topjohnwu/selinux
1
0
Fork 0
mirror of https://github.com/topjohnwu/selinux.git synced 2025-02-08 12:26:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

secilc: Add options to control the expansion of attributes

Browse Source 
Added "-G, --expand_generated" option to specify that all automatically
generated attributes should be expanded and removed.

Added "-X, --expand_size <SIZE>" option to specify which attributes
are expanded when building a kernel policy. All attributes that have
less types assigned to it than SIZE will be expanded when writing AV
rules.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This commit is contained in:
James Carter 2017-04-12 13:46:53 -04:00
parent 0be23c3f15
commit ea175157dd
3 changed files with 42 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
secilc/secil2conf.c
View File

@ -124,6 +124,8 @@ int main(int argc, char *argv[])
cil_db_init(&db);
cil_set_preserve_tunables(db, preserve_tunables);
cil_set_mls(db, mls);
cil_set_attrs_expand_generated(db, 0);
cil_set_attrs_expand_size(db, 0);
for (i = optind; i < argc; i++) {
file = fopen(argv[i], "r");

10
secilc/secilc.8.xml
View File

@ -80,6 +80,16 @@
<listitem><para>Do not check <emphasis role="bold">neverallow</emphasis> rules.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-G, --expand-generated</option></term>
<listitem><para>Expand and remove auto-generated attributes</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-X, --attrs-size &lt;size></option></term>
<listitem><para>Expand type attributes with fewer than <emphasis role="bold">&lt;SIZE></emphasis> members.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-v, --verbose</option></term>
<listitem><para>Increment verbosity level.</para></listitem>

31
secilc/secilc.c
View File

@ -64,6 +64,9 @@ static __attribute__((__noreturn__)) void usage(const char *prog)
printf(" -D, --disable-dontaudit do not add dontaudit rules to the binary policy\n");
printf(" -P, --preserve-tunables treat tunables as booleans\n");
printf(" -N, --disable-neverallow do not check neverallow rules\n");
printf(" -G, --expand-generated Expand and remove auto-generated attributes\n");
printf(" -X, --expand-size <SIZE> Expand type attributes with fewer than <SIZE>\n");
printf(" members.\n");
printf(" -v, --verbose increment verbosity level\n");
printf(" -h, --help display usage information\n");
exit(1);
@ -90,6 +93,8 @@ int main(int argc, char *argv[])
int preserve_tunables = 0;
int handle_unknown = -1;
int policyvers = POLICYDB_VERSION_MAX;
int attrs_expand_generated = 0;
int attrs_expand_size = -1;
int opt_char;
int opt_index = 0;
char *fc_buf = NULL;
@ -107,12 +112,14 @@ int main(int argc, char *argv[])
{"preserve-tunables", no_argument, 0, 'P'},
{"output", required_argument, 0, 'o'},
{"filecontexts", required_argument, 0, 'f'},
{"expand-generated", no_argument, 0, 'G'},
{"expand-size", required_argument, 0, 'X'},
{0, 0, 0, 0}
};
int i;
while (1) {
opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PDNc:", long_opts, &opt_index);
opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PDNc:GX:", long_opts, &opt_index);
if (opt_char == -1) {
break;
}
@ -180,6 +187,24 @@ int main(int argc, char *argv[])
case 'f':
filecontexts = strdup(optarg);
break;
case 'G':
attrs_expand_generated = 1;
break;
case 'X': {
char *endptr = NULL;
errno = 0;
attrs_expand_size = strtol(optarg, &endptr, 10);
if (errno != 0 || endptr == optarg || *endptr != '\0') {
fprintf(stderr, "Bad attribute expand size: %s\n", optarg);
usage(argv[0]);
}
if (attrs_expand_size < 0) {
fprintf(stderr, "Attribute expand size must be > 0\n");
usage(argv[0]);
}
break;
}
case 'h':
usage(argv[0]);
case '?':
@ -210,6 +235,10 @@ int main(int argc, char *argv[])
cil_set_mls(db, mls);
cil_set_target_platform(db, target);
cil_set_policy_version(db, policyvers);
cil_set_attrs_expand_generated(db, attrs_expand_generated);
if (attrs_expand_size >= 0) {
cil_set_attrs_expand_size(db, (unsigned)attrs_expand_size);
}
for (i = optind; i < argc; i++) {
file = fopen(argv[i], "r");