tequilaOS/platform_external_selinux
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
5417 commits 1 branch 0 tags 17 MiB
Commit graph

5417 commits

This branch
This branch
All branches
Author SHA1 Message Date
Thiébaud Weksteen
57857be7cb Use generic isSelector am: 3d85f1e116 am: d26a4af638 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2839485

Change-Id: I96867dca9a2731cf062a795fcfdf034beb9e9cab
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-01 04:05:52 +00:00
Thiébaud Weksteen
28f879de16 Use generic isSelector am: 3d85f1e116 am: bce1d3689b 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2839485

Change-Id: I408f1d9edea15863dde0e50ca5f2000ebf8fad5c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-01 03:51:40 +00:00
Thiébaud Weksteen
d26a4af638 Use generic isSelector am: 3d85f1e116 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2839485

Change-Id: Iebf082e0c29320766b69c5ea6b9fb151c8676a25
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-01 03:34:32 +00:00
Thiébaud Weksteen
bce1d3689b Use generic isSelector am: 3d85f1e116 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2839485

Change-Id: I0aad333ba1526c0a61ea2d55c528b1e7373897e7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-01 03:19:18 +00:00
Thiébaud Weksteen
3d85f1e116 Use generic isSelector 
seapp_contexts supports multiple boolean attributes: isPrivApp,
isEphemeralApp, isIsolatedComputeApp, isSdkSandboxAudit,
isSdkSandboxNext, fromRunAs. Each of these exists to support a specific
labelling scenario from the framework. When a new predicate is required,
an update to libselinux is also required. This change generically
handles any attribute starting with "is" and maps it directly
(case-insensitive) to the same seinfo field.

It is assumed that only one of these is required at a time. An error is
raised if seapp_contexts contains multiple is-selector within one rule.
An error is raised if seinfo contains multiple is-selector.

The order for comparison between seapp_contexts is altered: an entry
with an is-selector will be prioritized over one with an unspecifed
is-selector. This is not quite the previous order (e.g., isPrivApp <
targetSdkVersion < fromRunAs), but it is understood that the previous
order was not intentional and emerged from the incremental contributions
to this library.

The boolean info.isPreinstalledApp is replaced by checking the first
byte of info.partition.

Test: atest --host libselinux_test
Bug: 307635909
Change-Id: Ice3b84870e3255f6d9357d9750acbe9691b45aad
 2023-12-01 10:42:50 +11:00
Thiébaud Weksteen
f87183c61b Refactor the parsing of seinfo am: 7fd89c00f7 am: c4b477c1de 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2836178

Change-Id: Ia03b4d9c99c43b1644c949f5ca6cfb11147f383d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-11-21 23:32:50 +00:00
Thiébaud Weksteen
6af667a24b Refactor the parsing of seinfo am: 7fd89c00f7 am: 4bf49f0fb0 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2836178

Change-Id: I5b172e06cd5efe1c18a0eb9bf7f69593aeb76d29
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-11-21 23:00:27 +00:00
Thiébaud Weksteen
c4b477c1de Refactor the parsing of seinfo am: 7fd89c00f7 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2836178

Change-Id: I11bfae9f5cb86c03642d30afb7b8f1ea46c9efb0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-11-21 22:47:45 +00:00
Thiébaud Weksteen
4bf49f0fb0 Refactor the parsing of seinfo am: 7fd89c00f7 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2836178

Change-Id: Ifa4dbb6ccaa95af13c388fb60736517b77b34475
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-11-21 22:28:21 +00:00
Thiébaud Weksteen
7fd89c00f7 Refactor the parsing of seinfo 
The seinfo string contains many attributes provided by the caller to
match an seapp_contexts rule. Its usage has evolved organically and now
contains multiple fields for various purposes.

Refactor the parsing of seinfo, relying on strtok as the string
informally follows the convention of using colons between attributes and
an equal sign to separate an attribute and its value. For instance,

  default:privapp:targetSdkVersion=10000:partition=system:complete

A new internal structure is introduced to capture the attributes. The
new parse_seinfo function replaces seinfo_parse (which only parsed the
first attribute, historically the original seinfo), get_partition and
get_app_targetSdkVersion.

The new function is expected to behave similarly to the previous code.
Unknown attributes are now logged, but still ignored. The "complete"
attribute is now interpreted (as the last attribute), but not required.

Unit tests are added to cover standard and edge cases.

Test: boot and verify denial logs
Test: atest --host libselinux_test
Bug: 307635909
Change-Id: Ia0e3522c42c80e6e631ff1af644e03f53d88da93
 2023-11-21 13:59:42 +11:00
Sandro Montanari
bc58ce3f60 Introduce sdk_sandbox_audit SELinux domain am: 90c0d6546d am: 1163af38b5 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2797594

Change-Id: Ife97c50400054605e3e9fe62574a05ee65bc3e31
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-10-26 13:37:52 +00:00
Sandro Montanari
7c4998952f Introduce sdk_sandbox_audit SELinux domain am: 90c0d6546d am: 1fb35a146a 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2797594

Change-Id: I21ce6a808a1db942978cf7195c59c1611766e50c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-10-26 13:36:05 +00:00
Sandro Montanari
1163af38b5 Introduce sdk_sandbox_audit SELinux domain am: 90c0d6546d 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2797594

Change-Id: I99385f64dec55322fb600c15da8a648ee15b453d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-10-26 13:14:40 +00:00
Sandro Montanari
1fb35a146a Introduce sdk_sandbox_audit SELinux domain am: 90c0d6546d 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2797594

Change-Id: I30e008c05bfa75bff1ffb60bd7c8c869c7fc062c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-10-26 13:13:08 +00:00
Sandro Montanari
90c0d6546d Introduce sdk_sandbox_audit SELinux domain 
Bug: 295861450
Test: atest CtsSdkSandboxInprocessTests and adb shell ps -Z
Change-Id: Ic2dc4c854b3bbe5719b83fcd5504766a1e92e6a4
 2023-10-26 10:05:49 +00:00
Thiébaud Weksteen
32eb7e6bc4 Remove APEX sepolicy support am: e9448817b3 am: befd9372d7 am: 298608b246 am: 61ac3b9137 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2736178

Change-Id: I25227cf516e7a4799a4cbea23740cddbfac53919
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-09-06 08:43:01 +00:00
Thiébaud Weksteen
61ac3b9137 Remove APEX sepolicy support am: e9448817b3 am: befd9372d7 am: 298608b246 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2736178

Change-Id: I372c214844771151969d8b021023b6e7a6fe1862
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-09-06 07:21:22 +00:00
Thiébaud Weksteen
298608b246 Remove APEX sepolicy support am: e9448817b3 am: befd9372d7 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2736178

Change-Id: I3117e97c5ace1a8b69d869bf189a0e8b751849ec
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-09-06 05:45:28 +00:00
Thiébaud Weksteen
befd9372d7 Remove APEX sepolicy support am: e9448817b3 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2736178

Change-Id: I784f0839f4ce0d1aee5f87837529acd328f3e6f3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-09-06 04:08:27 +00:00
Thiébaud Weksteen
e9448817b3 Remove APEX sepolicy support 
Test: boot aosp_cf_x86_64_phone
Bug: 297794885
Change-Id: Ia447f1ce783eb83db41454aaee5e93f7f09c36b1
 2023-09-04 14:14:05 +10:00
Inseob Kim
6c035ce159 Add a comment to keep in sync with CTS am: 5cfac38d10 am: 03af209f74 am: 7959969e47 am: 603ac63b13 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2709434

Change-Id: Ie9526b15e1cab0da56a2152f91cf99d4d7c5f5bf
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-08-16 16:33:27 +00:00
Inseob Kim
603ac63b13 Add a comment to keep in sync with CTS am: 5cfac38d10 am: 03af209f74 am: 7959969e47 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2709434

Change-Id: I23020f2dcc69c7e8f3b53fda7ed7954117922329
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-08-16 15:25:10 +00:00
Inseob Kim
7959969e47 Add a comment to keep in sync with CTS am: 5cfac38d10 am: 03af209f74 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2709434

Change-Id: I15579adc5dd42b42747d69ebba92e1f3fb3037ba
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-08-16 14:38:24 +00:00
Inseob Kim
03af209f74 Add a comment to keep in sync with CTS am: 5cfac38d10 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2709434

Change-Id: I38131daf2d6fb24828cd82f8cc9af501eefe7704
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-08-16 13:35:07 +00:00
Inseob Kim
5cfac38d10 Add a comment to keep in sync with CTS 
Test: N/A
Change-Id: I8d8c5033bcd9553a7b33e2d3875cc387fc4ddb86
 2023-08-16 11:15:48 +09:00
Inseob Kim
aa4e4066d3 Change seapp partition log to warning am: cde31a9d4d am: 9f06a40585 am: 6d76d34364 am: 0fee82b014 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2685446

Change-Id: I052a3899aa567440c4e7b4ecdb5aa53782a5f9b3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-08-01 11:16:38 +00:00
Inseob Kim
0fee82b014 Change seapp partition log to warning am: cde31a9d4d am: 9f06a40585 am: 6d76d34364 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2685446

Change-Id: I06a0ce738ef402163a3cc12c9e78bf481c3a6b8f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-08-01 10:32:27 +00:00
Inseob Kim
6d76d34364 Change seapp partition log to warning am: cde31a9d4d am: 9f06a40585 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2685446

Change-Id: Id5655ac83fba93b9f0244b338cdb50cb8925bb44
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-08-01 09:48:32 +00:00
Inseob Kim
9f06a40585 Change seapp partition log to warning am: cde31a9d4d 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2685446

Change-Id: Ib55f9ee9ded8069ab5d51e074e658207e0a1296c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-08-01 09:09:05 +00:00
Inseob Kim
cde31a9d4d Change seapp partition log to warning 
It makes more sense to print it as a warning, because it's not a hard
error for now (until we resolve all violations and create a compliance
test)

Bug: N/A
Test: boot
Change-Id: Iac5deb1f965394ecd4c2acb3711bd07317956236
 2023-08-01 01:56:20 +00:00
Inseob Kim
94c0a1f5d3 Give priority to platform side seapp_contexts am: 51fde66c16 am: 85561b366a am: fb13a306cd am: 8d73989eb3 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2671235

Change-Id: If8a49a082bb7af91f67e730f64008fb8efa8693b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-26 14:20:30 +00:00
Inseob Kim
8d73989eb3 Give priority to platform side seapp_contexts am: 51fde66c16 am: 85561b366a am: fb13a306cd 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2671235

Change-Id: Ia7b8018f817eb15fd15040ad90fd2df83399f10f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-26 13:35:54 +00:00
Inseob Kim
fb13a306cd Give priority to platform side seapp_contexts am: 51fde66c16 am: 85561b366a 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2671235

Change-Id: I2e9d919747dfda2faefc40d62ace99d9e27ecb89
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-26 12:52:40 +00:00
Inseob Kim
85561b366a Give priority to platform side seapp_contexts am: 51fde66c16 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2671235

Change-Id: Ifebcd36ec4e164b2e65e4e4acd35e0f85140568f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-26 12:09:33 +00:00
Inseob Kim
51fde66c16 Give priority to platform side seapp_contexts 
This is to remove duplicate errors while fixing seapp_contexts
violations (because old vendors still have the entries).

Bug: 280547417
Test: TH
Change-Id: I8c381dad6e8bf5e91148494b55278e124b845c13
 2023-07-26 13:57:15 +09:00
Inseob Kim
55f05a5e4e Fix preinstalled app partition check am: e7d2d82bbb am: 066e9c5d2a am: 1847b12d43 am: ba4c95392d 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2672475

Change-Id: I6ec3ee9c8188d6bfac3e97fe3eb08ac8a2ed5677
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-26 04:23:25 +00:00
Inseob Kim
45e4f38df0 Check preinstalled app's partition am: be36d71068 am: 44b95e92a7 am: 5ad7961fff am: b777ba8580 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2670896

Change-Id: Ia3e7f3532256db6cc7c1ab16d5f412f56c3d863a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-26 04:23:21 +00:00
Inseob Kim
ba4c95392d Fix preinstalled app partition check am: e7d2d82bbb am: 066e9c5d2a am: 1847b12d43 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2672475

Change-Id: Icaef9dde2112eee4b0d47a16dcc6bdd1fde69dbc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-26 03:17:36 +00:00
Inseob Kim
b777ba8580 Check preinstalled app's partition am: be36d71068 am: 44b95e92a7 am: 5ad7961fff 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2670896

Change-Id: Idb08972e124f8f7655d9ce97d050169474bedf7d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-26 03:17:34 +00:00
Inseob Kim
1847b12d43 Fix preinstalled app partition check am: e7d2d82bbb am: 066e9c5d2a 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2672475

Change-Id: I6c0b1f36bfcbd3469f98f30a455131b537453cd1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-26 02:31:27 +00:00
Inseob Kim
5ad7961fff Check preinstalled app's partition am: be36d71068 am: 44b95e92a7 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2670896

Change-Id: I7f2e49ed1c0054ae27dae1589f4b2d7706cd2430
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-26 02:31:24 +00:00
Inseob Kim
066e9c5d2a Fix preinstalled app partition check am: e7d2d82bbb 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2672475

Change-Id: I21f87747dd2d9aeb46d8e086c972570c52f7ff52
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-26 01:23:50 +00:00
Inseob Kim
44b95e92a7 Check preinstalled app's partition am: be36d71068 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2670896

Change-Id: Ic4da60ec5b8b9af700614c41579b537aebce3f20
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-26 01:23:46 +00:00
Inseob Kim
e7d2d82bbb Fix preinstalled app partition check 
There is a bug on the code checking the partition, so it's printing
wrong logcat messages. This fixes it by renaming the function name for
better readability.

Also it fixes a bug that the check only happens when levelFrom != NONE.

Bug: 291005833
Test: boot and see logcat
Merged-In: I2dd51a995d76b2c50dae2b2c4af8e3a3a4599408
Change-Id: I2dd51a995d76b2c50dae2b2c4af8e3a3a4599408
(cherry picked from commit 321c025259)
 2023-07-25 10:33:06 +09:00
Inseob Kim
be36d71068 Check preinstalled app's partition 
Bug: 280547417
Test: boot pixel and cuttlefish
Change-Id: I6ed125eff392020ace6686514e0a102dab1fb10f
Merged-In: I6ed125eff392020ace6686514e0a102dab1fb10f
(cherry picked from commit dc9f3516d7)
 2023-07-25 10:32:35 +09:00
Inseob Kim
d44af41693 Fix code detecting duplicated seapp_contexts entry am: c3d1e5a24a am: 7e6718c196 am: 0a8954744d am: d600004be6 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2658206

Change-Id: Iccfb5417ea9ea942413f621f15325b3bdb63d612
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-17 13:46:30 +00:00
Inseob Kim
d600004be6 Fix code detecting duplicated seapp_contexts entry am: c3d1e5a24a am: 7e6718c196 am: 0a8954744d 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2658206

Change-Id: I5d509a734572a9b9f95d75ac65f7f6b3fe5ec3bb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-17 13:07:21 +00:00
Inseob Kim
0a8954744d Fix code detecting duplicated seapp_contexts entry am: c3d1e5a24a am: 7e6718c196 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2658206

Change-Id: I4ed3459e4b181e014bbf28ee9f88d163a46d49b3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-17 12:21:21 +00:00
Inseob Kim
7e6718c196 Fix code detecting duplicated seapp_contexts entry am: c3d1e5a24a 
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2658206

Change-Id: Ie55483272fdc4f99df6b7f3d800c16f8eabf60dc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-07-17 11:35:17 +00:00
Inseob Kim
c3d1e5a24a Fix code detecting duplicated seapp_contexts entry 
There are two problems addressed by this change.

1) qsort doesn't compare all pairs of elements having the same
   precedence. We can't rely only on qsort's comparator to detect
   duplicates.

2) comparing logic is broken. For example,

        s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp

   really should be

        !s1->isPrivAppSet || s1->isPrivApp == s2->isPrivApp

Bug: 291528964
Test: manually create two duplicated entries and boot
Change-Id: Ieae4a7f5419e18636bb2fd5f70700faa4fa8acf1
 2023-07-17 10:04:00 +00:00