diff options
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/Kbuild.include | 4 | ||||
-rw-r--r-- | scripts/Makefile | 3 | ||||
-rwxr-xr-x | scripts/checkstack.pl | 5 | ||||
-rw-r--r-- | scripts/kconfig/conf.c | 123 | ||||
-rw-r--r-- | scripts/kconfig/confdata.c | 8 | ||||
-rwxr-xr-x | scripts/kernel-doc | 4 | ||||
-rw-r--r-- | scripts/mod/modpost.c | 6 | ||||
-rw-r--r-- | scripts/selinux/Makefile | 2 | ||||
-rw-r--r-- | scripts/selinux/README | 2 | ||||
-rw-r--r-- | scripts/selinux/install_policy.sh | 69 | ||||
-rw-r--r-- | scripts/selinux/mdp/.gitignore | 2 | ||||
-rw-r--r-- | scripts/selinux/mdp/Makefile | 5 | ||||
-rw-r--r-- | scripts/selinux/mdp/dbus_contexts | 6 | ||||
-rw-r--r-- | scripts/selinux/mdp/mdp.c | 242 |
14 files changed, 407 insertions, 74 deletions
diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include index d64e6badc942..982dcae7bbe2 100644 --- a/scripts/Kbuild.include +++ b/scripts/Kbuild.include | |||
@@ -105,12 +105,12 @@ as-instr = $(call try-run,\ | |||
105 | # Usage: cflags-y += $(call cc-option,-march=winchip-c6,-march=i586) | 105 | # Usage: cflags-y += $(call cc-option,-march=winchip-c6,-march=i586) |
106 | 106 | ||
107 | cc-option = $(call try-run,\ | 107 | cc-option = $(call try-run,\ |
108 | $(CC) $(KBUILD_CFLAGS) $(1) -S -xc /dev/null -o "$$TMP",$(1),$(2)) | 108 | $(CC) $(KBUILD_CFLAGS) $(1) -c -xc /dev/null -o "$$TMP",$(1),$(2)) |
109 | 109 | ||
110 | # cc-option-yn | 110 | # cc-option-yn |
111 | # Usage: flag := $(call cc-option-yn,-march=winchip-c6) | 111 | # Usage: flag := $(call cc-option-yn,-march=winchip-c6) |
112 | cc-option-yn = $(call try-run,\ | 112 | cc-option-yn = $(call try-run,\ |
113 | $(CC) $(KBUILD_CFLAGS) $(1) -S -xc /dev/null -o "$$TMP",y,n) | 113 | $(CC) $(KBUILD_CFLAGS) $(1) -c -xc /dev/null -o "$$TMP",y,n) |
114 | 114 | ||
115 | # cc-option-align | 115 | # cc-option-align |
116 | # Prefix align with either -falign or -malign | 116 | # Prefix align with either -falign or -malign |
diff --git a/scripts/Makefile b/scripts/Makefile index 1c73c5aea66b..aafdf064feef 100644 --- a/scripts/Makefile +++ b/scripts/Makefile | |||
@@ -20,6 +20,7 @@ hostprogs-y += unifdef | |||
20 | 20 | ||
21 | subdir-$(CONFIG_MODVERSIONS) += genksyms | 21 | subdir-$(CONFIG_MODVERSIONS) += genksyms |
22 | subdir-y += mod | 22 | subdir-y += mod |
23 | subdir-$(CONFIG_SECURITY_SELINUX) += selinux | ||
23 | 24 | ||
24 | # Let clean descend into subdirs | 25 | # Let clean descend into subdirs |
25 | subdir- += basic kconfig package | 26 | subdir- += basic kconfig package selinux |
diff --git a/scripts/checkstack.pl b/scripts/checkstack.pl index 3eca62566d6b..f7e8e93ff30d 100755 --- a/scripts/checkstack.pl +++ b/scripts/checkstack.pl | |||
@@ -81,7 +81,10 @@ my (@stack, $re, $dre, $x, $xs); | |||
81 | $re = qr/.*st[dw]u.*r1,-($x{1,8})\(r1\)/o; | 81 | $re = qr/.*st[dw]u.*r1,-($x{1,8})\(r1\)/o; |
82 | } elsif ($arch =~ /^s390x?$/) { | 82 | } elsif ($arch =~ /^s390x?$/) { |
83 | # 11160: a7 fb ff 60 aghi %r15,-160 | 83 | # 11160: a7 fb ff 60 aghi %r15,-160 |
84 | $re = qr/.*ag?hi.*\%r15,-(([0-9]{2}|[3-9])[0-9]{2})/o; | 84 | # or |
85 | # 100092: e3 f0 ff c8 ff 71 lay %r15,-56(%r15) | ||
86 | $re = qr/.*(?:lay|ag?hi).*\%r15,-(([0-9]{2}|[3-9])[0-9]{2}) | ||
87 | (?:\(\%r15\))?$/ox; | ||
85 | } elsif ($arch =~ /^sh64$/) { | 88 | } elsif ($arch =~ /^sh64$/) { |
86 | #XXX: we only check for the immediate case presently, | 89 | #XXX: we only check for the immediate case presently, |
87 | # though we will want to check for the movi/sub | 90 | # though we will want to check for the movi/sub |
diff --git a/scripts/kconfig/conf.c b/scripts/kconfig/conf.c index 36b5eedcdc75..3e1057f885c6 100644 --- a/scripts/kconfig/conf.c +++ b/scripts/kconfig/conf.c | |||
@@ -32,6 +32,7 @@ char *defconfig_file; | |||
32 | 32 | ||
33 | static int indent = 1; | 33 | static int indent = 1; |
34 | static int valid_stdin = 1; | 34 | static int valid_stdin = 1; |
35 | static int sync_kconfig; | ||
35 | static int conf_cnt; | 36 | static int conf_cnt; |
36 | static char line[128]; | 37 | static char line[128]; |
37 | static struct menu *rootEntry; | 38 | static struct menu *rootEntry; |
@@ -65,7 +66,7 @@ static void strip(char *str) | |||
65 | 66 | ||
66 | static void check_stdin(void) | 67 | static void check_stdin(void) |
67 | { | 68 | { |
68 | if (!valid_stdin && input_mode == ask_silent) { | 69 | if (!valid_stdin) { |
69 | printf(_("aborted!\n\n")); | 70 | printf(_("aborted!\n\n")); |
70 | printf(_("Console input/output is redirected. ")); | 71 | printf(_("Console input/output is redirected. ")); |
71 | printf(_("Run 'make oldconfig' to update configuration.\n\n")); | 72 | printf(_("Run 'make oldconfig' to update configuration.\n\n")); |
@@ -427,43 +428,6 @@ static void check_conf(struct menu *menu) | |||
427 | check_conf(child); | 428 | check_conf(child); |
428 | } | 429 | } |
429 | 430 | ||
430 | static void conf_do_update(void) | ||
431 | { | ||
432 | /* Update until a loop caused no more changes */ | ||
433 | do { | ||
434 | conf_cnt = 0; | ||
435 | check_conf(&rootmenu); | ||
436 | } while (conf_cnt); | ||
437 | } | ||
438 | |||
439 | static int conf_silent_update(void) | ||
440 | { | ||
441 | const char *name; | ||
442 | |||
443 | if (conf_get_changed()) { | ||
444 | name = getenv("KCONFIG_NOSILENTUPDATE"); | ||
445 | if (name && *name) { | ||
446 | fprintf(stderr, | ||
447 | _("\n*** Kernel configuration requires explicit update.\n\n")); | ||
448 | return 1; | ||
449 | } | ||
450 | conf_do_update(); | ||
451 | } | ||
452 | return 0; | ||
453 | } | ||
454 | |||
455 | static int conf_update(void) | ||
456 | { | ||
457 | rootEntry = &rootmenu; | ||
458 | conf(&rootmenu); | ||
459 | if (input_mode == ask_all) { | ||
460 | input_mode = ask_silent; | ||
461 | valid_stdin = 1; | ||
462 | } | ||
463 | conf_do_update(); | ||
464 | return 0; | ||
465 | } | ||
466 | |||
467 | int main(int ac, char **av) | 431 | int main(int ac, char **av) |
468 | { | 432 | { |
469 | int opt; | 433 | int opt; |
@@ -477,11 +441,11 @@ int main(int ac, char **av) | |||
477 | while ((opt = getopt(ac, av, "osdD:nmyrh")) != -1) { | 441 | while ((opt = getopt(ac, av, "osdD:nmyrh")) != -1) { |
478 | switch (opt) { | 442 | switch (opt) { |
479 | case 'o': | 443 | case 'o': |
480 | input_mode = ask_new; | 444 | input_mode = ask_silent; |
481 | break; | 445 | break; |
482 | case 's': | 446 | case 's': |
483 | input_mode = ask_silent; | 447 | input_mode = ask_silent; |
484 | valid_stdin = isatty(0) && isatty(1) && isatty(2); | 448 | sync_kconfig = 1; |
485 | break; | 449 | break; |
486 | case 'd': | 450 | case 'd': |
487 | input_mode = set_default; | 451 | input_mode = set_default; |
@@ -519,6 +483,19 @@ int main(int ac, char **av) | |||
519 | name = av[optind]; | 483 | name = av[optind]; |
520 | conf_parse(name); | 484 | conf_parse(name); |
521 | //zconfdump(stdout); | 485 | //zconfdump(stdout); |
486 | if (sync_kconfig) { | ||
487 | if (stat(".config", &tmpstat)) { | ||
488 | fprintf(stderr, _("***\n" | ||
489 | "*** You have not yet configured your kernel!\n" | ||
490 | "*** (missing kernel .config file)\n" | ||
491 | "***\n" | ||
492 | "*** Please run some configurator (e.g. \"make oldconfig\" or\n" | ||
493 | "*** \"make menuconfig\" or \"make xconfig\").\n" | ||
494 | "***\n")); | ||
495 | exit(1); | ||
496 | } | ||
497 | } | ||
498 | |||
522 | switch (input_mode) { | 499 | switch (input_mode) { |
523 | case set_default: | 500 | case set_default: |
524 | if (!defconfig_file) | 501 | if (!defconfig_file) |
@@ -531,16 +508,6 @@ int main(int ac, char **av) | |||
531 | } | 508 | } |
532 | break; | 509 | break; |
533 | case ask_silent: | 510 | case ask_silent: |
534 | if (stat(".config", &tmpstat)) { | ||
535 | printf(_("***\n" | ||
536 | "*** You have not yet configured your kernel!\n" | ||
537 | "*** (missing kernel .config file)\n" | ||
538 | "***\n" | ||
539 | "*** Please run some configurator (e.g. \"make oldconfig\" or\n" | ||
540 | "*** \"make menuconfig\" or \"make xconfig\").\n" | ||
541 | "***\n")); | ||
542 | exit(1); | ||
543 | } | ||
544 | case ask_all: | 511 | case ask_all: |
545 | case ask_new: | 512 | case ask_new: |
546 | conf_read(NULL); | 513 | conf_read(NULL); |
@@ -569,6 +536,19 @@ int main(int ac, char **av) | |||
569 | default: | 536 | default: |
570 | break; | 537 | break; |
571 | } | 538 | } |
539 | |||
540 | if (sync_kconfig) { | ||
541 | if (conf_get_changed()) { | ||
542 | name = getenv("KCONFIG_NOSILENTUPDATE"); | ||
543 | if (name && *name) { | ||
544 | fprintf(stderr, | ||
545 | _("\n*** Kernel configuration requires explicit update.\n\n")); | ||
546 | return 1; | ||
547 | } | ||
548 | } | ||
549 | valid_stdin = isatty(0) && isatty(1) && isatty(2); | ||
550 | } | ||
551 | |||
572 | switch (input_mode) { | 552 | switch (input_mode) { |
573 | case set_no: | 553 | case set_no: |
574 | conf_set_all_new_symbols(def_no); | 554 | conf_set_all_new_symbols(def_no); |
@@ -585,27 +565,38 @@ int main(int ac, char **av) | |||
585 | case set_default: | 565 | case set_default: |
586 | conf_set_all_new_symbols(def_default); | 566 | conf_set_all_new_symbols(def_default); |
587 | break; | 567 | break; |
588 | case ask_silent: | ||
589 | case ask_new: | 568 | case ask_new: |
590 | if (conf_silent_update()) | ||
591 | exit(1); | ||
592 | break; | ||
593 | case ask_all: | 569 | case ask_all: |
594 | if (conf_update()) | 570 | rootEntry = &rootmenu; |
595 | exit(1); | 571 | conf(&rootmenu); |
572 | input_mode = ask_silent; | ||
573 | /* fall through */ | ||
574 | case ask_silent: | ||
575 | /* Update until a loop caused no more changes */ | ||
576 | do { | ||
577 | conf_cnt = 0; | ||
578 | check_conf(&rootmenu); | ||
579 | } while (conf_cnt); | ||
596 | break; | 580 | break; |
597 | } | 581 | } |
598 | 582 | ||
599 | if (conf_write(NULL)) { | 583 | if (sync_kconfig) { |
600 | fprintf(stderr, _("\n*** Error during writing of the kernel configuration.\n\n")); | 584 | /* silentoldconfig is used during the build so we shall update autoconf. |
601 | exit(1); | 585 | * All other commands are only used to generate a config. |
602 | } | 586 | */ |
603 | /* ask_silent is used during the build so we shall update autoconf. | 587 | if (conf_get_changed() && conf_write(NULL)) { |
604 | * All other commands are only used to generate a config. | 588 | fprintf(stderr, _("\n*** Error during writing of the kernel configuration.\n\n")); |
605 | */ | 589 | exit(1); |
606 | if (input_mode == ask_silent && conf_write_autoconf()) { | 590 | } |
607 | fprintf(stderr, _("\n*** Error during writing of the kernel configuration.\n\n")); | 591 | if (conf_write_autoconf()) { |
608 | return 1; | 592 | fprintf(stderr, _("\n*** Error during update of the kernel configuration.\n\n")); |
593 | return 1; | ||
594 | } | ||
595 | } else { | ||
596 | if (conf_write(NULL)) { | ||
597 | fprintf(stderr, _("\n*** Error during writing of the kernel configuration.\n\n")); | ||
598 | exit(1); | ||
599 | } | ||
609 | } | 600 | } |
610 | return 0; | 601 | return 0; |
611 | } | 602 | } |
diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c index df6a188b9930..b91cf241a539 100644 --- a/scripts/kconfig/confdata.c +++ b/scripts/kconfig/confdata.c | |||
@@ -222,8 +222,10 @@ load: | |||
222 | continue; | 222 | continue; |
223 | if (def == S_DEF_USER) { | 223 | if (def == S_DEF_USER) { |
224 | sym = sym_find(line + 9); | 224 | sym = sym_find(line + 9); |
225 | if (!sym) | 225 | if (!sym) { |
226 | sym_add_change_count(1); | ||
226 | break; | 227 | break; |
228 | } | ||
227 | } else { | 229 | } else { |
228 | sym = sym_lookup(line + 9, 0); | 230 | sym = sym_lookup(line + 9, 0); |
229 | if (sym->type == S_UNKNOWN) | 231 | if (sym->type == S_UNKNOWN) |
@@ -259,8 +261,10 @@ load: | |||
259 | } | 261 | } |
260 | if (def == S_DEF_USER) { | 262 | if (def == S_DEF_USER) { |
261 | sym = sym_find(line + 7); | 263 | sym = sym_find(line + 7); |
262 | if (!sym) | 264 | if (!sym) { |
265 | sym_add_change_count(1); | ||
263 | break; | 266 | break; |
267 | } | ||
264 | } else { | 268 | } else { |
265 | sym = sym_lookup(line + 7, 0); | 269 | sym = sym_lookup(line + 7, 0); |
266 | if (sym->type == S_UNKNOWN) | 270 | if (sym->type == S_UNKNOWN) |
diff --git a/scripts/kernel-doc b/scripts/kernel-doc index ff787e6ff8ed..44ee94d2ab76 100755 --- a/scripts/kernel-doc +++ b/scripts/kernel-doc | |||
@@ -781,6 +781,7 @@ sub output_struct_xml(%) { | |||
781 | print " <refsect1>\n"; | 781 | print " <refsect1>\n"; |
782 | print " <title>Members</title>\n"; | 782 | print " <title>Members</title>\n"; |
783 | 783 | ||
784 | if ($#{$args{'parameterlist'}} >= 0) { | ||
784 | print " <variablelist>\n"; | 785 | print " <variablelist>\n"; |
785 | foreach $parameter (@{$args{'parameterlist'}}) { | 786 | foreach $parameter (@{$args{'parameterlist'}}) { |
786 | ($parameter =~ /^#/) && next; | 787 | ($parameter =~ /^#/) && next; |
@@ -798,6 +799,9 @@ sub output_struct_xml(%) { | |||
798 | print " </varlistentry>\n"; | 799 | print " </varlistentry>\n"; |
799 | } | 800 | } |
800 | print " </variablelist>\n"; | 801 | print " </variablelist>\n"; |
802 | } else { | ||
803 | print " <para>\n None\n </para>\n"; | ||
804 | } | ||
801 | print " </refsect1>\n"; | 805 | print " </refsect1>\n"; |
802 | 806 | ||
803 | output_section_xml(@_); | 807 | output_section_xml(@_); |
diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c index 418cd7dbbc93..8e0de6a5e18a 100644 --- a/scripts/mod/modpost.c +++ b/scripts/mod/modpost.c | |||
@@ -1986,11 +1986,13 @@ static void read_markers(const char *fname) | |||
1986 | 1986 | ||
1987 | mod = find_module(modname); | 1987 | mod = find_module(modname); |
1988 | if (!mod) { | 1988 | if (!mod) { |
1989 | if (is_vmlinux(modname)) | ||
1990 | have_vmlinux = 1; | ||
1991 | mod = new_module(NOFAIL(strdup(modname))); | 1989 | mod = new_module(NOFAIL(strdup(modname))); |
1992 | mod->skip = 1; | 1990 | mod->skip = 1; |
1993 | } | 1991 | } |
1992 | if (is_vmlinux(modname)) { | ||
1993 | have_vmlinux = 1; | ||
1994 | mod->skip = 0; | ||
1995 | } | ||
1994 | 1996 | ||
1995 | if (!mod->skip) | 1997 | if (!mod->skip) |
1996 | add_marker(mod, marker, fmt); | 1998 | add_marker(mod, marker, fmt); |
diff --git a/scripts/selinux/Makefile b/scripts/selinux/Makefile new file mode 100644 index 000000000000..ca4b1ec01822 --- /dev/null +++ b/scripts/selinux/Makefile | |||
@@ -0,0 +1,2 @@ | |||
1 | subdir-y := mdp | ||
2 | subdir- += mdp | ||
diff --git a/scripts/selinux/README b/scripts/selinux/README new file mode 100644 index 000000000000..a936315ba2c8 --- /dev/null +++ b/scripts/selinux/README | |||
@@ -0,0 +1,2 @@ | |||
1 | Please see Documentation/SELinux.txt for information on | ||
2 | installing a dummy SELinux policy. | ||
diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh new file mode 100644 index 000000000000..7b9ccf61f8f9 --- /dev/null +++ b/scripts/selinux/install_policy.sh | |||
@@ -0,0 +1,69 @@ | |||
1 | #!/bin/sh | ||
2 | if [ `id -u` -ne 0 ]; then | ||
3 | echo "$0: must be root to install the selinux policy" | ||
4 | exit 1 | ||
5 | fi | ||
6 | SF=`which setfiles` | ||
7 | if [ $? -eq 1 ]; then | ||
8 | if [ -f /sbin/setfiles ]; then | ||
9 | SF="/usr/setfiles" | ||
10 | else | ||
11 | echo "no selinux tools installed: setfiles" | ||
12 | exit 1 | ||
13 | fi | ||
14 | fi | ||
15 | |||
16 | cd mdp | ||
17 | |||
18 | CP=`which checkpolicy` | ||
19 | VERS=`$CP -V | awk '{print $1}'` | ||
20 | |||
21 | ./mdp policy.conf file_contexts | ||
22 | $CP -o policy.$VERS policy.conf | ||
23 | |||
24 | mkdir -p /etc/selinux/dummy/policy | ||
25 | mkdir -p /etc/selinux/dummy/contexts/files | ||
26 | |||
27 | cp file_contexts /etc/selinux/dummy/contexts/files | ||
28 | cp dbus_contexts /etc/selinux/dummy/contexts | ||
29 | cp policy.$VERS /etc/selinux/dummy/policy | ||
30 | FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts | ||
31 | |||
32 | if [ ! -d /etc/selinux ]; then | ||
33 | mkdir -p /etc/selinux | ||
34 | fi | ||
35 | if [ ! -f /etc/selinux/config ]; then | ||
36 | cat > /etc/selinux/config << EOF | ||
37 | SELINUX=enforcing | ||
38 | SELINUXTYPE=dummy | ||
39 | EOF | ||
40 | else | ||
41 | TYPE=`cat /etc/selinux/config | grep "^SELINUXTYPE" | tail -1 | awk -F= '{ print $2 '}` | ||
42 | if [ "eq$TYPE" != "eqdummy" ]; then | ||
43 | selinuxenabled | ||
44 | if [ $? -eq 0 ]; then | ||
45 | echo "SELinux already enabled with a non-dummy policy." | ||
46 | echo "Exiting. Please install policy by hand if that" | ||
47 | echo "is what you REALLY want." | ||
48 | exit 1 | ||
49 | fi | ||
50 | mv /etc/selinux/config /etc/selinux/config.mdpbak | ||
51 | grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config | ||
52 | echo "SELINUXTYPE=dummy" >> /etc/selinux/config | ||
53 | fi | ||
54 | fi | ||
55 | |||
56 | cd /etc/selinux/dummy/contexts/files | ||
57 | $SF file_contexts / | ||
58 | |||
59 | mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs|ext4|ext4dev|gfs2" | awk '{ print $2 '}` | ||
60 | $SF file_contexts $mounts | ||
61 | |||
62 | |||
63 | dodev=`cat /proc/$$/mounts | grep "/dev "` | ||
64 | if [ "eq$dodev" != "eq" ]; then | ||
65 | mount --move /dev /mnt | ||
66 | $SF file_contexts /dev | ||
67 | mount --move /mnt /dev | ||
68 | fi | ||
69 | |||
diff --git a/scripts/selinux/mdp/.gitignore b/scripts/selinux/mdp/.gitignore new file mode 100644 index 000000000000..654546d8dffd --- /dev/null +++ b/scripts/selinux/mdp/.gitignore | |||
@@ -0,0 +1,2 @@ | |||
1 | # Generated file | ||
2 | mdp | ||
diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile new file mode 100644 index 000000000000..eb365b333441 --- /dev/null +++ b/scripts/selinux/mdp/Makefile | |||
@@ -0,0 +1,5 @@ | |||
1 | hostprogs-y := mdp | ||
2 | HOST_EXTRACFLAGS += -Isecurity/selinux/include | ||
3 | |||
4 | always := $(hostprogs-y) | ||
5 | clean-files := $(hostprogs-y) policy.* file_contexts | ||
diff --git a/scripts/selinux/mdp/dbus_contexts b/scripts/selinux/mdp/dbus_contexts new file mode 100644 index 000000000000..116e684f9fc1 --- /dev/null +++ b/scripts/selinux/mdp/dbus_contexts | |||
@@ -0,0 +1,6 @@ | |||
1 | <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" | ||
2 | "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> | ||
3 | <busconfig> | ||
4 | <selinux> | ||
5 | </selinux> | ||
6 | </busconfig> | ||
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c new file mode 100644 index 000000000000..ca757d486187 --- /dev/null +++ b/scripts/selinux/mdp/mdp.c | |||
@@ -0,0 +1,242 @@ | |||
1 | /* | ||
2 | * | ||
3 | * mdp - make dummy policy | ||
4 | * | ||
5 | * When pointed at a kernel tree, builds a dummy policy for that kernel | ||
6 | * with exactly one type with full rights to itself. | ||
7 | * | ||
8 | * This program is free software; you can redistribute it and/or modify | ||
9 | * it under the terms of the GNU General Public License as published by | ||
10 | * the Free Software Foundation; either version 2 of the License, or | ||
11 | * (at your option) any later version. | ||
12 | * | ||
13 | * This program is distributed in the hope that it will be useful, | ||
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
16 | * GNU General Public License for more details. | ||
17 | * | ||
18 | * You should have received a copy of the GNU General Public License | ||
19 | * along with this program; if not, write to the Free Software | ||
20 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | ||
21 | * | ||
22 | * Copyright (C) IBM Corporation, 2006 | ||
23 | * | ||
24 | * Authors: Serge E. Hallyn <serue@us.ibm.com> | ||
25 | */ | ||
26 | |||
27 | #include <stdio.h> | ||
28 | #include <stdlib.h> | ||
29 | #include <unistd.h> | ||
30 | #include <string.h> | ||
31 | |||
32 | #include "flask.h" | ||
33 | |||
34 | void usage(char *name) | ||
35 | { | ||
36 | printf("usage: %s [-m] policy_file context_file\n", name); | ||
37 | exit(1); | ||
38 | } | ||
39 | |||
40 | void find_common_name(char *cname, char *dest, int len) | ||
41 | { | ||
42 | char *start, *end; | ||
43 | |||
44 | start = strchr(cname, '_')+1; | ||
45 | end = strchr(start, '_'); | ||
46 | if (!start || !end || start-cname > len || end-start > len) { | ||
47 | printf("Error with commons defines\n"); | ||
48 | exit(1); | ||
49 | } | ||
50 | strncpy(dest, start, end-start); | ||
51 | dest[end-start] = '\0'; | ||
52 | } | ||
53 | |||
54 | #define S_(x) x, | ||
55 | static char *classlist[] = { | ||
56 | #include "class_to_string.h" | ||
57 | NULL | ||
58 | }; | ||
59 | #undef S_ | ||
60 | |||
61 | #include "initial_sid_to_string.h" | ||
62 | |||
63 | #define TB_(x) char *x[] = { | ||
64 | #define TE_(x) NULL }; | ||
65 | #define S_(x) x, | ||
66 | #include "common_perm_to_string.h" | ||
67 | #undef TB_ | ||
68 | #undef TE_ | ||
69 | #undef S_ | ||
70 | |||
71 | struct common { | ||
72 | char *cname; | ||
73 | char **perms; | ||
74 | }; | ||
75 | struct common common[] = { | ||
76 | #define TB_(x) { #x, x }, | ||
77 | #define S_(x) | ||
78 | #define TE_(x) | ||
79 | #include "common_perm_to_string.h" | ||
80 | #undef TB_ | ||
81 | #undef TE_ | ||
82 | #undef S_ | ||
83 | }; | ||
84 | |||
85 | #define S_(x, y, z) {x, #y}, | ||
86 | struct av_inherit { | ||
87 | int class; | ||
88 | char *common; | ||
89 | }; | ||
90 | struct av_inherit av_inherit[] = { | ||
91 | #include "av_inherit.h" | ||
92 | }; | ||
93 | #undef S_ | ||
94 | |||
95 | #include "av_permissions.h" | ||
96 | #define S_(x, y, z) {x, y, z}, | ||
97 | struct av_perms { | ||
98 | int class; | ||
99 | int perm_i; | ||
100 | char *perm_s; | ||
101 | }; | ||
102 | struct av_perms av_perms[] = { | ||
103 | #include "av_perm_to_string.h" | ||
104 | }; | ||
105 | #undef S_ | ||
106 | |||
107 | int main(int argc, char *argv[]) | ||
108 | { | ||
109 | int i, j, mls = 0; | ||
110 | char **arg, *polout, *ctxout; | ||
111 | int classlist_len, initial_sid_to_string_len; | ||
112 | FILE *fout; | ||
113 | |||
114 | if (argc < 3) | ||
115 | usage(argv[0]); | ||
116 | arg = argv+1; | ||
117 | if (argc==4 && strcmp(argv[1], "-m") == 0) { | ||
118 | mls = 1; | ||
119 | arg++; | ||
120 | } | ||
121 | polout = *arg++; | ||
122 | ctxout = *arg; | ||
123 | |||
124 | fout = fopen(polout, "w"); | ||
125 | if (!fout) { | ||
126 | printf("Could not open %s for writing\n", polout); | ||
127 | usage(argv[0]); | ||
128 | } | ||
129 | |||
130 | classlist_len = sizeof(classlist) / sizeof(char *); | ||
131 | /* print out the classes */ | ||
132 | for (i=1; i < classlist_len; i++) { | ||
133 | if(classlist[i]) | ||
134 | fprintf(fout, "class %s\n", classlist[i]); | ||
135 | else | ||
136 | fprintf(fout, "class user%d\n", i); | ||
137 | } | ||
138 | fprintf(fout, "\n"); | ||
139 | |||
140 | initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *); | ||
141 | /* print out the sids */ | ||
142 | for (i=1; i < initial_sid_to_string_len; i++) | ||
143 | fprintf(fout, "sid %s\n", initial_sid_to_string[i]); | ||
144 | fprintf(fout, "\n"); | ||
145 | |||
146 | /* print out the commons */ | ||
147 | for (i=0; i< sizeof(common)/sizeof(struct common); i++) { | ||
148 | char cname[101]; | ||
149 | find_common_name(common[i].cname, cname, 100); | ||
150 | cname[100] = '\0'; | ||
151 | fprintf(fout, "common %s\n{\n", cname); | ||
152 | for (j=0; common[i].perms[j]; j++) | ||
153 | fprintf(fout, "\t%s\n", common[i].perms[j]); | ||
154 | fprintf(fout, "}\n\n"); | ||
155 | } | ||
156 | fprintf(fout, "\n"); | ||
157 | |||
158 | /* print out the class permissions */ | ||
159 | for (i=1; i < classlist_len; i++) { | ||
160 | if (classlist[i]) { | ||
161 | int firstperm = -1, numperms = 0; | ||
162 | |||
163 | fprintf(fout, "class %s\n", classlist[i]); | ||
164 | /* does it inherit from a common? */ | ||
165 | for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++) | ||
166 | if (av_inherit[j].class == i) | ||
167 | fprintf(fout, "inherits %s\n", av_inherit[j].common); | ||
168 | |||
169 | for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) { | ||
170 | if (av_perms[j].class == i) { | ||
171 | if (firstperm == -1) | ||
172 | firstperm = j; | ||
173 | numperms++; | ||
174 | } | ||
175 | } | ||
176 | if (!numperms) { | ||
177 | fprintf(fout, "\n"); | ||
178 | continue; | ||
179 | } | ||
180 | |||
181 | fprintf(fout, "{\n"); | ||
182 | /* print out the av_perms */ | ||
183 | for (j=0; j < numperms; j++) { | ||
184 | fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s); | ||
185 | } | ||
186 | fprintf(fout, "}\n\n"); | ||
187 | } | ||
188 | } | ||
189 | fprintf(fout, "\n"); | ||
190 | |||
191 | /* NOW PRINT OUT MLS STUFF */ | ||
192 | if (mls) { | ||
193 | printf("MLS not yet implemented\n"); | ||
194 | exit(1); | ||
195 | } | ||
196 | |||
197 | /* types, roles, and allows */ | ||
198 | fprintf(fout, "type base_t;\n"); | ||
199 | fprintf(fout, "role base_r types { base_t };\n"); | ||
200 | for (i=1; i < classlist_len; i++) { | ||
201 | if (classlist[i]) | ||
202 | fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]); | ||
203 | else | ||
204 | fprintf(fout, "allow base_t base_t:user%d *;\n", i); | ||
205 | } | ||
206 | fprintf(fout, "user user_u roles { base_r };\n"); | ||
207 | fprintf(fout, "\n"); | ||
208 | |||
209 | /* default sids */ | ||
210 | for (i=1; i < initial_sid_to_string_len; i++) | ||
211 | fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]); | ||
212 | fprintf(fout, "\n"); | ||
213 | |||
214 | |||
215 | fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n"); | ||
216 | fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n"); | ||
217 | fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n"); | ||
218 | fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n"); | ||
219 | fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n"); | ||
220 | |||
221 | fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n"); | ||
222 | fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n"); | ||
223 | |||
224 | fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n"); | ||
225 | fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n"); | ||
226 | fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n"); | ||
227 | |||
228 | fprintf(fout, "genfscon proc / user_u:base_r:base_t\n"); | ||
229 | |||
230 | fclose(fout); | ||
231 | |||
232 | fout = fopen(ctxout, "w"); | ||
233 | if (!fout) { | ||
234 | printf("Wrote policy, but cannot open %s for writing\n", ctxout); | ||
235 | usage(argv[0]); | ||
236 | } | ||
237 | fprintf(fout, "/ user_u:base_r:base_t\n"); | ||
238 | fprintf(fout, "/.* user_u:base_r:base_t\n"); | ||
239 | fclose(fout); | ||
240 | |||
241 | return 0; | ||
242 | } | ||