#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sepol/policydb/services.h>
#include <sepol/sepol.h>
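/*
 * Print, comma separated, the names of the policy components recorded in
 * 'reason' (the SEPOL_COMPUTEAV_* bits filled in by
 * sepol_compute_av_reason_buffer()).  Output order is fixed: te-rule,
 * constraint, role-transition, type-bound.  Nothing is printed when no bit
 * is set.
 */
static void print_denial_reasons(unsigned int reason)
{
	static const struct {
		unsigned int bit;
		const char *label;
	} components[] = {
		{ SEPOL_COMPUTEAV_TE, "te-rule" },
		{ SEPOL_COMPUTEAV_CONS, "constraint" },
		{ SEPOL_COMPUTEAV_RBAC, "role-transition" },
		{ SEPOL_COMPUTEAV_BOUNDS, "type-bound" },
	};
	size_t idx;
	int printed = 0;

	for (idx = 0; idx < sizeof(components) / sizeof(components[0]); idx++) {
		if (!(reason & components[idx].bit))
			continue;
		if (printed)
			printf(", ");
		printf("%s", components[idx].label);
		printed++;
	}
}

/*
 * Resolve a comma-separated list of permission names for security class
 * 'tclass' into the access vector '*av'.
 *
 * sepol_string_to_av_perm() ORs each permission's bit into *av rather than
 * overwriting it, so *av is reset to zero here before the first name is
 * resolved; callers must not rely on a previous value.  An empty name
 * (",," or a trailing ",") is passed through unchanged and rejected by
 * libsepol like any other unknown permission.
 *
 * 'class_name' is only used in the diagnostic printed on failure.
 * Returns 0 on success, -1 after printing a diagnostic to stderr.
 */
static int parse_permission_list(sepol_security_class_t tclass, const char *permlist,
				 const char *class_name, sepol_access_vector_t *av)
{
	*av = 0;

	for (;;) {
		const char *delim = strchr(permlist, ',');
		const char *perm = permlist;
		char *copy = NULL;

		if (delim) {
			/* Isolate the name in front of the comma. */
			copy = strndup(permlist, (size_t)(delim - permlist));
			if (!copy) {
				fprintf(stderr, "Failed to allocate memory: %s\n", strerror(errno));
				return -1;
			}
			perm = copy;
		}

		if (sepol_string_to_av_perm(tclass, perm, av) < 0) {
			fprintf(stderr, "Invalid permission %s for security class %s: %s\n", perm, class_name, strerror(errno));
			free(copy);
			return -1;
		}
		free(copy);

		if (!delim)
			return 0;
		permlist = delim + 1;
	}
}

/*
 * Query a binary SELinux policy for an access decision.
 *
 * usage: policy source_context target_context class permission[,permission2[,...]]
 *
 * Exit status: 0 when every requested permission is allowed, 7 when at
 * least one is denied (the denying policy components and, for constraint
 * denials, libsepol's reason text are printed on stdout), 1 on a usage or
 * processing error.
 */
int main(int argc, char *argv[])
{
	FILE *fp;
	sepol_security_id_t ssid, tsid;
	sepol_security_class_t tclass;
	/* Always initialised: the request vector is built by OR-ing bits in. */
	sepol_access_vector_t av = 0;
	struct sepol_av_decision avd;
	unsigned int reason = 0;
	char *reason_buf = NULL;

	if (argc != 6) {
		printf("usage: %s policy source_context target_context class permission[,permission2[,...]]\n", argv[0]);
		return 1;
	}

	fp = fopen(argv[1], "r");
	if (!fp) {
		fprintf(stderr, "Can't open policy %s: %s\n", argv[1], strerror(errno));
		return 1;
	}
	/* Loads the policy into libsepol's global policydb; fp is not needed afterwards. */
	if (sepol_set_policydb_from_file(fp) < 0) {
		fprintf(stderr, "Error while processing policy %s: %s\n", argv[1], strerror(errno));
		fclose(fp);
		return 1;
	}
	fclose(fp);

	if (sepol_context_to_sid(argv[2], strlen(argv[2]), &ssid) < 0) {
		fprintf(stderr, "Invalid source context %s\n", argv[2]);
		return 1;
	}
	if (sepol_context_to_sid(argv[3], strlen(argv[3]), &tsid) < 0) {
		fprintf(stderr, "Invalid target context %s\n", argv[3]);
		return 1;
	}
	if (sepol_string_to_security_class(argv[4], &tclass) < 0) {
		fprintf(stderr, "Invalid security class %s\n", argv[4]);
		return 1;
	}

	if (parse_permission_list(tclass, argv[5], argv[4], &av) < 0)
		return 1;
	if (av == 0) {
		fprintf(stderr, "Empty permission set computed from %s\n", argv[5]);
		return 1;
	}

	/*
	 * NOTE(review): libsepol signals failure through a negative return
	 * code and does not necessarily set errno, so the strerror() text
	 * below may be stale -- confirm before relying on it.
	 */
	if (sepol_compute_av_reason_buffer(ssid, tsid, tclass, av, &avd, &reason, &reason_buf, 0) < 0) {
		fprintf(stderr, "Failed to compute av decision: %s\n", strerror(errno));
		return 1;
	}

	/* Allowed only if every requested bit is granted. */
	if ((avd.allowed & av) == av) {
		printf("requested permission %s allowed\n", argv[5]);
		free(reason_buf);
		return 0;
	}

	printf("requested permission %s denied by ", argv[5]);
	print_denial_reasons(reason);
	/* libsepol only fills reason_buf with text for constraint denials. */
	if ((reason & SEPOL_COMPUTEAV_CONS) && reason_buf)
		printf("; reason:\n%s", reason_buf);
	free(reason_buf);
	printf("\n");
	return 7;
}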