GitLab

On FBE devices, the filenames inside credential-encrypted directories
are mangled until the key is installed.  This means the initial
restorecon at boot needs to skip these directories until the keys
are installed.

This CL offers a flag that callers can use to request that well-known
CE directories be skipped during a restorecon.

Bug: 30126557
Change-Id: I5f3bb6615bae0654ff344a83029025e557d1aff0

getpidcon documentation does not specify that a pid of 0 refers to the
current process, and getcon exists specifically to provide this
functionality, and getpidcon(getpid()) would provide it as well.
Disallow pid values <= 0 that may lead to unintended behavior in
userspace object managers.

(from upstream commit: c7cf5d8aa061b9616bf9d5e91139ce4fb40f532c)
(cherry-picked from commit: 034c53e9

)
Signed-off-by: Daniel Cashman <dcashman@android.com>
AOSP Bug: 200617
Bug: 27111481

Change-Id: I69b00df6413f5c3d566ac76cb4a464c97c167cdf

Returning -{ERRVAL} is a kernel return convention, but userspace errno
assignment and associated functions deal with the positive numbers.
Correct the errno assignment introduced in
commit: 78899de1.

(cherry-pick of commit: 034c53e9)

AOSP Bug: 200617
Bug: 27111481

Change-Id: I174dac888c06d096d361eab5efcde169f7899726

(cherry-pick of commit: https://android-review.googlesource.com/#/c/203372/)
AOSP Bug: 200617
Bug: 27111481

Change-Id: Ib269a35686aa19b4b57697886ae27913842b707a

Inserting non-ascii characters into the following files:
 * file_contexts
 * property_contexts
 * service_contexts
can cause a failure on labeling but still result in a successful
build.

Hard error on non-ascii characters with:
<path>:  line 229 error due to: Non-ASCII characters found
Signed-off-by: William Roberts <william.c.roberts@intel.com>

(cherry picked from commit de7b594a)

Change-Id: I3ae442e4673490f1815f3cae4eed494a8d68d1dc

am: 256ae129

* commit '256ae129':
  Move libselinux from libmincrypt to BoringSSL.

I don't think there was any reason to statically link libmincrypt,
so I'm dynamically linking BoringSSL.

Also remove unnecessary manual additions to the include path.

Change-Id: Id07daa3bd79ca3db7e6141dee70b9bbe6fb89ea1

am: 589c5ac4

* commit '589c5ac4':
  libselinux: stop copying headers

Copying headers causes problems for dependency tracking, as any module
can include the copied header without depending on the module.  Replace
LOCAL_COPY_HEADERS with LOCAL_EXPORT_C_INCLUDE_DIRS.

Change-Id: Ic3343fc6b8978d59d1ef48ebdb9a96470bb27232

am: 8b78078d

* commit '8b78078d':
  Create selinux_android_setcon()

System properties are backed by various property files that are
mmap()'ed into a process's address space.  setcon() does not revoke
access to such mmap()'ed regions, so we may leak access to property
files when moving to a more restrictive context.

This commit creates a new selinux_android_setcon() function that
explicitly reinitializes system properties after
calling setcon() to ensure that no leaks occur.

This new function is used in place of setcon() in
selinux_android_setcontext().

Bug 26114086

Change-Id: I631a8d6f3f474f62b2b4ecca3c842a0700486ddd

am: be5f860e

* commit 'be5f860e':
  Correct line count for property and service contexts files

When a line number is displayed for context errors they are
x2 the correct value, so reset line count for each pass.

Change-Id: I03cc6320b22d52ce989dafe4c8ecd854540d1367
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>

am: 02df2e30

* commit '02df2e30':
  libselinux: use /proc/thread-self when available

am: c821cc2e

* commit 'c821cc2e':
  Support for new file-based encryption paths.

We're adding "/data/user_de" paths which belong to apps, but are
encrypted with a different set of keys.  All the same security
labels from "/data/user" paths should apply.

Bug: 22358539
Change-Id: I7594d382da140c8fa4261a0fb271ff1d762cfb15

Add isAutoPlayApp selector

isAutoPlayApp is set when the seinfo value assigned by PackageManager
contains ":autoplayapp"

Change-Id: I5cd154257eb227a613a6a0c26f1b171500a401df

am: a83098b6

* commit 'a83098b6':
  fix memory leaks and uninitialized jump

am: 0f520fac

* commit '0f520fac':
  fix memory leaks and uninitialized jump

Some error's were reported by valgrind (below) fix them. The test
cases on which these leaks were detected:

1. properly formed file_contexts file.
2. malformed file_contexts file, unknown type.
3. malformed file_contexts file, type that fails on validate callback.
4. malformed file_contexts file, invalid regex.
5. malformed file_contexts file, invalid mode.

==3819== Conditional jump or move depends on uninitialised value(s)
==3819==    at 0x12A682: closef (label_file.c:577)
==3819==    by 0x12A196: selabel_close (label.c:163)
==3819==    by 0x10A2FD: cleanup (checkfc.c:218)
==3819==    by 0x5089258: __run_exit_handlers (exit.c:82)
==3819==    by 0x50892A4: exit (exit.c:104)
==3819==    by 0x10A231: main (checkfc.c:361)
==3819==  Uninitialised value was created by a heap allocation
==3819==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3819==    by 0x4C2CF1F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3819==    by 0x12BB31: process_file (label_file.h:273)
==3819==    by 0x12A2BA: selabel_file_init (label_file.c:522)
==3819==    by 0x12A0BB: selabel_open (label.c:88)
==3819==    by 0x10A038: main (checkfc.c:292)
==3819==
==3819==
==3819== HEAP SUMMARY:
==3819==     in use at exit: 729 bytes in 19 blocks
==3819==   total heap usage: 21,126 allocs, 21,107 frees, 923,854 bytes allocated
==3819==
==3819== 81 bytes in 1 blocks are definitely lost in loss record 1 of 2
==3819==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3819==    by 0x50D5839: strdup (strdup.c:42)
==3819==    by 0x12A2A6: selabel_file_init (label_file.c:517)
==3819==    by 0x12A0BB: selabel_open (label.c:88)
==3819==    by 0x10A038: main (checkfc.c:292)
==3819==

==4238== 40 bytes in 1 blocks are definitely lost in loss record 1 of 6
==4238==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238==    by 0x12A1D2: selabel_file_init (label_file.c:886)
==4238==    by 0x12A0BB: selabel_open (label.c:88)
==4238==    by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 81 bytes in 1 blocks are definitely lost in loss record 2 of 6
==4238==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238==    by 0x50D5839: strdup (strdup.c:42)
==4238==    by 0x12A2A6: selabel_file_init (label_file.c:517)
==4238==    by 0x12A0BB: selabel_open (label.c:88)
==4238==    by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 386 bytes in 24 blocks are definitely lost in loss record 3 of 6
==4238==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238==    by 0x50D5889: strndup (strndup.c:45)
==4238==    by 0x12CDDF: read_spec_entries (label_support.c:37)
==4238==    by 0x12B72D: process_file (label_file.h:392)
==4238==    by 0x12A2BA: selabel_file_init (label_file.c:522)
==4238==    by 0x12A0BB: selabel_open (label.c:88)
==4238==    by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 648 bytes in 18 blocks are definitely lost in loss record 4 of 6
==4238==    at 0x4C2CC70: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238==    by 0x117C9B: avtab_insert_node (avtab.c:105)
==4238==    by 0x117C10: avtab_insert (avtab.c:163)
==4238==    by 0x11880A: avtab_read_item (avtab.c:566)
==4238==    by 0x118BD3: avtab_read (avtab.c:600)
==4238==    by 0x125BDD: policydb_read (policydb.c:3854)
==4238==    by 0x109F87: main (checkfc.c:273)
==4238==
==4238== 1,095 bytes in 12 blocks are definitely lost in loss record 5 of 6
==4238==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238==    by 0x12D8D1: pcre_compile2 (pcre_compile.c:9217)
==4238==    by 0x12B239: compile_regex (label_file.h:357)
==4238==    by 0x12B9C7: process_file (label_file.h:429)
==4238==    by 0x12A2BA: selabel_file_init (label_file.c:522)
==4238==    by 0x12A0BB: selabel_open (label.c:88)
==4238==    by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 1,296 bytes in 12 blocks are definitely lost in loss record 6 of 6
==4238==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238==    by 0x13EBE5: pcre_study (pcre_study.c:1565)
==4238==    by 0x12B25D: compile_regex (label_file.h:366)
==4238==    by 0x12B9C7: process_file (label_file.h:429)
==4238==    by 0x12A2BA: selabel_file_init (label_file.c:522)
==4238==    by 0x12A0BB: selabel_open (label.c:88)
==4238==    by 0x10A038: main (checkfc.c:292)

Change-Id: I2f7ed4ffbdcc3d0646f7caf66187d87347220c60
Signed-off-by: William Roberts <william.c.roberts@intel.com>

am: ca65fd51

* commit 'ca65fd51':
  Use libpackageparser

am: 6d5e6edc

* commit '6d5e6edc':
  Use libpackageparser

Switch from the internal packages.list parser implementation
to a common parser library.

Change-Id: I7aee10c9395310919779ed2463aab6b2f8b380cc
Signed-off-by: William Roberts <william.c.roberts@intel.com>

* commit '04badd25':
  Add privapp flag to libselinux

* commit '2857a7ec':
  Add privapp flag to libselinux

Run privileged apps in their own domain. Search seinfo string for
":privapp" specifier.

Motivation:
Untrusted_app is overprivileged due to the inclusion of privileged
apps like gmscore, play store and finsky. Moving these and other
privileged apps to their own domain reduces the permissions required
by untrusted_app.

A separate priv_app domain also protects priv-apps by further
isolating them from third party apps.

Bug: 22033466
Change-Id: I6e85ae13cbd130415600ecc25ef8ac053a19d0d8

* commit 'a31a56a6':
  audit: log permissive from access decision

* commit '80890a97':
  audit: log permissive from access decision

The userspace object managers were missing the permissive=0|1 as found in the
kernel logs. This is important when debugging potential policy issues.

To remedy this, add the permissive result from the access decision at the
end of the audit logs. A shortened log sample from Android:

avc:  denied  { find } <snip> tclass=service_manager permissive=1

Change-Id: Ic92852f3bad258982d8f68dc93d978612a52db04
Signed-off-by: William Roberts <william.c.roberts@intel.com>

* commit 'deb18b51':
  Enable restorecon to properly label symlinks.

* commit '0feca1dd':
  Enable restorecon to properly label symlinks.

* commit '87ceb1e2':
  Enable restorecon to properly label symlinks.

commit: 06d45512 changed restorecon to only
operate on paths which had undergone a realpath transformation.  Unfortunately,
this made it impossible to directly restorecon a symlink, since the symlink
would be followed.  Change restorecon to only perform realpath on the directory
prefix, so that symlinks can be labeled.

Bug: 21732016
Change-Id: Iebb5d5e9c637c2ef3da5d5674f73babf094af131

* commit '72a4168c':
  Fix mmap memory release for file labeling

* commit '3763c321':
  Fix mmap memory release for file labeling

* commit 'd4b197ab':
  Fix mmap memory release for file labeling