||||
perm = cur->datum;
|
|
||||||
if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not, policy))
|
|
||||||
return 1;
|
|
||||||
cur = cur->next;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (cls->comdatum != NULL) {
|
|
||||||
perm_table = cls->comdatum->permissions.table;
|
|
||||||
for (int i = 0; i < perm_table->size; ++i) {
|
|
||||||
cur = perm_table->htable[i];
|
|
||||||
while (cur != NULL) {
|
|
||||||
perm = cur->datum;
|
|
||||||
if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not, policy))
|
|
||||||
return 1;
|
|
||||||
cur = cur->next;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
return add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not, policy);
|
|
||||||
}
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
int add_rule(char *s, char *t, char *c, char *p, int effect, int not, policydb_t *policy) {
|
|
||||||
type_datum_t *src = NULL, *tgt = NULL;
|
type_datum_t *src = NULL, *tgt = NULL;
|
||||||
class_datum_t *cls = NULL;
|
class_datum_t *cls = NULL;
|
||||||
perm_datum_t *perm = NULL;
|
perm_datum_t *perm = NULL;
|
||||||
@ -513,16 +470,16 @@ int add_rule(char *s, char *t, char *c, char *p, int effect, int not, policydb_t
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return add_rule_auto(src, tgt, cls, perm, effect, not, policy);
|
return add_rule_auto(src, tgt, cls, perm, effect, not);
|
||||||
}
|
}
|
||||||
|
|
||||||
int live_patch(policydb_t *policydb) {
|
int live_patch() {
|
||||||
char *filename = "/sys/fs/selinux/load";
|
char *filename = "/sys/fs/selinux/load";
|
||||||
int fd, ret;
|
int fd, ret;
|
||||||
void *data = NULL;
|
void *data = NULL;
|
||||||
size_t len;
|
size_t len;
|
||||||
|
|
||||||
policydb_to_image(NULL, policydb, &data, &len);
|
policydb_to_image(NULL, policy, &data, &len);
|
||||||
if (data == NULL) fprintf(stderr, "Error!");
|
if (data == NULL) fprintf(stderr, "Error!");
|
||||||
|
|
||||||
// based on libselinux security_load_policy()
|
// based on libselinux security_load_policy()
|
||||||
@ -541,231 +498,3 @@ int live_patch(policydb_t *policydb) {
|
|||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int main(int argc, char **argv)
|
|
||||||
{
|
|
||||||
char *policy = NULL, *source = NULL, *target = NULL, *class = NULL, *perm = NULL;
|
|
||||||
char *fcon = NULL, *outfile = NULL, *permissive = NULL, *attr = NULL, *filetrans = NULL;
|
|
||||||
int exists = 0, not = 0, live = 0, builtin = 0, magisk = 0;
|
|
||||||
policydb_t policydb;
|
|
||||||
struct policy_file pf, outpf;
|
|
||||||
sidtab_t sidtab;
|
|
||||||
int ch;
|
|
||||||
FILE *fp;
|
|
||||||
int permissive_value = 0, noaudit = 0;
|
|
||||||
|
|
||||||
struct option long_options[] = {
|
|
||||||
{"attr", required_argument, NULL, 'a'},
|
|
||||||
{"exists", no_argument, NULL, 'e'},
|
|
||||||
{"source", required_argument, NULL, 's'},
|
|
||||||
{"target", required_argument, NULL, 't'},
|
|
||||||
{"class", required_argument, NULL, 'c'},
|
|
||||||
{"perm", required_argument, NULL, 'p'},
|
|
||||||
{"fcon", required_argument, NULL, 'f'},
|
|
||||||
{"filetransition", required_argument, NULL, 'g'},
|
|
||||||
{"noaudit", no_argument, NULL, 'n'},
|
|
||||||
{"file", required_argument, NULL, 'P'},
|
|
||||||
{"output", required_argument, NULL, 'o'},
|
|
||||||
{"permissive", required_argument, NULL, 'Z'},
|
|
||||||
{"not-permissive", required_argument, NULL, 'z'},
|
|
||||||
{"not", no_argument, NULL, 0},
|
|
||||||
{"live", no_argument, NULL, 0},
|
|
||||||
{"magisk", no_argument, NULL, 0},
|
|
||||||
{NULL, 0, NULL, 0}
|
|
||||||
};
|
|
||||||
|
|
||||||
int option_index = -1;
|
|
||||||
while ((ch = getopt_long(argc, argv, "a:c:ef:g:s:t:p:P:o:Z:z:n", long_options, &option_index)) != -1) {
|
|
||||||
switch (ch) {
|
|
||||||
case 0:
|
|
||||||
if(strcmp(long_options[option_index].name, "not") == 0)
|
|
||||||
not = 1;
|
|
||||||
else if(strcmp(long_options[option_index].name, "live") == 0)
|
|
||||||
live = 1;
|
|
||||||
else if(strcmp(long_options[option_index].name, "magisk") == 0)
|
|
||||||
magisk = 1;
|
|
||||||
else
|
|
||||||
usage(argv[0]);
|
|
||||||
break;
|
|
||||||
case 'a':
|
|
||||||
attr = optarg;
|
|
||||||
break;
|
|
||||||
case 'e':
|
|
||||||
exists = 1;
|
|
||||||
break;
|
|
||||||
case 'f':
|
|
||||||
fcon = optarg;
|
|
||||||
break;
|
|
||||||
case 'g':
|
|
||||||
filetrans = optarg;
|
|
||||||
break;
|
|
||||||
case 's':
|
|
||||||
source = optarg;
|
|
||||||
break;
|
|
||||||
case 't':
|
|
||||||
target = optarg;
|
|
||||||
break;
|
|
||||||
case 'c':
|
|
||||||
class = optarg;
|
|
||||||
break;
|
|
||||||
case 'p':
|
|
||||||
perm = optarg;
|
|
||||||
break;
|
|
||||||
case 'P':
|
|
||||||
policy = optarg;
|
|
||||||
break;
|
|
||||||
case 'o':
|
|
||||||
outfile = optarg;
|
|
||||||
break;
|
|
||||||
case 'Z':
|
|
||||||
permissive = optarg;
|
|
||||||
permissive_value = 1;
|
|
||||||
break;
|
|
||||||
case 'z':
|
|
||||||
permissive = optarg;
|
|
||||||
permissive_value = 0;
|
|
||||||
break;
|
|
||||||
case 'n':
|
|
||||||
noaudit = 1;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
usage(argv[0]);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Use builtin rules if nothing specified
|
|
||||||
if (!magisk && !source && !target && !class && !perm && !permissive && !fcon && !attr &&!filetrans && !exists)
|
|
||||||
builtin = 1;
|
|
||||||
|
|
||||||
// Overwrite original if not specified
|
|
||||||
if(!outfile)
|
|
||||||
outfile = policy;
|
|
||||||
|
|
||||||
// Use current policy if not specified
|
|
||||||
if(!policy)
|
|
||||||
policy = "/sys/fs/selinux/policy";
|
|
||||||
|
|
||||||
sepol_set_policydb(&policydb);
|
|
||||||
sepol_set_sidtab(&sidtab);
|
|
||||||
|
|
||||||
if (load_policy(policy, &policydb, &pf)) {
|
|
||||||
fprintf(stderr, "Could not load policy\n");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (policydb_load_isids(&policydb, &sidtab))
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
if (builtin) {
|
|
||||||
phh_rules(&policydb);
|
|
||||||
}
|
|
||||||
else if (magisk) {
|
|
||||||
magisk_rules(&policydb);
|
|
||||||
}
|
|
||||||
else if (permissive) {
|
|
||||||
type_datum_t *type;
|
|
||||||
create_domain(permissive, &policydb);
|
|
||||||
type = hashtab_search(policydb.p_types.table, permissive);
|
|
||||||
if (type == NULL) {
|
|
||||||
fprintf(stderr, "type %s does not exist\n", permissive);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
if (ebitmap_set_bit(&policydb.permissive_map, type->s.value, permissive_value)) {
|
|
||||||
fprintf(stderr, "Could not set bit in permissive map\n");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
} else if(exists) {
|
|
||||||
if(source) {
|
|
||||||
type_datum_t *tmp = hashtab_search(policydb.p_types.table, source);
|
|
||||||
if (!tmp)
|
|
||||||
exit(1);
|
|
||||||
else
|
|
||||||
exit(0);
|
|
||||||
} else if(class) {
|
|
||||||
class_datum_t *tmp = hashtab_search(policydb.p_classes.table, class);
|
|
||||||
if(!tmp)
|
|
||||||
exit(1);
|
|
||||||
else
|
|
||||||
exit(0);
|
|
||||||
} else {
|
|
||||||
usage(argv[0]);
|
|
||||||
}
|
|
||||||
} else if(filetrans) {
|
|
||||||
if(add_file_transition(source, fcon, target, class, filetrans, &policydb))
|
|
||||||
return 1;
|
|
||||||
} else if(fcon) {
|
|
||||||
if(add_transition(source, fcon, target, class, &policydb))
|
|
||||||
return 1;
|
|
||||||
} else if(attr) {
|
|
||||||
if(add_type(source, attr, &policydb))
|
|
||||||
return 1;
|
|
||||||
} else if(noaudit) {
|
|
||||||
if(add_rule(source, target, class, perm, AVTAB_AUDITDENY, not, &policydb))
|
|
||||||
return 1;
|
|
||||||
} else {
|
|
||||||
//Add a rule to a whole set of typeattribute, not just a type
|
|
||||||
if (target != NULL) {
|
|
||||||
if(*target == '=') {
|
|
||||||
char *saveptr = NULL;
|
|
||||||
|
|
||||||
char *targetAttribute = strtok_r(target, "-", &saveptr);
|
|
||||||
|
|
||||||
char *vals[64];
|
|
||||||
int i = 0;
|
|
||||||
|
|
||||||
char *m = NULL;
|
|
||||||
while( (m = strtok_r(NULL, "-", &saveptr)) != NULL) {
|
|
||||||
vals[i++] = m;
|
|
||||||
}
|
|
||||||
vals[i] = NULL;
|
|
||||||
|
|
||||||
if(add_typerule(source, targetAttribute+1, vals, class, perm, AVTAB_ALLOWED, not, &policydb))
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (perm != NULL) {
|
|
||||||
char *saveptr = NULL;
|
|
||||||
|
|
||||||
char *p = strtok_r(perm, ",", &saveptr);
|
|
||||||
do {
|
|
||||||
if (add_rule(source, target, class, p, AVTAB_ALLOWED, not, &policydb)) {
|
|
||||||
fprintf(stderr, "Could not add rule\n");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
} while( (p = strtok_r(NULL, ",", &saveptr)) != NULL);
|
|
||||||
} else {
|
|
||||||
if (add_rule(source, target, class, perm, AVTAB_ALLOWED, not, &policydb)) {
|
|
||||||
fprintf(stderr, "Could not add rule\n");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (live) {
|
|
||||||
if (live_patch(&policydb)) {
|
|
||||||
fprintf(stderr, "Could not load new policy into kernel\n");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (outfile) {
|
|
||||||
fp = fopen(outfile, "w");
|
|
||||||
if (!fp) {
|
|
||||||
fprintf(stderr, "Could not open outfile\n");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
policy_file_init(&outpf);
|
|
||||||
outpf.type = PF_USE_STDIO;
|
|
||||||
outpf.fp = fp;
|
|
||||||
|
|
||||||
if (policydb_write(&policydb, &outpf)) {
|
|
||||||
fprintf(stderr, "Could not write policy\n");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
fclose(fp);
|
|
||||||
}
|
|
||||||
|
|
||||||
policydb_destroy(&policydb);
|
|
||||||
return 0;
|
|
||||||
}
|
|
48
utils.c
Normal file
48
utils.c
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
#include "sepolicy-inject.h"
|
||||||
|
|
||||||
|
static void set_domain(char* s, int value) {
|
||||||
|
type_datum_t *type;
|
||||||
|
if (!exists(s))
|
||||||
|
create_domain(s);
|
||||||
|
type = hashtab_search(policy->p_types.table, s);
|
||||||
|
if (type == NULL) {
|
||||||
|
fprintf(stderr, "type %s does not exist\n", s);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if (ebitmap_set_bit(&policy->permissive_map, type->s.value, value)) {
|
||||||
|
fprintf(stderr, "Could not set bit in permissive map\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void allow(char *s, char *t, char *c, char *p) {
|
||||||
|
add_rule(s, t, c, p, AVTAB_ALLOWED, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
void deny(char *s, char *t, char *c, char *p) {
|
||||||
|
add_rule(s, t, c, p, AVTAB_ALLOWED, 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
void auditallow(char *s, char *t, char *c, char *p) {
|
||||||
|
add_rule(s, t, c, p, AVTAB_AUDITALLOW, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
void auditdeny(char *s, char *t, char *c, char *p) {
|
||||||
|
add_rule(s, t, c, p, AVTAB_AUDITDENY, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
void permissive(char *s) {
|
||||||
|
set_domain(s, 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
void enforce(char *s) {
|
||||||
|
set_domain(s, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
void attradd(char *s, char *a) {
|
||||||
|
add_type(s, a);
|
||||||
|
}
|
||||||
|
|
||||||
|
int exists(char* source) {
|
||||||
|
return !! hashtab_search(policy->p_types.table, source);
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user