Device side libselinux has Android specific modifications.
but host side tools do not. Move host functionality over to common
selinux directory. This allows tools with libselinux dependency e.g.
audit2allow to be built in tree.
Change-Id: I10a7174b415bad7b5154c382a55eb10a8ed52fa5
Migrate selinux tools to common directory for consistency with
the external selinux project. Build libsepol and checkpolicy
Change-Id: Ifb6618d27e95fadf29cf735776c8d4d439589347
Created a new function, get_line(), to replace the use of fmemopen()
and getline() in module_to_cil.c since fmemopen() is not available
on Darwin.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Check buffer address limits when processing *.bin files
to catch any over-runs. On failure process text file instead.
To test, the bin files were corrupted by adding and removing
various bits of data. Various file sizes were also checked and
all were caught by the patch.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Migrate selinux tools to common directory for consistency with
the external selinux project. Use projects libsepol, checkpolicy,
and secilc.
Change-Id: Ibc623b751dfe4e7f5119d7dd3ddffa39e68d9ebe
Add support for new API functions selabel_partial_match and
selabel_lookup_best_match ported from the Android libselinux
fork.
Add supporting man(3) pages and test utilities: selabel_lookup,
selabel_lookup_best_match and selabel_partial_match.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
If a userlevel or userrange statement is missing from a policy,
evaluate_level_expression() and evaluate_levelrange_expression, respectively
will have a NULL pointer dereference caused by a missing level in a user.
Add cil_pre_verify() which verifies users have a valid level. Also, move loop
checking in classpermissions into cil_pre_verify().
This fixes https://github.com/SELinuxProject/cil/issues/1.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Prevent writing a binary policy module if the source
included an ioctl operation rule because we do not support ioctl
operation rules in the binary module format. It doesn't seem
worthwhile to introduce a new binary policy module version since
CIL is now merged and we will have to implement the support in CIL
regardless; might as well only support it in CIL modules.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Also drop expanding of rules; just display the rules in their
original form. I think expansion was a relic of an older policy
version where we did not preserve attributes in the kernel policy.
In any event, it seems more useful to display the rules unmodified.
Change-Id: I85095a35cfb48138cd9cf01cde6dd0330e342c61
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The modules from the old store were previously copied to the new one
using setfscreatecon and shutil.copy2(). Now that refpolicy has rules
about the new policy location[1], copying the contexts is redundant.
More importantly, the setcreatefscon caused a constraint violation[2]
which made the migration fail. In python3, shutil.copy2() copies xattrs
as well which again causes problems. shutil.copy() is enough for our
needs here as it will copy the file and permissions in both py2 and 3.
We do not need the extra things that copy2() does (mtime, xattr, etc).
[1] http://oss.tresys.com/pipermail/refpolicy/2014-December/007511.html
[2]
type=AVC msg=audit(1429438272.872:1869): avc: denied { create } for pid=28739 comm="semanage_migrat" name="strict" scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:semanage_store_t tclass=dir permissive=0
constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
allow semanage_t semanage_store_t:dir create;
Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
Changes from v1:
- Changed some methods to not take a src param anymore.
Adds support for new policy statements whitelisting individual ioctl
commands. Ioctls provide many of the operations necessary for driver control.
The typical driver supports a device specific set of operations accessible
by the ioctl system call and specified by the command argument. SELinux
provides per operation access control to many system operations e.g. chown,
kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per
file descriptor basis using the ioctl permission, meaning that the set of
operations provided by the driver are granted on an all-or-nothing basis.
In some cases this may be acceptable, but often the same driver provides a
large and diverse set of operations such as benign and necessary functionality
as well as dangerous capabilities or access to system information that should
be restricted.
Example policy:
allow <source> <target>:<class> { 0x8900-0x8905 0x8910 }
auditallow <source> <target>:<class> 0x8901
The ioctl permission is still required in order to make an ioctl call. If no
individual ioctl commands are specified, only the ioctl permission is
checked by the kernel - i.e. status quo. This allows ioctl whitelisting to
done in a targeted manner, protecting desired drivers without requiring every
ioctl command to be known and specified before use and otherwise allowing
existing policy to be used as-is.
This only implements ioctl whitelisting support for monolithic kernel policies
built via checkpolicy. Support for modules and CIL remains to be done.
Bug: 19419509
Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
os.path.walk() function is deprecated and has been removed in Python 3
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
SELinux can be disabled via the selinux=0 kernel parameter or via
/sys/fs/selinux/disable (triggered by setting SELINUX=disabled in
/etc/selinux/config). In either case, selinuxfs will be unmounted
and unregistered and therefore it is sufficient to check for the
selinuxfs mount. We do not need to check for no-policy-loaded and
treat that as SELinux-disabled anymore; that is a relic of Fedora Core 2
days. Drop the no-policy-loaded test, which was a bit of a hack anyway
(checking whether getcon_raw() returned "kernel" as that can only happen
if no policy is yet loaded and therefore security_sid_to_context() only
has the initial SID name available to return as the context).
May possibly fix https://bugzilla.redhat.com/show_bug.cgi?id=1195074
by virtue of removing the call to getcon_raw() and therefore avoiding
use of tls on is_selinux_enabled() calls. Regardless, it will make
is_selinux_enabled() faster and simpler.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
A spec file was incorrectly stored as rootpath when -r option was used
Fixes:
/sbin/setfiles: /tmp/install_root is not located in /etc/selinux/targeted/contexts/files/file_contexts
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Fedora permits obtaining local policy customizations and the list
of policy modules without admin authentication, but we would prefer
more conservative defaults upstream.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The mudflap run time checker was removed in GCC 4.9. The
option no longer does anything and triggers a warning from gcc 4.9
and later. Remove it. We might want to add -fsanitize=address
to enable AddressSanitizer in its place, but that should be a separate
change.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Needed to allow Android to keep building with a copy of the SELinux
source code checked into external/selinux
Bug: 19963152
Change-Id: I4e192bb6ca5d185e11540aca7253e729d92a00c1