1# Copyright 2018 - The Android Open Source Project
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7#     http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15"""SEPolicy-related commands."""
16
17from gsi_util.utils import cmd_utils
18
19
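def _build_secilc_cmd(options, files):
  """Builds the argv list for 'secilc' from an options dict and CIL files.

  Args:
    options: See secilc().
    files: See secilc().

  Returns:
    A list of strings: ['secilc', <options...>, <files...>].
  """
  cmd = ['secilc']
  for name, value in options.items():
    # Single-character keys are short options ('-c'); longer keys are long
    # options ('--policyvers').
    prefix = '-' if len(name) == 1 else '--'
    cmd.append(prefix + name)
    # None means a bare flag (e.g. -m, -G). Any other value is passed as the
    # next argument; it is converted with str() so that documented non-string
    # values such as policyvers=30 work -- subprocess rejects int argv entries.
    if value is not None:
      cmd.append(str(value))
  # NOTE(review): a file name beginning with '-' would be parsed by secilc as
  # an option rather than an input file; callers are expected to pass
  # normalized paths. Not handled here.
  cmd.extend(files)
  return cmd


def secilc(options, files):
  """Invokes SELinux Common Intermediate Language (CIL) Compiler.

  The command is built as an argv list (no shell), so option values and file
  names reach 'secilc' as discrete arguments and are never subject to shell
  interpretation.

  Args:
    options: A dict of the options passed to 'secilc'. A single-character key
      is emitted as a short option ('-c'), a longer key as a long option
      ('--policyvers'). A value of None emits the flag alone; any other value
      is converted with str() and appended as the following argument.
      e.g., {'mls': 'true', 'multiple-decls': None, 'policyvers': 30} ==>
        '--mls true --multiple-decls --policyvers 30'.
      e.g., {'M': 'true', 'm': None, 'c': 30} ==> '-M true -m -c 30'.
    files: CIL files passed to 'secilc'.

  Returns:
    A tuple of (result_ok, stderr). result_ok is True iff 'secilc' exited
    with status 0; stderr is the captured stderr text, which carries the
    compiler diagnostics (e.g. neverallow violations) on failure.

  $ secilc --help
  Usage: secilc [OPTION]... FILE...

  Options:
  -o, --output=<file>            write binary policy to <file>
                                 (default: policy.<version>)
  -f, --filecontext=<file>       write file contexts to <file>
                                 (default: file_contexts)
  -t, --target=<type>            specify target architecture. may be selinux or
                                 xen. (default: selinux)
  -M, --mls true|false           build an mls policy. Must be true or false.
                                 This will override the (mls boolean) statement
                                 if present in the policy
  -c, --policyvers=<version>     build a binary policy with a given <version>
                                 (default: 31)
  -U, --handle-unknown=<action>  how to handle unknown classes or permissions.
                                 may be deny, allow, or reject. (default: deny)
                                 This will override the (handleunknown action)
                                 statement if present in the policy
  -D, --disable-dontaudit        do not add dontaudit rules to the binary policy
  -P, --preserve-tunables        treat tunables as booleans
  -m, --multiple-decls           allow some statements to be re-declared
  -N, --disable-neverallow       do not check neverallow rules
  -G, --expand-generated         Expand and remove auto-generated attributes
  -X, --expand-size <SIZE>       Expand type attributes with fewer than <SIZE>
                                 members.
  -v, --verbose                  increment verbosity level
  -h, --help                     display usage information
  """
  cmd = _build_secilc_cmd(options, files)

  # raise_on_error=False turns a non-zero exit into a False result instead of
  # an exception; read_stderr=True captures stderr so the diagnostics reach
  # the caller. log_stdout/log_stderr are forwarded as the original author
  # noted ("to disable output") -- their exact effect lives in cmd_utils.
  returncode, _, stderrdata = cmd_utils.run_command(cmd,
                                                    raise_on_error=False,
                                                    log_stdout=True,
                                                    log_stderr=True,
                                                    read_stderr=True)
  return (returncode == 0, stderrdata)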
84