1 /*
2 *
3 * mdp - make dummy policy
4 *
5 * When pointed at a kernel tree, builds a dummy policy for that kernel
6 * with exactly one type with full rights to itself.
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
21 *
22 * Copyright (C) IBM Corporation, 2006
23 *
24 * Authors: Serge E. Hallyn <serue@us.ibm.com>
25 */
26
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <unistd.h>
30 #include <string.h>
31
32 #include "flask.h"
33
usage(char * name)34 void usage(char *name)
35 {
36 printf("usage: %s [-m] policy_file context_file\n", name);
37 exit(1);
38 }
39
find_common_name(char * cname,char * dest,int len)40 void find_common_name(char *cname, char *dest, int len)
41 {
42 char *start, *end;
43
44 start = strchr(cname, '_')+1;
45 end = strchr(start, '_');
46 if (!start || !end || start-cname > len || end-start > len) {
47 printf("Error with commons defines\n");
48 exit(1);
49 }
50 strncpy(dest, start, end-start);
51 dest[end-start] = '\0';
52 }
53
54 #define S_(x) x,
55 static char *classlist[] = {
56 #include "class_to_string.h"
57 NULL
58 };
59 #undef S_
60
61 #include "initial_sid_to_string.h"
62
63 #define TB_(x) char *x[] = {
64 #define TE_(x) NULL };
65 #define S_(x) x,
66 #include "common_perm_to_string.h"
67 #undef TB_
68 #undef TE_
69 #undef S_
70
71 struct common {
72 char *cname;
73 char **perms;
74 };
75 struct common common[] = {
76 #define TB_(x) { #x, x },
77 #define S_(x)
78 #define TE_(x)
79 #include "common_perm_to_string.h"
80 #undef TB_
81 #undef TE_
82 #undef S_
83 };
84
85 #define S_(x, y, z) {x, #y},
86 struct av_inherit {
87 int class;
88 char *common;
89 };
90 struct av_inherit av_inherit[] = {
91 #include "av_inherit.h"
92 };
93 #undef S_
94
95 #include "av_permissions.h"
96 #define S_(x, y, z) {x, y, z},
97 struct av_perms {
98 int class;
99 int perm_i;
100 char *perm_s;
101 };
102 struct av_perms av_perms[] = {
103 #include "av_perm_to_string.h"
104 };
105 #undef S_
106
main(int argc,char * argv[])107 int main(int argc, char *argv[])
108 {
109 int i, j, mls = 0;
110 char **arg, *polout, *ctxout;
111 int classlist_len, initial_sid_to_string_len;
112 FILE *fout;
113
114 if (argc < 3)
115 usage(argv[0]);
116 arg = argv+1;
117 if (argc==4 && strcmp(argv[1], "-m") == 0) {
118 mls = 1;
119 arg++;
120 }
121 polout = *arg++;
122 ctxout = *arg;
123
124 fout = fopen(polout, "w");
125 if (!fout) {
126 printf("Could not open %s for writing\n", polout);
127 usage(argv[0]);
128 }
129
130 classlist_len = sizeof(classlist) / sizeof(char *);
131 /* print out the classes */
132 for (i=1; i < classlist_len; i++) {
133 if(classlist[i])
134 fprintf(fout, "class %s\n", classlist[i]);
135 else
136 fprintf(fout, "class user%d\n", i);
137 }
138 fprintf(fout, "\n");
139
140 initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
141 /* print out the sids */
142 for (i=1; i < initial_sid_to_string_len; i++)
143 fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
144 fprintf(fout, "\n");
145
146 /* print out the commons */
147 for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
148 char cname[101];
149 find_common_name(common[i].cname, cname, 100);
150 cname[100] = '\0';
151 fprintf(fout, "common %s\n{\n", cname);
152 for (j=0; common[i].perms[j]; j++)
153 fprintf(fout, "\t%s\n", common[i].perms[j]);
154 fprintf(fout, "}\n\n");
155 }
156 fprintf(fout, "\n");
157
158 /* print out the class permissions */
159 for (i=1; i < classlist_len; i++) {
160 if (classlist[i]) {
161 int firstperm = -1, numperms = 0;
162
163 fprintf(fout, "class %s\n", classlist[i]);
164 /* does it inherit from a common? */
165 for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)
166 if (av_inherit[j].class == i)
167 fprintf(fout, "inherits %s\n", av_inherit[j].common);
168
169 for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
170 if (av_perms[j].class == i) {
171 if (firstperm == -1)
172 firstperm = j;
173 numperms++;
174 }
175 }
176 if (!numperms) {
177 fprintf(fout, "\n");
178 continue;
179 }
180
181 fprintf(fout, "{\n");
182 /* print out the av_perms */
183 for (j=0; j < numperms; j++) {
184 fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
185 }
186 fprintf(fout, "}\n\n");
187 }
188 }
189 fprintf(fout, "\n");
190
191 /* NOW PRINT OUT MLS STUFF */
192 if (mls) {
193 printf("MLS not yet implemented\n");
194 exit(1);
195 }
196
197 /* types, roles, and allows */
198 fprintf(fout, "type base_t;\n");
199 fprintf(fout, "role base_r types { base_t };\n");
200 for (i=1; i < classlist_len; i++) {
201 if (classlist[i])
202 fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);
203 else
204 fprintf(fout, "allow base_t base_t:user%d *;\n", i);
205 }
206 fprintf(fout, "user user_u roles { base_r };\n");
207 fprintf(fout, "\n");
208
209 /* default sids */
210 for (i=1; i < initial_sid_to_string_len; i++)
211 fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
212 fprintf(fout, "\n");
213
214
215 fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
216 fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
217 fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
218 fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
219 fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
220
221 fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
222 fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
223
224 fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
225 fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
226 fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
227
228 fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
229
230 fclose(fout);
231
232 fout = fopen(ctxout, "w");
233 if (!fout) {
234 printf("Wrote policy, but cannot open %s for writing\n", ctxout);
235 usage(argv[0]);
236 }
237 fprintf(fout, "/ user_u:base_r:base_t\n");
238 fprintf(fout, "/.* user_u:base_r:base_t\n");
239 fclose(fout);
240
241 return 0;
242 }
243