
Stephen Smalley  committed cdba467

Extend to check indirect allow rules and conditional rules.

$ sepolicy-check -s untrusted_app -t mediaserver -c binder -p call -P out/target/product/manta/root/sepolicy
Match found!

Also removed loading of initial SIDs, as it is not required for
this functionality and leaks memory because the table is never freed.
valgrind now reports no leaks.

Change-Id: Ic7a26fd01c57914e4e96db504d669f5367542a35
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

  • Parent commits 51f449e


Files changed (1)

File tools/sepolicy-check.c

 #include <stdio.h>
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/services.h>
+#include <sepol/policydb/expand.h>
 
 #define EQUALS 0
 #define NOT 1
 	return (current->datum.data & perm_bitmask) != 0;
 }
 
+
+int expand_and_check(int s_op, uint32_t source_type,
+		     int t_op, uint32_t target_type,
+		     int c_op, uint32_t target_class,
+		     perm_datum_t *perm, policydb_t *policy, avtab_t *avtab) {
+	avtab_t exp_avtab;
+	avtab_ptr_t cur;
+	unsigned int i;
+	int match;
+
+	if (avtab_init(&exp_avtab)) {
+		fputs("out of memory\n", stderr);
+		return -1;
+	}
+
+	if (expand_avtab(policy, avtab, &exp_avtab)) {
+		fputs("out of memory\n", stderr);
+		avtab_destroy(&exp_avtab);
+		return -1;
+	}
+
+	for (i = 0; i < exp_avtab.nslot; i++) {
+		for (cur = exp_avtab.htable[i]; cur; cur = cur->next) {
+			match = 1;
+			match &= check(s_op, source_type, cur->key.source_type);
+			match &= check(t_op, target_type, cur->key.target_type);
+			match &= check(c_op, target_class, cur->key.target_class);
+			match &= check_perm(cur, perm);
+			if (match) {
+				avtab_destroy(&exp_avtab);
+				return 1;
+			}
+		}
+	}
+
+	avtab_destroy(&exp_avtab);
+	return 0;
+}
+
 /*
  * Checks to see if a rule matching the given arguments already exists.
  *
 	int c_op = parse_ops(&c);
 	int p_op = parse_ops(&p);
 	avtab_key_t key;
-	avtab_ptr_t cur;
-	unsigned int i;
 	int match;
 
 	if (s_op != ANY) {
 	if (c_op != ANY)
 		key.target_class = cls->s.value;
 
-	for (i = 0; i < policy->te_avtab.nslot; i++) {
-		for (cur = policy->te_avtab.htable[i]; cur; cur = cur->next) {
-			match = 1;
-			match &= check(s_op, key.source_type, cur->key.source_type);
-			match &= check(t_op, key.target_type, cur->key.target_type);
-			match &= check(c_op, key.target_class, cur->key.target_class);
-			match &= check_perm(cur, perm);
-			if (match)
-				return 1;
-		}
-	}
+	/* Check unconditional rules after attribute expansion. */
+	match = expand_and_check(s_op, key.source_type,
+				 t_op, key.target_type,
+				 c_op, key.target_class,
+				 perm, policy, &policy->te_avtab);
+	if (match)
+		return match;
 
-	return 0;
+	/* Check conditional rules after attribute expansion. */
+	return expand_and_check(s_op, key.source_type,
+				t_op, key.target_type,
+				c_op, key.target_class,
+				perm, policy, &policy->te_cond_avtab);
 }
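Review bot: The header comment on check_rule, `Checks to see if a rule matching the given arguments already exists.`, is now out of date: the two new expand_and_check calls at the end of the function also match rules granted indirectly through attributes (via expand_avtab) and rules held in te_cond_avtab, and they can return -1 on expansion failure, none of which the comment mentions. Note also that a conditional rule is reported exactly like an unconditional one, so the caller cannot tell that the access is gated on a boolean; if I read libsepol correctly the expanded entries carry the rule's permissions irrespective of the boolean's current value, which is the conservative direction for a checker but worth stating. I would replace the first comment line with `Checks whether an allow rule matching the given arguments exists after attributes are expanded to their member types; unconditional and conditional rules are both considered, and a conditional match is reported regardless of boolean state. Returns 1 on a match, 0 if none, -1 if expansion fails.` check_rule's signature and the start of its body fall between this hunk and the previous one, outside the shown lines.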
 
 int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf) {
 	if (load_policy(policy, &policydb, &pf))
 		goto out;
 
-	if (policydb_load_isids(&policydb, &sidtab))
-		goto out;
-
 	match = check_rule(source, target, class, perm, &policydb);
 	if (match < 0) {
 		fprintf(stderr, "Error checking rules!\n");