Device side libselinux has Android specific modifications.
but host side tools do not. Move host functionality over to common
selinux directory. This allows tools with libselinux dependency e.g.
audit2allow to be built in tree.
Change-Id: I10a7174b415bad7b5154c382a55eb10a8ed52fa5
Created a new function, get_line(), to replace the use of fmemopen()
and getline() in module_to_cil.c since fmemopen() is not available
on Darwin.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
If a userlevel or userrange statement is missing from a policy,
evaluate_level_expression() and evaluate_levelrange_expression, respectively
will have a NULL pointer dereference caused by a missing level in a user.
Add cil_pre_verify() which verifies users have a valid level. Also, move loop
checking in classpermissions into cil_pre_verify().
This fixes https://github.com/SELinuxProject/cil/issues/1.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Prevent writing a binary policy module if the source
included an ioctl operation rule because we do not support ioctl
operation rules in the binary module format. It doesn't seem
worthwhile to introduce a new binary policy module version since
CIL is now merged and we will have to implement the support in CIL
regardless; might as well only support it in CIL modules.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Adds support for new policy statements whitelisting individual ioctl
commands. Ioctls provide many of the operations necessary for driver control.
The typical driver supports a device specific set of operations accessible
by the ioctl system call and specified by the command argument. SELinux
provides per operation access control to many system operations e.g. chown,
kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per
file descriptor basis using the ioctl permission, meaning that the set of
operations provided by the driver are granted on an all-or-nothing basis.
In some cases this may be acceptable, but often the same driver provides a
large and diverse set of operations such as benign and necessary functionality
as well as dangerous capabilities or access to system information that should
be restricted.
Example policy:
allow <source> <target>:<class> { 0x8900-0x8905 0x8910 }
auditallow <source> <target>:<class> 0x8901
The ioctl permission is still required in order to make an ioctl call. If no
individual ioctl commands are specified, only the ioctl permission is
checked by the kernel - i.e. status quo. This allows ioctl whitelisting to
done in a targeted manner, protecting desired drivers without requiring every
ioctl command to be known and specified before use and otherwise allowing
existing policy to be used as-is.
This only implements ioctl whitelisting support for monolithic kernel policies
built via checkpolicy. Support for modules and CIL remains to be done.
Bug: 19419509
Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Libraries such as libqpol that link with libsepol statically do not understand
the symbolic versioning in libsepol. This patch disables the symbolic versioning
in libsepol if building the static library or building for Android.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Steve Lawrence <slawrence@tresys.com>
The Android build does not like the symbol versioning introduced
by commit 8147bc7; the build fails with:
host SharedLib: libsepol (out/host/linux-x86/obj/lib/libsepol.so)
prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8//x86_64-linux/bin/ld: error: symbol cil_build_policydb has undefined version
prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8//x86_64-linux/bin/ld: error: symbol cil_build_policydb has undefined version LIBSEPOL_1.1
clang: error: linker command failed with exit code 1 (use -v to see invocation)
Omit the versioned symbols and simply use the current interfaces
when building on Android.
Commit 36f62b7 also broke the Android build by moving secilc out of
libsepol, because the libsepol headers were not installed by the Android.mk
file.
Export the required libsepol headers for use by secilc and adjust secilc
to pick them up from the right location on Android.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add a new function, sepol_module_policydb_to_cil, that generates
CIL from a module (not kernel) policydb. Refactor
sepol_module_package_to_cil() to use the new function.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Move code to convert a policy module to CIL from the policy package to
CIL conversion tool, pp, in policycoreutils to libsepol. The only changes
to the code are the additions of the prefix "sepol_" to the functions
sepol_module_package_to_cil() and sepol_ppfile_to_module_package(). This
code is being changed from GPL to LGPL with permission from Tresys.
Convert pp to use the renamed functions in libsepol.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Since the secilc compiler is independent of libsepol, move secilc out of
libsepol. Linke secilc dynamically rather than statically with libsepol.
- Move secilc source, test policies, docs, and secilc manpage to secilc
directory.
- Remove unneeded Makefile from libsepol/cil. To build secilc, run make
in the secilc directory.
- Add target to install the secilc binary to /usr/bin/.
- Create an Android makefile for secilc and move secilc out of libsepol
Android makefile.
- Add cil_set_mls to libsepol public API as it is needed by secilc.
- Remove policy.conf from testing since it is no longer used.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Problems fixed:
1) Fix core dump when building CIL policy (corrupted double-linked list)
by Steve Lawrence <slawrence@tresys.com>
2) Binary policy failed to read with devicetreecon statement.
3) Free path name - With a Xen policy running secilc/valgrind
there are no memory errors.
Also added devicetreecon statement to CIL policy.cil and updated the CIL
Reference Guide.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Boolean states are only written on a declaration.
If a module is turned off which includes a tunable declaration that
is required in another module, the state is never set. This patch
sets the state when the booldatum is created so that an uninitialized
memory read does not occur in cond_write_bool and write garbage to
the link binary. This can cause a failure in cond_read_bool when
running semodule_expand.
Signed-off-by: Thomas Hurd <thurd@tresys.com>
In Xen on ARM, device tree nodes identified by a path (string) need to
be labeled by the security policy.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
This expands IOMEMCON device context entries to 64 bits. This change is
required to support static I/O memory range labeling for systems with
over 16TB of physical address space. The policy version number change
is shared with the next patch.
While this makes no changes to SELinux policy, a new SELinux policy
compatibility entry was added in order to avoid breaking compilation of
an SELinux policy without explicitly specifying the policy version.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
- No longer require the caller to create a sepol_policydb. CIL is now
responsible for that
- Since the user is no longer responsible for creating the policydb, two
functions are added to let CIL know how it should configure the
policydb, to set the policy version and the target platform
- Some functions, like cil_compile, do not need a policydb. Additionally
some functions, like cil_filecons_to_string use the policydb, but could
be rewritten to not require it. In these cases, remove the policydb
from the API, and rewrite functions so they don't depend on it. The
only function that uses a policydb is cil_build_policydb
- Add functions and symbolic versioning to maintain binary backwards
compatability. API backwards compatability is not maintained
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reformat secilc(8) man page for readability and correct url
Remove unused/obsolete info and correct portcon statement in the
Reference Guide.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
If the level contains a category that is not associated with a sensitivity,
the code correctly detects the condition, but does not return an error.
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
s6_addr32 is not portable; use s6_addr instead.
Change-Id: I21c237588d3e7200cefa3af96065f657dae4b1e7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Enable building CIL as part of the host libsepol.
This will allow using it for host-side policy tools.
Omit it from the device libsepol used for the CTS for now,
unless/until such a time as we find it necessary there.
Also build secilc, the CIL compiler.
Change-Id: I2f04a720d9143a9c84fbab211511f76d82581b0b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Using the Fedora 20 targeted policy, running check_assertions requires
an avtab with around 22 million elements. With the default limit of 4096
buckets, performance is abysmal: it takes more than an hour to populate
the hash. Profiling shows most of that time under avtab_search_node.
This patch increases the hash from 13 to 20 bits and to a maximum of
1048576 buckets. The time for check_assertions on that policy is reduced
to about 3 minutes, which is enough to re-enable those checks as part of
the build process.
A full size table will allocate 4-8 MB of memory, up from 16-32 KB. In a
cursory review, these tables are usually short-lived and only 1-3 are
allocated together. Compared to the cost of entries in this table (up to
1 GB using the same policy), this isn't a significant increase.
Signed-off-by: John Brooks <john.brooks@jolla.com>
This function, based on murmurhash3, has much better distribution than
the original. Using the current default of 4096 buckets, there are many
fewer collisions:
Before:
2893000 entries and 4096/4096 buckets used, longest chain length 1649
After:
2732000 entries and 4096/4096 buckets used, longest chain length 764
The difference becomes much more significant when buckets are increased.
A naive attempt to expand the current function to larger outputs doesn't
yield any significant improvement; so this function is a prerequisite
for increasing the bucket size.
Signed-off-by: John Brooks <john.brooks@jolla.com>
libsepol contains performance sensitive code; in particular, compiler
optimizations save a few minutes off of the optimized policydb hash
tables.
Signed-off-by: John Brooks <john.brooks@jolla.com>
This was broken for older policy versions when we updated to
version 24.
Broken by commit 787f2f00f5d8ed6f5f.
Change-Id: I4063334c5c0462ef5c3706611c7dff5c60c612aa
Reported-by: William Roberts <bill.c.roberts@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Switch libsepol check_assertions() from only reporting the first violation
to reporting them all.
Change-Id: I45b3502ff96b1d093574e1fecff93a582f8d00bd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Steve Lawrence <slawrence@tresys.com>
The current build system assumes SHLIBDIR is ../../ relative to LIBDIR.
However, this isn't always the case. For example, Arch Linux sets both
LIBDIR and SHLIBDIR to /usr/lib, which results in broken symlinks.
Instead of making that assumption, create .so symlinks using ln
--relative so that the correct relative paths are used. Note that this
adds a dependency for the build system to use coretuils-8.16 or later.
Fixes#2
Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
