ksud: support sepolicy check
@@ -89,6 +89,12 @@ enum Sepolicy {
|
||||
/// sepolicy file path
|
||||
file: String,
|
||||
},
|
||||
|
||||
/// Check if sepolicy statement is supported/valid
|
||||
Check {
|
||||
/// sepolicy statements
|
||||
sepolicy: String,
|
||||
},
|
||||
}
|
||||
|
||||
#[derive(clap::Subcommand, Debug)]
|
||||
@@ -152,6 +158,7 @@ pub fn run() -> Result<()> {
|
||||
Commands::Sepolicy { command } => match command {
|
||||
Sepolicy::Patch { sepolicy } => crate::sepolicy::live_patch(&sepolicy),
|
||||
Sepolicy::Apply { file } => crate::sepolicy::apply_file(file),
|
||||
Sepolicy::Check { sepolicy } => crate::sepolicy::check_rule(&sepolicy),
|
||||
},
|
||||
Commands::Services => event::on_services(),
|
||||
|
||||
|
||||
@@ -529,7 +529,7 @@ where
|
||||
let result = func(id, update_dir);
|
||||
|
||||
if let Err(e) = std::fs::rename(modules_update_tmp_img, defs::MODULE_UPDATE_IMG) {
|
||||
warn!("Rename image failed, try copy it.");
|
||||
warn!("Rename image failed: {e}, try copy it.");
|
||||
std::fs::copy(modules_update_tmp_img, defs::MODULE_UPDATE_IMG)
|
||||
.with_context(|| "Failed to copy image.".to_string())?;
|
||||
let _ = std::fs::remove_file(modules_update_tmp_img);
|
||||
|
||||
@@ -692,7 +692,7 @@ impl From<AtomicStatement> for FfiPolicy {
|
||||
}
|
||||
|
||||
#[cfg(unix)]
|
||||
fn apply_one_rule<'a>(statement: &'a PolicyStatement<'a>) -> Result<()> {
|
||||
fn apply_one_rule<'a>(statement: &'a PolicyStatement<'a>, strict: bool) -> Result<()> {
|
||||
let policies: Vec<AtomicStatement> = statement.try_into()?;
|
||||
|
||||
for policy in policies {
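Review bot: The new `strict: bool` parameter on `apply_one_rule` carries no doc comment, and at the call sites a bare `true`/`false` gives no hint which mode is which. I would add a `///` stating that each atomic policy derived from `statement` is submitted in turn, that a rejected policy is logged as a warning, and that with `strict` set the first rejection is returned as an error instead of being skipped. A two-variant enum in place of the bool would make the call sites self-describing, though that is a matter of taste. The body of `apply_one_rule` continues past this hunk.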
|
||||
@@ -710,7 +710,10 @@ fn apply_one_rule<'a>(statement: &'a PolicyStatement<'a>) -> Result<()> {
|
||||
}
|
||||
|
||||
if result != crate::ksu::KERNEL_SU_OPTION {
|
||||
log::warn!("apply rule failed: {result}");
|
||||
log::warn!("apply rule: {:?} failed.", statement);
|
||||
if strict {
|
||||
return Err(anyhow::anyhow!("apply rule {:?} failed.", statement));
|
||||
}
|
||||
}
|
||||
}
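Review bot: The rewritten warning on the `result != KERNEL_SU_OPTION` branch drops the `{result}` value the removed line logged, so the kernel's return code is no longer visible anywhere, and the error raised under `strict` names only the whole statement. With a statement that expands into several atomic policies the `strict` return fires on the first rejection, so the caller cannot tell which atomic policy was refused, and the policies submitted in earlier iterations are not revisited; whether that matters depends on what the call at the top of the loop, outside this hunk, does. I would keep the code in both messages: `log::warn!("apply rule: {:?} failed, result: {result}.", statement);` and `return Err(anyhow::anyhow!("apply rule {:?} failed, result: {result}.", statement));`. The enclosing function starts outside this hunk.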
|
||||
|
||||
@@ -718,7 +721,7 @@ fn apply_one_rule<'a>(statement: &'a PolicyStatement<'a>) -> Result<()> {
|
||||
}
|
||||
|
||||
#[cfg(not(unix))]
|
||||
fn apply_one_rule<'a>(_statement: &'a PolicyStatement<'a>) -> Result<()> {
|
||||
fn apply_one_rule<'a>(_statement: &'a PolicyStatement<'a>, _strict: bool) -> Result<()> {
|
||||
unimplemented!()
|
||||
}
|
||||
|
||||
@@ -726,7 +729,7 @@ pub fn live_patch(policy: &str) -> Result<()> {
|
||||
let result = parse_sepolicy(policy.trim());
|
||||
for statement in result {
|
||||
println!("{statement:?}");
|
||||
apply_one_rule(&statement)?;
|
||||
apply_one_rule(&statement, false)?;
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
@@ -735,3 +738,11 @@ pub fn apply_file<P: AsRef<Path>>(path: P) -> Result<()> {
|
||||
let input = std::fs::read_to_string(path)?;
|
||||
live_patch(&input)
|
||||
}
|
||||
|
||||
pub fn check_rule(policy: &str) -> Result<()> {
|
||||
let result = parse_sepolicy(policy.trim());
|
||||
for statement in result {
|
||||
apply_one_rule(&statement, true)?;
|
||||
}
|
||||
Ok(())
|
||||
}
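Review bot: `check_rule` is a public function with no doc comment, and its name together with the CLI help text ("supported/valid") suggests a dry run, yet it goes through the same `apply_one_rule` path as `live_patch`, differing only in `strict`. Unless the kernel call inside `apply_one_rule` (outside this page) behaves differently when checking, a check loads every accepted statement into the live SELinux policy, and the doc should say so, e.g. `/// Submit each statement of `policy` with `strict` set and return an error on the first one the kernel rejects. Accepted statements stay applied; this is not a dry run.`. Also, `parse_sepolicy` yields statements directly rather than a `Result`, so if it silently skips input it cannot parse, malformed input will pass the check; the check path should surface parse failures as errors as well.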
|
||||