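#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <sepol/policydb/services.h>
#include <sepol/sepol.h>

/*
 * sepol_compute_av - query a binary policy for an access decision.
 *
 * usage: sepol_compute_av policy source_context target_context class perm[,perm2[,...]]
 *
 * Exit status: 0 when every requested permission is allowed, 7 when at least
 * one is denied (the kinds of rule responsible are printed), 1 on usage or
 * processing errors. The distinct "denied" status lets scripts tell a policy
 * denial apart from a tool failure.
 */

/*
 * Turn a comma-separated permission list into an access vector for tclass.
 *
 * On success returns 0 and *av holds the union of all listed permission bits.
 * On failure prints a diagnostic and returns -1. An empty element (e.g. a
 * doubled or trailing comma) is rejected as an invalid permission.
 *
 * class_name is used only in diagnostics.
 */
static int parse_permissions(sepol_security_class_t tclass, const char *permlist,
			     const char *class_name, sepol_access_vector_t *av)
{
	/* sepol_string_to_av_perm() accumulates into *av, so start from an empty vector. */
	*av = 0;

	for (;;) {
		const char *delim = strchr(permlist, ',');
		const char *perm = permlist;
		char *tmp = NULL;

		if (delim) {
			/* Isolate the element in front of the comma; the list itself is const. */
			tmp = strndup(permlist, (size_t)(delim - permlist));
			if (!tmp) {
				fprintf(stderr, "Failed to allocate memory: %s\n", strerror(errno));
				return -1;
			}
			perm = tmp;
		}

		if (sepol_string_to_av_perm(tclass, perm, av) < 0) {
			fprintf(stderr, "Invalid permission %s for security class %s: %s\n",
				perm, class_name, strerror(errno));
			free(tmp);
			return -1;
		}
		free(tmp);

		if (!delim)
			break;
		permlist = delim + 1;
	}

	return 0;
}

/*
 * Print the names of the rule kinds flagged in reason, comma-separated, in
 * the fixed order te-rule, constraint, role-transition, type-bound.
 */
static void print_reason(unsigned int reason)
{
	static const struct {
		unsigned int bit;
		const char *name;
	} kinds[] = {
		{ SEPOL_COMPUTEAV_TE, "te-rule" },
		{ SEPOL_COMPUTEAV_CONS, "constraint" },
		{ SEPOL_COMPUTEAV_RBAC, "role-transition" },
		{ SEPOL_COMPUTEAV_BOUNDS, "type-bound" },
	};
	int printed = 0;

	for (size_t i = 0; i < sizeof kinds / sizeof kinds[0]; i++) {
		if (!(reason & kinds[i].bit))
			continue;
		if (printed++)
			printf(", ");
		printf("%s", kinds[i].name);
	}
}

int main(int argc, char *argv[])
{
	FILE *fp;
	sepol_security_id_t ssid, tsid;
	sepol_security_class_t tclass;
	sepol_access_vector_t av;
	struct sepol_av_decision avd;
	unsigned int reason = 0;
	char *reason_buf = NULL;

	if (argc != 6) {
		printf("usage: %s policy source_context target_context class permission[,permission2[,...]]\n", argv[0]);
		return 1;
	}

	fp = fopen(argv[1], "r");
	if (!fp) {
		fprintf(stderr, "Can't open policy %s: %s\n", argv[1], strerror(errno));
		return 1;
	}
	/* Loads the policy into the library's global policydb used by the calls below. */
	if (sepol_set_policydb_from_file(fp) < 0) {
		fprintf(stderr, "Error while processing policy %s: %s\n", argv[1], strerror(errno));
		fclose(fp);
		return 1;
	}
	fclose(fp);

	if (sepol_context_to_sid(argv[2], strlen(argv[2]), &ssid) < 0) {
		fprintf(stderr, "Invalid source context %s\n", argv[2]);
		return 1;
	}

	if (sepol_context_to_sid(argv[3], strlen(argv[3]), &tsid) < 0) {
		fprintf(stderr, "Invalid target context %s\n", argv[3]);
		return 1;
	}

	if (sepol_string_to_security_class(argv[4], &tclass) < 0) {
		fprintf(stderr, "Invalid security class %s\n", argv[4]);
		return 1;
	}

	if (parse_permissions(tclass, argv[5], argv[4], &av) < 0)
		return 1;

	if (av == 0) {
		fprintf(stderr, "Empty permission set computed from %s\n", argv[5]);
		return 1;
	}

	/* reason_buf is heap-allocated by the library (may stay NULL) and is owned by us from here on. */
	if (sepol_compute_av_reason_buffer(ssid, tsid, tclass, av, &avd, &reason, &reason_buf, 0) < 0) {
		fprintf(stderr, "Failed to compute av decision: %s\n", strerror(errno));
		return 1;
	}

	/* Allowed only if every requested bit is granted, not just some of them. */
	if ((avd.allowed & av) == av) {
		printf("requested permission %s allowed\n", argv[5]);
		free(reason_buf);
		return 0;
	}

	printf("requested permission %s denied by ", argv[5]);
	print_reason(reason);

	/* The library only fills reason_buf with constraint details. */
	if ((reason & SEPOL_COMPUTEAV_CONS) && reason_buf)
		printf("; reason:\n%s", reason_buf);

	free(reason_buf);

	printf("\n");

	return 7;
}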