selinux: Add support for parsing mac_permissions.xml and keys.conf
This commit is contained in:
Danny Lin
parent
fe09189d55
commit
3961bde95f
1 changed files with 166 additions and 0 deletions
166
src/sepolicy/keys.ts
Normal file
166
src/sepolicy/keys.ts
Normal file
|
|
@ -0,0 +1,166 @@
|
|||
import { promises as fs } from 'fs'
|
||||
import * as path from 'path'
|
||||
import * as xml2js from 'xml2js'
|
||||
|
||||
import { exists, listFilesRecursive } from '../util/fs'
|
||||
import { parseLines } from '../util/parse'
|
||||
import { EXT_SYS_PARTITIONS } from '../util/partitions'
|
||||
|
||||
export interface MacSigner {
|
||||
cert: string | Uint8Array
|
||||
seinfoId: string
|
||||
}
|
||||
|
||||
export interface KeyInfo {
|
||||
keyId: string
|
||||
certPaths: Map<string, string>
|
||||
}
|
||||
|
||||
function parseHex(hex: string) {
|
||||
let buf = new Uint8Array(hex.length / 2)
|
||||
for (let i = 0; i < hex.length; i += 2) {
|
||||
buf[i / 2] = parseInt(hex.slice(i, i + 2), 16)
|
||||
}
|
||||
|
||||
return buf
|
||||
}
|
||||
|
||||
async function parseMacPermissions(xml: string) {
|
||||
let doc = await xml2js.parseStringPromise(xml)
|
||||
let signers = []
|
||||
|
||||
if (doc.policy) {
|
||||
for (let { $: { signature: rawSig }, seinfo: [{ $: { value: seinfoId }}]} of doc.policy.signer) {
|
||||
// Parse base64 cert or leave it as a reference
|
||||
let cert = rawSig.startsWith('@') ? rawSig.slice(1) : parseHex(rawSig)
|
||||
signers.push({
|
||||
cert: cert,
|
||||
seinfoId: seinfoId,
|
||||
} as MacSigner)
|
||||
}
|
||||
}
|
||||
|
||||
return signers
|
||||
}
|
||||
|
||||
export async function readMacPermissionsRecursive(root: string) {
|
||||
let signers = []
|
||||
for await (let file of listFilesRecursive(root)) {
|
||||
if (path.basename(file) == 'mac_permissions.xml') {
|
||||
let xml = await fs.readFile(file, { encoding: 'utf8' })
|
||||
signers.push(...(await parseMacPermissions(xml)))
|
||||
}
|
||||
}
|
||||
|
||||
return signers
|
||||
}
|
||||
|
||||
export async function readPartMacPermissions(root: string) {
|
||||
let signers = []
|
||||
for (let partition of EXT_SYS_PARTITIONS) {
|
||||
let path = `${root}/${partition}/etc/selinux/${partition}_mac_permissions.xml`
|
||||
if (!(await exists(path))) {
|
||||
continue
|
||||
}
|
||||
|
||||
let xml = await fs.readFile(path, { encoding: 'utf8' })
|
||||
signers.push(...(await parseMacPermissions(xml)))
|
||||
}
|
||||
|
||||
return signers
|
||||
}
|
||||
|
||||
function parseKeysConf(conf: string) {
|
||||
let curKeyId: string | null = null
|
||||
let curPaths: Map<string, string> | null = null
|
||||
|
||||
let keys = []
|
||||
for (let line of parseLines(conf)) {
|
||||
let startBlock = line.match(/^\[@(.+)\]$/)
|
||||
if (startBlock != undefined) {
|
||||
// Finish last block
|
||||
if (curKeyId != null) {
|
||||
keys.push({
|
||||
keyId: curKeyId,
|
||||
certPaths: curPaths!,
|
||||
} as KeyInfo)
|
||||
}
|
||||
|
||||
curKeyId = startBlock[1]
|
||||
curPaths = new Map<string, string>()
|
||||
continue
|
||||
}
|
||||
|
||||
let pathLine = line.match(/^(.+)\s*:\s*(.+)$/)
|
||||
if (pathLine != undefined) {
|
||||
let [_, buildType, path] = pathLine
|
||||
if (curPaths != null) {
|
||||
curPaths.set(buildType, path)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Finish last block
|
||||
if (curKeyId != null) {
|
||||
keys.push({
|
||||
keyId: curKeyId,
|
||||
certPaths: curPaths!,
|
||||
} as KeyInfo)
|
||||
}
|
||||
|
||||
return keys
|
||||
}
|
||||
|
||||
export async function readKeysConfRecursive(root: string) {
|
||||
let keys = []
|
||||
for await (let file of listFilesRecursive(root)) {
|
||||
if (path.basename(file) == 'keys.conf') {
|
||||
let xml = await fs.readFile(file, { encoding: 'utf8' })
|
||||
keys.push(...parseKeysConf(xml))
|
||||
}
|
||||
}
|
||||
|
||||
return keys
|
||||
}
|
||||
|
||||
export function resolveKeys(srcKeys: Array<KeyInfo>, srcMacPerms: Array<MacSigner>, compiledMacPerms: Array<MacSigner>) {
|
||||
console.log({
|
||||
srcKeys: srcKeys,
|
||||
srcMacPerms: srcMacPerms,
|
||||
compiledMacPerms: compiledMacPerms,
|
||||
})
|
||||
// Build key ID -> paths map
|
||||
let keyToPaths = new Map(srcKeys.map(k => [k.keyId, Array.from(k.certPaths.values())]))
|
||||
|
||||
// Build seinfo -> paths map
|
||||
let seinfoToPaths = new Map(srcMacPerms.filter(s => typeof s.cert == 'string')
|
||||
.map(s => [s.seinfoId, keyToPaths.get(s.cert as string)!]))
|
||||
|
||||
// Build cert -> paths map
|
||||
return new Map(compiledMacPerms.filter(s => seinfoToPaths.has(s.seinfoId) && s.cert instanceof Uint8Array)
|
||||
.map(s => [s.cert as Uint8Array, seinfoToPaths.get(s.seinfoId)!]))
|
||||
}
|
||||
|
||||
function serializeCert(cert: Uint8Array) {
|
||||
let base64 = Buffer.from(cert).toString('base64')
|
||||
// Wrap to 76 chars to match Google's PEMs
|
||||
let wrapped = base64.replace(/(.{76})/g, '$1\n')
|
||||
|
||||
return `-----BEGIN CERTIFICATE-----
|
||||
${wrapped}
|
||||
-----END CERTIFICATE-----
|
||||
`
|
||||
}
|
||||
|
||||
export async function writeMappedKeys(keys: Map<Uint8Array, Iterable<string>>) {
|
||||
for (let [cert, paths] of keys.entries()) {
|
||||
let serialized = serializeCert(cert)
|
||||
for (let path of paths) {
|
||||
console.log({
|
||||
path: path,
|
||||
cert: serialized,
|
||||
})
|
||||
await fs.writeFile(path, serialized)
|
||||
}
|
||||
}
|
||||
}
|
||||
Loading…
Reference in a new issue