GitLab

commit 3b5e45f004e508cca8958f6e3a46961753af291e upstream.

Change-Id: I4675c538266bea7858e3f716eb431be9c99f44b7
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>

commit 7bdc38ccb21133155658279895b10ceb347b0b5a upstream.

Change-Id: I118354547c854a52655075753c29884ed742496a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit c7d749efe2fa6f1e765b0bc215476d533f1b4d7b upsteram.

selinux_check_access() should not error on bad class or perms if the
security_deny_unkown() function return false.  If policy tells us to
allow unknown classes and perms we should respect that.

Change-Id: If2a8f71b51746d87b760e00eaeda38f8ed4a6a15
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>

commit 435fae64a931301ac00930af1eebc28bd9b0c576 upstream.
Also sync with commit 76913d8adb61b5afe28fd3b4ce91feab29e284dd upstream.

* stringrep.c: Delete flush_class_cache

* stringrep.c:  Delete unused ARRAY_SIZE macro and pthread once variable.

Change-Id: I251e827be31842a01a46e409b9ba5a1d7375d7c8
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>

commit 34d9c258dac686f4baa2e7f0d6f25f7e7ca5aac6 upstream.

Please find another libselinux patch. I've tested quite extensively with the compute_av and string functions with and without mapping and seems okay.

The patch covers:
When selinux_set_mapping(3) is used to set the class and permissions allowed by an object manager, then an invalid class and/or permissions are selected (e.g. using security_class_to_string), then mapping.c in libselinux forces an assert. This patch removes the asserts and allows the functions to return a class/perm of 0 (unknown) with errno set to EINVAL. A minor patch to set EINVAL in security_av_perm_to_string_compat is also included. All the functions to convert perms & classes to strings and back should now return the correct errno with or without mapping enabled.

Change-Id: I3dcf1e9a820b8ed9ed7f424cdfc783b5f15365cc
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>

commit 1e8f102e8cec4ae84f09cc595013234398270366 upstream.

We were opening the path, but if the fstat failed or it was not a
regular file we would return without closing the fd.  Fix my using the
common error exit path rather than just returning.

Change-Id: I1f83a044edea0a2e242f6ceabe10567e193a0fae
Signed-off-by: Eric Paris <eparis@redhat.com>

commit aa62cd60f7192123b509c2518e7a2083e34a65a2 upstream.

Change-Id: I5e6222344b3baf4b9680aae1dad9652ce7d46f8a
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>

Bug: 18675947
Change-Id: Id22090dd5d7aa0c0b98ac3594f20a8bd1265832e

Resubmission of commit: b3e5022bd4319eabdecdeee0187588e1a4d15c12.

Changed "if (compute_contexts...)" to "if (!compute_contexts..."

Change-Id: I5d6d6eb7438361bbb072540c96361cef95c83a9e

Emulator fails to boot.

This reverts commit c242f0b5.

Bug: 18692152
Change-Id: I00119bfbb06f7b5714f2531e83a6559e5fe4af01

Suppress warning until we get a fix from upstream.

Change-Id: I8846f514410d53cbc52a44d43f737d455ba2faa0

Change-Id: I76e2ed95d4e4f8618458e63d30ae82e37d1acf7b

* commit 'd0b768ab':
  implement partial matching using PCRE

To speed up the boot process, Android doesn't visit every directory
in /sys. Instead, only those directories which match a regular
expression in /file_contexts are visited. Other directories are
skipped. This results in 2-3 second boot time reduction.

The initial version of this optimization was implemented in
change 0e7340fb. However, because
PCRE wasn't available, it was recognized that false positives and
false negatives might occur.

Now that PCRE is available, start using it. It will avoid the
false positive / negatives problem.

Bug: 17682157
Change-Id: I94a109733b0c97a70f80c94fd0a980cb7cb5ca43

* commit 'f76c30b8':
  Add isOwner= input selector for seapp_contexts.

Enable distinctions to be made between the owner/primary user
and secondary users in seapp_contexts.

Change-Id: I37aa5b183a7a617cce68ccf14510c31dfee4e04d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit 'dfb9fe2f':
  Remove FTS_COMFOLLOW from fts_open flags on restorecon_recursive.

When I converted restorecon_recursive from using nftw to using fts,
I followed bionic's nftw implementation
(bionic/libc/upstream-netbsd/lib/libc/gen/nftw.c)
and set FTS_COMFOLLOW in the flags for fts_open.  However, this is
not needed for any legitimate purpose and could be dangerous if someone
were to add an explicit restorecon_recursive /data/local/tmp/foo command
to an init*.rc file.  This should not be a problem with current policy,
but no point in risking it.

Change-Id: I7cec116d68ae60fe8e18fe4ecc9b6c8e564ac10f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit 'f8417037':
  Do not try to set restorecon_last on /sys entries.

* commit 'da4208c8':
  Do not try to set restorecon_last on /sys entries.

There is no benefit to setting restorecon_last on /sys entries
since they are re-created on each boot and doing so triggers
sys_admin denials.   Also, apply the same partial matching
optimization to restorecon_recursive on subdirectories of /sys
as we apply on the top-level restorecon_recursive /sys.

Change-Id: I90ea143e189db44bf8dc6c93c08d794e80d5539f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '86ae6256':
  Log userspace SELinux denials to the event log.

* commit 'f58dbddb':
  Log userspace SELinux denials to the event log.

In addition to logging userspace SELinux denials to logcat,
also log it to eventlog using the auditd log tag.

Change-Id: I6a269a832bc2f5e5da6c9dbd169ed2f901b49166

* commit '51b51eea':
  Extend label file backend to support label-by-symlink for ueventd.

* commit 'be7f5e88':
  Extend label file backend to support label-by-symlink for ueventd.

When ueventd creates a device node, it may also create one or more
symlinks to the device node.  These symlinks may be the only stable
name for the device, e.g. if the partition is dynamically assigned.
Extend the label file backend to support looking up the "best match"
for a device node based on its real path (key) and any links to it
(aliases).  The order of precedence for best match is:
1) An exact match for the real path (key), or
2) An exact match for any of the links (aliases), or
3) The longest fixed prefix match.

Change-Id: Id6c2597eee2b6723a5089dcf7c450f8d0a4128f4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit 'd57030c2':
  Add service_context management into libselinux.

* commit 'bad0ebb4':
  Add service_context management into libselinux.

Add functions to handle opening handles for MAC
on service_manager. Also add selinux_log_callback
into libselinux because identical code was spread
through three different files.

Bug: 12909011
Change-Id: I04eb855700f1d0c086542053d987b3a30cf1b0c0

* commit '74f2c202':
  SELinux changes to check policy versions during a reload.

* commit 'e9b58950':
  SELinux changes to check policy versions during a reload.

* commit '5b5183f9':
  SELinux changes to check policy versions during a reload.

New construct which validates /data/security/current/selinux_version
against the base version file /selinux_version when policy
overrides could occur. This change covers the cases where
sepolicy, seapp_contexts and file_contexts under
/data/security/current can be used to override their rootfs
counterparts.

Change-Id: I4716039bb0f5ba1e961977a18350347a67969dca
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

* commit '3446861b':
  Don't set restorecon_last on subdirectories