[PATCH 4/8] busybox -- libselinux utilities applets

Bernhard Fischer rep.dot.nop at gmail.com
Tue Jan 30 09:28:17 UTC 2007 

On Mon, Jan 29, 2007 at 11:06:25PM +0900, KaiGai Kohei wrote:
>Denis, Thanks for your comments.
>
>Denis Vlasenko wrote:
>>On Thursday 25 January 2007 15:44, KaiGai Kohei wrote:
>>>[4/8] busybox-libselinux-04-getsebool.patch
>>>  getsebool reports the a particular or all SELinux
>>>  boolean variable.
>>>  SELinux boolean variable is a interface to configure
>>>  the condition of security policy. We can enable or
>>>  disable the part of the security policy via boolean
>>>  variable.
>>>
>>>Signed-off-by: Hiroshi Shinji <shiroshi at my.email.ne.jp>
>>>Signed-off-by: KaiGai Kohei <kaigai at kaigai.gr.jp>
>>>
>>>--
>>>KaiGai Kohei <kaigai at kaigai.gr.jp>
>>
>>--- selinux/getsebool.c (revision 0)
>>+++ selinux/getsebool.c (revision 0)
>>@@ -0,0 +1,98 @@
>>+/*
>>+ * getsebool
>>+ *
>>+ * Based on libselinux 1.33.1
>>+ * Port to BusyBox  Hiroshi Shinji <shiroshi at my.email.ne.jp>
>>+ *
>>+ */
>>+
>>+#include "busybox.h"
>>+#include <unistd.h>
>>+#include <stdlib.h>
>>+#include <stdio.h>
>>+#include <getopt.h>
>>+#include <errno.h>
>>+#include <string.h>
>>+#include <selinux/selinux.h>
>
>I removed above redundant headers.
>
>>+#define GETSEBOOL_OPT_ALL      1
>>+
>>+int getsebool_main(int argc, char **argv)
>>+{
>>+       int i, rc = 0, active, pending, len = 0;
>>+       char **names;
>>+       unsigned long opt;
>>+
>>+       opt = getopt32(argc, argv, "a");
>>+
>>+       if(opt & BB_GETOPT_ERROR) {
>>+               bb_show_usage();
>>+       }
>>
>>Is it needed? I mean, can you give an example where it is needed?
>
>No. The above block is unnecessary.
>
>>+
>>+       if (!len) {
>>+               if (argc < 2)
>>+                       bb_show_usage();
>>+               len = argc - 1;
>>+               names = malloc(sizeof(char *) * len);
>>+               if (!names) {
>>+                       bb_error_msg_and_die("out of memory");
>>+               }
>>
>>xmalloc will do dying for you! :)
>>
>>+               for (i = 0; i < len; i++) {
>>+                       names[i] = strdup(argv[i + 1]);
>>
>>xstrdup. Gotta love busybox. We love to die, and love to get rid
>>of useless error paths.
>
>Thanks for the useful information.
>I replaced them with xmalloc() and xstrdup().
>
>>+      out:
>>+       for (i = 0; i < len; i++)
>>+               free(names[i]);
>>+       free(names);
>>
>>	Add if (ENABLE_FEATURE_CLEAN_UP) in front of for().
>
>OK, I appended if (ENABLE_FEATURE_CLEAN_UP) { ... } block.
>
>BTW, I found both '#if ENABLE_FEATURE_CLEAN_UP' and 'if 
>(ENABLE_FEATURE_CLEAN_UP)'
>in the source tree. Which manner is preferable?

The prefered one is in C (rather than preprocessor).
See below..
>
>Thanks,
>-- 
>KaiGai Kohei <kaigai at kaigai.gr.jp>

>Index: selinux/getsebool.c
>===================================================================
>--- selinux/getsebool.c	(revision 0)
>+++ selinux/getsebool.c	(revision 0)
>@@ -0,0 +1,83 @@
>+/*
>+ * getsebool
>+ *
>+ * Based on libselinux 1.33.1
>+ * Port to BusyBox  Hiroshi Shinji <shiroshi at my.email.ne.jp>
>+ *
>+ */
>+
>+#include "busybox.h"
>+#include <selinux/selinux.h>
>+
>+#define GETSEBOOL_OPT_ALL	1
>+
>+int getsebool_main(int argc, char **argv)
>+{
>+	int i, rc = 0, active, pending, len = 0;
>+	char **names;
>+	unsigned long opt;
>+
>+	opt = getopt32(argc, argv, "a");
>+
>+	if(opt & GETSEBOOL_OPT_ALL) {

missing space after "if"

>+		if (argc > 2)
>+			bb_show_usage();
>+		if (is_selinux_enabled() <= 0) {
>+			bb_error_msg_and_die("SELinux is disabled");

You're doing this alot. Please move this out to a
int xis_selinux_enabled(void) {
	smallint ret = is_selinux_enabled();
	if (ret != 1)
		bb_error_msg_and_die("SELinux is disabled");
	return ret;
}
in e.g. libbb/xfuncs.c and use it in your other SElinux applets, too.

>+		}
>+		errno = 0;

hm?

>+		rc = security_get_boolean_names(&names, &len);
>+		if (rc) {
->+			bb_error_msg_and_die("cannot get boolean names:  %s",
->+					     strerror(errno));

bb_perror_msg_and_die("cannot get boolean name");
should do too

>+		}
>+		if (!len) {
>+			printf("No booleans\n");

puts smaller?
>+			return 0;
>+		}
>+	}

See how you didn't use opt much?
I'd rather say 
xis_selinux_enabled();
opt_complementary="-1";/* need at least 1 non-option arg*/
if (getopt32(argc, argv, "a")) {
	rc = security_get_boolean_names(&names, &len);
	if (rc ...
}

>+
>+	if (is_selinux_enabled() <= 0)
>+		bb_error_msg_and_die("SELinux is disabled");

That can't be right, no?
You called security_get_boolean_names() before checking if selinux is
enabled or not. Does this work?

What about removing that is_selinux_enabled block here, move the call to 
xis_selinux_enabled from the "if(opt & GETSEBOOL_OPT_ALL) {" block to
below the "if (opt..)" block so you check for enabled only once (before
get_boolean_nam())

>+
>+	if (!len) {
>+		if (argc < 2)
>+			bb_show_usage();
>+		len = argc - 1;
>+		names = xmalloc(sizeof(char *) * len);
>+		for (i = 0; i < len; i++)
>+			names[i] = xstrdup(argv[i + 1]);
>+	}
>+
>+	for (i = 0; i < len; i++) {
>+		active = security_get_boolean_active(names[i]);
>+		if (active < 0) {
>+			bb_error_msg("error getting active value for %s", names[i]);
>+			rc = -1;
>+			goto out;
>+		}
>+		pending = security_get_boolean_pending(names[i]);
>+		if (pending < 0) {
>+			bb_error_msg("error getting pending value for %s", names[i]);
>+			rc = -1;
>+			goto out;
>+		}
>+		if (pending != active) {
>+			printf("%s --> %s pending: %s\n", names[i],
>+			       (active ? "on" : "off"),
>+			       (pending ? "on" : "off"));
>+		} else {
>+			printf("%s --> %s\n", names[i],
>+			       (active ? "on" : "off"));
>+		}
>+	}
>+
>+      out:
>+	if (ENABLE_FEATURE_CLEAN_UP) {
>+		for (i = 0; i < len; i++)
>+			free(names[i]);
>+		free(names);
>+	}
>+
>+	return rc;
>+}

>_______________________________________________
>busybox mailing list
>busybox at busybox.net
>http://busybox.net/cgi-bin/mailman/listinfo/busybox

More information about the busybox mailing list