xref: /aosp_15_r20/system/sepolicy/tools/sepolicy-check.c (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)

#include <getopt.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/services.h>
#include <sepol/policydb/expand.h>

#define EQUALS 0
#define NOT 1
#define ANY 2

void usage(char *arg0) {
	fprintf(stderr, "%s -s <source> -t <target> -c <class> -p <perm> -P <policy file>\n", arg0);
	exit(1);
}

void *cmalloc(size_t s) {
	void *t = malloc(s);
	if (t == NULL) {
		fprintf(stderr, "Out of memory\n");
		exit(1);
	}
	return t;
}

int parse_ops(char **arg) {
	switch (*arg[0]) {
		case '-':
			*arg = *arg + 1;
			return NOT;
		case '*':
			return ANY;
		default:
			return EQUALS;
	}
}

int check(int op, uint16_t arg1, uint16_t arg2) {
	switch (op) {
		case EQUALS:
			return arg1 == arg2;
		case NOT:
			return arg1 != arg2;
		case ANY:
			return 1;
		default:
			fprintf(stderr, "Bad op while checking!");
			return 2;
	}
}

int check_perm(avtab_ptr_t current, perm_datum_t *perm) {
	uint16_t perm_bitmask = 1U << (perm->s.value - 1);
	return (current->datum.data & perm_bitmask) != 0;
}


int expand_and_check(int s_op, uint32_t source_type,
		     int t_op, uint32_t target_type,
		     int c_op, uint32_t target_class,
		     perm_datum_t *perm, policydb_t *policy, avtab_t *avtab) {
	avtab_t exp_avtab;
	avtab_ptr_t cur;
	unsigned int i;
	int match;

	if (avtab_init(&exp_avtab)) {
		fputs("out of memory\n", stderr);
		return -1;
	}

	if (expand_avtab(policy, avtab, &exp_avtab)) {
		fputs("out of memory\n", stderr);
		avtab_destroy(&exp_avtab);
		return -1;
	}

	for (i = 0; i < exp_avtab.nslot; i++) {
		for (cur = exp_avtab.htable[i]; cur; cur = cur->next) {
			match = 1;
			match &= check(s_op, source_type, cur->key.source_type);
			match &= check(t_op, target_type, cur->key.target_type);
			match &= check(c_op, target_class, cur->key.target_class);
			match &= check_perm(cur, perm);
			if (match) {
				avtab_destroy(&exp_avtab);
				return 1;
			}
		}
	}

	avtab_destroy(&exp_avtab);
	return 0;
}

/*
 * Checks to see if a rule matching the given arguments already exists.
 *
 * The format for the arguments is as follows:
 *
 * - A bare string is treated as a literal and will be matched by equality.
 * - A string starting with "-" will be matched by inequality.
 * - A string starting with "*" will be treated as a wildcard.
 *
 * The return codes for this function are as follows:
 *
 * - 0 indicates a successful return without a match
 * - 1 indicates a successful return with a match
 * - -1 indicates an error
 */
int check_rule(char *s, char *t, char *c, char *p, policydb_t *policy) {
	type_datum_t *src = NULL;
	type_datum_t *tgt = NULL;
	class_datum_t *cls = NULL;
	perm_datum_t *perm = NULL;
	int s_op = parse_ops(&s);
	int t_op = parse_ops(&t);
	int c_op = parse_ops(&c);
	int p_op = parse_ops(&p);
	avtab_key_t key;
	int match;

	key.source_type = key.target_type = key.target_class = 0;

	if (s_op != ANY) {
		src = hashtab_search(policy->p_types.table, s);
		if (src == NULL) {
			fprintf(stderr, "source type %s does not exist\n", s);
			return -1;
		}
	}
	if (t_op != ANY) {
		tgt = hashtab_search(policy->p_types.table, t);
		if (tgt == NULL) {
			fprintf(stderr, "target type %s does not exist\n", t);
			return -1;
		}
	}
	if (c_op != ANY) {
		cls = hashtab_search(policy->p_classes.table, c);
		if (cls == NULL) {
			fprintf(stderr, "class %s does not exist\n", c);
			return -1;
		}
	}
	if (p_op != ANY) {
		perm = hashtab_search(cls->permissions.table, p);
		if (perm == NULL) {
			if (cls->comdatum == NULL) {
				fprintf(stderr, "perm %s does not exist in class %s\n", p, c);
				return -1;
			}
			perm = hashtab_search(cls->comdatum->permissions.table, p);
			if (perm == NULL) {
				fprintf(stderr, "perm %s does not exist in class %s\n", p, c);
				return -1;
			}
		}
	}

	if (s_op != ANY)
		key.source_type = src->s.value;
	if (t_op != ANY)
		key.target_type = tgt->s.value;
	if (c_op != ANY)
		key.target_class = cls->s.value;

	/* Check unconditional rules after attribute expansion. */
	match = expand_and_check(s_op, key.source_type,
				 t_op, key.target_type,
				 c_op, key.target_class,
				 perm, policy, &policy->te_avtab);
	if (match)
		return match;

	/* Check conditional rules after attribute expansion. */
	return expand_and_check(s_op, key.source_type,
				t_op, key.target_type,
				c_op, key.target_class,
				perm, policy, &policy->te_cond_avtab);
}

int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf) {
	int fd;
	struct stat sb;
	void *map;
	int ret;

	fd = open(filename, O_RDONLY);
	if (fd < 0) {
		fprintf(stderr, "Can't open '%s':  %s\n", filename, strerror(errno));
		return 1;
	}
	if (fstat(fd, &sb) < 0) {
		fprintf(stderr, "Can't stat '%s':  %s\n", filename, strerror(errno));
		close(fd);
		return 1;
	}
	map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
	if (map == MAP_FAILED) {
		fprintf(stderr, "Can't mmap '%s':  %s\n", filename, strerror(errno));
		close(fd);
		return 1;
	}

	policy_file_init(pf);
	pf->type = PF_USE_MEMORY;
	pf->data = map;
	pf->len = sb.st_size;
	if (policydb_init(policydb)) {
		fprintf(stderr, "Could not initialize policydb!\n");
		close(fd);
		munmap(map, sb.st_size);
		return 1;
	}
	ret = policydb_read(policydb, pf, 0);
	if (ret) {
		fprintf(stderr, "error(s) encountered while parsing configuration\n");
		close(fd);
		munmap(map, sb.st_size);
		return 1;
	}

	return 0;
}


int main(int argc, char **argv)
{
	char *policy = NULL, *source = NULL, *target = NULL, *class = NULL, *perm = NULL;
	policydb_t policydb;
	struct policy_file pf;
	sidtab_t sidtab;
	char ch;
	int match = 1;

	struct option long_options[] = {
			{"source", required_argument, NULL, 's'},
			{"target", required_argument, NULL, 't'},
			{"class", required_argument, NULL, 'c'},
			{"perm", required_argument, NULL, 'p'},
			{"policy", required_argument, NULL, 'P'},
			{NULL, 0, NULL, 0}
	};

	while ((ch = getopt_long(argc, argv, "s:t:c:p:P:", long_options, NULL)) != -1) {
		switch (ch) {
			case 's':
				source = optarg;
				break;
			case 't':
				target = optarg;
				break;
			case 'c':
				class = optarg;
				break;
			case 'p':
				perm = optarg;
				break;
			case 'P':
				policy = optarg;
				break;
			default:
				usage(argv[0]);
		}
	}

	if (!source || !target || !class || !perm || !policy)
		usage(argv[0]);

	sepol_set_policydb(&policydb);
	sepol_set_sidtab(&sidtab);

	if (load_policy(policy, &policydb, &pf))
		goto out;

	match = check_rule(source, target, class, perm, &policydb);
	if (match < 0) {
		fprintf(stderr, "Error checking rules!\n");
		goto out;
	} else if (match > 0) {
		printf("Match found!\n");
		goto out;
	}

	match = 0;

out:
	policydb_destroy(&policydb);
	return match;
}