checkfc: add support for comparing two file_contexts files.
Extend checkfc to support comparing two file_contexts or
file_contexts.bin files. This is for use by the CTS
SELinuxHostTest to compare the AOSP general_file_contexts
with the device file_contexts.bin file.
Depends on I0fe63e0c7f11ae067b5aac2f468f7842e5d76986.
Change-Id: I2fff2f8cf87690a76219ddf4cf38939650f34782
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/tools/README b/tools/README
index 899b981..6035c03 100644
--- a/tools/README
+++ b/tools/README
@@ -10,10 +10,20 @@
argument in order to check the validity of the security contexts
in the file_contexts or property_contexts file.
- Usage:
+ Usage1:
checkfc sepolicy file_contexts
checkfc -p sepolicy property_contexts
+ Also used to compare two file_contexts or file_contexts.bin files.
+ Displays one of subset, equal, superset, or incomparable.
+
+ Usage2:
+ checkfc -c file_contexts1 file_contexts2
+
+ Example:
+ $ checkfc -c out/target/product/shamu/system/etc/general_file_contexts out/target/product/shamu/root/file_contexts.bin
+ subset
+
checkseapp
A utility for merging together the main seapp_contexts
configuration and the device-specific one, and simultaneously
diff --git a/tools/checkfc.c b/tools/checkfc.c
index eb256a3..3b9a216 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -1,6 +1,7 @@
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
+#include <stdbool.h>
#include <sepol/sepol.h>
#include <selinux/selinux.h>
#include <selinux/label.h>
@@ -18,12 +19,13 @@
}
static void usage(char *name) {
- fprintf(stderr, "usage: %s [OPTIONS] sepolicy context_file\n\n", name);
+ fprintf(stderr, "usage1: %s [-p] sepolicy context_file\n\n", name);
fprintf(stderr, "Parses a context file and checks for syntax errors.\n");
fprintf(stderr, "The context_file is assumed to be a file_contexts file\n");
- fprintf(stderr, "unless explicitly switched by an option.\n\n");
- fprintf(stderr, " OPTIONS:\n");
- fprintf(stderr, " -p : context file represents a property_context file.\n");
+ fprintf(stderr, "unless the -p option is used to indicate the property backend.\n\n");
+
+ fprintf(stderr, "usage2: %s -c file_contexts1 file_contexts2\n\n", name);
+ fprintf(stderr, "Compares two file contexts files and reports one of subset, equal, superset, or incomparable.\n");
fprintf(stderr, "\n");
exit(1);
}
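Review bot: The new usage2 text does not say that -c mode performs no policy validation, which a reader of usage1 (where a sepolicy is required) would otherwise assume; the compare path in main() clears the validate option (per its own comment) and exits before any sepolicy is loaded. Suggest adding after the "Compares two file contexts files" line: `fprintf(stderr, "No policy is loaded in this mode, so the contexts themselves are not validated.\n");`. The same caveat belongs in the README entry for Usage2.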
@@ -39,11 +41,15 @@
unsigned int backend = SELABEL_CTX_FILE;
FILE *fp;
- struct selabel_handle *sehnd;
+ bool compare = false;
+ struct selabel_handle *sehnd[2];
char c;
- while ((c = getopt(argc, argv, "ph")) != -1) {
+ while ((c = getopt(argc, argv, "cph")) != -1) {
switch (c) {
+ case 'c':
+ compare = true;
+ break;
case 'p':
backend = SELABEL_CTX_ANDROID_PROP;
break;
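Review bot: The rewritten getopt loop still stores getopt()'s int result in `char c` (declared two lines above) and compares it with -1; on a target where plain char is unsigned the value 255 never equals -1, so the loop does not terminate normally and instead enters the switch with an unknown option. Declare it as `int c;`. main() starts and ends outside this hunk.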
@@ -56,10 +62,36 @@
int index = optind;
if (argc - optind != 2) {
- fprintf(stderr, "Expected sepolicy file and context file as arguments.\n");
usage(argv[0]);
}
+ if (compare && backend != SELABEL_CTX_FILE) {
+ usage(argv[0]);
+ }
+
+ if (compare) {
+ enum selabel_cmp_result result;
+ char *result_str[] = { "subset", "equal", "superset", "incomparable" };
+ int i;
+
+ opts[0].value = NULL; /* not validating against a policy when comparing */
+
+ for (i = 0; i < 2; i++) {
+ opts[1].value = argv[index+i];
+ sehnd[i] = selabel_open(backend, opts, 2);
+ if (!sehnd[i]) {
+ fprintf(stderr, "Error loading context file from %s\n", argv[index+i]);
+ exit(1);
+ }
+ }
+
+ result = selabel_cmp(sehnd[0], sehnd[1]);
+ for (i = 0; i < 2; i++)
+ selabel_close(sehnd[i]);
+ printf("%s\n", result_str[result]);
+ exit(0);
+ }
+
// remaining args are sepolicy file and context file
char *sepolicyFile = argv[index];
char *contextFile = argv[index + 1];
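Review bot: `result_str[result]` indexes a four-entry table with whatever selabel_cmp() returns and never checks that the value is in range, so any future or unexpected enum value reads past the array before it is printed. Guard it before the printf, e.g. `if ((unsigned)result >= sizeof result_str / sizeof result_str[0]) { fprintf(stderr, "Unexpected comparison result %d\n", (int)result); exit(1); }`, and declare the table as `static const char *const result_str[]` since string literals must not be written through. The compare path also exits 0 for every outcome, so a caller such as the CTS test has to parse stdout to learn the result; the usage text should state that. The enclosing main() starts and ends outside this hunk.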
@@ -67,11 +99,11 @@
fp = fopen(sepolicyFile, "r");
if (!fp) {
perror(sepolicyFile);
- exit(2);
+ exit(1);
}
if (sepol_set_policydb_from_file(fp) < 0) {
fprintf(stderr, "Error loading policy from %s\n", sepolicyFile);
- exit(3);
+ exit(1);
}
selinux_set_callback(SELINUX_CB_VALIDATE,
@@ -79,14 +111,14 @@
opts[1].value = contextFile;
- sehnd = selabel_open(backend, opts, 2);
- if (!sehnd) {
+ sehnd[0] = selabel_open(backend, opts, 2);
+ if (!sehnd[0]) {
fprintf(stderr, "Error loading context file from %s\n", contextFile);
- exit(4);
+ exit(1);
}
if (nerr) {
fprintf(stderr, "Invalid context file found in %s\n", contextFile);
- exit(5);
+ exit(1);
}
exit(0);