root/scripts/selinux/mdp/mdp.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. usage
  2. main

   1 // SPDX-License-Identifier: GPL-2.0-or-later
   2 /*
   3  *
   4  * mdp - make dummy policy
   5  *
   6  * When pointed at a kernel tree, builds a dummy policy for that kernel
   7  * with exactly one type with full rights to itself.
   8  *
   9  * Copyright (C) IBM Corporation, 2006
  10  *
  11  * Authors: Serge E. Hallyn <serue@us.ibm.com>
  12  */
  13 
  14 
  15 /* NOTE: we really do want to use the kernel headers here */
  16 #define __EXPORTED_HEADERS__
  17 
  18 #include <stdio.h>
  19 #include <stdlib.h>
  20 #include <unistd.h>
  21 #include <string.h>
  22 #include <linux/kconfig.h>
  23 
  24 static void usage(char *name)
  25 {
  26         printf("usage: %s [-m] policy_file context_file\n", name);
  27         exit(1);
  28 }
  29 
  30 /* Class/perm mapping support */
  31 struct security_class_mapping {
  32         const char *name;
  33         const char *perms[sizeof(unsigned) * 8 + 1];
  34 };
  35 
  36 #include "classmap.h"
  37 #include "initial_sid_to_string.h"
  38 
  39 int main(int argc, char *argv[])
  40 {
  41         int i, j, mls = 0;
  42         int initial_sid_to_string_len;
  43         char **arg, *polout, *ctxout;
  44 
  45         FILE *fout;
  46 
  47         if (argc < 3)
  48                 usage(argv[0]);
  49         arg = argv+1;
  50         if (argc==4 && strcmp(argv[1], "-m") == 0) {
  51                 mls = 1;
  52                 arg++;
  53         }
  54         polout = *arg++;
  55         ctxout = *arg;
  56 
  57         fout = fopen(polout, "w");
  58         if (!fout) {
  59                 printf("Could not open %s for writing\n", polout);
  60                 usage(argv[0]);
  61         }
  62 
  63         /* print out the classes */
  64         for (i = 0; secclass_map[i].name; i++)
  65                 fprintf(fout, "class %s\n", secclass_map[i].name);
  66         fprintf(fout, "\n");
  67 
  68         initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
  69         /* print out the sids */
  70         for (i = 1; i < initial_sid_to_string_len; i++)
  71                 fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
  72         fprintf(fout, "\n");
  73 
  74         /* print out the class permissions */
  75         for (i = 0; secclass_map[i].name; i++) {
  76                 struct security_class_mapping *map = &secclass_map[i];
  77                 fprintf(fout, "class %s\n", map->name);
  78                 fprintf(fout, "{\n");
  79                 for (j = 0; map->perms[j]; j++)
  80                         fprintf(fout, "\t%s\n", map->perms[j]);
  81                 fprintf(fout, "}\n\n");
  82         }
  83         fprintf(fout, "\n");
  84 
  85         /* print out mls declarations and constraints */
  86         if (mls) {
  87                 fprintf(fout, "sensitivity s0;\n");
  88                 fprintf(fout, "sensitivity s1;\n");
  89                 fprintf(fout, "dominance { s0 s1 }\n");
  90                 fprintf(fout, "category c0;\n");
  91                 fprintf(fout, "category c1;\n");
  92                 fprintf(fout, "level s0:c0.c1;\n");
  93                 fprintf(fout, "level s1:c0.c1;\n");
  94 #define SYSTEMLOW "s0"
  95 #define SYSTEMHIGH "s1:c0.c1"
  96                 for (i = 0; secclass_map[i].name; i++) {
  97                         struct security_class_mapping *map = &secclass_map[i];
  98 
  99                         fprintf(fout, "mlsconstrain %s {\n", map->name);
 100                         for (j = 0; map->perms[j]; j++)
 101                                 fprintf(fout, "\t%s\n", map->perms[j]);
 102                         /*
 103                          * This requires all subjects and objects to be
 104                          * single-level (l2 eq h2), and that the subject
 105                          * level dominate the object level (h1 dom h2)
 106                          * in order to have any permissions to it.
 107                          */
 108                         fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n");
 109                 }
 110         }
 111 
 112         /* types, roles, and allows */
 113         fprintf(fout, "type base_t;\n");
 114         fprintf(fout, "role base_r;\n");
 115         fprintf(fout, "role base_r types { base_t };\n");
 116         for (i = 0; secclass_map[i].name; i++)
 117                 fprintf(fout, "allow base_t base_t:%s *;\n",
 118                         secclass_map[i].name);
 119         fprintf(fout, "user user_u roles { base_r }");
 120         if (mls)
 121                 fprintf(fout, " level %s range %s - %s", SYSTEMLOW,
 122                         SYSTEMLOW, SYSTEMHIGH);
 123         fprintf(fout, ";\n");
 124 
 125 #define SUBJUSERROLETYPE "user_u:base_r:base_t"
 126 #define OBJUSERROLETYPE "user_u:object_r:base_t"
 127 
 128         /* default sids */
 129         for (i = 1; i < initial_sid_to_string_len; i++)
 130                 fprintf(fout, "sid %s " SUBJUSERROLETYPE "%s\n",
 131                         initial_sid_to_string[i], mls ? ":" SYSTEMLOW : "");
 132         fprintf(fout, "\n");
 133 
 134 #define FS_USE(behavior, fstype)                            \
 135         fprintf(fout, "fs_use_%s %s " OBJUSERROLETYPE "%s;\n", \
 136                 behavior, fstype, mls ? ":" SYSTEMLOW : "")
 137 
 138         /*
 139          * Filesystems whose inode labels can be fetched via getxattr.
 140          */
 141 #ifdef CONFIG_EXT2_FS_SECURITY
 142         FS_USE("xattr", "ext2");
 143 #endif
 144 #ifdef CONFIG_EXT4_FS_SECURITY
 145 #ifdef CONFIG_EXT4_USE_FOR_EXT2
 146         FS_USE("xattr", "ext2");
 147 #endif
 148         FS_USE("xattr", "ext3");
 149         FS_USE("xattr", "ext4");
 150 #endif
 151 #ifdef CONFIG_JFS_SECURITY
 152         FS_USE("xattr", "jfs");
 153 #endif
 154 #ifdef CONFIG_REISERFS_FS_SECURITY
 155         FS_USE("xattr", "reiserfs");
 156 #endif
 157 #ifdef CONFIG_JFFS2_FS_SECURITY
 158         FS_USE("xattr", "jffs2");
 159 #endif
 160 #ifdef CONFIG_XFS_FS
 161         FS_USE("xattr", "xfs");
 162 #endif
 163 #ifdef CONFIG_GFS2_FS
 164         FS_USE("xattr", "gfs2");
 165 #endif
 166 #ifdef CONFIG_BTRFS_FS
 167         FS_USE("xattr", "btrfs");
 168 #endif
 169 #ifdef CONFIG_F2FS_FS_SECURITY
 170         FS_USE("xattr", "f2fs");
 171 #endif
 172 #ifdef CONFIG_OCFS2_FS
 173         FS_USE("xattr", "ocsfs2");
 174 #endif
 175 #ifdef CONFIG_OVERLAY_FS
 176         FS_USE("xattr", "overlay");
 177 #endif
 178 #ifdef CONFIG_SQUASHFS_XATTR
 179         FS_USE("xattr", "squashfs");
 180 #endif
 181 
 182         /*
 183          * Filesystems whose inodes are labeled from allocating task.
 184          */
 185         FS_USE("task", "pipefs");
 186         FS_USE("task", "sockfs");
 187 
 188         /*
 189          * Filesystems whose inode labels are computed from both
 190          * the allocating task and the superblock label.
 191          */
 192 #ifdef CONFIG_UNIX98_PTYS
 193         FS_USE("trans", "devpts");
 194 #endif
 195 #ifdef CONFIG_HUGETLBFS
 196         FS_USE("trans", "hugetlbfs");
 197 #endif
 198 #ifdef CONFIG_TMPFS
 199         FS_USE("trans", "tmpfs");
 200 #endif
 201 #ifdef CONFIG_DEVTMPFS
 202         FS_USE("trans", "devtmpfs");
 203 #endif
 204 #ifdef CONFIG_POSIX_MQUEUE
 205         FS_USE("trans", "mqueue");
 206 #endif
 207 
 208 #define GENFSCON(fstype, prefix)                             \
 209         fprintf(fout, "genfscon %s %s " OBJUSERROLETYPE "%s\n", \
 210                 fstype, prefix, mls ? ":" SYSTEMLOW : "")
 211 
 212         /*
 213          * Filesystems whose inodes are labeled from path prefix match
 214          * relative to the filesystem root.  Depending on the filesystem,
 215          * only a single label for all inodes may be supported.  Here
 216          * we list the filesystem types for which per-file labeling is
 217          * supported using genfscon; any other filesystem type can also
 218          * be added by only with a single entry for all of its inodes.
 219          */
 220 #ifdef CONFIG_PROC_FS
 221         GENFSCON("proc", "/");
 222 #endif
 223 #ifdef CONFIG_SECURITY_SELINUX
 224         GENFSCON("selinuxfs", "/");
 225 #endif
 226 #ifdef CONFIG_SYSFS
 227         GENFSCON("sysfs", "/");
 228 #endif
 229 #ifdef CONFIG_DEBUG_FS
 230         GENFSCON("debugfs", "/");
 231 #endif
 232 #ifdef CONFIG_TRACING
 233         GENFSCON("tracefs", "/");
 234 #endif
 235 #ifdef CONFIG_PSTORE
 236         GENFSCON("pstore", "/");
 237 #endif
 238         GENFSCON("cgroup", "/");
 239         GENFSCON("cgroup2", "/");
 240 
 241         fclose(fout);
 242 
 243         fout = fopen(ctxout, "w");
 244         if (!fout) {
 245                 printf("Wrote policy, but cannot open %s for writing\n", ctxout);
 246                 usage(argv[0]);
 247         }
 248         fprintf(fout, "/ " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
 249         fprintf(fout, "/.* " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
 250         fclose(fout);
 251 
 252         return 0;
 253 }

/* [<][>][^][v][top][bottom][index][help] */