* [PATCH 0/5] dispol: add batch execution mode
@ 2019-10-08  6:44 Masatake YAMATO
  2019-10-08  6:44 ` [PATCH 1/5] dispol: extend usage() to take error code as an argument Masatake YAMATO
                   ` (6 more replies)
  0 siblings, 7 replies; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-08  6:44 UTC (permalink / raw)
  To: selinux; +Cc: yamato

dispol command requires interaction, and is not suitable for using
in a script. This patch set introduces -b that is for running
dispol non-interactively.

An example:

    $ ./dispol -b 1 /sys/fs/selinux/policy
    allow deltacloudd_log_t tmp_t : filesystem { associate };
    allow kern_unconfined sysctl_type : lnk_file { ioctl read ...
    ...

Masatake YAMATO (5):
  dispol: extend usage() to take exit status
  dispol: add an option for printing the command usage
  dispol: introduce a local variable representing the input file
  dispol: introduce -b option to run commands in batch
  dispol: add the list of commands for batch mode to help message

 checkpolicy/test/dispol.c | 96 ++++++++++++++++++++++++++++-----------
 1 file changed, 69 insertions(+), 27 deletions(-)

-- 
2.21.0



* [PATCH 1/5] dispol: extend usage() to take error code as an argument
  2019-10-08  6:44 [PATCH 0/5] dispol: add batch execution mode Masatake YAMATO
@ 2019-10-08  6:44 ` Masatake YAMATO
  2019-10-08  6:44 ` [PATCH 1/5] dispol: extend usage() to take exit status Masatake YAMATO
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-08  6:44 UTC (permalink / raw)
  To: selinux; +Cc: yamato

This allows dispol command to exit successfully after
printing help messages.

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
 checkpolicy/test/dispol.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index d72d9fb3..1d9556f4 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -36,10 +36,11 @@
 
 static policydb_t policydb;
 
-static __attribute__((__noreturn__)) void usage(const char *progname)
+static __attribute__((__noreturn__)) void usage(const char *progname,
+						int status)
 {
 	printf("usage:  %s binary_pol_file\n\n", progname);
-	exit(1);
+	exit(status);
 }
 
 int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
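
Review bot: usage() in this hunk still prints through printf() to stdout
even when `status` is non-zero, so on a bad invocation a script that
captures stdout gets the usage text mixed into its data. Now that the
function knows whether it is reporting an error, pick the stream from the
status, e.g. `fprintf(status ? stderr : stdout, ...)`.
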
@@ -395,7 +396,7 @@ int main(int argc, char **argv)
 	struct policy_file pf;
 
 	if (argc != 2)
-		usage(argv[0]);
+		usage(argv[0], 1);
 
 	fd = open(argv[1], O_RDONLY);
 	if (fd < 0) {
-- 
2.21.0



* [PATCH 1/5] dispol: extend usage() to take exit status
  2019-10-08  6:44 [PATCH 0/5] dispol: add batch execution mode Masatake YAMATO
  2019-10-08  6:44 ` [PATCH 1/5] dispol: extend usage() to take error code as an argument Masatake YAMATO
@ 2019-10-08  6:44 ` Masatake YAMATO
  2019-10-08 14:03   ` Stephen Smalley
  2019-10-08  6:44 ` [PATCH 2/5] dispol: add an option for printing the command usage Masatake YAMATO
                   ` (4 subsequent siblings)
  6 siblings, 1 reply; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-08  6:44 UTC (permalink / raw)
  To: selinux; +Cc: yamato

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
 checkpolicy/test/dispol.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index d72d9fb3..6c4829c4 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -36,10 +36,10 @@
 
 static policydb_t policydb;
 
-static __attribute__((__noreturn__)) void usage(const char *progname)
+static __attribute__((__noreturn__)) void usage(const char *progname, int status)
 {
 	printf("usage:  %s binary_pol_file\n\n", progname);
-	exit(1);
+	exit(status);
 }
 
 int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
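
Review bot: the one-line signature `usage(const char *progname, int status)`
added in this hunk runs past 80 columns; wrap the second parameter onto its
own line as the other posting of 1/5 does. This posting also carries only a
Signed-off-by line, so add a sentence saying why usage() needs the status
argument.
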
@@ -395,7 +395,7 @@ int main(int argc, char **argv)
 	struct policy_file pf;
 
 	if (argc != 2)
-		usage(argv[0]);
+		usage(argv[0], 1);
 
 	fd = open(argv[1], O_RDONLY);
 	if (fd < 0) {
-- 
2.21.0



* [PATCH 2/5] dispol: add an option for printing the command usage
  2019-10-08  6:44 [PATCH 0/5] dispol: add batch execution mode Masatake YAMATO
  2019-10-08  6:44 ` [PATCH 1/5] dispol: extend usage() to take error code as an argument Masatake YAMATO
  2019-10-08  6:44 ` [PATCH 1/5] dispol: extend usage() to take exit status Masatake YAMATO
@ 2019-10-08  6:44 ` Masatake YAMATO
  2019-10-09 14:41   ` [Non-DoD Source] " Stephen Smalley
  2019-10-08  6:44 ` [PATCH 3/5] dispol: introduce a local variable representing the input file Masatake YAMATO
                   ` (3 subsequent siblings)
  6 siblings, 1 reply; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-08  6:44 UTC (permalink / raw)
  To: selinux; +Cc: yamato

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
 checkpolicy/test/dispol.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 1d9556f4..37b22cf8 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -39,7 +39,7 @@ static policydb_t policydb;
 static __attribute__((__noreturn__)) void usage(const char *progname,
 						int status)
 {
-	printf("usage:  %s binary_pol_file\n\n", progname);
+	printf("usage:  %s [-h] binary_pol_file\n\n", progname);
 	exit(status);
 }
 
@@ -395,7 +395,11 @@ int main(int argc, char **argv)
 	int state;
 	struct policy_file pf;
 
-	if (argc != 2)
+	if (argc <= 1)
+		usage(argv[0], 1);
+	else if (strcmp(argv[1], "-h") == 0)
+		usage(argv[0], 0);
+	else if (argc != 2)
 		usage(argv[0], 1);
 
 	fd = open(argv[1], O_RDONLY);
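
Review bot: `-h` is tested only as argv[1] and before the `argc != 2`
check, so `dispol -h extra args` exits 0 with the extra operands silently
ignored, and a policy file literally named `-h` can no longer be opened.
The `argc <= 1` and `argc != 2` branches also both end in
`usage(argv[0], 1)`. Parsing with getopt(3) and then requiring
`argc - optind == 1` covers all of this in one place, and `--` lets a file
named `-h` through.
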
-- 
2.21.0



* [PATCH 3/5] dispol: introduce a local variable representing the input file
  2019-10-08  6:44 [PATCH 0/5] dispol: add batch execution mode Masatake YAMATO
                   ` (2 preceding siblings ...)
  2019-10-08  6:44 ` [PATCH 2/5] dispol: add an option for printing the command usage Masatake YAMATO
@ 2019-10-08  6:44 ` Masatake YAMATO
  2019-10-08  6:44 ` [PATCH 4/5] dispol: introduce -b option to run commands in batch Masatake YAMATO
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-08  6:44 UTC (permalink / raw)
  To: selinux; +Cc: yamato

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
 checkpolicy/test/dispol.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 37b22cf8..26bbba7a 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -394,6 +394,7 @@ int main(int argc, char **argv)
 	char *name;
 	int state;
 	struct policy_file pf;
+	char *pf_name;
 
 	if (argc <= 1)
 		usage(argv[0], 1);
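
Review bot: `pf_name` declared in this hunk is only assigned from argv and
then read by open() and the three error messages in the next hunk, so make
it `const char *pf_name` to document that the path is never modified. The
commit message is empty; one line saying this is preparation for 4/5 and
has no functional change would help a reader bisecting later.
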
@@ -401,23 +402,24 @@ int main(int argc, char **argv)
 		usage(argv[0], 0);
 	else if (argc != 2)
 		usage(argv[0], 1);
+	pf_name = argv[1];
 
-	fd = open(argv[1], O_RDONLY);
+	fd = open(pf_name, O_RDONLY);
 	if (fd < 0) {
 		fprintf(stderr, "Can't open '%s':  %s\n",
-			argv[1], strerror(errno));
+			pf_name, strerror(errno));
 		exit(1);
 	}
 	if (fstat(fd, &sb) < 0) {
 		fprintf(stderr, "Can't stat '%s':  %s\n",
-			argv[1], strerror(errno));
+			pf_name, strerror(errno));
 		exit(1);
 	}
 	map =
 	    mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
 	if (map == MAP_FAILED) {
 		fprintf(stderr, "Can't map '%s':  %s\n",
-			argv[1], strerror(errno));
+			pf_name, strerror(errno));
 		exit(1);
 	}
 
-- 
2.21.0



* [PATCH 4/5] dispol: introduce -b option to run commands in batch
  2019-10-08  6:44 [PATCH 0/5] dispol: add batch execution mode Masatake YAMATO
                   ` (3 preceding siblings ...)
  2019-10-08  6:44 ` [PATCH 3/5] dispol: introduce a local variable representing the input file Masatake YAMATO
@ 2019-10-08  6:44 ` Masatake YAMATO
  2019-10-08  6:45 ` [PATCH 5/5] dispol: add the list of commands for batch mode to help message Masatake YAMATO
  2019-10-08 12:48 ` [PATCH 0/5] dispol: add batch execution mode Stephen Smalley
  6 siblings, 0 replies; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-08  6:44 UTC (permalink / raw)
  To: selinux; +Cc: yamato

dispol command requires interaction. It is not suitable for using
in a script. This change introduces -b that is for running
dispol non-interactively.

An example:

    $ ./dispol -b 1 /sys/fs/selinux/policy
    allow deltacloudd_log_t tmp_t : filesystem { associate };
    allow kern_unconfined sysctl_type : lnk_file { ioctl read ...
    ...

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
 checkpolicy/test/dispol.c | 49 ++++++++++++++++++++++++++++++---------
 1 file changed, 38 insertions(+), 11 deletions(-)

diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 26bbba7a..0eaa830a 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -39,7 +39,7 @@ static policydb_t policydb;
 static __attribute__((__noreturn__)) void usage(const char *progname,
 						int status)
 {
-	printf("usage:  %s [-h] binary_pol_file\n\n", progname);
+	printf("usage:  %s [-h] [-b cmds] binary_pol_file\n\n", progname);
 	exit(status);
 }
 
@@ -395,14 +395,21 @@ int main(int argc, char **argv)
 	int state;
 	struct policy_file pf;
 	char *pf_name;
+	char *cmds = NULL;
 
 	if (argc <= 1)
 		usage(argv[0], 1);
 	else if (strcmp(argv[1], "-h") == 0)
 		usage(argv[0], 0);
-	else if (argc != 2)
+	else if (strcmp(argv[1], "-b") == 0) {
+		if (argc != 4)
+			usage(argv[0], 1);
+		cmds = argv[2];
+		pf_name = argv[3];
+	} else if (argc == 2)
+		pf_name = argv[1];
+	else
 		usage(argv[0], 1);
-	pf_name = argv[1];
 
 	fd = open(pf_name, O_RDONLY);
 	if (fd < 0) {
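
Review bot: an empty command string passes the `argc != 4` check in this
hunk (`dispol -b "" policy`), and the batch loop later turns the
terminating NUL into 'q', so the tool quits without printing anything and
a quoting mistake in a script goes unnoticed. Reject `cmds[0] == '\0'`
here with `usage(argv[0], 1)`. `cmds` is only read, so it can also be
declared `const char *`.
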
@@ -424,7 +431,8 @@ int main(int argc, char **argv)
 	}
 
 	/* read the binary policy */
-	fprintf(out_fp, "Reading policy...\n");
+	if (!cmds)
+		fprintf(out_fp, "Reading policy...\n");
 	policy_file_init(&pf);
 	pf.type = PF_USE_MEMORY;
 	pf.data = map;
@@ -433,7 +441,7 @@ int main(int argc, char **argv)
 		fprintf(stderr, "%s:  Out of memory!\n", argv[0]);
 		exit(1);
 	}
-	ret = policydb_read(&policydb, &pf, 1);
+	ret = policydb_read(&policydb, &pf, cmds == NULL);
 	if (ret) {
 		fprintf(stderr,
 			"%s:  error(s) encountered while parsing configuration\n",
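
Review bot: the third argument of policydb_read() in this hunk changes from
1 to `cmds == NULL`, which neither the commit message nor a comment
explains. Say what passing 0 suppresses and why batch mode needs it, so the
next reader does not have to look up the parameter to see that this is
intentional.
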
@@ -441,16 +449,30 @@ int main(int argc, char **argv)
 		exit(1);
 	}
 
-	fprintf(stdout, "binary policy file loaded\n\n");
+	if (!cmds)
+		fprintf(stdout, "binary policy file loaded\n\n");
 	close(fd);
 
-	menu();
+	if (!cmds)
+		menu();
 	for (;;) {
-		printf("\nCommand (\'m\' for menu):  ");
-		if (fgets(ans, sizeof(ans), stdin) == NULL) {
-			fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,
+		if (cmds) {
+			ans[0] = *cmds++;
+			if (ans[0] == '\0')
+				ans[0] = 'q';
+			else if (strchr("7fm", ans[0])) {
+				fprintf(stderr,
+					"Unacceptable command in batch mode: %c\n",
+					ans[0]);
+				exit(1);
+			}
+		} else {
+			printf("\nCommand (\'m\' for menu):  ");
+			if (fgets(ans, sizeof(ans), stdin) == NULL) {
+				fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,
 					strerror(errno));
-			continue;
+				continue;
+			}
 		}
 		switch (ans[0]) {
 
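
Review bot: the `strchr("7fm", ans[0])` check in this hunk runs only when
the loop reaches that character, so `-b 1m` executes command 1 in full and
only then exits 1; whatever reads the pipe has already consumed output from
a run that is reported as failed. Validate the whole `cmds` string before
the loop, ideally right after argument parsing, and fail before anything is
written to stdout.
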
@@ -551,6 +573,11 @@ int main(int argc, char **argv)
 			menu();
 			break;
 		default:
+			if (cmds) {
+				fprintf(stderr,
+					"Invalid command: %c\n", ans[0]);
+				exit(1);
+			}
 			printf("\nInvalid choice\n");
 			menu();
 			break;
-- 
2.21.0



* [PATCH 5/5] dispol: add the list of commands for batch mode to help message
  2019-10-08  6:44 [PATCH 0/5] dispol: add batch execution mode Masatake YAMATO
                   ` (4 preceding siblings ...)
  2019-10-08  6:44 ` [PATCH 4/5] dispol: introduce -b option to run commands in batch Masatake YAMATO
@ 2019-10-08  6:45 ` Masatake YAMATO
  2019-10-08 12:48 ` [PATCH 0/5] dispol: add batch execution mode Stephen Smalley
  6 siblings, 0 replies; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-08  6:45 UTC (permalink / raw)
  To: selinux; +Cc: yamato

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
 checkpolicy/test/dispol.c | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 0eaa830a..f6e6a26a 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -36,10 +36,14 @@
 
 static policydb_t policydb;
 
+int menu(int interactive);
+
 static __attribute__((__noreturn__)) void usage(const char *progname,
 						int status)
 {
 	printf("usage:  %s [-h] [-b cmds] binary_pol_file\n\n", progname);
+	printf("acceptable commands for -b option:\n");
+	menu(0);
 	exit(status);
 }
 
@@ -361,25 +365,30 @@ static void display_filename_trans(policydb_t *p, FILE *fp)
 	hashtab_map(p->filename_trans, filenametr_display, &args);
 }
 
-int menu(void)
+int menu(int interactive)
 {
-	printf("\nSelect a command:\n");
+	if (interactive)
+		printf("\nSelect a command:\n");
 	printf("1)  display unconditional AVTAB\n");
 	printf("2)  display conditional AVTAB (entirely)\n");
 	printf("3)  display conditional AVTAB (only ENABLED rules)\n");
 	printf("4)  display conditional AVTAB (only DISABLED rules)\n");
 	printf("5)  display conditional bools\n");
 	printf("6)  display conditional expressions\n");
-	printf("7)  change a boolean value\n");
+	if (interactive)
+		printf("7)  change a boolean value\n");
 	printf("8)  display role transitions\n");
-	printf("\n");
+	if (interactive)
+		printf("\n");
 	printf("c)  display policy capabilities\n");
 	printf("p)  display the list of permissive types\n");
 	printf("u)  display unknown handling setting\n");
 	printf("F)  display filename_trans rules\n");
-	printf("\n");
-	printf("f)  set output file\n");
-	printf("m)  display menu\n");
+	if (interactive) {
+		printf("\n");
+		printf("f)  set output file\n");
+		printf("m)  display menu\n");
+	}
 	printf("q)  quit\n");
 	return 0;
 }
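
Review bot: the entries this hunk hides when `interactive` is 0 (7, f, m)
are the same set main() rejects with `strchr("7fm", ans[0])` in 4/5, so the
list now lives in two places and the help text will drift from the check
when a command is added. Keep one table of commands with a batch-allowed
flag and drive both menu() and the batch check from it. `q)  quit` is also
still listed for -b although the batch loop quits by itself at the end of
the string.
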
@@ -454,7 +463,7 @@ int main(int argc, char **argv)
 	close(fd);
 
 	if (!cmds)
-		menu();
+		menu(cmds == NULL);
 	for (;;) {
 		if (cmds) {
 			ans[0] = *cmds++;
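
Review bot: inside `if (!cmds)` the argument `cmds == NULL` is always 1, so
write `menu(1)` in this hunk, matching the two later call sites changed in
the same patch.
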
@@ -570,7 +579,7 @@ int main(int argc, char **argv)
 			exit(0);
 			break;
 		case 'm':
-			menu();
+			menu(1);
 			break;
 		default:
 			if (cmds) {
@@ -579,7 +588,7 @@ int main(int argc, char **argv)
 				exit(1);
 			}
 			printf("\nInvalid choice\n");
-			menu();
+			menu(1);
 			break;
 
 		}
-- 
2.21.0



* Re: [PATCH 0/5] dispol: add batch execution mode
  2019-10-08  6:44 [PATCH 0/5] dispol: add batch execution mode Masatake YAMATO
                   ` (5 preceding siblings ...)
  2019-10-08  6:45 ` [PATCH 5/5] dispol: add the list of commands for batch mode to help message Masatake YAMATO
@ 2019-10-08 12:48 ` Stephen Smalley
  2019-10-08 14:31   ` Stephen Smalley
  6 siblings, 1 reply; 12+ messages in thread
From: Stephen Smalley @ 2019-10-08 12:48 UTC (permalink / raw)
  To: Masatake YAMATO, selinux

On 10/8/19 2:44 AM, Masatake YAMATO wrote:
> dispol command requires interaction, and is not suitable for using
> in a script. This patch set introduces -b that is for running
> dispol non-interactively.
> 
> An example:
> 
>      $ ./dispol -b 1 /sys/fs/selinux/policy
>      allow deltacloudd_log_t tmp_t : filesystem { associate };
>      allow kern_unconfined sysctl_type : lnk_file { ioctl read ...

What is your intended use case for this support, i.e. how do you 
envision using dispol in scripts?

If you just want to decompile policy, I'd recommend using checkpolicy 
-F/--conf or checkpolicy -c/--cil, ala:
checkpolicy -M -b /sys/fs/selinux/policy -F -o policy.conf
or
checkpolicy -M -b /sys/fs/selinux/policy -C -o policy.cil

>      ...
> 
> Masatake YAMATO (5):
>    dispol: extend usage() to take exit status
>    dispol: add an option for printing the command usage
>    dispol: introduce a local variable representing the input file
>    dispol: introduce -b option to run commands in batch
>    dispol: add the list of commands for batch mode to help message
> 
>   checkpolicy/test/dispol.c | 96 ++++++++++++++++++++++++++++-----------
>   1 file changed, 69 insertions(+), 27 deletions(-)
> 



* Re: [PATCH 1/5] dispol: extend usage() to take exit status
  2019-10-08  6:44 ` [PATCH 1/5] dispol: extend usage() to take exit status Masatake YAMATO
@ 2019-10-08 14:03   ` Stephen Smalley
  0 siblings, 0 replies; 12+ messages in thread
From: Stephen Smalley @ 2019-10-08 14:03 UTC (permalink / raw)
  To: Masatake YAMATO, selinux

On 10/8/19 2:44 AM, Masatake YAMATO wrote:
> Signed-off-by: Masatake YAMATO <yamato@redhat.com>

You appear to have sent two slightly different versions of this patch?

> ---
>   checkpolicy/test/dispol.c | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
> index d72d9fb3..6c4829c4 100644
> --- a/checkpolicy/test/dispol.c
> +++ b/checkpolicy/test/dispol.c
> @@ -36,10 +36,10 @@
>   
>   static policydb_t policydb;
>   
> -static __attribute__((__noreturn__)) void usage(const char *progname)
> +static __attribute__((__noreturn__)) void usage(const char *progname, int status)
>   {
>   	printf("usage:  %s binary_pol_file\n\n", progname);
> -	exit(1);
> +	exit(status);
>   }
>   
>   int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
> @@ -395,7 +395,7 @@ int main(int argc, char **argv)
>   	struct policy_file pf;
>   
>   	if (argc != 2)
> -		usage(argv[0]);
> +		usage(argv[0], 1);
>   
>   	fd = open(argv[1], O_RDONLY);
>   	if (fd < 0) {
> 



* Re: [PATCH 0/5] dispol: add batch execution mode
  2019-10-08 12:48 ` [PATCH 0/5] dispol: add batch execution mode Stephen Smalley
@ 2019-10-08 14:31   ` Stephen Smalley
  2019-10-17  7:12     ` Masatake YAMATO
  0 siblings, 1 reply; 12+ messages in thread
From: Stephen Smalley @ 2019-10-08 14:31 UTC (permalink / raw)
  To: Masatake YAMATO, selinux

On 10/8/19 8:48 AM, Stephen Smalley wrote:
> On 10/8/19 2:44 AM, Masatake YAMATO wrote:
>> dispol command requires interaction, and is not suitable for using
>> in a script. This patch set introduces -b that is for running
>> dispol non-interactively.
>>
>> An example:
>>
>>      $ ./dispol -b 1 /sys/fs/selinux/policy
>>      allow deltacloudd_log_t tmp_t : filesystem { associate };
>>      allow kern_unconfined sysctl_type : lnk_file { ioctl read ...
> 
> What is your intended use case for this support, i.e. how do you 
> envision using dispol in scripts?
> 
> If you just want to decompile policy, I'd recommend using checkpolicy 
> -F/--conf or checkpolicy -c/--cil, ala:
> checkpolicy -M -b /sys/fs/selinux/policy -F -o policy.conf
> or
> checkpolicy -M -b /sys/fs/selinux/policy -C -o policy.cil

Or you could just use sesearch -A if you wanted to just dump all allow 
rules, for example, or seinfo -b for all booleans, ...

dispol/dismod have always just been test/debug/developer utilities and 
predated the ability to decompile policies with checkpolicy, so I'm not 
sure if they are even still useful to keep around.  Is anyone still 
using them?

> 
>>      ...
>>
>> Masatake YAMATO (5):
>>    dispol: extend usage() to take exit status
>>    dispol: add an option for printing the command usage
>>    dispol: introduce a local variable representing the input file
>>    dispol: introduce -b option to run commands in batch
>>    dispol: add the list of commands for batch mode to help message
>>
>>   checkpolicy/test/dispol.c | 96 ++++++++++++++++++++++++++++-----------
>>   1 file changed, 69 insertions(+), 27 deletions(-)
>>
> 



* Re: [Non-DoD Source] [PATCH 2/5] dispol: add an option for printing the command usage
  2019-10-08  6:44 ` [PATCH 2/5] dispol: add an option for printing the command usage Masatake YAMATO
@ 2019-10-09 14:41   ` Stephen Smalley
  0 siblings, 0 replies; 12+ messages in thread
From: Stephen Smalley @ 2019-10-09 14:41 UTC (permalink / raw)
  To: Masatake YAMATO, selinux

On 10/8/19 2:44 AM, Masatake YAMATO wrote:
> Signed-off-by: Masatake YAMATO <yamato@redhat.com>
> ---
>   checkpolicy/test/dispol.c | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
> index 1d9556f4..37b22cf8 100644
> --- a/checkpolicy/test/dispol.c
> +++ b/checkpolicy/test/dispol.c
> @@ -39,7 +39,7 @@ static policydb_t policydb;
>   static __attribute__((__noreturn__)) void usage(const char *progname,
>   						int status)
>   {
> -	printf("usage:  %s binary_pol_file\n\n", progname);
> +	printf("usage:  %s [-h] binary_pol_file\n\n", progname);
>   	exit(status);
>   }
>   
> @@ -395,7 +395,11 @@ int main(int argc, char **argv)
>   	int state;
>   	struct policy_file pf;
>   
> -	if (argc != 2)
> +	if (argc <= 1)
> +		usage(argv[0], 1);
> +	else if (strcmp(argv[1], "-h") == 0)
> +		usage(argv[0], 0);
> +	else if (argc != 2)
>   		usage(argv[0], 1);

Use getopt(3) or getopt_long(3) please for option handling.

>   
>   	fd = open(argv[1], O_RDONLY);
> 
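
The getopt(3)-based option handling requested in the review above, as an added example; it is not code from dispol.c or from either participant in this thread. `struct dispol_opts`, `parse_args()` and `validate_batch_cmds()` are hypothetical names, and the allow-list of batch commands is copied from the `menu(0)` listing in patch 5/5.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L	/* for getopt(3) in <unistd.h> */
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical result type for this example; dispol.c has no such struct. */
struct dispol_opts {
	const char *cmds;	/* command string given to -b, or NULL */
	const char *pf_name;	/* binary policy file operand */
	int show_help;		/* non-zero when -h was given */
};

/* Commands the patch 5/5 help text lists as acceptable for -b. */
static const char batch_allowed[] = "1234568cpuFq";

/* 0 if cmds is non-empty and every character is batch-safe, else -1. */
static int validate_batch_cmds(const char *cmds)
{
	if (*cmds == '\0')
		return -1;
	for (; *cmds != '\0'; cmds++)
		if (strchr(batch_allowed, *cmds) == NULL)
			return -1;
	return 0;
}

/* Parse "[-h] [-b cmds] binary_pol_file". 0 on success, -1 on usage error. */
static int parse_args(int argc, char **argv, struct dispol_opts *o)
{
	int c;

	memset(o, 0, sizeof(*o));
	optind = 1;	/* restart the scan so the function is re-callable */
	opterr = 0;	/* the caller prints the usage message */
	while ((c = getopt(argc, argv, "hb:")) != -1) {
		switch (c) {
		case 'h':
			o->show_help = 1;
			return 0;
		case 'b':
			/* reject the whole string before any output is produced */
			if (validate_batch_cmds(optarg) < 0)
				return -1;
			o->cmds = optarg;
			break;
		default:	/* unknown option, or -b without an argument */
			return -1;
		}
	}
	if (argc - optind != 1)	/* exactly one policy file is required */
		return -1;
	o->pf_name = argv[optind];
	return 0;
}

int main(int argc, char **argv)
{
	struct dispol_opts o;

	if (parse_args(argc, argv, &o) < 0) {
		fprintf(stderr, "usage:  %s [-h] [-b cmds] binary_pol_file\n",
			argv[0]);
		return 1;
	}
	if (o.show_help) {
		printf("usage:  %s [-h] [-b cmds] binary_pol_file\n", argv[0]);
		return 0;
	}
	printf("policy=%s mode=%s\n", o.pf_name,
	       o.cmds ? "batch" : "interactive");
	return 0;
}
```
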



* Re: [PATCH 0/5] dispol: add batch execution mode
  2019-10-08 14:31   ` Stephen Smalley
@ 2019-10-17  7:12     ` Masatake YAMATO
  0 siblings, 0 replies; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-17  7:12 UTC (permalink / raw)
  To: sds; +Cc: selinux

On Tue, 8 Oct 2019 10:31:37 -0400, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 10/8/19 8:48 AM, Stephen Smalley wrote:
>> On 10/8/19 2:44 AM, Masatake YAMATO wrote:
>>> dispol command requires interaction, and is not suitable for using
>>> in a script. This patch set introduces -b that is for running
>>> dispol non-interactively.
>>>
>>> An example:
>>>
>>>      $ ./dispol -b 1 /sys/fs/selinux/policy
>>>      allow deltacloudd_log_t tmp_t : filesystem { associate };
>>>      allow kern_unconfined sysctl_type : lnk_file { ioctl read ...
>> What is your intended use case for this support, i.e. how do you
>> envision using dispol in scripts?
>> If you just want to decompile policy, I'd recommend using checkpolicy
>> -F/--conf or checkpolicy -c/--cil, ala:
>> checkpolicy -M -b /sys/fs/selinux/policy -F -o policy.conf
>> or
>> checkpolicy -M -b /sys/fs/selinux/policy -C -o policy.cil
> 
> Or you could just use sesearch -A if you wanted to just dump all allow
> rules, for example, or seinfo -b for all booleans, ...
> 
> dispol/dismod have always just been test/debug/developer utilities and
> predated the ability to decompile policies with checkpolicy, so I'm
> not sure if they are even still useful to keep around.  Is anyone
> still using them?

Thank you for the comment.

I didn't know that checkpolicy can be used for decompiling policies.  I
read checkpolicy.8, and I found that what I want is a way to write
decompiled policies to standard output, so I can read the result with
the less command, or filter it with grep. I frequently do something
similar with objdump. I would like to withdraw the patches about dispol.

Instead, I proposed '-o -' for writing decompiled policies to standard
output in another mail-thread. Could you review the proposal?

Masatake YAMATO

>> 
>>>      ...
>>>
>>> Masatake YAMATO (5):
>>>    dispol: extend usage() to take exit status
>>>    dispol: add an option for printing the command usage
>>>    dispol: introduce a local variable representing the input file
>>>    dispol: introduce -b option to run commands in batch
>>>    dispol: add the list of commands for batch mode to help message
>>>
>>>   checkpolicy/test/dispol.c | 96
>>> ++++++++++++++++++++++++++++-----------
>>>   1 file changed, 69 insertions(+), 27 deletions(-)
>>>
>> 
> 
