xref: /openbmc/linux/scripts/selinux/mdp/mdp.c (revision fd589a8f) 
1 /*
2  *
3  * mdp - make dummy policy
4  *
5  * When pointed at a kernel tree, builds a dummy policy for that kernel
6  * with exactly one type with full rights to itself.
7  *
8  * This program is free software; you can redistribute it and/or modify
9  * it under the terms of the GNU General Public License as published by
10  * the Free Software Foundation; either version 2 of the License, or
11  * (at your option) any later version.
12  *
13  * This program is distributed in the hope that it will be useful,
14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16  * GNU General Public License for more details.
17  *
18  * You should have received a copy of the GNU General Public License
19  * along with this program; if not, write to the Free Software
20  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
21  *
22  * Copyright (C) IBM Corporation, 2006
23  *
24  * Authors: Serge E. Hallyn <serue@us.ibm.com>
25  */
26 
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <unistd.h>
30 #include <string.h>
31 
32 #include "flask.h"
33 
34 void usage(char *name)
35 {
36 	printf("usage: %s [-m] policy_file context_file\n", name);
37 	exit(1);
38 }
39 
40 void find_common_name(char *cname, char *dest, int len)
41 {
42 	char *start, *end;
43 
44 	start = strchr(cname, '_')+1;
45 	end = strchr(start, '_');
46 	if (!start || !end || start-cname > len || end-start > len) {
47 		printf("Error with commons defines\n");
48 		exit(1);
49 	}
50 	strncpy(dest, start, end-start);
51 	dest[end-start] = '\0';
52 }
53 
54 #define S_(x) x,
55 static char *classlist[] = {
56 #include "class_to_string.h"
57 	NULL
58 };
59 #undef S_
60 
61 #include "initial_sid_to_string.h"
62 
63 #define TB_(x) char *x[] = {
64 #define TE_(x) NULL };
65 #define S_(x) x,
66 #include "common_perm_to_string.h"
67 #undef TB_
68 #undef TE_
69 #undef S_
70 
71 struct common {
72 	char *cname;
73 	char **perms;
74 };
75 struct common common[] = {
76 #define TB_(x) { #x, x },
77 #define S_(x)
78 #define TE_(x)
79 #include "common_perm_to_string.h"
80 #undef TB_
81 #undef TE_
82 #undef S_
83 };
84 
85 #define S_(x, y, z) {x, #y},
86 struct av_inherit {
87 	int class;
88 	char *common;
89 };
90 struct av_inherit av_inherit[] = {
91 #include "av_inherit.h"
92 };
93 #undef S_
94 
95 #include "av_permissions.h"
96 #define S_(x, y, z) {x, y, z},
97 struct av_perms {
98 	int class;
99 	int perm_i;
100 	char *perm_s;
101 };
102 struct av_perms av_perms[] = {
103 #include "av_perm_to_string.h"
104 };
105 #undef S_
106 
107 int main(int argc, char *argv[])
108 {
109 	int i, j, mls = 0;
110 	char **arg, *polout, *ctxout;
111 	int classlist_len, initial_sid_to_string_len;
112 	FILE *fout;
113 
114 	if (argc < 3)
115 		usage(argv[0]);
116 	arg = argv+1;
117 	if (argc==4 && strcmp(argv[1], "-m") == 0) {
118 		mls = 1;
119 		arg++;
120 	}
121 	polout = *arg++;
122 	ctxout = *arg;
123 
124 	fout = fopen(polout, "w");
125 	if (!fout) {
126 		printf("Could not open %s for writing\n", polout);
127 		usage(argv[0]);
128 	}
129 
130 	classlist_len = sizeof(classlist) / sizeof(char *);
131 	/* print out the classes */
132 	for (i=1; i < classlist_len; i++) {
133 		if(classlist[i])
134 			fprintf(fout, "class %s\n", classlist[i]);
135 		else
136 			fprintf(fout, "class user%d\n", i);
137 	}
138 	fprintf(fout, "\n");
139 
140 	initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
141 	/* print out the sids */
142 	for (i=1; i < initial_sid_to_string_len; i++)
143 		fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
144 	fprintf(fout, "\n");
145 
146 	/* print out the commons */
147 	for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
148 		char cname[101];
149 		find_common_name(common[i].cname, cname, 100);
150 		cname[100] = '\0';
151 		fprintf(fout, "common %s\n{\n", cname);
152 		for (j=0; common[i].perms[j]; j++)
153 			fprintf(fout, "\t%s\n", common[i].perms[j]);
154 		fprintf(fout, "}\n\n");
155 	}
156 	fprintf(fout, "\n");
157 
158 	/* print out the class permissions */
159 	for (i=1; i < classlist_len; i++) {
160 		if (classlist[i]) {
161 			int firstperm = -1, numperms = 0;
162 
163 			fprintf(fout, "class %s\n", classlist[i]);
164 			/* does it inherit from a common? */
165 			for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)
166 				if (av_inherit[j].class == i)
167 					fprintf(fout, "inherits %s\n", av_inherit[j].common);
168 
169 			for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
170 				if (av_perms[j].class == i) {
171 					if (firstperm == -1)
172 						firstperm = j;
173 					numperms++;
174 				}
175 			}
176 			if (!numperms) {
177 				fprintf(fout, "\n");
178 				continue;
179 			}
180 
181 			fprintf(fout, "{\n");
182 			/* print out the av_perms */
183 			for (j=0; j < numperms; j++) {
184 				fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
185 			}
186 			fprintf(fout, "}\n\n");
187 		}
188 	}
189 	fprintf(fout, "\n");
190 
191 	/* NOW PRINT OUT MLS STUFF */
192 	if (mls) {
193 		printf("MLS not yet implemented\n");
194 		exit(1);
195 	}
196 
197 	/* types, roles, and allows */
198 	fprintf(fout, "type base_t;\n");
199 	fprintf(fout, "role base_r types { base_t };\n");
200 	for (i=1; i < classlist_len; i++) {
201 		if (classlist[i])
202 			fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);
203 		else
204 			fprintf(fout, "allow base_t base_t:user%d *;\n", i);
205 	}
206 	fprintf(fout, "user user_u roles { base_r };\n");
207 	fprintf(fout, "\n");
208 
209 	/* default sids */
210 	for (i=1; i < initial_sid_to_string_len; i++)
211 		fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
212 	fprintf(fout, "\n");
213 
214 
215 	fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
216 	fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
217 	fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
218 	fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
219 	fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
220 
221 	fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
222 	fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
223 
224 	fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
225 	fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
226 	fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
227 
228 	fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
229 
230 	fclose(fout);
231 
232 	fout = fopen(ctxout, "w");
233 	if (!fout) {
234 		printf("Wrote policy, but cannot open %s for writing\n", ctxout);
235 		usage(argv[0]);
236 	}
237 	fprintf(fout, "/ user_u:base_r:base_t\n");
238 	fprintf(fout, "/.* user_u:base_r:base_t\n");
239 	fclose(fout);
240 
241 	return 0;
242 }
243