| field | value | date |
|---|---|---|
| author | dcashman <dcashman@google.com> | 2014-10-20 09:52:55 -0700 |
| committer | dcashman <dcashman@google.com> | 2014-10-31 11:38:32 -0700 |
| commit | ef4fd30672ebfeac1a0ad04f65deb7b38050b818 (patch) | |
| tree | d1934cf309a665cff0ec821c011c6c025ada7099 /tools/README | |
| parent | 0ae33a8d1439800439db1c22da0d9a2073fb3a42 (diff) | |
| download | android_external_sepolicy-ef4fd30672ebfeac1a0ad04f65deb7b38050b818.tar.gz, .tar.bz2, .zip | |
Accept command-line input for neverallow-check.
Also, divide each sepolicy-analyze function into its own component for simplified
command-line parsing and potentially eventual modularization.
Bug: 18005561
Change-Id: I45fa07d776cf1bec7d60dba0c03ee05142b86c19
Diffstat (limited to 'tools/README')
-rw-r--r-- | tools/README | 79 |
1 files changed, 1 insertions, 78 deletions
diff --git a/tools/README b/tools/README index 2aa520a..1ffe409 100644 --- a/tools/README +++ b/tools/README 
@@ -50,81 +50,4 @@ sepolicy-check sepolicy-analyze A tool for performing various kinds of analysis on a sepolicy - file. The current kinds of analysis that are currently supported - include: - - TYPE EQUIVALENCE - sepolicy-analyze -e -P out/target/product/<board>/root/sepolicy - - Display all type pairs that are "equivalent", i.e. they are - identical with respect to allow rules, including indirect allow - rules via attributes and default-enabled conditional rules - (i.e. default boolean values yield a true conditional expression). - - Equivalent types are candidates for being coalesced into a single - type. However, there may be legitimate reasons for them to remain - separate, for example: - the types may differ in a respect not - included in the current analysis, such as default-disabled - conditional rules, audit-related rules (auditallow or dontaudit), - default type transitions, or constraints (e.g. mls), or - the - current policy may be overly permissive with respect to one or the - other of the types and thus the correct action may be to tighten - access to one or the other rather than coalescing them together, - or - the domains that would in fact have different accesses to the - types may not yet be defined or may be unconfined in the policy - you are analyzing. - - TYPE DIFFERENCE - sepolicy-analyze -d -P out/target/product/<board>/root/sepolicy - - Display type pairs that differ and the first difference found - between the two types. This may be used in looking for similar - types that are not equivalent but may be candidates for coalescing. - - DUPLICATE ALLOW RULES - sepolicy-analyze -D -P out/target/product/<board>/root/sepolicy - - Displays duplicate allow rules, i.e. pairs of allow rules that - grant the same permissions where one allow rule is written - directly in terms of individual types and the other is written in - terms of attributes associated with those same types. The rule - with individual types is a candidate for removal. 
The rule with - individual types may be directly represented in the source policy - or may be a result of expansion of a type negation (e.g. domain - -foo -bar is expanded to individual allow rules by the policy - compiler). Domains with unconfineddomain will typically have such - duplicate rules as a natural side effect and can be ignored. - - PERMISSIVE DOMAINS - sepolicy-analyze -p -P out/target/product/<board>/root/sepolicy - - Displays domains in the policy that are permissive, i.e. avc - denials are logged but not enforced for these domains. While - permissive domains can be helpful during development, they - should not be present in a final -user build. - - NEVERALLOW CHECKING - sepolicy-analyze [-w] [-z] -n neverallows.conf -P out/target/product/<board>/root/sepolicy - - Check whether the sepolicy file violates any of the neverallow rules - from neverallows.conf. neverallows.conf is a file containing neverallow - statements in the same format as the SELinux policy.conf file, i.e. after - m4 macro expansion of the rules from a .te file. You can use an entire - policy.conf file as the neverallows.conf file and sepolicy-analyze will - ignore everything except for the neverallows within it. If there are - no violations, sepolicy-analyze will exit successfully with no output. - Otherwise, sepolicy-analyze will report all violations and exit - with a non-zero exit status. - - The -w or --warn option may be used to warn on any types, attributes, - classes, or permissions from a neverallow rule that could not be resolved - within the sepolicy file. This can be normal due to differences between - the policy from which the neverallow rules were taken and the policy - being checked. Such values are ignored for the purposes of neverallow - checking. - - The -z (-d was already taken!) or --debug option may be used to cause - sepolicy-analyze to emit the neverallow rules as it parses them from - the neverallows.conf file. 
This is principally a debugging facility - for the parser but could also be used to extract neverallow rules from - a full policy.conf file and output them in a more easily parsed format. + file.
\ No newline at end of file |
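Review bot: missing documentation: this hunk deletes the whole usage section of tools/README (the -e, -d, -D, -p and -n analysis modes, the -w/--warn and -z/--debug options, and the description of the neverallows.conf format) and leaves only "A tool for performing various kinds of analysis on a sepolicy file.", while the commit message says sepolicy-analyze is being split into per-function components with new command-line parsing but does not say where the usage text now lives. Either keep a short list of the analysis modes here with a pointer to the tool's own usage output, or state in the commit message why the README no longer documents them; the removed caveats (permissive domains must not be present in a final -user build; identifiers that -w reports as unresolved are ignored for neverallow checking) are exactly what a reader of this README will still need. Minor: the new file ends without a trailing newline ("\ No newline at end of file" follows the "+ file." line); add one.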