It makes more sense to print it as a warning, because it's not a hard
error for now (until we resolve all violations and create a compliance
test)
Bug: N/A
Test: boot
Change-Id: Iac5deb1f965394ecd4c2acb3711bd07317956236
This is to remove duplicate errors while fixing seapp_contexts
violations (because old vendors still have the entries).
Bug: 280547417
Test: TH
Change-Id: I8c381dad6e8bf5e91148494b55278e124b845c13
There is a bug in the code checking the partition, so it's printing the
wrong logcat messages. This fixes it by renaming the function name for
better readability.
Also it fixes a bug that the check only happens when levelFrom != NONE.
Bug: 291005833
Test: boot and see logcat
Merged-In: I2dd51a995d76b2c50dae2b2c4af8e3a3a4599408
Change-Id: I2dd51a995d76b2c50dae2b2c4af8e3a3a4599408
(cherry picked from commit 321c025259)
There are two problems addressed by this change.
1) qsort doesn't compare all pairs of elements having the same
precedence. We can't rely only on qsort's comparator to detect
duplicates.
2) comparing logic is broken. For example,
    s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp
really should be
    !s1->isPrivAppSet || s1->isPrivApp == s2->isPrivApp
Bug: 291528964
Test: manually create two duplicated entries and boot
Change-Id: Ieae4a7f5419e18636bb2fd5f70700faa4fa8acf1
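Added example, not part of the commit above and not libselinux code: a reduced sketch of the two points it makes, scanning every pair explicitly instead of relying on the sort comparator, and the broken versus corrected predicate for an optional selector. The struct layout, function names and sample entries are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, reduced entry: one string selector and one optional boolean. */
struct entry {
    const char *user;  /* always set in this sketch */
    bool isPrivAppSet; /* true when the entry specifies isPrivApp= */
    bool isPrivApp;
};
typedef bool (*dup_fn)(const struct entry *, const struct entry *);

/* Broken form quoted in the commit message: an unset selector never matches. */
static bool is_dup_broken(const struct entry *s1, const struct entry *s2)
{
    return !strcmp(s1->user, s2->user) &&
           (s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp);
}

/* Corrected form: a selector unset in both entries counts as equal. */
static bool is_dup_fixed(const struct entry *s1, const struct entry *s2)
{
    return !strcmp(s1->user, s2->user) && s1->isPrivAppSet == s2->isPrivAppSet &&
           (!s1->isPrivAppSet || s1->isPrivApp == s2->isPrivApp);
}

/* Explicit scan of every pair, independent of which pairs qsort compared. */
static size_t count_dups(const struct entry *e, size_t n, dup_fn is_dup)
{
    size_t dups = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            dups += is_dup(&e[i], &e[j]) ? 1 : 0;
    return dups;
}

/* Constructed sample: entries 0 and 2 are duplicates that leave isPrivApp unset. */
static const struct entry SAMPLE[] = {
    { "system", false, false }, { "_app", true, true },
    { "system", false, false }, { "_app", true, false },
};
#define SAMPLE_LEN (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

int main(void)
{
    printf("broken: %zu, fixed: %zu\n", count_dups(SAMPLE, SAMPLE_LEN, is_dup_broken),
           count_dups(SAMPLE, SAMPLE_LEN, is_dup_fixed));
    return 0;
}
```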
Right now selinux_android_restorecon will silently succeed if selinux is
disabled which is confusing.
This change adds a log statement that should help with debugging issues
related to disabled selinux (see attached bug).
Bug: 284277137
Test: presubmit
Change-Id: I4ebc6400ac7188660658ef3cccfb7cbdc76c0f22
seapp_context_lookup_internal applies a flag that is referenced in
seapp_contexts based on the seInfo string passed to it.
This enables testers to test out the set of restrictions planned for the
next SDK version and give feedback before we decide on the actual
restrictions for the next release.
Bug: b/270148964
Test: manual test app and adb shell ps -Z
Change-Id: I175229d135d99516dd6f38b8963d0ccc93a61a4f
Merged-In: I175229d135d99516dd6f38b8963d0ccc93a61a4f
seapp_context_lookup_internal applies a flag that is referenced in
seapp_contexts based on the seInfo string passed to it.
This enables testers to test out the set of restrictions planned for the
next SDK version and give feedback before we decide on the actual
restrictions for the next release.
Bug: b/270148964
Test: manual test app and adb shell ps -Z
Change-Id: I175229d135d99516dd6f38b8963d0ccc93a61a4f
libselinux log messages usually end with a new line character. Android
log system does not require the new line character and will include the
character as-is in the log buffer.
selinux_log_callback and selinux_vendor_log_callback implementations are
merged as they provide similar functionalities.
Match the indentation (i.e., tabs) with the rest of the file.
Test: boot & inspect logcat
Change-Id: I0a5e53b8f048c65f29c5df3bd7e0b38f523e42cd
We were previously on 3.5-rc2; there have been only a few changes since
then.
Followed the steps:
    repo start update_3.5 .
    git merge 3.5 --no-ff # No merge conflicts were found.
    lunch && m
    repo upload .
    # Update METADATA in a separate change.
Test: TH
Change-Id: If88fe90d2cbdb1ba6a279cba8b397cd2c808c6ab
Add a note that querying a foreign process via its PID is inherently
racy.
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
Add the public interfaces getpidprevcon(3) and getpidprevcon_raw(3), and
the utility getpidprevcon to gather the previous context before the last
exec of a given process.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
The hash mask is set to 2^16 - 1, which does not fit into a signed 16
bit integer. Use uint32_t to be on the safe side. Also use size_t for
counting in debug function.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
Add const qualifier to read-only state struct.
Minimize scope of function local variables, to reduce complexity.
Pass only the file type related file flags to selabel_lookup(3).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
The optimization flag -funit-at-a-time is enabled by default in GCC[1]
and not supported by Clang:
    clang: error: optimization flag '-funit-at-a-time' is not supported [-Werror,-Wignored-optimization-argument]
[1]: https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
Commit 7506771e4b
"add missing booleans to man pages" dramatically slowed down
"sepolicy manpage -a" by removing caching of setools rule query.
Re-add said caching and update the query to only return conditional
rules.
Before commit 7506771e:
    #time sepolicy manpage -a
    real 1m43.153s
    # time sepolicy manpage -d httpd_t
    real 0m4.493s
After commit 7506771e:
    #time sepolicy manpage -a
    real 1h56m43.153s
    # time sepolicy manpage -d httpd_t
    real 0m8.352s
After this commit:
    #time sepolicy manpage -a
    real 1m41.074s
    # time sepolicy manpage -d httpd_t
    real 0m7.358s
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>