tequilaOS/platform_external_selinux
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
5435 commits 1 branch 0 tags 17 MiB
Commit graph

5435 commits

This branch
This branch
All branches
Author SHA1 Message Date
Vit Mojzis
48602370ac python: Harden tools against "rogue" modules 
Python scripts present in "/usr/sbin" override regular modules.
Make sure /usr/sbin is not present in PYTHONPATH.

Fixes:
  #cat > /usr/sbin/audit.py <<EOF
  import sys
  print("BAD GUY!", file=sys.stderr)
  sys.exit(1)
  EOF
  #semanage boolean -l
  BAD GUY!

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
 2022-11-09 07:53:27 -05:00
James Carter
950cc5b54a README.md: Remove mention of python3-distutils dependency 
With the removal of any dependence on the python disutils module,
Debian no longer depends on the python3-disutils package.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
 2022-11-09 07:52:10 -05:00
James Carter
2b5d558575 scripts: Remove dependency on the Python module distutils 
The distutils package is deprecated and scheduled to be removed in
Python 3.12. Use the sysconfig module instead.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
 2022-11-09 07:51:51 -05:00
James Carter
c08cf24f39 python: Remove dependency on the Python module distutils 
The distutils package is deprecated and scheduled to be removed in
Python 3.12. Use the setuptools and sysconfig modules instead.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
 2022-11-09 07:51:36 -05:00
James Carter
33e56c9b2e libsemanage: Remove dependency on the Python module distutils 
The distutils package is deprecated and scheduled to be removed in
Python 3.12. Use the sysconfig module instead.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
 2022-11-09 07:51:21 -05:00
James Carter
94364696c5 libselinux: Remove dependency on the Python module distutils 
The distutils package is deprecated and scheduled to be removed in
Python 3.12. Use the setuptools and sysconfig modules instead.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
 2022-11-09 07:50:51 -05:00
Petr Lautrbach
ecfcb1d6a8 sandbox: Use temporary directory for XDG_RUNTIME_DIR 
XDG_RUNTIME_DIR (/run/user/$UID) is used for user-specific data files
such as sockets, named pipes and so on. Therefore, it should not be
available to sandboxed processes.

Usage:
    # ls -a $XDG_RUNTIME_DIR
    .  ..  bus  pipewire-0  systemd
    # sandbox -R /root/sandbox/user -- sh -c "ls -a $XDG_RUNTIME_DIR"
    .  ..

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
 2022-11-09 07:49:34 -05:00
Petr Lautrbach
0fb988c86b sandbox: Do not try to remove tmpdir twice if uid == 0 
If the user is root, tmpdir is already wiped out.

Fixes:
    # sandbox -T /root/tmp -- id
    uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:sandbox_t:s0:c696,c756
    Failed to remove directory /tmp/.sandbox-root-KIlB59: No such file or directory

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
 2022-11-09 07:48:48 -05:00
Paul Moore
c626187063 docs: update the README.md with a basic SELinux description 
This is to help meet the OpenSSF Best Practices requirements.

Signed-off-by: Paul Moore <paul@paul-moore.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
 2022-11-07 11:03:39 +01:00
Inseob Kim
bd93cf0f33 Add odm_service_contexts support am: b4d8972d77 am: cd399a6134 am: db540d903d 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2267644

Change-Id: I92db03d4bc01f6b6af6e318d79b92dad72ea80b3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-26 04:43:34 +00:00
Inseob Kim
db540d903d Add odm_service_contexts support am: b4d8972d77 am: cd399a6134 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2267644

Change-Id: I622c9476909c27837a479c8bb6ed79521c6739b7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-26 03:45:23 +00:00
Inseob Kim
cd399a6134 Add odm_service_contexts support am: b4d8972d77 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2267644

Change-Id: Iea02971fd28a98b4c5d9631abee3c21bd36f496b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-26 03:11:46 +00:00
Inseob Kim
b4d8972d77 Add odm_service_contexts support 
Bug: 240609481
Test: build and boot
Test: see build error upon invalid odm service contexts
Change-Id: I14c2b681ec17ceef6d645219334ac741534a8009
 2022-10-26 02:46:27 +00:00
James Carter
7238ad32a3 python: Do not query the local database if the fcontext is non-local 
Vit Mojzis reports that an error message is produced when modifying
a non-local fcontext.

He gives the following example:
  # semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
  libsemanage.dbase_llist_query: could not query record value (No such file or directory).

When modifying an fcontext, the non-local database is checked for the
key and then, if it is not found there, the local database is checked.
If the key doesn't exist, then an error is raised. If the key exists
then the local database is queried first and, if that fails, the non-
local database is queried.

The error is from querying the local database when the fcontext is in
the non-local database.

Instead, if the fcontext is in the non-local database, just query
the non-local database. Only query the local database if the
fcontext was found in it.

Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
 2022-10-24 08:26:28 -04:00
Petr Lautrbach
bba6225abc gui: Fix export file chooser dialog 
It wasn't possible to choose a directory in filechooser dialog using
double-click - the dialog returned the directory name instead of
listing the directory.

Fixes:
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2593, in on_browse_select
    self.export_config(filename)
  File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2668, in export_config
    fd = open(filename, 'w')
IsADirectoryError: [Errno 21] Is a directory: '/root/Downloads'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
 2022-10-24 08:26:18 -04:00
James Carter
e004946447 docs: Add GPG fingerprints 
For Nicolas Iooss, James Carter, and Jason Zaman.

Signed-off-by: James Carter <jwcart2@gmail.com>
 2022-10-24 08:26:05 -04:00
Colin Cross
93d9077a2b Use uid_t instead of __uid_t am: 7f9e57f296 am: 98ca180882 am: 5c176ed1bb 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2261050

Change-Id: I65c0c89da674ab3605597d2ec434f828bba4d6a1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-21 00:16:37 +00:00
Colin Cross
5c176ed1bb Use uid_t instead of __uid_t am: 7f9e57f296 am: 98ca180882 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2261050

Change-Id: I2eacb1053b630d7e255c1a58d77689fba6c32a97
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-20 23:44:47 +00:00
Colin Cross
98ca180882 Use uid_t instead of __uid_t am: 7f9e57f296 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2261050

Change-Id: I56766f2fe5d7c1f711627ca3102be8a9314f2e4c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-20 23:15:40 +00:00
Colin Cross
7f9e57f296 Use uid_t instead of __uid_t 
Musl libc doesn't define __uid_t, and bionic's getpwuid takes a
uid_t, not a __uid_t.

Bug: 190084016
Test: m USE_HOST_MUSL=true host-native
Change-Id: I0f55c785c622365482d635d795f639a95acefd47
 2022-10-19 10:10:52 -07:00
Thiébaud Weksteen
edb3baba9a Add unit test for seapp_contexts am: 67fba33f8a am: 5dd66f50c4 am: ee37f32833 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254490

Change-Id: I1aa42f48788b2b1ed3334ba0038f792e279e171e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 08:20:16 +00:00
Thiébaud Weksteen
6ac6ade869 Build android_seapp.c for the host am: 65fe8e161f am: 7d6e2e26b8 am: 82238f49ea 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254489

Change-Id: Id2ddf18929124421ed82c76c208ae506de5282c3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 08:20:15 +00:00
Thiébaud Weksteen
ce4d399aa2 Fix build for android_platform.c am: 4a15e5176d am: e39a9af2db am: 52aebc0e15 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254488

Change-Id: I3ac76a84fa55629904ddad389890a54e91c8f544
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 08:20:14 +00:00
Thiébaud Weksteen
89a0e4d406 Merge branches 'split_seapp' and 'split_device' into master am: 6cdba9c863 am: 92d45b050b am: 64decb8a4d 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254487

Change-Id: I7ca6dc960c6bf5c381e9b95bd55bb6c84f301201
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 08:20:13 +00:00
Thiébaud Weksteen
793df60e91 Rename android_platform.c to android_device.c am: 9348addf0f am: cddcbde94c am: 89ec8b4c88 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254485

Change-Id: I77d8467328d7de6b0f8b36ce26d0f324780d8a00
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 08:20:11 +00:00
Thiébaud Weksteen
b6bd25a45c Trim down android_seapp.c am: 92f48ee3db am: 1356e7e200 am: 21c86dabc6 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254484

Change-Id: I27ff253f8b40d86c7a9115d2c817266e8e51b3e8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 08:20:10 +00:00
Thiébaud Weksteen
64220179bd Move android_platform.c to android_seapp.c am: 25fd00bf4e am: c38adaaacb am: e17ac86477 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254483

Change-Id: If6977aa836417bb88237dc1af933edf88ca636e4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 08:20:09 +00:00
Thiébaud Weksteen
94649497c7 Define and use path_alts_t am: c8b3ae636f am: e958b5dbbb am: 2433ca5b26 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2239403

Change-Id: I829b177ed8c740a3f836b4c1b0402a8b17ade9ab
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 08:20:08 +00:00
Thiébaud Weksteen
4cdd9ac114 Remove android_common.h am: 12b4861e66 am: 66ead1d6db am: 4a4f804445 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2239402

Change-Id: I7c292eccea93e0b6f2398a4e2c1ee510ef4e557b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 08:20:06 +00:00
Thiébaud Weksteen
ee37f32833 Add unit test for seapp_contexts am: 67fba33f8a am: 5dd66f50c4 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254490

Change-Id: I93c38ee977f7fa0fba2d82e57f34f2c251936459
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:47:56 +00:00
Thiébaud Weksteen
82238f49ea Build android_seapp.c for the host am: 65fe8e161f am: 7d6e2e26b8 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254489

Change-Id: I92ebbb7645823a33d7271cc9e39475e5a8da3f15
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:47:55 +00:00
Thiébaud Weksteen
52aebc0e15 Fix build for android_platform.c am: 4a15e5176d am: e39a9af2db 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254488

Change-Id: Idd1fadc274f851eb736b4daf66b307a6f37bf859
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:47:53 +00:00
Thiébaud Weksteen
64decb8a4d Merge branches 'split_seapp' and 'split_device' into master am: 6cdba9c863 am: 92d45b050b 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254487

Change-Id: Ib1fdc54c32751c7ba257669730ecbe5a71218fed
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:47:52 +00:00
Thiébaud Weksteen
89ec8b4c88 Rename android_platform.c to android_device.c am: 9348addf0f am: cddcbde94c 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254485

Change-Id: Ib21269bdfd823025b70941e3ccc3a3def8e564cd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:47:51 +00:00
Thiébaud Weksteen
21c86dabc6 Trim down android_seapp.c am: 92f48ee3db am: 1356e7e200 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254484

Change-Id: I44c70467e1e63912d597cf1e724600cb768d7dbf
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:47:50 +00:00
Thiébaud Weksteen
e17ac86477 Move android_platform.c to android_seapp.c am: 25fd00bf4e am: c38adaaacb 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254483

Change-Id: I44067418956c8bbca795dc2656e092a0bbd95f48
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:47:49 +00:00
Thiébaud Weksteen
2433ca5b26 Define and use path_alts_t am: c8b3ae636f am: e958b5dbbb 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2239403

Change-Id: Ie18b0cab538c7b81ba8245c4d7b130464903ccc9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:47:48 +00:00
Thiébaud Weksteen
4a4f804445 Remove android_common.h am: 12b4861e66 am: 66ead1d6db 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2239402

Change-Id: I1e495e0d35c701113658d64b9f02a336847bd10f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:47:46 +00:00
Thiébaud Weksteen
5dd66f50c4 Add unit test for seapp_contexts am: 67fba33f8a 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254490

Change-Id: Id7b070c97dcc8dc5362a7b859b8305196394c6cd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:04:22 +00:00
Thiébaud Weksteen
7d6e2e26b8 Build android_seapp.c for the host am: 65fe8e161f 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254489

Change-Id: I7b1df9296e6e9b77e341ab45c45176723d11d6d3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:04:21 +00:00
Thiébaud Weksteen
e39a9af2db Fix build for android_platform.c am: 4a15e5176d 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254488

Change-Id: I2890e9b8bd4b09bd4169a25eea901686fd3486c4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:04:20 +00:00
Thiébaud Weksteen
92d45b050b Merge branches 'split_seapp' and 'split_device' into master am: 6cdba9c863 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254487

Change-Id: I6002a315de32f33df672e1be3494dcefce7159bf
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:04:19 +00:00
Thiébaud Weksteen
cddcbde94c Rename android_platform.c to android_device.c am: 9348addf0f 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254485

Change-Id: Ic35521d2d17dae36d85812909e3ed40e850d30d7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:04:17 +00:00
Thiébaud Weksteen
1356e7e200 Trim down android_seapp.c am: 92f48ee3db 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254484

Change-Id: I81ce7f41c13b3055ee9adf489f9fe5ab504efd57
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:04:16 +00:00
Thiébaud Weksteen
c38adaaacb Move android_platform.c to android_seapp.c am: 25fd00bf4e 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2254483

Change-Id: Ic00aec55d861c75979952061048cd4c4a313576b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:04:15 +00:00
Thiébaud Weksteen
e958b5dbbb Define and use path_alts_t am: c8b3ae636f 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2239403

Change-Id: I091da6e2f0564c9bc9b2cdcc4d04d78312ac635f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:04:14 +00:00
Thiébaud Weksteen
66ead1d6db Remove android_common.h am: 12b4861e66 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2239402

Change-Id: Ie0627e7c7a3ad528a2ca85e952189b7d068deeb2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-10-19 07:04:12 +00:00
Thiébaud Weksteen
67fba33f8a Add unit test for seapp_contexts 
Split selinux_android_seapp_context_reload and seapp_context_lookup to
prevent the loading and use of the default seapp_contexts files (e.g.,
/system/etc/selinux/plat_file_contexts). The exposed API and current
callers of seapp_context_lookup remain the same.

Test: atest --host libselinux_test
Bug: 234313751
Change-Id: If3b525b92fa43e5599075509d4de55ff39ec8a6e
 2022-10-19 10:09:02 +11:00
Thiébaud Weksteen
65fe8e161f Build android_seapp.c for the host 
android_seapp.c can be build on host. strlcpy is replaced with strncpy
(the string copied is static). An alias seapp_getpwuid is created to
allow faking for the unit test.

Bug: 234313751
Test: build & boot
Change-Id: I0e86d83fddb3ceb20d63963b40ea0ca227a8538a
 2022-10-19 10:09:02 +11:00
Thiébaud Weksteen
4a15e5176d Fix build for android_platform.c 
With android_platform.c split between android_device.c and
android_seapp.c, update the build configuration. Move to the internal
header the interface expected between the two files.

Test: m
Bug: 234313751
Change-Id: If13a7484bf48a49e36a424c39f6f62ec6140fc22
 2022-10-19 10:09:02 +11:00