hc
2023-12-09 b22da3d8526a935aa31e086e63f60ff3246cb61c
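--- a/kernel/scripts/selinux/mdp/mdp.c
+++ b/kernel/scripts/selinux/mdp/mdp.c
@@ -1,23 +1,10 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
 *
 * mdp - make dummy policy
 *
 * When pointed at a kernel tree, builds a dummy policy for that kernel
 * with exactly one type with full rights to itself.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * Copyright (C) IBM Corporation, 2006
 *
@@ -32,6 +19,7 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
+#include <linux/kconfig.h>
 
 static void usage(char *name)
 {
@@ -47,6 +35,9 @@
 
 #include "classmap.h"
 #include "initial_sid_to_string.h"
+#include "policycap_names.h"
+
+#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
 
 int main(int argc, char *argv[])
 {
@@ -79,8 +70,14 @@
 
 initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
 /* print out the sids */
- for (i = 1; i < initial_sid_to_string_len; i++)
- fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
+ for (i = 1; i < initial_sid_to_string_len; i++) {
+ const char *name = initial_sid_to_string[i];
+
+ if (name)
+ fprintf(fout, "sid %s\n", name);
+ else
+ fprintf(fout, "sid unused%d\n", i);
+ }
 fprintf(fout, "\n");
 
 /* print out the class permissions */
@@ -94,11 +91,36 @@
 }
 fprintf(fout, "\n");
 
- /* NOW PRINT OUT MLS STUFF */
+ /* print out mls declarations and constraints */
 if (mls) {
- printf("MLS not yet implemented\n");
- exit(1);
+ fprintf(fout, "sensitivity s0;\n");
+ fprintf(fout, "sensitivity s1;\n");
+ fprintf(fout, "dominance { s0 s1 }\n");
+ fprintf(fout, "category c0;\n");
+ fprintf(fout, "category c1;\n");
+ fprintf(fout, "level s0:c0.c1;\n");
+ fprintf(fout, "level s1:c0.c1;\n");
+#define SYSTEMLOW "s0"
+#define SYSTEMHIGH "s1:c0.c1"
+ for (i = 0; secclass_map[i].name; i++) {
+ struct security_class_mapping *map = &secclass_map[i];
+
+ fprintf(fout, "mlsconstrain %s {\n", map->name);
+ for (j = 0; map->perms[j]; j++)
+ fprintf(fout, "\t%s\n", map->perms[j]);
+ /*
+ * This requires all subjects and objects to be
+ * single-level (l2 eq h2), and that the subject
+ * level dominate the object level (h1 dom h2)
+ * in order to have any permissions to it.
+ */
+ fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n");
+ }
 }
+
+ /* enable all policy capabilities */
+ for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
+ fprintf(fout, "policycap %s;\n", selinux_policycap_names[i]);
 
 /* types, roles, and allows */
 fprintf(fout, "type base_t;\n");
@@ -107,34 +129,134 @@
 for (i = 0; secclass_map[i].name; i++)
 fprintf(fout, "allow base_t base_t:%s *;\n",
 secclass_map[i].name);
- fprintf(fout, "user user_u roles { base_r };\n");
- fprintf(fout, "\n");
+ fprintf(fout, "user user_u roles { base_r }");
+ if (mls)
+ fprintf(fout, " level %s range %s - %s", SYSTEMLOW,
+ SYSTEMLOW, SYSTEMHIGH);
+ fprintf(fout, ";\n");
+
+#define SUBJUSERROLETYPE "user_u:base_r:base_t"
+#define OBJUSERROLETYPE "user_u:object_r:base_t"
 
 /* default sids */
- for (i = 1; i < initial_sid_to_string_len; i++)
- fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
+ for (i = 1; i < initial_sid_to_string_len; i++) {
+ const char *name = initial_sid_to_string[i];
+
+ if (name)
+ fprintf(fout, "sid %s ", name);
+ else
+ fprintf(fout, "sid unused%d\n", i);
+ fprintf(fout, SUBJUSERROLETYPE "%s\n",
+ mls ? ":" SYSTEMLOW : "");
+ }
 fprintf(fout, "\n");
 
- fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
- fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
- fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
- fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
- fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
- fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
- fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
- fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
+#define FS_USE(behavior, fstype) \
+ fprintf(fout, "fs_use_%s %s " OBJUSERROLETYPE "%s;\n", \
+ behavior, fstype, mls ? ":" SYSTEMLOW : "")
 
- fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
- fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
- fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
+ /*
+ * Filesystems whose inode labels can be fetched via getxattr.
+ */
+#ifdef CONFIG_EXT2_FS_SECURITY
+ FS_USE("xattr", "ext2");
+#endif
+#ifdef CONFIG_EXT4_FS_SECURITY
+#ifdef CONFIG_EXT4_USE_FOR_EXT2
+ FS_USE("xattr", "ext2");
+#endif
+ FS_USE("xattr", "ext3");
+ FS_USE("xattr", "ext4");
+#endif
+#ifdef CONFIG_JFS_SECURITY
+ FS_USE("xattr", "jfs");
+#endif
+#ifdef CONFIG_REISERFS_FS_SECURITY
+ FS_USE("xattr", "reiserfs");
+#endif
+#ifdef CONFIG_JFFS2_FS_SECURITY
+ FS_USE("xattr", "jffs2");
+#endif
+#ifdef CONFIG_XFS_FS
+ FS_USE("xattr", "xfs");
+#endif
+#ifdef CONFIG_GFS2_FS
+ FS_USE("xattr", "gfs2");
+#endif
+#ifdef CONFIG_BTRFS_FS
+ FS_USE("xattr", "btrfs");
+#endif
+#ifdef CONFIG_F2FS_FS_SECURITY
+ FS_USE("xattr", "f2fs");
+#endif
+#ifdef CONFIG_OCFS2_FS
+ FS_USE("xattr", "ocsfs2");
+#endif
+#ifdef CONFIG_OVERLAY_FS
+ FS_USE("xattr", "overlay");
+#endif
+#ifdef CONFIG_SQUASHFS_XATTR
+ FS_USE("xattr", "squashfs");
+#endif
 
- fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
- fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
- fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
- fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
- fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
+ /*
+ * Filesystems whose inodes are labeled from allocating task.
+ */
+ FS_USE("task", "pipefs");
+ FS_USE("task", "sockfs");
 
- fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
+ /*
+ * Filesystems whose inode labels are computed from both
+ * the allocating task and the superblock label.
+ */
+#ifdef CONFIG_UNIX98_PTYS
+ FS_USE("trans", "devpts");
+#endif
+#ifdef CONFIG_HUGETLBFS
+ FS_USE("trans", "hugetlbfs");
+#endif
+#ifdef CONFIG_TMPFS
+ FS_USE("trans", "tmpfs");
+#endif
+#ifdef CONFIG_DEVTMPFS
+ FS_USE("trans", "devtmpfs");
+#endif
+#ifdef CONFIG_POSIX_MQUEUE
+ FS_USE("trans", "mqueue");
+#endif
+
+#define GENFSCON(fstype, prefix) \
+ fprintf(fout, "genfscon %s %s " OBJUSERROLETYPE "%s\n", \
+ fstype, prefix, mls ? ":" SYSTEMLOW : "")
+
+ /*
+ * Filesystems whose inodes are labeled from path prefix match
+ * relative to the filesystem root. Depending on the filesystem,
+ * only a single label for all inodes may be supported. Here
+ * we list the filesystem types for which per-file labeling is
+ * supported using genfscon; any other filesystem type can also
+ * be added by only with a single entry for all of its inodes.
+ */
+#ifdef CONFIG_PROC_FS
+ GENFSCON("proc", "/");
+#endif
+#ifdef CONFIG_SECURITY_SELINUX
+ GENFSCON("selinuxfs", "/");
+#endif
+#ifdef CONFIG_SYSFS
+ GENFSCON("sysfs", "/");
+#endif
+#ifdef CONFIG_DEBUG_FS
+ GENFSCON("debugfs", "/");
+#endif
+#ifdef CONFIG_TRACING
+ GENFSCON("tracefs", "/");
+#endif
+#ifdef CONFIG_PSTORE
+ GENFSCON("pstore", "/");
+#endif
+ GENFSCON("cgroup", "/");
+ GENFSCON("cgroup2", "/");
 
 fclose(fout);
 
@@ -143,8 +265,8 @@
 printf("Wrote policy, but cannot open %s for writing\n", ctxout);
 usage(argv[0]);
 }
- fprintf(fout, "/ user_u:base_r:base_t\n");
- fprintf(fout, "/.* user_u:base_r:base_t\n");
+ fprintf(fout, "/ " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
+ fprintf(fout, "/.* " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
 fclose(fout);
 
 return 0;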
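Review bot: In the default-sids loop of the `@@ -107,34 +129,134 @@` hunk, the else branch ends its string with a newline, so for a NULL entry in initial_sid_to_string the security context is written on a line of its own and the generated `sid` statement is split in two; it should mirror the named branch, `fprintf(fout, "sid unused%d ", i);`. The earlier declaration loop in the `@@ -79,8 +70,14 @@` hunk is right to keep the newline, because nothing follows on that line. In the same large hunk, `FS_USE("xattr", "ocsfs2");` under CONFIG_OCFS2_FS looks like a misspelling of the filesystem type, which would leave ocfs2 without an xattr labeling rule in the generated policy; `FS_USE("xattr", "ocfs2");` is presumably what was meant. The body of main() starts and ends outside the hunks shown, so the declared type of `i` passed to `%d` cannot be checked from here.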