Commit graph

226 commits

Author SHA1 Message Date
liwugang
85ce153283 version_policy: avoid fclose a NULL file pointer
Test: Pass a not cil file to version_policy and see no crash appeared.
example: out/host/linux-x86/bin/version_policy -b  `which ls`  -m -n 10000.0 -o target

Change-Id: If2b950a02dd94a4813b74377617f90c7a75a9f27
Signed-off-by: liwugang <liwugang@xiaomi.com>
2019-07-01 16:47:20 +08:00
Treehugger Robot
5dda7f70db Merge "fix memory leaks in sepolicy-analyze tool" 2019-05-17 17:14:20 +00:00
Jinguang Dong
ee62756a7c fix memory leaks in sepolicy-analyze tool
Test: check sepolicy-analyze tool can work well
 sepolicy-analyze out/target/product/<board>/root/sepolicy typecmp -e
 sepolicy-analyze out/target/product/<board>/root/sepolicy typecmp -d
 sepolicy-analyze out/target/product/<board>/root/sepolicy dups
 sepolicy-analyze out/target/product/<board>/root/sepolicy permissive
 sepolicy-analyze out/target/product/<board>/root/sepolicy booleans
 sepolicy-analyze out/target/product/<board>/root/sepolicy attribute <name>

Change-Id: I09d30967f00062c6a807ae4711ccc87b0fd6064c
2019-05-17 09:57:43 +08:00
Stephen Hines
5c081803fc Ensure avrule is initialized.
Bug: http://b/131390872
Test: Builds with -Wconditional-initialize
Change-Id: I14b9316ca392f299745342d61e4fd45ab8e9e307
2019-05-08 17:14:34 -07:00
Nick Kralevich
795add585c Remove isV2App
This selector is no longer used.

Bug: 123605817
Bug: 111314398
Test: compiles and boots
Change-Id: I61bb6b9f17ba4534569bd4a1c0489023cdaf698d
2019-04-16 16:01:08 -07:00
Jeff Vander Stoep
1ca7a4c8f5 fc_sort: delete c version, migrate to python version
Test: build aosp_blueline-userdebug, run build-time tests
Change-Id: I9c466cd718602e6068ee31abd6de7dbab84f4949
2019-04-11 10:19:16 -07:00
Inseob Kim
98c7ade609 Fix fc_sort to be deterministic
fc_sort uses its own implementation of merge sort, but it's
unnecessarily complex and sorting criteria isn't clear: it only
compares lengths and existences of fields. So it can give different
results on the same input (same set of entries, different order).

This fixes it so that output is always deterministic, regardless of
the order of lines in input files.

Bug: N/A
Test: try to run fc_sort several times on same input with different
      line orders, and see the results.

Change-Id: I982a35a4ae9e115030a8598027bbf1181ee77a7d
2019-04-10 07:42:10 +00:00
Treehugger Robot
2456c37021 Merge "Fix memory leaks" 2019-03-20 01:14:58 +00:00
George Burgess IV
bf2f927019 Fix memory leaks
This CL fixes leaks of the policy that we're building up. The analyzer
only caught the leaks on the error path, but I assume that
`check_assertions` does nothing to free the object that it's handed.

Analyzer warnings:

system/sepolicy/tools/sepolicy-analyze/neverallow.c:439:9: warning:
Potential leak of memory pointed to by 'avrule'
[clang-analyzer-unix.Malloc]

system/sepolicy/tools/sepolicy-analyze/neverallow.c:439:9: warning:
Potential leak of memory pointed to by 'neverallows'
[clang-analyzer-unix.Malloc]

Bug: None
Test: Treehugger; reran the analyzer
Change-Id: I79a0c34e8b53d33a1f01497337590eab660ad3ec
2019-03-19 12:10:51 -07:00
Jeff Vander Stoep
ecd288f41d Android.bp: set sepolicy version for use by init
Init needs to be aware of the policy version defined in sepolicy
for on-device compilation.

Bug: 124499219
Test: build and boot a device. Try both precompiled and on-device
compiled policy.

Change-Id: Iba861aeb4566405aedcbe3c2bad48e1e50126370
2019-03-14 17:49:14 +00:00
Joel Galenson
3fbd303d1c Reduce the number of parallel compiles.
Running this script sometimes completely hangs all of our computers.
This change seems to work better for me.

Test: Use script to compile many Androids.
Change-Id: I95539034b35a4ff6dbc39cd67856b0bd7e20d587
2019-03-04 14:04:49 -08:00
liwugang
eb74dd9f86 checkseapp: check the size of key value pairs
OOB write if the size of the key value pairs exceeds the max.

Test: Add a long line to the seapp_contexts file

Change-Id: Iaa3e697e7ac134eb6829b8b36b090997ca344b3a
Signed-off-by: liwugang <liwugang@xiaomi.com>
2018-11-29 00:43:50 +00:00
liwugang
57d66ef1c2 Fix the bound size and the variable name
It will not end when other words appeared because of the wrong bound and variable,
rule_map->length will exceed the actual length in the rule_map_new function,
it will lead to crash in the rule_map_validate function because of strcmp(NULL, str).

Test: 1.add "user=shell doman=system_app" to private/seapp_contexts
      2.exec "checkseapp private/seapp_contexts" and it will not be crashed

Change-Id: I600206448b38cf2c9b61f9141b40f920b05696c8
Signed-off-by: liwugang <liwugang@xiaomi.com>
2018-11-14 16:39:39 +08:00
Yabin Cui
ffa2b61330 Add runas_app domain to allow running app data file via run-as.
Calling execve() on files in an app's home directory isn't allowed
for targetApi >=29. But this is needed by simpleperf to profile
a debuggable app via run-as.
So workaround it by adding runas_app domain, which allows running
app data file. And add a rule in seapp_contexts to use runas_app
domain for setcontext requests from run-as.

Bug: 118737210
Test: boot marlin and run CtsSimpleperfTestCases.
Change-Id: I5c3b54c95337d6d8192861757b858708174ebfd5
2018-11-07 18:11:40 +00:00
Joel Galenson
b5806c47c5 Add code to check for unescaped periods in file_contexts.
Test: Run script and find unescaped periods.
Change-Id: I35a4366aa576d5c6036d0dcfb068ca4e0f27fff9
2018-10-06 13:39:38 -07:00
Nick Kralevich
5fe07c724b version_policy.c: be less verbose at build time
Avoid generating build time noise so that real errors stand out.

https://en.wikipedia.org/wiki/Unix_philosophy

  Rule of Silence
  Developers should design programs so that they do not print
  unnecessary output. This rule aims to allow other programs
  and developers to pick out the information they need from a
  program's output without having to parse verbosity.

Test: Info messages no longer show up at build time.
Bug: 115998215
Change-Id: I33c18e2c7d77ed1bb4132debe13de2ae0907c34c
2018-09-21 10:31:54 -07:00
Treehugger Robot
13e4eb8ca4 Merge "Add a script to check for ways to cleanup SELinux policy." 2018-09-13 16:16:09 +00:00
Joel Galenson
c43273162f Add a script to check for ways to cleanup SELinux policy.
This scripts checks for common problems with SELinux policy,
including:
- Declared types that are not assigned to any files
- Files that don't exist on a running device
- Rules defined in the wrong file
- Using the wrong version of _file_perms/_dir_perms

These are heuristics, mainly because it does not fully parse regular
expressions and because policy might still be needed even if the
relevant file does not exist on a single device.  But it hopefully is
a start at helping cleanup policy.

Bug: 30003114
Bug: 70702017
Test: Run script on core and device-specific policy.
Test: Verify that most of its results are correct.
Change-Id: I1ded4e9b18816841198dcbf72da65f046441d626
2018-08-31 13:55:34 -07:00
Chih-Hung Hsieh
e0db1651e6 Free type_rules before return or exit.
Test: make with WITH_TIDY=1 and clang-analyzer-* checks.
Change-Id: Ide1eaf8880132c566545710e6287f66a5a2b393c
2018-08-31 10:11:09 -07:00
Dan Willemsen
207fb14549 Merge "Remove unused tags property from Android.bp files" am: d32437e975
am: 526080303a

Change-Id: I1f4060617ada8a1202bec741cc59d9c10f1a9a60
2018-05-08 23:15:36 -07:00
Dan Willemsen
76b7f7b311 Remove unused tags property from Android.bp files
The tags property is (and has always been) unused by Soong. The property has
been defined as a list of strings, and the `androidmk` converted any
LOCAL_MODULE_TAGS entries over to it, but we've never done anything with it.

In preparation for removing the definition from Soong, I'm removing it from all
Android.bp files in the tree.

Since this has never done anything, this is a no-op, but if you really did want
the Android.mk behavior, the proper way to define a module to be installed in
userdebug / eng builds is to use PRODUCT_PACKAGES_DEBUG or PRODUCT_PACKAGES_ENG
in the appropriate product makefile.

Change-Id: Ia9a9b1c35533e02047cbb183b317ab93f1eeec6b
Exempt-From-Owner-Approval: global no-op build change
Test: remove `tags` from Soong, see errors go away.
2018-05-08 17:15:33 -07:00
Tri Vo
f7831bc3d3 Build sepolicy tools with Android.bp. am: 594488f8b0
am: 98e7cdf408

Change-Id: I7138922e28326d4bb05901101fb636360c2717c8
2018-05-07 15:56:48 -07:00
Tri Vo
594488f8b0 Build sepolicy tools with Android.bp.
Bug: 33691272
Test: make clean && mmma system/sepolicy
Change-Id: I6bbd6271c375338e7d24cd6089c6f826080c98b6
2018-05-07 12:51:54 -07:00
Ryan Longair
50fec5f819 Fix sepolicy-analyze makefile so it is included in STS builds
Bug:74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b
2018-03-01 10:07:11 -08:00
Jeff Vander Stoep
c08fcbe0c5 tools/build_policies.sh make tool executable am: be6489d1bf am: fc83906f50
am: fb814c6d1f

Change-Id: I02404a15dd274795900075021c63de0fb186db56
2018-01-30 22:15:00 +00:00
Jeff Vander Stoep
be6489d1bf tools/build_policies.sh make tool executable
chmod +x

Test: build all sepolicy targets.
Change-Id: I9e47b78667e4a213c31ecce0e37fe7f84abd9655
2018-01-30 10:08:34 -08:00
Joel Galenson
abc8cc8cd6 Merge "Add a script to build multiple SELinux targets." am: 6b81d43537 am: 7e6235c97a
am: 393357531a

Change-Id: Ibfd98c8d9642d4d9ee5f9ca86376638a2b2883b3
2018-01-30 02:59:25 +00:00
Joel Galenson
c17c5abe22 Add a script to build multiple SELinux targets.
This script will build the SELinux policy for multiple targets in parallel.

To use it, run:
./build_policies.sh <Android root directory> <output directory> [specific targets to build]

If you do not pass any individual targets, it will build all targets it can find.

It will print out the list of failing targets.  You can open up the corresponding log file in the output directory to see the exact errors.

This script is still a work in progress.  It currently cannot discover all build targets (it misses ones "lunch" does not list).

Bug: 33463570
Test: Ran script to build multiple targets with and without failures.
Change-Id: Iee8ccf4da38e5eb7ce2034431613fe10c65696ab
2018-01-29 15:48:15 -08:00
Jaekyun Seok
e0909f482c Merge "Whitelist exported platform properties" am: 70d2bb432a am: 42f8d7b27a
am: f00d05634b

Change-Id: Id6276f733fb5d52b2437927e13343d40c7d53007
2018-01-10 23:53:09 +00:00
Jaekyun Seok
e49714542e Whitelist exported platform properties
This CL lists all the exported platform properties in
private/exported_property_contexts.

Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.

Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
2018-01-10 16:15:25 +00:00
Nicholas Sauer
3257295a0f Make sepolicy-analyze for ATS.
bug: 69430536
Test: make ats-tradefed && ats-tradefed run ats -m
GtsSecurityHostTestCases

Change-Id: I617a7d08b1bf480f970bc8b4339fa6bbdc347311
2017-11-28 13:19:09 -08:00
Xin Li
c667a0ed64 Merge commit 'd9664064dd09ae254aa3e6ce28fec5fde68c1fb6' into HEAD
Change-Id: Icec8dfff5cff17cf1b557882db62b148a7218b98
2017-11-14 11:46:58 -08:00
Chih-Hung Hsieh
92dacd1ef9 Merge "Use -Werror in system/sepolicy" am: 0d2303be0c am: b03597d1b4
am: 52313b4ce8

Change-Id: I724e29b61036248d06aeadd604084857b5a2936a
2017-10-19 23:34:17 +00:00
Treehugger Robot
0d2303be0c Merge "Use -Werror in system/sepolicy" 2017-10-19 22:53:57 +00:00
William Roberts
71ebf07cfd Merge "fc_sort: rectify with upstream" am: adef499d29 am: 9b1affaa07
am: 6091bbc363

Change-Id: I5e16838c9b81d23b113dc0d0cadf74419d279d38
2017-10-19 19:35:23 +00:00
William Roberts
1cf1064baa fc_sort: rectify with upstream
Code review of:
  - https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/512420/

had some comments. These were addressed and upstreamed here:
  - 65620e0f94

Bring these changes back into the AOSP tree.

Test: verify that output sorted device files did not change hashes when built.

Change-Id: I7f07d3f74923cf731e853629034469784fc669f7
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-10-19 16:04:24 +00:00
Chih-Hung Hsieh
038e322f3b Use -Werror in system/sepolicy
Bug: 66996870
Test: build with WITH_TIDY=1
Change-Id: I5df432c6d2f7ee19db89f44fbe3adec2bbcc0b41
2017-10-18 16:19:42 -07:00
William Roberts
ce6c74327e Merge "fc_sort: update to latest" am: f54c8ea95c am: c73fb57045
am: 2f22694a6b

Change-Id: Ia78d8ac42c7986a6a64a575cf47b386a5f1f045b
2017-10-18 00:08:53 +00:00
Keun Soo Yim
5f6fc9c9be package sepolicy-analyze as part of VTS
am: 67b2da4431

Change-Id: I1bbf9b95f0c38fd5f20412e4afb2251ed2c3948e
2017-10-17 03:52:11 +00:00
Keun Soo Yim
67b2da4431 package sepolicy-analyze as part of VTS
Bug: 67848572
Test: mma
Change-Id: I75520b6aa19e44854129697b3c3e375427356e6a
2017-10-16 14:21:07 -07:00
William Roberts
9a6b240b1f fc_sort: update to latest
Update to commit:
  - 5490639ac9

This solves all reported clang analyzer issues and is inline with upstream.

Test: veerify that md5sum of output files do not change.

Change-Id: I942145b8f9748c8ecd185f730c94d57cb77f5acc
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-10-16 10:04:46 -07:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Jeffrey Vander Stoep
59005d3761 Merge "Fix possible memory leak warning." am: 3b24ce5090 am: dfdb96280e
am: dfea667d3f

Change-Id: Ic835bf45ab8a2334bdeec6540678d73dddfffa6d
2017-09-20 03:41:13 +00:00
Luis A. Lozano
635e3eccfb Fix possible memory leak warning.
Static analyzer complains the memory pointed by list in bcurrent is not
deallocated before returning. But since this code is in "main" routine,
we don't care about the deallocation. Just ignore the warning.

Bug: b/27101951
Test: Verified warning is gone.
Change-Id: I58d784b61a5ad30d1406bd7c6b28c5713abf2b34
2017-08-22 18:24:56 -07:00
Yifan Hong
43473a00e1 Merge "Make sepolicy-analyze for GTS." into oc-mr1-dev
am: 7c55e171de

Change-Id: Iff2eb18c5898ae5d05c00a3c888d98286b36374a
2017-08-17 01:01:28 +00:00
Yifan Hong
9ffea2f94b Make sepolicy-analyze for GTS.
Test: gts-tradefed run gts-dev --module=GtsSecurityHostTestCases
Bug: 64127136
Change-Id: Ib50294488bb1a5d46faed00d6954db64648fed20
2017-08-15 15:26:07 -07:00
Manoj Gupta
508db351a1 Merge "Fix static analyzer warnings."
am: 4b547a1516

Change-Id: Id5b85ec29220cdbc15aab72ddf4dfbd2d4ef2fc7
2017-08-02 02:47:37 +00:00
Manoj Gupta
3cdd4a4b0d Fix static analyzer warnings.
Fix the following warnings:

system/sepolicy/tools/sepolicy-analyze/neverallow.c:346:9: warning:
Potential leak of memory pointed to by '__s1'
system/sepolicy/tools/sepolicy-analyze/neverallow.c:346:9: warning:
Potential leak of memory pointed to by 'id'
system/sepolicy/tools/sepolicy-analyze/neverallow.c:364:13: warning:
Potential leak of memory pointed to by 'classperms'
system/sepolicy/tools/sepolicy-analyze/neverallow.c:364:13: warning:
Potential leak of memory pointed to by 'node'

Bug: b/27101951
Test:Warnings are gone.
Change-Id: Ib9b2e0b9f19950b4b764d438ee58340e6c022ef5
2017-08-01 15:46:44 -07:00
Andreas Gampe
d1e5758596 Merge "fc_sort: Fix leaks" am: 7f4b2ad584 am: acbf2ad328
am: 274c4e3352

Change-Id: Ic46f83ae348c57ad306748d03456e62c9a4600d4
2017-05-01 23:40:57 +00:00
Treehugger Robot
7f4b2ad584 Merge "fc_sort: Fix leaks" 2017-05-01 23:30:26 +00:00
Andreas Gampe
a1ccbd3d67 Sepolicy-Analyze: Plug leak am: ee8b67dfd9 am: 4a318ad697
am: 4c1385a6d4

Change-Id: I4da23806c532acfaaa1535ee87b25383a99723d7
2017-04-28 18:36:36 +00:00
Andreas Gampe
c32d7bae15 fc_sort: Fix leaks
Use the getline API correctly: keep a single buffer as long as
possible, and let the callee handle re-allocation. Move the final
free out of the loop.

Release the head of the linked list.

Bug: 37757586
Test: ASAN_OPTIONS= SANITIZE_HOST=address mmma system/sepolicy
Change-Id: I42424acba7cd68c1b9a7a43e916a421ac3e253f7
2017-04-28 10:37:55 -07:00
Andreas Gampe
ee8b67dfd9 Sepolicy-Analyze: Plug leak
Destroy the policy before exiting (for successful = expected runs).

Bug: 37757759
Test: ASAN_OPTIONS= SANITIZE_HOST=address m
Change-Id: I67e35fbede696ec020a53b69a6cef9f374fae167
2017-04-27 18:16:26 -07:00
Alex Klyubin
16fcbe8f17 Merge "Do not warn about empty typesets in neverallows" into oc-dev
am: 26564ce754

Change-Id: I8961e581bad56f118c112f6b1e6d2ba11a81ccf6
2017-04-26 00:41:44 +00:00
Alex Klyubin
c60d3ea164 Do not warn about empty typesets in neverallows
Empty typeset is not an issue in neverallow rules. The reason is that
it's completly normal for scontext or tcontext of neverallow rules to
evaluate to an empty type set. For example, there are neverallow rules
whose purpose is to test that all types with particular powers are
associated with a particular attribute:
  neverallow {
    untrusted_app_all
    -untrusted_app
    -untrusted_app_25
  } domain:process fork;

Test: sepolicy-analyze neverallow -w -n \
          'neverallow {} {}:binder call;'
      produces empty output instead of "Warning!  Empty type set"
Bug: 37357742
Change-Id: Id61b4fe22fafaf0522d8769dd4e23dfde6cd9f45
2017-04-25 14:25:04 -07:00
Dan Cashman
c787f54766 sepolicy-analyze: Add ability to list all attributes. am: 9d46f9b4f0 am: fdb9c018cd
am: c45e9b9afb

Change-Id: I6af916d823b983581c5f7b33858364af6b2e4456
2017-04-18 22:20:46 +00:00
Dan Cashman
9d46f9b4f0 sepolicy-analyze: Add ability to list all attributes.
This could be useful in diffs between policy versions.

Bug: 37357742
Test: sepolicy-analyze lists all attributes in precompiled_policy.
Change-Id: I6532a93d4102cf9cb12b73ee8ed86ece368f9131
2017-04-18 11:08:43 -07:00
Sandeep Patil
9a3a6a81df sepolicy_version: change current version to NN.m format
The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.

Make version_policy replace the '.' in version by '_' so secilc is
happy too.

This unblocks libvintf from giving out a runtme API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.

(cherry-pick of commit 42f95984b5)

Bug: 35217573
Test: Build and boot sailfish.
      Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>

Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
2017-04-11 10:16:24 -07:00
Sandeep Patil
42f95984b5 sepolicy_version: change current version to NN.m format
The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.

Make version_policy replace the '.' in version by '_' so secilc is
happy too.

This unblocks libvintf from giving out a runtme API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.

Bug: 35217573
Test: Build and boot sailfish.
      Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>

Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
2017-04-07 14:18:48 -07:00
Martijn Coenen
d48d54a3a1 Modify checkfc to check (vnd|hw)service_manager_type.
added checkfc options 'l' and 'v' to verify hwservice_manager_type
and vndservice_manager_type on service context files, respectively.

The checkfc call to verify the new hwservice_contexts files will
be added together with hwservicemanager ACL CLs later.

Bug: 34454312
Bug: 36052864
Test: device boots, works
Change-Id: Ie3b56da30be47c95a6b05d1bc5e5805acb809783
2017-04-06 17:25:07 -07:00
Dan Cashman
3a68bd169b Add reverse-attribute mapping to sepolicy-analyze.
sepolicy-analyze allows users to see all types that have a given
attribute, but not the reverse case: all attributes of a given type.
Add a '--reverse' option which enables this, but keeps the previous
interface.

Usage: sepolicy-analyze sepolicy attribute -r init

Bug: 36508258
Test: Build and run against current policy.

(cherry picked from commit d444ebedac)

Change-Id: I9813ebf61d50fb5abbc8e52be4cf62751979bbd4
2017-04-06 09:46:38 -07:00
Dan Cashman
d444ebedac Add reverse-attribute mapping to sepolicy-analyze.
sepolicy-analyze allows users to see all types that have a given
attribute, but not the reverse case: all attributes of a given type.
Add a '--reverse' option which enables this, but keeps the previous
interface.

Usage: sepolicy-analyze sepolicy attribute -r init

Bug: 36508258
Test: Build and run against current policy.
Change-Id: Ice6893cf7aa2ec4706a7411645a8e0a8a3ad01eb
2017-03-31 08:40:26 -07:00
Chad Brubaker
a782a81627 Add new untrusted_v2_app domain
untrusted_v2_app is basically a refinement of untrusted_app with legacy
capabilities removed and potentially backwards incompatible changes.

This is not currently hooked up to anything.

Bug: 33350220
Test: builds
Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-21 12:39:55 -08:00
Michael Peck
f54b3622c7 Add minTargetSdkVersion input selector to seapp_contexts
This new input selector allows phasing in new security policies by
giving app developers an opportunity to make any needed compatibility
changes before updating each app's targetSdkVersion.

When all else is equal, matching entries with higher
minTargetSdkVersion= values are preferred over entries with lower
minTargetSdkVersion= values.

Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806
2017-02-14 13:03:12 -08:00
Nick Kralevich
16b7f0a14c Block files without trailing newlines
Add a pre-submit check to ensure that files have a newline character at
the end.

Please see https://android.googlesource.com/platform/tools/repohooks/
for documentation on how PREUPLOAD hooks work.

Test: created a change and watched the presubmit check reject it.
Change-Id: Id0528cb1bd6fa9c4483ba43720839832f4fec34d
2016-12-12 08:18:01 -08:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00
Treehugger Robot
ce3b2a41a5 Merge "fc_sort: cleanup warnings caught by clang tidy / static analyzer." 2016-10-24 19:03:57 +00:00
William Roberts
f7d6bb3f71 check_seapp: correct output on invalid policy file
If in invalid policy file is loaded check_seapp outputs:

Error: Could not lod policy file to db: Success!

The "Success" value is from errno, which is not manipulated
by libsepol. Also, load should have an a in it!

Hardcode the error message to:

Error: Could not load policy file to db: invalid input file!

Test: That when providing an invalid sepolicy binary, that the output
message is correct.
Change-Id: Iaf1f85eeb217d484997ee1367d91d461c1195bf4
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-10-19 22:03:41 +00:00
Rahul Chaudhry
e1682c71a1 check_seapp: cleanup warning caught by clang tidy / static analyzer.
check_seapp.c:993:6: warning: Passed-by-value struct argument contains
uninitialized data (e.g., field: 'data')

Bug: 26936282
Test: WITH_TIDY=1 WITH_STATIC_ANALYZER=1 mm
Change-Id: I3fc2ca8f862356628864f2a37b8d39222c8d658a
2016-10-12 12:27:29 -07:00
Rahul Chaudhry
66dd3ca6ce fc_sort: cleanup warnings caught by clang tidy / static analyzer.
Value stored to 'i' is never read.
Variable 'j' is never used.

Bug: 26936282
Test: WITH_TIDY=1 WITH_STATIC_ANALYZER=1 mm
Change-Id: I8dd266e639d089efd1fb1e1e0fca3899cf2a1553
2016-10-12 12:19:48 -07:00
Chad Brubaker
06cf31eb63 Rename autoplay_app to ephemeral_app
Test: Builds and boots
Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9
2016-10-07 09:52:31 -07:00
Janis Danisevskis
3e4632943d fix lax service context lookup
Inform checkfc about new service label backend.

Test: bullhead builds

Bug: 31353148
Change-Id: I499da36108e67483a4f9a18fd8cc7c8f13419abd
2016-09-30 10:18:00 +01:00
bowgotsai
a6c215bcaf Clean up LOCAL_C_INCLUDES
It should be specified by LOCAL_EXPORT_C_INCLUDE_DIRS from the imported
libraries.

Change-Id: I5b01ac24763a75984227d77671def6561325b7cc
2016-09-23 09:21:25 +08:00
Janis Danisevskis
750d797b1c Port from pcre to pcre2 (Fix wrong merge decision)
Ports check_seapp to pcre2.

Change-Id: If3faac5b911765a66eab074f7da2511624c3fc97
2016-08-22 11:12:53 +01:00
Chih-hung Hsieh
b077a75646 Merge "Fix misc-macro-parentheses warnings." am: d62aa0b1a3
am: ebb3dc9ea0

* commit 'ebb3dc9ea0c29b2b56fcf9fae99d254c3a14359f':
  Fix misc-macro-parentheses warnings.

Change-Id: Id9658183b6cec0e5725c800d8939e57bf181c9e4
2016-05-16 16:23:46 +00:00
Chih-Hung Hsieh
33500c91e3 Fix misc-macro-parentheses warnings.
Add parentheses around macro arguments used beside binary operators.
Use NOLINT comment to suppress false clang-tidy warnings.

Bug: 28705665
Change-Id: Idc7474c43da52a1ca6a690b56d8f637767adbb88
2016-05-11 14:59:45 -07:00
dcashman
48a29397d2 Add cts artifact tag for use in CTS tests.
Bug: 21266225
Change-Id: I649c2ae36340d1f2b3db478e90e125c473b47b6e
2016-03-30 08:54:55 -07:00
William Roberts
d7eedeb89c checkseapp: remove .data = NULL assignments
Remove the .data=NULL assignments that were pushing the
static keymap mapping horizontal.

(cherry picked from commit 29adea51ed)

Change-Id: I2e6e78930ac8d1d8b9bd61d9dedb59f4859ea13c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-02-10 19:37:20 +00:00
William Roberts
0593e848fa checkseapp: remove data types form static map
Data type tracking is no longer needed now that per
key validation routines are supported.

(cherry picked from commit c92dae9807)

Change-Id: I2f1d0d5b1713e0477996479b0f279a58f43f15c7
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-02-10 19:37:05 +00:00
William Roberts
7bbdaefc7f checkseapp: generalize input validation
Input validation was hard-coded into a validation routine
that would check against type and key names in a scattered,
order dependent conditional code block.

This makes it harder than it should be to add new key value
pairs and types into checkseapp.

To correct this, we add a validation callback into the
static mapping. If the validation callback is set, the
existing validation routine will call this for input
validation. On failure, a validation specific error message
is returned to be displayed.

(cherry picked from commit 696a66ba20)

Change-Id: I92cf1cdf4ddbcfae19168b621f47169a3cf551ac
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-02-10 19:36:48 +00:00
William Roberts
d5c3e50009 checkseapp: update error message output
Change the final error message to be consistent with the others.

From:
Error: reading /home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts, line 82, name domain, value system_server

To:
Error: Reading file: "/home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts" line: 82 name: "domain" value: "system_server"

(cherry picked from commit efebf97e23)

Change-Id: Idf791d28fbba95fbeed8b9ccec9a296eea33afb9
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-02-10 19:36:21 +00:00
William Roberts
ffd053ba93 checkseapp: declare internal function as static
(cherry picked from commit 25528cf4a5)

Change-Id: Ic4dc59650ca849b950cb145fedafdf4fc250f009
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-02-10 19:24:00 +00:00
William Roberts
29adea51ed checkseapp: remove .data = NULL assignments
Remove the .data=NULL assignments that were pushing the
static keymap mapping horizontal.

Change-Id: I2e6e78930ac8d1d8b9bd61d9dedb59f4859ea13c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-29 15:12:58 -08:00
William Roberts
c92dae9807 checkseapp: remove data types form static map
Data type tracking is no longer needed now that per
key validation routines are supported.

Change-Id: I2f1d0d5b1713e0477996479b0f279a58f43f15c7
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-29 11:05:57 -08:00
William Roberts
696a66ba20 checkseapp: generalize input validation
Input validation was hard-coded into a validation routine
that would check against type and key names in a scattered,
order dependent conditional code block.

This makes it harder than it should be to add new key value
pairs and types into checkseapp.

To correct this, we add a validation callback into the
static mapping. If the validation callback is set, the
existing validation routine will call this for input
validation. On failure, a validation specific error message
is returned to be displayed.

Change-Id: I92cf1cdf4ddbcfae19168b621f47169a3cf551ac
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-29 10:53:16 -08:00
William Roberts
efebf97e23 checkseapp: update error message output
Change the final error message to be consistent with the others.

From:
Error: reading /home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts, line 82, name domain, value system_server

To:
Error: Reading file: "/home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts" line: 82 name: "domain" value: "system_server"

Change-Id: Idf791d28fbba95fbeed8b9ccec9a296eea33afb9
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-29 10:51:00 -08:00
William Roberts
25528cf4a5 checkseapp: declare internal function as static
Change-Id: Ic4dc59650ca849b950cb145fedafdf4fc250f009
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-29 10:51:00 -08:00
Jeffrey Vander Stoep
7a29402717 Merge changes from topic \'fc_sort-2\' am: 87a73f199a
am: af77ab6b13

* commit 'af77ab6b136b0c4d44e912bbd2b98f958f7ceb45':
  fc_sort: initial commit
  checkfc: do not die on 0 length fc's
2016-01-15 19:41:30 +00:00
William Roberts
49693f1b4d fc_sort: initial commit
Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: I3775eae11bfa5905cad0d02a0bf26c76ac03437c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-14 17:39:07 -08:00
William Roberts
922b4e9522 checkfc: do not die on 0 length fc's
Checkfc was treating 0 size fc files as a fatal error.
An empty fc file should be treated as "nothing to check"
so long as the -e option is passed.

We add this option, so we don't allow empty file_context
files to pass CTS checking.

Change-Id: Ibca6bd948a13389e10c605d613acc48c5504443e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-14 17:39:07 -08:00
Jeffrey Vander Stoep
b9053767ab Merge "Revert "fc_sort: initial commit"" am: 5de7574a59
am: 62871e5874

* commit '62871e5874e6b1663c732c7f2a2b2d6b36604534':
  Revert "fc_sort: initial commit"
2016-01-15 01:12:54 +00:00
Jeffrey Vander Stoep
5de7574a59 Merge "Revert "fc_sort: initial commit"" 2016-01-14 23:30:56 +00:00
Jeffrey Vander Stoep
b1fb7e4037 Revert "fc_sort: initial commit"
Breaks builds with no device specific policy.

Bug: 26568553
This reverts commit 29d146887e.

Change-Id: If9254d4ad3f104a96325beedebc05dd22664084a
2016-01-14 23:28:51 +00:00
William Roberts
2f9fbf53e9 fc_sort: add NOTICE file am: c68a277f5e
am: bc88ec944a

* commit 'bc88ec944a0e6f22983fa31803b75d99ea791735':
  fc_sort: add NOTICE file
2016-01-14 20:54:01 +00:00
Jeffrey Vander Stoep
a654d9f3aa Merge "fc_sort: initial commit" am: 2dea4525f3
am: faddabe6f5

* commit 'faddabe6f58f30f81938b928597ee7a792c34984':
  fc_sort: initial commit
2016-01-14 20:19:47 +00:00
William Roberts
c68a277f5e fc_sort: add NOTICE file
Change-Id: I0e63f90cafc5b1ca9cc112e852e172046b16a17e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-14 10:45:45 -08:00
William Roberts
29d146887e fc_sort: initial commit
Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: Id79cc6f434c41179d5c0d0d739c4718918b0b1dc
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-07 10:11:52 -08:00
Jeffrey Vander Stoep
e927937f2d Merge "checkfc: add attribute test" am: d48773ab3e
am: c435b7590b

* commit 'c435b7590bd7d7f0594d48976fe931d1f6c07f32':
  checkfc: add attribute test
2015-12-16 16:35:36 +00:00
William Roberts
ad3cb39e54 checkfc: add attribute test
Enable checkfc to check *_contexts against a set of valid attributes
which must be associated with all types in the contexts file that
is being checked.

Since it's imperative that checkfc knows which file its checking to
choose the proper attribute set, the -s option is introduced to
indicate the service_contexts file. The property_contexts file continues
to use the existing -p and file_contexts requires no specification, aka
it's the default.

Failure examples:
file_contexts:
Error: type "init" is not of set: "fs_type, dev_type, file_type"

service_contexts:
Error: type "init_exec" is not of set: "service_manager_type"

property_contexts:
Error: type "bluetooth_service" is not of set: "property_type"

Change-Id: I62077e4d0760858a9459e753e14dfd209868080f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-12-14 23:37:10 +00:00
Jeff Vander Stoep
400d3ac140 Add autoplay_app domain
Initial check in of empty autoplay_app.te policy file.

Create isAutoPlayApp input selector. Give this selector high precedence -
only below isSystemServer.

Add neverallow rule disallowing an app context with isAutoPlayApp=true from
running in a domain other than autoplay_app.

Change-Id: I1d06669d2f1acf953e50867dfa2b264ccaee29a4
2015-11-09 13:43:55 -08:00