author | Miroslav Grepl <mgrepl@redhat.com> | 2014-04-11 09:54:44 +0200 |
---|---|---|
committer | Miroslav Grepl <mgrepl@redhat.com> | 2014-04-11 09:54:44 +0200 |
commit | 0ce79dd3761d52f34e370f573cd750ae7a578089 (patch) | |
tree | 6e1937c3f2634c2e2d2bccec9bf15cfadd1a5423 | |
parent | 47be9ff57e72906660bb62a515222f482131e1fb (diff) | |
Merge 3.3.8 upstream setools
-rw-r--r-- | ChangeLog | 19 | ||||
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | apol/top.tcl | 8 | ||||
-rw-r--r-- | configure.ac | 72 | ||||
-rw-r--r-- | libapol/include/apol/Makefile.am | 1 | ||||
-rw-r--r-- | libapol/include/apol/policy-query.h | 1 | ||||
-rw-r--r-- | libapol/src/Makefile.am | 1 | ||||
-rw-r--r-- | libapol/src/libapol.map | 1 | ||||
-rw-r--r-- | libqpol/include/qpol/Makefile.am | 1 | ||||
-rw-r--r-- | libqpol/include/qpol/policy.h | 1 | ||||
-rw-r--r-- | libqpol/src/Makefile.am | 1 | ||||
-rw-r--r-- | libqpol/src/libqpol.map | 1 | ||||
-rw-r--r-- | libqpol/src/module_compiler.c | 12 | ||||
-rw-r--r-- | libqpol/src/module_compiler.h | 1 | ||||
-rw-r--r-- | libqpol/src/policy_define.c | 188 | ||||
-rw-r--r-- | libqpol/src/policy_define.h | 2 | ||||
-rw-r--r-- | libqpol/src/policy_parse.y | 13 | ||||
-rw-r--r-- | libqpol/src/policy_scan.l | 1 | ||||
-rw-r--r-- | man/replcon.1 | 2 | ||||
-rw-r--r-- | man/seinfo.1 | 6 | ||||
-rw-r--r-- | man/sesearch.1 | 2 | ||||
-rw-r--r-- | seaudit/progress.c | 5 | ||||
-rw-r--r-- | seaudit/seaudit-report.c | 2 | ||||
-rw-r--r-- | secmds/seinfo.c | 153 | ||||
-rw-r--r-- | secmds/sesearch.c | 168 | ||||
-rw-r--r-- | sediff/sediff.c | 2 |
26 files changed, 572 insertions, 94 deletions
@@ -1,3 +1,22 @@ +2013-01-08 Steve Lawrence <slawrence@tresys.com> + + * SETools 3.3.8 + * Fix bug preventing seaudit from starting by Jake Lightner. + +2013-01-08 Steve Lawrence <slawrence@tresys.com> + + * Add python bindings for seinfo and sesearch by Dan Walsh. + * seinfo exits with an error status by Dan Walsh. + * Support for named file transition rules by Dan Walsh. + * Add support for default types in sesearch by Steve Lawrence. + * Man page updates for seinfo, seaudit, and sediff by Dan Walsh. + +2012-03-26 Chris PeBenito <cpebenito@tresys.com> + * Fix file type drop down list for open/close Apol query. + +2012-03-06 Chris PeBenito <cpebenito@tresys.com> + * Fix compile errors on new parameter in libsepol role_set_expand(). + 2010-05-07 Spencer Shimko <sshimko@tresys.com> * SETools 3.3.7. diff --git a/Makefile.am b/Makefile.am index 5dc1b5d..176c8ea 100644 --- a/Makefile.am +++ b/Makefile.am @@ -10,7 +10,7 @@ if BUILD_GUI endif # sediffx is also built conditionally, from sediffx/Makefile.am -SUBDIRS = libqpol libapol libsefs libpoldiff libseaudit secmds sechecker sediff man packages debian $(MAYBE_APOL) $(MAYBE_GUI) +SUBDIRS = libqpol libapol libsefs libpoldiff libseaudit secmds sechecker sediff man packages debian $(MAYBE_APOL) $(MAYBE_GUI) python #old indent opts #INDENT_OPTS = -npro -nbad -bap -sob -ss -l132 -di1 -nbc -br -nbbb -c40 -cd40 -ncdb -ce -cli0 -cp40 -ncs -d0 -nfc1 -nfca -i8 -ts8 -ci8 -lp -ip0 -npcs -npsl -sc diff --git a/apol/top.tcl b/apol/top.tcl index e0f87a3..f930318 100644 --- a/apol/top.tcl +++ b/apol/top.tcl @@ -618,9 +618,7 @@ proc ApolTop::_goto {} { } proc ApolTop::_open_query_file {} { - set types { - {"Query files" {$ApolTop::query_file_ext}} - } + set types " {\"Query files\" { $ApolTop::query_file_ext }} " set query_file [tk_getOpenFile -filetypes $types -title "Open Apol Query" \ -defaultextension $ApolTop::query_file_ext -parent .] if {$query_file != {}} { 
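Review bot: The two rewritten `set types` lines in apol/top.tcl are not identical: `_open_query_file` in this hunk wraps the extension as `{ $ApolTop::query_file_ext }` with inner spaces, while `_save_query_file` in the @@ -657 hunk that follows uses `{$ApolTop::query_file_ext}`. Tcl's list parser accepts both forms, but the stray spaces read as an accidental edit rather than a deliberate difference, and the two file dialogs should build the same filetype list. Using `set types " {\"Query files\" {$ApolTop::query_file_ext}} "` in both procs keeps them in step. The remainder of each proc lies outside the hunks.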
@@ -657,9 +655,7 @@ proc ApolTop::_open_query_file {} { } proc ApolTop::_save_query_file {} { - set types { - {"Query files" {$ApolTop::query_file_ext}} - } + set types " {\"Query files\" {$ApolTop::query_file_ext}} " set query_file [tk_getSaveFile -title "Save Apol Query" \ -defaultextension $ApolTop::query_file_ext \ -filetypes $types -parent .] diff --git a/configure.ac b/configure.ac index b885981..577ce48 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT(setools, 3.3.7, [Tresys Technology <setools@tresys.com>], [setools]) +AC_INIT(setools, 3.3.8, [Tresys Technology <setools@tresys.com>], [setools]) AC_PREREQ([2.59]) AC_CONFIG_SRCDIR(libqpol/src/policy.c) AC_CONFIG_HEADER(config.h) @@ -8,19 +8,19 @@ AM_INIT_AUTOMAKE([-Wno-portability]) dnl *** update these variables as versions change; also update AC_INIT *** libqpol_soversion=1 -libqpol_version=1.6 +libqpol_version=1.7 libapol_soversion=4 -libapol_version=4.3 +libapol_version=4.4 libpoldiff_soversion=1 -libpoldiff_version=1.3.2 +libpoldiff_version=1.3.3 libsefs_soversion=4 -libsefs_version=4.0.3 +libsefs_version=4.0.4 libseaudit_soversion=4 -libseaudit_version=4.4 +libseaudit_version=4.5 setoolsdir='${prefix}/share/setools-3.3' javadir='${prefix}/share/java' @@ -194,7 +194,7 @@ AC_ARG_ENABLE(swig-java, enable_jswig="$enableval") if test "x${enable_jswig}" = xyes; then if test ${do_swigify} = no; then - AC_PROG_SWIG(1.3.28) + AC_PROG_SWIG(2.0.0) fi AC_JAVA_OPTIONS if test "x$JAVAPREFIX" = x; then 
@@ -216,21 +216,23 @@ if test "x${enable_jswig}" = xyes; then do_swigify_java=yes do_swigify=yes fi + +AM_PATH_PYTHON(2.7) + AC_ARG_ENABLE(swig-python, AC_HELP_STRING([--enable-swig-python], [build SWIG interfaces for Python]), enable_pyswig="$enableval") if test "x${enable_pyswig}" = xyes; then if test ${do_swigify} = no; then - AC_PROG_SWIG(1.3.28) + AC_PROG_SWIG(2.0.0) fi - AM_PATH_PYTHON(2.3) SWIG_PYTHON do_swigify_python=yes do_swigify=yes fi if test ${do_swigify} = "yes"; then - AC_PROG_SWIG(1.3.28) + AC_PROG_SWIG(2.0.0) fi build_apol=yes AC_ARG_ENABLE(swig-tcl, @@ -239,7 +241,7 @@ AC_ARG_ENABLE(swig-tcl, enable_tclswig="$enableval", enable_tclswig="yes") if test "x${enable_tclswig}" = xyes; then if test ${do_swigify} = no; then - AC_PROG_SWIG(1.3.28) + AC_PROG_SWIG(2.0.0) fi TEA_INIT(3.5) TEA_PATH_TCLCONFIG 
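Review bot: `AM_PATH_PYTHON(2.7)` is moved out of the `enable_pyswig` branch and now runs on every configure invocation, so a host without a Python 2.7 interpreter fails to configure even when `--enable-swig-python` is not given. That is consistent with `python` being appended unconditionally to SUBDIRS in the Makefile.am hunk above, but neither the hunk nor the commit message records that Python became a hard build requirement for the whole tree. If that is the intent, a `dnl python/ is always built, so the interpreter is required unconditionally` line above the macro makes it deliberate; otherwise the macro belongs back inside the `if test "x${enable_pyswig}" = xyes` block.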
@@ -497,17 +499,54 @@ sepol_save_CPPFLAGS="${CPPFLAGS}" CFLAGS="${CFLAGS} ${SELINUX_CFLAGS} ${SELINUX_LIB_FLAG}" CPPFLAGS="${CPPFLAGS} ${SELINUX_CFLAGS}" -dnl check for user and role mapping, added in libsepol version 2.0.29 -AC_MSG_CHECKING([for user and role mappings]) +dnl check for role attribute, added in libsepol 2.0.46 +AC_MSG_CHECKING([for libsepol role_set_expand() role attribute support]) AC_COMPILE_IFELSE( [AC_LANG_SOURCE([ #include <sepol/policydb/expand.h> int main () { + return role_set_expand(NULL, NULL, NULL, NULL, NULL); +}])], + sepol_role_attrs="yes", + sepol_role_attrs="no") +AC_MSG_RESULT([${sepol_role_attrs}]) + +if test ${sepol_role_attrs} == "yes"; then + sepol_new_user_role_mapping="yes" + sepol_role_set_expand_base="yes" +else + dnl check for user and role mapping, added in libsepol version 2.0.29 + AC_MSG_CHECKING([for libsepol role_set_expand() user and role mappings]) + AC_COMPILE_IFELSE( + [AC_LANG_SOURCE([ +#include <sepol/policydb/expand.h> +int main () { return role_set_expand(NULL, NULL, NULL, NULL); }])], sepol_new_user_role_mapping="yes", sepol_new_user_role_mapping="no") -AC_MSG_RESULT([${sepol_new_user_role_mapping}]) + AC_MSG_RESULT([${sepol_new_user_role_mapping}]) + + if test ${sepol_new_user_role_mapping} == "no"; then + dnl if this is not the original role_set_expand(), this libsepol is too new + AC_MSG_CHECKING([for libsepol role_set_expand() original version]) + AC_COMPILE_IFELSE( + [AC_LANG_SOURCE([ +#include <sepol/policydb/expand.h> +int main () { + return role_set_expand(NULL, NULL, NULL); +}])], + sepol_role_set_expand_base="yes", + sepol_role_set_expand_base="no") + AC_MSG_RESULT([${sepol_role_set_expand_base}]) + + if test ${sepol_role_set_expand_base} == "no"; then + AC_MSG_ERROR([this version of libsepol is incompatible with SETools]) + fi + else + sepol_role_set_expand_base="yes" + fi +fi dnl check for permissive types, added in libsepol version 2.0.26 AC_CHECK_DECL([TYPE_FLAGS_PERMISSIVE], 
@@ -819,6 +858,9 @@ fi if test ${sepol_new_user_role_mapping} == "yes"; then AC_DEFINE(HAVE_SEPOL_USER_ROLE_MAPPING, 1, [if users and roles are mapped during policy expansion]) fi +if test ${sepol_role_attrs} == "yes"; then + AC_DEFINE(HAVE_SEPOL_ROLE_ATTRS, 1, [if role attributes are supported]) +fi if test ${use_shared} == "yes"; then AC_DEFINE(LINK_SHARED, 1, [link programs using shared libraries]) @@ -888,6 +930,8 @@ AC_CONFIG_FILES([Makefile VERSION \ sediff/Makefile \ man/Makefile \ debian/Makefile \ + python/Makefile \ + python/setools/Makefile \ packages/Makefile packages/rpm/Makefile \ packages/libqpol.pc packages/libapol.pc packages/libpoldiff.pc packages/libseaudit.pc packages/libsefs.pc]) diff --git a/libapol/include/apol/Makefile.am b/libapol/include/apol/Makefile.am index 0883c10..e398ff2 100644 --- a/libapol/include/apol/Makefile.am +++ b/libapol/include/apol/Makefile.am @@ -27,6 +27,7 @@ apol_HEADERS = \ relabel-analysis.h \ render.h \ role-query.h \ + ftrule-query.h \ terule-query.h \ type-query.h \ types-relation-analysis.h \ diff --git a/libapol/include/apol/policy-query.h b/libapol/include/apol/policy-query.h index 315f70e..665e4cb 100644 --- a/libapol/include/apol/policy-query.h +++ b/libapol/include/apol/policy-query.h @@ -71,6 +71,7 @@ extern "C" #include "terule-query.h" #include "condrule-query.h" #include "rbacrule-query.h" +#include "ftrule-query.h" #include "range_trans-query.h" #include "constraint-query.h" diff --git a/libapol/src/Makefile.am b/libapol/src/Makefile.am index 3fa4f06..baaa4f6 100644 --- a/libapol/src/Makefile.am +++ b/libapol/src/Makefile.am @@ -40,6 +40,7 @@ libapol_a_SOURCES = \ render.c \ role-query.c \ terule-query.c \ + ftrule-query.c \ type-query.c \ types-relation-analysis.c \ user-query.c \ diff --git a/libapol/src/libapol.map b/libapol/src/libapol.map index 4894374..7657a2d 100644 --- a/libapol/src/libapol.map +++ b/libapol/src/libapol.map 
@@ -34,6 +34,7 @@ VERS_4.0{ apol_protocol_to_str; apol_qpol_context_render; apol_range_trans_*; + apol_filename_trans_*; apol_relabel_*; apol_role_*; apol_role_allow_*; diff --git a/libqpol/include/qpol/Makefile.am b/libqpol/include/qpol/Makefile.am index b55acb7..9b570e1 100644 --- a/libqpol/include/qpol/Makefile.am +++ b/libqpol/include/qpol/Makefile.am @@ -25,6 +25,7 @@ qpol_HEADERS = \ role_query.h \ syn_rule_query.h \ terule_query.h \ + ftrule_query.h \ type_query.h \ user_query.h \ util.h diff --git a/libqpol/include/qpol/policy.h b/libqpol/include/qpol/policy.h index ae4ea08..bf85718 100644 --- a/libqpol/include/qpol/policy.h +++ b/libqpol/include/qpol/policy.h @@ -55,6 +55,7 @@ extern "C" #include <qpol/polcap_query.h> #include <qpol/portcon_query.h> #include <qpol/rbacrule_query.h> +#include <qpol/ftrule_query.h> #include <qpol/role_query.h> #include <qpol/syn_rule_query.h> #include <qpol/terule_query.h> diff --git a/libqpol/src/Makefile.am b/libqpol/src/Makefile.am index 34d87a6..0889a61 100644 --- a/libqpol/src/Makefile.am +++ b/libqpol/src/Makefile.am @@ -48,6 +48,7 @@ libqpol_a_SOURCES = \ syn_rule_internal.h \ syn_rule_query.c \ terule_query.c \ + ftrule_query.c \ type_query.c \ user_query.c \ util.c \ diff --git a/libqpol/src/libqpol.map b/libqpol/src/libqpol.map index dd293bc..6973cca 100644 --- a/libqpol/src/libqpol.map +++ b/libqpol/src/libqpol.map @@ -34,6 +34,7 @@ VERS_1.2 { qpol_policy_reevaluate_conds; qpol_portcon_*; qpol_range_trans_*; + qpol_filename_trans_*; qpol_role_*; qpol_syn_avrule_*; qpol_syn_terule_*; diff --git a/libqpol/src/module_compiler.c b/libqpol/src/module_compiler.c index dc19798..b06e285 100644 --- a/libqpol/src/module_compiler.c +++ b/libqpol/src/module_compiler.c 
@@ -1247,6 +1247,18 @@ void append_role_allow(role_allow_rule_t * role_allow_rules) } /* this doesn't actually append, but really prepends it */ +void append_filename_trans(filename_trans_rule_t * filename_trans_rules) +{ + avrule_decl_t *decl = stack_top->decl; + + /* filename transitions are not allowed within conditionals */ + assert(stack_top->type == 1); + + filename_trans_rules->next = decl->filename_trans_rules; + decl->filename_trans_rules = filename_trans_rules; +} + +/* this doesn't actually append, but really prepends it */ void append_range_trans(range_trans_rule_t * range_tr_rules) { avrule_decl_t *decl = stack_top->decl; diff --git a/libqpol/src/module_compiler.h b/libqpol/src/module_compiler.h index 489086d..d46dca6 100644 --- a/libqpol/src/module_compiler.h +++ b/libqpol/src/module_compiler.h @@ -86,6 +86,7 @@ void append_avrule(avrule_t * avrule); void append_role_trans(role_trans_rule_t * role_tr_rules); void append_role_allow(role_allow_rule_t * role_allow_rules); void append_range_trans(range_trans_rule_t * range_tr_rules); +void append_filename_trans(filename_trans_rule_t * filename_trans_rules); /* Create a new optional block and add it to the global policy. * During the second pass resolve the block's requirements. Return 0 diff --git a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c index c94f7aa..fad6b60 100644 --- a/libqpol/src/policy_define.c +++ b/libqpol/src/policy_define.c @@ -2132,7 +2132,9 @@ int define_role_trans(void) free(id); /* This ebitmap business is just to ensure that there are not conflicting role_trans rules */ -#ifdef HAVE_SEPOL_USER_ROLE_MAPPING +#ifdef HAVE_SEPOL_ROLE_ATTRS + if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL)) +#elif HAVE_SEPOL_USER_ROLE_MAPPING if (role_set_expand(&roles, &e_roles, policydbp, NULL)) #else if (role_set_expand(&roles, &e_roles, policydbp)) 
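Review bot: `assert(stack_top->type == 1)` in append_filename_trans compares against a bare literal and, being an assert, disappears under NDEBUG; the comment above it says what is checked but not why vanishing is acceptable. Since the grammar change in policy_parse.y routes a conditional `type_transition ... filename` to define_cond_filename_trans(), this is an invariant check on the parser rather than validation of policy input, and the comment should say so, e.g. `/* grammar sends conditional filename transitions to define_cond_filename_trans(); reaching here inside a conditional is a parser bug, not a policy error */`. If the neighbouring append_* functions (outside the hunk) name the declaration kind with a constant, use the same one here instead of `1`.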
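Review bot: `#elif HAVE_SEPOL_USER_ROLE_MAPPING` in define_role_trans tests the macro's value, whereas the new `#ifdef HAVE_SEPOL_ROLE_ATTRS` line directly above tests whether it is defined; it only works because AC_DEFINE gives the symbol the value 1 and an undefined identifier evaluates to 0 in `#if`, and it trips `-Wundef`. `#elif defined(HAVE_SEPOL_USER_ROLE_MAPPING)` makes the two branches use the same test. The body of define_role_trans starts and ends outside the hunk.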
@@ -2226,6 +2228,190 @@ int define_role_allow(void) return 0; } +avrule_t *define_cond_filename_trans(void) +{ + yyerror("type transitions with a filename not allowed inside " + "conditionals\n"); + return COND_ERR; +} + +int define_filename_trans(void) +{ + char *id, *name = NULL; + type_set_t stypes, ttypes; + ebitmap_t e_stypes, e_ttypes; + ebitmap_t e_tclasses; + ebitmap_node_t *snode, *tnode, *cnode; + filename_trans_t *ft; + filename_trans_rule_t *ftr; + class_datum_t *cladatum; + type_datum_t *typdatum; + uint32_t otype; + unsigned int c, s, t; + int add; + + if (pass == 1) { + /* stype */ + while ((id = queue_remove(id_queue))) + free(id); + /* ttype */ + while ((id = queue_remove(id_queue))) + free(id); + /* tclass */ + while ((id = queue_remove(id_queue))) + free(id); + /* otype */ + id = queue_remove(id_queue); + free(id); + /* name */ + id = queue_remove(id_queue); + free(id); + return 0; + } + + + add = 1; + type_set_init(&stypes); + while ((id = queue_remove(id_queue))) { + if (set_types(&stypes, id, &add, 0)) + goto bad; + } + + add =1; + type_set_init(&ttypes); + while ((id = queue_remove(id_queue))) { + if (set_types(&ttypes, id, &add, 0)) + goto bad; + } + + ebitmap_init(&e_tclasses); + while ((id = queue_remove(id_queue))) { + if (!is_id_in_scope(SYM_CLASSES, id)) { + yyerror2("class %s is not within scope", id); + free(id); + goto bad; + } + cladatum = hashtab_search(policydbp->p_classes.table, id); + if (!cladatum) { + yyerror2("unknown class %s", id); + goto bad; + } + if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) { + yyerror("Out of memory"); + goto bad; + } + free(id); + } + + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no otype in transition definition?"); + goto bad; + } + if (!is_id_in_scope(SYM_TYPES, id)) { + yyerror2("type %s is not within scope", id); + free(id); + goto bad; + } + typdatum = hashtab_search(policydbp->p_types.table, id); + if (!typdatum) { + yyerror2("unknown type %s used in transition 
definition", id); + goto bad; + } + free(id); + otype = typdatum->s.value; + + name = queue_remove(id_queue); + if (!name) { + yyerror("no pathname specified in filename_trans definition?"); + goto bad; + } + + /* We expand the class set into seperate rules. We expand the types + * just to make sure there are not duplicates. They will get turned + * into seperate rules later */ + ebitmap_init(&e_stypes); + if (type_set_expand(&stypes, &e_stypes, policydbp, 1)) + goto bad; + + ebitmap_init(&e_ttypes); + if (type_set_expand(&ttypes, &e_ttypes, policydbp, 1)) + goto bad; + + ebitmap_for_each_bit(&e_tclasses, cnode, c) { + if (!ebitmap_node_get_bit(cnode, c)) + continue; + ebitmap_for_each_bit(&e_stypes, snode, s) { + if (!ebitmap_node_get_bit(snode, s)) + continue; + ebitmap_for_each_bit(&e_ttypes, tnode, t) { + if (!ebitmap_node_get_bit(tnode, t)) + continue; + + for (ft = policydbp->filename_trans; ft; ft = ft->next) { + if (ft->stype == (s + 1) && + ft->ttype == (t + 1) && + ft->tclass == (c + 1) && + !strcmp(ft->name, name)) { + yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s", + name, + policydbp->p_type_val_to_name[s], + policydbp->p_type_val_to_name[t], + policydbp->p_class_val_to_name[c]); + goto bad; + } + } + + ft = malloc(sizeof(*ft)); + if (!ft) { + yyerror("out of memory"); + goto bad; + } + memset(ft, 0, sizeof(*ft)); + + ft->next = policydbp->filename_trans; + policydbp->filename_trans = ft; + + ft->name = strdup(name); + if (!ft->name) { + yyerror("out of memory"); + goto bad; + } + ft->stype = s + 1; + ft->ttype = t + 1; + ft->tclass = c + 1; + ft->otype = otype; + } + } + + /* Now add the real rule since we didn't find any duplicates */ + ftr = malloc(sizeof(*ftr)); + if (!ftr) { + yyerror("out of memory"); + goto bad; + } + filename_trans_rule_init(ftr); + append_filename_trans(ftr); + + ftr->name = strdup(name); + ftr->stypes = stypes; + ftr->ttypes = ttypes; + ftr->tclass = c + 1; + ftr->otype = otype; + } + + free(name); + 
ebitmap_destroy(&e_stypes); + ebitmap_destroy(&e_ttypes); + ebitmap_destroy(&e_tclasses); + + return 0; + +bad: + free(name); + return -1; +} + static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr) { constraint_expr_t *h = NULL, *l = NULL, *e, *newe; diff --git a/libqpol/src/policy_define.h b/libqpol/src/policy_define.h index 7be626c..f273fed 100644 --- a/libqpol/src/policy_define.h +++ b/libqpol/src/policy_define.h @@ -26,6 +26,7 @@ avrule_t *define_cond_compute_type(int which); avrule_t *define_cond_pol_list(avrule_t * avlist, avrule_t * stmt); avrule_t *define_cond_te_avtab(int which); +avrule_t *define_cond_filename_trans(void); cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2); int define_attrib(void); int define_av_perms(int inherits); @@ -58,6 +59,7 @@ int define_range_trans(int class_specified); int define_role_allow(void); int define_role_trans(void); int define_role_types(void); +int define_filename_trans(void); int define_sens(void); int define_te_avtab(int which); int define_typealias(void); diff --git a/libqpol/src/policy_parse.y b/libqpol/src/policy_parse.y index 84f4114..dc16c6f 100644 --- a/libqpol/src/policy_parse.y +++ b/libqpol/src/policy_parse.y @@ -98,6 +98,7 @@ extern char *qpol_src_inputlim;/* end of data */ %type <require_func> require_decl_def %token PATH +%token FILENAME %token CLONE %token COMMON %token CLASS @@ -360,7 +361,10 @@ cond_rule_def : cond_transition_def | require_block { $$ = NULL; } ; -cond_transition_def : TYPE_TRANSITION names names ':' names identifier ';' +cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' + { $$ = define_cond_filename_trans() ; + if ($$ == COND_ERR) return -1;} + | TYPE_TRANSITION names names ':' names identifier ';' { $$ = define_cond_compute_type(AVRULE_TRANSITION) ; if ($$ == COND_ERR) return -1;} | TYPE_MEMBER names names ':' names identifier ';' 
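Review bot: The `bad:` label in define_filename_trans frees only `name`, so every `goto bad` after the type sets and ebitmaps are initialised leaks `stypes`, `ttypes`, `e_tclasses`, `e_stypes` and `e_ttypes`; the `unknown class %s` and `unknown type %s used in transition definition` paths additionally leak the `id` just removed from the queue, and on the success path `e_stypes`/`e_ttypes` are destroyed only after the loop while `stypes`/`ttypes` are handed to the rule. Inside the per-class loop `ftr->stypes = stypes; ftr->ttypes = ttypes;` copies the same ebitmap storage into every rule when more than one class is listed, which looks like a double free once the rules are destroyed (confirm against filename_trans_rule's destructor); `ftr->name = strdup(name)` is also unchecked, and the `ft` entry is linked into `policydbp->filename_trans` before its `strdup` is checked, leaving a NULL `name` that the `strcmp(ft->name, name)` scan would dereference. Initialising all containers up front, giving each rule its own copy with `type_set_cpy`, and releasing everything at a single exit label fixes all of these:
```c
int define_filename_trans(void)
{
	/* … unchanged: declarations and the pass == 1 queue draining … */
	int rc = -1;

	/* initialise everything here so a single cleanup label is always safe */
	type_set_init(&stypes);
	type_set_init(&ttypes);
	ebitmap_init(&e_tclasses);
	ebitmap_init(&e_stypes);
	ebitmap_init(&e_ttypes);
	/* … unchanged: stype, ttype and class parsing … */
		if (!cladatum) {
			yyerror2("unknown class %s", id);
			free(id);
			goto bad;
		}
	/* … unchanged: otype parsing … */
	if (!typdatum) {
		yyerror2("unknown type %s used in transition definition", id);
		free(id);
		goto bad;
	}
	/* … unchanged: name, type_set_expand and duplicate scan … */
				ft = calloc(1, sizeof(*ft));
				if (!ft) {
					yyerror("out of memory");
					goto bad;
				}
				ft->name = strdup(name);
				if (!ft->name) {
					/* not yet linked, so it can simply be dropped */
					free(ft);
					yyerror("out of memory");
					goto bad;
				}
				ft->next = policydbp->filename_trans;
				policydbp->filename_trans = ft;
	/* … unchanged: stype/ttype/tclass/otype assignment … */
		/* each class gets its own copy; the originals are released below */
		ftr->name = strdup(name);
		if (!ftr->name || type_set_cpy(&ftr->stypes, &stypes) ||
		    type_set_cpy(&ftr->ttypes, &ttypes)) {
			yyerror("out of memory");
			goto bad;
		}
		ftr->tclass = c + 1;
		ftr->otype = otype;
	}

	rc = 0;
bad:
	free(name);
	type_set_destroy(&stypes);
	type_set_destroy(&ttypes);
	ebitmap_destroy(&e_tclasses);
	ebitmap_destroy(&e_stypes);
	ebitmap_destroy(&e_ttypes);
	return rc;
}
```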
@@ -395,7 +399,9 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';' { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT); if ($$ == COND_ERR) return -1; } ; -transition_def : TYPE_TRANSITION names names ':' names identifier ';' +transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' + {if (define_filename_trans()) return -1; } + | TYPE_TRANSITION names names ':' names identifier ';' {if (define_compute_type(AVRULE_TRANSITION)) return -1;} | TYPE_MEMBER names names ':' names identifier ';' {if (define_compute_type(AVRULE_MEMBER)) return -1;} @@ -752,6 +758,9 @@ identifier : IDENTIFIER path : PATH { if (insert_id(yytext,0)) return -1; } ; +filename : FILENAME + { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; } + ; number : NUMBER { $$ = strtoul(yytext,NULL,0); } ; diff --git a/libqpol/src/policy_scan.l b/libqpol/src/policy_scan.l index 75485f3..30203cd 100644 --- a/libqpol/src/policy_scan.l +++ b/libqpol/src/policy_scan.l @@ -235,6 +235,7 @@ POLICYCAP { return(POLICYCAP); } permissive | PERMISSIVE { return(PERMISSIVE); } "/"({alnum}|[_\.\-/])* { return(PATH); } +\"({alnum}|[_\.\-])+\" { return(FILENAME); } {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } {digit}+|0x{hexval}+ { return(NUMBER); } {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } diff --git a/man/replcon.1 b/man/replcon.1 index 8aca08a..478dc51 100644 --- a/man/replcon.1 +++ b/man/replcon.1 @@ -44,6 +44,8 @@ Search for files which include PATH. .IP "-c CLASS, --class=CLASS" Search only files of object class CLASS. .SH OPTIONS +.IP "-R, --regex" +Enable regular expressions .IP "-v, --verbose" Display context info during replacement. .IP "-h, --help" diff --git a/man/seinfo.1 b/man/seinfo.1 index 8612119..6bc17db 100644 --- a/man/seinfo.1 +++ b/man/seinfo.1 
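Review bot: The new `filename` rule strips the quotes by writing into the scanner's buffer, `yytext[strlen(yytext) - 1] = '\0'`, and then passing `yytext + 1`; that is only safe because the FILENAME pattern added in policy_scan.l (`\"({alnum}|[_\.\-])+\"`) guarantees a token of at least three characters, a coupling nothing in the grammar records. A comment on the action, `/* FILENAME is always "<one or more chars>", so the token is at least 3 bytes and both quotes can be dropped in place */`, ties the two files together for the next person who touches either regex. The action also relies on `strlen` being visible in the generated parser, which the prologue outside the hunk must provide.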
@@ -76,6 +76,10 @@ There is no expanded information for this component. .IP "--nodecon[=ADDR]" Print a list of node contexts or, if ADDR is provided, print the statement for the node with address ADDR. There is no expanded information for this component. +.IP "--polcap" +Print policy capabilities. +.IP "--permissive" +Print permissive types. .IP "--portcon[=PORT]" Print a list of port contexts or, if PORT is provided, print the statement for port PORT. There is no expanded information for this component. @@ -93,7 +97,7 @@ These details include the types assigned to an attribute or role and the permiss This option is not available for all component types; see the description of each component for the details this option will provide. .IP "--stats" Print policy statistics including policy type and version information and counts of all components and rules. -.IP "-l" +.IP "-l, --line-breaks" Print line breaks when displaying constraint statements. .IP "-h, --help" Print help information and exit. diff --git a/man/sesearch.1 b/man/sesearch.1 index d002faf..573aedd 100644 --- a/man/sesearch.1 +++ b/man/sesearch.1 @@ -66,6 +66,8 @@ all rules of that type are considered to match the expression. Find rules with type/attribute NAME as their source. .IP "-t NAME, --target=NAME" Find rules with type/attribute NAME as their target. +.IP "-D NAME, --default=NAME" +Find rules with type NAME as their default. .IP "--role_source=NAME" Find rules with role NAME as their source. .IP "--role_target=NAME" diff --git a/seaudit/progress.c b/seaudit/progress.c index 01b01fb..2e0abeb 100644 --- a/seaudit/progress.c +++ b/seaudit/progress.c 
@@ -99,10 +99,11 @@ void progress_hide(progress_t * progress) int progress_wait(progress_t * progress) { - GTimeVal wait_time = { 0, 50000 }; + gint64 end_time; g_mutex_lock(progress->mutex); while (!progress->done) { - g_cond_timed_wait(progress->cond, progress->mutex, &wait_time); + end_time = g_get_monotonic_time () + 50000; // need to be set before each wait + g_cond_wait_until(progress->cond, progress->mutex, end_time); if (progress->s != NULL) { gtk_label_set_text(GTK_LABEL(progress->label2), progress->s); free(progress->s); diff --git a/seaudit/seaudit-report.c b/seaudit/seaudit-report.c index af3c6fb..d436c18 100644 --- a/seaudit/seaudit-report.c +++ b/seaudit/seaudit-report.c @@ -100,7 +100,7 @@ static void seaudit_report_info_usage(const char *program_name, int brief) printf(" -s, --stdin read log data from standard input\n"); printf(" -m, --malformed include malformed log messages\n"); printf(" -o FILE, --output=FILE output to FILE\n"); - printf(" --config=FILE read configuration from FILE\n"); + printf(" -c FILE, --config=FILE read configuration from FILE\n"); printf(" --html set output format to HTML\n"); printf(" --stylesheet=FILE HTML style sheet for formatting HTML report\n"); printf(" (ignored if --html is not given)\n"); diff --git a/secmds/seinfo.c b/secmds/seinfo.c index fdf23e9..a970890 100644 --- a/secmds/seinfo.c +++ b/secmds/seinfo.c 
@@ -54,13 +54,13 @@ static char *policy_file = NULL; -static void print_type_attrs(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand); -static void print_attr_types(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand); -static void print_user_roles(FILE * fp, const qpol_user_t * user_datum, const apol_policy_t * policydb, const int expand); -static void print_role_types(FILE * fp, const qpol_role_t * role_datum, const apol_policy_t * policydb, const int expand); -static void print_bool_state(FILE * fp, const qpol_bool_t * bool_datum, const apol_policy_t * policydb, const int expand); -static void print_class_perms(FILE * fp, const qpol_class_t * class_datum, const apol_policy_t * policydb, const int expand); -static void print_cat_sens(FILE * fp, const qpol_cat_t * cat_datum, const apol_policy_t * policydb, const int expand); +static int print_type_attrs(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand); +static int print_attr_types(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand); +static int print_user_roles(FILE * fp, const qpol_user_t * user_datum, const apol_policy_t * policydb, const int expand); +static int print_role_types(FILE * fp, const qpol_role_t * role_datum, const apol_policy_t * policydb, const int expand); +static int print_bool_state(FILE * fp, const qpol_bool_t * bool_datum, const apol_policy_t * policydb, const int expand); +static int print_class_perms(FILE * fp, const qpol_class_t * class_datum, const apol_policy_t * policydb, const int expand); +static int print_cat_sens(FILE * fp, const qpol_cat_t * cat_datum, const apol_policy_t * policydb, const int expand); static int qpol_cat_datum_compare(const void *datum1, const void *datum2, void *data); static int qpol_level_datum_compare(const void *datum1, const void *datum2, void *data); 
@@ -446,7 +446,8 @@ static int print_classes(FILE * fp, const char *name, int expand, const apol_pol if (name != NULL) { if (qpol_policy_get_class_by_name(q, name, &class_datum)) goto cleanup; - print_class_perms(fp, class_datum, policydb, expand); + if (print_class_perms(fp, class_datum, policydb, expand)) + goto cleanup; } else { if (qpol_policy_get_class_iter(q, &iter)) goto cleanup; @@ -457,7 +458,8 @@ static int print_classes(FILE * fp, const char *name, int expand, const apol_pol for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { if (qpol_iterator_get_item(iter, (void **)&class_datum)) goto cleanup; - print_class_perms(fp, class_datum, policydb, expand); + if (print_class_perms(fp, class_datum, policydb, expand)) + goto cleanup; } qpol_iterator_destroy(&iter); } @@ -510,7 +512,8 @@ static int print_types(FILE * fp, const char *name, int expand, const apol_polic if (name != NULL) { if (qpol_policy_get_type_by_name(q, name, &type_datum)) goto cleanup; - print_type_attrs(fp, type_datum, policydb, expand); + if (print_type_attrs(fp, type_datum, policydb, expand)) + goto cleanup; } else { if (qpol_policy_get_type_iter(q, &iter)) goto cleanup; @@ -518,7 +521,8 @@ static int print_types(FILE * fp, const char *name, int expand, const apol_polic for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { if (qpol_iterator_get_item(iter, (void **)&type_datum)) goto cleanup; - print_type_attrs(fp, type_datum, policydb, expand); + if (print_type_attrs(fp, type_datum, policydb, expand)) + goto cleanup; } } @@ -569,7 +573,10 @@ static int print_attribs(FILE * fp, const char *name, int expand, const apol_pol } type_datum = apol_vector_get_element(v, (size_t) 0); - print_attr_types(fp, type_datum, policydb, expand); + if (!type_datum) + goto cleanup; + if (print_attr_types(fp, type_datum, policydb, expand)) + goto cleanup; } else { attr_query = apol_attr_query_create(); if (!attr_query) 
@@ -585,7 +592,8 @@ static int print_attribs(FILE * fp, const char *name, int expand, const apol_pol type_datum = (qpol_type_t *) apol_vector_get_element(v, (size_t) i); if (!type_datum) goto cleanup; - print_attr_types(fp, type_datum, policydb, expand); + if (print_attr_types(fp, type_datum, policydb, expand)) + goto cleanup; } } apol_vector_destroy(&v); @@ -623,7 +631,8 @@ static int print_roles(FILE * fp, const char *name, int expand, const apol_polic if (name != NULL) { if (qpol_policy_get_role_by_name(q, name, &role_datum)) goto cleanup; - print_role_types(fp, role_datum, policydb, expand); + if (print_role_types(fp, role_datum, policydb, expand)) + goto cleanup; } else { if (qpol_policy_get_role_iter(q, &iter)) goto cleanup; @@ -634,7 +643,8 @@ static int print_roles(FILE * fp, const char *name, int expand, const apol_polic for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { if (qpol_iterator_get_item(iter, (void **)&role_datum)) goto cleanup; - print_role_types(fp, role_datum, policydb, expand); + if (print_role_types(fp, role_datum, policydb, expand)) + goto cleanup; } qpol_iterator_destroy(&iter); } @@ -671,7 +681,8 @@ static int print_booleans(FILE * fp, const char *name, int expand, const apol_po if (name != NULL) { if (qpol_policy_get_bool_by_name(q, name, &bool_datum)) goto cleanup; - print_bool_state(fp, bool_datum, policydb, expand); + if (print_bool_state(fp, bool_datum, policydb, expand)) + goto cleanup; } else { if (qpol_policy_get_bool_iter(q, &iter)) goto cleanup; @@ -681,7 +692,8 @@ static int print_booleans(FILE * fp, const char *name, int expand, const apol_po for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { if (qpol_iterator_get_item(iter, (void **)&bool_datum)) goto cleanup; - print_bool_state(fp, bool_datum, policydb, expand); + if (print_bool_state(fp, bool_datum, policydb, expand)) + goto cleanup; } qpol_iterator_destroy(&iter); } 
@@ -719,7 +731,8 @@ static int print_users(FILE * fp, const char *name, int expand, const apol_polic if (name != NULL) { if (qpol_policy_get_user_by_name(q, name, &user_datum)) goto cleanup; - print_user_roles(fp, user_datum, policydb, expand); + if (print_user_roles(fp, user_datum, policydb, expand)) + goto cleanup; } else { if (qpol_policy_get_user_iter(q, &iter)) goto cleanup; @@ -730,7 +743,8 @@ static int print_users(FILE * fp, const char *name, int expand, const apol_polic for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { if (qpol_iterator_get_item(iter, (void **)&user_datum)) goto cleanup; - print_user_roles(fp, user_datum, policydb, expand); + if (print_user_roles(fp, user_datum, policydb, expand)) + goto cleanup; } qpol_iterator_destroy(&iter); } @@ -827,7 +841,7 @@ static int print_sens(FILE * fp, const char *name, int expand, const apol_policy */ static int print_cats(FILE * fp, const char *name, int expand, const apol_policy_t * policydb) { - int retval = 0; + int retval = -1; apol_cat_query_t *query = NULL; apol_vector_t *v = NULL; const qpol_cat_t *cat_datum = NULL; @@ -851,7 +865,8 @@ static int print_cats(FILE * fp, const char *name, int expand, const apol_policy cat_datum = apol_vector_get_element(v, i); if (!cat_datum) goto cleanup; - print_cat_sens(fp, cat_datum, policydb, expand); + if (print_cat_sens(fp, cat_datum, policydb, expand)) + goto cleanup; } @@ -911,9 +926,10 @@ static int print_fsuse(FILE * fp, const char *type, const apol_policy_t * policy fprintf(fp, " %s\n", tmp); free(tmp); } - if (type && !apol_vector_get_size(v)) + if (type && !apol_vector_get_size(v)) { ERR(policydb, "No fs_use statement for filesystem of type %s.", type); - + goto cleanup; + } retval = 0; cleanup: apol_fs_use_query_destroy(&query); 
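Review bot: In print_fsuse the new `goto cleanup` on the empty-result branch only turns into a failing return if `retval` starts out as -1, and that initialiser sits above the hunk; the same commit had to change exactly that line in print_cats (`int retval = -1;`), which suggests not every printer in this file was initialised that way. The print_genfscon hunk on the next line (@@ -967) makes the identical change and has the same dependency. If either function still begins with `int retval = 0;`, the new branch prints the error and then reports success; confirming both initialisers, or setting `retval = -1;` immediately before each new `goto cleanup`, closes that gap.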
@@ -949,7 +965,6 @@ static int print_genfscon(FILE * fp, const char *type, const apol_policy_t * pol ERR(policydb, "%s", strerror(ENOMEM)); goto cleanup; } - if (apol_genfscon_query_set_filesystem(policydb, query, type)) goto cleanup; if (apol_genfscon_get_by_query(policydb, query, &v)) @@ -967,8 +982,10 @@ static int print_genfscon(FILE * fp, const char *type, const apol_policy_t * pol free(tmp); } - if (type && !apol_vector_get_size(v)) + if (type && !apol_vector_get_size(v)) { ERR(policydb, "No genfscon statement for filesystem of type %s.", type); + goto cleanup; + } retval = 0; cleanup: @@ -1646,6 +1663,7 @@ cleanup: // close and destroy iterators etc. int main(int argc, char **argv) { + int rc = 0; int classes, types, attribs, roles, users, all, expand, stats, rt, optc, isids, bools, sens, cats, fsuse, genfs, netif, node, port, permissives, polcaps, constrain, linebreaks; apol_policy_t *policydb = NULL; 
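Review bot: The `rc` introduced here is overwritten by every `rc = print_*(...)` assignment in the display section that follows (the @@ -1851 hunk, cut off at the end of the page), so a failure from print_stats or print_classes is masked as soon as a later printer returns 0, and `seinfo --all` can exit successfully after printing an error. Accumulating instead of assigning, e.g. `if (print_stats(stdout, policydb)) rc = -1;` for each call, preserves the first failure. main's body continues well past the hunk, so the eventual `return` of `rc` is not visible here.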
@@ -1851,46 +1869,46 @@ int main(int argc, char **argv) /* display requested info */ if (stats || all) - print_stats(stdout, policydb); + rc = print_stats(stdout, policydb); if (classes || all) - print_classes(stdout, class_name, expand, policydb); + rc = print_classes(stdout, class_name, expand, policydb); if (types || all) - print_types(stdout, type_name, expand, policydb); + rc = print_types(stdout, type_name, expand, policydb); if (attribs || all) - print_attribs(stdout, attrib_name, expand, policydb); + rc = print_attribs(stdout, attrib_name, expand, policydb); if (roles || all) - print_roles(stdout, role_name, expand, policydb); + rc = print_roles(stdout, role_name, expand, policydb); if (users || all) - print_users(stdout, user_name, expand, policydb); + rc = print_users(stdout, user_name, expand, policydb); if (bools || all) - print_booleans(stdout, bool_name, expand, policydb); + rc = print_booleans(stdout, bool_name, expand, policydb); if (sens || all) - print_sens(stdout, sens_name, expand, policydb); + rc = print_sens(stdout, sens_name, expand, policydb); if (cats || all) - print_cats(stdout, cat_name, expand, policydb); + rc = print_cats(stdout, cat_name, expand, policydb); if (fsuse || all) - print_fsuse(stdout, fsuse_type, policydb); + rc = print_fsuse(stdout, fsuse_type, policydb); if (genfs || all) - print_genfscon(stdout, genfs_type, policydb); + rc = print_genfscon(stdout, genfs_type, policydb); if (netif || all) - print_netifcon(stdout, netif_name, policydb); + rc = print_netifcon(stdout, netif_name, policydb); if (node || all) - print_nodecon(stdout, node_addr, policydb); + rc = print_nodecon(stdout, node_addr, policydb); if (port || all) - print_portcon(stdout, port_num, protocol, policydb); + rc = print_portcon(stdout, port_num, protocol, policydb); if (isids || all) - print_isids(stdout, isid_name, expand, policydb); + rc = print_isids(stdout, isid_name, expand, policydb); if (permissives || all) - print_permissives(stdout, permissive_name, 
expand, policydb); + rc = print_permissives(stdout, permissive_name, expand, policydb); if (polcaps || all) - print_polcaps(stdout, polcap_name, expand, policydb); + rc = print_polcaps(stdout, polcap_name, expand, policydb); if (constrain || all) - print_constraints(stdout, expand, policydb, linebreaks); + rc = print_constraints(stdout, expand, policydb, linebreaks); apol_policy_destroy(&policydb); apol_policy_path_destroy(&pol_path); free(policy_file); - exit(0); + exit(rc); } /** @@ -1903,8 +1921,9 @@ int main(int argc, char **argv) * @param expand Flag indicating whether to print each type's * attributes */ -static void print_type_attrs(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand) +static int print_type_attrs(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand) { + int retval = -1; qpol_iterator_t *iter = NULL; unsigned char isattr, isalias; const char *type_name = NULL, *attr_name = NULL; @@ -1933,9 +1952,10 @@ static void print_type_attrs(FILE * fp, const qpol_type_t * type_datum, const ap } } + retval = 0; cleanup: qpol_iterator_destroy(&iter); - return; + return retval; } /** @@ -1948,8 +1968,9 @@ static void print_type_attrs(FILE * fp, const qpol_type_t * type_datum, const ap * @param expand Flag indicating whether to print each attribute's * types */ -static void print_attr_types(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand) +static int print_attr_types(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand) { + int retval = -1; const qpol_type_t *attr_datum = NULL; qpol_iterator_t *iter = NULL; const char *attr_name = NULL, *type_name = NULL; @@ -1981,9 +2002,10 @@ static void print_attr_types(FILE * fp, const qpol_type_t * type_datum, const ap } + retval = 0; cleanup: qpol_iterator_destroy(&iter); - return; + return retval; } /** 
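Review bot: In main the `rc = print_...` assignments each overwrite the previous result, so with `all` (or several flags combined) an earlier printer's failure is masked by a later one that succeeds, and because the printers return -1 the final `exit(rc)` yields exit status 255 rather than 1. Accumulate instead, e.g. `if (print_stats(stdout, policydb)) rc = 1;` for each call, and finish with `exit(rc ? EXIT_FAILURE : EXIT_SUCCESS);`. The option parsing and policy-loading part of main lies outside the hunk.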
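Review bot: print_type_attrs changes from void to int but the Doxygen block directly above the signature still documents only the parameters; add `@return 0 on success, -1 on error` to it. The same applies to print_attr_types in the @@ -1948 hunk and to print_user_roles, print_role_types, print_bool_state, print_class_perms and print_cat_sens in the following hunks, all of which now return retval.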
@@ -1996,8 +2018,9 @@ static void print_attr_types(FILE * fp, const qpol_type_t * type_datum, const ap * @param expand Flag indicating whether to print each user's * roles */ -static void print_user_roles(FILE * fp, const qpol_user_t * user_datum, const apol_policy_t * policydb, const int expand) +static int print_user_roles(FILE * fp, const qpol_user_t * user_datum, const apol_policy_t * policydb, const int expand) { + int retval = -1; const qpol_role_t *role_datum = NULL; qpol_iterator_t *iter = NULL; const qpol_mls_range_t *range = NULL; @@ -2046,11 +2069,12 @@ static void print_user_roles(FILE * fp, const qpol_user_t * user_datum, const ap } } + retval = 0; cleanup: qpol_iterator_destroy(&iter); apol_mls_level_destroy(&ap_lvl); apol_mls_range_destroy(&ap_range); - return; + return retval; } /** @@ -2063,8 +2087,9 @@ static void print_user_roles(FILE * fp, const qpol_user_t * user_datum, const ap * @param expand Flag indicating whether to print each role's * types */ -static void print_role_types(FILE * fp, const qpol_role_t * role_datum, const apol_policy_t * policydb, const int expand) +static int print_role_types(FILE * fp, const qpol_role_t * role_datum, const apol_policy_t * policydb, const int expand) { + int retval = -1; const char *role_name = NULL, *type_name = NULL; const qpol_role_t *dom_datum = NULL; const qpol_type_t *type_datum = NULL; @@ -2111,9 +2136,10 @@ static void print_role_types(FILE * fp, const qpol_role_t * role_datum, const ap } } + retval = 0; cleanup: qpol_iterator_destroy(&iter); - return; + return retval; } /** 
@@ -2126,22 +2152,27 @@ static void print_role_types(FILE * fp, const qpol_role_t * role_datum, const ap * @param expand Flag indicating whether to print each boolean's * initial state */ -static void print_bool_state(FILE * fp, const qpol_bool_t * bool_datum, const apol_policy_t * policydb, const int expand) +static int print_bool_state(FILE * fp, const qpol_bool_t * bool_datum, const apol_policy_t * policydb, const int expand) { + int retval = -1; const char *bool_name = NULL; qpol_policy_t *q = apol_policy_get_qpol(policydb); int state; if (qpol_bool_get_name(q, bool_datum, &bool_name)) - return; + goto cleanup; fprintf(fp, " %s", bool_name); if (expand) { if (qpol_bool_get_state(q, bool_datum, &state)) - return; + goto cleanup; fprintf(fp, ": %s", state ? "TRUE" : "FALSE"); } fprintf(fp, "\n"); + + retval = 0; + cleanup: + return retval; } /** @@ -2154,8 +2185,9 @@ static void print_bool_state(FILE * fp, const qpol_bool_t * bool_datum, const ap * @param expand Flag indicating whether to print each object class' * permissions */ -static void print_class_perms(FILE * fp, const qpol_class_t * class_datum, const apol_policy_t * policydb, const int expand) +static int print_class_perms(FILE * fp, const qpol_class_t * class_datum, const apol_policy_t * policydb, const int expand) { + int retval = -1; const char *class_name = NULL, *perm_name = NULL; qpol_iterator_t *iter = NULL; const qpol_common_t *common_datum = NULL; @@ -2194,9 +2226,10 @@ static void print_class_perms(FILE * fp, const qpol_class_t * class_datum, const qpol_iterator_destroy(&iter); } + retval = 0; cleanup: qpol_iterator_destroy(&iter); - return; + return retval; } /** 
@@ -2209,8 +2242,9 @@ static void print_class_perms(FILE * fp, const qpol_class_t * class_datum, const * @param expand Flag indicating whether to print each category's * sensitivities */ -static void print_cat_sens(FILE * fp, const qpol_cat_t * cat_datum, const apol_policy_t * policydb, const int expand) +static int print_cat_sens(FILE * fp, const qpol_cat_t * cat_datum, const apol_policy_t * policydb, const int expand) { + int retval = -1; const char *cat_name, *lvl_name; apol_level_query_t *query = NULL; apol_vector_t *v = NULL; @@ -2250,10 +2284,11 @@ static void print_cat_sens(FILE * fp, const qpol_cat_t * cat_datum, const apol_p } } + retval = 0; cleanup: apol_level_query_destroy(&query); apol_vector_destroy(&v); - return; + return retval; } /** diff --git a/secmds/sesearch.c b/secmds/sesearch.c index ec0315f..387d526 100644 --- a/secmds/sesearch.c +++ b/secmds/sesearch.c @@ -72,6 +72,7 @@ static struct option const longopts[] = { {"source", required_argument, NULL, 's'}, {"target", required_argument, NULL, 't'}, + {"default", required_argument, NULL, 'D'}, {"role_source", required_argument, NULL, EXPR_ROLE_SOURCE}, {"role_target", required_argument, NULL, EXPR_ROLE_TARGET}, {"class", required_argument, NULL, 'c'}, @@ -92,6 +93,7 @@ typedef struct options { char *src_name; char *tgt_name; + char *default_name; char *src_role_name; char *tgt_role_name; char *class_name; @@ -136,6 +138,7 @@ void usage(const char *program_name, int brief) printf("EXPRESSIONS:\n"); printf(" -s NAME, --source=NAME rules with type/attribute NAME as source\n"); printf(" -t NAME, --target=NAME rules with type/attribute NAME as target\n"); + printf(" -D NAME, --default=NAME rules with type NAME as default\n"); printf(" --role_source=NAME rules with role NAME as source\n"); printf(" --role_target=NAME rules with role NAME as target\n"); printf(" -c NAME, --class=NAME rules with class NAME as the object class\n"); 
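Review bot: The usage text added in the @@ -136 hunk describes -D as `rules with type NAME as default`, but the same option value is also passed to apol_role_trans_query_set_default in the @@ -689 hunk, where the default of a role_transition is presumably a role rather than a type. Either word the help line neutrally, e.g. `-D NAME, --default=NAME  rules with type/role NAME as default`, or note in usage() that the option filters both kinds of rule. Check that the sesearch man page entry says the same thing.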
@@ -293,7 +296,10 @@ static void print_syn_av_results(const apol_policy_t * policy, const options_t * tmp = apol_cond_expr_render(policy, cond); enable_char = (enabled ? 'E' : 'D'); branch_char = ((is_true && enabled) || (!is_true && !enabled) ? 'T' : 'F'); - asprintf(&expr, "[ %s ]", tmp); + if (asprintf(&expr, "[ %s ]", tmp) < 0) { + expr = NULL; + goto cleanup; + } free(tmp); tmp = NULL; if (!expr) @@ -356,7 +362,10 @@ static void print_av_results(const apol_policy_t * policy, const options_t * opt qpol_iterator_destroy(&iter); enable_char = (enabled ? 'E' : 'D'); branch_char = (list ? 'T' : 'F'); - asprintf(&expr, "[ %s ]", tmp); + if (asprintf(&expr, "[ %s ]", tmp) < 0) { + expr = NULL; + goto cleanup; + } free(tmp); tmp = NULL; if (!expr) @@ -412,6 +421,8 @@ static int perform_te_query(const apol_policy_t * policy, const options_t * opt, apol_terule_query_set_target(policy, teq, opt->tgt_name, opt->indirect); if (opt->bool_name) apol_terule_query_set_bool(policy, teq, opt->bool_name); + if (opt->default_name) + apol_terule_query_set_default(policy, teq, opt->default_name); if (opt->class_name) { if (opt->class_vector == NULL) { if (apol_terule_query_append_class(policy, teq, opt->class_name)) { @@ -488,11 +499,14 @@ static void print_syn_te_results(const apol_policy_t * policy, const options_t * tmp = apol_cond_expr_render(policy, cond); enable_char = (enabled ? 'E' : 'D'); branch_char = ((is_true && enabled) || (!is_true && !enabled) ? 'T' : 'F'); - asprintf(&expr, "[ %s ]", tmp); + if (asprintf(&expr, "[ %s ]", tmp) < 0) { + expr = NULL; + goto cleanup; + } free(tmp); tmp = NULL; if (!expr) - break; + goto cleanup; } } if (!(rule_str = apol_syn_terule_render(policy, rule))) 
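Review bot: On the new asprintf failure path in print_syn_av_results the string returned by apol_cond_expr_render is still held in `tmp` when control jumps to cleanup; the `free(tmp); tmp = NULL;` that follows suggests cleanup frees tmp as well, but if it does not, the rendered expression leaks on that path. Releasing it before the jump is safe either way: `free(tmp); tmp = NULL; expr = NULL; goto cleanup;`. The same pattern appears in the @@ -356 and @@ -488 hunks here and in the @@ -553 hunk of print_te_results; in all of them the `if (!expr)` test right after the block is now redundant, since a successful asprintf never leaves expr NULL.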
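Review bot: The new apol_terule_query_set_default call in perform_te_query (@@ -412) discards its return value, whereas the same setter on the filename-transition query in perform_ft_query checks it and jumps to err; a failed setter silently turns a filtered search into an unfiltered one. This matches how the neighbouring set_target and set_bool calls are written, but the newly added line could use whichever error exit perform_te_query already has (its body extends beyond the hunk), e.g. `if (opt->default_name && apol_terule_query_set_default(policy, teq, opt->default_name)) goto err;`.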
@@ -553,7 +567,10 @@ static void print_te_results(const apol_policy_t * policy, const options_t * opt qpol_iterator_destroy(&iter); enable_char = (enabled ? 'E' : 'D'); branch_char = (list ? 'T' : 'F'); - asprintf(&expr, "[ %s ]", tmp); + if (asprintf(&expr, "[ %s ]", tmp) < 0) { + expr = NULL; + goto cleanup; + } free(tmp); tmp = NULL; if (!expr) 
@@ -575,6 +592,114 @@ static void print_te_results(const apol_policy_t * policy, const options_t * opt free(expr); } +static int perform_ft_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v) +{ + apol_filename_trans_query_t *ftq = NULL; + int error = 0; + + if (!policy || !opt || !v) { + ERR(policy, "%s", strerror(EINVAL)); + errno = EINVAL; + return -1; + } + + if (!opt->type && !opt->all) { + *v = NULL; + return 0; /* no search to do */ + } + + ftq = apol_filename_trans_query_create(); + if (!ftq) { + ERR(policy, "%s", strerror(ENOMEM)); + errno = ENOMEM; + return -1; + } + + apol_filename_trans_query_set_regex(policy, ftq, opt->useregex); + if (opt->src_name) { + if (apol_filename_trans_query_set_source(policy, ftq, opt->src_name, opt->indirect)) { + error = errno; + goto err; + } + } + + if (opt->tgt_name) { + if (apol_filename_trans_query_set_target(policy, ftq, opt->tgt_name, opt->indirect)) { + error = errno; + goto err; + } + } + + if (opt->default_name) { + if (apol_filename_trans_query_set_default(policy, ftq, opt->default_name)) { + error = errno; + goto err; + } + } + + if (opt->class_name) { + if (opt->class_vector == NULL) { + if (apol_filename_trans_query_append_class(policy, ftq, opt->class_name)) { + error = errno; + goto err; + } + } else { + for (size_t i = 0; i < apol_vector_get_size(opt->class_vector); ++i) { + char *class_name; + class_name = apol_vector_get_element(opt->class_vector, i); + if (!class_name) + continue; + if (apol_filename_trans_query_append_class(policy, ftq, class_name)) { + error = errno; + goto err; + } + } + } + } + + if (apol_filename_trans_get_by_query(policy, ftq, v)) { + error = errno; + goto err; + } + + apol_filename_trans_query_destroy(&ftq); + return 0; + + err: + apol_vector_destroy(v); + apol_filename_trans_query_destroy(&ftq); + ERR(policy, "%s", strerror(error)); + errno = error; + return -1; +} + +static void print_ft_results(const apol_policy_t * policy, const options_t * opt, 
const apol_vector_t * v) +{ + size_t i, num_filename_trans = 0; + const qpol_filename_trans_t *filename_trans = NULL; + char *filename_trans_str = NULL; + qpol_iterator_t *iter = NULL; + + if (!(num_filename_trans = apol_vector_get_size(v))) + goto cleanup; + + fprintf(stdout, "Found %zd named file transition rules:\n", num_filename_trans); + + for (i = 0; i < num_filename_trans; i++) { + if (!(filename_trans = apol_vector_get_element(v, i))) + goto cleanup; + + if (!(filename_trans_str = apol_filename_trans_render(policy, filename_trans))) + goto cleanup; + fprintf(stdout, "%s\n", filename_trans_str); + free(filename_trans_str); + filename_trans_str = NULL; + } + + cleanup: + free(filename_trans_str); +} + static int perform_ra_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v) { apol_role_allow_query_t *raq = NULL; @@ -689,6 +814,13 @@ static int perform_rt_query(const apol_policy_t * policy, const options_t * opt, } } + if (opt->default_name) { + if (apol_role_trans_query_set_default(policy, rtq, opt->default_name)) { + error = errno; + goto err; + } + } + if (apol_role_trans_get_by_query(policy, rtq, v)) { error = errno; goto err; @@ -841,7 +973,7 @@ int main(int argc, char **argv) memset(&cmd_opts, 0, sizeof(cmd_opts)); cmd_opts.indirect = true; - while ((optc = getopt_long(argc, argv, "ATs:t:c:p:b:dRnSChV", longopts, NULL)) != -1) { + while ((optc = getopt_long(argc, argv, "ATs:t:c:p:b:dD:RnSChV", longopts, NULL)) != -1) { switch (optc) { case 0: break; @@ -869,6 +1001,18 @@ int main(int argc, char **argv) exit(1); } break; + case 'D': /* default */ + if (optarg == 0) { + usage(argv[0], 1); + printf("Missing default type for -D (--default)\n"); + exit(1); + } + cmd_opts.default_name = strdup(optarg); + if (!cmd_opts.default_name) { + + exit(1); + } + break; case EXPR_ROLE_SOURCE: if (optarg == 0) { usage(argv[0], 1); 
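Review bot: print_ft_results prints `num_filename_trans`, a size_t, with `%zd`, which is the conversion for the signed counterpart; use `fprintf(stdout, "Found %zu named file transition rules:\n", num_filename_trans);`. The function also declares `qpol_iterator_t *iter = NULL;` and never uses it, so that declaration can go. In perform_ft_query the early `*v = NULL; return 0;` exit means callers must treat a NULL vector as "no search performed", which main does with `if (v)` in the @@ -1128 hunk; a one-line comment on perform_ft_query stating that contract would help future callers.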
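Review bot: The strdup failure branch in the new `case 'D'` (@@ -869) exits with status 1 without any message (the block holds only a blank line and `exit(1)`), so an out-of-memory failure is indistinguishable from a usage error. Report it before exiting, e.g. `perror("strdup");` or whatever the other option cases use for this condition, and drop the stray blank line. Since `--default` is declared required_argument in the @@ -72 hunk, the `optarg == 0` test mirrors the existing cases but cannot trigger.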
@@ -1128,6 +1272,17 @@ int main(int argc, char **argv) print_te_results(policy, &cmd_opts, v); fprintf(stdout, "\n"); } + + apol_vector_destroy(&v); + if (perform_ft_query(policy, &cmd_opts, &v)) { + rt = 1; + goto cleanup; + } + if (v) { + print_ft_results(policy, &cmd_opts, v); + fprintf(stdout, "\n"); + } + apol_vector_destroy(&v); if (perform_ra_query(policy, &cmd_opts, &v)) { rt = 1; @@ -1162,6 +1317,7 @@ int main(int argc, char **argv) apol_policy_path_destroy(&pol_path); free(cmd_opts.src_name); free(cmd_opts.tgt_name); + free(cmd_opts.default_name); free(cmd_opts.class_name); free(cmd_opts.permlist); free(cmd_opts.bool_name); diff --git a/sediff/sediff.c b/sediff/sediff.c index 6022775..341c650 100644 --- a/sediff/sediff.c +++ b/sediff/sediff.c @@ -420,7 +420,7 @@ int main(int argc, char **argv) poldiff_t *diff = NULL; size_t total = 0; - while ((optc = getopt_long(argc, argv, "ctarubANDLMCRqhV", longopts, NULL)) != -1) { + while ((optc = getopt_long(argc, argv, "ctarubAqhV", longopts, NULL)) != -1) { switch (optc) { case 0: break; |
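Review bot: The sediff getopt string drops the short options N, D, L, M, C and R; if the matching longopts entries (outside the hunk) still carry those characters as their val, the long forms keep working while the short forms now fail with an invalid-option diagnostic, and if the entries were removed too, the corresponding `case` labels in the switch below become unreachable. Confirm which is intended and make usage() and the man page describe the same option set.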