summaryrefslogtreecommitdiffstats
path: root/scripts/selinux
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/selinux')
-rw-r--r--scripts/selinux/Makefile4
-rw-r--r--scripts/selinux/genheaders/.gitignore1
-rw-r--r--scripts/selinux/genheaders/Makefile5
-rw-r--r--scripts/selinux/genheaders/genheaders.c118
-rw-r--r--scripts/selinux/mdp/mdp.c151
5 files changed, 154 insertions, 125 deletions
diff --git a/scripts/selinux/Makefile b/scripts/selinux/Makefile
index ca4b1ec01822..e8049da1831f 100644
--- a/scripts/selinux/Makefile
+++ b/scripts/selinux/Makefile
@@ -1,2 +1,2 @@
-subdir-y := mdp
-subdir- += mdp
+subdir-y := mdp genheaders
+subdir- += mdp genheaders
diff --git a/scripts/selinux/genheaders/.gitignore b/scripts/selinux/genheaders/.gitignore
new file mode 100644
index 000000000000..4c0b646ff8d5
--- /dev/null
+++ b/scripts/selinux/genheaders/.gitignore
@@ -0,0 +1 @@
+genheaders
diff --git a/scripts/selinux/genheaders/Makefile b/scripts/selinux/genheaders/Makefile
new file mode 100644
index 000000000000..417b165008ee
--- /dev/null
+++ b/scripts/selinux/genheaders/Makefile
@@ -0,0 +1,5 @@
+hostprogs-y := genheaders
+HOST_EXTRACFLAGS += -Isecurity/selinux/include
+
+always := $(hostprogs-y)
+clean-files := $(hostprogs-y)
diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
new file mode 100644
index 000000000000..24626968055d
--- /dev/null
+++ b/scripts/selinux/genheaders/genheaders.c
@@ -0,0 +1,118 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <ctype.h>
+
+struct security_class_mapping {
+ const char *name;
+ const char *perms[sizeof(unsigned) * 8 + 1];
+};
+
+#include "classmap.h"
+#include "initial_sid_to_string.h"
+
+#define max(x, y) (((int)(x) > (int)(y)) ? x : y)
+
+const char *progname;
+
+static void usage(void)
+{
+ printf("usage: %s flask.h av_permissions.h\n", progname);
+ exit(1);
+}
+
+static char *stoupperx(const char *s)
+{
+ char *s2 = strdup(s);
+ char *p;
+
+ if (!s2) {
+ fprintf(stderr, "%s: out of memory\n", progname);
+ exit(3);
+ }
+
+ for (p = s2; *p; p++)
+ *p = toupper(*p);
+ return s2;
+}
+
+int main(int argc, char *argv[])
+{
+ int i, j, k;
+ int isids_len;
+ FILE *fout;
+
+ progname = argv[0];
+
+ if (argc < 3)
+ usage();
+
+ fout = fopen(argv[1], "w");
+ if (!fout) {
+ fprintf(stderr, "Could not open %s for writing: %s\n",
+ argv[1], strerror(errno));
+ exit(2);
+ }
+
+ for (i = 0; secclass_map[i].name; i++) {
+ struct security_class_mapping *map = &secclass_map[i];
+ map->name = stoupperx(map->name);
+ for (j = 0; map->perms[j]; j++)
+ map->perms[j] = stoupperx(map->perms[j]);
+ }
+
+ isids_len = sizeof(initial_sid_to_string) / sizeof (char *);
+ for (i = 1; i < isids_len; i++)
+ initial_sid_to_string[i] = stoupperx(initial_sid_to_string[i]);
+
+ fprintf(fout, "/* This file is automatically generated. Do not edit. */\n");
+ fprintf(fout, "#ifndef _SELINUX_FLASK_H_\n#define _SELINUX_FLASK_H_\n\n");
+
+ for (i = 0; secclass_map[i].name; i++) {
+ struct security_class_mapping *map = &secclass_map[i];
+ fprintf(fout, "#define SECCLASS_%s", map->name);
+ for (j = 0; j < max(1, 40 - strlen(map->name)); j++)
+ fprintf(fout, " ");
+ fprintf(fout, "%2d\n", i+1);
+ }
+
+ fprintf(fout, "\n");
+
+ for (i = 1; i < isids_len; i++) {
+ char *s = initial_sid_to_string[i];
+ fprintf(fout, "#define SECINITSID_%s", s);
+ for (j = 0; j < max(1, 40 - strlen(s)); j++)
+ fprintf(fout, " ");
+ fprintf(fout, "%2d\n", i);
+ }
+ fprintf(fout, "\n#define SECINITSID_NUM %d\n", i-1);
+ fprintf(fout, "\n#endif\n");
+ fclose(fout);
+
+ fout = fopen(argv[2], "w");
+ if (!fout) {
+ fprintf(stderr, "Could not open %s for writing: %s\n",
+ argv[2], strerror(errno));
+ exit(4);
+ }
+
+ fprintf(fout, "/* This file is automatically generated. Do not edit. */\n");
+ fprintf(fout, "#ifndef _SELINUX_AV_PERMISSIONS_H_\n#define _SELINUX_AV_PERMISSIONS_H_\n\n");
+
+ for (i = 0; secclass_map[i].name; i++) {
+ struct security_class_mapping *map = &secclass_map[i];
+ for (j = 0; map->perms[j]; j++) {
+ fprintf(fout, "#define %s__%s", map->name,
+ map->perms[j]);
+ for (k = 0; k < max(1, 40 - strlen(map->name) - strlen(map->perms[j])); k++)
+ fprintf(fout, " ");
+ fprintf(fout, "0x%08xUL\n", (1<<j));
+ }
+ }
+
+ fprintf(fout, "\n#endif\n");
+ fclose(fout);
+ exit(0);
+}
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index b4ced8562587..62b34ce1f50d 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -29,86 +29,27 @@
#include <unistd.h>
#include <string.h>
-#include "flask.h"
-
static void usage(char *name)
{
printf("usage: %s [-m] policy_file context_file\n", name);
exit(1);
}
-static void find_common_name(char *cname, char *dest, int len)
-{
- char *start, *end;
-
- start = strchr(cname, '_')+1;
- end = strchr(start, '_');
- if (!start || !end || start-cname > len || end-start > len) {
- printf("Error with commons defines\n");
- exit(1);
- }
- strncpy(dest, start, end-start);
- dest[end-start] = '\0';
-}
-
-#define S_(x) x,
-static char *classlist[] = {
-#include "class_to_string.h"
- NULL
+/* Class/perm mapping support */
+struct security_class_mapping {
+ const char *name;
+ const char *perms[sizeof(unsigned) * 8 + 1];
};
-#undef S_
+#include "classmap.h"
#include "initial_sid_to_string.h"
-#define TB_(x) char *x[] = {
-#define TE_(x) NULL };
-#define S_(x) x,
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-
-struct common {
- char *cname;
- char **perms;
-};
-struct common common[] = {
-#define TB_(x) { #x, x },
-#define S_(x)
-#define TE_(x)
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-};
-
-#define S_(x, y, z) {x, #y},
-struct av_inherit {
- int class;
- char *common;
-};
-struct av_inherit av_inherit[] = {
-#include "av_inherit.h"
-};
-#undef S_
-
-#include "av_permissions.h"
-#define S_(x, y, z) {x, y, z},
-struct av_perms {
- int class;
- int perm_i;
- char *perm_s;
-};
-struct av_perms av_perms[] = {
-#include "av_perm_to_string.h"
-};
-#undef S_
-
int main(int argc, char *argv[])
{
int i, j, mls = 0;
+ int initial_sid_to_string_len;
char **arg, *polout, *ctxout;
- int classlist_len, initial_sid_to_string_len;
+
FILE *fout;
if (argc < 3)
@@ -127,64 +68,25 @@ int main(int argc, char *argv[])
usage(argv[0]);
}
- classlist_len = sizeof(classlist) / sizeof(char *);
/* print out the classes */
- for (i=1; i < classlist_len; i++) {
- if(classlist[i])
- fprintf(fout, "class %s\n", classlist[i]);
- else
- fprintf(fout, "class user%d\n", i);
- }
+ for (i = 0; secclass_map[i].name; i++)
+ fprintf(fout, "class %s\n", secclass_map[i].name);
fprintf(fout, "\n");
initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
/* print out the sids */
- for (i=1; i < initial_sid_to_string_len; i++)
+ for (i = 1; i < initial_sid_to_string_len; i++)
fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
fprintf(fout, "\n");
- /* print out the commons */
- for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
- char cname[101];
- find_common_name(common[i].cname, cname, 100);
- cname[100] = '\0';
- fprintf(fout, "common %s\n{\n", cname);
- for (j=0; common[i].perms[j]; j++)
- fprintf(fout, "\t%s\n", common[i].perms[j]);
- fprintf(fout, "}\n\n");
- }
- fprintf(fout, "\n");
-
/* print out the class permissions */
- for (i=1; i < classlist_len; i++) {
- if (classlist[i]) {
- int firstperm = -1, numperms = 0;
-
- fprintf(fout, "class %s\n", classlist[i]);
- /* does it inherit from a common? */
- for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)
- if (av_inherit[j].class == i)
- fprintf(fout, "inherits %s\n", av_inherit[j].common);
-
- for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
- if (av_perms[j].class == i) {
- if (firstperm == -1)
- firstperm = j;
- numperms++;
- }
- }
- if (!numperms) {
- fprintf(fout, "\n");
- continue;
- }
-
- fprintf(fout, "{\n");
- /* print out the av_perms */
- for (j=0; j < numperms; j++) {
- fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
- }
- fprintf(fout, "}\n\n");
- }
+ for (i = 0; secclass_map[i].name; i++) {
+ struct security_class_mapping *map = &secclass_map[i];
+ fprintf(fout, "class %s\n", map->name);
+ fprintf(fout, "{\n");
+ for (j = 0; map->perms[j]; j++)
+ fprintf(fout, "\t%s\n", map->perms[j]);
+ fprintf(fout, "}\n\n");
}
fprintf(fout, "\n");
@@ -197,31 +99,34 @@ int main(int argc, char *argv[])
/* types, roles, and allows */
fprintf(fout, "type base_t;\n");
fprintf(fout, "role base_r types { base_t };\n");
- for (i=1; i < classlist_len; i++) {
- if (classlist[i])
- fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);
- else
- fprintf(fout, "allow base_t base_t:user%d *;\n", i);
- }
+ for (i = 0; secclass_map[i].name; i++)
+ fprintf(fout, "allow base_t base_t:%s *;\n",
+ secclass_map[i].name);
fprintf(fout, "user user_u roles { base_r };\n");
fprintf(fout, "\n");
/* default sids */
- for (i=1; i < initial_sid_to_string_len; i++)
+ for (i = 1; i < initial_sid_to_string_len; i++)
fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
fprintf(fout, "\n");
-
fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr lustre user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");