From patchwork Thu Oct 11 12:35:43 2018
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 10636603
From: James Carter
To: selinux@vger.kernel.org
Cc: selinux@tycho.nsa.gov
Date: Thu, 11 Oct 2018 08:35:43 -0400
Message-Id: <20181011123543.14822-3-jwcart2@tycho.nsa.gov>
In-Reply-To: <20181011123543.14822-1-jwcart2@tycho.nsa.gov>
Subject: [PATCH 2/2] checkpolicy: Add option to sort ocontexts when creating a binary policy

Add an option, specified by "-S" or "--sort", to sort the ocontexts
before writing out the binary policy. Binary policies created by
semanage and secilc are always sorted, so this option allows
checkpolicy to be consistent with those. It has not been made the
default to maintain backwards compatibility for anyone who might be
depending on the unsorted behavior of checkpolicy.

Signed-off-by: James Carter
---
 checkpolicy/checkpolicy.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c index 12c4c405..14dc91a3 100644 --- a/checkpolicy/checkpolicy.c +++ b/checkpolicy/checkpolicy.c
@@ -111,9 +111,9 @@ unsigned int policyvers = POLICYDB_VERSION_MAX; static __attribute__((__noreturn__)) void usage(const char *progname) { printf - ("usage: %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M]" - "[-c policyvers (%d-%d)] [-o output_file] [-t target_platform (selinux,xen)]" - "[input_file]\n", + ("usage: %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] " + "[-c policyvers (%d-%d)] [-o output_file] [-S] " + "[-t target_platform (selinux,xen)] [input_file]\n", progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); exit(1); } @@ -394,7 +394,7 @@ int main(int argc, char **argv) size_t scontext_len, pathlen; unsigned int i; unsigned int protocol, port; - unsigned int binary = 0, debug = 0, cil = 0, conf = 0; + unsigned int binary = 0, debug = 0, sort = 0, cil = 0, conf = 0; struct val_to_name v; int ret, ch, fd, target = SEPOL_TARGET_SELINUX; unsigned int nel, uret; @@ -418,11 +418,12 @@ int main(int argc, char **argv) {"mls", no_argument, NULL, 'M'}, {"cil", no_argument, NULL, 'C'}, {"conf",no_argument, NULL, 'F'}, + {"sort", no_argument, NULL, 'S'}, {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0} }; - while ((ch = getopt_long(argc, argv, "o:t:dbU:MCFVc:h", long_options, NULL)) != -1) { + while ((ch = getopt_long(argc, argv, "o:t:dbU:MCFSVc:h", long_options, NULL)) != -1) { switch (ch) { case 'o': outfile = optarg; @@ -462,6 +463,9 @@ int main(int argc, char **argv) break; } usage(argv[0]); + case 'S': + sort = 1; + break; case 'M': mlspol = 1; break; @@ -637,6 +641,14 @@ int main(int argc, char **argv) policy_file_init(&pf); pf.type = PF_USE_STDIO; pf.fp = outfp; + if (sort) { + ret = policydb_sort_ocontexts(&policydb); + if (ret) { + fprintf(stderr, "%s: error sorting ocontexts\n", + argv[0]); + exit(1); + } + } ret = policydb_write(&policydb, &pf); } else { ret = sepol_kernel_policydb_to_conf(outfp, policydbp);
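Review bot: the new flag is documented only as "[-S]" in the usage() string (hunk @@ -111,9), and the diffstat lists checkpolicy.c as the only file changed, so the checkpolicy man page says nothing about -S/--sort. Please add an entry there in the same patch, stating that the option sorts the ocontexts before a binary policy is written and that it is off by default for backwards compatibility, as the commit message explains. The usage string itself reads correctly now that the missing spaces between the concatenated literals are fixed.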
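Review bot: in the last hunk (@@ -637,6), policydb_sort_ocontexts() is called only on the policydb_write() path, so when the else branch runs sepol_kernel_policydb_to_conf() a -S on the command line is accepted and silently ignored. Either warn or call usage() when sort is set and the output is not a binary policy, or state in the help text that -S only affects binary output. The error path could also report why sorting failed: "error sorting ocontexts" drops the value of ret, which is the only diagnostic the caller has.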