Diffstat (limited to 'scripts/selinux/mdp')
-rw-r--r-- | scripts/selinux/mdp/.gitignore | 2 | ||||
-rw-r--r-- | scripts/selinux/mdp/Makefile | 3 | ||||
-rw-r--r-- | scripts/selinux/mdp/mdp.c | 34 |
3 files changed, 29 insertions, 10 deletions
diff --git a/scripts/selinux/mdp/.gitignore b/scripts/selinux/mdp/.gitignore
index 654546d8dffd..a7482287e77f 100644
--- a/scripts/selinux/mdp/.gitignore
+++ b/scripts/selinux/mdp/.gitignore
@@ -1,2 +1,2 @@
-# Generated file
+# SPDX-License-Identifier: GPL-2.0-only
 mdp
diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile
index 3026f3c2aa2b..d61058ddd15c 100644
--- a/scripts/selinux/mdp/Makefile
+++ b/scripts/selinux/mdp/Makefile
@@ -1,8 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
-hostprogs := mdp
+hostprogs-always-y += mdp
 HOST_EXTRACFLAGS += \
 	-I$(srctree)/include/uapi -I$(srctree)/include \
 	-I$(srctree)/security/selinux/include -I$(objtree)/include
 
-always-y := $(hostprogs)
 clean-files := policy.* file_contexts
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index 576d11a60417..1415604c3d24 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -35,6 +35,9 @@ struct security_class_mapping {
 
 #include "classmap.h"
 #include "initial_sid_to_string.h"
+#include "policycap_names.h"
+
+#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
 
 int main(int argc, char *argv[])
 {
@@ -67,13 +70,19 @@ int main(int argc, char *argv[])
 
 	initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
 	/* print out the sids */
-	for (i = 1; i < initial_sid_to_string_len; i++)
-		fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
+	for (i = 1; i < initial_sid_to_string_len; i++) {
+		const char *name = initial_sid_to_string[i];
+
+		if (name)
+			fprintf(fout, "sid %s\n", name);
+		else
+			fprintf(fout, "sid unused%d\n", i);
+	}
 	fprintf(fout, "\n");
 
 	/* print out the class permissions */
 	for (i = 0; secclass_map[i].name; i++) {
-		struct security_class_mapping *map = &secclass_map[i];
+		const struct security_class_mapping *map = &secclass_map[i];
 		fprintf(fout, "class %s\n", map->name);
 		fprintf(fout, "{\n");
 		for (j = 0; map->perms[j]; j++)
@@ -94,7 +103,7 @@ int main(int argc, char *argv[])
 #define SYSTEMLOW "s0"
 #define SYSTEMHIGH "s1:c0.c1"
 		for (i = 0; secclass_map[i].name; i++) {
-			struct security_class_mapping *map = &secclass_map[i];
+			const struct security_class_mapping *map = &secclass_map[i];
 
 			fprintf(fout, "mlsconstrain %s {\n", map->name);
 			for (j = 0; map->perms[j]; j++)
@@ -109,6 +118,10 @@ int main(int argc, char *argv[])
 		}
 	}
 
+	/* enable all policy capabilities */
+	for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
+		fprintf(fout, "policycap %s;\n", selinux_policycap_names[i]);
+
 	/* types, roles, and allows */
 	fprintf(fout, "type base_t;\n");
 	fprintf(fout, "role base_r;\n");
@@ -126,9 +139,16 @@ int main(int argc, char *argv[])
 #define OBJUSERROLETYPE "user_u:object_r:base_t"
 
 	/* default sids */
-	for (i = 1; i < initial_sid_to_string_len; i++)
-		fprintf(fout, "sid %s " SUBJUSERROLETYPE "%s\n",
-			initial_sid_to_string[i], mls ? ":" SYSTEMLOW : "");
+	for (i = 1; i < initial_sid_to_string_len; i++) {
+		const char *name = initial_sid_to_string[i];
+
+		if (name)
+			fprintf(fout, "sid %s ", name);
+		else
+			fprintf(fout, "sid unused%d\n", i);
+		fprintf(fout, SUBJUSERROLETYPE "%s\n",
+			mls ? ":" SYSTEMLOW : "");
+	}
 	fprintf(fout, "\n");
 
 #define FS_USE(behavior, fstype) \ |
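Review bot: The policycap loop in the `@@ -109,6 +118,10 @@` hunk compares the loop counter `i` with `ARRAY_SIZE(selinux_policycap_names)`, which expands to a `size_t`; `i` is declared outside this hunk, but the `%d` conversions used with it elsewhere in the patch indicate it is a signed int, so this is a signed/unsigned comparison that `-Wsign-compare` (and the kernel's `W=1` host build) will flag. A locally scoped unsigned index sidesteps it without touching the shared counter: `for (size_t k = 0; k < ARRAY_SIZE(selinux_policycap_names); k++)` with `fprintf(fout, "policycap %s;\n", selinux_policycap_names[k]);`. The enclosing `main()` starts and ends outside the hunk.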
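Review bot: In the default-sid loop of the `@@ -126,9 +139,16 @@` hunk, the `else` branch writes `"sid unused%d\n"` with a trailing newline, but the `SUBJUSERROLETYPE "%s\n"` fprintf that follows is unconditional, so an unused sid slot is emitted as `sid unusedN` on one line and the bare context `user_u:user_r:base_t[:s0]` on the next instead of one `sid <name> <context>` statement; the earlier sid-declaration loop in the `@@ -67,13 +70,19 @@` hunk is correct because nothing follows it on the line. The fix is to drop the newline so the branch mirrors the `if` side, `fprintf(fout, "sid unused%d ", i);`. A generated policy.conf with that split statement will presumably not compile, so the dummy policy this tool exists to produce would be unusable whenever `initial_sid_to_string` has a NULL entry. The enclosing `main()` starts and ends outside the hunk.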