Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (30 commits) TOMOYO: Add recursive directory matching operator support. remove CONFIG_SECURITY_FILE_CAPABILITIES compile option SELinux: print denials for buggy kernel with unknown perms Silence the existing API for capability version compatibility check. LSM: Move security_path_chmod()/security_path_chown() to after mutex_lock(). SELinux: header generation may hit infinite loop selinux: Fix warnings security: report the module name to security_module_request Config option to set a default LSM sysctl: require CAP_SYS_RAWIO to set mmap_min_addr tpm: autoload tpm_tis based on system PnP IDs tpm_tis: TPM_STS_DATA_EXPECT workaround define convenient securebits masks for prctl users (v2) tpm: fix header for modular build tomoyo: improve hash bucket dispersion tpm add default function definitions LSM: imbed ima calls in the security hooks SELinux: add .gitignore files for dynamic classes security: remove root_plug SELinux: fix locking issue introduced with c6d3aaa4e35c71a3 ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2009-12-05 09:44:57 -0800
committer: Linus Torvalds <torvalds@linux-foundation.org> 2009-12-05 09:44:57 -0800
commit: 83fdbfbfe6e7e8906e3a3f8f6bc074d887e92109 (patch)
tree: 977e10a076d76fdb2622f089211f3d0954ba6873 /scripts
parent: d9b2c4d0b03c721808c0d259e43a27f1e80205bc (diff)
parent: c84d6efd363a3948eb32ec40d46bab6338580454 (diff)
download: linux-83fdbfbfe6e7e8906e3a3f8f6bc074d887e92109.tar.gz
5 files changed, 154 insertions, 125 deletions
diff --git a/scripts/selinux/Makefile b/scripts/selinux/Makefile
index ca4b1ec01822..e8049da1831f 100644
--- a/scripts/selinux/Makefile
+++ b/scripts/selinux/Makefile
@@ -1,2 +1,2 @@
-subdir-y := mdp
-subdir-	+= mdp
+subdir-y := mdp genheaders
+subdir-	+= mdp genheaders
diff --git a/scripts/selinux/genheaders/.gitignore b/scripts/selinux/genheaders/.gitignore
new file mode 100644
index 000000000000..4c0b646ff8d5
--- /dev/null
+++ b/scripts/selinux/genheaders/.gitignore
@@ -0,0 +1 @@
+genheaders
diff --git a/scripts/selinux/genheaders/Makefile b/scripts/selinux/genheaders/Makefile
new file mode 100644
index 000000000000..417b165008ee
--- /dev/null
+++ b/scripts/selinux/genheaders/Makefile
@@ -0,0 +1,5 @@
+hostprogs-y	:= genheaders
+HOST_EXTRACFLAGS += -Isecurity/selinux/include
+
+always		:= $(hostprogs-y)
+clean-files	:= $(hostprogs-y)
diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
new file mode 100644
index 000000000000..24626968055d
--- /dev/null
+++ b/scripts/selinux/genheaders/genheaders.c
@@ -0,0 +1,118 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <ctype.h>
+
+struct security_class_mapping {
+	const char *name;
+	const char *perms[sizeof(unsigned) * 8 + 1];
+};
+
+#include "classmap.h"
+#include "initial_sid_to_string.h"
+
+#define max(x, y) (((int)(x) > (int)(y)) ? x : y)
+
+const char *progname;
+
+static void usage(void)
+{
+	printf("usage: %s flask.h av_permissions.h\n", progname);
+	exit(1);
+}
+
+static char *stoupperx(const char *s)
+{
+	char *s2 = strdup(s);
+	char *p;
+
+	if (!s2) {
+		fprintf(stderr, "%s:  out of memory\n", progname);
+		exit(3);
+	}
+
+	for (p = s2; *p; p++)
+		*p = toupper(*p);
+	return s2;
+}
+
+int main(int argc, char *argv[])
+{
+	int i, j, k;
+	int isids_len;
+	FILE *fout;
+
+	progname = argv[0];
+
+	if (argc < 3)
+		usage();
+
+	fout = fopen(argv[1], "w");
+	if (!fout) {
+		fprintf(stderr, "Could not open %s for writing:  %s\n",
+			argv[1], strerror(errno));
+		exit(2);
+	}
+
+	for (i = 0; secclass_map[i].name; i++) {
+		struct security_class_mapping *map = &secclass_map[i];
+		map->name = stoupperx(map->name);
+		for (j = 0; map->perms[j]; j++)
+			map->perms[j] = stoupperx(map->perms[j]);
+	}
+
+	isids_len = sizeof(initial_sid_to_string) / sizeof (char *);
+	for (i = 1; i < isids_len; i++)
+		initial_sid_to_string[i] = stoupperx(initial_sid_to_string[i]);
+
+	fprintf(fout, "/* This file is automatically generated.  Do not edit. */\n");
+	fprintf(fout, "#ifndef _SELINUX_FLASK_H_\n#define _SELINUX_FLASK_H_\n\n");
+
+	for (i = 0; secclass_map[i].name; i++) {
+		struct security_class_mapping *map = &secclass_map[i];
+		fprintf(fout, "#define SECCLASS_%s", map->name);
+		for (j = 0; j < max(1, 40 - strlen(map->name)); j++)
+			fprintf(fout, " ");
+		fprintf(fout, "%2d\n", i+1);
+	}
+
+	fprintf(fout, "\n");
+
+	for (i = 1; i < isids_len; i++) {
+		char *s = initial_sid_to_string[i];
+		fprintf(fout, "#define SECINITSID_%s", s);
+		for (j = 0; j < max(1, 40 - strlen(s)); j++)
+			fprintf(fout, " ");
+		fprintf(fout, "%2d\n", i);
+	}
+	fprintf(fout, "\n#define SECINITSID_NUM %d\n", i-1);
+	fprintf(fout, "\n#endif\n");
+	fclose(fout);
+
+	fout = fopen(argv[2], "w");
+	if (!fout) {
+		fprintf(stderr, "Could not open %s for writing:  %s\n",
+			argv[2], strerror(errno));
+		exit(4);
+	}
+
+	fprintf(fout, "/* This file is automatically generated.  Do not edit. */\n");
+	fprintf(fout, "#ifndef _SELINUX_AV_PERMISSIONS_H_\n#define _SELINUX_AV_PERMISSIONS_H_\n\n");
+
+	for (i = 0; secclass_map[i].name; i++) {
+		struct security_class_mapping *map = &secclass_map[i];
+		for (j = 0; map->perms[j]; j++) {
+			fprintf(fout, "#define %s__%s", map->name,
+				map->perms[j]);
+			for (k = 0; k < max(1, 40 - strlen(map->name) - strlen(map->perms[j])); k++)
+				fprintf(fout, " ");
+			fprintf(fout, "0x%08xUL\n", (1<<j));
+		}
+	}
+
+	fprintf(fout, "\n#endif\n");
+	fclose(fout);
+	exit(0);
+}
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index b4ced8562587..62b34ce1f50d 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -29,86 +29,27 @@
 #include <unistd.h>
 #include <string.h>
 
-#include "flask.h"
-
 static void usage(char *name)
 {
 	printf("usage: %s [-m] policy_file context_file\n", name);
 	exit(1);
 }
 
-static void find_common_name(char *cname, char *dest, int len)
-{
-	char *start, *end;
-
-	start = strchr(cname, '_')+1;
-	end = strchr(start, '_');
-	if (!start || !end || start-cname > len || end-start > len) {
-		printf("Error with commons defines\n");
-		exit(1);
-	}
-	strncpy(dest, start, end-start);
-	dest[end-start] = '\0';
-}
-
-#define S_(x) x,
-static char *classlist[] = {
-#include "class_to_string.h"
-	NULL
+/* Class/perm mapping support */
+struct security_class_mapping {
+	const char *name;
+	const char *perms[sizeof(unsigned) * 8 + 1];
 };
-#undef S_
 
+#include "classmap.h"
 #include "initial_sid_to_string.h"
 
-#define TB_(x) char *x[] = {
-#define TE_(x) NULL };
-#define S_(x) x,
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-
-struct common {
-	char *cname;
-	char **perms;
-};
-struct common common[] = {
-#define TB_(x) { #x, x },
-#define S_(x)
-#define TE_(x)
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-};
-
-#define S_(x, y, z) {x, #y},
-struct av_inherit {
-	int class;
-	char *common;
-};
-struct av_inherit av_inherit[] = {
-#include "av_inherit.h"
-};
-#undef S_
-
-#include "av_permissions.h"
-#define S_(x, y, z) {x, y, z},
-struct av_perms {
-	int class;
-	int perm_i;
-	char *perm_s;
-};
-struct av_perms av_perms[] = {
-#include "av_perm_to_string.h"
-};
-#undef S_
-
 int main(int argc, char *argv[])
 {
 	int i, j, mls = 0;
+	int initial_sid_to_string_len;
 	char **arg, *polout, *ctxout;
-	int classlist_len, initial_sid_to_string_len;
+
 	FILE *fout;
 
 	if (argc < 3)
@@ -127,64 +68,25 @@ int main(int argc, char *argv[])
 		usage(argv[0]);
 	}
 
-	classlist_len = sizeof(classlist) / sizeof(char *);
 	/* print out the classes */
-	for (i=1; i < classlist_len; i++) {
-		if(classlist[i])
-			fprintf(fout, "class %s\n", classlist[i]);
-		else
-			fprintf(fout, "class user%d\n", i);
-	}
+	for (i = 0; secclass_map[i].name; i++)
+		fprintf(fout, "class %s\n", secclass_map[i].name);
 	fprintf(fout, "\n");
 
 	initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
 	/* print out the sids */
-	for (i=1; i < initial_sid_to_string_len; i++)
+	for (i = 1; i < initial_sid_to_string_len; i++)
 		fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
 	fprintf(fout, "\n");
 
-	/* print out the commons */
-	for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
-		char cname[101];
-		find_common_name(common[i].cname, cname, 100);
-		cname[100] = '\0';
-		fprintf(fout, "common %s\n{\n", cname);
-		for (j=0; common[i].perms[j]; j++)
-			fprintf(fout, "\t%s\n", common[i].perms[j]);
-		fprintf(fout, "}\n\n");
-	}
-	fprintf(fout, "\n");
-
 	/* print out the class permissions */
-	for (i=1; i < classlist_len; i++) {
-		if (classlist[i]) {
-			int firstperm = -1, numperms = 0;
-
-			fprintf(fout, "class %s\n", classlist[i]);
-			/* does it inherit from a common? */
-			for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)
-				if (av_inherit[j].class == i)
-					fprintf(fout, "inherits %s\n", av_inherit[j].common);
-
-			for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
-				if (av_perms[j].class == i) {
-					if (firstperm == -1)
-						firstperm = j;
-					numperms++;
-				}
-			}
-			if (!numperms) {
-				fprintf(fout, "\n");
-				continue;
-			}
-
-			fprintf(fout, "{\n");
-			/* print out the av_perms */
-			for (j=0; j < numperms; j++) {
-				fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
-			}
-			fprintf(fout, "}\n\n");
-		}
+	for (i = 0; secclass_map[i].name; i++) {
+		struct security_class_mapping *map = &secclass_map[i];
+		fprintf(fout, "class %s\n", map->name);
+		fprintf(fout, "{\n");
+		for (j = 0; map->perms[j]; j++)
+			fprintf(fout, "\t%s\n", map->perms[j]);
+		fprintf(fout, "}\n\n");
 	}
 	fprintf(fout, "\n");
 
@@ -197,31 +99,34 @@ int main(int argc, char *argv[])
 	/* types, roles, and allows */
 	fprintf(fout, "type base_t;\n");
 	fprintf(fout, "role base_r types { base_t };\n");
-	for (i=1; i < classlist_len; i++) {
-		if (classlist[i])
-			fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);
-		else
-			fprintf(fout, "allow base_t base_t:user%d *;\n", i);
-	}
+	for (i = 0; secclass_map[i].name; i++)
+		fprintf(fout, "allow base_t base_t:%s *;\n",
+			secclass_map[i].name);
 	fprintf(fout, "user user_u roles { base_r };\n");
 	fprintf(fout, "\n");
 
 	/* default sids */
-	for (i=1; i < initial_sid_to_string_len; i++)
+	for (i = 1; i < initial_sid_to_string_len; i++)
 		fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
 	fprintf(fout, "\n");
 
-
 	fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
+	fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
+	fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
+	fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
+	fprintf(fout, "fs_use_xattr lustre user_u:base_r:base_t;\n");
 
+	fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
 
+	fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
+	fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
author	Linus Torvalds <torvalds@linux-foundation.org>	2009-12-05 09:44:57 -0800
committer	Linus Torvalds <torvalds@linux-foundation.org>	2009-12-05 09:44:57 -0800
commit	83fdbfbfe6e7e8906e3a3f8f6bc074d887e92109 (patch)
tree	977e10a076d76fdb2622f089211f3d0954ba6873 /scripts
parent	d9b2c4d0b03c721808c0d259e43a27f1e80205bc (diff)
parent	c84d6efd363a3948eb32ec40d46bab6338580454 (diff)
download	linux-83fdbfbfe6e7e8906e3a3f8f6bc074d887e92109.tar.gz