seapp_contexts supports multiple boolean attributes: isPrivApp,
isEphemeralApp, isIsolatedComputeApp, isSdkSandboxAudit,
isSdkSandboxNext, fromRunAs. Each of these exists to support a specific
labelling scenario from the framework. When a new predicate is required,
an update to libselinux is also required. This change generically
handles any attribute starting with "is" and maps it directly
(case-insensitive) to the same seinfo field.
It is assumed that only one of these is required at a time. An error is
raised if seapp_contexts contains multiple is-selector within one rule.
An error is raised if seinfo contains multiple is-selector.
The order for comparison between seapp_contexts is altered: an entry
with an is-selector will be prioritized over one with an unspecifed
is-selector. This is not quite the previous order (e.g., isPrivApp <
targetSdkVersion < fromRunAs), but it is understood that the previous
order was not intentional and emerged from the incremental contributions
to this library.
The boolean info.isPreinstalledApp is replaced by checking the first
byte of info.partition.
Test: atest --host libselinux_test
Bug: 307635909
Change-Id: Ice3b84870e3255f6d9357d9750acbe9691b45aad
The seinfo string contains many attributes provided by the caller to
match an seapp_contexts rule. Its usage has evolved organically and now
contains multiple fields for various purposes.
Refactor the parsing of seinfo, relying on strtok as the string
informally follows the convention of using colons between attributes and
an equal sign to separate an attribute and its value. For instance,
default:privapp:targetSdkVersion=10000:partition=system:complete
A new internal structure is introduced to capture the attributes. The
new parse_seinfo function replaces seinfo_parse (which only parsed the
first attribute, historically the original seinfo), get_partition and
get_app_targetSdkVersion.
The new function is expected to behave similarly to the previous code.
Unknown attributes are now logged, but still ignored. The "complete"
attribute is now interpreted (as the last attribute), but not required.
Unit tests are added to cover standard and edge cases.
Test: boot and verify denial logs
Test: atest --host libselinux_test
Bug: 307635909
Change-Id: Ia0e3522c42c80e6e631ff1af644e03f53d88da93
It makes more sense to print it as a warning, because it's not a hard
error for now (until we resolve all violations and create a compliance
test)
Bug: N/A
Test: boot
Change-Id: Iac5deb1f965394ecd4c2acb3711bd07317956236
This is to remove duplicate errors while fixing seapp_contexts
violations (because old vendors still have the entries).
Bug: 280547417
Test: TH
Change-Id: I8c381dad6e8bf5e91148494b55278e124b845c13
There is a bug on the code checking the partition, so it's printing
wrong logcat messages. This fixes it by renaming the function name for
better readability.
Also it fixes a bug that the check only happens when levelFrom != NONE.
Bug: 291005833
Test: boot and see logcat
Merged-In: I2dd51a995d76b2c50dae2b2c4af8e3a3a4599408
Change-Id: I2dd51a995d76b2c50dae2b2c4af8e3a3a4599408
(cherry picked from commit 321c025259)
There are two problems addressed by this change.
1) qsort doesn't compare all pairs of elements having the same
precedence. We can't rely only on qsort's comparator to detect
duplicates.
2) comparing logic is broken. For example,
s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp
really should be
!s1->isPrivAppSet || s1->isPrivApp == s2->isPrivApp
Bug: 291528964
Test: manually create two duplicated entries and boot
Change-Id: Ieae4a7f5419e18636bb2fd5f70700faa4fa8acf1
Right now selinux_android_restorecon will silently succeed if selinux is
disabled which is confusing.
This change adds a log statement that should help with debugging issues
related to disabled selinux (see attached bug).
Bug: 284277137
Test: presubmit
Change-Id: I4ebc6400ac7188660658ef3cccfb7cbdc76c0f22
seapp_context_lookup_internal applies a flag that is referenced in
seapp_contexts based on the seInfo string passed to it.
This enables testers to test out the set of restriction planned the
next SDK version and give feedback before we decide on the actual
restrictions for the next release.
Bug: b/270148964
Test: manual test app and adb shell ps -Z
Change-Id: I175229d135d99516dd6f38b8963d0ccc93a61a4f
libselinux log messages usually end with a new line character. Android
log system does not require the new line character and will include the
character as-is in the log buffer.
selinux_log_callback and selinux_vendor_log_callback implementations are
merged as they provide similar functionalities.
Match the indentation (i.e., tabs) with the rest of the file.
Test: boot & inspect logcat
Change-Id: I0a5e53b8f048c65f29c5df3bd7e0b38f523e42cd
We were previously on 3.5-rc2, there has been only little changes since
then.
Followed the steps:
repo start update_3.5 .
git merge 3.5 --no-ff # No merge conflicts were found.
lunch && m
repo upload .
# Update METADATA in a separate change.
Test: TH
Change-Id: If88fe90d2cbdb1ba6a279cba8b397cd2c808c6ab
Add a note that querying a foreign process via its PID is inherently
racy.
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
Add the public interfaces getpidprevcon(3) and getpidprevcon_raw(3), and
the utility getpidprevcon to gather the previous context before the last
exec of a given process.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
The hash mask is set to 2^16 - 1, which does not fit into a signed 16
bit integer. Use uint32_t to be on the safe side. Also use size_t for
counting in debug function.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
Add const qualifier to read-only state struct.
Minimize scope of function local variables, to reduce complexity.
Pass only the file type related file flags to selabel_lookup(3).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
The optimization flag -funit-at-a-time is enabled by default in GCC[1]
and not supported by Clang:
clang: error: optimization flag '-funit-at-a-time' is not supported [-Werror,-Wignored-optimization-argument]
[1]: https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
Since 30b3e9d2 (libselinux: Workaround for heap overhead of pcre,
2023-01-12), performance of PCRE2 matches has been affected due to
excesive recreation of the match_data in an attempt to reduce memory
utilization; instead of a workaround, it would be better to address
the problem and maybe even improve performance in the process.
The issue is that currently the structure that holds PCRE state has
both a pcre2_code (which is per pattern) and a pcre2_match_data (which
is per match), forcing us to add a mutex to prevent multiple matches to
step on each other.
Lets remove the match_data and the mutex and instead allocate one once
in a thread independent way that could be used and reused, by extending
our pthread interface to not only store TLS variables but also retrieve
them, and then use one of those.
Since we are not interested on the capture groups (if any) lets only
allocate 1 pair which is all that will be needed and change the logic
so that a return of 0 (which means the pattern matched but there were
not enough capture spots) is also considered a match.
This will ensure that the memory use would be bound to the number of
concurrent matches instead of the number of patterns and therefore
reduce the impact that recent changes on the way that the frames used
for matching are allocated might had brough since 10.41 was released.
For cases where threads are not available, just keep it working in slow
mode as done before the workaround was reverted.
Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
cherry picked from:
https://patchwork.kernel.org/project/selinux/patch/20230123014047.84911-3-carenas@gmail.com/
Bug: 262469329
Test: atest MicrodroidBenchmarkApp
Change-Id: I3207c6dd2a215f81699aa62e8fcdf65c745bae72
Enables processes with :IsolatedComputeApp set to be selected by seapp contexts with isIsolatedComputeApp selector.
Bug: 265540209
Bug: 265746493
Test: m && atest --host libselinux_test with change on android_unittest.cpp
Change-Id: I44f33bdd17454586708cbff2631ecd6725e53087
This is to workaround a regression on peak memory usage, due to a
behavior change of pcre2. With this patch, peak memory usage decreases
for about 4 MB.
Also verified with microdroid benchmarks that the runtime impact is
negligible.
Before this patch:
testMicrodroidBootTime[protectedVm=false]:
avf_perf/microdroid/boot_time_average_ms: 1072.2437260666668
avf_perf/microdroid/boot_time_max_ms: 1153.957195
avf_perf/microdroid/boot_time_min_ms: 987.760254
avf_perf/microdroid/boot_time_stdev_ms: 43.715968392943445
testMicrodroidBootTime[protectedVm=true]:
avf_perf/microdroid/boot_time_average_ms: 1318.7790113333335
avf_perf/microdroid/boot_time_max_ms: 1367.490967
avf_perf/microdroid/boot_time_min_ms: 1239.080486
avf_perf/microdroid/boot_time_stdev_ms: 33.82832311810135
After this patch:
testMicrodroidBootTime[protectedVm=false]:
avf_perf/microdroid/boot_time_average_ms: 1074.9152321333336
avf_perf/microdroid/boot_time_max_ms: 1172.233481
avf_perf/microdroid/boot_time_min_ms: 971.020793
avf_perf/microdroid/boot_time_stdev_ms: 45.3782260524823
testMicrodroidBootTime[protectedVm=true]:
avf_perf/microdroid/boot_time_average_ms: 1286.4607849333333
avf_perf/microdroid/boot_time_max_ms: 1380.643678
avf_perf/microdroid/boot_time_min_ms: 1209.573649
avf_perf/microdroid/boot_time_stdev_ms: 44.44544241596637
Bug: 262469329
Test: atest MicrodroidBenchmarks
Test: run device boot time test
Change-Id: Ifc1be381255c263638ea262b995bc06fa3c7bdcc
pcre's behavior is changed so that pcre2_match always allocates heap for
match_data, rather than stack, regardless of size. The heap isn't freed
until explicitly calling pcre2_match_data_free. This new behavior may
result in heap overhead, which may increase the peak memory usage about
a few megabytes. It's because regex_match is first called for regex_data
objects, and then regex_data objects are freed at once.
To workaround it, free match_data as soon as we call regex_match. It's
fine because libselinux currently doesn't use match_data, but use only
the return value.
Signed-off-by: Inseob Kim <inseob@google.com>
Acked-by: Jason Zaman <jason@perfinion.com>
Found by codespell(1) and typos[1].
[1]: https://github.com/crate-ci/typos
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
When the python bindings are installed to a destdir with pip install
--prefix= --root=, pip tries to uninstall the existing root-owned
package and fails
Fixes:
running build_ext
python3 -m pip install --prefix=/usr `test -n "/tmp/selinux-release//build-master" && echo --root /tmp/selinux-release//build-master` .
Processing /tmp/selinux-release/selinux-master/libselinux/src
Preparing metadata (setup.py) ... done
Building wheels for collected packages: selinux
Building wheel for selinux (setup.py) ... done
Created wheel for selinux: filename=selinux-3.4-cp310-cp310-linux_x86_64.whl size=725511 sha256=b35e9cdb2a6efce389eeece45446826b4ac6b41f81fdc128893f947036f27e8e
Stored in directory: /tmp/pip-ephem-wheel-cache-kemjh99e/wheels/ca/2d/1e/d1ab52426d9add92931471cfa0d2558bcbeed89084af2388c9
Successfully built selinux
Installing collected packages: selinux
Attempting uninstall: selinux
Found existing installation: selinux 3.4
Uninstalling selinux-3.4:
ERROR: Could not install packages due to an OSError: [Errno 13] Permission denied: '__init__.cpython-310.pyc'
Consider using the `--user` option or check the permissions.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Fixes:
/usr/lib/python3.11/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add return check for regex_data_create() to avoid NULL reference of regex_data
(gdb) bt
#0 0x00007fbde5caec14 in pthread_mutex_init () from /usr/lib64/libc.so.6
#1 0x00007fbde5e3a489 in regex_data_create () at regex.c:260
#2 0x00007fbde5e3a4af in regex_prepare_data (regex=regex@entry=0x7fbde4613770, pattern_string=pattern_string@entry=0x563c6799a820 "^/home$", errordata=errordata@entry=0x7ffeb83fa950) at regex.c:76
#3 0x00007fbde5e32fe6 in compile_regex (errbuf=0x0, spec=0x7fbde4613748) at label_file.h:407
#4 lookup_all (key=0x563c679974e5 "/var/log/kadmind.log", type=<optimized out>, partial=partial@entry=false, match_count=match_count@entry=0x0, rec=<optimized out>, rec=<optimized out>)
at label_file.c:949
#5 0x00007fbde5e33350 in lookup (rec=<optimized out>, key=<optimized out>, type=<optimized out>) at label_file.c:1092
#6 0x00007fbde5e31878 in selabel_lookup_common (rec=0x563c67998cc0, translating=1, key=<optimized out>, type=<optimized out>) at label.c:167
Signed-off-by: Jie Lu <lujie54@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
Fixes:
/usr/lib/python3.11/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
1. check the return of strdup to avoid a potential NULL reference.
2. make sure line_buf is freed.
Signed-off-by: Jie Lu <lujie54@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
Bionic provides its own version of strlcpy. Ignore the re-definition
from SELinux for devices.
Bug: 260539369
Test: lunch sdk && m sdk
Change-Id: Icb9d8678c29562ab7b73d7a0f14a233fd71dfefd
- Reference renamed file: COPYING -> LICENSE in Android.bp
- Fix constext_str calls now returning const char *
- Comment out cil_write_src_info_node which is not used on Android
- Include new selinux_internal.c source file
Bug: 253327909
Test: build and boot on bramble
Test: sediff between current and new policy; no change
Change-Id: I506479befb3c0b99136cd842b2a77a6a8bea18ed
Boolean names, taken by security_get_boolean_pending(3),
security_get_boolean_active(3) and security_set_boolean(3), as well as
user names, taken by security_get_initial_context(3), are used in path
constructions. Ensure they do not contain path separators to avoid
unwanted path traversal.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Bail out if computed paths based on user input are being truncated, to
avoid wrong files to be opened.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Using strndup(3) instead of malloc(3) followed by strncpy(3) simplifies
the code and pleases GCC:
In file included from /usr/include/string.h:535,
from context.c:2:
In function ‘strncpy’,
inlined from ‘context_new’ at context.c:74:3:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:95:10: error: ‘__builtin_strncpy’ destination unchanged after copying no bytes [-Werror=stringop-truncation]
95 | return __builtin___strncpy_chk (__dest, __src, __len,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
96 | __glibc_objsize (__dest));
| ~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The internal variable avc_netlink_trouble is only assigned but never
read from.
Unused since the initial commit 13cd4c8960 ("initial import from svn
trunk revision 2950").
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>