Introduce "neverallow" rules for seapp_contexts. A neverallow rule is
similar to the existing key-value-pair entries but the line begins
with "neverallow". A neverallow violation is detected when all keys,
both inputs and outputs are matched. The neverallow rules value
parameter (not the key) can contain regular expressions to assist in
matching. Neverallow rules are never output to the generated
seapp_contexts file.
Also, unless -o is specified, checkseapp runs in silent mode and
outputs nothing. Specifying - as an argument to -o outputs to stdout.
Sample Output:
Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app"
Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
rule_map_free() took as a parameter a boolean menu rule_map_switch
that was used to determine if it should free the key pointer that
is also in the table. On GLIBC variants, calls to hdestroy do not
free the key pointer, on NON-GLIBC variants, it does. The original
patch was meant to correct this, however, it always passes "destroy"
as the rule_map_switch. On GLIBC variants this is fine, however on
NON-GLIBC variants, that free was compiled out, and the free() was
handled by hdestroy. In cases of failure where the rule_map was not
in the htable, those key's were not properly free'd.
Change-Id: Ifdf616e09862bca642a4d31bf0cb266168170e50
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When an error occured it was erroneously being indicated that he
file was the output file, not the input file.
Before:
Error: Could not find selinux type "fake_app" on line: 51 in file: out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts
Error: Could not validate
Error: reading out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts.tmp, line 51, name levelFrom, value user
After:
Error: Could not find selinux type "fake_app" on line: 51 in file: out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts.tmp
Error: Could not validate
Error: reading out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts.tmp, line 51, name levelFrom, value user
Change-Id: Ib0e01f1f0ef563a2a150a0a3b4012e6e15d736bb
Signed-off-by: William Roberts <william.c.roberts@intel.com>
If a duplicate entry is found, rule_map_cmp() incorrectly
assumes that the lengths of the key value pairs should be
equal, when this is not true. The duplicate detection is
done on the input parameters, thus the lengths can be
different. This resulted in a duplicate error string
message of "do not match", instead of "match on all inputs".
Also, the file name printed that contained the error was
the output file, not the input file that contained it.
Change-Id: I9b3f99fa4aa3454849de55f18b198b0b56e44320
Signed-off-by: William Roberts <william.c.roberts@intel.com>
SELinux policy booleans are prohibited in AOSP, so we can drop the
support for the sebool= input selector.
Change-Id: I5ae31247b2f68d90f6ae4c8830458f22c4ffc854
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Presently it ignores duplicate keys in seapp_contexts entries, e.g.
if you were to specify:
user=system seinfo=platform user=bluetooth domain=system_app type=system_app_data_file
checkseapp would ignore the duplicate and libselinux would end up using
the last value defined for the key in each line.
Change-Id: I18cadb0c1bf5a907e6fc6513df65aafed91d76fe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Presently it only detects complete duplicates if you specify -s (strict),
which is not used in the external/sepolicy Makefile, and it allows
overriding earlier entries that have the same input selectors (e.g.
user=, seinfo=) with different values for the output selectors (e.g.
domain=, type=). Thus, a device/<vendor>/<board>/sepolicy/seapp_contexts
file can override the external/sepolicy definitions, and even a single
seapp_contexts file can contain duplicated or conflicting definitions.
Make it always check strictly, and prohibit either duplicates on the
input selectors (i.e. overrides) or complete duplicates (redundant).
Change-Id: Id1e38133cbe31b796253101cfe3b111d1826bc8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Enable labeling apps differently depending on whether they
are running for the primary user / owner or for a secondary user.
Change-Id: I37aa5b183a7a617cce68ccf14510c31dfee4e04d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
check_app already checks for usage of name= entries
in seapp_contexts with no seinfo= specification to
link it back to a signer in mac_permissions.xml.
However, one can avoid this error by specifying
a seinfo=default which merely matches the default
stanza of mac_permissions.xml without actually ensuring
that it is tied to a specific certificate. Catch
that error case too.
Change-Id: If33cf21501e8bfee44d31c92b6341dfa583552b2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Extend check_seapp to accept the use of the new path= specifier
in seapp_contexts and use it to ensure proper labeling of the cache
subdirectory of com.android.providers.downloads for restorecon.
After this change, restorecon /data/data/com.android.providers.downloads/cache
does not change the context, leaving it in download_file rather than
relabeling it to platform_app_data_file.
Depends on Iddaa3931cfd4ddd5b9f62cd66989e1f26553baa1.
Change-Id: Ief65b8c8dcb44ec701d53e0b58c52d6688cc2a14
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
And also remove the unnecessary references to libselinux for
sepolicy-check, as it has no dependencies on libselinux.
Also enable -Wall -Werror on building all of these tools and
fix up all such errors.
Usage:
$ sepolicy-analyze -e -P out/target/product/<device>/root/sepolicy
or
$ sepolicy-analyze -d -P out/target/product/<device>/root/sepolicy
The first form will display all type pairs that are "equivalent", i.e.
they are identical with respect to allow rules, including indirect allow
rules via attributes and default-enabled conditional rules (i.e. default
boolean values yield a true conditional expression).
Equivalent types are candidates for being coalesced into a single type.
However, there may be legitimate reasons for them to remain separate,
for example:
- the types may differ in a respect not included in the current
analysis, such as default-disabled conditional rules, audit-related
rules (auditallow or dontaudit), default type transitions, or
constraints (e.g. mls), or
- the current policy may be overly permissive with respect to one or the
other of the types and thus the correct action may be to tighten access
to one or the other rather than coalescing them together, or
- the domains that would in fact have different accesses to the types
may not yet be defined or may be unconfined in the policy you are
analyzing (e.g. in AOSP policy).
The second form will display type pairs that differ and the first
difference found between the two types. This output can be long.
We have plans to explore further enhancements to this tool, including
support for identifying isomorphic types. That will be required to
identify similar domains since all domains differ in at least their
entrypoint type and in their tmpfs type and thus will never show up as
equivalent even if they are in all other respects identical to each other.
Change-Id: If0ee00188469d2a1e165fdd52f235c705d22cd4e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Modify check_seapp.c to verify that a packagname (name)
must be specified with a signing key (seinfo). This will
help thwart spoof attacks on the packagename.
Change-Id: I8f1aa8a479cb5beb5c3522d85e3181604931ea72
check_seapp at one point in time switch from a home implementation
of a hash table to using GLIBC search.h routines. A struct in one
of the fields was never removed during this transition.
Change-Id: I65c028103ffe90fa52e0b3c9fce28124ed9c7ff9
Introduce a levelFrom=none|app|user|all syntax for specifying
per-app, per-user, or per-combination level assignment.
levelFromUid=true|false remains valid syntax but is deprecated.
levelFromUid=true is equivalent to levelFrom=app.
Update check_seapp to accept the new syntax.
Update seapp_contexts to document the new syntax and switch
from levelFromUid=true to levelFrom=app. No change in behavior.
Change-Id: Ibaddeed9bc3e2586d524efc2f1faa5ce65dea470
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
