示例#1
0
int linker_test_init(void)
{
	int i;

	if (test_load_policy(&linkedbase, POLICY_BASE, mls, "test-linker", policies[BASEMOD]))
		return -1;

	if (test_load_policy(&basenomods, POLICY_BASE, mls, "test-linker", policies[BASEMOD]))
		return -1;

	for (i = 0; i < NUM_MODS; i++) {

		modules[i] = calloc(1, sizeof(*modules[i]));
		if (!modules[i]) {
			fprintf(stderr, "out of memory!\n");
			return -1;
		}

		if (test_load_policy(modules[i], POLICY_MOD, mls, "test-linker", policies[i]))
			return -1;

	}

	if (link_modules(NULL, &linkedbase, modules, NUM_MODS, 0)) {
		fprintf(stderr, "link modules failed\n");
		return -1;
	}

	if (link_modules(NULL, &basenomods, NULL, 0, 0)) {
		fprintf(stderr, "link modules failed\n");
		return -1;
	}

	return 0;
}
示例#2
0
/* Links the module packages into the base.  Returns 0 on success, -1
 * if a requirement was not met, or -2 for all other errors. */
int sepol_link_packages(sepol_handle_t *handle,
			sepol_module_package_t *base,
                        sepol_module_package_t **modules, int num_modules,
                        int verbose) 
{
        policydb_t **mod_pols = NULL;
        int i, retval;

        if ((mod_pols = calloc(num_modules, sizeof(*mod_pols))) == NULL) {
		ERR(handle, "Out of memory!");
                return -2;
        }
        for (i = 0; i < num_modules; i++) {
                mod_pols[i] = &modules[i]->policy->p;
        }

        retval = link_modules(handle, &base->policy->p, mod_pols, num_modules,
                              verbose);
        free(mod_pols);
        if (retval == -3) {
                return -1;
        }
        else if (retval < 0) {
                return -2;
        }

        if (link_file_contexts(base, modules, num_modules) == -1) {
		ERR(handle, "Out of memory!");
                return -2;
        }
        return 0;
}
示例#3
0
int sepol_link_modules(sepol_handle_t * handle,
		       sepol_policydb_t * base,
		       sepol_policydb_t ** modules, size_t len, int verbose)
{
	return link_modules(handle, &base->p, (policydb_t **) modules, len,
			    verbose);
}
示例#4
0
/* Takes base, some number of modules, links them, and expands them
   reads source from myfiles array, which has the base string followed by
   each module string */
int expander_policy_init(policydb_t * mybase, int num_modules, policydb_t ** mymodules, policydb_t * myexpanded, const char *const *myfiles)
{
	char *filename[num_modules + 1];
	int i;

	for (i = 0; i < num_modules + 1; i++) {
		filename[i] = calloc(PATH_MAX, sizeof(char));
		if (snprintf(filename[i], PATH_MAX, "policies/test-expander/%s%s", myfiles[i], mls ? ".mls" : ".std") < 0)
			return -1;
	}

	if (policydb_init(mybase)) {
		fprintf(stderr, "out of memory!\n");
		return -1;
	}

	for (i = 0; i < num_modules; i++) {
		if (policydb_init(mymodules[i])) {
			fprintf(stderr, "out of memory!\n");
			return -1;
		}
	}

	if (policydb_init(myexpanded)) {
		fprintf(stderr, "out of memory!\n");
		return -1;
	}

	mybase->policy_type = POLICY_BASE;
	mybase->mls = mls;

	if (read_source_policy(mybase, filename[0], myfiles[0])) {
		fprintf(stderr, "read source policy failed %s\n", filename[0]);
		return -1;
	}

	for (i = 1; i < num_modules + 1; i++) {
		mymodules[i - 1]->policy_type = POLICY_MOD;
		mymodules[i - 1]->mls = mls;
		if (read_source_policy(mymodules[i - 1], filename[i], myfiles[i])) {
			fprintf(stderr, "read source policy failed %s\n", filename[i]);
			return -1;
		}
	}

	if (link_modules(NULL, mybase, mymodules, num_modules, 0)) {
		fprintf(stderr, "link modules failed\n");
		return -1;
	}

	if (expand_module(NULL, mybase, myexpanded, 0, 0)) {
		fprintf(stderr, "expand modules failed\n");
		return -1;
	}

	for (i = 0; i < num_modules + 1; i++) {
		free(filename[i]);
	}
	return 0;
}
示例#5
0
int cond_test_init(void)
{
	if (policydb_init(&base_expanded)) {
		fprintf(stderr, "out of memory!\n");
		policydb_destroy(&basemod);
		return -1;
	}

	if (test_load_policy(&basemod, POLICY_BASE, 1, "test-cond", "refpolicy-base.conf"))
		goto cleanup;

	if (link_modules(NULL, &basemod, NULL, 0, 0)) {
		fprintf(stderr, "link modules failed\n");
		goto cleanup;
	}

	if (expand_module(NULL, &basemod, &base_expanded, 0, 1)) {
		fprintf(stderr, "expand module failed\n");
		goto cleanup;
	}

	return 0;

      cleanup:
	policydb_destroy(&basemod);
	policydb_destroy(&base_expanded);
	return -1;
}
int main(int argc, char **argv)
{
	char *file = txtfile, *outfile = NULL;
	unsigned int binary = 0;
	int ch;
	int show_version = 0;
	policydb_t modpolicydb;
	struct option long_options[] = {
		{"help", no_argument, NULL, 'h'},
		{"output", required_argument, NULL, 'o'},
		{"binary", no_argument, NULL, 'b'},
		{"version", no_argument, NULL, 'V'},
		{"handle-unknown", optional_argument, NULL, 'U'},
		{"mls", no_argument, NULL, 'M'},
		{NULL, 0, NULL, 0}
	};

	while ((ch = getopt_long(argc, argv, "ho:bVU:mM", long_options, NULL)) != -1) {
		switch (ch) {
		case 'h':
			usage(argv[0]);
			break;
		case 'o':
			outfile = optarg;
			break;
		case 'b':
			binary = 1;
			file = binfile;
			break;
		case 'V':
			show_version = 1;
			break;
		case 'U':
			if (!strcasecmp(optarg, "deny")) {
				handle_unknown = DENY_UNKNOWN;
				break;
			}
			if (!strcasecmp(optarg, "reject")) {
				handle_unknown = REJECT_UNKNOWN;
				break;
			}
			if (!strcasecmp(optarg, "allow")) {
				handle_unknown = ALLOW_UNKNOWN;
				break;
			}
			usage(argv[0]);
		case 'm':
			policy_type = POLICY_MOD;
			policyvers = MOD_POLICYDB_VERSION_MAX;
			break;
		case 'M':
			mlspol = 1;
			break;
		default:
			usage(argv[0]);
		}
	}

	if (show_version) {
		printf("Module versions %d-%d\n",
		       MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX);
		exit(0);
	}

	if (handle_unknown && (policy_type != POLICY_BASE)) {
		printf("Handling of unknown classes and permissions is only ");
		printf("valid in the base module\n");
		exit(1);
	}

	if (optind != argc) {
		file = argv[optind++];
		if (optind != argc)
			usage(argv[0]);
	}
	printf("%s:  loading policy configuration from %s\n", argv[0], file);

	/* Set policydb and sidtab used by libsepol service functions
	   to my structures, so that I can directly populate and
	   manipulate them. */
	sepol_set_policydb(&modpolicydb);
	sepol_set_sidtab(&sidtab);

	if (binary) {
		if (read_binary_policy(&modpolicydb, file, argv[0]) == -1) {
			exit(1);
		}
	} else {
		if (policydb_init(&modpolicydb)) {
			fprintf(stderr, "%s: out of memory!\n", argv[0]);
			return -1;
		}

		modpolicydb.policy_type = policy_type;
		modpolicydb.mls = mlspol;
		modpolicydb.handle_unknown = handle_unknown;

		if (read_source_policy(&modpolicydb, file, argv[0]) == -1) {
			exit(1);
		}

		if (hierarchy_check_constraints(NULL, &modpolicydb)) {
			return -1;
		}
	}

	if (modpolicydb.policy_type == POLICY_BASE) {
		/* Verify that we can successfully expand the base module. */
		policydb_t kernpolicydb;

		if (policydb_init(&kernpolicydb)) {
			fprintf(stderr, "%s:  policydb_init failed\n", argv[0]);
			exit(1);
		}
		if (link_modules(NULL, &modpolicydb, NULL, 0, 0)) {
			fprintf(stderr, "%s:  link modules failed\n", argv[0]);
			exit(1);
		}
		if (expand_module(NULL, &modpolicydb, &kernpolicydb, 0, 1)) {
			fprintf(stderr, "%s:  expand module failed\n", argv[0]);
			exit(1);
		}
		policydb_destroy(&kernpolicydb);
	}

	if (policydb_load_isids(&modpolicydb, &sidtab))
		exit(1);

	sepol_sidtab_destroy(&sidtab);

	printf("%s:  policy configuration loaded\n", argv[0]);

	if (outfile &&
	    write_binary_policy(&modpolicydb, outfile, argv[0]) == -1) {
		exit(1);
	}
	policydb_destroy(&modpolicydb);

	return 0;
}