1 #include <errno.h>
2 #include <stdio.h>
3 #include <stdlib.h>
4 #include <string.h>
5
6 #include <sepol/policydb/services.h>
7 #include <sepol/sepol.h>
8
9
main(int argc,char * argv[])10 int main(int argc, char *argv[])
11 {
12 FILE *fp;
13 sepol_security_id_t ssid, tsid;
14 sepol_security_class_t tclass;
15 struct sepol_av_decision avd;
16 int rc;
17
18 if (argc != 5) {
19 printf("usage: %s policy scontext tcontext tclass\n", argv[0]);
20 return 1;
21 }
22
23 fp = fopen(argv[1], "r");
24 if (!fp) {
25 fprintf(stderr, "Can't open policy %s: %s\n", argv[1], strerror(errno));
26 return 1;
27 }
28 if (sepol_set_policydb_from_file(fp) < 0) {
29 fprintf(stderr, "Error while processing policy %s: %s\n", argv[1], strerror(errno));
30 fclose(fp);
31 return 1;
32 }
33 fclose(fp);
34
35 if (sepol_context_to_sid(argv[2], strlen(argv[2]), &ssid) < 0) {
36 fprintf(stderr, "Invalid source context %s\n", argv[2]);
37 return 1;
38 }
39
40 if (sepol_context_to_sid(argv[3], strlen(argv[3]), &tsid) < 0) {
41 fprintf(stderr, "Invalid target context %s\n", argv[3]);
42 return 1;
43 }
44
45 if (sepol_string_to_security_class(argv[4], &tclass) < 0) {
46 fprintf(stderr, "Invalid security class %s\n", argv[4]);
47 return 1;
48 }
49
50 rc = sepol_compute_av(ssid, tsid, tclass, 0, &avd);
51 switch (rc) {
52 case 0:
53 printf("allowed: %s\n", sepol_av_perm_to_string(tclass, avd.allowed));
54 printf("decided: %s\n", sepol_av_perm_to_string(tclass, avd.decided));
55 printf("auditallow: %s\n", sepol_av_perm_to_string(tclass, avd.auditallow));
56 printf("auditdeny: %s\n", sepol_av_perm_to_string(tclass, avd.auditdeny));
57 break;
58 case -EINVAL:
59 printf("Invalid request\n");
60 break;
61 default:
62 printf("Failed to compute av decision: %d\n", rc);
63 }
64
65 return rc != 0;
66 }
67