GitLab

This change resulted in //data being used for restorecon, rather than
/data, causing the check to fail when deciding whether or not init
should label app data files.

This reverts commit 249094fc.

(cherry-pick of commit: 02797a0e)

Bug: 24190361
Change-Id: I1a0f64404da3c54a03890df60b8b5d9102d1efa3

* commit '74900f76':
  Enable restorecon to properly label symlinks.

* commit '249094fc':
  Enable restorecon to properly label symlinks.

commit: 06d45512 changed restorecon to only
operate on paths which had undergone a realpath transformation.  Unfortunately,
this made it impossible to directly restorecon a symlink, since the symlink
would be followed.  Change restorecon to only perform realpath on the directory
prefix, so that symlinks can be labeled.

Bug: 21732016
Change-Id: I95e18f9a8e9ffda8cf9ab8676052486c68216b00

* commit 'a0fb33c1':

* commit '5f83d69a':

* commit 'd59496a0':

* commit '80fe5f15':

am 09fbb966: (-s ours) am be86166f: restorecon: do not set security.restorecon_last on ramfs and tmpfs

* commit '09fbb966':

* commit 'dc022606':

* commit '91b7d911':
  Set SELABEL_OPT_BASEONLY to stop additional file checks

* commit '91b7d911':
  Set SELABEL_OPT_BASEONLY to stop additional file checks

Stop checking for the homedirs and local file_contexts files as they do not
exist on Android and therefore always fail.

Change-Id: Idba7ea4757073f428ce2a3e02e63796fdde71cdb
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>

* commit '95736e8c':
  libselinux: support context validation on file_contexts.bin
  libselinux: test for file_contexts.bin format
  libselinux: add selabel_cmp interface and label_file backend
  libselinux: switch to file_contexts.bin
  libselinux: support specifying file_contexts.bin file path
  libselinux: support file_contexts.bin without file_contexts

* commit '95736e8c':
  libselinux: support context validation on file_contexts.bin
  libselinux: test for file_contexts.bin format
  libselinux: add selabel_cmp interface and label_file backend
  libselinux: switch to file_contexts.bin
  libselinux: support specifying file_contexts.bin file path
  libselinux: support file_contexts.bin without file_contexts

* changes:
  libselinux: support context validation on file_contexts.bin
  libselinux: test for file_contexts.bin format
  libselinux: add selabel_cmp interface and label_file backend
  libselinux: switch to file_contexts.bin
  libselinux: support specifying file_contexts.bin file path
  libselinux: support file_contexts.bin without file_contexts

* commit '2ef4270c':
  libselinux: fail hard on invalid file_contexts entries

* commit '2ef4270c':
  libselinux: fail hard on invalid file_contexts entries

* commit '82216295':
  libselinux: fail hard on invalid property_contexts entries

* commit '82216295':
  libselinux: fail hard on invalid property_contexts entries

Fail hard on any error during property_contexts (or service_contexts)
processing.  We want to catch any such errors early and not proceed
with a potentially mislabeled system.

Also remove some obsoleted tests for NULL; they were necessary
in earlier versions of the code where we were copying the strings
at this point, but no longer.

Change-Id: I98b8f88996d2ad385ad9ea13682eb11611d665ff
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Fail hard on any error during file_contexts processing.
We want to catch any such errors early and not proceed
with a potentially mislabeled system.  This was the original
logic but was loosened long ago to more gracefully handle
user error in Linux distributions (a single typo could lead
to not being able to label anything, even if the relevant
entry for the files in question was correct).  However,
in Android, file_contexts is not modified at runtime and
we want to fully validate it at build, so we want to fail
hard in these cases, and in modern Linux, file_contexts is
modified using tools (semanage, semodule) and a library
(libsemanage) that should already be fully validating values
before adding entries, and that trigger a setfiles -c validation
(equivalent to Android checkfc) before committing the transaction.

Change-Id: If98dc462b7132c34d5a1ae0a2634fda3779227c3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

If file_contexts.bin was opened with SELABEL_OPT_VALIDATE set, then
we should validate contexts in the same manner as with file_contexts.

Change-Id: I08c1ba91c694c5483aa838833ff9d704aceca235
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Check to see if the file whose path is passed to selabel_open() starts
with the file_contexts.bin magic number, and if so, automatically
treat it as a file_contexts.bin file.  This allows one to open
file_contexts.bin formatted files without necessarily having a .bin
file suffix.  This removes the need for the previously added
.bin file suffix test.

Change-Id: I6a0cb303954cc6fa24c437ccc794104859eac24b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Add a selabel_cmp() interface for comparing two label configurations,
and implement it for the file backend (i.e. for file_contexts). This
allows comparing two file_contexts configurations to see if the first
is a subset of, equal/identical to, a superset of, or incomparable to
the second.  The motivating use case is to allow comparing two
file_contexts.bin files in Android CTS to confirm that a device
file_contexts.bin file contains all of the entries in the AOSP
general file_contexts.

Change-Id: I0fe63e0c7f11ae067b5aac2f468f7842e5d76986
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Switch the libselinux android code to load file_contexts.bin
rather than file_contexts.  While the label_file backend already
looks for the .bin file even if the caller only asked for the
text file, the Android-specific code in libselinux also directly
opens the path in order to compute the hash to compare and store
in the security.restorecon_last xattr, and it directly calls
access(2) on the path to confirm that all the expected policy
files exist before using any /data/security policy.  So we need
to change it here as well.

Depends on I75a781100082c23536f70ce3603f7de42408b5ba

Change-Id: I43806d564b83d57f05f5c36c8eba7b1ff4831b04
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

At present, the label_file backend expects to be provided the path
to the text file_contexts file and always appends the .bin suffix
when checking for the binary file_contexts.bin file.  If one
attempts to directly specify the path to a file_contexts.bin file
to selabel_open(), it will fail as the code will append a second
.bin suffix to it.  Check to see if the file path already has a .bin
suffix and do not append it in that case.

Change-Id: Id560d093440a2aba99cef28c20133b35feebf950
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change the label_file backend in libselinux to support systems
that only have file_contexts.bin files installed and do not ship
a file_contexts file at all.  Only fail if neither file can be
loaded.

Change-Id: I15660f4b3e4c5cb8ae0ec1498c74d6fcbb9a0400
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit 'be86166f':
  restorecon: do not set security.restorecon_last on ramfs and tmpfs

* commit 'be86166f':
  restorecon: do not set security.restorecon_last on ramfs and tmpfs

When setting the last value for restorecon, it should skip over the
ramfs and tmpfs, as setting last on non-persistent file systems
makes no sense. Notably, this avoids triggering a CAP_SYS_ADMIN
capability check and a SELinux setattr permission check to the
file when applying restorecon to ramfs or tmpfs filesystems.

Change-Id: I7e7ebaa9d62c7bc6a5587cc9c472dcb4a7a49513
Signed-off-by: William Roberts <william.c.roberts@intel.com>

* commit '6d0b91bb':
  libselinux: Enhance spec file support

* commit '6d0b91bb':
  libselinux: Enhance spec file support

This file labeling update brings libselinux into line with upstream
selinux except for minor changes to support MacOS X and Bionic.

Update file labeling to support a PCRE formatted binary
file_contexts file. The file is generated on the host using
sefcontext_compile. Should the bin file not be present (because the
build process has not been implemented yet) or corrupt, the load process
will fallback to the text file.
Using the current emulator file_contexts file containing 321 lines
(64 of which are blank or comments), the binary file loads
approximately 50% faster than the text file.

The processing of text spec files (file_contexts and property_contexts)
now uses the read_spec_entries function instead of sscanf.

To test the file_contexts.bin functionality requires an update to
external/sepolicy/Android.mk to build the binary file for the device
and also adding a 'file_contexts.bin' entry to the
build/target/product/embedded.mk file under the SELinux PRODUCT_PACKAGES.
These updates are available in the appropriate projects.

Major changes in V2:
label_file.c - Move process_line function to label_file.h as this is also
used by utils/sefcontext_compile.c.
sefcontext_compile.c - Update to use common process_line code. Now frees
all malloc'ed memory, checked by valgrind.

Major changes in V3:
label_file.c - Improve error handling in process_file function.
sefcontext_compile.c - Add callback to ignore validation. Fixed error paths
to free/close memory, checked by valgrind.
label_file.h - Revert validation check now added callback to
sefcontext_compile.c.

Changes in V4:
label_file.c - linux/limits.h not supported on MacOS - change to limits.h.
Improve error handling in process_file function.
sefcontext_compile.c - linux/limits.h not spported on MacOS - change to
limits.h. Improve error handling in process_file function.

Changes in V5:
sefcontext_compile.c - Change callbacks so this can build on Android and
selinux upstream with no changes.
label_android_property.c and  label_internal.h - Minor formatting changes
to bring into line with selinux upstream.

Changes in V6:
sefcontext_compile.c - Revert to V3 callback now the problem has been
fixed by upstream commit e88914849490c3fc17b0e5ed67387e47f2701d3c
("libselinux: build sefcontext_compile with static libselinux") that
also hid read_spec_entries function as this is not intended as a
public interface for shared library users.
label_android_property.c - More minor formatting changes to bring
into line with selinux upstream.

Changes in V7:
Android.mk - Add darwin support
label_file.c - In process_file set rc for getline and correct
fopen to upstream.
sefcontext_compile.c - In process_file set rc for getline.

Change in V8:
Android.mk - Remove LOCAL_CFLAGS := -Wall -Werror

Changes in V9:
label_file.c - Fix file labels for regexes with metachars for text
file_contexts
label_support.c - Fix if file_contexts not '\n' terminated
If the last line of a file_contexts file is not '\n' terminated
or if any line has additional isspace(3) characters at end, it
gave an invalid file type error

Changes in V10
Fix file labels for regexes with metachars for binary
file_contexts This change adds a new entry in the binary file with
the calculated prefix length that is then read when processing the
file. This fix also bumps SELINUX_COMPILED_FCONTEXT_MAX_VERS.

Change-Id: Ief0d3a6a5fbffc785b02d9dffb416f837000e61c

* commit '5b4ddd76':
  Revert "libselinux: Enhance spec file support"

This reverts commit c0798527.

There is a change in how file names are matched. Unescaped periods are
no longer treated like a regex period (matching any character including
an actual period). For example in devices/moto/shamu/sepolicy/file_contexts,
several of the block devices have unescaped periods. These partitions
do not receive their proper label, and the device fails to boot.

Bug: 22104578
Change-Id: Iffc60beb24a79a80c110d4f2b0b91f3220615586

* commit '09ec61f7':
  libselinux: Enhance spec file support