Commit graph

94 commits

Author SHA1 Message Date
Alan Stokes
668e74f6f4 Exempt app_data_file_type from neverallow rules.
We need to be able to access app data files from core domains such as
installd even for vendor apps. Those file types should not be
core_data_file_type, so we explicitly exempty app_data_file_type as
well as core_data_file_type from the relevant neverallows.

To prevent misuse of the attribute, add a test to check it is not
applied to anything in file_contexts. Exempt the existing violators in
system policy for now.

Test: Builds
Test: Adding a type with just "file_type, data_file_type, app_data_file_type" works
Test: New test successfully catches  violators.
Bug: 171795911
Change-Id: I07bf3ec3db615f8b7a33d8235da5e6d8e2508975
2020-11-12 18:08:18 +00:00
Steven Moreland
4537b1ed62 Merge "Policy: file errors include files with attrs" 2020-11-04 16:21:40 +00:00
Steven Moreland
7f11650293 Policy: file errors include files with attrs
Since many files can correspond to the same error, it can be hard to see
which file is causing the error for an attribute

Example, here I couldn't find which file was 'vendor_file':

  The following types on / must be associated with the "no_fs_type"
  attribute: vendor_file
   corresponding to files: /cache/overlay/oem/upper

Bug: 154851797
Test: see above example
Change-Id: Ic96536da3ce55ccc5f600579b9f6b1b4f56fc93d
2020-11-03 23:20:43 +00:00
Steven Moreland
a01338d4a8 sepolicy_tests.py: system_ext, product, odm
Adds missing partitions to Treble sepolicy tests, and makes exceptions
explicit.

Bug: 154851797
Test: build runs this test

Change-Id: I93f3e633981383d3d215d3a850f6ade12c910415
2020-11-02 20:24:35 +00:00
Inseob Kim
1b8b1f648c Ensure property owners are exclusive
system_property_type and vendor_property_type can't be assigned
together. For example, the following policy snippet will fail.

system_public_prop(foo_prop)
typeattribute foo_prop vendor_property_type;

product_property_type is currently synonym for system_property_type, so
we only check those two.

Bug: 171437654
Test: m selinux_policy
Test: add "typeattribute default_prop vendor_property_type;" to
      property.te and then "m selinux_policy"
Change-Id: I1cdbf3d04264bb045568c30f19339dfe3889dbb4
2020-10-23 15:16:11 +09:00
Steven Moreland
5c0a0a8190 Remove binder_in_vendor_violators.
It's release blocking if devices specify it. Since none are used
in-tree anymore, no reason to every use this again.

Bug: 131617943
Test: grepping source/build (which validates this isn't used)
Change-Id: I6f98ab9baed93e11403a10f3a0497c855d3a8695
2020-08-27 00:00:35 +00:00
Joel Galenson
b0d74a1f5b Update sepolicy to use inclusive language
See https://source.android.com/setup/contribute/respectful-code for reference

#inclusivefixit

Bug: 161896447
Test: Build
Change-Id: If612f2270c8ba1d7fc2cbda3b2e8ca3818c0a1be
2020-07-27 16:52:04 +00:00
Steven Moreland
000ec93900 treble_sepolicy_tests.py: require recognized loc
Before, we were silently ignoring unrecognized paths.

Bug: 152813275
Test: m (runs this test)
Test: reproduce every error I've added
Change-Id: I4a0b8fb9fff070d16126caa1499590693a6d2895
2020-04-08 23:17:16 +00:00
Steven Moreland
a00530b07c Remove treble coredomain whitelist.
Seems that this is no longer needed, except for vendor_init.

Bug: 152813275
Test: m (runs this test)
Change-Id: I773053cbe1a84911684cc2ff15904ee7ddf7a73e
2020-04-02 16:02:54 -07:00
Tri Vo
8c31ddf22e sepolicy: don't construct mappings for ignored types
Say, foo_type was introduced in 29.0 sepolicy and is in 29.0.ignore.cil.
Also assume (typeattributeset foo_type_29_0 (foo_type bar_type))

Make sure that above mapping is not expanded into 28.0.cil, 27.0.cil, etc.

Test: m selinux_policy
Test: build aosp/1199739
Change-Id: Ib564431ab67f555ea1ae650dc31a68121e9c6d84
2020-01-08 08:53:27 -08:00
Dan Willemsen
1f944107a3 Fix sepolicy_tests on Mac 10.15
This is dlopened by sepolicy_tests, which uses embeds the python
interpreter built from our tree. That python interpreter links against
the shared version of libc++, so mixing it with this static copy was
causing segfaults on Mac 10.15 (but apparently not elsewhere).

Test: SANITIZE_HOST=address m treble_sepolicy_tests
Test: `m` on Mac 10.15
Change-Id: I31744acd018ea4c980c46a9979bbad17ae1c4f68
2019-11-23 17:45:01 -08:00
Tri Vo
7bfd7303b3 Expand typattribute declarations into older maps
Say, foo_attribute is removed in 30 API. We need to preserve
typeattribute declaration in 29.0.cil, 28.0.cil, etc for backwards
compatibility.
(typeattribute binder_in_vendor_violators)

Automatically expand these typeattribute declaration into older map
files, so that we only need to update 29.0.cil.

Test: remove binder_in_vendor_violators; only 29.0.cil map needs to be
updated
Change-Id: Ifa7767d771f802e122b2f1ff6faf198ba2afa42e
2019-08-20 16:07:29 -07:00
Tri Vo
462c9c4382 sepolicy: public links in error messages
Bug: n/a
Test: n/a
Change-Id: Id449fe115fac8bf99c33bf4455a23dd29448f93d
2019-08-09 10:27:48 -07:00
Jeff Vander Stoep
1ca7a4c8f5 fc_sort: delete c version, migrate to python version
Test: build aosp_blueline-userdebug, run build-time tests
Change-Id: I9c466cd718602e6068ee31abd6de7dbab84f4949
2019-04-11 10:19:16 -07:00
Tri Vo
1451938da0 sepolicy: Improve treble test error message.
Bug: 120080521
Test: removing a mapped type in the mapping file triggers new error
message
Change-Id: I04b21da7206777af8c281a843bd39ea5c4f0863a
2019-01-06 18:18:32 -08:00
Treehugger Robot
3e5054e8fa Merge "Start enforcing /system file labeling" 2018-10-04 22:03:11 +00:00
Nick Kralevich
dab131b1f8 Start enforcing /system file labeling
system_file_type is an attribute assigned to all files on the /system
partition. Add a compile time test to ensure that the attribute is
assigned to all the relevant types.

Test: code compiles.
Change-Id: I7d69a04a4f04f6269cc408f25527b948756cc079
2018-10-04 11:24:00 -07:00
Tri Vo
2777d18c20 combine_maps: only use python2
python3 is not required on host machines.

Bug: 117260689
Test: m selinux_policy
Change-Id: Iea31eadcb3f09ffadca82dd1862cf5538259c710
2018-10-04 10:22:49 -07:00
Tri Vo
438684b39f Only maintain maps between current and previous selinux versions.
New maintenance scheme for mapping files:
Say, V is the current SELinux platform version, then at any point in time we
only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1)
and bottom (V-n+1->V-n) without changes to previously maintained mapping files.

Caveats:
- 26.0.cil doesn't technically represent 27.0->26.0 map, but rather
current->26.0. We'll fully migrate to the scheme with future releases.

Bug: 67510052
Test: adding new public type only requires changing the latest compat map
Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8
2018-10-02 15:10:13 -07:00
Tri Vo
e3f4f77d39 Don't require private types in mapping file.
Private types are not visible to vendor/odm policy, so we don't need mapping
entries for them.

We build platform-only public policy .cil file and give it as input to
treble_sepolicy_tests. Using this public policy the test can now figure out if
the newly added type in public or private.

Bug: 116344577
Test: adding public type triggers mapping test failure, adding private type does
not.
Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-28 17:22:25 -07:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Nick Kralevich
bb880a2826 gracefully handle hashtab_search failures
Otherwise we crash on a null pointer exception.

Test: Reference a non-existent type in test code and make sure
    the test doesn't crash.

Change-Id: I5839d2740d51c0df7a8909a3f8430850ae1b2675
2018-09-26 14:28:44 -07:00
Nick Kralevich
41b21ee96a Delete untrusted_v2_app
As of https://android-review.googlesource.com/c/platform/system/sepolicy/+/536356 ,
the untrusted_v2_app domain is no longer used.

Bug: 112233317
Test: policy compiles, device boots, and no problems
Change-Id: I5a47c8305bef374b7fea06cd789e06cd48b847e6
2018-08-06 12:52:37 -07:00
Yi Kong
16544eb94f Modernize codebase by replacing NULL with nullptr
Fixes -Wzero-as-null-pointer-constant warning.

Test: m
Bug: 68236239
Change-Id: Ib3f0a25a5129c34d94ebebff818feb5e6fd349dd
2018-07-24 14:54:56 -07:00
Jeff Vander Stoep
3a3756feee searchpolicy depends on FcSort
Bug: 77965486
Test: run cts -m CtsSecurityHostTestCases -t
    android.cts.security.FileSystemPermissionTest#testDevHwRandomPermissions

Change-Id: Ib5965649e9b2b4bb0259383374dfac76cc0a8bd5
(cherry picked from commit cc541a80c3)
2018-04-24 14:12:50 -07:00
Tri Vo
4c80c2caa8 Test that /proc files have proc_type attribute.
Bug: 74182216
Change-Id: Ia1c6b67ac93ed6e88c50c1527b48275365bf5fd5
Test: build policy
2018-03-29 03:42:47 +00:00
Tri Vo
0d5b954086 Revert "Test that /proc files have proc_type attribute."
This reverts commit 4e79b64e05.

Reason for revert: broke something internal

Change-Id: Iec5f2c17fc768424c0b82936a069e42de0b66555
2018-03-28 23:13:14 +00:00
Tri Vo
4e79b64e05 Test that /proc files have proc_type attribute.
Bug: 74182216
Test: build policy
Change-Id: Ice800c571e9be469dffa212c478c10e63b80deca
2018-03-28 13:08:42 -07:00
Jeff Vander Stoep
1b8284444c Assert types labeled in genfs_contexts have correct attributes
Types in sysfs should have the sysfs_type attribute, types in
debugfs and tracefs should have the debugfs_type attribute.

TODO: Test that files in procfs have the proc_type attribute.
TODO: Assert these tests in CTS.

Bug: 74182216
Test: build - these are build-time tests.
Change-Id: Icf0ff2a26c05f94da421ba23df0b92d8eef906bf
2018-03-23 14:34:46 -07:00
Jeff Vander Stoep
370a52fee5 Improve data separation test coverage
Two areas need better coverage:
1. Tests are not verifying that files in /data/vendor do not have the
core_data_file_type attribute.
2. No error is thrown if a type lives in both /data/vendor
/data/<not vendor>.

Bug: 72998741
Test: build all selinux policies on master (assert build time tests)
Test: build and boot Marlin and Taimen, verify no selinux denials and
    everything works as expected.

Change-Id: I133a068123139a599b9b81ddcc254616894621eb
(cherry picked from commit 55d5e28472)
2018-03-22 22:58:50 -07:00
Tri Vo
19047a6a32 Silence expandtypeattribute build-time warning.
treble_sepolicy_tests emit during build time warnings for
expandtypeattribute statements in the mapping file.
Silence those warning.

Bug: 72757373
Test: build sepolicy
Change-Id: Ia40d80d8172c96c75854d2e1ec0d284ea0724b5c
2018-02-07 12:59:38 -08:00
Bowgo Tsai
afbcf21bfb Renames nonplat_* to vendor_*
This change renames the non-platform sepolicy files on a DUT from
nonplat_* to vendor_*.

It also splits the versioned platform sepolicy from vendor_sepolicy.cil
to a new file /vendor/etc/selinux/plat_pub_versioned.cil. And only keeps
vendor customizations in vendor_sepolicy.cil.

Build variable BOARD_SEPOLICY_DIRS is also renamed to
BOARD_VENDOR_SEPOLICY_DIRS.

Bug: 64240127
Test: boot bullhead/taimen
Change-Id: Iea2210c9c8ab30c9ecbcd8146f074e76e90e6943
2018-02-05 18:21:55 +08:00
Jeff Vander Stoep
ccf965e9ca Test that /data is properly labeled
Data outside of /data/vendor should have the core_data_file_type.
Exempt data_between_core_and_vendor for some types.

Ensure core_data_file_type and coredomain_socket do not get expanded
to their underlying types.

Test: build sepolicy for all targets in master (this is a build time
    test)
Bug: 34980020
Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a
(cherry picked from commit bdd454792d)
2018-01-30 10:11:38 -08:00
Tom Cherry
9c778045b2 Remove vendor_init from coredomain
vendor_init exists on the system partition, but it is meant to be an
extention of init that runs with vendor permissions for executing
vendor scripts, therefore it is not meant to be in coredomain.

Bug: 62875318
Test: boot walleye
Merged-In: I01af5c9f8b198674b15b90620d02725a6e7c1da6
Change-Id: I01af5c9f8b198674b15b90620d02725a6e7c1da6
2018-01-29 18:07:41 +00:00
Jeff Vander Stoep
e63686011b Fix error message format
"/n" --> "\n"

Fixes: 72225980
Test: build (this is a build test)
Change-Id: Iffd7241b4d7b9b429fff34dc2e25baad32d8008d
2018-01-19 15:00:41 -08:00
Tri Vo
30c3c2a85c Files under /vendor must have attribute vendor_file_type.
Label /vendor/etc/selinux/* as vendor_configs_file.

Bug: 62041836
Test: build system/sepolicy
Test: walleye boots
Change-Id: I617a3287860e965c282e9e82b4375ea68dbca785
2018-01-12 00:05:41 +00:00
Jeff Vander Stoep
fe0910c9ad Prepare treble_sepolicy_tests for inclusion in CTS
Unconditionally compile treble_sepolicy_tests. Make compat
files conditional on running the compat tests.

Bug: 37008075
Test: build
Change-Id: Ib3aee6e93d285ca141803a13958fbcb38b891b68
2017-11-20 22:29:38 +00:00
Jeff Vander Stoep
3ca843a57d Prepare python tests to be run in CTS
Bug: 37008075
Test: build, all tests pass. Modify some attributes locally to
    cause tests to fail (verify that they are actually working).
Change-Id: If9f9ece61dff835f38ef9c8a57f5a7baddbae5cd
2017-10-04 19:46:12 +00:00
Jeff Vander Stoep
e9777e3402 Move python sepolicy tests to embedded launcher
This is a necessary for enforcing these tests in CTS.

Bug: 37008075
Test: build
Change-Id: I36b4ce71c26a0ba01cd0289fe363f0a9f7db1214
(cherry picked from commit 8d614b3f81)
2017-10-04 17:09:30 +00:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Jeff Vander Stoep
a7d2c5bf17 Move python scripts to python_binary_host build rule
Fixes: 65263013
Test: build
Merged-In: I0ec412481c5990927fcbee7c4303bee2da876210
Change-Id: I0a5b9a80e988fcd16a29807ed83b2c65bba9000f
2017-09-23 14:45:02 -07:00
Dan Willemsen
948354abb9 Fix libsepolwrap with SANITIZE_HOST=address
Test: SANITIZE_HOST=true m treble_sepolicy_tests
Change-Id: I9190dc06715bbbac8a267a143801f99f911decf3
2017-09-01 14:08:46 -07:00
Jeff Vander Stoep
1fc0682ec6 Run Treble sepolicy tests at build time
Bug: 37008075
Test: build policy on Marlin
Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544
(cherry picked from commit e1ddc6df75)
2017-06-05 08:09:32 -07:00
Jeff Vander Stoep
bdfc0301a1 Verify correct application of labels and attributes
With project Treble, we're relying heavily on attributes for
permission inheritance and enforcement of separation between
platform and vendor components.

We neead tests that verify those attributes are correctly applied.
This change adds the framework for those tests including a wrapper
around libsepol for loading and querying policy, and a python module
for running tests on policy and file_contexts.

Included with the testing framework is a test asserting that the
coredomain attribute is only applied to core processes. This
verification is done using the following rules:
1. Domain's entrypoint is on /system - coredomain
2. Domain's entrypoint is on /vendor - not coredomain
3. Domain belongs to a whitelist of known coredomains - coredomain

In a subsequent commit these tests will be applied at build time.
However, I first need to fix existing Treble violations exposed by
this test. These tests will also be applied during CTS.

Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \
    treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \
    -f $OUT/vendor/etc/selinux/nonplat_file_contexts \
    -f $OUT/system/etc/selinux/plat_file_contexts
Bug: 37008075
Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9
(cherry picked from commit 0366afdf14)
2017-06-05 08:09:05 -07:00