Skip to content
Navigation Menu
Toggle navigation
Sign in
In this repository
All GitHub Enterprise
↵
Jump to
↵
No suggested jump to results
In this repository
All GitHub Enterprise
↵
Jump to
↵
In this organization
All GitHub Enterprise
↵
Jump to
↵
In this repository
All GitHub Enterprise
↵
Jump to
↵
Sign in
Reseting focus
You signed in with another tab or window.
Reload
to refresh your session.
You signed out in another tab or window.
Reload
to refresh your session.
You switched accounts on another tab or window.
Reload
to refresh your session.
Dismiss alert
{{ message }}
mariux64
/
linux
Public
Notifications
You must be signed in to change notification settings
Fork
0
Star
0
Code
Issues
2
Pull requests
0
Actions
Projects
0
Wiki
Security
Insights
Additional navigation options
Code
Issues
Pull requests
Actions
Projects
Wiki
Security
Insights
Files
49e917d
Documentation
LICENSES
arch
block
certs
crypto
drivers
fs
include
init
ipc
kernel
lib
mm
net
samples
scripts
atomic
basic
coccinelle
dtc
dummy-tools
gcc-plugins
gdb
genksyms
kconfig
ksymoops
mod
package
selinux
genheaders
mdp
.gitignore
Makefile
dbus_contexts
mdp.c
Makefile
README
install_policy.sh
tracing
.gitignore
Kbuild.include
Kconfig.include
Lindent
Makefile
Makefile.asm-generic
Makefile.build
Makefile.clean
Makefile.dtbinst
Makefile.extrawarn
Makefile.gcc-plugins
Makefile.headersinst
Makefile.host
Makefile.kasan
Makefile.kcov
Makefile.kcsan
Makefile.lib
Makefile.modfinal
Makefile.modinst
Makefile.modpost
Makefile.modsign
Makefile.package
Makefile.ubsan
Makefile.userprogs
adjust_autoksyms.sh
asn1_compiler.c
bin2c.c
bloat-o-meter
bootgraph.pl
bpf_helpers_doc.py
cc-can-link.sh
check-sysctl-docs
check_extable.sh
checkincludes.pl
checkkconfigsymbols.py
checkpatch.pl
checkstack.pl
checksyscalls.sh
checkversion.pl
clang-version.sh
cleanfile
cleanpatch
coccicheck
config
const_structs.checkpatch
decode_stacktrace.sh
decodecode
depmod.sh
diffconfig
documentation-file-ref-check
export_report.pl
extract-cert.c
extract-ikconfig
extract-module-sig.pl
extract-sys-certs.pl
extract-vmlinux
extract_xc3028.pl
faddr2line
file-size.sh
find-unused-docs.sh
gcc-goto.sh
gcc-ld
gcc-plugin.sh
gcc-version.sh
gcc-x86_32-has-stack-protector.sh
gcc-x86_64-has-stack-protector.sh
gen_autoksyms.sh
gen_compile_commands.py
gen_ksymdeps.sh
get_abi.pl
get_dvb_firmware
get_maintainer.pl
gfp-translate
headerdep.pl
headers_check.pl
headers_install.sh
insert-sys-cert.c
jobserver-exec
kallsyms.c
kernel-doc
ld-version.sh
leaking_addresses.pl
link-vmlinux.sh
makelst
markup_oops.pl
mkcompile_h
mkmakefile
mksysmap
mkuboot.sh
module-common.lds
modules-check.sh
namespace.pl
nsdeps
objdiff
parse-maintainers.pl
patch-kernel
profile2linkerlist.pl
prune-kernel
recordmcount.c
recordmcount.h
recordmcount.pl
setlocalversion
show_delta
sign-file.c
sorttable.c
sorttable.h
spdxcheck-test.sh
spdxcheck.py
spelling.txt
sphinx-pre-install
split-man.pl
stackdelta
stackusage
subarch.include
tags.sh
tools-support-relr.sh
unifdef.c
ver_linux
xen-hypercalls.sh
xz_wrap.sh
security
sound
tools
usr
virt
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS
Makefile
README
Breadcrumbs
linux
/
scripts
/
selinux
/
mdp
/
mdp.c
Blame
Blame
Latest commit
History
History
266 lines (237 loc) · 6.42 KB
Breadcrumbs
linux
/
scripts
/
selinux
/
mdp
/
mdp.c
Top
File metadata and controls
Code
Blame
266 lines (237 loc) · 6.42 KB
Raw
// SPDX-License-Identifier: GPL-2.0-or-later /* * * mdp - make dummy policy * * When pointed at a kernel tree, builds a dummy policy for that kernel * with exactly one type with full rights to itself. * * Copyright (C) IBM Corporation, 2006 * * Authors: Serge E. Hallyn <serue@us.ibm.com> */ /* NOTE: we really do want to use the kernel headers here */ #define __EXPORTED_HEADERS__ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <linux/kconfig.h> static void usage(char *name) { printf("usage: %s [-m] policy_file context_file\n", name); exit(1); } /* Class/perm mapping support */ struct security_class_mapping { const char *name; const char *perms[sizeof(unsigned) * 8 + 1]; }; #include "classmap.h" #include "initial_sid_to_string.h" int main(int argc, char *argv[]) { int i, j, mls = 0; int initial_sid_to_string_len; char **arg, *polout, *ctxout; FILE *fout; if (argc < 3) usage(argv[0]); arg = argv+1; if (argc==4 && strcmp(argv[1], "-m") == 0) { mls = 1; arg++; } polout = *arg++; ctxout = *arg; fout = fopen(polout, "w"); if (!fout) { printf("Could not open %s for writing\n", polout); usage(argv[0]); } /* print out the classes */ for (i = 0; secclass_map[i].name; i++) fprintf(fout, "class %s\n", secclass_map[i].name); fprintf(fout, "\n"); initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *); /* print out the sids */ for (i = 1; i < initial_sid_to_string_len; i++) { const char *name = initial_sid_to_string[i]; if (name) fprintf(fout, "sid %s\n", name); else fprintf(fout, "sid unused%d\n", i); } fprintf(fout, "\n"); /* print out the class permissions */ for (i = 0; secclass_map[i].name; i++) { struct security_class_mapping *map = &secclass_map[i]; fprintf(fout, "class %s\n", map->name); fprintf(fout, "{\n"); for (j = 0; map->perms[j]; j++) fprintf(fout, "\t%s\n", map->perms[j]); fprintf(fout, "}\n\n"); } fprintf(fout, "\n"); /* print out mls declarations and constraints */ if (mls) { fprintf(fout, "sensitivity s0;\n"); fprintf(fout, "sensitivity s1;\n"); fprintf(fout, "dominance { s0 s1 }\n"); fprintf(fout, "category c0;\n"); fprintf(fout, "category c1;\n"); fprintf(fout, "level s0:c0.c1;\n"); fprintf(fout, "level s1:c0.c1;\n"); #define SYSTEMLOW "s0" #define SYSTEMHIGH "s1:c0.c1" for (i = 0; secclass_map[i].name; i++) { struct security_class_mapping *map = &secclass_map[i]; fprintf(fout, "mlsconstrain %s {\n", map->name); for (j = 0; map->perms[j]; j++) fprintf(fout, "\t%s\n", map->perms[j]); /* * This requires all subjects and objects to be * single-level (l2 eq h2), and that the subject * level dominate the object level (h1 dom h2) * in order to have any permissions to it. */ fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n"); } } /* types, roles, and allows */ fprintf(fout, "type base_t;\n"); fprintf(fout, "role base_r;\n"); fprintf(fout, "role base_r types { base_t };\n"); for (i = 0; secclass_map[i].name; i++) fprintf(fout, "allow base_t base_t:%s *;\n", secclass_map[i].name); fprintf(fout, "user user_u roles { base_r }"); if (mls) fprintf(fout, " level %s range %s - %s", SYSTEMLOW, SYSTEMLOW, SYSTEMHIGH); fprintf(fout, ";\n"); #define SUBJUSERROLETYPE "user_u:base_r:base_t" #define OBJUSERROLETYPE "user_u:object_r:base_t" /* default sids */ for (i = 1; i < initial_sid_to_string_len; i++) { const char *name = initial_sid_to_string[i]; if (name) fprintf(fout, "sid %s ", name); else fprintf(fout, "sid unused%d\n", i); fprintf(fout, SUBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : ""); } fprintf(fout, "\n"); #define FS_USE(behavior, fstype) \ fprintf(fout, "fs_use_%s %s " OBJUSERROLETYPE "%s;\n", \ behavior, fstype, mls ? ":" SYSTEMLOW : "") /* * Filesystems whose inode labels can be fetched via getxattr. */ #ifdef CONFIG_EXT2_FS_SECURITY FS_USE("xattr", "ext2"); #endif #ifdef CONFIG_EXT4_FS_SECURITY #ifdef CONFIG_EXT4_USE_FOR_EXT2 FS_USE("xattr", "ext2"); #endif FS_USE("xattr", "ext3"); FS_USE("xattr", "ext4"); #endif #ifdef CONFIG_JFS_SECURITY FS_USE("xattr", "jfs"); #endif #ifdef CONFIG_REISERFS_FS_SECURITY FS_USE("xattr", "reiserfs"); #endif #ifdef CONFIG_JFFS2_FS_SECURITY FS_USE("xattr", "jffs2"); #endif #ifdef CONFIG_XFS_FS FS_USE("xattr", "xfs"); #endif #ifdef CONFIG_GFS2_FS FS_USE("xattr", "gfs2"); #endif #ifdef CONFIG_BTRFS_FS FS_USE("xattr", "btrfs"); #endif #ifdef CONFIG_F2FS_FS_SECURITY FS_USE("xattr", "f2fs"); #endif #ifdef CONFIG_OCFS2_FS FS_USE("xattr", "ocsfs2"); #endif #ifdef CONFIG_OVERLAY_FS FS_USE("xattr", "overlay"); #endif #ifdef CONFIG_SQUASHFS_XATTR FS_USE("xattr", "squashfs"); #endif /* * Filesystems whose inodes are labeled from allocating task. */ FS_USE("task", "pipefs"); FS_USE("task", "sockfs"); /* * Filesystems whose inode labels are computed from both * the allocating task and the superblock label. */ #ifdef CONFIG_UNIX98_PTYS FS_USE("trans", "devpts"); #endif #ifdef CONFIG_HUGETLBFS FS_USE("trans", "hugetlbfs"); #endif #ifdef CONFIG_TMPFS FS_USE("trans", "tmpfs"); #endif #ifdef CONFIG_DEVTMPFS FS_USE("trans", "devtmpfs"); #endif #ifdef CONFIG_POSIX_MQUEUE FS_USE("trans", "mqueue"); #endif #define GENFSCON(fstype, prefix) \ fprintf(fout, "genfscon %s %s " OBJUSERROLETYPE "%s\n", \ fstype, prefix, mls ? ":" SYSTEMLOW : "") /* * Filesystems whose inodes are labeled from path prefix match * relative to the filesystem root. Depending on the filesystem, * only a single label for all inodes may be supported. Here * we list the filesystem types for which per-file labeling is * supported using genfscon; any other filesystem type can also * be added by only with a single entry for all of its inodes. */ #ifdef CONFIG_PROC_FS GENFSCON("proc", "/"); #endif #ifdef CONFIG_SECURITY_SELINUX GENFSCON("selinuxfs", "/"); #endif #ifdef CONFIG_SYSFS GENFSCON("sysfs", "/"); #endif #ifdef CONFIG_DEBUG_FS GENFSCON("debugfs", "/"); #endif #ifdef CONFIG_TRACING GENFSCON("tracefs", "/"); #endif #ifdef CONFIG_PSTORE GENFSCON("pstore", "/"); #endif GENFSCON("cgroup", "/"); GENFSCON("cgroup2", "/"); fclose(fout); fout = fopen(ctxout, "w"); if (!fout) { printf("Wrote policy, but cannot open %s for writing\n", ctxout); usage(argv[0]); } fprintf(fout, "/ " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : ""); fprintf(fout, "/.* " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : ""); fclose(fout); return 0; }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
You can’t perform that action at this time.