Code review of:
- https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/512420/
had some comments. These were addressed and upstreamed here:
- 65620e0f94
Bring these changes back into the AOSP tree.
Test: verify that output sorted device files did not change hashes when built.
Change-Id: I7f07d3f74923cf731e853629034469784fc669f7
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Update to commit:
- 5490639ac9
This solves all reported clang analyzer issues and is inline with upstream.
Test: veerify that md5sum of output files do not change.
Change-Id: I942145b8f9748c8ecd185f730c94d57cb77f5acc
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Static analyzer complains the memory pointed by list in bcurrent is not
deallocated before returning. But since this code is in "main" routine,
we don't care about the deallocation. Just ignore the warning.
Bug: b/27101951
Test: Verified warning is gone.
Change-Id: I58d784b61a5ad30d1406bd7c6b28c5713abf2b34
Fix the following warnings:
system/sepolicy/tools/sepolicy-analyze/neverallow.c:346:9: warning:
Potential leak of memory pointed to by '__s1'
system/sepolicy/tools/sepolicy-analyze/neverallow.c:346:9: warning:
Potential leak of memory pointed to by 'id'
system/sepolicy/tools/sepolicy-analyze/neverallow.c:364:13: warning:
Potential leak of memory pointed to by 'classperms'
system/sepolicy/tools/sepolicy-analyze/neverallow.c:364:13: warning:
Potential leak of memory pointed to by 'node'
Bug: b/27101951
Test:Warnings are gone.
Change-Id: Ib9b2e0b9f19950b4b764d438ee58340e6c022ef5
Use the getline API correctly: keep a single buffer as long as
possible, and let the callee handle re-allocation. Move the final
free out of the loop.
Release the head of the linked list.
Bug: 37757586
Test: ASAN_OPTIONS= SANITIZE_HOST=address mmma system/sepolicy
Change-Id: I42424acba7cd68c1b9a7a43e916a421ac3e253f7
Empty typeset is not an issue in neverallow rules. The reason is that
it's completly normal for scontext or tcontext of neverallow rules to
evaluate to an empty type set. For example, there are neverallow rules
whose purpose is to test that all types with particular powers are
associated with a particular attribute:
neverallow {
untrusted_app_all
-untrusted_app
-untrusted_app_25
} domain:process fork;
Test: sepolicy-analyze neverallow -w -n \
'neverallow {} {}:binder call;'
produces empty output instead of "Warning! Empty type set"
Bug: 37357742
Change-Id: Id61b4fe22fafaf0522d8769dd4e23dfde6cd9f45
This could be useful in diffs between policy versions.
Bug: 37357742
Test: sepolicy-analyze lists all attributes in precompiled_policy.
Change-Id: I6532a93d4102cf9cb12b73ee8ed86ece368f9131
The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.
Make version_policy replace the '.' in version by '_' so secilc is
happy too.
This unblocks libvintf from giving out a runtme API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.
(cherry-pick of commit 42f95984b5)
Bug: 35217573
Test: Build and boot sailfish.
Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>
Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.
Make version_policy replace the '.' in version by '_' so secilc is
happy too.
This unblocks libvintf from giving out a runtme API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.
Bug: 35217573
Test: Build and boot sailfish.
Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>
Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
added checkfc options 'l' and 'v' to verify hwservice_manager_type
and vndservice_manager_type on service context files, respectively.
The checkfc call to verify the new hwservice_contexts files will
be added together with hwservicemanager ACL CLs later.
Bug: 34454312
Bug: 36052864
Test: device boots, works
Change-Id: Ie3b56da30be47c95a6b05d1bc5e5805acb809783
sepolicy-analyze allows users to see all types that have a given
attribute, but not the reverse case: all attributes of a given type.
Add a '--reverse' option which enables this, but keeps the previous
interface.
Usage: sepolicy-analyze sepolicy attribute -r init
Bug: 36508258
Test: Build and run against current policy.
(cherry picked from commit d444ebedac)
Change-Id: I9813ebf61d50fb5abbc8e52be4cf62751979bbd4
sepolicy-analyze allows users to see all types that have a given
attribute, but not the reverse case: all attributes of a given type.
Add a '--reverse' option which enables this, but keeps the previous
interface.
Usage: sepolicy-analyze sepolicy attribute -r init
Bug: 36508258
Test: Build and run against current policy.
Change-Id: Ice6893cf7aa2ec4706a7411645a8e0a8a3ad01eb
untrusted_v2_app is basically a refinement of untrusted_app with legacy
capabilities removed and potentially backwards incompatible changes.
This is not currently hooked up to anything.
Bug: 33350220
Test: builds
Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
This new input selector allows phasing in new security policies by
giving app developers an opportunity to make any needed compatibility
changes before updating each app's targetSdkVersion.
When all else is equal, matching entries with higher
minTargetSdkVersion= values are preferred over entries with lower
minTargetSdkVersion= values.
Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806
Add a pre-submit check to ensure that files have a newline character at
the end.
Please see https://android.googlesource.com/platform/tools/repohooks/
for documentation on how PREUPLOAD hooks work.
Test: created a change and watched the presubmit check reject it.
Change-Id: Id0528cb1bd6fa9c4483ba43720839832f4fec34d
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split. In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.
This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.
Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
If in invalid policy file is loaded check_seapp outputs:
Error: Could not lod policy file to db: Success!
The "Success" value is from errno, which is not manipulated
by libsepol. Also, load should have an a in it!
Hardcode the error message to:
Error: Could not load policy file to db: invalid input file!
Test: That when providing an invalid sepolicy binary, that the output
message is correct.
Change-Id: Iaf1f85eeb217d484997ee1367d91d461c1195bf4
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Value stored to 'i' is never read.
Variable 'j' is never used.
Bug: 26936282
Test: WITH_TIDY=1 WITH_STATIC_ANALYZER=1 mm
Change-Id: I8dd266e639d089efd1fb1e1e0fca3899cf2a1553
Remove the .data=NULL assignments that were pushing the
static keymap mapping horizontal.
(cherry picked from commit 29adea51ed)
Change-Id: I2e6e78930ac8d1d8b9bd61d9dedb59f4859ea13c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Data type tracking is no longer needed now that per
key validation routines are supported.
(cherry picked from commit c92dae9807)
Change-Id: I2f1d0d5b1713e0477996479b0f279a58f43f15c7
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Input validation was hard-coded into a validation routine
that would check against type and key names in a scattered,
order dependent conditional code block.
This makes it harder than it should be to add new key value
pairs and types into checkseapp.
To correct this, we add a validation callback into the
static mapping. If the validation callback is set, the
existing validation routine will call this for input
validation. On failure, a validation specific error message
is returned to be displayed.
(cherry picked from commit 696a66ba20)
Change-Id: I92cf1cdf4ddbcfae19168b621f47169a3cf551ac
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Change the final error message to be consistent with the others.
From:
Error: reading /home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts, line 82, name domain, value system_server
To:
Error: Reading file: "/home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts" line: 82 name: "domain" value: "system_server"
(cherry picked from commit efebf97e23)
Change-Id: Idf791d28fbba95fbeed8b9ccec9a296eea33afb9
Signed-off-by: William Roberts <william.c.roberts@intel.com>
(cherry picked from commit 25528cf4a5)
Change-Id: Ic4dc59650ca849b950cb145fedafdf4fc250f009
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Remove the .data=NULL assignments that were pushing the
static keymap mapping horizontal.
Change-Id: I2e6e78930ac8d1d8b9bd61d9dedb59f4859ea13c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Data type tracking is no longer needed now that per
key validation routines are supported.
Change-Id: I2f1d0d5b1713e0477996479b0f279a58f43f15c7
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Input validation was hard-coded into a validation routine
that would check against type and key names in a scattered,
order dependent conditional code block.
This makes it harder than it should be to add new key value
pairs and types into checkseapp.
To correct this, we add a validation callback into the
static mapping. If the validation callback is set, the
existing validation routine will call this for input
validation. On failure, a validation specific error message
is returned to be displayed.
Change-Id: I92cf1cdf4ddbcfae19168b621f47169a3cf551ac
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Change the final error message to be consistent with the others.
From:
Error: reading /home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts, line 82, name domain, value system_server
To:
Error: Reading file: "/home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts" line: 82 name: "domain" value: "system_server"
Change-Id: Idf791d28fbba95fbeed8b9ccec9a296eea33afb9
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.
To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.
Change-Id: I3775eae11bfa5905cad0d02a0bf26c76ac03437c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Checkfc was treating 0 size fc files as a fatal error.
An empty fc file should be treated as "nothing to check"
so long as the -e option is passed.
We add this option, so we don't allow empty file_context
files to pass CTS checking.
Change-Id: Ibca6bd948a13389e10c605d613acc48c5504443e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.
To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.
Change-Id: Id79cc6f434c41179d5c0d0d739c4718918b0b1dc
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Enable checkfc to check *_contexts against a set of valid attributes
which must be associated with all types in the contexts file that
is being checked.
Since it's imperative that checkfc knows which file its checking to
choose the proper attribute set, the -s option is introduced to
indicate the service_contexts file. The property_contexts file continues
to use the existing -p and file_contexts requires no specification, aka
it's the default.
Failure examples:
file_contexts:
Error: type "init" is not of set: "fs_type, dev_type, file_type"
service_contexts:
Error: type "init_exec" is not of set: "service_manager_type"
property_contexts:
Error: type "bluetooth_service" is not of set: "property_type"
Change-Id: I62077e4d0760858a9459e753e14dfd209868080f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Initial check in of empty autoplay_app.te policy file.
Create isAutoPlayApp input selector. Give this selector high precedence -
only below isSystemServer.
Add neverallow rule disallowing an app context with isAutoPlayApp=true from
running in a domain other than autoplay_app.
Change-Id: I1d06669d2f1acf953e50867dfa2b264ccaee29a4
Extend checkfc to support comparing two file_contexts or
file_contexts.bin files. This is for use by the CTS
SELinuxHostTest to compare the AOSP general_file_contexts
with the device file_contexts.bin file.
Depends on I0fe63e0c7f11ae067b5aac2f468f7842e5d76986.
Change-Id: I2fff2f8cf87690a76219ddf4cf38939650f34782
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Introduce "neverallow" rules for seapp_contexts. A neverallow rule is
similar to the existing key-value-pair entries but the line begins
with "neverallow". A neverallow violation is detected when all keys,
both inputs and outputs are matched. The neverallow rules value
parameter (not the key) can contain regular expressions to assist in
matching. Neverallow rules are never output to the generated
seapp_contexts file.
Also, unless -o is specified, checkseapp runs in silent mode and
outputs nothing. Specifying - as an argument to -o outputs to stdout.
Sample Output:
Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app"
Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
rule_map_free() took as a parameter a boolean menu rule_map_switch
that was used to determine if it should free the key pointer that
is also in the table. On GLIBC variants, calls to hdestroy do not
free the key pointer, on NON-GLIBC variants, it does. The original
patch was meant to correct this, however, it always passes "destroy"
as the rule_map_switch. On GLIBC variants this is fine, however on
NON-GLIBC variants, that free was compiled out, and the free() was
handled by hdestroy. In cases of failure where the rule_map was not
in the htable, those key's were not properly free'd.
Change-Id: Ifdf616e09862bca642a4d31bf0cb266168170e50
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When an error occured it was erroneously being indicated that he
file was the output file, not the input file.
Before:
Error: Could not find selinux type "fake_app" on line: 51 in file: out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts
Error: Could not validate
Error: reading out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts.tmp, line 51, name levelFrom, value user
After:
Error: Could not find selinux type "fake_app" on line: 51 in file: out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts.tmp
Error: Could not validate
Error: reading out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts.tmp, line 51, name levelFrom, value user
Change-Id: Ib0e01f1f0ef563a2a150a0a3b4012e6e15d736bb
Signed-off-by: William Roberts <william.c.roberts@intel.com>
If a duplicate entry is found, rule_map_cmp() incorrectly
assumes that the lengths of the key value pairs should be
equal, when this is not true. The duplicate detection is
done on the input parameters, thus the lengths can be
different. This resulted in a duplicate error string
message of "do not match", instead of "match on all inputs".
Also, the file name printed that contained the error was
the output file, not the input file that contained it.
Change-Id: I9b3f99fa4aa3454849de55f18b198b0b56e44320
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Addresses the following error when running CTS on master:
junit.framework.AssertionFailedError: The following errors were encountered when validating the SELinuxneverallow rule:
neverallow { appdomain -bluetooth } self:capability *;
/tmp/SELinuxHostTest5593810182495331783.tmp: error while loading shared libraries: libc++.so: cannot open shared object file: No such file or directory
Also indicate that none of the sepolicy tools need c++ std lib.
(cherry-pick of 0cdb0517be696c0dc6882d289eedd45bf2da918c now made possible by
addition of commit: 28b72eddd54cb1287dd7daae853e8e4b78fa17eb)
Bug: 19617220
Change-Id: I2c5b7ab1ddeb0e02cbaad2b7d5430a0974524a89
This is causing more harm than good. We'll just make these all link
libc++ again and work out the CTS issues if they still exist.
Bug: 19778891
This reverts commit 3812cf58cb.
Change-Id: Iaea8f6acb147da4275633a760ccb32951db7f8b6
This is causing more harm than good. We'll just make these all link
libc++ again (another revert) and work out the CTS issues if they still
exist.
Bug: 19778891
This reverts commit a5113a1500.
Change-Id: I35a4c93dae4abb66e3525451d5ce01e33a540895
Address sanitizer requires using libc++ (apparently). We removed
libc++ from these projects since they were C and the SDK/CTS was not
able to find libc++.
If we're interested in continuing to use ASAN on these tools
(probably), we should turn libc++ back on once we're sure CTS won't
die.
Bug: 19778891
Change-Id: I3c1913171a15396ead73277ec1186fead730f66d
Addresses the following error when running CTS on master:
junit.framework.AssertionFailedError: The following errors were encountered when validating the SELinuxneverallow rule:
neverallow { appdomain -bluetooth } self:capability *;
/tmp/SELinuxHostTest5593810182495331783.tmp: error while loading shared libraries: libc++.so: cannot open shared object file: No such file or directory
Also indicate that none of the sepolicy tools need c++ std lib.
Bug: 19617220
Change-Id: I713b3cbd1220655413d399c7cd2b0b50459a5485
Add an attribute command to sepolicy-analyze for displaying the list
of types associated with an attribute in a policy. This is for use
by CTS to check what domains and types are associated with certain
attributes such as mlstrustedsubject and mlstrustedobject.
Change-Id: Ie19361c02feb1ad14ce36862c6aace9e66c422bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Instead of displaying the boolean count, display a list of booleans
defined in the policy, if any. This makes sepolicy-analyze booleans
consistent with sepolicy-analyze permissive and allows automated tests
to simply check whether there was any output at all.
Change-Id: I221b60d94e6e7f6d80399bf0833887af3747fe83
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Implement the booleans test in sepolicy-analyze so
that we can move the no-booleans check from the
SELinuxTest to the SELinuxHostTest along with the
other policy checks.
Change-Id: I95d7ad34da10c354470f43734d34a6ec631a7b4e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
SELinux policy booleans are prohibited in AOSP, so we can drop the
support for the sebool= input selector.
Change-Id: I5ae31247b2f68d90f6ae4c8830458f22c4ffc854
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Presently it ignores duplicate keys in seapp_contexts entries, e.g.
if you were to specify:
user=system seinfo=platform user=bluetooth domain=system_app type=system_app_data_file
checkseapp would ignore the duplicate and libselinux would end up using
the last value defined for the key in each line.
Change-Id: I18cadb0c1bf5a907e6fc6513df65aafed91d76fe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Presently it only detects complete duplicates if you specify -s (strict),
which is not used in the external/sepolicy Makefile, and it allows
overriding earlier entries that have the same input selectors (e.g.
user=, seinfo=) with different values for the output selectors (e.g.
domain=, type=). Thus, a device/<vendor>/<board>/sepolicy/seapp_contexts
file can override the external/sepolicy definitions, and even a single
seapp_contexts file can contain duplicated or conflicting definitions.
Make it always check strictly, and prohibit either duplicates on the
input selectors (i.e. overrides) or complete duplicates (redundant).
Change-Id: Id1e38133cbe31b796253101cfe3b111d1826bc8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Commit dc0ab516f11d8e2c413315e733e25a41ba468e4f changed the libsepol
structures on which sepolicy-analyze relies so that it could be compiled
as a C++ library. Reflect this change in sepolicy-analyze.
Change-Id: I7da601767c3a4ebed7274e33304d8b589a9115fe
host C: sepolicy-analyze <= external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c
external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c: In function 'usage':
external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c:30:5: error: 'for' loop initial declarations are only allowed in C99 mode
external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c:30:5: note: use option -std=c99 or -std=gnu99 to compile your code
make: *** [out/host/linux-x86/obj/EXECUTABLES/sepolicy-analyze_intermediates/sepolicy-analyze.o] Error 1
Change-Id: I9222e447b032d051c251c9718e2b8d5ffb9e9c35
Also, divide each sepolicy-analyze function into its own component for simplified
command-line parsing and potentially eventual modularization.
Bug: 18005561
Cherry-pick from: https://android-review.googlesource.com/#/c/111626/
Change-Id: I751a99feffe820308ec58514fdba4cdef184d964
