OSCL-LXR linux-6.0.1/​scripts/​selinux/​mdp/​mdp.c	Source navigation Diff markup Identifier search General search
	Version: linux-6.0.1 spark-3.0.0 hadoop-3.2.0-src hadoop-3.3.0-src spark-2.4.7 linux-4.15.13 hadoop-2.7.4-src Revert   Change

 // SPDX-License-Identifier: GPL-2.0-or-later
 /*
  *
  * mdp - make dummy policy
  *
  * When pointed at a kernel tree, builds a dummy policy for that kernel
  * with exactly one type with full rights to itself.
  *
  * Copyright (C) IBM Corporation, 2006
  *
  * Authors: Serge E. Hallyn <serue@us.ibm.com>
  */
 
 
 /* NOTE: we really do want to use the kernel headers here */
 #define __EXPORTED_HEADERS__
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
 #include <linux/kconfig.h>
 
 static void usage(char *name)
 {
     printf("usage: %s [-m] policy_file context_file\n", name);
     exit(1);
 }
 
 /* Class/perm mapping support */
 struct security_class_mapping {
     const char *name;
     const char *perms[sizeof(unsigned) * 8 + 1];
 };
 
 #include "classmap.h"
 #include "initial_sid_to_string.h"
 #include "policycap_names.h"
 
 #define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
 
 int main(int argc, char *argv[])
 {
     int i, j, mls = 0;
     int initial_sid_to_string_len;
     char **arg, *polout, *ctxout;
 
     FILE *fout;
 
     if (argc < 3)
         usage(argv[0]);
     arg = argv+1;
     if (argc==4 && strcmp(argv[1], "-m") == 0) {
         mls = 1;
         arg++;
     }
     polout = *arg++;
     ctxout = *arg;
 
     fout = fopen(polout, "w");
     if (!fout) {
         printf("Could not open %s for writing\n", polout);
         usage(argv[0]);
     }
 
     /* print out the classes */
     for (i = 0; secclass_map[i].name; i++)
         fprintf(fout, "class %s\n", secclass_map[i].name);
     fprintf(fout, "\n");
 
     initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
     /* print out the sids */
     for (i = 1; i < initial_sid_to_string_len; i++) {
         const char *name = initial_sid_to_string[i];
 
         if (name)
             fprintf(fout, "sid %s\n", name);
         else
             fprintf(fout, "sid unused%d\n", i);
     }
     fprintf(fout, "\n");
 
     /* print out the class permissions */
     for (i = 0; secclass_map[i].name; i++) {
         const struct security_class_mapping *map = &secclass_map[i];
         fprintf(fout, "class %s\n", map->name);
         fprintf(fout, "{\n");
         for (j = 0; map->perms[j]; j++)
             fprintf(fout, "\t%s\n", map->perms[j]);
         fprintf(fout, "}\n\n");
     }
     fprintf(fout, "\n");
 
     /* print out mls declarations and constraints */
     if (mls) {
         fprintf(fout, "sensitivity s0;\n");
         fprintf(fout, "sensitivity s1;\n");
         fprintf(fout, "dominance { s0 s1 }\n");
         fprintf(fout, "category c0;\n");
         fprintf(fout, "category c1;\n");
         fprintf(fout, "level s0:c0.c1;\n");
         fprintf(fout, "level s1:c0.c1;\n");
 #define SYSTEMLOW "s0"
 #define SYSTEMHIGH "s1:c0.c1"
         for (i = 0; secclass_map[i].name; i++) {
             const struct security_class_mapping *map = &secclass_map[i];
 
             fprintf(fout, "mlsconstrain %s {\n", map->name);
             for (j = 0; map->perms[j]; j++)
                 fprintf(fout, "\t%s\n", map->perms[j]);
             /*
              * This requires all subjects and objects to be
              * single-level (l2 eq h2), and that the subject
              * level dominate the object level (h1 dom h2)
              * in order to have any permissions to it.
              */
             fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n");
         }
     }
 
     /* enable all policy capabilities */
     for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
         fprintf(fout, "policycap %s;\n", selinux_policycap_names[i]);
 
     /* types, roles, and allows */
     fprintf(fout, "type base_t;\n");
     fprintf(fout, "role base_r;\n");
     fprintf(fout, "role base_r types { base_t };\n");
     for (i = 0; secclass_map[i].name; i++)
         fprintf(fout, "allow base_t base_t:%s *;\n",
             secclass_map[i].name);
     fprintf(fout, "user user_u roles { base_r }");
     if (mls)
         fprintf(fout, " level %s range %s - %s", SYSTEMLOW,
             SYSTEMLOW, SYSTEMHIGH);
     fprintf(fout, ";\n");
 
 #define SUBJUSERROLETYPE "user_u:base_r:base_t"
 #define OBJUSERROLETYPE "user_u:object_r:base_t"
 
     /* default sids */
     for (i = 1; i < initial_sid_to_string_len; i++) {
         const char *name = initial_sid_to_string[i];
 
         if (name)
             fprintf(fout, "sid %s ", name);
         else
             fprintf(fout, "sid unused%d\n", i);
         fprintf(fout, SUBJUSERROLETYPE "%s\n",
             mls ? ":" SYSTEMLOW : "");
     }
     fprintf(fout, "\n");
 
 #define FS_USE(behavior, fstype)                \
     fprintf(fout, "fs_use_%s %s " OBJUSERROLETYPE "%s;\n", \
         behavior, fstype, mls ? ":" SYSTEMLOW : "")
 
     /*
      * Filesystems whose inode labels can be fetched via getxattr.
      */
 #ifdef CONFIG_EXT2_FS_SECURITY
     FS_USE("xattr", "ext2");
 #endif
 #ifdef CONFIG_EXT4_FS_SECURITY
 #ifdef CONFIG_EXT4_USE_FOR_EXT2
     FS_USE("xattr", "ext2");
 #endif
     FS_USE("xattr", "ext3");
     FS_USE("xattr", "ext4");
 #endif
 #ifdef CONFIG_JFS_SECURITY
     FS_USE("xattr", "jfs");
 #endif
 #ifdef CONFIG_REISERFS_FS_SECURITY
     FS_USE("xattr", "reiserfs");
 #endif
 #ifdef CONFIG_JFFS2_FS_SECURITY
     FS_USE("xattr", "jffs2");
 #endif
 #ifdef CONFIG_XFS_FS
     FS_USE("xattr", "xfs");
 #endif
 #ifdef CONFIG_GFS2_FS
     FS_USE("xattr", "gfs2");
 #endif
 #ifdef CONFIG_BTRFS_FS
     FS_USE("xattr", "btrfs");
 #endif
 #ifdef CONFIG_F2FS_FS_SECURITY
     FS_USE("xattr", "f2fs");
 #endif
 #ifdef CONFIG_OCFS2_FS
     FS_USE("xattr", "ocsfs2");
 #endif
 #ifdef CONFIG_OVERLAY_FS
     FS_USE("xattr", "overlay");
 #endif
 #ifdef CONFIG_SQUASHFS_XATTR
     FS_USE("xattr", "squashfs");
 #endif
 
     /*
      * Filesystems whose inodes are labeled from allocating task.
      */
     FS_USE("task", "pipefs");
     FS_USE("task", "sockfs");
 
     /*
      * Filesystems whose inode labels are computed from both
      * the allocating task and the superblock label.
      */
 #ifdef CONFIG_UNIX98_PTYS
     FS_USE("trans", "devpts");
 #endif
 #ifdef CONFIG_HUGETLBFS
     FS_USE("trans", "hugetlbfs");
 #endif
 #ifdef CONFIG_TMPFS
     FS_USE("trans", "tmpfs");
 #endif
 #ifdef CONFIG_DEVTMPFS
     FS_USE("trans", "devtmpfs");
 #endif
 #ifdef CONFIG_POSIX_MQUEUE
     FS_USE("trans", "mqueue");
 #endif
 
 #define GENFSCON(fstype, prefix)                 \
     fprintf(fout, "genfscon %s %s " OBJUSERROLETYPE "%s\n", \
         fstype, prefix, mls ? ":" SYSTEMLOW : "")
 
     /*
      * Filesystems whose inodes are labeled from path prefix match
      * relative to the filesystem root.  Depending on the filesystem,
      * only a single label for all inodes may be supported.  Here
      * we list the filesystem types for which per-file labeling is
      * supported using genfscon; any other filesystem type can also
      * be added by only with a single entry for all of its inodes.
      */
 #ifdef CONFIG_PROC_FS
     GENFSCON("proc", "/");
 #endif
 #ifdef CONFIG_SECURITY_SELINUX
     GENFSCON("selinuxfs", "/");
 #endif
 #ifdef CONFIG_SYSFS
     GENFSCON("sysfs", "/");
 #endif
 #ifdef CONFIG_DEBUG_FS
     GENFSCON("debugfs", "/");
 #endif
 #ifdef CONFIG_TRACING
     GENFSCON("tracefs", "/");
 #endif
 #ifdef CONFIG_PSTORE
     GENFSCON("pstore", "/");
 #endif
     GENFSCON("cgroup", "/");
     GENFSCON("cgroup2", "/");
 
     fclose(fout);
 
     fout = fopen(ctxout, "w");
     if (!fout) {
         printf("Wrote policy, but cannot open %s for writing\n", ctxout);
         usage(argv[0]);
     }
     fprintf(fout, "/ " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
     fprintf(fout, "/.* " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
     fclose(fout);
 
     return 0;
 }

This page was automatically generated by the 2.1.0 LXR engine. The LXR team