
sepolicy-inject's Introduction

Injects allow rules into binary SELinux kernel policies

Injecting a rule:
$ ./sepolicy-inject -s shell -t system -c file -p read -P sepolicy

Injecting multiple permissions:
$ ./sepolicy-inject -s shell -t system -c file -p read,write,open -P sepolicy

Add a type_attribute to a domain:
$ ./sepolicy-inject -s su -a mlstrustedsubject -P sepolicy

Injecting a permissive domain:
$ ./sepolicy-inject -Z shell -P sepolicy

Change a permissive domain to non-permissive:
$ ./sepolicy-inject -z shell -P sepolicy

Test whether a SELinux type exists:
$ ./sepolicy-inject -e -s shell -P sepolicy

Test whether a SELinux class exists:
$ ./sepolicy-inject -e -c service_manager -P sepolicy

Add a transition:
$ ./sepolicy-inject -s su_daemon -f device -c file -t su_device -P sepolicy

Add a filename transition:
$ ./sepolicy-inject -s su_daemon -f device -c file -g "socket" -t su_device -P sepolicy
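As an added example that is not part of the sepolicy-inject project or its README: a POSIX shell helper that turns one complete "avc: denied" audit line into the matching `-s/-t/-c/-p` invocation from the list above, printing the command rather than running it so the rule can be reviewed before it widens the policy. It assumes the audit line carries the `scontext=`, `tcontext=` and `tclass=` fields that a full Android denial line has, and that the built `sepolicy-inject` binary sits in the current directory; the sample line is constructed.

```shell
#!/bin/sh
# Added example, not the project's own code: map one "avc: denied" audit
# line to the sepolicy-inject command that would cover it.

# Constructed sample denial, in the shape of real Android audit output.
SAMPLE='type=1400 audit(1479189872.070:249): avc: denied { read open } for pid=1515 comm="Binder_3" path="/data/foo" dev="sda" ino=13175 scontext=u:r:system_server:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0'

# field LINE BRE_PATTERN: print the first capture group of PATTERN, or nothing.
field() {
    printf '%s\n' "$1" | sed -n "s/$2/\\1/p"
}

# denial_to_inject_cmd LINE POLICY: print the sepolicy-inject command for LINE
# (hypothetical helper name); returns 1 if LINE is not a complete denial.
denial_to_inject_cmd() {
    line=$1; policy=$2
    src=$(field "$line" '.*scontext=u:[^:]*:\([^:]*\):.*')   # u:r:<domain>:s0
    tgt=$(field "$line" '.*tcontext=u:[^:]*:\([^:]*\):.*')   # u:object_r:<type>:s0
    cls=$(field "$line" '.*tclass=\([a-z_0-9]*\).*')
    # "{ read open }" becomes "read,open", the comma form that -p accepts.
    perms=$(field "$line" '.*denied {\([^}]*\)}.*' | tr -s ' ' ',' | sed 's/^,//; s/,$//')
    [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] && [ -n "$perms" ] || return 1
    case $line in
        *ioctlcmd=*)
            # -p ioctl grants every ioctl command on the class unless the policy
            # also carries an allowxperm rule; the tool documents no flag for that.
            echo "note: ioctlcmd denial; 'ioctl' here covers all commands" >&2 ;;
    esac
    printf './sepolicy-inject -s %s -t %s -c %s -p %s -P %s\n' \
        "$src" "$tgt" "$cls" "$perms" "$policy"
}

denial_to_inject_cmd "$SAMPLE" sepolicy
```

Run the printed command only after checking the type and class with the `-e` forms above, so a typo in a denial line does not create a rule against a different type.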

sepolicy-inject's People

Contributors: jbrindle, phhusson, superr, topjohnwu


sepolicy-inject's Issues

compile errors

sepolicy-inject.c: in function ‘add_file_transition’中:
sepolicy-inject.c:356:18: error:‘filename_trans_t {或称 struct filename_trans}’ has no member named ‘otype’; did you mean ‘stype’?
new_transition->otype = tgt->s.value;
^~~~~
stype
sepolicy-inject.c:359:16: error:‘filename_trans_t {或称 struct filename_trans}’没有名为‘next’的成员
new_transition->next = policy->filename_trans;
^~
sepolicy-inject.c:361:25: error:从不兼容的指针类型赋值 [-Werror=incompatible-pointer-types]
policy->filename_trans = new_transition;

errors modifying Marshmallow sepolicy

Hello again. For some reason, the new sepolicy-inject gives me errors when adding rules to Marshmallow sepolicy. I have attached the sepolicy here for your reference/testing. Rename .txt to .zip.

These are the errors I get:

error(s) encountered while parsing configuration
Could not load policy
libsepol.policydb_read: policydb version 30 does not match my version range 15-29

It works with the previous version without the multi perm support fyi. Thanks for your help :)

sepolicy_Nexus9.txt

An error about Compiler

cc -g -Wall -Werror -Wshadow -O2 -pipe -std=gnu11    sepolicy-inject.c  libs/x86_64/libsepol.a  -o sepolicy-inject
sepolicy-inject.c: In function ‘main’:
sepolicy-inject.c:590:107: error: the address of ‘auto_allow’ will always evaluate as ‘true’ [-Werror=address]
  if (((!source || !target || !class || !perm) && !permissive && !fcon && !attr &&!filetrans && !exists && !auto_allow) || !policy)
                                                                                                           ^
cc1: all warnings being treated as errors
make: *** [sepolicy-inject] Error 1

fatal error: sepol/debug.h: No such file or directory

I am getting this error on building. Can I get a prebuilt binary?

make
cc -g -Wall -Werror -Wshadow -O2 -pipe -std=gnu11 sepolicy-inject.c libs/x86_64/libsepol.a -o sepolicy-inject
sepolicy-inject.c:17:25: fatal error: sepol/debug.h: No such file or directory
compilation terminated.
make: *** [: sepolicy-inject] Error 1

remove rules

Hi,
I have a problem recompiling an existing sepolicy file. I can reverse an existing sepolicy to .conf using the "sedump" tool and dump it back to a sepolicy file using the "checkpolicy" tool.

I have all the required tools, but my device is stuck in an endless loop at boot after recompiling, so my solution was to inject rules into the current sepolicy file, which works; but for my needs I need to remove certain rules.

Is there a way you can modify the code of the tool so it will have options to remove an entire "allow rule" or an entire "transition"?
Thanks.

add classes if they don't exist

Any chance of adding classes to sepolicy if they don't exist? I get many errors like this:

perm transition,siginh,rlimitinh,dyntransition does not exist in class process
Could not add rule

Thanks again for your support :)

How to delete a rule?

I mean completely remove the rules and make the file smaller, rather than modifying the flag.

Impossible to build due to errors during 'make'

Hi,

I am trying to build this tool but I am getting errors:

$ make
cc -g -Wall -Werror -Wshadow -O2 -pipe -std=gnu11    sepolicy-inject.c  libs/x86/libsepol.a  -o sepolicy-inject
sepolicy-inject.c: In function ‘add_file_transition’:
sepolicy-inject.c:352:9: error: unknown type name ‘filename_trans_t’; did you mean ‘filename_trans_key_t’?
  352 |         filename_trans_t *new_transition = cmalloc(sizeof(*new_transition));
      |         ^~~~~~~~~~~~~~~~
      |         filename_trans_key_t
sepolicy-inject.c:353:23: error: request for member ‘stype’ in something not a structure or union
  353 |         new_transition->stype = src->s.value;
      |                       ^~
sepolicy-inject.c:354:23: error: request for member ‘ttype’ in something not a structure or union
  354 |         new_transition->ttype = orig->s.value;
      |                       ^~
sepolicy-inject.c:355:23: error: request for member ‘tclass’ in something not a structure or union
  355 |         new_transition->tclass = cls->s.value;
      |                       ^~
sepolicy-inject.c:356:23: error: request for member ‘otype’ in something not a structure or union
  356 |         new_transition->otype = tgt->s.value;
      |                       ^~
sepolicy-inject.c:357:23: error: request for member ‘name’ in something not a structure or union
  357 |         new_transition->name = strdup(filename);
      |                       ^~
sepolicy-inject.c:358:23: error: request for member ‘next’ in something not a structure or union
  358 |         new_transition->next = policy->filename_trans;
      |                       ^~
sepolicy-inject.c:360:32: error: assignment to ‘hashtab_t’ {aka ‘struct hashtab_val *’} from incompatible pointer type ‘int *’ [-Werror=incompatible-pointer-types]
  360 |         policy->filename_trans = new_transition;
      |                                ^
cc1: all warnings being treated as errors
make: *** [<builtin>: sepolicy-inject] Error 1

What should I do?

compile errors

Hello, I am interested in this project and the new features you have added. Unfortunately I am not able to compile the source. I am able to compile the original joshua_brindle source without issue. The errors I get are as follows:

superr@studio:~/android/sepolicy-inject$ make
cc -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing    sepolicy-inject.c  /usr/lib/x86_64-linux-gnu/libsepol.a  -o sepolicy-inject
sepolicy-inject.c: In function ‘create_domain’:
sepolicy-inject.c:106:2: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
  for(unsigned i=0; i<policy->p_roles.nprim; ++i) {
  ^
sepolicy-inject.c:106:2: note: use option -std=c99, -std=gnu99, -std=c11 or -std=gnu11 to compile your code
sepolicy-inject.c: In function ‘add_type’:
sepolicy-inject.c:290:2: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
  for(int i=0; i<policy->p_classes.nprim; ++i) {
  ^
sepolicy-inject.c:292:3: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
   for(constraint_node_t *n = cl->constraints; n ; n=n->next) {
   ^
sepolicy-inject.c:293:4: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
    for(constraint_expr_t *e = n->expr; e; e=e->next) {
    ^
<builtin>: recipe for target 'sepolicy-inject' failed
make: *** [sepolicy-inject] Error 1
superr@studio:~/android/sepolicy-inject$

I tried using the -std=c99 option but then I get the following:

superr@studio:~/android/sepolicy-inject$ make
cc -g -Wall -Werror -Wshadow -std=c99 -O2 -pipe -fno-strict-aliasing    sepolicy-inject.c  /usr/lib/x86_64-linux-gnu/libsepol.a  -o sepolicy-inject
sepolicy-inject.c: In function ‘create_domain’:
sepolicy-inject.c:91:2: error: implicit declaration of function ‘strdup’ [-Werror=implicit-function-declaration]
  int r = symtab_insert(policy, SYM_TYPES, strdup(d), typdatum, SCOPE_DECL, 1, &value);
  ^
sepolicy-inject.c:91:43: error: passing argument 3 of ‘symtab_insert’ makes pointer from integer without a cast [-Werror]
  int r = symtab_insert(policy, SYM_TYPES, strdup(d), typdatum, SCOPE_DECL, 1, &value);
                                           ^
In file included from sepolicy-inject.c:18:0:
/usr/include/sepol/policydb/policydb.h:638:12: note: expected ‘hashtab_key_t’ but argument is of type ‘int’
 extern int symtab_insert(policydb_t * x, uint32_t sym,
            ^
sepolicy-inject.c: In function ‘add_file_transition’:
sepolicy-inject.c:268:23: error: assignment makes pointer from integer without a cast [-Werror]
  new_transition->name = strdup(filename);
                       ^
cc1: all warnings being treated as errors
<builtin>: recipe for target 'sepolicy-inject' failed
make: *** [sepolicy-inject] Error 1
superr@studio:~/android/sepolicy-inject$ 

I hope you can help and thanks for the tool :)

Which version of libsepol is used?

I want to use sepolicy-inject on Windows, but I have some trouble. I want to rebuild the project with MinGW, and I need to know the version of libsepol to rebuild it. Can anyone give me some advice? Thanks!! @phhusson

How to inject a macro? Finding a solution for ioctlcmd=7704 denied on unix_stream_socket for system_server domain

I have a sepolicy file with the issue below:
[ 17.586354] type=1400 audit(1479189872.070:249): avc: denied { ioctl } for pid=1515 comm="Binder_3" path="socket:[13175]" dev="sockfs" ino=13175 ioctlcmd=7704

and I found the solution below:
http://seandroid-list.tycho.nsa.narkive.com/AgNxhgCu/ioctlcmd-7704-denied-on-unix-stream-socket-for-surfaceflinger-and-system-server-domain

but I cannot figure out how to inject this setting:
+define(IOCTLTEST', 0x00007704')
+allow surfaceflinger surfaceflinger:unix_stream_socket { IOCTLTEST };

Can anyone share a hint?
