* [PATCH v2 1/3] checkpolicy: remove a redundant if-condition
@ 2019-10-19 10:26 Masatake YAMATO
  2019-10-19 10:26 ` [PATCH v2 2/3] checkpolicy: update the description for -o option in the man page Masatake YAMATO
  2019-10-19 10:26 ` [PATCH v2 3/3] checkpolicy: allow to write policy to stdout Masatake YAMATO
  0 siblings, 2 replies; 4+ messages in thread
From: Masatake YAMATO @ 2019-10-19 10:26 UTC (permalink / raw)
  To: selinux; +Cc: yamato

The inner if-condition in the following code is redundant:

	if (outfile) {
		/* ... just referring outfile ... */
		if (outfile) {
			do_something();
		}
	}

We can simplify this to:

	if (outfile) {
		/* ... just referring outfile ... */
		do_something();
	}

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
 checkpolicy/checkpolicy.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index f928ec06..e18de171 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -682,9 +682,7 @@ int main(int argc, char **argv)
 			}
 		}
 
-		if (outfile) {
-			fclose(outfp);
-		}
+		fclose(outfp);
 	} else if (cil) {
 		fprintf(stderr, "%s:  No file to write CIL was specified\n", argv[0]);
 		exit(1);
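Review bot: The now-unconditional `fclose(outfp);` still discards its return value, and for a stream opened for writing that call is where buffered data is finally flushed. A failure there (full disk, I/O error) would leave a truncated policy file with no error reported at this point, which matters if that file is later loaded or distributed. I would write `if (fclose(outfp) != 0) { perror(outfile); exit(1); }` instead. The same unchecked call survives in the last hunk of patch 3/3. main() starts and ends outside this hunk, so whether the earlier write calls are checked is not visible here.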
-- 
2.21.0



* [PATCH v2 2/3] checkpolicy: update the description for -o option in the man page
  2019-10-19 10:26 [PATCH v2 1/3] checkpolicy: remove a redundant if-condition Masatake YAMATO
@ 2019-10-19 10:26 ` Masatake YAMATO
  2019-10-19 10:26 ` [PATCH v2 3/3] checkpolicy: allow to write policy to stdout Masatake YAMATO
  1 sibling, 0 replies; 4+ messages in thread
From: Masatake YAMATO @ 2019-10-19 10:26 UTC (permalink / raw)
  To: selinux; +Cc: yamato

Write about policy.conf and CIL files.

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
 checkpolicy/checkpolicy.8 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
index 1552f497..db57751c 100644
--- a/checkpolicy/checkpolicy.8
+++ b/checkpolicy/checkpolicy.8
@@ -40,7 +40,8 @@ Enable the MLS policy when checking and compiling the policy.
 Specify the policy version, defaults to the latest.
 .TP
 .B \-o,\-\-output filename
-Write a binary policy file to the specified filename.
+Write a policy file (binary, policy.conf, or CIL policy)
+to the specified filename.
 .TP
 .B \-S,\-\-sort
 Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.
-- 
2.21.0



* [PATCH v2 3/3] checkpolicy: allow to write policy to stdout
  2019-10-19 10:26 [PATCH v2 1/3] checkpolicy: remove a redundant if-condition Masatake YAMATO
  2019-10-19 10:26 ` [PATCH v2 2/3] checkpolicy: update the description for -o option in the man page Masatake YAMATO
@ 2019-10-19 10:26 ` Masatake YAMATO
  2019-10-22 12:27   ` Stephen Smalley
  1 sibling, 1 reply; 4+ messages in thread
From: Masatake YAMATO @ 2019-10-19 10:26 UTC (permalink / raw)
  To: selinux; +Cc: yamato

If - is given as filename for -o option, checkpolicy
writes the policy to standard output. This helps users
to read policy.conf and/or CIL policy file with pager
like less command:

 $ checkpolicy -M -F -b /sys/fs/selinux/policy  -o - | less

Users don't have to create a temporary file.
/dev/stdout can be used instead; however, - requires less
typing for this purpose. Using - for standard output (and/or standard
input) is a popular convention.

Change(s) in v2:
* Check the availability of the output stream only when opening
  a regular file. Suggested by Stephen Smalley <sds@tycho.nsa.gov>.

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
 checkpolicy/checkpolicy.8 |  5 +++--
 checkpolicy/checkpolicy.c | 22 +++++++++++++++-------
 2 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
index db57751c..bdfd6acd 100644
--- a/checkpolicy/checkpolicy.8
+++ b/checkpolicy/checkpolicy.8
@@ -3,7 +3,7 @@
 checkpolicy \- SELinux policy compiler
 .SH SYNOPSIS
 .B checkpolicy
-.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
+.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
 .br
 .SH "DESCRIPTION"
 This manual page describes the
@@ -41,7 +41,8 @@ Specify the policy version, defaults to the latest.
 .TP
 .B \-o,\-\-output filename
 Write a policy file (binary, policy.conf, or CIL policy)
-to the specified filename.
+to the specified filename. If - is given as filename,
+write it to standard output.
 .TP
 .B \-S,\-\-sort
 Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index e18de171..7c5b63f8 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -112,7 +112,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
 {
 	printf
 	    ("usage:  %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] "
-	     "[-c policyvers (%d-%d)] [-o output_file] [-S] "
+	     "[-c policyvers (%d-%d)] [-o output_file|-] [-S] "
 	     "[-t target_platform (selinux,xen)] [-V] [input_file]\n",
 	     progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
 	exit(1);
@@ -390,7 +390,8 @@ int main(int argc, char **argv)
 	struct sepol_av_decision avd;
 	class_datum_t *cladatum;
 	const char *file = txtfile;
-	char ans[80 + 1], *outfile = NULL, *path, *fstype;
+	char ans[80 + 1], *path, *fstype;
+	const char *outfile = NULL;
 	size_t scontext_len, pathlen;
 	unsigned int i;
 	unsigned int protocol, port;
@@ -638,10 +639,15 @@ int main(int argc, char **argv)
 	}
 
 	if (outfile) {
-		outfp = fopen(outfile, "w");
-		if (!outfp) {
-			perror(outfile);
-			exit(1);
+		if (!strcmp(outfile, "-")) {
+			outfp = stdout;
+			outfile = "<STDOUT>";
+		} else {
+			outfp = fopen(outfile, "w");
+			if (!outfp) {
+				perror(outfile);
+				exit(1);
+			}
 		}
 
 		policydb.policyvers = policyvers;
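Review bot: With `outfp = stdout` the policy now shares a stream with anything else main() prints through printf, and the reassignment `outfile = "<STDOUT>";` suggests outfile is used later in a message. If any of those status messages go to stdout (not visible in this hunk), they would be interleaved with the policy, and a consumer reading a binary policy from the pipe would receive a corrupted file. It is worth confirming that status output goes to stderr when `-o -` is used. A short comment on the branch would also help, for example `/* "-" selects stdout; outfile is kept only as a label for messages */`. main() begins and ends outside the hunk.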
@@ -682,7 +688,9 @@ int main(int argc, char **argv)
 			}
 		}
 
-		fclose(outfp);
+		if (outfp != stdout) {
+			fclose(outfp);
+		}
 	} else if (cil) {
 		fprintf(stderr, "%s:  No file to write CIL was specified\n", argv[0]);
 		exit(1);
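Review bot: On the stdout path nothing flushes the stream or checks it for errors before leaving this block, so a failed write to a closed pipe or a full redirect target goes unreported here. Skipping `fclose` on stdout is reasonable, but I would add an explicit flush in its place: `} else if (fflush(outfp) != 0) { perror(outfile); exit(1); }`. main() continues beyond the hunk, so a later flush or error check may exist that is not visible here.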
-- 
2.21.0



* Re: [PATCH v2 3/3] checkpolicy: allow to write policy to stdout
  2019-10-19 10:26 ` [PATCH v2 3/3] checkpolicy: allow to write policy to stdout Masatake YAMATO
@ 2019-10-22 12:27   ` Stephen Smalley
  0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2019-10-22 12:27 UTC (permalink / raw)
  To: Masatake YAMATO, selinux

On 10/19/19 6:26 AM, Masatake YAMATO wrote:
> If - is given as filename for -o option, checkpolicy
> writes the policy to standard output. This helps users
> to read policy.conf and/or CIL policy file with pager
> like less command:
> 
>   $ checkpolicy -M -F -b /sys/fs/selinux/policy  -o - | less
> 
> The users don't have to make a temporary file.
> /dev/stdout can be used instead. However, - reduces the number of
> typing for the purpose. Using - for standard output (and/or standard
> input) is popular convention.
> 
> Change(s) in v2:
> * Check the availability of output stream only when opening
>    a regualar file. Suggested by Stephen Smalley <sds@tycho.nsa.gov>.
> 
> Signed-off-by: Masatake YAMATO <yamato@redhat.com>

Thanks, applied.

> ---
>   checkpolicy/checkpolicy.8 |  5 +++--
>   checkpolicy/checkpolicy.c | 22 +++++++++++++++-------
>   2 files changed, 18 insertions(+), 9 deletions(-)
> 
> diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
> index db57751c..bdfd6acd 100644
> --- a/checkpolicy/checkpolicy.8
> +++ b/checkpolicy/checkpolicy.8
> @@ -3,7 +3,7 @@
>   checkpolicy \- SELinux policy compiler
>   .SH SYNOPSIS
>   .B checkpolicy
> -.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
> +.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
>   .br
>   .SH "DESCRIPTION"
>   This manual page describes the
> @@ -41,7 +41,8 @@ Specify the policy version, defaults to the latest.
>   .TP
>   .B \-o,\-\-output filename
>   Write a policy file (binary, policy.conf, or CIL policy)
> -to the specified filename.
> +to the specified filename. If - is given as filename,
> +write it to standard output.
>   .TP
>   .B \-S,\-\-sort
>   Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.
> diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
> index e18de171..7c5b63f8 100644
> --- a/checkpolicy/checkpolicy.c
> +++ b/checkpolicy/checkpolicy.c
> @@ -112,7 +112,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
>   {
>   	printf
>   	    ("usage:  %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] "
> -	     "[-c policyvers (%d-%d)] [-o output_file] [-S] "
> +	     "[-c policyvers (%d-%d)] [-o output_file|-] [-S] "
>   	     "[-t target_platform (selinux,xen)] [-V] [input_file]\n",
>   	     progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
>   	exit(1);
> @@ -390,7 +390,8 @@ int main(int argc, char **argv)
>   	struct sepol_av_decision avd;
>   	class_datum_t *cladatum;
>   	const char *file = txtfile;
> -	char ans[80 + 1], *outfile = NULL, *path, *fstype;
> +	char ans[80 + 1], *path, *fstype;
> +	const char *outfile = NULL;
>   	size_t scontext_len, pathlen;
>   	unsigned int i;
>   	unsigned int protocol, port;
> @@ -638,10 +639,15 @@ int main(int argc, char **argv)
>   	}
>   
>   	if (outfile) {
> -		outfp = fopen(outfile, "w");
> -		if (!outfp) {
> -			perror(outfile);
> -			exit(1);
> +		if (!strcmp(outfile, "-")) {
> +			outfp = stdout;
> +			outfile = "<STDOUT>";
> +		} else {
> +			outfp = fopen(outfile, "w");
> +			if (!outfp) {
> +				perror(outfile);
> +				exit(1);
> +			}
>   		}
>   
>   		policydb.policyvers = policyvers;
> @@ -682,7 +688,9 @@ int main(int argc, char **argv)
>   			}
>   		}
>   
> -		fclose(outfp);
> +		if (outfp != stdout) {
> +			fclose(outfp);
> +		}
>   	} else if (cil) {
>   		fprintf(stderr, "%s:  No file to write CIL was specified\n", argv[0]);
>   		exit(1);
> 


