selinux_check_access relies on string_to_security_class to resolve the
class index from its char* argument. There is no input validation done
on the string provided. It is possible to supply an argument containing
trailing backslashes (i.e., "sock_file//////") so that the paths built
in discover_class get truncated. The processing will then reference the
same permission file multiple time (e.g., perms/watch_reads will be
truncated to perms/watch). This will leak the memory allocated when
strdup'ing the permission name. The discover_class_cache will end up in
an invalid state (but not corrupted).
Ensure that the class provided does not contain any path separator.
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: James Carter <jwcart2@gmail.com>
Currently "-i" only ignores a file whose parent directory exists. Start also
ignoring paths with missing components.
Fixes:
# restorecon -i -v -R /var/log/missingdir/missingfile; echo $?
255
restorecon: SELinux: Could not get canonical path for /var/log/missingdir/missingfile restorecon: No such file or directory.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
The distutils package is deprecated and scheduled to be removed in
Python 3.12. Use the setuptools and sysconfig modules instead.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Musl libc doesn't define __uid_t, and bionic's getpwuid takes a
uid_t, not a __uid_t.
Bug: 190084016
Test: m USE_HOST_MUSL=true host-native
Change-Id: I0f55c785c622365482d635d795f639a95acefd47
Split selinux_android_seapp_context_reload and seapp_context_lookup to
prevent the loading and use of the default seapp_contexts files (e.g.,
/system/etc/selinux/plat_file_contexts). The exposed API and current
callers of seapp_context_lookup remain the same.
Test: atest --host libselinux_test
Bug: 234313751
Change-Id: If3b525b92fa43e5599075509d4de55ff39ec8a6e
android_seapp.c can be build on host. strlcpy is replaced with strncpy
(the string copied is static). An alias seapp_getpwuid is created to
allow faking for the unit test.
Bug: 234313751
Test: build & boot
Change-Id: I0e86d83fddb3ceb20d63963b40ea0ca227a8538a
With android_platform.c split between android_device.c and
android_seapp.c, update the build configuration. Move to the internal
header the interface expected between the two files.
Test: m
Bug: 234313751
Change-Id: If13a7484bf48a49e36a424c39f6f62ec6140fc22
The context file locations are represented using a 2-dimension array of
paths. Use a struct to simplify the syntax.
Bug: 234313751
Test: m
Change-Id: Iaf62955d1c142f4210215cecbee427e91031516e
Support passing an optional object name to compute_create for name
based type transitions.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This header file was used for all imports of android.c and
android_platform.c. Move the include directives to the source files
instead, to follow the include-what-you-use rule.
Bug: 234313751
Test: m
Change-Id: I362a722b2a3e7cd204772d8e37fa9b893184e1ce
A compilation option ANDROID_UNIT_TESTING is introduced to skip the
implicit search for /sys/fs/selinux when libselinux is first
initialized. The label functions of libselinux are used as-is (instead
of a mock or fake).
Expose the context_handle function internally so it may be called within
the unit tests.
Bug: 234313751
Test: atest --host libselinux_test
Change-Id: Ifd7f4857c959a6c7d397682ba9913dc1d1cea591
Currently, tagging a symbol with #apex (# systemapi or # llndk) is not
required when the symbol is in a non-NDK library. However, this is
considered dangerous because such a symbol will automatically be
promoted to NDK APIs when the library is promoted to an NDK library.
When that happens, the native API council won't be able to notice the
promotion because promoting a non-NDK library into an NDK library
doesn't require an update of the map.txt file, but Android.bp only.
To prevent that, we should mandate those tags for Mainline APIs
regardless of whether the library the API belongs to is an NDK library
or not.
Upcoming changes in build/soong will enforce this. This change is to
prepare for the enforcement.
Note that this is a build-time only change. There's no behavior change
at runtime.
Bug: 184712170
Test: m
Change-Id: I168fbdcf0a2a9b4e987a5410db941c0b4e4d9c35
Move sources files to the default libselinux rule so that other binaries
may reuse the same defaults (i.e., unittests). The majority of sources
can be compiled for the host.
Bug: 234313751
Test: local build for aosp_bramble-userdebug
Test: TH
Change-Id: I0b76bf79ceabd6096ab4ef03f0c8648d0636a310
Test .gitignore and make clean distclean
error: missing .gitignore entry for libselinux/src/selinux.egg-info/
error: missing .gitignore entry for python/sepolicy/sepolicy.egg-info/
Error: Process completed with exit code 1.
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/PKG-INFO
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/SOURCES.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/dependency_links.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/top_level.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/PKG-INFO
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/SOURCES.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/dependency_links.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/top_level.txt
Error: Process completed with exit code 1.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
When the O_PATH emulation fails due to getxattr(2)/setxattr(2) failing
with ENOENT, e.g. because no procfs being available, override the errno
value to EBADF. This avoids confusion to the caller as it would suggest
the target of the operation does not exist, which is not the case:
setfiles: Could not set context for /: No such file or directory
Fixes: a782abf2 ("libselinux: emulate O_PATH support in fgetfilecon/fsetfilecon")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In commit 7d69031, pkgdir_selabel_lookup was updated to return an error
in case of invalid path. Such errors were previously ignored, relying on
the default file_contexts for such path. For example, if the security
context of /data/user/0a is restored, the parsing would fail and the
security context of /data/ used instead (i.e., system_data_file).
Restore this behaviour to avoid spurious error messages.
Test: build & boot bramble; check logcat for "Could not set context for"
Bug: 241150859
Change-Id: I5d78b558307bb4a02431783da69c92ea5a47de91
Previously, if restorecon was called for a /data subdirectory, the
userid (id of the physical user) was not taken into account. Capture the
userid from the file path and use it to set the security context.
Test: flash & adb push xxx /data/user/10/xxx & verify security context
Bug: 223254943
Change-Id: Ia20e192cb31435d810e43aa35eccbf55f721419a
We are now default restricting bindgen visibility to subpackages. This
change is part of a set of changes adding explicit visibility for
bindgen libraries which are already being used elsewhere.
* If these visibility rules are to allow access by the safe bindings
library which lives elsewhere in the codebase, no action is needed.
* If safe bindings do not exist, and you own this library, now is a good
time to think about producing them and transitioning your (now
enumerated) client list.
* If safe bindings exist, but there is a surprise client of the raw
bindings on this list, now is a good time to talk to them about why
they don't want to use your safe bindings.
Bug: 166332519
Test: m
Change-Id: I967811c6cf563725d591e1d8536f7c6e19535996
The variable `curcon` is NULL in case the file has no current security
context. Most C standard libraries handle it fine, avoid it nonetheless
for standard conformance.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Revert submission 2110147
Reason for revert: Broken sdk_mac target.
Reverted Changes:
Ifcd00954b:Refactor sources in Android.bp
Ie313b6d63:Add unit tests for service contexts backend
Change-Id: Id3d9c69c508b4774e667a600346b03a7c09e3a96
Revert submission 2110147
Reason for revert: Broken sdk_mac target.
Reverted Changes:
Ifcd00954b:Refactor sources in Android.bp
Ie313b6d63:Add unit tests for service contexts backend
Change-Id: I616f43ed57626b5255dcf193f5f2c750b47f2fae
This reverts commit b4634567e5.
Reason for revert: This was not sufficient to fix the sdk_mac target. Reverting for now, as well as the other changes.
Change-Id: I5a1e039d031c7fc65972a39f1ae47701838e2f98
security_load_policy(3) takes a read-only memory address for a binary
policy to be loaded.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The following interfaces are documented but do not have a redirection:
- context_str(3)
- security_get_checkreqprot(3)
- security_set_boolean_list(3)
- selinux_sepgsql_context_path(3)
- setexecfilecon(3)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
To copy string safely, by always NULL-terminating them, and provide an
easy way to check for truncation introduce the nonstandard function
strlcpy(3). Use the system implementation if available.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
In case the function __policy_init() gets called with a NULL pointer,
the stack variable path remains uninitialized (except at its last
index). If parsing the binary policy fails in sepol_policydb_read() the
error branch would access those uninitialized memory.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
libselinux implements a cache mechanism for get*con() functions, such
that when a thread calls setcon(...) then getcon(...), the context is
directly returned. Unfortunately, getpidcon(pid, &context) uses the same
cached variable, so when a program uses setcon("something"), all later
calls to getpidcon(pid, ...) returns "something". This is a bug.
Here is a program which illustrates this bug:
#include <stdio.h>
#include <selinux/selinux.h>
int main() {
char *context = "";
if (getpidcon(1, &context) < 0) {
perror("getpidcon(1)");
}
printf("getpidcon(1) = %s\n", context);
if (getcon(&context) < 0) {
perror("getcon()");
}
printf("getcon() = %s\n", context);
if (setcon(context) < 0) {
perror("setcon()");
}
if (getpidcon(1, &context) < 0) {
perror("getpidcon(1)");
}
printf("getpidcon(1) = %s\n", context);
return 0;
}
On an Arch Linux system using unconfined user, this program displays:
getpidcon(1) = system_u:system_r:init_t
getcon() = unconfined_u:unconfined_r:unconfined_t
getpidcon(1) = unconfined_u:unconfined_r:unconfined_t
With this commit, this program displays:
getpidcon(1) = system_u:system_r:init_t
getcon() = unconfined_u:unconfined_r:unconfined_t
getpidcon(1) = system_u:system_r:init_t
This bug was present in the first commit of
https://github.com/SELinuxProject/selinux git history. It was reported
in https://lore.kernel.org/selinux/20220121084012.GS7643@suse.com/ and a
patch to fix it was sent in
https://patchwork.kernel.org/project/selinux/patch/20220127130741.31940-1-jsegitz@suse.de/
without a clear explanation. This patch added pid checks, which made
sense but were difficult to read. Instead, it is possible to change the
way the functions are called so that they directly know which cache
variable to use.
Moreover, as the code is not clear at all (I spent too much time trying
to understand what the switch did and what the thread-local variable
contained), this commit also reworks libselinux/src/procattr.c to:
- not use hard-to-understand switch/case constructions on strings (they
are replaced by a new argument filled by macros)
- remove getpidattr_def macro (it was only used once, for pidcon, and
the code is clearer with one less macro)
- remove the pid parameter of setprocattrcon() and setprocattrcon_raw()
(it is always zero)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Cc: Johannes Segitz <jsegitz@suse.de>
Replace AID_APP with AID_APP_START and AID_USER with AID_USER_OFFSET.
These have the same constant values. See android_filesystem_config.h.
Test: m
Change-Id: I3f696ee30de09f1a41f1c7eb4be6508c0d34c6ce
This reverts commit 7e979b56fd.
The reverted commit broke `setfiles` when it's run from a chroot
without /proc mounted, e.g.
# chroot /mnt/sysimage
chroot# setfiles -e /proc -e /sys /sys /etc/selinux/targeted/contexts/files/file_contexts /
[strace]
openat(AT_FDCWD, "/", O_RDONLY|O_EXCL|O_NOFOLLOW|O_PATH) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0555, st_size=4096, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 2101248, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1697c91000
fgetxattr(3, "security.selinux", 0x55be8881d3f0, 255) = -1 EBADF (Bad file descriptor)
fcntl(3, F_GETFL) = 0x220000 (flags O_RDONLY|O_NOFOLLOW|O_PATH)
getxattr("/proc/self/fd/3", "security.selinux", 0x55be8881d3f0, 255) = -1 ENOENT (No such file or directory)
[/strace]
setfiles: Could not set context for /: No such file or directory
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
context_str(3) returns a string representation of the given context.
This string is owned by the context and free'd on context_free(3).
Declare it const, as already done in the man page, since it must not be
free'd by the caller.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
A compilation option ANDROID_UNIT_TESTING is introduced to skip the
implicit search for /sys/fs/selinux when libselinux is first
initialized. The label functions of libselinux are used as-is (instead
of a mock or fake).
Expose the context_handle function internally so it may be called within
the unit tests.
Bug: 234313751
Test: atest --host libselinux_test
Change-Id: Ie313b6d63d25d42d9ec1b16a8bb42160950b5be8
Move sources files to the default libselinux rule so that other binaries
may reuse the same defaults (i.e., unittests). The majority of sources
can be compiled for the host.
Bug: 234313751
Test: build
Change-Id: Ifcd00954b09f1d05c91f3deaf15cf16091455308
The library is already available as part of LL-NDK. It was partially
removed in commit 1ea855e, complete the clean up.
Test: m
Bug: 151303316
Change-Id: If824aeeb4f79b5759e103a7d0473946fd51f9171
Remove the exported header entry and replace the function body with a
log message. Keep the linker entry for compatibility.
Bug: 230037499
Test: m libselinux
Change-Id: I9abd7be80c228362ec2fe44d105301ed6e4d0095
The family of setfilecon(3) functions take the context as a read-only
`const char *` parameter.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Print error description on failure after functions known to set errno.
Also mention the library function name in getenforce, policyvers and
setenforce instead of the program name twice.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
selinux_log() is used in many error branches, where the caller might
expect errno to bet set, e.g. label_file.c::lookup_all():
if (match_count) {
*match_count = 0;
result = calloc(data->nspec, sizeof(struct spec*));
} else {
result = calloc(1, sizeof(struct spec*));
}
if (!result) {
selinux_log(SELINUX_ERROR, "Failed to allocate %zu bytes of data\n",
data->nspec * sizeof(struct spec*));
goto finish;
}
Preserve errno in the macro wrapper itself, also preventing accidental
errno modifications in client specified SELINUX_CB_LOG callbacks.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In case the allocation for the filename fails, free the memory of the context.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Pin the file to operate on in restorecon_sb() to prevent symlink attacks
in between the label database lookup, the current context query and the
final context write. Also don't use the file information from
fts_read(3), which might also be out of sync.
Due to querying file information twice, one in fts_read(3) needed for
the cross device check and one on the pinned file descriptor for the
database lookup, there is a slight slowdown:
[current]
Time (mean ± σ): 14.456 s ± 0.306 s [User: 45.863 s, System: 4.463 s]
Range (min … max): 14.275 s … 15.294 s 10 runs
[changed]
Time (mean ± σ): 15.843 s ± 0.045 s [User: 46.274 s, System: 9.495 s]
Range (min … max): 15.787 s … 15.916 s 10 runs
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
selabel_lookup_raw(3) can fail for other reasons than no corresponding
context found, e.g. ENOMEM or EINVAL for invalid key or type.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
* mark read-only parameters const
* check for overflow when adding exclude directory
* use 64 bit integer for file counting
* avoid implicit conversions
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Operating on a file descriptor avoids TOCTOU issues and one opened via
O_PATH avoids the requirement of having read access to the file. Since
Linux does not natively support file descriptors opened via O_PATH in
fgetxattr(2) and at least glibc and musl does not emulate O_PATH support
in their implementations, fgetfilecon(3) and fsetfilecon(3) also do not
currently support file descriptors opened with O_PATH.
Inspired by CVE-2013-4392: https://github.com/systemd/systemd/pull/8583
Implementation adapted from: 2825f10b7f%5E%21/
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Currently, if the SELINUX_RESTORECON_ABORT_ON_ERROR flag is clear, then
selinux_restorecon[_parallel]() does not abort the file tree walk upon an
error, but the function itself fails the same, with the same (-1) return
value. This in turn is reported by the setfiles(8) utility to its parent
process with the same exit code (255).
In libguestfs we want to proceed after setfiles(8) fails *at most* with
such errors that occur during the file tree walk. We need setfiles(8) to
exit with a distinct exit status in that situation.
For this, introduce the SELINUX_RESTORECON_COUNT_ERRORS flag, and the
corresponding selinux_restorecon_get_skipped_errors() function, for
selinux_restorecon[_parallel]() to count, but otherwise ignore, errors
during the file tree walk. When no other kind of error occurs, the
relabeling functions will return zero, and the caller can fetch the number
of errors ignored during the file tree walk with
selinux_restorecon_get_skipped_errors().
Importantly, when at least one such error is skipped, we don't write
partial match digests for subdirectories, as any masked error means that
any subdirectory may not have been completely relabeled.
Cc: "Richard W.M. Jones" <rjones@redhat.com>
Cc: Petr Lautrbach <plautrba@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1794518
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
The loading of context files is similar between the different backends.
Refactor their definitions and loading. The trade-off is that each
backend context configuration will be a 6x2 pointer array vs exact size
previously. This is negligible as the majority of backends are defined
for almost all partitions (with vndservice being the exception). Having
these constant-size arrays greatly simplifies the processing.
The only difference in behaviour is that each file_context being loaded
is also being reported to the logs (similarly to service and
keystore2_key backend).
Test: build and boot, verify logcat messages from SELinux
Change-Id: I71954b624ce5ca7cca68a18d7e81c462359a4330
Rename once to seapp_once, to avoid confusion with the other once marker
used within libselinux.
Test: build
Change-Id: I02aafefa7280ddd557650483b050219e1763ae47
The internal Sha1Update() functions only handles buffers up to a size of
UINT32_MAX, due to its usage of the type uint32_t. This causes issues
when processing more than UINT32_MAX bytes, e.g. with a specfile larger
than 4G. 0aa974a4 ("libselinux: limit has buffer size") tried to
address this issue, but failed since the overflow check
if (digest->hashbuf_size + buf_len < digest->hashbuf_size) {
will be done in the widest common type, which is size_t, the type of
`buf_len`.
Revert the type of `hashbuf_size` to size_t and instead process the data
in blocks of supported size.
Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reverts: 0aa974a4 ("libselinux: limit has buffer size")
If selabel_open(3) fails, e.g. when a specfile has the wrong file
permissions, free the memory allocated for digests.
Fixes: e40bbea9 ("libselinux: Add selabel_digest function")
Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
selabel_open(3) takes an `unsigned int` as backend parameter.
Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
The `struct selabel_digest` member `hashbuf_size` is used to compute
hashes via `Sha1Update()`, which takes uint32_t as length parameter
type. Use that same type for `hashbuf_size` to avoid potential value
truncations, as the overflow check in `digest_add_specfile()` on
`hashbuf_size` is based on it.
label_support.c: In function ‘digest_gen_hash’:
label_support.c:125:53: warning: conversion from ‘size_t’ {aka ‘long unsigned int’} to ‘uint32_t’ {aka ‘unsigned int’} may change value [-Wconversion]
125 | Sha1Update(&context, digest->hashbuf, digest->hashbuf_size);
| ~~~~~~^~~~~~~~~~~~~~
Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Return more detailed error messages when the supplied contexts are
invalid.
Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
App data can be found on `/mnt/expand/<volume-uuid>`. Similarly, we want
sdk data to be together with app data on other volumes. Such directories
should get their labeling from seapp_context just like app data.
Bug: 222034645
Test: atest SdkSandboxStorageHostTest (see ag/17120883)
Ignore-AOSP-First: End to end test added which exists in internal branch
only. Will cherry-pick this CL to aosp standalone once it is safely
merged to internal branch.
Change-Id: I10b53d4827495466521983067e2830486fbd080e
Merged-In: I10b53d4827495466521983067e2830486fbd080e
(cherry picked from commit a58a9091cd)
For convenience, builds against musl libc currently use the
linux_glibc properties because they are almost always linux-specific
and not glibc-specific. In preparation for removing this hack,
tweak the linux_glibc properties by either moving them to host_linux,
which will apply to linux_glibc, linux_musl and linux_bionic, or
by setting appropriate musl or linux_musl properties. Properties
that must not be repeated while musl uses linux_musl and also still
uses the linux_glibc properties are moved to glibc properties, which
don't apply to musl. Whether these stay as glibc properties or get
moved back to linux_glibc later once the musl hack is removed is TBD.
Bug: 223257095
Test: m checkbuild
Test: m USE_HOST_MUSL=true host-native
Change-Id: I416ea94e6a6d8dac014cc1c70226090f1baeddfc
This cl does two things:
1. Supplemental process will be running in a new UID range, between
20k to 30k. As such, we need a new username which is different than app
and isolated process.
2. Supplmental data, which is an extension of app data, is located in
/data/misc_{ce,de}/<user-id>/supplemental directory. Their labeling
need to come from seapp_context file just like other app data
labeling.
See the selinux changes made in ag/16803377 for context on how this is
being used.
Bug: 217543371
Bug: 217559719
Test: atest SupplementalProcessStorageHostTest
- #testSelinuxLabel
- #testSupplementalDataAppDirectory_SharedStorageIsUsable
Change-Id: Ib22c9963761603633d66a232b421dbd5ee752bed
Merged-In: Ib22c9963761603633d66a232b421dbd5ee752bed
(cherry picked from commit 9528843267)
Spaces before values in /etc/selinux/config should be ignored just as
spaces after them are.
E.g. "SELINUXTYPE= targeted" should be a valid value.
Fixes:
# sed -i 's/^SELINUXTYPE=/SELINUXTYPE= /g' /etc/selinux/config
# dnf install <any_package>
...
RPM: error: selabel_open: (/etc/selinux/ targeted/contexts/files/file_contexts) No such file or directory
RPM: error: Plugin selinux: hook tsm_pre failed
...
Error: Could not run transaction.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
In 50400d3 the selabel_open function was updated to call selabel_close
should the initialization of a backend fails. selabel_close includes a
call to the backend-specific close function: closef. This same function
is previously call, in case of an error, within the init function.
The file backend was adapted by introducing a safe guard to prevent a
double free. Update the property backend in a similar fashion.
Bug: 215387420
Test: build & boot
Change-Id: Id6b7c4d10538ccbec43b2af1de462da077f10c44
(cherry picked from commit 98fa1b865d)
Merged-In:Id6b7c4d10538ccbec43b2af1de462da077f10c44
Followed the following steps:
# aosp mirror does not have the upstream tags. Manually mark the
# 3.3 release. See
# https://github.com/SELinuxProject/selinux/releases/tag/3.3
git tag 3.3 7f600c40bc
repo start update_3_3 .
git merge 3.3 --no-ff # No merge conflicts were found.
lunch && m
repo upload .
Bug: 37755687
Test: Build aosp_bramble-userdebug and manually compare the generated
/{system,vendor,product}/etc/selinux* files with their previous
versions. All are identical.
Change-Id: I6a514d7db9a752c44cc61d343f7c1a60f750f317
Quoting pcre.org:
There are two major versions of the PCRE library. The current
version, PCRE2, released in 2015, is now at version 10.39.
The older, but still widely deployed PCRE library, originally
released in 1997, is at version 8.45. This version of PCRE is now at
end of life, and is no longer being actively maintained. Version
8.45 is expected to be the final release of the older PCRE library,
and new projects should use PCRE2 instead.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
selinux_restorecon_parallel was originally proposed before 3.3, but it
was merged after release so it will be introduced in version 3.4.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
Refactor selinux_restorecon(3) to allow for distributing the relabeling
to multiple threads and add a new function
selinux_restorecon_parallel(3), which allows specifying the number of
threads to use. The existing selinux_restorecon(3) function maintains
the same interface and maintains the same behavior (i.e. relabeling is
done on a single thread).
The parallel implementation takes a simple approach of performing all
the directory tree traversal in a critical section and only letting the
relabeling of individual objects run in parallel. Thankfully, this
approach turns out to be efficient enough in practice, as shown by
restorecon benchmarks (detailed in a subsequent patch that switches
setfiles & restorecon to use selinux_restorecon_parallel(3)).
Note that to be able to use the parallelism, the calling application/
library must be explicitly linked to the libpthread library (statically
or dynamically). This is necessary to mantain the requirement that
libselinux shouldn't explicitly link with libpthread. (I don't know what
exactly was the reason behind this requirement as the commit logs are
fuzzy, but special care has been taken in the past to maintain it, so I
didn't want to break it...)
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Use the __selinux_once() macro to ensure that threads don't race to
initialize the list of customizable types.
Reported-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Tested-by: Christian Göttsche <cgzones@googlemail.com>
Ensure that selinux_log() is thread-safe by guarding the call to the
underlying callback with a mutex.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Not very useful on its own, but will allow to implement a parallel
version of selinux_restorecon() in subsequent patches.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
The 'matches' member of 'struct spec' may be written to by different
threads, so it needs to be accessed using the proper atomic constructs.
Since the actual count of matches doesn't matter and is not used,
convert this field to a bool and just atomically set/read it using GCC
__atomic builtins (which are already being used in another place).
If the compiler lacks support for __atomic builtins (which seem to have
been introduced in GCC 4.1), just fail the compilation. I don't think
it's worth tryin to invent a workaround to support a 15 years old
compiler.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Glibc 2.34 added an access function attribute to pthread_setspecific(3).
This leads to the following GCC warnings:
In file included from matchpathcon.c:5:
matchpathcon.c: In function ‘matchpathcon_init_prefix’:
selinux_internal.h:38:25: error: ‘pthread_setspecific’ expecting 1 byte in a region of size 0 [-Werror=stringop-overread]
38 | pthread_setspecific(KEY, VALUE); \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
matchpathcon.c:359:9: note: in expansion of macro ‘__selinux_setspecific’
359 | __selinux_setspecific(destructor_key, (void *)1);
| ^~~~~~~~~~~~~~~~~~~~~
In file included from selinux_internal.h:2,
from matchpathcon.c:5:
/usr/include/pthread.h:1167:12: note: in a call to function ‘pthread_setspecific’ declared with attribute ‘access (none, 2)’
1167 | extern int pthread_setspecific (pthread_key_t __key,
| ^~~~~~~~~~~~~~~~~~~
The actual value and the validity of the passed pointer is irrelevant,
since it does not gets accessed internally by glibc and
pthread_getspecific(3) is not used.
Use a pointer to a global object to please GCC.
Closes: https://github.com/SELinuxProject/selinux/issues/311
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
"nonplat" was renamed to "vendor" in Android Pie, but was retained
here for Treble compatibility.
We're now outside of the compatbility window for these devices so
it can safely be removed.
Test: build boot cuttlefish device. adb remount, modify
/system/etc/selinux/plat_sepolicy_and_mapping.sha256 to force
on-device policy compilation. reboot. Verify that device boots
without new selinux denials.
Change-Id: Ifec2d60810e4b2742f34b09d646db5e4ff6bb83b
