The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.
Make version_policy replace the '.' in version by '_' so secilc is
happy too.
This unblocks libvintf from giving out a runtime API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.
Bug: 35217573
Test: Build and boot sailfish.
Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>
Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
CTS includes general_sepolicy.conf built from this project. CTS then
tests this file's neverallow rules against the policy of the device
under test. Prior to this commit, neverallow rules which must be
enforced only for Treble devices were not included into
general_sepolicy.conf. As a result, these rules were not enforced for
Treble devices.
This commit fixes the issue as follows. Because CTS includes only one
policy, the policy now contains also the rules which are only for
Treble devices. To enable CTS to distinguish rules needed for all
devices from rules needed only on Treble devices, the latter rules are
contained in sections delimited with BEGIN_TREBLE_ONLY and
END_TREBLE_ONLY comments.
This commit also removes the unnecessary sepolicy.general target. This
target is not used anywhere and is causing trouble because it is
verifying neverallows of the policy meant to be used by CTS. This
policy can no longer be verified with checkpolicy without
conditionally including or excluding Treble-only neverallows.
Test: mmm system/sepolicy
Test: Device boots -- no new denials
Bug: 37082262
Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf
added checkfc options 'l' and 'v' to verify hwservice_manager_type
and vndservice_manager_type on service context files, respectively.
The checkfc call to verify the new hwservice_contexts files will
be added together with hwservicemanager ACL CLs later.
Bug: 34454312
Bug: 36052864
Test: device boots, works
Change-Id: Ie3b56da30be47c95a6b05d1bc5e5805acb809783
This is a necessary first step to finalizing the SELinux policy build
process. The mapping_sepolicy.cil file is required to provide backward
compatibility with the indicated vendor-targeted version.
This still needs to be extended to provide N mapping files and corresponding
SHA256 outputs, one for each of the N previous platform versions with which
we're backward-compatible.
Bug: 36783775
Test: boot device with matching sha256 and non-matching and verify that
device boots and uses either precompiled or compiled policy as needed. Also
verify that mapping_sepolicy.cil has moved.
Change-Id: I5692fb87c7ec0f3ae9ca611f76847ccff9182375
So we can limit vndservicemanager access to
just vndservice_contexts.
Bug: 36052864
Test: servicemanager,vndservicemanager work
Change-Id: I7b132d4f616ba1edd0daf7be750d4b7174c4e188
Moves selinux policy build decisions to system/sepolicy/Android.mk.
This is done because the PRODUCT_FULL_TREBLE variable isn't available
in embedded.mk and TARGET_SANITIZE isn't available to dependencies of
init.
Test: Build/boot Bullhead PRODUCT_FULL_TREBLE=false
Test: Build/boot Marlin PRODUCT_FULL_TREBLE=true
Test: Build Marlin TARGET_SANITIZE=address. Verify asan rules are
included in policy output.
Bug: 36138508
Change-Id: I20a25ffdfbe2b28e7e0f3e090a4df321e85e1235
secilc is being used without -f which is causing a file_contexts
file to be generated in the root of the tree where the build tools
run:
$ stat $T/file_contexts
File: 'file_contexts'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fc00h/64512d Inode: 5508958 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 1000/wcrobert) Gid: ( 1000/wcrobert)
Access: 2017-03-23 11:23:41.691538047 -0700
Modify: 2017-03-23 11:23:41.691538047 -0700
Change: 2017-03-23 11:23:41.691538047 -0700
Test: remove $T/file_contexts, touch a policy file and make sepolicy,
ensure file is not regenerated. Also, ensure hikey builds and
boots.
Change-Id: I0d15338a540dba0194c65a1436647c7d38fe3c79
Signed-off-by: William Roberts <william.c.roberts@intel.com>
This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.
This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.
Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.
P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.
Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
appdomain only, and
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"binder_in_vendor_violators" attribute. The attribute is needed
because the types corresponding to violators are not exposed to the
public policy where the neverallow rules are.
Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
sound, record slow motion video with sound. Confirm videos play
back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
ASAN builds may require additional permissions to launch processes
with ASAN wrappers. In this case, system_server needs permission to
execute /system/bin/sh.
Create with_asan() macro which can be used exclusively on debug
builds. Note this means that ASAN builds with these additional
permission will not pass the security portion of CTS - like any
other debug build.
Addresses:
avc: denied { execute } for name="sh" dev="dm-0" ino=571
scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0
tclass=file
Test: lunch aosp_marlin-userdebug;
cd system/sepolicy; mm SANITIZE_TARGET=address;
Verify permissions granted using with_asan() are granted.
Test: lunch aosp_marlin-userdebug;
cd system/sepolicy; mm;
Verify permissions granted using with_asan() are not granted.
Test: lunch aosp_marlin-user;
cd system/sepolicy; mm SANITIZE_TARGET=address;
Verify permissions granted using with_asan() are not granted.
Bug: 36138508
Change-Id: I6e39ada4bacd71687a593023f16b45bc16cd7ef8
Policy intermediates are being placed in a seemingly random
intermediates directories.
Currently:
out/target/product/marlin/obj_arm/SHARED_LIBRARIES/libsoftkeymaster_intermediates
Instead, place intermediates in the sepolicy_intermediates dir.
Test: intermediates now placed in:
out/target/product/marlin/obj/ETC/sepolicy_intermediates
Test: Marlin builds, no change to sepolicy on device.
Bug: 36269118
Change-Id: Ib6e9d9033be4dc8db0cc66cb47d9dc35d38703fe
This file is no longer needed because it was needed for supporting
reloadable/dynamic SELinux policy which is no longer supported.
Test: Clean build, flash, device boots without additional denials.
Reboot to recovery works, no additional denials.
Bug: 33642277
Change-Id: I7fffe2fd12f586ed9b3ae54e35d17abdebbe7bce
This makes the build system, for TREBLE devices only, place
plat_property_contexts under /system/etc/selinux and
nonplat_property_contexts under /vendor/etc/selinux. For other devices
these files are placed under /, same as before.
This change was previously reverted because it affected the location
of property_contexts in recovery. Now that we have separate targets for
recovery (see ec78c377c0), this change
no longer affects recovery.
Test: *_property_contexts in correct locations when
PRODUCT_FULL_TREBLE is set to true and when it is set to false.
Test: cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check \
--abi arm64-v8a --module CtsSecurityHostTestCases \
-t android.security.cts.SELinuxHostTest#testAospPropertyContexts
This test was performed on bullhead (non A/B device) and sailfish
(A/B device).
Test: Clean build, flash, device boots with no additional denials.
Rebooting to recovery, recovery boots fine with no denials.
This test was performed on bullhead (non A/B device) and sailfish
(A/B device).
Bug: 36002573
(cherry picked from commit 4cb628a3be)
Change-Id: I0b145c58669fb31bc39d57f36eef1190425a8328
This ensures that SELinux policy artifact needed by recovery at
runtime have targets in this build script. This is to make
recoveryimage/bootimage targets depend on these artifacts explicitly,
which reduces the element of surprise. Moreover, this enables us to
move non-recovery artifacts around without affecting recovery
artifacts.
Test: Clean build, flash, device boots just fine, no new denials.
Reboot to recovery, recovery boots just fine, no denials.
This was tested on bullhead (non A/B device) and sailfish (A/B
device).
Bug: 33642277
Change-Id: I3c494d9d7fec5c4f487d38964e572757fcf67f57
Test: Build and boot Marlin
Test: See the following in the logs:
01-01 02:10:28.756 1345 1345 D SELinuxMMAC: Using policy file /system/etc/selinux/plat_mac_permissions.xml
01-01 02:10:28.787 1345 1345 D SELinuxMMAC: Using policy file /vendor/etc/selinux/nonplat_mac_permissions.xml
Bug: 36003167
Change-Id: If17490a2a5d94bfea1fa6d282282d45d67e207e9
Build file_contexts.bin on legacy builds.
Test: Marlin and Bullhead build and boot with no new denials.
Test: Marlin and Bullhead recovery boots with no new denials.
Test: Bullhead boots with file_contexts.bin in /
Test: Marlin boot with /system/etc/selinux/plat_file_contexts and
/vendor/etc/selinux/nonplat_file_contexts.
Bug: 36002414
Change-Id: Ide8498b3c86234d2f93bb22a7514d132c33067d6
Recovery should always use monolithic policy. Thus, we don't need
split policy files *.recovery.cil. This commit removes these targets
and rolls up the relevant parts of the targets into
"sepolicy.recovery" which is the target which produces monolithic
policy for recovery.
Test: make clean && make sepolicy.recovery, then confirm that
sepolicy.recovery is identical to the one produced prior to this
change.
Test: Clean build, flash, device boots up fine, no new denials. Device
also boots into recovery just fine, no denials.
Bug: 31363362
Change-Id: I7f698abe1f17308f2f03f5ed1b727a8b071e94c7
This reverts commit 4cb628a3be.
Reason for revert: recovery image on marlin & sailfish no longer
contained *property_contexts and thus recovery failed to boot.
Test: Clean build, flash, sailfish and bullhead boot up just fine,
and boot into recovery just fine.
Bug: 36002573
Bug: 36108354
Change-Id: I2dffd80764f1a464327747d35a58691b24cff7a7
Test: Build and boot Marlin and Bullhead.
Test: Contexts split between /system and /vendor on Marlin.
Remains stored in / on Bullhead.
Bug: 36002816
Bug: 36002427
Change-Id: I922bcbc0cc2c08e312cf942ee261951edfa8d4e2
This makes the build system, for TREBLE devices only, place
plat_property_contexts under /system/etc/selinux and
nonplat_property_contexts under /vendor/etc/selinux. For other devices
these files are placed under /, same as before.
Test: *_property_contexts in correct locations when
PRODUCT_FULL_TREBLE is set to true and when it is set to false.
Bug: 36002573
Change-Id: I7e30e64918bb3ee671fa8c7a2e30ed96a9cc1ad7
This adds build targets for outputting precompiled kernel policy usable
on devices with policy split between system and vendor partitions. On
such devices, precompiled policy must reside on the vendor partition.
Because such devices support updating these partitions independently
of each other, the precompiled policy must reference the system
partition's policy against which it was compiled. This enables init to
establish whether the precompiled policy is valid for the current
combination of system and vendor partitions.
The referencing is performed by both the system and vendor partitions
including the SHA-256 digest of the system partition's policy
(plat_sepolicy.cil). Only when the digest is the same on both
partitions can the precompiled policy be used.
Test: plat_sepolicy.cil.sha256 contains exactly the hex form of the
SHA-256 digest of plat_sepolicy.cil
Test: plat_sepolicy.cil.sha256 is identical to
precompiled_sepolicy.plat.sha256.
Bug: 31363362
Change-Id: I9771e1aa751e25bba6e2face37d68e0ae43b33a3
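The digest check the commit above describes, as an added example (not code from the sepolicy project or from init): both partitions must carry the same SHA-256 of the system partition's plat_sepolicy.cil before the precompiled policy is trusted. The directory layout and the helper names are assumptions; the file names are the ones named in the commit.

```python
"""Model of the precompiled-policy validity check on split-policy devices.

Added illustration, not project code. Assumed layout:
  <system>/plat_sepolicy.cil
  <system>/plat_sepolicy.cil.sha256          (hex digest, written at build time)
  <vendor>/precompiled_sepolicy.plat.sha256   (hex digest the vendor policy was built against)
"""
import hashlib
import os
import tempfile


def sha256_hex(path):
    """Hex SHA-256 of a file, read in chunks so large policies are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def precompiled_policy_usable(system_dir, vendor_dir):
    """True only when the digest recorded on /system, the digest recorded on
    /vendor, and the digest of the plat_sepolicy.cil actually present all agree.
    Any mismatch or missing file means: fall back to compiling policy on device."""
    plat_cil = os.path.join(system_dir, "plat_sepolicy.cil")
    system_ref = os.path.join(system_dir, "plat_sepolicy.cil.sha256")
    vendor_ref = os.path.join(vendor_dir, "precompiled_sepolicy.plat.sha256")
    for p in (plat_cil, system_ref, vendor_ref):
        if not os.path.isfile(p):
            return False
    with open(system_ref) as f:
        system_digest = f.read().strip().lower()
    with open(vendor_ref) as f:
        vendor_digest = f.read().strip().lower()
    return sha256_hex(plat_cil) == system_digest == vendor_digest


def write_layout(root, plat_cil_bytes, vendor_digest=None):
    """Constructed test fixture: write the three files under root/system and
    root/vendor. If vendor_digest is None the vendor side matches the system side."""
    system_dir = os.path.join(root, "system")
    vendor_dir = os.path.join(root, "vendor")
    os.makedirs(system_dir, exist_ok=True)
    os.makedirs(vendor_dir, exist_ok=True)
    plat_cil = os.path.join(system_dir, "plat_sepolicy.cil")
    with open(plat_cil, "wb") as f:
        f.write(plat_cil_bytes)
    digest = sha256_hex(plat_cil)
    with open(os.path.join(system_dir, "plat_sepolicy.cil.sha256"), "w") as f:
        f.write(digest + "\n")
    with open(os.path.join(vendor_dir, "precompiled_sepolicy.plat.sha256"), "w") as f:
        f.write((vendor_digest if vendor_digest is not None else digest) + "\n")
    return system_dir, vendor_dir


def demo():
    """Returns (matching_result, mismatching_result): expected (True, False)."""
    policy_v1 = b"(typeattribute domain)\n(allow init self (capability (sys_admin)))\n"
    policy_v2 = policy_v1 + b"(allow init self (capability (net_admin)))\n"
    with tempfile.TemporaryDirectory() as root:
        system_dir, vendor_dir = write_layout(root, policy_v1)
        matching = precompiled_policy_usable(system_dir, vendor_dir)
        # Simulate a system update: plat_sepolicy.cil changed, vendor still
        # references the digest of the old policy.
        old_digest = sha256_hex(os.path.join(system_dir, "plat_sepolicy.cil"))
        write_layout(root, policy_v2, vendor_digest=old_digest)
        mismatching = precompiled_policy_usable(system_dir, vendor_dir)
    return matching, mismatching


if __name__ == "__main__":
    print(demo())
```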
With the plat/nonplat policy split, nonplat_seapp_contexts should still
be checked against the plat_seapp_contexts_neverallows during build
time to ensure no violations occur.
Test: stock aosp_marlin builds.
Test: name=foo.bar seinfo=default fails (as expected) in nonplat policy
Test: name=foo.bar seinfo="" fails (as expected) in nonplat policy
Bug: 36002816
Change-Id: I95b2c695b23e2bdf420575d631e85391e93fc869
This moves the CIL files comprising the split sepolicy to the
directories/partitions based on whether the file is part of
platform/system or non-platform/vendor. In particular:
* plat_sepolicy.cil is moved to /system/etc/selinux,
* nonplat_sepolicy.cil is moved to /vendor/etc/selinux, and
* mapping_sepolicy.cil is moved to /vendor/etc/selinux.
Test: Device boots, no additional denials. The test is performed both
for a device without the CIL files and with the three CIL files.
Bug: 31363362
Change-Id: Ia760d7eb32c80ba72f6409da75d99eb5aae71cd9
Prior to this commit, there was a bug in generated CIL where it
wouldn't compile using secilc. The reason was that the build script
was stripping out all lines containing "neverallow" from CIL files,
accidentally removing lines which were not neverallow statements,
such as lmx lines referencing app_neverallows.te.
The commit fixes the build script's CIL neverallow filter to filter
out only neverallow* statements, as originally intended. Moreover, to
catch non-compiling CIL policy earlier in the future, this commit runs
secilc on the policy at build time. In particular, it tests that
platform policy compiles on its own and that nonplatform + platform +
mapping policy compiles as well.
Test: CIL policy builds and compiles on-device using secilc
Bug: 31363362
Change-Id: I769aeb3d8c913a5599f1a2195c69460ece7f6465
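The filter bug described in the commit above, as an added example (not the project's build script): dropping every line that merely contains the substring "neverallow" also removes checkpolicy's ";;* lmx" source-info lines that name app_neverallows.te, whereas removing only lines that open a neverallow* statement keeps them. The sample CIL and the exact regular expression are assumptions; one statement per line is assumed, as checkpolicy's CIL output is laid out.

```python
"""Substring filter versus statement filter for stripping neverallow rules
from generated CIL. Added illustration, not the sepolicy Android.mk recipe."""
import re

# Constructed sample of checkpolicy -C style output.
SAMPLE_CIL = """\
(typeattribute domain)
;;* lmx 1 app_neverallows.te
(neverallow untrusted_app domain (file (execute)))
;;* lmx 5 app_neverallows.te
(neverallowx isolated_app domain (ioctl tcp_socket ((0x8900 0x89ff))))
;;* lmx 3 untrusted_app.te
(allow untrusted_app app_data_file (file (read write)))
"""

# Matches only lines whose first token is a neverallow* keyword, i.e. the
# statements themselves (neverallow, neverallowx).
NEVERALLOW_STMT = re.compile(r"^\s*\(neverallow")


def buggy_filter(cil_text):
    """The pre-fix behaviour: any line containing 'neverallow' is dropped."""
    return [ln for ln in cil_text.splitlines() if "neverallow" not in ln]


def fixed_filter(cil_text):
    """The intended behaviour: only neverallow* statements are dropped."""
    return [ln for ln in cil_text.splitlines() if not NEVERALLOW_STMT.match(ln)]


def lost_source_lines(cil_text):
    """Source-info lines the buggy filter removes but the fixed one keeps."""
    kept = set(fixed_filter(cil_text))
    return [ln for ln in kept if ln.startswith(";;*") and ln not in buggy_filter(cil_text)]


if __name__ == "__main__":
    print("\n".join(fixed_filter(SAMPLE_CIL)))
    print("lost by buggy filter:", lost_source_lines(SAMPLE_CIL))
```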
Default HAL implementations are built from the platform tree and get
placed into the vendor image. The SELinux rules needed for these HAL
implementations to operate thus need to reside on the vendor
partition.
Up to now, the only place to define such rules in the source tree was
the system/sepolicy/public directory. These rules are placed into the
vendor partition. Unfortunately, they are also placed into the
system/root partition, which thus unnecessarily grants these rules to
all HAL implementations of the specified service, default/in-process
shims or not.
This commit adds a new directory, system/sepolicy/vendor, whose
rules are concatenated with the device-specific rules at build time.
These rules are thus placed into the vendor partition and are not
placed into the system/root partition.
Test: No change to SELinux policy.
Test: Rules placed into vendor directory end up in nonplat* artefacts,
but not in plat* artefacts.
Bug: 34715716
Change-Id: Iab14aa7a3311ed6d53afff673e5d112428941f1c
Bug: 33746484
Test: Successfully boot with original service and property contexts.
Successfully boot with split service and property contexts.
Change-Id: I87f95292b5860283efb2081b2223e607a52fed04
Signed-off-by: Sandeep Patil <sspatil@google.com>
This fixes the following issues introduced in commit
d225b6979d:
* plat_file_contexts was empty because the target was referencing
system/sepolicy/private/file_contexts via a misspelled variable
name.
* plat_file_contexts wasn't marked as dirty and thus wasn't rebuilt
when system/sepolicy/private/file_contexts changed. This is because
the file_contexts dependency was referenced via a misspelled
variable name.
* plat_file_contexts wasn't sorted (as opposed to other similar
targets, such as nonplat_file_contexts and file_contexts.bin). This
may lead to unnecessary non-determinism.
* nonplat_file_contexts wasn't marked dirty and thus wasn't rebuilt
when device-specific file_contexts file(s) changed. This is because
the file_contexts files were referenced via a misspelled variable
name.
Test: "make plat_file_contexts" produces a non-empty file containing
mappings from system/sepolicy/private/file_contexts
Test: "make plat_file_contexts" updates output when
system/sepolicy/private/file_contexts changes
Test: "make plat_file_contexts" produces output which is sorted
according to rules in fc_sort
Test: "make nonplat_file_contexts" updates output when
device/lge/bullhead/sepolicy/file_contexts changes (tested on
aosp_bullhead-eng)
Bug: 31363362
Change-Id: I540555651103f02c96cf958bb93618f600e47a75
Bug: 33746484
Test: Successfully boot with original service and property contexts.
Successfully boot with split service and property contexts.
Change-Id: I7881af8922834dc69b37dae3b06d921e05206564
Signed-off-by: Sandeep Patil <sspatil@google.com>
Bug: 33746484
Test: Successfully boot with original service and property contexts.
Successfully boot with split service and property contexts.
Change-Id: Ide67d37d85273c60b9e387e72fbeb87be6da306a
Signed-off-by: Sandeep Patil <sspatil@google.com>
Simulate platform and non-platform split by compiling two different
file_contexts files and loading them together on-device. Leave the existing
file_contexts.bin in place until we're ready to build images based on the new
files.
Bug: 31363362
Test: Builds and boots without additional denials.
Change-Id: I7248f876e2230cee3b3cbf386422063da1e3dde0
Bring back file_contexts.bin.
Change-Id: Ifec2c363579151080fdec48e8bc46bbbc8c97674
Signed-off-by: Sandeep Patil <sspatil@google.com>
Enabling/disabling sepolicy based on ENABLE_TREBLE is not granular
enough (ref: b/32978887 #4).
Bug: 32978887
Test: compiles, doesn't cause any additional denials on device. Nothing
depends on these things I'm removing.
Change-Id: I10acbde16e5e2093f2c9205ed79cd20caed7f44d
Prevent sepolicy and sepolicy.recover from showing up in the root
filesystem when they will not be created as part of it. Also make
sure both are added as dependencies to version_policy to ensure the
neverallow checks are run.
Bug: 31363362
Test: Builds and boots, including recovery, without additional
denials. Neverallow violations still caught at build time.
Change-Id: I39e3cbc150551c9316952523927d057538cd00a7
And do some clean up:
Replace LOCAL_TARGET_ARCH with global arch specifier that won't get
clobbered, clean up sepolicy.recovery's eng specification, ensure that
build macros are applied across all policy generation, not just
plat_policy, and make sure that all private variables are cleared and
alphabetized at the end.
Bug: 31363362
Bug: 31369363
Test: Boot into recovery and observe no selinux denials.
Change-Id: Ibc15b097f6d19acf01f6b22bee0e083b15f4ef75
Simulate platform and non-platform split by sending the split files to the
device to be compiled by init.
Bug: 31363362
Test: Policy builds on-device and boots. sediff shows no difference.
Change-Id: I9627d1c66ca37786d97a049666278a4992ad7579
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split. In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.
This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.
Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
|WITH_DEXPREOPT_PIC = false| will still cause code to be loaded from
/data.
Bug: 32970029
Test: On HiKey and Marlin:
Test: Add |WITH_DEXPREOPT_PIC = false|, see SELinux denial.
Test: Apply this CL, no SELinux denials.
Change-Id: I0a1d39eeb4d7f75d84c1908b879d9ea1ccffba74
When WITH_DEXPREOPT is set, the zygote does not need to execute
dalvikcache_data_file objects.
Bug: 32970029
Test: Add policy line inside macro, build with and without WITH_DEXPREOPT.
Test: HiKey builds, boots, no zygote denials.
Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
Strip whitespace and comments from service_context files
to reduce size. On an aosp_x86_64 build it saves 36 bytes.
However, on builds with more synclines and comments, further
space savings can be realized.
Change-Id: I3cb4effad1d1b404bf53605a3793e3070cb95651
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Strip whitespace and comments from property_context files
to reduce size. On an aosp_x86_64 build it saves 851 bytes.
However, on builds with more synclines and comments, further
space savings can be realized.
Change-Id: I43caf1deaab53d4753c835918898c8982f477ef0
Signed-off-by: William Roberts <william.c.roberts@intel.com>
checkpolicy spits out a bunch of unnecessary lines during normal
operation, which bloat the logs and hide other more important
warnings. Suppress the normal output.
SELinux compile time errors are printed to stderr, and are
unaffected by this change.
Change-Id: I07f2cbe8afcd14abf1c025355a169b5214ed5c6e
It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.
In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.
A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:
userdebug_or_eng(`
permissive foo;
')
Bug: 26902605
Bug: 27313768
Change-Id: Ic0971d9e96a28f2a98f9d56a547661d24fb81a21
Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.
To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.
Change-Id: I3775eae11bfa5905cad0d02a0bf26c76ac03437c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.
To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.
Change-Id: Id79cc6f434c41179d5c0d0d739c4718918b0b1dc
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Reduce the socket ioctl commands available to untrusted/isolated apps.
Neverallow accessing sensitive information or setting of network parameters.
Neverallow access to device private ioctls i.e. device specific
customizations as these are a common source of driver bugs.
Define common ioctl commands in ioctl_defines.
Bug: 26267358
Change-Id: Ic5c0af066e26d4cb2867568f53a3e65c5e3b5a5d
am: 26f06d172d
* commit '26f06d172dc2b55c42b1543c7ef02563241efce1':
Android.mk: cleanse all set but not unset variables
Android.mk: clean dependencies and clear variables
Dependencies being built with newline files in between
were also including the list of files without the newlines,
thus make would have to process 3n-1 files instead of 2n-1
where n is the number of files to process.
Additionally the *_with_nl variables were not being cleared
out and polluting Make's global name-space.
Change-Id: I76ea1a3dfae994b32991730aea7e4308da52a583
Signed-off-by: William Roberts <william.c.roberts@intel.com>
The target sectxfile_nl, which is an auto-generated newline file,
has dependencies on itself and the other files. The dependencies
should be on the other files and this newline file, not the other
way around. Ideally, the *_contexts recipes should have the
dependency recorded for their "contexts" files and the newline
file.
Additionally, recipe dependencies for building the *_contexts files
depended on the list of all the contexts files with the newline file
in that list, however an additional explicit addition of the newline
file was also added in. Remove this, since it's in the full list of
files.
Change-Id: Iac658923f23a8d9263d392c44003b6bda4064646
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Enable checkfc to check *_contexts against a set of valid attributes
which must be associated with all types in the contexts file that
is being checked.
Since it's imperative that checkfc knows which file it's checking to
choose the proper attribute set, the -s option is introduced to
indicate the service_contexts file. The property_contexts file continues
to use the existing -p and file_contexts requires no specification, aka
it's the default.
Failure examples:
file_contexts:
Error: type "init" is not of set: "fs_type, dev_type, file_type"
service_contexts:
Error: type "init_exec" is not of set: "service_manager_type"
property_contexts:
Error: type "bluetooth_service" is not of set: "property_type"
Change-Id: I62077e4d0760858a9459e753e14dfd209868080f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When multiple file_contexts, service_contexts and property_contexts
are processed by the m4(1) macro processor, they will fail if one
or more of the intermediate files final line is not terminated by
a newline. This patch adds an intervening file only containing a
newline.
Change-Id: Ie66b32fe477d08c69e6d6eb1725f658adc384ce4
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.
Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.
Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.
(cherry picked from commit 89765083f7)
Bug: 22846070
Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4
When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.
Change-Id: Ib9dcbf21d0a28700d500cf0ea4e412b009758d5d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.
Change-Id: Ia86eb0480c9493ceab36fed779b2fe6ab85d2b3d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.
Change-Id: Ib9c9247d36e6a6406b4df84d10e982921c07d492
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.
Change-Id: I431d6f4494fa119c1873eab0e77f0eed3fb5754e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Currently, if an error is detected in a file_contexts
file, the intermediate file_context.tmp file is removed,
thus making debugging of build issues problematic.
Instead, employ checkfc tool during the compilation recipe
so the m4 concatenated intermediate is preserved on
failure.
Change-Id: Ic827385d3bc3434b6c2a9bba5313cd42b5f15599
Signed-off-by: William Roberts <william.c.roberts@intel.com>
The goal is to enable SANITIZE_TARGET='address coverage', which
will be used by LLVMFuzzer.
Bug: 22850550
Change-Id: I953649186a7fae9b2495159237521f264d1de3b6
Some of the ALL_*_FILES variables remained that were used
in a way that could not be cleared. Move them to lower
case variants and use a build recipe PRIVATE_*_FILES variable.
This avoids polluting the global namespace.
Change-Id: I83748dab48141af7d3f10ad27fc9319eaf90b970
Signed-off-by: William Roberts <william.c.roberts@intel.com>
This change supports external/libselinux changes to implement
PCRE formatted binary file_contexts and general_file_contexts.bin
files.
The $(intermediates) directory will contain the original text file
(that is no longer used on the device) with a .tmp extension as well
as the .bin file to aid analysis.
A CleanSpec.mk file is added to remove the old file_contexts file.
Change-Id: I75a781100082c23536f70ce3603f7de42408b5ba
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
There are no guarantees on the order of the results from a call to the
wildcard function. In fact, the order usually changes between make 3.81
and make 4.0 (and kati).
Instead, sort the results of wildcard in each sepolicy directory, so
that directory order is preserved, but content ordering is reliable.
Change-Id: I1620f89bbdd2b2902f2e0c40526e893ccf5f7775
Allow device builders to pass arbitrary m4 definitions
during the build via make variable BOARD_SEPOLICY_M4DEFS.
This enables OEMs to define their own static policy build
conditionals.
Change-Id: Ibea1dbb7b8615576c5668e47f16ed0eedfa0b73c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Lowercase local variables and clear them to be
consistent with other recipes and prevent polluting
Make's global name space with set variables.
Change-Id: If455cd4f33d5babbea985867a711e8a10c21a00f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Produce a list of neverallow assertions from seapp_contexts into
a separate file, general_seapp_context_neverallows, to be used
during CTS neverallow checking.
Change-Id: I171ed43cf4ae4961f66d5d8f56695345493f1261
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Introduce "neverallow" rules for seapp_contexts. A neverallow rule is
similar to the existing key-value-pair entries but the line begins
with "neverallow". A neverallow violation is detected when all keys,
both inputs and outputs are matched. The neverallow rules value
parameter (not the key) can contain regular expressions to assist in
matching. Neverallow rules are never output to the generated
seapp_contexts file.
Also, unless -o is specified, checkseapp runs in silent mode and
outputs nothing. Specifying - as an argument to -o outputs to stdout.
Sample Output:
Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app"
Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
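A simplified model of the neverallow check described in the commit above, added here as an illustration and not taken from checkseapp itself. It assumes full-match regex semantics for rule values and treats input and output keys alike; the seapp_contexts sample is constructed for this example.

```python
import re

# Constructed sample in seapp_contexts syntax; the line numbers in the
# results refer to this string, not to any real AOSP seapp_contexts file.
SAMPLE_SEAPP_CONTEXTS = """\
isSystemServer=true domain=system_server
neverallow user=((?!system).)* domain=system_app
user=system seinfo=platform domain=system_app type=system_app_data_file
user=fake domain=system_app type=app_data_file
user=_app domain=untrusted_app type=app_data_file
"""

def parse_pairs(text):
    """Turn 'key=value key=value ...' into a dict (values contain no spaces)."""
    pairs = {}
    for token in text.split():
        key, _, value = token.partition("=")
        pairs[key] = value
    return pairs

def load(text):
    """Separate neverallow rules from ordinary entries, keeping line numbers."""
    rules, entries = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("neverallow "):
            rules.append((lineno, parse_pairs(line[len("neverallow "):])))
        else:
            entries.append((lineno, parse_pairs(line)))
    return rules, entries

def violates(entry, rule):
    """A violation needs every rule key present in the entry and the entry's
    value fully matched by the rule's regex (assumed full-match semantics)."""
    return all(key in entry and re.fullmatch(pattern, entry[key]) is not None
               for key, pattern in rule.items())

def check(text):
    """Return (entry_line, rule_line) pairs for every violation found."""
    rules, entries = load(text)
    return [(eline, rline) for eline, entry in entries
            for rline, rule in rules if violates(entry, rule)]

def report(text, path="seapp_contexts"):
    """Render violations in the style of the commit's sample output."""
    lines = text.splitlines()
    return [f'Error: Rule in File "{path}" on line {e}: "{lines[e - 1]}" violates '
            f'neverallow in File "{path}" on line {r}: "{lines[r - 1][len("neverallow "):]}"'
            for e, r in check(text)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SEAPP_CONTEXTS)))
```

Only the `user=fake` entry trips the rule: `user=system` fails the negative-lookahead regex and `user=_app` has a different domain.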
Create a macro of unprivileged ioctls including
- All common socket ioctls except MAC address
- All wireless extensions ioctls except get/set ESSID
- Some commonly used tty ioctls
Bug: 21657002
Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
As suggested in the comments on
https://android-review.googlesource.com/#/c/141560/
drop BOARD_SEPOLICY_UNION and simplify the build_policy logic.
Union all files found under BOARD_SEPOLICY_DIRS.
Unlike BOARD_SEPOLICY_REPLACE/IGNORE, on which we trigger an error
to catch any lingering uses and force updating of the BoardConfig.mk
files, we only warn on uses of BOARD_SEPOLICY_UNION to avoid
breaking the build until all device BoardConfig*.mk files have been
updated, and since they should be harmless - the files will be unioned
regardless.
Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
With changes I431c1ab22fc53749f623937154b9ec43469d9645 and
Ia54aa263f2245c7090f4b9d9703130c19f11bd28, it is no longer
legitimate to use BOARD_SEPOLICY_IGNORE or REPLACE with
any of the *_contexts files since the CTS requires the AOSP
entries to be present in the device files.
Further, these changes render BOARD_SEPOLICY_IGNORE unusable for
most policy files since all domains and types referenced within any
of the AOSP *_contexts entries must be defined in the kernel policy, so
you cannot use BOARD_SEPOLICY_IGNORE to exclude any .te file
that defines a type referenced in any of those *_contexts files.
There does not seem to be a significant need for such a facility,
as AOSP policy is small and only domains and types used by most
devices should be defined in external/sepolicy.
BOARD_SEPOLICY_REPLACE is commonly misused to eliminate neverallow rules
from AOSP policy, which will only lead to CTS failures, especially
since change Iefe508df265f62efa92f8eb74fc65542d39e3e74 introduced neverallow
checking on the entire policy via sepolicy-analyze. The only remaining
legitimate function of BOARD_SEPOLICY_REPLACE is to support overriding
AOSP .te files with more restrictive rule sets. However, the need for this
facility has been significantly reduced by the fact that AOSP policy
is now fully confined + enforcing for all domains, and further restrictions
beyond AOSP carry a compatibility risk.
Builders of custom policies and custom ROMs still have the freedom to
apply patches on top of external/sepolicy to tighten rule sets (which are
likely more maintainable than maintaining a completely separate copy of
the file via BOARD_SEPOLICY_REPLACE) and/or of using their own separate
policy build system as exemplified by
https://bitbucket.org/quarksecurity/build-policies
Change-Id: I2611e983f7cbfa15f9d45ec3ea301e94132b06fa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Failed to include base_rules.mk, so this target was not being built.
Change-Id: I2414fa6c3e3e37c74f63c205e3694d1a811c956e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Generate general forms of the remaining *_contexts files with only the
device-independent entries for use in CTS testing.
Change-Id: I2bf0e41db8a73c26754cedd92cbc3783ff03d6b5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Generate a general_seapp_contexts file with only the
device-independent entries, similar to general_sepolicy.conf.
This is for use by CTS tests to compare with the prefix of
device seapp_contexts.
Change-Id: If8d1456afff5347adff7157411c6a160484e0b39
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
It's beneficial to be able to override this in a device makefile
if you need to get the domains into an unconfined state to keep
the logs from filling up on kernel entries without having to add
rules into device specific policy.
Change-Id: I7778be01256ac601f247e4d6e12573d0d23d12a1
This seems to not really be used, especially considering
that the init.rc does not have a oneshot service for it, and it's
not using the build_policy() and other things to even make it
configurable.
Change-Id: I964f94b30103917ed39cf5d003564de456b169a5
Change-Id I52fd5fbe30a7f52f1143f176915ce55fb6a33f87 was only intended
for lollipop, not for master.
This reverts commit 2aa727e3f0.
Change-Id: If2101939eb50cd6bbcde118b91c003d1f30d811c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Recovery should never be accessing files from /data.
In particular, /data may be encrypted, and the files within
/data will be inaccessible to recovery, because recovery doesn't
know the decryption key.
Enforce write/execute restrictions on recovery. We can't tighten
it up further because domain.te contains some /data read-only
access rules, which shouldn't apply to recovery but do.
Create neverallow_macros, used for storing permission macros
useful for neverallow rules. Standardize recovery.te and
property_data_file on the new macros.
Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88
Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're preparing a release,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.
Without this change, our user builds will behave differently than
userdebug builds, complicating testing.
Change-Id: I52fd5fbe30a7f52f1143f176915ce55fb6a33f87
Add a service_manager class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.
Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
The selinux_version file is used to perform policy
versioning checks by libselinux and SELinuxMMAC. When
loading policy a check is first performed to determine
if the policy out in /data/security/current should be
used to override the base policy shipped with the device.
The selinux_version file is used to make that choice. The
contents of the file simply contain the BUILD_FINGERPRINT
that the policy was built against. A simple string comparison
is then performed by libselinux and SELinuxMMAC.
Change-Id: I69d9d071743cfd46bb247c98f94a193396f8ebbd
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Create a separate recovery policy and only include the
recovery domain allow rules in it.
Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're approaching stabilization,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.
Change-Id: I1467b6b633934b18689683f3a3085329bb96dae1
Added a new check to make sure that all listed
BOARD_SEPOLICY_UNION files are located somewhere
in the listed BOARD_SEPOLICY_DIRS locations. The
build will error out otherwise.
Change-Id: Icc5febc5fe5a7cccb90ac5b83e6289c2aa5bf069
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.
Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.
This will ensure that all SELinux domains have at least a
minimal level of protection.
Unconditionally enable this flag for all user builds.
Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
Create a new m4 macro called userdebug_or_eng. Arguments
passed to this macro are only emitted if we're performing
a userdebug or eng build.
Merge shell.te and shell_user.te and eliminate duplicate
lines. Same for su.te and su_user.te
Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0
Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.
Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
In 9af6f1bd59, the -d option
was dropped from insertkeys.py. This was done to allow an
Android distribution to replace the default version of
keys.conf distributed in external/sepolicy/keys.conf. keys.conf
was modified to reference the publicly known test keys in
build/target/product/security.
Unfortunately, this broke Google's build of Android. Instead
of incorporating our keys directory, we were using the
default AOSP keys. As a result, apps were getting assigned
to the wrong SELinux domain. (see "Steps to reproduce" below)
This change continues to allow others to replace keys.conf,
but makes DEFAULT_SYSTEM_DEV_CERTIFICATE available as an
environment variable in case the customized version wants to
make reference to it. This change also modifies the stock
version of keys.conf to use DEFAULT_SYSTEM_DEV_CERTIFICATE,
which should be appropriate for most Android distributions.
It doesn't make any sense to force each OEM to have a copy of
this file.
Steps to reproduce.
1) Compile and boot Android.
2) Run the following command: "adb shell ps -Z | grep process.media"
Expected:
$ adb shell ps -Z | grep process.media
u:r:media_app:s0 u0_a5 1332 202 android.process.media
Actual:
$ adb shell ps -Z | grep process.media
u:r:untrusted_app:s0 u0_a5 3617 187 android.process.media
Bug: 11327304
Change-Id: Ica24fb25c5f9c0e2f4d181718c757cf372467822
This breaks the ability for users to have certs in many
directories. Currently the design is to allow keys.conf
to specify arbitrary locations for pem files, relative to
the root of the Android tree. If users want to have a
common prefix on all the keys, then they can export
DEFAULT_SYSTEM_DEV_CERTIFICATE, and make that an environment
variable in their keys.conf file.
Signed-off-by: William Roberts <wroberts@tresys.com>
Change-Id: I23455b891206cab6eca7db08ff3c28283f87c640
Signed-off-by: William Roberts <wroberts@tresys.com>
Increase the SELinux policy version to 26. This is needed
for name-based transitions used by the manta sepolicy.
Requires kernel 3.0 or higher.
Change-Id: I046fa9f7122f77506c70b2c735345bc0194935df
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Allow script to union mac_permissions.xml files
specified using the BOARD_SEPOLICY_DIRS and
BOARD_SEPOLICY_UNION constructs.
Change-Id: I4fc65fd1ab4c612f25e966f030247e54a270b614
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Assortment of policy changes include:
* Bluetooth domain to talk to init and procfs.
* New device node domains.
* Allow zygote to talk to its executable.
* Update system domain access to new device node domains.
* Create a post-process sepolicy with dontaudits removed.
* Allow rild to use the tty device.
Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Support the insertion of the public key from pem
files into the mac_permissions.xml file at build
time.
Change-Id: Ia42b6cba39bf93723ed3fb85236eb8f80a08962a
This is a rewrite of the existing implementation.
Three new variables are now needed to add/modify
the existing base policy. They are, BOARD_SEPOLICY_REPLACE
and BOARD_SEPOLICY_UNION which govern what files
are replaced and concatenated, and BOARD_SEPOLICY_DIRS
which lists the various directories that will contain
the BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION
policy files.
Change-Id: Id33381268cef03245c56bc5242fec7da9b6c6493
Signed-off-by: rpcraig <robertpcraig@gmail.com>
"sepolicy" is a phony target defined by the build system.
If you use it as dependency of a file target, you'll get unnecessary
rebuild.
Change-Id: I3a948ebbaff6a146050eb86a3d04cdc050f7c001
The policy version suffix support was carried over from conventional
Linux distributions, where we needed to support simultaneous installation
of multiple kernels and policies. This isn't required for Android, so
get rid of it and thereby simplify the policy pathname.
We still default to generating a specific policy version (the highest
one supported by the emulator kernel), but this can be overridden
by setting POLICYVERS on the make command-line or in the environment.
Requires a corresponding change to libselinux.
Change-Id: I40c88e13e8063ea37c2b9ab5b3ff8b0aa595402a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* commit '10f9a3727a5c46ef23f5f0385ae4ffec20cb46d9':
Corrected grammatical issues
Added new line to end of file
Changed seapp_contexts temporary file naming
Fix mls checking code
Support overrides in seapp_contexts
Add tf_daemon labeling support.
Add ppp/mtp policy.
per device seapp_context support
dhcp policy.
Trusted Execution Environment policy.
ocontexts was split up into 4 files:
1. fs_use
2. genfs_contexts
3. initial_sid_contexts
4. port_contexts
Each file has its respective declarations in it.
Devices, in their respective device directory, can now specify sepolicy.fs_use, sepolicy.genfs_contexts, sepolicy.port_contexts, and sepolicy.initial_sid_contexts. These declarations will be added right behind their respective sepolicy counterparts in the concatenated configuration file.
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
Avoid any future collisions with the use of .fc or .te suffixes in the
per-device directories. If we want multiple file support, add a separate
subdirectory for sepolicy files.