Commit graph

102 commits

Author SHA1 Message Date
William Roberts
7fc865a4ca service_contexts: don't delete intermediate on failure
When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ib9dcbf21d0a28700d500cf0ea4e412b009758d5d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-10-01 22:01:50 +00:00
William Roberts
dcffd2b482 property_contexts: don't delete intermediate on failure
When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ia86eb0480c9493ceab36fed779b2fe6ab85d2b3d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-10-01 14:56:19 -07:00
Colin Cross
9eb6c87439 Revert "property_contexts: don't delete intermediate on failure"
This reverts commit 7f81b337bc.

Change-Id: I79834d0ef3adbf2eed53b07d17160876e2a999c6
2015-10-01 21:25:55 +00:00
Colin Cross
efcaecab4e Revert "service_contexts: don't delete intermediate on failure"
This reverts commit f6ee7a5219.

Change-Id: I4f1396e6e4aeecd1109f9c24494c6e82645c0663
2015-10-01 21:25:25 +00:00
William Roberts
f6ee7a5219 service_contexts: don't delete intermediate on failure
When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ib9c9247d36e6a6406b4df84d10e982921c07d492
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-29 14:25:01 -07:00
William Roberts
7f81b337bc property_contexts: don't delete intermediate on failure
When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: I431d6f4494fa119c1873eab0e77f0eed3fb5754e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-29 14:25:01 -07:00
William Roberts
3746a0ae63 file_contexts: don't delete intermediate on failure
Currently, if an error is detected in a file_contexts
file, the intermediate file_context.tmp file is removed,
thus making debugging of build issues problematic.

Instead, employ checkfc tool during the compilation recipe
so the m4 concatenated intermediate is preserved on
failure.

Change-Id: Ic827385d3bc3434b6c2a9bba5313cd42b5f15599
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-28 10:36:49 -07:00
Ivan Krasin
9aa413036b asan: update condition to work with multiple SANITIZE_TARGET values.
The goal is to enable SANITIZE_TARGET='address coverage', which
will be used by LLVMFuzzer.

Bug: 22850550
Change-Id: I953649186a7fae9b2495159237521f264d1de3b6
2015-09-18 12:05:51 -07:00
William Roberts
031e5ce9c5 Android.mk: Cleanup GENERAL_*_CONTEXTS variables
Change-Id: Ic70a1208b67fe3961871cdeb39369c2ed3e0ce28
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-08-13 10:11:31 -07:00
William Roberts
6aabc1c77b Android.mk: drop polluting variables
Some of the ALL_*_FILES variables remained that were used
in a way that could not be cleared. Move them to lower
case variants and use a build recipe PRIVATE_*_FILES variable.
This avoids polluting the global namespace.

Change-Id: I83748dab48141af7d3f10ad27fc9319eaf90b970
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-08-13 10:09:23 -07:00
Richard Haines
c2d01914d1 Update Android.mk to support file_contexts.bin
This change supports external/libselinux changes to implement
PCRE formatted binary file_contexts and general_file_contexts.bin
files.

The $(intermediates) directory will contain the original text file
(that is no longer used on the device) with a .tmp extension as well
as the .bin file to aid analysis.

A CleanSpec.mk file is added to remove the old file_contexts file.

Change-Id: I75a781100082c23536f70ce3603f7de42408b5ba
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2015-08-12 08:45:44 -07:00
Dan Willemsen
bc2a49f247 Don't assume ordering of $(wildcard ...)
There are no guarantees on the order of the results from a call to the
wildcard function. In fact, the order usually changes between make 3.81
and make 4.0 (and kati).

Instead, sort the results of wildcard in each sepolicy directory, so
that directory order is preserved, but content ordering is reliable.

Change-Id: I1620f89bbdd2b2902f2e0c40526e893ccf5f7775
2015-08-11 12:27:08 -07:00
William Roberts
d21855824d Android.mk: Add support for BOARD_SEPOLICY_M4DEFS
Allow device builders to pass arbitrary m4 definitions
during the build via make variable BOARD_SEPOLICY_M4DEFS.
This enables OEMs to define their own static policy build
conditionals.

Change-Id: Ibea1dbb7b8615576c5668e47f16ed0eedfa0b73c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-24 23:20:53 +00:00
Colin Cross
29a463d5d5 Use build fingerprint from file
Improve incremental ninja builds by keeping the command line the same
across builds.

Change-Id: Iedbaa40c9f816f91afc8f073a9ed7f9ffd5d9a53
2015-07-17 13:40:42 -07:00
William Roberts
85402534f3 android.mk: drop duplicate spaces
Change-Id: Iae3edba40a94f78e78c0cc89a03e3f5a098d3909
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-16 11:40:21 -07:00
William Roberts
ffc86bea0e Correct local variables for file_contexts_asan
Lowercase local variables and clear them to be
consistent with other recipes and prevent polluting
Make's global name space with set variables.

Change-Id: If455cd4f33d5babbea985867a711e8a10c21a00f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-10 19:55:35 +00:00
William Roberts
99fe8df245 hide checkseapp command invocation
Change-Id: I040904b69b98c49d60546f024f5ace5b7c6f7d5e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-07 17:45:51 +00:00
William Roberts
b876993f4e use a general sepolicy when building general targets
Change-Id: Ie800ebf9d8e68680ec377e8c51f7cd7717f3c755
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-30 14:02:17 -07:00
William Roberts
3a74555c4e Drop unused variable in Android.mk
Change-Id: Ibd22582deb24fde49cdb71b8754446f3948db36c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-29 16:14:15 -07:00
William Roberts
4ee7131ade Introduce seapp_neverallow test
Produce a list of neverallow assertions from seapp_contexts into
a separate file, general_seapp_context_neverallows, to be used
during CTS neverallow checking.

Change-Id: I171ed43cf4ae4961f66d5d8f56695345493f1261
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-29 10:57:06 -07:00
William Roberts
da52e85906 correct colon usage on make targets
Change-Id: If944d8bd1e324f6500920ee3c5d44611ec7f8af9
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-27 07:22:34 -07:00
William Roberts
81e1f90cd1 check_seapp: add support for "neverallow" checks
Introduce "neverallow" rules for seapp_contexts. A neverallow rule is
similar to the existing key-value-pair entries but the line begins
with "neverallow". A neverallow violation is detected when all keys,
both inputs and outputs are matched. The neverallow rules value
parameter (not the key) can contain regular expressions to assist in
matching. Neverallow rules are never output to the generated
seapp_contexts file.

Also, unless -o is specified, checkseapp runs in silent mode and
outputs nothing. Specifying - as an argument to -o outputs to stdout.

Sample Output:
Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app"

Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-25 23:53:46 +00:00
Evgenii Stepanov
930304829b Extend sepolicy for SANITIZE_TARGET.
SANITIZE_TARGET adds shared libraries in /data/lib.

Bug: 21785137
Change-Id: I8ac3d059d88d57d24ed762ffc6202a4ce5a42333
2015-06-12 17:19:30 -07:00
Stephen Smalley
8e0ca8867e Drop BOARD_SEPOLICY_UNION.
As suggested in the comments on
https://android-review.googlesource.com/#/c/141560/
drop BOARD_SEPOLICY_UNION and simplify the build_policy logic.
Union all files found under BOARD_SEPOLICY_DIRS.

Unlike BOARD_SEPOLICY_REPLACE/IGNORE, on which we trigger an error
to catch any lingering uses and force updating of the BoardConfig.mk
files, we only warn on uses of BOARD_SEPOLICY_UNION to avoid
breaking the build until all device BoardConfig*.mk files have been
updated, and since they should be harmless - the files will be unioned
regardless.

Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-01 10:18:17 -04:00
Stephen Smalley
b4f17069b3 sepolicy: Drop BOARD_SEPOLICY_IGNORE/REPLACE support.
With changes I431c1ab22fc53749f623937154b9ec43469d9645 and
Ia54aa263f2245c7090f4b9d9703130c19f11bd28, it is no longer
legitimate to use BOARD_SEPOLICY_IGNORE or REPLACE with
any of the *_contexts files since the CTS requires the AOSP
entries to be present in the device files.

Further, these changes render BOARD_SEPOLICY_IGNORE unusable for
most policy files since all domains and types referenced within any
of the AOSP *_contexts entries must be defined in the kernel policy, so
you cannot use BOARD_SEPOLICY_IGNORE to exclude any .te file
that defines a type referenced in any of those *_contexts files.
There does not seem to be a significant need for such a facility,
as AOSP policy is small and only domains and types used by most
devices should be defined in external/sepolicy.

BOARD_SEPOLICY_REPLACE is commonly misused to eliminate neverallow rules
from AOSP policy, which will only lead to CTS failures, especially
since change Iefe508df265f62efa92f8eb74fc65542d39e3e74 introduced neverallow
checking on the entire policy via sepolicy-analyze.  The only remaining
legitimate function of BOARD_SEPOLICY_REPLACE is to support overriding
AOSP .te files with more restrictive rule sets.  However, the need for this
facility has been significantly reduced by the fact that AOSP policy
is now fully confined + enforcing for all domains, and further restrictions
beyond AOSP carry a compatibility risk.

Builders of custom policies and custom ROMs still have the freedom to
apply patches on top of external/sepolicy to tighten rule sets (which are
likely more maintainable than maintaining a completely separate copy of
the file via BOARD_SEPOLICY_REPLACE) and/or of using their own separate
policy build system as exemplified by
https://bitbucket.org/quarksecurity/build-policies

Change-Id: I2611e983f7cbfa15f9d45ec3ea301e94132b06fa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-13 10:26:00 -04:00
Stephen Smalley
c93617315e Fix rules for general_property_contexts.
Failed to include base_rules.mk, so this target was not being built.

Change-Id: I2414fa6c3e3e37c74f63c205e3694d1a811c956e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-13 09:36:57 -04:00
Stephen Smalley
2e0cd5ad36 Generate general versions of the other contexts files for tests.
Generate general forms of the remaining *_contexts files with only the
device-independent entries for use in CTS testing.

Change-Id: I2bf0e41db8a73c26754cedd92cbc3783ff03d6b5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-12 17:45:03 -04:00
Stephen Smalley
377128778d Generate a general_seapp_contexts file for tests.
Generate a general_seapp_contexts file with only the
device-independent entries, similar to general_sepolicy.conf.
This is for use by CTS tests to compare with the prefix of
device seapp_contexts.

Change-Id: If8d1456afff5347adff7157411c6a160484e0b39
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-12 15:46:36 -04:00
Nick Kralevich
f435a8e556 Delete unconfined domain
No longer used.  :-)

Change-Id: I687cc36404e8ad8b899b6e76b1de7ee8c5392e07
2015-02-28 11:27:35 -08:00
William Roberts
754f5ea7ee Allow overiding FORCE_PERMISSIVE_TO_UNCONFINED
It's beneficial to be able to overide this in a device makefile
if you need to get the domains into an unconfined state to keep
the logs from filling up on kernel entries without having to add
rules into device specific policy.

Change-Id: I7778be01256ac601f247e4d6e12573d0d23d12a1
2014-12-20 15:15:33 +00:00
William Roberts
f330f37529 Remove network shell script
This seems to not really being used, especially considering
that the init.rc does not have a oneshot service for it, and its
not using the build_policy() and other things to even make it
configurable.

Change-Id: I964f94b30103917ed39cf5d003564de456b169a5
2014-11-13 07:34:39 -08:00
Stephen Smalley
ee58864b95 Revert "DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true"
Change-Id I52fd5fbe30a7f52f1143f176915ce55fb6a33f87 was only intended
for lollipop, not for master.

This reverts commit 2aa727e3f0.

Change-Id: If2101939eb50cd6bbcde118b91c003d1f30d811c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-11-07 09:50:38 -05:00
Nick Kralevich
39f92a8350 am f7e98fe2: Merge "recovery.te: add /data neverallow rules"
* commit 'f7e98fe2c988d88a4a98a1fdfd07561cef013e5c':
  recovery.te: add /data neverallow rules
2014-11-06 19:22:09 +00:00
Nick Kralevich
a17a266e7e recovery.te: add /data neverallow rules
Recovery should never be accessing files from /data.
In particular, /data may be encrypted, and the files within
/data will be inaccessible to recovery, because recovery doesn't
know the decryption key.

Enforce write/execute restrictions on recovery. We can't tighten
it up further because domain.te contains some /data read-only
access rules, which shouldn't apply to recovery but do.

Create neverallow_macros, used for storing permission macros
useful for neverallow rules. Standardize recovery.te and
property_data_file on the new macros.

Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88
2014-11-05 15:30:41 -08:00
dcashman
5a6ac67476 am 3fe1bcbb: Merge "Generate selinux_policy.xml as part of CTS build."
* commit '3fe1bcbb8d2f2e17e7506d7fb0302068c9ccc915':
  Generate selinux_policy.xml as part of CTS build.
2014-08-04 20:24:23 +00:00
dcashman
704741a5c2 Generate selinux_policy.xml as part of CTS build.
Bug: 16563899
Bug: 14251916
Change-Id: Id3172b73f10186ba361caf6b7333e5d2a0648475
2014-07-28 17:57:22 -07:00
Nick Kralevich
2aa727e3f0 DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true
Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're preparing a release,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Without this change, our user builds will behave differently than
userdebug builds, complicating testing.

Change-Id: I52fd5fbe30a7f52f1143f176915ce55fb6a33f87
2014-07-14 09:15:08 -07:00
Nick Kralevich
db644f98ad am 8eb63f24: am b0ee91a4: Merge "Add SELinux rules for service_manager."
* commit '8eb63f24bb34639d76246a2fe0276f5cada5c764':
  Add SELinux rules for service_manager.
2014-06-12 21:13:06 +00:00
Nick Kralevich
8eb63f24bb am b0ee91a4: Merge "Add SELinux rules for service_manager."
* commit 'b0ee91a418a899dbd39678711ea65ed60418154e':
  Add SELinux rules for service_manager.
2014-06-12 21:06:37 +00:00
Riley Spahn
f90c41f6e8 Add SELinux rules for service_manager.
Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
2014-06-12 20:46:07 +00:00
Robert Craig
33bf667ab1 am ec87ecb9: am 8571ed16: am 8b7545bf: Build the selinux_version file.
* commit 'ec87ecb99187ce4e7c4b01e3e2ff79e9f61a5968':
  Build the selinux_version file.
2014-05-31 11:38:45 +00:00
Robert Craig
ec87ecb991 am 8571ed16: am 8b7545bf: Build the selinux_version file.
* commit '8571ed162e85c507ea93b06c6816cdf99019625a':
  Build the selinux_version file.
2014-05-31 08:49:29 +00:00
Robert Craig
8b7545bf57 Build the selinux_version file.
The selinux_version file is used to perform policy
versioning checks by libselinux and SELinuxMMAC. When
loading policy a check is first performed to determine
if the policy out in /data/security/current should be
used to override the base policy shipped with the device.
The selinux_version file is used to make that choice. The
contents of the file simply contains the BUILD_FINGERPRINT
that the policy was built against. A simple string comparison
is then performed by libselinux and SELinuxMMAC.

Change-Id: I69d9d071743cfd46bb247c98f94a193396f8ebbd
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-05-30 20:24:18 +00:00
Stephen Smalley
4a247480b3 am c664083b: am ffbba62e: am e60723ab: Create a separate recovery policy.
* commit 'c664083badd1c73c144f53354c015681cd7e6951':
  Create a separate recovery policy.
2014-05-30 19:01:44 +00:00
Stephen Smalley
c664083bad am ffbba62e: am e60723ab: Create a separate recovery policy.
* commit 'ffbba62eafb759573aad4bcdc77d56026697ea00':
  Create a separate recovery policy.
2014-05-30 18:27:02 +00:00
Stephen Smalley
e60723ab59 Create a separate recovery policy.
Create a separate recovery policy and only include the
recovery domain allow rules in it.

Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 12:53:32 -04:00
Nick Kralevich
863b282366 am d188f5be: Merge "DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true" into klp-modular-dev
* commit 'd188f5be07e168c19a2cd46439c0319f4866c641':
  DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true
2014-02-05 23:50:47 +00:00
Nick Kralevich
2772e78ff9 DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true
Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're approaching stabilization,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Change-Id: I1467b6b633934b18689683f3a3085329bb96dae1
2014-02-05 14:57:14 -08:00
Robert Craig
6b0ff4756a Catch nonexistent BOARD_SEPOLICY_UNION policy files.
Added a new check to make sure that all listed
BOARD_SEPOLICY_UNION files are located somewhere
in the listed BOARD_SEPOLICY_DIRS locations. The
build will error out otherwise.

Change-Id: Icc5febc5fe5a7cccb90ac5b83e6289c2aa5bf069
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-01-29 13:14:49 -05:00
Nick Kralevich
623975fa5a Support forcing permissive domains to unconfined.
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
2014-01-11 13:29:51 -08:00