* [PATCH 0/2] checkmodule: allow building modules of a specific version
From: Gary Tierney @ 2019-04-17 16:37 UTC (permalink / raw)
To: selinux

These changes come from a report by a user on the Freenode IRC channel that they were unable to build policies for a machine that has an older version of libsepol installed.

A new `-c` option that mirrors checkpolicy's own has been added to checkmodule, and the output of a simple test is shown below:

$ cat > test.te <<EOF
module test 1.0;

require {
	type domain;
	type file_type;
	class file { read write };
}

allow domain file_type : file { read write };
EOF
$ obj/usr/bin/checkmodule -m -M -c 10 -o test.mod test.te
$ checkpolicy/test/dismod test.mod
Reading policy...
... snip ...
Binary policy module file loaded.
Module name: test
Module version: 1.0
Policy version: 10

Worthy of note, however, is that these policy version numbers differ from those used by the kernel policy format.

Gary Tierney (2):
  checkmodule: add support for specifying module policy version
  dismod: print policy version of loaded modules

 checkpolicy/checkmodule.8 | 5 ++++-
 checkpolicy/checkmodule.c | 29 +++++++++++++++++++++++++++--
 checkpolicy/test/dismod.c | 4 ++--
 3 files changed, 33 insertions(+), 5 deletions(-)

-- 
2.17.2
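As an added example (not code from this patch series or from libsepol), here is a small Python check a packager could run before copying a module to a host whose libsepol is older: it reads the modular policy header and reports the same policy version that dismod prints in the test above, so the `-c` value can be verified without dismod on the build machine. The header layout it relies on (magic, target-string length and string, then policy type and policy version as little-endian 32-bit fields) is my reading of libsepol's policydb_read() and should be treated as an assumption; the sample header the block checks is constructed inline.

```python
import struct

# Header constants as I understand libsepol's policydb_read() (assumption,
# not taken from the patch series): a modular policy file starts with a
# 32-bit magic, a 32-bit string length, the target string, then five 32-bit
# fields of which the first is the module kind and the second the version.
POLICYDB_MOD_MAGIC = 0xF97CFF8D
POLICYDB_MOD_STRING = b"SE Linux Module"
POLICY_BASE = 1
POLICY_MOD = 2


def build_module_header(policy_type, policyvers, config=0, nsyms=0, nocons=0):
    """Construct a minimal modular-policy header (constructed test data only)."""
    return (struct.pack("<II", POLICYDB_MOD_MAGIC, len(POLICYDB_MOD_STRING))
            + POLICYDB_MOD_STRING
            + struct.pack("<IIIII", policy_type, policyvers, config, nsyms, nocons))


def read_module_header(data):
    """Return (policy_type, policyvers) from the start of a modular policy file.

    Raises ValueError for anything that is not a well-formed module header,
    so a truncated or non-module file is never reported as a version.
    """
    if len(data) < 8:
        raise ValueError("truncated: no magic/length")
    magic, slen = struct.unpack_from("<II", data, 0)
    if magic != POLICYDB_MOD_MAGIC:
        raise ValueError("not a modular policy file (magic 0x%08x)" % magic)
    if slen != len(POLICYDB_MOD_STRING) or len(data) < 8 + slen + 20:
        raise ValueError("truncated or unexpected target string length %d" % slen)
    target = data[8:8 + slen]
    if target != POLICYDB_MOD_STRING:
        raise ValueError("unexpected target string %r" % target)
    policy_type, policyvers = struct.unpack_from("<II", data, 8 + slen)
    if policy_type not in (POLICY_BASE, POLICY_MOD):
        raise ValueError("unexpected policy type %d" % policy_type)
    return policy_type, policyvers


def loadable_on(data, max_supported_vers):
    """True if the module's version does not exceed what the target libsepol supports.

    max_supported_vers is the highest modular policy version the target host's
    libsepol accepts (the number its own `checkmodule -V` reports).
    """
    _, vers = read_module_header(data)
    return vers <= max_supported_vers


if __name__ == "__main__":
    # Constructed sample standing in for the test.mod built with `-c 10` above.
    sample = build_module_header(POLICY_MOD, 10)
    kind, vers = read_module_header(sample)
    print("kind=%s policyvers=%d" % ("mod" if kind == POLICY_MOD else "base", vers))
    print("loadable on a libsepol supporting up to 10:", loadable_on(sample, 10))
    print("loadable on a libsepol supporting up to 9:", loadable_on(sample, 9))
```

To check a real file, read it in binary mode and pass the bytes to read_module_header(); only the first 43 bytes are examined. The version comparison is the one that matters for the IRC report in the cover letter: a module built at a higher modular policy version than the destination libsepol understands will be rejected there, and this check catches that before the file leaves the build host.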
* [PATCH 1/2] checkmodule: add support for specifying module policy version 2019-04-17 16:37 [PATCH 0/2] checkmodule: allow building modules of a specific version Gary Tierney @ 2019-04-17 16:37 ` Gary Tierney 2019-04-18 15:11 ` William Roberts 2019-04-17 16:37 ` [PATCH 2/2] dismod: print policy version of loaded modules Gary Tierney 2019-04-18 13:17 ` [Non-DoD Source] [PATCH 0/2] checkmodule: allow building modules of a specific version jwcart2 2 siblings, 1 reply; 9+ messages in thread From: Gary Tierney @ 2019-04-17 16:37 UTC (permalink / raw) To: selinux Currently checkpolicy can produce binary policies for earlier policy versions to provide support for building policies on one machine and loading/analyzing them on another machine with an earlier version of the kernel or libsepol, respectively. However, checkmodule was lacking this capability. This commit adds an identical `-c` flag that can be passed to checkmodule that will build a modular policy file of the specified version. Signed-off-by: Gary Tierney <gary.tierney@fastmail.com> --- checkpolicy/checkmodule.8 | 5 ++++- checkpolicy/checkmodule.c | 29 +++++++++++++++++++++++++++-- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/checkpolicy/checkmodule.8 b/checkpolicy/checkmodule.8 index cf76591c24d0..e55582f30ec0 100644 --- a/checkpolicy/checkmodule.8 +++ b/checkpolicy/checkmodule.8 @@ -38,7 +38,7 @@ Generate a non-base policy module. Enable the MLS/MCS support when checking and compiling the policy module. .TP .B \-V,\-\-version - Show policy versions created by this program. Note that you cannot currently build older versions. +Show policy versions created by this program. .TP .B \-o,\-\-output filename Write a binary policy module file to the specified filename. 
@@ -47,6 +47,9 @@ and will not generate a binary module at all. .TP .B \-U,\-\-handle-unknown <action> Specify how the kernel should handle unknown classes or permissions (deny, allow or reject). +.TP +.B \-c policyvers +Specify the policy version, defaults to the latest. .SH EXAMPLE .nf diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c index 8edc1f8c7bbd..3bb9e5a4a6b3 100644 --- a/checkpolicy/checkmodule.c +++ b/checkpolicy/checkmodule.c @@ -142,6 +142,8 @@ static __attribute__((__noreturn__)) void usage(const char *progname) printf(" -m build a policy module instead of a base module\n"); printf(" -M enable MLS policy\n"); printf(" -o FILE write module to FILE (else just check syntax)\n"); + printf(" -c VERSION build a policy module targeting a modular policy version (%d-%d)\n", + MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX); exit(1); } @@ -163,7 +165,7 @@ int main(int argc, char **argv) {NULL, 0, NULL, 0} }; - while ((ch = getopt_long(argc, argv, "ho:bVU:mMC", long_options, NULL)) != -1) { + while ((ch = getopt_long(argc, argv, "ho:bVU:mMCc:", long_options, NULL)) != -1) { switch (ch) { case 'h': usage(argv[0]); @@ -194,7 +196,6 @@ int main(int argc, char **argv) usage(argv[0]); case 'm': policy_type = POLICY_MOD; - policyvers = MOD_POLICYDB_VERSION_MAX; break; case 'M': mlspol = 1; @@ -202,6 +203,30 @@ int main(int argc, char **argv) case 'C': cil = 1; break; + case 'c': { + long int n; + errno = 0; + n = strtol(optarg, NULL, 10); + + if (errno) { + fprintf(stderr, + "Invalid policyvers specified: %s\n", + optarg); + usage(argv[0]); + } + + if (n < MOD_POLICYDB_VERSION_MIN + || n > MOD_POLICYDB_VERSION_MAX) { + fprintf(stderr, + "policyvers value %ld not in range %d-%d\n", + n, MOD_POLICYDB_VERSION_MIN, + MOD_POLICYDB_VERSION_MAX); + usage(argv[0]); + } + + policyvers = n; + break; + } default: usage(argv[0]); } -- 2.17.2 ^ permalink raw reply related [flat|nested] 9+ messages in thread
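Review bot: the new `.B \-c policyvers` entry in the checkmodule.8 hunk states no valid range, while the usage() text added in checkmodule.c prints `(%d-%d)` from MOD_POLICYDB_VERSION_MIN and MOD_POLICYDB_VERSION_MAX; put the range in the man page too, and since the cover letter notes that module versions differ from kernel policy versions, say explicitly that this is the modular policy version (the numbers `-V` prints), not the kernel one.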
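Review bot: in the `@@ -194,7 +196,6 @@` hunk, removing `policyvers = MOD_POLICYDB_VERSION_MAX;` from `case 'm'` makes the -m path depend on the initial value of policyvers, which is outside this hunk; confirm it is initialised to MOD_POLICYDB_VERSION_MAX, and that a base module build without -m uses the same default, otherwise this silently changes the version -m produces. The removal is what makes `-c` independent of whether it appears before or after `-m`, so it is the right change if the initialiser holds.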
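Review bot: in the `case 'c'` hunk, `strtol(optarg, NULL, 10)` with a NULL end pointer accepts trailing garbage, so `-c 10abc` builds a version-10 module without complaint, and a non-numeric string converts to 0 and is only rejected indirectly by the range check; pass an end pointer and reject when `end == optarg || *end != '\0'` before the range test. Also confirm `<errno.h>` is included in checkmodule.c (not visible in the hunk), and drop the blank line between the strtol() call and the `if (errno)` test.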
* Re: [PATCH 1/2] checkmodule: add support for specifying module policy version 2019-04-17 16:37 ` [PATCH 1/2] checkmodule: add support for specifying module policy version Gary Tierney @ 2019-04-18 15:11 ` William Roberts 0 siblings, 0 replies; 9+ messages in thread From: William Roberts @ 2019-04-18 15:11 UTC (permalink / raw) To: Gary Tierney; +Cc: selinux On Wed, Apr 17, 2019 at 9:37 AM Gary Tierney <gary.tierney@fastmail.com> wrote: > > Currently checkpolicy can produce binary policies for earlier policy versions > to provide support for building policies on one machine and loading/analyzing > them on another machine with an earlier version of the kernel or libsepol, > respectively. However, checkmodule was lacking this capability. > > This commit adds an identical `-c` flag that can be passed to checkmodule that > will build a modular policy file of the specified version. > > Signed-off-by: Gary Tierney <gary.tierney@fastmail.com> > --- > checkpolicy/checkmodule.8 | 5 ++++- > checkpolicy/checkmodule.c | 29 +++++++++++++++++++++++++++-- > 2 files changed, 31 insertions(+), 3 deletions(-) > > diff --git a/checkpolicy/checkmodule.8 b/checkpolicy/checkmodule.8 > index cf76591c24d0..e55582f30ec0 100644 > --- a/checkpolicy/checkmodule.8 > +++ b/checkpolicy/checkmodule.8 > @@ -38,7 +38,7 @@ Generate a non-base policy module. > Enable the MLS/MCS support when checking and compiling the policy module. > .TP > .B \-V,\-\-version > - Show policy versions created by this program. Note that you cannot currently build older versions. > +Show policy versions created by this program. > .TP > .B \-o,\-\-output filename > Write a binary policy module file to the specified filename. 
> @@ -47,6 +47,9 @@ and will not generate a binary module at all. > .TP > .B \-U,\-\-handle-unknown <action> > Specify how the kernel should handle unknown classes or permissions (deny, allow or reject). > +.TP > +.B \-c policyvers > +Specify the policy version, defaults to the latest. > > .SH EXAMPLE > .nf > diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c > index 8edc1f8c7bbd..3bb9e5a4a6b3 100644 > --- a/checkpolicy/checkmodule.c > +++ b/checkpolicy/checkmodule.c > @@ -142,6 +142,8 @@ static __attribute__((__noreturn__)) void usage(const char *progname) > printf(" -m build a policy module instead of a base module\n"); > printf(" -M enable MLS policy\n"); > printf(" -o FILE write module to FILE (else just check syntax)\n"); > + printf(" -c VERSION build a policy module targeting a modular policy version (%d-%d)\n", > + MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX); > exit(1); > } > > @@ -163,7 +165,7 @@ int main(int argc, char **argv) > {NULL, 0, NULL, 0} > }; > > - while ((ch = getopt_long(argc, argv, "ho:bVU:mMC", long_options, NULL)) != -1) { > + while ((ch = getopt_long(argc, argv, "ho:bVU:mMCc:", long_options, NULL)) != -1) { > switch (ch) { > case 'h': > usage(argv[0]); > @@ -194,7 +196,6 @@ int main(int argc, char **argv) > usage(argv[0]); > case 'm': > policy_type = POLICY_MOD; > - policyvers = MOD_POLICYDB_VERSION_MAX; > break; > case 'M': > mlspol = 1; 
> @@ -202,6 +203,30 @@ int main(int argc, char **argv) > case 'C': > cil = 1; > break; > + case 'c': { > + long int n; > + errno = 0; > + n = strtol(optarg, NULL, 10); > + > + if (errno) { Get rid of this newline between the strtol() and errno. > + fprintf(stderr, > + "Invalid policyvers specified: %s\n", > + optarg); > + usage(argv[0]); > + } > + > + if (n < MOD_POLICYDB_VERSION_MIN > + || n > MOD_POLICYDB_VERSION_MAX) { > + fprintf(stderr, > + "policyvers value %ld not in range %d-%d\n", > + n, MOD_POLICYDB_VERSION_MIN, > + MOD_POLICYDB_VERSION_MAX); > + usage(argv[0]); > + } > + > + policyvers = n; > + break; > + } > default: > usage(argv[0]); > } > -- > 2.17.2 > ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 2/2] dismod: print policy version of loaded modules 2019-04-17 16:37 [PATCH 0/2] checkmodule: allow building modules of a specific version Gary Tierney 2019-04-17 16:37 ` [PATCH 1/2] checkmodule: add support for specifying module policy version Gary Tierney @ 2019-04-17 16:37 ` Gary Tierney 2019-04-18 15:13 ` William Roberts 2019-04-18 13:17 ` [Non-DoD Source] [PATCH 0/2] checkmodule: allow building modules of a specific version jwcart2 2 siblings, 1 reply; 9+ messages in thread From: Gary Tierney @ 2019-04-17 16:37 UTC (permalink / raw) To: selinux Signed-off-by: Gary Tierney <gary.tierney@fastmail.com> --- checkpolicy/test/dismod.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c index d5c7eeab093a..075bd85df4e6 100644 --- a/checkpolicy/test/dismod.c +++ b/checkpolicy/test/dismod.c @@ -903,14 +903,14 @@ int main(int argc, char **argv) } if (policydb.policy_type == POLICY_BASE) { - printf("Binary base policy file loaded.\n\n"); + printf("Binary base policy file loaded.\n"); } else { printf("Binary policy module file loaded.\n"); printf("Module name: %s\n", policydb.name); printf("Module version: %s\n", policydb.version); - printf("\n"); } + printf("Policy version: %d\n\n", policydb.policyvers); menu(); for (;;) { printf("\nCommand (\'m\' for menu): "); -- 2.17.2 ^ permalink raw reply related [flat|nested] 9+ messages in thread
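Review bot: the commit message is empty apart from the Signed-off-by; add a line saying why the version is now printed (so the policy version a module was built with can be verified, which the cover letter's test relies on). In the hunk, `policydb.policyvers` is printed with `%d`; if that field is unsigned (its declaration is not in the hunk), `%u` is the matching conversion. Folding the trailing blank line into the shared printf after the if/else is fine.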
* Re: [PATCH 2/2] dismod: print policy version of loaded modules 2019-04-17 16:37 ` [PATCH 2/2] dismod: print policy version of loaded modules Gary Tierney @ 2019-04-18 15:13 ` William Roberts 0 siblings, 0 replies; 9+ messages in thread From: William Roberts @ 2019-04-18 15:13 UTC (permalink / raw) To: Gary Tierney; +Cc: selinux On Wed, Apr 17, 2019 at 9:39 AM Gary Tierney <gary.tierney@fastmail.com> wrote: > > Signed-off-by: Gary Tierney <gary.tierney@fastmail.com> > --- > checkpolicy/test/dismod.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c > index d5c7eeab093a..075bd85df4e6 100644 > --- a/checkpolicy/test/dismod.c > +++ b/checkpolicy/test/dismod.c > @@ -903,14 +903,14 @@ int main(int argc, char **argv) > } > > if (policydb.policy_type == POLICY_BASE) { > - printf("Binary base policy file loaded.\n\n"); > + printf("Binary base policy file loaded.\n"); > } else { > printf("Binary policy module file loaded.\n"); > printf("Module name: %s\n", policydb.name); > printf("Module version: %s\n", policydb.version); > - printf("\n"); > } > > + printf("Policy version: %d\n\n", policydb.policyvers); > menu(); > for (;;) { > printf("\nCommand (\'m\' for menu): "); > -- > 2.17.2 > I don't have a problem with this, does anyone else? ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Non-DoD Source] [PATCH 0/2] checkmodule: allow building modules of a specific version 2019-04-17 16:37 [PATCH 0/2] checkmodule: allow building modules of a specific version Gary Tierney 2019-04-17 16:37 ` [PATCH 1/2] checkmodule: add support for specifying module policy version Gary Tierney 2019-04-17 16:37 ` [PATCH 2/2] dismod: print policy version of loaded modules Gary Tierney @ 2019-04-18 13:17 ` jwcart2 2019-04-18 15:18 ` William Roberts 2 siblings, 1 reply; 9+ messages in thread From: jwcart2 @ 2019-04-18 13:17 UTC (permalink / raw) To: Gary Tierney, selinux; +Cc: Steve Smalley On 4/17/19 12:37 PM, Gary Tierney wrote: > These changes come from a report by a user on the Freenode IRC channel that > they were unable to build policies for a machine that has an older version of > libsepol installed. > > A new `-c` option that mirrors checkpolicy's own has been added to checkmodule, > and the output of a simple test is shown below: > > $ cat > test.te <<EOF > module test 1.0; > > require { > type domain; > type file_type; > class file { read write }; > } > > allow domain file_type : file { read write }; > EOF > $ obj/usr/bin/checkmodule -m -M -c 10 -o test.mod test.te > $ checkpolicy/test/dismod test.mod > Reading policy... > ... snip ... > Binary policy module file loaded. > Module name: test > Module version: 1.0 > Policy version: 10 > > Worthy of note, however, is that these policy version numbers differ from those > used by the kernel policy format. > > Gary Tierney (2): > checkmodule: add support for specifying module policy version > dismod: print policy version of loaded modules > > checkpolicy/checkmodule.8 | 5 ++++- > checkpolicy/checkmodule.c | 29 +++++++++++++++++++++++++++-- > checkpolicy/test/dismod.c | 4 ++-- > 3 files changed, 33 insertions(+), 5 deletions(-) > Acked-by: James Carter <jwcart2@tycho.nsa.gov> -- James Carter <jwcart2@tycho.nsa.gov> National Security Agency ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Non-DoD Source] [PATCH 0/2] checkmodule: allow building modules of a specific version 2019-04-18 13:17 ` [Non-DoD Source] [PATCH 0/2] checkmodule: allow building modules of a specific version jwcart2 @ 2019-04-18 15:18 ` William Roberts 2019-04-18 17:49 ` jwcart2 0 siblings, 1 reply; 9+ messages in thread From: William Roberts @ 2019-04-18 15:18 UTC (permalink / raw) To: jwcart2; +Cc: Gary Tierney, selinux, Steve Smalley On Thu, Apr 18, 2019 at 6:27 AM jwcart2 <jwcart2@tycho.nsa.gov> wrote: > > On 4/17/19 12:37 PM, Gary Tierney wrote: > > These changes come from a report by a user on the Freenode IRC channel that > > they were unable to build policies for a machine that has an older version of > > libsepol installed. > > > > A new `-c` option that mirrors checkpolicy's own has been added to checkmodule, > > and the output of a simple test is shown below: > > > > $ cat > test.te <<EOF > > module test 1.0; > > > > require { > > type domain; > > type file_type; > > class file { read write }; > > } > > > > allow domain file_type : file { read write }; > > EOF > > $ obj/usr/bin/checkmodule -m -M -c 10 -o test.mod test.te > > $ checkpolicy/test/dismod test.mod > > Reading policy... > > ... snip ... > > Binary policy module file loaded. > > Module name: test > > Module version: 1.0 > > Policy version: 10 > > > > Worthy of note, however, is that these policy version numbers differ from those > > used by the kernel policy format. > > > > Gary Tierney (2): > > checkmodule: add support for specifying module policy version > > dismod: print policy version of loaded modules > > > > checkpolicy/checkmodule.8 | 5 ++++- > > checkpolicy/checkmodule.c | 29 +++++++++++++++++++++++++++-- > > checkpolicy/test/dismod.c | 4 ++-- > > 3 files changed, 33 insertions(+), 5 deletions(-) > > > > Acked-by: James Carter <jwcart2@tycho.nsa.gov> James there's a superfluous newline between strtol() and errno. 
> > -- > James Carter <jwcart2@tycho.nsa.gov> > National Security Agency ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Non-DoD Source] [PATCH 0/2] checkmodule: allow building modules of a specific version 2019-04-18 15:18 ` William Roberts @ 2019-04-18 17:49 ` jwcart2 2019-04-19 17:21 ` jwcart2 0 siblings, 1 reply; 9+ messages in thread From: jwcart2 @ 2019-04-18 17:49 UTC (permalink / raw) To: William Roberts; +Cc: Gary Tierney, selinux, Steve Smalley On 4/18/19 11:18 AM, William Roberts wrote: > On Thu, Apr 18, 2019 at 6:27 AM jwcart2 <jwcart2@tycho.nsa.gov> wrote: >> >> On 4/17/19 12:37 PM, Gary Tierney wrote: >>> These changes come from a report by a user on the Freenode IRC channel that >>> they were unable to build policies for a machine that has an older version of >>> libsepol installed. >>> >>> A new `-c` option that mirrors checkpolicy's own has been added to checkmodule, >>> and the output of a simple test is shown below: >>> >>> $ cat > test.te <<EOF >>> module test 1.0; >>> >>> require { >>> type domain; >>> type file_type; >>> class file { read write }; >>> } >>> >>> allow domain file_type : file { read write }; >>> EOF >>> $ obj/usr/bin/checkmodule -m -M -c 10 -o test.mod test.te >>> $ checkpolicy/test/dismod test.mod >>> Reading policy... >>> ... snip ... >>> Binary policy module file loaded. >>> Module name: test >>> Module version: 1.0 >>> Policy version: 10 >>> >>> Worthy of note, however, is that these policy version numbers differ from those >>> used by the kernel policy format. >>> >>> Gary Tierney (2): >>> checkmodule: add support for specifying module policy version >>> dismod: print policy version of loaded modules >>> >>> checkpolicy/checkmodule.8 | 5 ++++- >>> checkpolicy/checkmodule.c | 29 +++++++++++++++++++++++++++-- >>> checkpolicy/test/dismod.c | 4 ++-- >>> 3 files changed, 33 insertions(+), 5 deletions(-) >>> >> >> Acked-by: James Carter <jwcart2@tycho.nsa.gov> > > James there's a superfluous newline between strtol() and errno. > Thanks, I missed that. I don't see the need for another version of the patches. 
I can fix that minor issue when I merge the patches tomorrow. >> >> -- >> James Carter <jwcart2@tycho.nsa.gov> >> National Security Agency > -- James Carter <jwcart2@tycho.nsa.gov> National Security Agency ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Non-DoD Source] [PATCH 0/2] checkmodule: allow building modules of a specific version 2019-04-18 17:49 ` jwcart2 @ 2019-04-19 17:21 ` jwcart2 0 siblings, 0 replies; 9+ messages in thread From: jwcart2 @ 2019-04-19 17:21 UTC (permalink / raw) To: William Roberts; +Cc: Gary Tierney, selinux, Steve Smalley On 4/18/19 1:49 PM, jwcart2 wrote: > On 4/18/19 11:18 AM, William Roberts wrote: >> On Thu, Apr 18, 2019 at 6:27 AM jwcart2 <jwcart2@tycho.nsa.gov> wrote: >>> >>> On 4/17/19 12:37 PM, Gary Tierney wrote: >>>> These changes come from a report by a user on the Freenode IRC channel that >>>> they were unable to build policies for a machine that has an older version of >>>> libsepol installed. >>>> >>>> A new `-c` option that mirrors checkpolicy's own has been added to checkmodule, >>>> and the output of a simple test is shown below: >>>> >>>> $ cat > test.te <<EOF >>>> module test 1.0; >>>> >>>> require { >>>> type domain; >>>> type file_type; >>>> class file { read write }; >>>> } >>>> >>>> allow domain file_type : file { read write }; >>>> EOF >>>> $ obj/usr/bin/checkmodule -m -M -c 10 -o test.mod test.te >>>> $ checkpolicy/test/dismod test.mod >>>> Reading policy... >>>> ... snip ... >>>> Binary policy module file loaded. >>>> Module name: test >>>> Module version: 1.0 >>>> Policy version: 10 >>>> >>>> Worthy of note, however, is that these policy version numbers differ from those >>>> used by the kernel policy format. >>>> >>>> Gary Tierney (2): >>>> checkmodule: add support for specifying module policy version >>>> dismod: print policy version of loaded modules >>>> >>>> checkpolicy/checkmodule.8 | 5 ++++- >>>> checkpolicy/checkmodule.c | 29 +++++++++++++++++++++++++++-- >>>> checkpolicy/test/dismod.c | 4 ++-- >>>> 3 files changed, 33 insertions(+), 5 deletions(-) >>>> >>> >>> Acked-by: James Carter <jwcart2@tycho.nsa.gov> >> >> James there's a superfluous newline between strtol() and errno. >> > > Thanks, I missed that. 
> > I don't see the need for another version of the patches. I can fix that minor > issue when I merge the patches tomorrow. > Merged with the extra newline removed. >>> >>> -- >>> James Carter <jwcart2@tycho.nsa.gov> >>> National Security Agency >> > > -- James Carter <jwcart2@tycho.nsa.gov> National Security Agency ^ permalink raw reply [flat|nested] 9+ messages in thread