summaryrefslogtreecommitdiffstats
path: root/scripts/selinux
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--scripts/selinux/Makefile2
-rw-r--r--scripts/selinux/README2
-rw-r--r--scripts/selinux/genheaders/.gitignore2
-rw-r--r--scripts/selinux/genheaders/Makefile5
-rw-r--r--scripts/selinux/genheaders/genheaders.c142
-rwxr-xr-xscripts/selinux/install_policy.sh85
-rw-r--r--scripts/selinux/mdp/.gitignore2
-rw-r--r--scripts/selinux/mdp/Makefile7
-rw-r--r--scripts/selinux/mdp/dbus_contexts6
-rw-r--r--scripts/selinux/mdp/mdp.c273
10 files changed, 526 insertions, 0 deletions
diff --git a/scripts/selinux/Makefile b/scripts/selinux/Makefile
new file mode 100644
index 000000000..59494e149
--- /dev/null
+++ b/scripts/selinux/Makefile
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: GPL-2.0-only
+subdir-y := mdp genheaders
diff --git a/scripts/selinux/README b/scripts/selinux/README
new file mode 100644
index 000000000..5ba679c5b
--- /dev/null
+++ b/scripts/selinux/README
@@ -0,0 +1,2 @@
+Please see Documentation/admin-guide/LSM/SELinux.rst for information on
+installing a dummy SELinux policy.
diff --git a/scripts/selinux/genheaders/.gitignore b/scripts/selinux/genheaders/.gitignore
new file mode 100644
index 000000000..5fcadd307
--- /dev/null
+++ b/scripts/selinux/genheaders/.gitignore
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: GPL-2.0-only
+genheaders
diff --git a/scripts/selinux/genheaders/Makefile b/scripts/selinux/genheaders/Makefile
new file mode 100644
index 000000000..1faf7f07e
--- /dev/null
+++ b/scripts/selinux/genheaders/Makefile
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: GPL-2.0
+hostprogs-always-y += genheaders
+HOST_EXTRACFLAGS += \
+ -I$(srctree)/include/uapi -I$(srctree)/include \
+ -I$(srctree)/security/selinux/include
diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
new file mode 100644
index 000000000..f355b3e0e
--- /dev/null
+++ b/scripts/selinux/genheaders/genheaders.c
@@ -0,0 +1,142 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/* NOTE: we really do want to use the kernel headers here */
+#define __EXPORTED_HEADERS__
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <ctype.h>
+
+struct security_class_mapping {
+ const char *name;
+ const char *perms[sizeof(unsigned) * 8 + 1];
+};
+
+#include "classmap.h"
+#include "initial_sid_to_string.h"
+
+const char *progname;
+
+static void usage(void)
+{
+ printf("usage: %s flask.h av_permissions.h\n", progname);
+ exit(1);
+}
+
+static char *stoupperx(const char *s)
+{
+ char *s2 = strdup(s);
+ char *p;
+
+ if (!s2) {
+ fprintf(stderr, "%s: out of memory\n", progname);
+ exit(3);
+ }
+
+ for (p = s2; *p; p++)
+ *p = toupper(*p);
+ return s2;
+}
+
+int main(int argc, char *argv[])
+{
+ int i, j;
+ int isids_len;
+ FILE *fout;
+
+ progname = argv[0];
+
+ if (argc < 3)
+ usage();
+
+ fout = fopen(argv[1], "w");
+ if (!fout) {
+ fprintf(stderr, "Could not open %s for writing: %s\n",
+ argv[1], strerror(errno));
+ exit(2);
+ }
+
+ for (i = 0; secclass_map[i].name; i++) {
+ struct security_class_mapping *map = &secclass_map[i];
+ map->name = stoupperx(map->name);
+ for (j = 0; map->perms[j]; j++)
+ map->perms[j] = stoupperx(map->perms[j]);
+ }
+
+ isids_len = sizeof(initial_sid_to_string) / sizeof (char *);
+ for (i = 1; i < isids_len; i++) {
+ const char *s = initial_sid_to_string[i];
+
+ if (s)
+ initial_sid_to_string[i] = stoupperx(s);
+ }
+
+ fprintf(fout, "/* This file is automatically generated. Do not edit. */\n");
+ fprintf(fout, "#ifndef _SELINUX_FLASK_H_\n#define _SELINUX_FLASK_H_\n\n");
+
+ for (i = 0; secclass_map[i].name; i++) {
+ struct security_class_mapping *map = &secclass_map[i];
+ fprintf(fout, "#define SECCLASS_%-39s %2d\n", map->name, i+1);
+ }
+
+ fprintf(fout, "\n");
+
+ for (i = 1; i < isids_len; i++) {
+ const char *s = initial_sid_to_string[i];
+ if (s)
+ fprintf(fout, "#define SECINITSID_%-39s %2d\n", s, i);
+ }
+ fprintf(fout, "\n#define SECINITSID_NUM %d\n", i-1);
+ fprintf(fout, "\nstatic inline bool security_is_socket_class(u16 kern_tclass)\n");
+ fprintf(fout, "{\n");
+ fprintf(fout, "\tbool sock = false;\n\n");
+ fprintf(fout, "\tswitch (kern_tclass) {\n");
+ for (i = 0; secclass_map[i].name; i++) {
+ static char s[] = "SOCKET";
+ struct security_class_mapping *map = &secclass_map[i];
+ int len = strlen(map->name), l = sizeof(s) - 1;
+ if (len >= l && memcmp(map->name + len - l, s, l) == 0)
+ fprintf(fout, "\tcase SECCLASS_%s:\n", map->name);
+ }
+ fprintf(fout, "\t\tsock = true;\n");
+ fprintf(fout, "\t\tbreak;\n");
+ fprintf(fout, "\tdefault:\n");
+ fprintf(fout, "\t\tbreak;\n");
+ fprintf(fout, "\t}\n\n");
+ fprintf(fout, "\treturn sock;\n");
+ fprintf(fout, "}\n");
+
+ fprintf(fout, "\n#endif\n");
+ fclose(fout);
+
+ fout = fopen(argv[2], "w");
+ if (!fout) {
+ fprintf(stderr, "Could not open %s for writing: %s\n",
+ argv[2], strerror(errno));
+ exit(4);
+ }
+
+ fprintf(fout, "/* This file is automatically generated. Do not edit. */\n");
+ fprintf(fout, "#ifndef _SELINUX_AV_PERMISSIONS_H_\n#define _SELINUX_AV_PERMISSIONS_H_\n\n");
+
+ for (i = 0; secclass_map[i].name; i++) {
+ struct security_class_mapping *map = &secclass_map[i];
+ int len = strlen(map->name);
+ for (j = 0; map->perms[j]; j++) {
+ if (j >= 32) {
+ fprintf(stderr, "Too many permissions to fit into an access vector at (%s, %s).\n",
+ map->name, map->perms[j]);
+ exit(5);
+ }
+ fprintf(fout, "#define %s__%-*s 0x%08xU\n", map->name,
+ 39-len, map->perms[j], 1U<<j);
+ }
+ }
+
+ fprintf(fout, "\n#endif\n");
+ fclose(fout);
+ exit(0);
+}
diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
new file mode 100755
index 000000000..20af56ce2
--- /dev/null
+++ b/scripts/selinux/install_policy.sh
@@ -0,0 +1,85 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+set -e
+if [ `id -u` -ne 0 ]; then
+ echo "$0: must be root to install the selinux policy"
+ exit 1
+fi
+
+SF=`which setfiles`
+if [ $? -eq 1 ]; then
+ echo "Could not find setfiles"
+ echo "Do you have policycoreutils installed?"
+ exit 1
+fi
+
+CP=`which checkpolicy`
+if [ $? -eq 1 ]; then
+ echo "Could not find checkpolicy"
+ echo "Do you have checkpolicy installed?"
+ exit 1
+fi
+VERS=`$CP -V | awk '{print $1}'`
+
+ENABLED=`which selinuxenabled`
+if [ $? -eq 1 ]; then
+ echo "Could not find selinuxenabled"
+ echo "Do you have libselinux-utils installed?"
+ exit 1
+fi
+
+if selinuxenabled; then
+ echo "SELinux is already enabled"
+ echo "This prevents safely relabeling all files."
+ echo "Boot with selinux=0 on the kernel command-line or"
+ echo "SELINUX=disabled in /etc/selinux/config."
+ exit 1
+fi
+
+cd mdp
+./mdp -m policy.conf file_contexts
+$CP -U allow -M -o policy.$VERS policy.conf
+
+mkdir -p /etc/selinux/dummy/policy
+mkdir -p /etc/selinux/dummy/contexts/files
+
+echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
+echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
+echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
+cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
+client * user_u:base_r:base_t:s0
+property * user_u:object_r:base_t:s0
+extension * user_u:object_r:base_t:s0
+selection * user_u:object_r:base_t:s0
+event * user_u:object_r:base_t:s0
+EOF
+touch /etc/selinux/dummy/contexts/virtual_domain_context
+touch /etc/selinux/dummy/contexts/virtual_image_context
+
+cp file_contexts /etc/selinux/dummy/contexts/files
+cp dbus_contexts /etc/selinux/dummy/contexts
+cp policy.$VERS /etc/selinux/dummy/policy
+FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
+
+if [ ! -d /etc/selinux ]; then
+ mkdir -p /etc/selinux
+fi
+if [ -f /etc/selinux/config ]; then
+ echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
+ mv /etc/selinux/config /etc/selinux/config.bak
+fi
+echo "Creating new /etc/selinux/config for dummy policy."
+cat > /etc/selinux/config << EOF
+SELINUX=permissive
+SELINUXTYPE=dummy
+EOF
+
+cd /etc/selinux/dummy/contexts/files
+$SF -F file_contexts /
+
+mounts=`cat /proc/$$/mounts | \
+ grep -E "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \
+ awk '{ print $2 '}`
+$SF -F file_contexts $mounts
+
+echo "-F" > /.autorelabel
diff --git a/scripts/selinux/mdp/.gitignore b/scripts/selinux/mdp/.gitignore
new file mode 100644
index 000000000..a7482287e
--- /dev/null
+++ b/scripts/selinux/mdp/.gitignore
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: GPL-2.0-only
+mdp
diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile
new file mode 100644
index 000000000..d61058ddd
--- /dev/null
+++ b/scripts/selinux/mdp/Makefile
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: GPL-2.0
+hostprogs-always-y += mdp
+HOST_EXTRACFLAGS += \
+ -I$(srctree)/include/uapi -I$(srctree)/include \
+ -I$(srctree)/security/selinux/include -I$(objtree)/include
+
+clean-files := policy.* file_contexts
diff --git a/scripts/selinux/mdp/dbus_contexts b/scripts/selinux/mdp/dbus_contexts
new file mode 100644
index 000000000..116e684f9
--- /dev/null
+++ b/scripts/selinux/mdp/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ </selinux>
+</busconfig>
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
new file mode 100644
index 000000000..105c1c31a
--- /dev/null
+++ b/scripts/selinux/mdp/mdp.c
@@ -0,0 +1,273 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ *
+ * mdp - make dummy policy
+ *
+ * When pointed at a kernel tree, builds a dummy policy for that kernel
+ * with exactly one type with full rights to itself.
+ *
+ * Copyright (C) IBM Corporation, 2006
+ *
+ * Authors: Serge E. Hallyn <serue@us.ibm.com>
+ */
+
+
+/* NOTE: we really do want to use the kernel headers here */
+#define __EXPORTED_HEADERS__
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <linux/kconfig.h>
+
+static void usage(char *name)
+{
+ printf("usage: %s [-m] policy_file context_file\n", name);
+ exit(1);
+}
+
+/* Class/perm mapping support */
+struct security_class_mapping {
+ const char *name;
+ const char *perms[sizeof(unsigned) * 8 + 1];
+};
+
+#include "classmap.h"
+#include "initial_sid_to_string.h"
+#include "policycap_names.h"
+
+#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
+
+int main(int argc, char *argv[])
+{
+ int i, j, mls = 0;
+ int initial_sid_to_string_len;
+ char **arg, *polout, *ctxout;
+
+ FILE *fout;
+
+ if (argc < 3)
+ usage(argv[0]);
+ arg = argv+1;
+ if (argc==4 && strcmp(argv[1], "-m") == 0) {
+ mls = 1;
+ arg++;
+ }
+ polout = *arg++;
+ ctxout = *arg;
+
+ fout = fopen(polout, "w");
+ if (!fout) {
+ printf("Could not open %s for writing\n", polout);
+ usage(argv[0]);
+ }
+
+ /* print out the classes */
+ for (i = 0; secclass_map[i].name; i++)
+ fprintf(fout, "class %s\n", secclass_map[i].name);
+ fprintf(fout, "\n");
+
+ initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
+ /* print out the sids */
+ for (i = 1; i < initial_sid_to_string_len; i++) {
+ const char *name = initial_sid_to_string[i];
+
+ if (name)
+ fprintf(fout, "sid %s\n", name);
+ else
+ fprintf(fout, "sid unused%d\n", i);
+ }
+ fprintf(fout, "\n");
+
+ /* print out the class permissions */
+ for (i = 0; secclass_map[i].name; i++) {
+ struct security_class_mapping *map = &secclass_map[i];
+ fprintf(fout, "class %s\n", map->name);
+ fprintf(fout, "{\n");
+ for (j = 0; map->perms[j]; j++)
+ fprintf(fout, "\t%s\n", map->perms[j]);
+ fprintf(fout, "}\n\n");
+ }
+ fprintf(fout, "\n");
+
+ /* print out mls declarations and constraints */
+ if (mls) {
+ fprintf(fout, "sensitivity s0;\n");
+ fprintf(fout, "sensitivity s1;\n");
+ fprintf(fout, "dominance { s0 s1 }\n");
+ fprintf(fout, "category c0;\n");
+ fprintf(fout, "category c1;\n");
+ fprintf(fout, "level s0:c0.c1;\n");
+ fprintf(fout, "level s1:c0.c1;\n");
+#define SYSTEMLOW "s0"
+#define SYSTEMHIGH "s1:c0.c1"
+ for (i = 0; secclass_map[i].name; i++) {
+ struct security_class_mapping *map = &secclass_map[i];
+
+ fprintf(fout, "mlsconstrain %s {\n", map->name);
+ for (j = 0; map->perms[j]; j++)
+ fprintf(fout, "\t%s\n", map->perms[j]);
+ /*
+ * This requires all subjects and objects to be
+ * single-level (l2 eq h2), and that the subject
+ * level dominate the object level (h1 dom h2)
+ * in order to have any permissions to it.
+ */
+ fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n");
+ }
+ }
+
+ /* enable all policy capabilities */
+ for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
+ fprintf(fout, "policycap %s;\n", selinux_policycap_names[i]);
+
+ /* types, roles, and allows */
+ fprintf(fout, "type base_t;\n");
+ fprintf(fout, "role base_r;\n");
+ fprintf(fout, "role base_r types { base_t };\n");
+ for (i = 0; secclass_map[i].name; i++)
+ fprintf(fout, "allow base_t base_t:%s *;\n",
+ secclass_map[i].name);
+ fprintf(fout, "user user_u roles { base_r }");
+ if (mls)
+ fprintf(fout, " level %s range %s - %s", SYSTEMLOW,
+ SYSTEMLOW, SYSTEMHIGH);
+ fprintf(fout, ";\n");
+
+#define SUBJUSERROLETYPE "user_u:base_r:base_t"
+#define OBJUSERROLETYPE "user_u:object_r:base_t"
+
+ /* default sids */
+ for (i = 1; i < initial_sid_to_string_len; i++) {
+ const char *name = initial_sid_to_string[i];
+
+ if (name)
+ fprintf(fout, "sid %s ", name);
+ else
+ fprintf(fout, "sid unused%d\n", i);
+ fprintf(fout, SUBJUSERROLETYPE "%s\n",
+ mls ? ":" SYSTEMLOW : "");
+ }
+ fprintf(fout, "\n");
+
+#define FS_USE(behavior, fstype) \
+ fprintf(fout, "fs_use_%s %s " OBJUSERROLETYPE "%s;\n", \
+ behavior, fstype, mls ? ":" SYSTEMLOW : "")
+
+ /*
+ * Filesystems whose inode labels can be fetched via getxattr.
+ */
+#ifdef CONFIG_EXT2_FS_SECURITY
+ FS_USE("xattr", "ext2");
+#endif
+#ifdef CONFIG_EXT4_FS_SECURITY
+#ifdef CONFIG_EXT4_USE_FOR_EXT2
+ FS_USE("xattr", "ext2");
+#endif
+ FS_USE("xattr", "ext3");
+ FS_USE("xattr", "ext4");
+#endif
+#ifdef CONFIG_JFS_SECURITY
+ FS_USE("xattr", "jfs");
+#endif
+#ifdef CONFIG_REISERFS_FS_SECURITY
+ FS_USE("xattr", "reiserfs");
+#endif
+#ifdef CONFIG_JFFS2_FS_SECURITY
+ FS_USE("xattr", "jffs2");
+#endif
+#ifdef CONFIG_XFS_FS
+ FS_USE("xattr", "xfs");
+#endif
+#ifdef CONFIG_GFS2_FS
+ FS_USE("xattr", "gfs2");
+#endif
+#ifdef CONFIG_BTRFS_FS
+ FS_USE("xattr", "btrfs");
+#endif
+#ifdef CONFIG_F2FS_FS_SECURITY
+ FS_USE("xattr", "f2fs");
+#endif
+#ifdef CONFIG_OCFS2_FS
+ FS_USE("xattr", "ocsfs2");
+#endif
+#ifdef CONFIG_OVERLAY_FS
+ FS_USE("xattr", "overlay");
+#endif
+#ifdef CONFIG_SQUASHFS_XATTR
+ FS_USE("xattr", "squashfs");
+#endif
+
+ /*
+ * Filesystems whose inodes are labeled from allocating task.
+ */
+ FS_USE("task", "pipefs");
+ FS_USE("task", "sockfs");
+
+ /*
+ * Filesystems whose inode labels are computed from both
+ * the allocating task and the superblock label.
+ */
+#ifdef CONFIG_UNIX98_PTYS
+ FS_USE("trans", "devpts");
+#endif
+#ifdef CONFIG_HUGETLBFS
+ FS_USE("trans", "hugetlbfs");
+#endif
+#ifdef CONFIG_TMPFS
+ FS_USE("trans", "tmpfs");
+#endif
+#ifdef CONFIG_DEVTMPFS
+ FS_USE("trans", "devtmpfs");
+#endif
+#ifdef CONFIG_POSIX_MQUEUE
+ FS_USE("trans", "mqueue");
+#endif
+
+#define GENFSCON(fstype, prefix) \
+ fprintf(fout, "genfscon %s %s " OBJUSERROLETYPE "%s\n", \
+ fstype, prefix, mls ? ":" SYSTEMLOW : "")
+
+ /*
+ * Filesystems whose inodes are labeled from path prefix match
+ * relative to the filesystem root. Depending on the filesystem,
+ * only a single label for all inodes may be supported. Here
+ * we list the filesystem types for which per-file labeling is
+ * supported using genfscon; any other filesystem type can also
+ * be added by only with a single entry for all of its inodes.
+ */
+#ifdef CONFIG_PROC_FS
+ GENFSCON("proc", "/");
+#endif
+#ifdef CONFIG_SECURITY_SELINUX
+ GENFSCON("selinuxfs", "/");
+#endif
+#ifdef CONFIG_SYSFS
+ GENFSCON("sysfs", "/");
+#endif
+#ifdef CONFIG_DEBUG_FS
+ GENFSCON("debugfs", "/");
+#endif
+#ifdef CONFIG_TRACING
+ GENFSCON("tracefs", "/");
+#endif
+#ifdef CONFIG_PSTORE
+ GENFSCON("pstore", "/");
+#endif
+ GENFSCON("cgroup", "/");
+ GENFSCON("cgroup2", "/");
+
+ fclose(fout);
+
+ fout = fopen(ctxout, "w");
+ if (!fout) {
+ printf("Wrote policy, but cannot open %s for writing\n", ctxout);
+ usage(argv[0]);
+ }
+ fprintf(fout, "/ " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
+ fprintf(fout, "/.* " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
+ fclose(fout);
+
+ return 0;
+}