new applets: selinux utils by KaiGai Kohei <kaigai@kaigai.gr.jp>

2007-02-06 19:28:50 +00:00
parent b292264bfd
commit d46d3c292e
14 changed files with 361 additions and 10 deletions
--- a/selinux/Config.in
+++ b/selinux/Config.in
@@ -0,0 +1,47 @@
+#
+# For a description of the syntax of this configuration file,
+# see scripts/kbuild/config-language.txt.
+#
+
+menu "Selinux Utilities"
+	depends on SELINUX
+
+config GETENFORCE
+	bool "getenforce"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to get the current mode of SELinux.
+
+config GETSEBOOL
+	bool "getsebool"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to get SELinux boolean values.
+
+config MATCHPATHCON
+	bool "matchpathcon"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to get default security context of the
+	  specified path from the file contexts configuration.
+
+config SELINUXENABLED
+	bool "selinuxenabled"
+	default n
+	depends on SELINUX
+	help
+	  Enable support for this command to be used within shell scripts
+	  to determine if selinux is enabled.
+
+config SETENFORCE
+	bool "setenforce"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to modify the mode SELinux is running in.
+
+endmenu
+
--- a/selinux/Kbuild
+++ b/selinux/Kbuild
@@ -0,0 +1,13 @@
+# Makefile for busybox
+#
+# Copyright (C) 1999-2005 by Erik Andersen <andersen@codepoet.org>
+# Copyright (C) 2007 by KaiGai Kohei <kaigai@kaigai.gr.jp>
+#
+# Licensed under the GPL v2, see the file LICENSE in this tarball.
+
+lib-y:=
+lib-$(CONFIG_GETENFORCE)	+= getenforce.o
+lib-$(CONFIG_GETSEBOOL)		+= getsebool.o
+lib-$(CONFIG_MATCHPATHCON)	+= matchpathcon.o
+lib-$(CONFIG_SELINUXENABLED)	+= selinuxenabled.o
+lib-$(CONFIG_SETENFORCE)	+= setenforce.o
--- a/selinux/getenforce.c
+++ b/selinux/getenforce.c
@@ -0,0 +1,33 @@
+/*
+ * getenforce
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+
+#include "busybox.h"
+
+int getenforce_main(int argc, char **argv)
+{
+	int rc;
+
+	rc = is_selinux_enabled();
+	if (rc < 0)
+		bb_error_msg_and_die("is_selinux_enabled() failed");
+
+	if (rc == 1) {
+		rc = security_getenforce();
+		if (rc < 0)
+			bb_error_msg_and_die("getenforce() failed");
+
+		if (rc)
+			puts("Enforcing");
+		else
+			puts("Permissive");
+	} else {
+		puts("Disabled");
+	}
+
+	return 0;
+}
--- a/selinux/getsebool.c
+++ b/selinux/getsebool.c
@@ -0,0 +1,65 @@
+/*
+ * getsebool
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+
+#include "busybox.h"
+
+int getsebool_main(int argc, char **argv)
+{
+	int i, rc = 0, active, pending, len = 0;
+	char **names;
+	unsigned opt;
+
+	selinux_or_die();
+	opt = getopt32(argc, argv, "a");
+
+	if (opt) { /* -a */
+		if (argc > 2)
+			bb_show_usage();
+
+		rc = security_get_boolean_names(&names, &len);
+		if (rc)
+			bb_perror_msg_and_die("cannot get boolean names");
+
+		if (!len) {
+			puts("No booleans");
+			return 0;
+		}
+	}
+
+	if (!len) {
+		if (argc < 2)
+			bb_show_usage();
+		len = argc - 1;
+		names = xmalloc(sizeof(char *) * len);
+		for (i = 0; i < len; i++)
+			names[i] = xstrdup(argv[i + 1]);
+	}
+
+	for (i = 0; i < len; i++) {
+		active = security_get_boolean_active(names[i]);
+		if (active < 0) {
+			bb_error_msg_and_die("error getting active value for %s", names[i]);
+		}
+		pending = security_get_boolean_pending(names[i]);
+		if (pending < 0) {
+			bb_error_msg_and_die("error getting pending value for %s", names[i]);
+		}
+		printf("%s --> %s", names[i], (active ? "on" : "off"));
+		if (pending != active)
+			printf(" pending: %s", (pending ? "on" : "off"));
+		putchar('\n');
+	}
+
+	if (ENABLE_FEATURE_CLEAN_UP) {
+		for (i = 0; i < len; i++)
+			free(names[i]);
+		free(names);
+	}
+
+	return rc;
+}
--- a/selinux/matchpathcon.c
+++ b/selinux/matchpathcon.c
@@ -0,0 +1,85 @@
+/* matchpathcon  -  get the default security context for the specified
+ *                  path from the file contexts configuration.
+ *                  based on libselinux-1.32
+ * Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp>
+ *
+ */
+#include "busybox.h"
+
+static int print_matchpathcon(char *path, int noprint)
+{
+	char *buf;
+	int rc = matchpathcon(path, 0, &buf);
+	if (rc < 0) {
+		bb_perror_msg("matchpathcon(%s) failed", path);
+		return 1;
+	}
+	if (!noprint)
+		printf("%s\t%s\n", path, buf);
+	else
+		printf("%s\n", buf);
+
+	freecon(buf);
+	return 0;
+}
+
+#define OPT_NOT_PRINT   (1<<0)  /* -n */
+#define OPT_NOT_TRANS   (1<<1)  /* -N */
+#define OPT_FCONTEXT    (1<<2)  /* -f */
+#define OPT_PREFIX      (1<<3)  /* -p */
+#define OPT_VERIFY      (1<<4)  /* -V */
+
+int matchpathcon_main(int argc, char **argv)
+{
+	int error = 0;
+	unsigned opts;
+	char *fcontext, *prefix, *path;
+
+	opt_complementary = "-1:" /* at least one param reqd */
+		"f--p:p--f"; /* mutually exclusive */
+	opts = getopt32(argc, argv, "nNf:p:V", &fcontext, &prefix);
+	argv += optind;
+
+	if (opts & OPT_NOT_TRANS) {
+		set_matchpathcon_flags(NOTRANS);
+	}
+	if (opts & OPT_FCONTEXT) {
+		if (matchpathcon_init(fcontext))
+			bb_perror_msg_and_die("error while processing %s", fcontext);
+	}
+	if (opts & OPT_PREFIX) {
+		if (matchpathcon_init_prefix(NULL, prefix))
+			bb_perror_msg_and_die("error while processing %s", prefix);
+	}
+
+	while((path = *argv++) != NULL) {
+		security_context_t con;
+		int rc;
+
+		if (!(opts & OPT_VERIFY)) {
+			error += print_matchpathcon(path, opt & OPT_NOT_PRINT);
+			continue;
+		}
+
+		if (selinux_file_context_verify(path, 0)) {
+			printf("%s verified\n", path);
+			continue;
+		}
+
+		if (opts & OPT_NOT_TRANS)
+			rc = lgetfilecon_raw(path, &con);
+		else
+			rc = lgetfilecon(path, &con);
+
+		if (rc >= 0) {
+			printf("%s has context %s, should be ", path, con);
+			error += print_matchpathcon(path, 1);
+			freecon(con);
+			continue;
+		}
+		printf("actual context unknown: %s, should be ", strerror(errno));
+		error += print_matchpathcon(path, 1);
+	}
+	matchpathcon_fini();
+	return error;
+}
--- a/selinux/selinuxenabled.c
+++ b/selinux/selinuxenabled.c
@@ -0,0 +1,13 @@
+/*
+ * selinuxenabled
+ * 
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+#include "busybox.h"
+
+int selinuxenabled_main(int argc, char **argv)
+{
+	return !is_selinux_enabled();
+}
--- a/selinux/setenforce.c
+++ b/selinux/setenforce.c
@@ -0,0 +1,44 @@
+/*
+ * setenforce
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+
+#include "busybox.h"
+
+static const smallint setenforce_mode[] = {
+	0,
+	1,
+	0,
+	1,
+};
+static const char *const setenforce_cmd[] = {
+	"0",
+	"1",
+	"permissive",
+	"enforcing",
+	NULL,
+};
+
+int setenforce_main(int argc, char **argv)
+{
+	int i, rc;
+
+	if (argc != 2)
+		bb_show_usage();
+
+	selinux_or_die();
+
+	for (i = 0; setenforce_cmd[i]; i++) {
+		if (strcasecmp(argv[1], setenforce_cmd[i]) != 0)
+			continue;
+		rc = security_setenforce(setenforce_mode[i]);
+		if (rc < 0)
+			bb_perror_msg_and_die("setenforce() failed");
+		return 0;
+	}
+
+	bb_show_usage();
+}