author: dcashman <dcashman@google.com> 2014-10-20 09:52:55 -0700
committer: dcashman <dcashman@google.com> 2014-10-31 11:38:32 -0700
commit: ef4fd30672ebfeac1a0ad04f65deb7b38050b818 (patch)
tree: d1934cf309a665cff0ec821c011c6c025ada7099 /tools/README
parent: 0ae33a8d1439800439db1c22da0d9a2073fb3a42 (diff)
Accept command-line input for neverallow-check.
Also, divide each sepolicy-analyze function into its own component for simplified command-line parsing and potentially eventual modularization.

Bug: 18005561
Change-Id: I45fa07d776cf1bec7d60dba0c03ee05142b86c19
Diffstat (limited to 'tools/README')
-rw-r--r--  tools/README  79
1 files changed, 1 insertions, 78 deletions
diff --git a/tools/README b/tools/README
index 2aa520a..1ffe409 100644
--- a/tools/README
+++ b/tools/README
@@ -50,81 +50,4 @@ sepolicy-check
sepolicy-analyze
A tool for performing various kinds of analysis on a sepolicy
- file. The current kinds of analysis that are currently supported
- include:
-
- TYPE EQUIVALENCE
- sepolicy-analyze -e -P out/target/product/<board>/root/sepolicy
-
- Display all type pairs that are "equivalent", i.e. they are
- identical with respect to allow rules, including indirect allow
- rules via attributes and default-enabled conditional rules
- (i.e. default boolean values yield a true conditional expression).
-
- Equivalent types are candidates for being coalesced into a single
- type. However, there may be legitimate reasons for them to remain
- separate, for example: - the types may differ in a respect not
- included in the current analysis, such as default-disabled
- conditional rules, audit-related rules (auditallow or dontaudit),
- default type transitions, or constraints (e.g. mls), or - the
- current policy may be overly permissive with respect to one or the
- other of the types and thus the correct action may be to tighten
- access to one or the other rather than coalescing them together,
- or - the domains that would in fact have different accesses to the
- types may not yet be defined or may be unconfined in the policy
- you are analyzing.
-
- TYPE DIFFERENCE
- sepolicy-analyze -d -P out/target/product/<board>/root/sepolicy
-
- Display type pairs that differ and the first difference found
- between the two types. This may be used in looking for similar
- types that are not equivalent but may be candidates for coalescing.
-
- DUPLICATE ALLOW RULES
- sepolicy-analyze -D -P out/target/product/<board>/root/sepolicy
-
- Displays duplicate allow rules, i.e. pairs of allow rules that
- grant the same permissions where one allow rule is written
- directly in terms of individual types and the other is written in
- terms of attributes associated with those same types. The rule
- with individual types is a candidate for removal. The rule with
- individual types may be directly represented in the source policy
- or may be a result of expansion of a type negation (e.g. domain
- -foo -bar is expanded to individual allow rules by the policy
- compiler). Domains with unconfineddomain will typically have such
- duplicate rules as a natural side effect and can be ignored.
-
- PERMISSIVE DOMAINS
- sepolicy-analyze -p -P out/target/product/<board>/root/sepolicy
-
- Displays domains in the policy that are permissive, i.e. avc
- denials are logged but not enforced for these domains. While
- permissive domains can be helpful during development, they
- should not be present in a final -user build.
-
- NEVERALLOW CHECKING
- sepolicy-analyze [-w] [-z] -n neverallows.conf -P out/target/product/<board>/root/sepolicy
-
- Check whether the sepolicy file violates any of the neverallow rules
- from neverallows.conf. neverallows.conf is a file containing neverallow
- statements in the same format as the SELinux policy.conf file, i.e. after
- m4 macro expansion of the rules from a .te file. You can use an entire
- policy.conf file as the neverallows.conf file and sepolicy-analyze will
- ignore everything except for the neverallows within it. If there are
- no violations, sepolicy-analyze will exit successfully with no output.
- Otherwise, sepolicy-analyze will report all violations and exit
- with a non-zero exit status.
-
- The -w or --warn option may be used to warn on any types, attributes,
- classes, or permissions from a neverallow rule that could not be resolved
- within the sepolicy file. This can be normal due to differences between
- the policy from which the neverallow rules were taken and the policy
- being checked. Such values are ignored for the purposes of neverallow
- checking.
-
- The -z (-d was already taken!) or --debug option may be used to cause
- sepolicy-analyze to emit the neverallow rules as it parses them from
- the neverallows.conf file. This is principally a debugging facility
- for the parser but could also be used to extract neverallow rules from
- a full policy.conf file and output them in a more easily parsed format.
+ file. \ No newline at end of file
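Review bot: The usage documentation is removed without a replacement: the 78 deleted lines covered every analysis the tool performs (type equivalence, type difference, duplicate allow rules, permissive domains, neverallow checking) and what remains is only "A tool for performing various kinds of analysis on a sepolicy file." The commit message says the neverallow check now takes command-line input and each analysis is its own component, so the README should document the new invocation for each component rather than drop the section; in particular the neverallow-check contract (no output and a successful exit when there are no violations, all violations reported with a non-zero exit status otherwise) and the meaning of -w/--warn and -z/--debug are what a build or CI integration relies on and should survive in the new form. Also, the new "+ file." line is committed without a trailing newline ("\ No newline at end of file"); add one.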