Eric Lee / smarc-ti-linux-kernel

Download as
Browse Code ยป

Commit 93c06cbbf9fea5d5be1778febb7fa9ab1a74e5f5

Authored by Serge E. Hallyn
Committed by James Morris
1 parent 3f23d815c5
Exists in master and in 20 other branches dlt-processor-sdk-linux-03.00.00.04, newt-ti-linux-3.12.y, processor-sdk-linux-01.00.00, processor-sdk-linux-02.00.01, smarc-ti-linux-3.12.10, smarc-ti-linux-3.12.y, smarc-ti-linux-3.14.y, smarc-ti-linux-3.15.y, smarc-ti-lsk-linux-4.1.y, smarct3x-processor-sdk-04.01.00.06, smarct3x-processor-sdk-linux-02.00.01, smarct3x-processor-sdk-linux-03.00.00.04, smarct4x-800-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-04.01.00.06, smarct4x-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-linux-03.00.00.04, ti-linux-3.12.y, ti-linux-3.14.y, ti-linux-3.15.y, ti-lsk-linux-4.1.y

selinux: add support for installing a dummy policy (v2) 

In August 2006 I posted a patch generating a minimal SELinux policy.  This
week, David P. Quigley posted an updated version of that as a patch against
the kernel.  It also had nice logic for auto-installing the policy.

Following is David's original patch intro (preserved especially
bc it has stats on the generated policies):

se interested in the changes there were only two significant
changes. The first is that the iteration through the list of classes
used NULL as a sentinel value. The problem with this is that the
class_to_string array actually has NULL entries in its table as place
holders for the user space object classes.

The second change was that it would seem at some point the initial sids
table was NULL terminated. This is no longer the case so that iteration
has to be done on array length instead of looking for NULL.

Some statistics on the policy that it generates:

The policy consists of 523 lines which contain no blank lines. Of those
523 lines 453 of them are class, permission, and initial sid
definitions. These lines are usually little to no concern to the policy
developer since they will not be adding object classes or permissions.
Of the remaining 70 lines there is one type, one role, and one user
statement. The remaining lines are broken into three portions. The first
group are TE allow rules which make up 29 of the remaining lines, the
second is assignment of labels to the initial sids which consist of 27
lines, and file system labeling statements which are the remaining 11.

In addition to the policy.conf generated there is a single file_contexts
file containing two lines which labels the entire system with base_t.

This policy generates a policy.23 binary that is 7920 bytes.

(then a few versions later...):

The new policy is 587 lines (stripped of blank lines) with 476 of those
lines being the boilerplate that I mentioned last time. The remaining
111 lines have the 3 lines for type, user, and role, 70 lines for the
allow rules (one for each object class including user space object
classes), 27 lines to assign types to the initial sids, and 11 lines for
file system labeling. The policy binary is 9194 bytes.

Changelog:

	Aug 26: Added Documentation/SELinux.txt
	Aug 26: Incorporated a set of comments by Stephen Smalley:
		1. auto-setup SELINUXTYPE=dummy
		2. don't auto-install if selinux is enabled with
			non-dummy policy
		3. don't re-compute policy version
		4. /sbin/setfiles not /usr/sbin/setfiles
	Aug 22: As per JMorris comments, made sure make distclean
		cleans up the mdp directory.
		Removed a check for file_contexts which is now
		created in the same file as the check, making it
		superfluous.

Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: David Quigley <dpquigl@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

Showing 8 changed files with 355 additions and 1 deletions Side-by-side Diff

Documentation/SELinux.txt
Diff comments   View file @ 93c06cb
  1 +If you want to use SELinux, chances are you will want
  2 +to use the distro-provided policies, or install the
  3 +latest reference policy release from
  4 + http://oss.tresys.com/projects/refpolicy
  5 +
  6 +However, if you want to install a dummy policy for
  7 +testing, you can do using 'mdp' provided under
  8 +scripts/selinux. Note that this requires the selinux
  9 +userspace to be installed - in particular you will
  10 +need checkpolicy to compile a kernel, and setfiles and
  11 +fixfiles to label the filesystem.
  12 +
  13 + 1. Compile the kernel with selinux enabled.
  14 + 2. Type 'make' to compile mdp.
  15 + 3. Make sure that you are not running with
  16 + SELinux enabled and a real policy. If
  17 + you are, reboot with selinux disabled
  18 + before continuing.
  19 + 4. Run install_policy.sh:
  20 + cd scripts/selinux
  21 + sh install_policy.sh
  22 +
  23 +Step 4 will create a new dummy policy valid for your
  24 +kernel, with a single selinux user, role, and type.
  25 +It will compile the policy, will set your SELINUXTYPE to
  26 +dummy in /etc/selinux/config, install the compiled policy
  27 +as 'dummy', and relabel your filesystem.
... ... @@ -20,7 +20,8 @@
20 20  
21 21 subdir-$(CONFIG_MODVERSIONS) += genksyms
22 22 subdir-y += mod
  23 +subdir-$(CONFIG_SECURITY_SELINUX) += selinux
23 24  
24 25 # Let clean descend into subdirs
25   -subdir- += basic kconfig package
  26 +subdir- += basic kconfig package selinux
scripts/selinux/Makefile
Diff comments   View file @ 93c06cb
  1 +subdir-y := mdp
  2 +subdir- += mdp
scripts/selinux/README
Diff comments   View file @ 93c06cb
  1 +Please see Documentation/SELinux.txt for information on
  2 +installing a dummy SELinux policy.
scripts/selinux/install_policy.sh
Diff comments   View file @ 93c06cb
  1 +#!/bin/sh
  2 +if [ `id -u` -ne 0 ]; then
  3 + echo "$0: must be root to install the selinux policy"
  4 + exit 1
  5 +fi
  6 +SF=`which setfiles`
  7 +if [ $? -eq 1 ]; then
  8 + if [ -f /sbin/setfiles ]; then
  9 + SF="/usr/setfiles"
  10 + else
  11 + echo "no selinux tools installed: setfiles"
  12 + exit 1
  13 + fi
  14 +fi
  15 +
  16 +cd mdp
  17 +
  18 +CP=`which checkpolicy`
  19 +VERS=`$CP -V | awk '{print $1}'`
  20 +
  21 +./mdp policy.conf file_contexts
  22 +$CP -o policy.$VERS policy.conf
  23 +
  24 +mkdir -p /etc/selinux/dummy/policy
  25 +mkdir -p /etc/selinux/dummy/contexts/files
  26 +
  27 +cp file_contexts /etc/selinux/dummy/contexts/files
  28 +cp dbus_contexts /etc/selinux/dummy/contexts
  29 +cp policy.$VERS /etc/selinux/dummy/policy
  30 +FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
  31 +
  32 +if [ ! -d /etc/selinux ]; then
  33 + mkdir -p /etc/selinux
  34 +fi
  35 +if [ ! -f /etc/selinux/config ]; then
  36 + cat > /etc/selinux/config << EOF
  37 +SELINUX=enforcing
  38 +SELINUXTYPE=dummy
  39 +EOF
  40 +else
  41 + TYPE=`cat /etc/selinux/config | grep "^SELINUXTYPE" | tail -1 | awk -F= '{ print $2 '}`
  42 + if [ "eq$TYPE" != "eqdummy" ]; then
  43 + selinuxenabled
  44 + if [ $? -eq 0 ]; then
  45 + echo "SELinux already enabled with a non-dummy policy."
  46 + echo "Exiting. Please install policy by hand if that"
  47 + echo "is what you REALLY want."
  48 + exit 1
  49 + fi
  50 + mv /etc/selinux/config /etc/selinux/config.mdpbak
  51 + grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config
  52 + echo "SELINUXTYPE=dummy" >> /etc/selinux/config
  53 + fi
  54 +fi
  55 +
  56 +cd /etc/selinux/dummy/contexts/files
  57 +$SF file_contexts /
  58 +
  59 +mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs|ext4|ext4dev|gfs2" | awk '{ print $2 '}`
  60 +$SF file_contexts $mounts
  61 +
  62 +
  63 +dodev=`cat /proc/$$/mounts | grep "/dev "`
  64 +if [ "eq$dodev" != "eq" ]; then
  65 + mount --move /dev /mnt
  66 + $SF file_contexts /dev
  67 + mount --move /mnt /dev
  68 +fi
scripts/selinux/mdp/Makefile
Diff comments   View file @ 93c06cb
  1 +hostprogs-y := mdp
  2 +HOST_EXTRACFLAGS += -Isecurity/selinux/include
  3 +
  4 +always := $(hostprogs-y)
  5 +clean-files := $(hostprogs-y) policy.* file_contexts
scripts/selinux/mdp/dbus_contexts
Diff comments   View file @ 93c06cb
  1 +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
  2 + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
  3 +<busconfig>
  4 + <selinux>
  5 + </selinux>
  6 +</busconfig>
scripts/selinux/mdp/mdp.c
Diff comments   View file @ 93c06cb
  1 +/*
  2 + *
  3 + * mdp - make dummy policy
  4 + *
  5 + * When pointed at a kernel tree, builds a dummy policy for that kernel
  6 + * with exactly one type with full rights to itself.
  7 + *
  8 + * This program is free software; you can redistribute it and/or modify
  9 + * it under the terms of the GNU General Public License as published by
  10 + * the Free Software Foundation; either version 2 of the License, or
  11 + * (at your option) any later version.
  12 + *
  13 + * This program is distributed in the hope that it will be useful,
  14 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16 + * GNU General Public License for more details.
  17 + *
  18 + * You should have received a copy of the GNU General Public License
  19 + * along with this program; if not, write to the Free Software
  20 + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  21 + *
  22 + * Copyright (C) IBM Corporation, 2006
  23 + *
  24 + * Authors: Serge E. Hallyn <serue@us.ibm.com>
  25 + */
  26 +
  27 +#include <stdio.h>
  28 +#include <stdlib.h>
  29 +#include <unistd.h>
  30 +#include <string.h>
  31 +
  32 +#include "flask.h"
  33 +
  34 +void usage(char *name)
  35 +{
  36 + printf("usage: %s [-m] policy_file context_file\n", name);
  37 + exit(1);
  38 +}
  39 +
  40 +void find_common_name(char *cname, char *dest, int len)
  41 +{
  42 + char *start, *end;
  43 +
  44 + start = strchr(cname, '_')+1;
  45 + end = strchr(start, '_');
  46 + if (!start || !end || start-cname > len || end-start > len) {
  47 + printf("Error with commons defines\n");
  48 + exit(1);
  49 + }
  50 + strncpy(dest, start, end-start);
  51 + dest[end-start] = '\0';
  52 +}
  53 +
  54 +#define S_(x) x,
  55 +static char *classlist[] = {
  56 +#include "class_to_string.h"
  57 + NULL
  58 +};
  59 +#undef S_
  60 +
  61 +#include "initial_sid_to_string.h"
  62 +
  63 +#define TB_(x) char *x[] = {
  64 +#define TE_(x) NULL };
  65 +#define S_(x) x,
  66 +#include "common_perm_to_string.h"
  67 +#undef TB_
  68 +#undef TE_
  69 +#undef S_
  70 +
  71 +struct common {
  72 + char *cname;
  73 + char **perms;
  74 +};
  75 +struct common common[] = {
  76 +#define TB_(x) { #x, x },
  77 +#define S_(x)
  78 +#define TE_(x)
  79 +#include "common_perm_to_string.h"
  80 +#undef TB_
  81 +#undef TE_
  82 +#undef S_
  83 +};
  84 +
  85 +#define S_(x, y, z) {x, #y},
  86 +struct av_inherit {
  87 + int class;
  88 + char *common;
  89 +};
  90 +struct av_inherit av_inherit[] = {
  91 +#include "av_inherit.h"
  92 +};
  93 +#undef S_
  94 +
  95 +#include "av_permissions.h"
  96 +#define S_(x, y, z) {x, y, z},
  97 +struct av_perms {
  98 + int class;
  99 + int perm_i;
  100 + char *perm_s;
  101 +};
  102 +struct av_perms av_perms[] = {
  103 +#include "av_perm_to_string.h"
  104 +};
  105 +#undef S_
  106 +
  107 +int main(int argc, char *argv[])
  108 +{
  109 + int i, j, mls = 0;
  110 + char **arg, *polout, *ctxout;
  111 + int classlist_len, initial_sid_to_string_len;
  112 + FILE *fout;
  113 +
  114 + if (argc < 3)
  115 + usage(argv[0]);
  116 + arg = argv+1;
  117 + if (argc==4 && strcmp(argv[1], "-m") == 0) {
  118 + mls = 1;
  119 + arg++;
  120 + }
  121 + polout = *arg++;
  122 + ctxout = *arg;
  123 +
  124 + fout = fopen(polout, "w");
  125 + if (!fout) {
  126 + printf("Could not open %s for writing\n", polout);
  127 + usage(argv[0]);
  128 + }
  129 +
  130 + classlist_len = sizeof(classlist) / sizeof(char *);
  131 + /* print out the classes */
  132 + for (i=1; i < classlist_len; i++) {
  133 + if(classlist[i])
  134 + fprintf(fout, "class %s\n", classlist[i]);
  135 + else
  136 + fprintf(fout, "class user%d\n", i);
  137 + }
  138 + fprintf(fout, "\n");
  139 +
  140 + initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
  141 + /* print out the sids */
  142 + for (i=1; i < initial_sid_to_string_len; i++)
  143 + fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
  144 + fprintf(fout, "\n");
  145 +
  146 + /* print out the commons */
  147 + for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
  148 + char cname[101];
  149 + find_common_name(common[i].cname, cname, 100);
  150 + cname[100] = '\0';
  151 + fprintf(fout, "common %s\n{\n", cname);
  152 + for (j=0; common[i].perms[j]; j++)
  153 + fprintf(fout, "\t%s\n", common[i].perms[j]);
  154 + fprintf(fout, "}\n\n");
  155 + }
  156 + fprintf(fout, "\n");
  157 +
  158 + /* print out the class permissions */
  159 + for (i=1; i < classlist_len; i++) {
  160 + if (classlist[i]) {
  161 + int firstperm = -1, numperms = 0;
  162 +
  163 + fprintf(fout, "class %s\n", classlist[i]);
  164 + /* does it inherit from a common? */
  165 + for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)
  166 + if (av_inherit[j].class == i)
  167 + fprintf(fout, "inherits %s\n", av_inherit[j].common);
  168 +
  169 + for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
  170 + if (av_perms[j].class == i) {
  171 + if (firstperm == -1)
  172 + firstperm = j;
  173 + numperms++;
  174 + }
  175 + }
  176 + if (!numperms) {
  177 + fprintf(fout, "\n");
  178 + continue;
  179 + }
  180 +
  181 + fprintf(fout, "{\n");
  182 + /* print out the av_perms */
  183 + for (j=0; j < numperms; j++) {
  184 + fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
  185 + }
  186 + fprintf(fout, "}\n\n");
  187 + }
  188 + }
  189 + fprintf(fout, "\n");
  190 +
  191 + /* NOW PRINT OUT MLS STUFF */
  192 + if (mls) {
  193 + printf("MLS not yet implemented\n");
  194 + exit(1);
  195 + }
  196 +
  197 + /* types, roles, and allows */
  198 + fprintf(fout, "type base_t;\n");
  199 + fprintf(fout, "role base_r types { base_t };\n");
  200 + for (i=1; i < classlist_len; i++) {
  201 + if (classlist[i])
  202 + fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);
  203 + else
  204 + fprintf(fout, "allow base_t base_t:user%d *;\n", i);
  205 + }
  206 + fprintf(fout, "user user_u roles { base_r };\n");
  207 + fprintf(fout, "\n");
  208 +
  209 + /* default sids */
  210 + for (i=1; i < initial_sid_to_string_len; i++)
  211 + fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
  212 + fprintf(fout, "\n");
  213 +
  214 +
  215 + fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
  216 + fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
  217 + fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
  218 + fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
  219 + fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
  220 +
  221 + fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
  222 + fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
  223 +
  224 + fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
  225 + fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
  226 + fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
  227 +
  228 + fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
  229 +
  230 + fclose(fout);
  231 +
  232 + fout = fopen(ctxout, "w");
  233 + if (!fout) {
  234 + printf("Wrote policy, but cannot open %s for writing\n", ctxout);
  235 + usage(argv[0]);
  236 + }
  237 + fprintf(fout, "/ user_u:base_r:base_t\n");
  238 + fprintf(fout, "/.* user_u:base_r:base_t\n");
  239 + fclose(fout);
  240 +
  241 + return 0;
  242 +}