List: busybox
Subject: Re: [PATCH 7/8] busybox -- libselinux utilities applets
From: KaiGai Kohei <kaigai () kaigai ! gr ! jp>
Date: 2007-01-29 13:43:43
Message-ID: 45BDFA0F.7020706 () kaigai ! gr ! jp
Denis,
Thanks for your comments.
Denis Vlasenko wrote:
> On Thursday 25 January 2007 15:45, KaiGai Kohei wrote:
>> [7/8] busybox-libselinux-07-matchpathcon.patch
>> matchpathcon - get the default security context for
>> the specified path from the file contexts configuration.
>> A security context is an identifier used by SELinux.
>> Every file has its own security context, and SELinux uses it
>> to make access-control decisions for the file.
>> When we are setting up a system, we have to attach a security
>> context to each file; matchpathcon lets us obtain the most
>> appropriate security context for a given path.
>>
>> Signed-off-by: KaiGai Kohei <kaigai@kaigai.gr.jp>
>>
>> --
>> KaiGai Kohei <kaigai@kaigai.gr.jp>
>
>
> --- selinux/matchpathcon.c (revision 0)
> +++ selinux/matchpathcon.c (revision 0)
> @@ -0,0 +1,108 @@
> +/* matchpathcon - get the default security context for the specified
> + * path from the file contexts configuration.
> + * based on libselinux-1.32
> + * Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp>
> + *
> + */
> +#include <unistd.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <getopt.h>
> +#include <errno.h>
> +#include <string.h>
> +#include <selinux/selinux.h>
> +#include "busybox.h"
I removed the redundant headers above.
> +
> +static int printmatchpathcon(char *path, int header)
> +{
> + char *buf;
> + int rc = matchpathcon(path, 0, &buf);
> + if (rc < 0) {
> + fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
> + strerror(errno));
> + return 1;
> + }
> + if (header)
> + printf("%s\t%s\n", path, buf);
> + else
> + printf("%s\n", buf);
> +
> + freecon(buf);
> + return 0;
> +}
> +
> +#define MATCHPATHCON_OPT_NOT_PRINT (1<<0) /* -n */
> +#define MATCHPATHCON_OPT_NOT_TRANS (1<<1) /* -N */
> +#define MATCHPATHCON_OPT_FCONTEXT (1<<2) /* -f */
> +#define MATCHPATHCON_OPT_PREFIX (1<<3) /* -p */
> +#define MATCHPATHCON_OPT_VERIFY (1<<4) /* -V */
> +
> +int matchpathcon_main(int argc, char **argv)
> +{
> + int i;
> + int header = 1;
> + int verify = 0;
> + int notrans = 0;
> + int error = 0;
> + unsigned long opts;
> + char *fcontext, *prefix;
> +
> + if (argc < 2)
> + bb_show_usage();
> +
> + opts = getopt32(argc, argv, "nNf:p:V", &fcontext, &prefix);
> + if (opts & BB_GETOPT_ERROR)
> + bb_show_usage();
> + if (opts & MATCHPATHCON_OPT_NOT_PRINT)
> + header = 0;
> + if (opts & MATCHPATHCON_OPT_NOT_TRANS) {
> + notrans = 1;
> + set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
> + }
> + if ((opts & MATCHPATHCON_OPT_FCONTEXT) && (opts & MATCHPATHCON_OPT_PREFIX))
> + bb_error_msg_and_die("-f and -p are exclusive");
>
> This can be forced by just setting opt_complementary.
> There are a lot of examples in the tree.
The fixed patch uses opt_complementary and omits the unnecessary check, as follows:
:
opt_complementary = "?:f--p:p--f";
opts = getopt32(argc, argv, "nNf:p:V", &fcontext, &prefix);
:
> + if (opts & MATCHPATHCON_OPT_FCONTEXT) {
> + if (matchpathcon_init(fcontext))
> + bb_error_msg_and_die("Error while processing %s: %s",
>
> "<applet>: Error while...." -- 'E' should be 'e' (small letter) here
> (and everywhere in bb_[ph]errorXXX)
OK, fixed.
- <snip> -
> Typically I avoid excessive indentation:
>
> if (!verify) {
> error += printmatchpathcon(argv[i], header);
> continue;
> }
> ...here entire old "if(verify)" block needs no indent now:
> if (selinux_file_context_verify(argv[i], 0)) {
> printf("%s verified.\n", argv[i]);
> } else {
> ....
OK, I changed the code path as follows:
if (!verify) {
error += printmatchpathcon(argv[i], header);
continue;
}
if (selinux_file_context_verify(argv[i], 0)) {
printf("%s verified.\n", argv[i]);
continue;
}
:
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
["busybox-libselinux-07-matchpathcon.v2.patch" (text/x-patch)]
Index: selinux/matchpathcon.c
===================================================================
--- selinux/matchpathcon.c (revision 0)
+++ selinux/matchpathcon.c (revision 0)
@@ -0,0 +1,98 @@
+/* matchpathcon - get the default security context for the specified
+ * path from the file contexts configuration.
+ * based on libselinux-1.32
+ * Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp>
+ *
+ */
+#include "busybox.h"
+#include <selinux/selinux.h>
+
+static int printmatchpathcon(char *path, int header)
+{
+ char *buf;
+ int rc = matchpathcon(path, 0, &buf);
+ if (rc < 0) {
+ fprintf(stderr, "matchpathcon(%s) failed: %s\n",
+ path, strerror(errno));
+ return 1;
+ }
+ if (header)
+ printf("%s\t%s\n", path, buf);
+ else
+ printf("%s\n", buf);
+
+ freecon(buf);
+ return 0;
+}
+
+#define MATCHPATHCON_OPT_NOT_PRINT (1<<0) /* -n */
+#define MATCHPATHCON_OPT_NOT_TRANS (1<<1) /* -N */
+#define MATCHPATHCON_OPT_FCONTEXT (1<<2) /* -f */
+#define MATCHPATHCON_OPT_PREFIX (1<<3) /* -p */
+#define MATCHPATHCON_OPT_VERIFY (1<<4) /* -V */
+
+int matchpathcon_main(int argc, char **argv)
+{
+ int i;
+ int header = 1;
+ int verify = 0;
+ int notrans = 0;
+ int error = 0;
+ unsigned long opts;
+ char *fcontext, *prefix;
+
+ if (argc < 2)
+ bb_show_usage();
+
+ opt_complementary = "?:f--p:p--f";
+ opts = getopt32(argc, argv, "nNf:p:V", &fcontext, &prefix);
+ if (opts & MATCHPATHCON_OPT_NOT_PRINT)
+ header = 0;
+ if (opts & MATCHPATHCON_OPT_NOT_TRANS) {
+ notrans = 1;
+ set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
+ }
+ if (opts & MATCHPATHCON_OPT_FCONTEXT) {
+ if (matchpathcon_init(fcontext))
+ bb_error_msg_and_die("error while processing %s: %s",
+ fcontext, errno ? strerror(errno) : "invalid");
+ }
+ if (opts & MATCHPATHCON_OPT_PREFIX) {
+ if (matchpathcon_init_prefix(NULL, prefix))
+ bb_error_msg_and_die("error while processing %s: %s",
+ prefix, errno ? strerror(errno) : "invalid");
+ }
+ if (opts & MATCHPATHCON_OPT_VERIFY)
+ verify = 1;
+
+ for (i = optind; i < argc; i++) {
+ security_context_t con;
+ int rc;
+
+ if (!verify) {
+ error += printmatchpathcon(argv[i], header);
+ continue;
+ }
+
+ if (selinux_file_context_verify(argv[i], 0)) {
+ printf("%s verified.\n", argv[i]);
+ continue;
+ }
+
+ if (notrans)
+ rc = lgetfilecon_raw(argv[i], &con);
+ else
+ rc = lgetfilecon(argv[i], &con);
+
+ if (rc >= 0) {
+ printf("%s has context %s, should be ", argv[i], con);
+ error += printmatchpathcon(argv[i], 0);
+ freecon(con);
+ } else {
+ printf("actual context unknown: %s, should be ", strerror(errno));
+ error += printmatchpathcon(argv[i], 0);
+ }
+ }
+ matchpathcon_fini();
+ return error;
+}
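Review bot: The failure messages `bb_error_msg_and_die("error while processing %s: %s", fcontext, errno ? strerror(errno) : "invalid")` and its -p twin read errno without clearing it first, so a nonzero value left behind by an earlier library call that succeeded (getopt32 or set_matchpathcon_flags may well leave one) would be reported as the cause of a matchpathcon_init() failure; set `errno = 0;` immediately before each init call. The `if (argc < 2)` guard also does not reject an option-only invocation such as `matchpathcon -V`: optind then equals argc, the loop body never runs and the applet exits 0 having verified nothing, whereas a `-1` group in opt_complementary (at least one non-option argument, as other applets in the tree use it) would make getopt32 show usage instead. In printmatchpathcon the error is reported with a bare `fprintf(stderr, ...)` while the rest of the applet uses bb_error_msg_and_die; `bb_perror_msg("matchpathcon(%s) failed", path);` would follow the bb_[ph]error convention Denis' earlier comment refers to. Note too that in the -V path the `"%s has context %s, should be "` line is left unterminated on stdout when the following matchpathcon() call fails, because the error goes to stderr and no newline is ever written.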