From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <551AF573.3050700@tycho.nsa.gov>
Date: Tue, 31 Mar 2015 15:28:51 -0400
From: James Carter
MIME-Version: 1.0
To: Steve Lawrence , selinux@tycho.nsa.gov
Subject: Re: [PATCH 3/3 v3] checkpolicy: Add support for generating CIL
References: <1427822281-14769-1-git-send-email-jwcart2@tycho.nsa.gov> <1427822281-14769-4-git-send-email-jwcart2@tycho.nsa.gov> <551AF368.50607@tresys.com>
In-Reply-To: <551AF368.50607@tresys.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
List-Post:
List-Help:
On 03/31/2015 03:20 PM, Steve Lawrence wrote:
> On 03/31/2015 01:18 PM, James Carter wrote:
>> Add support to checkpolicy and checkmodule for generating CIL as their
>> output.
>>
>> Add new options "-C" and "--cil" to specify CIL as the output format.
>>
>> Signed-off-by: James Carter
>> ---
>> checkpolicy/checkmodule.c | 59 +++++++++++++++++++++--------------
>> checkpolicy/checkpolicy.c | 79 ++++++++++++++++++++++++++++++-----------------
>> 2 files changed, 86 insertions(+), 52 deletions(-)
>>
>> diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
>> index 0255928..b1be640 100644
>> --- a/checkpolicy/checkmodule.c
>> +++ b/checkpolicy/checkmodule.c
>
> [snip]
>
>> @@ -295,10 +283,33 @@ int main(int argc, char **argv)
>>
>> printf("%s: policy configuration loaded\n", argv[0]);
>>
>> - if (outfile &&
>> - write_binary_policy(&modpolicydb, outfile, argv[0]) == -1) {
>> + if (outfile) {
>> + FILE *outfp = fopen(outfile, "w");
>> +
>> + if (!outfp) {
>> + perror(outfile);
>> + exit(1);
>> + }
>> +
>> + if (!cil) {
>> + printf("%s: writing binary representation (version %d) to %s\n",
>> + argv[0], policyvers, file);
>> +
>> + if (write_binary_policy(&modpolicydb, outfp) != 0) {
>> + fprintf(stderr, "%s: error writing %s\n", argv[0], outfile);
>> + exit(1);
>> + }
>> + } else {
>> + printf("%s: writing CIL to %s\n",argv[0], outfile);
>> + sepol_module_policydb_to_cil(outfp, &modpolicydb, 0);
>
> Maybe add a check for the return code of sepol_module_policydb_to_cil
> and fprintf an error message, like above with write_binary_policy?
>
>> + }
>> +
>> + fclose(outfp);
>> + } else if (cil) {
>> + fprintf(stderr, "%s: No file to write CIL was specified\n", argv[0]);
>> exit(1);
>> }
>> +
>> policydb_destroy(&modpolicydb);
>>
>> return 0;
>> diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
>> index 61a2e89..d96399d 100644
>> --- a/checkpolicy/checkpolicy.c
>> +++ b/checkpolicy/checkpolicy.c
>
> [snip]
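Review bot: The status message in the `!cil` branch of the checkmodule.c hunk names the wrong file: the stream is opened with `fopen(outfile, "w")` a few lines earlier, yet the printf passes `file`, which appears to be the input path elsewhere in checkmodule.c (not visible in this hunk, please confirm); the argument list should read `argv[0], policyvers, outfile);`. Separately, the new `fclose(outfp);` is unchecked, and for a write stream fclose() performs the final flush, so a short write (ENOSPC, EIO) leaves a truncated policy module at `outfile` while the tool still exits 0 — `if (fclose(outfp) != 0) { fprintf(stderr, "%s: error writing %s\n", argv[0], outfile); exit(1); }` keeps the existing error style. main() starts and continues outside this hunk.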
>
>> @@ -602,29 +612,42 @@ int main(int argc, char **argv)
>> printf("%s: policy configuration loaded\n", argv[0]);
>>
>> if (outfile) {
>> - printf
>> - ("%s: writing binary representation (version %d) to %s\n",
>> - argv[0], policyvers, outfile);
>> outfp = fopen(outfile, "w");
>> if (!outfp) {
>> perror(outfile);
>> exit(1);
>> }
>>
>> - policydb.policy_type = POLICY_KERN;
>> policydb.policyvers = policyvers;
>>
>> - policy_file_init(&pf);
>> - pf.type = PF_USE_STDIO;
>> - pf.fp = outfp;
>> - ret = policydb_write(&policydb, &pf);
>> - if (ret) {
>> - fprintf(stderr, "%s: error writing %s\n",
>> - argv[0], outfile);
>> - exit(1);
>> + if (!cil) {
>> + printf
>> + ("%s: writing binary representation (version %d) to %s\n",
>> + argv[0], policyvers, outfile);
>> + policydb.policy_type = POLICY_KERN;
>> +
>> + policy_file_init(&pf);
>> + pf.type = PF_USE_STDIO;
>> + pf.fp = outfp;
>> + ret = policydb_write(&policydb, &pf);
>> + if (ret) {
>> + fprintf(stderr, "%s: error writing %s\n",
>> + argv[0], outfile);
>> + exit(1);
>> + }
>> + } else {
>> + printf("%s: writing CIL to %s\n",argv[0], outfile);
>> + sepol_module_policydb_to_cil(outfp, policydbp, 1);
>
> Same issue here. Add error checking/message?
Yes, both of these should be checking for an error and printing an error message.
Jim
>
>> + }
>> +
>> + if (outfile) {
>> + fclose(outfp);
>> }
>> - fclose(outfp);
>> + } else if (cil) {
>> + fprintf(stderr, "%s: No file to write CIL was specified\n", argv[0]);
>> + exit(1);
>> }
>> +
>> if (!debug) {
>> policydb_destroy(&policydb);
>> exit(0);
>> -- James Carter National Security Agency
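Review bot: The added `if (outfile) { fclose(outfp); }` in the checkpolicy.c hunk sits inside the `if (outfile) {` block that opens the hunk, so the inner test is always true and only obscures the control flow; a bare `fclose(outfp);` at that point is equivalent. What that spot actually needs is a check of fclose()'s result: for a write stream fclose() does the final flush, so a failure (ENOSPC, EIO) leaves a truncated kernel policy at `outfile` while checkpolicy still exits 0 — `if (fclose(outfp) != 0) { fprintf(stderr, "%s: error writing %s\n", argv[0], outfile); exit(1); }` matches the message already used for policydb_write. The same applies to the binary branch, which keeps the old behaviour of exiting 1 on a write error but never learns about a flush error. main() starts and continues outside this hunk.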