Commit graph

66 commits

Author SHA1 Message Date
Thiébaud Weksteen
e9ac9ce0f3 Grant execute on toolbox_exec for isolated_compute_app
In commit 7ba4801, the execute permission for all isolated_app was
removed. Grant access to isolated_compute_app which requires it.

The new treble test TestIsolatedAttributeConsistency is updated to
capture the new permission. See b/275263760.

Bug: 265960698
Bug: 275024392
Bug: 275263760
Test: atest CtsVoiceInteractionTestCases:android.voiceinteraction.cts.VoiceInteractionServiceTest
Change-Id: Ide27a7e351e8f53b0f5b1ad918a508d04ef515a1
2023-03-27 12:44:03 +11:00
Charles Chen
dc184e9aed Compliance test added for isolated_app_all
Compliance test is added to analyze all members of isolated_app_all
and only allows them to have specific differences. Currently only
certain targets and classes are permitted based on the usecase of such
member classes. The list could be expanded based on future requirement
of more functionality yet the change won't be huge to ensure the
properties of sandbox.

Bug: 255597123
Test: m && presubmit
Change-Id: Id579223c585759ab5f6fbd531583d002eb2b14a5
2023-03-22 20:14:11 +00:00
Thiébaud Weksteen
dab3b1a1c0 Refactor treble_sepolicy_tests.py
Introduce a new class TestPolicy to capture all the previous global
variables. This class contains the constructor and loading methods
(Get*) to load its internal state. The tests are modified to accept a
TestPolicy as first argument.

This commit is a no-op. There is no change to the tests.

`git show --ignore-space-change` can be used to skip over the
re-indentation due to the new class.

Bug: 269182257
Test: m selinux_policy (runs treble_sepolicy_tests against all
			compatible versions)
Test: Set DEBUG=True, compare generated scontexts. Identical.
Change-Id: Ia8da115dc1c0109b835e03b95da029b35712d251
2023-03-06 14:08:11 +11:00
Charles Chen
e8b651b240 One-click fix script for isolated_app_all replacement
Provides the script to replace current isolated_app with
isolated_app_all if possible.

Bug: 267487579
Test: m && presubmit
Change-Id: Ifcec81ddf3da2ffb4eac67d8be1de70c1eab6b92
2023-02-03 14:55:29 +00:00
Sandro
26152e9576 searchpolicy: return empty list when providing non-existing source/target
Before this CL, "searchpolicy -t <NAME>" or "searchpolicy -s <NAME>"
would return all rules in the policy if NAME did not exist.

Bug: 238394904
Test: atest SELinuxHostTest
Change-Id: Id8eae496c2e605a094c4931b60812e10d2adab62
2022-08-05 11:35:39 +00:00
Inseob Kim
4912a24447 Use embedded launcher for python binaries
Bug: 239386651
Test: m selinux_policy
Change-Id: Ic267fcfe4c38b51f8cf2469157b7cb57b84ad779
2022-07-26 22:59:04 +09:00
Inseob Kim
68e178a727 Merge "Remove dependency to distutils" 2022-07-20 00:56:59 +00:00
Sandro
6e7e003344 Lexicographically sort perms in rules output of searchpolicy.py
Bug: 238394904
Test: atest seamendc-test && atest CtsSecurityHostTestCases
Change-Id: I841e7d5cf3616d692dcd5b749544268bcbab76c2
2022-07-19 13:56:30 +00:00
Inseob Kim
3a9ac6f10a Remove dependency to distutils
Because distutils is deprecated since Python 3.10.

Test: atest android.security.cts.SELinuxHostTest
Change-Id: I29d390dcfbeaa65b2c868bbc8648835c644e3d18
2022-07-19 14:27:36 +09:00
Maciej Żenczykowski
b13921c3f0 much more fine-grained bpf selinux privs for networking mainline
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.

BPFFS (ie. /sys/fs/bpf) labelling is as follows:
  subdirectory   selinux context      mainline  usecase / usable by
  /              fs_bpf               no (*)    core operating system (ie. platform)
  /net_private   fs_bpf_net_private   yes, T+   network_stack
  /net_shared    fs_bpf_net_shared    yes, T+   network_stack & system_server
  /netd_readonly fs_bpf_netd_readonly yes, T+   network_stack & system_server & r/o to netd
  /netd_shared   fs_bpf_netd_shared   yes, T+   network_stack & system_server & netd [**]
  /tethering     fs_bpf_tethering     yes, S+   network_stack
  /vendor        fs_bpf_vendor        no, T+    vendor

* initial support for bpf was added back in P,
  but things worked differently back then with no bpfloader,
  and instead netd doing stuff by hand,
  bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
  (and was definitely there in R)

** additionally bpf programs are accessible to netutils_wrapper
   for use by iptables xt_bpf extensions

'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).

The reason for splitting net_private vs tethering is that:
  S+ must support 4.9+ kernels and S era bpfloader v0.2+
  T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+

The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions.  Older kernels have
a tendency to reject programs that newer kernels allow.

/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.

Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32)
2022-06-22 16:07:42 -07:00
Jonas 5 Persson
aa9d421655 Allow policy tests to support space in file names
Though libsepol supports it since selinux commit 644c5bbb,
test code couldn't handle whitespace in file name in policy
database.

Solved by splitting string once from left and then once
from right to avoid split of whitespace in file name.

Minimal reproducing example:
$ echo '(genfscon sysfs "/s/p a/ce" (USER ROLE TYPE ((SENS) (SENS))))' > s.cil
$ secilc -m -o s.db external/selinux/secilc/test/minimum.cil s.cil
$ searchpolicy --libpath out/host/linux-x86/lib64/libsepolwrap.so -sX --allow s.db
Traceback (most recent call last):
  File "/tmp/Soong.python_ra9it1nk/searchpolicy.py", line 52, in <module>
    pol = policy.Policy(args.policy, None, args.libpath)
  File "/tmp/Soong.python_ra9it1nk/policy.py", line 460, in __init__
    self.__InitGenfsCon()
  File "/tmp/Soong.python_ra9it1nk/policy.py", line 419, in __InitGenfsCon
    self.__GenfsDictAdd(self.__GenfsDict, buf.value.decode("ascii"))
  File "/tmp/Soong.python_ra9it1nk/policy.py", line 399, in __GenfsDictAdd
    fs, path, context = buf.split(" ")
ValueError: too many values to unpack (expected 3)

Test: manual, as described above
Test: cts SELinuxHostTest with spaces in a genfscon path
Change-Id: I7c74292513a63819ee7dc03ab4977ce9363589a4
2022-02-02 15:12:43 +01:00
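The split-once-from-each-end fix described in the commit above, as an added example that is not code from the sepolicy repository. It assumes the genfscon records handed back by the wrapper have the shape `<fs> <path> <context>` with no quoting, and that only the path may contain spaces.

```python
# Added example (not the project's own code): parse genfscon records of
# the assumed form "<fs> <path> <context>" without breaking on paths that
# contain spaces. A naive line.split(" ") yields too many fields for a
# path such as "/s/p a/ce", which is the crash shown in the commit.

def parse_genfscon(line):
    """Split one genfscon record into (fs, path, context).

    The filesystem name and the security context never contain spaces,
    so the first space ends the fs name and the last space starts the
    context; everything in between is the path, spaces included.
    """
    line = line.strip()
    fs, _, rest = line.partition(" ")          # split once from the left
    path, _, context = rest.rpartition(" ")    # split once from the right
    if not (fs and path and context):
        raise ValueError("malformed genfscon record: %r" % line)
    return fs, path, context


def build_genfs_dict(records):
    """Group (path, context) pairs by filesystem name.

    Mirrors the shape of a per-filesystem dictionary a policy test would
    build before checking labels; the structure is an assumption.
    """
    genfs = {}
    for record in records:
        fs, path, context = parse_genfscon(record)
        genfs.setdefault(fs, []).append((path, context))
    return genfs


# Constructed sample records, including the whitespace case from the
# commit's minimal reproducer.
SAMPLE_RECORDS = [
    "sysfs / u:object_r:sysfs:s0",
    "sysfs /s/p a/ce u:object_r:sysfs_type:s0",
    "proc /sys/kernel/random u:object_r:proc_random:s0",
]

if __name__ == "__main__":
    for fs, entries in build_genfs_dict(SAMPLE_RECORDS).items():
        for path, context in entries:
            print("%-6s %-22r %s" % (fs, path, context))
```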
Inseob Kim
cbc95ea5e2 compat_generator: find new types and removed types
To generate compat files, we need:

- base plat sepolicy
- old plat sepolicy
- base plat pub sepolicy
- mapping file from the device
- latest compat files

Generator now triggers the build system itself to get necessary base
files, and then uses the artifacts to extract new types and removed
types.

For the next step, the new/removed types will be mapped to old types,
based on the latest compat files.

Bug: 214336258
Test: sepolicy_generate_compat --branch sc-v2-dev --target-version \
    32.0 --latest-version 31.0 -vvvv --build latest
Change-Id: I1f228233c1e3638e78bc0630ae51e48667a12ef5
2022-01-24 10:51:18 +09:00
Inseob Kim
6fa8efdf4a Use "data: libsepolwrap" in python binaries
To avoid hard-coded paths in Android.mk rules.

Test: m selinux_policy
Change-Id: I7b464fa2953e01ccb6fff8daa3e219ae372313c5
2021-12-29 04:58:30 +00:00
Thiébaud Weksteen
f24b457dd0 Migrate tests/ to Python 3
In general, it appears that libselinux and libsepol interpret paths and
contexts as bytes. For instance, selabel_file(5) says about the path
field of file_contexts:

  Strings representing paths are processed as bytes (as opposed to
  Unicode), meaning that non-ASCII characters are not matched
  by a single wildcard.

libsepol also uses primitives such as strchr[1], which explicitly
operate at the byte level (see strchr(3)). However, practically, Android
paths and contexts all use ASCII characters.

Use the str type (i.e., Unicode) for all Python code to avoid a larger
refactoring. Ensure we convert to bytes for inputs and outputs of
libsepolwrap.so. The encoding "ascii" is used, which will raise an error
should a context or type contain non-ASCII characters.

Update headers to match development/docs/copyright-templates.

[1] https://cs.android.com/android/platform/superproject/+/master:external/selinux/libsepol/src/context_record.c;l=224;drc=454466e2e49fd99f36db78396e604962b8682cb4

Bug: 200119288
Test: lunch aosp_bramble-userdebug && m
Test: atest --host fc_sort_test
Test: manually run searchpolicy
Change-Id: I72d41a35f90b2d4112e481cd8d7408764a6c8132
2021-12-01 21:45:13 +00:00
Thiébaud Weksteen
b75b4d2477 Refactor fc_sort and add unit tests
Clean up fc_sort to facilitate the migration to Python3. Use PEP8 for
naming scheme.

Test: atest --host fc_sort_test
Bug: 200119288
Change-Id: Ia2c40a850a48ec75e995d5233b5abaae10917a89
2021-11-25 13:18:05 +11:00
Yifan Hong
aabea20d89 Remove healthd.
Test: pass
Bug: 203245871
Change-Id: I4eb0b4333d7fde2096c4c75b7655baf897900005
2021-10-20 18:47:41 -07:00
Hridya Valsaraju
edccaa87aa Revert "Revert "Check that tracefs files are labelled as tracefs_type""
This reverts commit a00863e4d8.

All dependencies for this patch are now merged.

Bug: 184381659
Test: atest
android.security.cts.SELinuxHostTest#testTracefsTypeViolators

Change-Id: Ic268b24222a87cd9f7ff9158eb16a20f1cb3ecbb
2021-05-14 14:06:14 -07:00
Hridya Valsaraju
a00863e4d8 Revert "Check that tracefs files are labelled as tracefs_type"
Revert submission 1668411

Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting

Change-Id: I398e7ecb0403c2044027c3145438d02b9ffaeb8a
2021-04-23 16:38:20 +00:00
Hridya Valsaraju
fde9b8f069 Check that tracefs files are labelled as tracefs_type
Bug: 184381659
Test: make
Change-Id: Iaa4fce9f02d85f2657f2331b68ae5af318d0820f
2021-04-21 14:13:54 -07:00
Inseob Kim
2bcc045724 Check vendor_property_contexts namespaces
For devices launching with Android Q or later, vendor_property_contexts
and odm_property_contexts should only contain vendor and odm properties.
This checks property_contexts files in build time.

To temporarily disable this check, users can set
BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true in BoardConfig.mk. But
VTS is still enforced, so users will have to fix the violations anyway.

Bug: 175526482
Test: m vendor_property_contexts after making violations
Change-Id: I99d6fff9033d78e1d276eed2682a2719dab84ae2
2021-02-17 12:41:38 +09:00
Bob Badour
601ebb43a3 [LSC] Add LOCAL_LICENSE_KINDS to system/sepolicy
Added SPDX-license-identifier-Apache-2.0 to:
  build/Android.bp
  build/soong/Android.bp
  tests/Android.bp
  tools/Android.bp

Added SPDX-license-identifier-Apache-2.0 legacy_unencumbered to:
  Android.bp
  Android.mk
  compat.mk
  contexts_tests.mk
  mac_permissions.mk
  seapp_contexts.mk
  treble_sepolicy_tests_for_release.mk

Added legacy_unencumbered to:
  apex/Android.bp
  tools/sepolicy-analyze/Android.bp

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all

Exempt-From-Owner-Approval: janitorial work
Change-Id: I1ab286543ef1bdcb494cf74f2b35e35a08225d28
2021-02-05 01:28:24 -08:00
Hridya Valsaraju
8c9cf62edb Allow coredomain access to only approved categories of vendor heaps
One of the advantages of the DMA-BUF heaps framework over
ION is that each heap is a separate char device and hence
it is possible to create separate sepolicy permissions to restrict
access to each heap.
In the case of ION, allocation in every heap had to be done through
/dev/ion which meant that there was no away to restrict allocations in
a specific heap.

This patch intends to restrict coredomain access to only approved
categories of vendor heaps. Currently, the only identified category
as per partner feedback is the system-secure heap which is defined
as a heap that allocates from protected memory.

Test: Build, video playback works on CF with ION disabled and
without sepolicy denials
Bug: 175697666

Change-Id: I923d2931c631d05d569e97f6e49145ef71324f3b
2020-12-16 10:08:54 -08:00
Alan Stokes
668e74f6f4 Exempt app_data_file_type from neverallow rules.
We need to be able to access app data files from core domains such as
installd even for vendor apps. Those file types should not be
core_data_file_type, so we explicitly exempt app_data_file_type as
well as core_data_file_type from the relevant neverallows.

To prevent misuse of the attribute, add a test to check it is not
applied to anything in file_contexts. Exempt the existing violators in
system policy for now.

Test: Builds
Test: Adding a type with just "file_type, data_file_type, app_data_file_type" works
Test: New test successfully catches violators.
Bug: 171795911
Change-Id: I07bf3ec3db615f8b7a33d8235da5e6d8e2508975
2020-11-12 18:08:18 +00:00
Steven Moreland
4537b1ed62 Merge "Policy: file errors include files with attrs" 2020-11-04 16:21:40 +00:00
Steven Moreland
7f11650293 Policy: file errors include files with attrs
Since many files can correspond to the same error, it can be hard to see
which file is causing the error for an attribute

Example, here I couldn't find which file was 'vendor_file':

  The following types on / must be associated with the "no_fs_type"
  attribute: vendor_file
   corresponding to files: /cache/overlay/oem/upper

Bug: 154851797
Test: see above example
Change-Id: Ic96536da3ce55ccc5f600579b9f6b1b4f56fc93d
2020-11-03 23:20:43 +00:00
Steven Moreland
a01338d4a8 sepolicy_tests.py: system_ext, product, odm
Adds missing partitions to Treble sepolicy tests, and makes exceptions
explicit.

Bug: 154851797
Test: build runs this test

Change-Id: I93f3e633981383d3d215d3a850f6ade12c910415
2020-11-02 20:24:35 +00:00
Inseob Kim
1b8b1f648c Ensure property owners are exclusive
system_property_type and vendor_property_type can't be assigned
together. For example, the following policy snippet will fail.

system_public_prop(foo_prop)
typeattribute foo_prop vendor_property_type;

product_property_type is currently synonym for system_property_type, so
we only check those two.

Bug: 171437654
Test: m selinux_policy
Test: add "typeattribute default_prop vendor_property_type;" to
      property.te and then "m selinux_policy"
Change-Id: I1cdbf3d04264bb045568c30f19339dfe3889dbb4
2020-10-23 15:16:11 +09:00
Steven Moreland
5c0a0a8190 Remove binder_in_vendor_violators.
It's release blocking if devices specify it. Since none are used
in-tree anymore, no reason to ever use this again.

Bug: 131617943
Test: grepping source/build (which validates this isn't used)
Change-Id: I6f98ab9baed93e11403a10f3a0497c855d3a8695
2020-08-27 00:00:35 +00:00
Joel Galenson
b0d74a1f5b Update sepolicy to use inclusive language
See https://source.android.com/setup/contribute/respectful-code for reference

#inclusivefixit

Bug: 161896447
Test: Build
Change-Id: If612f2270c8ba1d7fc2cbda3b2e8ca3818c0a1be
2020-07-27 16:52:04 +00:00
Steven Moreland
000ec93900 treble_sepolicy_tests.py: require recognized loc
Before, we were silently ignoring unrecognized paths.

Bug: 152813275
Test: m (runs this test)
Test: reproduce every error I've added
Change-Id: I4a0b8fb9fff070d16126caa1499590693a6d2895
2020-04-08 23:17:16 +00:00
Steven Moreland
a00530b07c Remove treble coredomain whitelist.
Seems that this is no longer needed, except for vendor_init.

Bug: 152813275
Test: m (runs this test)
Change-Id: I773053cbe1a84911684cc2ff15904ee7ddf7a73e
2020-04-02 16:02:54 -07:00
Tri Vo
8c31ddf22e sepolicy: don't construct mappings for ignored types
Say, foo_type was introduced in 29.0 sepolicy and is in 29.0.ignore.cil.
Also assume (typeattributeset foo_type_29_0 (foo_type bar_type))

Make sure that above mapping is not expanded into 28.0.cil, 27.0.cil, etc.

Test: m selinux_policy
Test: build aosp/1199739
Change-Id: Ib564431ab67f555ea1ae650dc31a68121e9c6d84
2020-01-08 08:53:27 -08:00
Dan Willemsen
1f944107a3 Fix sepolicy_tests on Mac 10.15
This is dlopened by sepolicy_tests, which embeds the python
interpreter built from our tree. That python interpreter links against
the shared version of libc++, so mixing it with this static copy was
causing segfaults on Mac 10.15 (but apparently not elsewhere).

Test: SANITIZE_HOST=address m treble_sepolicy_tests
Test: `m` on Mac 10.15
Change-Id: I31744acd018ea4c980c46a9979bbad17ae1c4f68
2019-11-23 17:45:01 -08:00
Tri Vo
7bfd7303b3 Expand typeattribute declarations into older maps
Say, foo_attribute is removed in 30 API. We need to preserve
typeattribute declaration in 29.0.cil, 28.0.cil, etc for backwards
compatibility.
(typeattribute binder_in_vendor_violators)

Automatically expand these typeattribute declaration into older map
files, so that we only need to update 29.0.cil.

Test: remove binder_in_vendor_violators; only 29.0.cil map needs to be
updated
Change-Id: Ifa7767d771f802e122b2f1ff6faf198ba2afa42e
2019-08-20 16:07:29 -07:00
Tri Vo
462c9c4382 sepolicy: public links in error messages
Bug: n/a
Test: n/a
Change-Id: Id449fe115fac8bf99c33bf4455a23dd29448f93d
2019-08-09 10:27:48 -07:00
Jeff Vander Stoep
1ca7a4c8f5 fc_sort: delete c version, migrate to python version
Test: build aosp_blueline-userdebug, run build-time tests
Change-Id: I9c466cd718602e6068ee31abd6de7dbab84f4949
2019-04-11 10:19:16 -07:00
Tri Vo
1451938da0 sepolicy: Improve treble test error message.
Bug: 120080521
Test: removing a mapped type in the mapping file triggers new error
message
Change-Id: I04b21da7206777af8c281a843bd39ea5c4f0863a
2019-01-06 18:18:32 -08:00
Treehugger Robot
3e5054e8fa Merge "Start enforcing /system file labeling" 2018-10-04 22:03:11 +00:00
Nick Kralevich
dab131b1f8 Start enforcing /system file labeling
system_file_type is an attribute assigned to all files on the /system
partition. Add a compile time test to ensure that the attribute is
assigned to all the relevant types.

Test: code compiles.
Change-Id: I7d69a04a4f04f6269cc408f25527b948756cc079
2018-10-04 11:24:00 -07:00
Tri Vo
2777d18c20 combine_maps: only use python2
python3 is not required on host machines.

Bug: 117260689
Test: m selinux_policy
Change-Id: Iea31eadcb3f09ffadca82dd1862cf5538259c710
2018-10-04 10:22:49 -07:00
Tri Vo
438684b39f Only maintain maps between current and previous selinux versions.
New maintenance scheme for mapping files:
Say, V is the current SELinux platform version, then at any point in time we
only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1)
and bottom (V-n+1->V-n) without changes to previously maintained mapping files.

Caveats:
- 26.0.cil doesn't technically represent 27.0->26.0 map, but rather
current->26.0. We'll fully migrate to the scheme with future releases.

Bug: 67510052
Test: adding new public type only requires changing the latest compat map
Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8
2018-10-02 15:10:13 -07:00
Tri Vo
e3f4f77d39 Don't require private types in mapping file.
Private types are not visible to vendor/odm policy, so we don't need mapping
entries for them.

We build platform-only public policy .cil file and give it as input to
treble_sepolicy_tests. Using this public policy the test can now figure out if
the newly added type is public or private.

Bug: 116344577
Test: adding public type triggers mapping test failure, adding private type does
not.
Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-28 17:22:25 -07:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Nick Kralevich
bb880a2826 gracefully handle hashtab_search failures
Otherwise we crash on a null pointer exception.

Test: Reference a non-existent type in test code and make sure
    the test doesn't crash.

Change-Id: I5839d2740d51c0df7a8909a3f8430850ae1b2675
2018-09-26 14:28:44 -07:00
Nick Kralevich
41b21ee96a Delete untrusted_v2_app
As of https://android-review.googlesource.com/c/platform/system/sepolicy/+/536356 ,
the untrusted_v2_app domain is no longer used.

Bug: 112233317
Test: policy compiles, device boots, and no problems
Change-Id: I5a47c8305bef374b7fea06cd789e06cd48b847e6
2018-08-06 12:52:37 -07:00
Yi Kong
16544eb94f Modernize codebase by replacing NULL with nullptr
Fixes -Wzero-as-null-pointer-constant warning.

Test: m
Bug: 68236239
Change-Id: Ib3f0a25a5129c34d94ebebff818feb5e6fd349dd
2018-07-24 14:54:56 -07:00
Jeff Vander Stoep
3a3756feee searchpolicy depends on FcSort
Bug: 77965486
Test: run cts -m CtsSecurityHostTestCases -t
    android.cts.security.FileSystemPermissionTest#testDevHwRandomPermissions

Change-Id: Ib5965649e9b2b4bb0259383374dfac76cc0a8bd5
(cherry picked from commit cc541a80c3)
2018-04-24 14:12:50 -07:00
Tri Vo
4c80c2caa8 Test that /proc files have proc_type attribute.
Bug: 74182216
Change-Id: Ia1c6b67ac93ed6e88c50c1527b48275365bf5fd5
Test: build policy
2018-03-29 03:42:47 +00:00
Tri Vo
0d5b954086 Revert "Test that /proc files have proc_type attribute."
This reverts commit 4e79b64e05.

Reason for revert: broke something internal

Change-Id: Iec5f2c17fc768424c0b82936a069e42de0b66555
2018-03-28 23:13:14 +00:00
Tri Vo
4e79b64e05 Test that /proc files have proc_type attribute.
Bug: 74182216
Test: build policy
Change-Id: Ice800c571e9be469dffa212c478c10e63b80deca
2018-03-28 13:08:42 -07:00