6 files changed, 204 insertions, 185 deletions
diff --git a/scripts/Makefile.build b/scripts/Makefile.build
index 76ca30cc4791..0c5969fa795f 100644
--- a/scripts/Makefile.build
+++ b/scripts/Makefile.build
@@ -222,6 +222,9 @@ endif
 ifdef CONFIG_RETPOLINE
  objtool_args += --retpoline
 endif
+ifdef CONFIG_X86_SMAP
+  objtool_args += --uaccess
+endif
 # 'OBJECT_FILES_NON_STANDARD := y': skip objtool checking for a directory
 # 'OBJECT_FILES_NON_STANDARD_foo.o := 'y': skip objtool checking for a file
diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan
index 38b2b4818e8e..019771b845c5 100644
--- a/scripts/Makefile.ubsan
+++ b/scripts/Makefile.ubsan
@@ -3,7 +3,6 @@ ifdef CONFIG_UBSAN
      CFLAGS_UBSAN += $(call cc-option, -fsanitize=shift)
      CFLAGS_UBSAN += $(call cc-option, -fsanitize=integer-divide-by-zero)
      CFLAGS_UBSAN += $(call cc-option, -fsanitize=unreachable)
-      CFLAGS_UBSAN += $(call cc-option, -fsanitize=vla-bound)
      CFLAGS_UBSAN += $(call cc-option, -fsanitize=signed-integer-overflow)
      CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds)
      CFLAGS_UBSAN += $(call cc-option, -fsanitize=object-size)
diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
index 74271dba4f94..80220ed26a35 100644
--- a/scripts/gcc-plugins/Kconfig
+++ b/scripts/gcc-plugins/Kconfig
@@ -13,17 +13,19 @@ config HAVE_GCC_PLUGINS
          An arch should select this symbol if it supports building with
          GCC plugins.
-menuconfig GCC_PLUGINS
+config GCC_PLUGINS
-        bool "GCC plugins"
+        bool
        depends on HAVE_GCC_PLUGINS
        depends on PLUGIN_HOSTCC != ""
+        default y
        help
          GCC plugins are loadable modules that provide extra features to the
          compiler. They are useful for runtime instrumentation and static analysis.
          See Documentation/gcc-plugins.txt for details.
-if GCC_PLUGINS
+menu "GCC plugins"
+        depends on GCC_PLUGINS
 config GCC_PLUGIN_CYC_COMPLEXITY
        bool "Compute the cyclomatic complexity of a function" if EXPERT
@@ -66,71 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY
           * https://grsecurity.net/
           * https://pax.grsecurity.net/
-config GCC_PLUGIN_STRUCTLEAK
-        bool "Zero initialize stack variables"
-        help
-          While the kernel is built with warnings enabled for any missed
-          stack variable initializations, this warning is silenced for
-          anything passed by reference to another function, under the
-          occasionally misguided assumption that the function will do
-          the initialization. As this regularly leads to exploitable
-          flaws, this plugin is available to identify and zero-initialize
-          such variables, depending on the chosen level of coverage.
-          This plugin was originally ported from grsecurity/PaX. More
-          information at:
-           * https://grsecurity.net/
-           * https://pax.grsecurity.net/
-choice
-        prompt "Coverage"
-        depends on GCC_PLUGIN_STRUCTLEAK
-        default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
-        help
-          This chooses the level of coverage over classes of potentially
-          uninitialized variables. The selected class will be
-          zero-initialized before use.
-        config GCC_PLUGIN_STRUCTLEAK_USER
-                bool "structs marked for userspace"
-                help
-                  Zero-initialize any structures on the stack containing
-                  a __user attribute. This can prevent some classes of
-                  uninitialized stack variable exploits and information
-                  exposures, like CVE-2013-2141:
-                  https://git.kernel.org/linus/b9e146d8eb3b9eca
-        config GCC_PLUGIN_STRUCTLEAK_BYREF
-                bool "structs passed by reference"
-                help
-                  Zero-initialize any structures on the stack that may
-                  be passed by reference and had not already been
-                  explicitly initialized. This can prevent most classes
-                  of uninitialized stack variable exploits and information
-                  exposures, like CVE-2017-1000410:
-                  https://git.kernel.org/linus/06e7e776ca4d3654
-        config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
-                bool "anything passed by reference"
-                help
-                  Zero-initialize any stack variables that may be passed
-                  by reference and had not already been explicitly
-                  initialized. This is intended to eliminate all classes
-                  of uninitialized stack variable exploits and information
-                  exposures.
-endchoice
-config GCC_PLUGIN_STRUCTLEAK_VERBOSE
-        bool "Report forcefully initialized variables"
-        depends on GCC_PLUGIN_STRUCTLEAK
-        depends on !COMPILE_TEST        # too noisy
-        help
-          This option will cause a warning to be printed each time the
-          structleak plugin finds a variable it thinks needs to be
-          initialized. Since not all existing initializers are detected
-          by the plugin, this can produce false positive warnings.
 config GCC_PLUGIN_RANDSTRUCT
        bool "Randomize layout of sensitive kernel structures"
        select MODVERSIONS if MODULES
@@ -171,59 +108,8 @@ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
          in structures.  This reduces the performance hit of RANDSTRUCT
          at the cost of weakened randomization.
-config GCC_PLUGIN_STACKLEAK
-        bool "Erase the kernel stack before returning from syscalls"
-        depends on GCC_PLUGINS
-        depends on HAVE_ARCH_STACKLEAK
-        help
-          This option makes the kernel erase the kernel stack before
-          returning from system calls. That reduces the information which
-          kernel stack leak bugs can reveal and blocks some uninitialized
-          stack variable attacks.
-          The tradeoff is the performance impact: on a single CPU system kernel
-          compilation sees a 1% slowdown, other systems and workloads may vary
-          and you are advised to test this feature on your expected workload
-          before deploying it.
-          This plugin was ported from grsecurity/PaX. More information at:
-           * https://grsecurity.net/
-           * https://pax.grsecurity.net/
-config STACKLEAK_TRACK_MIN_SIZE
-        int "Minimum stack frame size of functions tracked by STACKLEAK"
-        default 100
-        range 0 4096
-        depends on GCC_PLUGIN_STACKLEAK
-        help
-          The STACKLEAK gcc plugin instruments the kernel code for tracking
-          the lowest border of the kernel stack (and for some other purposes).
-          It inserts the stackleak_track_stack() call for the functions with
-          a stack frame size greater than or equal to this parameter.
-          If unsure, leave the default value 100.
-config STACKLEAK_METRICS
-        bool "Show STACKLEAK metrics in the /proc file system"
-        depends on GCC_PLUGIN_STACKLEAK
-        depends on PROC_FS
-        help
-          If this is set, STACKLEAK metrics for every task are available in
-          the /proc file system. In particular, /proc/<pid>/stack_depth
-          shows the maximum kernel stack consumption for the current and
-          previous syscalls. Although this information is not precise, it
-          can be useful for estimating the STACKLEAK performance impact for
-          your workloads.
-config STACKLEAK_RUNTIME_DISABLE
-        bool "Allow runtime disabling of kernel stack erasing"
-        depends on GCC_PLUGIN_STACKLEAK
-        help
-          This option provides 'stack_erasing' sysctl, which can be used in
-          runtime to control kernel stack erasing for kernels built with
-          CONFIG_GCC_PLUGIN_STACKLEAK.
 config GCC_PLUGIN_ARM_SSP_PER_TASK
        bool
        depends on GCC_PLUGINS && ARM
-endif
+endmenu
diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
index 0b86c47baf7d..2dccf141241d 100755
--- a/scripts/selinux/install_policy.sh
+++ b/scripts/selinux/install_policy.sh
@@ -1,30 +1,61 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0
+set -e
 if [ `id -u` -ne 0 ]; then
        echo "$0: must be root to install the selinux policy"
        exit 1
 fi
 SF=`which setfiles`
 if [ $? -eq 1 ]; then
-        if [ -f /sbin/setfiles ]; then
+        echo "Could not find setfiles"
-                SF="/usr/setfiles"
+        echo "Do you have policycoreutils installed?"
-        else
+        exit 1
-                echo "no selinux tools installed: setfiles"
-                exit 1
-        fi
 fi
-cd mdp
 CP=`which checkpolicy`
+if [ $? -eq 1 ]; then
+        echo "Could not find checkpolicy"
+        echo "Do you have checkpolicy installed?"
+        exit 1
+fi
 VERS=`$CP -V | awk '{print $1}'`
-./mdp policy.conf file_contexts
+ENABLED=`which selinuxenabled`
-$CP -o policy.$VERS policy.conf
+if [ $? -eq 1 ]; then
+        echo "Could not find selinuxenabled"
+        echo "Do you have libselinux-utils installed?"
+        exit 1
+fi
+if selinuxenabled; then
+    echo "SELinux is already enabled"
+    echo "This prevents safely relabeling all files."
+    echo "Boot with selinux=0 on the kernel command-line or"
+    echo "SELINUX=disabled in /etc/selinux/config."
+    exit 1
+fi
+cd mdp
+./mdp -m policy.conf file_contexts
+$CP -U allow -M -o policy.$VERS policy.conf
 mkdir -p /etc/selinux/dummy/policy
 mkdir -p /etc/selinux/dummy/contexts/files
+echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
+echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
+echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
+cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
+client * user_u:base_r:base_t:s0
+property * user_u:object_r:base_t:s0
+extension * user_u:object_r:base_t:s0
+selection * user_u:object_r:base_t:s0
+event * user_u:object_r:base_t:s0
+EOF
+touch /etc/selinux/dummy/contexts/virtual_domain_context
+touch /etc/selinux/dummy/contexts/virtual_image_context
 cp file_contexts /etc/selinux/dummy/contexts/files
 cp dbus_contexts /etc/selinux/dummy/contexts
 cp policy.$VERS /etc/selinux/dummy/policy
@@ -33,37 +64,22 @@ FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
 if [ ! -d /etc/selinux ]; then
        mkdir -p /etc/selinux
 fi
-if [ ! -f /etc/selinux/config ]; then
+if [ -f /etc/selinux/config ]; then
-        cat > /etc/selinux/config << EOF
+    echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
-SELINUX=enforcing
+    mv /etc/selinux/config /etc/selinux/config.bak
+fi
+echo "Creating new /etc/selinux/config for dummy policy."
+cat > /etc/selinux/config << EOF
+SELINUX=permissive
 SELINUXTYPE=dummy
 EOF
-else
-        TYPE=`cat /etc/selinux/config | grep "^SELINUXTYPE" | tail -1 | awk -F= '{ print $2 '}`
-        if [ "eq$TYPE" != "eqdummy" ]; then
-                selinuxenabled
-                if [ $? -eq 0 ]; then
-                        echo "SELinux already enabled with a non-dummy policy."
-                        echo "Exiting.  Please install policy by hand if that"
-                        echo "is what you REALLY want."
-                        exit 1
-                fi
-                mv /etc/selinux/config /etc/selinux/config.mdpbak
-                grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config
-                echo "SELINUXTYPE=dummy" >> /etc/selinux/config
-        fi
-fi
 cd /etc/selinux/dummy/contexts/files
-$SF file_contexts /
+$SF -F file_contexts /
-mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs|ext4|ext4dev|gfs2" | awk '{ print $2 '}`
+mounts=`cat /proc/$$/mounts | \
-$SF file_contexts $mounts
+        egrep "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \
+        awk '{ print $2 '}`
+$SF -F file_contexts $mounts
+echo "-F" > /.autorelabel
-dodev=`cat /proc/$$/mounts | grep "/dev "`
-if [ "eq$dodev" != "eq" ]; then
-        mount --move /dev /mnt
-        $SF file_contexts /dev
-        mount --move /mnt /dev
-fi
diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile
index e9c92db7e2a3..8a1269a9d0ba 100644
--- a/scripts/selinux/mdp/Makefile
+++ b/scripts/selinux/mdp/Makefile
@@ -2,7 +2,7 @@
 hostprogs-y     := mdp
 HOST_EXTRACFLAGS += \
        -I$(srctree)/include/uapi -I$(srctree)/include \
-        -I$(srctree)/security/selinux/include
+        -I$(srctree)/security/selinux/include -I$(objtree)/include
 always          := $(hostprogs-y)
 clean-files     := policy.* file_contexts
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index 6d51b74bc679..18fd6143888b 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
+#include <linux/kconfig.h>
 static void usage(char *name)
 {
@@ -94,10 +95,31 @@ int main(int argc, char *argv[])
        }
        fprintf(fout, "\n");
-        /* NOW PRINT OUT MLS STUFF */
+        /* print out mls declarations and constraints */
        if (mls) {
-                printf("MLS not yet implemented\n");
+                fprintf(fout, "sensitivity s0;\n");
-                exit(1);
+                fprintf(fout, "sensitivity s1;\n");
+                fprintf(fout, "dominance { s0 s1 }\n");
+                fprintf(fout, "category c0;\n");
+                fprintf(fout, "category c1;\n");
+                fprintf(fout, "level s0:c0.c1;\n");
+                fprintf(fout, "level s1:c0.c1;\n");
+#define SYSTEMLOW "s0"
+#define SYSTEMHIGH "s1:c0.c1"
+                for (i = 0; secclass_map[i].name; i++) {
+                        struct security_class_mapping *map = &secclass_map[i];
+                        fprintf(fout, "mlsconstrain %s {\n", map->name);
+                        for (j = 0; map->perms[j]; j++)
+                                fprintf(fout, "\t%s\n", map->perms[j]);
+                        /*
+                         * This requires all subjects and objects to be
+                         * single-level (l2 eq h2), and that the subject
+                         * level dominate the object level (h1 dom h2)
+                         * in order to have any permissions to it.
+                         */
+                        fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n");
+                }
        }
        /* types, roles, and allows */
@@ -107,34 +129,127 @@ int main(int argc, char *argv[])
        for (i = 0; secclass_map[i].name; i++)
                fprintf(fout, "allow base_t base_t:%s *;\n",
                        secclass_map[i].name);
-        fprintf(fout, "user user_u roles { base_r };\n");
+        fprintf(fout, "user user_u roles { base_r }");
-        fprintf(fout, "\n");
+        if (mls)
+                fprintf(fout, " level %s range %s - %s", SYSTEMLOW,
+                        SYSTEMLOW, SYSTEMHIGH);
+        fprintf(fout, ";\n");
+#define SUBJUSERROLETYPE "user_u:base_r:base_t"
+#define OBJUSERROLETYPE "user_u:object_r:base_t"
        /* default sids */
        for (i = 1; i < initial_sid_to_string_len; i++)
-                fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
+                fprintf(fout, "sid %s " SUBJUSERROLETYPE "%s\n",
+                        initial_sid_to_string[i], mls ? ":" SYSTEMLOW : "");
        fprintf(fout, "\n");
-        fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
+#define FS_USE(behavior, fstype)                            \
-        fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_%s %s " OBJUSERROLETYPE "%s;\n", \
-        fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
+                behavior, fstype, mls ? ":" SYSTEMLOW : "")
-        fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
+        /*
-        fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
+         * Filesystems whose inode labels can be fetched via getxattr.
-        fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
+         */
-        fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
+#ifdef CONFIG_EXT2_FS_SECURITY
+        FS_USE("xattr", "ext2");
+#endif
+#ifdef CONFIG_EXT4_FS_SECURITY
+#ifdef CONFIG_EXT4_USE_FOR_EXT2
+        FS_USE("xattr", "ext2");
+#endif
+        FS_USE("xattr", "ext3");
+        FS_USE("xattr", "ext4");
+#endif
+#ifdef CONFIG_JFS_SECURITY
+        FS_USE("xattr", "jfs");
+#endif
+#ifdef CONFIG_REISERFS_FS_SECURITY
+        FS_USE("xattr", "reiserfs");
+#endif
+#ifdef CONFIG_JFFS2_FS_SECURITY
+        FS_USE("xattr", "jffs2");
+#endif
+#ifdef CONFIG_XFS_FS
+        FS_USE("xattr", "xfs");
+#endif
+#ifdef CONFIG_GFS2_FS
+        FS_USE("xattr", "gfs2");
+#endif
+#ifdef CONFIG_BTRFS_FS
+        FS_USE("xattr", "btrfs");
+#endif
+#ifdef CONFIG_F2FS_FS_SECURITY
+        FS_USE("xattr", "f2fs");
+#endif
+#ifdef CONFIG_OCFS2_FS
+        FS_USE("xattr", "ocsfs2");
+#endif
+#ifdef CONFIG_OVERLAY_FS
+        FS_USE("xattr", "overlay");
+#endif
+#ifdef CONFIG_SQUASHFS_XATTR
+        FS_USE("xattr", "squashfs");
+#endif
+        /*
+         * Filesystems whose inodes are labeled from allocating task.
+         */
+        FS_USE("task", "pipefs");
+        FS_USE("task", "sockfs");
-        fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
+        /*
-        fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
+         * Filesystems whose inode labels are computed from both
-        fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
+         * the allocating task and the superblock label.
+         */
+#ifdef CONFIG_UNIX98_PTYS
+        FS_USE("trans", "devpts");
+#endif
+#ifdef CONFIG_HUGETLBFS
+        FS_USE("trans", "hugetlbfs");
+#endif
+#ifdef CONFIG_TMPFS
+        FS_USE("trans", "tmpfs");
+#endif
+#ifdef CONFIG_DEVTMPFS
+        FS_USE("trans", "devtmpfs");
+#endif
+#ifdef CONFIG_POSIX_MQUEUE
+        FS_USE("trans", "mqueue");
+#endif
-        fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
+#define GENFSCON(fstype, prefix)                             \
-        fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
+        fprintf(fout, "genfscon %s %s " OBJUSERROLETYPE "%s\n", \
-        fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
+                fstype, prefix, mls ? ":" SYSTEMLOW : "")
-        fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
-        fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
+        /*
+         * Filesystems whose inodes are labeled from path prefix match
+         * relative to the filesystem root.  Depending on the filesystem,
+         * only a single label for all inodes may be supported.  Here
+         * we list the filesystem types for which per-file labeling is
+         * supported using genfscon; any other filesystem type can also
+         * be added by only with a single entry for all of its inodes.
+         */
+#ifdef CONFIG_PROC_FS
+        GENFSCON("proc", "/");
+#endif
+#ifdef CONFIG_SECURITY_SELINUX
+        GENFSCON("selinuxfs", "/");
+#endif
+#ifdef CONFIG_SYSFS
+        GENFSCON("sysfs", "/");
+#endif
+#ifdef CONFIG_DEBUG_FS
+        GENFSCON("debugfs", "/");
+#endif
+#ifdef CONFIG_TRACING
+        GENFSCON("tracefs", "/");
+#endif
+#ifdef CONFIG_PSTORE
+        GENFSCON("pstore", "/");
+#endif
+        GENFSCON("cgroup", "/");
+        GENFSCON("cgroup2", "/");
        fclose(fout);
@@ -143,8 +258,8 @@ int main(int argc, char *argv[])
                printf("Wrote policy, but cannot open %s for writing\n", ctxout);
                usage(argv[0]);
        }
-        fprintf(fout, "/ user_u:base_r:base_t\n");
+        fprintf(fout, "/ " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
-        fprintf(fout, "/.* user_u:base_r:base_t\n");
+        fprintf(fout, "/.* " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
        fclose(fout);
        return 0;

diff --git a/scripts/Makefile.build b/scripts/Makefile.build index 76ca30cc4791..0c5969fa795f 100644 --- a/scripts/Makefile.build +++ b/scripts/Makefile.build
@@ -222,6 +222,9 @@ endif
222	ifdef CONFIG_RETPOLINE	222	ifdef CONFIG_RETPOLINE
223	objtool_args += --retpoline	223	objtool_args += --retpoline
224	endif	224	endif
		225	ifdef CONFIG_X86_SMAP
		226	objtool_args += --uaccess
		227	endif
225		228
226	# 'OBJECT_FILES_NON_STANDARD := y': skip objtool checking for a directory	229	# 'OBJECT_FILES_NON_STANDARD := y': skip objtool checking for a directory
227	# 'OBJECT_FILES_NON_STANDARD_foo.o := 'y': skip objtool checking for a file	230	# 'OBJECT_FILES_NON_STANDARD_foo.o := 'y': skip objtool checking for a file


diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 38b2b4818e8e..019771b845c5 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan
@@ -3,7 +3,6 @@ ifdef CONFIG_UBSAN
3	CFLAGS_UBSAN += $(call cc-option, -fsanitize=shift)	3	CFLAGS_UBSAN += $(call cc-option, -fsanitize=shift)
4	CFLAGS_UBSAN += $(call cc-option, -fsanitize=integer-divide-by-zero)	4	CFLAGS_UBSAN += $(call cc-option, -fsanitize=integer-divide-by-zero)
5	CFLAGS_UBSAN += $(call cc-option, -fsanitize=unreachable)	5	CFLAGS_UBSAN += $(call cc-option, -fsanitize=unreachable)
6	CFLAGS_UBSAN += $(call cc-option, -fsanitize=vla-bound)
7	CFLAGS_UBSAN += $(call cc-option, -fsanitize=signed-integer-overflow)	6	CFLAGS_UBSAN += $(call cc-option, -fsanitize=signed-integer-overflow)
8	CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds)	7	CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds)
9	CFLAGS_UBSAN += $(call cc-option, -fsanitize=object-size)	8	CFLAGS_UBSAN += $(call cc-option, -fsanitize=object-size)


diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig index 74271dba4f94..80220ed26a35 100644 --- a/scripts/gcc-plugins/Kconfig +++ b/scripts/gcc-plugins/Kconfig
@@ -13,17 +13,19 @@ config HAVE_GCC_PLUGINS
13	An arch should select this symbol if it supports building with	13	An arch should select this symbol if it supports building with
14	GCC plugins.	14	GCC plugins.
15		15
16	menuconfig GCC_PLUGINS	16	config GCC_PLUGINS
17	bool "GCC plugins"	17	bool
18	depends on HAVE_GCC_PLUGINS	18	depends on HAVE_GCC_PLUGINS
19	depends on PLUGIN_HOSTCC != ""	19	depends on PLUGIN_HOSTCC != ""
		20	default y
20	help	21	help
21	GCC plugins are loadable modules that provide extra features to the	22	GCC plugins are loadable modules that provide extra features to the
22	compiler. They are useful for runtime instrumentation and static analysis.	23	compiler. They are useful for runtime instrumentation and static analysis.
23		24
24	See Documentation/gcc-plugins.txt for details.	25	See Documentation/gcc-plugins.txt for details.
25		26
26	if GCC_PLUGINS	27	menu "GCC plugins"
		28	depends on GCC_PLUGINS
27		29
28	config GCC_PLUGIN_CYC_COMPLEXITY	30	config GCC_PLUGIN_CYC_COMPLEXITY
29	bool "Compute the cyclomatic complexity of a function" if EXPERT	31	bool "Compute the cyclomatic complexity of a function" if EXPERT
@@ -66,71 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY
66	* https://grsecurity.net/	68	* https://grsecurity.net/
67	* https://pax.grsecurity.net/	69	* https://pax.grsecurity.net/
68		70
69	config GCC_PLUGIN_STRUCTLEAK
70	bool "Zero initialize stack variables"
71	help
72	While the kernel is built with warnings enabled for any missed
73	stack variable initializations, this warning is silenced for
74	anything passed by reference to another function, under the
75	occasionally misguided assumption that the function will do
76	the initialization. As this regularly leads to exploitable
77	flaws, this plugin is available to identify and zero-initialize
78	such variables, depending on the chosen level of coverage.
79
80	This plugin was originally ported from grsecurity/PaX. More
81	information at:
82	* https://grsecurity.net/
83	* https://pax.grsecurity.net/
84
85	choice
86	prompt "Coverage"
87	depends on GCC_PLUGIN_STRUCTLEAK
88	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
89	help
90	This chooses the level of coverage over classes of potentially
91	uninitialized variables. The selected class will be
92	zero-initialized before use.
93
94	config GCC_PLUGIN_STRUCTLEAK_USER
95	bool "structs marked for userspace"
96	help
97	Zero-initialize any structures on the stack containing
98	a __user attribute. This can prevent some classes of
99	uninitialized stack variable exploits and information
100	exposures, like CVE-2013-2141:
101	https://git.kernel.org/linus/b9e146d8eb3b9eca
102
103	config GCC_PLUGIN_STRUCTLEAK_BYREF
104	bool "structs passed by reference"
105	help
106	Zero-initialize any structures on the stack that may
107	be passed by reference and had not already been
108	explicitly initialized. This can prevent most classes
109	of uninitialized stack variable exploits and information
110	exposures, like CVE-2017-1000410:
111	https://git.kernel.org/linus/06e7e776ca4d3654
112
113	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
114	bool "anything passed by reference"
115	help
116	Zero-initialize any stack variables that may be passed
117	by reference and had not already been explicitly
118	initialized. This is intended to eliminate all classes
119	of uninitialized stack variable exploits and information
120	exposures.
121
122	endchoice
123
124	config GCC_PLUGIN_STRUCTLEAK_VERBOSE
125	bool "Report forcefully initialized variables"
126	depends on GCC_PLUGIN_STRUCTLEAK
127	depends on !COMPILE_TEST # too noisy
128	help
129	This option will cause a warning to be printed each time the
130	structleak plugin finds a variable it thinks needs to be
131	initialized. Since not all existing initializers are detected
132	by the plugin, this can produce false positive warnings.
133
134	config GCC_PLUGIN_RANDSTRUCT	71	config GCC_PLUGIN_RANDSTRUCT
135	bool "Randomize layout of sensitive kernel structures"	72	bool "Randomize layout of sensitive kernel structures"
136	select MODVERSIONS if MODULES	73	select MODVERSIONS if MODULES
@@ -171,59 +108,8 @@ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
171	in structures. This reduces the performance hit of RANDSTRUCT	108	in structures. This reduces the performance hit of RANDSTRUCT
172	at the cost of weakened randomization.	109	at the cost of weakened randomization.
173		110
174	config GCC_PLUGIN_STACKLEAK
175	bool "Erase the kernel stack before returning from syscalls"
176	depends on GCC_PLUGINS
177	depends on HAVE_ARCH_STACKLEAK
178	help
179	This option makes the kernel erase the kernel stack before
180	returning from system calls. That reduces the information which
181	kernel stack leak bugs can reveal and blocks some uninitialized
182	stack variable attacks.
183
184	The tradeoff is the performance impact: on a single CPU system kernel
185	compilation sees a 1% slowdown, other systems and workloads may vary
186	and you are advised to test this feature on your expected workload
187	before deploying it.
188
189	This plugin was ported from grsecurity/PaX. More information at:
190	* https://grsecurity.net/
191	* https://pax.grsecurity.net/
192
193	config STACKLEAK_TRACK_MIN_SIZE
194	int "Minimum stack frame size of functions tracked by STACKLEAK"
195	default 100
196	range 0 4096
197	depends on GCC_PLUGIN_STACKLEAK
198	help
199	The STACKLEAK gcc plugin instruments the kernel code for tracking
200	the lowest border of the kernel stack (and for some other purposes).
201	It inserts the stackleak_track_stack() call for the functions with
202	a stack frame size greater than or equal to this parameter.
203	If unsure, leave the default value 100.
204
205	config STACKLEAK_METRICS
206	bool "Show STACKLEAK metrics in the /proc file system"
207	depends on GCC_PLUGIN_STACKLEAK
208	depends on PROC_FS
209	help
210	If this is set, STACKLEAK metrics for every task are available in
211	the /proc file system. In particular, /proc/<pid>/stack_depth
212	shows the maximum kernel stack consumption for the current and
213	previous syscalls. Although this information is not precise, it
214	can be useful for estimating the STACKLEAK performance impact for
215	your workloads.
216
217	config STACKLEAK_RUNTIME_DISABLE
218	bool "Allow runtime disabling of kernel stack erasing"
219	depends on GCC_PLUGIN_STACKLEAK
220	help
221	This option provides 'stack_erasing' sysctl, which can be used in
222	runtime to control kernel stack erasing for kernels built with
223	CONFIG_GCC_PLUGIN_STACKLEAK.
224
225	config GCC_PLUGIN_ARM_SSP_PER_TASK	111	config GCC_PLUGIN_ARM_SSP_PER_TASK
226	bool	112	bool
227	depends on GCC_PLUGINS && ARM	113	depends on GCC_PLUGINS && ARM
228		114
229	endif	115	endmenu


diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh index 0b86c47baf7d..2dccf141241d 100755 --- a/scripts/selinux/install_policy.sh +++ b/scripts/selinux/install_policy.sh
@@ -1,30 +1,61 @@
1	#!/bin/sh	1	#!/bin/sh
2	# SPDX-License-Identifier: GPL-2.0	2	# SPDX-License-Identifier: GPL-2.0
		3	set -e
3	if [ `id -u` -ne 0 ]; then	4	if [ `id -u` -ne 0 ]; then
4	echo "$0: must be root to install the selinux policy"	5	echo "$0: must be root to install the selinux policy"
5	exit 1	6	exit 1
6	fi	7	fi
		8
7	SF=`which setfiles`	9	SF=`which setfiles`
8	if [ $? -eq 1 ]; then	10	if [ $? -eq 1 ]; then
9	if [ -f /sbin/setfiles ]; then	11	echo "Could not find setfiles"
10	SF="/usr/setfiles"	12	echo "Do you have policycoreutils installed?"
11	else	13	exit 1
12	echo "no selinux tools installed: setfiles"
13	exit 1
14	fi
15	fi	14	fi
16		15
17	cd mdp
18
19	CP=`which checkpolicy`	16	CP=`which checkpolicy`
		17	if [ $? -eq 1 ]; then
		18	echo "Could not find checkpolicy"
		19	echo "Do you have checkpolicy installed?"
		20	exit 1
		21	fi
20	VERS=`$CP -V \| awk '{print $1}'`	22	VERS=`$CP -V \| awk '{print $1}'`
21		23
22	./mdp policy.conf file_contexts	24	ENABLED=`which selinuxenabled`
23	$CP -o policy.$VERS policy.conf	25	if [ $? -eq 1 ]; then
		26	echo "Could not find selinuxenabled"
		27	echo "Do you have libselinux-utils installed?"
		28	exit 1
		29	fi
		30
		31	if selinuxenabled; then
		32	echo "SELinux is already enabled"
		33	echo "This prevents safely relabeling all files."
		34	echo "Boot with selinux=0 on the kernel command-line or"
		35	echo "SELINUX=disabled in /etc/selinux/config."
		36	exit 1
		37	fi
		38
		39	cd mdp
		40	./mdp -m policy.conf file_contexts
		41	$CP -U allow -M -o policy.$VERS policy.conf
24		42
25	mkdir -p /etc/selinux/dummy/policy	43	mkdir -p /etc/selinux/dummy/policy
26	mkdir -p /etc/selinux/dummy/contexts/files	44	mkdir -p /etc/selinux/dummy/contexts/files
27		45
		46	echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
		47	echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
		48	echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
		49	cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
		50	client * user_u:base_r:base_t:s0
		51	property * user_u:object_r:base_t:s0
		52	extension * user_u:object_r:base_t:s0
		53	selection * user_u:object_r:base_t:s0
		54	event * user_u:object_r:base_t:s0
		55	EOF
		56	touch /etc/selinux/dummy/contexts/virtual_domain_context
		57	touch /etc/selinux/dummy/contexts/virtual_image_context
		58
28	cp file_contexts /etc/selinux/dummy/contexts/files	59	cp file_contexts /etc/selinux/dummy/contexts/files
29	cp dbus_contexts /etc/selinux/dummy/contexts	60	cp dbus_contexts /etc/selinux/dummy/contexts
30	cp policy.$VERS /etc/selinux/dummy/policy	61	cp policy.$VERS /etc/selinux/dummy/policy
@@ -33,37 +64,22 @@ FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
33	if [ ! -d /etc/selinux ]; then	64	if [ ! -d /etc/selinux ]; then
34	mkdir -p /etc/selinux	65	mkdir -p /etc/selinux
35	fi	66	fi
36	if [ ! -f /etc/selinux/config ]; then	67	if [ -f /etc/selinux/config ]; then
37	cat > /etc/selinux/config << EOF	68	echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
38	SELINUX=enforcing	69	mv /etc/selinux/config /etc/selinux/config.bak
		70	fi
		71	echo "Creating new /etc/selinux/config for dummy policy."
		72	cat > /etc/selinux/config << EOF
		73	SELINUX=permissive
39	SELINUXTYPE=dummy	74	SELINUXTYPE=dummy
40	EOF	75	EOF
41	else
42	TYPE=`cat /etc/selinux/config \| grep "^SELINUXTYPE" \| tail -1 \| awk -F= '{ print $2 '}`
43	if [ "eq$TYPE" != "eqdummy" ]; then
44	selinuxenabled
45	if [ $? -eq 0 ]; then
46	echo "SELinux already enabled with a non-dummy policy."
47	echo "Exiting. Please install policy by hand if that"
48	echo "is what you REALLY want."
49	exit 1
50	fi
51	mv /etc/selinux/config /etc/selinux/config.mdpbak
52	grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config
53	echo "SELINUXTYPE=dummy" >> /etc/selinux/config
54	fi
55	fi
56		76
57	cd /etc/selinux/dummy/contexts/files	77	cd /etc/selinux/dummy/contexts/files
58	$SF file_contexts /	78	$SF -F file_contexts /
59		79
60	mounts=`cat /proc/$$/mounts \| egrep "ext2\|ext3\|xfs\|jfs\|ext4\|ext4dev\|gfs2" \| awk '{ print $2 '}`	80	mounts=`cat /proc/$$/mounts \| \
61	$SF file_contexts $mounts	81	egrep "ext[234]\|jfs\|xfs\|reiserfs\|jffs2\|gfs2\|btrfs\|f2fs\|ocfs2" \| \
		82	awk '{ print $2 '}`
		83	$SF -F file_contexts $mounts
62		84
63		85	echo "-F" > /.autorelabel
64	dodev=`cat /proc/$$/mounts \| grep "/dev "`
65	if [ "eq$dodev" != "eq" ]; then
66	mount --move /dev /mnt
67	$SF file_contexts /dev
68	mount --move /mnt /dev
69	fi


diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile index e9c92db7e2a3..8a1269a9d0ba 100644 --- a/scripts/selinux/mdp/Makefile +++ b/scripts/selinux/mdp/Makefile
@@ -2,7 +2,7 @@
2	hostprogs-y := mdp	2	hostprogs-y := mdp
3	HOST_EXTRACFLAGS += \	3	HOST_EXTRACFLAGS += \
4	-I$(srctree)/include/uapi -I$(srctree)/include \	4	-I$(srctree)/include/uapi -I$(srctree)/include \
5	-I$(srctree)/security/selinux/include	5	-I$(srctree)/security/selinux/include -I$(objtree)/include
6		6
7	always := $(hostprogs-y)	7	always := $(hostprogs-y)
8	clean-files := policy.* file_contexts	8	clean-files := policy.* file_contexts


diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c index 6d51b74bc679..18fd6143888b 100644 --- a/scripts/selinux/mdp/mdp.c +++ b/scripts/selinux/mdp/mdp.c
@@ -32,6 +32,7 @@
32	#include <stdlib.h>	32	#include <stdlib.h>
33	#include <unistd.h>	33	#include <unistd.h>
34	#include <string.h>	34	#include <string.h>
		35	#include <linux/kconfig.h>
35		36
36	static void usage(char *name)	37	static void usage(char *name)
37	{	38	{
@@ -94,10 +95,31 @@ int main(int argc, char *argv[])
94	}	95	}
95	fprintf(fout, "\n");	96	fprintf(fout, "\n");
96		97
97	/* NOW PRINT OUT MLS STUFF */	98	/* print out mls declarations and constraints */
98	if (mls) {	99	if (mls) {
99	printf("MLS not yet implemented\n");	100	fprintf(fout, "sensitivity s0;\n");
100	exit(1);	101	fprintf(fout, "sensitivity s1;\n");
		102	fprintf(fout, "dominance { s0 s1 }\n");
		103	fprintf(fout, "category c0;\n");
		104	fprintf(fout, "category c1;\n");
		105	fprintf(fout, "level s0:c0.c1;\n");
		106	fprintf(fout, "level s1:c0.c1;\n");
		107	#define SYSTEMLOW "s0"
		108	#define SYSTEMHIGH "s1:c0.c1"
		109	for (i = 0; secclass_map[i].name; i++) {
		110	struct security_class_mapping *map = &secclass_map[i];
		111
		112	fprintf(fout, "mlsconstrain %s {\n", map->name);
		113	for (j = 0; map->perms[j]; j++)
		114	fprintf(fout, "\t%s\n", map->perms[j]);
		115	/*
		116	* This requires all subjects and objects to be
		117	* single-level (l2 eq h2), and that the subject
		118	* level dominate the object level (h1 dom h2)
		119	* in order to have any permissions to it.
		120	*/
		121	fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n");
		122	}
101	}	123	}
102		124
103	/* types, roles, and allows */	125	/* types, roles, and allows */
@@ -107,34 +129,127 @@ int main(int argc, char *argv[])
107	for (i = 0; secclass_map[i].name; i++)	129	for (i = 0; secclass_map[i].name; i++)
108	fprintf(fout, "allow base_t base_t:%s *;\n",	130	fprintf(fout, "allow base_t base_t:%s *;\n",
109	secclass_map[i].name);	131	secclass_map[i].name);
110	fprintf(fout, "user user_u roles { base_r };\n");	132	fprintf(fout, "user user_u roles { base_r }");
111	fprintf(fout, "\n");	133	if (mls)
		134	fprintf(fout, " level %s range %s - %s", SYSTEMLOW,
		135	SYSTEMLOW, SYSTEMHIGH);
		136	fprintf(fout, ";\n");
		137
		138	#define SUBJUSERROLETYPE "user_u:base_r:base_t"
		139	#define OBJUSERROLETYPE "user_u:object_r:base_t"
112		140
113	/* default sids */	141	/* default sids */
114	for (i = 1; i < initial_sid_to_string_len; i++)	142	for (i = 1; i < initial_sid_to_string_len; i++)
115	fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);	143	fprintf(fout, "sid %s " SUBJUSERROLETYPE "%s\n",
		144	initial_sid_to_string[i], mls ? ":" SYSTEMLOW : "");
116	fprintf(fout, "\n");	145	fprintf(fout, "\n");
117		146
118	fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");	147	#define FS_USE(behavior, fstype) \
119	fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");	148	fprintf(fout, "fs_use_%s %s " OBJUSERROLETYPE "%s;\n", \
120	fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");	149	behavior, fstype, mls ? ":" SYSTEMLOW : "")
121	fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");	150
122	fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");	151	/*
123	fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");	152	* Filesystems whose inode labels can be fetched via getxattr.
124	fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");	153	*/
125	fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");	154	#ifdef CONFIG_EXT2_FS_SECURITY
		155	FS_USE("xattr", "ext2");
		156	#endif
		157	#ifdef CONFIG_EXT4_FS_SECURITY
		158	#ifdef CONFIG_EXT4_USE_FOR_EXT2
		159	FS_USE("xattr", "ext2");
		160	#endif
		161	FS_USE("xattr", "ext3");
		162	FS_USE("xattr", "ext4");
		163	#endif
		164	#ifdef CONFIG_JFS_SECURITY
		165	FS_USE("xattr", "jfs");
		166	#endif
		167	#ifdef CONFIG_REISERFS_FS_SECURITY
		168	FS_USE("xattr", "reiserfs");
		169	#endif
		170	#ifdef CONFIG_JFFS2_FS_SECURITY
		171	FS_USE("xattr", "jffs2");
		172	#endif
		173	#ifdef CONFIG_XFS_FS
		174	FS_USE("xattr", "xfs");
		175	#endif
		176	#ifdef CONFIG_GFS2_FS
		177	FS_USE("xattr", "gfs2");
		178	#endif
		179	#ifdef CONFIG_BTRFS_FS
		180	FS_USE("xattr", "btrfs");
		181	#endif
		182	#ifdef CONFIG_F2FS_FS_SECURITY
		183	FS_USE("xattr", "f2fs");
		184	#endif
		185	#ifdef CONFIG_OCFS2_FS
		186	FS_USE("xattr", "ocsfs2");
		187	#endif
		188	#ifdef CONFIG_OVERLAY_FS
		189	FS_USE("xattr", "overlay");
		190	#endif
		191	#ifdef CONFIG_SQUASHFS_XATTR
		192	FS_USE("xattr", "squashfs");
		193	#endif
		194
		195	/*
		196	* Filesystems whose inodes are labeled from allocating task.
		197	*/
		198	FS_USE("task", "pipefs");
		199	FS_USE("task", "sockfs");
126		200
127	fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");	201	/*
128	fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");	202	* Filesystems whose inode labels are computed from both
129	fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");	203	* the allocating task and the superblock label.
		204	*/
		205	#ifdef CONFIG_UNIX98_PTYS
		206	FS_USE("trans", "devpts");
		207	#endif
		208	#ifdef CONFIG_HUGETLBFS
		209	FS_USE("trans", "hugetlbfs");
		210	#endif
		211	#ifdef CONFIG_TMPFS
		212	FS_USE("trans", "tmpfs");
		213	#endif
		214	#ifdef CONFIG_DEVTMPFS
		215	FS_USE("trans", "devtmpfs");
		216	#endif
		217	#ifdef CONFIG_POSIX_MQUEUE
		218	FS_USE("trans", "mqueue");
		219	#endif
130		220
131	fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");	221	#define GENFSCON(fstype, prefix) \
132	fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");	222	fprintf(fout, "genfscon %s %s " OBJUSERROLETYPE "%s\n", \
133	fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");	223	fstype, prefix, mls ? ":" SYSTEMLOW : "")
134	fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
135	fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
136		224
137	fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");	225	/*
		226	* Filesystems whose inodes are labeled from path prefix match
		227	* relative to the filesystem root. Depending on the filesystem,
		228	* only a single label for all inodes may be supported. Here
		229	* we list the filesystem types for which per-file labeling is
		230	* supported using genfscon; any other filesystem type can also
		231	* be added by only with a single entry for all of its inodes.
		232	*/
		233	#ifdef CONFIG_PROC_FS
		234	GENFSCON("proc", "/");
		235	#endif
		236	#ifdef CONFIG_SECURITY_SELINUX
		237	GENFSCON("selinuxfs", "/");
		238	#endif
		239	#ifdef CONFIG_SYSFS
		240	GENFSCON("sysfs", "/");
		241	#endif
		242	#ifdef CONFIG_DEBUG_FS
		243	GENFSCON("debugfs", "/");
		244	#endif
		245	#ifdef CONFIG_TRACING
		246	GENFSCON("tracefs", "/");
		247	#endif
		248	#ifdef CONFIG_PSTORE
		249	GENFSCON("pstore", "/");
		250	#endif
		251	GENFSCON("cgroup", "/");
		252	GENFSCON("cgroup2", "/");
138		253
139	fclose(fout);	254	fclose(fout);
140		255
@@ -143,8 +258,8 @@ int main(int argc, char *argv[])
143	printf("Wrote policy, but cannot open %s for writing\n", ctxout);	258	printf("Wrote policy, but cannot open %s for writing\n", ctxout);
144	usage(argv[0]);	259	usage(argv[0]);
145	}	260	}
146	fprintf(fout, "/ user_u:base_r:base_t\n");	261	fprintf(fout, "/ " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
147	fprintf(fout, "/.* user_u:base_r:base_t\n");	262	fprintf(fout, "/.* " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
148	fclose(fout);	263	fclose(fout);
149		264
150	return 0;	265	return 0;