Merge "Extend toolbox with SE Android support."

Author: Jean-Baptiste Queru

toolbox/Android.mk

@@ -57,6 +57,21 @@ TOOLS := \
 	touch \
 	lsof
 
+ifeq ($(HAVE_SELINUX),true)
+
+TOOLS += \
+	getenforce \
+	setenforce \
+	chcon \
+	restorecon \
+	runcon \
+	getsebool \
+	setsebool \
+	load_policy
+
+endif
+
+
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
 TOOLS += r
 endif
@@ -68,6 +83,14 @@ LOCAL_SRC_FILES:= \
 
 LOCAL_SHARED_LIBRARIES := libcutils libc libusbhost
 
+ifeq ($(HAVE_SELINUX),true)
+
+LOCAL_CFLAGS += -DHAVE_SELINUX
+LOCAL_SHARED_LIBRARIES += libselinux
+LOCAL_C_INCLUDES += external/libselinux/include
+
+endif
+
 LOCAL_MODULE:= toolbox
 
 # Including this will define $(intermediates).

toolbox/chcon.c

@@ -0,0 +1,25 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+
+int chcon_main(int argc, char **argv)
+{
+    int rc, i;
+
+    if (argc < 3) {
+        fprintf(stderr, "usage:  %s context path...\n", argv[0]);
+        exit(1);
+    }
+
+    for (i = 2; i < argc; i++) {
+        rc = setfilecon(argv[i], argv[1]);
+        if (rc < 0) {
+            fprintf(stderr, "%s:  Could not label %s with %s:  %s\n",
+                    argv[0], argv[i], argv[1], strerror(errno));
+            exit(2);
+        }
+    }
+    exit(0);
+}

toolbox/getenforce.c

@@ -0,0 +1,30 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+
+int getenforce_main(int argc, char **argv)
+{
+    int rc;
+
+    rc = is_selinux_enabled();
+    if (rc <= 0) {
+        printf("Disabled\n");
+        return 0;
+    }
+
+    rc = security_getenforce();
+    if (rc < 0) {
+        fprintf(stderr, "Could not get enforcing status:  %s\n",
+                strerror(errno));
+        return 2;
+    }
+
+    if (rc)
+        printf("Enforcing\n");
+    else
+        printf("Permissive\n");
+
+    return 0;
+}

toolbox/getsebool.c

@@ -0,0 +1,104 @@
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <getopt.h>
+#include <errno.h>
+#include <string.h>
+#include <selinux/selinux.h>
+
+static void usage(const char *progname)
+{
+    fprintf(stderr, "usage:  %s -a or %s boolean...\n", progname, progname);
+    exit(1);
+}
+
+int getsebool_main(int argc, char **argv)
+{
+    int i, get_all = 0, rc = 0, active, pending, len = 0, opt;
+    char **names;
+
+    while ((opt = getopt(argc, argv, "a")) > 0) {
+        switch (opt) {
+        case 'a':
+            if (argc > 2)
+                usage(argv[0]);
+            if (is_selinux_enabled() <= 0) {
+                fprintf(stderr, "%s:  SELinux is disabled\n",
+                        argv[0]);
+                return 1;
+            }
+            errno = 0;
+            rc = security_get_boolean_names(&names, &len);
+            if (rc) {
+                fprintf(stderr,
+                        "%s:  Unable to get boolean names:  %s\n",
+                        argv[0], strerror(errno));
+                return 1;
+            }
+            if (!len) {
+                printf("No booleans\n");
+                return 0;
+            }
+            get_all = 1;
+            break;
+        default:
+            usage(argv[0]);
+        }
+    }
+
+    if (is_selinux_enabled() <= 0) {
+        fprintf(stderr, "%s:  SELinux is disabled\n", argv[0]);
+        return 1;
+    }
+    if (!len) {
+        if (argc < 2)
+            usage(argv[0]);
+        len = argc - 1;
+        names = malloc(sizeof(char *) * len);
+        if (!names) {
+            fprintf(stderr, "%s:  out of memory\n", argv[0]);
+            return 2;
+        }
+        for (i = 0; i < len; i++) {
+            names[i] = strdup(argv[i + 1]);
+            if (!names[i]) {
+                fprintf(stderr, "%s:  out of memory\n",
+                        argv[0]);
+                return 2;
+            }
+        }
+    }
+
+    for (i = 0; i < len; i++) {
+        active = security_get_boolean_active(names[i]);
+        if (active < 0) {
+            if (get_all && errno == EACCES)
+                continue;
+            fprintf(stderr, "Error getting active value for %s\n",
+                    names[i]);
+            rc = -1;
+            goto out;
+        }
+        pending = security_get_boolean_pending(names[i]);
+        if (pending < 0) {
+            fprintf(stderr, "Error getting pending value for %s\n",
+                    names[i]);
+            rc = -1;
+            goto out;
+        }
+        if (pending != active) {
+            printf("%s --> %s pending: %s\n", names[i],
+                   (active ? "on" : "off"),
+                   (pending ? "on" : "off"));
+        } else {
+            printf("%s --> %s\n", names[i],
+                   (active ? "on" : "off"));
+        }
+    }
+
+out:
+    for (i = 0; i < len; i++)
+        free(names[i]);
+    free(names);
+    return rc;
+}

toolbox/id.c

@@ -5,6 +5,10 @@
 #include <pwd.h>
 #include <grp.h>
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 static void print_uid(uid_t uid)
 {
     struct passwd *pw = getpwuid(uid);
@@ -30,6 +34,9 @@ int id_main(int argc, char **argv)
 {
     gid_t list[64];
     int n, max;
+#ifdef HAVE_SELINUX
+    char *secctx;
+#endif
 
     max = getgroups(64, list);
     if (max < 0) max = 0;
@@ -46,6 +53,12 @@ int id_main(int argc, char **argv)
             print_gid(list[n]);
         }
     }
+#ifdef HAVE_SELINUX
+    if (getcon(&secctx) == 0) {
+        printf(" context=%s", secctx);
+        free(secctx);
+    }
+#endif
     printf("\n");
     return 0;
 }

toolbox/load_policy.c

@@ -0,0 +1,49 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+
+int load_policy_main(int argc, char **argv)
+{
+    int fd, rc, vers;
+    struct stat sb;
+    void *map;
+    const char *path;
+
+    if (argc != 2) {
+        fprintf(stderr, "usage:  %s policy-file\n", argv[0]);
+        exit(1);
+    }
+
+    path = argv[1];
+    fd = open(path, O_RDONLY);
+    if (fd < 0) {
+        fprintf(stderr, "Could not open %s:  %s\n", path, strerror(errno));
+        exit(2);
+    }
+
+    if (fstat(fd, &sb) < 0) {
+        fprintf(stderr, "Could not stat %s:  %s\n", path, strerror(errno));
+        exit(3);
+    }
+
+    map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+    if (map == MAP_FAILED) {
+        fprintf(stderr, "Could not mmap %s:  %s\n", path, strerror(errno));
+        exit(4);
+    }
+
+    rc = security_load_policy(map, sb.st_size);
+    if (rc < 0) {
+        fprintf(stderr, "Could not load %s:  %s\n", path, strerror(errno));
+        exit(5);
+    }
+    munmap(map, sb.st_size);
+    close(fd);
+    exit(0);
+}

toolbox/ls.c

@@ -5,6 +5,10 @@
 #include <dirent.h>
 #include <errno.h>
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #include <sys/stat.h>
 #include <unistd.h>
 #include <time.h>
@@ -25,6 +29,7 @@
 #define LIST_SIZE           (1 << 4)
 #define LIST_LONG_NUMERIC   (1 << 5)
 #define LIST_CLASSIFY       (1 << 6)
+#define LIST_MACLABEL       (1 << 7)
 
 // fwd
 static int listpath(const char *name, int flags);
@@ -234,9 +239,75 @@ static int listfile_long(const char *path, int flags)
     return 0;
 }
 
+static int listfile_maclabel(const char *path, int flags)
+{
+    struct stat s;
+    char mode[16];
+    char user[16];
+    char group[16];
+    char *maclabel = NULL;
+    const char *name;
+
+    /* name is anything after the final '/', or the whole path if none*/
+    name = strrchr(path, '/');
+    if(name == 0) {
+        name = path;
+    } else {
+        name++;
+    }
+
+    if(lstat(path, &s) < 0) {
+        return -1;
+    }
+
+#ifdef HAVE_SELINUX
+    lgetfilecon(path, &maclabel);
+#else
+    maclabel = strdup("-");
+#endif
+    if (!maclabel) {
+        return -1;
+    }
+
+    mode2str(s.st_mode, mode);
+    user2str(s.st_uid, user);
+    group2str(s.st_gid, group);
+
+    switch(s.st_mode & S_IFMT) {
+    case S_IFLNK: {
+        char linkto[256];
+        int len;
+
+        len = readlink(path, linkto, sizeof(linkto));
+        if(len < 0) return -1;
+
+        if(len > sizeof(linkto)-1) {
+            linkto[sizeof(linkto)-4] = '.';
+            linkto[sizeof(linkto)-3] = '.';
+            linkto[sizeof(linkto)-2] = '.';
+            linkto[sizeof(linkto)-1] = 0;
+        } else {
+            linkto[len] = 0;
+        }
+
+        printf("%s %-8s %-8s          %s %s -> %s\n",
+               mode, user, group, maclabel, name, linkto);
+        break;
+    }
+    default:
+        printf("%s %-8s %-8s          %s %s\n",
+               mode, user, group, maclabel, name);
+
+    }
+
+    free(maclabel);
+
+    return 0;
+}
+
 static int listfile(const char *dirname, const char *filename, int flags)
 {
-    if ((flags & (LIST_LONG | LIST_SIZE | LIST_CLASSIFY)) == 0) {
+    if ((flags & LIST_LONG | LIST_SIZE | LIST_CLASSIFY | LIST_MACLABEL) == 0) {
         printf("%s\n", filename);
         return 0;
     }
@@ -251,7 +322,9 @@ static int listfile(const char *dirname, const char *filename, int flags)
         pathname = filename;
     }
 
-    if ((flags & LIST_LONG) != 0) {
+    if ((flags & LIST_MACLABEL) != 0) {
+        return listfile_maclabel(pathname, flags);
+    } else if ((flags & LIST_LONG) != 0) {
         return listfile_long(pathname, flags);
     } else /*((flags & LIST_SIZE) != 0)*/ {
         return listfile_size(pathname, filename, flags);
@@ -386,6 +459,7 @@ int ls_main(int argc, char **argv)
                     case 's': flags |= LIST_SIZE; break;
                     case 'R': flags |= LIST_RECURSIVE; break;
                     case 'd': flags |= LIST_DIRECTORIES; break;
+                    case 'Z': flags |= LIST_MACLABEL; break;
                     case 'a': flags |= LIST_ALL; break;
                     case 'F': flags |= LIST_CLASSIFY; break;
                     default: