Find attributes for a type with sepol

Find attributes for a type with sepol

[Roberts, William C]

[-- Attachment #1: Type: text/plain, Size: 143 bytes --]

How would one find all the attributes of a type with libsepol, can someone point me to any relevant structures or functions?

Thanks,
Bill

[-- Attachment #2: Type: text/html, Size: 1907 bytes --]

Re: Find attributes for a type with sepol

[James Carter]

On 09/23/2015 06:39 PM, Roberts, William C wrote:
> How would one find all the attributes of a type with libsepol, can someone point me to any relevant structures or functions?
>

The policydb_t structure has type_attr_map field which maps types to an ebitmap 
of attributes.

Jim



-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

Re: Find attributes for a type with sepol

[Stephen Smalley]

On 09/24/2015 08:43 AM, James Carter wrote:
> On 09/23/2015 06:39 PM, Roberts, William C wrote:
>> How would one find all the attributes of a type with libsepol, can
>> someone point me to any relevant structures or functions?
>>
> 
> The policydb_t structure has type_attr_map field which maps types to an
> ebitmap of attributes.

It also has the reverse map (attr_type_map) if you want that.

In Android, external/sepolicy/tools/sepolicy-analyze has examples of
using both maps.

Re: Find attributes for a type with sepol

[Joshua Brindle]

Stephen Smalley wrote:
> On 09/24/2015 08:43 AM, James Carter wrote:
>> On 09/23/2015 06:39 PM, Roberts, William C wrote:
>>> How would one find all the attributes of a type with libsepol, can
>>> someone point me to any relevant structures or functions?
>>>
>> The policydb_t structure has type_attr_map field which maps types to an
>> ebitmap of attributes.
>
> It also has the reverse map (attr_type_map) if you want that.
>
> In Android, external/sepolicy/tools/sepolicy-analyze has examples of
> using both maps.
>

seinfo also knows how to do it, if you need more examples:

$ seinfo -x -tuntrusted_app sepolicy
    untrusted_app
       bluetoothdomain
       netdomain
       appdomain
       domain

Re: Find attributes for a type with sepol

[William Roberts]

[-- Attachment #1: Type: text/plain, Size: 1388 bytes --]

Out of curiosity, whats the purpose of the types field in the struct
type_datum? This seems to never have anything in it.

Also, conditional.h has a field called bool, this would seem to conflict
with stdbool.h, whats the consensus on renaming this to boolean perhaps?


On Thu, Sep 24, 2015 at 6:58 AM, Joshua Brindle <brindle@quarksecurity.com>
wrote:

> Stephen Smalley wrote:
>
>> On 09/24/2015 08:43 AM, James Carter wrote:
>>
>>> On 09/23/2015 06:39 PM, Roberts, William C wrote:
>>>
>>>> How would one find all the attributes of a type with libsepol, can
>>>> someone point me to any relevant structures or functions?
>>>>
>>>> The policydb_t structure has type_attr_map field which maps types to an
>>> ebitmap of attributes.
>>>
>>
>> It also has the reverse map (attr_type_map) if you want that.
>>
>> In Android, external/sepolicy/tools/sepolicy-analyze has examples of
>> using both maps.
>>
>>
> seinfo also knows how to do it, if you need more examples:
>
> $ seinfo -x -tuntrusted_app sepolicy
>    untrusted_app
>       bluetoothdomain
>       netdomain
>       appdomain
>       domain
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
>



-- 
Respectfully,

William C Roberts

[-- Attachment #2: Type: text/html, Size: 2507 bytes --]

Re: Find attributes for a type with sepol

[Joshua Brindle]

William Roberts wrote:
> Out of curiosity, whats the purpose of the types field in the struct
> type_datum? This seems to never have anything in it.
>

type_datum is used for both types and attributes (as designated by the 
flavor field). In the attribute case the types field is the ebitmap of 
types have have this attribute. It is set in checkpolicy, look at 
policy_define.c:define_typeattribute().


> Also, conditional.h has a field called bool, this would seem to conflict
> with stdbool.h, whats the consensus on renaming this to boolean perhaps?
>

probably...

>
> On Thu, Sep 24, 2015 at 6:58 AM, Joshua Brindle<brindle@quarksecurity.com>
> wrote:
>
>> Stephen Smalley wrote:
>>
>>> On 09/24/2015 08:43 AM, James Carter wrote:
>>>
>>>> On 09/23/2015 06:39 PM, Roberts, William C wrote:
>>>>
>>>>> How would one find all the attributes of a type with libsepol, can
>>>>> someone point me to any relevant structures or functions?
>>>>>
>>>>> The policydb_t structure has type_attr_map field which maps types to an
>>>> ebitmap of attributes.
>>>>
>>> It also has the reverse map (attr_type_map) if you want that.
>>>
>>> In Android, external/sepolicy/tools/sepolicy-analyze has examples of
>>> using both maps.
>>>
>>>
>> seinfo also knows how to do it, if you need more examples:
>>
>> $ seinfo -x -tuntrusted_app sepolicy
>>     untrusted_app
>>        bluetoothdomain
>>        netdomain
>>        appdomain
>>        domain
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to
>> Selinux-request@tycho.nsa.gov.
>>
>
>
>

Re: Find attributes for a type with sepol

[William Roberts]

[-- Attachment #1: Type: text/plain, Size: 1902 bytes --]

On Sep 29, 2015 12:12 PM, "Joshua Brindle" <brindle@quarksecurity.com>
wrote:
>
> William Roberts wrote:
>>
>> Out of curiosity, whats the purpose of the types field in the struct
>> type_datum? This seems to never have anything in it.
>>
>
> type_datum is used for both types and attributes (as designated by the
flavor field). In the attribute case the types field is the ebitmap of
types have have this attribute.

What about if its a type, is it an ebitmap of attrs?

It is set in checkpolicy, look at policy_define.c:define_typeattribute().
>
>
>
>> Also, conditional.h has a field called bool, this would seem to conflict
>> with stdbool.h, whats the consensus on renaming this to boolean perhaps?
>>
>
> probably...
>
>
>>
>> On Thu, Sep 24, 2015 at 6:58 AM, Joshua Brindle<brindle@quarksecurity.com
>
>> wrote:
>>
>>> Stephen Smalley wrote:
>>>
>>>> On 09/24/2015 08:43 AM, James Carter wrote:
>>>>
>>>>> On 09/23/2015 06:39 PM, Roberts, William C wrote:
>>>>>
>>>>>> How would one find all the attributes of a type with libsepol, can
>>>>>> someone point me to any relevant structures or functions?
>>>>>>
>>>>>> The policydb_t structure has type_attr_map field which maps types to
an
>>>>>
>>>>> ebitmap of attributes.
>>>>>
>>>> It also has the reverse map (attr_type_map) if you want that.
>>>>
>>>> In Android, external/sepolicy/tools/sepolicy-analyze has examples of
>>>> using both maps.
>>>>
>>>>
>>> seinfo also knows how to do it, if you need more examples:
>>>
>>> $ seinfo -x -tuntrusted_app sepolicy
>>>     untrusted_app
>>>        bluetoothdomain
>>>        netdomain
>>>        appdomain
>>>        domain
>>>
>>> _______________________________________________
>>> Selinux mailing list
>>> Selinux@tycho.nsa.gov
>>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>>> To get help, send an email containing "help" to
>>> Selinux-request@tycho.nsa.gov.
>>>
>>
>>
>>
>

[-- Attachment #2: Type: text/html, Size: 3083 bytes --]

Re: Find attributes for a type with sepol

[Joshua Brindle]

William Roberts wrote:
> On Sep 29, 2015 12:12 PM, "Joshua Brindle"<brindle@quarksecurity.com>
> wrote:
>> William Roberts wrote:
>>> Out of curiosity, whats the purpose of the types field in the struct
>>> type_datum? This seems to never have anything in it.
>>>
>> type_datum is used for both types and attributes (as designated by the
> flavor field). In the attribute case the types field is the ebitmap of
> types have have this attribute.
>
> What about if its a type, is it an ebitmap of attrs?

No, but as Stephen said below there is a type_attr_map that contains that.

>
> It is set in checkpolicy, look at policy_define.c:define_typeattribute().
>>
>>
>>> Also, conditional.h has a field called bool, this would seem to conflict
>>> with stdbool.h, whats the consensus on renaming this to boolean perhaps?
>>>
>> probably...
>>
>>
>>> On Thu, Sep 24, 2015 at 6:58 AM, Joshua Brindle<brindle@quarksecurity.com
>>> wrote:
>>>
>>>> Stephen Smalley wrote:
>>>>
>>>>> On 09/24/2015 08:43 AM, James Carter wrote:
>>>>>
>>>>>> On 09/23/2015 06:39 PM, Roberts, William C wrote:
>>>>>>
>>>>>>> How would one find all the attributes of a type with libsepol, can
>>>>>>> someone point me to any relevant structures or functions?
>>>>>>>
>>>>>>> The policydb_t structure has type_attr_map field which maps types to
> an
>>>>>> ebitmap of attributes.
>>>>>>
>>>>> It also has the reverse map (attr_type_map) if you want that.
>>>>>
>>>>> In Android, external/sepolicy/tools/sepolicy-analyze has examples of
>>>>> using both maps.
>>>>>
>>>>>
>>>> seinfo also knows how to do it, if you need more examples:
>>>>
>>>> $ seinfo -x -tuntrusted_app sepolicy
>>>>      untrusted_app
>>>>         bluetoothdomain
>>>>         netdomain
>>>>         appdomain
>>>>         domain
>>>>
>>>> _______________________________________________
>>>> Selinux mailing list
>>>> Selinux@tycho.nsa.gov
>>>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>>>> To get help, send an email containing "help" to
>>>> Selinux-request@tycho.nsa.gov.
>>>>
>>>
>>>
>

Re: Find attributes for a type with sepol

[William Roberts]

[-- Attachment #1: Type: text/plain, Size: 2268 bytes --]

On Sep 29, 2015 12:35 PM, "Joshua Brindle" <brindle@quarksecurity.com>
wrote:
>
> William Roberts wrote:
>>
>> On Sep 29, 2015 12:12 PM, "Joshua Brindle"<brindle@quarksecurity.com>
>> wrote:
>>>
>>> William Roberts wrote:
>>>>
>>>> Out of curiosity, whats the purpose of the types field in the struct
>>>> type_datum? This seems to never have anything in it.
>>>>
>>> type_datum is used for both types and attributes (as designated by the
>>
>> flavor field). In the attribute case the types field is the ebitmap of
>> types have have this attribute.
>>
>> What about if its a type, is it an ebitmap of attrs?
>
>
> No, but as Stephen said below there is a type_attr_map that contains that.

OK that explains why its empty.

>
>
>>
>> It is set in checkpolicy, look at policy_define.c:define_typeattribute().
>>>
>>>
>>>
>>>> Also, conditional.h has a field called bool, this would seem to
conflict
>>>> with stdbool.h, whats the consensus on renaming this to boolean
perhaps?
>>>>
>>> probably...
>>>
>>>
>>>> On Thu, Sep 24, 2015 at 6:58 AM, Joshua Brindle<
brindle@quarksecurity.com
>>>> wrote:
>>>>
>>>>> Stephen Smalley wrote:
>>>>>
>>>>>> On 09/24/2015 08:43 AM, James Carter wrote:
>>>>>>
>>>>>>> On 09/23/2015 06:39 PM, Roberts, William C wrote:
>>>>>>>
>>>>>>>> How would one find all the attributes of a type with libsepol, can
>>>>>>>> someone point me to any relevant structures or functions?
>>>>>>>>
>>>>>>>> The policydb_t structure has type_attr_map field which maps types
to
>>
>> an
>>>>>>>
>>>>>>> ebitmap of attributes.
>>>>>>>
>>>>>> It also has the reverse map (attr_type_map) if you want that.
>>>>>>
>>>>>> In Android, external/sepolicy/tools/sepolicy-analyze has examples of
>>>>>> using both maps.
>>>>>>
>>>>>>
>>>>> seinfo also knows how to do it, if you need more examples:
>>>>>
>>>>> $ seinfo -x -tuntrusted_app sepolicy
>>>>>      untrusted_app
>>>>>         bluetoothdomain
>>>>>         netdomain
>>>>>         appdomain
>>>>>         domain
>>>>>
>>>>> _______________________________________________
>>>>> Selinux mailing list
>>>>> Selinux@tycho.nsa.gov
>>>>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>>>>> To get help, send an email containing "help" to
>>>>> Selinux-request@tycho.nsa.gov.
>>>>>
>>>>
>>>>
>>
>

[-- Attachment #2: Type: text/html, Size: 4001 bytes --]

Re: Find attributes for a type with sepol

[William Roberts]

[-- Attachment #1: Type: text/plain, Size: 3054 bytes --]

On Tue, Sep 29, 2015 at 12:36 PM, William Roberts <bill.c.roberts@gmail.com>
wrote:

>
> On Sep 29, 2015 12:35 PM, "Joshua Brindle" <brindle@quarksecurity.com>
> wrote:
> >
> > William Roberts wrote:
> >>
> >> On Sep 29, 2015 12:12 PM, "Joshua Brindle"<brindle@quarksecurity.com>
> >> wrote:
> >>>
> >>> William Roberts wrote:
> >>>>
> >>>> Out of curiosity, whats the purpose of the types field in the struct
> >>>> type_datum? This seems to never have anything in it.
> >>>>
> >>> type_datum is used for both types and attributes (as designated by the
> >>
> >> flavor field). In the attribute case the types field is the ebitmap of
> >> types have have this attribute.
> >>
> >> What about if its a type, is it an ebitmap of attrs?
> >
> >
> > No, but as Stephen said below there is a type_attr_map that contains
> that.
>
> OK that explains why its empty.
>
So is this information only available at compile time? I see that the types
field is
empty for both attributes and types. Perhaps my code is wrong to do this,
but
I can loop over the ebitmap entries from the attr_type and type_attr maps
just
fine.

>
> >> It is set in checkpolicy, look at
> policy_define.c:define_typeattribute().
> >>>
> >>>
> >>>
> >>>> Also, conditional.h has a field called bool, this would seem to
> conflict
> >>>> with stdbool.h, whats the consensus on renaming this to boolean
> perhaps?
> >>>>
> >>> probably...
> >>>
> >>>
> >>>> On Thu, Sep 24, 2015 at 6:58 AM, Joshua Brindle<
> brindle@quarksecurity.com
> >>>> wrote:
> >>>>
> >>>>> Stephen Smalley wrote:
> >>>>>
> >>>>>> On 09/24/2015 08:43 AM, James Carter wrote:
> >>>>>>
> >>>>>>> On 09/23/2015 06:39 PM, Roberts, William C wrote:
> >>>>>>>
> >>>>>>>> How would one find all the attributes of a type with libsepol, can
> >>>>>>>> someone point me to any relevant structures or functions?
> >>>>>>>>
> >>>>>>>> The policydb_t structure has type_attr_map field which maps types
> to
> >>
> >> an
> >>>>>>>
> >>>>>>> ebitmap of attributes.
> >>>>>>>
> >>>>>> It also has the reverse map (attr_type_map) if you want that.
> >>>>>>
> >>>>>> In Android, external/sepolicy/tools/sepolicy-analyze has examples of
> >>>>>> using both maps.
> >>>>>>
> >>>>>>
> >>>>> seinfo also knows how to do it, if you need more examples:
> >>>>>
> >>>>> $ seinfo -x -tuntrusted_app sepolicy
> >>>>>      untrusted_app
> >>>>>         bluetoothdomain
> >>>>>         netdomain
> >>>>>         appdomain
> >>>>>         domain
> >>>>>
> >>>>> _______________________________________________
> >>>>> Selinux mailing list
> >>>>> Selinux@tycho.nsa.gov
> >>>>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> >>>>> To get help, send an email containing "help" to
> >>>>> Selinux-request@tycho.nsa.gov.
> >>>>>
> >>>>
> >>>>
> >>
> >
>
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
>



-- 
Respectfully,

William C Roberts

[-- Attachment #2: Type: text/html, Size: 5559 bytes --]

Re: Find attributes for a type with sepol

[Stephen Smalley]

On 09/29/2015 04:19 PM, William Roberts wrote:
> So is this information only available at compile time? I see that the
> types field is
> empty for both attributes and types. Perhaps my code is wrong to do
> this, but
> I can loop over the ebitmap entries from the attr_type and type_attr
> maps just
> fine.

Yes, it is discarded from the binary policy, which instead has 
type_attr_map and attr_type_map.

Re: Find attributes for a type with sepol

[William Roberts]

[-- Attachment #1: Type: text/plain, Size: 865 bytes --]

On Tue, Sep 29, 2015 at 1:25 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On 09/29/2015 04:19 PM, William Roberts wrote:
>
>> So is this information only available at compile time? I see that the
>> types field is
>> empty for both attributes and types. Perhaps my code is wrong to do
>> this, but
>> I can loop over the ebitmap entries from the attr_type and type_attr
>> maps just
>> fine.
>>
>
> Yes, it is discarded from the binary policy, which instead has
> type_attr_map and attr_type_map.
>
> According to a comment in the struct attr_type_map is discarded as well,
which would make sense
given that the per-attribute type map is thrown away as well.

aosp/external/selinux/libsepol/include/sepol$ grep -rn 'attr_type_map' *
policydb/policydb.h:575: ebitmap_t *attr_type_map; /* not saved in the
binary policy */


-- 
Respectfully,

William C Roberts

[-- Attachment #2: Type: text/html, Size: 1786 bytes --]

Re: Find attributes for a type with sepol

[Stephen Smalley]

On 09/29/2015 04:51 PM, William Roberts wrote:
>
>
> On Tue, Sep 29, 2015 at 1:25 PM, Stephen Smalley <sds@tycho.nsa.gov
> <mailto:sds@tycho.nsa.gov>> wrote:
>
>     On 09/29/2015 04:19 PM, William Roberts wrote:
>
>         So is this information only available at compile time? I see
>         that the
>         types field is
>         empty for both attributes and types. Perhaps my code is wrong to do
>         this, but
>         I can loop over the ebitmap entries from the attr_type and type_attr
>         maps just
>         fine.
>
>
>     Yes, it is discarded from the binary policy, which instead has
>     type_attr_map and attr_type_map.
>
> According to a comment in the struct attr_type_map is discarded as well,
> which would make sense
> given that the per-attribute type map is thrown away as well.
>
> aosp/external/selinux/libsepol/include/sepol$ grep -rn 'attr_type_map' *
> policydb/policydb.h:575:ebitmap_t *attr_type_map;/* not saved in the
> binary policy */

It is re-created on load; see policydb_read().  So it is always 
available to you.