Commit Graph

5368 Commits

Author SHA1 Message Date
Sandro Montanari
90c0d6546d Introduce sdk_sandbox_audit SELinux domain
Bug: 295861450
Test: atest CtsSdkSandboxInprocessTests and adb shell ps -Z
Change-Id: Ic2dc4c854b3bbe5719b83fcd5504766a1e92e6a4
2023-10-26 10:05:49 +00:00
Thiébaud Weksteen
befd9372d7 Remove APEX sepolicy support am: e9448817b3
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2736178

Change-Id: I784f0839f4ce0d1aee5f87837529acd328f3e6f3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-06 04:08:27 +00:00
Thiébaud Weksteen
e9448817b3 Remove APEX sepolicy support
Test: boot aosp_cf_x86_64_phone
Bug: 297794885
Change-Id: Ia447f1ce783eb83db41454aaee5e93f7f09c36b1
2023-09-04 14:14:05 +10:00
Inseob Kim
03af209f74 Add a comment to keep in sync with CTS am: 5cfac38d10
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2709434

Change-Id: I38131daf2d6fb24828cd82f8cc9af501eefe7704
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-16 13:35:07 +00:00
Inseob Kim
5cfac38d10 Add a comment to keep in sync with CTS
Test: N/A
Change-Id: I8d8c5033bcd9553a7b33e2d3875cc387fc4ddb86
2023-08-16 11:15:48 +09:00
Inseob Kim
9f06a40585 Change seapp partition log to warning am: cde31a9d4d
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2685446

Change-Id: Ib55f9ee9ded8069ab5d51e074e658207e0a1296c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-01 09:09:05 +00:00
Inseob Kim
cde31a9d4d Change seapp partition log to warning
It makes more sense to print it as a warning, because it's not a hard
error for now (until we resolve all violations and create a compliance
test)

Bug: N/A
Test: boot
Change-Id: Iac5deb1f965394ecd4c2acb3711bd07317956236
2023-08-01 01:56:20 +00:00
Inseob Kim
85561b366a Give priority to platform side seapp_contexts am: 51fde66c16
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2671235

Change-Id: Ifebcd36ec4e164b2e65e4e4acd35e0f85140568f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-07-26 12:09:33 +00:00
Inseob Kim
51fde66c16 Give priority to platform side seapp_contexts
This is to remove duplicate errors while fixing seapp_contexts
violations (because old vendors still have the entries).

Bug: 280547417
Test: TH
Change-Id: I8c381dad6e8bf5e91148494b55278e124b845c13
2023-07-26 13:57:15 +09:00
Inseob Kim
066e9c5d2a Fix preinstalled app partition check am: e7d2d82bbb
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2672475

Change-Id: I21f87747dd2d9aeb46d8e086c972570c52f7ff52
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-07-26 01:23:50 +00:00
Inseob Kim
44b95e92a7 Check preinstalled app's partition am: be36d71068
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2670896

Change-Id: Ic4da60ec5b8b9af700614c41579b537aebce3f20
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-07-26 01:23:46 +00:00
Inseob Kim
e7d2d82bbb Fix preinstalled app partition check
There is a bug on the code checking the partition, so it's printing
wrong logcat messages. This fixes it by renaming the function name for
better readability.

Also it fixes a bug that the check only happens when levelFrom != NONE.

Bug: 291005833
Test: boot and see logcat
Merged-In: I2dd51a995d76b2c50dae2b2c4af8e3a3a4599408
Change-Id: I2dd51a995d76b2c50dae2b2c4af8e3a3a4599408
(cherry picked from commit 321c025259)
2023-07-25 10:33:06 +09:00
Inseob Kim
be36d71068 Check preinstalled app's partition
Bug: 280547417
Test: boot pixel and cuttlefish
Change-Id: I6ed125eff392020ace6686514e0a102dab1fb10f
Merged-In: I6ed125eff392020ace6686514e0a102dab1fb10f
(cherry picked from commit dc9f3516d7)
2023-07-25 10:32:35 +09:00
Inseob Kim
7e6718c196 Fix code detecting duplicated seapp_contexts entry am: c3d1e5a24a
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2658206

Change-Id: Ie55483272fdc4f99df6b7f3d800c16f8eabf60dc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-07-17 11:35:17 +00:00
Inseob Kim
c3d1e5a24a Fix code detecting duplicated seapp_contexts entry
There are two problems addressed by this change.

1) qsort doesn't compare all pairs of elements having the same
   precedence. We can't rely only on qsort's comparator to detect
   duplicates.

2) comparing logic is broken. For example,

        s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp

   really should be

        !s1->isPrivAppSet || s1->isPrivApp == s2->isPrivApp

Bug: 291528964
Test: manually create two duplicated entries and boot
Change-Id: Ieae4a7f5419e18636bb2fd5f70700faa4fa8acf1
2023-07-17 10:04:00 +00:00
Nikita Ioffe
f684be58ea selinux_android_restorecon: log if selinux is disabled am: f8cf22eba8 am: 7acef81958 am: bff9fe164f
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2628031

Change-Id: I844493a1abd5a36a47cf0ff7d1b07a1bc2b91865
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-16 16:10:38 +00:00
Nikita Ioffe
bff9fe164f selinux_android_restorecon: log if selinux is disabled am: f8cf22eba8 am: 7acef81958
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2628031

Change-Id: Ic724498e45e5b98e7d8071f31db1c59a0efbf309
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-16 15:21:14 +00:00
Nikita Ioffe
7acef81958 selinux_android_restorecon: log if selinux is disabled am: f8cf22eba8
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2628031

Change-Id: Iec5a861f6a1305e86a0afdd00191734ad967c9b3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-16 14:38:58 +00:00
Nikita Ioffe
f8cf22eba8 selinux_android_restorecon: log if selinux is disabled
Right now selinux_android_restorecon will silently succeed if selinux is
disabled which is confusing.

This change adds a log statement that should help with debugging issues
related to disabled selinux (see attached bug).

Bug: 284277137
Test: presubmit
Change-Id: I4ebc6400ac7188660658ef3cccfb7cbdc76c0f22
2023-06-16 12:59:16 +01:00
Mugdha Lakhani
ae7e95128b [automerger skipped] Add applySdkSandboxNextRestrictions flag am: 8c40c00f3d -s ours
am skip reason: Merged-In I175229d135d99516dd6f38b8963d0ccc93a61a4f with SHA-1 e1c842285b is already in history

Original change: https://googleplex-android-review.googlesource.com/c/platform/external/selinux/+/23149989

Change-Id: I424096c54e2704b550904d6356910d0f9b042e80
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-12 23:59:26 +00:00
Mugdha Lakhani
263eed616d Add applySdkSandboxNextRestrictions flag am: e1c842285b am: 630c8c01c5 am: d5783f3391
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2584678

Change-Id: I5616bebdc478d6c6ad98a7d8aee93366d0f0511d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-12 12:42:39 +00:00
Mugdha Lakhani
d5783f3391 Add applySdkSandboxNextRestrictions flag am: e1c842285b am: 630c8c01c5
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2584678

Change-Id: I93b0b5bd53a32e662f5489502c7261a25802a747
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-12 11:56:58 +00:00
Mugdha Lakhani
630c8c01c5 Add applySdkSandboxNextRestrictions flag am: e1c842285b
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2584678

Change-Id: I813a7f18bc14084a7a81cb7a61804356981908f6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-12 11:18:03 +00:00
Mugdha Lakhani
8c40c00f3d Add applySdkSandboxNextRestrictions flag
seapp_context_lookup_internal applies a flag that is referenced in
seapp_contexts based on the seInfo string passed to it.

This enables testers to test out the set of restriction planned the
next SDK version and give feedback before we decide on the actual
restrictions for the next release.

Bug: b/270148964
Test: manual test app and adb shell ps -Z
Change-Id: I175229d135d99516dd6f38b8963d0ccc93a61a4f
Merged-In: I175229d135d99516dd6f38b8963d0ccc93a61a4f
2023-05-11 18:07:06 +00:00
Mugdha Lakhani
e1c842285b Add applySdkSandboxNextRestrictions flag
seapp_context_lookup_internal applies a flag that is referenced in
seapp_contexts based on the seInfo string passed to it.

This enables testers to test out the set of restriction planned the
next SDK version and give feedback before we decide on the actual
restrictions for the next release.

Bug: b/270148964
Test: manual test app and adb shell ps -Z
Change-Id: I175229d135d99516dd6f38b8963d0ccc93a61a4f
2023-05-11 17:48:51 +00:00
Thiébaud Weksteen
0db1ceb25e Skip newlines for SELinux logs am: 366f01fd64 am: 273398f7b8 am: 829be6bea0
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2519660

Change-Id: Ib80972ee47715b990e2d47fd5dc1535438f643b8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-04-06 01:06:25 +00:00
Thiébaud Weksteen
829be6bea0 Skip newlines for SELinux logs am: 366f01fd64 am: 273398f7b8
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2519660

Change-Id: I6772f7091545c8bb28d6baceca652e4f837f7f22
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-04-06 00:37:40 +00:00
Thiébaud Weksteen
273398f7b8 Skip newlines for SELinux logs am: 366f01fd64
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2519660

Change-Id: Ifd367114af3b93af5a4cc5113205fbe4e3a71d64
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-04-06 00:06:50 +00:00
Thiébaud Weksteen
366f01fd64 Skip newlines for SELinux logs
libselinux log messages usually end with a new line character. Android
log system does not require the new line character and will include the
character as-is in the log buffer.

selinux_log_callback and selinux_vendor_log_callback implementations are
merged as they provide similar functionalities.

Match the indentation (i.e., tabs) with the rest of the file.

Test: boot & inspect logcat
Change-Id: I0a5e53b8f048c65f29c5df3bd7e0b38f523e42cd
2023-04-04 10:26:19 +10:00
Thiébaud Weksteen
a427bb67d6 Update METADATA am: 1b0711d5d8 am: 4e0321dd1b am: dfdc062b10
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2496623

Change-Id: Ibb19361e5d802bed14df8cabe0473ca085be0d2a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-22 00:35:13 +00:00
Thiébaud Weksteen
168d1f78d2 Merge tag '3.5' into master am: a9f20263fd am: f01db3250c am: 020ef46b19
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2496622

Change-Id: I1c1b95d5d3681d0d8c74feb6574027e2e8c412a2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-22 00:35:10 +00:00
Thiébaud Weksteen
dfdc062b10 Update METADATA am: 1b0711d5d8 am: 4e0321dd1b
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2496623

Change-Id: I37147f60d761b1e15362f644e1f13f9bae491245
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-21 23:57:54 +00:00
Thiébaud Weksteen
020ef46b19 Merge tag '3.5' into master am: a9f20263fd am: f01db3250c
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2496622

Change-Id: I69f980d27eff7c10a8623ee54df4e6c95b4b4456
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-21 23:57:52 +00:00
Thiébaud Weksteen
4e0321dd1b Update METADATA am: 1b0711d5d8
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2496623

Change-Id: I4aa75645611b056d80a9d1e5209d609cf5822b26
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-21 23:19:25 +00:00
Thiébaud Weksteen
f01db3250c Merge tag '3.5' into master am: a9f20263fd
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2496622

Change-Id: Iff9a1447e6b1d649c30142faaf31b352de9920c0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-21 23:19:21 +00:00
Thiébaud Weksteen
1b0711d5d8 Update METADATA
Test: n/a
Change-Id: I711efac83c599844e6bc80301998fe8c89345e05
2023-03-21 15:31:10 +11:00
Thiébaud Weksteen
a9f20263fd Merge tag '3.5' into master
We were previously on 3.5-rc2, there has been only little changes since
then.

Followed the steps:
  repo start update_3.5 .
  git merge 3.5 --no-ff # No merge conflicts were found.
  lunch && m
  repo upload .
  # Update METADATA in a separate change.

Test: TH
Change-Id: If88fe90d2cbdb1ba6a279cba8b397cd2c808c6ab
2023-03-21 15:27:40 +11:00
Jason Zaman
d6e96c5929
Update VERSIONs to 3.5 for release.
Signed-off-by: Jason Zaman <jason@perfinion.com>
2023-02-23 05:16:11 -08:00
Sadaf Ebrahimi
5cc354a639 Adding METADATA file to selinux am: 5f377c52fa am: 1a5c7b7037 am: 0e8930c697
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2441187

Change-Id: I53559464b81d13749f8ac9dc69fd4b95ad68aa0a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-21 19:31:33 +00:00
Sadaf Ebrahimi
0e8930c697 Adding METADATA file to selinux am: 5f377c52fa am: 1a5c7b7037
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2441187

Change-Id: I79d3c988f34a95a6d0f21768e097ebc4df7ec041
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-21 18:17:35 +00:00
Sadaf Ebrahimi
1a5c7b7037 Adding METADATA file to selinux am: 5f377c52fa
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2441187

Change-Id: Ia7bc8cd4bff23d3a278d751eebfeecdc8c9e5144
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-21 17:15:32 +00:00
Sadaf Ebrahimi
5f377c52fa Adding METADATA file to selinux
Test: TreeHugger
Change-Id: I4ff048c7adf2fd07431590d04f56ae6d34cbf603
2023-02-16 21:01:46 +00:00
Jason Zaman
83e56c8a8b
Update VERSIONs to 3.5-rc3 for release.
Signed-off-by: Jason Zaman <jason@perfinion.com>
2023-02-10 22:32:13 -08:00
Christian Göttsche
49e65b85d6 libselinux: getcon.3: add note about PID races
Add a note that querying a foreign process via its PID is inherently
racy.

Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
2023-02-10 22:23:17 -08:00
Christian Göttsche
494eb683f3 libselinux: add getpidprevcon
Add the public interfaces getpidprevcon(3) and getpidprevcon_raw(3), and
the utility getpidprevcon to gather the previous context before the last
exec of a given process.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
2023-02-10 22:23:11 -08:00
Christian Göttsche
1609b9fdfd libselinux: restore: use fixed sized integer for hash index
The hash mask is set to 2^16 - 1, which does not fit into a signed 16
bit integer.  Use uint32_t to be on the safe side.  Also use size_t for
counting in debug function.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
2023-02-10 22:19:00 -08:00
Christian Göttsche
06512c4373 libselinux: restore: misc tweaks
Add const qualifier to read-only state struct.

Minimize scope of function local variables, to reduce complexity.

Pass only the file type related file flags to selabel_lookup(3).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
2023-02-10 22:18:53 -08:00
Christian Göttsche
f9df9487ad libselinux: drop obsolete optimization flag
The optimization flag -funit-at-a-time is enabled by default in GCC[1]
and not supported by Clang:

    clang: error: optimization flag '-funit-at-a-time' is not supported [-Werror,-Wignored-optimization-argument]

[1]: https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
2023-02-10 22:18:46 -08:00
Vit Mojzis
d8eb8b309f python/sepolicy: Cache conditional rule queries
Commit 7506771e4b
"add missing booleans to man pages" dramatically slowed down
"sepolicy manpage -a" by removing caching of setools rule query.
Re-add said caching and update the query to only return conditional
rules.

Before commit 7506771e:
 #time sepolicy manpage -a
 real	1m43.153s
 # time sepolicy manpage -d httpd_t
 real	0m4.493s

After commit 7506771e:
 #time sepolicy manpage -a
 real   1h56m43.153s
 # time sepolicy manpage -d httpd_t
 real	0m8.352s

After this commit:
 #time sepolicy manpage -a
 real	1m41.074s
 # time sepolicy manpage -d httpd_t
 real	0m7.358s

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-02-06 15:38:58 +01:00
Petr Lautrbach
62d6d13f70 Update translations
Source: https://translate.fedoraproject.org/projects/selinux/

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
2023-02-06 15:34:01 +01:00