Commit graph

24 commits

Author SHA1 Message Date
Inseob Kim
4912a24447 Use embedded launcher for python binaries
Bug: 239386651
Test: m selinux_policy
Change-Id: Ic267fcfe4c38b51f8cf2469157b7cb57b84ad779
2022-07-26 22:59:04 +09:00
Inseob Kim
3a9ac6f10a Remove dependency to distutils
Because distutils is deprecated since Python 3.10.

Test: atest android.security.cts.SELinuxHostTest
Change-Id: I29d390dcfbeaa65b2c868bbc8648835c644e3d18
2022-07-19 14:27:36 +09:00
Maciej Żenczykowski
b13921c3f0 much more finegrained bpf selinux privs for networking mainline
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.

BPFFS (ie. /sys/fs/bpf) labelling is as follows:
  subdirectory   selinux context      mainline  usecase / usable by
  /              fs_bpf               no (*)    core operating system (ie. platform)
  /net_private   fs_bpf_net_private   yes, T+   network_stack
  /net_shared    fs_bpf_net_shared    yes, T+   network_stack & system_server
  /netd_readonly fs_bpf_netd_readonly yes, T+   network_stack & system_server & r/o to netd
  /netd_shared   fs_bpf_netd_shared   yes, T+   network_stack & system_server & netd [**]
  /tethering     fs_bpf_tethering     yes, S+   network_stack
  /vendor        fs_bpf_vendor        no, T+    vendor

* initial support for bpf was added back in P,
  but things worked differently back then with no bpfloader,
  and instead netd doing stuff by hand,
  bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
  (and was definitely there in R)

** additionally bpf programs are accesible to netutils_wrapper
   for use by iptables xt_bpf extensions

'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).

The reason for splitting net_private vs tethering is that:
  S+ must support 4.9+ kernels and S era bpfloader v0.2+
  T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+

The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions.  Older kernels have
a tendency to reject programs that newer kernels allow.

/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.

Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32)
2022-06-22 16:07:42 -07:00
Inseob Kim
6fa8efdf4a Use "data: libsepolwrap" in python binaries
To avoid hard-coded paths in Android.mk rules.

Test: m selinux_policy
Change-Id: I7b464fa2953e01ccb6fff8daa3e219ae372313c5
2021-12-29 04:58:30 +00:00
Thiébaud Weksteen
f24b457dd0 Migrate tests/ to Python 3
In general, it appears that libselinux and libsepol interpret paths and
contexts as bytes. For instance, selabel_file(5) mentions about the path
field of file_contexts:

  Strings representing paths are processed as bytes (as opposed to
  Unicode), meaning that non-ASCII characters are not matched
  by a single wildcard.

libsepol also uses primitives such as strchr[1], which explicitly
operate at the byte level (see strchr(3)). However, practically, Android
paths and contexts all uses ASCII characters.

Use the str type (i.e., Unicode) for all Python code to avoid a larger
refactoring. Ensure we convert to bytes for inputs and outputs of
libsepolwrap.so. The encoding "ascii" is used, which will raise an error
should a context or type contain non-ASCII characters.

Update headers to match development/docs/copyright-templates.

[1] https://cs.android.com/android/platform/superproject/+/master:external/selinux/libsepol/src/context_record.c;l=224;drc=454466e2e49fd99f36db78396e604962b8682cb4

Bug: 200119288
Test: lunch aosp_bramble-userdebug && m
Test: atest --host fc_sort_test
Test: manually run searchpolicy
Change-Id: I72d41a35f90b2d4112e481cd8d7408764a6c8132
2021-12-01 21:45:13 +00:00
Hridya Valsaraju
edccaa87aa Revert "Revert "Check that tracefs files are labelled as tracefs_type""
This reverts commit a00863e4d8.

All dependencies for this patch are now merged.

Bug: 184381659
Test: atest
android.security.cts.SELinuxHostTest#testTracefsTypeViolators

Change-Id: Ic268b24222a87cd9f7ff9158eb16a20f1cb3ecbb
2021-05-14 14:06:14 -07:00
Hridya Valsaraju
a00863e4d8 Revert "Check that tracefs files are labelled as tracefs_type"
Revert submission 1668411

Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting

Change-Id: I398e7ecb0403c2044027c3145438d02b9ffaeb8a
2021-04-23 16:38:20 +00:00
Hridya Valsaraju
fde9b8f069 Check that tracefs files are labelled as tracefs_type
Bug: 184381659
Test: make
Change-Id: Iaa4fce9f02d85f2657f2331b68ae5af318d0820f
2021-04-21 14:13:54 -07:00
Hridya Valsaraju
8c9cf62edb Allow coredomain access to only approved categories of vendor heaps
One of the advantages of the DMA-BUF heaps framework over
ION is that each heap is a separate char device and hence
it is possible to create separate sepolicy permissions to restrict
access to each heap.
In the case of ION, allocation in every heap had to be done through
/dev/ion which meant that there was no away to restrict allocations in
a specific heap.

This patch intends to restrict coredomain access to only approved
categories of vendor heaps. Currently, the only identified category
as per partner feedback is the system-secure heap which is defined
as a heap that allocates from protected memory.

Test: Build, video playback works on CF with ION disabled and
without sepolicy denials
Bug: 175697666

Change-Id: I923d2931c631d05d569e97f6e49145ef71324f3b
2020-12-16 10:08:54 -08:00
Alan Stokes
668e74f6f4 Exempt app_data_file_type from neverallow rules.
We need to be able to access app data files from core domains such as
installd even for vendor apps. Those file types should not be
core_data_file_type, so we explicitly exempty app_data_file_type as
well as core_data_file_type from the relevant neverallows.

To prevent misuse of the attribute, add a test to check it is not
applied to anything in file_contexts. Exempt the existing violators in
system policy for now.

Test: Builds
Test: Adding a type with just "file_type, data_file_type, app_data_file_type" works
Test: New test successfully catches  violators.
Bug: 171795911
Change-Id: I07bf3ec3db615f8b7a33d8235da5e6d8e2508975
2020-11-12 18:08:18 +00:00
Steven Moreland
a01338d4a8 sepolicy_tests.py: system_ext, product, odm
Adds missing partitions to Treble sepolicy tests, and makes exceptions
explicit.

Bug: 154851797
Test: build runs this test

Change-Id: I93f3e633981383d3d215d3a850f6ade12c910415
2020-11-02 20:24:35 +00:00
Inseob Kim
1b8b1f648c Ensure property owners are exclusive
system_property_type and vendor_property_type can't be assigned
together. For example, the following policy snippet will fail.

system_public_prop(foo_prop)
typeattribute foo_prop vendor_property_type;

product_property_type is currently synonym for system_property_type, so
we only check those two.

Bug: 171437654
Test: m selinux_policy
Test: add "typeattribute default_prop vendor_property_type;" to
      property.te and then "m selinux_policy"
Change-Id: I1cdbf3d04264bb045568c30f19339dfe3889dbb4
2020-10-23 15:16:11 +09:00
Nick Kralevich
dab131b1f8 Start enforcing /system file labeling
system_file_type is an attribute assigned to all files on the /system
partition. Add a compile time test to ensure that the attribute is
assigned to all the relevant types.

Test: code compiles.
Change-Id: I7d69a04a4f04f6269cc408f25527b948756cc079
2018-10-04 11:24:00 -07:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Tri Vo
4c80c2caa8 Test that /proc files have proc_type attribute.
Bug: 74182216
Change-Id: Ia1c6b67ac93ed6e88c50c1527b48275365bf5fd5
Test: build policy
2018-03-29 03:42:47 +00:00
Tri Vo
0d5b954086 Revert "Test that /proc files have proc_type attribute."
This reverts commit 4e79b64e05.

Reason for revert: broke something internal

Change-Id: Iec5f2c17fc768424c0b82936a069e42de0b66555
2018-03-28 23:13:14 +00:00
Tri Vo
4e79b64e05 Test that /proc files have proc_type attribute.
Bug: 74182216
Test: build policy
Change-Id: Ice800c571e9be469dffa212c478c10e63b80deca
2018-03-28 13:08:42 -07:00
Jeff Vander Stoep
1b8284444c Assert types labeled in genfs_contexts have correct attributes
Types in sysfs should have the sysfs_type attribute, types in
debugfs and tracefs should have the debugfs_type attribute.

TODO: Test that files in procfs have the proc_type attribute.
TODO: Assert these tests in CTS.

Bug: 74182216
Test: build - these are build-time tests.
Change-Id: Icf0ff2a26c05f94da421ba23df0b92d8eef906bf
2018-03-23 14:34:46 -07:00
Jeff Vander Stoep
370a52fee5 Improve data separation test coverage
Two areas need better coverage:
1. Tests are not verifying that files in /data/vendor do not have the
core_data_file_type attribute.
2. No error is thrown if a type lives in both /data/vendor
/data/<not vendor>.

Bug: 72998741
Test: build all selinux policies on master (assert build time tests)
Test: build and boot Marlin and Taimen, verify no selinux denials and
    everything works as expected.

Change-Id: I133a068123139a599b9b81ddcc254616894621eb
(cherry picked from commit 55d5e28472)
2018-03-22 22:58:50 -07:00
Bowgo Tsai
afbcf21bfb Renames nonplat_* to vendor_*
This change renames the non-platform sepolicy files on a DUT from
nonplat_* to vendor_*.

It also splits the versioned platform sepolicy from vendor_sepolicy.cil
to a new file /vendor/etc/selinux/plat_pub_versioned.cil. And only keeps
vendor customizations in vendor_sepolicy.cil.

Build variable BOARD_SEPOLICY_DIRS is also renamed to
BOARD_VENDOR_SEPOLICY_DIRS.

Bug: 64240127
Test: boot bullhead/taimen
Change-Id: Iea2210c9c8ab30c9ecbcd8146f074e76e90e6943
2018-02-05 18:21:55 +08:00
Jeff Vander Stoep
ccf965e9ca Test that /data is properly labeled
Data outside of /data/vendor should have the core_data_file_type.
Exempt data_between_core_and_vendor for some types.

Ensure core_data_file_type and coredomain_socket do not get expanded
to their underlying types.

Test: build sepolicy for all targets in master (this is a build time
    test)
Bug: 34980020
Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a
(cherry picked from commit bdd454792d)
2018-01-30 10:11:38 -08:00
Tri Vo
30c3c2a85c Files under /vendor must have attribute vendor_file_type.
Label /vendor/etc/selinux/* as vendor_configs_file.

Bug: 62041836
Test: build system/sepolicy
Test: walleye boots
Change-Id: I617a3287860e965c282e9e82b4375ea68dbca785
2018-01-12 00:05:41 +00:00
Jeff Vander Stoep
3ca843a57d Prepare python tests to be run in CTS
Bug: 37008075
Test: build, all tests pass. Modify some attributes locally to
    cause tests to fail (verify that they are actually working).
Change-Id: If9f9ece61dff835f38ef9c8a57f5a7baddbae5cd
2017-10-04 19:46:12 +00:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00