phhusson / sepolicy-inject
A fork of selinux-inject ( https://bitbucket.org/joshua_brindle/sepolicy-inject )
Injects allow rules into binary SELinux kernel policies.

Injecting a rule:
$ ./sepolicy-inject -s shell -t system -c file -p read -P sepolicy

Injecting multiple permissions:
$ ./sepolicy-inject -s shell -t system -c file -p read,write,open -P sepolicy

Add a type_attribute to a domain:
$ ./sepolicy-inject -s su -a mlstrustedsubject -P sepolicy

Injecting a permissive domain:
$ ./sepolicy-inject -Z shell -P sepolicy

Change a permissive domain to non-permissive:
$ ./sepolicy-inject -z shell -P sepolicy

Test a SELinux type exists:
$ ./sepolicy-inject -e -s shell -P sepolicy

Test a SELinux class exists:
$ ./sepolicy-inject -e -c service_manager -P sepolicy

Add a transition:
$ ./sepolicy-inject -s su_daemon -f device -c file -t su_device -P sepolicy

Add a filename transition:
$ ./sepolicy-inject -s su_daemon -f device -c file -g "socket" -t su_device -P sepolicy
sepolicy-inject.c: in function ‘add_file_transition’中:
sepolicy-inject.c:356:18: error:‘filename_trans_t {或称 struct filename_trans}’ has no member named ‘otype’; did you mean ‘stype’?
new_transition->otype = tgt->s.value;
^~~~~
stype
sepolicy-inject.c:359:16: error:‘filename_trans_t {或称 struct filename_trans}’没有名为‘next’的成员
new_transition->next = policy->filename_trans;
^~
sepolicy-inject.c:361:25: error:从不兼容的指针类型赋值 [-Werror=incompatible-pointer-types]
policy->filename_trans = new_transition;
Hello again. For some reason, the new sepolicy-inject gives me errors when adding rules to Marshmallow sepolicy. I have attached the sepolicy here for your reference/testing. Rename .txt to .zip.
These are the errors I get:
error(s) encountered while parsing configuration
Could not load policy
libsepol.policydb_read: policydb version 30 does not match my version range 15-29
It works with the previous version without the multi perm support fyi. Thanks for your help :)
cc -g -Wall -Werror -Wshadow -O2 -pipe -std=gnu11 sepolicy-inject.c libs/x86_64/libsepol.a -o sepolicy-inject
sepolicy-inject.c: In function ‘main’:
sepolicy-inject.c:590:107: error: the address of ‘auto_allow’ will always evaluate as ‘true’ [-Werror=address]
if (((!source || !target || !class || !perm) && !permissive && !fcon && !attr &&!filetrans && !exists && !auto_allow) || !policy)
^
cc1: all warnings being treated as errors
make: *** [sepolicy-inject] Error 1
I am getting this error on building.
Can I get a prebuilt binary?
make
cc -g -Wall -Werror -Wshadow -O2 -pipe -std=gnu11 sepolicy-inject.c libs/x86_64/libsepol.a -o sepolicy-inject
sepolicy-inject.c:17:25: fatal error: sepol/debug.h: No such file or directory
compilation terminated.
make: *** [: sepolicy-inject] Error 1
Hi,
I have a problem recompiling an existing sepolicy file. I can reverse an existing sepolicy to .conf using the "sedump" tool and dump it back to a sepolicy file using the "checkpolicy" tool.
I have all the required tools but my device is stuck in an endless loop at boot after recompiling so my solution was to inject rules to the current sepolicy file which works, but for my needs I need to remove certain rules.
Is there a way you can modify the code of the tool so it will have options to remove an entire "allow rule" or an entire "transition"?
Thanks.
Any chance of adding classes to sepolicy if they don't exist? I get many errors like this:
perm transition,siginh,rlimitinh,dyntransition does not exist in class process
Could not add rule
Thanks again for your support :)
I mean Completely remove the rules and Make the file smaller.
Rather than modifying the flag.
Hi,
I am trying to build this tool but I am getting errors:
$ make
cc -g -Wall -Werror -Wshadow -O2 -pipe -std=gnu11 sepolicy-inject.c libs/x86/libsepol.a -o sepolicy-inject
sepolicy-inject.c: In function ‘add_file_transition’:
sepolicy-inject.c:352:9: error: unknown type name ‘filename_trans_t’; did you mean ‘filename_trans_key_t’?
352 | filename_trans_t *new_transition = cmalloc(sizeof(*new_transition));
| ^~~~~~~~~~~~~~~~
| filename_trans_key_t
sepolicy-inject.c:353:23: error: request for member ‘stype’ in something not a structure or union
353 | new_transition->stype = src->s.value;
| ^~
sepolicy-inject.c:354:23: error: request for member ‘ttype’ in something not a structure or union
354 | new_transition->ttype = orig->s.value;
| ^~
sepolicy-inject.c:355:23: error: request for member ‘tclass’ in something not a structure or union
355 | new_transition->tclass = cls->s.value;
| ^~
sepolicy-inject.c:356:23: error: request for member ‘otype’ in something not a structure or union
356 | new_transition->otype = tgt->s.value;
| ^~
sepolicy-inject.c:357:23: error: request for member ‘name’ in something not a structure or union
357 | new_transition->name = strdup(filename);
| ^~
sepolicy-inject.c:358:23: error: request for member ‘next’ in something not a structure or union
358 | new_transition->next = policy->filename_trans;
| ^~
sepolicy-inject.c:360:32: error: assignment to ‘hashtab_t’ {aka ‘struct hashtab_val *’} from incompatible pointer type ‘int *’ [-Werror=incompatible-pointer-types]
360 | policy->filename_trans = new_transition;
| ^
cc1: all warnings being treated as errors
make: *** [<builtin>: sepolicy-inject] Error 1
What should I do?
Hello, I am interested in this project and the new features you have added. Unfortunately I am not able to compile the source. I am able to compile the original joshua_brindle source without issue. The errors I get are as follows:
superr@studio:~/android/sepolicy-inject$ make
cc -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing sepolicy-inject.c /usr/lib/x86_64-linux-gnu/libsepol.a -o sepolicy-inject
sepolicy-inject.c: In function ‘create_domain’:
sepolicy-inject.c:106:2: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
for(unsigned i=0; i<policy->p_roles.nprim; ++i) {
^
sepolicy-inject.c:106:2: note: use option -std=c99, -std=gnu99, -std=c11 or -std=gnu11 to compile your code
sepolicy-inject.c: In function ‘add_type’:
sepolicy-inject.c:290:2: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
for(int i=0; i<policy->p_classes.nprim; ++i) {
^
sepolicy-inject.c:292:3: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
for(constraint_node_t *n = cl->constraints; n ; n=n->next) {
^
sepolicy-inject.c:293:4: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
for(constraint_expr_t *e = n->expr; e; e=e->next) {
^
<builtin>: recipe for target 'sepolicy-inject' failed
make: *** [sepolicy-inject] Error 1
superr@studio:~/android/sepolicy-inject$
I tried using the -std=c99 option but then I get the following:
superr@studio:~/android/sepolicy-inject$ make
cc -g -Wall -Werror -Wshadow -std=c99 -O2 -pipe -fno-strict-aliasing sepolicy-inject.c /usr/lib/x86_64-linux-gnu/libsepol.a -o sepolicy-inject
sepolicy-inject.c: In function ‘create_domain’:
sepolicy-inject.c:91:2: error: implicit declaration of function ‘strdup’ [-Werror=implicit-function-declaration]
int r = symtab_insert(policy, SYM_TYPES, strdup(d), typdatum, SCOPE_DECL, 1, &value);
^
sepolicy-inject.c:91:43: error: passing argument 3 of ‘symtab_insert’ makes pointer from integer without a cast [-Werror]
int r = symtab_insert(policy, SYM_TYPES, strdup(d), typdatum, SCOPE_DECL, 1, &value);
^
In file included from sepolicy-inject.c:18:0:
/usr/include/sepol/policydb/policydb.h:638:12: note: expected ‘hashtab_key_t’ but argument is of type ‘int’
extern int symtab_insert(policydb_t * x, uint32_t sym,
^
sepolicy-inject.c: In function ‘add_file_transition’:
sepolicy-inject.c:268:23: error: assignment makes pointer from integer without a cast [-Werror]
new_transition->name = strdup(filename);
^
cc1: all warnings being treated as errors
<builtin>: recipe for target 'sepolicy-inject' failed
make: *** [sepolicy-inject] Error 1
superr@studio:~/android/sepolicy-inject$
I hope you can help and thanks for the tool :)
I want to use sepolicy-inject on Windows, but I have some troubles. I want to rebuild the project with MinGW, and I need to know the version of libsepol to rebuild it. Can anyone give me some advice? Thanks!! @phhusson
I have a sepolicy file with below issue
[ 17.586354] type=1400 audit(1479189872.070:249): avc: denied { ioctl } for pid=1515 comm="Binder_3" path="socket:[13175]" dev="sockfs" ino=13175 ioctlcmd=7704
and I found the solution below
http://seandroid-list.tycho.nsa.narkive.com/AgNxhgCu/ioctlcmd-7704-denied-on-unix-stream-socket-for-surfaceflinger-and-system-server-domain
but I cannot figure out the way to inject this setting
+define(IOCTLTEST',
0x00007704')
+allow surfaceflinger surfaceflinger:unix_stream_socket { IOCTLTEST };
can anyone share a hint?
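The question above hinges on a detail that is easy to miss: the avc line as quoted has no scontext, tcontext or tclass fields, and without those three there is nothing to turn into the -s/-t/-c/-p arguments the README describes. The following script is an added example, not part of the original repository or of the issue thread; it parses kernel AVC denial lines into those fields, builds the sepolicy-inject argument list for the README's allow-rule form (including the comma-joined multi-permission form), and attaches review notes for two cases a policy author should look at before injecting anything: a truncated line, and an ioctl denial, where a plain allow rule grants every ioctl on the class rather than the single command number the denial reports. The three sample lines are constructed for this example; only the first is modelled on the denial quoted in the issue.

```python
import re

# Constructed sample denial lines (not taken from the page). The first mirrors
# the shape of the denial quoted in the issue but carries the scontext/tcontext/
# tclass fields a rule needs; the third is the truncated form as quoted.
SAMPLE_DENIALS = [
    'type=1400 audit(1479189872.070:249): avc: denied { ioctl } for pid=1515 '
    'comm="Binder_3" path="socket:[13175]" dev="sockfs" ino=13175 ioctlcmd=7704 '
    'scontext=u:r:surfaceflinger:s0 tcontext=u:r:surfaceflinger:s0 '
    'tclass=unix_stream_socket permissive=0',
    'type=1400 audit(1479189900.000:250): avc: denied { read write open } for '
    'pid=2001 comm="shell" name="foo" dev="mmcblk0p1" ino=42 '
    'scontext=u:r:shell:s0 tcontext=u:object_r:system_file:s0 tclass=file '
    'permissive=0',
    'type=1400 audit(1479189872.070:249): avc: denied { ioctl } for pid=1515 '
    'comm="Binder_3" path="socket:[13175]" dev="sockfs" ino=13175 ioctlcmd=7704',
]

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
DENIAL_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return {'perms': [...], 'fields': {...}} or None if the line is not an AVC denial."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    perms = m.group('perms').split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {'perms': perms, 'fields': fields}


def context_type(ctx):
    """Extract the type from an Android SELinux context: u:r:shell:s0 -> shell."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None


def to_inject_args(parsed):
    """Build the sepolicy-inject allow-rule arguments (README form) for a parsed
    denial, or None when the line lacks scontext/tcontext/tclass."""
    f = parsed['fields']
    if not all(k in f for k in ('scontext', 'tcontext', 'tclass')):
        return None
    src, tgt = context_type(f['scontext']), context_type(f['tcontext'])
    if src is None or tgt is None:
        return None
    return ['-s', src, '-t', tgt, '-c', f['tclass'], '-p', ','.join(parsed['perms'])]


def review(line):
    """Parse one denial and attach the notes a policy author should read before
    injecting the resulting rule."""
    parsed = parse_denial(line)
    if parsed is None:
        return {'args': None, 'notes': ['not an AVC denial']}
    args = to_inject_args(parsed)
    notes = []
    if args is None:
        notes.append('missing scontext/tcontext/tclass: cannot derive a rule; '
                     'collect the full audit line')
    if 'ioctl' in parsed['perms'] and 'ioctlcmd' in parsed['fields']:
        notes.append('ioctl denial for cmd 0x%s: a plain allow grants every ioctl '
                     'on this class, broader than the one command the denial shows'
                     % parsed['fields']['ioctlcmd'])
    return {'args': args, 'notes': notes}


if __name__ == '__main__':
    for line in SAMPLE_DENIALS:
        r = review(line)
        print('./sepolicy-inject %s -P sepolicy' % ' '.join(r['args'])
              if r['args'] else '(no rule derivable)')
        for note in r['notes']:
            print('  note:', note)
```

The script only prints the candidate invocation; it deliberately does not run the tool, so each rule is reviewed by hand first. Feeding it `dmesg` or `logcat` output filtered on `avc: denied` gives one candidate per denial, and the ioctl note is the place to stop and check whether a blanket ioctl permission is really what the policy should say.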