From 8753f6bec352392b52ed9b5e290afb34379f4612 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 30 Sep 2009 13:41:02 -0400
Subject: selinux: generate flask headers during kernel build

Add a simple utility (scripts/selinux/genheaders) and invoke it to
generate the kernel-private class and permission indices in flask.h
and av_permissions.h automatically during the kernel build from the
security class mapping definitions in classmap.h.  Adding new kernel
classes and permissions can then be done just by adding them to classmap.h.

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
---
 scripts/selinux/genheaders/Makefile     |   5 ++
 scripts/selinux/genheaders/genheaders.c | 118 ++++++++++++++++++++++++++++++++
 2 files changed, 123 insertions(+)
 create mode 100644 scripts/selinux/genheaders/Makefile
 create mode 100644 scripts/selinux/genheaders/genheaders.c

(limited to 'scripts/selinux/genheaders')

diff --git a/scripts/selinux/genheaders/Makefile b/scripts/selinux/genheaders/Makefile
new file mode 100644
index 00000000000..417b165008e
--- /dev/null
+++ b/scripts/selinux/genheaders/Makefile
@@ -0,0 +1,5 @@
+hostprogs-y	:= genheaders
+HOST_EXTRACFLAGS += -Isecurity/selinux/include
+
+always		:= $(hostprogs-y)
+clean-files	:= $(hostprogs-y)
diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
new file mode 100644
index 00000000000..3b16145dabe
--- /dev/null
+++ b/scripts/selinux/genheaders/genheaders.c
@@ -0,0 +1,118 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <ctype.h>
+
+struct security_class_mapping {
+	const char *name;
+	const char *perms[sizeof(unsigned) * 8 + 1];
+};
+
+#include "classmap.h"
+#include "initial_sid_to_string.h"
+
+#define max(x, y) ((x > y) ? x : y)
+
+const char *progname;
+
+void usage(void)
+{
+	printf("usage: %s flask.h av_permissions.h\n", progname);
+	exit(1);
+}
+
+char *stoupperx(const char *s)
+{
+	char *s2 = strdup(s);
+	char *p;
+
+	if (!s2) {
+		fprintf(stderr, "%s:  out of memory\n", progname);
+		exit(3);
+	}
+
+	for (p = s2; *p; p++)
+		*p = toupper(*p);
+	return s2;
+}
+
+int main(int argc, char *argv[])
+{
+	int i, j, k;
+	int isids_len;
+	FILE *fout;
+
+	progname = argv[0];
+
+	if (argc < 3)
+		usage();
+
+	fout = fopen(argv[1], "w");
+	if (!fout) {
+		fprintf(stderr, "Could not open %s for writing:  %s\n",
+			argv[1], strerror(errno));
+		exit(2);
+	}
+
+	for (i = 0; secclass_map[i].name; i++) {
+		struct security_class_mapping *map = &secclass_map[i];
+		map->name = stoupperx(map->name);
+		for (j = 0; map->perms[j]; j++)
+			map->perms[j] = stoupperx(map->perms[j]);
+	}
+
+	isids_len = sizeof(initial_sid_to_string) / sizeof (char *);
+	for (i = 1; i < isids_len; i++)
+		initial_sid_to_string[i] = stoupperx(initial_sid_to_string[i]);
+
+	fprintf(fout, "/* This file is automatically generated.  Do not edit. */\n");
+	fprintf(fout, "#ifndef _SELINUX_FLASK_H_\n#define _SELINUX_FLASK_H_\n\n");
+
+	for (i = 0; secclass_map[i].name; i++) {
+		struct security_class_mapping *map = &secclass_map[i];
+		fprintf(fout, "#define SECCLASS_%s", map->name);
+		for (j = 0; j < max(1, 40 - strlen(map->name)); j++)
+			fprintf(fout, " ");
+		fprintf(fout, "%2d\n", i+1);
+	}
+
+	fprintf(fout, "\n");
+
+	for (i = 1; i < isids_len; i++) {
+		char *s = initial_sid_to_string[i];
+		fprintf(fout, "#define SECINITSID_%s", s);
+		for (j = 0; j < max(1, 40 - strlen(s)); j++)
+			fprintf(fout, " ");
+		fprintf(fout, "%2d\n", i);
+	}
+	fprintf(fout, "\n#define SECINITSID_NUM %d\n", i-1);
+	fprintf(fout, "\n#endif\n");
+	fclose(fout);
+
+	fout = fopen(argv[2], "w");
+	if (!fout) {
+		fprintf(stderr, "Could not open %s for writing:  %s\n",
+			argv[2], strerror(errno));
+		exit(4);
+	}
+
+	fprintf(fout, "/* This file is automatically generated.  Do not edit. */\n");
+	fprintf(fout, "#ifndef _SELINUX_AV_PERMISSIONS_H_\n#define _SELINUX_AV_PERMISSIONS_H_\n\n");
+
+	for (i = 0; secclass_map[i].name; i++) {
+		struct security_class_mapping *map = &secclass_map[i];
+		for (j = 0; map->perms[j]; j++) {
+			fprintf(fout, "#define %s__%s", map->name,
+				map->perms[j]);
+			for (k = 0; k < max(1, 40 - strlen(map->name) - strlen(map->perms[j])); k++)
+				fprintf(fout, " ");
+			fprintf(fout, "0x%08xUL\n", (1<<j));
+		}
+	}
+
+	fprintf(fout, "\n#endif\n");
+	fclose(fout);
+	exit(0);
+}
-- 
cgit v1.2.3-70-g09d2


From 6e8e16c7bc298d7887584c3d027e05db3e86eed9 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@redhat.com>
Date: Thu, 22 Oct 2009 15:38:26 -0400
Subject: SELinux: add .gitignore files for dynamic classes

The SELinux dynamic class work in c6d3aaa4e35c71a32a86ececacd4eea7ecfc316c
creates a number of dynamic header files and scripts.  Add .gitignore files
so git doesn't complain about these.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen D. Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
---
 Documentation/dontdiff                | 3 +++
 scripts/selinux/genheaders/.gitignore | 1 +
 security/selinux/.gitignore           | 2 ++
 3 files changed, 6 insertions(+)
 create mode 100644 scripts/selinux/genheaders/.gitignore
 create mode 100644 security/selinux/.gitignore

(limited to 'scripts/selinux/genheaders')

diff --git a/Documentation/dontdiff b/Documentation/dontdiff
index e1efc400bed..e151b2a3626 100644
--- a/Documentation/dontdiff
+++ b/Documentation/dontdiff
@@ -65,6 +65,7 @@ aicdb.h*
 asm-offsets.h
 asm_offsets.h
 autoconf.h*
+av_permissions.h
 bbootsect
 bin2c
 binkernel.spec
@@ -95,12 +96,14 @@ docproc
 elf2ecoff
 elfconfig.h*
 fixdep
+flask.h
 fore200e_mkfirm
 fore200e_pca_fw.c*
 gconf
 gen-devlist
 gen_crc32table
 gen_init_cpio
+genheaders
 genksyms
 *_gray256.c
 ihex2fw
diff --git a/scripts/selinux/genheaders/.gitignore b/scripts/selinux/genheaders/.gitignore
new file mode 100644
index 00000000000..4c0b646ff8d
--- /dev/null
+++ b/scripts/selinux/genheaders/.gitignore
@@ -0,0 +1 @@
+genheaders
diff --git a/security/selinux/.gitignore b/security/selinux/.gitignore
new file mode 100644
index 00000000000..2e5040a3d48
--- /dev/null
+++ b/security/selinux/.gitignore
@@ -0,0 +1,2 @@
+av_permissions.h
+flask.h
-- 
cgit v1.2.3-70-g09d2


From 821d35a56044e522e811f6a1e8632cc230360280 Mon Sep 17 00:00:00 2001
From: Alan Cox <alan@linux.intel.com>
Date: Wed, 18 Nov 2009 14:39:51 +0000
Subject: selinux: Fix warnings

scripts/selinux/genheaders/genheaders.c:20: warning: no previous prototype
for ?usage?
scripts/selinux/genheaders/genheaders.c:26: warning: no previous prototype
for ?stoupperx?

Signed-off-by: Alan Cox <alan@linux.intel.com>
Acked-by: WANG Cong <xiyou.wangcong@gmail.com>
Signed-off-by: James Morris <jmorris@namei.org>
---
 scripts/selinux/genheaders/genheaders.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'scripts/selinux/genheaders')

diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
index 3b16145dabe..771b86f4619 100644
--- a/scripts/selinux/genheaders/genheaders.c
+++ b/scripts/selinux/genheaders/genheaders.c
@@ -17,13 +17,13 @@ struct security_class_mapping {
 
 const char *progname;
 
-void usage(void)
+static void usage(void)
 {
 	printf("usage: %s flask.h av_permissions.h\n", progname);
 	exit(1);
 }
 
-char *stoupperx(const char *s)
+static char *stoupperx(const char *s)
 {
 	char *s2 = strdup(s);
 	char *p;
-- 
cgit v1.2.3-70-g09d2


From 85c3b529f8ad4d65ba86b982ef050212ae7dd976 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@redhat.com>
Date: Fri, 20 Nov 2009 11:00:12 -0500
Subject: SELinux: header generation may hit infinite loop

If a permission name is long enough the selinux class definition generation
tool will go into a infinite loop.  This is because it's macro max() is
fooled into thinking it is dealing with unsigned numbers.  This patch makes
sure the macro always uses signed number so 1 > -1.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
---
 scripts/selinux/genheaders/genheaders.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'scripts/selinux/genheaders')

diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
index 771b86f4619..24626968055 100644
--- a/scripts/selinux/genheaders/genheaders.c
+++ b/scripts/selinux/genheaders/genheaders.c
@@ -13,7 +13,7 @@ struct security_class_mapping {
 #include "classmap.h"
 #include "initial_sid_to_string.h"
 
-#define max(x, y) ((x > y) ? x : y)
+#define max(x, y) (((int)(x) > (int)(y)) ? x : y)
 
 const char *progname;
 
-- 
cgit v1.2.3-70-g09d2