Project restructure

This commit is contained in:
topjohnwu 2017-02-01 00:51:45 +08:00
parent 7dea682713
commit 6900c197cd
6 changed files with 526 additions and 489 deletions

View File

@ -4,7 +4,7 @@ include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy-inject LOCAL_MODULE := sepolicy-inject
LOCAL_MODULE_TAGS := optional LOCAL_MODULE_TAGS := optional
LOCAL_STATIC_LIBRARIES := libsepol LOCAL_STATIC_LIBRARIES := libsepol
LOCAL_SRC_FILES := sepolicy-inject.c builtin_rules.c LOCAL_SRC_FILES := main.c sepolicy.c rules.c utils.c
LOCAL_C_INCLUDES := jni/selinux/libsepol/include/ LOCAL_C_INCLUDES := jni/selinux/libsepol/include/
LOCAL_CFLAGS += -std=gnu11 LOCAL_CFLAGS += -std=gnu11
include $(BUILD_EXECUTABLE) include $(BUILD_EXECUTABLE)

247
main.c Normal file
View File

@ -0,0 +1,247 @@
#include "sepolicy-inject.h"
static void usage(char *arg0) {
fprintf(stderr, "%s -s <source type> -t <target type> -c <class> -p <perm_list> -P <policy file>\n", arg0);
fprintf(stderr, "\tInject a rule\n\n");
fprintf(stderr, "%s -s <source type> -a <type_attribute> -P <policy file>\n", arg0);
fprintf(stderr, "\tAdd a type_attribute to a domain\n\n");
fprintf(stderr, "%s -Z <source type> -P <policy file>\n", arg0);
fprintf(stderr, "\tInject a permissive domain\n\n");
fprintf(stderr, "%s -z <source type> -P <policy file>\n", arg0);
fprintf(stderr, "\tInject a non-permissive domain\n\n");
fprintf(stderr, "%s -e -s <source type> -P <policy file>\n", arg0);
fprintf(stderr, "\tCheck if a SELinux type exists\n\n");
fprintf(stderr, "%s -e -c <class> -P <policy file>\n", arg0);
fprintf(stderr, "\tCheck if a SELinux class exists\n\n");
fprintf(stderr, "All options can add -o <output file> to output to another file\n");
exit(1);
}
int main(int argc, char **argv) {
char *infile = NULL, *source = NULL, *target = NULL, *class = NULL, *perm = NULL;
char *fcon = NULL, *outfile = NULL, *permissive = NULL, *attr = NULL, *filetrans = NULL;
int exists = 0, not = 0, live = 0, builtin = 0, magisk = 0;
policydb_t policydb;
struct policy_file pf, outpf;
sidtab_t sidtab;
int ch;
FILE *fp;
int permissive_value = 0, noaudit = 0;
struct option long_options[] = {
{"attr", required_argument, NULL, 'a'},
{"exists", no_argument, NULL, 'e'},
{"source", required_argument, NULL, 's'},
{"target", required_argument, NULL, 't'},
{"class", required_argument, NULL, 'c'},
{"perm", required_argument, NULL, 'p'},
{"fcon", required_argument, NULL, 'f'},
{"filetransition", required_argument, NULL, 'g'},
{"noaudit", no_argument, NULL, 'n'},
{"file", required_argument, NULL, 'P'},
{"output", required_argument, NULL, 'o'},
{"permissive", required_argument, NULL, 'Z'},
{"not-permissive", required_argument, NULL, 'z'},
{"not", no_argument, NULL, 0},
{"live", no_argument, NULL, 0},
{"magisk", no_argument, NULL, 0},
{NULL, 0, NULL, 0}
};
int option_index = -1;
while ((ch = getopt_long(argc, argv, "a:c:ef:g:s:t:p:P:o:Z:z:n", long_options, &option_index)) != -1) {
switch (ch) {
case 0:
if(strcmp(long_options[option_index].name, "not") == 0)
not = 1;
else if(strcmp(long_options[option_index].name, "live") == 0)
live = 1;
else if(strcmp(long_options[option_index].name, "magisk") == 0)
magisk = 1;
else
usage(argv[0]);
break;
case 'a':
attr = optarg;
break;
case 'e':
exists = 1;
break;
case 'f':
fcon = optarg;
break;
case 'g':
filetrans = optarg;
break;
case 's':
source = optarg;
break;
case 't':
target = optarg;
break;
case 'c':
class = optarg;
break;
case 'p':
perm = optarg;
break;
case 'P':
infile = optarg;
break;
case 'o':
outfile = optarg;
break;
case 'Z':
permissive = optarg;
permissive_value = 1;
break;
case 'z':
permissive = optarg;
permissive_value = 0;
break;
case 'n':
noaudit = 1;
break;
default:
usage(argv[0]);
}
}
// Use builtin rules if nothing specified
if (!magisk && !source && !target && !class && !perm && !permissive && !fcon && !attr &&!filetrans && !exists)
builtin = 1;
// Overwrite original if not specified
if(!outfile)
outfile = infile;
// Use current policy if not specified
if(!infile)
infile = "/sys/fs/selinux/policy";
sepol_set_policydb(&policydb);
sepol_set_sidtab(&sidtab);
if (load_policy(infile, &policydb, &pf)) {
fprintf(stderr, "Could not load policy\n");
return 1;
}
if (policydb_load_isids(&policydb, &sidtab))
return 1;
policy = &policydb;
if (builtin) {
su_rules();
}
else if (magisk) {
magisk_rules();
}
else if (permissive) {
type_datum_t *type;
create_domain(permissive);
type = hashtab_search(policydb.p_types.table, permissive);
if (type == NULL) {
fprintf(stderr, "type %s does not exist\n", permissive);
return 1;
}
if (ebitmap_set_bit(&policydb.permissive_map, type->s.value, permissive_value)) {
fprintf(stderr, "Could not set bit in permissive map\n");
return 1;
}
} else if(exists) {
if(source) {
type_datum_t *tmp = hashtab_search(policydb.p_types.table, source);
if (!tmp)
exit(1);
else
exit(0);
} else if(class) {
class_datum_t *tmp = hashtab_search(policydb.p_classes.table, class);
if(!tmp)
exit(1);
else
exit(0);
} else {
usage(argv[0]);
}
} else if(filetrans) {
if(add_file_transition(source, fcon, target, class, filetrans))
return 1;
} else if(fcon) {
if(add_transition(source, fcon, target, class))
return 1;
} else if(attr) {
if(add_type(source, attr))
return 1;
} else if(noaudit) {
if(add_rule(source, target, class, perm, AVTAB_AUDITDENY, not))
return 1;
} else {
//Add a rule to a whole set of typeattribute, not just a type
if (target != NULL) {
if(*target == '=') {
char *saveptr = NULL;
char *targetAttribute = strtok_r(target, "-", &saveptr);
char *vals[64];
int i = 0;
char *m = NULL;
while( (m = strtok_r(NULL, "-", &saveptr)) != NULL) {
vals[i++] = m;
}
vals[i] = NULL;
if(add_typerule(source, targetAttribute+1, vals, class, perm, AVTAB_ALLOWED, not))
return 1;
}
}
if (perm != NULL) {
char *saveptr = NULL;
char *p = strtok_r(perm, ",", &saveptr);
do {
if (add_rule(source, target, class, p, AVTAB_ALLOWED, not)) {
fprintf(stderr, "Could not add rule\n");
return 1;
}
} while( (p = strtok_r(NULL, ",", &saveptr)) != NULL);
} else {
if (add_rule(source, target, class, perm, AVTAB_ALLOWED, not)) {
fprintf(stderr, "Could not add rule\n");
return 1;
}
}
}
if (live) {
if (live_patch()) {
fprintf(stderr, "Could not load new policy into kernel\n");
return 1;
}
}
if (outfile) {
fp = fopen(outfile, "w");
if (!fp) {
fprintf(stderr, "Could not open outfile\n");
return 1;
}
policy_file_init(&outpf);
outpf.type = PF_USE_STDIO;
outpf.fp = fp;
if (policydb_write(&policydb, &outpf)) {
fprintf(stderr, "Could not write policy\n");
return 1;
}
fclose(fp);
}
policydb_destroy(&policydb);
return 0;
}

View File

@ -1,44 +1,4 @@
#include <stdio.h> #include "sepolicy-inject.h"
#include <sepol/policydb/policydb.h>
#define ALL NULL
extern int add_rule(char *s, char *t, char *c, char *p, int effect, int not, policydb_t *policy);
extern void create_domain(char *d, policydb_t *policy);
extern int add_transition(char *srcS, char *origS, char *tgtS, char *c, policydb_t *policy);
extern int add_type(char *domainS, char *typeS, policydb_t *policy);
policydb_t *policy;
void allow(char *s, char *t, char *c, char *p) {
add_rule(s, t, c, p, AVTAB_ALLOWED, 0, policy);
}
void noaudit(char *s, char *t, char *c, char *p) {
add_rule(s, t, c, p, AVTAB_AUDITDENY, 0, policy);
}
void deny(char *s, char *t, char *c, char *p) {
add_rule(s, t, c, p, AVTAB_ALLOWED, 1, policy);
}
void setPermissive(char* permissive, int permissive_value) {
type_datum_t *type;
create_domain(permissive, policy);
type = hashtab_search(policy->p_types.table, permissive);
if (type == NULL) {
fprintf(stderr, "type %s does not exist\n", permissive);
return;
}
if (ebitmap_set_bit(&policy->permissive_map, type->s.value, permissive_value)) {
fprintf(stderr, "Could not set bit in permissive map\n");
return;
}
}
int exists(char* source) {
return (int) hashtab_search(policy->p_types.table, source);
}
void samsung() { void samsung() {
deny("init", "kernel", "security", "load_policy"); deny("init", "kernel", "security", "load_policy");
@ -222,6 +182,12 @@ void suDaemonRights() {
allow("su_daemon", "proc", "file", "open"); allow("su_daemon", "proc", "file", "open");
allow("su_daemon", "su_daemon", "process", "setcurrent"); allow("su_daemon", "su_daemon", "process", "setcurrent");
allow("su_daemon", "system_file", "file", "execute_no_trans"); allow("su_daemon", "system_file", "file", "execute_no_trans");
// Allow to adb shell su
allow("su_daemon", "adbd", "fd", "use");
allow("su_daemon", "adbd", "unix_stream_socket", "read");
allow("su_daemon", "adbd", "unix_stream_socket", "write");
allow("su_daemon", "adbd", "unix_stream_socket", "ioctl");
} }
void suBind() { void suBind() {
@ -274,36 +240,34 @@ void otherToSU() {
allow(ALL, "su", "process", "sigchld"); allow(ALL, "su", "process", "sigchld");
// uNetworkL0 // uNetworkL0
add_type("su", "netdomain", policy); add_type("su", "netdomain");
add_type("su", "bluetoothdomain", policy); add_type("su", "bluetoothdomain");
// suBackL6 // suBackL6
allow("surfaceflinger", "app_data_file", "dir", ALL); allow("surfaceflinger", "app_data_file", "dir", ALL);
allow("surfaceflinger", "app_data_file", "file", ALL); allow("surfaceflinger", "app_data_file", "file", ALL);
allow("surfaceflinger", "app_data_file", "lnk_file", ALL); allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
add_type("surfaceflinger", "mlstrustedsubject", policy); add_type("surfaceflinger", "mlstrustedsubject");
// suMiscL6 // suMiscL6
if (exists("audioserver")) if (exists("audioserver"))
allow("audioserver", "audioserver", "process", "execmem"); allow("audioserver", "audioserver", "process", "execmem");
} }
void phh_rules(policydb_t *policydb) { void su_rules() {
policy = policydb;
// Samsung specific // Samsung specific
// Prevent system from loading policy // Prevent system from loading policy
if(exists("knox_system_app")) if(exists("knox_system_app"))
samsung(); samsung();
// Create domains if they don't exist // Create domains if they don't exist
setPermissive("su", 1); permissive("su");
setPermissive("su_device", 0); enforce("su_device");
setPermissive("su_daemon", 0); enforce("su_daemon");
// Autotransition su's socket to su_device // Autotransition su's socket to su_device
add_transition("su_daemon", "device", "su_device", "file", policy); add_transition("su_daemon", "device", "su_device", "file");
add_transition("su_daemon", "device", "su_device", "dir", policy); add_transition("su_daemon", "device", "su_device", "dir");
allow("su_device", "tmpfs", "filesystem", "associate"); allow("su_device", "tmpfs", "filesystem", "associate");
// Transition from untrusted_app to su_client // Transition from untrusted_app to su_client
@ -329,22 +293,21 @@ void phh_rules(policydb_t *policydb) {
otherToSU(); otherToSU();
// Need to set su_device/su as trusted to be accessible from other categories // Need to set su_device/su as trusted to be accessible from other categories
add_type("su_device", "mlstrustedobject", policy); attradd("su_device", "mlstrustedobject");
add_type("su_daemon", "mlstrustedsubject", policy); attradd("su_daemon", "mlstrustedsubject");
add_type("su", "mlstrustedsubject", policy); attradd("su", "mlstrustedsubject");
// Allow chcon to rootfs // Allow chcon to anything
allow("rootfs", "labeledfs", "filesystem", "associate"); allow(ALL, "labeledfs", "filesystem", "associate");
} }
// Minimal to run Magisk script before live patching // Minimal to run Magisk script before live patching
void magisk_rules(policydb_t *policydb) { void magisk_rules() {
policy = policydb;
setPermissive("su", 1); permissive("su");
setPermissive("init", 1); permissive("init");
add_type("su", "mlstrustedsubject", policy); attradd("su", "mlstrustedsubject");
allow("kernel", "su", "fd", "use"); allow("kernel", "su", "fd", "use");
allow("init", "su", "process", ALL); allow("init", "su", "process", ALL);
@ -427,4 +390,4 @@ void magisk_rules(policydb_t *policydb) {
allow("init", "su", "fd", "use"); allow("init", "su", "fd", "use");
allow("init", "kernel", "security", "read_policy"); allow("init", "kernel", "security", "read_policy");
allow("init", "kernel", "security", "load_policy"); allow("init", "kernel", "security", "load_policy");
} }

50
sepolicy-inject.h Normal file
View File

@ -0,0 +1,50 @@
#ifndef SEPOLICY_INJECT_H
#define SEPOLICY_INJECT_H
#define ALL NULL
#include <getopt.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <sepol/debug.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/expand.h>
#include <sepol/policydb/link.h>
#include <sepol/policydb/services.h>
#include <sepol/policydb/avrule_block.h>
#include <sepol/policydb/conditional.h>
#include <sepol/policydb/constraint.h>
// Global policydb
policydb_t *policy;
// sepolicy manipulation functions
int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf);
void create_domain(char *d);
int add_file_transition(char *srcS, char *origS, char *tgtS, char *c, char* filename);
int add_transition(char *srcS, char *origS, char *tgtS, char *c);
int add_type(char *domainS, char *typeS);
int add_rule(char *s, char *t, char *c, char *p, int effect, int not);
int add_typerule(char *s, char *targetAttribute, char **minusses, char *c, char *p, int effect, int not);
int live_patch();
// Handy functions
void allow(char *s, char *t, char *c, char *p);
void deny(char *s, char *t, char *c, char *p);
void auditallow(char *s, char *t, char *c, char *p);
void auditdeny(char *s, char *t, char *c, char *p);
void permissive(char *s);
void enforce(char *s);
void attradd(char *s, char *a);
int exists(char *source);
// Built in rules
void su_rules();
void magisk_rules();
#endif

View File

@ -1,49 +1,6 @@
/* #include "sepolicy-inject.h"
* This was derived from public domain works with updates to
* work with more modern SELinux libraries.
*
* It is released into the public domain.
*
*/
#include <getopt.h> static void *cmalloc(size_t s) {
#include <unistd.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <sepol/debug.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/expand.h>
#include <sepol/policydb/link.h>
#include <sepol/policydb/services.h>
#include <sepol/policydb/avrule_block.h>
#include <sepol/policydb/conditional.h>
#include <sepol/policydb/constraint.h>
extern void phh_rules(policydb_t *policydb);
extern void magisk_rules(policydb_t *policydb);
void usage(char *arg0) {
fprintf(stderr, "%s -s <source type> -t <target type> -c <class> -p <perm_list> -P <policy file>\n", arg0);
fprintf(stderr, "\tInject a rule\n\n");
fprintf(stderr, "%s -s <source type> -a <type_attribute> -P <policy file>\n", arg0);
fprintf(stderr, "\tAdd a type_attribute to a domain\n\n");
fprintf(stderr, "%s -Z <source type> -P <policy file>\n", arg0);
fprintf(stderr, "\tInject a permissive domain\n\n");
fprintf(stderr, "%s -z <source type> -P <policy file>\n", arg0);
fprintf(stderr, "\tInject a non-permissive domain\n\n");
fprintf(stderr, "%s -e -s <source type> -P <policy file>\n", arg0);
fprintf(stderr, "\tCheck if a SELinux type exists\n\n");
fprintf(stderr, "%s -e -c <class> -P <policy file>\n", arg0);
fprintf(stderr, "\tCheck if a SELinux class exists\n\n");
fprintf(stderr, "All options can add -o <output file> to output to another file\n");
exit(1);
}
void *cmalloc(size_t s) {
void *t = malloc(s); void *t = malloc(s);
if (t == NULL) { if (t == NULL) {
fprintf(stderr, "Out of memory\n"); fprintf(stderr, "Out of memory\n");
@ -52,7 +9,7 @@ void *cmalloc(size_t s) {
return t; return t;
} }
int get_attr(char *type, int value, policydb_t *policy) { static int get_attr(char *type, int value) {
type_datum_t *attr = hashtab_search(policy->p_types.table, type); type_datum_t *attr = hashtab_search(policy->p_types.table, type);
if (!attr) if (!attr)
exit(1); exit(1);
@ -64,7 +21,7 @@ int get_attr(char *type, int value, policydb_t *policy) {
//return !! ebitmap_get_bit(&policy->type_attr_map[value-1], attr->s.value-1); //return !! ebitmap_get_bit(&policy->type_attr_map[value-1], attr->s.value-1);
} }
int get_attr_id(char *type, policydb_t *policy) { static int get_attr_id(char *type) {
type_datum_t *attr = hashtab_search(policy->p_types.table, type); type_datum_t *attr = hashtab_search(policy->p_types.table, type);
if (!attr) if (!attr)
exit(1); exit(1);
@ -75,7 +32,7 @@ int get_attr_id(char *type, policydb_t *policy) {
return attr->s.value; return attr->s.value;
} }
int set_attr(char *type, int value, policydb_t *policy) { static int set_attr(char *type, int value) {
type_datum_t *attr = hashtab_search(policy->p_types.table, type); type_datum_t *attr = hashtab_search(policy->p_types.table, type);
if (!attr) if (!attr)
exit(1); exit(1);
@ -91,7 +48,143 @@ int set_attr(char *type, int value, policydb_t *policy) {
return 0; return 0;
} }
void create_domain(char *d, policydb_t *policy) { static int add_irule(int s, int t, int c, int p, int effect, int not) {
avtab_datum_t *av;
avtab_key_t key;
key.source_type = s;
key.target_type = t;
key.target_class = c;
key.specified = effect;
av = avtab_search(&policy->te_avtab, &key);
if (av == NULL) {
av = cmalloc(sizeof(*av));
av->data |= 1U << (p - 1);
int ret = avtab_insert(&policy->te_avtab, &key, av);
if (ret) {
fprintf(stderr, "Error inserting into avtab\n");
return 1;
}
}
if(not)
av->data &= ~(1U << (p - 1));
else
av->data |= 1U << (p - 1);
return 0;
}
static int add_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, perm_datum_t *perm, int effect, int not) {
hashtab_t type_table, class_table, perm_table;
hashtab_ptr_t cur;
type_table = policy->p_types.table;
class_table = policy->p_classes.table;
if (src == NULL) {
for (int i = 0; i < type_table->size; ++i) {
cur = type_table->htable[i];
while (cur != NULL) {
src = cur->datum;
if(add_rule_auto(src, tgt, cls, perm, effect, not))
return 1;
cur = cur->next;
}
}
} else if (tgt == NULL) {
for (int i = 0; i < type_table->size; ++i) {
cur = type_table->htable[i];
while (cur != NULL) {
tgt = cur->datum;
if(add_rule_auto(src, tgt, cls, perm, effect, not))
return 1;
cur = cur->next;
}
}
} else if (cls == NULL) {
for (int i = 0; i < class_table->size; ++i) {
cur = class_table->htable[i];
while (cur != NULL) {
cls = cur->datum;
if(add_rule_auto(src, tgt, cls, perm, effect, not))
return 1;
cur = cur->next;
}
}
} else if (perm == NULL) {
perm_table = cls->permissions.table;
for (int i = 0; i < perm_table->size; ++i) {
cur = perm_table->htable[i];
while (cur != NULL) {
perm = cur->datum;
if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not))
return 1;
cur = cur->next;
}
}
if (cls->comdatum != NULL) {
perm_table = cls->comdatum->permissions.table;
for (int i = 0; i < perm_table->size; ++i) {
cur = perm_table->htable[i];
while (cur != NULL) {
perm = cur->datum;
if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not))
return 1;
cur = cur->next;
}
}
}
} else {
return add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not);
}
return 0;
}
int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf) {
int fd;
struct stat sb;
void *map;
int ret;
fd = open(filename, O_RDONLY);
if (fd < 0) {
fprintf(stderr, "Can't open '%s': %s\n",
filename, strerror(errno));
return 1;
}
if (fstat(fd, &sb) < 0) {
fprintf(stderr, "Can't stat '%s': %s\n",
filename, strerror(errno));
return 1;
}
map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE,
fd, 0);
if (map == MAP_FAILED) {
fprintf(stderr, "Can't mmap '%s': %s\n",
filename, strerror(errno));
return 1;
}
policy_file_init(pf);
pf->type = PF_USE_MEMORY;
pf->data = map;
pf->len = sb.st_size;
if (policydb_init(policydb)) {
fprintf(stderr, "policydb_init: Out of memory!\n");
return 1;
}
ret = policydb_read(policydb, pf, 1);
if (ret) {
fprintf(stderr, "error(s) encountered while parsing configuration\n");
return 1;
}
return 0;
}
void create_domain(char *d) {
symtab_datum_t *src = hashtab_search(policy->p_types.table, d); symtab_datum_t *src = hashtab_search(policy->p_types.table, d);
if(src) if(src)
return; return;
@ -139,37 +232,10 @@ void create_domain(char *d, policydb_t *policy) {
if(policydb_index_others(NULL, policy, 1)) if(policydb_index_others(NULL, policy, 1))
exit(1); exit(1);
set_attr("domain", value, policy); set_attr("domain", value);
} }
int add_irule(int s, int t, int c, int p, int effect, int not, policydb_t* policy) { int add_typerule(char *s, char *targetAttribute, char **minusses, char *c, char *p, int effect, int not) {
avtab_datum_t *av;
avtab_key_t key;
key.source_type = s;
key.target_type = t;
key.target_class = c;
key.specified = effect;
av = avtab_search(&policy->te_avtab, &key);
if (av == NULL) {
av = cmalloc(sizeof(*av));
av->data |= 1U << (p - 1);
int ret = avtab_insert(&policy->te_avtab, &key, av);
if (ret) {
fprintf(stderr, "Error inserting into avtab\n");
return 1;
}
}
if(not)
av->data &= ~(1U << (p - 1));
else
av->data |= 1U << (p - 1);
return 0;
}
int add_typerule(char *s, char *targetAttribute, char **minusses, char *c, char *p, int effect, int not, policydb_t *policy) {
type_datum_t *src, *tgt; type_datum_t *src, *tgt;
class_datum_t *cls; class_datum_t *cls;
perm_datum_t *perm; perm_datum_t *perm;
@ -235,13 +301,13 @@ int add_typerule(char *s, char *targetAttribute, char **minusses, char *c, char
} }
if(!found) if(!found)
ret |= add_irule(src->s.value, i+1, cls->s.value, perm->s.value, effect, not, policy); ret |= add_irule(src->s.value, i+1, cls->s.value, perm->s.value, effect, not);
} }
} }
return ret; return ret;
} }
int add_transition(char *srcS, char *origS, char *tgtS, char *c, policydb_t *policy) { int add_transition(char *srcS, char *origS, char *tgtS, char *c) {
type_datum_t *src, *tgt, *orig; type_datum_t *src, *tgt, *orig;
class_datum_t *cls; class_datum_t *cls;
@ -291,7 +357,7 @@ int add_transition(char *srcS, char *origS, char *tgtS, char *c, policydb_t *pol
return 0; return 0;
} }
int add_file_transition(char *srcS, char *origS, char *tgtS, char *c, char* filename, policydb_t *policy) { int add_file_transition(char *srcS, char *origS, char *tgtS, char *c, char* filename) {
type_datum_t *src, *tgt, *orig; type_datum_t *src, *tgt, *orig;
class_datum_t *cls; class_datum_t *cls;
@ -329,7 +395,7 @@ int add_file_transition(char *srcS, char *origS, char *tgtS, char *c, char* file
return 0; return 0;
} }
int add_type(char *domainS, char *typeS, policydb_t *policy) { int add_type(char *domainS, char *typeS) {
type_datum_t *domain; type_datum_t *domain;
domain = hashtab_search(policy->p_types.table, domainS); domain = hashtab_search(policy->p_types.table, domainS);
@ -338,9 +404,9 @@ int add_type(char *domainS, char *typeS, policydb_t *policy) {
return 1; return 1;
} }
set_attr(typeS, domain->s.value, policy); set_attr(typeS, domain->s.value);
int typeId = get_attr_id(typeS, policy); int typeId = get_attr_id(typeS);
//Now let's update all constraints! //Now let's update all constraints!
//(kernel doesn't support (yet?) type_names rules) //(kernel doesn't support (yet?) type_names rules)
for(int i=0; i<policy->p_classes.nprim; ++i) { for(int i=0; i<policy->p_classes.nprim; ++i) {
@ -358,116 +424,7 @@ int add_type(char *domainS, char *typeS, policydb_t *policy) {
return 0; return 0;
} }
int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf) { int add_rule(char *s, char *t, char *c, char *p, int effect, int not) {
int fd;
struct stat sb;
void *map;
int ret;
fd = open(filename, O_RDONLY);
if (fd < 0) {
fprintf(stderr, "Can't open '%s': %s\n",
filename, strerror(errno));
return 1;
}
if (fstat(fd, &sb) < 0) {
fprintf(stderr, "Can't stat '%s': %s\n",
filename, strerror(errno));
return 1;
}
map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE,
fd, 0);
if (map == MAP_FAILED) {
fprintf(stderr, "Can't mmap '%s': %s\n",
filename, strerror(errno));
return 1;
}
policy_file_init(pf);
pf->type = PF_USE_MEMORY;
pf->data = map;
pf->len = sb.st_size;
if (policydb_init(policydb)) {
fprintf(stderr, "policydb_init: Out of memory!\n");
return 1;
}
ret = policydb_read(policydb, pf, 1);
if (ret) {
fprintf(stderr, "error(s) encountered while parsing configuration\n");
return 1;
}
return 0;
}
int add_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, perm_datum_t *perm, int effect, int not, policydb_t *policy) {
hashtab_t type_table, class_table, perm_table;
hashtab_ptr_t cur;
type_table = policy->p_types.table;
class_table = policy->p_classes.table;
if (src == NULL) {
for (int i = 0; i < type_table->size; ++i) {
cur = type_table->htable[i];
while (cur != NULL) {
src = cur->datum;
if(add_rule_auto(src, tgt, cls, perm, effect, not, policy))
return 1;
cur = cur->next;
}
}
} else if (tgt == NULL) {
for (int i = 0; i < type_table->size; ++i) {
cur = type_table->htable[i];
while (cur != NULL) {
tgt = cur->datum;
if(add_rule_auto(src, tgt, cls, perm, effect, not, policy))
return 1;
cur = cur->next;
}
}
} else if (cls == NULL) {
for (int i = 0; i < class_table->size; ++i) {
cur = class_table->htable[i];
while (cur != NULL) {
cls = cur->datum;
if(add_rule_auto(src, tgt, cls, perm, effect, not, policy))
return 1;
cur = cur->next;
}
}
} else if (perm == NULL) {
perm_table = cls->permissions.table;
for (int i = 0; i < perm_table->size; ++i) {
cur = perm_table->htable[i];
while (cur != NULL) {
perm = cur->datum;
if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not, policy))
return 1;
cur = cur->next;
}
}
if (cls->comdatum != NULL) {
perm_table = cls->comdatum->permissions.table;
for (int i = 0; i < perm_table->size; ++i) {
cur = perm_table->htable[i];
while (cur != NULL) {
perm = cur->datum;
if(add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not, policy))
return 1;
cur = cur->next;
}
}
}
} else {
return add_irule(src->s.value, tgt->s.value, cls->s.value, perm->s.value, effect, not, policy);
}
return 0;
}
int add_rule(char *s, char *t, char *c, char *p, int effect, int not, policydb_t *policy) {
type_datum_t *src = NULL, *tgt = NULL; type_datum_t *src = NULL, *tgt = NULL;
class_datum_t *cls = NULL; class_datum_t *cls = NULL;
perm_datum_t *perm = NULL; perm_datum_t *perm = NULL;
@ -513,16 +470,16 @@ int add_rule(char *s, char *t, char *c, char *p, int effect, int not, policydb_t
} }
} }
} }
return add_rule_auto(src, tgt, cls, perm, effect, not, policy); return add_rule_auto(src, tgt, cls, perm, effect, not);
} }
int live_patch(policydb_t *policydb) { int live_patch() {
char *filename = "/sys/fs/selinux/load"; char *filename = "/sys/fs/selinux/load";
int fd, ret; int fd, ret;
void *data = NULL; void *data = NULL;
size_t len; size_t len;
policydb_to_image(NULL, policydb, &data, &len); policydb_to_image(NULL, policy, &data, &len);
if (data == NULL) fprintf(stderr, "Error!"); if (data == NULL) fprintf(stderr, "Error!");
// based on libselinux security_load_policy() // based on libselinux security_load_policy()
@ -541,231 +498,3 @@ int live_patch(policydb_t *policydb) {
} }
return 0; return 0;
} }
int main(int argc, char **argv)
{
char *policy = NULL, *source = NULL, *target = NULL, *class = NULL, *perm = NULL;
char *fcon = NULL, *outfile = NULL, *permissive = NULL, *attr = NULL, *filetrans = NULL;
int exists = 0, not = 0, live = 0, builtin = 0, magisk = 0;
policydb_t policydb;
struct policy_file pf, outpf;
sidtab_t sidtab;
int ch;
FILE *fp;
int permissive_value = 0, noaudit = 0;
struct option long_options[] = {
{"attr", required_argument, NULL, 'a'},
{"exists", no_argument, NULL, 'e'},
{"source", required_argument, NULL, 's'},
{"target", required_argument, NULL, 't'},
{"class", required_argument, NULL, 'c'},
{"perm", required_argument, NULL, 'p'},
{"fcon", required_argument, NULL, 'f'},
{"filetransition", required_argument, NULL, 'g'},
{"noaudit", no_argument, NULL, 'n'},
{"file", required_argument, NULL, 'P'},
{"output", required_argument, NULL, 'o'},
{"permissive", required_argument, NULL, 'Z'},
{"not-permissive", required_argument, NULL, 'z'},
{"not", no_argument, NULL, 0},
{"live", no_argument, NULL, 0},
{"magisk", no_argument, NULL, 0},
{NULL, 0, NULL, 0}
};
int option_index = -1;
while ((ch = getopt_long(argc, argv, "a:c:ef:g:s:t:p:P:o:Z:z:n", long_options, &option_index)) != -1) {
switch (ch) {
case 0:
if(strcmp(long_options[option_index].name, "not") == 0)
not = 1;
else if(strcmp(long_options[option_index].name, "live") == 0)
live = 1;
else if(strcmp(long_options[option_index].name, "magisk") == 0)
magisk = 1;
else
usage(argv[0]);
break;
case 'a':
attr = optarg;
break;
case 'e':
exists = 1;
break;
case 'f':
fcon = optarg;
break;
case 'g':
filetrans = optarg;
break;
case 's':
source = optarg;
break;
case 't':
target = optarg;
break;
case 'c':
class = optarg;
break;
case 'p':
perm = optarg;
break;
case 'P':
policy = optarg;
break;
case 'o':
outfile = optarg;
break;
case 'Z':
permissive = optarg;
permissive_value = 1;
break;
case 'z':
permissive = optarg;
permissive_value = 0;
break;
case 'n':
noaudit = 1;
break;
default:
usage(argv[0]);
}
}
// Use builtin rules if nothing specified
if (!magisk && !source && !target && !class && !perm && !permissive && !fcon && !attr &&!filetrans && !exists)
builtin = 1;
// Overwrite original if not specified
if(!outfile)
outfile = policy;
// Use current policy if not specified
if(!policy)
policy = "/sys/fs/selinux/policy";
sepol_set_policydb(&policydb);
sepol_set_sidtab(&sidtab);
if (load_policy(policy, &policydb, &pf)) {
fprintf(stderr, "Could not load policy\n");
return 1;
}
if (policydb_load_isids(&policydb, &sidtab))
return 1;
if (builtin) {
phh_rules(&policydb);
}
else if (magisk) {
magisk_rules(&policydb);
}
else if (permissive) {
type_datum_t *type;
create_domain(permissive, &policydb);
type = hashtab_search(policydb.p_types.table, permissive);
if (type == NULL) {
fprintf(stderr, "type %s does not exist\n", permissive);
return 1;
}
if (ebitmap_set_bit(&policydb.permissive_map, type->s.value, permissive_value)) {
fprintf(stderr, "Could not set bit in permissive map\n");
return 1;
}
} else if(exists) {
if(source) {
type_datum_t *tmp = hashtab_search(policydb.p_types.table, source);
if (!tmp)
exit(1);
else
exit(0);
} else if(class) {
class_datum_t *tmp = hashtab_search(policydb.p_classes.table, class);
if(!tmp)
exit(1);
else
exit(0);
} else {
usage(argv[0]);
}
} else if(filetrans) {
if(add_file_transition(source, fcon, target, class, filetrans, &policydb))
return 1;
} else if(fcon) {
if(add_transition(source, fcon, target, class, &policydb))
return 1;
} else if(attr) {
if(add_type(source, attr, &policydb))
return 1;
} else if(noaudit) {
if(add_rule(source, target, class, perm, AVTAB_AUDITDENY, not, &policydb))
return 1;
} else {
//Add a rule to a whole set of typeattribute, not just a type
if (target != NULL) {
if(*target == '=') {
char *saveptr = NULL;
char *targetAttribute = strtok_r(target, "-", &saveptr);
char *vals[64];
int i = 0;
char *m = NULL;
while( (m = strtok_r(NULL, "-", &saveptr)) != NULL) {
vals[i++] = m;
}
vals[i] = NULL;
if(add_typerule(source, targetAttribute+1, vals, class, perm, AVTAB_ALLOWED, not, &policydb))
return 1;
}
}
if (perm != NULL) {
char *saveptr = NULL;
char *p = strtok_r(perm, ",", &saveptr);
do {
if (add_rule(source, target, class, p, AVTAB_ALLOWED, not, &policydb)) {
fprintf(stderr, "Could not add rule\n");
return 1;
}
} while( (p = strtok_r(NULL, ",", &saveptr)) != NULL);
} else {
if (add_rule(source, target, class, perm, AVTAB_ALLOWED, not, &policydb)) {
fprintf(stderr, "Could not add rule\n");
return 1;
}
}
}
if (live) {
if (live_patch(&policydb)) {
fprintf(stderr, "Could not load new policy into kernel\n");
return 1;
}
}
if (outfile) {
fp = fopen(outfile, "w");
if (!fp) {
fprintf(stderr, "Could not open outfile\n");
return 1;
}
policy_file_init(&outpf);
outpf.type = PF_USE_STDIO;
outpf.fp = fp;
if (policydb_write(&policydb, &outpf)) {
fprintf(stderr, "Could not write policy\n");
return 1;
}
fclose(fp);
}
policydb_destroy(&policydb);
return 0;
}

48
utils.c Normal file
View File

@ -0,0 +1,48 @@
#include "sepolicy-inject.h"
static void set_domain(char* s, int value) {
type_datum_t *type;
if (!exists(s))
create_domain(s);
type = hashtab_search(policy->p_types.table, s);
if (type == NULL) {
fprintf(stderr, "type %s does not exist\n", s);
return;
}
if (ebitmap_set_bit(&policy->permissive_map, type->s.value, value)) {
fprintf(stderr, "Could not set bit in permissive map\n");
return;
}
}
void allow(char *s, char *t, char *c, char *p) {
add_rule(s, t, c, p, AVTAB_ALLOWED, 0);
}
void deny(char *s, char *t, char *c, char *p) {
add_rule(s, t, c, p, AVTAB_ALLOWED, 1);
}
void auditallow(char *s, char *t, char *c, char *p) {
add_rule(s, t, c, p, AVTAB_AUDITALLOW, 0);
}
void auditdeny(char *s, char *t, char *c, char *p) {
add_rule(s, t, c, p, AVTAB_AUDITDENY, 0);
}
void permissive(char *s) {
set_domain(s, 1);
}
void enforce(char *s) {
set_domain(s, 0);
}
void attradd(char *s, char *a) {
add_type(s, a);
}
int exists(char* source) {
return !! hashtab_search(policy->p_types.table, source);
}