sepolicy-analyze: Add attribute command.

Add an attribute command to sepolicy-analyze for displaying the list of types associated with an attribute in a policy. This is for use by CTS to check what domains and types are associated with certain attributes such as mlstrustedsubject and mlstrustedobject. Change-Id: Ie19361c02feb1ad14ce36862c6aace9e66c422bb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

sepolicy-analyze: Add attribute command.
0233cd80 · Stephen Smalley · c9361731 · 0233cd80 · 0233cd80 · 0233cd80
Commit 0233cd80 authored 10 years ago by Stephen Smalley
--- a/tools/sepolicy-analyze/Android.mk
+++ b/tools/sepolicy-analyze/Android.mk
@@ -7,7 +7,7 @@ LOCAL_MODULE := sepolicy-analyze
 LOCAL_MODULE_TAGS := optional
 LOCAL_C_INCLUDES := external/libsepol/include
 LOCAL_CFLAGS := -Wall -Werror
-LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c utils.c
+LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c
 LOCAL_STATIC_LIBRARIES := libsepol
 include $(BUILD_HOST_EXECUTABLE)
--- a/tools/sepolicy-analyze/README
+++ b/tools/sepolicy-analyze/README
@@ -60,6 +60,11 @@ sepolicy-analyze
    Policy booleans are forbidden in Android policy, so if there is any
    output, the policy will fail CTS.
+    ATTRIBUTE (attribute)
+    sepolicy-analyze out/target/product/<board>/root/sepolicy attribute <name>
+    Displays the types associated with the specified attribute name.
    NEVERALLOW CHECKING (neverallow)
    sepolicy-analyze out/target/product/<board>/root/sepolicy neverallow \
    [-w] [-d] [-f neverallows.conf] | [-n "neverallow string"]

--- a/tools/sepolicy-analyze/attribute.c
+++ b/tools/sepolicy-analyze/attribute.c
+#include "attribute.h"
+void attribute_usage() {
+    fprintf(stderr, "\tattribute <attribute-name>\n");
+}
+static int list_attribute(policydb_t * policydb, char *name)
+{
+    struct type_datum *attr;
+    struct ebitmap_node *n;
+    unsigned int bit;
+    attr = hashtab_search(policydb->p_types.table, name);
+    if (!attr) {
+        fprintf(stderr, "%s is not defined in this policy.\n", name);
+        return -1;
+    }
+    if (attr->flavor != TYPE_ATTRIB) {
+        fprintf(stderr, "%s is a type not an attribute in this policy.\n", name);
+        return -1;
+    }
+    ebitmap_for_each_bit(&policydb->attr_type_map[attr->s.value - 1], n, bit) {
+        if (!ebitmap_node_get_bit(n, bit))
+            continue;
+        printf("%s\n", policydb->p_type_val_to_name[bit]);
+    }
+    return 0;
+}
+int attribute_func (int argc, char **argv, policydb_t *policydb) {
+    if (argc != 2) {
+        USAGE_ERROR = true;
+        return -1;
+    }
+    return list_attribute(policydb, argv[1]);
+}
--- a/tools/sepolicy-analyze/attribute.h
+++ b/tools/sepolicy-analyze/attribute.h
+#ifndef ATTRIBUTE_H
+#define ATTRIBUTE_H
+#include <sepol/policydb/policydb.h>
+#include "utils.h"
+void attribute_usage(void);
+int attribute_func(int argc, char **argv, policydb_t *policydb);
+#endif /* ATTRIBUTE_H */
--- a/tools/sepolicy-analyze/sepolicy-analyze.c
+++ b/tools/sepolicy-analyze/sepolicy-analyze.c
@@ -7,6 +7,7 @@
 #include "perm.h"
 #include "typecmp.h"
 #include "booleans.h"
+#include "attribute.h"
 #include "utils.h"
 #define NUM_COMPONENTS (int) (sizeof(analyze_components)/sizeof(analyze_components[0]))
@@ -22,7 +23,8 @@ static struct {
    COMP(neverallow),
    COMP(permissive),
    COMP(typecmp),
-    COMP(booleans)
+    COMP(booleans),
+    COMP(attribute)
 };
 void usage(char *arg0)