sepolicy/tools/sepolicy-analyze/typecmp.c - nest-cam/4320010/sepolicy - Git at Google

 #include <getopt.h>
 #include <sepol/policydb/expand.h>

 #include "typecmp.h"

 void typecmp_usage() {
     fprintf(stderr, "\ttypecmp [-d|--diff] [-e|--equiv]\n");
 }

 static int insert_type_rule(avtab_key_t * k, avtab_datum_t * d,
                             struct avtab_node *type_rules)
 {
     struct avtab_node *p, *c, *n;

     for (p = type_rules, c = type_rules->next; c; p = c, c = c->next) {
         /*
          * Find the insertion point, keeping the list
          * ordered by source type, then target type, then
          * target class.
          */
         if (k->source_type < c->key.source_type)
             break;
         if (k->source_type == c->key.source_type &&
             k->target_type < c->key.target_type)
             break;
         if (k->source_type == c->key.source_type &&
             k->target_type == c->key.target_type &&
             k->target_class <= c->key.target_class)
             break;
     }

     if (c &&
         k->source_type == c->key.source_type &&
         k->target_type == c->key.target_type &&
         k->target_class == c->key.target_class) {
         c->datum.data |= d->data;
         return 0;
     }

     /* Insert the rule */
     n = malloc(sizeof(struct avtab_node));
     if (!n) {
         fprintf(stderr, "out of memory\n");
         exit(1);
     }

     n->key = *k;
     n->datum = *d;
     n->next = p->next;
     p->next = n;
     return 0;
 }

 static int create_type_rules_helper(avtab_key_t * k, avtab_datum_t * d,
                                     void *args)
 {
     struct avtab_node *type_rules = args;
     avtab_key_t key;

     /*
      * Insert the rule into the list for
      * the source type.  The source type value
      * is cleared as we want to compare against other type
      * rules with different source types.
      */
     key = *k;
     key.source_type = 0;
     if (k->source_type == k->target_type) {
         /* Clear target type as well; this is a self rule. */
         key.target_type = 0;
     }
     if (insert_type_rule(&key, d, &type_rules[k->source_type - 1]))
         return -1;

     if (k->source_type == k->target_type)
         return 0;

     /*
      * If the target type differs, then we also
      * insert the rule into the list for the target
      * type.  We clear the target type value so that
      * we can compare against other type rules with
      * different target types.
      */
     key = *k;
     key.target_type = 0;
     if (insert_type_rule(&key, d, &type_rules[k->target_type - 1]))
         return -1;

     return 0;
 }

 static int create_type_rules(avtab_key_t * k, avtab_datum_t * d, void *args)
 {
     if (k->specified & AVTAB_ALLOWED)
         return create_type_rules_helper(k, d, args);
     return 0;
 }

 static int create_type_rules_cond(avtab_key_t * k, avtab_datum_t * d,
                                   void *args)
 {
     if ((k->specified & (AVTAB_ALLOWED|AVTAB_ENABLED)) ==
         (AVTAB_ALLOWED|AVTAB_ENABLED))
         return create_type_rules_helper(k, d, args);
     return 0;
 }

 static void free_type_rules(struct avtab_node *l)
 {
     struct avtab_node *tmp;

     while (l) {
         tmp = l;
         l = l->next;
         free(tmp);
     }
 }

 static int find_match(policydb_t *policydb, struct avtab_node *l1,
                       int idx1, struct avtab_node *l2, int idx2)
 {
     struct avtab_node *c;
     uint32_t perms1, perms2;

     for (c = l2; c; c = c->next) {
         if (l1->key.source_type < c->key.source_type)
             break;
         if (l1->key.source_type == c->key.source_type &&
             l1->key.target_type < c->key.target_type)
             break;
         if (l1->key.source_type == c->key.source_type &&
             l1->key.target_type == c->key.target_type &&
             l1->key.target_class <= c->key.target_class)
             break;
     }

     if (c &&
         l1->key.source_type == c->key.source_type &&
         l1->key.target_type == c->key.target_type &&
         l1->key.target_class == c->key.target_class) {
         perms1 = l1->datum.data & ~c->datum.data;
         perms2 = c->datum.data & ~l1->datum.data;
         if (perms1 || perms2) {
             if (perms1)
                 display_allow(policydb, &l1->key, idx1, perms1);
             if (perms2)
                 display_allow(policydb, &c->key, idx2, perms2);
             printf("\n");
             return 1;
         }
     }

     return 0;
 }

 static int analyze_types(policydb_t * policydb, char diff, char equiv)
 {
     avtab_t exp_avtab, exp_cond_avtab;
     struct avtab_node *type_rules, *l1, *l2;
     struct type_datum *type;
     size_t i, j;

     /*
      * Create a list of access vector rules for each type
      * from the access vector table.
      */
     type_rules = malloc(sizeof(struct avtab_node) * policydb->p_types.nprim);
     if (!type_rules) {
         fprintf(stderr, "out of memory\n");
         exit(1);
     }
     memset(type_rules, 0, sizeof(struct avtab_node) * policydb->p_types.nprim);

     if (avtab_init(&exp_avtab) || avtab_init(&exp_cond_avtab)) {
         fputs("out of memory\n", stderr);
         return -1;
     }

     if (expand_avtab(policydb, &policydb->te_avtab, &exp_avtab)) {
         fputs("out of memory\n", stderr);
         avtab_destroy(&exp_avtab);
         return -1;
     }

     if (expand_avtab(policydb, &policydb->te_cond_avtab, &exp_cond_avtab)) {
         fputs("out of memory\n", stderr);
         avtab_destroy(&exp_avtab); /*  */
         return -1;
     }

     if (avtab_map(&exp_avtab, create_type_rules, type_rules))
         exit(1);

     if (avtab_map(&exp_cond_avtab, create_type_rules_cond, type_rules))
         exit(1);

     avtab_destroy(&exp_avtab);
     avtab_destroy(&exp_cond_avtab);

     /*
      * Compare the type lists and identify similar types.
      */
     for (i = 0; i < policydb->p_types.nprim - 1; i++) {
         if (!type_rules[i].next)
             continue;
         type = policydb->type_val_to_struct[i];
         if (type->flavor) {
             free_type_rules(type_rules[i].next);
             type_rules[i].next = NULL;
             continue;
         }
         for (j = i + 1; j < policydb->p_types.nprim; j++) {
             type = policydb->type_val_to_struct[j];
             if (type->flavor) {
                 free_type_rules(type_rules[j].next);
                 type_rules[j].next = NULL;
                 continue;
             }
             for (l1 = type_rules[i].next, l2 = type_rules[j].next;
                  l1 && l2; l1 = l1->next, l2 = l2->next) {
                 if (l1->key.source_type != l2->key.source_type)
                     break;
                 if (l1->key.target_type != l2->key.target_type)
                     break;
                 if (l1->key.target_class != l2->key.target_class
                     || l1->datum.data != l2->datum.data)
                     break;
             }
             if (l1 || l2) {
                 if (diff) {
                     printf
                         ("Types %s and %s differ, starting with:\n",
                          policydb->p_type_val_to_name[i],
                          policydb->p_type_val_to_name[j]);

                     if (l1 && l2) {
                         if (find_match(policydb, l1, i, l2, j))
                             continue;
                         if (find_match(policydb, l2, j, l1, i))
                             continue;
                     }
                     if (l1)
                         display_allow(policydb, &l1->key, i, l1->datum.data);
                     if (l2)
                         display_allow(policydb, &l2->key, j, l2->datum.data);
                     printf("\n");
                 }
                 continue;
             }
             free_type_rules(type_rules[j].next);
             type_rules[j].next = NULL;
             if (equiv) {
                 printf("Types %s and %s are equivalent.\n",
                        policydb->p_type_val_to_name[i],
                        policydb->p_type_val_to_name[j]);
             }
         }
         free_type_rules(type_rules[i].next);
         type_rules[i].next = NULL;
     }

     free(type_rules);
     return 0;
 }

 int typecmp_func (int argc, char **argv, policydb_t *policydb) {
     char ch, diff = 0, equiv = 0;

     struct option typecmp_options[] = {
         {"diff", no_argument, NULL, 'd'},
         {"equiv", no_argument, NULL, 'e'},
         {NULL, 0, NULL, 0}
     };

     while ((ch = getopt_long(argc, argv, "de", typecmp_options, NULL)) != -1) {
         switch (ch) {
         case 'd':
             diff = 1;
             break;
         case 'e':
             equiv = 1;
             break;
         default:
             USAGE_ERROR = true;
             return -1;
         }
     }

     if (!(diff || equiv)) {
         USAGE_ERROR = true;
         return -1;
     }
     return analyze_types(policydb, diff, equiv);
 }
	#include <getopt.h>
	#include <sepol/policydb/expand.h>

	#include "typecmp.h"

	void typecmp_usage() {
	fprintf(stderr, "\ttypecmp [-d\|--diff] [-e\|--equiv]\n");
	}

	static int insert_type_rule(avtab_key_t * k, avtab_datum_t * d,
	struct avtab_node *type_rules)
	{
	struct avtab_node p, c, *n;

	for (p = type_rules, c = type_rules->next; c; p = c, c = c->next) {
	/*
	* Find the insertion point, keeping the list
	* ordered by source type, then target type, then
	* target class.
	*/
	if (k->source_type < c->key.source_type)
	break;
	if (k->source_type == c->key.source_type &&
	k->target_type < c->key.target_type)
	break;
	if (k->source_type == c->key.source_type &&
	k->target_type == c->key.target_type &&
	k->target_class <= c->key.target_class)
	break;
	}

	if (c &&
	k->source_type == c->key.source_type &&
	k->target_type == c->key.target_type &&
	k->target_class == c->key.target_class) {
	c->datum.data \|= d->data;
	return 0;
	}

	/* Insert the rule */
	n = malloc(sizeof(struct avtab_node));
	if (!n) {
	fprintf(stderr, "out of memory\n");
	exit(1);
	}

	n->key = *k;
	n->datum = *d;
	n->next = p->next;
	p->next = n;
	return 0;
	}

	static int create_type_rules_helper(avtab_key_t * k, avtab_datum_t * d,
	void *args)
	{
	struct avtab_node *type_rules = args;
	avtab_key_t key;

	/*
	* Insert the rule into the list for
	* the source type. The source type value
	* is cleared as we want to compare against other type
	* rules with different source types.
	*/
	key = *k;
	key.source_type = 0;
	if (k->source_type == k->target_type) {
	/* Clear target type as well; this is a self rule. */
	key.target_type = 0;
	}
	if (insert_type_rule(&key, d, &type_rules[k->source_type - 1]))
	return -1;

	if (k->source_type == k->target_type)
	return 0;

	/*
	* If the target type differs, then we also
	* insert the rule into the list for the target
	* type. We clear the target type value so that
	* we can compare against other type rules with
	* different target types.
	*/
	key = *k;
	key.target_type = 0;
	if (insert_type_rule(&key, d, &type_rules[k->target_type - 1]))
	return -1;

	return 0;
	}

	static int create_type_rules(avtab_key_t * k, avtab_datum_t * d, void *args)
	{
	if (k->specified & AVTAB_ALLOWED)
	return create_type_rules_helper(k, d, args);
	return 0;
	}

	static int create_type_rules_cond(avtab_key_t * k, avtab_datum_t * d,
	void *args)
	{
	if ((k->specified & (AVTAB_ALLOWED\|AVTAB_ENABLED)) ==
	(AVTAB_ALLOWED\|AVTAB_ENABLED))
	return create_type_rules_helper(k, d, args);
	return 0;
	}

	static void free_type_rules(struct avtab_node *l)
	{
	struct avtab_node *tmp;

	while (l) {
	tmp = l;
	l = l->next;
	free(tmp);
	}
	}

	static int find_match(policydb_t policydb, struct avtab_node l1,
	int idx1, struct avtab_node *l2, int idx2)
	{
	struct avtab_node *c;
	uint32_t perms1, perms2;

	for (c = l2; c; c = c->next) {
	if (l1->key.source_type < c->key.source_type)
	break;
	if (l1->key.source_type == c->key.source_type &&
	l1->key.target_type < c->key.target_type)
	break;
	if (l1->key.source_type == c->key.source_type &&
	l1->key.target_type == c->key.target_type &&
	l1->key.target_class <= c->key.target_class)
	break;
	}

	if (c &&
	l1->key.source_type == c->key.source_type &&
	l1->key.target_type == c->key.target_type &&
	l1->key.target_class == c->key.target_class) {
	perms1 = l1->datum.data & ~c->datum.data;
	perms2 = c->datum.data & ~l1->datum.data;
	if (perms1 \|\| perms2) {
	if (perms1)
	display_allow(policydb, &l1->key, idx1, perms1);
	if (perms2)
	display_allow(policydb, &c->key, idx2, perms2);
	printf("\n");
	return 1;
	}
	}

	return 0;
	}

	static int analyze_types(policydb_t * policydb, char diff, char equiv)
	{
	avtab_t exp_avtab, exp_cond_avtab;
	struct avtab_node type_rules, l1, *l2;
	struct type_datum *type;
	size_t i, j;

	/*
	* Create a list of access vector rules for each type
	* from the access vector table.
	*/
	type_rules = malloc(sizeof(struct avtab_node) * policydb->p_types.nprim);
	if (!type_rules) {
	fprintf(stderr, "out of memory\n");
	exit(1);
	}
	memset(type_rules, 0, sizeof(struct avtab_node) * policydb->p_types.nprim);

	if (avtab_init(&exp_avtab) \|\| avtab_init(&exp_cond_avtab)) {
	fputs("out of memory\n", stderr);
	return -1;
	}

	if (expand_avtab(policydb, &policydb->te_avtab, &exp_avtab)) {
	fputs("out of memory\n", stderr);
	avtab_destroy(&exp_avtab);
	return -1;
	}

	if (expand_avtab(policydb, &policydb->te_cond_avtab, &exp_cond_avtab)) {
	fputs("out of memory\n", stderr);
	avtab_destroy(&exp_avtab); /* */
	return -1;
	}

	if (avtab_map(&exp_avtab, create_type_rules, type_rules))
	exit(1);

	if (avtab_map(&exp_cond_avtab, create_type_rules_cond, type_rules))
	exit(1);

	avtab_destroy(&exp_avtab);
	avtab_destroy(&exp_cond_avtab);

	/*
	* Compare the type lists and identify similar types.
	*/
	for (i = 0; i < policydb->p_types.nprim - 1; i++) {
	if (!type_rules[i].next)
	continue;
	type = policydb->type_val_to_struct[i];
	if (type->flavor) {
	free_type_rules(type_rules[i].next);
	type_rules[i].next = NULL;
	continue;
	}
	for (j = i + 1; j < policydb->p_types.nprim; j++) {
	type = policydb->type_val_to_struct[j];
	if (type->flavor) {
	free_type_rules(type_rules[j].next);
	type_rules[j].next = NULL;
	continue;
	}
	for (l1 = type_rules[i].next, l2 = type_rules[j].next;
	l1 && l2; l1 = l1->next, l2 = l2->next) {
	if (l1->key.source_type != l2->key.source_type)
	break;
	if (l1->key.target_type != l2->key.target_type)
	break;
	if (l1->key.target_class != l2->key.target_class
	\|\| l1->datum.data != l2->datum.data)
	break;
	}
	if (l1 \|\| l2) {
	if (diff) {
	printf
	("Types %s and %s differ, starting with:\n",
	policydb->p_type_val_to_name[i],
	policydb->p_type_val_to_name[j]);

	if (l1 && l2) {
	if (find_match(policydb, l1, i, l2, j))
	continue;
	if (find_match(policydb, l2, j, l1, i))
	continue;
	}
	if (l1)
	display_allow(policydb, &l1->key, i, l1->datum.data);
	if (l2)
	display_allow(policydb, &l2->key, j, l2->datum.data);
	printf("\n");
	}
	continue;
	}
	free_type_rules(type_rules[j].next);
	type_rules[j].next = NULL;
	if (equiv) {
	printf("Types %s and %s are equivalent.\n",
	policydb->p_type_val_to_name[i],
	policydb->p_type_val_to_name[j]);
	}
	}
	free_type_rules(type_rules[i].next);
	type_rules[i].next = NULL;
	}

	free(type_rules);
	return 0;
	}

	int typecmp_func (int argc, char *argv, policydb_t policydb) {
	char ch, diff = 0, equiv = 0;

	struct option typecmp_options[] = {
	{"diff", no_argument, NULL, 'd'},
	{"equiv", no_argument, NULL, 'e'},
	{NULL, 0, NULL, 0}
	};

	while ((ch = getopt_long(argc, argv, "de", typecmp_options, NULL)) != -1) {
	switch (ch) {
	case 'd':
	diff = 1;
	break;
	case 'e':
	equiv = 1;
	break;
	default:
	USAGE_ERROR = true;
	return -1;
	}
	}

	if (!(diff \|\| equiv)) {
	USAGE_ERROR = true;
	return -1;
	}
	return analyze_types(policydb, diff, equiv);
	}