summaryrefslogtreecommitdiffstats
path: root/scripts
diff options
context:
space:
mode:
Diffstat (limited to 'scripts')
-rw-r--r--scripts/Makefile3
-rwxr-xr-xscripts/checkstack.pl5
-rw-r--r--scripts/kconfig/conf.c123
-rw-r--r--scripts/kconfig/confdata.c8
-rwxr-xr-xscripts/kernel-doc4
-rw-r--r--scripts/mod/modpost.c6
-rw-r--r--scripts/selinux/Makefile2
-rw-r--r--scripts/selinux/README2
-rw-r--r--scripts/selinux/install_policy.sh69
-rw-r--r--scripts/selinux/mdp/.gitignore2
-rw-r--r--scripts/selinux/mdp/Makefile5
-rw-r--r--scripts/selinux/mdp/dbus_contexts6
-rw-r--r--scripts/selinux/mdp/mdp.c242
13 files changed, 405 insertions, 72 deletions
diff --git a/scripts/Makefile b/scripts/Makefile
index 1c73c5aea66b..aafdf064feef 100644
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -20,6 +20,7 @@ hostprogs-y += unifdef
subdir-$(CONFIG_MODVERSIONS) += genksyms
subdir-y += mod
+subdir-$(CONFIG_SECURITY_SELINUX) += selinux
# Let clean descend into subdirs
-subdir- += basic kconfig package
+subdir- += basic kconfig package selinux
diff --git a/scripts/checkstack.pl b/scripts/checkstack.pl
index 3eca62566d6b..f7e8e93ff30d 100755
--- a/scripts/checkstack.pl
+++ b/scripts/checkstack.pl
@@ -81,7 +81,10 @@ my (@stack, $re, $dre, $x, $xs);
$re = qr/.*st[dw]u.*r1,-($x{1,8})\(r1\)/o;
} elsif ($arch =~ /^s390x?$/) {
# 11160: a7 fb ff 60 aghi %r15,-160
- $re = qr/.*ag?hi.*\%r15,-(([0-9]{2}|[3-9])[0-9]{2})/o;
+ # or
+ # 100092: e3 f0 ff c8 ff 71 lay %r15,-56(%r15)
+ $re = qr/.*(?:lay|ag?hi).*\%r15,-(([0-9]{2}|[3-9])[0-9]{2})
+ (?:\(\%r15\))?$/ox;
} elsif ($arch =~ /^sh64$/) {
#XXX: we only check for the immediate case presently,
# though we will want to check for the movi/sub
diff --git a/scripts/kconfig/conf.c b/scripts/kconfig/conf.c
index 36b5eedcdc75..3e1057f885c6 100644
--- a/scripts/kconfig/conf.c
+++ b/scripts/kconfig/conf.c
@@ -32,6 +32,7 @@ char *defconfig_file;
static int indent = 1;
static int valid_stdin = 1;
+static int sync_kconfig;
static int conf_cnt;
static char line[128];
static struct menu *rootEntry;
@@ -65,7 +66,7 @@ static void strip(char *str)
static void check_stdin(void)
{
- if (!valid_stdin && input_mode == ask_silent) {
+ if (!valid_stdin) {
printf(_("aborted!\n\n"));
printf(_("Console input/output is redirected. "));
printf(_("Run 'make oldconfig' to update configuration.\n\n"));
@@ -427,43 +428,6 @@ static void check_conf(struct menu *menu)
check_conf(child);
}
-static void conf_do_update(void)
-{
- /* Update until a loop caused no more changes */
- do {
- conf_cnt = 0;
- check_conf(&rootmenu);
- } while (conf_cnt);
-}
-
-static int conf_silent_update(void)
-{
- const char *name;
-
- if (conf_get_changed()) {
- name = getenv("KCONFIG_NOSILENTUPDATE");
- if (name && *name) {
- fprintf(stderr,
- _("\n*** Kernel configuration requires explicit update.\n\n"));
- return 1;
- }
- conf_do_update();
- }
- return 0;
-}
-
-static int conf_update(void)
-{
- rootEntry = &rootmenu;
- conf(&rootmenu);
- if (input_mode == ask_all) {
- input_mode = ask_silent;
- valid_stdin = 1;
- }
- conf_do_update();
- return 0;
-}
-
int main(int ac, char **av)
{
int opt;
@@ -477,11 +441,11 @@ int main(int ac, char **av)
while ((opt = getopt(ac, av, "osdD:nmyrh")) != -1) {
switch (opt) {
case 'o':
- input_mode = ask_new;
+ input_mode = ask_silent;
break;
case 's':
input_mode = ask_silent;
- valid_stdin = isatty(0) && isatty(1) && isatty(2);
+ sync_kconfig = 1;
break;
case 'd':
input_mode = set_default;
@@ -519,6 +483,19 @@ int main(int ac, char **av)
name = av[optind];
conf_parse(name);
//zconfdump(stdout);
+ if (sync_kconfig) {
+ if (stat(".config", &tmpstat)) {
+ fprintf(stderr, _("***\n"
+ "*** You have not yet configured your kernel!\n"
+ "*** (missing kernel .config file)\n"
+ "***\n"
+ "*** Please run some configurator (e.g. \"make oldconfig\" or\n"
+ "*** \"make menuconfig\" or \"make xconfig\").\n"
+ "***\n"));
+ exit(1);
+ }
+ }
+
switch (input_mode) {
case set_default:
if (!defconfig_file)
@@ -531,16 +508,6 @@ int main(int ac, char **av)
}
break;
case ask_silent:
- if (stat(".config", &tmpstat)) {
- printf(_("***\n"
- "*** You have not yet configured your kernel!\n"
- "*** (missing kernel .config file)\n"
- "***\n"
- "*** Please run some configurator (e.g. \"make oldconfig\" or\n"
- "*** \"make menuconfig\" or \"make xconfig\").\n"
- "***\n"));
- exit(1);
- }
case ask_all:
case ask_new:
conf_read(NULL);
@@ -569,6 +536,19 @@ int main(int ac, char **av)
default:
break;
}
+
+ if (sync_kconfig) {
+ if (conf_get_changed()) {
+ name = getenv("KCONFIG_NOSILENTUPDATE");
+ if (name && *name) {
+ fprintf(stderr,
+ _("\n*** Kernel configuration requires explicit update.\n\n"));
+ return 1;
+ }
+ }
+ valid_stdin = isatty(0) && isatty(1) && isatty(2);
+ }
+
switch (input_mode) {
case set_no:
conf_set_all_new_symbols(def_no);
@@ -585,27 +565,38 @@ int main(int ac, char **av)
case set_default:
conf_set_all_new_symbols(def_default);
break;
- case ask_silent:
case ask_new:
- if (conf_silent_update())
- exit(1);
- break;
case ask_all:
- if (conf_update())
- exit(1);
+ rootEntry = &rootmenu;
+ conf(&rootmenu);
+ input_mode = ask_silent;
+ /* fall through */
+ case ask_silent:
+ /* Update until a loop caused no more changes */
+ do {
+ conf_cnt = 0;
+ check_conf(&rootmenu);
+ } while (conf_cnt);
break;
}
- if (conf_write(NULL)) {
- fprintf(stderr, _("\n*** Error during writing of the kernel configuration.\n\n"));
- exit(1);
- }
- /* ask_silent is used during the build so we shall update autoconf.
- * All other commands are only used to generate a config.
- */
- if (input_mode == ask_silent && conf_write_autoconf()) {
- fprintf(stderr, _("\n*** Error during writing of the kernel configuration.\n\n"));
- return 1;
+ if (sync_kconfig) {
+ /* silentoldconfig is used during the build so we shall update autoconf.
+ * All other commands are only used to generate a config.
+ */
+ if (conf_get_changed() && conf_write(NULL)) {
+ fprintf(stderr, _("\n*** Error during writing of the kernel configuration.\n\n"));
+ exit(1);
+ }
+ if (conf_write_autoconf()) {
+ fprintf(stderr, _("\n*** Error during update of the kernel configuration.\n\n"));
+ return 1;
+ }
+ } else {
+ if (conf_write(NULL)) {
+ fprintf(stderr, _("\n*** Error during writing of the kernel configuration.\n\n"));
+ exit(1);
+ }
}
return 0;
}
diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c
index df6a188b9930..b91cf241a539 100644
--- a/scripts/kconfig/confdata.c
+++ b/scripts/kconfig/confdata.c
@@ -222,8 +222,10 @@ load:
continue;
if (def == S_DEF_USER) {
sym = sym_find(line + 9);
- if (!sym)
+ if (!sym) {
+ sym_add_change_count(1);
break;
+ }
} else {
sym = sym_lookup(line + 9, 0);
if (sym->type == S_UNKNOWN)
@@ -259,8 +261,10 @@ load:
}
if (def == S_DEF_USER) {
sym = sym_find(line + 7);
- if (!sym)
+ if (!sym) {
+ sym_add_change_count(1);
break;
+ }
} else {
sym = sym_lookup(line + 7, 0);
if (sym->type == S_UNKNOWN)
diff --git a/scripts/kernel-doc b/scripts/kernel-doc
index ff787e6ff8ed..44ee94d2ab76 100755
--- a/scripts/kernel-doc
+++ b/scripts/kernel-doc
@@ -781,6 +781,7 @@ sub output_struct_xml(%) {
print " <refsect1>\n";
print " <title>Members</title>\n";
+ if ($#{$args{'parameterlist'}} >= 0) {
print " <variablelist>\n";
foreach $parameter (@{$args{'parameterlist'}}) {
($parameter =~ /^#/) && next;
@@ -798,6 +799,9 @@ sub output_struct_xml(%) {
print " </varlistentry>\n";
}
print " </variablelist>\n";
+ } else {
+ print " <para>\n None\n </para>\n";
+ }
print " </refsect1>\n";
output_section_xml(@_);
diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index 418cd7dbbc93..8e0de6a5e18a 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -1986,11 +1986,13 @@ static void read_markers(const char *fname)
mod = find_module(modname);
if (!mod) {
- if (is_vmlinux(modname))
- have_vmlinux = 1;
mod = new_module(NOFAIL(strdup(modname)));
mod->skip = 1;
}
+ if (is_vmlinux(modname)) {
+ have_vmlinux = 1;
+ mod->skip = 0;
+ }
if (!mod->skip)
add_marker(mod, marker, fmt);
diff --git a/scripts/selinux/Makefile b/scripts/selinux/Makefile
new file mode 100644
index 000000000000..ca4b1ec01822
--- /dev/null
+++ b/scripts/selinux/Makefile
@@ -0,0 +1,2 @@
+subdir-y := mdp
+subdir- += mdp
diff --git a/scripts/selinux/README b/scripts/selinux/README
new file mode 100644
index 000000000000..a936315ba2c8
--- /dev/null
+++ b/scripts/selinux/README
@@ -0,0 +1,2 @@
+Please see Documentation/SELinux.txt for information on
+installing a dummy SELinux policy.
diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
new file mode 100644
index 000000000000..7b9ccf61f8f9
--- /dev/null
+++ b/scripts/selinux/install_policy.sh
@@ -0,0 +1,69 @@
+#!/bin/sh
+if [ `id -u` -ne 0 ]; then
+ echo "$0: must be root to install the selinux policy"
+ exit 1
+fi
+SF=`which setfiles`
+if [ $? -eq 1 ]; then
+ if [ -f /sbin/setfiles ]; then
+ SF="/usr/setfiles"
+ else
+ echo "no selinux tools installed: setfiles"
+ exit 1
+ fi
+fi
+
+cd mdp
+
+CP=`which checkpolicy`
+VERS=`$CP -V | awk '{print $1}'`
+
+./mdp policy.conf file_contexts
+$CP -o policy.$VERS policy.conf
+
+mkdir -p /etc/selinux/dummy/policy
+mkdir -p /etc/selinux/dummy/contexts/files
+
+cp file_contexts /etc/selinux/dummy/contexts/files
+cp dbus_contexts /etc/selinux/dummy/contexts
+cp policy.$VERS /etc/selinux/dummy/policy
+FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
+
+if [ ! -d /etc/selinux ]; then
+ mkdir -p /etc/selinux
+fi
+if [ ! -f /etc/selinux/config ]; then
+ cat > /etc/selinux/config << EOF
+SELINUX=enforcing
+SELINUXTYPE=dummy
+EOF
+else
+ TYPE=`cat /etc/selinux/config | grep "^SELINUXTYPE" | tail -1 | awk -F= '{ print $2 '}`
+ if [ "eq$TYPE" != "eqdummy" ]; then
+ selinuxenabled
+ if [ $? -eq 0 ]; then
+ echo "SELinux already enabled with a non-dummy policy."
+ echo "Exiting. Please install policy by hand if that"
+ echo "is what you REALLY want."
+ exit 1
+ fi
+ mv /etc/selinux/config /etc/selinux/config.mdpbak
+ grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config
+ echo "SELINUXTYPE=dummy" >> /etc/selinux/config
+ fi
+fi
+
+cd /etc/selinux/dummy/contexts/files
+$SF file_contexts /
+
+mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs|ext4|ext4dev|gfs2" | awk '{ print $2 '}`
+$SF file_contexts $mounts
+
+
+dodev=`cat /proc/$$/mounts | grep "/dev "`
+if [ "eq$dodev" != "eq" ]; then
+ mount --move /dev /mnt
+ $SF file_contexts /dev
+ mount --move /mnt /dev
+fi
+
diff --git a/scripts/selinux/mdp/.gitignore b/scripts/selinux/mdp/.gitignore
new file mode 100644
index 000000000000..654546d8dffd
--- /dev/null
+++ b/scripts/selinux/mdp/.gitignore
@@ -0,0 +1,2 @@
+# Generated file
+mdp
diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile
new file mode 100644
index 000000000000..eb365b333441
--- /dev/null
+++ b/scripts/selinux/mdp/Makefile
@@ -0,0 +1,5 @@
+hostprogs-y := mdp
+HOST_EXTRACFLAGS += -Isecurity/selinux/include
+
+always := $(hostprogs-y)
+clean-files := $(hostprogs-y) policy.* file_contexts
diff --git a/scripts/selinux/mdp/dbus_contexts b/scripts/selinux/mdp/dbus_contexts
new file mode 100644
index 000000000000..116e684f9fc1
--- /dev/null
+++ b/scripts/selinux/mdp/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ </selinux>
+</busconfig>
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
new file mode 100644
index 000000000000..ca757d486187
--- /dev/null
+++ b/scripts/selinux/mdp/mdp.c
@@ -0,0 +1,242 @@
+/*
+ *
+ * mdp - make dummy policy
+ *
+ * When pointed at a kernel tree, builds a dummy policy for that kernel
+ * with exactly one type with full rights to itself.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) IBM Corporation, 2006
+ *
+ * Authors: Serge E. Hallyn <serue@us.ibm.com>
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+
+#include "flask.h"
+
+void usage(char *name)
+{
+ printf("usage: %s [-m] policy_file context_file\n", name);
+ exit(1);
+}
+
+void find_common_name(char *cname, char *dest, int len)
+{
+ char *start, *end;
+
+ start = strchr(cname, '_')+1;
+ end = strchr(start, '_');
+ if (!start || !end || start-cname > len || end-start > len) {
+ printf("Error with commons defines\n");
+ exit(1);
+ }
+ strncpy(dest, start, end-start);
+ dest[end-start] = '\0';
+}
+
+#define S_(x) x,
+static char *classlist[] = {
+#include "class_to_string.h"
+ NULL
+};
+#undef S_
+
+#include "initial_sid_to_string.h"
+
+#define TB_(x) char *x[] = {
+#define TE_(x) NULL };
+#define S_(x) x,
+#include "common_perm_to_string.h"
+#undef TB_
+#undef TE_
+#undef S_
+
+struct common {
+ char *cname;
+ char **perms;
+};
+struct common common[] = {
+#define TB_(x) { #x, x },
+#define S_(x)
+#define TE_(x)
+#include "common_perm_to_string.h"
+#undef TB_
+#undef TE_
+#undef S_
+};
+
+#define S_(x, y, z) {x, #y},
+struct av_inherit {
+ int class;
+ char *common;
+};
+struct av_inherit av_inherit[] = {
+#include "av_inherit.h"
+};
+#undef S_
+
+#include "av_permissions.h"
+#define S_(x, y, z) {x, y, z},
+struct av_perms {
+ int class;
+ int perm_i;
+ char *perm_s;
+};
+struct av_perms av_perms[] = {
+#include "av_perm_to_string.h"
+};
+#undef S_
+
+int main(int argc, char *argv[])
+{
+ int i, j, mls = 0;
+ char **arg, *polout, *ctxout;
+ int classlist_len, initial_sid_to_string_len;
+ FILE *fout;
+
+ if (argc < 3)
+ usage(argv[0]);
+ arg = argv+1;
+ if (argc==4 && strcmp(argv[1], "-m") == 0) {
+ mls = 1;
+ arg++;
+ }
+ polout = *arg++;
+ ctxout = *arg;
+
+ fout = fopen(polout, "w");
+ if (!fout) {
+ printf("Could not open %s for writing\n", polout);
+ usage(argv[0]);
+ }
+
+ classlist_len = sizeof(classlist) / sizeof(char *);
+ /* print out the classes */
+ for (i=1; i < classlist_len; i++) {
+ if(classlist[i])
+ fprintf(fout, "class %s\n", classlist[i]);
+ else
+ fprintf(fout, "class user%d\n", i);
+ }
+ fprintf(fout, "\n");
+
+ initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
+ /* print out the sids */
+ for (i=1; i < initial_sid_to_string_len; i++)
+ fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
+ fprintf(fout, "\n");
+
+ /* print out the commons */
+ for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
+ char cname[101];
+ find_common_name(common[i].cname, cname, 100);
+ cname[100] = '\0';
+ fprintf(fout, "common %s\n{\n", cname);
+ for (j=0; common[i].perms[j]; j++)
+ fprintf(fout, "\t%s\n", common[i].perms[j]);
+ fprintf(fout, "}\n\n");
+ }
+ fprintf(fout, "\n");
+
+ /* print out the class permissions */
+ for (i=1; i < classlist_len; i++) {
+ if (classlist[i]) {
+ int firstperm = -1, numperms = 0;
+
+ fprintf(fout, "class %s\n", classlist[i]);
+ /* does it inherit from a common? */
+ for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)
+ if (av_inherit[j].class == i)
+ fprintf(fout, "inherits %s\n", av_inherit[j].common);
+
+ for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
+ if (av_perms[j].class == i) {
+ if (firstperm == -1)
+ firstperm = j;
+ numperms++;
+ }
+ }
+ if (!numperms) {
+ fprintf(fout, "\n");
+ continue;
+ }
+
+ fprintf(fout, "{\n");
+ /* print out the av_perms */
+ for (j=0; j < numperms; j++) {
+ fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
+ }
+ fprintf(fout, "}\n\n");
+ }
+ }
+ fprintf(fout, "\n");
+
+ /* NOW PRINT OUT MLS STUFF */
+ if (mls) {
+ printf("MLS not yet implemented\n");
+ exit(1);
+ }
+
+ /* types, roles, and allows */
+ fprintf(fout, "type base_t;\n");
+ fprintf(fout, "role base_r types { base_t };\n");
+ for (i=1; i < classlist_len; i++) {
+ if (classlist[i])
+ fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);
+ else
+ fprintf(fout, "allow base_t base_t:user%d *;\n", i);
+ }
+ fprintf(fout, "user user_u roles { base_r };\n");
+ fprintf(fout, "\n");
+
+ /* default sids */
+ for (i=1; i < initial_sid_to_string_len; i++)
+ fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
+ fprintf(fout, "\n");
+
+
+ fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
+
+ fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
+
+ fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
+
+ fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
+
+ fclose(fout);
+
+ fout = fopen(ctxout, "w");
+ if (!fout) {
+ printf("Wrote policy, but cannot open %s for writing\n", ctxout);
+ usage(argv[0]);
+ }
+ fprintf(fout, "/ user_u:base_r:base_t\n");
+ fprintf(fout, "/.* user_u:base_r:base_t\n");
+ fclose(fout);
+
+ return 0;
+}