int matchpathcon_main(int argc, char **argv)
{
int error = 0;
unsigned opts;
char *fcontext, *prefix, *path;
opt_complementary = "-1" /* at least one param reqd */
":?:f--p:p--f"; /* mutually exclusive */
opts = getopt32(argc, argv, "nNf:p:V", &fcontext, &prefix);
argv += optind;
if (opts & OPT_NOT_TRANS) {
set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
}
if (opts & OPT_FCONTEXT) {
if (matchpathcon_init(fcontext))
bb_perror_msg_and_die("error while processing %s", fcontext);
}
if (opts & OPT_PREFIX) {
if (matchpathcon_init_prefix(NULL, prefix))
bb_perror_msg_and_die("error while processing %s", prefix);
}
while ((path = *argv++) != NULL) {
security_context_t con;
int rc;
if (!(opts & OPT_VERIFY)) {
error += print_matchpathcon(path, opts & OPT_NOT_PRINT);
continue;
}
if (selinux_file_context_verify(path, 0)) {
printf("%s verified\n", path);
continue;
}
if (opts & OPT_NOT_TRANS)
rc = lgetfilecon_raw(path, &con);
else
rc = lgetfilecon(path, &con);
if (rc >= 0) {
printf("%s has context %s, should be ", path, con);
error += print_matchpathcon(path, 1);
freecon(con);
continue;
}
printf("actual context unknown: %s, should be ", strerror(errno));
error += print_matchpathcon(path, 1);
}
matchpathcon_fini();
return error;
}
int lgetfilecon(const char *path, char ** context)
{
int ret;
char * rcontext;
*context = NULL;
ret = lgetfilecon_raw(path, &rcontext);
if (ret > 0) {
ret = selinux_raw_to_trans_context(rcontext, context);
freecon(rcontext);
}
if (ret >= 0 && *context)
return strlen(*context) + 1;
return ret;
}
static security_context_t get_scon(void)
{
static char dummy_NIL[1] = "";
security_context_t con = NULL;
int ret = -1;
int raw = TRUE;
switch (opts->from_type) {
case OPTS_FROM_ARG:
if (!(con = strdup(opts->f.arg)))
err(EXIT_FAILURE,
" Couldn't allocate security context");
raw = !opts->disp_raw; /* always do conversion */
break;
case OPTS_FROM_STDIN:
{
char buf[4096] = "";
char *ptr = buf;
while (!*ptr) {
if (!(ptr = fgets(buf, sizeof(buf), stdin)))
err(EXIT_FAILURE,
" Couldn't read security context");
ptr += strspn(ptr, " \n\t");
ptr[strcspn(ptr, " \n\t")] = 0;
}
if (!(con = strdup(ptr)))
err(EXIT_FAILURE,
" Couldn't allocate security context");
raw = !opts->disp_raw; /* always do conversion */
break;
}
case OPTS_FROM_CUR:
ret = getcon_raw(&con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get current security context");
break;
case OPTS_FROM_CUREXE:
ret = getexeccon_raw(&con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get current exec security context");
if (!con)
con = strdup(dummy_NIL);
break;
case OPTS_FROM_CURFS:
ret = getfscreatecon_raw(&con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get current fs security context");
if (!con)
con = strdup(dummy_NIL);
break;
case OPTS_FROM_CURKEY:
ret = getkeycreatecon_raw(&con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get current key security context");
if (!con)
con = strdup(dummy_NIL);
break;
case OPTS_FROM_PROC:
ret = getpidcon_raw(opts->f.pid, &con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get security context for pid %lu",
(unsigned long)opts->f.pid);
break;
case OPTS_FROM_PROCEXE:
ret = my_getpidexeccon_raw(opts->f.pid, &con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get security context for pid %lu",
(unsigned long)opts->f.pid);
if (!con)
con = strdup(dummy_NIL);
break;
case OPTS_FROM_PROCFS:
ret = my_getpidfscreatecon_raw(opts->f.pid, &con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get security context for pid %lu",
(unsigned long)opts->f.pid);
if (!con)
con = strdup(dummy_NIL);
/* disabled -- override with normal context ...
{
opts->from_type = OPTS_FROM_PROC;
return (get_scon());
} */
break;
case OPTS_FROM_PROCKEY:
ret = my_getpidkeycreatecon_raw(opts->f.pid, &con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get security context for pid %lu",
(unsigned long)opts->f.pid);
if (!con)
con = strdup(dummy_NIL);
break;
case OPTS_FROM_FILE:
ret = getfilecon_raw(opts->f.file, &con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get security context for file %s",
opts->f.file);
break;
case OPTS_FROM_LINK:
ret = lgetfilecon_raw(opts->f.link, &con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get security context for symlink %s",
opts->f.link);
break;
default:
assert(FALSE);
}
if (opts->disp_raw != raw) {
security_context_t ncon = NULL;
if (opts->disp_raw)
selinux_trans_to_raw_context(con, &ncon);
else
selinux_raw_to_trans_context(con, &ncon);
freecon(con);
con = ncon;
}
return (con);
}
int main(int argc, char **argv)
{
int i, init = 0, force_mode = 0;
int header = 1, opt;
int verify = 0;
int notrans = 0;
int error = 0;
int quiet = 0;
if (argc < 2)
usage(argv[0]);
while ((opt = getopt(argc, argv, "m:Nnf:P:p:Vq")) > 0) {
switch (opt) {
case 'n':
header = 0;
break;
case 'm':
force_mode = string_to_mode(optarg);
if (force_mode < 0) {
fprintf(stderr, "%s: mode %s is invalid\n", argv[0], optarg);
exit(1);
}
break;
case 'V':
verify = 1;
break;
case 'N':
notrans = 1;
set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
break;
case 'f':
if (init) {
fprintf(stderr,
"%s: -f and -p are exclusive\n",
argv[0]);
exit(1);
}
init = 1;
if (matchpathcon_init(optarg)) {
fprintf(stderr,
"Error while processing %s: %s\n",
optarg,
errno ? strerror(errno) : "invalid");
exit(1);
}
break;
case 'P':
if (selinux_set_policy_root(optarg) < 0 ) {
fprintf(stderr,
"Error setting policy root %s: %s\n",
optarg,
errno ? strerror(errno) : "invalid");
exit(1);
}
break;
case 'p':
if (init) {
fprintf(stderr,
"%s: -f and -p are exclusive\n",
argv[0]);
exit(1);
}
init = 1;
if (matchpathcon_init_prefix(NULL, optarg)) {
fprintf(stderr,
"Error while processing %s: %s\n",
optarg,
errno ? strerror(errno) : "invalid");
exit(1);
}
break;
case 'q':
quiet = 1;
break;
default:
usage(argv[0]);
}
}
for (i = optind; i < argc; i++) {
int rc, mode = 0;
struct stat buf;
char *path = argv[i];
int len = strlen(path);
if (len > 1 && path[len - 1 ] == '/')
path[len - 1 ] = '\0';
if (lstat(path, &buf) == 0)
mode = buf.st_mode;
if (force_mode)
mode = force_mode;
if (verify) {
rc = selinux_file_context_verify(path, mode);
if (quiet) {
if (rc == 1)
continue;
else
exit(1);
}
if (rc == -1) {
printf("%s error: %s\n", path, strerror(errno));
exit(1);
} else if (rc == 1) {
printf("%s verified.\n", path);
} else {
char * con;
error = 1;
if (notrans)
rc = lgetfilecon_raw(path, &con);
else
rc = lgetfilecon(path, &con);
if (rc >= 0) {
printf("%s has context %s, should be ",
path, con);
printmatchpathcon(path, 0, mode);
freecon(con);
} else {
printf
("actual context unknown: %s, should be ",
strerror(errno));
printmatchpathcon(path, 0, mode);
}
}
} else {
error |= printmatchpathcon(path, header, mode);
}
}
matchpathcon_fini();
return error;
}
int matchpathcon_main(int argc, char **argv)
{
int i;
int header = 1;
int verify = 0;
int notrans = 0;
int error = 0;
unsigned long opts;
char *fcontext, *prefix;
if (argc < 2)
bb_show_usage();
opts = bb_getopt_ulflags(argc, argv, "nNf:p:V", &fcontext, &prefix);
if (opts & BB_GETOPT_ERROR)
bb_show_usage();
if (opts & MATCHPATHCON_OPT_NOT_PRINT)
header = 0;
if (opts & MATCHPATHCON_OPT_NOT_TRANS) {
notrans = 1;
set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
}
if ((opts & MATCHPATHCON_OPT_FCONTEXT) && (opts & MATCHPATHCON_OPT_PREFIX))
bb_error_msg_and_die("-f and -p are exclusive");
if (opts & MATCHPATHCON_OPT_FCONTEXT) {
if (matchpathcon_init(fcontext))
bb_error_msg_and_die("Error while processing %s: %s",
fcontext, errno ? strerror(errno) : "invalid");
}
if (opts & MATCHPATHCON_OPT_PREFIX) {
if (matchpathcon_init_prefix(NULL, prefix))
bb_error_msg_and_die("Error while processing %s: %s",
prefix, errno ? strerror(errno) : "invalid");
}
if (opts & MATCHPATHCON_OPT_VERIFY)
verify = 1;
for (i = optind; i < argc; i++) {
if (verify) {
if (selinux_file_context_verify(argv[i], 0)) {
printf("%s verified.\n", argv[i]);
} else {
security_context_t con;
int rc;
if (notrans)
rc = lgetfilecon_raw(argv[i], &con);
else
rc = lgetfilecon(argv[i], &con);
if (rc >= 0) {
printf("%s has context %s, should be ",
argv[i], con);
error += printmatchpathcon(argv[i], 0);
freecon(con);
} else {
printf
("actual context unknown: %s, should be ",
strerror(errno));
error += printmatchpathcon(argv[i], 0);
}
}
} else {
error += printmatchpathcon(argv[i], header);
}
}
matchpathcon_fini();
return error;
}
