- 24 Feb, 2015 1 commit
-
-
Nick Kralevich authored
restorecon on file names with newlines is not handled properly. Use PCRE_DOTALL so that dots in regular expressions match all characters, and don't exclude the newline character. See https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg02001.html for background. Change-Id: I0dde8f2567305f746d19ebd75a9e2add7406eb9a
-
- 23 Feb, 2015 3 commits
-
-
Stephen Smalley authored
Presently it will permit duplicate entries (either duplicated on input selectors or entirely) and whichever one ended up first in the sorted list would win (and this would be arbitrary as the comparison function would return 0 since they have the same input selectors). Treat it as an error instead and fail. Change-Id: I611515699b35b04dfc5c5020b92a88bff24ca606 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Presently it will leak the memory from the first definition and use the last one in each line. Treat it as an error instead and fail. Change-Id: I6a6383bf6ace59b1fd504c01047fd685c16c4849 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Nick Kralevich authored
-
- 20 Feb, 2015 2 commits
-
-
Daniel Cashman authored
-
Stephen Smalley authored
Add a README.android file to libselinux explaining how it relates to upstream, how it differs, and which new files were added. Change-Id: I113f7fac5ed6a3f37fd65ce790fd59b2496998cc Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- 19 Feb, 2015 3 commits
-
-
Stephen Smalley authored
Otherwise if we have a matching selinux_version but only a subset of the expected policy files (sepolicy, *_contexts) under /data/security, then we'll fail when attempting to open the missing files. This does not check that mac_permissions.xml is present as that is only opened and used by SELinuxMMAC, not by libselinux, but we should likely change SELinuxMMAC to do the same. The alternative would be to change the logic for opening each policy file to fall back to the / policy if the /data/security policy is missing, as we used to do before the /data/security support was first disabled and then reworked to check selinux_version. Then it would be valid once again to merely push a sepolicy file or any other individual file with a selinux_version file to /data/security/current without needing to copy the rest of the files if they were unchanged. That is how we used to support pushing a policy with dontaudit rules stripped, http://seandroid.bitbucket.org/AddressingHiddenDenials.html I have updated those instructions to specify that all files must be copied but it is a bit more cumbersome to do so. Change-Id: I60f7ac1f6fa714c0b827a1edd008da172ef1c991 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
SELinux policy booleans are prohibited in AOSP, so we can drop the support for the sebool= input selector. Change-Id: I4828cdf1e5370b1dee7d1e887fd7a3d54be2d95d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
I5d6d6eb7438361bbb072540c96361cef95c83a9e introduced a bug in the policy reload logic such that we incorrectly (but harmlessly) load policy twice from / on each boot and never load policy from /data/security/current even if it is present. Also, even prior to that change, we were failing to reload policy from / if we previously had loaded a policy from /data/security/current and that policy was removed. Fix the bugs. Also correct the comments to drop the obsolete reference to safe mode and to reflect the updated code. Change-Id: I7b53c91c5681764009de453ff104a72cd26d7c2e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- 02 Feb, 2015 15 commits
-
-
Nick Kralevich authored
-
Stephen Smalley authored
Per the man page, pcre_study can return NULL without error if it could not find any additional information. Errors are indicated by the combination of a NULL return value and a non-NULL error string. Fix the handling so that we do not incorrectly reject file_contexts entries. Change-Id: I2e7b7e01d85d96dd7fe78545d3ee3834281c4eba Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
commit dcd8167f7722c1f00c71f54af5425434da2d6cbc upstream. Change-Id: I3373f01811d93348801fa8ae4156ab4edd6f259b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
commit 8b114a3bf25b7b818910cca77528de80cdb953f8 upstream. If we get an EINVAL from security_compute_av* (indicates an invalid source or target security context, likely due to a policy reload that removed one or the other) and we are in permissive mode, then handle it like any other permission denial, i.e. log but do not deny it. Change-Id: I6cb5f06e7468d685b647513ed7a653f2f6676a2a Reported-by: Laurent Bigonville <bigon@debian.org> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Dan Walsh authored
commit ed5dc69dad117006ba9dddf258e064431bb96cfb upstream. To simplify finding why programs don't work, assert that avc_init() was called any time avc functions are called. This means we won't get 'random' segfaults and will instead be able to hopefully quickly determine what we did wrong as application developers. Change-Id: Ief8590b332d4e8ecf369cd0a4c661d7735303254 Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
-
Dan Walsh authored
commit 3b5e45f004e508cca8958f6e3a46961753af291e upstream. Change-Id: I4675c538266bea7858e3f716eb431be9c99f44b7 Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
-
Stephen Smalley authored
commit 7bdc38ccb21133155658279895b10ceb347b0b5a upstream. Change-Id: I118354547c854a52655075753c29884ed742496a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Nick Kralevich authored
-
Dan Walsh authored
commit c7d749efe2fa6f1e765b0bc215476d533f1b4d7b upstream. selinux_check_access() should not error on bad class or perms if the security_deny_unknown() function returns false. If policy tells us to allow unknown classes and perms we should respect that. Change-Id: If2a8f71b51746d87b760e00eaeda38f8ed4a6a15 Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
-
Nick Kralevich authored
-
Daniel P. Berrange authored
commit 435fae64a931301ac00930af1eebc28bd9b0c576 upstream. Also sync with commit 76913d8adb61b5afe28fd3b4ce91feab29e284dd upstream. * stringrep.c: Delete flush_class_cache * stringrep.c: Delete unused ARRAY_SIZE macro and pthread once variable. Change-Id: I251e827be31842a01a46e409b9ba5a1d7375d7c8 Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
-
Nick Kralevich authored
-
Richard Haines authored
commit 34d9c258dac686f4baa2e7f0d6f25f7e7ca5aac6 upstream. Please find another libselinux patch. I've tested quite extensively with the compute_av and string functions with and without mapping and seems okay. The patch covers: When selinux_set_mapping(3) is used to set the class and permissions allowed by an object manager, then an invalid class and/or permissions are selected (e.g. using security_class_to_string), then mapping.c in libselinux forces an assert. This patch removes the asserts and allows the functions to return a class/perm of 0 (unknown) with errno set to EINVAL. A minor patch to set EINVAL in security_av_perm_to_string_compat is also included. All the functions to convert perms & classes to strings and back should now return the correct errno with or without mapping enabled. Change-Id: I3dcf1e9a820b8ed9ed7f424cdfc783b5f15365cc Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
-
Eric Paris authored
commit 1e8f102e8cec4ae84f09cc595013234398270366 upstream. We were opening the path, but if the fstat failed or it was not a regular file we would return without closing the fd. Fix by using the common error exit path rather than just returning. Change-Id: I1f83a044edea0a2e242f6ceabe10567e193a0fae Signed-off-by: Eric Paris <eparis@redhat.com>
-
Eric Paris authored
commit aa62cd60f7192123b509c2518e7a2083e34a65a2 upstream. Change-Id: I5e6222344b3baf4b9680aae1dad9652ce7d46f8a Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
-
- 16 Dec, 2014 1 commit
-
-
Ying Wang authored
Bug: 18675947 Change-Id: Id22090dd5d7aa0c0b98ac3594f20a8bd1265832e
-
- 10 Dec, 2014 3 commits
-
-
dcashman authored
Resubmission of commit: b3e5022bd4319eabdecdeee0187588e1a4d15c12. Changed "if (compute_contexts...)" to "if (!compute_contexts..." Change-Id: I5d6d6eb7438361bbb072540c96361cef95c83a9e
-
Nick Kralevich authored
-
Nick Kralevich authored
Emulator fails to boot. This reverts commit c242f0b5. Bug: 18692152 Change-Id: I00119bfbb06f7b5714f2531e83a6559e5fe4af01
-
- 09 Dec, 2014 2 commits
-
-
dcashman authored
-
Chih-Hung Hsieh authored
Suppress warning until we get a fix from upstream. Change-Id: I8846f514410d53cbc52a44d43f737d455ba2faa0
-
- 05 Dec, 2014 1 commit
-
-
dcashman authored
Change-Id: I76e2ed95d4e4f8618458e63d30ae82e37d1acf7b
-
- 30 Sep, 2014 1 commit
-
-
Nick Kralevich authored
* commit 'd0b768ab': implement partial matching using PCRE
-
- 29 Sep, 2014 1 commit
-
-
Nick Kralevich authored
To speed up the boot process, Android doesn't visit every directory in /sys. Instead, only those directories which match a regular expression in /file_contexts are visited. Other directories are skipped. This results in 2-3 second boot time reduction. The initial version of this optimization was implemented in change 0e7340fb. However, because PCRE wasn't available, it was recognized that false positives and false negatives might occur. Now that PCRE is available, start using it. It will avoid the false positive / negatives problem. Bug: 17682157 Change-Id: I94a109733b0c97a70f80c94fd0a980cb7cb5ca43
-
- 20 Sep, 2014 1 commit
-
-
Stephen Smalley authored
* commit 'f76c30b8': Add isOwner= input selector for seapp_contexts.
-
- 15 Sep, 2014 1 commit
-
-
Stephen Smalley authored
Enable distinctions to be made between the owner/primary user and secondary users in seapp_contexts. Change-Id: I37aa5b183a7a617cce68ccf14510c31dfee4e04d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- 02 Sep, 2014 2 commits
-
-
Stephen Smalley authored
* commit 'dfb9fe2f': Remove FTS_COMFOLLOW from fts_open flags on restorecon_recursive.
-
Stephen Smalley authored
When I converted restorecon_recursive from using nftw to using fts, I followed bionic's nftw implementation (bionic/libc/upstream-netbsd/lib/libc/gen/nftw.c) and set FTS_COMFOLLOW in the flags for fts_open. However, this is not needed for any legitimate purpose and could be dangerous if someone were to add an explicit restorecon_recursive /data/local/tmp/foo command to an init*.rc file. This should not be a problem with current policy, but no point in risking it. Change-Id: I7cec116d68ae60fe8e18fe4ecc9b6c8e564ac10f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- 07 Jul, 2014 3 commits
-
-
Stephen Smalley authored
* commit 'f8417037': Do not try to set restorecon_last on /sys entries.
-
Stephen Smalley authored
* commit 'da4208c8': Do not try to set restorecon_last on /sys entries.
-
Stephen Smalley authored
There is no benefit to setting restorecon_last on /sys entries since they are re-created on each boot and doing so triggers sys_admin denials. Also, apply the same partial matching optimization to restorecon_recursive on subdirectories of /sys as we apply on the top-level restorecon_recursive /sys. Change-Id: I90ea143e189db44bf8dc6c93c08d794e80d5539f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-