This commit marks libselinux.so as VNDK, so that vendor variant of
libselinux.so can be installed into /system/lib[64]/vndk instead of
/vendor/lib[64]. This makes it easier to apply security patches
through system-only OTAs.
Before this commit, libselinux was not an VNDK library because there
was a concern with selabel database file format. This is no longer a
concern because the file backend is disabled in vendor variant.
Bug: 69587962
Bug: 63866913
Test: /system/lib64/vndk/libselinux.so shows up in GSI
Change-Id: I9d3be760bb5b3f8bf50b96ce6d8b938bf75c620a
libselinux_vendor is removed and merged to libselinux by using
vendor_available:true.
Bug: 66914194
Test: lunch aosp_arm64_ab-userdebug; m libselinux.vendor
Change-Id: Idc04eccf8a9803b9acf6277a9d078a1528ed29c9
Test: I solemnly swear I tested this conflict resolution.
Exempt-From-Owner-Approval: fix merge conflict
Change-Id: I7af3ed74c62c9004c17fcb080acfff7ff408945c
cil_android_attributize() uses a source policy to identify types and
attributes to be versioned according to the given version number, and
then proceeds to modify the provided target policy to provide this
versioning. Previously, the versioned policy relied on a base policy
for the declarations of these type[attribute]s, but with multiple_decl
support added, the declarations can be made in both places. This will
make the policy more robust and allow for greater flexibility and the
types of base policy used.
Bug: 37915794
Test: Builds 'n' boots. non_plat_sepolicy.cil now contains the public
type[attribute] declarations.
Change-Id: Iaa084211a9e2774a7ed391888fb21c4c0cf955db
Followed the following steps:
# In repo client
cd external/selinux
repo sync .
repo start mymerge .
git merge aosp/upstream-master --no-ff # resolve any conflicts
repo upload .
Test: compiles/boots no problems.
Change-Id: I4e7ee3fddfe021d128ebd70a663374367914b825
Public types get versioned for Treble compatibility. The versioned
attribute is declared in vendor policy. Then a mapping between the
newer system policy occurs on the system partition. This causes
on-device compilation to fail in AOSP because the vendor image stays
static and thus the mapping file references undeclared typeattributes.
This can be solved by declaring, or redeclaring all versioned types
in the mapping file. Support for this was added to secilc in commit
fafe4c212b 'libsepol: cil: Add ability
to redeclare types[attributes]'
Bug: 67092827
Bug: 37915794
Test: build and boot aosp_sailfish with new type declared in public
policy
Change-Id: I04a884db6d0eaf42ee189b0669833dd0860b626f
Include entries from file_contexts.homedirs when listing file contexts
via "semanage fcontext -l"
"semanage fcontext -l" so far ignored content of file_contexts.homedirs
file, which is confusing for users (more specific rules may be ignored in
favor of rules unseen to the user since file_contexts.homedirs has
higher priority than file_contexts).
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
This will allow listing the correct file_contexts.homedirs
using libsemanage regardless of selected policy store.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
* Use -Wno-error= to keep existing warnings to fix later.
Bug: 66996870
Test: build with WITH_TIDY=1
Change-Id: I0e84d5fb2ae2ae68a687a0b6b81eb64a983db57c
In the future, target.linux will apply to all targets running a linux kernel
(android, linux_glibc, linux_bionic). So move all current users to the specific
linux_glibc.
There will be another cleanup pass later that will move some instances back to
target.linux if the properties should be shared with target.android and
target.linux_bionic, but target.linux needs to be removed first.
Test: out/soong/build.ninja identical before/after
Change-Id: I30ea2790de2588ba0f5cfe1cd3bb6dc66f00a537
Exempt-From-Owner-Approval: build system cleanup
Function delete() is defined twice in class usersPage and the first one
invoke semanagePage.delete(), which does not exist.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The output of "semodule -lfull" changed from "module version" to
"priority module kind". Update system-config-selinux to use this new
format in its tab "Policy Module".
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Several "sepolic gui" tabs raise exceptions when using a policy without
MLS because some dictionaries describing users and logins lack level and
range properties. Use conditions and get() where appropriate in order
to make "sepolicy gui" usable again with a non-MLS policy.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In refpolicy, file_contexts.subs_dist begins with comments:
# This file can is used to configure base path aliases as in:
#
# /aliased_path /original_path_as_configured_in_file_contexts
#
The first line gets parsed in read_file_equiv even though it is not a
valid path substitution and the second line triggers an exception when
accessing f[1]:
IndexError: list index out of range
Parse substitutions only for lines which are not comment.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The latest update to Travis-CI build environment splitted sugilite
environment into amethyst and garnet and deprecated sugilite. As garnet
provides tools for languages C and Python, and as it is automatically
selected according to
https://travis-ci.org/fishilico/selinux/jobs/278927391 , remove "group:
sugilite" from Travis-CI configuration file.
This update introduced two issues:
- Ruby 2.1 is no longer provided. As it has reached End Of Life
according to https://www.ruby-lang.org/en/downloads/, remove it from
the tested versions
- Python 3.3, 3.4 and 3.5 are no longer installed by default. When
Travis-CI builds Python projects using these versions, it
automatically download and extract an archive from
https://s3.amazonaws.com/travis-python-archives/binaries/ubuntu/14.04/x86_64/.
Implement this process in .travis.yml directly (because Travis-CI does
not support multi-language projects which use several versions of C
compilers and Python and Ruby interpreters).
Last but not least, it is now possible to build with PyPy3. Enable this
interpreter in the build environment matrix.
More information about the Travis-CI update is available at
https://docs.travis-ci.com/user/build-environment-updates/2017-09-06/
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
PyGTK has been deprecated in favor of PyGI+GTK and thus has never been
ported to python3. Using pygi-convert.sh from
https://git.gnome.org/browse/pygobject/tree/pygi-convert.sh helps
migrating most of the API but gnome-python.
The glade file has been converted to GtkBuilder using
gtk-builder-convert system-config-selinux.glade system-config-selinux.ui
and some fixes in order to provide an application window (object
GnomeApp disappeared, GtkVBox is deprecated, etc.). The associated
Python code also needed some modifications in order to migrate to
GtkBuilder.
The result has been tested on Arch Linux with Python 3.6. There are some
bugs in the GUI itself, for which patches will be sent afterwards.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Cutting down on the number of attributes associated with each type
speeds up policy lookup times when there is an access vector cache
miss.
This commit reduces the number of attributes in the policy binary from
607 to 159.
(cherry-pick of commit: 574926fe67)
Bug: 36508258
Test: build and boot Marlin
Change-Id: I42c778fe9e760abf62d4ec1f7b7e748e28ac5497
On a system without any file context customizations, "sepolicy gui"
fails to load because it tries to read a non-existing file:
FileNotFoundError: [Errno 2] No such file or directory:
'/etc/selinux/refpolicy-git/contexts/files/file_contexts.local'
Once this issue is fixed, another one is triggered:
FileNotFoundError: [Errno 2] No such file or directory:
'/etc/selinux/refpolicy-git/contexts/files/file_contexts.subs
Use try/except to catch these exceptions and use OSError/errno.ENOENT to
keep the code compatible with Python 2.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When sepol_bool_query() returns NULL response, variable name is not
freed. Fix this by calling free() before returning.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Do not include private/android_filesystem_config.h
for libselinux_vendor.
Test: mma -j
Test: BOARD_VNDK_VERSION=current mma -j
Bug: 33241851
Change-Id: I4f4328dceaa8609d1891b4b7129669ad7040865a
Merged-In: I4f4328dceaa8609d1891b4b7129669ad7040865a
When building the project with "make DESTDIR=... install", the root
Makefile defines CFLAGS and LDFLAGS without any warning flags ("CFLAGS
+= -I$(DESTDIR)/usr/include" and "LDFLAGS += -L$(DESTDIR)/usr/lib"). As
the Makefiles in subdirectories do not override the flags with warning
flags, the code gets compiled without any enabled warning.
This leads for example to code being introduced which breaks building
libsepol from its directory, while building it from the root Makefile
still works fine.
This issue can be fixed by defining a set of flags in the root Makefile
which are used by all Makefiles in subdirectories. The flags have been
chosen following these principles:
* they are compatible with both clang and gcc,
* they already appear in at least one Makefile, and
* they are not triggered with the current git master version.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When compiling restorecond with -Wunused, gcc 4.8.4 (from Ubuntu 14.04)
reports the following warnings:
restorecond.c: In function ‘main’:
restorecond.c:208:9: error: ignoring return value of ‘daemon’,
declared with attribute warn_unused_result [-Werror=unused-result]
daemon(0, 0);
^
restorecond.c: In function ‘write_pid_file’:
restorecond.c:106:2: error: ignoring return value of ‘write’,
declared with attribute warn_unused_result [-Werror=unused-result]
(void)write(pidfd, val, (unsigned int)len);
^
If any of these calls returns an error, it is currently silently
discarded. Add a message in order to warn about such an error.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
cil_gen_node() has been using its argument "db" since commit
fafe4c212b ("libsepol: cil: Add ability to redeclare
types[attributes]"). Drop attribute "unused" on this argument.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
cil_defaults_to_policy() defines its third argument as non-const "char
*kind" even though it is called with literal strings. This makes gcc
report the following warning when compiling with -Wwrite-strings:
../cil/src/cil_policy.c: In function ‘cil_gen_policy’:
../cil/src/cil_policy.c:1931:60: error: passing argument 3 of
‘cil_defaults_to_policy’ discards ‘const’ qualifier from pointer
target type [-Werror=discarded-qualifiers]
cil_defaults_to_policy(out, lists[CIL_LIST_DEFAULT_USER],
"default_user");
^~~~~~~~~~~~~~
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Since commit 67b410e80f ("libsepol/cil: Keep attributes used by
generated attributes in neverallow rules") gcc reports the following
warning when building libsepol:
../cil/src/cil_post.c: In function
‘__cil_post_db_neverallow_attr_helper’:
../cil/src/cil_post.c:1322:17: error: unused variable ‘db’
[-Werror=unused-variable]
struct cil_db *db = extra_args;
^~
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When compiling libsepol with clang and some warning flags, the compiler
complains about the way IPv6 addresses are initialized:
kernel_to_cil.c:2795:35: error: suggest braces around initialization
of subobject [-Werror,-Wmissing-braces]
struct in6_addr subnet_prefix = {0};
^
{}
When replacing the initializer as suggested, gcc 4.8.4 complains:
kernel_to_cil.c: In function ‘write_selinux_ibpkey_rules_to_cil’:
kernel_to_cil.c:2795:9: error: missing initializer for field
‘__in6_u’ of ‘struct in6_addr’ [-Werror=missing-field-initializers]
struct in6_addr subnet_prefix = {};
^
Thankfully netinet/in.h provides a macro to initialize struct in6_addr
variables:
#define IN6ADDR_ANY_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }
Both clang and gcc no longer report warnings when using this macro.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On full Treble devices, servicemanager should only
host services served from processes on /system; don't load
nonplat_service_contexts.
Bug: 36866029
Test: builds, boot Taimen, boot Sailfish
Change-Id: Ia093c4c6b342335e35648db35e340e2df54fdcf3
Merged-In: Ia093c4c6b342335e35648db35e340e2df54fdcf3
(cherry picked from commit e3ab0e6086)
libsepol is entirely C, so it doesn't need libc++. On the host,
libsepolwrap loads libsepol into the system python, which does not have
the sanitizer runtime.
Test: SANITIZE_HOST=true m treble_sepolicy_tests
Test: mmma external/selinux
Change-Id: If22a6b3d492170871bdb70e71bba8148c607af01
In order to reduce policy size, CIL removes attributes that are not used
by a policy rule in the generated binary policy. However, CIL keeps
attributes used by neverallow rules (which are checked at compile time
and not in the binary policy) even if the attribute is not used anywhere
else in the policy. This behavior is useful to Google who pulls neverallow
rules out of the original policy.conf for compatibility testing, but
converts the policy.conf to CIL and uses the CIL compiler to generate
policy. Without this behavior, the generated binary policy might not have
an attribute referred to by one of the neverallow rules used for testing.
The one exception to this behavior is for attributes generated in
module_to_cil (these have an "_typeattr_" in the middle of their name).
Since these attributes are only created because CIL does not allow a
type expression in an AV rule, they are removed if they only appear in
a neverallow rule (which is the case for most of them) or if the
option to expand generated attributes (-G or --expand-generated) is
specified for secilc when compiling the policy.
Removing generated attributes causes a problem, however, if the type
expression that the generated attribute is replacing uses an attribute
that is removed. In this case, the original neverallow rule will refer
to an attribute that does not exist in the generated binary policy.
Now any non-generated attribute used in a typeattributeset rule for a
generated attribute which is used in a neverallow rule will be treated
like it was used in a neverallow rule.
This does not change the behavior of an expandtypeattribute rule for
the attribute. That rule, if it exists, will take precedence.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Modify cil_gen_node() to check to see if the cil_db supports multiple
declarations, and if so, to check whether or not the
repeated symbol is eligible to share the existing, already-stored datum. The
only types considered so far are CIL_TYPE and CIL_TYPEATTRIBUTE, both of
which intall empty datums during AST building, so they automatically return
true.
Test: Build policy with multilpe type and attribute declarations, and
without. Policies are binary-identical.
Signed-off-by: Dan Cashman <dcashman@android.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
In cil_strpool_destroy(), cil_strpool_tab is freed but it is not reset to NULL.
When cil_strpool_init() is called again it assumes that cil_strpool_tab was
already initialized. Other functions then work with invalid data.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
"roleattribute" was referencing "typeattributeset", but I believe it should be referencing "roleattributeset" instead.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
