GitLab

This reverts commit 1d857f3e.

This reverts commit 0f3a5e88.

This avoids the spurious double-lookup from calling restorecon.

Bug: 8967715
Change-Id: I3e92804dca245501ca974bda7a0d7d1c459c58da

Due to previous issues with make_ext4fs not zeroing out inode
tables and Nexus 10 not erasing partitions before flashing, some
devices during development were flashed with garbage in the
inode tables for unused inodes.  The kernel did not care, and
ignore the unused inodes, but if e2fsck ran for any reason, it
would find what it thought were lost inodes, and put them in
lost+found.

When selinux was enabled, it would reload the policy
on all files in /data, and when it traversed /lost+found, the
kernel would crash with weird ext4 errors.  We are pretty sure
this is due to bugs in the xattr code not handling potentially
bogus inodes, but we have not yet found the actual bug.  In
order to get the release out the door on time, this hack will
skip searching in lost+found directories.  This will be
fixed properly before the next release.

Bug: 8801548
Change-Id: If4cd78cf587cefa4cd2d41c4424034c5d5878b78

Change-Id: I9d83122e276a25d2e7c928b724344d5f3420af73

Change-Id: I980d526e999e602b6ab6ebfb7a5ddc7a4bd13785

Bug: 8116902
Change-Id: I066b32029ca6631d51e1d319477f5536c4fccbd5

Bug: 8116902

(cherry picked from commit 67c26622)

Change-Id: I2041b827240d1102060e2ec5a5de8ea1ff4e171c

Bug: 8116902

(cherry picked from commit 527959d2)

Change-Id: Ib1061e9b804e29a57116656626999cfc7b1513e4

/data/system is no longer supported as a possible
location for policy files, use /data/security instead.

Change-Id: I83e5014a9e2f64bd95c0f1be6cd463fd71a7025b

Add new location for policy, /data/security, which has
precedence over /data/system

Change-Id: If75da3889c75ca83eb7dbd6e5540657a4cf65831

Generalize levelFromUid support to support per-app, per-user,
or per-combination level assignment.  Adds a new levelFrom=none|app|user|all
syntax for specifying the desired behavior in seapp_contexts.
levelFromUid=true|false is still supported but translated to
levelFrom=app|none.

No change in existing behavior for existing seapp_contexts configurations.

Change-Id: I0e9c18ecf3113fa7079d2101899c92a241ef80a0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow the android property backend parser to accept the
SELABEL_OPT_VALIDATE option and to perform a validate
callback.

Change-Id: If061502c5e2489a1155798fac1d8357dbb8d13ba
Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>

Change-Id: If058da4431215fa4b6f895563ba13620b7d9a81a

Linux 3.0 introduced /sys/fs/selinux as the preferred mount point
directory for selinuxfs.  Upstream libselinux tries to mount selinuxfs
on /sys/fs/selinux first and falls back to /selinux if it doesn't exist.
Do likewise in Android.

Change-Id: Iec738ff7e2f13f809a271eb03f08ef6cd2582bd4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

debuggerd tries to restorecon on the tombstones directory which fails
when SELinux is not enabled in the kernel. That would return an error
condition to debuggerd which would then abort its attempt to dump the
stacks of the failing program.

Fix it here in case there are other places that might call this in the
future. Currently the only other caller is android_os_SELinux.cpp JNI
code.

Change-Id: Id73796a70174333b61fd04ee6b1d99fccbea8116

Change-Id: I7c0bdca5c9a1ffe428200a830c1b706fc8ed9675
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The app_* syntax was a legacy of the original approach of looking up
the username returned by getpwuid() and the original username encoding
scheme by bionic.  With the recent changes to move away from this approach,
there is no reason to retain that syntax.  Instead, just use _app to match
app UIDs and _isolated to match isolated service UIDs.  The underscore
prefix is to signify that these are not real usernames and to avoid
conflicts with any system usernames.

Requires a corresponding change to sepolicy.

Change-Id: I21f9f88415b653c1bf6332fc100d91d969c9da64
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Map the app IDs to a category pair rather than a single category.
With this scheme,  we can represent up to 2^16 app IDs, which exceeds
the maximum of 10000 imposed by Android.  This also only uses category
bits 0-511, so 512-1023 remain free for use for other purposes (or we
could shrink the number of categories defined in the policy).

Also perform other minor code cleanups previously suggested, e.g.
fix const declaration, use an enum rather than #define, correct %lu
to %u for format string, etc.

Change-Id: I5bb727bfb4297e3e13ba1ef078e41db3ea7d1b8f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Re-factor the logic shared by selinux_android_setfilecon2 and
selinux_android_setcontext into a common helper and replace the
use of getpwuid and username string parsing with direct use of
android_filesystem_config.h definitions.  Also map isolated UIDs
to a separate isolated key so that we can label them differently
in the future if desired.

Change-Id: If2f9def21222588b440a6cedcceec0434f6797fd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The policy version suffix support was carried over from conventional
Linux distributions, where we needed to support simultaneous installation
of multiple kernels and policies.  This isn't required for Android, so
get rid of it and thereby simplify the policy pathname.

Requires a corresponding change to sepolicy.

Change-Id: I061607f5fe6457e469b4834da6fc659d7ddca6f9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Move the SELinux enabled check to the once handler so that we do
not perform this on each call to selinux_check_access().  Reduces
overhead in both the SELinux-enabled and the SELinux-disabled cases.

Change-Id: I61fe85bc04fe53cbf840ba712c81bdb06e4e0c2f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Commit bf9441e in bionic introduced a new scheme for naming system uids
as secondary users (as part of multi-user support).  Update the libselinux
logic to correctly map these identities for lookup purposes in the
seapp_contexts configuration file.

This is not needed when used within the reload scenerio. We
actually need the file_contexts to be read multiple times.

These changes reflect changes made to init.
The sepolicy reload now happens in libselinux.

Allows the zygote to still spawn apps in the zygote's
context when no match is found in seapp_contexts. In
enforcing mode, apps that are not matched will not be
spawned. A "No match" message will (still) be printed
to logcat.

Change-Id: Ibe362cc8e168be7acae5162c9ff6a310233fcbe6

The seapp rule will containing an sebool clause will
ONLY be applied on a match to that boolean,
and only if the boolean is set to true.

Change-Id: Ifdba35cd3a78ce1c8173786514db649203018e28
Signed-off-by: William Roberts <w.roberts@sta.samsung.com>

This reverts commit 0beab968.

This patch will allow non-matched apps in seapp_contexts to
still be spawned via the zygote. An error message will be sent
to logcat.

Change-Id: I9fb5dcfeb384a26e6a01d69bffd2ef14af74c51c
Signed-off-by: William Roberts <w.roberts@sta.samsung.com>

Add function selinux_android_file_context_handle
that opens the correct file_contexts policy file
and returns the available sehandle object.