GitLab

Rename module definition files to Android.bp to avoid conflicts
with another project called Blueprint.

Change-Id: Iffba1becf0122d386bac9183c92f5ff1a8b90d84

Change-Id: I85b39e22e473cfc13134ff813b0c22e3fe5baa44

upstream commit 685f4aeeadc0b60f3770404d4f149610d656e3c8.

SELinux can be disabled via the selinux=0 kernel parameter or via
/sys/fs/selinux/disable (triggered by setting SELINUX=disabled in
/etc/selinux/config).  In either case, selinuxfs will be unmounted
and unregistered and therefore it is sufficient to check for the
selinuxfs mount.  We do not need to check for no-policy-loaded and
treat that as SELinux-disabled anymore; that is a relic of Fedora Core 2
days.  Drop the no-policy-loaded test, which was a bit of a hack anyway
(checking whether getcon_raw() returned "kernel" as that can only happen
if no policy is yet loaded and therefore security_sid_to_context() only
has the initial SID name available to return as the context).

May possibly fix https://bugzilla.redhat.com/show_bug.cgi?id=1195074


by virtue of removing the call to getcon_raw() and therefore avoiding
use of tls on is_selinux_enabled() calls.  Regardless, it will make
is_selinux_enabled() faster and simpler.

[sds:  Adapted for the Android libselinux port.  Also drops the
fallback to scanning /proc/filesystems for selinuxfs as this was
already done upstream; init mounts selinuxfs via libselinux prior to any
is_selinux_enabled() checks.  The tls bug is not relevant in Android
since the Android libselinux port does not use tls, but this change
is nonetheless useful to optimize is_selinux_enabled().]

Change-Id: Ia8b484a3a2fe7f604b0bfb8f5b109ad7674c1152
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This fixes build warnings:
build/core/copy_headers.mk:15: warning: overriding commands for target
`out/host/linux-x86/obj/include/selinux/selinux.h'

Change-Id: Ie64a43856f7fd3759d84a6d3a5b897040cb648f3

Bug: 19908228
Change-Id: I618938a5a487d5d9ed8d961f85b4b584f419a1d0

/data/data and /data/user are treated differently when doing relabeling.
Specifically:

1) /data/data should be labeled by init.
2) files / directories within /data/data should NOT be labeled by init,
   only by installd at system_server's request.
3) /data/user should be labeled by init.
4) subdirectories one level deep under /data/user should be labeled
   by init.
5) subdirectories more than one level deep under /data/user
   should NOT be labeled by init, only by installd at system_server's
   request.

Commit 4766bfa9 inadvertantly applied
the same rules to /data/data that we use for /data/user, resulting
in init attempting to label directories one level deep in /data/data.
Restore the line to the version before 4766bfa9.

While we're here, fix the following compiler warning:

  external/libselinux/src/android.c:1059:45: warning: trigraph ??- ignored, use -trigraphs to enable [-Wtrigraphs]
  #define EXPAND_USER_PATH "/mnt/expand/????????-????-????-????-????????????/user"
  ^

Bug: 20190506
Change-Id: I5dc6ada37c2bfd0904e341aabc3b7a123105a212

Expanded storage behaves mostly like the internal data storage,
including holding private app data.  To correctly apply SELinux
labels, this change defines a pattern for matching these new paths
which follow the format:

/mnt/expand/<UUID>/user/<N>

The owner user (0) is not special cased like internal storage, and
lives under the /user/0 directory.

Bug: 19993667
Change-Id: Ia3eb28440ff3a119f0a3892e636640cf59c01244

Change-Id: Ib956911fba8b51dec19856a20970cdce10a91cf0

* commit 'ab5e5faa':
  Change seapp_context isSystemServer to bool.

This brings it in line with the other is* members of struct seapp_context and
better reflects its usage.

Change-Id: I6e2d1891e7bd38b5164dfe66b66d698ad48323d5

* commit '51fc85bc':
  handle newlines in file names

restorecon on file names with newlines are not handled properly.
Use PCRE_DOTALL so that dots in regular expressions match all
characters, and don't exclude the newline character.

See https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg02001.html
for background.

Change-Id: I0dde8f2567305f746d19ebd75a9e2add7406eb9a

* commit '76d51845':
  libselinux:  Reject duplicate entries within seapp_contexts.

* commit '0f912a1c':
  libselinux:  Reject duplicate keys in seapp_context entries.

Presently it will leak the memory from the first definition and
use the last one in each line.  Treat it as an error instead and
fail.

Change-Id: I6a6383bf6ace59b1fd504c01047fd685c16c4849
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Presently it will permit duplicate entries (either duplicated
on input selectors or entirely) and whichever one ended up first
in the sorted list would win (and this would be arbitrary as
the comparison function would return 0 since they have the same
input selectors).

Treat it as an error instead and fail.

Change-Id: I611515699b35b04dfc5c5020b92a88bff24ca606
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '4ebfa148':
  libselinux:  drop sebool= support

* commit '4f033616':
  libselinux:  Add a README.android file.

Add a README.android file to libselinux explaining how it relates
to upstream, how it differs, and which new files were added.

Change-Id: I113f7fac5ed6a3f37fd65ce790fd59b2496998cc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise if we have a matching selinux_version but only a subset of
the expected policy files (sepolicy, *_contexts) under /data/security,
then we'll fail when attempting to open the missing files.

This does not check that mac_permissions.xml is present as that is only
opened and used by SELinuxMMAC, not by libselinux, but we should likely
change SELinuxMMAC to do the same.

The alternative would be to change the logic for opening each policy
file to fall back to the / policy if the /data/security policy is missing,
as we used to do before the /data/security support was first disabled and
then reworked to check selinux_version.  Then it would be valid once again
to merely push a sepolicy file or any other individual file with a
selinux_version file to /data/security/current without needing to copy
the rest of the files if they were unchanged.  That is how we used to
support pushing a policy with dontaudit rules stripped,
http://seandroid.bitbucket.org/AddressingHiddenDenials.html



I have updated those instructions to specify that all files must be
copied but it is a bit more cumbersome to do so.

Change-Id: I60f7ac1f6fa714c0b827a1edd008da172ef1c991
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

SELinux policy booleans are prohibited in AOSP, so we can drop the
support for the sebool= input selector.

Change-Id: I4828cdf1e5370b1dee7d1e887fd7a3d54be2d95d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

I5d6d6eb7438361bbb072540c96361cef95c83a9e introduced a bug
in the policy reload logic such that we incorrectly (but harmlessly)
load policy twice from / on each boot and never load policy from
/data/security/current even if it is present.

Also, even prior to that change, we were failing to reload policy
from / if we previously had loaded a policy from /data/security/current
and that policy was removed.

Fix the bugs.  Also correct the comments to drop the obsolete
reference to safe mode and to reflect the updated code.

Change-Id: I7b53c91c5681764009de453ff104a72cd26d7c2e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '3e04b8be':
  libselinux:  pcre_study can return NULL without error.

* commit '3463ebca':
  Coding style fix for sizeof operator.

* commit '6f1b8911':
  Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.

* commit '9746c0bd':
  libselinux: assert if avc_init() not called

Per the man page, pcre_study can return NULL without error if
it could not find any additional information.  Errors are indicated
by the combination of a NULL return value and a non-NULL error string.
Fix the handling so that we do not incorrectly reject file_contexts
entries.

Change-Id: I2e7b7e01d85d96dd7fe78545d3ee3834281c4eba
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit dcd8167f7722c1f00c71f54af5425434da2d6cbc upstream.

Change-Id: I3373f01811d93348801fa8ae4156ab4edd6f259b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit 8b114a3bf25b7b818910cca77528de80cdb953f8 upstream.

If we get an EINVAL from security_compute_av* (indicates an invalid
source or target security context, likely due to a policy reload that
removed one or the other) and we are in permissive mode, then handle it
like any other permission denial, i.e. log but do not deny it.

Change-Id: I6cb5f06e7468d685b647513ed7a653f2f6676a2a
Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit ed5dc69dad117006ba9dddf258e064431bb96cfb upstream.

To simplify finding why programs don't work, assert that avc_init() was
called any time avc functions are called.  This means we won't get
'random' segfaults and will instead be able to hopefully quickly
determine what we did wrong as application developers.

Change-Id: Ief8590b332d4e8ecf369cd0a4c661d7735303254
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>

commit 3b5e45f004e508cca8958f6e3a46961753af291e upstream.

Change-Id: I4675c538266bea7858e3f716eb431be9c99f44b7
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>

* commit '1502e6f6':
  libselinux: Don't reinitialize avc_init if it has been called previously

* commit '3dd432b3':
  Log an error on unknown classes and permissions.

* commit 'e5331eb7':
  libselinux: take security_deny_unknown into account

* commit '6415d3e6':
  libselinux: Remove unused flush_class_cache method

* commit '3fbac6e7':
  libselinux: mapping fix for invalid class/perms after selinux_set_mapping call