Commit Graph

1032 Commits

Author SHA1 Message Date
vvb2060
48fcf8bba0 Copy over Android specific config bits 2024-03-19 02:52:32 -07:00
残页
6c226ef9e6 No more policydb validation
Validation is useless in magiskpolicy's use case, and now it turns out the new more strict validation breaks compatibility with some existing devices, so skip it.
2024-03-19 02:50:46 -07:00
topjohnwu
368f68e140 Revert "libsepol: Make an unknown permission an error in CIL"
There are still invalid CILs out in the wild on Android.
Do not throw an error in this case, preserve the old behavior.

This reverts commit dc4e54126b.
2024-03-19 02:50:46 -07:00
topjohnwu
161e64dfe7 Export several function symbols
We need to access several non-exported functions in magiskpolicy.
2024-03-19 02:50:46 -07:00
topjohnwu
2638c3a548 Add Android M policy compatibility
Source: https://android-review.googlesource.com/c/kernel/common/+/179568/2/security/selinux/ss/avtab.c

Co-authored-by: canyie <a1364259@163.com>
2024-03-19 02:50:46 -07:00
topjohnwu
a922c8457e Prebuild cil_lexer with flex 2024-03-19 02:50:46 -07:00
Thiébaud Weksteen
a9f20263fd Merge tag '3.5' into master
We were previously on 3.5-rc2, there has been only little changes since
then.

Followed the steps:
  repo start update_3.5 .
  git merge 3.5 --no-ff # No merge conflicts were found.
  lunch && m
  repo upload .
  # Update METADATA in a separate change.

Test: TH
Change-Id: If88fe90d2cbdb1ba6a279cba8b397cd2c808c6ab
2023-03-21 15:27:40 +11:00
Jason Zaman
d6e96c5929
Update VERSIONs to 3.5 for release.
Signed-off-by: Jason Zaman <jason@perfinion.com>
2023-02-23 05:16:11 -08:00
Jason Zaman
83e56c8a8b
Update VERSIONs to 3.5-rc3 for release.
Signed-off-by: Jason Zaman <jason@perfinion.com>
2023-02-10 22:32:13 -08:00
Inseob Kim
ad990cb28b Merge remote-tracking branch 'aosp/upstream-master' into HEAD
Bug: 262469329
Test: build and boot cuttlefish
Change-Id: Ic97540265491a501cd89f40f46bf1f97d6a753e2
2023-01-16 13:45:35 +09:00
Jason Zaman
3ccea01c69
Update VERSIONs to 3.5-rc2 for release.
Signed-off-by: Jason Zaman <jason@perfinion.com>
2023-01-15 15:40:55 -08:00
Christian Göttsche
986a3fe27e libsepol: do not write empty class definitions
Do not write class definitions for classes without any permission and
any inherited common class.  The classes are already declared in
write_class_decl_rules_to_conf().  Skipping those empty definitions,
which are equal to the corresponding class declarations, will enable to
parse the generated policy conf file with checkpolicy, as checkpolicy
does not accept class declarations after initial sid declarations.

This will enable simple round-trip tests with checkpolicy.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-01-11 08:48:19 -05:00
Christian Göttsche
b32e85cf67 Correct misc typos
Found by codespell(1) and typos[1].

[1]: https://github.com/crate-ci/typos

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-01-11 08:45:08 -05:00
Christian Göttsche
fa936a0a30 libsepol: reject attributes in type av rules for kernel policies
The kernel does not support type attributes as source or target in type
av rules (type_transition, type_member, type_change)[1].  Such rules
should have been expanded[2].

[1]: abe3c63144/security/selinux/ss/services.c (L1843)
[2]: 0a8c177dac/libsepol/src/expand.c (L1981)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-01-11 08:43:09 -05:00
Jason Zaman
013ecfd7fa Update VERSIONs to 3.5-rc1 for release.
Signed-off-by: Jason Zaman <jason@perfinion.com>
2022-12-22 13:10:26 -08:00
Thiébaud Weksteen
4d132a10b0 Fix build after upstream merge
- Reference renamed file: COPYING -> LICENSE in Android.bp
- Fix constext_str calls now returning const char *
- Comment out cil_write_src_info_node which is not used on Android
- Include new selinux_internal.c source file

Bug: 253327909
Test: build and boot on bramble
Test: sediff between current and new policy; no change
Change-Id: I506479befb3c0b99136cd842b2a77a6a8bea18ed
2022-11-25 14:10:15 +11:00
Christian Göttsche
7c0a84c8cc libsepol/tests: add tests for neverallow assertions
Add tests for neverallow assertion checks.
This creates a foundation for the status quo, and enables to spot
regressions in future changes to the - quite complex - assertion logic.
One example is the support for not-self rules.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-11-21 14:34:37 -05:00
Christian Göttsche
c54dd0fab7 libsepol/tests: use more strict compiler options
Use the more strict C compiler warnings from the root Makefile.

Also fail on warnings from the m4 macro processor.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-11-21 14:34:20 -05:00
Christian Göttsche
06df377829 libsepol: simplify string copying
Use strdup(3) instead of allocating memory and then manually copying the
content.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-11-21 14:30:26 -05:00
Thiébaud Weksteen
a5d093d150 Merge remote-tracking branch 'aosp/upstream-master' into rebase_20221110
Fix conflict in libselinux/src/label.c

Bug: 253327909
Test: n/a; follow up commit for fixing build
Change-Id: Ibdd5e384dda9e995dc52574dbcc7ad8d89698dc3
2022-11-14 14:29:35 +11:00
Christian Göttsche
3f11c7d19c libsepol/cil: restore error on context rule conflicts
Commit bc26ddc59c ("libsepol/cil: Limit the amount of reporting for
context rule conflicts") reworked the processing of context rule
conflicts to limit the number of written conflicting statements to
increase readability of the printed error message.  It forgot to set the
return value, signaling a context conflict, in the case the logging
level is higher than warning (e.g. in semodule(8), which defaults to
error).

Reported-by: Milos Malik <mmalik@redhat.com> [1]
Fixes: bc26ddc59c ("libsepol/cil: Limit the amount of reporting for context rule conflicts")

[1]: https://lore.kernel.org/selinux/87y1u1rkoo.fsf@redhat.com/

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-10-13 11:24:00 -04:00
Paul Moore
a0a216ff7d docs: provide a top level LICENSE file
Provide a top level LICENSE file explaining how multiple the SELinux
userspace is released under multiple different licenses.  Also ensure
that all the different license files share a consistent file name,
LICENSE, to make it easier for people to identify the license files.

This is to help meet the OpenSSF Best Practices requirements.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2022-10-05 08:20:38 -04:00
Juraj Marcin
eca72d8e47 libsepol: fix missing double quotes in typetransition CIL rule
CIL Reference Guide defines typetransition rule with double quotes
around object name, but those are not present in the format string.

This patch fixes this issue, so the CIL output produced by
sepol_kernel_policydb_to_cil() is in the correct format.

Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
2022-09-01 09:26:56 -04:00
Christian Göttsche
1e3c557425 libsepol: refactor ebitmap conversion in link.c
Refactor the ebitmap conversions in link.c into its own function.

Do not log an OOM message twice on type_set_or_convert() failure.

Drop the now unused state parameter from type_set_or_convert() and
type_set_convert().

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:48 -04:00
Christian Göttsche
d2d24b9331 libsepol: more strict validation
Validate that

  - each constraint has at least one expression
  - classes reference a valid common class identifier
  - the role flavor is either ROLE or ATTRIB
  - types reference a valid primary identifier
  - types refer to a raw type, not an attribute, as bounds
  - extended permissions in avtabs have a valid specifier
  - type av rules refer to a raw type (e.g. type_transition)
  - conditionals have at least one expression
  - the state and flags of conditionals are valid
  - filename transitions have at least one datum
  - low ports are not bigger than high ones in port ocontexts
  - genfs declarations refer to a valid class identifier
  - genfs declarations contains a filesystem name
  - filename transitions refer to a raw type
  - permissive types are raw ones
  - the range transition hashmap is valid
  - the type-attribute-maps are valid

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:44 -04:00
Christian Göttsche
858f660831 libsepol: rename parameter name
Do not use `bool` as a parameter name, for future C version support.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:40 -04:00
Christian Göttsche
9e6f8ed70e libsepol: operate on const pointers during validation
The actual policy should not be modified during validation, thus use
const pointers.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:37 -04:00
Christian Göttsche
d192e4d937 libsepol: support const avtab_t pointer in avtab_map()
The access vector table itself is not modified in avtab_map() thus
support passing a const pointer.

Logically the content might be changed by the passed callback, but C
does not support transitive const-ness well, and C also does not support
function overloading, e.g. like for strchr(3).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:34 -04:00
Christian Göttsche
938530171b libsepol: rename validate_policydb to policydb_validate
Most global functions operating on a policy database use policydb as
prefix.

Since this function is not exported there should not be any external
use.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:31 -04:00
Christian Göttsche
fc7bb9f05a libsepol: skip superfluous memset calls in ebitmap operations
The three members of struct ebitmap_node are all unconditionally
initialized.  Hinder compilers to optimize malloc() and memset() into
calloc(), which might be slightly slower.  Especially affects
ebitmap_or().

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:28 -04:00
Christian Göttsche
f174045525 libsepol: optimize ebitmap_xor
Iterate on nodes instead of single bits to save node resolution for each
single bit.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:25 -04:00
Christian Göttsche
efcd008148 libsepol: optimize ebitmap_and
Iterate on nodes instead of single bits to save node resolution for each
single bit.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:22 -04:00
Christian Göttsche
12a8a00bf2 libsepol: optimize ebitmap_not
Iterate on nodes instead of single bits to save node resolution for each
single bit.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:19 -04:00
Christian Göttsche
bc8f7b502b libsepol/cil: use ebitmap_init_range
Especially in the case of __cil_permissionx_expr_range_to_bitmap_helper()
it substitutes hundreds of thousand of calls to ebitmap_set_bit() during
semodule(8) on a policy widely using extended permissions.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:15 -04:00
Christian Göttsche
6f9e682c15 libsepol: add ebitmap_init_range
Add an initializer for ebitmaps that sets all bits in a given range to
save node traversals for each bit to set, compared to calling
ebitmap_init() followed by iterating ebitmap_set_bit().

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:13 -04:00
Christian Göttsche
490cd409e3 libsepol/tests: add ebitmap tests
Preparation for several ebitmap related optimizations.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:10 -04:00
Christian Göttsche
65b3f695be libsepol: enclose macro parameters and replacement lists in parentheses
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:06 -04:00
Christian Göttsche
85e73a22ff libsepol: include necessary headers in headers
Include policydb header file required for typedef policydb_t.

This is for example helpful when working with an IDE, which needs to
resolve those symbols.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:03 -04:00
Christian Göttsche
12beafe7ce libsepol: break circular include
Since `struct type_set` is forward declared including
policydb/policydb.h is not necessary and creates a circular include.

Also drop the unnecessary forward declaration of `struct policydb`.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:00 -04:00
Christian Göttsche
2651989d3b libsepol: do not modify policy during write
Do not modify the in memory default_range value of a class datum while
writing a policy.

While on it fix indentation.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-07-06 15:57:27 -04:00
Christian Göttsche
36bf1be1ca libsepol/utils: improve wording
A request is denied with SEPOL_COMPUTEAV_RBAC if the source role is not
allowed to transition to the target role, granted via a

    allow source_role target_role;

statement.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-07-06 15:57:24 -04:00
Nicolas Iooss
d2fecbb97b libsepol: initialize s in constraint_expr_eval_reason
clang's static analyzer reports that s[0] can be uninitialized when used
in:

    sprintf(tmp_buf, "%s %s\n",
                    xcontext ? "Validatetrans" : "Constraint",
                    s[0] ? "GRANTED" : "DENIED");

Silence this false-positive issue by making s always initialized.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: James Carter <jwcart2@gmail.com>
2022-07-06 15:57:18 -04:00
Christian Göttsche
f505a73b06 libsepol: avoid potential NULL dereference on optional parameter
The parameter `reason` of `context_struct_compute_av()` is optional and
can be passed in as NULL, like from `type_attribute_bounds_av()`.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-07-06 15:57:15 -04:00
sandrom
ef1f345fc9 Add cil_amend_policydb to android.c
Bug: 236691128
Test: atest seamendc-test
Change-Id: Ifde234bc5e9e15f8439292b0c6af3d5945a4f318
2022-07-06 14:42:11 +00:00
Christian Göttsche
88a703399f libsepol: fix validation of user declarations in modules
Users are allowed to be declared in modules. Modules do not get expanded
leaving the `struct user_datum` members `exp_range` and `exp_dfltlevel`
empty.
Do no validate the expanded range and level for modular polices.

Reported-by: bauen1 <j2468h@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-15 08:59:07 -04:00
Petr Lautrbach
3f23f07f01 libsepol: Drop unused assignment
Fixes:
cil/src/cil_build_ast.c:4622:4: warning[deadcode.DeadStores]: Value stored to 'rc' is never read

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-15 08:59:01 -04:00
Petr Lautrbach
0a8c177dac
Update VERSIONs to 3.4 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-05-18 16:51:03 +02:00
Ondrej Mosnacek
9e096e6ef0 libsepol,checkpolicy: add support for self keyword in type transitions
With the addition of the anon_inode class in the kernel, 'self'
transition rules became useful, but haven't been implemented.

The typetransition, typemember, and typechange statements share the
relevant code, so this patch implements the self keyword in all of them
at the TE language level and adds the support to the module policydb
format. Note that changing the kernel policydb format is not necessary
at all, as type transitions are always expanded in the kernel policydb.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:37:17 -04:00
Ondrej Mosnacek
539b066036 libsepol/cil: add support for self keyword in type transitions
With the addition of the anon_inode class in the kernel, 'self'
transition rules became useful, but haven't been implemented.

The typetransition, typemember, and typechange statements share the
relevant code, so this patch implements the self keyword in all of them
at the CIL level. It also adds basic coverage for the such 'self' rules
to the secilc test policy.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:37:05 -04:00
Petr Lautrbach
9df28c241a
Update VERSIONs to 3.4-rc3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-05-04 19:20:37 +02:00