1*2d543d20SAndroid Build Coastguard Worker #include <errno.h>
2*2d543d20SAndroid Build Coastguard Worker #include <stdio.h>
3*2d543d20SAndroid Build Coastguard Worker #include <stdlib.h>
4*2d543d20SAndroid Build Coastguard Worker #include <string.h>
5*2d543d20SAndroid Build Coastguard Worker
6*2d543d20SAndroid Build Coastguard Worker #include <sepol/policydb/services.h>
7*2d543d20SAndroid Build Coastguard Worker #include <sepol/sepol.h>
8*2d543d20SAndroid Build Coastguard Worker
9*2d543d20SAndroid Build Coastguard Worker
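/*
 * Resolve a comma-separated list of permission names for class `tclass`
 * into an access vector.
 *
 * Each name is isolated with strndup() so argv is never modified, then
 * handed to sepol_string_to_av_perm(), which ORs the matching bit into
 * *av rather than overwriting it -- the caller must therefore start with
 * *av zeroed, otherwise stale bits would be carried into the decision.
 * An empty name (",," or a trailing ",") is passed through unchanged and
 * rejected by libsepol like any other unknown permission.
 *
 * `class_name` is only used in the diagnostic.  Returns 0 on success and
 * -1, after printing a message to stderr, on an unknown permission or an
 * allocation failure.
 */
static int parse_perm_list(sepol_security_class_t tclass, const char *list,
			   const char *class_name, sepol_access_vector_t *av)
{
	const char *cursor = list;

	for (;;) {
		const char *delim = strchr(cursor, ',');
		char *copy = NULL;
		const char *perm = cursor;

		if (delim) {
			copy = strndup(cursor, (size_t)(delim - cursor));
			if (!copy) {
				fprintf(stderr, "Failed to allocate memory: %s\n", strerror(errno));
				return -1;
			}
			perm = copy;
		}

		if (sepol_string_to_av_perm(tclass, perm, av) < 0) {
			fprintf(stderr, "Invalid permission %s for security class %s: %s\n", perm, class_name, strerror(errno));
			free(copy);
			return -1;
		}
		free(copy);

		if (!delim)
			return 0;
		/* Advance past the comma explicitly instead of post-incrementing
		 * a possibly-NULL strchr() result. */
		cursor = delim + 1;
	}
}

/*
 * Print the comma-separated names of the policy mechanisms that took part
 * in a denial, derived from the SEPOL_COMPUTEAV_* bits in `reason`.
 * Prints nothing if no known bit is set.
 */
static void print_denial_sources(unsigned int reason)
{
	const char *sep = "";

	if (reason & SEPOL_COMPUTEAV_TE) {
		printf("%ste-rule", sep);
		sep = ", ";
	}
	if (reason & SEPOL_COMPUTEAV_CONS) {
		printf("%sconstraint", sep);
		sep = ", ";
	}
	if (reason & SEPOL_COMPUTEAV_RBAC) {
		printf("%srole-transition", sep);
		sep = ", ";
	}
	if (reason & SEPOL_COMPUTEAV_BOUNDS)
		printf("%stype-bound", sep);
}

/*
 * Compute an access decision against a binary SELinux policy file.
 *
 * usage: policy source_context target_context class permission[,permission2[,...]]
 *
 * Exit status: 0 if every requested permission is allowed, 7 if the policy
 * denies at least one of them (the denying mechanisms are printed, followed
 * by the constraint explanation from sepol_compute_av_reason_buffer() when
 * a constraint was involved), 1 on a usage, policy-loading or lookup error.
 *
 * The decision reflects only the policy file named on the command line; it
 * says nothing about whatever policy a running kernel has loaded.
 */
int main(int argc, char *argv[])
{
	FILE *fp;
	sepol_security_id_t ssid, tsid;
	sepol_security_class_t tclass;
	/* Must start at zero: parse_perm_list() ORs permission bits into it. */
	sepol_access_vector_t av = 0;
	struct sepol_av_decision avd;
	unsigned int reason = 0;
	char *reason_buf = NULL;

	if (argc != 6) {
		printf("usage: %s policy source_context target_context class permission[,permission2[,...]]\n", argv[0]);
		return 1;
	}

	fp = fopen(argv[1], "r");
	if (!fp) {
		fprintf(stderr, "Can't open policy %s: %s\n", argv[1], strerror(errno));
		return 1;
	}
	/* Installs the parsed policy as libsepol's global policydb; the stream
	 * is not needed afterwards on either path. */
	if (sepol_set_policydb_from_file(fp) < 0) {
		fprintf(stderr, "Error while processing policy %s: %s\n", argv[1], strerror(errno));
		fclose(fp);
		return 1;
	}
	fclose(fp);

	if (sepol_context_to_sid(argv[2], strlen(argv[2]), &ssid) < 0) {
		fprintf(stderr, "Invalid source context %s\n", argv[2]);
		return 1;
	}

	if (sepol_context_to_sid(argv[3], strlen(argv[3]), &tsid) < 0) {
		fprintf(stderr, "Invalid target context %s\n", argv[3]);
		return 1;
	}

	if (sepol_string_to_security_class(argv[4], &tclass) < 0) {
		fprintf(stderr, "Invalid security class %s\n", argv[4]);
		return 1;
	}

	if (parse_perm_list(tclass, argv[5], argv[4], &av) < 0)
		return 1;

	if (av == 0) {
		fprintf(stderr, "Empty permission set computed from %s\n", argv[5]);
		return 1;
	}

	if (sepol_compute_av_reason_buffer(ssid, tsid, tclass, av, &avd, &reason, &reason_buf, 0) < 0) {
		fprintf(stderr, "Failed to compute av decision: %s\n", strerror(errno));
		return 1;
	}

	/* Every requested bit must be granted; a partial grant counts as a denial. */
	if ((avd.allowed & av) == av) {
		printf("requested permission %s allowed\n", argv[5]);
		free(reason_buf);
		return 0;
	}

	printf("requested permission %s denied by ", argv[5]);
	print_denial_sources(reason);

	/* The reason buffer only explains constraint violations. */
	if ((reason & SEPOL_COMPUTEAV_CONS) && reason_buf)
		printf("; reason:\n%s", reason_buf);

	free(reason_buf);

	printf("\n");

	return 7;
}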