Commit graph

412 commits

Author SHA1 Message Date
Dan Cashman
36ee91d4b5 Add sepolicy definitions.mk and create policy.conf function.
Bug: 36899958
Test: Builds 'n' boots.
Change-Id: I5836a18f9d0a9a976dda7304045e3b9e1e84565e
Merged-In: I5836a18f9d0a9a976dda7304045e3b9e1e84565e
(cherry picked from commit c0713e8679)
2017-08-25 15:08:45 +08:00
Jeff Vander Stoep
822631baa3 Merge "move build dependencies to sepolicy" am: 99cbe530c1 am: 5d478edd41
am: b519a9ad07

Change-Id: I30b5b25d3667fd2e0bc3e8efc2b4dc7ff403c171
2017-08-23 22:09:17 +00:00
Jeff Vander Stoep
5d478edd41 Merge "move build dependencies to sepolicy"
am: 99cbe530c1

Change-Id: I008a9509e758cee7802030e1146bbf140b31ba78
2017-08-23 21:58:36 +00:00
Michael Wright
a9bfbbfec7 O MR1 is API 27
Bug: 64982450
Test: manual
Change-Id: Ic5d25b8a12271e5bfa71e30843a36fb643b914ff
2017-08-23 13:52:40 -07:00
Jeff Vander Stoep
13fb5ed305 move build dependencies to sepolicy
Some selinux build packages are defined in embedded.mk,
others are defined in system/sepolicy/Android.mk. Move all
to sepolicy as a dependency of the phony package selinux_policy
which is defined in embedded.mk.

Test: build Marlin (Treble) and Angler (non-Treble)
Merged-In: Ib0443ad3da600447fbb51f2e9f91de04dcf5f9f6
Change-Id: Ib0443ad3da600447fbb51f2e9f91de04dcf5f9f6
2017-08-23 05:27:03 +00:00
Dan Cashman
78b3d573da Move compatibility files out of prebuilts dir.
The treble compatibility tests check for policy differences between old
and new policy.  To do this correctly, we must not modify the policy which
represents the older policies.  Move the files meant to be changed to a
different location from the ones that are not meant to be touched to avoid
any undesired changes to old policy, e.g. commit:
2bdefd65078d890889672938c6f0d2accdd25bc5

Bug: 36899958
Test: Build-time tests build.
Change-Id: I8fa3947cfae756f37556fb34e1654382e2e48372
2017-08-14 09:47:37 -07:00
Dan Cashman
7f7c3b8229 Add 26.0 api compatibility check infrastructure.
Add support to the treble_sepolicy_tests suite that explicitly look at
the old and current policy versions, as well as the compatibility file,
to determine if any new types have been added without a compatibility
entry.  This first test catches the most common and likely changes that
could change the type label of an object for which vendor policy may have
needed access.  It also should prove the basis for additional compatibility
checks between old and new policies.

Bug: 36899958
Test: Policy builds and tests pass.
Change-Id: I609c913e6354eb10a04cc1a029ddd9fa0e592a4c
2017-08-08 13:31:50 -07:00
Dan Cashman
c0713e8679 Add sepolicy definitions.mk and create policy.conf function.
Bug: 36899958
Test: Builds 'n' boots.
Change-Id: I5836a18f9d0a9a976dda7304045e3b9e1e84565e
2017-07-11 11:16:50 -07:00
Dan Cashman
b04df6e309 Make sure platform policy builds with compatible versions.
Platform SELinux policy may be updated without a corresponding
update to non-platform policy.  This is meant to be accomplished by
maintaining a compatibility mapping file which will be built along
with the current platform policy to link older non-platform policy.

Introduce an example vendor policy built from 26.0 public policy and
make sure that the current platform policy and mapping file, for that
version, build with it.  Add this as a dependency for the
selinux_treble_tests, which are meant to ensure treble properties,
ultimately to provide this compatibility guarantee.

Bug: 36899958
Test: Current platform policy builds with oc-dev vendor policy and
oc-dev mapping file.  Removed private type with no effect.  Removed
public type without corresponding mapping entry causes build to fail.

Change-Id: I7994ed651352e2da632fc91e598f819b64c05753
2017-07-10 14:49:03 -07:00
Sandeep Patil
3034b7779b Merge changes from topic 'fix-neverallow-violation' into oc-dev am: 3692b3189e am: 760674da63
am: e729505e63

Change-Id: Icedeefca21d21654af5e4fa2c7ddce389f1a96ea
2017-06-16 17:34:14 +00:00
Sandeep Patil
e729505e63 Merge changes from topic 'fix-neverallow-violation' into oc-dev am: 3692b3189e
am: 760674da63

Change-Id: Ibf3d635255104966af4d0b3004cee8babeffc4f9
2017-06-16 17:28:11 +00:00
Sandeep Patil
760674da63 Merge changes from topic 'fix-neverallow-violation' into oc-dev
am: 3692b3189e

Change-Id: Ide1a5455e2b279ac1532bbdb88e852dba3ee2b28
2017-06-16 17:22:47 +00:00
Dan Cashman
ccdd6e11dc Exempt ASAN from selinux build-checks.
ASAN makes use of shenanigans that violate our policy best-practices.
This is by design.  Exempt them from these tests to get it building
again.

Bug: 37740897
Test: Builds with ASAN enabled.
Change-Id: Iffde28c2741466da5862b2dfe1fffa2c0d93caeb
2017-06-15 11:24:29 -07:00
TreeHugger Robot
b8ad31d28f Merge "Assert filesystem types must have their associated attr" 2017-06-14 17:43:35 +00:00
Sandeep Patil
cfb6f35231 build: run neverallow checks on platform sepolicy
This will prevent us from breaking our own neverallow rules
in the platform sepolicy regardless of vendor policy adding
exceptions to the neverallow rules using "*_violators" attributes

Bug: 62616897
Bug: 62343727

Test: Build policy for sailfish
Test: Build policy with radio to rild socket rule enabled for all
      and ensure the build fails

Change-Id: Ic66ec3e10c76a7c9a17669e0d3deb3a1c7b00809
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-06-14 10:01:34 -07:00
Jeff Vander Stoep
11d096fc99 Assert filesystem types must have their associated attr
Test that:
- File types on /sys have attr sysfs_type
- File types on /sys/kernel/debug have attr debugfs_type
- File types on /data have attr data_file_type

Test: build policy
Change-Id: Ie4f1f1c7e5345da0999082962f084fdac6b85428
2017-06-13 16:04:48 -07:00
Jeff Vander Stoep
78c58c7936 Build split file_contexts for recovery am: b236eb6ca2
am: 77fe1de7d1

Change-Id: I71b4bca350a9a29dd45dfafe8c3d1938cb54a46f
2017-06-13 18:02:42 +00:00
Jeff Vander Stoep
77fe1de7d1 Build split file_contexts for recovery
am: b236eb6ca2

Change-Id: I60a92781a5b923889e627d73e8922aca2607b67b
2017-06-13 17:59:09 +00:00
Jeff Vander Stoep
b236eb6ca2 Build split file_contexts for recovery
[    7.674739] selinux: selinux_android_file_context: Error getting
file context handle (No such file or directory)

Bug: 62564629
Test: build and flash marlin. Successfully switch between regular
    and recovery modes

Change-Id: I0f871f8842d95322c844fb7b13ad1b4b42578e35
2017-06-13 15:38:55 +00:00
Jeff Vander Stoep
8265811608 Move non-treble devices to split file_contexts
am: 7a68c5ae4c

Change-Id: Ide9c5ccdc2002972f311c9829c573b98f12fea44
2017-06-12 22:14:28 +00:00
Jeff Vander Stoep
7a68c5ae4c Move non-treble devices to split file_contexts
This change is primarily to fix CTS which checks file ordering of
file_contexts. Having two separate means of loading file_contexts
has resulted in ordering variations.

Previously the binary file_contexts was preferred since it
loaded faster. However with the move to libpcre2, there is no
difference in loading time between text and binary file_contexts.
This leaves us with build system complexity with no benefit.
Thus removing this unnecessary difference between devices.

Bug: 38502071
Test: build and boot non-Treble Bullhead, run CTS tests below
Test: build and boot Treble Marlin, run CTS tests below
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testAospFileContexts
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testValidFileContexts
Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1
2017-06-10 15:14:10 +00:00
Jeff Vander Stoep
f965a0a176 Move non-treble devices to split file_contexts
This change is primarily to fix CTS which checks file ordering of
file_contexts. Having two separate means of loading file_contexts
has resulted in ordering variations.

Previously the binary file_contexts was preferred since it
loaded faster. However with the move to libpcre2, there is no
difference in loading time between text and binary file_contexts.
This leaves us with build system complexity with no benefit.
Thus removing this unnecessary difference between devices.

Bug: 38502071
Test: build and boot non-Treble Bullhead, run CTS tests below
Test: build and boot Treble Marlin, run CTS tests below
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testAospFileContexts
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testValidFileContexts
Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1
2017-06-10 14:30:57 +00:00
Dan Cashman
c234ba3805 Hide grep filename output.
checkseapp does not expect filenames before the appearance of neverallow
rules against which to check.  They had previously been hidden by default
because they were only gathered from one file, but with the addition of
the BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to allow for /system policy
extensions, this may change.

Bug: 36467375
Bug: 62357603
Test: Builds with seapp_contexts extension.
Change-Id: I270bd60ae368aa3c082299d57c4bf12936ac2073
2017-06-06 08:15:01 -07:00
Jeff Vander Stoep
c85b859648 Run Treble sepolicy tests at build time
am: 1fc0682ec6

Change-Id: I5f6adf8043686e1dbc5327b6845d710e6f673256
2017-06-06 03:54:42 +00:00
Jeff Vander Stoep
1fc0682ec6 Run Treble sepolicy tests at build time
Bug: 37008075
Test: build policy on Marlin
Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544
(cherry picked from commit e1ddc6df75)
2017-06-05 08:09:32 -07:00
Jeff Vander Stoep
e1ddc6df75 Run Treble sepolicy tests at build time
Bug: 37008075
Test: build policy on Marlin
Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544
2017-06-02 16:11:52 -07:00
Dan Cashman
11b239f0b0 Merge changes I397ca4e7,I38efe224 into oc-dev
am: 33d7e90b51

Change-Id: I72b51db1d65df6a82b396187e982df1e4336c6be
2017-05-26 02:46:50 +00:00
Dan Cashman
51455fe977 Restrict BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to one dir.
These directories were added to allow for partner extensions to the
android framework without needing to add changes to the AOSP global
sepolicy.  There should only ever be one owner of the framework and
corresponding updates, so enforce this restriction to prevent
accidental accrual of policy in the system image.

Bug: 36467375
Test: Add public and private files to policy and verify that they are
added to the appropriate policy files.  Also test that specifying
multiple directories for public or private results in an error.

Change-Id: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
Merged-In: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
(cherry picked from commit 1633da06af)
2017-05-25 22:10:45 +08:00
Dan Cashman
1b0a71f308 Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS
Add new build variables for partner customization (additions) to platform sepolicy.
This allows partners to add their own policy without having to touch the AOSP sepolicy
directories and potentially disrupting compatibility with an AOSP system image.

Bug: 36467375
Test: Add public and private files to sailfish policy and verify that they are
added to the appropriate policy files, but that the policy is otherwise identical.
Also add private/mapping/*.cil files in both locations and change the BOARD_SEPOLICY_VERS
to trigger use of prebuilt mapping files and verify that they are appropriately
combined and built in policy.

Change-Id: I38efe2248520804a123603bb050bba75563fe45c
Merged-In: I38efe2248520804a123603bb050bba75563fe45c
(cherry picked from commit f893700c73)
2017-05-25 22:10:36 +08:00
Dan Cashman
1633da06af Restrict BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to one dir.
These directories were added to allow for partner extensions to the
android framework without needing to add changes to the AOSP global
sepolicy.  There should only ever be one owner of the framework and
corresponding updates, so enforce this restriction to prevent
accidental accrual of policy in the system image.

Bug: 36467375
Test: Add public and private files to policy and verify that they are
added to the appropriate policy files.  Also test that specifying
multiple directories for public or private results in an error.

Change-Id: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
2017-05-23 14:47:16 -07:00
Ian Pedowitz
d95ded6fde Merge "Revert "Revert "O is API 26""" into oc-dev am: 0f406a7a7f
am: ed4841cea0

Change-Id: I04a5cd25af698a06101d202e2815bf5f3f39856e
2017-05-16 05:09:19 +00:00
Ian Pedowitz
ed4841cea0 Merge "Revert "Revert "O is API 26""" into oc-dev
am: 0f406a7a7f

Change-Id: I39ba184fe5b89a6cace60a4ea31f42e3e9940fce
2017-05-16 04:07:21 +00:00
Dan Cashman
5e9451b1cf Fix ASAN build.
Test: Build with ASAN on.
Bug: 36467375
Change-Id: Id6a07b7bd48f39326b7c7ab47cfde396f7cfd033
2017-05-10 17:26:02 -07:00
Dan Cashman
f893700c73 Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS
Add new build variables for partner customization (additions) to platform sepolicy.
This allows partners to add their own policy without having to touch the AOSP sepolicy
directories and potentially disrupting compatibility with an AOSP system image.

Bug: 36467375
Test: Add public and private files to sailfish policy and verify that they are
added to the appropriate policy files, but that the policy is otherwise identical.
Also add private/mapping/*.cil files in both locations and change the BOARD_SEPOLICY_VERS
to trigger use of prebuilt mapping files and verify that they are appropriately
combined and built in policy.
Change-Id: I38efe2248520804a123603bb050bba75563fe45c
2017-05-09 09:51:07 -07:00
Ian Pedowitz
998c2ff9d5 Merge "Revert "O is API 26"" into oc-dev
am: 47859a9370

Change-Id: I3ec67ae45f165601f22f7ebb446fc626300ee1b6
2017-05-04 00:18:37 +00:00
Ian Pedowitz
4816b8f00a Revert "Revert "O is API 26""
This reverts commit 6b04a961b4.

Bug: 37480230
Bug: 37896931
Bug: 37355569
Change-Id: I24ee1b4f0f23262cae25b2f575da9f16f4ebec34
2017-05-04 00:09:57 +00:00
Ian Pedowitz
6b04a961b4 Revert "O is API 26"
This reverts commit 8713882bb8.

Reason for revert:  b/37355569

Bug: 37480230
Bug: 37896931
Bug: 37355569
Change-Id: Ic07d948fd0b4a0a8434e1f4f0c8e559c4258cf5e
2017-05-03 22:00:06 +00:00
Michael Wright
a51923896a Merge "O is API 26" into oc-dev
am: 7cc3f0a909

Change-Id: Ie5fbe081e35116ee4751b43f323b83ac56993870
2017-05-02 22:17:43 +00:00
Michael Wright
8713882bb8 O is API 26
Bug: 37480230
Bug: 37896931
Test: build, boot
Change-Id: Ib8d4309d37b8818163a17e7d8b25155c4645edcf
2017-05-02 20:50:49 +01:00
Andreas Gampe
3ddc78b132 Sepolicy: Disable leak sanitizer for checkpolicy
Temporary workaround.

Bug: 37755687
Test: ASAN_OPTIONS= SANITIZE_HOST=address m
Change-Id: I001a42ea6463a1e137e1f5328755596f986323de
2017-04-28 17:52:35 +00:00
Jeff Vander Stoep
5edd96d915 Android.mk: fix dependency typo
Bug: 37646565
Test: build marlin-userdebug
Change-Id: I3325d027fa7bdafb48f1f53ac052f2a68352c1dc
2017-04-24 16:49:41 -07:00
Jeff Vander Stoep
b87876937b Retain neverallow rules in CIL files
Fixes issue where attributes used exlusively in neverallow
rules were removed from policy.

For on-device compile use the -N flag to skip neverallow tests.

Policy size increases:
vendor/etc/selinux/nonplat_sepolicy.cil 547849 -> 635637
vendor/etc/selinux/precompiled_sepolicy 440248 -> 441076
system/etc/selinux/plat_sepolicy.cil    567664 -> 745230

For a total increase in system/vendor: 266182.

Boot time changes:
Pixel uses precompiled policy so boot time is not impacted.
When forcing on-device compile on Marlin selinux policy compile
time increases 510-520 ms -> 550-560 ms.

Bug: 37357742
Test: Build and boot Marlin.
Test: Verify both precompiled and on-device compile work.
Change-Id: Ib3cb53d376a96e34f55ac27d651a6ce2fabf6ba7
2017-04-24 13:43:22 -07:00
Jeff Vander Stoep
748cae865d secilc: expand generated attributes on non-treble devices
Attributes added to the policy by the policy compiler are causing
performance issues. Telling the compiler to expand these
auto-generated attributes to their underlying types prevents
preemtion during policy lookup.

Bug: 3650825
Test: Build and boot Bullhead
Change-Id: I9a33f5efb1e7c25d83dda1ea5dfe663b22846a2f
2017-04-14 22:37:09 -07:00
Jeffrey Vander Stoep
9bdb66b25c Merge "secilc: expand generated attributes" into oc-dev 2017-04-13 18:11:08 +00:00
Martijn Coenen
f6daa78a82 Merge "Add hwservice_contexts and support for querying it." into oc-dev 2017-04-13 03:34:48 +00:00
Martijn Coenen
3ea47b9249 Add hwservice_contexts and support for querying it.
hwservicemanager can check hwservice_contexts files
both from the framework and vendor partitions.

Initially, have a wildcard '*' in hwservice_contexts
that maps to a label that can be added/found from
domain. This needs to be removed when the proper policy
is in place.

Also, grant su/shell access to hwservicemanager list
operations, so tools like 'lshal' continue to work.

Bug: 34454312
Test: Marlin boots
Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc
2017-04-12 18:07:12 -07:00
Jeff Vander Stoep
ac171b4437 secilc: expand generated attributes
Attributes added to the policy by the policy compiler are causing
performance issues. Telling the compiler to expand these
auto-generated attributes to their underlying types prevents
preemtion during policy lookup.

With this patch the number of attributes in policy drops from
845 to 475. The number of attributes assigned to the bluetooth domain
drops from 41 to 11.

Bug: 3650825
Test: Build and boot Marlin
Change-Id: Ica06e82001eca323c435fe13c5cf4beba74999e2
2017-04-12 17:01:54 -07:00
Dan Cashman
4d24a77551 Fix build part 2. Always create platform_mapping_file.
commit 552fb53712 fixed an undefined
module error by removing the module when not defined (on non-treble
devices), but the sepolicy build on non-treble devices was changed
to rely on the split treble files, even though the split is not used.
Change this so that the file is always present, to allow policy
compilation.

Test: policy fully builds.
Change-Id: Ia0934c739336cea54228bbff8d6644aa3ae501e5
2017-04-12 14:28:34 -07:00
Dan Cashman
552fb53712 Fix build: encase $(platform_mapping_file) module in treble block.
Specifying an empty module causes a build error, so make sure that
if there is no $(platform_mapping_file) the MODULE is not included.

Test: Makefiles parsed without error.
Change-Id: Ie99e6534c388a3d42bf90cdfef5ee64d5c640fa0
2017-04-12 14:06:30 -07:00
Dan Cashman
6bf50e5c14 Remove BOARD_SEPOLICY_VERS_DIR build variable.
The original purpose of BOARD_SEPOLICY_VERS_DIR was to allow the
specification of an alternate platform public policy, primarily for
testing purposes.  This should not be a part of the released platform,
since the only public policy and corresponding mapping file construction
should be based on the current public platform policy, with compatibility
with vendor policy targeting previous versions provided by static mapping
files.  Its continued presence muddles the generation of mapping files by
potentially introducing a situation in which an incorrect mapping file is
generated.  Remove it.

Bug: 36783775
Test: Device boots with compiled SELinux policy (SHA256s don't match for
precompiled policy).

Change-Id: I9e2100a7d709c9c0949f4e556229623961291a32
2017-04-12 11:12:17 -07:00
Dan Cashman
c8d4535cc2 Change recovery to static platform-only compilation.
Recovery is not meant to be versioned in the treble model, but rather
provided as part of the platform/framework component and self-sufficient.
Simplify its compilation by removing the attribute versioning steps, but
maintain device-specific policy, which is currently required for full
functionality.

Bug: 37240781
Bug: 36783775
Test: recovery boots and is able to select commands.  Also tried:
reboot system, boot to bootloader, factory reset, sideload, view logs,
run graphics test, and power off.

Change-Id: I637819844d9a8ea5b315404f4abd03e8f923303a
2017-04-12 11:01:00 -07:00
Dan Cashman
4f9a648e90 Change mapping file name to reflect its platform version.
As the platform progresses in the split SELinux world, the platform
will need to maintain mapping files back to previous platform versions
to maintain backwards compatibility with vendor images which have SELinux
policy written based on the older versions.  This requires shipping multiple
mapping files with the system image so that the right one can be selected.
Change the name and location of the mapping file to reflect this.  Also add
a file to the vendor partition indicating which version is being targeted that
the platform can use to determine which mapping file to choose.

Bug: 36783775
Test: Force compilation of sepolicy on-device with mapping file changed
to new location and name, using the value reported on /vendor.

Change-Id: I93ab3e52c2c80c493719dc3825bc731867ea76d4
2017-04-12 09:16:51 -07:00
Dan Cashman
6f14f6b7d9 Add PLATFORM_SEPOLICY_VERSION.
Create PLATFORM_SEPOLICY_VERSION, which is a version string to represent
the platform sepolicy of the form "NN.m" where "NN" mirrors the
PLATFORM_SDK_VERSION and "m" is a policy-based minor version that is
incremented with every policy change that requires a new backward-compatible
mapping file to be added to allow for future-proofing vendor policy against
future platform policy.

Bug: 36783775
Test: Device boots when sha256 doesn't match and compilation is forced.
Change-Id: I4edb29824f2050a5a6e1bc078c100cf42e45c303
2017-04-10 09:59:19 -07:00
TreeHugger Robot
8612307083 Merge "sepolicy_version: change current version to NN.m format" into oc-dev 2017-04-07 23:14:06 +00:00
Sandeep Patil
42f95984b5 sepolicy_version: change current version to NN.m format
The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.

Make version_policy replace the '.' in version by '_' so secilc is
happy too.

This unblocks libvintf from giving out a runtme API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.

Bug: 35217573
Test: Build and boot sailfish.
      Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>

Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
2017-04-07 14:18:48 -07:00
Alex Klyubin
df72094196 Merge "Preserve treble-only flag for CTS neverallows" into oc-dev 2017-04-07 20:09:22 +00:00
Alex Klyubin
446279a6b9 Preserve treble-only flag for CTS neverallows
CTS includes general_sepolicy.conf built from this project. CTS then
tests this file's neverallow rules against the policy of the device
under test. Prior to this commit, neverallow rules which must be
enforced only for Treble devices we not included into
general_sepolicy.conf. As a result, these rules were not enforced for
Treble devices.

This commit fixes the issue as follows. Because CTS includes only one
policy, the policy now contains also the rules which are only for
Treble devices. To enable CTS to distinguish rules needed for all
devices from rules needed only on Treble devices, the latter rules are
contained in sections delimited with BEGIN_TREBLE_ONLY and
END_TREBLE_ONLY comments.

This commit also removes the unnecessary sepolicy.general target. This
target is not used anywhere and is causing trouble because it is
verifying neverallows of the policy meant to be used by CTS. This
policy can no longer be verified with checkpolicy without
conditionally including or excluding Treble-only neverallows.

Test: mmm system/sepolicy
Test: Device boots -- no new denials
Bug: 37082262
Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf
2017-04-07 12:22:10 -07:00
Martijn Coenen
ee97662f17 Fix checkfc options order.
darwin's getopt() doesn't like putting arguments
in the wrong order.

Test: Mac/Linux builds
Change-Id: If632e9077c1b5714f91c5adaa04afb4963d9b0f5
2017-04-07 10:08:55 -07:00
Martijn Coenen
d48d54a3a1 Modify checkfc to check (vnd|hw)service_manager_type.
added checkfc options 'l' and 'v' to verify hwservice_manager_type
and vndservice_manager_type on service context files, respectively.

The checkfc call to verify the new hwservice_contexts files will
be added together with hwservicemanager ACL CLs later.

Bug: 34454312
Bug: 36052864
Test: device boots, works
Change-Id: Ie3b56da30be47c95a6b05d1bc5e5805acb809783
2017-04-06 17:25:07 -07:00
Dan Cashman
0e9c47c0af Move mapping_sepolicy.cil to /system partition.
This is a necessary first step to finalizing the SELinux policy build
process.  The mapping_sepolicy.cil file is required to provide backward
compatibility with the indicated vendor-targeted version.

This still needs to be extended to provide N mapping files and corresponding
SHA256 outputs, one for each of the N previous platform versions with which
we're backward-compatible.

Bug: 36783775
Test: boot device with matching sha256 and non-matching and verify that
device boots and uses either precompiled or compiled policy as needed. Also
verify that mapping_sepolicy.cil has moved.

Change-Id: I5692fb87c7ec0f3ae9ca611f76847ccff9182375
2017-04-06 10:00:42 -07:00
Martijn Coenen
6676c234fc Add target for vndservice_contexts.
So we can limit vndservicemanager access to
just vndservice_contexts.

Bug: 36052864
Test: servicemanager,vndservicemanager work
Change-Id: I7b132d4f616ba1edd0daf7be750d4b7174c4e188
2017-04-03 15:39:42 -07:00
Jeff Vander Stoep
d4a3e9dd48 Create selinux_policy phony target
Moves selinux policy build decisions to system/sepolicy/Android.mk.
This is done because the PRODUCT_FULL_TREBLE variable isn't available
in embedded.mk and TARGET_SANITIZE isn't available to dependencies of
init.

Test: Build/boot Bullhead PRODUCT_FULL_TREBLE=false
Test: Build/boot Marlin PRODUCT_FULL_TREBLE=true
Test: Build Marlin TARGET_SANITIZE=address. Verify asan rules are
      included in policy output.
Bug: 36138508
Change-Id: I20a25ffdfbe2b28e7e0f3e090a4df321e85e1235
2017-03-26 21:52:14 +00:00
William Roberts
5d0c2e417b build: stop generating $T/file_contexts
secilc is being used without -f which is causing a file_contexts
file to be generated in the root of the tree where the build tools
run:

$ stat $T/file_contexts
  File: 'file_contexts'
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: fc00h/64512d	Inode: 5508958     Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/wcrobert)   Gid: ( 1000/wcrobert)
Access: 2017-03-23 11:23:41.691538047 -0700
Modify: 2017-03-23 11:23:41.691538047 -0700
Change: 2017-03-23 11:23:41.691538047 -0700

Test: remove $T/file_contexts, touch a policy file and make sepolicy,
      ensure file is not regenerated. Also, ensure hikey builds and
      boots.

Change-Id: I0d15338a540dba0194c65a1436647c7d38fe3c79
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-03-25 22:43:24 +00:00
Alex Klyubin
7cda44f49f Mark all clients of Allocator HAL
This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.

This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.

Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.

P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
2017-03-24 13:54:43 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Jeff Vander Stoep
7443484831 Grant additional permissions for ASAN builds
ASAN builds may require additional permissions to launch processes
with ASAN wrappers. In this case, system_server needs permission to
execute /system/bin/sh.

Create with_asan() macro which can be used exclusively on debug
builds. Note this means that ASAN builds with these additional
permission will not pass the security portion of CTS - like any
other debug build.

Addresses:
avc: denied { execute } for name="sh" dev="dm-0" ino=571
scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0
tclass=file

Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are granted.
Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm;
      Verify permissions granted using with_asan() are not granted.
Test: lunch aosp_marlin-user;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are not granted.
Bug: 36138508
Change-Id: I6e39ada4bacd71687a593023f16b45bc16cd7ef8
2017-03-22 14:03:07 -07:00
Jeff Vander Stoep
d2053bd024 Specify intermediates dir for sepolicy
Policy intermediates are being placed in a seemingly random
intermediates directories.

Currently:
out/target/product/marlin/obj_arm/SHARED_LIBRARIES/libsoftkeymaster_intermediates

Instead, place intermediates in the sepolicy_intermediates dir.

Test: intermediates now placed in:
out/target/product/marlin/obj/ETC/sepolicy_intermediates
Test: Marlin builds, no change to sepolicy on device.
Bug: 36269118

Change-Id: Ib6e9d9033be4dc8db0cc66cb47d9dc35d38703fe
2017-03-15 20:52:43 +00:00
Alex Klyubin
e8243518a7 Remove unused /selinux_version
This file is no longer needed because it was needed for supporting
reloadable/dynamic SELinux policy which is no longer supported.

Test: Clean build, flash, device boots without additional denials.
      Reboot to recovery works, no additional denials.
Bug: 33642277
Change-Id: I7fffe2fd12f586ed9b3ae54e35d17abdebbe7bce
2017-03-15 09:48:14 -07:00
Xin Li
ec6f393d07 Fix build under GitC client.
Test: build
Bug: 36229129
Change-Id: I0654ce44f344729b0bb1f8716afa151e134fdc6a
2017-03-14 17:23:54 -07:00
Alex Klyubin
9d59041f63 Correct location of property_contexts for TREBLE devices
This makes the build system, for TREBLE devices only, place
plat_property_contexts under /system/etc/selinux and
nonplat_property_contexts under /vendor/etc/selinux. For other devices
these files are placed under /, same as before.

This change was previously reverted because it affected the location
of property_contexts in recovery. Now that we have separate tagets for
recovery (see ec78c377c0), this change
no longer affects is recovery.

Test: *_property_contexts in correct locations when
      PRODUCT_FULL_TREBLE is set to true and when it is set to false.

Test: cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check \
      --abi arm64-v8a --module CtsSecurityHostTestCases \
      -t android.security.cts.SELinuxHostTest#testAospPropertyContexts

      This test was performed on bullhead (non A/B device) and sailfish
      (A/B device).

Test: Clean build, flash, device boots with no additional denials.
      Rebooting to recovery, recovery boots fine with no denials.
      This test was performed on bullhead (non A/B device) and sailfish
      (A/B device).
Bug: 36002573

(cherry picked from commit 4cb628a3be)

Change-Id: I0b145c58669fb31bc39d57f36eef1190425a8328
2017-03-13 11:37:26 -07:00
Alex Klyubin
ec78c377c0 Targets for artifacts needed by recovery
This ensures that SELinux policy artifact needed by recovery at
runtime have targets in this build script. This is to make
recoveryimage/bootimage targets depend on these artifacts explicitly,
which reduces the element of surprise. Moreover, this enables us to
move non-recovery artifacts around without affecting recovery
artifacts.

Test: Clean build, flash, device boots just fine, no new denials.
      Reboot to recovery, recovery boots just fine, no denials.
      This was tested on bullhead (non A/B device) and sailfish (A/B
      device).
Bug: 33642277
Change-Id: I3c494d9d7fec5c4f487d38964e572757fcf67f57
2017-03-13 08:42:52 -07:00
Jeff Vander Stoep
bba9e7b92d Split mac_permissions.xml to /system and /vendor
Test: Build and boot Marlin
Test: See the following in the logs:
01-01 02:10:28.756  1345  1345 D SELinuxMMAC: Using policy file /system/etc/selinux/plat_mac_permissions.xml
01-01 02:10:28.787  1345  1345 D SELinuxMMAC: Using policy file /vendor/etc/selinux/nonplat_mac_permissions.xml
Bug: 36003167

Change-Id: If17490a2a5d94bfea1fa6d282282d45d67e207e9
2017-03-11 00:08:37 +00:00
Jeff Vander Stoep
0cb417a639 Move split file_contexts to /system and /vendor
Build file_contexts.bin on legacy builds.
Test: Marlin and Bullhead build and boot with no new denials.
Test: Marlin and Bullhead recovery boots with no new denials.
Test: Bullhead boots with file_contexts.bin in /
Test: Marlin boot with /system/etc/selinux/plat_file_contexts and
      /vendor/etc/selinux/nonplat_file_contexts.
Bug: 36002414

Change-Id: Ide8498b3c86234d2f93bb22a7514d132c33067d6
2017-03-10 22:11:35 +00:00
Alex Klyubin
84aa742184 Remove unnecessary recovery-related targets
Recovery should always use monolithic policy. Thus, we don't need
split policy files *.recovery.cil. This commit removes these targets
and rolls up the relevant parts of the targets into
"sepolicy.recovery" which is the target which produces monolithic
policy for recovery.

Test: make clean && make sepolicy.recovery, then confirm that
      repolicy.recovery is identical to the one produced prior to this
      change.
Test: Clean build, flash, device boots up fine, no new denials. Device
      also boots into recovery just fine, no denials.
Bug: 31363362

Change-Id: I7f698abe1f17308f2f03f5ed1b727a8b071e94c7
2017-03-10 10:06:26 -08:00
Alex Klyubin
935ddb20c1 Revert "Correct location of property_contexts for TREBLE devices"
This reverts commit 4cb628a3be.

Reason for revert: recovery image on marlin & sailfish no longer
contained *property_contexts and thus recovery failed to boot.

Test: Clean build, flash, sailfish and bullhead boot up just fine,
      and boot into recovery just fine.
Bug: 36002573
Bug: 36108354
Change-Id: I2dffd80764f1a464327747d35a58691b24cff7a7
2017-03-09 18:04:03 -08:00
Jeff Vander Stoep
4e3a4c7b21 Move service and seapp contexts to /system and /vendor
Test: Build and boot Marlin and Bullhead.
Test: Contexts split between /system and /vendor on Marlin.
      Remains stored in / on Bullhead.
Bug: 36002816
Bug: 36002427

Change-Id: I922bcbc0cc2c08e312cf942ee261951edfa8d4e2
2017-03-09 19:41:32 +00:00
Alex Klyubin
4cb628a3be Correct location of property_contexts for TREBLE devices
This makes the build system, for TREBLE devices only, place
plat_property_contexts under /system/etc/selinux and
nonplat_property_contexts under /vendor/etc/selinux. For other devices
these files are placed under /, same as before.

Test: *_property_contexts in correct locations when
      PRODUCT_FULL_TREBLE is set to true and when it is set to false.
Bug: 36002573

Change-Id: I7e30e64918bb3ee671fa8c7a2e30ed96a9cc1ad7
2017-03-08 23:48:41 +00:00
Alex Klyubin
193dccda79 Precompiled kernel policy for on-device use
This adds build targets for outputing precompiled kernel policy usable
on devices with policy split between system and vendor partitions. On
such devices, precompiled policy must reside on the vendor partition.

Because such devices support updating these partitions independently
of each other, the precompiled policy must reference the system
partition's policy against which it was compiled. This enables init to
establish whether the precompiled policy is valid for the current
combination of system and vendor partitions.

The referencing is performed by both the system and vendor partitions
including the SHA-256 digest of the system partition's policy
(plat_sepolicy.cil). Only the when the digest is the same on both
partitions can the precompiled policy be used.

Test: plat_sepolicy.cil.sha256 contains exactly the hex form of the
      SHA-256 digest of plat_sepolicy.cil
Test: plat_sepolicy.cil.sha256 is identical
      precompiled_sepolicy.plat.sha256.
Bug: 31363362
Change-Id: I9771e1aa751e25bba6e2face37d68e0ae43b33a3
2017-03-07 14:55:49 -08:00
Jeff Vander Stoep
87ae5f7dbd assert plat neverallows on nonplat seapp_contexts
With the plat/nonplat policy split, nonplat_seapp_contexts should still
be checked against the plat_seapp_contexts_neverallows during build
time to ensure no violations occur.

Test: stock aosp_marlin builds.
Test: name=foo.bar seinfo=default fails (as expected) in nonplat policy
Test: name=foo.bar seinfo="" fails (as expected) in nonplat policy
Bug: 36002816
Change-Id: I95b2c695b23e2bdf420575d631e85391e93fc869
2017-03-07 20:45:07 +00:00
Alex Klyubin
052b0bbb26 Move split sepolicy to correct locations
This moves the CIL files comprising the split sepolicy to the
directories/partitions based on whether the file is part of
platform/system or non-platform/vendor. In particular:
* plat_sepolicy.cil is moved to /system/etc/selinux,
* nonplat_sepolicy.cil is moved to /vendor/etc/selinux, and
* mapping_sepolicy.cil is moved to /vendor/etc/selinux.

Test: Device boots, no additional denials. The test is performed both
      for a device without the CIL files and with the three CIL files.
Bug: 31363362

Change-Id: Ia760d7eb32c80ba72f6409da75d99eb5aae71cd9
2017-03-03 09:44:55 -08:00
Alex Klyubin
8f7173b016 Test CIL policy when building it
Prior to this commit, there was a bug in generated CIL where it
wouldn't compile using secilc. The reason was that the build script
was stripping out all lines containing "neverallow" from CIL files,
accidentally removing lines which were not neverallow statements,
such as lmx lines referencing app_neverallows.te.

The commit fixes the build script's CIL neverallow filter to filter
out only neverallow* statements, as originally intended. Moreover, to
catch non-compiling CIL policy earlier in the future, this commit runs
secilc on the policy at build time. In particular, it tests that
platform policy compiles on its own and that nonplatform + platform +
mappig policy compiles as well.

Test: CIL policy builds and compiles on-device using secilc
Bug: 31363362
Change-Id: I769aeb3d8c913a5599f1a2195c69460ece7f6465
2017-02-25 15:08:31 -08:00
Alex Klyubin
5596172d23 Device-agnostic policy for vendor image
Default HAL implementations are built from the platform tree and get
placed into the vendor image. The SELinux rules needed for these HAL
implementations to operate thus need to reside on the vendor
partition.

Up to now, the only place to define such rules in the source tree was
the system/sepolicy/public directory. These rules are placed into the
vendor partition. Unfortunately, they are also placed into the
system/root partition, which thus unnecessarily grants these rules to
all HAL implementations of the specified service, default/in-process
shims or not.

This commit adds a new directory, system/sepolicy/vendor, whose
rules are concatenated with the device-specific rules at build time.
These rules are thus placed into the vendor partition and are not
placed into the system/root partition.

Test: No change to SELinux policy.
Test: Rules placed into vendor directory end up in nonplat* artefacts,
      but not in plat* artefacts.
Bug: 34715716
Change-Id: Iab14aa7a3311ed6d53afff673e5d112428941f1c
2017-01-30 18:48:17 -08:00
Sandeep Patil
a86316e852 property_context: split into platform and non-platform components.
Bug: 33746484
Test: Successfully boot with original service and property contexts.
      Successfully boot with split serivce and property contexts.

Change-Id: I87f95292b5860283efb2081b2223e607a52fed04
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-29 21:09:11 +00:00
Alex Klyubin
e4665d7f85 Fix bugs in *_file_contexts targets
This fixes the following issues introduced in commit
d225b6979d:
* plat_file_contexts was empty because the target was referencing
  system/sepolicy/private/file_contexts via a misspelled variable
  name.
* plat_file_contexts wasn't marked as dirty and thus wasn't rebuilt
  when system/sepolicy/private/file_contexts changed. This is because
  the file_contexts dependency was referenced via a misspelled
  variable name.
* plat_file_contexts wasn't sorted (as opposed to other similar
  targets, such as nonplat_file_contexts and file_contexts.bin). This
  may lead to unnecessary non-determinism.
* nonplat_file_contexts wasn't marked dirty and thus wasn't rebuilt
  when device-specific file_contexts file(s) changed. This is because
  the file_contexts files were referenced via a misspelled variable
  name.

Test: "make plat_file_contexts" produces a non-empty file containing
      mappings from system/sepolicy/private/file_contexts
Test: "make plat_file_contexts" updates output when
      system/sepolicy/private/file_contexts changes
Test: "make plat_file_contexts" produces output which is sorted
      accroding to rules in fc_sort
Test: "make nonplat_file_contexts" updates output when
      device/lge/bullhead/sepolicy/file_contexts changes (tested on
      aosp_bullhead-eng)
Bug: 31363362
Change-Id: I540555651103f02c96cf958bb93618f600e47a75
2017-01-20 04:34:11 +00:00
Jorim Jaggi
aa03ef2621 Revert "property_context: split into platform and non-platform components."
This reverts commit 262edc382a.

Fixes: 34370523
Change-Id: I077d064d4031d40bc48cb39eba310e6c16b9627d
2017-01-18 15:47:11 +00:00
Sandeep Patil
262edc382a property_context: split into platform and non-platform components.
Bug: 33746484
Test: Successfully boot with original service and property contexts.
      Successfully boot with split serivce and property contexts.

Change-Id: I7881af8922834dc69b37dae3b06d921e05206564
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-18 00:41:47 +00:00
Sandeep Patil
a058b569e4 service_context: split into platform and non-platform components.
Bug: 33746484
Test: Successfully boot with original service and property contexts.
      Successfully boot with split serivce and property contexts.

Change-Id: Ide67d37d85273c60b9e387e72fbeb87be6da306a
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-18 00:33:09 +00:00
Dan Cashman
9c03807223 Split seapp_contexts into plat and nonplat components.
Bug: 33746381
Test: Device boots with no extra denials.
Change-Id: I2f0da92367851142e0d7df4afec8861ceaed9d3e
2017-01-09 10:10:59 -08:00
dcashman
d225b6979d Split file_contexts for on-device compilation.
Simulate platform and non-platform split by compiling two different
file_contexts files and loading them together on-device.  Leave the existing
file_contexts.bin in place until we're ready to build images based on the new
files.

Bug: 31363362
Test: Builds and boots without additional denials.
Change-Id: I7248f876e2230cee3b3cbf386422063da1e3dde0

Bring back file_contexts.bin.

Change-Id: Ifec2c363579151080fdec48e8bc46bbbc8c97674
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-05 11:22:45 -08:00
Richard Uhler
c5c3abc6bc Remove option for non-pic dex preopt.
Test: make checkbuild, aosp_bullhead-userdebug boots.
Bug: 33192586

Change-Id: I386df8b6c04fb162f79a4409801ce3e882026ea8
2016-12-28 08:49:55 +00:00
Steven Moreland
52b759777b Remove ENABLE_TREBLE from sepolicy.
Enabling/disabling sepolicy based on ENABLE_TREBLE is not granular
enough (ref: b/32978887 #4).

Bug: 32978887
Test: compiles, doesn't cause any additional denials on device. Nothing
depends on these things I'm removing.
Change-Id: I10acbde16e5e2093f2c9205ed79cd20caed7f44d
2016-12-21 12:29:02 -08:00
Daniel Cashman
65d01349a0 Revert "Move sepolicy and recovery from on-device tree and add dependency."
This reverts commit cf5c6ecb93.

Change-Id: Ie86a6ac20ab5a1611efc0e167c0430eb9df9482e
2016-12-17 00:53:26 +00:00
Dan Cashman
cf5c6ecb93 Move sepolicy and recovery from on-device tree and add dependency.
Prevent sepolicy and sepolicy.recover from showing up in the root
filesystem when they will not be created as part of it.  Also make
sure both are added as dependencies to version_policy to ensure the
neverallow checks are run.

Bug: 31363362
Test: Builds and boots, including recovery, without additional
  denials.  Neverallow violations still caught at build time.

Change-Id: I39e3cbc150551c9316952523927d057538cd00a7
2016-12-16 14:29:59 -08:00
Dan Cashman
1c04027795 Switch recovery to versioned policy and split into components.
And do some clean up:
Replace LOCAL_TARGET_ARCH with global arch specifier that won't get
clobbered, clean up sepolicy.recovery's eng specification, ensure that
build macros are applied across all policy generation, not just
plat_policy, and make sure that all private variables are cleared and
alphabetized at the end.

Bug: 31363362
Bug: 31369363
Test: Boot into recovery and observe no selinux denials.
Change-Id: Ibc15b097f6d19acf01f6b22bee0e083b15f4ef75
2016-12-16 10:19:17 -08:00
dcashman
90b3b94897 Split mac_permissions.xml into plat and non-plat components.
Bug: 31363362
Test: Bullhead and Sailfish both build and boot w/out new denials.
Change-Id: If6a451ddaab8c9b78a618c49b116a7ed766d0710
2016-12-15 10:20:35 -08:00
dcashman
1faa644c81 Split policy for on-device compilation.
Simulate platform and non-platform split by sending the split files to the
device to be compiled by init.

Bug: 31363362
Test: Policy builds on-device and boots.  sediff shows no difference.
Change-Id: I9627d1c66ca37786d97a049666278a4992ad7579
2016-12-13 10:06:12 -08:00
dcashman
0779155805 Restore checkfc and neverallow checks.
Bug: 33388095
Test: Builds and boots.
Change-Id: Ief9064a16fc733bed54eb76f509ff5aaf5db4baf
2016-12-07 11:27:47 -08:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00
Jorge Lucangeli Obes
2899434716 Add WITH_DEXPREOPT_PIC to 'with_dexpreopt' SELinux macro.
|WITH_DEXPREOPT_PIC = false| will still cause code to be loaded from
/data.

Bug: 32970029
Test: On HiKey and Marlin:
Test: Add |WITH_DEXPREOPT_PIC = false|, see SELinux denial.
Test: Apply this CL, no SELinux denials.
Change-Id: I0a1d39eeb4d7f75d84c1908b879d9ea1ccffba74
2016-11-21 11:57:08 -05:00
Jorge Lucangeli Obes
84db84e6cd Use with_dexpreopt macro for zygote execute permissions.
When WITH_DEXPREOPT is set, the zygote does not need to execute
dalvikcache_data_file objects.

Bug: 32970029
Test: Add policy line inside macro, build with and without WITH_DEXPREOPT.
Test: HiKey builds, boots, no zygote denials.
Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 14:22:37 -05:00
Jeff Vander Stoep
d733d161cf Add macros for treble and non-treble only policy
Test: builds
Change-Id: Idd1d90a89a9ecbb2738d6b483af0e8479e87aa15
2016-10-19 15:05:05 -07:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Douglas Leung
5807d1d2b9 Fix ioctl defines for Mips.
This patch allows mips to boot in enforcing mode.

Change-Id: Ia4676db06adc3ccb20d5f231406cf4ab67317496
2016-08-29 14:43:07 -07:00
William Roberts
7d9487c996 Merge \"service_contexts: strip blank lines and comments\"
am: afad0c35ec

Change-Id: Id4a4937cc3b7c2ddd6d363144e6fafc90be60498
2016-07-18 22:56:49 +00:00
William Roberts
a584f2f6cd Merge \"property_contexts: strip blank lines and comments\"
am: ee69a2e775

Change-Id: If61f5720180243ec1b5aa9e16d66c95c37f49b88
2016-07-15 21:24:34 +00:00
William Roberts
c9fce3fa59 service_contexts: strip blank lines and comments
Strip whitespace and comments from service_context files
to reduce size. On an aosp_x86_64 build it saves 36 bytes.

However, on builds with more synclines and comments, further
space savings can be realized.

Change-Id: I3cb4effad1d1b404bf53605a3793e3070cb95651
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-07-01 15:01:13 +00:00
William Roberts
371918c1fe property_contexts: strip blank lines and comments
Strip whitespace and comments from property_context files
to reduce size. On an aosp_x86_64 build it saves 851 bytes.

However, on builds with more synclines and comments, further
space savings can be realized.

Change-Id: I43caf1deaab53d4753c835918898c8982f477ef0
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-07-01 15:01:01 +00:00
Shinichiro Hamaji
2f7b0514fa Merge "Add keys to prerequisites of mac_permissions.xml" am: d1eb0ede9c
am: a8f65aa156

* commit 'a8f65aa156331487153456ed111b7feb1434355e':
  Add keys to prerequisites of mac_permissions.xml

Change-Id: I9b6f11e61f31ec6c11ec35283eff4936b66497f9
2016-05-17 04:09:02 +00:00
Shinichiro Hamaji
ef0c14d3a2 Add keys to prerequisites of mac_permissions.xml
Bug: 27954979
Change-Id: Ia0403e2dc2726523a41742e23beff29b47274392
2016-05-13 16:04:58 +09:00
Nick Kralevich
3116b83f83 suppress unnecessary makefile output am: 6ef10bd48b
am: 1274aa15d4

* commit '1274aa15d415ea317c48b321445583bf25999b6a':
  suppress unnecessary makefile output
2016-03-02 01:47:59 +00:00
Nick Kralevich
6ef10bd48b suppress unnecessary makefile output
checkpolicy spits out a bunch of unnecessary lines during normal
operation, which bloat the logs and hide other more important
warnings. Suppress the normal output.

SELinux compile time errors are printed to stderr, and are
uneffected by this change.

Change-Id: I07f2cbe8afcd14abf1c025355a169b5214ed5c6e
2016-02-29 16:59:33 -08:00
Nick Kralevich
6710e5c377 Don\'t allow permissive SELinux domains on user builds. am: bca98efa57
am: 0551e9e8d4

* commit '0551e9e8d4764578d7304d695ba20040a6e0ea0b':
  Don't allow permissive SELinux domains on user builds.
2016-02-27 04:39:39 +00:00
Nick Kralevich
bca98efa57 Don't allow permissive SELinux domains on user builds.
It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.

In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.

A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:

  userdebug_or_eng(`
    permissive foo;
  ')

Bug: 26902605
Bug: 27313768
Change-Id: Ic0971d9e96a28f2a98f9d56a547661d24fb81a21
2016-02-26 20:06:52 -08:00
Jeffrey Vander Stoep
7a29402717 Merge changes from topic \'fc_sort-2\' am: 87a73f199a
am: af77ab6b13

* commit 'af77ab6b136b0c4d44e912bbd2b98f958f7ceb45':
  fc_sort: initial commit
  checkfc: do not die on 0 length fc's
2016-01-15 19:41:30 +00:00
William Roberts
49693f1b4d fc_sort: initial commit
Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: I3775eae11bfa5905cad0d02a0bf26c76ac03437c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-14 17:39:07 -08:00
Jeffrey Vander Stoep
b9053767ab Merge "Revert "fc_sort: initial commit"" am: 5de7574a59
am: 62871e5874

* commit '62871e5874e6b1663c732c7f2a2b2d6b36604534':
  Revert "fc_sort: initial commit"
2016-01-15 01:12:54 +00:00
Jeffrey Vander Stoep
b1fb7e4037 Revert "fc_sort: initial commit"
Breaks builds with no device specific policy.

Bug: 26568553
This reverts commit 29d146887e.

Change-Id: If9254d4ad3f104a96325beedebc05dd22664084a
2016-01-14 23:28:51 +00:00
Jeffrey Vander Stoep
a654d9f3aa Merge "fc_sort: initial commit" am: 2dea4525f3
am: faddabe6f5

* commit 'faddabe6f58f30f81938b928597ee7a792c34984':
  fc_sort: initial commit
2016-01-14 20:19:47 +00:00
William Roberts
29d146887e fc_sort: initial commit
Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: Id79cc6f434c41179d5c0d0d739c4718918b0b1dc
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-07 10:11:52 -08:00
Jeffrey Vander Stoep
9aa378ec31 Merge "Reduce socket ioctl perms" 2016-01-04 22:06:54 +00:00
Jeff Vander Stoep
cbaa2b7d37 Reduce socket ioctl perms
Reduce the socket ioctl commands available to untrusted/isolated apps.
Neverallow accessing sensitive information or setting of network parameters.
Neverallow access to device private ioctls i.e. device specific
customizations as these are a common source of driver bugs.

Define common ioctl commands in ioctl_defines.

Bug: 26267358
Change-Id: Ic5c0af066e26d4cb2867568f53a3e65c5e3b5a5d
2016-01-04 12:15:19 -08:00
Daniel Cashman
efeac86de4 Merge changes from topic \'sepolicy-makefile-cleanup\' am: 1e5b7a1962
am: 26f06d172d

* commit '26f06d172dc2b55c42b1543c7ef02563241efce1':
  Android.mk: cleanse all set but not unset variables
  Android.mk: clean dependencies and clear variables
2015-12-29 17:39:18 +00:00
William Roberts
50a478ef72 Android.mk: cleanse all set but not unset variables
Discovered by diffing the set of "set variables" with
the set of "cleared variables".

Script:

mydir=$(mktemp -d)

grep -E '(^[a-z].)[a-z0-9_\.]*\s*:?=.' Android.mk  | cut -d' ' -f 1-1 | sort | uniq > $mydir/set_vars
grep -E '(^[a-z].)[a-z0-9_\.]*\s*:?=$' Android.mk | cut -d' ' -f1-1 | sort | uniq > $mydir/unset_vars
diff $mydir/set_vars $mydir/unset_vars
rm -rf $mydir

Change-Id: Ib50abac6b417a1bcc1894d9a7bafdbdca371006a
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-12-28 16:19:54 -08:00
William Roberts
46749752e5 Android.mk: clean dependencies and clear variables
Dependencies being built with newline files in between
were also including the list of files without the newlines,
thus make would have to process 3n-1 files instead of 2n-1
where n is the number of files to process.

Additionally the *_with_nl variables were not being cleared
out and polluting Make's global name-space.

Change-Id: I76ea1a3dfae994b32991730aea7e4308da52a583
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-12-28 16:17:24 -08:00
William Roberts
4b412232c1 sectxfile_nl: fix superfluous dependencies am: cb1ab9858e
am: aeb403f233

* commit 'aeb403f233ada241a099777ccd0ef3b007e935e2':
  sectxfile_nl: fix superfluous dependencies
2015-12-16 23:44:41 +00:00
William Roberts
cb1ab9858e sectxfile_nl: fix superfluous dependencies
The target sectxfile_nl, which is an auto-generated newline file,
has dependencies on itself and the other files. The dependencies
should be on the other files and this newline file, not the other
way around. Ideally, the *_contexts recipes should have the
dependency recorded for their "contexts" files and the newline
file.

Additionally, recipe dependencies for building the *_contexts files
depended on the list of all the contexts files with the newline file
in that list, however an additional explicit addition of the newline
file was also added in. Remove this, since its in the full list of
files.

Change-Id: Iac658923f23a8d9263d392c44003b6bda4064646
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-12-16 14:01:58 -08:00
Jeffrey Vander Stoep
e927937f2d Merge "checkfc: add attribute test" am: d48773ab3e
am: c435b7590b

* commit 'c435b7590bd7d7f0594d48976fe931d1f6c07f32':
  checkfc: add attribute test
2015-12-16 16:35:36 +00:00
William Roberts
ad3cb39e54 checkfc: add attribute test
Enable checkfc to check *_contexts against a set of valid attributes
which must be associated with all types in the contexts file that
is being checked.

Since it's imperative that checkfc knows which file its checking to
choose the proper attribute set, the -s option is introduced to
indicate the service_contexts file. The property_contexts file continues
to use the existing -p and file_contexts requires no specification, aka
it's the default.

Failure examples:
file_contexts:
Error: type "init" is not of set: "fs_type, dev_type, file_type"

service_contexts:
Error: type "init_exec" is not of set: "service_manager_type"

property_contexts:
Error: type "bluetooth_service" is not of set: "property_type"

Change-Id: I62077e4d0760858a9459e753e14dfd209868080f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-12-14 23:37:10 +00:00
Nick Kralevich
edb41d8744 Merge "Ensure newlines are added between context config files" am: d6765a99f3
am: 5cfd34957e

* commit '5cfd34957e48cd79e53fbfb8aa4acf1d53f8f638':
  Ensure newlines are added between context config files
2015-12-13 14:45:40 -08:00
Richard Haines
c8801fec63 Ensure newlines are added between context config files
When multiple file_contexts, service_contexts and property_contexts
are processed by the m4(1) macro processor, they will fail if one
or more of the intermediate files final line is not terminated by
a newline. This patch adds an intervening file only containing a
newline.

Change-Id: Ie66b32fe477d08c69e6d6eb1725f658adc384ce4
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2015-12-13 12:01:53 +00:00
Jeff Vander Stoep
3a0ce49b86 Migrate to upstream policy version 30
Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
2015-12-11 18:07:17 +00:00
Jeffrey Vander Stoep
4f9107df8f Revert "Migrate to upstream policy version 30"
This reverts commit 2ea23a6e1a.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
2015-12-08 12:14:50 -08:00
Jeffrey Vander Stoep
5ca5696e8b Revert "Migrate to upstream policy version 30"
This reverts commit 2ea23a6e1a.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
2015-12-08 18:19:04 +00:00
Jeff Vander Stoep
2ea23a6e1a Migrate to upstream policy version 30
Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
2015-12-08 07:18:41 -08:00
Jeff Vander Stoep
0fc831c3b0 Temporarily downgrade to policy version number
Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.

(cherry picked from commit 89765083f7)

Bug: 22846070

Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4
2015-10-23 10:16:00 -07:00
William Roberts
f88e31ea90 am 7fc865a4: service_contexts: don\'t delete intermediate on failure
* commit '7fc865a4caec1a2ced41918449e34596f50f8c43':
  service_contexts: don't delete intermediate on failure
2015-10-01 22:24:59 +00:00
William Roberts
630fd5d80c am dcffd2b4: property_contexts: don\'t delete intermediate on failure
* commit 'dcffd2b482a625a99233d82019d7b96919c41600':
  property_contexts: don't delete intermediate on failure
2015-10-01 22:11:37 +00:00
Colin Cross
0f1b1f353b am 9eb6c874: Revert "property_contexts: don\'t delete intermediate on failure"
* commit '9eb6c87439da2b00699f644a8b8c335bf8cd9680':
  Revert "property_contexts: don't delete intermediate on failure"
2015-10-01 22:11:33 +00:00
Colin Cross
2a41cb70a7 am efcaecab: Revert "service_contexts: don\'t delete intermediate on failure"
* commit 'efcaecab4eb075fdc69942e6915999458fb5f88b':
  Revert "service_contexts: don't delete intermediate on failure"
2015-10-01 22:11:32 +00:00
Jeffrey Vander Stoep
4f821319f7 am 23c42c38: Merge "service_contexts: don\'t delete intermediate on failure"
* commit '23c42c389b07f6ebda69ca8e834c27b27460879a':
  service_contexts: don't delete intermediate on failure
2015-10-01 22:11:25 +00:00
Jeffrey Vander Stoep
89c1fd2582 am e6e94762: Merge "property_contexts: don\'t delete intermediate on failure"
* commit 'e6e947622514bdf0b80bf093c0df1a7d9ae12c37':
  property_contexts: don't delete intermediate on failure
2015-10-01 22:11:24 +00:00
William Roberts
7fc865a4ca service_contexts: don't delete intermediate on failure
When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ib9dcbf21d0a28700d500cf0ea4e412b009758d5d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-10-01 22:01:50 +00:00
William Roberts
dcffd2b482 property_contexts: don't delete intermediate on failure
When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ia86eb0480c9493ceab36fed779b2fe6ab85d2b3d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-10-01 14:56:19 -07:00
Colin Cross
9eb6c87439 Revert "property_contexts: don't delete intermediate on failure"
This reverts commit 7f81b337bc.

Change-Id: I79834d0ef3adbf2eed53b07d17160876e2a999c6
2015-10-01 21:25:55 +00:00
Colin Cross
efcaecab4e Revert "service_contexts: don't delete intermediate on failure"
This reverts commit f6ee7a5219.

Change-Id: I4f1396e6e4aeecd1109f9c24494c6e82645c0663
2015-10-01 21:25:25 +00:00
William Roberts
f6ee7a5219 service_contexts: don't delete intermediate on failure
When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ib9c9247d36e6a6406b4df84d10e982921c07d492
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-29 14:25:01 -07:00
William Roberts
7f81b337bc property_contexts: don't delete intermediate on failure
When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: I431d6f4494fa119c1873eab0e77f0eed3fb5754e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-29 14:25:01 -07:00
William Roberts
92461b6169 am 3746a0ae: file_contexts: don\'t delete intermediate on failure
* commit '3746a0ae63a56a6b18fabd3e89bfe4760a1691e3':
  file_contexts: don't delete intermediate on failure
2015-09-28 18:23:43 +00:00
William Roberts
3746a0ae63 file_contexts: don't delete intermediate on failure
Currently, if an error is detected in a file_contexts
file, the intermediate file_context.tmp file is removed,
thus making debugging of build issues problematic.

Instead, employ checkfc tool during the compilation recipe
so the m4 concatenated intermediate is preserved on
failure.

Change-Id: Ic827385d3bc3434b6c2a9bba5313cd42b5f15599
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-28 10:36:49 -07:00
Ivan Krasin
b49f5cf83f am 9aa41303: asan: update condition to work with multiple SANITIZE_TARGET values.
* commit '9aa413036bde2c80c25b381bd685ab05f8390127':
  asan: update condition to work with multiple SANITIZE_TARGET values.
2015-09-19 19:52:05 +00:00
Ivan Krasin
9aa413036b asan: update condition to work with multiple SANITIZE_TARGET values.
The goal is to enable SANITIZE_TARGET='address coverage', which
will be used by LLVMFuzzer.

Bug: 22850550
Change-Id: I953649186a7fae9b2495159237521f264d1de3b6
2015-09-18 12:05:51 -07:00
William Roberts
4d526d8675 am 031e5ce9: Android.mk: Cleanup GENERAL_*_CONTEXTS variables
* commit '031e5ce9c5cd3334cd2a09645cb03306fb552494':
  Android.mk: Cleanup GENERAL_*_CONTEXTS variables
2015-08-13 18:00:43 +00:00
William Roberts
dc858fe64d am 6aabc1c7: Android.mk: drop polluting variables
* commit '6aabc1c77b98d0ce8e13871047504afb90108733':
  Android.mk: drop polluting variables
2015-08-13 17:26:59 +00:00
William Roberts
031e5ce9c5 Android.mk: Cleanup GENERAL_*_CONTEXTS variables
Change-Id: Ic70a1208b67fe3961871cdeb39369c2ed3e0ce28
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-08-13 10:11:31 -07:00
William Roberts
6aabc1c77b Android.mk: drop polluting variables
Some of the ALL_*_FILES variables remained that were used
in a way that could not be cleared. Move them to lower
case variants and use a build recipe PRIVATE_*_FILES variable.
This avoids polluting the global namespace.

Change-Id: I83748dab48141af7d3f10ad27fc9319eaf90b970
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-08-13 10:09:23 -07:00
Richard Haines
32bbafc194 am c2d01914: Update Android.mk to support file_contexts.bin
* commit 'c2d01914d12b1c153b5ef32293079764a4342169':
  Update Android.mk to support file_contexts.bin
2015-08-13 00:40:32 +00:00
Richard Haines
c2d01914d1 Update Android.mk to support file_contexts.bin
This change supports external/libselinux changes to implement
PCRE formatted binary file_contexts and general_file_contexts.bin
files.

The $(intermediates) directory will contain the original text file
(that is no longer used on the device) with a .tmp extension as well
as the .bin file to aid analysis.

A CleanSpec.mk file is added to remove the old file_contexts file.

Change-Id: I75a781100082c23536f70ce3603f7de42408b5ba
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2015-08-12 08:45:44 -07:00
Dan Willemsen
10c1e872cc am bc2a49f2: Don\'t assume ordering of
* commit 'bc2a49f24726faec8699ad2eefa73ccbdc7ff3d5':
  Don't assume ordering of $(wildcard ...)
2015-08-11 20:23:15 +00:00
Dan Willemsen
bc2a49f247 Don't assume ordering of $(wildcard ...)
There are no guarantees on the order of the results from a call to the
wildcard function. In fact, the order usually changes between make 3.81
and make 4.0 (and kati).

Instead, sort the results of wildcard in each sepolicy directory, so
that directory order is preserved, but content ordering is reliable.

Change-Id: I1620f89bbdd2b2902f2e0c40526e893ccf5f7775
2015-08-11 12:27:08 -07:00
William Roberts
deb2f8b5f7 am d2185582: Android.mk: Add support for BOARD_SEPOLICY_M4DEFS
* commit 'd21855824d178abea9ac93376757c7aed765cd83':
  Android.mk: Add support for BOARD_SEPOLICY_M4DEFS
2015-07-27 18:02:27 +00:00
William Roberts
d21855824d Android.mk: Add support for BOARD_SEPOLICY_M4DEFS
Allow device builders to pass arbitrary m4 definitions
during the build via make variable BOARD_SEPOLICY_M4DEFS.
This enables OEMs to define their own static policy build
conditionals.

Change-Id: Ibea1dbb7b8615576c5668e47f16ed0eedfa0b73c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-24 23:20:53 +00:00
Colin Cross
07039d386a am 29a463d5: Use build fingerprint from file
* commit '29a463d5d594a1b83288eff2da1f8829a69d3d46':
  Use build fingerprint from file
2015-07-23 19:01:40 +00:00
Colin Cross
29a463d5d5 Use build fingerprint from file
Improve incremental ninja builds by keeping the command line the same
across builds.

Change-Id: Iedbaa40c9f816f91afc8f073a9ed7f9ffd5d9a53
2015-07-17 13:40:42 -07:00
Nick Kralevich
457e446fe7 am 1a6e29e2: Merge "android.mk: drop duplicate spaces"
* commit '1a6e29e251ead902509e4ff25fdfdcaf023d860e':
  android.mk: drop duplicate spaces
2015-07-16 19:57:51 +00:00
William Roberts
85402534f3 android.mk: drop duplicate spaces
Change-Id: Iae3edba40a94f78e78c0cc89a03e3f5a098d3909
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-16 11:40:21 -07:00
William Roberts
b2420cf4ec am ffc86bea: Correct local variables for file_contexts_asan
* commit 'ffc86bea0e38147a9330177708aedbccd603627a':
  Correct local variables for file_contexts_asan
2015-07-10 20:34:46 +00:00
William Roberts
ffc86bea0e Correct local variables for file_contexts_asan
Lowercase local variables and clear them to be
consistent with other recipes and prevent polluting
Make's global name space with set variables.

Change-Id: If455cd4f33d5babbea985867a711e8a10c21a00f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-10 19:55:35 +00:00
William Roberts
e1a2001fc5 am 99fe8df2: hide checkseapp command invocation
* commit '99fe8df245f4346c14a3dfaf856006c7ebf51ad2':
  hide checkseapp command invocation
2015-07-07 19:13:59 +00:00
William Roberts
0046404b2c am b876993f: use a general sepolicy when building general targets
* commit 'b876993f4ee25fb299b7521b0dc565248d3db2a6':
  use a general sepolicy when building general targets
2015-07-07 19:13:58 +00:00
William Roberts
99fe8df245 hide checkseapp command invocation
Change-Id: I040904b69b98c49d60546f024f5ace5b7c6f7d5e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-07 17:45:51 +00:00
William Roberts
807b8a6f9d am 3a74555c: Drop unused variable in Android.mk
* commit '3a74555c4e6c3b87c43b1eb311a2e418f6d88453':
  Drop unused variable in Android.mk
2015-07-07 15:49:25 +00:00
William Roberts
b876993f4e use a general sepolicy when building general targets
Change-Id: Ie800ebf9d8e68680ec377e8c51f7cd7717f3c755
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-30 14:02:17 -07:00
William Roberts
3a74555c4e Drop unused variable in Android.mk
Change-Id: Ibd22582deb24fde49cdb71b8754446f3948db36c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-29 16:14:15 -07:00
William Roberts
bf4568d1cd am 4ee7131a: Introduce seapp_neverallow test
* commit '4ee7131ade43a046ad784a91bdded7c3c77206cd':
  Introduce seapp_neverallow test
2015-06-29 20:36:17 +00:00
William Roberts
4ee7131ade Introduce seapp_neverallow test
Produce a list of neverallow assertions from seapp_contexts into
a separate file, general_seapp_context_neverallows, to be used
during CTS neverallow checking.

Change-Id: I171ed43cf4ae4961f66d5d8f56695345493f1261
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-29 10:57:06 -07:00
William Roberts
8f519b3f0f am da52e859: correct colon usage on make targets
* commit 'da52e85906289d5b691404ffed1fb830065140f9':
  correct colon usage on make targets
2015-06-29 17:53:41 +00:00
William Roberts
da52e85906 correct colon usage on make targets
Change-Id: If944d8bd1e324f6500920ee3c5d44611ec7f8af9
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-27 07:22:34 -07:00
William Roberts
942c0ea901 am 81e1f90c: check_seapp: add support for "neverallow" checks
* commit '81e1f90cd13b262f9e3021f64ae3574b8f5cd5d0':
  check_seapp: add support for "neverallow" checks
2015-06-26 21:02:10 +00:00
William Roberts
81e1f90cd1 check_seapp: add support for "neverallow" checks
Introduce "neverallow" rules for seapp_contexts. A neverallow rule is
similar to the existing key-value-pair entries but the line begins
with "neverallow". A neverallow violation is detected when all keys,
both inputs and outputs are matched. The neverallow rules value
parameter (not the key) can contain regular expressions to assist in
matching. Neverallow rules are never output to the generated
seapp_contexts file.

Also, unless -o is specified, checkseapp runs in silent mode and
outputs nothing. Specifying - as an argument to -o outputs to stdout.

Sample Output:
Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app"

Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-25 23:53:46 +00:00
Evgenii Stepanov
651a315ad2 am 4b4c5645: Merge "Extend sepolicy for SANITIZE_TARGET."
* commit '4b4c5645931a0e187d261c4db6caac67d09ab4e4':
  Extend sepolicy for SANITIZE_TARGET.
2015-06-15 21:09:13 +00:00
Evgenii Stepanov
930304829b Extend sepolicy for SANITIZE_TARGET.
SANITIZE_TARGET adds shared libraries in /data/lib.

Bug: 21785137
Change-Id: I8ac3d059d88d57d24ed762ffc6202a4ce5a42333
2015-06-12 17:19:30 -07:00
Jeff Vander Stoep
de9b5301a1 restrict app access to socket ioctls
Create a macro of unprivileged ioctls including
- All common socket ioctls except MAC address
- All wireless extensions ioctls except get/set ESSID
- Some commonly used tty ioctls

Bug: 21657002
Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
2015-06-05 22:35:51 +00:00
Jeff Vander Stoep
64b01c6165 Update policy version to enable ioctl whitelisting
Bug: 20756547
Bug: 18087110
Change-Id: I9ff76f1cf359e38c19d7b50a5b7236fd673d937e
2015-05-04 11:14:23 -07:00
Stephen Smalley
8e0ca8867e Drop BOARD_SEPOLICY_UNION.
As suggested in the comments on
https://android-review.googlesource.com/#/c/141560/
drop BOARD_SEPOLICY_UNION and simplify the build_policy logic.
Union all files found under BOARD_SEPOLICY_DIRS.

Unlike BOARD_SEPOLICY_REPLACE/IGNORE, on which we trigger an error
to catch any lingering uses and force updating of the BoardConfig.mk
files, we only warn on uses of BOARD_SEPOLICY_UNION to avoid
breaking the build until all device BoardConfig*.mk files have been
updated, and since they should be harmless - the files will be unioned
regardless.

Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-01 10:18:17 -04:00
Stephen Smalley
b4f17069b3 sepolicy: Drop BOARD_SEPOLICY_IGNORE/REPLACE support.
With changes I431c1ab22fc53749f623937154b9ec43469d9645 and
Ia54aa263f2245c7090f4b9d9703130c19f11bd28, it is no longer
legitimate to use BOARD_SEPOLICY_IGNORE or REPLACE with
any of the *_contexts files since the CTS requires the AOSP
entries to be present in the device files.

Further, these changes render BOARD_SEPOLICY_IGNORE unusable for
most policy files since all domains and types referenced within any
of the AOSP *_contexts entries must be defined in the kernel policy, so
you cannot use BOARD_SEPOLICY_IGNORE to exclude any .te file
that defines a type referenced in any of those *_contexts files.
There does not seem to be a significant need for such a facility,
as AOSP policy is small and only domains and types used by most
devices should be defined in external/sepolicy.

BOARD_SEPOLICY_REPLACE is commonly misused to eliminate neverallow rules
from AOSP policy, which will only lead to CTS failures, especially
since change Iefe508df265f62efa92f8eb74fc65542d39e3e74 introduced neverallow
checking on the entire policy via sepolicy-analyze.  The only remaining
legitimate function of BOARD_SEPOLICY_REPLACE is to support overriding
AOSP .te files with more restrictive rule sets.  However, the need for this
facility has been significantly reduced by the fact that AOSP policy
is now fully confined + enforcing for all domains, and further restrictions
beyond AOSP carry a compatibility risk.

Builders of custom policies and custom ROMs still have the freedom to
apply patches on top of external/sepolicy to tighten rule sets (which are
likely more maintainable than maintaining a completely separate copy of
the file via BOARD_SEPOLICY_REPLACE) and/or of using their own separate
policy build system as exemplified by
https://bitbucket.org/quarksecurity/build-policies

Change-Id: I2611e983f7cbfa15f9d45ec3ea301e94132b06fa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-13 10:26:00 -04:00
Stephen Smalley
c93617315e Fix rules for general_property_contexts.
Failed to include base_rules.mk, so this target was not being built.

Change-Id: I2414fa6c3e3e37c74f63c205e3694d1a811c956e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-13 09:36:57 -04:00
Stephen Smalley
2e0cd5ad36 Generate general versions of the other contexts files for tests.
Generate general forms of the remaining *_contexts files with only the
device-independent entries for use in CTS testing.

Change-Id: I2bf0e41db8a73c26754cedd92cbc3783ff03d6b5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-12 17:45:03 -04:00
Stephen Smalley
377128778d Generate a general_seapp_contexts file for tests.
Generate a general_seapp_contexts file with only the
device-independent entries, similar to general_sepolicy.conf.
This is for use by CTS tests to compare with the prefix of
device seapp_contexts.

Change-Id: If8d1456afff5347adff7157411c6a160484e0b39
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-12 15:46:36 -04:00
Nick Kralevich
f435a8e556 Delete unconfined domain
No longer used.  :-)

Change-Id: I687cc36404e8ad8b899b6e76b1de7ee8c5392e07
2015-02-28 11:27:35 -08:00
William Roberts
754f5ea7ee Allow overiding FORCE_PERMISSIVE_TO_UNCONFINED
It's beneficial to be able to overide this in a device makefile
if you need to get the domains into an unconfined state to keep
the logs from filling up on kernel entries without having to add
rules into device specific policy.

Change-Id: I7778be01256ac601f247e4d6e12573d0d23d12a1
2014-12-20 15:15:33 +00:00
William Roberts
f330f37529 Remove network shell script
This seems to not really being used, especially considering
that the init.rc does not have a oneshot service for it, and its
not using the build_policy() and other things to even make it
configurable.

Change-Id: I964f94b30103917ed39cf5d003564de456b169a5
2014-11-13 07:34:39 -08:00
Stephen Smalley
ee58864b95 Revert "DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true"
Change-Id I52fd5fbe30a7f52f1143f176915ce55fb6a33f87 was only intended
for lollipop, not for master.

This reverts commit 2aa727e3f0.

Change-Id: If2101939eb50cd6bbcde118b91c003d1f30d811c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-11-07 09:50:38 -05:00
Nick Kralevich
39f92a8350 am f7e98fe2: Merge "recovery.te: add /data neverallow rules"
* commit 'f7e98fe2c988d88a4a98a1fdfd07561cef013e5c':
  recovery.te: add /data neverallow rules
2014-11-06 19:22:09 +00:00
Nick Kralevich
a17a266e7e recovery.te: add /data neverallow rules
Recovery should never be accessing files from /data.
In particular, /data may be encrypted, and the files within
/data will be inaccessible to recovery, because recovery doesn't
know the decryption key.

Enforce write/execute restrictions on recovery. We can't tighten
it up further because domain.te contains some /data read-only
access rules, which shouldn't apply to recovery but do.

Create neverallow_macros, used for storing permission macros
useful for neverallow rules. Standardize recovery.te and
property_data_file on the new macros.

Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88
2014-11-05 15:30:41 -08:00
dcashman
5a6ac67476 am 3fe1bcbb: Merge "Generate selinux_policy.xml as part of CTS build."
* commit '3fe1bcbb8d2f2e17e7506d7fb0302068c9ccc915':
  Generate selinux_policy.xml as part of CTS build.
2014-08-04 20:24:23 +00:00
dcashman
704741a5c2 Generate selinux_policy.xml as part of CTS build.
Bug: 16563899
Bug: 14251916
Change-Id: Id3172b73f10186ba361caf6b7333e5d2a0648475
2014-07-28 17:57:22 -07:00
Nick Kralevich
2aa727e3f0 DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true
Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're preparing a release,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Without this change, our user builds will behave differently than
userdebug builds, complicating testing.

Change-Id: I52fd5fbe30a7f52f1143f176915ce55fb6a33f87
2014-07-14 09:15:08 -07:00
Nick Kralevich
db644f98ad am 8eb63f24: am b0ee91a4: Merge "Add SELinux rules for service_manager."
* commit '8eb63f24bb34639d76246a2fe0276f5cada5c764':
  Add SELinux rules for service_manager.
2014-06-12 21:13:06 +00:00
Nick Kralevich
8eb63f24bb am b0ee91a4: Merge "Add SELinux rules for service_manager."
* commit 'b0ee91a418a899dbd39678711ea65ed60418154e':
  Add SELinux rules for service_manager.
2014-06-12 21:06:37 +00:00
Riley Spahn
f90c41f6e8 Add SELinux rules for service_manager.
Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
2014-06-12 20:46:07 +00:00