Accept command-line input for neverallow-check.

Also, divide each sepolicy-analyze function into its own component for simplified command-line parsing and potentially eventual modularization. Bug: 18005561 Cherry-pick of commit: ef4fd30 with commit: 47c1461 squashed in. Bug: 19191637 Change-Id: Id66cad549b7311a6bbd92fd64b6ec2c60d0433a4
TeslaOS · Feb 6, 2015 · f82f5e0 · f82f5e0
1 parent 87f3802
commit f82f5e0
Show file tree

Hide file tree

Showing 16 changed files with 1,217 additions and 1,032 deletions.
diff --git a/tools/Android.mk b/tools/Android.mk
@@ -46,14 +46,4 @@ LOCAL_STATIC_LIBRARIES := libsepol
 
 include $(BUILD_HOST_EXECUTABLE)
 
-###################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy-analyze
-LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/libsepol/include
-LOCAL_CFLAGS := -Wall -Werror
-LOCAL_SRC_FILES := sepolicy-analyze.c
-LOCAL_STATIC_LIBRARIES := libsepol
-
-include $(BUILD_HOST_EXECUTABLE)
+include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tools/README b/tools/README
@@ -50,81 +50,4 @@ sepolicy-check
 
 sepolicy-analyze
     A tool for performing various kinds of analysis on a sepolicy
-    file.  The current kinds of analysis that are currently supported
-    include:
-
-    TYPE EQUIVALENCE
-    sepolicy-analyze -e -P out/target/product/<board>/root/sepolicy
-
-    Display all type pairs that are "equivalent", i.e. they are
-    identical with respect to allow rules, including indirect allow
-    rules via attributes and default-enabled conditional rules
-    (i.e. default boolean values yield a true conditional expression).
-
-    Equivalent types are candidates for being coalesced into a single
-    type.  However, there may be legitimate reasons for them to remain
-    separate, for example: - the types may differ in a respect not
-    included in the current analysis, such as default-disabled
-    conditional rules, audit-related rules (auditallow or dontaudit),
-    default type transitions, or constraints (e.g. mls), or - the
-    current policy may be overly permissive with respect to one or the
-    other of the types and thus the correct action may be to tighten
-    access to one or the other rather than coalescing them together,
-    or - the domains that would in fact have different accesses to the
-    types may not yet be defined or may be unconfined in the policy
-    you are analyzing.
-
-    TYPE DIFFERENCE
-    sepolicy-analyze -d -P out/target/product/<board>/root/sepolicy
-
-    Display type pairs that differ and the first difference found
-    between the two types.  This may be used in looking for similar
-    types that are not equivalent but may be candidates for coalescing.
-
-    DUPLICATE ALLOW RULES
-    sepolicy-analyze -D -P out/target/product/<board>/root/sepolicy
-
-    Displays duplicate allow rules, i.e. pairs of allow rules that
-    grant the same permissions where one allow rule is written
-    directly in terms of individual types and the other is written in
-    terms of attributes associated with those same types.  The rule
-    with individual types is a candidate for removal.  The rule with
-    individual types may be directly represented in the source policy
-    or may be a result of expansion of a type negation (e.g. domain
-    -foo -bar is expanded to individual allow rules by the policy
-    compiler).  Domains with unconfineddomain will typically have such
-    duplicate rules as a natural side effect and can be ignored.
-
-    PERMISSIVE DOMAINS
-    sepolicy-analyze -p -P out/target/product/<board>/root/sepolicy
-
-    Displays domains in the policy that are permissive, i.e. avc
-    denials are logged but not enforced for these domains.  While
-    permissive domains can be helpful during development, they
-    should not be present in a final -user build.
-
-    NEVERALLOW CHECKING
-    sepolicy-analyze [-w] [-z] -n neverallows.conf -P out/target/product/<board>/root/sepolicy
-
-    Check whether the sepolicy file violates any of the neverallow rules
-    from neverallows.conf.  neverallows.conf is a file containing neverallow
-    statements in the same format as the SELinux policy.conf file, i.e. after
-    m4 macro expansion of the rules from a .te file.  You can use an entire
-    policy.conf file as the neverallows.conf file and sepolicy-analyze will
-    ignore everything except for the neverallows within it.  If there are
-    no violations, sepolicy-analyze will exit successfully with no output.
-    Otherwise, sepolicy-analyze will report all violations and exit
-    with a non-zero exit status.
-
-    The -w or --warn option may be used to warn on any types, attributes,
-    classes, or permissions from a neverallow rule that could not be resolved
-    within the sepolicy file.  This can be normal due to differences between
-    the policy from which the neverallow rules were taken and the policy
-    being checked.  Such values are ignored for the purposes of neverallow
-    checking.
-
-    The -z (-d was already taken!) or --debug option may be used to cause
-    sepolicy-analyze to emit the neverallow rules as it parses them from
-    the neverallows.conf file.  This is principally a debugging facility
-    for the parser but could also be used to extract neverallow rules from
-    a full policy.conf file and output them in a more easily parsed format.
+    file.