Commit graph

207 commits

Author SHA1 Message Date
Mugdha Lakhani
49075f9cab Add canary restrictions for sdk_sandbox
Apply sdk_sandbox_next it if a new input selector,
isSdkSandboxNext, is true. This is set to true by libselinux
if a flag is set in the seInfo passed to it.

This enables some testers to test out the set of restrictions
we're planning for the next SDK version.
sdk_sandbox_next is not the final set of restrictions of the next SDK
version.

Bug: b/270148964
Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest
SdkSandboxRestrictionsTest

Change-Id: Idbc3ab39a2d9ef6e1feaf8c212d81a1c79b0f787
2023-05-11 17:42:48 +00:00
Charles Chen
eb1290f511 Merge "Update seapp_contexts with isIsolatedComputeApp selector" 2023-02-01 17:34:48 +00:00
Inseob Kim
338f81baac Add comments on compat files
To prevent further confusion.

Bug: 258029505
Test: manual
Change-Id: Iaa145e4480833a224b1a07fc68adb7d3e8a36e4b
2023-01-31 09:57:26 +09:00
Charles Chen
307049222a Update seapp_contexts with isIsolatedComputeApp selector
Provide isIsolatedComputeApp selector for apps reusing _isolated user to run in domains other than isolated_app. Processes match the selector will have a default domain isolated_compute_app assigned. Also updated _isolated neverallow statements.

Bug: 265540209
Bug: 265746493
Test: m && atest --host libselinux_test with change on android_unittest.cpp
Change-Id: Ia05954aa6a9a9a07d6a8d1e3235a89e7b37dead9
2023-01-27 14:36:40 +00:00
Inseob Kim
f87eb38696 Generate compat files and modules with scripts
The steps have been done by hand, which is highly errorprone.

Bug: 207344718
Test: run the script manually
Change-Id: I9deb367b0cbd8d357147f83964bc214cd00266f7
2022-10-19 18:32:01 +09:00
Inseob Kim
bf2a967f1f Fix wrongly hardcoded version
Also removed 10000.0 as there is no 10000.0 in the cil (only 10000_0
exists)

Test: manual
Change-Id: I8c88622e75847388394ba7a0e2e16ceb600ac4f1
2022-10-19 18:31:07 +09:00
Inseob Kim
73172d83ca Remove deprecated distutils dependency
Test: manual
Change-Id: I18747dc6dc47d8e865cadb87dee4a88d1ec32d49
2022-10-19 18:25:23 +09:00
Pawan Wagh
a103fde7ea sepolicy: updating error message for fuzzer bindings
BUG: 249122938
Test: m
Change-Id: I562cc9207f821025180c647d4a07e433abb2cc6c
2022-09-28 19:38:31 +00:00
Pawan
588ebd5e74 sepolicy : Updating error message with doc link
Updating error message with aidl fuzzing link.

Test: m
Bug: 242104782
Change-Id: I96ffc8f55319da6d3acb2deffd4717bfd9727346
2022-09-14 23:34:05 +00:00
Pawan
0ecf99def5 sepolicy : Recommend fuzzers for new services
Adding soong module and tool to check if there is fuzzer present
for every service in private/service_contexts. Whenever a service is
added, its is recommended to update
$ANDROID_BUILD_TOP/system/sepolicy/soong/build/service_fuzzer_bindings.go
with service name and its corresponding fuzzer.

Test: m
Bug: 242104782
Change-Id: Id9bc45f50bebf464de7c91c7469d4bb6ff153ebd
2022-09-13 18:18:46 +00:00
Sandro
8978204264 seamendc: prefetch binary policy in memory before parsing
This optimization improves the runtime of seamendc by ~6-7ms.

Bug: 236691128
Test: atest seamendc-test && atest SeamendcHostTest
Change-Id: Id1e86a5f51d035fac415a0e6ae05b99b3bd774d4
2022-07-28 14:25:03 +00:00
George Burgess IV
3f0bbd132d seamendc: fix potential double-free
If we don't set `buff = NULL` after it's freed by this loop, a later
iteration over the loop where e.g., `stat` fails will call
`free(buff)` again.

Bug: 206470603
Test: TreeHugger
Change-Id: Ic19195adb7398fe2f8ab682ed451f24463872562
2022-07-19 17:31:52 +00:00
sandrom
b246b1dc35 Add seamendc binary
Bug: 236691128
Test: adb shell seamendc -b <binary_policy> -o <output_policy> <test.cil> <test-redefinitions.cil>

Change-Id: Id51271e89261a2a612cf25e7b56147d5931c76f9
2022-07-11 09:23:52 +00:00
Treehugger Robot
8817edcbb4 Merge "Revert^2 "Migrate contexts tests to Android.bp"" 2022-02-16 04:23:47 +00:00
Inseob Kim
b5e235346e Revert^2 "Migrate contexts tests to Android.bp"
This reverts commit baa93cc651.

Reason for revert: amlogic build fixed

Change-Id: I8b046dc810d47a2d87012f02a668873889fce705
2022-02-16 02:26:11 +00:00
Inseob Kim
9eadc83220 Implement compat file generator
sepolicy_generate_compat is a binary that creates a new compat file when
freezing sepolicy API.

Suppose that we are adding {ver} compat file, after freezing {ver}
sepolicy. Then the workflow would be:

1) copy prebuilts to system/sepolicy/prebuilts/api/{ver}
2) add {ver} to PLATFORM_SEPOLICY_COMPAT_VERSIONS under
   build/make/core/config.mk
3) touch the following three files
  - system/sepolicy/private/compat/{ver}/{ver}.cil
  - system/sepolicy/private/compat/{ver}/{ver}.compat.cil
  - system/sepolicy/private/compat/{ver}/{ver}.ignore.cil
  - system/sepolicy/prebuilts/api/{ver}/vendor_sepolicy.cil
  - system/sepolicy/prebuilts/api/{ver}/plat_pub_versioned.cil
  * This step is to build base compat files, and won't be needed in the
    future.
4) add compat module files (won't be needed in the future)
  - {ver}.cil
  - {ver}.compat.cil
  - {ver}.ignore.cil
  * This step is to build base compat files, and won't be needed in the
    future.
5) run the following command to update above three files:
  $ source build/envsetup.sh && lunch aosp_arm64-userdebug
  $ m sepolicy_generate_compat
  $ sepolicy_generate_compat --branch=(branch_for_ver) \
        --build latest --target-version {ver} \
        --latest-version {ver-1}
6) upload build/make and system/sepolicy changes.

This script still lacks:
- handling of plat_pub_versioned.cil
- test cases
We will tackle such problems with follow-up changes.

Bug: 214336258
Test: manual
Change-Id: I21723a0832e5adadae7c22797c5aba867dc0174e
2022-02-07 13:06:49 +09:00
Inseob Kim
cbc95ea5e2 compat_generator: find new types and removed types
To generate compat files, we need:

- base plat sepolicy
- old plat sepolicy
- base plat pub sepolicy
- mapping file from the device
- latest compat files

Generator now triggers the build system itself to get necessary base
files, and then uses the artifacts to extract new types and removed
types.

For the next step, the new/removed types will be mapped to old types,
based on the latest compat files.

Bug: 214336258
Test: sepolicy_generate_compat --branch sc-v2-dev --target-version \
    32.0 --latest-version 31.0 -vvvv --build latest
Change-Id: I1f228233c1e3638e78bc0630ae51e48667a12ef5
2022-01-24 10:51:18 +09:00
Inseob Kim
29e357e898 Add a skeleton sepolicy compat generator
sepolicy_generate_compat will be used to generate compat files for ToT,
based on the mapping file from aosp_arm64-userdebug target of {ver}
source tree. For now, it only supports downloading a mapping file
system/etc/selinux/mapping/{ver}.cil from the Android build server.

Bug: 214336258
Test: sepolicy_generate_compat --branch sc-v2-dev --version 32.0
Change-Id: I48043c71a6866aa385ecd67462f7678561cc5a38
2022-01-17 17:05:46 +09:00
Inseob Kim
baa93cc651 Revert "Migrate contexts tests to Android.bp"
This reverts commit f612656adf.

Reason for revert: breaking amlogic build

Change-Id: I129b5cb74259c9c028483e84c9b2ac3597c24701
2022-01-14 06:13:28 +00:00
Inseob Kim
f612656adf Migrate contexts tests to Android.bp
Now that we have sepolicy module in Android.bp, we can migrate contexts
tests. Also vendor_service_contexts_test will be run, as we now include
vendor_service_contexts unconditionally.

Unfortunately, vendor_service_contexts_test is now broken, due to a
malformed type hal_power_stats_vendor_service. We will temporarily
exempt the type from the test, to speed up migrating to Android.bp.

Bug: 33691272
Test: m selinux_policy and see tests running
Test: add a malformed type other than hal_power_stats_vendor_service and
      run tests
Change-Id: Ic60eb38b9a7c79006f0b5ff4453768e03006604b
2022-01-14 10:59:59 +09:00
Thiébaud Weksteen
9870725336 Migrate insertkeys.py to Python3
PEM files are ASCII-encoded, open them as text file (as opposed to
binary). Avoid relying on __del__. Introduce a prologue and epilogue
methods to emit the <policy> tag only once per output.

Test: build plat_mac_permissions.xml on bramble and compare with
      previous version; identical
Test: build product_mac_permissions.xml on bramble and compare with
      previous version; identical
Test: build system_ext_mac_permissions.xml on bramble and compare with
      previous version; identical
Test: build vendor_mac_permissions.xml on bramble and compare with
      previous version; identical
Bug: 200119288
Change-Id: Iced0acf75bff756453918a411aecb9f4ef8f825d
2021-12-06 13:46:23 +11:00
Thiébaud Weksteen
1c574576b5 Revert^2 "Use cil_write_build_ast"
bde09de39f

Change-Id: I1c94eb98d1b37216096dfba297434377f805eed9
2021-10-27 04:50:56 +00:00
Thiébaud Weksteen
bde09de39f Revert "Use cil_write_build_ast"
Revert submission 1827311-update_libselinux

Reason for revert: b/200771997 
Reverted Changes:
I088d1e94c:Fix build and use new cil_write_build_ast
I14dc4dc58:Merge remote-tracking branch 'aosp/upstream-master...
I7b77f4469:Use cil_write_build_ast

Change-Id: Ib4983288feb0139ed12cb3a07edd60d2d457022f
2021-09-22 09:15:53 +00:00
Thiébaud Weksteen
8e057d189a Use cil_write_build_ast
libsepol now provides its own function to output the AST.

Bug: 190808996
Change-Id: I7b77f446972b42eca63c2ef7c18dff01508014e8
2021-09-15 16:21:46 +02:00
Jeff Vander Stoep
35779f082f seapp_contexts: Remove unused selectors
These have never been used in AOSP. Looking at ~10,000 Android
build images confirms that these are not used elsewhere within
the Android ecosystem.

Bug: 192532348
Test: build (failures here would be at build-time)
Change-Id: I787b14b531df31fbb9995156eb2e84719b7c90da
2021-07-01 10:51:12 +02:00
Bob Badour
601ebb43a3 [LSC] Add LOCAL_LICENSE_KINDS to system/sepolicy
Added SPDX-license-identifier-Apache-2.0 to:
  build/Android.bp
  build/soong/Android.bp
  tests/Android.bp
  tools/Android.bp

Added SPDX-license-identifier-Apache-2.0 legacy_unencumbered to:
  Android.bp
  Android.mk
  compat.mk
  contexts_tests.mk
  mac_permissions.mk
  seapp_contexts.mk
  treble_sepolicy_tests_for_release.mk

Added legacy_unencumbered to:
  apex/Android.bp
  tools/sepolicy-analyze/Android.bp

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all

Exempt-From-Owner-Approval: janitorial work
Change-Id: I1ab286543ef1bdcb494cf74f2b35e35a08225d28
2021-02-05 01:28:24 -08:00
Alan Stokes
3c4375a5b4 Enforce use of app_data_file_type.
Extend check_seapp to check that all types specified in seapp_contexts
files have the attribute, to ensure that the neverallow rules apply to
them. As a small bonus, also verify that domain and type values are
actually types not attributes.

Test: Presubmits
Test: Manual: specify an invalid type, build breaks.
Bug: 171795911
Change-Id: I951d6f993445e8ba11c30a504b8de281fdd93c4a
2020-11-11 14:45:32 +00:00
Alan Stokes
b01e1d97bf Revert "Introduce app_data_file_type attribute."
This reverts commit 27e0c740f1.

Reason for revert: b/172926597

Change-Id: Id2443446cbdf51dc05b303028377895b9cf2a09e
2020-11-10 18:02:14 +00:00
Alan Stokes
27e0c740f1 Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

Also extend check_seapp to check that all types specified in
seapp_contexts files have the attribute, to ensure that the neverallow
rules apply to them. As a small bonus, also verify that domain and
type values are actually types not attributes.

Test: Presubmits
Test: Manual: specify an invalid type, build breaks.
Bug: 171795911
Change-Id: Iab6018af449dab3b407824e635dc62e3d81e07c9
2020-11-09 11:04:02 +00:00
Joel Galenson
b0d74a1f5b Update sepolicy to use inclusive language
See https://source.android.com/setup/contribute/respectful-code for reference

#inclusivefixit

Bug: 161896447
Test: Build
Change-Id: If612f2270c8ba1d7fc2cbda3b2e8ca3818c0a1be
2020-07-27 16:52:04 +00:00
Dan Willemsen
fb12c6b8aa Convert sepolicy-analyze to Android.bp
The LOCAL_COMPATIBILITY_SUITES variable has been removed, as the users
are now embedding this binary the same way they do the rest of the
sepolicy tools.

Bug: 122331947
Bug: 130696912
Test: treehugger
Change-Id: Ia83025b18da87204d87684f2c0af025d9cecc824
2020-01-29 13:20:47 -08:00
liwugang
85ce153283 version_policy: avoid fclose a NULL file pointer
Test: Pass a not cil file to version_policy and see no crash appeared.
example: out/host/linux-x86/bin/version_policy -b  `which ls`  -m -n 10000.0 -o target

Change-Id: If2b950a02dd94a4813b74377617f90c7a75a9f27
Signed-off-by: liwugang <liwugang@xiaomi.com>
2019-07-01 16:47:20 +08:00
Treehugger Robot
5dda7f70db Merge "fix memory leaks in sepolicy-analyze tool" 2019-05-17 17:14:20 +00:00
Jinguang Dong
ee62756a7c fix memory leaks in sepolicy-analyze tool
Test: check sepolicy-analyze tool can work well
 sepolicy-analyze out/target/product/<board>/root/sepolicy typecmp -e
 sepolicy-analyze out/target/product/<board>/root/sepolicy typecmp -d
 sepolicy-analyze out/target/product/<board>/root/sepolicy dups
 sepolicy-analyze out/target/product/<board>/root/sepolicy permissive
 sepolicy-analyze out/target/product/<board>/root/sepolicy booleans
 sepolicy-analyze out/target/product/<board>/root/sepolicy attribute <name>

Change-Id: I09d30967f00062c6a807ae4711ccc87b0fd6064c
2019-05-17 09:57:43 +08:00
Stephen Hines
5c081803fc Ensure avrule is initialized.
Bug: http://b/131390872
Test: Builds with -Wconditional-initialize
Change-Id: I14b9316ca392f299745342d61e4fd45ab8e9e307
2019-05-08 17:14:34 -07:00
Nick Kralevich
795add585c Remove isV2App
This selector is no longer used.

Bug: 123605817
Bug: 111314398
Test: compiles and boots
Change-Id: I61bb6b9f17ba4534569bd4a1c0489023cdaf698d
2019-04-16 16:01:08 -07:00
Jeff Vander Stoep
1ca7a4c8f5 fc_sort: delete c version, migrate to python version
Test: build aosp_blueline-userdebug, run build-time tests
Change-Id: I9c466cd718602e6068ee31abd6de7dbab84f4949
2019-04-11 10:19:16 -07:00
Inseob Kim
98c7ade609 Fix fc_sort to be deterministic
fc_sort uses its own implementation of merge sort, but it's
unnecessarily complex and sorting criteria isn't clear: it only
compares lengths and existences of fields. So it can give different
results on the same input (same set of entries, different order).

This fixes it so that output is always deterministic, regardless of
the order of lines in input files.

Bug: N/A
Test: try to run fc_sort several times on same input with different
      line orders, and see the results.

Change-Id: I982a35a4ae9e115030a8598027bbf1181ee77a7d
2019-04-10 07:42:10 +00:00
Treehugger Robot
2456c37021 Merge "Fix memory leaks" 2019-03-20 01:14:58 +00:00
George Burgess IV
bf2f927019 Fix memory leaks
This CL fixes leaks of the policy that we're building up. The analyzer
only caught the leaks on the error path, but I assume that
`check_assertions` does nothing to free the object that it's handed.

Analyzer warnings:

system/sepolicy/tools/sepolicy-analyze/neverallow.c:439:9: warning:
Potential leak of memory pointed to by 'avrule'
[clang-analyzer-unix.Malloc]

system/sepolicy/tools/sepolicy-analyze/neverallow.c:439:9: warning:
Potential leak of memory pointed to by 'neverallows'
[clang-analyzer-unix.Malloc]

Bug: None
Test: Treehugger; reran the analyzer
Change-Id: I79a0c34e8b53d33a1f01497337590eab660ad3ec
2019-03-19 12:10:51 -07:00
Jeff Vander Stoep
ecd288f41d Android.bp: set sepolicy version for use by init
Init needs to be aware of the policy version defined in sepolicy
for on-device compilation.

Bug: 124499219
Test: build and boot a device. Try both precompiled and on-device
compiled policy.

Change-Id: Iba861aeb4566405aedcbe3c2bad48e1e50126370
2019-03-14 17:49:14 +00:00
Joel Galenson
3fbd303d1c Reduce the number of parallel compiles.
Running this script sometimes completely hangs all of our computers.
This change seems to work better for me.

Test: Use script to compile many Androids.
Change-Id: I95539034b35a4ff6dbc39cd67856b0bd7e20d587
2019-03-04 14:04:49 -08:00
liwugang
eb74dd9f86 checkseapp: check the size of key value pairs
OOB write if the size of the key value pairs exceeds the max.

Test: Add a long line to the seapp_contexts file

Change-Id: Iaa3e697e7ac134eb6829b8b36b090997ca344b3a
Signed-off-by: liwugang <liwugang@xiaomi.com>
2018-11-29 00:43:50 +00:00
liwugang
57d66ef1c2 Fix the bound size and the variable name
It will not end when other words appeared because of the wrong bound and variable,
rule_map->length will exceed the actual length in the rule_map_new function,
it will lead to crash in the rule_map_validate function because of strcmp(NULL, str).

Test: 1.add "user=shell doman=system_app" to private/seapp_contexts
      2.exec "checkseapp private/seapp_contexts" and it will not be crashed

Change-Id: I600206448b38cf2c9b61f9141b40f920b05696c8
Signed-off-by: liwugang <liwugang@xiaomi.com>
2018-11-14 16:39:39 +08:00
Yabin Cui
ffa2b61330 Add runas_app domain to allow running app data file via run-as.
Calling execve() on files in an app's home directory isn't allowed
for targetApi >=29. But this is needed by simpleperf to profile
a debuggable app via run-as.
So workaround it by adding runas_app domain, which allows running
app data file. And add a rule in seapp_contexts to use runas_app
domain for setcontext requests from run-as.

Bug: 118737210
Test: boot marlin and run CtsSimpleperfTestCases.
Change-Id: I5c3b54c95337d6d8192861757b858708174ebfd5
2018-11-07 18:11:40 +00:00
Joel Galenson
b5806c47c5 Add code to check for unescaped periods in file_contexts.
Test: Run script and find unescaped periods.
Change-Id: I35a4366aa576d5c6036d0dcfb068ca4e0f27fff9
2018-10-06 13:39:38 -07:00
Nick Kralevich
5fe07c724b version_policy.c: be less verbose at build time
Avoid generating build time noise so that real errors stand out.

https://en.wikipedia.org/wiki/Unix_philosophy

  Rule of Silence
  Developers should design programs so that they do not print
  unnecessary output. This rule aims to allow other programs
  and developers to pick out the information they need from a
  program's output without having to parse verbosity.

Test: Info messages no longer show up at build time.
Bug: 115998215
Change-Id: I33c18e2c7d77ed1bb4132debe13de2ae0907c34c
2018-09-21 10:31:54 -07:00
Treehugger Robot
13e4eb8ca4 Merge "Add a script to check for ways to cleanup SELinux policy." 2018-09-13 16:16:09 +00:00
Joel Galenson
c43273162f Add a script to check for ways to cleanup SELinux policy.
This scripts checks for common problems with SELinux policy,
including:
- Declared types that are not assigned to any files
- Files that don't exist on a running device
- Rules defined in the wrong file
- Using the wrong version of _file_perms/_dir_perms

These are heuristics, mainly because it does not fully parse regular
expressions and because policy might still be needed even if the
relevant file does not exist on a single device.  But it hopefully is
a start at helping cleanup policy.

Bug: 30003114
Bug: 70702017
Test: Run script on core and device-specific policy.
Test: Verify that most of its results are correct.
Change-Id: I1ded4e9b18816841198dcbf72da65f046441d626
2018-08-31 13:55:34 -07:00
Chih-Hung Hsieh
e0db1651e6 Free type_rules before return or exit.
Test: make with WITH_TIDY=1 and clang-analyzer-* checks.
Change-Id: Ide1eaf8880132c566545710e6287f66a5a2b393c
2018-08-31 10:11:09 -07:00