Commit graph

47 commits

Author SHA1 Message Date
Stephen Smalley
884ee2a61c checkseapp, seapp_contexts: drop sebool= support.
SELinux policy booleans are prohibited in AOSP, so we can drop the
support for the sebool= input selector.

Change-Id: I5ae31247b2f68d90f6ae4c8830458f22c4ffc854
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-24 00:36:24 +00:00
Stephen Smalley
534fb0711d checkseapp: Detect duplicate keys in seapp_contexts entries.
Presently it ignores duplicate keys in seapp_contexts entries, e.g.
if you were to specify:

user=system seinfo=platform user=bluetooth domain=system_app type=system_app_data_file

checkseapp would ignore the duplicate and libselinux would end up using
the last value defined for the key in each line.

Change-Id: I18cadb0c1bf5a907e6fc6513df65aafed91d76fe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-24 00:35:23 +00:00
Stephen Smalley
0b820042e4 checkseapp: Detect duplicate entries within seapp_contexts.
Presently it only detects complete duplicates if you specify -s (strict),
which is not used in the external/sepolicy Makefile, and it allows
overriding earlier entries that have the same input selectors (e.g.
user=, seinfo=) with different values for the output selectors (e.g.
domain=, type=).  Thus, a device/<vendor>/<board>/sepolicy/seapp_contexts
file can override the external/sepolicy definitions, and even a single
seapp_contexts file can contain duplicated or conflicting definitions.

Make it always check strictly, and prohibit either duplicates on the
input selectors (i.e. overrides) or complete duplicates (redundant).

Change-Id: Id1e38133cbe31b796253101cfe3b111d1826bc8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-13 14:58:31 -05:00
dcashman
0de2b45f63 Adjust sepolicy-analyze to reflect libsepol changes.
Commit dc0ab516f11d8e2c413315e733e25a41ba468e4f changed the libsepol
structures on which sepolicy-analyze relies so that it could be compiled
as a C++ library.  Reflect this change in sepolicy-analyze.

Change-Id: I7da601767c3a4ebed7274e33304d8b589a9115fe
2014-12-22 15:31:38 -08:00
William Roberts
47c1461156 Fix sepolicy-analyze build with different toolchains
host C: sepolicy-analyze <= external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c
external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c: In function 'usage':
external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c:30:5: error: 'for' loop initial declarations are only allowed in C99 mode
external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c:30:5: note: use option -std=c99 or -std=gnu99 to compile your code
make: *** [out/host/linux-x86/obj/EXECUTABLES/sepolicy-analyze_intermediates/sepolicy-analyze.o] Error 1

Change-Id: I9222e447b032d051c251c9718e2b8d5ffb9e9c35
2014-12-01 11:45:54 -08:00
dcashman
ef4fd30672 Accept command-line input for neverallow-check.
Also, divide each sepolicy-analyze function into its own component for simplified
command-line parsing and potentially eventual modularization.

Bug: 18005561
Change-Id: I45fa07d776cf1bec7d60dba0c03ee05142b86c19
2014-10-31 11:38:32 -07:00
Nick Kralevich
74bbf703df maybe fix mac build.
1 warning generated.
  external/sepolicy/tools/sepolicy-analyze.c:446:27: error: implicit declaration of function 'isspace' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
          while (p < end && isspace(*p))
                          ^
  1 error generated.
  make: *** [out/host/darwin-x86/obj32/EXECUTABLES/sepolicy-analyze_intermediates/sepolicy-analyze.o] Error 1
  make: *** Waiting for unfinished jobs....

Change-Id: I250dcef7c726d5b66835dc51c057e472b801aa2c
2014-10-14 20:35:23 -07:00
Stephen Smalley
59906bf893 Add neverallow checking to sepolicy-analyze.
See NEVERALLOW CHECKING in tools/README for documentation.

Depends on change I45b3502ff96b1d093574e1fecff93a582f8d00bd
for libsepol to support reporting all neverallow failures.

Change-Id: I47c16ccb910ac730c092cb3ab977c59cb8197ce0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-14 10:17:40 -04:00
Stephen Smalley
ff4db9194e Add isOwner= input selector for seapp_contexts.
Enable labeling apps differently depending on whether they
are running for the primary user / owner or for a secondary user.

Change-Id: I37aa5b183a7a617cce68ccf14510c31dfee4e04d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-15 15:55:04 -04:00
dcashman
9793ea7aa6 Add permissive domains check to sepolicy-analyze.
Also enable global reading of kernel policy file. Motivation for this is to
allow read access to the kernel version of the binary selinux policy.

Change-Id: I1eefb457cea1164a8aa9eeb7683b3d99ee56ca99
2014-08-22 11:54:35 -07:00
Stephen Smalley
43b9cfd356 Refine sepolicy-analyze -D / dup detection.
We were incorrectly reporting overlapping rules as duplicates.
Only report cases where an attribute-based rule is a superset
of type-based rule.  Also omit self rules as they are often due
to expansion of domain self rules by checkpolicy.

Change-Id: I27f33cdf9467be5fdb6ce148aa0006d407291833
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-17 14:42:09 -04:00
Stephen Smalley
f4fa7567f4 Treat seinfo=default name=<anything> as an error.
check_app already checks for usage of name= entries
in seapp_contexts with no seinfo= specification to
link it back to a signer in mac_permissions.xml.
However, one can avoid this error by specifying
a seinfo=default which merely matches the default
stanza of mac_permissions.xml without actually ensuring
that it is tied to a specific certificate.  Catch
that error case too.

Change-Id: If33cf21501e8bfee44d31c92b6341dfa583552b2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-04-04 14:16:46 -04:00
Robert Craig
3ea628fccc Remove errant newline from generated policy file.
When running the post_process_mac_perms script
an unneeded newline is appended to modified
mac_permissions.xml file. Use sys.stdout.write
instead which avoids any formatting when printing.

Change-Id: Ib662dab1566299467371389dc236619aec40f5ac
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-04-01 11:22:53 -04:00
Robert Craig
4caa6d4b89 Update README concerning post_process_mac_perms script.
Change-Id: Iabda448d252d3b1ce19809c7f5de0dca3942f60c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-03-25 13:51:59 -04:00
Robert Craig
3e70d4793a Introduce post_process_mac_perms script.
usage: post_process_mac_perms [-h] -s SEINFO -d DIR -f POLICY

Tool to help modify an existing mac_permissions.xml with additional app certs
not already found in that policy. This becomes useful when a directory
containing apps is searched and the certs from those apps are added to the
policy not already explicitly listed.

optional arguments:
  -h, --help            show this help message and exit
  -s SEINFO, --seinfo SEINFO
                        seinfo tag for each generated stanza
  -d DIR, --dir DIR     Directory to search for apks
  -f POLICY, --file POLICY
                        mac_permissions.xml policy file

Change-Id: Ifbaca3b3120874a567d3f22eb487de1aa8bda796
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-03-12 11:01:24 -04:00
Stephen Smalley
6139de50fd Add support for and use new path= specifier in seapp_contexts.
Extend check_seapp to accept the use of the new path= specifier
in seapp_contexts and use it to ensure proper labeling of the cache
subdirectory of com.android.providers.downloads for restorecon.

After this change, restorecon /data/data/com.android.providers.downloads/cache
does not change the context, leaving it in download_file rather than
relabeling it to platform_app_data_file.

Depends on Iddaa3931cfd4ddd5b9f62cd66989e1f26553baa1.

Change-Id: Ief65b8c8dcb44ec701d53e0b58c52d6688cc2a14
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-19 10:56:41 -05:00
Stephen Smalley
bec54f42ed Add support for duplicate allow rule detection (-D / --dups).
Usage:
sepolicy-analyze -D -P out/target/product/<board>/root/sepolicy

Displays duplicate allow rules, i.e. pairs of allow rules that grant
the same permissions where one allow rule is written directly in terms
of individual types and the other is written in terms of attributes
associated with those same types.  The rule with individual types is
a candidate for removal.  The rule with individual types may be directly
represented in the source policy or may be a result of expansion of
a type negation (e.g. domain -foo -bar is expanded to individual allow
rules by the policy compiler).  Domains with unconfineddomain will
typically have such duplicate rules as a natural side effect and can
be ignored.

Also add a tools/README with a description of all of the tools.

Change-Id: I07838dbd22c5cc8a4a65b57003ccae38129050f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-18 16:11:36 -08:00
Robert Craig
c9bb91da5f Reintroduce -Wall -Werror to check_seapp.
Also add attribute for a potential unused
function argument when dealing with darwin
SDK builds.

Change-Id: Iefdbecb050cc5fff6036f15413566e10cefa3813
2013-11-01 11:53:46 -04:00
Nick Kralevich
2d8a42373e Revert -Wall -Werror
Temporarily revert -Wall -Werror on checkseapp.
This is causing a compiler error on darwin SDK builds.

cc1: warnings being treated as errors
external/sepolicy/tools/check_seapp.c: In function 'rule_map_free':
external/sepolicy/tools/check_seapp.c:439: warning: unused parameter 's'
make: *** [out/host/darwin-x86/obj/EXECUTABLES/checkseapp_intermediates/check_seapp.o] Error 1

Change-Id: I9776777a751f16d5ca0d90e731482c31dac813f9
2013-10-31 15:33:37 -07:00
Stephen Smalley
7b2bee99c1 Add sepolicy-analyze tool.
And also remove the unnecessary references to libselinux for
sepolicy-check, as it has no dependencies on libselinux.
Also enable -Wall -Werror on building all of these tools and
fix up all such errors.

Usage:
$ sepolicy-analyze -e -P out/target/product/<device>/root/sepolicy
or
$ sepolicy-analyze -d -P out/target/product/<device>/root/sepolicy

The first form will display all type pairs that are "equivalent", i.e.
they are identical with respect to allow rules, including indirect allow
rules via attributes and default-enabled conditional rules (i.e. default
boolean values yield a true conditional expression).

Equivalent types are candidates for being coalesced into a single type.
However, there may be legitimate reasons for them to remain separate,
for example:
- the types may differ in a respect not included in the current
analysis, such as default-disabled conditional rules, audit-related
rules (auditallow or dontaudit), default type transitions, or
constraints (e.g. mls), or
- the current policy may be overly permissive with respect to one or the
other of the types and thus the correct action may be to tighten access
to one or the other rather than coalescing them together, or
- the domains that would in fact have different accesses to the types
may not yet be defined or may be unconfined in the policy you are
analyzing (e.g. in AOSP policy).

The second form will display type pairs that differ and the first
difference found between the two types.  This output can be long.

We have plans to explore further enhancements to this tool, including
support for identifying isomorphic types.  That will be required to
identify similar domains since all domains differ in at least their
entrypoint type and in their tmpfs type and thus will never show up as
equivalent even if they are in all other respects identical to each other.

Change-Id: If0ee00188469d2a1e165fdd52f235c705d22cd4e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-31 15:12:32 -04:00
William Roberts
610a4b1c32 tools: update lengths from int to size_t
Change-Id: If4839218b200a0d90bdf7779d2e039719fae85a5
2013-10-16 08:27:47 -07:00
William Roberts
6184629174 tools: require that seinfo and packagename be used
Modify check_seapp.c to verify that a packagname (name)
must be specified with a signing key (seinfo). This will
help thwart spoof attacks on the packagename.

Change-Id: I8f1aa8a479cb5beb5c3522d85e3181604931ea72
2013-10-16 08:27:40 -07:00
William Roberts
d1f1070acb tools: drop unused field in struct
check_seapp at one point in time switch from a home implementation
of a hash table to using GLIBC search.h routines. A struct in one
of the fields was never removed during this transition.

Change-Id: I65c028103ffe90fa52e0b3c9fce28124ed9c7ff9
2013-10-15 08:58:51 -07:00
William Roberts
14138335bd tools: Strengthen BEGIN/END CERTIFICATE checks
insertkeys.py used beginswith() when checking that the BEGIN
and END CERTIFICATE clauses in PEM files were correct. It should
have done an explicit check on equality.

Change-Id: I5efb48d180bc674e6281a26a955acd248588b8bd
2013-10-14 15:54:42 -07:00
Mike Palmiotto
070c01f8f1 tools: Don't error out of insertkeys script on whitespace
Many keys end with whitespace or otherwise have whitespace separating the
certificates.  If insertkeys is intended to support multiple certificates, we
should also support blank line separators.

Change-Id: I5fd17be5785ad1b89a6191e9ba33bbc7c5a4e8e9
2013-10-10 17:40:23 -04:00
William Roberts
1ecb4e8ad1 tools: Correct insert keys behavior on pem files
Insert keys would erroneously process pem files
with openssl headers in them. Also, the tool would
be fooled into attempting to use pem files that
had private keys and other things in the format.
This patch strengthens the formatting requirements
and increases the verboseness of error messages
when processing pem files.

Change-Id: I03353faaa641233a000d1a18943024ae47c63e0f
2013-10-08 10:43:56 -04:00
Stephen Smalley
640991bb3c Extend to check indirect allow rules and conditional rules.
$ sepolicy-check -s untrusted_app -t mediaserver -c binder -p call -P out/target/product/manta/root/sepolicy
Match found!

Also removed loading of initial SIDs as that is not required for
this functionality and it leaks memory as it is never freed.
valgrind now reports no leaks.

Change-Id: Ic7a26fd01c57914e4e96db504d669f5367542a35
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-12 16:26:06 -04:00
Geremy Condra
2b8512cc59 Merge "Add sepolicy-check, a utility for auditing selinux policy." 2013-08-23 19:01:23 +00:00
Geremy Condra
01aaeb6a82 Add sepolicy-check, a utility for auditing selinux policy.
This is based on Joshua Brindle's sepolicy-inject.

Change-Id: Ie75bd56a2996481592dcfe7ad302b52f381d5b18
2013-08-23 11:57:42 -07:00
Richard Haines
1b46b2fe47 Fix insertkeys.py to resolve keys.conf path entries in a portable way
Currently a path to a key in keys.conf must be fully qualified or have
the -d option appended. This fix will allow paths to have environment
variables that will be expanded. This will give portability to the
entries. For example the following entry will now be resolved correctly:
[@NET_APPS]
ALL : $ANDROID_BUILD_TOP/device/demo_vendor/demo_dev/security/net_apps.x509.pem

Change-Id: If4f169d9ed4f37b6ebd062508de058f3baeafead
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2013-08-08 15:13:29 +01:00
William Roberts
5f4e6ee379 am 63297211: Support strict duplicate checking
* commit '632972117a754dc64102cf81154ae6aed86febf3':
  Support strict duplicate checking
2013-05-02 13:36:00 -07:00
William Roberts
3e273da29d am 1e8c061b: Fix segfault on -v with duplicates
* commit '1e8c061b053cdfd808c7a7649c78df4c33ded63d':
  Fix segfault on -v with duplicates
2013-05-02 13:36:00 -07:00
William Roberts
632972117a Support strict duplicate checking
Change-Id: I3bb4755b86a90414a3912c8099dd7a4389249b24
2013-04-29 11:05:40 -07:00
William Roberts
1e8c061b05 Fix segfault on -v with duplicates
Change-Id: Ic040af5cfcd1be22074a691ecdd01e890866bc19
2013-04-19 19:06:02 -07:00
Geremy Condra
020b5ff631 Add a key directory argument to insertkeys.py
This allows us to better integrate key selection with our existing
build process.

Change-Id: I6e3eb5fbbfffb8e31c5edcf16f74df7c38abe537
2013-03-29 16:29:43 -07:00
Robert Craig
7f2392eeb0 Expand insertkeys.py script to allow union of files.
Allow script to union mac_permissions.xml files
specified using the BOARD_SEPOLICY_DIRS and
BOARD_SEPOLICY_UNION constructs.

Change-Id: I4fc65fd1ab4c612f25e966f030247e54a270b614
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-27 20:34:29 +00:00
Geremy Condra
edf7b4c861 Revert "Revert "Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml""""
This reverts commit 60d4d71ead

This should (finally) be fixed in https://android-review.googlesource.com/#/c/54730/

Change-Id: I3dd358560f7236f28387ffbe247fc2b004e303ea
2013-03-26 22:19:03 +00:00
Geremy Condra
60d4d71ead Revert "Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml"""
This reverts commit cd4104e84b

This builds clean locally, but seems to explode on the build servers. Reverting until there's a solution.

Change-Id: I09200db37c193f39c77486d5957a8f5916e38aa0
2013-03-26 19:45:18 +00:00
Geremy Condra
cd4104e84b Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml""
This reverts commit 1446e714af

Hidden dependency has been resolved.

Change-Id: Ia535c0b9468ea5f705dff9813186a7fa8bab84ae
2013-03-26 18:19:34 +00:00
Stephen Smalley
38084146e0 Generalize levelFromUid support.
Introduce a levelFrom=none|app|user|all syntax for specifying
per-app, per-user, or per-combination level assignment.
levelFromUid=true|false remains valid syntax but is deprecated.
levelFromUid=true is equivalent to levelFrom=app.

Update check_seapp to accept the new syntax.
Update seapp_contexts to document the new syntax and switch
from levelFromUid=true to levelFrom=app.  No change in behavior.

Change-Id: Ibaddeed9bc3e2586d524efc2f1faa5ce65dea470
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-20 01:39:25 +00:00
Geremy Condra
1446e714af Revert "Dynamic insertion of pubkey to mac_permissions.xml"
This reverts commit 22fc04103b

Change-Id: I2d91b1262e8d0e82a21ea7c5333b1e86f3ed9bee
2013-03-19 22:56:46 +00:00
Geremy Condra
d06104d873 Merge "property_contexts checks added to checkfc." 2013-03-19 22:42:19 +00:00
Geremy Condra
6d6c617f6d Merge "Whitespace and doxygen fix" 2013-03-19 22:35:44 +00:00
Robert Craig
d98d26ef3c property_contexts checks added to checkfc.
Change-Id: If361ea93fabd343728196eed2663fd572ecaa70b
Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
2013-03-19 22:28:46 +00:00
William Roberts
22fc04103b Dynamic insertion of pubkey to mac_permissions.xml
Support the inseretion of the public key from pem
files into the mac_permissions.xml file at build
time.

Change-Id: Ia42b6cba39bf93723ed3fb85236eb8f80a08962a
2012-12-08 09:26:37 +09:00
William Roberts
fff2980a1a Whitespace and doxygen fix
Change-Id: I7b6ad050051854120dc8031b17da6aec0e644be3
2012-11-27 14:20:34 -08:00
Alice Chu
cdfb06f553 Moved Android policy tools to tools directory
Change-Id: I57b0dd9f8071eae492020f410c87f465ba820711
2012-11-01 11:33:04 -07:00