Integrate with unified daemon
This commit is contained in:
parent
838b2757eb
commit
a65c7ee2fc
17
api.c
17
api.c
@ -2,44 +2,55 @@
|
||||
#include "sepolicy.h"
|
||||
|
||||
int sepol_allow(char *s, char *t, char *c, char *p) {
|
||||
// printf("allow %s %s %s %s\n", s, t, c, p);
|
||||
return add_rule(s, t, c, p, AVTAB_ALLOWED, 0);
|
||||
}
|
||||
|
||||
int sepol_deny(char *s, char *t, char *c, char *p) {
|
||||
// printf("deny %s %s %s %s\n", s, t, c, p);
|
||||
return add_rule(s, t, c, p, AVTAB_ALLOWED, 1);
|
||||
}
|
||||
|
||||
int sepol_auditallow(char *s, char *t, char *c, char *p) {
|
||||
// printf("auditallow %s %s %s %s\n", s, t, c, p);
|
||||
return add_rule(s, t, c, p, AVTAB_AUDITALLOW, 0);
|
||||
}
|
||||
|
||||
int sepol_auditdeny(char *s, char *t, char *c, char *p) {
|
||||
// printf("auditdeny %s %s %s %s\n", s, t, c, p);
|
||||
return add_rule(s, t, c, p, AVTAB_AUDITDENY, 0);
|
||||
}
|
||||
|
||||
int sepol_typetrans(char *s, char *t, char *c, char *d, char *o) {
|
||||
if (o == NULL)
|
||||
if (o == NULL) {
|
||||
// printf("add_trans %s %s %s %s\n", s, t, c ,d);
|
||||
return add_transition(s, t, c, d);
|
||||
else
|
||||
} else {
|
||||
// printf("add_file_trans %s %s %s %s %s\n", s, t, c ,d, o);
|
||||
return add_file_transition(s, t, c, d, o);
|
||||
}
|
||||
}
|
||||
|
||||
int sepol_permissive(char *s) {
|
||||
// printf("permissive %s\n", s);
|
||||
return set_domain_state(s, 1);
|
||||
}
|
||||
|
||||
int sepol_enforce(char *s) {
|
||||
// printf("enforce %s\n", s);
|
||||
return set_domain_state(s, 0);
|
||||
}
|
||||
|
||||
int sepol_create(char *s) {
|
||||
// printf("create %s\n", s);
|
||||
return create_domain(s);
|
||||
}
|
||||
|
||||
int sepol_attradd(char *s, char *a) {
|
||||
// printf("attradd %s %s\n", s, a);
|
||||
return add_typeattribute(s, a);
|
||||
}
|
||||
|
||||
int sepol_exists(char* source) {
|
||||
return !! hashtab_search(policy->p_types.table, source);
|
||||
return !! hashtab_search(policydb->p_types.table, source);
|
||||
}
|
||||
|
@ -53,10 +53,10 @@ static void usage(char *arg0) {
|
||||
"%s [--options...] [policystatements...]\n\n"
|
||||
"Options:\n"
|
||||
" --live: directly load patched policy to device\n"
|
||||
" --magisk: complete (very large!) patches for Magisk and MagiskSU\n"
|
||||
// " --magisk: complete (very large!) patches for Magisk and MagiskSU\n"
|
||||
" --minimal: minimal patches, used for boot image patches\n"
|
||||
" --load <infile>: load policies from <infile>\n"
|
||||
" (load from current policies if not specified)"
|
||||
" (load from current policies if not specified)\n"
|
||||
" --save <outfile>: save policies to <outfile>\n"
|
||||
, arg0);
|
||||
statements();
|
||||
@ -270,7 +270,7 @@ static void syntax_error_msg() {
|
||||
|
||||
int magiskpolicy_main(int argc, char *argv[]) {
|
||||
char *infile = NULL, *outfile = NULL, *tok, *saveptr;
|
||||
int live = 0, minimal = 0, full = 0;
|
||||
int live = 0, minimal = 0;
|
||||
struct vector rules;
|
||||
|
||||
vec_init(&rules);
|
||||
@ -280,8 +280,6 @@ int magiskpolicy_main(int argc, char *argv[]) {
|
||||
if (argv[i][0] == '-' && argv[i][1] == '-') {
|
||||
if (strcmp(argv[i], "--live") == 0)
|
||||
live = 1;
|
||||
else if (strcmp(argv[i], "--magisk") == 0)
|
||||
full = 1;
|
||||
else if (strcmp(argv[i], "--minimal") == 0)
|
||||
minimal = 1;
|
||||
else if (strcmp(argv[i], "--load") == 0) {
|
||||
@ -298,28 +296,17 @@ int magiskpolicy_main(int argc, char *argv[]) {
|
||||
vec_push_back(&rules, argv[i]);
|
||||
}
|
||||
|
||||
policydb_t policydb;
|
||||
sidtab_t sidtab;
|
||||
|
||||
policy = &policydb;
|
||||
|
||||
// Use current policy if not specified
|
||||
if(!infile)
|
||||
infile = "/sys/fs/selinux/policy";
|
||||
|
||||
sepol_set_policydb(&policydb);
|
||||
sepol_set_sidtab(&sidtab);
|
||||
|
||||
if (load_policy(infile)) {
|
||||
if (load_policydb(infile)) {
|
||||
fprintf(stderr, "Could not load policy\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (policydb_load_isids(&policydb, &sidtab))
|
||||
return 1;
|
||||
|
||||
if (full) sepol_full_rules();
|
||||
else if (minimal) sepol_min_rules();
|
||||
if (minimal)
|
||||
sepol_min_rules();
|
||||
|
||||
for (int i = 0; i < rules.size; ++i) {
|
||||
// Since strtok will modify the origin string, copy the policy for error messages
|
||||
@ -363,15 +350,15 @@ int magiskpolicy_main(int argc, char *argv[]) {
|
||||
vec_destroy(&rules);
|
||||
|
||||
if (live)
|
||||
if (dump_policy("/sys/fs/selinux/load"))
|
||||
if (dump_policydb("/sys/fs/selinux/load"))
|
||||
return 1;
|
||||
|
||||
if (outfile) {
|
||||
unlink(outfile);
|
||||
if (dump_policy(outfile))
|
||||
if (dump_policydb(outfile))
|
||||
return 1;
|
||||
}
|
||||
|
||||
policydb_destroy(&policydb);
|
||||
destroy_policydb();
|
||||
return 0;
|
||||
}
|
||||
|
@ -8,6 +8,11 @@
|
||||
|
||||
#define ALL NULL
|
||||
|
||||
// policydb functions
|
||||
int load_policydb(const char *filename);
|
||||
int dump_policydb(const char *filename);
|
||||
void destroy_policydb();
|
||||
|
||||
// Handy functions
|
||||
int sepol_allow(char *s, char *t, char *c, char *p);
|
||||
int sepol_deny(char *s, char *t, char *c, char *p);
|
||||
@ -21,7 +26,8 @@ int sepol_attradd(char *s, char *a);
|
||||
int sepol_exists(char *source);
|
||||
|
||||
// Built in rules
|
||||
void sepol_full_rules();
|
||||
void sepol_min_rules();
|
||||
void sepol_med_rules();
|
||||
void sepol_full_rules();
|
||||
|
||||
#endif
|
||||
|
123
rules.c
123
rules.c
@ -65,14 +65,16 @@ void samsung() {
|
||||
}
|
||||
|
||||
void allowSuClient(char *target) {
|
||||
sepol_allow(target, "rootfs", "file", "execute_no_trans");
|
||||
sepol_allow(target, "rootfs", "file", "execute");
|
||||
sepol_allow(target, "rootfs", "file", ALL);
|
||||
sepol_allow(target, "rootfs", "lnk_file", ALL);
|
||||
sepol_allow(target, "su", "unix_stream_socket", "connectto");
|
||||
sepol_allow(target, "su", "unix_stream_socket", "getopt");
|
||||
sepol_allow(target, "su_device", "dir", "search");
|
||||
sepol_allow(target, "su_device", "dir", "read");
|
||||
sepol_allow(target, "su_device", "sock_file", "read");
|
||||
sepol_allow(target, "su_device", "sock_file", "write");
|
||||
sepol_allow("su", target, "fd", "use");
|
||||
sepol_allow("su", target, "fifo_file", ALL);
|
||||
}
|
||||
|
||||
void suRights() {
|
||||
@ -83,6 +85,16 @@ void suRights() {
|
||||
sepol_allow("servicemanager", "su", "process", "getattr");
|
||||
sepol_allow("servicemanager", "su", "binder", "transfer");
|
||||
sepol_allow("system_server", "su", "binder", "call");
|
||||
|
||||
sepol_allow("su", "servicemanager", "dir", "search");
|
||||
sepol_allow("su", "servicemanager", "dir", "read");
|
||||
sepol_allow("su", "servicemanager", "file", "open");
|
||||
sepol_allow("su", "servicemanager", "file", "read");
|
||||
sepol_allow("su", "servicemanager", "process", "getattr");
|
||||
sepol_allow("su", "servicemanager", "binder", "transfer");
|
||||
sepol_allow("su", "servicemanager", "binder", "call");
|
||||
sepol_allow("su", "system_server", "binder", "transfer");
|
||||
sepol_allow("su", "system_server", "binder", "call");
|
||||
}
|
||||
|
||||
void otherToSU() {
|
||||
@ -129,61 +141,17 @@ void otherToSU() {
|
||||
sepol_allow("audioserver", "audioserver", "process", "execmem");
|
||||
}
|
||||
|
||||
void sepol_full_rules() {
|
||||
// Samsung specific
|
||||
// Prevent system from loading policy
|
||||
if(sepol_exists("knox_system_app"))
|
||||
samsung();
|
||||
|
||||
// Min rules first
|
||||
sepol_min_rules();
|
||||
|
||||
// Create domains if they don't exist
|
||||
if (!sepol_exists("su_device"))
|
||||
sepol_create("su_device");
|
||||
sepol_enforce("su_device");
|
||||
|
||||
// Patch su to everything
|
||||
sepol_allow("su", ALL, ALL, ALL);
|
||||
|
||||
// Autotransition su's socket to su_device
|
||||
sepol_typetrans("su", "device", "file", "su_device", NULL);
|
||||
sepol_typetrans("su", "device", "dir", "su_device", NULL);
|
||||
sepol_allow("su_device", "tmpfs", "filesystem", "associate");
|
||||
|
||||
// Transition from untrusted_app to su_client
|
||||
allowSuClient("shell");
|
||||
allowSuClient("untrusted_app");
|
||||
allowSuClient("system_app");
|
||||
allowSuClient("platform_app");
|
||||
if (sepol_exists("priv_app"))
|
||||
allowSuClient("priv_app");
|
||||
if (sepol_exists("ssd_tool"))
|
||||
allowSuClient("ssd_tool");
|
||||
|
||||
// Allow init to execute su daemon/transition
|
||||
sepol_allow("init", "su", "process", "transition");
|
||||
sepol_allow("init", "su", "process", "rlimitinh");
|
||||
sepol_allow("init", "su", "process", "siginh");
|
||||
sepol_allow("init", "su", "process", "noatsecure");
|
||||
suRights();
|
||||
otherToSU();
|
||||
|
||||
// Need to set su_device/su as trusted to be accessible from other categories
|
||||
sepol_attradd("su_device", "mlstrustedobject");
|
||||
sepol_attradd("su", "mlstrustedsubject");
|
||||
|
||||
}
|
||||
|
||||
// Minimal to run Magisk script before live patching
|
||||
// Minimal boot image patch, Samsung requires these patches
|
||||
void sepol_min_rules() {
|
||||
|
||||
if (!sepol_exists("su"))
|
||||
sepol_create("su");
|
||||
if (!sepol_exists("su_device"))
|
||||
sepol_create("su_device");
|
||||
sepol_permissive("su");
|
||||
sepol_permissive("init");
|
||||
|
||||
sepol_attradd("su", "mlstrustedsubject");
|
||||
sepol_attradd("su_device", "mlstrustedobject");
|
||||
|
||||
// Let init run stuffs in su context
|
||||
sepol_allow("kernel", "su", "fd", "use");
|
||||
@ -192,11 +160,27 @@ void sepol_min_rules() {
|
||||
sepol_allow("init", "system_file", "lnk_file", ALL);
|
||||
sepol_allow("init", "system_file", "file", ALL);
|
||||
|
||||
// Misc: basic shell scripts, prop management etc.
|
||||
// Samsung specific
|
||||
// Prevent system from loading policy
|
||||
if(sepol_exists("knox_system_app"))
|
||||
samsung();
|
||||
|
||||
// Shell, prop management, simple su rights
|
||||
sepol_allow("su", "property_socket", "sock_file", "write");
|
||||
if (sepol_exists("default_prop"))
|
||||
sepol_allow("su", "default_prop", "property_service", "set");
|
||||
sepol_allow("su", "init", "unix_stream_socket", "connectto");
|
||||
sepol_allow("su", "rootfs", "file", "entrypoint");
|
||||
sepol_allow("su", "devpts", "chr_file", ALL);
|
||||
sepol_allow("su", "untrusted_app_devpts", "chr_file", ALL);
|
||||
sepol_allow("su", "su_device", "dir", ALL);
|
||||
sepol_allow("su", "su_device", "sock_file", ALL);
|
||||
sepol_allow("su", "zygote_exec", "file", ALL);
|
||||
sepol_allow("su", "zygote_exec", "lnk_file", ALL);
|
||||
sepol_allow("su", "app_data_file", "dir", ALL);
|
||||
sepol_allow("su", "app_data_file", "file", ALL);
|
||||
sepol_allow("su", "toolbox_exec", "file", ALL);
|
||||
sepol_allow("su", "shell_exec", "file", ALL);
|
||||
sepol_allow("su", "su", "unix_dgram_socket", ALL);
|
||||
sepol_allow("su", "su", "unix_stream_socket", ALL);
|
||||
sepol_allow("su", "su", "process", ALL);
|
||||
@ -206,10 +190,10 @@ void sepol_min_rules() {
|
||||
sepol_allow("su", "su", "lnk_file", ALL);
|
||||
sepol_allow("su", "su", "dir", ALL);
|
||||
|
||||
// Allow su to do anything to files/dir/links
|
||||
sepol_allow("su", ALL, "file", ALL);
|
||||
sepol_allow("su", ALL, "dir", ALL);
|
||||
sepol_allow("su", ALL, "lnk_file", ALL);
|
||||
// Autotransition su socket to su_device
|
||||
sepol_typetrans("su", "device", "file", "su_device", NULL);
|
||||
sepol_typetrans("su", "device", "dir", "su_device", NULL);
|
||||
sepol_allow("su_device", "tmpfs", "filesystem", "associate");
|
||||
|
||||
// For sepolicy live patching
|
||||
sepol_allow("su", "kernel", "security", "read_policy");
|
||||
@ -226,5 +210,32 @@ void sepol_min_rules() {
|
||||
// Xposed
|
||||
sepol_allow("untrusted_app", "untrusted_app", "capability", "setgid");
|
||||
sepol_allow("system_server", "dex2oat_exec", "file", ALL);
|
||||
|
||||
}
|
||||
|
||||
void sepol_med_rules() {
|
||||
sepol_min_rules();
|
||||
|
||||
// Allow su to do anything to any files/dir/links
|
||||
sepol_allow("su", ALL, "file", ALL);
|
||||
sepol_allow("su", ALL, "dir", ALL);
|
||||
sepol_allow("su", ALL, "lnk_file", ALL);
|
||||
|
||||
// Allow these client to access su
|
||||
allowSuClient("shell");
|
||||
allowSuClient("untrusted_app");
|
||||
allowSuClient("system_app");
|
||||
allowSuClient("platform_app");
|
||||
if (sepol_exists("priv_app"))
|
||||
allowSuClient("priv_app");
|
||||
if (sepol_exists("ssd_tool"))
|
||||
allowSuClient("ssd_tool");
|
||||
|
||||
suRights();
|
||||
otherToSU();
|
||||
}
|
||||
|
||||
void sepol_full_rules() {
|
||||
// Patch su to everything
|
||||
sepol_allow("su", ALL, ALL, ALL);
|
||||
}
|
||||
|
||||
|
135
sepolicy.c
135
sepolicy.c
@ -1,6 +1,8 @@
|
||||
#include "magiskpolicy.h"
|
||||
#include "sepolicy.h"
|
||||
|
||||
policydb_t *policydb = NULL;
|
||||
|
||||
static void *cmalloc(size_t s) {
|
||||
void *t = malloc(s);
|
||||
if (t == NULL) {
|
||||
@ -11,19 +13,19 @@ static void *cmalloc(size_t s) {
|
||||
}
|
||||
|
||||
static int get_attr(char *type, int value) {
|
||||
type_datum_t *attr = hashtab_search(policy->p_types.table, type);
|
||||
type_datum_t *attr = hashtab_search(policydb->p_types.table, type);
|
||||
if (!attr)
|
||||
return 1;
|
||||
|
||||
if (attr->flavor != TYPE_ATTRIB)
|
||||
return 1;
|
||||
|
||||
return !! ebitmap_get_bit(&policy->attr_type_map[attr->s.value-1], value-1);
|
||||
//return !! ebitmap_get_bit(&policy->type_attr_map[value-1], attr->s.value-1);
|
||||
return !! ebitmap_get_bit(&policydb->attr_type_map[attr->s.value-1], value-1);
|
||||
//return !! ebitmap_get_bit(&policydb->type_attr_map[value-1], attr->s.value-1);
|
||||
}
|
||||
|
||||
static int get_attr_id(char *type) {
|
||||
type_datum_t *attr = hashtab_search(policy->p_types.table, type);
|
||||
type_datum_t *attr = hashtab_search(policydb->p_types.table, type);
|
||||
if (!attr)
|
||||
return 1;
|
||||
|
||||
@ -34,16 +36,16 @@ static int get_attr_id(char *type) {
|
||||
}
|
||||
|
||||
static int set_attr(char *type, int value) {
|
||||
type_datum_t *attr = hashtab_search(policy->p_types.table, type);
|
||||
type_datum_t *attr = hashtab_search(policydb->p_types.table, type);
|
||||
if (!attr)
|
||||
return 1;
|
||||
|
||||
if (attr->flavor != TYPE_ATTRIB)
|
||||
return 1;
|
||||
|
||||
if(ebitmap_set_bit(&policy->type_attr_map[value-1], attr->s.value-1, 1))
|
||||
if(ebitmap_set_bit(&policydb->type_attr_map[value-1], attr->s.value-1, 1))
|
||||
return 1;
|
||||
if(ebitmap_set_bit(&policy->attr_type_map[attr->s.value-1], value-1, 1))
|
||||
if(ebitmap_set_bit(&policydb->attr_type_map[attr->s.value-1], value-1, 1))
|
||||
return 1;
|
||||
|
||||
return 0;
|
||||
@ -57,13 +59,13 @@ static int add_irule(int s, int t, int c, int p, int effect, int not) {
|
||||
key.target_type = t;
|
||||
key.target_class = c;
|
||||
key.specified = effect;
|
||||
av = avtab_search(&policy->te_avtab, &key);
|
||||
av = avtab_search(&policydb->te_avtab, &key);
|
||||
|
||||
if (av == NULL) {
|
||||
av = cmalloc(sizeof(*av));
|
||||
memset(av, 0, sizeof(*av));
|
||||
av->data |= 1U << (p - 1);
|
||||
int ret = avtab_insert(&policy->te_avtab, &key, av);
|
||||
int ret = avtab_insert(&policydb->te_avtab, &key, av);
|
||||
if (ret) {
|
||||
fprintf(stderr, "Error inserting into avtab\n");
|
||||
return 1;
|
||||
@ -82,19 +84,19 @@ static int add_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum_t *cl
|
||||
int ret = 0;
|
||||
|
||||
if (src == NULL) {
|
||||
hashtab_for_each(policy->p_types.table, &cur) {
|
||||
hashtab_for_each(policydb->p_types.table, &cur) {
|
||||
src = cur->datum;
|
||||
if(add_rule_auto(src, tgt, cls, perm, effect, not))
|
||||
return 1;
|
||||
}
|
||||
} else if (tgt == NULL) {
|
||||
hashtab_for_each(policy->p_types.table, &cur) {
|
||||
hashtab_for_each(policydb->p_types.table, &cur) {
|
||||
tgt = cur->datum;
|
||||
if(add_rule_auto(src, tgt, cls, perm, effect, not))
|
||||
return 1;
|
||||
}
|
||||
} else if (cls == NULL) {
|
||||
hashtab_for_each(policy->p_classes.table, &cur) {
|
||||
hashtab_for_each(policydb->p_classes.table, &cur) {
|
||||
cls = cur->datum;
|
||||
if(add_rule_auto(src, tgt, cls, perm, effect, not))
|
||||
return 1;
|
||||
@ -118,18 +120,18 @@ static int add_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum_t *cl
|
||||
int i, j;
|
||||
if (src->flavor == TYPE_ATTRIB) {
|
||||
if (tgt->flavor == TYPE_ATTRIB) {
|
||||
ebitmap_for_each_bit(&policy->attr_type_map[src->s.value-1], s_node, i)
|
||||
ebitmap_for_each_bit(&policy->attr_type_map[tgt->s.value-1], t_node, j)
|
||||
ebitmap_for_each_bit(&policydb->attr_type_map[src->s.value-1], s_node, i)
|
||||
ebitmap_for_each_bit(&policydb->attr_type_map[tgt->s.value-1], t_node, j)
|
||||
if(ebitmap_node_get_bit(s_node, i) && ebitmap_node_get_bit(t_node, j))
|
||||
ret |= add_irule(i + 1, j + 1, cls->s.value, perm->s.value, effect, not);
|
||||
|
||||
} else {
|
||||
ebitmap_for_each_bit(&policy->attr_type_map[src->s.value-1], s_node, i)
|
||||
ebitmap_for_each_bit(&policydb->attr_type_map[src->s.value-1], s_node, i)
|
||||
if(ebitmap_node_get_bit(s_node, i))
|
||||
ret |= add_irule(i + 1, tgt->s.value, cls->s.value, perm->s.value, effect, not);
|
||||
}
|
||||
} else if (tgt->flavor == TYPE_ATTRIB) {
|
||||
ebitmap_for_each_bit(&policy->attr_type_map[tgt->s.value-1], t_node, j)
|
||||
ebitmap_for_each_bit(&policydb->attr_type_map[tgt->s.value-1], t_node, j)
|
||||
if(ebitmap_node_get_bit(t_node, j))
|
||||
ret |= add_irule(src->s.value, j + 1, cls->s.value, perm->s.value, effect, not);
|
||||
} else
|
||||
@ -138,13 +140,18 @@ static int add_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum_t *cl
|
||||
return ret;
|
||||
}
|
||||
|
||||
int load_policy(const char *filename) {
|
||||
int load_policydb(const char *filename) {
|
||||
int fd;
|
||||
struct stat sb;
|
||||
struct policy_file pf;
|
||||
void *map;
|
||||
int ret;
|
||||
|
||||
if (policydb)
|
||||
destroy_policydb();
|
||||
|
||||
policydb = cmalloc(sizeof(*policydb));
|
||||
|
||||
fd = open(filename, O_RDONLY);
|
||||
if (fd < 0) {
|
||||
fprintf(stderr, "Can't open '%s': %s\n",
|
||||
@ -168,26 +175,28 @@ int load_policy(const char *filename) {
|
||||
pf.type = PF_USE_MEMORY;
|
||||
pf.data = map;
|
||||
pf.len = sb.st_size;
|
||||
if (policydb_init(policy)) {
|
||||
if (policydb_init(policydb)) {
|
||||
fprintf(stderr, "policydb_init: Out of memory!\n");
|
||||
return 1;
|
||||
}
|
||||
ret = policydb_read(policy, &pf, 0);
|
||||
ret = policydb_read(policydb, &pf, 0);
|
||||
if (ret) {
|
||||
fprintf(stderr, "error(s) encountered while parsing configuration\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
close(fd);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int dump_policy(const char *filename) {
|
||||
int dump_policydb(const char *filename) {
|
||||
int fd, ret;
|
||||
void *data = NULL;
|
||||
size_t len;
|
||||
policydb_to_image(NULL, policy, &data, &len);
|
||||
policydb_to_image(NULL, policydb, &data, &len);
|
||||
if (data == NULL) {
|
||||
fprintf(stderr, "Fail to dump policydb image!");
|
||||
fprintf(stderr, "Fail to dump policy image!");
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -207,8 +216,14 @@ int dump_policy(const char *filename) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
void destroy_policydb() {
|
||||
policydb_destroy(policydb);
|
||||
free(policydb);
|
||||
policydb = NULL;
|
||||
}
|
||||
|
||||
int create_domain(char *d) {
|
||||
symtab_datum_t *src = hashtab_search(policy->p_types.table, d);
|
||||
symtab_datum_t *src = hashtab_search(policydb->p_types.table, d);
|
||||
if(src)
|
||||
return 1;
|
||||
|
||||
@ -218,40 +233,38 @@ int create_domain(char *d) {
|
||||
typdatum->flavor = TYPE_TYPE;
|
||||
|
||||
uint32_t value = 0;
|
||||
int r = symtab_insert(policy, SYM_TYPES, strdup(d), typdatum, SCOPE_DECL, 1, &value);
|
||||
int r = symtab_insert(policydb, SYM_TYPES, strdup(d), typdatum, SCOPE_DECL, 1, &value);
|
||||
typdatum->s.value = value;
|
||||
|
||||
if (ebitmap_set_bit(&policy->global->branch_list->declared.scope[SYM_TYPES], value - 1, 1)) {
|
||||
if (ebitmap_set_bit(&policydb->global->branch_list->declared.scope[SYM_TYPES], value - 1, 1)) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
policy->type_attr_map = realloc(policy->type_attr_map, sizeof(ebitmap_t)*policy->p_types.nprim);
|
||||
policy->attr_type_map = realloc(policy->attr_type_map, sizeof(ebitmap_t)*policy->p_types.nprim);
|
||||
ebitmap_init(&policy->type_attr_map[value-1]);
|
||||
ebitmap_init(&policy->attr_type_map[value-1]);
|
||||
ebitmap_set_bit(&policy->type_attr_map[value-1], value-1, 1);
|
||||
policydb->type_attr_map = realloc(policydb->type_attr_map, sizeof(ebitmap_t)*policydb->p_types.nprim);
|
||||
policydb->attr_type_map = realloc(policydb->attr_type_map, sizeof(ebitmap_t)*policydb->p_types.nprim);
|
||||
ebitmap_init(&policydb->type_attr_map[value-1]);
|
||||
ebitmap_init(&policydb->attr_type_map[value-1]);
|
||||
ebitmap_set_bit(&policydb->type_attr_map[value-1], value-1, 1);
|
||||
|
||||
//Add the domain to all roles
|
||||
for(unsigned i=0; i<policy->p_roles.nprim; ++i) {
|
||||
for(unsigned i=0; i<policydb->p_roles.nprim; ++i) {
|
||||
//Not sure all those three calls are needed
|
||||
ebitmap_set_bit(&policy->role_val_to_struct[i]->types.negset, value-1, 0);
|
||||
ebitmap_set_bit(&policy->role_val_to_struct[i]->types.types, value-1, 1);
|
||||
type_set_expand(&policy->role_val_to_struct[i]->types, &policy->role_val_to_struct[i]->cache, policy, 0);
|
||||
ebitmap_set_bit(&policydb->role_val_to_struct[i]->types.negset, value-1, 0);
|
||||
ebitmap_set_bit(&policydb->role_val_to_struct[i]->types.types, value-1, 1);
|
||||
type_set_expand(&policydb->role_val_to_struct[i]->types, &policydb->role_val_to_struct[i]->cache, policydb, 0);
|
||||
}
|
||||
|
||||
|
||||
src = hashtab_search(policy->p_types.table, d);
|
||||
src = hashtab_search(policydb->p_types.table, d);
|
||||
if(!src)
|
||||
return 1;
|
||||
|
||||
extern int policydb_index_decls(policydb_t * p);
|
||||
if(policydb_index_decls(policy))
|
||||
if(policydb_index_decls(NULL, policydb))
|
||||
return 1;
|
||||
|
||||
if(policydb_index_classes(policy))
|
||||
if(policydb_index_classes(policydb))
|
||||
return 1;
|
||||
|
||||
if(policydb_index_others(NULL, policy, 0))
|
||||
if(policydb_index_others(NULL, policydb, 0))
|
||||
return 1;
|
||||
|
||||
return set_attr("domain", value);
|
||||
@ -261,20 +274,20 @@ int set_domain_state(char* s, int state) {
|
||||
type_datum_t *type;
|
||||
hashtab_ptr_t cur;
|
||||
if (s == NULL) {
|
||||
hashtab_for_each(policy->p_types.table, &cur) {
|
||||
hashtab_for_each(policydb->p_types.table, &cur) {
|
||||
type = cur->datum;
|
||||
if (ebitmap_set_bit(&policy->permissive_map, type->s.value, state)) {
|
||||
if (ebitmap_set_bit(&policydb->permissive_map, type->s.value, state)) {
|
||||
fprintf(stderr, "Could not set bit in permissive map\n");
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
type = hashtab_search(policy->p_types.table, s);
|
||||
type = hashtab_search(policydb->p_types.table, s);
|
||||
if (type == NULL) {
|
||||
fprintf(stderr, "type %s does not exist\n", s);
|
||||
return 1;
|
||||
}
|
||||
if (ebitmap_set_bit(&policy->permissive_map, type->s.value, state)) {
|
||||
if (ebitmap_set_bit(&policydb->permissive_map, type->s.value, state)) {
|
||||
fprintf(stderr, "Could not set bit in permissive map\n");
|
||||
return 1;
|
||||
}
|
||||
@ -290,22 +303,22 @@ int add_transition(char *s, char *t, char *c, char *d) {
|
||||
avtab_datum_t *av;
|
||||
avtab_key_t key;
|
||||
|
||||
src = hashtab_search(policy->p_types.table, s);
|
||||
src = hashtab_search(policydb->p_types.table, s);
|
||||
if (src == NULL) {
|
||||
fprintf(stderr, "source type %s does not exist\n", s);
|
||||
return 1;
|
||||
}
|
||||
tgt = hashtab_search(policy->p_types.table, t);
|
||||
tgt = hashtab_search(policydb->p_types.table, t);
|
||||
if (tgt == NULL) {
|
||||
fprintf(stderr, "target type %s does not exist\n", t);
|
||||
return 1;
|
||||
}
|
||||
cls = hashtab_search(policy->p_classes.table, c);
|
||||
cls = hashtab_search(policydb->p_classes.table, c);
|
||||
if (cls == NULL) {
|
||||
fprintf(stderr, "class %s does not exist\n", c);
|
||||
return 1;
|
||||
}
|
||||
def = hashtab_search(policy->p_types.table, d);
|
||||
def = hashtab_search(policydb->p_types.table, d);
|
||||
if (def == NULL) {
|
||||
fprintf(stderr, "default type %s does not exist\n", d);
|
||||
return 1;
|
||||
@ -315,12 +328,12 @@ int add_transition(char *s, char *t, char *c, char *d) {
|
||||
key.target_type = tgt->s.value;
|
||||
key.target_class = cls->s.value;
|
||||
key.specified = AVTAB_TRANSITION;
|
||||
av = avtab_search(&policy->te_avtab, &key);
|
||||
av = avtab_search(&policydb->te_avtab, &key);
|
||||
|
||||
if (av == NULL) {
|
||||
av = cmalloc(sizeof(*av));
|
||||
av->data = def->s.value;
|
||||
int ret = avtab_insert(&policy->te_avtab, &key, av);
|
||||
int ret = avtab_insert(&policydb->te_avtab, &key, av);
|
||||
if (ret) {
|
||||
fprintf(stderr, "Error inserting into avtab\n");
|
||||
return 1;
|
||||
@ -337,22 +350,22 @@ int add_file_transition(char *s, char *t, char *c, char *d, char* filename) {
|
||||
type_datum_t *src, *tgt, *def;
|
||||
class_datum_t *cls;
|
||||
|
||||
src = hashtab_search(policy->p_types.table, s);
|
||||
src = hashtab_search(policydb->p_types.table, s);
|
||||
if (src == NULL) {
|
||||
fprintf(stderr, "source type %s does not exist\n", s);
|
||||
return 1;
|
||||
}
|
||||
tgt = hashtab_search(policy->p_types.table, t);
|
||||
tgt = hashtab_search(policydb->p_types.table, t);
|
||||
if (tgt == NULL) {
|
||||
fprintf(stderr, "target type %s does not exist\n", t);
|
||||
return 1;
|
||||
}
|
||||
cls = hashtab_search(policy->p_classes.table, c);
|
||||
cls = hashtab_search(policydb->p_classes.table, c);
|
||||
if (cls == NULL) {
|
||||
fprintf(stderr, "class %s does not exist\n", c);
|
||||
return 1;
|
||||
}
|
||||
def = hashtab_search(policy->p_types.table, d);
|
||||
def = hashtab_search(policydb->p_types.table, d);
|
||||
if (def == NULL) {
|
||||
fprintf(stderr, "default type %s does not exist\n", d);
|
||||
return 1;
|
||||
@ -367,7 +380,7 @@ int add_file_transition(char *s, char *t, char *c, char *d, char* filename) {
|
||||
filename_trans_datum_t *new_trans_datam = cmalloc(sizeof(*new_trans_datam));
|
||||
new_trans_datam->otype = def->s.value;
|
||||
|
||||
hashtab_insert(policy->filename_trans, (hashtab_key_t) new_trans_key, new_trans_datam);
|
||||
hashtab_insert(policydb->filename_trans, (hashtab_key_t) new_trans_key, new_trans_datam);
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -375,7 +388,7 @@ int add_file_transition(char *s, char *t, char *c, char *d, char* filename) {
|
||||
int add_typeattribute(char *domainS, char *attr) {
|
||||
type_datum_t *domain;
|
||||
|
||||
domain = hashtab_search(policy->p_types.table, domainS);
|
||||
domain = hashtab_search(policydb->p_types.table, domainS);
|
||||
if (domain == NULL) {
|
||||
fprintf(stderr, "source type %s does not exist\n", domainS);
|
||||
return 1;
|
||||
@ -386,8 +399,8 @@ int add_typeattribute(char *domainS, char *attr) {
|
||||
int typeId = get_attr_id(attr);
|
||||
//Now let's update all constraints!
|
||||
//(kernel doesn't support (yet?) type_names rules)
|
||||
for(int i=0; i<policy->p_classes.nprim; ++i) {
|
||||
class_datum_t *cl = policy->class_val_to_struct[i];
|
||||
for(int i=0; i<policydb->p_classes.nprim; ++i) {
|
||||
class_datum_t *cl = policydb->class_val_to_struct[i];
|
||||
for(constraint_node_t *n = cl->constraints; n ; n=n->next) {
|
||||
for(constraint_expr_t *e = n->expr; e; e=e->next) {
|
||||
if(e->expr_type == CEXPR_NAMES) {
|
||||
@ -407,7 +420,7 @@ int add_rule(char *s, char *t, char *c, char *p, int effect, int not) {
|
||||
perm_datum_t *perm = NULL;
|
||||
|
||||
if (s) {
|
||||
src = hashtab_search(policy->p_types.table, s);
|
||||
src = hashtab_search(policydb->p_types.table, s);
|
||||
if (src == NULL) {
|
||||
fprintf(stderr, "source type %s does not exist\n", s);
|
||||
return 1;
|
||||
@ -415,7 +428,7 @@ int add_rule(char *s, char *t, char *c, char *p, int effect, int not) {
|
||||
}
|
||||
|
||||
if (t) {
|
||||
tgt = hashtab_search(policy->p_types.table, t);
|
||||
tgt = hashtab_search(policydb->p_types.table, t);
|
||||
if (tgt == NULL) {
|
||||
fprintf(stderr, "target type %s does not exist\n", t);
|
||||
return 1;
|
||||
@ -423,7 +436,7 @@ int add_rule(char *s, char *t, char *c, char *p, int effect, int not) {
|
||||
}
|
||||
|
||||
if (c) {
|
||||
cls = hashtab_search(policy->p_classes.table, c);
|
||||
cls = hashtab_search(policydb->p_classes.table, c);
|
||||
if (cls == NULL) {
|
||||
fprintf(stderr, "class %s does not exist\n", c);
|
||||
return 1;
|
||||
|
@ -33,11 +33,9 @@
|
||||
for (*ptr = table->htable[_i]; *ptr != NULL; *ptr = (*ptr)->next)
|
||||
|
||||
// Global policydb
|
||||
policydb_t *policy;
|
||||
extern policydb_t *policydb;
|
||||
|
||||
// sepolicy manipulation functions
|
||||
int load_policy(const char *filename);
|
||||
int dump_policy(const char *filename);
|
||||
int create_domain(char *d);
|
||||
int set_domain_state(char* s, int state);
|
||||
int add_transition(char *s, char *t, char *c, char *d);
|
||||
@ -45,4 +43,6 @@ int add_file_transition(char *s, char *t, char *c, char *d, char* filename);
|
||||
int add_typeattribute(char *domainS, char *attr);
|
||||
int add_rule(char *s, char *t, char *c, char *p, int effect, int not);
|
||||
|
||||
extern int policydb_index_decls(sepol_handle_t * handle, policydb_t * p);
|
||||
|
||||
#endif
|
||||
|
Loading…
Reference in New Issue
Block a user