Gitiles
Code Review Sign In
review.blissroms.org / platform_external_selinux / refs/heads/r / . / secilc / secilc.c
blob: 186c5a7302217d437dde5beb19bef7453ecfcdae [file] [log] [blame]
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]1/*
2 * Copyright 2011 Tresys Technology, LLC. All rights reserved.
Nick Kralevich via Selinux0a71c5f2018-09-24 11:10:51 -0700[diff] [blame]3 *
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are met:
Nick Kralevich via Selinux0a71c5f2018-09-24 11:10:51 -0700[diff] [blame]6 *
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]7 * 1. Redistributions of source code must retain the above copyright notice,
8 * this list of conditions and the following disclaimer.
Nick Kralevich via Selinux0a71c5f2018-09-24 11:10:51 -0700[diff] [blame]9 *
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]10 * 2. Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
Nick Kralevich via Selinux0a71c5f2018-09-24 11:10:51 -0700[diff] [blame]13 *
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]14 * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS
15 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
16 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
17 * EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
18 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
19 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
21 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
22 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
23 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Nick Kralevich via Selinux0a71c5f2018-09-24 11:10:51 -0700[diff] [blame]24 *
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]25 * The views and conclusions contained in the software and documentation are those
26 * of the authors and should not be interpreted as representing official policies,
27 * either expressed or implied, of Tresys Technology, LLC.
28 */
29
30#include <stdlib.h>
31#include <stdio.h>
32#include <stdint.h>
33#include <string.h>
34#include <getopt.h>
35#include <sys/stat.h>
36
Stephen Smalleycacf51c2015-04-02 11:58:05 -0400[diff] [blame]37#ifdef ANDROID
bowgotsai86b71ed2016-09-30 11:17:55 +0800[diff] [blame]38#include <cil/cil.h>
Stephen Smalleycacf51c2015-04-02 11:58:05 -0400[diff] [blame]39#else
Yuli Khodorkovskiy36f62b72015-03-31 10:17:01 -0400[diff] [blame]40#include <sepol/cil/cil.h>
Stephen Smalleycacf51c2015-04-02 11:58:05 -0400[diff] [blame]41#endif
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]42#include <sepol/policydb.h>
43
Nicolas Iooss840a7c92017-03-05 18:13:02 +0100[diff] [blame]44static __attribute__((__noreturn__)) void usage(const char *prog)
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]45{
46 printf("Usage: %s [OPTION]... FILE...\n", prog);
47 printf("\n");
48 printf("Options:\n");
49 printf(" -o, --output=<file> write binary policy to <file>\n");
50 printf(" (default: policy.<version>)\n");
51 printf(" -f, --filecontext=<file> write file contexts to <file>\n");
52 printf(" (default: file_contexts)\n");
53 printf(" -t, --target=<type> specify target architecture. may be selinux or\n");
54 printf(" xen. (default: selinux)\n");
55 printf(" -M, --mls true|false build an mls policy. Must be true or false.\n");
56 printf(" This will override the (mls boolean) statement\n");
57 printf(" if present in the policy\n");
58 printf(" -c, --policyvers=<version> build a binary policy with a given <version>\n");
59 printf(" (default: %i)\n", POLICYDB_VERSION_MAX);
60 printf(" -U, --handle-unknown=<action> how to handle unknown classes or permissions.\n");
61 printf(" may be deny, allow, or reject. (default: deny)\n");
62 printf(" This will override the (handleunknown action)\n");
63 printf(" statement if present in the policy\n");
64 printf(" -D, --disable-dontaudit do not add dontaudit rules to the binary policy\n");
65 printf(" -P, --preserve-tunables treat tunables as booleans\n");
Dan Cashmanfafe4c22017-08-29 09:32:05 -0700[diff] [blame]66 printf(" -m, --multiple-decls allow some statements to be re-declared\n");
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]67 printf(" -N, --disable-neverallow do not check neverallow rules\n");
James Carterea175152017-04-12 13:46:53 -0400[diff] [blame]68 printf(" -G, --expand-generated Expand and remove auto-generated attributes\n");
69 printf(" -X, --expand-size <SIZE> Expand type attributes with fewer than <SIZE>\n");
70 printf(" members.\n");
Ondrej Mosnacekf7cb5902019-06-13 13:45:57 +0200[diff] [blame]71 printf(" -O, --optimize optimize final policy\n");
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]72 printf(" -v, --verbose increment verbosity level\n");
73 printf(" -h, --help display usage information\n");
74 exit(1);
75}
76
77int main(int argc, char *argv[])
78{
79 int rc = SEPOL_ERR;
80 sepol_policydb_t *pdb = NULL;
81 struct sepol_policy_file *pf = NULL;
82 FILE *binary = NULL;
83 FILE *file_contexts;
84 FILE *file = NULL;
85 char *buffer = NULL;
86 struct stat filedata;
87 uint32_t file_size;
88 char *output = NULL;
89 char *filecontexts = NULL;
90 struct cil_db *db = NULL;
91 int target = SEPOL_TARGET_SELINUX;
92 int mls = -1;
93 int disable_dontaudit = 0;
Dan Cashmanfafe4c22017-08-29 09:32:05 -0700[diff] [blame]94 int multiple_decls = 0;
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]95 int disable_neverallow = 0;
96 int preserve_tunables = 0;
97 int handle_unknown = -1;
98 int policyvers = POLICYDB_VERSION_MAX;
James Carterea175152017-04-12 13:46:53 -0400[diff] [blame]99 int attrs_expand_generated = 0;
100 int attrs_expand_size = -1;
Ondrej Mosnacekf7cb5902019-06-13 13:45:57 +0200[diff] [blame]101 int optimize = 0;
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]102 int opt_char;
103 int opt_index = 0;
104 char *fc_buf = NULL;
105 size_t fc_size;
106 enum cil_log_level log_level = CIL_ERR;
107 static struct option long_opts[] = {
108 {"help", no_argument, 0, 'h'},
109 {"verbose", no_argument, 0, 'v'},
110 {"target", required_argument, 0, 't'},
111 {"mls", required_argument, 0, 'M'},
112 {"policyversion", required_argument, 0, 'c'},
113 {"handle-unknown", required_argument, 0, 'U'},
114 {"disable-dontaudit", no_argument, 0, 'D'},
Dan Cashmanfafe4c22017-08-29 09:32:05 -0700[diff] [blame]115 {"multiple-decls", no_argument, 0, 'm'},
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]116 {"disable-neverallow", no_argument, 0, 'N'},
117 {"preserve-tunables", no_argument, 0, 'P'},
118 {"output", required_argument, 0, 'o'},
119 {"filecontexts", required_argument, 0, 'f'},
James Carterea175152017-04-12 13:46:53 -0400[diff] [blame]120 {"expand-generated", no_argument, 0, 'G'},
121 {"expand-size", required_argument, 0, 'X'},
Ondrej Mosnacekf7cb5902019-06-13 13:45:57 +0200[diff] [blame]122 {"optimize", no_argument, 0, 'O'},
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]123 {0, 0, 0, 0}
124 };
125 int i;
126
127 while (1) {
Ondrej Mosnacekf7cb5902019-06-13 13:45:57 +0200[diff] [blame]128 opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PDmNOc:GX:n", long_opts, &opt_index);
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]129 if (opt_char == -1) {
130 break;
131 }
132 switch (opt_char) {
133 case 'v':
134 log_level++;
135 break;
136 case 't':
137 if (!strcmp(optarg, "selinux")) {
138 target = SEPOL_TARGET_SELINUX;
139 } else if (!strcmp(optarg, "xen")) {
140 target = SEPOL_TARGET_XEN;
141 } else {
142 fprintf(stderr, "Unknown target: %s\n", optarg);
143 usage(argv[0]);
144 }
145 break;
146 case 'M':
147 if (!strcasecmp(optarg, "true") || !strcasecmp(optarg, "1")) {
148 mls = 1;
149 } else if (!strcasecmp(optarg, "false") || !strcasecmp(optarg, "0")) {
150 mls = 0;
151 } else {
152 usage(argv[0]);
153 }
154 break;
155 case 'c': {
156 char *endptr = NULL;
157 errno = 0;
158 policyvers = strtol(optarg, &endptr, 10);
159 if (errno != 0 || endptr == optarg || *endptr != '\0') {
160 fprintf(stderr, "Bad policy version: %s\n", optarg);
161 usage(argv[0]);
162 }
163 if (policyvers > POLICYDB_VERSION_MAX || policyvers < POLICYDB_VERSION_MIN) {
164 fprintf(stderr, "Policy version must be between %d and %d\n",
165 POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
166 usage(argv[0]);
167 }
168 break;
169 }
170 case 'U':
171 if (!strcasecmp(optarg, "deny")) {
172 handle_unknown = SEPOL_DENY_UNKNOWN;
173 } else if (!strcasecmp(optarg, "allow")) {
174 handle_unknown = SEPOL_ALLOW_UNKNOWN;
175 } else if (!strcasecmp(optarg, "reject")) {
176 handle_unknown = SEPOL_REJECT_UNKNOWN;
177 } else {
178 usage(argv[0]);
179 }
180 break;
181 case 'D':
182 disable_dontaudit = 1;
183 break;
Dan Cashmanfafe4c22017-08-29 09:32:05 -0700[diff] [blame]184 case 'm':
185 multiple_decls = 1;
186 break;
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]187 case 'N':
188 disable_neverallow = 1;
189 break;
190 case 'P':
191 preserve_tunables = 1;
192 break;
193 case 'o':
194 output = strdup(optarg);
195 break;
196 case 'f':
197 filecontexts = strdup(optarg);
198 break;
James Carterea175152017-04-12 13:46:53 -0400[diff] [blame]199 case 'G':
200 attrs_expand_generated = 1;
201 break;
202 case 'X': {
203 char *endptr = NULL;
204 errno = 0;
205 attrs_expand_size = strtol(optarg, &endptr, 10);
206 if (errno != 0 || endptr == optarg || *endptr != '\0') {
207 fprintf(stderr, "Bad attribute expand size: %s\n", optarg);
208 usage(argv[0]);
209 }
210
211 if (attrs_expand_size < 0) {
212 fprintf(stderr, "Attribute expand size must be > 0\n");
213 usage(argv[0]);
214 }
215 break;
216 }
Ondrej Mosnacekf7cb5902019-06-13 13:45:57 +0200[diff] [blame]217 case 'O':
218 optimize = 1;
219 break;
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]220 case 'h':
221 usage(argv[0]);
222 case '?':
223 break;
224 default:
225 fprintf(stderr, "Unsupported option: %s\n", optarg);
226 usage(argv[0]);
227 }
228 }
229 if (optind >= argc) {
230 fprintf(stderr, "No cil files specified\n");
231 usage(argv[0]);
232 }
233
234 cil_set_log_level(log_level);
235
236 cil_db_init(&db);
237 cil_set_disable_dontaudit(db, disable_dontaudit);
Dan Cashmanfafe4c22017-08-29 09:32:05 -0700[diff] [blame]238 cil_set_multiple_decls(db, multiple_decls);
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]239 cil_set_disable_neverallow(db, disable_neverallow);
240 cil_set_preserve_tunables(db, preserve_tunables);
241 if (handle_unknown != -1) {
242 rc = cil_set_handle_unknown(db, handle_unknown);
243 if (rc != SEPOL_OK) {
244 goto exit;
245 }
246 }
247
248 cil_set_mls(db, mls);
Steve Lawrence8147bc72015-02-13 12:30:32 -0500[diff] [blame]249 cil_set_target_platform(db, target);
250 cil_set_policy_version(db, policyvers);
James Carterea175152017-04-12 13:46:53 -0400[diff] [blame]251 cil_set_attrs_expand_generated(db, attrs_expand_generated);
252 if (attrs_expand_size >= 0) {
253 cil_set_attrs_expand_size(db, (unsigned)attrs_expand_size);
254 }
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]255
256 for (i = optind; i < argc; i++) {
257 file = fopen(argv[i], "r");
258 if (!file) {
Yuli Khodorkovskiy36f62b72015-03-31 10:17:01 -0400[diff] [blame]259 fprintf(stderr, "Could not open file: %s\n", argv[i]);
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]260 rc = SEPOL_ERR;
261 goto exit;
262 }
263 rc = stat(argv[i], &filedata);
264 if (rc == -1) {
Yuli Khodorkovskiy36f62b72015-03-31 10:17:01 -0400[diff] [blame]265 fprintf(stderr, "Could not stat file: %s\n", argv[i]);
Nick Kralevich via Selinux28969672018-09-24 11:10:52 -0700[diff] [blame]266 rc = SEPOL_ERR;
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]267 goto exit;
268 }
Nick Kralevich via Selinux0a71c5f2018-09-24 11:10:51 -0700[diff] [blame]269 file_size = filedata.st_size;
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]270
271 buffer = malloc(file_size);
272 rc = fread(buffer, file_size, 1, file);
273 if (rc != 1) {
Yuli Khodorkovskiy36f62b72015-03-31 10:17:01 -0400[diff] [blame]274 fprintf(stderr, "Failure reading file: %s\n", argv[i]);
Nick Kralevich via Selinux28969672018-09-24 11:10:52 -0700[diff] [blame]275 rc = SEPOL_ERR;
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]276 goto exit;
277 }
278 fclose(file);
279 file = NULL;
280
281 rc = cil_add_file(db, argv[i], buffer, file_size);
282 if (rc != SEPOL_OK) {
Yuli Khodorkovskiy36f62b72015-03-31 10:17:01 -0400[diff] [blame]283 fprintf(stderr, "Failure adding %s\n", argv[i]);
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]284 goto exit;
285 }
286
287 free(buffer);
288 buffer = NULL;
289 }
290
Steve Lawrence8147bc72015-02-13 12:30:32 -0500[diff] [blame]291 rc = cil_compile(db);
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]292 if (rc != SEPOL_OK) {
Yuli Khodorkovskiy36f62b72015-03-31 10:17:01 -0400[diff] [blame]293 fprintf(stderr, "Failed to compile cildb: %d\n", rc);
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]294 goto exit;
295 }
296
Steve Lawrence8147bc72015-02-13 12:30:32 -0500[diff] [blame]297 rc = cil_build_policydb(db, &pdb);
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]298 if (rc != SEPOL_OK) {
Yuli Khodorkovskiy36f62b72015-03-31 10:17:01 -0400[diff] [blame]299 fprintf(stderr, "Failed to build policydb\n");
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]300 goto exit;
301 }
302
Ondrej Mosnacekf7cb5902019-06-13 13:45:57 +0200[diff] [blame]303 if (optimize) {
304 rc = sepol_policydb_optimize(pdb);
305 if (rc != SEPOL_OK) {
306 fprintf(stderr, "Failed to optimize policydb\n");
307 goto exit;
308 }
309 }
310
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]311 if (output == NULL) {
312 int size = snprintf(NULL, 0, "policy.%d", policyvers);
313 output = malloc((size + 1) * sizeof(char));
314 if (output == NULL) {
Yuli Khodorkovskiy36f62b72015-03-31 10:17:01 -0400[diff] [blame]315 fprintf(stderr, "Failed to create output filename\n");
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]316 rc = SEPOL_ERR;
317 goto exit;
318 }
319 if (snprintf(output, size + 1, "policy.%d", policyvers) != size) {
Yuli Khodorkovskiy36f62b72015-03-31 10:17:01 -0400[diff] [blame]320 fprintf(stderr, "Failed to create output filename\n");
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]321 rc = SEPOL_ERR;
322 goto exit;
323 }
324 }
325
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]326 binary = fopen(output, "w");
327 if (binary == NULL) {
Yuli Khodorkovskiy36f62b72015-03-31 10:17:01 -0400[diff] [blame]328 fprintf(stderr, "Failure opening binary file for writing\n");
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]329 rc = SEPOL_ERR;
330 goto exit;
331 }
332
333 rc = sepol_policy_file_create(&pf);
334 if (rc != 0) {
Yuli Khodorkovskiy36f62b72015-03-31 10:17:01 -0400[diff] [blame]335 fprintf(stderr, "Failed to create policy file: %d\n", rc);
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]336 goto exit;
337 }
338
339 sepol_policy_file_set_fp(pf, binary);
340
341 rc = sepol_policydb_write(pdb, pf);
342 if (rc != 0) {
Yuli Khodorkovskiy36f62b72015-03-31 10:17:01 -0400[diff] [blame]343 fprintf(stderr, "Failed to write binary policy: %d\n", rc);
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]344 goto exit;
345 }
346
347 fclose(binary);
348 binary = NULL;
349
Steve Lawrence8147bc72015-02-13 12:30:32 -0500[diff] [blame]350 rc = cil_filecons_to_string(db, &fc_buf, &fc_size);
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]351 if (rc != SEPOL_OK) {
Yuli Khodorkovskiy36f62b72015-03-31 10:17:01 -0400[diff] [blame]352 fprintf(stderr, "Failed to get file context data\n");
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]353 goto exit;
354 }
355
356 if (filecontexts == NULL) {
357 file_contexts = fopen("file_contexts", "w+");
358 } else {
359 file_contexts = fopen(filecontexts, "w+");
360 }
361
362 if (file_contexts == NULL) {
Yuli Khodorkovskiy36f62b72015-03-31 10:17:01 -0400[diff] [blame]363 fprintf(stderr, "Failed to open file_contexts file\n");
Nick Kralevich via Selinux28969672018-09-24 11:10:52 -0700[diff] [blame]364 rc = SEPOL_ERR;
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]365 goto exit;
366 }
Nick Kralevich via Selinux0a71c5f2018-09-24 11:10:51 -0700[diff] [blame]367
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]368 if (fwrite(fc_buf, sizeof(char), fc_size, file_contexts) != fc_size) {
Yuli Khodorkovskiy36f62b72015-03-31 10:17:01 -0400[diff] [blame]369 fprintf(stderr, "Failed to write file_contexts file\n");
Nick Kralevich via Selinux28969672018-09-24 11:10:52 -0700[diff] [blame]370 rc = SEPOL_ERR;
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]371 goto exit;
372 }
373
374 fclose(file_contexts);
375 file_contexts = NULL;
376
377 rc = SEPOL_OK;
378
379exit:
Steve Lawrenceb19eafb2014-08-26 08:02:58 -0400[diff] [blame]380 if (binary != NULL) {
381 fclose(binary);
382 }
383 if (file != NULL) {
384 fclose(file);
385 }
386 free(buffer);
387 free(output);
388 free(filecontexts);
389 cil_db_destroy(&db);
390 sepol_policydb_free(pdb);
391 sepol_policy_file_free(pf);
392 free(fc_buf);
393 return rc;
394}