projects / platform / kernel / linux-rpi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9123e3a)
scripts/selinux,selinux: update mdp to enable policy capabilities
authorStephen Smalley <stephen.smalley.work@gmail.com>
Thu, 6 Aug 2020 18:34:18 +0000 (14:34 -0400)
committerPaul Moore <paul@paul-moore.com>
Tue, 18 Aug 2020 00:42:00 +0000 (20:42 -0400)
Presently mdp does not enable any SELinux policy capabilities
in the dummy policy it generates. Thus, policies derived from
it will by default lack various features commonly used in modern
policies such as open permission, extended socket classes, network
peer controls, etc.  Split the policy capability definitions out into
their own headers so that we can include them into mdp without pulling in
other kernel headers and extend mdp generate policycap statements for the
policy capabilities known to the kernel.  Policy authors may wish to
selectively remove some of these from the generated policy.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
scripts/selinux/mdp/mdp.c patch | blob | history
security/selinux/include/policycap.h [new file with mode: 0644] patch | blob
security/selinux/include/policycap_names.h [new file with mode: 0644] patch | blob
security/selinux/include/security.h patch | blob | history
security/selinux/ss/services.c patch | blob | history

diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index 6ceb88e..105c1c3 100644 (file)
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -35,6 +35,9 @@ struct security_class_mapping {
 
 #include "classmap.h"
 #include "initial_sid_to_string.h"
+#include "policycap_names.h"
+
+#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
 
 int main(int argc, char *argv[])
 {
@@ -115,6 +118,10 @@ int main(int argc, char *argv[])
                }
        }
 
+       /* enable all policy capabilities */
+       for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
+               fprintf(fout, "policycap %s;\n", selinux_policycap_names[i]);
+
        /* types, roles, and allows */
        fprintf(fout, "type base_t;\n");
        fprintf(fout, "role base_r;\n");
diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h
new file mode 100644 (file)
index 0000000..2ec038e
--- /dev/null
+++ b/security/selinux/include/policycap.h
@@ -0,0 +1,20 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _SELINUX_POLICYCAP_H_
+#define _SELINUX_POLICYCAP_H_
+
+/* Policy capabilities */
+enum {
+       POLICYDB_CAPABILITY_NETPEER,
+       POLICYDB_CAPABILITY_OPENPERM,
+       POLICYDB_CAPABILITY_EXTSOCKCLASS,
+       POLICYDB_CAPABILITY_ALWAYSNETWORK,
+       POLICYDB_CAPABILITY_CGROUPSECLABEL,
+       POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
+       POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS,
+       __POLICYDB_CAPABILITY_MAX
+};
+#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
+
+extern const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];
+
+#endif /* _SELINUX_POLICYCAP_H_ */
diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h
new file mode 100644 (file)
index 0000000..b89289f
--- /dev/null
+++ b/security/selinux/include/policycap_names.h
@@ -0,0 +1,18 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _SELINUX_POLICYCAP_NAMES_H_
+#define _SELINUX_POLICYCAP_NAMES_H_
+
+#include "policycap.h"
+
+/* Policy capability names */
+const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = {
+       "network_peer_controls",
+       "open_perms",
+       "extended_socket_class",
+       "always_check_network",
+       "cgroup_seclabel",
+       "nnp_nosuid_transition",
+       "genfs_seclabel_symlinks"
+};
+
+#endif /* _SELINUX_POLICYCAP_NAMES_H_ */
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index b0e02cf..02dd91c 100644 (file)
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -16,6 +16,7 @@
 #include <linux/refcount.h>
 #include <linux/workqueue.h>
 #include "flask.h"
+#include "policycap.h"
 
 #define SECSID_NULL                    0x00000000 /* unspecified SID */
 #define SECSID_WILD                    0xffffffff /* wildcard SID */
@@ -72,21 +73,6 @@ struct netlbl_lsm_secattr;
 
 extern int selinux_enabled_boot;
 
-/* Policy capabilities */
-enum {
-       POLICYDB_CAPABILITY_NETPEER,
-       POLICYDB_CAPABILITY_OPENPERM,
-       POLICYDB_CAPABILITY_EXTSOCKCLASS,
-       POLICYDB_CAPABILITY_ALWAYSNETWORK,
-       POLICYDB_CAPABILITY_CGROUPSECLABEL,
-       POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
-       POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS,
-       __POLICYDB_CAPABILITY_MAX
-};
-#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
-
-extern const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];
-
 /*
  * type_datum properties
  * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 1caf4e6..6765501 100644 (file)
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -64,17 +64,7 @@
 #include "xfrm.h"
 #include "ebitmap.h"
 #include "audit.h"
-
-/* Policy capability names */
-const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = {
-       "network_peer_controls",
-       "open_perms",
-       "extended_socket_class",
-       "always_check_network",
-       "cgroup_seclabel",
-       "nnp_nosuid_transition",
-       "genfs_seclabel_symlinks"
-};
+#include "policycap_names.h"
 
 static struct selinux_ss selinux_ss;
 
Domain: System / Kernel;