The library is already available as part of LL-NDK. It was partially
removed in commit 1ea855e, complete the clean up.
Test: m
Bug: 151303316
Change-Id: If824aeeb4f79b5759e103a7d0473946fd51f9171
Remove the exported header entry and replace the function body with a
log message. Keep the linker entry for compatibility.
Bug: 230037499
Test: m libselinux
Change-Id: I9abd7be80c228362ec2fe44d105301ed6e4d0095
The loading of context files is similar between the different backends.
Refactor their definitions and loading. The trade-off is that each
backend context configuration will be a 6x2 pointer array vs exact size
previously. This is negligible as the majority of backends are defined
for almost all partitions (with vndservice being the exception). Having
these constant-size arrays greatly simplifies the processing.
The only difference in behaviour is that each file_context being loaded
is also being reported to the logs (similarly to service and
keystore2_key backend).
Test: build and boot, verify logcat messages from SELinux
Change-Id: I71954b624ce5ca7cca68a18d7e81c462359a4330
Rename once to seapp_once, to avoid confusion with the other once marker
used within libselinux.
Test: build
Change-Id: I02aafefa7280ddd557650483b050219e1763ae47
App data can be found on `/mnt/expand/<volume-uuid>`. Similarly, we want
sdk data to be together with app data on other volumes. Such directories
should get their labeling from seapp_context just like app data.
Bug: 222034645
Test: atest SdkSandboxStorageHostTest (see ag/17120883)
Ignore-AOSP-First: End to end test added which exists in internal branch
only. Will cherry-pick this CL to aosp standalone once it is safely
merged to internal branch.
Change-Id: I10b53d4827495466521983067e2830486fbd080e
Merged-In: I10b53d4827495466521983067e2830486fbd080e
(cherry picked from commit a58a9091cd)
For convenience, builds against musl libc currently use the
linux_glibc properties because they are almost always linux-specific
and not glibc-specific. In preparation for removing this hack,
tweak the linux_glibc properties by either moving them to host_linux,
which will apply to linux_glibc, linux_musl and linux_bionic, or
by setting appropriate musl or linux_musl properties. Properties
that must not be repeated while musl uses linux_musl and also still
uses the linux_glibc properties are moved to glibc properties, which
don't apply to musl. Whether these stay as glibc properties or get
moved back to linux_glibc later once the musl hack is removed is TBD.
Bug: 223257095
Test: m checkbuild
Test: m USE_HOST_MUSL=true host-native
Change-Id: I416ea94e6a6d8dac014cc1c70226090f1baeddfc
This cl does two things:
1. Supplemental process will be running in a new UID range, between
20k to 30k. As such, we need a new username which is different than app
and isolated process.
2. Supplemental data, which is an extension of app data, is located in
/data/misc_{ce,de}/<user-id>/supplemental directory. Their labeling
needs to come from seapp_context file just like other app data
labeling.
See the selinux changes made in ag/16803377 for context on how this is
being used.
Bug: 217543371
Bug: 217559719
Test: atest SupplementalProcessStorageHostTest
- #testSelinuxLabel
- #testSupplementalDataAppDirectory_SharedStorageIsUsable
Change-Id: Ib22c9963761603633d66a232b421dbd5ee752bed
Merged-In: Ib22c9963761603633d66a232b421dbd5ee752bed
(cherry picked from commit 9528843267)
Spaces before values in /etc/selinux/config should be ignored just as
spaces after them are.
E.g. "SELINUXTYPE= targeted" should be a valid value.
Fixes:
    # sed -i 's/^SELINUXTYPE=/SELINUXTYPE= /g' /etc/selinux/config
    # dnf install <any_package>
    ...
    RPM: error: selabel_open: (/etc/selinux/ targeted/contexts/files/file_contexts) No such file or directory
    RPM: error: Plugin selinux: hook tsm_pre failed
    ...
    Error: Could not run transaction.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
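Added example, not part of the commit above and not libselinux code: a minimal C sketch of the parsing rule the message describes, where blanks on either side of the value are dropped before the policy path is built. The helper names config_value and file_contexts_path are hypothetical, and the sample lines in the usage are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: extract the value of `key` from one line of
 * /etc/selinux/config, ignoring blanks before and after the value.
 * Returns 0 on success, -1 if the line does not set `key`, or if the
 * value is empty or does not fit in `out`. */
int config_value(const char *line, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);

    while (isspace((unsigned char)*line))
        line++;
    if (strncmp(line, key, klen) != 0 || line[klen] != '=')
        return -1;              /* comment, other key, or key prefix */

    const char *start = line + klen + 1;
    while (isspace((unsigned char)*start))   /* blanks before the value */
        start++;

    const char *end = start + strlen(start);
    while (end > start && isspace((unsigned char)end[-1]))
        end--;                               /* blanks and newline after */

    size_t len = (size_t)(end - start);
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* Build the file_contexts path in the form shown in the RPM error. */
int file_contexts_path(const char *line, char *path, size_t pathlen)
{
    char type[64];

    if (config_value(line, "SELINUXTYPE", type, sizeof(type)) < 0)
        return -1;
    int n = snprintf(path, pathlen,
                     "/etc/selinux/%s/contexts/files/file_contexts", type);
    return (n < 0 || (size_t)n >= pathlen) ? -1 : 0;
}
```

With the leading blank stripped, "SELINUXTYPE= targeted" yields /etc/selinux/targeted/contexts/files/file_contexts instead of the path with an embedded space that selabel_open failed on.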
In 50400d3 the selabel_open function was updated to call selabel_close
should the initialization of a backend fail. selabel_close includes a
call to the backend-specific close function: closef. This same function
is previously called, in case of an error, within the init function.
The file backend was adapted by introducing a safe guard to prevent a
double free. Update the property backend in a similar fashion.
Bug: 215387420
Test: build & boot
Change-Id: Id6b7c4d10538ccbec43b2af1de462da077f10c44
(cherry picked from commit 98fa1b865d)
Merged-In: Id6b7c4d10538ccbec43b2af1de462da077f10c44
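Added example, not part of the commit above and not libselinux code: a constructed C model of the flow the message describes, in which the backend's close function runs once from the init error path and again from the open wrapper. All type and function names are hypothetical; the NULL check plus pointer reset is the safeguard that makes the second call a no-op.

```c
#include <stdlib.h>

/* Constructed stand-ins for a labeling handle and its backend data. */
struct saved_data { char **specs; unsigned nspec; };
struct handle {
    struct saved_data *data;
    void (*func_close)(struct handle *);
};

static int frees;   /* how many times the data block was released */

static void backend_close(struct handle *h)
{
    struct saved_data *d = h->data;

    if (!d)                 /* safeguard: already released by init */
        return;
    for (unsigned i = 0; i < d->nspec; i++)
        free(d->specs[i]);
    free(d->specs);
    free(d);
    frees++;
    h->data = NULL;         /* a later close finds nothing to free */
}

static int backend_init(struct handle *h, int fail)
{
    h->func_close = backend_close;
    h->data = calloc(1, sizeof(*h->data));
    if (!h->data)
        return -1;
    h->data->specs = calloc(1, sizeof(char *));
    if (h->data->specs) {
        h->data->specs[0] = malloc(16);
        h->data->nspec = 1;
    }
    if (fail || !h->data->specs) {
        backend_close(h);   /* init cleans up on its own error path */
        return -1;
    }
    return 0;
}

/* Open wrapper: closes the handle when init fails, as in the message. */
int open_and_count_frees(int fail)
{
    struct handle h = {0};

    frees = 0;
    if (backend_init(&h, fail) == 0)
        h.func_close(&h);   /* normal lifetime: one close */
    else
        h.func_close(&h);   /* second close after the failed init */
    return frees;
}
```

Without the `if (!d) return;` check and the reset of `h->data`, the failing path would free the same block twice.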
Followed the following steps:
    # aosp mirror does not have the upstream tags. Manually mark the
    # 3.3 release. See
    # https://github.com/SELinuxProject/selinux/releases/tag/3.3
    git tag 3.3 7f600c40bc
    repo start update_3_3 .
    git merge 3.3 --no-ff # No merge conflicts were found.
    lunch && m
    repo upload .
Bug: 37755687
Test: Build aosp_bramble-userdebug and manually compare the generated
/{system,vendor,product}/etc/selinux* files with their previous
versions. All are identical.
Change-Id: I6a514d7db9a752c44cc61d343f7c1a60f750f317
Quoting pcre.org:
There are two major versions of the PCRE library. The current
version, PCRE2, released in 2015, is now at version 10.39.
The older, but still widely deployed PCRE library, originally
released in 1997, is at version 8.45. This version of PCRE is now at
end of life, and is no longer being actively maintained. Version
8.45 is expected to be the final release of the older PCRE library,
and new projects should use PCRE2 instead.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
selinux_restorecon_parallel was originally proposed before 3.3, but it
was merged after release so it will be introduced in version 3.4.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
Refactor selinux_restorecon(3) to allow for distributing the relabeling
to multiple threads and add a new function
selinux_restorecon_parallel(3), which allows specifying the number of
threads to use. The existing selinux_restorecon(3) function maintains
the same interface and maintains the same behavior (i.e. relabeling is
done on a single thread).
The parallel implementation takes a simple approach of performing all
the directory tree traversal in a critical section and only letting the
relabeling of individual objects run in parallel. Thankfully, this
approach turns out to be efficient enough in practice, as shown by
restorecon benchmarks (detailed in a subsequent patch that switches
setfiles & restorecon to use selinux_restorecon_parallel(3)).
Note that to be able to use the parallelism, the calling application/
library must be explicitly linked to the libpthread library (statically
or dynamically). This is necessary to maintain the requirement that
libselinux shouldn't explicitly link with libpthread. (I don't know what
exactly was the reason behind this requirement as the commit logs are
fuzzy, but special care has been taken in the past to maintain it, so I
didn't want to break it...)
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Use the __selinux_once() macro to ensure that threads don't race to
initialize the list of customizable types.
Reported-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Tested-by: Christian Göttsche <cgzones@googlemail.com>
Ensure that selinux_log() is thread-safe by guarding the call to the
underlying callback with a mutex.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Not very useful on its own, but will allow to implement a parallel
version of selinux_restorecon() in subsequent patches.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
The 'matches' member of 'struct spec' may be written to by different
threads, so it needs to be accessed using the proper atomic constructs.
Since the actual count of matches doesn't matter and is not used,
convert this field to a bool and just atomically set/read it using GCC
__atomic builtins (which are already being used in another place).
If the compiler lacks support for __atomic builtins (which seem to have
been introduced in GCC 4.1), just fail the compilation. I don't think
it's worth trying to invent a workaround to support a 15 years old
compiler.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Glibc 2.34 added an access function attribute to pthread_setspecific(3).
This leads to the following GCC warnings:
    In file included from matchpathcon.c:5:
    matchpathcon.c: In function ‘matchpathcon_init_prefix’:
    selinux_internal.h:38:25: error: ‘pthread_setspecific’ expecting 1 byte in a region of size 0 [-Werror=stringop-overread]
       38 | pthread_setspecific(KEY, VALUE); \
          | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    matchpathcon.c:359:9: note: in expansion of macro ‘__selinux_setspecific’
      359 | __selinux_setspecific(destructor_key, (void *)1);
          | ^~~~~~~~~~~~~~~~~~~~~
    In file included from selinux_internal.h:2,
                     from matchpathcon.c:5:
    /usr/include/pthread.h:1167:12: note: in a call to function ‘pthread_setspecific’ declared with attribute ‘access (none, 2)’
     1167 | extern int pthread_setspecific (pthread_key_t __key,
          | ^~~~~~~~~~~~~~~~~~~
The actual value and the validity of the passed pointer is irrelevant,
since it does not get accessed internally by glibc and
pthread_getspecific(3) is not used.
Use a pointer to a global object to please GCC.
Closes: https://github.com/SELinuxProject/selinux/issues/311
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
"nonplat" was renamed to "vendor" in Android Pie, but was retained
here for Treble compatibility.
We're now outside of the compatibility window for these devices so
it can safely be removed.
Test: build boot cuttlefish device. adb remount, modify
/system/etc/selinux/plat_sepolicy_and_mapping.sha256 to force
on-device policy compilation. reboot. Verify that device boots
without new selinux denials.
Change-Id: Ifec2d60810e4b2742f34b09d646db5e4ff6bb83b
An expression of the form "1 << x" is undefined if x == 31 because
the "1" is an int and cannot be left shifted by 31.
Instead, use "UINT32_C(1) << x" which will be an unsigned int of
at least 32 bits.
Signed-off-by: James Carter <jwcart2@gmail.com>
The extra dependency of sefcontext_compile on its object file causes the
compile and link step to be separated.
During the link step the CFLAGS are not passed, which might contain
optimization or sanitizer flags.
Reorder the LDLIBS requirements to avoid the symbol 'pcre_fullinfo'
being unresolvable at link time.
Current behavior:
    gcc-11 **custom CFLAGS** -I../include -D_GNU_SOURCE -c -o sefcontext_compile.o sefcontext_compile.c
    gcc-11 -L../src sefcontext_compile.o ../src/regex.o -lselinux -lpcre ../src/libselinux.a -lsepol -o sefcontext_compile
Changed:
    gcc-11 **custom CFLAGS** -I../include -D_GNU_SOURCE -L../src sefcontext_compile.c -lselinux ../src/libselinux.a -lpcre -lsepol -o sefcontext_compile
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Previously, Android used its own cil_write_ast function to output the
resulting AST. libsepol now defines a similar function named
cil_write_build_ast. The new function differs slightly in behaviour:
* It will output "source information" nodes in the resulting CIL. When
loading, it is expected that each source information line (e.g.,
`;;* lms 100 file.cil`) will be matched with a terminating entry (e.g.,
`;;* lme`). If not, the loading will fail. Because we split and merge
policy files in AOSP, explicitly ignore these lines when writing the
AST.
* genfscon paths are now quoted following 644c5bb.
* An extra superfluous set of parentheses was previously added for some
operators (e.g., "range" "and" or "not").
For typeattributes, cil_write_build_ast uses the `fqn` field and not
`name`. Ensure the nodes are correctly populated.
Bug: 190808996
Test: Build aosp_bramble-userdebug and manually compare the generated
/{system,vendor,product}/etc/selinux* files with their previous
versions. The differences are due to the new behaviours described
above.
Test: Force a recompilation of the policy on device, the new policy is
correctly loaded.
Change-Id: I088d1e94ca07cfbd0b6c604f1f82464b3537c392
Musl recently added a wrapper for gettid() syscall. There is no way to
detect this new version in a reliable way, so rename our gettid()
wrapper to a non-conflicting name.
Introduce a new function which, when using a libc known to provide a
wrapper for gettid(), calls it, and which, otherwise, performs the
syscall directly.
Anyway this function is only used on systems where /proc/thread-self
does not exist, which are therefore running Linux<3.17.
Fixes: https://github.com/SELinuxProject/selinux/issues/282
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
(cherry picked from commit 398d2ceef9)
Bug: 190084016
Test: m USE_HOST_MUSL=true fastboot
Change-Id: I7e42155fd341bb2dfdcb73ab93041a1eee3ca64e
This is cherry-picked from upstream
8c21eeeace
Signed-off-by: Kelvin Zhang <zhangxp1998@gmail.com>
Change-Id: I3745d2b45eb42e62f29823edc1b20629bf8ab9d7
The boilerplate is no longer necessary for defining rust_test modules
testing generated source.
Bug: 196076408
Test: m libselinux_bindgen_test
Change-Id: Iae623f4146e7580bc58090cebd78a21413ac844d
The standard function `strerror(3)` is not thread safe. This does not
only affect the concurrent usage of libselinux itself but also with
other `strerror(3)` linked libraries.
Use the thread safe GNU extension format specifier `%m`[1].
libselinux already uses the GNU extension format specifier `%ms`.
[1]: https://www.gnu.org/software/libc/manual/html_node/Other-Output-Conversions.html
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>