History log of /external/libselinux/src/
Revision Date Author Comments
d514c5aff9c5d8831f8907ec12dee43a2583c9ff 28-Sep-2014 Nick Kralevich <nnk@google.com> implement partial matching using PCRE

To speed up the boot process, Android doesn't visit every directory
in /sys. Instead, only those directories which match a regular
expression in /file_contexts are visited. Other directories are
skipped. This results in 2-3 second boot time reduction.

The initial version of this optimization was implemented in
change 0e7340fb99b931540e2baf4778abeb53d40084e7. However, because
PCRE wasn't available, it was recognized that false positives and
false negatives might occur.

Now that PCRE is available, start using it. It will avoid the
false positive / negatives problem.

Bug: 17682157

(cherry picked from commit d0b768abcd2b4adb1853ac38e59aa80f09872ac3)

Change-Id: I403e32cdb23e45abcf6f2a702af88a3eacc47942
abel_file.c
da4208c8808e6a62fcfe848343abd3e2f3b339cc 07-Jul-2014 Stephen Smalley <sds@tycho.nsa.gov> Do not try to set restorecon_last on /sys entries.

There is no benefit to setting restorecon_last on /sys entries
since they are re-created on each boot and doing so triggers
sys_admin denials. Also, apply the same partial matching
optimization to restorecon_recursive on subdirectories of /sys
as we apply on the top-level restorecon_recursive /sys.

Change-Id: I90ea143e189db44bf8dc6c93c08d794e80d5539f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
f58dbddbf5d4f10732501e91427afa421f463be5 01-Jul-2014 Nick Kralevich <nnk@google.com> Log userspace SELinux denials to the event log.

In addition to logging userspace SELinux denials to logcat,
also log it to eventlog using the auditd log tag.

Change-Id: I6a269a832bc2f5e5da6c9dbd169ed2f901b49166
ndroid.c
be7f5e8814c4954aca51d3f95455c5d9d527658c 12-Jun-2014 Stephen Smalley <sds@tycho.nsa.gov> Extend label file backend to support label-by-symlink for ueventd.

When ueventd creates a device node, it may also create one or more
symlinks to the device node. These symlinks may be the only stable
name for the device, e.g. if the partition is dynamically assigned.
Extend the label file backend to support looking up the "best match"
for a device node based on its real path (key) and any links to it
(aliases). The order of precedence for best match is:
1) An exact match for the real path (key), or
2) An exact match for any of the links (aliases), or
3) The longest fixed prefix match.

Change-Id: Id6c2597eee2b6723a5089dcf7c450f8d0a4128f4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
abel.c
abel_file.c
abel_internal.h
bad0ebb47417d17ca807e5f97fcbe649bc4cc05e 12-Jun-2014 Riley Spahn <rileyspahn@google.com> Add service_context management into libselinux.

Add functions to handle opening handles for MAC
on service_manager. Also add selinux_log_callback
into libselinux because identical code was spread
through three different files.

Bug: 12909011
Change-Id: I04eb855700f1d0c086542053d987b3a30cf1b0c0
ndroid.c
5b5183f9b7c1a09429cfb113b4d144882c03530f 18-Mar-2014 Robert Craig <rpcraig@tycho.ncsc.mil> SELinux changes to check policy versions during a reload.

New construct which validates /data/security/current/selinux_version
against the base version file /selinux_version when policy
overrides could occur. This change covers the cases where
sepolicy, seapp_contexts and file_contexts under
/data/security/current can be used to override their rootfs
counterparts.

Change-Id: I4716039bb0f5ba1e961977a18350347a67969dca
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
ndroid.c
a8e4ad3c81df866583a8929bcb5d48a2000ce738 19-May-2014 Nick Kralevich <nnk@google.com> Don't set restorecon_last on subdirectories

When restorecon_recursive is called, we set the directory xattr
"security.restorecon_last" to the hash of /file_contexts.
This allows us to do automatic relabeling when /file_contexts
changes.

Prior to this change, we were also setting the xattr for all
subdirectories of the directory. Doing so is unnecessary because
we never look at the value.

Remove setting the xattr for subdirectories, but continue to set
the xattr for the directory itself.

Change-Id: Id81d1e24209e195c559b4e382bee42ddd48a7593
ndroid.c
b4c9808a9f744c0b9ef502088547ebb798b5f3d0 28-May-2014 Stephen Smalley <sds@tycho.nsa.gov> restorecon top-level entries under /data/user.

/data/user has a set of top-level entries including the /data/user/0
symlink and the /data/user/N subdirectories for secondary users that
need to be relabeled on upgrades from 4.2 with unlabeled userdata.
Only set the flag to skip on subdirectories of /data/user, not on
/data/user itself.

Change-Id: I7a4c7ede74daa249db654963ba49585755c9b04e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
4b130cc0d6d2e9183b7b7c3c0dba3996d0f56261 17-May-2014 Nick Kralevich <nnk@google.com> Ensure labeling of /data/data and /data/user

On an upgrade, the *contents* of the /data/data and /data/user
directories are not labeled by init, because their labels are
managed by installd.

However, the /data/data and /data/user directories themselves are
never labeled, neither by init nor installd.

On an upgrade from an Android 4.2 system, it's possible for these
two directories to remain unlabeled, causing anything created
within these directories to also be unlabeled.

Make sure we label /data/data and /data/user (but not their contents)
from init's restorecon_recursive.

Change-Id: I65dcfa8e77a63cb61551a1010358f0e45956dbbf
ndroid.c
0e7340fb99b931540e2baf4778abeb53d40084e7 01-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Optimize restorecon_recursive tree walk.

restorecon_recursive can prune the tree walk whenever it
encounters a directory for which there is no possible match
for any of its descendants in the file_contexts configuration.
This will only presently benefit the restorecon_recursive("/sys") call
by init since other restorecon_recursive calls always have
top-level entries that will match anything underneath and this
is required to fully label those partitions on upgrade. However,
those other cases are already optimized to only run once per
file_contexts change (upgrade) and thus do not need this optimization.

Change-Id: I854bf1ccff6ded56e9da2c4184435f67d7069bc1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
abel.c
abel_file.c
abel_internal.h
13319cfa30ae74638bc984015f84d113f3bf8d7a 04-Apr-2014 Stephen Smalley <sds@tycho.nsa.gov> Improve error handling for seapp_contexts.

Detect and reject configurations that specify name= without
seinfo= or with seinfo=default.

On any error during loading the configuration, drop the entire
configuration. This will prevent system_server or any apps
from being started by zygote at all. Previously we could be
left with a partially loaded, unsorted configuration which could
lead to partial startup but mislabeled processes.

On the error path, do not try to report the (name, value) pair for
the invalid entry as they are not always set (or meaningful) on all
code paths and we already have check_seapp to check and report the
same errors at build time.

Provide common helpers for freeing the configuration entries and
ensure that we always do it on any error during loading.

Change-Id: I2b238e90c9cc07a410e08a96a10d7699b608b3df
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
1d66afb585be447fe1d360448f74b5ecde879602 27-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Add a new API for relabeling package directories.

Add a new selinux_android_restorecon_pkgdir() API for
relabeling package directories that explicitly takes the
seinfo and uid information from the caller. This is similar
to the selinux_android_setfilecon() API used by installd to
label newly created package directories but can be used to
recursively restorecon existing package directories. By
passing the seinfo and uid information directly, we avoid the
need to rely upon packages.list for this purpose and can
perform the relabeling on a per-directory basis before each app
is loaded.

Also if we are not provided with a seinfo value and we cannot
lookup the package name in packages.list, log a warning and
return an error condition rather than silently ignoring the failure.
This avoids mislabeling the file by restorecon and provides a warning
if any future bugs arise in this area.

Change-Id: Ie440cba2c96f0907458086348197e1506d31c1b6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
db21feb260fd792f47010a613273c38f43da745b 12-Mar-2014 Nick Kralevich <nnk@google.com> Don't read selinux policies from /data

Bug: 12613118

(cherry picked from commit c661446c4607bb54ccf3104727086b56d49ad250)

Change-Id: I5114c9dde5edc3365cfb6e98ec2c0cd6a249cf8f
ndroid.c
833cbd68ac546067fe2810163a70f77ab598a2ab 27-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Disable restorecon_last usage for restorecon /data/data.

Since /data/data and /data/user labeling is based on seapp_contexts and seinfo
assignments rather than file_contexts, we do not want to get or set
the security.restorecon_last attribute on these directories as that will
incorrectly skip subsequent recursive restorecon calls on these directories.
Also, setting a security. attribute other than selinux or capability
requires CAP_SYS_ADMIN and thus attempting to do this would trigger
denials for installd, which handles relabeling of these directories.

Ensuring that /data/data and /data/user are only relabeled when
necessary is the responsibility of the caller of restorecon, in
this case the system_server and installd.

Change-Id: I33476236c493f9749a3da068afd83d9f279409a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
274e0f649df4684f94d1ec3374d1d106fe233901 19-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Add support for path= specifier in seapp_contexts.

The path= input selector can be used to match a specific pathname
or pathname prefix (end with *) for assigning types to directories
and files within app data directories.

Change-Id: Iddaa3931cfd4ddd5b9f62cd66989e1f26553baa1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
027670de87acd33f9de65c8b5a2bcb8c3e1d967f 18-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Only restorecon /data/data if passed an explicit flag.

As discussed in the comments of:
https://android-review.googlesource.com/#/c/81292/
we do not want restorecon_recursive /data by init.rc to
change the contexts of /data/data or /data/users/N because
those contexts are dependent on package information in
/data/system/packages.list that may not be set correctly
at boot on an upgrade. Therefore we skip /data/data
on a recursive restorecon unless passed an explicit flag.
This flag will be used by the PMS or installd in a subsequent
change to restorecon /data/data after computing the seinfo
values for packages and updating packages.list accordingly.
It will also be optionally used by the toolbox restorecon
command if passed a new option to be introduced in a subsequent
change.

Change-Id: I137588013ed1750315702c0dbe088ce3e4a29e83
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
ab40ea9bfd71b50138f1482c4764a65ac17d8caf 19-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Get rid of security_context_t and fix const declarations.

The const security_context_t declarations were incorrect;
const char * was intended, not char * const. Easiest fix is to
replace them all with const char *. And while we are at it, just
get rid of all usage of security_context_t itself as it adds no value.
typedef left to permit building legacy users until such a time as all are
updated.

Change-Id: I2f9df7bb9f575f76024c3e5f5b660345da2931a7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
vc.c
vc_sidtab.c
vc_sidtab.h
allbacks.c
allbacks.h
anonicalize_context.c
heckAccess.c
heck_context.c
ompute_av.c
ompute_create.c
nabled.c
getfilecon.c
reecon.c
setfilecon.c
et_initial_context.c
etfilecon.c
etpeercon.c
abel.c
abel_internal.h
getfilecon.c
setfilecon.c
rocattr.c
etfilecon.c
4abb4b98f7ae0932e99661b4df302ea533212163 13-Feb-2014 Nick Kralevich <nnk@google.com> Merge "Apply const to SELboolean array and name field."
84cdd3e00cb4566bfcd0b34d6c0706e5d74d8874 12-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Apply const to SELboolean array and name field.

Change-Id: Ib746ce663cef0d0480ab62eaa1a0b760947fa604
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ooleans.c
1b478eadff95edfe79bdc1211bdb8bb9cdd394d2 07-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Convert all selinux_android_restorecon and _setfilecon calls to new API.

libselinux selinux_android_restorecon API is changing to the more
general interface with flags and dropping the older variants.

Also get rid of the old, no longer used selinux_android_setfilecon API
and rename selinux_android_setfilecon2 to it as it is the only API in use.

Change-Id: I1e71ec398ccdc24cac4ec76f1b858d0f680f4925
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
f61f9792a33562c9aa9f393492153343b9a4de7d 06-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Replace obsolete selinux_android_restorecon* functions with macros.

Replace the older selinux_android_restorecon() and
selinux_android_restorecon_recursive() functions with macros
calling the new selinux_android_restorecon_flags() function with
the right flags. These macros provide temporary API compatibility
until all callers are updated.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ib52c3d7a375d2cf3ac7a3d4460b4ba51860315cb
ndroid.c
e183cec077891371542a5f2e164fcb9ddd745fd8 05-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Extend restorecon to handle app data directories correctly.

App data directories are labeled by installd at creation time
based on package information, seapp_contexts, and file_contexts.
Prior to this change, restorecon and restorecon_recursive did not
know how to label app data directories and would merely label
them based on file_contexts, causing them to be (mis)labeled with
a single security context if restorecon was applied to /data/data/<pkgname>
or /data/user/N/<pkgname>. Extend restorecon to correctly handle app data
directories based on all of the relevant information.

After applying this change and its dependencies (including rewriting
toolbox restorecon to use libselinux), a restorecon -Rv /data/data
only relabels the lib symlinks in the app data directories, which I
believe is harmless and arguably is a bug in installd. Originally
when the lib subdirectories were created in each app data directory
we labeled them with system_data_file to distinguish them from
app data, prevent direct writes by apps, and allow execute by apps.
However, when the lib directories were moved under /data/app-lib and only the
symlink was left behind, it continued to be labeled system_data_file
as a side effect of the fact that it is created before installd
calls selinux_android_setfilecon2() on the package directory and
thus inherits the original parent directory security context. Offhand,
I don't see a real reason to not just label the symlinks with the app data
directory context even though the symlinks do have a different UID (install)
since the containing directory is owned by the app UID so apps
can already unlink and re-create the symlink at will. So I think this
change by restorecon is harmless and we could switch installd to
applying the setfilecon2 first before creating the symlinks so that
they are originally labeled this way.

Change-Id: I698b1b2c3f00f31fbb2015edf23d33b51aa5bba1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
08587cfbf9de7d89a3d2d4e87aecd82a478e3289 30-Jan-2014 Stephen Smalley <sds@tycho.nsa.gov> Unify toolbox restorecon and libselinux restorecon implementations.

Extend the libselinux restorecon implementation to allow reuse
by the toolbox restorecon command. This simply requires adding
support for the nochange (-n) and verbose (-v) options to the
libselinux functions and rewriting the toolbox restorecon command
to use the libselinux functions. Also add a force (-F) option to
support forcing a restorecon_recursive even if the restorecon_last
attribute matches the current file_contexts hash so that we can
continue to force a restorecon via the toolbox command for testing
or when we know something else has changed (e.g. for when we support
relabeling /data/data and package information has changed).

Change-Id: I92bb3259790a7195ba56a5e9555c3b6c76ceb862
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
b77c0360fa9baaac5e9cad173520a103f878bcbf 04-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Fix return value of selinux_android_restorecon.

Change I4a380caab7f8481c33eb64fcdb16b6cabe918ebd unified
the init and libselinux restorecon code but introduced a bug
by changing the return value of selinux_android_restorecon
on errors from -1 (as in libselinux) to -errno (as in the init
built-in command). Change it back as there are various callers
assuming the libselinux behavior and init does not actually rely
on the -errno behavior in the utils code and handles it correctly
in the built-in command functions themselves.

Change-Id: I6ed5b644820eb07c061d8a2a116511aeb7401df4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
0a10104a1adec50f20291ae4046584786c747134 29-Jan-2014 Stephen Smalley <sds@tycho.nsa.gov> Do not log the file_contexts digest/hash value.

Change-Id: I3ce2e803b53b99a9442b123f41b0966857da66b6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
826cc29d8bb1b570165e9b0cc332e7159c65031a 28-Jan-2014 Stephen Smalley <sds@tycho.nsa.gov> Only apply restorecon_recursive when file_contexts changes.

For any persistent directory (e.g. /data, /persist), we only want
to apply restorecon_recursive when there is a change to the
file_contexts mapping on an update. Avoid repeatedly walking the
directory tree on each boot by setting a security.restorecon_last
xattr on each directory during a restorecon_recursive tree walk
to a hash of the file_contexts file and skipping the traversal if
the xattr is already set and matches the hash of the current file_contexts
file.

For /sys, the attempt to get and set the xattr will fail but this
is harmless.

Change-Id: I77bf2a0c4c34b1feef6fdf4d6c3bd92dbf32f4a1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
7fc97fb4d3fcf4b1385171820e4e0cd7a2b513c8 28-Jan-2014 Stephen Smalley <sds@tycho.nsa.gov> Move restorecon and restorecon_recursive code to libselinux.

This requires telling libselinux to use the sehandle already
obtained by init rather than re-acquiring it internally. init
retains ownership of the sehandle because it performs the
initial load, uses the sehandle for other purposes (e.g. labeling
of directories created via mkdir and labeling of socket files),
and handles the policy reload property trigger.

Unify the restorecon code previously duplicated between init and libselinux.

Change-Id: I4a380caab7f8481c33eb64fcdb16b6cabe918ebd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
13e1cebf5c166246baa06324d6eb9543930aa2c7 27-Jan-2014 Stephen Smalley <sds@tycho.nsa.gov> Remove unused structure and code.

Seems to have been leftover from some prior work on policy update support.

Change-Id: Id5c5772a370a5a79de8f910decf938106a9c0718
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
0dbac4eafd82ba0d9d9fa4ecf9bfdd34b6db2b52 23-Dec-2013 Stephen Smalley <sds@tycho.nsa.gov> Fix a bug in the userspace AVC that broke per-domain permissive mode.

Failure to copy the entire av_decision structure, including the
flags field, would prevent preservation of the SELINUX_AVD_FLAGS_PERMISSIVE
flag and thus cause per-domain permissive to not be honored for userspace
permission checks.

Also ensure that we clear the entire structure.

Change-Id: I92fcb2522d05094a9583b0035bbe1f94cb289ecd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
vc.c
df1ece2412dbbb2f2b021852c7f5c69257401f0b 02-Dec-2013 Stephen Smalley <sds@tycho.nsa.gov> Use a fixed string for the level rather than the caller's range.

Otherwise we can get an unexpected result if the caller is already
running with categories set.

Change-Id: I9146a202b3175a75aecd0b38939b44cec63a67f2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
2c41f9f1f5e51a80e2ffbb05932da3aece4ac827 27-Nov-2013 Nick Kralevich <nnk@google.com> Remove dead code

This code isn't being used.

Change-Id: I8113e16717dfbaa42913ee8e3c7fc7d2c9b36660
ndroid.c
833cba64c0a3a8ac4684e408da509827f6977ed8 19-Nov-2013 Nick Kralevich <nnk@google.com> Clean up more c++ errors

Modify android.c so it compiles under C++.

Change-Id: I6770a46ee1ccfd6e08fb4c92de94a4adc3084fcc
ndroid.c
nit.c
5b91e6297719ee29fc4d3795a4bc9d7343b30fb0 12-Nov-2013 Nick Kralevich <nnk@google.com> Clean up some (void *) assignments.

Do casting when using the result of a malloc / realloc. This allows
this code to be compiled using c++, if needed.

Change-Id: I4f38b6747216548effb8b4edad77ee54de386a81
abel_file.c
e3615f9d90e9b37c84b00d1830121fb21e6981f7 12-Sep-2013 William Roberts <wroberts@tresys.com> seapp_contexts support for prefix matching on name

A package name specified in seapp_contexts ending with a * will
perform a prefix match.

Ex)
name=com.test*

Will match:
com.test.me
com.test.foo.bar

Change-Id: I0dfb4584579945a7c444b40bb732d2d530dddb3a
ndroid.c
8ed42427deec178494a1de79dae6f9cae43dd005 16-Apr-2013 William Roberts <w.roberts@sta.samsung.com> Use NULL instead of 0 as terminator to array

Change-Id: I034fb304145529791f275db568cd8ce29748a9fd
ndroid.c
cb92504c2b9439b2c9bb745a3727f58e8c44c224 26-Jul-2013 Stephen Smalley <sds@tycho.nsa.gov> Fix logging of sepolicy pathname on policy load.

I9d83122e276a25d2e7c928b724344d5f3420af73 eliminated a temporary path
variable but ended up using the wrong index in the sepolicy_file[] array,
thereby indexing off the end of the array or logging the
wrong path.

Change-Id: If1b61c938bdcf53aef000d45e9415ded68a96585
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
8792a5ce72fdb903cc1f90e63605df78455ba55a 12-Jul-2013 Nick Kralevich <nnk@google.com> am b1ae15ab: Clean up code

* commit 'b1ae15abf1d3a47b0e993d1a4daa228f73d12bb9':
Clean up code
ca0811112e819f5351a31b1cd8509c4d2cf98eb0 12-Jul-2013 Nick Kralevich <nnk@google.com> am 9ca4088e: android.c: fix free of uninitialized memory

* commit '9ca4088ee4d8378e9f01df67a8df3f0cb5071bed':
android.c: fix free of uninitialized memory
b1ae15abf1d3a47b0e993d1a4daa228f73d12bb9 12-Jul-2013 Nick Kralevich <nnk@google.com> Clean up code

Clean up the code, so it compiles with -Wall -Wextra -Werror

Change-Id: I78ad5941a45208e1a82181cedb5853753f58ff0d
ndroid.c
ooleans.c
nabled.c
abel.c
9ca4088ee4d8378e9f01df67a8df3f0cb5071bed 12-Jul-2013 Nick Kralevich <nnk@google.com> android.c: fix free of uninitialized memory

Under certain error conditions, freecon is called with a pointer
to uninitialized memory. Make sure everything is initialized.

Move variable declaration before any goto statements. Variable
declaration after a goto statement produces weird runtime artifacts.

Change-Id: Ie1db5a8466bbf259f09a612a1c97afc3713e33df
ndroid.c
0daa62c1dd9bd27f0f955f4bdebf3c537e6232eb 21-May-2013 gcondra@google.com <gcondra@google.com> am dae85f9e: Revert "Hack to fix selinux crashes on Manta"

* commit 'dae85f9e3e7f0e531138a57f1b13e646b78b1919':
Revert "Hack to fix selinux crashes on Manta"
bc3d58d53bda40d788f31e6db71451c2854736cd 21-May-2013 gcondra@google.com <gcondra@google.com> am 8c6e5f8e: Revert "Call lsetfilecon directly in fixcon."

* commit '8c6e5f8ee923ef72e550d76e855a1d6f3df4b693':
Revert "Call lsetfilecon directly in fixcon."
dae85f9e3e7f0e531138a57f1b13e646b78b1919 17-May-2013 repo sync <gcondra@google.com> Revert "Hack to fix selinux crashes on Manta"

This reverts commit 1d857f3e2e739c001b7cbbd1e37b92a038e46b98.
ndroid.c
8c6e5f8ee923ef72e550d76e855a1d6f3df4b693 17-May-2013 repo sync <gcondra@google.com> Revert "Call lsetfilecon directly in fixcon."

This reverts commit 0f3a5e88ddc12f033edd8f3bbe0457ff2d3146e4.
ndroid.c
4d53ee61f68921dd08d4428b7af1ba30a806f412 17-May-2013 gcondra@google.com <gcondra@google.com> am 0f3a5e88: Call lsetfilecon directly in fixcon.

* commit '0f3a5e88ddc12f033edd8f3bbe0457ff2d3146e4':
Call lsetfilecon directly in fixcon.
0f3a5e88ddc12f033edd8f3bbe0457ff2d3146e4 15-May-2013 repo sync <gcondra@google.com> Call lsetfilecon directly in fixcon.

This avoids the spurious double-lookup from calling restorecon.

Bug: 8967715
Change-Id: I3e92804dca245501ca974bda7a0d7d1c459c58da
ndroid.c
2ed00e3edeb68c6728aa54e1b428cb702eb9880d 09-May-2013 Ken Sumrall <ksumrall@android.com> am 1d857f3e: Hack to fix selinux crashes on Manta

* commit '1d857f3e2e739c001b7cbbd1e37b92a038e46b98':
Hack to fix selinux crashes on Manta
1d857f3e2e739c001b7cbbd1e37b92a038e46b98 09-May-2013 Ken Sumrall <ksumrall@android.com> Hack to fix selinux crashes on Manta

Due to previous issues with make_ext4fs not zeroing out inode
tables and Nexus 10 not erasing partitions before flashing, some
devices during development were flashed with garbage in the
inode tables for unused inodes. The kernel did not care, and
ignored the unused inodes, but if e2fsck ran for any reason, it
would find what it thought were lost inodes, and put them in
lost+found.

When selinux was enabled, it would reload the policy
on all files in /data, and when it traversed /lost+found, the
kernel would crash with weird ext4 errors. We are pretty sure
this is due to bugs in the xattr code not handling potentially
bogus inodes, but we have not yet found the actual bug. In
order to get the release out the door on time, this hack will
skip searching in lost+found directories. This will be
fixed properly before the next release.

Bug: 8801548
Change-Id: If4cd78cf587cefa4cd2d41c4424034c5d5878b78
ndroid.c
b7100dc38750ed5780202d5a584d170a68b345c8 06-May-2013 Nick Kralevich <nnk@google.com> am 9c30ac60: selinux_android_reload_policy: get rid of useless temp var

* commit '9c30ac60791fe561816017c96a2931d17a7cb103':
selinux_android_reload_policy: get rid of useless temp var
baa9a6253aa4d231a050f0fe0ef839717428b73c 06-May-2013 Nick Kralevich <nnk@google.com> am 397359d0: fixcon_recursive: avoid fixed size buffers

* commit '397359d043e5763f955b31e4421dcf15be8e3237':
fixcon_recursive: avoid fixed size buffers
9c30ac60791fe561816017c96a2931d17a7cb103 06-May-2013 Nick Kralevich <nnk@google.com> selinux_android_reload_policy: get rid of useless temp var

Change-Id: I9d83122e276a25d2e7c928b724344d5f3420af73
ndroid.c
397359d043e5763f955b31e4421dcf15be8e3237 06-May-2013 Nick Kralevich <nnk@google.com> fixcon_recursive: avoid fixed size buffers

Change-Id: I980d526e999e602b6ab6ebfb7a5ddc7a4bd13785
ndroid.c
3885884d61759de36e928fcaf40e7ac32baf1aaa 02-May-2013 Geremy Condra <gcondra@google.com> am 7f90cf46: Merge "Eliminate a memory leak."

* commit '7f90cf46569f4ca2429b7e843c3816d816c0fd36':
Eliminate a memory leak.
7f90cf46569f4ca2429b7e843c3816d816c0fd36 02-May-2013 Geremy Condra <gcondra@google.com> Merge "Eliminate a memory leak."
520c2aaf75887c76631cedf83322cbe4c523d739 30-Apr-2013 Stephen Smalley <sds@tycho.nsa.gov> am 4f2b0565: Add selinux status functions from upstream libselinux.

* commit '4f2b0565ea34081dc2fd04073bb558d6b2609aef':
Add selinux status functions from upstream libselinux.
6750780433d7f989b56ac61b655ca982ad9027d4 27-Apr-2013 repo sync <gcondra@google.com> Fix typo in location of seapp_contexts.

Bug: 8116902
Change-Id: I066b32029ca6631d51e1d319477f5536c4fccbd5
ndroid.c
300bebb3883f92dc642be4546963ffd9d152ffa8 16-Apr-2013 Stephen Smalley <sds@tycho.nsa.gov> Eliminate a memory leak.

Need to free the old seapp_contexts if any before reloading.

Change-Id: I66a9c2895518c6224920c9728157a84dc572d31a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
4f2b0565ea34081dc2fd04073bb558d6b2609aef 16-Apr-2013 Stephen Smalley <sds@tycho.nsa.gov> Add selinux status functions from upstream libselinux.

These functions allow programs to check whether there has
been a change to the SELinux status without needing to poll a netlink socket.

Change-Id: Ic7f310d69a7c420e48fbc974000cf4a5b9ab4a3b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
eny_unknown.c
estatus.c
01cccbfd1b00dad6ec23383fb14cc3a2db5d144d 15-Apr-2013 Geremy Condra <gcondra@google.com> Special case fixups for unlabeled files and directories.

Bug: 8116902

(cherry picked from commit 67c2662296fc8dfa233ace58567eaeba1a646d11)

Change-Id: I2041b827240d1102060e2ec5a5de8ea1ff4e171c
ndroid.c
6064643a2dbfa9649894f64d9457a0b6ee103113 11-Apr-2013 Geremy Condra <gcondra@google.com> Add logic to handle file context updates.

Bug: 8116902

(cherry picked from commit 527959d207b5eb852612e91efc4880bde701fd2d)

Change-Id: Ib1061e9b804e29a57116656626999cfc7b1513e4
ndroid.c
59004581965932530bb582fd071cd426dbfa39ab 21-Mar-2013 William Roberts <w.roberts@sta.samsung.com> Drop /data/system as a location for policy files

/data/system is no longer supported as a possible
location for policy files, use /data/security instead.

Change-Id: I83e5014a9e2f64bd95c0f1be6cd463fd71a7025b
ndroid.c
77e151b60201e31f8eed25d745f1c1a718f70e7d 23-Jan-2013 William Roberts <w.roberts@sta.samsung.com> Add new location for policy files

Add new location for policy, /data/security, which has
precedence over /data/system

Change-Id: If75da3889c75ca83eb7dbd6e5540657a4cf65831
ndroid.c
a879598e8b1d7daad0222b0692b58963a40298d7 28-Nov-2012 Stephen Smalley <sds@tycho.nsa.gov> Generalize levelFromUid support.

Generalize levelFromUid support to support per-app, per-user,
or per-combination level assignment. Adds a new levelFrom=none|app|user|all
syntax for specifying the desired behavior in seapp_contexts.
levelFromUid=true|false is still supported but translated to
levelFrom=app|none.

No change in existing behavior for existing seapp_contexts configurations.

Change-Id: I0e9c18ecf3113fa7079d2101899c92a241ef80a0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
299b1e5d40ceda8e292d8adccdc1ac58c2da6fd8 19-Mar-2013 Geremy Condra <gcondra@google.com> Merge "Adjustments to android property backend."
51c57096c8101ea13e51c296e4891ae84fc1c422 24-Jan-2013 Robert Craig <rpcraig@tycho.ncsc.mil> Adjustments to android property backend.

Allow the android property backend parser to accept the
SELABEL_OPT_VALIDATE option and to perform a validate
callback.

Change-Id: If061502c5e2489a1155798fac1d8357dbb8d13ba
Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
abel_android_property.c
d2302ca4c4142f4b46df3d334288fb7f7f939ed2 05-Jan-2013 Alice Chu <alice.chu@sta.samsung.com> Check mkdir return value before calling mount.

Change-Id: If058da4431215fa4b6f895563ba13620b7d9a81a
ndroid.c
d10c3437e60a40d49e9359e1de23b018859e5d45 05-Nov-2012 Stephen Smalley <sds@tycho.nsa.gov> Mount selinuxfs on /sys/fs/selinux when possible.

Linux 3.0 introduced /sys/fs/selinux as the preferred mount point
directory for selinuxfs. Upstream libselinux tries to mount selinuxfs
on /sys/fs/selinux first and falls back to /selinux if it doesn't exist.
Do likewise in Android.

Change-Id: Iec738ff7e2f13f809a271eb03f08ef6cd2582bd4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
olicy.h
20f62f358ff65dae9aac74d6d1ccf2a648a9e20d 23-Oct-2012 Kenny Root <kroot@google.com> Do not try to restorecon if selinux is disabled

debuggerd tries to restorecon on the tombstones directory which fails
when SELinux is not enabled in the kernel. That would return an error
condition to debuggerd which would then abort its attempt to dump the
stacks of the failing program.

Fix it here in case there are other places that might call this in the
future. Currently the only other caller is android_os_SELinux.cpp JNI
code.

Change-Id: Id73796a70174333b61fd04ee6b1d99fccbea8116
ndroid.c
61e917ad2f1fbf39b3205d7568fcd3684b0ccda6 02-Oct-2012 Stephen Smalley <sds@tycho.nsa.gov> Apply context validation when loading file_contexts.

Change-Id: I7c0bdca5c9a1ffe428200a830c1b706fc8ed9675
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
abel_file.c
525a22446b011415038e3c4b213ba691286f28a5 24-Sep-2012 Stephen Smalley <sds@tycho.nsa.gov> Switch app_* and isolated to _app and _isolated in seapp_contexts.

The app_* syntax was a legacy of the original approach of looking up
the username returned by getpwuid() and the original username encoding
scheme by bionic. With the recent changes to move away from this approach,
there is no reason to retain that syntax. Instead, just use _app to match
app UIDs and _isolated to match isolated service UIDs. The underscore
prefix is to signify that these are not real usernames and to avoid
conflicts with any system usernames.

Requires a corresponding change to sepolicy.

Change-Id: I21f9f88415b653c1bf6332fc100d91d969c9da64
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
d23b9e0198be5699623b4be8c12f02719c506ce0 21-Sep-2012 Stephen Smalley <sds@tycho.nsa.gov> Rework category mapping and perform some code cleanup.

Map the app IDs to a category pair rather than a single category.
With this scheme, we can represent up to 2^16 app IDs, which exceeds
the maximum of 10000 imposed by Android. This also only uses category
bits 0-511, so 512-1023 remain free for use for other purposes (or we
could shrink the number of categories defined in the policy).

Also perform other minor code cleanups previously suggested, e.g.
fix const declaration, use an enum rather than #define, correct %lu
to %u for format string, etc.

Change-Id: I5bb727bfb4297e3e13ba1ef078e41db3ea7d1b8f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
895b446e8b4844f2da7354e74d5d96cc7f4418f3 19-Sep-2012 Stephen Smalley <sds@tycho.nsa.gov> Clean up libselinux logic for looking up seapp contexts entries.

Re-factor the logic shared by selinux_android_setfilecon2 and
selinux_android_setcontext into a common helper and replace the
use of getpwuid and username string parsing with direct use of
android_filesystem_config.h definitions. Also map isolated UIDs
to a separate isolated key so that we can label them differently
in the future if desired.

Change-Id: If2f9def21222588b440a6cedcceec0434f6797fd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
4a655eca75a79149c25616c4a5a44f5b8d26b28f 18-Sep-2012 Stephen Smalley <sds@tycho.nsa.gov> Drop the use of a policy version suffix on the sepolicy file.

The policy version suffix support was carried over from conventional
Linux distributions, where we needed to support simultaneous installation
of multiple kernels and policies. This isn't required for Android, so
get rid of it and thereby simplify the policy pathname.

Requires a corresponding change to sepolicy.

Change-Id: I061607f5fe6457e469b4834da6fc659d7ddca6f9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
8aeb5c5fd002c09d32f3151c17c645b85d1bb8e5 14-Sep-2012 Stephen Smalley <sds@tycho.nsa.gov> Only check SELinux enabled status once in selinux_check_access().

Move the SELinux enabled check to the once handler so that we do
not perform this on each call to selinux_check_access(). Reduces
overhead in both the SELinux-enabled and the SELinux-disabled cases.

Change-Id: I61fe85bc04fe53cbf840ba712c81bdb06e4e0c2f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
heckAccess.c
906742dfd76bf9f21bddbddc43966c2cc9b0da0e 23-Aug-2012 Stephen Smalley <sds@tycho.nsa.gov> Do not return the libselinux-private sehandle from selinux_android_file_context_handle().
ndroid.c
4d1d14fbe2960a5aaf5f7b3138bf9e11722d1130 23-Aug-2012 Stephen Smalley <sds@tycho.nsa.gov> Only call regfree if regcomp was previously called on the regex.
abel_file.c
ce4e2e6a0819b0a23d80fa137b5ee0e351aff855 23-Aug-2012 Stephen Smalley <sds@tycho.nsa.gov> Handle naming for system uids running as secondary users.

Commit bf9441e in bionic introduced a new scheme for naming system uids
as secondary users (as part of multi-user support). Update the libselinux
logic to correctly map these identities for lookup purposes in the
seapp_contexts configuration file.
ndroid.c
bee88b2041e0c5cb51dd707a9e508d8573907515 06-Aug-2012 rpcraig <rpcraig@tycho.ncsc.mil> Fix once synchronization control structure for file_contexts.

This is not needed when used within the reload scenario. We
actually need the file_contexts to be read multiple times.
ndroid.c
f1724a371be1678ebf79474ab9a390dd6a5c96c7 01-Aug-2012 rpcraig <rpcraig@tycho.ncsc.mil> Add sepolicy loading functionality.

These changes reflect changes made to init.
The sepolicy reload now happens in libselinux.
ndroid.c
e8b0fd8c21a68fd0a7fcf656a7b6eae10e61c8e5 31-Jul-2012 Stephen Smalley <sds@tycho.nsa.gov> Close the selinux netlink socket when we set the app context.
ndroid.c
d181826941c365f66b00a7f5accfd42bc09c19d6 31-Jul-2012 Stephen Smalley <sds@tycho.nsa.gov> Ensure that we only close the selinux netlink socket once.
vc_internal.c
689383dc7dd425b6026c97d49642b0c608602577 30-Jul-2012 Stephen Smalley <sds@tycho.nsa.gov> Handle EINTR correctly in avc_netlink_receive.
vc_internal.c
09f69843a9991d35888b35f0bfa8de0b11a824b2 28-Jul-2012 William Roberts <bill.c.roberts@gmail.com> Allow non-matched apps to launch when no match found

Allows the zygote to still spawn apps in the zygote's
context when no match is found in seapp_contexts. In
enforcing mode, apps that are not matched will not be
spawned. A "No match" message will (still) be printed
to logcat.

Change-Id: Ibe362cc8e168be7acae5162c9ff6a310233fcbe6
ndroid.c
1b36ad00bfbea16ad4456a9fd715e594d57f2fd6 27-Jul-2012 William Roberts <bill.c.roberts@gmail.com> You can now specify a sebool= flag in seapp_contexts

The seapp rule containing an sebool clause will
ONLY be applied on a match to that boolean,
and only if the boolean is set to true.

Change-Id: Ifdba35cd3a78ce1c8173786514db649203018e28
Signed-off-by: William Roberts <w.roberts@sta.samsung.com>
ndroid.c
f77e60de67dbc84d06aa77adef6bdf80455ee9f5 27-Jul-2012 Stephen Smalley <sds@tycho.nsa.gov> Revert "Allow zygote to spawn non matched apps in permissive mode"

This reverts commit 0beab96891a9ee1808b113479f167148cab5c998.
ndroid.c
0beab96891a9ee1808b113479f167148cab5c998 27-Jul-2012 William Roberts <bill.c.roberts@gmail.com> Allow zygote to spawn non matched apps in permissive mode

This patch will allow non-matched apps in seapp_contexts to
still be spawned via the zygote. An error message will be sent
to logcat.

Change-Id: I9fb5dcfeb384a26e6a01d69bffd2ef14af74c51c
Signed-off-by: William Roberts <w.roberts@sta.samsung.com>
ndroid.c
9b10083ab40e78cce8cc2b940ce22db6d1095fc5 27-Jul-2012 rpcraig <rpcraig@tycho.ncsc.mil> Introduce new function to return sehandle.

Add function selinux_android_file_context_handle
that opens the correct file_contexts policy file
and returns the available sehandle object.
ndroid.c
edfaad87e34e7a5bb691d45fd6df3e0b5ad0bb1a 12-Jul-2012 Stephen Smalley <sds@tycho.nsa.gov> Introduce selinux_android_setfilecon2 to support passing seinfo argument.
ndroid.c
c9726aba339f3d935ff14c0734edf13116af3cbf 11-Jul-2012 Stephen Smalley <sds@tycho.nsa.gov> Fix handling of app id 0.
ndroid.c
ba70ee4c5ab8026e97fce5c2452dfe588dfaac3e 10-Jul-2012 Stephen Smalley <sds@tycho.nsa.gov> Add support for the new username mapping in JB, and backward compatibility.
ndroid.c
a2e47cd90d84d48cde19575d044577a3fc7a4000 11-Jun-2012 Stephen Smalley <sds@tycho.nsa.gov> Change selabel_open and label backends to take a const struct selinux_opt argument.
abel.c
abel_android_property.c
abel_file.c
abel_internal.h
35b01083fe5e34cbd318a78ef9b1a13432ae24d9 04-Apr-2012 Stephen Smalley <sds@tycho.nsa.gov> Define and implement Android property selabel backend.
abel.c
abel_android_property.c
abel_internal.h
32ebfe869edfc32633cf4f2ee2b56b7d8ce97a19 20-Mar-2012 Stephen Smalley <sds@tycho.nsa.gov> Check for /data/system/file_contexts first in restorecon.
ndroid.c
7446c917148c778315e511ad5c990492d3c8cdb8 19-Mar-2012 Stephen Smalley <sds@tycho.nsa.gov> Add selinux_android_seapp_context_reload() to support reloading of
seapp_contexts configuration upon updates, and introduce support for
loading it from /data/system or /.
ndroid.c
0ca91b300c711079816fa67b4148cac3cd1eef8c 19-Mar-2012 Stephen Smalley <sds@tycho.nsa.gov> Add a selinux_android_restorecon interface for use by the frameworks.
ndroid.c
cc3d76d1b717805740126aec7e0343f5a240cfbe 24-Jan-2012 Stephen Smalley <sds@tycho.nsa.gov> Support for building the host library on MacOS X.
nit.c
273c4c63a7314db7da4bc8312e80a39470a7f663 18-Jan-2012 Stephen Smalley <sds@tycho.nsa.gov> Move SELINUXMNT definition to public selinux.h for use by init.
olicy.h
f074036424618c130dacb3464465a8b40bffef58 04-Jan-2012 Stephen Smalley <sds@tycho.nsa.gov> Port of libselinux to Android.
ndroid.c
vc.c
vc_internal.c
vc_internal.h
vc_sidtab.c
vc_sidtab.h
ooleans.c
allbacks.c
allbacks.h
anonicalize_context.c
heckAccess.c
heck_context.c
ompute_av.c
ompute_create.c
ontext.c
ontext_internal.h
isable.c
so.h
nabled.c
getfilecon.c
reecon.c
setfilecon.c
et_initial_context.c
etenforce.c
etfilecon.c
etpeercon.c
nit.c
abel.c
abel_file.c
abel_internal.h
getfilecon.c
oad_policy.c
setfilecon.c
apping.c
apping.h
olicy.h
olicyvers.c
rocattr.c
elinux_internal.h
elinux_netlink.h
etenforce.c
etfilecon.c
tringrep.c