Commit graph

83 commits

Author SHA1 Message Date
William Roberts
49693f1b4d fc_sort: initial commit
Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: I3775eae11bfa5905cad0d02a0bf26c76ac03437c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-14 17:39:07 -08:00
William Roberts
922b4e9522 checkfc: do not die on 0 length fc's
Checkfc was treating 0 size fc files as a fatal error.
An empty fc file should be treated as "nothing to check"
so long as the -e option is passed.

We add this option, so we don't allow empty file_context
files to pass CTS checking.

Change-Id: Ibca6bd948a13389e10c605d613acc48c5504443e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-14 17:39:07 -08:00
Jeffrey Vander Stoep
5de7574a59 Merge "Revert "fc_sort: initial commit"" 2016-01-14 23:30:56 +00:00
Jeffrey Vander Stoep
b1fb7e4037 Revert "fc_sort: initial commit"
Breaks builds with no device specific policy.

Bug: 26568553
This reverts commit 29d146887e.

Change-Id: If9254d4ad3f104a96325beedebc05dd22664084a
2016-01-14 23:28:51 +00:00
William Roberts
c68a277f5e fc_sort: add NOTICE file
Change-Id: I0e63f90cafc5b1ca9cc112e852e172046b16a17e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-14 10:45:45 -08:00
William Roberts
29d146887e fc_sort: initial commit
Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: Id79cc6f434c41179d5c0d0d739c4718918b0b1dc
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-07 10:11:52 -08:00
William Roberts
ad3cb39e54 checkfc: add attribute test
Enable checkfc to check *_contexts against a set of valid attributes
which must be associated with all types in the contexts file that
is being checked.

Since it's imperative that checkfc knows which file its checking to
choose the proper attribute set, the -s option is introduced to
indicate the service_contexts file. The property_contexts file continues
to use the existing -p and file_contexts requires no specification, aka
it's the default.

Failure examples:
file_contexts:
Error: type "init" is not of set: "fs_type, dev_type, file_type"

service_contexts:
Error: type "init_exec" is not of set: "service_manager_type"

property_contexts:
Error: type "bluetooth_service" is not of set: "property_type"

Change-Id: I62077e4d0760858a9459e753e14dfd209868080f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-12-14 23:37:10 +00:00
Jeff Vander Stoep
ee9c0b5fb6 Add priv_app domain to global seapp_context
Assign priviliged apps not signed with the platform key to the priv_app
domain.

Bug: 22033466
Change-Id: Idf7fbe7adbdc326835a179b554f96951b69395bc
2015-10-14 21:23:54 +00:00
Stephen Smalley
13b6b7e88f checkfc: add support for comparing two file_contexts files.
Extend checkfc to support comparing two file_contexts or
file_contexts.bin files.  This is for use by the CTS
SELinuxHostTest to compare the AOSP general_file_contexts
with the device file_contexts.bin file.

Depends on I0fe63e0c7f11ae067b5aac2f468f7842e5d76986.

Change-Id: I2fff2f8cf87690a76219ddf4cf38939650f34782
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-12 18:37:02 +00:00
William Roberts
81e1f90cd1 check_seapp: add support for "neverallow" checks
Introduce "neverallow" rules for seapp_contexts. A neverallow rule is
similar to the existing key-value-pair entries but the line begins
with "neverallow". A neverallow violation is detected when all keys,
both inputs and outputs are matched. The neverallow rules value
parameter (not the key) can contain regular expressions to assist in
matching. Neverallow rules are never output to the generated
seapp_contexts file.

Also, unless -o is specified, checkseapp runs in silent mode and
outputs nothing. Specifying - as an argument to -o outputs to stdout.

Sample Output:
Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app"

Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-25 23:53:46 +00:00
William Roberts
7d65b547d3 check_seapp: mac build memory leak
rule_map_free() took as a parameter a boolean menu rule_map_switch
that was used to determine if it should free the key pointer that
is also in the table. On GLIBC variants, calls to hdestroy do not
free the key pointer, on NON-GLIBC variants, it does. The original
patch was meant to correct this, however, it always passes "destroy"
as the rule_map_switch. On GLIBC variants this is fine, however on
NON-GLIBC variants, that free was compiled out, and the free() was
handled by hdestroy. In cases of failure where the rule_map was not
in the htable, those key's were not properly free'd.

Change-Id: Ifdf616e09862bca642a4d31bf0cb266168170e50
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-23 12:25:35 -07:00
William Roberts
f26b6d427c drop unused option -s
Change-Id: I00aa4eeaf569c8108a7b6aab190be68e53b46597
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-23 10:23:01 -07:00
William Roberts
8d3a1b558e correct all error messages
When an error occured it was erroneously being indicated that he
file was the output file, not the input file.

Before:
Error: Could not find selinux type "fake_app" on line: 51 in file: out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts
Error: Could not validate
Error: reading out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts.tmp, line 51, name levelFrom, value user

After:
Error: Could not find selinux type "fake_app" on line: 51 in file: out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts.tmp
Error: Could not validate
Error: reading out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts.tmp, line 51, name levelFrom, value user

Change-Id: Ib0e01f1f0ef563a2a150a0a3b4012e6e15d736bb
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-19 09:14:40 -07:00
William Roberts
773d412665 check_seapp: Correct output on duplicate entries
If a duplicate entry is found, rule_map_cmp() incorrectly
assumes that the lengths of the key value pairs should be
equal, when this is not true. The duplicate detection is
done on the input parameters, thus the lengths can be
different. This resulted in a duplicate error string
message of "do not match", instead of "match on all inputs".

Also, the file name printed that contained the error was
the output file, not the input file that contained it.

Change-Id: I9b3f99fa4aa3454849de55f18b198b0b56e44320
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-11 17:21:06 -07:00
dcashman
96136d847d sepolicy-analyze: use headers from common selinux project.
Point to external/selinux/libsepol instead of external/libsepol.

Change-Id: I09c33a4cbd7b4cd3ef2341c042259b96c0b59372
2015-06-10 10:42:41 -07:00
Jeff Vander Stoep
53b480137f tools: use headers from common selinux project
Point to external/selinux/libsepol instead of external/libsepol

Change-Id: If6dc1e9261f397d801ba2376ab60c5dc5b5d86e4
2015-06-09 12:56:26 -07:00
dcashman
28acbeab18 Fix sepolicy-analyze libc++.so loading issue w/CTS.
Addresses the following error when running CTS on master:
junit.framework.AssertionFailedError: The following errors were encountered when validating the SELinuxneverallow rule:
neverallow { appdomain -bluetooth } self:capability *;
/tmp/SELinuxHostTest5593810182495331783.tmp: error while loading shared libraries: libc++.so: cannot open shared object file: No such file or directory

Also indicate that none of the sepolicy tools need c++ std lib.

(cherry-pick of 0cdb0517be696c0dc6882d289eedd45bf2da918c now made possible by
addition of commit: 28b72eddd54cb1287dd7daae853e8e4b78fa17eb)

Bug: 19617220
Change-Id: I2c5b7ab1ddeb0e02cbaad2b7d5430a0974524a89
2015-05-12 11:06:44 -07:00
Dan Albert
0d3bf4beac Revert "Fix sepolicy-analyze libc++.so loading issue w/CTS."
This is causing more harm than good. We'll just make these all link
libc++ again and work out the CTS issues if they still exist.

Bug: 19778891

This reverts commit 3812cf58cb.

Change-Id: Iaea8f6acb147da4275633a760ccb32951db7f8b6
2015-03-17 11:41:04 -07:00
Dan Albert
f0852340af Revert "Don't use address sanitizer for selinux tools."
This is causing more harm than good. We'll just make these all link
libc++ again (another revert) and work out the CTS issues if they still
exist.

Bug: 19778891

This reverts commit a5113a1500.

Change-Id: I35a4c93dae4abb66e3525451d5ce01e33a540895
2015-03-17 17:38:55 +00:00
Dan Albert
a5113a1500 Don't use address sanitizer for selinux tools.
Address sanitizer requires using libc++ (apparently). We removed
libc++ from these projects since they were C and the SDK/CTS was not
able to find libc++.

If we're interested in continuing to use ASAN on these tools
(probably), we should turn libc++ back on once we're sure CTS won't
die.

Bug: 19778891
Change-Id: I3c1913171a15396ead73277ec1186fead730f66d
2015-03-16 17:39:40 -07:00
dcashman
3812cf58cb Fix sepolicy-analyze libc++.so loading issue w/CTS.
Addresses the following error when running CTS on master:
junit.framework.AssertionFailedError: The following errors were encountered when validating the SELinuxneverallow rule:
neverallow { appdomain -bluetooth } self:capability *;
/tmp/SELinuxHostTest5593810182495331783.tmp: error while loading shared libraries: libc++.so: cannot open shared object file: No such file or directory

Also indicate that none of the sepolicy tools need c++ std lib.

Bug: 19617220

Change-Id: I713b3cbd1220655413d399c7cd2b0b50459a5485
2015-03-16 13:07:46 -07:00
Stephen Smalley
0233cd800e sepolicy-analyze: Add attribute command.
Add an attribute command to sepolicy-analyze for displaying the list
of types associated with an attribute in a policy.  This is for use
by CTS to check what domains and types are associated with certain
attributes such as mlstrustedsubject and mlstrustedobject.

Change-Id: Ie19361c02feb1ad14ce36862c6aace9e66c422bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-13 12:22:39 -04:00
Stephen Smalley
d155914479 sepolicy-analyze: Change booleans command to be more test-friendly.
Instead of displaying the boolean count, display a list of booleans
defined in the policy, if any.  This makes sepolicy-analyze booleans
consistent with sepolicy-analyze permissive and allows automated tests
to simply check whether there was any output at all.

Change-Id: I221b60d94e6e7f6d80399bf0833887af3747fe83
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-12 10:01:49 -04:00
Stephen Smalley
a7b2c5f4ab sepolicy-analyze: Implement booleans test.
Implement the booleans test in sepolicy-analyze so
that we can move the no-booleans check from the
SELinuxTest to the SELinuxHostTest along with the
other policy checks.

Change-Id: I95d7ad34da10c354470f43734d34a6ec631a7b4e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-11 17:03:42 -04:00
Stephen Smalley
a02dbf4ee3 am 884ee2a6: checkseapp, seapp_contexts: drop sebool= support.
* commit '884ee2a61cc78ddaaf54b812932730045dd155c3':
  checkseapp, seapp_contexts:  drop sebool= support.
2015-02-24 00:39:50 +00:00
Stephen Smalley
afc841af8d am 534fb071: checkseapp: Detect duplicate keys in seapp_contexts entries.
* commit '534fb0711d95615a77af23ffe643e8b720a527e6':
  checkseapp:  Detect duplicate keys in seapp_contexts entries.
2015-02-24 00:39:49 +00:00
Stephen Smalley
884ee2a61c checkseapp, seapp_contexts: drop sebool= support.
SELinux policy booleans are prohibited in AOSP, so we can drop the
support for the sebool= input selector.

Change-Id: I5ae31247b2f68d90f6ae4c8830458f22c4ffc854
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-24 00:36:24 +00:00
Stephen Smalley
534fb0711d checkseapp: Detect duplicate keys in seapp_contexts entries.
Presently it ignores duplicate keys in seapp_contexts entries, e.g.
if you were to specify:

user=system seinfo=platform user=bluetooth domain=system_app type=system_app_data_file

checkseapp would ignore the duplicate and libselinux would end up using
the last value defined for the key in each line.

Change-Id: I18cadb0c1bf5a907e6fc6513df65aafed91d76fe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-24 00:35:23 +00:00
Nick Kralevich
29d2a05b78 am c6a0feb4: Merge "checkseapp: Detect duplicate entries within seapp_contexts."
* commit 'c6a0feb44d3f9bb1f30671dad298040c594a2fe6':
  checkseapp:  Detect duplicate entries within seapp_contexts.
2015-02-24 00:05:53 +00:00
Stephen Smalley
0b820042e4 checkseapp: Detect duplicate entries within seapp_contexts.
Presently it only detects complete duplicates if you specify -s (strict),
which is not used in the external/sepolicy Makefile, and it allows
overriding earlier entries that have the same input selectors (e.g.
user=, seinfo=) with different values for the output selectors (e.g.
domain=, type=).  Thus, a device/<vendor>/<board>/sepolicy/seapp_contexts
file can override the external/sepolicy definitions, and even a single
seapp_contexts file can contain duplicated or conflicting definitions.

Make it always check strictly, and prohibit either duplicates on the
input selectors (i.e. overrides) or complete duplicates (redundant).

Change-Id: Id1e38133cbe31b796253101cfe3b111d1826bc8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-13 14:58:31 -05:00
dcashman
96550ed453 am 6b111e47: am 3b0988c5: Merge "Adjust sepolicy-analyze to reflect libsepol changes."
* commit '6b111e4761bf960e9f0010a7e9320eab83ca052e':
  Adjust sepolicy-analyze to reflect libsepol changes.
2015-01-13 23:26:10 +00:00
dcashman
0de2b45f63 Adjust sepolicy-analyze to reflect libsepol changes.
Commit dc0ab516f11d8e2c413315e733e25a41ba468e4f changed the libsepol
structures on which sepolicy-analyze relies so that it could be compiled
as a C++ library.  Reflect this change in sepolicy-analyze.

Change-Id: I7da601767c3a4ebed7274e33304d8b589a9115fe
2014-12-22 15:31:38 -08:00
dcashman
264dc2a8b3 resolved conflicts for merge of 598b87c2 to lmp-mr1-dev-plus-aosp
Change-Id: If652f7e81a2589647a7d0d697b2130f8bf32c513
2014-12-02 14:10:09 -08:00
William Roberts
47c1461156 Fix sepolicy-analyze build with different toolchains
host C: sepolicy-analyze <= external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c
external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c: In function 'usage':
external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c:30:5: error: 'for' loop initial declarations are only allowed in C99 mode
external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c:30:5: note: use option -std=c99 or -std=gnu99 to compile your code
make: *** [out/host/linux-x86/obj/EXECUTABLES/sepolicy-analyze_intermediates/sepolicy-analyze.o] Error 1

Change-Id: I9222e447b032d051c251c9718e2b8d5ffb9e9c35
2014-12-01 11:45:54 -08:00
Dan Albert
460c3f1630 resolved conflicts in merge of 3fa92bed to lmp-mr1-dev-plus-aosp
Change-Id: I5630bddc1dd2f5ce9d9f6091903c0cf6cafc38ca
2014-11-20 18:26:58 -08:00
Narayan Kamath
f639e96b2b Undo idiotic build fix.
Just remove unused variables instead of making them refer to
the wrong statics.

Change-Id: I314bfe91b7912f7d8c9cba7dd55a76d72c879a51
2014-11-20 12:07:33 +00:00
Narayan Kamath
012dd73460 Fix build.
Introduced by the merge conflict resolution for
3a1eb33be6.

Change-Id: Iddbc9e4d83c513d7003102f881793b5b7945566c
2014-11-20 11:44:54 +00:00
dcashman
3fa92beda7 Accept command-line input for neverallow-check.
Also, divide each sepolicy-analyze function into its own component for simplified
command-line parsing and potentially eventual modularization.
Bug: 18005561

Cherry-pick from: https://android-review.googlesource.com/#/c/111626/

Change-Id: I751a99feffe820308ec58514fdba4cdef184d964
2014-11-19 15:44:14 -08:00
dcashman
fe0d6cb8f7 resolved conflicts for merge of 3a1eb33b to lmp-mr1-dev-plus-aosp
Change-Id: I5cdc157157b6ed382e4827406bce7406fc2c3e3a
2014-11-19 14:07:41 -08:00
Stephen Smalley
3a1eb33be6 Add neverallow checking to sepolicy-analyze.
See NEVERALLOW CHECKING in tools/README for documentation.

Depends on change I45b3502ff96b1d093574e1fecff93a582f8d00bd
for libsepol to support reporting all neverallow failures.

Change-Id: I47c16ccb910ac730c092cb3ab977c59cb8197ce0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-11-13 15:14:26 -08:00
dcashman
ef4fd30672 Accept command-line input for neverallow-check.
Also, divide each sepolicy-analyze function into its own component for simplified
command-line parsing and potentially eventual modularization.

Bug: 18005561
Change-Id: I45fa07d776cf1bec7d60dba0c03ee05142b86c19
2014-10-31 11:38:32 -07:00
Nick Kralevich
74bbf703df maybe fix mac build.
1 warning generated.
  external/sepolicy/tools/sepolicy-analyze.c:446:27: error: implicit declaration of function 'isspace' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
          while (p < end && isspace(*p))
                          ^
  1 error generated.
  make: *** [out/host/darwin-x86/obj32/EXECUTABLES/sepolicy-analyze_intermediates/sepolicy-analyze.o] Error 1
  make: *** Waiting for unfinished jobs....

Change-Id: I250dcef7c726d5b66835dc51c057e472b801aa2c
2014-10-14 20:35:23 -07:00
Stephen Smalley
59906bf893 Add neverallow checking to sepolicy-analyze.
See NEVERALLOW CHECKING in tools/README for documentation.

Depends on change I45b3502ff96b1d093574e1fecff93a582f8d00bd
for libsepol to support reporting all neverallow failures.

Change-Id: I47c16ccb910ac730c092cb3ab977c59cb8197ce0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-14 10:17:40 -04:00
Stephen Smalley
ff4db9194e Add isOwner= input selector for seapp_contexts.
Enable labeling apps differently depending on whether they
are running for the primary user / owner or for a secondary user.

Change-Id: I37aa5b183a7a617cce68ccf14510c31dfee4e04d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-15 15:55:04 -04:00
dcashman
c30dd63f56 Add permissive domains check to sepolicy-analyze.
Also enable global reading of kernel policy file. Motivation for this is to
allow read access to the kernel version of the binary selinux policy.

Bug: 17288791

Change-Id: I1eefb457cea1164a8aa9eeb7683b3d99ee56ca99
2014-08-27 14:54:48 -07:00
dcashman
9793ea7aa6 Add permissive domains check to sepolicy-analyze.
Also enable global reading of kernel policy file. Motivation for this is to
allow read access to the kernel version of the binary selinux policy.

Change-Id: I1eefb457cea1164a8aa9eeb7683b3d99ee56ca99
2014-08-22 11:54:35 -07:00
Stephen Smalley
43b9cfd356 Refine sepolicy-analyze -D / dup detection.
We were incorrectly reporting overlapping rules as duplicates.
Only report cases where an attribute-based rule is a superset
of type-based rule.  Also omit self rules as they are often due
to expansion of domain self rules by checkpolicy.

Change-Id: I27f33cdf9467be5fdb6ce148aa0006d407291833
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-17 14:42:09 -04:00
Stephen Smalley
f4fa7567f4 Treat seinfo=default name=<anything> as an error.
check_app already checks for usage of name= entries
in seapp_contexts with no seinfo= specification to
link it back to a signer in mac_permissions.xml.
However, one can avoid this error by specifying
a seinfo=default which merely matches the default
stanza of mac_permissions.xml without actually ensuring
that it is tied to a specific certificate.  Catch
that error case too.

Change-Id: If33cf21501e8bfee44d31c92b6341dfa583552b2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-04-04 14:16:46 -04:00
Robert Craig
3ea628fccc Remove errant newline from generated policy file.
When running the post_process_mac_perms script
an unneeded newline is appended to modified
mac_permissions.xml file. Use sys.stdout.write
instead which avoids any formatting when printing.

Change-Id: Ib662dab1566299467371389dc236619aec40f5ac
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-04-01 11:22:53 -04:00
Robert Craig
4caa6d4b89 Update README concerning post_process_mac_perms script.
Change-Id: Iabda448d252d3b1ce19809c7f5de0dca3942f60c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-03-25 13:51:59 -04:00