[PATCH 7/8] busybox -- libselinux utilities applets
Denis Vlasenko
vda.linux at googlemail.com
Fri Jan 26 23:50:27 UTC 2007
On Thursday 25 January 2007 15:45, KaiGai Kohei wrote:
> [7/8] busybox-libselinux-07-matchpathcon.patch
> matchpathcon - get the default security context for
> the specified path from the file contexts configuration.
> Security context is an identifier for SELinux.
> Every file has its own security context, and SELinux uses it
> to evaluate the attributes of the file.
> When we are setting up a system, we have to attach a security
> context for each files. so, we can obtain the most appropriate
> security context by using matchpathcon.
>
> Signed-off-by: KaiGai Kohei <kaigai at kaigai.gr.jp>
>
> --
> KaiGai Kohei <kaigai at kaigai.gr.jp>
--- selinux/matchpathcon.c (revision 0)
+++ selinux/matchpathcon.c (revision 0)
@@ -0,0 +1,108 @@
+/* matchpathcon - get the default security context for the specified
+ * path from the file contexts configuration.
+ * based on libselinux-1.32
+ * Port to busybox: KaiGai Kohei <kaigai at kaigai.gr.jp>
+ *
+ */
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <errno.h>
+#include <string.h>
+#include <selinux/selinux.h>
+#include "busybox.h"
+
+static int printmatchpathcon(char *path, int header)
+{
+ char *buf;
+ int rc = matchpathcon(path, 0, &buf);
+ if (rc < 0) {
+ fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
+ strerror(errno));
+ return 1;
+ }
+ if (header)
+ printf("%s\t%s\n", path, buf);
+ else
+ printf("%s\n", buf);
+
+ freecon(buf);
+ return 0;
+}
+
+#define MATCHPATHCON_OPT_NOT_PRINT (1<<0) /* -n */
+#define MATCHPATHCON_OPT_NOT_TRANS (1<<1) /* -N */
+#define MATCHPATHCON_OPT_FCONTEXT (1<<2) /* -f */
+#define MATCHPATHCON_OPT_PREFIX (1<<3) /* -p */
+#define MATCHPATHCON_OPT_VERIFY (1<<4) /* -V */
+
+int matchpathcon_main(int argc, char **argv)
+{
+ int i;
+ int header = 1;
+ int verify = 0;
+ int notrans = 0;
+ int error = 0;
+ unsigned long opts;
+ char *fcontext, *prefix;
+
+ if (argc < 2)
+ bb_show_usage();
+
+ opts = getopt32(argc, argv, "nNf:p:V", &fcontext, &prefix);
+ if (opts & BB_GETOPT_ERROR)
+ bb_show_usage();
+ if (opts & MATCHPATHCON_OPT_NOT_PRINT)
+ header = 0;
+ if (opts & MATCHPATHCON_OPT_NOT_TRANS) {
+ notrans = 1;
+ set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
+ }
+ if ((opts & MATCHPATHCON_OPT_FCONTEXT) && (opts & MATCHPATHCON_OPT_PREFIX))
+ bb_error_msg_and_die("-f and -p are exclusive");
This can be forced by just setting opt_complementary.
There are a lot of examples in the tree.
+ if (opts & MATCHPATHCON_OPT_FCONTEXT) {
+ if (matchpathcon_init(fcontext))
+ bb_error_msg_and_die("Error while processing %s: %s",
"<applet>: Error while...." -- 'E' should be 'e' (small letter) here
(and everywhere in bb_[ph]errorXXX)
+ fcontext, errno ? strerror(errno) : "invalid");
+ }
+ if (opts & MATCHPATHCON_OPT_PREFIX) {
+ if (matchpathcon_init_prefix(NULL, prefix))
+ bb_error_msg_and_die("Error while processing %s: %s",
+ prefix, errno ? strerror(errno) : "invalid");
+ }
+ if (opts & MATCHPATHCON_OPT_VERIFY)
+ verify = 1;
+
+ for (i = optind; i < argc; i++) {
+ if (verify) {
+ if (selinux_file_context_verify(argv[i], 0)) {
+ printf("%s verified.\n", argv[i]);
+ } else {
+ security_context_t con;
+ int rc;
+ if (notrans)
+ rc = lgetfilecon_raw(argv[i], &con);
+ else
+ rc = lgetfilecon(argv[i], &con);
+
+ if (rc >= 0) {
+ printf("%s has context %s, should be ",
+ argv[i], con);
+ error += printmatchpathcon(argv[i], 0);
+ freecon(con);
+ } else {
+ printf
+ ("actual context unknown: %s, should be ",
+ strerror(errno));
+ error += printmatchpathcon(argv[i], 0);
+ }
+ }
+ } else {
+ error += printmatchpathcon(argv[i], header);
+ }
Typically I avoid excessive indentation:
if (!verify) {
error += printmatchpathcon(argv[i], header);
continue;
}
...here entire old "if(verify)" block needs no indent now:
if (selinux_file_context_verify(argv[i], 0)) {
printf("%s verified.\n", argv[i]);
} else {
....
+ }
+ matchpathcon_fini();
+ return error;
+}
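Review bot: The verify branch treats any non-zero return of selinux_file_context_verify() as a match, so if the library reports a lookup error with -1 (as later libselinux versions do; worth confirming against the 1.32 headers this port is based on) a file whose context could not be read is printed as "verified" instead of being counted in error. Testing for the match value explicitly, `if (selinux_file_context_verify(argv[i], 0) == 1) {`, keeps a failed lookup on the mismatch path where the "actual context unknown" message already handles it. A smaller wart in the same branch: "%s has context %s, should be " is written to stdout before printmatchpathcon() is called, so when that call fails its message goes to stderr and the stdout line is left without a newline; terminating the line (for example `putchar('\n')` when printmatchpathcon() returns non-zero) would keep the output well-formed. Separately, the `argc < 2` guard only catches a bare invocation; a call with options but no path arguments passes it and the loop silently does nothing, so the usage check might better test `optind >= argc` after getopt32().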
--
vda