Project restructure
This commit is contained in:
parent
7dea682713
commit
6900c197cd
@ -4,7 +4,7 @@ include $(CLEAR_VARS)
|
||||
LOCAL_MODULE := sepolicy-inject
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
LOCAL_STATIC_LIBRARIES := libsepol
|
||||
LOCAL_SRC_FILES := sepolicy-inject.c builtin_rules.c
|
||||
LOCAL_SRC_FILES := main.c sepolicy.c rules.c utils.c
|
||||
LOCAL_C_INCLUDES := jni/selinux/libsepol/include/
|
||||
LOCAL_CFLAGS += -std=gnu11
|
||||
include $(BUILD_EXECUTABLE)
|
||||
|
247
main.c
Normal file
247
main.c
Normal file
@ -0,0 +1,247 @@
|
||||
#include "sepolicy-inject.h"
|
||||
|
||||
static void usage(char *arg0) {
|
||||
fprintf(stderr, "%s -s <source type> -t <target type> -c <class> -p <perm_list> -P <policy file>\n", arg0);
|
||||
fprintf(stderr, "\tInject a rule\n\n");
|
||||
fprintf(stderr, "%s -s <source type> -a <type_attribute> -P <policy file>\n", arg0);
|
||||
fprintf(stderr, "\tAdd a type_attribute to a domain\n\n");
|
||||
fprintf(stderr, "%s -Z <source type> -P <policy file>\n", arg0);
|
||||
fprintf(stderr, "\tInject a permissive domain\n\n");
|
||||
fprintf(stderr, "%s -z <source type> -P <policy file>\n", arg0);
|
||||
fprintf(stderr, "\tInject a non-permissive domain\n\n");
|
||||
fprintf(stderr, "%s -e -s <source type> -P <policy file>\n", arg0);
|
||||
fprintf(stderr, "\tCheck if a SELinux type exists\n\n");
|
||||
fprintf(stderr, "%s -e -c <class> -P <policy file>\n", arg0);
|
||||
fprintf(stderr, "\tCheck if a SELinux class exists\n\n");
|
||||
fprintf(stderr, "All options can add -o <output file> to output to another file\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
char *infile = NULL, *source = NULL, *target = NULL, *class = NULL, *perm = NULL;
|
||||
char *fcon = NULL, *outfile = NULL, *permissive = NULL, *attr = NULL, *filetrans = NULL;
|
||||
int exists = 0, not = 0, live = 0, builtin = 0, magisk = 0;
|
||||
policydb_t policydb;
|
||||
struct policy_file pf, outpf;
|
||||
sidtab_t sidtab;
|
||||
int ch;
|
||||
FILE *fp;
|
||||
int permissive_value = 0, noaudit = 0;
|
||||
|
||||
struct option long_options[] = {
|
||||
{"attr", required_argument, NULL, 'a'},
|
||||
{"exists", no_argument, NULL, 'e'},
|
||||
{"source", required_argument, NULL, 's'},
|
||||
{"target", required_argument, NULL, 't'},
|
||||
{"class", required_argument, NULL, 'c'},
|
||||
{"perm", required_argument, NULL, 'p'},
|
||||
{"fcon", required_argument, NULL, 'f'},
|
||||
{"filetransition", required_argument, NULL, 'g'},
|
||||
{"noaudit", no_argument, NULL, 'n'},
|
||||
{"file", required_argument, NULL, 'P'},
|
||||
{"output", required_argument, NULL, 'o'},
|
||||
{"permissive", required_argument, NULL, 'Z'},
|
||||
{"not-permissive", required_argument, NULL, 'z'},
|
||||
{"not", no_argument, NULL, 0},
|
||||
{"live", no_argument, NULL, 0},
|
||||
{"magisk", no_argument, NULL, 0},
|
||||
{NULL, 0, NULL, 0}
|
||||
};
|
||||
|
||||
int option_index = -1;
|
||||
while ((ch = getopt_long(argc, argv, "a:c:ef:g:s:t:p:P:o:Z:z:n", long_options, &option_index)) != -1) {
|
||||
switch (ch) {
|
||||
case 0:
|
||||
if(strcmp(long_options[option_index].name, "not") == 0)
|
||||
not = 1;
|
||||
else if(strcmp(long_options[option_index].name, "live") == 0)
|
||||
live = 1;
|
||||
else if(strcmp(long_options[option_index].name, "magisk") == 0)
|
||||
magisk = 1;
|
||||
else
|
||||
usage(argv[0]);
|
||||
break;
|
||||
case 'a':
|
||||
attr = optarg;
|
||||
break;
|
||||
case 'e':
|
||||
exists = 1;
|
||||
break;
|
||||
case 'f':
|
||||
fcon = optarg;
|
||||
break;
|
||||
case 'g':
|
||||
filetrans = optarg;
|
||||
break;
|
||||
case 's':
|
||||
source = optarg;
|
||||
break;
|
||||
case 't':
|
||||
target = optarg;
|
||||
break;
|
||||
case 'c':
|
||||
class = optarg;
|
||||
break;
|
||||
case 'p':
|
||||
perm = optarg;
|
||||
break;
|
||||
case 'P':
|
||||
infile = optarg;
|
||||
break;
|
||||
case 'o':
|
||||
outfile = optarg;
|
||||
break;
|
||||
case 'Z':
|
||||
permissive = optarg;
|
||||
permissive_value = 1;
|
||||
break;
|
||||
case 'z':
|
||||
permissive = optarg;
|
||||
permissive_value = 0;
|
||||
break;
|
||||
case 'n':
|
||||
noaudit = 1;
|
||||
break;
|
||||
default:
|
||||
usage(argv[0]);
|
||||
}
|
||||
}
|
||||
|
||||
// Use builtin rules if nothing specified
|
||||
if (!magisk && !source && !target && !class && !perm && !permissive && !fcon && !attr &&!filetrans && !exists)
|
||||
builtin = 1;
|
||||
|
||||
// Overwrite original if not specified
|
||||
if(!outfile)
|
||||
outfile = infile;
|
||||
|
||||
// Use current policy if not specified
|
||||
if(!infile)
|
||||
infile = "/sys/fs/selinux/policy";
|
||||
|
||||
sepol_set_policydb(&policydb);
|
||||
sepol_set_sidtab(&sidtab);
|
||||
|
||||
if (load_policy(infile, &policydb, &pf)) {
|
||||
fprintf(stderr, "Could not load policy\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (policydb_load_isids(&policydb, &sidtab))
|
||||
return 1;
|
||||
|
||||
policy = &policydb;
|
||||
|
||||
if (builtin) {
|
||||
su_rules();
|
||||
}
|
||||
else if (magisk) {
|
||||
magisk_rules();
|
||||
}
|
||||
else if (permissive) {
|
||||
type_datum_t *type;
|
||||
create_domain(permissive);
|
||||
type = hashtab_search(policydb.p_types.table, permissive);
|
||||
if (type == NULL) {
|
||||
fprintf(stderr, "type %s does not exist\n", permissive);
|
||||
return 1;
|
||||
}
|
||||
if (ebitmap_set_bit(&policydb.permissive_map, type->s.value, permissive_value)) {
|
||||
fprintf(stderr, "Could not set bit in permissive map\n");
|
||||
return 1;
|
||||
}
|
||||
} else if(exists) {
|
||||
if(source) {
|
||||
type_datum_t *tmp = hashtab_search(policydb.p_types.table, source);
|
||||
if (!tmp)
|
||||
exit(1);
|
||||
else
|
||||
exit(0);
|
||||
} else if(class) {
|
||||
class_datum_t *tmp = hashtab_search(policydb.p_classes.table, class);
|
||||
if(!tmp)
|
||||
exit(1);
|
||||
else
|
||||
exit(0);
|
||||
} else {
|
||||
usage(argv[0]);
|
||||
}
|
||||
} else if(filetrans) {
|
||||
if(add_file_transition(source, fcon, target, class, filetrans))
|
||||
return 1;
|
||||
} else if(fcon) {
|
||||
if(add_transition(source, fcon, target, class))
|
||||
return 1;
|
||||
} else if(attr) {
|
||||
if(add_type(source, attr))
|
||||
return 1;
|
||||
} else if(noaudit) {
|
||||
if(add_rule(source, target, class, perm, AVTAB_AUDITDENY, not))
|
||||
return 1;
|
||||
} else {
|
||||
//Add a rule to a whole set of typeattribute, not just a type
|
||||
if (target != NULL) {
|
||||
if(*target == '=') {
|
||||
char *saveptr = NULL;
|
||||
|
||||
char *targetAttribute = strtok_r(target, "-", &saveptr);
|
||||
|
||||
char *vals[64];
|
||||
int i = 0;
|
||||
|
||||
char *m = NULL;
|
||||
while( (m = strtok_r(NULL, "-", &saveptr)) != NULL) {
|
||||
vals[i++] = m;
|
||||
}
|
||||
vals[i] = NULL;
|
||||
|
||||
if(add_typerule(source, targetAttribute+1, vals, class, perm, AVTAB_ALLOWED, not))
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
if (perm != NULL) {
|
||||
char *saveptr = NULL;
|
||||
|
||||
char *p = strtok_r(perm, ",", &saveptr);
|
||||
do {
|
||||
if (add_rule(source, target, class, p, AVTAB_ALLOWED, not)) {
|
||||
fprintf(stderr, "Could not add rule\n");
|
||||
return 1;
|
||||
}
|
||||
} while( (p = strtok_r(NULL, ",", &saveptr)) != NULL);
|
||||
} else {
|
||||
if (add_rule(source, target, class, perm, AVTAB_ALLOWED, not)) {
|
||||
fprintf(stderr, "Could not add rule\n");
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (live) {
|
||||
if (live_patch()) {
|
||||
fprintf(stderr, "Could not load new policy into kernel\n");
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
if (outfile) {
|
||||
fp = fopen(outfile, "w");
|
||||
if (!fp) {
|
||||
fprintf(stderr, "Could not open outfile\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
policy_file_init(&outpf);
|
||||
outpf.type = PF_USE_STDIO;
|
||||
outpf.fp = fp;
|
||||
|
||||
if (policydb_write(&policydb, &outpf)) {
|
||||
fprintf(stderr, "Could not write policy\n");
|
||||
return 1;
|
||||
}
|
||||
fclose(fp);
|
||||
}
|
||||
|
||||
policydb_destroy(&policydb);
|
||||
return 0;
|
||||
}
|
@ -1,44 +1,4 @@
|
||||
#include <stdio.h>
|
||||
#include <sepol/policydb/policydb.h>
|
||||
|
||||
#define ALL NULL
|
||||
|
||||
extern int add_rule(char *s, char *t, char *c, char *p, int effect, int not, policydb_t *policy);
|
||||
extern void create_domain(char *d, policydb_t *policy);
|
||||
extern int add_transition(char *srcS, char *origS, char *tgtS, char *c, policydb_t *policy);
|
||||
extern int add_type(char *domainS, char *typeS, policydb_t *policy);
|
||||
|
||||
policydb_t *policy;
|
||||
|
||||
void allow(char *s, char *t, char *c, char *p) {
|
||||
add_rule(s, t, c, p, AVTAB_ALLOWED, 0, policy);
|
||||
}
|
||||
|
||||
void noaudit(char *s, char *t, char *c, char *p) {
|
||||
add_rule(s, t, c, p, AVTAB_AUDITDENY, 0, policy);
|
||||
}
|
||||
|
||||
void deny(char *s, char *t, char *c, char *p) {
|
||||
add_rule(s, t, c, p, AVTAB_ALLOWED, 1, policy);
|
||||
}
|
||||
|
||||
void setPermissive(char* permissive, int permissive_value) {
|
||||
type_datum_t *type;
|
||||
create_domain(permissive, policy);
|
||||
type = hashtab_search(policy->p_types.table, permissive);
|
||||
if (type == NULL) {
|
||||
fprintf(stderr, "type %s does not exist\n", permissive);
|
||||
return;
|
||||
}
|
||||
if (ebitmap_set_bit(&policy->permissive_map, type->s.value, permissive_value)) {
|
||||
fprintf(stderr, "Could not set bit in permissive map\n");
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
int exists(char* source) {
|
||||
return (int) hashtab_search(policy->p_types.table, source);
|
||||
}
|
||||
#include "sepolicy-inject.h"
|
||||
|
||||
void samsung() {
|
||||
deny("init", "kernel", "security", "load_policy");
|
||||
@ -222,6 +182,12 @@ void suDaemonRights() {
|
||||
allow("su_daemon", "proc", "file", "open");
|
||||
allow("su_daemon", "su_daemon", "process", "setcurrent");
|
||||
allow("su_daemon", "system_file", "file", "execute_no_trans");
|
||||
|
||||
// Allow to adb shell su
|
||||
allow("su_daemon", "adbd", "fd", "use");
|
||||
allow("su_daemon", "adbd", "unix_stream_socket", "read");
|
||||
allow("su_daemon", "adbd", "unix_stream_socket", "write");
|
||||
allow("su_daemon", "adbd", "unix_stream_socket", "ioctl");
|
||||
}
|
||||
|
||||
void suBind() {
|
||||
@ -274,36 +240,34 @@ void otherToSU() {
|
||||
allow(ALL, "su", "process", "sigchld");
|
||||
|
||||
// uNetworkL0
|
||||
add_type("su", "netdomain", policy);
|
||||
add_type("su", "bluetoothdomain", policy);
|
||||
add_type("su", "netdomain");
|
||||
add_type("su", "bluetoothdomain");
|
||||
|
||||
// suBackL6
|
||||
allow("surfaceflinger", "app_data_file", "dir", ALL);
|
||||
allow("surfaceflinger", "app_data_file", "file", ALL);
|
||||
allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
|
||||
add_type("surfaceflinger", "mlstrustedsubject", policy);
|
||||
add_type("surfaceflinger", "mlstrustedsubject");
|
||||
|
||||
// suMiscL6
|
||||
if (exists("audioserver"))
|
||||
allow("audioserver", "audioserver", "process", "execmem");
|
||||
}
|
||||
|
||||
void phh_rules(policydb_t *policydb) {
|
||||
policy = policydb;
|
||||
|
||||
void su_rules() {
|
||||
// Samsung specific
|
||||
// Prevent system from loading policy
|
||||
if(exists("knox_system_app"))
|
||||
samsung();
|
||||
|
||||
// Create domains if they don't exist
|
||||
setPermissive("su", 1);
|
||||
setPermissive("su_device", 0);
|
||||
setPermissive("su_daemon", 0);
|
||||
permissive("su");
|
||||
enforce("su_device");
|
||||
enforce("su_daemon");
|
||||
|
||||
// Autotransition su's socket to su_device
|
||||
add_transition("su_daemon", "device", "su_device", "file", policy);
|
||||
add_transition("su_daemon", "device", "su_device", "dir", policy);
|
||||
add_transition("su_daemon", "device", "su_device", "file");
|
||||
add_transition("su_daemon", "device", "su_device", "dir");
|
||||
allow("su_device", "tmpfs", "filesystem", "associate");
|
||||
|
||||
// Transition from untrusted_app to su_client
|
||||
@ -329,22 +293,21 @@ void phh_rules(policydb_t *policydb) {
|
||||
otherToSU();
|
||||
|
||||
// Need to set su_device/su as trusted to be accessible from other categories
|
||||
add_type("su_device", "mlstrustedobject", policy);
|
||||
add_type("su_daemon", "mlstrustedsubject", policy);
|
||||
add_type("su", "mlstrustedsubject", policy);
|
||||
attradd("su_device", "mlstrustedobject");
|
||||
attradd("su_daemon", "mlstrustedsubject");
|
||||
attradd("su", "mlstrustedsubject");
|
||||
|
||||
// Allow chcon to rootfs
|
||||
allow("rootfs", "labeledfs", "filesystem", "associate");
|
||||
// Allow chcon to anything
|
||||
allow(ALL, "labeledfs", "filesystem", "associate");
|
||||
}
|
||||
|
||||
// Minimal to run Magisk script before live patching
|
||||
void magisk_rules(policydb_t *policydb) {
|
||||
policy = policydb;
|
||||
void magisk_rules() {
|
||||
|
||||
setPermissive("su", 1);
|
||||
setPermissive("init", 1);
|
||||
permissive("su");
|
||||
permissive("init");
|
||||
|
||||
add_type("su", "mlstrustedsubject", policy);
|
||||
attradd("su", "mlstrustedsubject");
|
||||
|
||||
allow("kernel", "su", "fd", "use");
|
||||
allow("init", "su", "process", ALL);
|
50
sepolicy-inject.h
Normal file
50
sepolicy-inject.h
Normal file
@ -0,0 +1,50 @@
|
||||
#ifndef SEPOLICY_INJECT_H
|
||||
#define SEPOLICY_INJECT_H
|
||||
|
||||
#define ALL NULL
|
||||
|
||||
#include <getopt.h>
|
||||
#include <unistd.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/mman.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdio.h>
|
||||
#include <sepol/debug.h>
|
||||
#include <sepol/policydb/policydb.h>
|
||||
#include <sepol/policydb/expand.h>
|
||||
#include <sepol/policydb/link.h>
|
||||
#include <sepol/policydb/services.h>
|
||||
#include <sepol/policydb/avrule_block.h>
|
||||
#include <sepol/policydb/conditional.h>
|
||||
#include <sepol/policydb/constraint.h>
|
||||
|
||||
// Global policydb
|
||||
policydb_t *policy;
|
||||
|
||||
// sepolicy manipulation functions
|
||||
int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf);
|
||||
void create_domain(char *d);
|
||||
int add_file_transition(char *srcS, char *origS, char *tgtS, char *c, char* filename);
|
||||
int add_transition(char *srcS, char *origS, char *tgtS, char *c);
|
||||
int add_type(char *domainS, char *typeS);
|
||||
int add_rule(char *s, char *t, char *c, char *p, int effect, int not);
|
||||
int add_typerule(char *s, char *targetAttribute, char **minusses, char *c, char *p, int effect, int not);
|
||||
int live_patch();
|
||||
|
||||
// Handy functions
|
||||
void allow(char *s, char *t, char *c, char *p);
|
||||
void deny(char *s, char *t, char *c, char *p);
|
||||
void auditallow(char *s, char *t, char *c, char *p);
|
||||
void auditdeny(char *s, char *t, char *c, char *p);
|
||||
void permissive(char *s);
|
||||
void enforce(char *s);
|
||||
void attradd(char *s, char *a);
|
||||
int exists(char *source);
|
||||
|
||||
// Built in rules
|
||||
void su_rules();
|
||||
void magisk_rules();
|
||||
|
||||
#endif
|
@ -1,49 +1,6 @@
|
||||
/*
|
||||
* This was derived from public domain works with updates to
|
||||
* work with more modern SELinux libraries.
|
||||
*
|
||||
* It is released into the public domain.
|
||||
*
|
||||
*/
|
||||
#include "sepolicy-inject.h"
|
||||
|
||||
#include <getopt.h>
|
||||
#include <unistd.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/mman.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdio.h>
|
||||
#include <sepol/debug.h>
|
||||
#include <sepol/policydb/policydb.h>
|
||||
#include <sepol/policydb/expand.h>
|
||||
#include <sepol/policydb/link.h>
|
||||
#include <sepol/policydb/services.h>
|
||||
#include <sepol/policydb/avrule_block.h>
|
||||
#include <sepol/policydb/conditional.h>
|
||||
#include <sepol/policydb/constraint.h>
|
||||
|
||||
extern void phh_rules(policydb_t *policydb);
|
||||
extern void magisk_rules(policydb_t *policydb);
|
||||
|
||||
void usage(char *arg0) {
|
||||
fprintf(stderr, "%s -s <source type> -t <target type> -c <class> -p <perm_list> -P <policy file>\n", arg0);
|
||||
fprintf(stderr, "\tInject a rule\n\n");
|
||||
fprintf(stderr, "%s -s <source type> -a <type_attribute> -P <policy file>\n", arg0);
|
||||
fprintf(stderr, "\tAdd a type_attribute to a domain\n\n");
|
||||
fprintf(stderr, "%s -Z <source type> -P <policy file>\n", arg0);
|
||||
fprintf(stderr, "\tInject a permissive domain\n\n");
|
||||
fprintf(stderr, "%s -z <source type> -P <policy file>\n", arg0);
|
||||
fprintf(stderr, "\tInject a non-permissive domain\n\n");
|
||||
fprintf(stderr, "%s -e -s <source type> -P <policy file>\n", arg0);
|
||||
fprintf(stderr, "\tCheck if a SELinux type exists\n\n");
|
||||
fprintf(stderr, "%s -e -c <class> -P <policy file>\n", arg0);
|
||||
fprintf(stderr, "\tCheck if a SELinux class exists\n\n");
|
||||
fprintf(stderr, "All options can add -o <output file> to output to another file\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
void *cmalloc(size_t s) {
|
||||
static void *cmalloc(size_t s) {
|
||||
void *t = malloc(s);
|
||||
if (t == NULL) {
|
||||
fprintf(stderr, "Out of memory\n");
|
||||
@ -52,7 +9,7 @@ void *cmalloc(size_t s) {
|
||||
return t;
|
||||
}
|
||||
|
||||
int get_attr(char *type, int value, policydb_t *policy) {
|
||||
static int get_attr(char *type, int value) {
|
||||
type_datum_t *attr = hashtab_search(policy->p_types.table, type);
|
||||
if (!attr)
|
||||
exit(1);
|
||||
@ -64,7 +21,7 @@ int get_attr(char *type, int value, policydb_t *policy) {
|
||||
//return !! ebitmap_get_bit(&policy->type_attr_map[value-1], attr->s.value-1);
|
||||
}
|
||||
|
||||
int get_attr_id(char *type, policydb_t *policy) {
|
||||
static int get_attr_id(char *type) {
|
||||
type_datum_t *attr = hashtab_search(policy->p_types.table, type);
|
||||
if (!attr)
|
||||
exit(1);
|
||||
@ -75,7 +32,7 @@ int get_attr_id(char *type, policydb_t *policy) {
|
||||
return attr->s.value;
|
||||
}
|
||||
|
||||
int set_attr(char *type, int value, policydb_t *policy) {
|
||||
static int set_attr(char *type, int value) {
|
||||
type_datum_t *attr = hashtab_search(policy->p_types.table, type);
|
||||
if (!attr)
|
||||
exit(1);
|
||||
@ -91,7 +48,143 @@ int set_attr(char *type, int value, policydb_t *policy) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
void create_domain(char *d, policydb_t *policy) {
|
||||
static int add_irule(int s, int t, int c, int p, int effect, int not) {
|
||||
avtab_datum_t *av;
|
||||
avtab_key_t key;
|
||||
|
||||
key.source_type = s;
|
||||
key.target_type = t;
|
||||
key.target_class = c;
|
||||
key.specified = effect;
|
||||
av = avtab_search(&policy->te_avtab, &key);
|
||||
|
||||
if (av == NULL) {
|
||||
av = cmalloc(sizeof(*av));
|
||||
av->data |= 1U << (p - 1);
|
||||
int ret = avtab_insert(&policy->te_avtab, &key, av);
|
||||
if (ret) {
|
||||
fprintf(stderr, "Error inserting into avtab\n");
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
if(not)
|
||||
av->data &= ~(1U << (p - 1));
|
||||
else
|
||||
av->data |= 1U << (p - 1);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int add_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, perm_datum_t *perm, int effect, int not) {
|
||||
hashtab_t type_table, class_table, perm_table;
|
||||
hashtab_ptr_t cur;
|
||||
|
||||
type_table = policy->p_types.table;
|
||||
class_table = policy->p_classes.table;
|
||||
|
||||
if (src == NULL) {
|
||||
for (int i = 0; i < type_table->size; ++i) {
|
||||
cur = type_table->htable[i];
|
||||
while (cur != NULL) {
|
||||
src = cur->datum;
|
||||
if(add_rule_auto(src, tgt, cls, perm, effect, not))
|
||||
return 1;
|
||||
cur = cur->next;
|
||||
}
|
||||
}
|
||||
} else if (tgt == NULL) {
|
||||
for (int i = 0; i < type_table->size; ++i) {
|
||||
cur = type_table->htable[i];
|
||||
while (cur != NULL) {
|
||||
tgt = cur->datum;
|
||||
if(add_rule_auto(src, tgt, cls, perm, effect, not))
|
||||
return 1;
|
||||
cur = cur->next;
|
||||
}
|
||||
}
|
||||
} else if (cls == NULL) {
|
||||
for (int i = 0; i < class_table->size; ++i) {
|
||||
cur = class_table->htable[i];
|
||||
while (cur != NULL) {
|
||||
cls = cur->datum;
|
||||
if(add_rule_auto(src, tgt, cls, perm, effect, not))
|
||||
return 1;
|
||||
cur = cur->next;
|
||||
}
|
||||
}
|
||||
} else if (perm == NULL) {
|
||||
perm_table = cls->permissions.table;
|
||||
for (int i = 0; i < perm_table->size; ++i) {
|
||||
cur = perm_table->htable[i];
|
||||
while (cur != NULL) {
|
||||
perm = cur->datum;
|
||||
if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not))
|
||||
return 1;
|
||||
cur = cur->next;
|
||||
}
|
||||
}
|
||||
|
||||
if (cls->comdatum != NULL) {
|
||||
perm_table = cls->comdatum->permissions.table;
|
||||
for (int i = 0; i < perm_table->size; ++i) {
|
||||
cur = perm_table->htable[i];
|
||||
while (cur != NULL) {
|
||||
perm = cur->datum;
|
||||
if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not))
|
||||
return 1;
|
||||
cur = cur->next;
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
return add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf) {
|
||||
int fd;
|
||||
struct stat sb;
|
||||
void *map;
|
||||
int ret;
|
||||
|
||||
fd = open(filename, O_RDONLY);
|
||||
if (fd < 0) {
|
||||
fprintf(stderr, "Can't open '%s': %s\n",
|
||||
filename, strerror(errno));
|
||||
return 1;
|
||||
}
|
||||
if (fstat(fd, &sb) < 0) {
|
||||
fprintf(stderr, "Can't stat '%s': %s\n",
|
||||
filename, strerror(errno));
|
||||
return 1;
|
||||
}
|
||||
map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE,
|
||||
fd, 0);
|
||||
if (map == MAP_FAILED) {
|
||||
fprintf(stderr, "Can't mmap '%s': %s\n",
|
||||
filename, strerror(errno));
|
||||
return 1;
|
||||
}
|
||||
|
||||
policy_file_init(pf);
|
||||
pf->type = PF_USE_MEMORY;
|
||||
pf->data = map;
|
||||
pf->len = sb.st_size;
|
||||
if (policydb_init(policydb)) {
|
||||
fprintf(stderr, "policydb_init: Out of memory!\n");
|
||||
return 1;
|
||||
}
|
||||
ret = policydb_read(policydb, pf, 1);
|
||||
if (ret) {
|
||||
fprintf(stderr, "error(s) encountered while parsing configuration\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
void create_domain(char *d) {
|
||||
symtab_datum_t *src = hashtab_search(policy->p_types.table, d);
|
||||
if(src)
|
||||
return;
|
||||
@ -139,37 +232,10 @@ void create_domain(char *d, policydb_t *policy) {
|
||||
if(policydb_index_others(NULL, policy, 1))
|
||||
exit(1);
|
||||
|
||||
set_attr("domain", value, policy);
|
||||
set_attr("domain", value);
|
||||
}
|
||||
|
||||
int add_irule(int s, int t, int c, int p, int effect, int not, policydb_t* policy) {
|
||||
avtab_datum_t *av;
|
||||
avtab_key_t key;
|
||||
|
||||
key.source_type = s;
|
||||
key.target_type = t;
|
||||
key.target_class = c;
|
||||
key.specified = effect;
|
||||
av = avtab_search(&policy->te_avtab, &key);
|
||||
|
||||
if (av == NULL) {
|
||||
av = cmalloc(sizeof(*av));
|
||||
av->data |= 1U << (p - 1);
|
||||
int ret = avtab_insert(&policy->te_avtab, &key, av);
|
||||
if (ret) {
|
||||
fprintf(stderr, "Error inserting into avtab\n");
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
if(not)
|
||||
av->data &= ~(1U << (p - 1));
|
||||
else
|
||||
av->data |= 1U << (p - 1);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int add_typerule(char *s, char *targetAttribute, char **minusses, char *c, char *p, int effect, int not, policydb_t *policy) {
|
||||
int add_typerule(char *s, char *targetAttribute, char **minusses, char *c, char *p, int effect, int not) {
|
||||
type_datum_t *src, *tgt;
|
||||
class_datum_t *cls;
|
||||
perm_datum_t *perm;
|
||||
@ -235,13 +301,13 @@ int add_typerule(char *s, char *targetAttribute, char **minusses, char *c, char
|
||||
}
|
||||
|
||||
if(!found)
|
||||
ret |= add_irule(src->s.value, i+1, cls->s.value, perm->s.value, effect, not, policy);
|
||||
ret |= add_irule(src->s.value, i+1, cls->s.value, perm->s.value, effect, not);
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
int add_transition(char *srcS, char *origS, char *tgtS, char *c, policydb_t *policy) {
|
||||
int add_transition(char *srcS, char *origS, char *tgtS, char *c) {
|
||||
type_datum_t *src, *tgt, *orig;
|
||||
class_datum_t *cls;
|
||||
|
||||
@ -291,7 +357,7 @@ int add_transition(char *srcS, char *origS, char *tgtS, char *c, policydb_t *pol
|
||||
return 0;
|
||||
}
|
||||
|
||||
int add_file_transition(char *srcS, char *origS, char *tgtS, char *c, char* filename, policydb_t *policy) {
|
||||
int add_file_transition(char *srcS, char *origS, char *tgtS, char *c, char* filename) {
|
||||
type_datum_t *src, *tgt, *orig;
|
||||
class_datum_t *cls;
|
||||
|
||||
@ -329,7 +395,7 @@ int add_file_transition(char *srcS, char *origS, char *tgtS, char *c, char* file
|
||||
return 0;
|
||||
}
|
||||
|
||||
int add_type(char *domainS, char *typeS, policydb_t *policy) {
|
||||
int add_type(char *domainS, char *typeS) {
|
||||
type_datum_t *domain;
|
||||
|
||||
domain = hashtab_search(policy->p_types.table, domainS);
|
||||
@ -338,9 +404,9 @@ int add_type(char *domainS, char *typeS, policydb_t *policy) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
set_attr(typeS, domain->s.value, policy);
|
||||
set_attr(typeS, domain->s.value);
|
||||
|
||||
int typeId = get_attr_id(typeS, policy);
|
||||
int typeId = get_attr_id(typeS);
|
||||
//Now let's update all constraints!
|
||||
//(kernel doesn't support (yet?) type_names rules)
|
||||
for(int i=0; i<policy->p_classes.nprim; ++i) {
|
||||
@ -358,116 +424,7 @@ int add_type(char *domainS, char *typeS, policydb_t *policy) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf) {
|
||||
int fd;
|
||||
struct stat sb;
|
||||
void *map;
|
||||
int ret;
|
||||
|
||||
fd = open(filename, O_RDONLY);
|
||||
if (fd < 0) {
|
||||
fprintf(stderr, "Can't open '%s': %s\n",
|
||||
filename, strerror(errno));
|
||||
return 1;
|
||||
}
|
||||
if (fstat(fd, &sb) < 0) {
|
||||
fprintf(stderr, "Can't stat '%s': %s\n",
|
||||
filename, strerror(errno));
|
||||
return 1;
|
||||
}
|
||||
map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE,
|
||||
fd, 0);
|
||||
if (map == MAP_FAILED) {
|
||||
fprintf(stderr, "Can't mmap '%s': %s\n",
|
||||
filename, strerror(errno));
|
||||
return 1;
|
||||
}
|
||||
|
||||
policy_file_init(pf);
|
||||
pf->type = PF_USE_MEMORY;
|
||||
pf->data = map;
|
||||
pf->len = sb.st_size;
|
||||
if (policydb_init(policydb)) {
|
||||
fprintf(stderr, "policydb_init: Out of memory!\n");
|
||||
return 1;
|
||||
}
|
||||
ret = policydb_read(policydb, pf, 1);
|
||||
if (ret) {
|
||||
fprintf(stderr, "error(s) encountered while parsing configuration\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int add_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, perm_datum_t *perm, int effect, int not, policydb_t *policy) {
|
||||
hashtab_t type_table, class_table, perm_table;
|
||||
hashtab_ptr_t cur;
|
||||
|
||||
type_table = policy->p_types.table;
|
||||
class_table = policy->p_classes.table;
|
||||
|
||||
if (src == NULL) {
|
||||
for (int i = 0; i < type_table->size; ++i) {
|
||||
cur = type_table->htable[i];
|
||||
while (cur != NULL) {
|
||||
src = cur->datum;
|
||||
if(add_rule_auto(src, tgt, cls, perm, effect, not, policy))
|
||||
return 1;
|
||||
cur = cur->next;
|
||||
}
|
||||
}
|
||||
} else if (tgt == NULL) {
|
||||
for (int i = 0; i < type_table->size; ++i) {
|
||||
cur = type_table->htable[i];
|
||||
while (cur != NULL) {
|
||||
tgt = cur->datum;
|
||||
if(add_rule_auto(src, tgt, cls, perm, effect, not, policy))
|
||||
return 1;
|
||||
cur = cur->next;
|
||||
}
|
||||
}
|
||||
} else if (cls == NULL) {
|
||||
for (int i = 0; i < class_table->size; ++i) {
|
||||
cur = class_table->htable[i];
|
||||
while (cur != NULL) {
|
||||
cls = cur->datum;
|
||||
if(add_rule_auto(src, tgt, cls, perm, effect, not, policy))
|
||||
return 1;
|
||||
cur = cur->next;
|
||||
}
|
||||
}
|
||||
} else if (perm == NULL) {
|
||||
perm_table = cls->permissions.table;
|
||||
for (int i = 0; i < perm_table->size; ++i) {
|
||||
cur = perm_table->htable[i];
|
||||
while (cur != NULL) {
|
||||
perm = cur->datum;
|
||||
if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not, policy))
|
||||
return 1;
|
||||
cur = cur->next;
|
||||
}
|
||||
}
|
||||
|
||||
if (cls->comdatum != NULL) {
|
||||
perm_table = cls->comdatum->permissions.table;
|
||||
for (int i = 0; i < perm_table->size; ++i) {
|
||||
cur = perm_table->htable[i];
|
||||
while (cur != NULL) {
|
||||
perm = cur->datum;
|
||||
if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not, policy))
|
||||
return 1;
|
||||
cur = cur->next;
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
return add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not, policy);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int add_rule(char *s, char *t, char *c, char *p, int effect, int not, policydb_t *policy) {
|
||||
int add_rule(char *s, char *t, char *c, char *p, int effect, int not) {
|
||||
type_datum_t *src = NULL, *tgt = NULL;
|
||||
class_datum_t *cls = NULL;
|
||||
perm_datum_t *perm = NULL;
|
||||
@ -513,16 +470,16 @@ int add_rule(char *s, char *t, char *c, char *p, int effect, int not, policydb_t
|
||||
}
|
||||
}
|
||||
}
|
||||
return add_rule_auto(src, tgt, cls, perm, effect, not, policy);
|
||||
return add_rule_auto(src, tgt, cls, perm, effect, not);
|
||||
}
|
||||
|
||||
int live_patch(policydb_t *policydb) {
|
||||
int live_patch() {
|
||||
char *filename = "/sys/fs/selinux/load";
|
||||
int fd, ret;
|
||||
void *data = NULL;
|
||||
size_t len;
|
||||
|
||||
policydb_to_image(NULL, policydb, &data, &len);
|
||||
policydb_to_image(NULL, policy, &data, &len);
|
||||
if (data == NULL) fprintf(stderr, "Error!");
|
||||
|
||||
// based on libselinux security_load_policy()
|
||||
@ -541,231 +498,3 @@ int live_patch(policydb_t *policydb) {
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
char *policy = NULL, *source = NULL, *target = NULL, *class = NULL, *perm = NULL;
|
||||
char *fcon = NULL, *outfile = NULL, *permissive = NULL, *attr = NULL, *filetrans = NULL;
|
||||
int exists = 0, not = 0, live = 0, builtin = 0, magisk = 0;
|
||||
policydb_t policydb;
|
||||
struct policy_file pf, outpf;
|
||||
sidtab_t sidtab;
|
||||
int ch;
|
||||
FILE *fp;
|
||||
int permissive_value = 0, noaudit = 0;
|
||||
|
||||
struct option long_options[] = {
|
||||
{"attr", required_argument, NULL, 'a'},
|
||||
{"exists", no_argument, NULL, 'e'},
|
||||
{"source", required_argument, NULL, 's'},
|
||||
{"target", required_argument, NULL, 't'},
|
||||
{"class", required_argument, NULL, 'c'},
|
||||
{"perm", required_argument, NULL, 'p'},
|
||||
{"fcon", required_argument, NULL, 'f'},
|
||||
{"filetransition", required_argument, NULL, 'g'},
|
||||
{"noaudit", no_argument, NULL, 'n'},
|
||||
{"file", required_argument, NULL, 'P'},
|
||||
{"output", required_argument, NULL, 'o'},
|
||||
{"permissive", required_argument, NULL, 'Z'},
|
||||
{"not-permissive", required_argument, NULL, 'z'},
|
||||
{"not", no_argument, NULL, 0},
|
||||
{"live", no_argument, NULL, 0},
|
||||
{"magisk", no_argument, NULL, 0},
|
||||
{NULL, 0, NULL, 0}
|
||||
};
|
||||
|
||||
int option_index = -1;
|
||||
while ((ch = getopt_long(argc, argv, "a:c:ef:g:s:t:p:P:o:Z:z:n", long_options, &option_index)) != -1) {
|
||||
switch (ch) {
|
||||
case 0:
|
||||
if(strcmp(long_options[option_index].name, "not") == 0)
|
||||
not = 1;
|
||||
else if(strcmp(long_options[option_index].name, "live") == 0)
|
||||
live = 1;
|
||||
else if(strcmp(long_options[option_index].name, "magisk") == 0)
|
||||
magisk = 1;
|
||||
else
|
||||
usage(argv[0]);
|
||||
break;
|
||||
case 'a':
|
||||
attr = optarg;
|
||||
break;
|
||||
case 'e':
|
||||
exists = 1;
|
||||
break;
|
||||
case 'f':
|
||||
fcon = optarg;
|
||||
break;
|
||||
case 'g':
|
||||
filetrans = optarg;
|
||||
break;
|
||||
case 's':
|
||||
source = optarg;
|
||||
break;
|
||||
case 't':
|
||||
target = optarg;
|
||||
break;
|
||||
case 'c':
|
||||
class = optarg;
|
||||
break;
|
||||
case 'p':
|
||||
perm = optarg;
|
||||
break;
|
||||
case 'P':
|
||||
policy = optarg;
|
||||
break;
|
||||
case 'o':
|
||||
outfile = optarg;
|
||||
break;
|
||||
case 'Z':
|
||||
permissive = optarg;
|
||||
permissive_value = 1;
|
||||
break;
|
||||
case 'z':
|
||||
permissive = optarg;
|
||||
permissive_value = 0;
|
||||
break;
|
||||
case 'n':
|
||||
noaudit = 1;
|
||||
break;
|
||||
default:
|
||||
usage(argv[0]);
|
||||
}
|
||||
}
|
||||
|
||||
// Use builtin rules if nothing specified
|
||||
if (!magisk && !source && !target && !class && !perm && !permissive && !fcon && !attr &&!filetrans && !exists)
|
||||
builtin = 1;
|
||||
|
||||
// Overwrite original if not specified
|
||||
if(!outfile)
|
||||
outfile = policy;
|
||||
|
||||
// Use current policy if not specified
|
||||
if(!policy)
|
||||
policy = "/sys/fs/selinux/policy";
|
||||
|
||||
sepol_set_policydb(&policydb);
|
||||
sepol_set_sidtab(&sidtab);
|
||||
|
||||
if (load_policy(policy, &policydb, &pf)) {
|
||||
fprintf(stderr, "Could not load policy\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (policydb_load_isids(&policydb, &sidtab))
|
||||
return 1;
|
||||
|
||||
if (builtin) {
|
||||
phh_rules(&policydb);
|
||||
}
|
||||
else if (magisk) {
|
||||
magisk_rules(&policydb);
|
||||
}
|
||||
else if (permissive) {
|
||||
type_datum_t *type;
|
||||
create_domain(permissive, &policydb);
|
||||
type = hashtab_search(policydb.p_types.table, permissive);
|
||||
if (type == NULL) {
|
||||
fprintf(stderr, "type %s does not exist\n", permissive);
|
||||
return 1;
|
||||
}
|
||||
if (ebitmap_set_bit(&policydb.permissive_map, type->s.value, permissive_value)) {
|
||||
fprintf(stderr, "Could not set bit in permissive map\n");
|
||||
return 1;
|
||||
}
|
||||
} else if(exists) {
|
||||
if(source) {
|
||||
type_datum_t *tmp = hashtab_search(policydb.p_types.table, source);
|
||||
if (!tmp)
|
||||
exit(1);
|
||||
else
|
||||
exit(0);
|
||||
} else if(class) {
|
||||
class_datum_t *tmp = hashtab_search(policydb.p_classes.table, class);
|
||||
if(!tmp)
|
||||
exit(1);
|
||||
else
|
||||
exit(0);
|
||||
} else {
|
||||
usage(argv[0]);
|
||||
}
|
||||
} else if(filetrans) {
|
||||
if(add_file_transition(source, fcon, target, class, filetrans, &policydb))
|
||||
return 1;
|
||||
} else if(fcon) {
|
||||
if(add_transition(source, fcon, target, class, &policydb))
|
||||
return 1;
|
||||
} else if(attr) {
|
||||
if(add_type(source, attr, &policydb))
|
||||
return 1;
|
||||
} else if(noaudit) {
|
||||
if(add_rule(source, target, class, perm, AVTAB_AUDITDENY, not, &policydb))
|
||||
return 1;
|
||||
} else {
|
||||
//Add a rule to a whole set of typeattribute, not just a type
|
||||
if (target != NULL) {
|
||||
if(*target == '=') {
|
||||
char *saveptr = NULL;
|
||||
|
||||
char *targetAttribute = strtok_r(target, "-", &saveptr);
|
||||
|
||||
char *vals[64];
|
||||
int i = 0;
|
||||
|
||||
char *m = NULL;
|
||||
while( (m = strtok_r(NULL, "-", &saveptr)) != NULL) {
|
||||
vals[i++] = m;
|
||||
}
|
||||
vals[i] = NULL;
|
||||
|
||||
if(add_typerule(source, targetAttribute+1, vals, class, perm, AVTAB_ALLOWED, not, &policydb))
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
if (perm != NULL) {
|
||||
char *saveptr = NULL;
|
||||
|
||||
char *p = strtok_r(perm, ",", &saveptr);
|
||||
do {
|
||||
if (add_rule(source, target, class, p, AVTAB_ALLOWED, not, &policydb)) {
|
||||
fprintf(stderr, "Could not add rule\n");
|
||||
return 1;
|
||||
}
|
||||
} while( (p = strtok_r(NULL, ",", &saveptr)) != NULL);
|
||||
} else {
|
||||
if (add_rule(source, target, class, perm, AVTAB_ALLOWED, not, &policydb)) {
|
||||
fprintf(stderr, "Could not add rule\n");
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (live) {
|
||||
if (live_patch(&policydb)) {
|
||||
fprintf(stderr, "Could not load new policy into kernel\n");
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
if (outfile) {
|
||||
fp = fopen(outfile, "w");
|
||||
if (!fp) {
|
||||
fprintf(stderr, "Could not open outfile\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
policy_file_init(&outpf);
|
||||
outpf.type = PF_USE_STDIO;
|
||||
outpf.fp = fp;
|
||||
|
||||
if (policydb_write(&policydb, &outpf)) {
|
||||
fprintf(stderr, "Could not write policy\n");
|
||||
return 1;
|
||||
}
|
||||
fclose(fp);
|
||||
}
|
||||
|
||||
policydb_destroy(&policydb);
|
||||
return 0;
|
||||
}
|
48
utils.c
Normal file
48
utils.c
Normal file
@ -0,0 +1,48 @@
|
||||
#include "sepolicy-inject.h"
|
||||
|
||||
static void set_domain(char* s, int value) {
|
||||
type_datum_t *type;
|
||||
if (!exists(s))
|
||||
create_domain(s);
|
||||
type = hashtab_search(policy->p_types.table, s);
|
||||
if (type == NULL) {
|
||||
fprintf(stderr, "type %s does not exist\n", s);
|
||||
return;
|
||||
}
|
||||
if (ebitmap_set_bit(&policy->permissive_map, type->s.value, value)) {
|
||||
fprintf(stderr, "Could not set bit in permissive map\n");
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
void allow(char *s, char *t, char *c, char *p) {
|
||||
add_rule(s, t, c, p, AVTAB_ALLOWED, 0);
|
||||
}
|
||||
|
||||
void deny(char *s, char *t, char *c, char *p) {
|
||||
add_rule(s, t, c, p, AVTAB_ALLOWED, 1);
|
||||
}
|
||||
|
||||
void auditallow(char *s, char *t, char *c, char *p) {
|
||||
add_rule(s, t, c, p, AVTAB_AUDITALLOW, 0);
|
||||
}
|
||||
|
||||
void auditdeny(char *s, char *t, char *c, char *p) {
|
||||
add_rule(s, t, c, p, AVTAB_AUDITDENY, 0);
|
||||
}
|
||||
|
||||
void permissive(char *s) {
|
||||
set_domain(s, 1);
|
||||
}
|
||||
|
||||
void enforce(char *s) {
|
||||
set_domain(s, 0);
|
||||
}
|
||||
|
||||
void attradd(char *s, char *a) {
|
||||
add_type(s, a);
|
||||
}
|
||||
|
||||
int exists(char* source) {
|
||||
return !! hashtab_search(policy->p_types.table, source);
|
||||
}
|
Loading…
Reference in New Issue
Block a user