checkfc: add support for comparing two file_contexts files.

Extend checkfc to support comparing two file_contexts or
file_contexts.bin files.  This is for use by the CTS
SELinuxHostTest to compare the AOSP general_file_contexts
with the device file_contexts.bin file.

Depends on I0fe63e0c7f11ae067b5aac2f468f7842e5d76986.

Change-Id: I2fff2f8cf87690a76219ddf4cf38939650f34782
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/tools/checkfc.c b/tools/checkfc.c
index eb256a3..3b9a216 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -1,6 +1,7 @@
 #include <getopt.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdbool.h>
 #include <sepol/sepol.h>
 #include <selinux/selinux.h>
 #include <selinux/label.h>
@@ -18,12 +19,13 @@
 }
 
 static void usage(char *name) {
-    fprintf(stderr, "usage:  %s [OPTIONS] sepolicy context_file\n\n", name);
+    fprintf(stderr, "usage1:  %s [-p] sepolicy context_file\n\n", name);
     fprintf(stderr, "Parses a context file and checks for syntax errors.\n");
     fprintf(stderr, "The context_file is assumed to be a file_contexts file\n");
-    fprintf(stderr, "unless explicitly switched by an option.\n\n");
-    fprintf(stderr, "    OPTIONS:\n");
-    fprintf(stderr, "     -p : context file represents a property_context file.\n");
+    fprintf(stderr, "unless the -p option is used to indicate the property backend.\n\n");
+
+    fprintf(stderr, "usage2:  %s -c file_contexts1 file_contexts2\n\n", name);
+    fprintf(stderr, "Compares two file contexts files and reports one of subset, equal, superset, or incomparable.\n");
     fprintf(stderr, "\n");
     exit(1);
 }
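Review bot: The usage2 text does not say how the comparison result is delivered. In the compare path added later in this commit the verdict is printed on stdout and the process exits 0 for all four results, so a caller that checks only the exit status will treat `incomparable` the same as `equal`. I would state this in the help text, for example by adding `fprintf(stderr, "The result is printed on stdout; the exit status is 0 for every result and 1 on error.\n");` after the usage2 description.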
@@ -39,11 +41,15 @@
   unsigned int backend = SELABEL_CTX_FILE;
 
   FILE *fp;
-  struct selabel_handle *sehnd;
+  bool compare = false;
+  struct selabel_handle *sehnd[2];
   char c;
 
-  while ((c = getopt(argc, argv, "ph")) != -1) {
+  while ((c = getopt(argc, argv, "cph")) != -1) {
     switch (c) {
+      case 'c':
+        compare = true;
+        break;
       case 'p':
         backend = SELABEL_CTX_ANDROID_PROP;
         break;
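Review bot: `c` is declared `char` in the context line just above the loop, but getopt() returns `int`. On targets where plain `char` is unsigned, the `!= -1` comparison in the rewritten `while` line is never false, so option parsing would not terminate. Since this line is being edited anyway, change the declaration to `int c;`. main() and the rest of the switch lie outside this hunk.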
@@ -56,10 +62,36 @@
 
   int index = optind;
   if (argc - optind != 2) {
-    fprintf(stderr, "Expected sepolicy file and context file as arguments.\n");
     usage(argv[0]);
   }
 
+  if (compare && backend != SELABEL_CTX_FILE) {
+    usage(argv[0]);
+  }
+
+  if (compare) {
+    enum selabel_cmp_result result;
+    char *result_str[] = { "subset", "equal", "superset", "incomparable" };
+    int i;
+
+    opts[0].value = NULL; /* not validating against a policy when comparing */
+
+    for (i = 0; i < 2; i++) {
+        opts[1].value = argv[index+i];
+        sehnd[i] = selabel_open(backend, opts, 2);
+        if (!sehnd[i]) {
+            fprintf(stderr, "Error loading context file from %s\n", argv[index+i]);
+            exit(1);
+        }
+    }
+
+    result = selabel_cmp(sehnd[0], sehnd[1]);
+    for (i = 0; i < 2; i++)
+        selabel_close(sehnd[i]);
+    printf("%s\n", result_str[result]);
+    exit(0);
+  }
+
   // remaining args are sepolicy file and context file
   char *sepolicyFile = argv[index];
   char *contextFile = argv[index + 1];
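Review bot: `result_str[result]` is indexed with the return value of selabel_cmp() without a range check, and the table's order silently depends on the numeric values of `enum selabel_cmp_result`. If the library ever returns a value outside the four entries, or the enum is reordered, this prints the wrong verdict or reads past the array, and the test consuming the output would act on a wrong comparison. I would key the table by the enum constants and reject anything out of range before printing, as below. main() starts and ends outside this hunk.

```c
    static const char *const result_str[] = {
        [SELABEL_SUBSET] = "subset",
        [SELABEL_EQUAL] = "equal",
        [SELABEL_SUPERSET] = "superset",
        [SELABEL_INCOMPARABLE] = "incomparable",
    };
    /* … unchanged: opts[0].value reset, selabel_open loop, selabel_cmp, selabel_close … */
    if ((size_t)result >= sizeof(result_str) / sizeof(result_str[0]) ||
        !result_str[result]) {
        fprintf(stderr, "Unexpected comparison result %d\n", (int)result);
        exit(1);
    }
    printf("%s\n", result_str[result]);
```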
@@ -67,11 +99,11 @@
   fp = fopen(sepolicyFile, "r");
   if (!fp) {
     perror(sepolicyFile);
-    exit(2);
+    exit(1);
   }
   if (sepol_set_policydb_from_file(fp) < 0) {
     fprintf(stderr, "Error loading policy from %s\n", sepolicyFile);
-    exit(3);
+    exit(1);
   }
 
   selinux_set_callback(SELINUX_CB_VALIDATE,
@@ -79,14 +111,14 @@
 
   opts[1].value = contextFile;
 
-  sehnd = selabel_open(backend, opts, 2);
-  if (!sehnd) {
+  sehnd[0] = selabel_open(backend, opts, 2);
+  if (!sehnd[0]) {
     fprintf(stderr, "Error loading context file from %s\n", contextFile);
-    exit(4);
+    exit(1);
   }
   if (nerr) {
     fprintf(stderr, "Invalid context file found in %s\n", contextFile);
-    exit(5);
+    exit(1);
   }
 
   exit(0);