Merge remote-tracking branch 'aosp/upstream-master' into mymerge

Steps followed:
  # In repo client
  cd external/selinux
  repo sync .
  repo start mymerge .
  git merge aosp/upstream-master --no-ff # resolve any conflicts
  repo upload .

Test: android compiles and boots and no observed problems.
Change-Id: Ic353353e43d9f90921ea39087289fcd5b98521d6
Nick Kralevich 2018-12-19 13:54:50 -08:00
commit 5dabba05d1
11 changed files with 109 additions and 267 deletions


@ -12,12 +12,8 @@
<!-- Allow anyone to invoke methods on the interfaces,
authorization is performed by PolicyKit -->
<policy at_console="true">
<allow send_destination="org.selinux"/>
</policy>
<policy context="default">
<allow send_destination="org.selinux"
send_interface="org.freedesktop.DBus.Introspectable"/>
<allow send_destination="org.selinux"/>
</policy>
</busconfig>
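Review bot: With the single `<allow send_destination="org.selinux"/>` under `<policy context="default">`, the bus no longer filters callers or interfaces, so the PolicyKit check inside each exported method is the only authorization gate. The existing comment says this in general terms; it would help to extend it to something like `every method exported on org.selinux must perform its own PolicyKit check before acting`, so a method added later is not exposed unchecked. The +/- markers are lost in this rendering, so this reading of which lines remain is inferred from the hunk counts (12 old, 8 new).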


@ -9,7 +9,6 @@ TARGETS= \
booleansPage.py \
domainsPage.py \
fcontextPage.py \
html_util.py \
loginsPage.py \
modulesPage.py \
polgen.ui \


@ -1,175 +0,0 @@
# Authors: John Dennis <jdennis@redhat.com>
#
# Copyright (C) 2007 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
__all__ = [
'escape_html',
'unescape_html',
'html_to_text',
'html_document',
]
import htmllib
import formatter as Formatter
import string
from types import *
try:
from io import StringIO
except ImportError:
from StringIO import StringIO
#------------------------------------------------------------------------------
class TextWriter(Formatter.DumbWriter):
def __init__(self, file=None, maxcol=80, indent_width=4):
Formatter.DumbWriter.__init__(self, file, maxcol)
self.indent_level = 0
self.indent_width = indent_width
self._set_indent()
def _set_indent(self):
self.indent_col = self.indent_level * self.indent_width
self.indent = ' ' * self.indent_col
def new_margin(self, margin, level):
self.indent_level = level
self._set_indent()
def send_label_data(self, data):
data = data + ' '
if len(data) > self.indent_col:
self.send_literal_data(data)
else:
offset = self.indent_col - len(data)
self.send_literal_data(' ' * offset + data)
def send_flowing_data(self, data):
if not data:
return
atbreak = self.atbreak or data[0] in string.whitespace
col = self.col
maxcol = self.maxcol
write = self.file.write
col = self.col
if col == 0:
write(self.indent)
col = self.indent_col
for word in data.split():
if atbreak:
if col + len(word) >= maxcol:
write('\n' + self.indent)
col = self.indent_col
else:
write(' ')
col = col + 1
write(word)
col = col + len(word)
atbreak = 1
self.col = col
self.atbreak = data[-1] in string.whitespace
class HTMLParserAnchor(htmllib.HTMLParser):
def __init__(self, formatter, verbose=0):
htmllib.HTMLParser.__init__(self, formatter, verbose)
def anchor_bgn(self, href, name, type):
self.anchor = href
def anchor_end(self):
if self.anchor:
self.handle_data(' (%s) ' % self.anchor)
self.anchor = None
#------------------------------------------------------------------------------
def escape_html(s):
if s is None:
return None
s = s.replace("&", "&amp;") # Must be done first!
s = s.replace("<", "&lt;")
s = s.replace(">", "&gt;")
s = s.replace("'", "&apos;")
s = s.replace('"', "&quot;")
return s
def unescape_html(s):
if s is None:
return None
if '&' not in s:
return s
s = s.replace("&lt;", "<")
s = s.replace("&gt;", ">")
s = s.replace("&apos;", "'")
s = s.replace("&quot;", '"')
s = s.replace("&amp;", "&") # Must be last
return s
def html_to_text(html, maxcol=80):
try:
buffer = StringIO()
formatter = Formatter.AbstractFormatter(TextWriter(buffer, maxcol))
parser = HTMLParserAnchor(formatter)
parser.feed(html)
parser.close()
text = buffer.getvalue()
buffer.close()
return text
except Exception as e:
log_program.error('cannot convert html to text: %s' % e)
return None
def html_document(*body_components):
'''Wrap the body components in a HTML document structure with a valid header.
Accepts a variable number of arguments of which can be:
* string
* a sequences of strings (tuple or list).
* a callable object taking no parameters and returning a string or sequence of strings.
'''
head = '<html>\n <head>\n <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>\n </head>\n <body>\n'
tail = '\n </body>\n</html>'
doc = head
for body_component in body_components:
if type(body_component) is StringTypes:
doc += body_component
elif type(body_component) in [TupleType, ListType]:
for item in body_component:
doc += item
elif callable(body_component):
result = body_component()
if type(result) in [TupleType, ListType]:
for item in result:
doc += item
else:
doc += result
else:
doc += body_component
doc += tail
return doc


@ -1,5 +1,6 @@
#include <netinet/in.h>
#include <stdlib.h>
#include <inttypes.h>
#include "debug.h"
#include "context.h"
@ -176,7 +177,7 @@ int sepol_ibpkey_query(sepol_handle_t *handle,
return STATUS_SUCCESS;
err:
ERR(handle, "could not query ibpkey subnet prefix: %#lx range %u - %u exists",
ERR(handle, "could not query ibpkey subnet prefix: %#" PRIx64 " range %u - %u exists",
subnet_prefix, low, high);
return STATUS_ERR;
}
@ -203,7 +204,7 @@ int sepol_ibpkey_modify(sepol_handle_t *handle,
return STATUS_SUCCESS;
err:
ERR(handle, "could not load ibpkey subnet prefix: %#lx range %u - %u exists",
ERR(handle, "could not load ibpkey subnet prefix: %#" PRIx64 " range %u - %u exists",
subnet_prefix, low, high);
if (ibpkey) {
context_destroy(&ibpkey->context[0]);
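Review bot: Both rewritten messages still end in "exists" although they report a failed query and a failed load, so the log line reads as if the range had been found; the new lines could drop the word, e.g. `ERR(handle, "could not query ibpkey subnet prefix: %#" PRIx64 " range %u - %u",`. The switch to PRIx64 presumes `subnet_prefix` is a `uint64_t`, and its declaration is outside the hunks. Both functions start and end outside the lines shown.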


@ -1,7 +1,8 @@
#!/usr/bin/python -E
import sys
import re
from selinux import *
import selinux
verbose = 0
errors = 0
@ -18,19 +19,19 @@ for arg in sys.argv[1:]:
line = line.rstrip('\n')
# print line
context, expected = line.split("=")
rc, raw = selinux_trans_to_raw_context(context)
rc, raw = selinux.selinux_trans_to_raw_context(context)
if rc < 0:
print "Unable to get raw context of '%s'" % (context)
print("Unable to get raw context of '%s'" % (context))
errors += 1
continue
rc, colors = selinux_raw_context_to_color(raw)
rc, colors = selinux.selinux_raw_context_to_color(raw)
if rc < 0:
print "Unable to get colors for '%s'" % (context)
print("Unable to get colors for '%s'" % (context))
errors += 1
continue
colors = colors.rstrip()
if colors != expected:
print "For '%s' got\n\t'%s' expected\n\t'%s'" % (context, colors, expected)
print("For '%s' got\n\t'%s' expected\n\t'%s'" % (context, colors, expected))
errors += 1
continue
f.close()
@ -38,6 +39,6 @@ for arg in sys.argv[1:]:
s = "s"
if errors == 1:
s = ""
print "mlscolor-test done with %d error%s" % (errors, s)
print("mlscolor-test done with %d error%s" % (errors, s))
sys.exit(errors)
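Review bot: `sys.exit(errors)` on the last line uses the raw error count as the exit status, which is truncated to 8 bits, so a run with exactly 256 failures would exit 0 and look like a pass. `sys.exit(1 if errors else 0)` keeps the status meaningful, since the count is already printed on the line before. The same closing line appears in the mlstrans test script later in this commit.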


@ -1,31 +1,33 @@
#!/usr/bin/python -E
import sys
import re
from selinux import *
import selinux
verbose = 0
errors = 0
def untrans(trans, val):
global errors, verbose
(rc, raw) = selinux_trans_to_raw_context(trans)
(rc, raw) = selinux.selinux_trans_to_raw_context(trans)
if raw != val:
print "untrans: '%s' -> '%s' != '%s' FAILED" % (trans, raw, val)
print("untrans: '%s' -> '%s' != '%s' FAILED" % (trans, raw, val))
errors += 1
else:
if verbose:
print "untrans: %s -> %s != %s SUCCESS" % (trans, raw, val)
print("untrans: %s -> %s != %s SUCCESS" % (trans, raw, val))
def trans(raw, val):
global errors, verbose
(rc, trans) = selinux_raw_to_trans_context(raw)
(rc, trans) = selinux.selinux_raw_to_trans_context(raw)
if trans != val:
print "trans: '%s' -> '%s' != '%s' FAILED" % (raw, trans, val)
print("trans: '%s' -> '%s' != '%s' FAILED" % (raw, trans, val))
errors += 1
else:
if verbose:
print "trans: %s -> %s != %s SUCCESS" % (raw, trans, val)
print("trans: %s -> %s != %s SUCCESS" % (raw, trans, val))
if len(sys.argv) > 1 and sys.argv[1] == "-v":
verbose = 1
@ -38,8 +40,7 @@ for arg in sys.argv[1:]:
if not line.strip():
continue
line = line.rstrip('\n')
# print line
if (line.find("==") != -1):
if line.find("==") != -1:
t, r = line.split("==")
untrans("a:b:c:" + t, "a:b:c:" + r)
trans("a:b:c:" + r, "a:b:c:" + t)
@ -51,6 +52,6 @@ for arg in sys.argv[1:]:
s = "s"
if errors == 1:
s = ""
print "mlstrans-test done with %d error%s" % (errors, s)
print("mlstrans-test done with %d error%s" % (errors, s))
sys.exit(errors)
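Review bot: The verbose success messages in untrans() and trans() still print `!=` between the result and the expected value, so a passing line reads like a mismatch. `print("untrans: %s -> %s == %s SUCCESS" % (trans, raw, val))` and the matching line in trans() would state what was actually checked. `rc` is unpacked in both helpers but never examined, so a failed conversion is only noticed if the returned string happens to differ from `val`.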


@ -4,7 +4,7 @@
#
# chcat is a script that allows you modify the Security label on a file
#
#` Author: Daniel Walsh <dwalsh@redhat.com>
# Author: Daniel Walsh <dwalsh@redhat.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
@ -22,14 +22,10 @@
# 02111-1307 USA
#
#
try:
from subprocess import getstatusoutput
except ImportError:
from commands import getstatusoutput
import subprocess
import sys
import os
import pwd
import string
import getopt
import selinux
import seobject
@ -44,7 +40,7 @@ try:
localedir="/usr/share/locale",
codeset='utf-8',
**kwargs)
except:
except ImportError:
try:
import builtins
builtins.__dict__['_'] = str
@ -86,8 +82,7 @@ def chcat_user_add(newcat, users):
if len(serange) > 1:
top = serange[1].split(":")
if len(top) > 1:
cats.append(top[1])
cats = expandCats(cats)
cats = expandCats(top[1].split(','))
for i in newcat[1:]:
if i not in cats:
@ -99,12 +94,12 @@ def chcat_user_add(newcat, users):
new_serange = "%s-%s" % (serange[0], top[0])
if add_ind:
cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
else:
cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
rc = getstatusoutput(cmd)
if rc[0] != 0:
print(rc[1])
cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
try:
subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
except subprocess.CalledProcessError:
errors += 1
return errors
@ -140,10 +135,11 @@ def chcat_add(orig, newcat, objects, login_ind):
cat_string = "%s,%s" % (cat_string, c)
else:
cat_string = cat
cmd = 'chcon -l %s:%s %s' % (sensitivity, cat_string, f)
rc = getstatusoutput(cmd)
if rc[0] != 0:
print(rc[1])
cmd = ["chcon", "-l", "%s:%s" % (sensitivity, cat_string), f]
try:
subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
except subprocess.CalledProcessError:
errors += 1
return errors
@ -166,8 +162,7 @@ def chcat_user_remove(newcat, users):
if len(serange) > 1:
top = serange[1].split(":")
if len(top) > 1:
cats.append(top[1])
cats = expandCats(cats)
cats = expandCats(top[1].split(','))
for i in newcat[1:]:
if i in cats:
@ -179,13 +174,15 @@ def chcat_user_remove(newcat, users):
new_serange = "%s-%s" % (serange[0], top[0])
if add_ind:
cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
else:
cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
rc = getstatusoutput(cmd)
if rc[0] != 0:
print(rc[1])
cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
try:
subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
except subprocess.CalledProcessError:
errors += 1
return errors
@ -224,12 +221,14 @@ def chcat_remove(orig, newcat, objects, login_ind):
continue
if len(cat) == 0:
cmd = 'chcon -l %s %s' % (sensitivity, f)
new_serange = sensitivity
else:
cmd = 'chcon -l %s:%s %s' % (sensitivity, cat, f)
rc = getstatusoutput(cmd)
if rc[0] != 0:
print(rc[1])
new_serange = '%s:%s' % (sensitivity, cat)
cmd = ["chcon", "-l", new_serange, f]
try:
subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
except subprocess.CalledProcessError:
errors += 1
return errors
@ -247,17 +246,17 @@ def chcat_user_replace(newcat, users):
add_ind = 1
user = seusers["__default__"]
serange = user[1].split("-")
new_serange = "%s-%s:%s" % (serange[0], newcat[0], string.join(newcat[1:], ","))
new_serange = "%s-%s:%s" % (serange[0], newcat[0], ",".join(newcat[1:]))
if new_serange[-1:] == ":":
new_serange = new_serange[:-1]
if add_ind:
cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
else:
cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
rc = getstatusoutput(cmd)
if rc[0] != 0:
print(rc[1])
cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
try:
subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
except subprocess.CalledProcessError:
errors += 1
return errors
@ -266,21 +265,18 @@ def chcat_replace(newcat, objects, login_ind):
if login_ind == 1:
return chcat_user_replace(newcat, objects)
errors = 0
# newcat[0] is the sensitivity level, newcat[1:] are the categories
if len(newcat) == 1:
sensitivity = newcat[0]
cmd = 'chcon -l %s ' % newcat[0]
new_serange = newcat[0]
else:
sensitivity = newcat[0]
cmd = 'chcon -l %s:%s' % (sensitivity, newcat[1])
new_serange = "%s:%s" % (newcat[0], newcat[1])
for cat in newcat[2:]:
cmd = '%s,%s' % (cmd, cat)
new_serange = '%s,%s' % (new_serange, cat)
for f in objects:
cmd = "%s %s" % (cmd, f)
rc = getstatusoutput(cmd)
if rc[0] != 0:
print(rc[1])
cmd = ["chcon", "-l", new_serange] + objects
try:
subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
except subprocess.CalledProcessError:
errors += 1
return errors
@ -384,7 +380,7 @@ def listusercats(users):
if len(users) == 0:
try:
users.append(os.getlogin())
except:
except OSError:
users.append(pwd.getpwuid(os.getuid()).pw_name)
verify_users(users)
@ -401,6 +397,7 @@ def error(msg):
print("%s: %s" % (sys.argv[0], msg))
sys.exit(1)
if __name__ == '__main__':
if selinux.is_selinux_mls_enabled() != 1:
error("Requires a mls enabled system")
@ -435,7 +432,7 @@ if __name__ == '__main__':
except getopt.error as error:
errorExit(_("Options Error %s ") % error.msg)
except ValueError as e:
except ValueError:
usage()
if delete_ind:
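Review bot: The argument-list form removes shell interpretation, but a file name or login name beginning with `-` is still parsed as an option by chcon or semanage, because the operands follow the options with no `--` separator. In chcat_replace this would be `cmd = ["chcon", "-l", new_serange, "--"] + objects`, with the same `"--"` before `f` in chcat_add and chcat_remove. The same applies before `u` in the semanage login calls, assuming semanage's parser accepts `--`. These functions start and end outside the hunks shown, so how `objects` and `users` are validated beforehand is not visible here.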


@ -776,7 +776,7 @@ def setupDontauditParser(subparsers):
def handleExport(args):
manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module"]
manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey"]
for i in manageditems:
print("%s -D" % i)
for i in manageditems:


@ -747,7 +747,10 @@ class loginRecords(semanageRecords):
l = []
ddict = self.get_all(True)
for k in sorted(ddict.keys()):
l.append("-a -s %s -r '%s' %s" % (ddict[k][0], ddict[k][1], k))
if ddict[k][1]:
l.append("-a -s %s -r '%s' %s" % (ddict[k][0], ddict[k][1], k))
else:
l.append("-a -s %s %s" % (ddict[k][0], k))
return l
def list(self, heading=1, locallist=0):
@ -1014,7 +1017,10 @@ class seluserRecords(semanageRecords):
l = []
ddict = self.get_all(True)
for k in sorted(ddict.keys()):
l.append("-a -L %s -r %s -R '%s' %s" % (ddict[k][1], ddict[k][2], ddict[k][3], k))
if ddict[k][1] or ddict[k][2]:
l.append("-a -L %s -r %s -R '%s' %s" % (ddict[k][1], ddict[k][2], ddict[k][3], k))
else:
l.append("-a -R '%s' %s" % (ddict[k][3], k))
return l
def list(self, heading=1, locallist=0):
@ -1292,10 +1298,11 @@ class portRecords(semanageRecords):
l = []
ddict = self.get_all(True)
for k in sorted(ddict.keys()):
if k[0] == k[1]:
l.append("-a -t %s -p %s %s" % (ddict[k][0], k[2], k[0]))
port = k[0] if k[0] == k[1] else "%s-%s" % (k[0], k[1])
if ddict[k][1]:
l.append("-a -t %s -r '%s' -p %s %s" % (ddict[k][0], ddict[k][1], k[2], port))
else:
l.append("-a -t %s -p %s %s-%s" % (ddict[k][0], k[2], k[0], k[1]))
l.append("-a -t %s -p %s %s" % (ddict[k][0], k[2], port))
return l
def list(self, heading=1, locallist=0):
@ -1549,10 +1556,11 @@ class ibpkeyRecords(semanageRecords):
ddict = self.get_all(True)
for k in sorted(ddict.keys()):
if k[0] == k[1]:
l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0]))
port = k[0] if k[0] == k[1] else "%s-%s" % (k[0], k[1])
if ddict[k][1]:
l.append("-a -t %s -r '%s' -x %s %s" % (ddict[k][0], ddict[k][1], k[2], port))
else:
l.append("-a -t %s -x %s %s-%s" % (ddict[k][0], k[2], k[0], k[1]))
l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], port))
return l
def list(self, heading=1, locallist=0):
@ -1793,7 +1801,10 @@ class ibendportRecords(semanageRecords):
ddict = self.get_all(True)
for k in sorted(ddict.keys()):
l.append("-a -t %s -r %s -z %s %s" % (ddict[k][0], ddict[k][1], k[1], k[0]))
if ddict[k][1]:
l.append("-a -t %s -r '%s' -z %s %s" % (ddict[k][0], ddict[k][1], k[1], k[0]))
else:
l.append("-a -t %s -z %s %s" % (ddict[k][0], k[1], k[0]))
return l
def list(self, heading=1, locallist=0):
@ -2033,7 +2044,10 @@ class nodeRecords(semanageRecords):
l = []
ddict = self.get_all(True)
for k in sorted(ddict.keys()):
l.append("-a -M %s -p %s -t %s %s" % (k[1], k[2], ddict[k][2], k[0]))
if ddict[k][3]:
l.append("-a -M %s -p %s -t %s -r '%s' %s" % (k[1], k[2], ddict[k][2], ddict[k][3], k[0]))
else:
l.append("-a -M %s -p %s -t %s %s" % (k[1], k[2], ddict[k][2], k[0]))
return l
def list(self, heading=1, locallist=0):
@ -2227,7 +2241,10 @@ class interfaceRecords(semanageRecords):
l = []
ddict = self.get_all(True)
for k in sorted(ddict.keys()):
l.append("-a -t %s %s" % (ddict[k][2], k))
if ddict[k][3]:
l.append("-a -t %s -r '%s' %s" % (ddict[k][2], ddict[k][3], k))
else:
l.append("-a -t %s %s" % (ddict[k][2], k))
return l
def list(self, heading=1, locallist=0):
@ -2609,7 +2626,10 @@ class fcontextRecords(semanageRecords):
fcon_dict = self.get_all(True)
for k in sorted(fcon_dict.keys()):
if fcon_dict[k]:
l.append("-a -f %s -t %s '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], k[0]))
if fcon_dict[k][3]:
l.append("-a -f %s -t %s -r '%s' '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], fcon_dict[k][3], k[0]))
else:
l.append("-a -f %s -t %s '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], k[0]))
if len(self.equiv):
for target in self.equiv.keys():
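Review bot: In the seluserRecords hunk, `if ddict[k][1] or ddict[k][2]:` emits both `-L` and `-r` whenever either field is set, so a record with only one of them yields an option with an empty, unquoted value and the next flag is consumed as its argument when the line is parsed again. The `-r` value there is also unquoted, while every other class touched by this commit writes `-r '%s'`. Building the options piecewise, as below, avoids both problems. Whether get_all() can return one field without the other is not visible from the hunk, and the method starts outside the lines shown.

```python
for k in sorted(ddict.keys()):
    opts = ["-a"]
    if ddict[k][1]:
        opts.append("-L %s" % ddict[k][1])
    if ddict[k][2]:
        opts.append("-r '%s'" % ddict[k][2])
    opts.append("-R '%s' %s" % (ddict[k][3], k))
    l.append(" ".join(opts))
# … unchanged: return l …
```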


@ -757,9 +757,9 @@ def p_attribute_def(p):
p[0] = a
def p_attribute_role_def(p):
'attribute_role_def : ATTRIBUTE_ROLE IDENTIFIER SEMI'
a = refpolicy.Attribute_Role(p[2])
p[0] = a
'attribute_role_def : ATTRIBUTE_ROLE IDENTIFIER SEMI'
a = refpolicy.Attribute_Role(p[2])
p[0] = a
def p_typealias_def(p):
'typealias_def : TYPEALIAS IDENTIFIER ALIAS names SEMI'


@ -344,6 +344,8 @@ def search(types, seinfo=None):
tertypes.append(NEVERALLOW)
if AUDITALLOW in types:
tertypes.append(AUDITALLOW)
if DONTAUDIT in types:
tertypes.append(DONTAUDIT)
if len(tertypes) > 0:
q = setools.TERuleQuery(_pol,