linux/scripts/selinux/mdp/mdp.c
<<
>>
Prefs 
   1// SPDX-License-Identifier: GPL-2.0-or-later
   2/*
   3 *
   4 * mdp - make dummy policy
   5 *
   6 * When pointed at a kernel tree, builds a dummy policy for that kernel
   7 * with exactly one type with full rights to itself.
   8 *
   9 * Copyright (C) IBM Corporation, 2006
  10 *
  11 * Authors: Serge E. Hallyn <serue@us.ibm.com>
  12 */
  13
  14
  15/* NOTE: we really do want to use the kernel headers here */
  16#define __EXPORTED_HEADERS__
  17
  18#include <stdio.h>
  19#include <stdlib.h>
  20#include <unistd.h>
  21#include <string.h>
  22#include <linux/kconfig.h>
  23
  24static void usage(char *name)
  25{
  26        printf("usage: %s [-m] policy_file context_file\n", name);
  27        exit(1);
  28}
  29
  30/* Class/perm mapping support */
  31struct security_class_mapping {
  32        const char *name;
  33        const char *perms[sizeof(unsigned) * 8 + 1];
  34};
  35
  36#include "classmap.h"
  37#include "initial_sid_to_string.h"
  38#include "policycap_names.h"
  39
  40#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
  41
  42int main(int argc, char *argv[])
  43{
  44        int i, j, mls = 0;
  45        int initial_sid_to_string_len;
  46        char **arg, *polout, *ctxout;
  47
  48        FILE *fout;
  49
  50        if (argc < 3)
  51                usage(argv[0]);
  52        arg = argv+1;
  53        if (argc==4 && strcmp(argv[1], "-m") == 0) {
  54                mls = 1;
  55                arg++;
  56        }
  57        polout = *arg++;
  58        ctxout = *arg;
  59
  60        fout = fopen(polout, "w");
  61        if (!fout) {
  62                printf("Could not open %s for writing\n", polout);
  63                usage(argv[0]);
  64        }
  65
  66        /* print out the classes */
  67        for (i = 0; secclass_map[i].name; i++)
  68                fprintf(fout, "class %s\n", secclass_map[i].name);
  69        fprintf(fout, "\n");
  70
  71        initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
  72        /* print out the sids */
  73        for (i = 1; i < initial_sid_to_string_len; i++) {
  74                const char *name = initial_sid_to_string[i];
  75
  76                if (name)
  77                        fprintf(fout, "sid %s\n", name);
  78                else
  79                        fprintf(fout, "sid unused%d\n", i);
  80        }
  81        fprintf(fout, "\n");
  82
  83        /* print out the class permissions */
  84        for (i = 0; secclass_map[i].name; i++) {
  85                struct security_class_mapping *map = &secclass_map[i];
  86                fprintf(fout, "class %s\n", map->name);
  87                fprintf(fout, "{\n");
  88                for (j = 0; map->perms[j]; j++)
  89                        fprintf(fout, "\t%s\n", map->perms[j]);
  90                fprintf(fout, "}\n\n");
  91        }
  92        fprintf(fout, "\n");
  93
  94        /* print out mls declarations and constraints */
  95        if (mls) {
  96                fprintf(fout, "sensitivity s0;\n");
  97                fprintf(fout, "sensitivity s1;\n");
  98                fprintf(fout, "dominance { s0 s1 }\n");
  99                fprintf(fout, "category c0;\n");
 100                fprintf(fout, "category c1;\n");
 101                fprintf(fout, "level s0:c0.c1;\n");
 102                fprintf(fout, "level s1:c0.c1;\n");
 103#define SYSTEMLOW "s0"
 104#define SYSTEMHIGH "s1:c0.c1"
 105                for (i = 0; secclass_map[i].name; i++) {
 106                        struct security_class_mapping *map = &secclass_map[i];
 107
 108                        fprintf(fout, "mlsconstrain %s {\n", map->name);
 109                        for (j = 0; map->perms[j]; j++)
 110                                fprintf(fout, "\t%s\n", map->perms[j]);
 111                        /*
 112                         * This requires all subjects and objects to be
 113                         * single-level (l2 eq h2), and that the subject
 114                         * level dominate the object level (h1 dom h2)
 115                         * in order to have any permissions to it.
 116                         */
 117                        fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n");
 118                }
 119        }
 120
 121        /* enable all policy capabilities */
 122        for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
 123                fprintf(fout, "policycap %s;\n", selinux_policycap_names[i]);
 124
 125        /* types, roles, and allows */
 126        fprintf(fout, "type base_t;\n");
 127        fprintf(fout, "role base_r;\n");
 128        fprintf(fout, "role base_r types { base_t };\n");
 129        for (i = 0; secclass_map[i].name; i++)
 130                fprintf(fout, "allow base_t base_t:%s *;\n",
 131                        secclass_map[i].name);
 132        fprintf(fout, "user user_u roles { base_r }");
 133        if (mls)
 134                fprintf(fout, " level %s range %s - %s", SYSTEMLOW,
 135                        SYSTEMLOW, SYSTEMHIGH);
 136        fprintf(fout, ";\n");
 137
 138#define SUBJUSERROLETYPE "user_u:base_r:base_t"
 139#define OBJUSERROLETYPE "user_u:object_r:base_t"
 140
 141        /* default sids */
 142        for (i = 1; i < initial_sid_to_string_len; i++) {
 143                const char *name = initial_sid_to_string[i];
 144
 145                if (name)
 146                        fprintf(fout, "sid %s ", name);
 147                else
 148                        fprintf(fout, "sid unused%d\n", i);
 149                fprintf(fout, SUBJUSERROLETYPE "%s\n",
 150                        mls ? ":" SYSTEMLOW : "");
 151        }
 152        fprintf(fout, "\n");
 153
 154#define FS_USE(behavior, fstype)                            \
 155        fprintf(fout, "fs_use_%s %s " OBJUSERROLETYPE "%s;\n", \
 156                behavior, fstype, mls ? ":" SYSTEMLOW : "")
 157
 158        /*
 159         * Filesystems whose inode labels can be fetched via getxattr.
 160         */
 161#ifdef CONFIG_EXT2_FS_SECURITY
 162        FS_USE("xattr", "ext2");
 163#endif
 164#ifdef CONFIG_EXT4_FS_SECURITY
 165#ifdef CONFIG_EXT4_USE_FOR_EXT2
 166        FS_USE("xattr", "ext2");
 167#endif
 168        FS_USE("xattr", "ext3");
 169        FS_USE("xattr", "ext4");
 170#endif
 171#ifdef CONFIG_JFS_SECURITY
 172        FS_USE("xattr", "jfs");
 173#endif
 174#ifdef CONFIG_REISERFS_FS_SECURITY
 175        FS_USE("xattr", "reiserfs");
 176#endif
 177#ifdef CONFIG_JFFS2_FS_SECURITY
 178        FS_USE("xattr", "jffs2");
 179#endif
 180#ifdef CONFIG_XFS_FS
 181        FS_USE("xattr", "xfs");
 182#endif
 183#ifdef CONFIG_GFS2_FS
 184        FS_USE("xattr", "gfs2");
 185#endif
 186#ifdef CONFIG_BTRFS_FS
 187        FS_USE("xattr", "btrfs");
 188#endif
 189#ifdef CONFIG_F2FS_FS_SECURITY
 190        FS_USE("xattr", "f2fs");
 191#endif
 192#ifdef CONFIG_OCFS2_FS
 193        FS_USE("xattr", "ocsfs2");
 194#endif
 195#ifdef CONFIG_OVERLAY_FS
 196        FS_USE("xattr", "overlay");
 197#endif
 198#ifdef CONFIG_SQUASHFS_XATTR
 199        FS_USE("xattr", "squashfs");
 200#endif
 201
 202        /*
 203         * Filesystems whose inodes are labeled from allocating task.
 204         */
 205        FS_USE("task", "pipefs");
 206        FS_USE("task", "sockfs");
 207
 208        /*
 209         * Filesystems whose inode labels are computed from both
 210         * the allocating task and the superblock label.
 211         */
 212#ifdef CONFIG_UNIX98_PTYS
 213        FS_USE("trans", "devpts");
 214#endif
 215#ifdef CONFIG_HUGETLBFS
 216        FS_USE("trans", "hugetlbfs");
 217#endif
 218#ifdef CONFIG_TMPFS
 219        FS_USE("trans", "tmpfs");
 220#endif
 221#ifdef CONFIG_DEVTMPFS
 222        FS_USE("trans", "devtmpfs");
 223#endif
 224#ifdef CONFIG_POSIX_MQUEUE
 225        FS_USE("trans", "mqueue");
 226#endif
 227
 228#define GENFSCON(fstype, prefix)                             \
 229        fprintf(fout, "genfscon %s %s " OBJUSERROLETYPE "%s\n", \
 230                fstype, prefix, mls ? ":" SYSTEMLOW : "")
 231
 232        /*
 233         * Filesystems whose inodes are labeled from path prefix match
 234         * relative to the filesystem root.  Depending on the filesystem,
 235         * only a single label for all inodes may be supported.  Here
 236         * we list the filesystem types for which per-file labeling is
 237         * supported using genfscon; any other filesystem type can also
 238         * be added by only with a single entry for all of its inodes.
 239         */
 240#ifdef CONFIG_PROC_FS
 241        GENFSCON("proc", "/");
 242#endif
 243#ifdef CONFIG_SECURITY_SELINUX
 244        GENFSCON("selinuxfs", "/");
 245#endif
 246#ifdef CONFIG_SYSFS
 247        GENFSCON("sysfs", "/");
 248#endif
 249#ifdef CONFIG_DEBUG_FS
 250        GENFSCON("debugfs", "/");
 251#endif
 252#ifdef CONFIG_TRACING
 253        GENFSCON("tracefs", "/");
 254#endif
 255#ifdef CONFIG_PSTORE
 256        GENFSCON("pstore", "/");
 257#endif
 258        GENFSCON("cgroup", "/");
 259        GENFSCON("cgroup2", "/");
 260
 261        fclose(fout);
 262
 263        fout = fopen(ctxout, "w");
 264        if (!fout) {
 265                printf("Wrote policy, but cannot open %s for writing\n", ctxout);
 266                usage(argv[0]);
 267        }
 268        fprintf(fout, "/ " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
 269        fprintf(fout, "/.* " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
 270        fclose(fout);
 271
 272        return 0;
 273}
 274
Hosted by Missing Link Electronics. The original LXR software by the LXR community, this experimental version by lxr@linux.no.