Bionic provides its own version of strlcpy. Ignore the re-definition
from SELinux for devices.
Bug: 260539369
Test: lunch sdk && m sdk
Change-Id: Icb9d8678c29562ab7b73d7a0f14a233fd71dfefd
- Reference renamed file: COPYING -> LICENSE in Android.bp
- Fix constext_str calls now returning const char *
- Comment out cil_write_src_info_node which is not used on Android
- Include new selinux_internal.c source file
Bug: 253327909
Test: build and boot on bramble
Test: sediff between current and new policy; no change
Change-Id: I506479befb3c0b99136cd842b2a77a6a8bea18ed
selinux_check_access relies on string_to_security_class to resolve the
class index from its char* argument. There is no input validation done
on the string provided. It is possible to supply an argument containing
trailing backslashes (i.e., "sock_file//////") so that the paths built
in discover_class get truncated. The processing will then reference the
same permission file multiple time (e.g., perms/watch_reads will be
truncated to perms/watch). This will leak the memory allocated when
strdup'ing the permission name. The discover_class_cache will end up in
an invalid state (but not corrupted).
Ensure that the class provided does not contain any path separator.
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: James Carter <jwcart2@gmail.com>
Currently "-i" only ignores a file whose parent directory exists. Start also
ignoring paths with missing components.
Fixes:
# restorecon -i -v -R /var/log/missingdir/missingfile; echo $?
255
restorecon: SELinux: Could not get canonical path for /var/log/missingdir/missingfile restorecon: No such file or directory.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
The distutils package is deprecated and scheduled to be removed in
Python 3.12. Use the setuptools and sysconfig modules instead.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Musl libc doesn't define __uid_t, and bionic's getpwuid takes a
uid_t, not a __uid_t.
Bug: 190084016
Test: m USE_HOST_MUSL=true host-native
Change-Id: I0f55c785c622365482d635d795f639a95acefd47
Split selinux_android_seapp_context_reload and seapp_context_lookup to
prevent the loading and use of the default seapp_contexts files (e.g.,
/system/etc/selinux/plat_file_contexts). The exposed API and current
callers of seapp_context_lookup remain the same.
Test: atest --host libselinux_test
Bug: 234313751
Change-Id: If3b525b92fa43e5599075509d4de55ff39ec8a6e
android_seapp.c can be build on host. strlcpy is replaced with strncpy
(the string copied is static). An alias seapp_getpwuid is created to
allow faking for the unit test.
Bug: 234313751
Test: build & boot
Change-Id: I0e86d83fddb3ceb20d63963b40ea0ca227a8538a
With android_platform.c split between android_device.c and
android_seapp.c, update the build configuration. Move to the internal
header the interface expected between the two files.
Test: m
Bug: 234313751
Change-Id: If13a7484bf48a49e36a424c39f6f62ec6140fc22
The context file locations are represented using a 2-dimension array of
paths. Use a struct to simplify the syntax.
Bug: 234313751
Test: m
Change-Id: Iaf62955d1c142f4210215cecbee427e91031516e
Support passing an optional object name to compute_create for name
based type transitions.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This header file was used for all imports of android.c and
android_platform.c. Move the include directives to the source files
instead, to follow the include-what-you-use rule.
Bug: 234313751
Test: m
Change-Id: I362a722b2a3e7cd204772d8e37fa9b893184e1ce
A compilation option ANDROID_UNIT_TESTING is introduced to skip the
implicit search for /sys/fs/selinux when libselinux is first
initialized. The label functions of libselinux are used as-is (instead
of a mock or fake).
Expose the context_handle function internally so it may be called within
the unit tests.
Bug: 234313751
Test: atest --host libselinux_test
Change-Id: Ifd7f4857c959a6c7d397682ba9913dc1d1cea591
Currently, tagging a symbol with #apex (# systemapi or # llndk) is not
required when the symbol is in a non-NDK library. However, this is
considered dangerous because such a symbol will automatically be
promoted to NDK APIs when the library is promoted to an NDK library.
When that happens, the native API council won't be able to notice the
promotion because promoting a non-NDK library into an NDK library
doesn't require an update of the map.txt file, but Android.bp only.
To prevent that, we should mandate those tags for Mainline APIs
regardless of whether the library the API belongs to is an NDK library
or not.
Upcoming changes in build/soong will enforce this. This change is to
prepare for the enforcement.
Note that this is a build-time only change. There's no behavior change
at runtime.
Bug: 184712170
Test: m
Change-Id: I168fbdcf0a2a9b4e987a5410db941c0b4e4d9c35
Move sources files to the default libselinux rule so that other binaries
may reuse the same defaults (i.e., unittests). The majority of sources
can be compiled for the host.
Bug: 234313751
Test: local build for aosp_bramble-userdebug
Test: TH
Change-Id: I0b76bf79ceabd6096ab4ef03f0c8648d0636a310
Test .gitignore and make clean distclean
error: missing .gitignore entry for libselinux/src/selinux.egg-info/
error: missing .gitignore entry for python/sepolicy/sepolicy.egg-info/
Error: Process completed with exit code 1.
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/PKG-INFO
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/SOURCES.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/dependency_links.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/top_level.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/PKG-INFO
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/SOURCES.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/dependency_links.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/top_level.txt
Error: Process completed with exit code 1.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
When the O_PATH emulation fails due to getxattr(2)/setxattr(2) failing
with ENOENT, e.g. because no procfs being available, override the errno
value to EBADF. This avoids confusion to the caller as it would suggest
the target of the operation does not exist, which is not the case:
setfiles: Could not set context for /: No such file or directory
Fixes: a782abf2 ("libselinux: emulate O_PATH support in fgetfilecon/fsetfilecon")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In commit 7d69031, pkgdir_selabel_lookup was updated to return an error
in case of invalid path. Such errors were previously ignored, relying on
the default file_contexts for such path. For example, if the security
context of /data/user/0a is restored, the parsing would fail and the
security context of /data/ used instead (i.e., system_data_file).
Restore this behaviour to avoid spurious error messages.
Test: build & boot bramble; check logcat for "Could not set context for"
Bug: 241150859
Change-Id: I5d78b558307bb4a02431783da69c92ea5a47de91
Previously, if restorecon was called for a /data subdirectory, the
userid (id of the physical user) was not taken into account. Capture the
userid from the file path and use it to set the security context.
Test: flash & adb push xxx /data/user/10/xxx & verify security context
Bug: 223254943
Change-Id: Ia20e192cb31435d810e43aa35eccbf55f721419a
We are now default restricting bindgen visibility to subpackages. This
change is part of a set of changes adding explicit visibility for
bindgen libraries which are already being used elsewhere.
* If these visibility rules are to allow access by the safe bindings
library which lives elsewhere in the codebase, no action is needed.
* If safe bindings do not exist, and you own this library, now is a good
time to think about producing them and transitioning your (now
enumerated) client list.
* If safe bindings exist, but there is a surprise client of the raw
bindings on this list, now is a good time to talk to them about why
they don't want to use your safe bindings.
Bug: 166332519
Test: m
Change-Id: I967811c6cf563725d591e1d8536f7c6e19535996
The variable `curcon` is NULL in case the file has no current security
context. Most C standard libraries handle it fine, avoid it nonetheless
for standard conformance.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Revert submission 2110147
Reason for revert: Broken sdk_mac target.
Reverted Changes:
Ifcd00954b:Refactor sources in Android.bp
Ie313b6d63:Add unit tests for service contexts backend
Change-Id: Id3d9c69c508b4774e667a600346b03a7c09e3a96
Revert submission 2110147
Reason for revert: Broken sdk_mac target.
Reverted Changes:
Ifcd00954b:Refactor sources in Android.bp
Ie313b6d63:Add unit tests for service contexts backend
Change-Id: I616f43ed57626b5255dcf193f5f2c750b47f2fae
This reverts commit b4634567e5.
Reason for revert: This was not sufficient to fix the sdk_mac target. Reverting for now, as well as the other changes.
Change-Id: I5a1e039d031c7fc65972a39f1ae47701838e2f98
security_load_policy(3) takes a read-only memory address for a binary
policy to be loaded.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The following interfaces are documented but do not have a redirection:
- context_str(3)
- security_get_checkreqprot(3)
- security_set_boolean_list(3)
- selinux_sepgsql_context_path(3)
- setexecfilecon(3)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
To copy string safely, by always NULL-terminating them, and provide an
easy way to check for truncation introduce the nonstandard function
strlcpy(3). Use the system implementation if available.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
In case the function __policy_init() gets called with a NULL pointer,
the stack variable path remains uninitialized (except at its last
index). If parsing the binary policy fails in sepol_policydb_read() the
error branch would access those uninitialized memory.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
libselinux implements a cache mechanism for get*con() functions, such
that when a thread calls setcon(...) then getcon(...), the context is
directly returned. Unfortunately, getpidcon(pid, &context) uses the same
cached variable, so when a program uses setcon("something"), all later
calls to getpidcon(pid, ...) returns "something". This is a bug.
Here is a program which illustrates this bug:
#include <stdio.h>
#include <selinux/selinux.h>
int main() {
char *context = "";
if (getpidcon(1, &context) < 0) {
perror("getpidcon(1)");
}
printf("getpidcon(1) = %s\n", context);
if (getcon(&context) < 0) {
perror("getcon()");
}
printf("getcon() = %s\n", context);
if (setcon(context) < 0) {
perror("setcon()");
}
if (getpidcon(1, &context) < 0) {
perror("getpidcon(1)");
}
printf("getpidcon(1) = %s\n", context);
return 0;
}
On an Arch Linux system using unconfined user, this program displays:
getpidcon(1) = system_u:system_r:init_t
getcon() = unconfined_u:unconfined_r:unconfined_t
getpidcon(1) = unconfined_u:unconfined_r:unconfined_t
With this commit, this program displays:
getpidcon(1) = system_u:system_r:init_t
getcon() = unconfined_u:unconfined_r:unconfined_t
getpidcon(1) = system_u:system_r:init_t
This bug was present in the first commit of
https://github.com/SELinuxProject/selinux git history. It was reported
in https://lore.kernel.org/selinux/20220121084012.GS7643@suse.com/ and a
patch to fix it was sent in
https://patchwork.kernel.org/project/selinux/patch/20220127130741.31940-1-jsegitz@suse.de/
without a clear explanation. This patch added pid checks, which made
sense but were difficult to read. Instead, it is possible to change the
way the functions are called so that they directly know which cache
variable to use.
Moreover, as the code is not clear at all (I spent too much time trying
to understand what the switch did and what the thread-local variable
contained), this commit also reworks libselinux/src/procattr.c to:
- not use hard-to-understand switch/case constructions on strings (they
are replaced by a new argument filled by macros)
- remove getpidattr_def macro (it was only used once, for pidcon, and
the code is clearer with one less macro)
- remove the pid parameter of setprocattrcon() and setprocattrcon_raw()
(it is always zero)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Cc: Johannes Segitz <jsegitz@suse.de>
Replace AID_APP with AID_APP_START and AID_USER with AID_USER_OFFSET.
These have the same constant values. See android_filesystem_config.h.
Test: m
Change-Id: I3f696ee30de09f1a41f1c7eb4be6508c0d34c6ce
This reverts commit 7e979b56fd.
The reverted commit broke `setfiles` when it's run from a chroot
without /proc mounted, e.g.
# chroot /mnt/sysimage
chroot# setfiles -e /proc -e /sys /sys /etc/selinux/targeted/contexts/files/file_contexts /
[strace]
openat(AT_FDCWD, "/", O_RDONLY|O_EXCL|O_NOFOLLOW|O_PATH) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0555, st_size=4096, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 2101248, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1697c91000
fgetxattr(3, "security.selinux", 0x55be8881d3f0, 255) = -1 EBADF (Bad file descriptor)
fcntl(3, F_GETFL) = 0x220000 (flags O_RDONLY|O_NOFOLLOW|O_PATH)
getxattr("/proc/self/fd/3", "security.selinux", 0x55be8881d3f0, 255) = -1 ENOENT (No such file or directory)
[/strace]
setfiles: Could not set context for /: No such file or directory
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
context_str(3) returns a string representation of the given context.
This string is owned by the context and free'd on context_free(3).
Declare it const, as already done in the man page, since it must not be
free'd by the caller.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
A compilation option ANDROID_UNIT_TESTING is introduced to skip the
implicit search for /sys/fs/selinux when libselinux is first
initialized. The label functions of libselinux are used as-is (instead
of a mock or fake).
Expose the context_handle function internally so it may be called within
the unit tests.
Bug: 234313751
Test: atest --host libselinux_test
Change-Id: Ie313b6d63d25d42d9ec1b16a8bb42160950b5be8
