    Jeff Vander Stoep authored
    searchpolicy.py provides a subset of the functionality of sesearch.
    
    The primary benefit is that it's built entirely in-tree and thus
    can be packaged for use in automated tests, including compatibility
    test suites.
    
    Example
    searchpolicy.py --libpath out/host/linux-x86/lib64/ --allow --source domain
    
    Bug: 63397379
    Test: Identical output with sesearch for the following commands
        --allow --source domain
        --allow --target domain
        --allow --target appdomain -p ioctl,open
        --allow --source lmkd -c file -p ioctl,open
        --allow --source lmkd -c file,dir -p ioctl,open
    Change-Id: I89a6c333f1f519d9171fbc1aafe27eaf5ad247f0
    dec443e7
    #!/usr/bin/env python
    
    import argparse
    import policy
    
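    # NOTE(review): --libpath names a native shared object (libsepolwrap.so)
    # that policy.Policy loads from a caller-supplied path.  Only point it at
    # a trusted, in-tree build artifact (e.g. out/host/linux-x86/lib64/): a
    # writable or attacker-controlled directory here means arbitrary native
    # code runs in this process.  How Policy loads it is not visible from here.


    def build_parser():
        """Build the sesearch-like command-line parser.

        Returns:
            argparse.ArgumentParser whose namespace carries ``policy``,
            ``libpath``, ``tertypes`` (list of rule kinds; only "allow" is
            offered today), ``source``, ``target``, ``tclass`` and ``perms``.
        """
        parser = argparse.ArgumentParser(
            description="SELinux policy rule search tool. Intended to have a similar "
                "API as sesearch, but simplified to use only code available in AOSP")
        parser.add_argument("policy", help="Path to the SELinux policy to search.",
                            nargs="?")
        parser.add_argument("--libpath", dest="libpath",
                            help="Path to the libsepolwrap.so", nargs="?")
        tertypes = parser.add_argument_group("TE Rule Types")
        # append_const so further rule kinds can sit alongside --allow later.
        tertypes.add_argument("--allow", action="append_const",
                              const="allow", dest="tertypes",
                              help="Search allow rules.")
        expr = parser.add_argument_group("Expressions")
        expr.add_argument("-s", "--source",
                          help="Source type/role of the TE/RBAC rule.")
        expr.add_argument("-t", "--target",
                          help="Target type/role of the TE/RBAC rule.")
        expr.add_argument("-c", "--class", dest="tclass",
                          help="Comma separated list of object classes")
        expr.add_argument("-p", "--perms", metavar="PERMS",
                          help="Comma separated list of permissions.")
        return parser


    def _check_args(parser, args):
        """Reject incomplete invocations via parser.error (exits with status 2).

        Runs before any native code is loaded so a bad command line fails
        with a usage message rather than inside the policy wrapper.
        """
        if not args.tertypes:
            parser.error("Must specify \"--allow\"")
        if not args.policy:
            parser.error("Must include path to policy")
        if not args.libpath:
            parser.error("Must include path to libsepolwrap library")
        if not (args.source or args.target or args.tclass or args.perms):
            parser.error("Must specify something to filter on, e.g. --source, --target, etc.")


    def _as_set(value):
        """Turn an optional comma-separated option value into a set of names.

        None/"" -> empty set (meaning "no filter").  Empty items produced by
        stray commas ("file,") are dropped instead of being passed on as "".
        """
        if not value:
            return set()
        return {item for item in value.split(",") if item}


    def format_rule(rule):
        """Render one TE rule in sesearch's ``allow src tgt:class perms;`` form.

        Only allow rules are searched, so the keyword is fixed.  A rule with
        more than one permission is braced.  Permissions are sorted so the
        output is stable whatever container type the wrapper hands back.
        """
        perms = sorted(rule.perms)
        head = "allow " + rule.sctx + " " + rule.tctx + ":" + rule.tclass + " "
        if len(perms) > 1:
            return head + "{ " + " ".join(perms) + " };"
        return head + " ".join(perms) + ";"


    def main(argv=None):
        """Parse ``argv`` (default: sys.argv[1:]), run the query, print the rules.

        Raises:
            SystemExit: via parser.error when required options are missing.
        """
        parser = build_parser()
        args = parser.parse_args(argv)
        _check_args(parser, args)

        pol = policy.Policy(args.policy, None, args.libpath)

        # --source/--target are single names; --class/--perms are comma lists.
        rules = pol.QueryTERule(scontext={args.source} if args.source else set(),
                                tcontext={args.target} if args.target else set(),
                                tclass=_as_set(args.tclass),
                                perms=_as_set(args.perms))

        # Sorted, like sesearch, so two runs can be diffed.
        for line in sorted(format_rule(r) for r in rules):
            print(line)


    if __name__ == "__main__":
        main()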