From 62ec721cb757fbfc10a5106692dd996845878c45 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Thu, 9 Apr 2015 10:45:29 -0400 Subject: dispol: Extend to display operations. Also drop expanding of rules; just display the rules in their original form. I think expansion was a relic of an older policy version where we did not preserve attributes in the kernel policy. In any event, it seems more useful to display the rules unmodified. Change-Id: I85095a35cfb48138cd9cf01cde6dd0330e342c61 Signed-off-by: Stephen Smalley --- test/dispol.c | 77 +++++++++++++++++++++++++++++------------------------------ 1 file changed, 38 insertions(+), 39 deletions(-) diff --git a/test/dispol.c b/test/dispol.c index 9d66358..7be9267 100644 --- a/test/dispol.c +++ b/test/dispol.c @@ -21,7 +21,6 @@ #include #include #include -#include #include #include #include @@ -55,6 +54,29 @@ int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p, return 0; } +#define operation_perm_test(x, p) (1 & (p[x >> 5] >> (x & 0x1f))) + +int render_operations(avtab_operations_t *ops, avtab_key_t * key, FILE * fp) +{ + uint16_t value; + unsigned int bit = 0; + + fprintf(fp, "{ "); + for (bit = 0; bit < sizeof(ops->perms)*8; bit++) { + if (!operation_perm_test(bit, ops->perms)) + continue; + if (key->specified & AVTAB_OPNUM) { + value = ops->type<<8 | bit; + fprintf(fp, "0x%hx ", value); + } else if (key->specified & AVTAB_OPTYPE) { + value = bit << 8; + fprintf(fp, "0x%hx-0x%hx ", value, value|0xff); + } + } + fprintf(fp, "}"); + return 0; +} + int render_type(uint32_t type, policydb_t * p, FILE * fp) { fprintf(fp, "%s", p->p_type_val_to_name[type - 1]); @@ -148,6 +170,16 @@ int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what, render_type(datum->data, p, fp); fprintf(fp, ";\n"); } + } else if (key->specified & AVTAB_OP) { + if (key->specified & (AVTAB_OPNUM_ALLOWED|AVTAB_OPTYPE_ALLOWED)) + fprintf(fp, "allow "); + else if (key->specified & (AVTAB_OPNUM_AUDITALLOW|AVTAB_OPTYPE_AUDITALLOW)) + fprintf(fp, "auditallow "); + else if (key->specified & (AVTAB_OPNUM_DONTAUDIT|AVTAB_OPTYPE_DONTAUDIT)) + fprintf(fp, "dontaudit "); + render_key(key, p, fp); + render_operations(datum->ops, key, fp); + fprintf(fp, ";\n"); } else { fprintf(fp, " ERROR: no valid rule type specified\n"); return -1; @@ -159,27 +191,15 @@ int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp) { unsigned int i; avtab_ptr_t cur; - avtab_t expa; - - if (avtab_init(&expa)) - goto oom; - if (expand_avtab(p, a, &expa)) { - avtab_destroy(&expa); - goto oom; - } /* hmm...should have used avtab_map. */ - for (i = 0; i < expa.nslot; i++) { - for (cur = expa.htable[i]; cur; cur = cur->next) { + for (i = 0; i < a->nslot; i++) { + for (cur = a->htable[i]; cur; cur = cur->next) { render_av_rule(&cur->key, &cur->datum, what, p, fp); } } - avtab_destroy(&expa); fprintf(fp, "\n"); return 0; - oom: - fprintf(stderr, "out of memory\n"); - return 1; } int display_bools(policydb_t * p, FILE * fp) @@ -231,47 +251,26 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp) int display_cond_expressions(policydb_t * p, FILE * fp) { cond_node_t *cur; - cond_av_list_t *av_cur, *expl = NULL; - avtab_t expa; + cond_av_list_t *av_cur; for (cur = p->cond_list; cur != NULL; cur = cur->next) { fprintf(fp, "expression: "); display_expr(p, cur->expr, fp); fprintf(fp, "current state: %d\n", cur->cur_state); fprintf(fp, "True list:\n"); - if (avtab_init(&expa)) - goto oom; - if (expand_cond_av_list(p, cur->true_list, &expl, &expa)) { - avtab_destroy(&expa); - goto oom; - } - for (av_cur = expl; av_cur != NULL; av_cur = av_cur->next) { + for (av_cur = cur->true_list; av_cur != NULL; av_cur = av_cur->next) { fprintf(fp, "\t"); render_av_rule(&av_cur->node->key, &av_cur->node->datum, RENDER_CONDITIONAL, p, fp); } - cond_av_list_destroy(expl); - avtab_destroy(&expa); fprintf(fp, "False list:\n"); - if (avtab_init(&expa)) - goto oom; - if (expand_cond_av_list(p, cur->false_list, &expl, &expa)) { - avtab_destroy(&expa); - goto oom; - } - for (av_cur = expl; av_cur != NULL; av_cur = av_cur->next) { + for (av_cur = cur->false_list; av_cur != NULL; av_cur = av_cur->next) { fprintf(fp, "\t"); render_av_rule(&av_cur->node->key, &av_cur->node->datum, RENDER_CONDITIONAL, p, fp); } - cond_av_list_destroy(expl); - avtab_destroy(&expa); } return 0; - - oom: - fprintf(stderr, "out of memory\n"); - return 1; } int display_handle_unknown(policydb_t * p, FILE * out_fp) -- cgit v1.2.3