d514c5aff9c5d8831f8907ec12dee43a2583c9ff |
28-Sep-2014 |
Nick Kralevich <nnk@google.com> |
implement partial matching using PCRE

To speed up the boot process, Android doesn't visit every directory in /sys. Instead, only those directories which match a regular expression in /file_contexts are visited. Other directories are skipped. This results in 2-3 second boot time reduction.

The initial version of this optimization was implemented in change 0e7340fb99b931540e2baf4778abeb53d40084e7. However, because PCRE wasn't available, it was recognized that false positives and false negatives might occur.

Now that PCRE is available, start using it. It will avoid the false positive / negatives problem.

Bug: 17682157
(cherry picked from commit d0b768abcd2b4adb1853ac38e59aa80f09872ac3)
Change-Id: I403e32cdb23e45abcf6f2a702af88a3eacc47942
abel_file.c
|
da4208c8808e6a62fcfe848343abd3e2f3b339cc |
07-Jul-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Do not try to set restorecon_last on /sys entries. There is no benefit to setting restorecon_last on /sys entries since they are re-created on each boot and doing so triggers sys_admin denials. Also, apply the same partial matching optimization to restorecon_recursive on subdirectories of /sys as we apply on the top-level restorecon_recursive /sys. Change-Id: I90ea143e189db44bf8dc6c93c08d794e80d5539f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
f58dbddbf5d4f10732501e91427afa421f463be5 |
01-Jul-2014 |
Nick Kralevich <nnk@google.com> |
Log userspace SELinux denials to the event log. In addition to logging userspace SELinux denials to logcat, also log it to eventlog using the auditd log tag. Change-Id: I6a269a832bc2f5e5da6c9dbd169ed2f901b49166
ndroid.c
|
be7f5e8814c4954aca51d3f95455c5d9d527658c |
12-Jun-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Extend label file backend to support label-by-symlink for ueventd.

When ueventd creates a device node, it may also create one or more symlinks to the device node. These symlinks may be the only stable name for the device, e.g. if the partition is dynamically assigned. Extend the label file backend to support looking up the "best match" for a device node based on its real path (key) and any links to it (aliases). The order of precedence for best match is:
1) An exact match for the real path (key), or
2) An exact match for any of the links (aliases), or
3) The longest fixed prefix match.

Change-Id: Id6c2597eee2b6723a5089dcf7c450f8d0a4128f4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
abel.c
abel_file.c
abel_internal.h
|
bad0ebb47417d17ca807e5f97fcbe649bc4cc05e |
12-Jun-2014 |
Riley Spahn <rileyspahn@google.com> |
Add service_context management into libselinux. Add functions to handle opening handles for MAC on service_manager. Also add selinux_log_callback into libselinux because identical code was spread through three different files. Bug: 12909011 Change-Id: I04eb855700f1d0c086542053d987b3a30cf1b0c0
ndroid.c
|
5b5183f9b7c1a09429cfb113b4d144882c03530f |
18-Mar-2014 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
SELinux changes to check policy versions during a reload. New construct which validates /data/security/current/selinux_version against the base version file /selinux_version when policy overrides could occur. This change covers the cases where sepolicy, seapp_contexts and file_contexts under /data/security/current can be used to override their rootfs counterparts. Change-Id: I4716039bb0f5ba1e961977a18350347a67969dca Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
ndroid.c
|
a8e4ad3c81df866583a8929bcb5d48a2000ce738 |
19-May-2014 |
Nick Kralevich <nnk@google.com> |
Don't set restorecon_last on subdirectories

When restorecon_recursive is called, we set the directory xattr "security.restorecon_last" to the hash of /file_contexts. This allows us to do automatic relabeling when /file_contexts changes.

Prior to this change, we were also setting the xattr for all subdirectories of the directory. Doing so is unnecessary because we never look at the value.

Remove setting the xattr for subdirectories, but continue to set the xattr for the directory itself.

Change-Id: Id81d1e24209e195c559b4e382bee42ddd48a7593
ndroid.c
|
b4c9808a9f744c0b9ef502088547ebb798b5f3d0 |
28-May-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
restorecon top-level entries under /data/user. /data/user has a set of top-level entries including the /data/user/0 symlink and the /data/user/N subdirectories for secondary users that need to be relabeled on upgrades from 4.2 with unlabeled userdata. Only set the flag to skip on subdirectories of /data/user, not on /data/user itself. Change-Id: I7a4c7ede74daa249db654963ba49585755c9b04e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
4b130cc0d6d2e9183b7b7c3c0dba3996d0f56261 |
17-May-2014 |
Nick Kralevich <nnk@google.com> |
Ensure labeling of /data/data and /data/user

On an upgrade, the *contents* of the /data/data and /data/user directories are not labeled by init, because their labels are managed by installd. However, the /data/data and /data/user directories themselves are never labeled, neither by init nor installd.

On an upgrade from an Android 4.2 system, it's possible for these two directories to remain unlabeled, causing anything created within these directories to also be unlabeled.

Make sure we label /data/data and /data/user (but not their contents) from init's restorecon_recursive.

Change-Id: I65dcfa8e77a63cb61551a1010358f0e45956dbbf
ndroid.c
|
0e7340fb99b931540e2baf4778abeb53d40084e7 |
01-May-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Optimize restorecon_recursive tree walk. restorecon_recursive can prune the tree walk whenever it encounters a directory for which there is no possible match for any of its descendants in the file_contexts configuration. This will only presently benefit the restorecon_recursive("/sys") call by init since other restorecon_recursive calls always have top-level entries that will match anything underneath and this is required to fully label those partitions on upgrade. However, those other cases are already optimized to only run once per file_contexts change (upgrade) and thus do not need this optimization. Change-Id: I854bf1ccff6ded56e9da2c4184435f67d7069bc1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
abel.c
abel_file.c
abel_internal.h
|
13319cfa30ae74638bc984015f84d113f3bf8d7a |
04-Apr-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Improve error handling for seapp_contexts. Detect and reject configurations that specify name= without seinfo= or with seinfo=default. On any error during loading the configuration, drop the entire configuration. This will prevent system_server or any apps from being started by zygote at all. Previously we could be left with a partially loaded, unsorted configuration which could lead to partial startup but mislabeled processes. On the error path, do not try to report the (name, value) pair for the invalid entry as they are not always set (or meaningful) on all code paths and we already have check_seapp to check and report the same errors at build time. Provide common helpers for freeing the configuration entries and ensure that we always do it on any error during loading. Change-Id: I2b238e90c9cc07a410e08a96a10d7699b608b3df Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
1d66afb585be447fe1d360448f74b5ecde879602 |
27-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add a new API for relabeling package directories. Add a new selinux_android_restorecon_pkgdir() API for relabeling package directories that explicitly takes the seinfo and uid information from the caller. This is similar to the selinux_android_setfilecon() API used by installd to label newly created package directories but can be used to recursively restorecon existing package directories. By passing the seinfo and uid information directly, we avoid the need to rely upon packages.list for this purpose and can perform the relabeling on a per-directory basis before each app is loaded. Also if we are not provided with a seinfo value and we cannot lookup the package name in packages.list, log a warning and return an error condition rather than silently ignoring the failure. This avoids mislabeling the file by restorecon and provides a warning if any future bugs arise in this area. Change-Id: Ie440cba2c96f0907458086348197e1506d31c1b6 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
db21feb260fd792f47010a613273c38f43da745b |
12-Mar-2014 |
Nick Kralevich <nnk@google.com> |
Don't read selinux policies from /data

Bug: 12613118
(cherry picked from commit c661446c4607bb54ccf3104727086b56d49ad250)
Change-Id: I5114c9dde5edc3365cfb6e98ec2c0cd6a249cf8f
ndroid.c
|
833cbd68ac546067fe2810163a70f77ab598a2ab |
27-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Disable restorecon_last usage for restorecon /data/data. Since /data/data and /data/user labeling is based on seapp_contexts and seinfo assignments rather than file_contexts, we do not want to get or set the security.restorecon_last attribute on these directories as that will incorrectly skip subsequent recursive restorecon calls on these directories. Also, setting a security. attribute other than selinux or capability requires CAP_SYS_ADMIN and thus attempting to do this would trigger denials for installd, which handles relabeling of these directories. Ensuring that /data/data and /data/user are only relabeled when necessary is the responsibility of the caller of restorecon, in this case the system_server and installd. Change-Id: I33476236c493f9749a3da068afd83d9f279409a9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
274e0f649df4684f94d1ec3374d1d106fe233901 |
19-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add support for path= specifier in seapp_contexts. The path= input selector can be used to match a specific pathname or pathname prefix (end with *) for assigning types to directories and files within app data directories. Change-Id: Iddaa3931cfd4ddd5b9f62cd66989e1f26553baa1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
027670de87acd33f9de65c8b5a2bcb8c3e1d967f |
18-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Only restorecon /data/data if passed an explicit flag. As discussed in the comments of: https://android-review.googlesource.com/#/c/81292/ we do not want restorecon_recursive /data by init.rc to change the contexts of /data/data or /data/users/N because those contexts are dependent on package information in /data/system/packages.list that may not be set correctly at boot on an upgrade. Therefore we skip /data/data on a recursive restorecon unless passed an explicit flag. This flag will be used by the PMS or installd in a subsequent change to restorecon /data/data after computing the seinfo values for packages and updating packages.list accordingly. It will also be optionally used by the toolbox restorecon command if passed a new option to be introduced in a subsequent change. Change-Id: I137588013ed1750315702c0dbe088ce3e4a29e83 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
ab40ea9bfd71b50138f1482c4764a65ac17d8caf |
19-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Get rid of security_context_t and fix const declarations. The const security_context_t declarations were incorrect; const char * was intended, not char * const. Easiest fix is to replace them all with const char *. And while we are at it, just get rid of all usage of security_context_t itself as it adds no value. typedef left to permit building legacy users until such a time as all are updated. Change-Id: I2f9df7bb9f575f76024c3e5f5b660345da2931a7 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
vc.c
vc_sidtab.c
vc_sidtab.h
allbacks.c
allbacks.h
anonicalize_context.c
heckAccess.c
heck_context.c
ompute_av.c
ompute_create.c
nabled.c
getfilecon.c
reecon.c
setfilecon.c
et_initial_context.c
etfilecon.c
etpeercon.c
abel.c
abel_internal.h
getfilecon.c
setfilecon.c
rocattr.c
etfilecon.c
|
4abb4b98f7ae0932e99661b4df302ea533212163 |
13-Feb-2014 |
Nick Kralevich <nnk@google.com> |
Merge "Apply const to SELboolean array and name field."
|
84cdd3e00cb4566bfcd0b34d6c0706e5d74d8874 |
12-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Apply const to SELboolean array and name field. Change-Id: Ib746ce663cef0d0480ab62eaa1a0b760947fa604 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ooleans.c
|
1b478eadff95edfe79bdc1211bdb8bb9cdd394d2 |
07-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Convert all selinux_android_restorecon and _setfilecon calls to new API. libselinux selinux_android_restorecon API is changing to the more general interface with flags and dropping the older variants. Also get rid of the old, no longer used selinux_android_setfilecon API and rename selinux_android_setfilecon2 to it as it is the only API in use. Change-Id: I1e71ec398ccdc24cac4ec76f1b858d0f680f4925 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
f61f9792a33562c9aa9f393492153343b9a4de7d |
06-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Replace obsolete selinux_android_restorecon* functions with macros. Replace the older selinux_android_restorecon() and selinux_android_restorecon_recursive() functions with macros calling the new selinux_android_restorecon_flags() function with the right flags. These macros provide temporary API compatibility until all callers are updated. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Change-Id: Ib52c3d7a375d2cf3ac7a3d4460b4ba51860315cb
ndroid.c
|
e183cec077891371542a5f2e164fcb9ddd745fd8 |
05-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Extend restorecon to handle app data directories correctly.

App data directories are labeled by installd at creation time based on package information, seapp_contexts, and file_contexts. Prior to this change, restorecon and restorecon_recursive did not know how to label app data directories and would merely label them based on file_contexts, causing them to be (mis)labeled with a single security context if restorecon was applied to /data/data/<pkgname> or /data/user/N/<pkgname>. Extend restorecon to correctly handle app data directories based on all of the relevant information.

After applying this change and its dependencies (including rewriting toolbox restorecon to use libselinux), a restorecon -Rv /data/data only relabels the lib symlinks in the app data directories, which I believe is harmless and arguably is a bug in installd. Originally when the lib subdirectories were created in each app data directory we labeled them with system_data_file to distinguish them from app data, prevent direct writes by apps, and allow execute by apps. However, when the lib directories were moved under /data/app-lib and only the symlink was left behind, it continued to be labeled system_data_file as a side effect of the fact that it is created before installd calls selinux_android_setfilecon2() on the package directory and thus inherits the original parent directory security context.

Offhand, I don't see a real reason to not just label the symlinks with the app data directory context even though the symlinks do have a different UID (install) since the containing directory is owned by the app UID so apps can already unlink and re-create the symlink at will. So I think this change by restorecon is harmless and we could switch installd to applying the setfilecon2 first before creating the symlinks so that they are originally labeled this way.

Change-Id: I698b1b2c3f00f31fbb2015edf23d33b51aa5bba1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
08587cfbf9de7d89a3d2d4e87aecd82a478e3289 |
30-Jan-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Unify toolbox restorecon and libselinux restorecon implementations. Extend the libselinux restorecon implementation to allow reuse by the toolbox restorecon command. This simply requires adding support for the nochange (-n) and verbose (-v) options to the libselinux functions and rewriting the toolbox restorecon command to use the libselinux functions. Also add a force (-F) option to support forcing a restorecon_recursive even if the restorecon_last attribute matches the current file_contexts hash so that we can continue to force a restorecon via the toolbox command for testing or when we know something else has changed (e.g. for when we support relabeling /data/data and package information has changed). Change-Id: I92bb3259790a7195ba56a5e9555c3b6c76ceb862 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
b77c0360fa9baaac5e9cad173520a103f878bcbf |
04-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Fix return value of selinux_android_restorecon. Change I4a380caab7f8481c33eb64fcdb16b6cabe918ebd unified the init and libselinux restorecon code but introduced a bug by changing the return value of selinux_android_restorecon on errors from -1 (as in libselinux) to -errno (as in the init built-in command). Change it back as there are various callers assuming the libselinux behavior and init does not actually rely on the -errno behavior in the utils code and handles it correctly in the built-in command functions themselves. Change-Id: I6ed5b644820eb07c061d8a2a116511aeb7401df4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
0a10104a1adec50f20291ae4046584786c747134 |
29-Jan-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Do not log the file_contexts digest/hash value. Change-Id: I3ce2e803b53b99a9442b123f41b0966857da66b6 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
826cc29d8bb1b570165e9b0cc332e7159c65031a |
28-Jan-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Only apply restorecon_recursive when file_contexts changes. For any persistent directory (e.g. /data, /persist), we only want to apply restorecon_recursive when there is a change to the file_contexts mapping on an update. Avoid repeatedly walking the directory tree on each boot by setting a security.restorecon_last xattr on each directory during a restorecon_recursive tree walk to a hash of the file_contexts file and skipping the traversal if the xattr is already set and matches the hash of the current file_contexts file. For /sys, the attempt to get and set the xattr will fail but this is harmless. Change-Id: I77bf2a0c4c34b1feef6fdf4d6c3bd92dbf32f4a1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
7fc97fb4d3fcf4b1385171820e4e0cd7a2b513c8 |
28-Jan-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Move restorecon and restorecon_recursive code to libselinux. This requires telling libselinux to use the sehandle already obtained by init rather than re-acquiring it internally. init retains ownership of the sehandle because it performs the initial load, uses the sehandle for other purposes (e.g. labeling of directories created via mkdir and labeling of socket files), and handles the policy reload property trigger. Unify the restorecon code previously duplicated between init and libselinux. Change-Id: I4a380caab7f8481c33eb64fcdb16b6cabe918ebd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
13e1cebf5c166246baa06324d6eb9543930aa2c7 |
27-Jan-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Remove unused structure and code. Seems to have been leftover from some prior work on policy update support. Change-Id: Id5c5772a370a5a79de8f910decf938106a9c0718 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
0dbac4eafd82ba0d9d9fa4ecf9bfdd34b6db2b52 |
23-Dec-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Fix a bug in the userspace AVC that broke per-domain permissive mode. Failure to copy the entire av_decision structure, including the flags field, would prevent preservation of the SELINUX_AVD_FLAGS_PERMISSIVE flag and thus cause per-domain permissive to not be honored for userspace permission checks. Also ensure that we clear the entire structure. Change-Id: I92fcb2522d05094a9583b0035bbe1f94cb289ecd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
vc.c
|
df1ece2412dbbb2f2b021852c7f5c69257401f0b |
02-Dec-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Use a fixed string for the level rather than the caller's range. Otherwise we can get an unexpected result if the caller is already running with categories set. Change-Id: I9146a202b3175a75aecd0b38939b44cec63a67f2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
2c41f9f1f5e51a80e2ffbb05932da3aece4ac827 |
27-Nov-2013 |
Nick Kralevich <nnk@google.com> |
Remove dead code

This code isn't being used.

Change-Id: I8113e16717dfbaa42913ee8e3c7fc7d2c9b36660
ndroid.c
|
833cba64c0a3a8ac4684e408da509827f6977ed8 |
19-Nov-2013 |
Nick Kralevich <nnk@google.com> |
Clean up more c++ errors

Modify android.c so it compiles under C++.

Change-Id: I6770a46ee1ccfd6e08fb4c92de94a4adc3084fcc
ndroid.c
nit.c
|
5b91e6297719ee29fc4d3795a4bc9d7343b30fb0 |
12-Nov-2013 |
Nick Kralevich <nnk@google.com> |
Clean up some (void *) assignments. Do casting when using the result of a malloc / realloc. This allows this code to be compiled using c++, if needed. Change-Id: I4f38b6747216548effb8b4edad77ee54de386a81
abel_file.c
|
e3615f9d90e9b37c84b00d1830121fb21e6981f7 |
12-Sep-2013 |
William Roberts <wroberts@tresys.com> |
seapp_contexts support for prefix matching on name

A package name specified in seapp_contexts ending with a * will perform a prefix match.

Ex) name=com.test*
Will match:
com.test.me
com.test.foo.bar

Change-Id: I0dfb4584579945a7c444b40bb732d2d530dddb3a
ndroid.c
|
8ed42427deec178494a1de79dae6f9cae43dd005 |
16-Apr-2013 |
William Roberts <w.roberts@sta.samsung.com> |
Use NULL instead of 0 as terminator to array Change-Id: I034fb304145529791f275db568cd8ce29748a9fd
ndroid.c
|
cb92504c2b9439b2c9bb745a3727f58e8c44c224 |
26-Jul-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Fix logging of sepolicy pathname on policy load. I9d83122e276a25d2e7c928b724344d5f3420af73 eliminated a temporary path variable but ended up using the wrong index in the sepolicy_file[] array, thereby indexing off the end of the array or logging the wrong path. Change-Id: If1b61c938bdcf53aef000d45e9415ded68a96585 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
8792a5ce72fdb903cc1f90e63605df78455ba55a |
12-Jul-2013 |
Nick Kralevich <nnk@google.com> |
am b1ae15ab: Clean up code * commit 'b1ae15abf1d3a47b0e993d1a4daa228f73d12bb9': Clean up code
|
ca0811112e819f5351a31b1cd8509c4d2cf98eb0 |
12-Jul-2013 |
Nick Kralevich <nnk@google.com> |
am 9ca4088e: android.c: fix free of uninitialized memory * commit '9ca4088ee4d8378e9f01df67a8df3f0cb5071bed': android.c: fix free of uninitialized memory
|
b1ae15abf1d3a47b0e993d1a4daa228f73d12bb9 |
12-Jul-2013 |
Nick Kralevich <nnk@google.com> |
Clean up code

Clean up the code, so it compiles with -Wall -Wextra -Werror

Change-Id: I78ad5941a45208e1a82181cedb5853753f58ff0d
ndroid.c
ooleans.c
nabled.c
abel.c
|
9ca4088ee4d8378e9f01df67a8df3f0cb5071bed |
12-Jul-2013 |
Nick Kralevich <nnk@google.com> |
android.c: fix free of uninitialized memory

Under certain error conditions, freecon is called with a pointer to uninitialized memory. Make sure everything is initialized.

Move variable declaration before any goto statements. Variable declaration after a goto statement produces weird runtime artifacts.

Change-Id: Ie1db5a8466bbf259f09a612a1c97afc3713e33df
ndroid.c
|
0daa62c1dd9bd27f0f955f4bdebf3c537e6232eb |
21-May-2013 |
gcondra@google.com <gcondra@google.com> |
am dae85f9e: Revert "Hack to fix selinux crashes on Manta" * commit 'dae85f9e3e7f0e531138a57f1b13e646b78b1919': Revert "Hack to fix selinux crashes on Manta"
|
bc3d58d53bda40d788f31e6db71451c2854736cd |
21-May-2013 |
gcondra@google.com <gcondra@google.com> |
am 8c6e5f8e: Revert "Call lsetfilecon directly in fixcon." * commit '8c6e5f8ee923ef72e550d76e855a1d6f3df4b693': Revert "Call lsetfilecon directly in fixcon."
|
dae85f9e3e7f0e531138a57f1b13e646b78b1919 |
17-May-2013 |
repo sync <gcondra@google.com> |
Revert "Hack to fix selinux crashes on Manta"

This reverts commit 1d857f3e2e739c001b7cbbd1e37b92a038e46b98.
ndroid.c
|
8c6e5f8ee923ef72e550d76e855a1d6f3df4b693 |
17-May-2013 |
repo sync <gcondra@google.com> |
Revert "Call lsetfilecon directly in fixcon."

This reverts commit 0f3a5e88ddc12f033edd8f3bbe0457ff2d3146e4.
ndroid.c
|
4d53ee61f68921dd08d4428b7af1ba30a806f412 |
17-May-2013 |
gcondra@google.com <gcondra@google.com> |
am 0f3a5e88: Call lsetfilecon directly in fixcon. * commit '0f3a5e88ddc12f033edd8f3bbe0457ff2d3146e4': Call lsetfilecon directly in fixcon.
|
0f3a5e88ddc12f033edd8f3bbe0457ff2d3146e4 |
15-May-2013 |
repo sync <gcondra@google.com> |
Call lsetfilecon directly in fixcon. This avoids the spurious double-lookup from calling restorecon. Bug: 8967715 Change-Id: I3e92804dca245501ca974bda7a0d7d1c459c58da
ndroid.c
|
2ed00e3edeb68c6728aa54e1b428cb702eb9880d |
09-May-2013 |
Ken Sumrall <ksumrall@android.com> |
am 1d857f3e: Hack to fix selinux crashes on Manta * commit '1d857f3e2e739c001b7cbbd1e37b92a038e46b98': Hack to fix selinux crashes on Manta
|
1d857f3e2e739c001b7cbbd1e37b92a038e46b98 |
09-May-2013 |
Ken Sumrall <ksumrall@android.com> |
Hack to fix selinux crashes on Manta

Due to previous issues with make_ext4fs not zeroing out inode tables and Nexus 10 not erasing partitions before flashing, some devices during development were flashed with garbage in the inode tables for unused inodes. The kernel did not care, and ignored the unused inodes, but if e2fsck ran for any reason, it would find what it thought were lost inodes, and put them in lost+found.

When selinux was enabled, it would reload the policy on all files in /data, and when it traversed /lost+found, the kernel would crash with weird ext4 errors. We are pretty sure this is due to bugs in the xattr code not handling potentially bogus inodes, but we have not yet found the actual bug.

In order to get the release out the door on time, this hack will skip searching in lost+found directories. This will be fixed properly before the next release.

Bug: 8801548
Change-Id: If4cd78cf587cefa4cd2d41c4424034c5d5878b78
ndroid.c
|
b7100dc38750ed5780202d5a584d170a68b345c8 |
06-May-2013 |
Nick Kralevich <nnk@google.com> |
am 9c30ac60: selinux_android_reload_policy: get rid of useless temp var * commit '9c30ac60791fe561816017c96a2931d17a7cb103': selinux_android_reload_policy: get rid of useless temp var
|
baa9a6253aa4d231a050f0fe0ef839717428b73c |
06-May-2013 |
Nick Kralevich <nnk@google.com> |
am 397359d0: fixcon_recursive: avoid fixed size buffers * commit '397359d043e5763f955b31e4421dcf15be8e3237': fixcon_recursive: avoid fixed size buffers
|
9c30ac60791fe561816017c96a2931d17a7cb103 |
06-May-2013 |
Nick Kralevich <nnk@google.com> |
selinux_android_reload_policy: get rid of useless temp var Change-Id: I9d83122e276a25d2e7c928b724344d5f3420af73
ndroid.c
|
397359d043e5763f955b31e4421dcf15be8e3237 |
06-May-2013 |
Nick Kralevich <nnk@google.com> |
fixcon_recursive: avoid fixed size buffers Change-Id: I980d526e999e602b6ab6ebfb7a5ddc7a4bd13785
ndroid.c
|
3885884d61759de36e928fcaf40e7ac32baf1aaa |
02-May-2013 |
Geremy Condra <gcondra@google.com> |
am 7f90cf46: Merge "Eliminate a memory leak." * commit '7f90cf46569f4ca2429b7e843c3816d816c0fd36': Eliminate a memory leak.
|
7f90cf46569f4ca2429b7e843c3816d816c0fd36 |
02-May-2013 |
Geremy Condra <gcondra@google.com> |
Merge "Eliminate a memory leak."
|
520c2aaf75887c76631cedf83322cbe4c523d739 |
30-Apr-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
am 4f2b0565: Add selinux status functions from upstream libselinux. * commit '4f2b0565ea34081dc2fd04073bb558d6b2609aef': Add selinux status functions from upstream libselinux.
|
6750780433d7f989b56ac61b655ca982ad9027d4 |
27-Apr-2013 |
repo sync <gcondra@google.com> |
Fix typo in location of seapp_contexts. Bug: 8116902 Change-Id: I066b32029ca6631d51e1d319477f5536c4fccbd5
ndroid.c
|
300bebb3883f92dc642be4546963ffd9d152ffa8 |
16-Apr-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Eliminate a memory leak. Need to free the old seapp_contexts if any before reloading. Change-Id: I66a9c2895518c6224920c9728157a84dc572d31a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
4f2b0565ea34081dc2fd04073bb558d6b2609aef |
16-Apr-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add selinux status functions from upstream libselinux. These functions allow programs to check whether there has been a change to the SELinux status without needing to poll a netlink socket. Change-Id: Ic7f310d69a7c420e48fbc974000cf4a5b9ab4a3b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
eny_unknown.c
estatus.c
|
01cccbfd1b00dad6ec23383fb14cc3a2db5d144d |
15-Apr-2013 |
Geremy Condra <gcondra@google.com> |
Special case fixups for unlabeled files and directories.

Bug: 8116902
(cherry picked from commit 67c2662296fc8dfa233ace58567eaeba1a646d11)
Change-Id: I2041b827240d1102060e2ec5a5de8ea1ff4e171c
ndroid.c
|
6064643a2dbfa9649894f64d9457a0b6ee103113 |
11-Apr-2013 |
Geremy Condra <gcondra@google.com> |
Add logic to handle file context updates. Bug: 8116902 (cherry picked from commit 527959d207b5eb852612e91efc4880bde701fd2d) Change-Id: Ib1061e9b804e29a57116656626999cfc7b1513e4
ndroid.c
|
59004581965932530bb582fd071cd426dbfa39ab |
21-Mar-2013 |
William Roberts <w.roberts@sta.samsung.com> |
Drop /data/system as a location for policy files

/data/system is no longer supported as a possible location for policy files, use /data/security instead.

Change-Id: I83e5014a9e2f64bd95c0f1be6cd463fd71a7025b
ndroid.c
|
77e151b60201e31f8eed25d745f1c1a718f70e7d |
23-Jan-2013 |
William Roberts <w.roberts@sta.samsung.com> |
Add new location for policy files

Add new location for policy, /data/security, which has precedence over /data/system

Change-Id: If75da3889c75ca83eb7dbd6e5540657a4cf65831
ndroid.c
|
a879598e8b1d7daad0222b0692b58963a40298d7 |
28-Nov-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Generalize levelFromUid support. Generalize levelFromUid support to support per-app, per-user, or per-combination level assignment. Adds a new levelFrom=none|app|user|all syntax for specifying the desired behavior in seapp_contexts. levelFromUid=true|false is still supported but translated to levelFrom=app|none. No change in existing behavior for existing seapp_contexts configurations. Change-Id: I0e9c18ecf3113fa7079d2101899c92a241ef80a0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
299b1e5d40ceda8e292d8adccdc1ac58c2da6fd8 |
19-Mar-2013 |
Geremy Condra <gcondra@google.com> |
Merge "Adjustments to android property backend."
|
51c57096c8101ea13e51c296e4891ae84fc1c422 |
24-Jan-2013 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
Adjustments to android property backend. Allow the android property backend parser to accept the SELABEL_OPT_VALIDATE option and to perform a validate callback. Change-Id: If061502c5e2489a1155798fac1d8357dbb8d13ba Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
abel_android_property.c
|
d2302ca4c4142f4b46df3d334288fb7f7f939ed2 |
05-Jan-2013 |
Alice Chu <alice.chu@sta.samsung.com> |
Check mkdir return value before calling mount. Change-Id: If058da4431215fa4b6f895563ba13620b7d9a81a
ndroid.c
|
d10c3437e60a40d49e9359e1de23b018859e5d45 |
05-Nov-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Mount selinuxfs on /sys/fs/selinux when possible. Linux 3.0 introduced /sys/fs/selinux as the preferred mount point directory for selinuxfs. Upstream libselinux tries to mount selinuxfs on /sys/fs/selinux first and falls back to /selinux if it doesn't exist. Do likewise in Android. Change-Id: Iec738ff7e2f13f809a271eb03f08ef6cd2582bd4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
olicy.h
|
20f62f358ff65dae9aac74d6d1ccf2a648a9e20d |
23-Oct-2012 |
Kenny Root <kroot@google.com> |
Do not try to restorecon if selinux is disabled

debuggerd tries to restorecon on the tombstones directory which fails when SELinux is not enabled in the kernel. That would return an error condition to debuggerd which would then abort its attempt to dump the stacks of the failing program.

Fix it here in case there are other places that might call this in the future. Currently the only other caller is android_os_SELinux.cpp JNI code.

Change-Id: Id73796a70174333b61fd04ee6b1d99fccbea8116
ndroid.c
|
61e917ad2f1fbf39b3205d7568fcd3684b0ccda6 |
02-Oct-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Apply context validation when loading file_contexts. Change-Id: I7c0bdca5c9a1ffe428200a830c1b706fc8ed9675 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
abel_file.c
|
525a22446b011415038e3c4b213ba691286f28a5 |
24-Sep-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Switch app_* and isolated to _app and _isolated in seapp_contexts. The app_* syntax was a legacy of the original approach of looking up the username returned by getpwuid() and the original username encoding scheme by bionic. With the recent changes to move away from this approach, there is no reason to retain that syntax. Instead, just use _app to match app UIDs and _isolated to match isolated service UIDs. The underscore prefix is to signify that these are not real usernames and to avoid conflicts with any system usernames. Requires a corresponding change to sepolicy. Change-Id: I21f9f88415b653c1bf6332fc100d91d969c9da64 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
d23b9e0198be5699623b4be8c12f02719c506ce0 |
21-Sep-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Rework category mapping and perform some code cleanup. Map the app IDs to a category pair rather than a single category. With this scheme, we can represent up to 2^16 app IDs, which exceeds the maximum of 10000 imposed by Android. This also only uses category bits 0-511, so 512-1023 remain free for use for other purposes (or we could shrink the number of categories defined in the policy). Also perform other minor code cleanups previously suggested, e.g. fix const declaration, use an enum rather than #define, correct %lu to %u for format string, etc. Change-Id: I5bb727bfb4297e3e13ba1ef078e41db3ea7d1b8f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
895b446e8b4844f2da7354e74d5d96cc7f4418f3 |
19-Sep-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Clean up libselinux logic for looking up seapp contexts entries. Re-factor the logic shared by selinux_android_setfilecon2 and selinux_android_setcontext into a common helper and replace the use of getpwuid and username string parsing with direct use of android_filesystem_config.h definitions. Also map isolated UIDs to a separate isolated key so that we can label them differently in the future if desired. Change-Id: If2f9def21222588b440a6cedcceec0434f6797fd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
4a655eca75a79149c25616c4a5a44f5b8d26b28f |
18-Sep-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Drop the use of a policy version suffix on the sepolicy file. The policy version suffix support was carried over from conventional Linux distributions, where we needed to support simultaneous installation of multiple kernels and policies. This isn't required for Android, so get rid of it and thereby simplify the policy pathname. Requires a corresponding change to sepolicy. Change-Id: I061607f5fe6457e469b4834da6fc659d7ddca6f9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ndroid.c
|
8aeb5c5fd002c09d32f3151c17c645b85d1bb8e5 |
14-Sep-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Only check SELinux enabled status once in selinux_check_access(). Move the SELinux enabled check to the once handler so that we do not perform this on each call to selinux_check_access(). Reduces overhead in both the SELinux-enabled and the SELinux-disabled cases. Change-Id: I61fe85bc04fe53cbf840ba712c81bdb06e4e0c2f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
heckAccess.c
|
906742dfd76bf9f21bddbddc43966c2cc9b0da0e |
23-Aug-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Do not return the libselinux-private sehandle from selinux_android_file_context_handle().
ndroid.c
|
4d1d14fbe2960a5aaf5f7b3138bf9e11722d1130 |
23-Aug-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Only call regfree if regcomp was previously called on the regex.
abel_file.c
|
ce4e2e6a0819b0a23d80fa137b5ee0e351aff855 |
23-Aug-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Handle naming for system uids running as secondary users. Commit bf9441e in bionic introduced a new scheme for naming system uids as secondary users (as part of multi-user support). Update the libselinux logic to correctly map these identities for lookup purposes in the seapp_contexts configuration file.
ndroid.c
|
bee88b2041e0c5cb51dd707a9e508d8573907515 |
06-Aug-2012 |
rpcraig <rpcraig@tycho.ncsc.mil> |
Fix once synchronization control structure for file_contexts. This is not needed when used within the reload scenario. We actually need the file_contexts to be read multiple times.
ndroid.c
|
f1724a371be1678ebf79474ab9a390dd6a5c96c7 |
01-Aug-2012 |
rpcraig <rpcraig@tycho.ncsc.mil> |
Add sepolicy loading functionality. These changes reflect changes made to init. The sepolicy reload now happens in libselinux.
ndroid.c
|
e8b0fd8c21a68fd0a7fcf656a7b6eae10e61c8e5 |
31-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Close the selinux netlink socket when we set the app context.
ndroid.c
|
d181826941c365f66b00a7f5accfd42bc09c19d6 |
31-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Ensure that we only close the selinux netlink socket once.
vc_internal.c
|
689383dc7dd425b6026c97d49642b0c608602577 |
30-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Handle EINTR correctly in avc_netlink_receive.
vc_internal.c
|
09f69843a9991d35888b35f0bfa8de0b11a824b2 |
28-Jul-2012 |
William Roberts <bill.c.roberts@gmail.com> |
Allow non-matched apps to launch when no match found. Allows the zygote to still spawn apps in the zygote's context when no match is found in seapp_contexts. In enforcing mode, apps that are not matched will not be spawned. A "No match" message will (still) be printed to logcat. Change-Id: Ibe362cc8e168be7acae5162c9ff6a310233fcbe6
ndroid.c
|
1b36ad00bfbea16ad4456a9fd715e594d57f2fd6 |
27-Jul-2012 |
William Roberts <bill.c.roberts@gmail.com> |
You can now specify a sebool= flag in seapp_contexts. The seapp rule containing an sebool clause will ONLY be applied on a match to that boolean, and only if the boolean is set to true. Change-Id: Ifdba35cd3a78ce1c8173786514db649203018e28 Signed-off-by: William Roberts <w.roberts@sta.samsung.com>
ndroid.c
|
f77e60de67dbc84d06aa77adef6bdf80455ee9f5 |
27-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Revert "Allow zygote to spawn non matched apps in permissive mode". This reverts commit 0beab96891a9ee1808b113479f167148cab5c998.
ndroid.c
|
0beab96891a9ee1808b113479f167148cab5c998 |
27-Jul-2012 |
William Roberts <bill.c.roberts@gmail.com> |
Allow zygote to spawn non matched apps in permissive mode. This patch will allow non-matched apps in seapp_contexts to still be spawned via the zygote. An error message will be sent to logcat. Change-Id: I9fb5dcfeb384a26e6a01d69bffd2ef14af74c51c Signed-off-by: William Roberts <w.roberts@sta.samsung.com>
ndroid.c
|
9b10083ab40e78cce8cc2b940ce22db6d1095fc5 |
27-Jul-2012 |
rpcraig <rpcraig@tycho.ncsc.mil> |
Introduce new function to return sehandle. Add function selinux_android_file_context_handle that opens the correct file_contexts policy file and returns the available sehandle object.
ndroid.c
|
edfaad87e34e7a5bb691d45fd6df3e0b5ad0bb1a |
12-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Introduce selinux_android_setfilecon2 to support passing seinfo argument.
ndroid.c
|
c9726aba339f3d935ff14c0734edf13116af3cbf |
11-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Fix handling of app id 0.
ndroid.c
|
ba70ee4c5ab8026e97fce5c2452dfe588dfaac3e |
10-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add support for the new username mapping in JB, and backward compatibility.
ndroid.c
|
a2e47cd90d84d48cde19575d044577a3fc7a4000 |
11-Jun-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Change selabel_open and label backends to take a const struct selinux_opt argument.
abel.c
abel_android_property.c
abel_file.c
abel_internal.h
|
35b01083fe5e34cbd318a78ef9b1a13432ae24d9 |
04-Apr-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Define and implement Android property selabel backend.
abel.c
abel_android_property.c
abel_internal.h
|
32ebfe869edfc32633cf4f2ee2b56b7d8ce97a19 |
20-Mar-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Check for /data/system/file_contexts first in restorecon.
ndroid.c
|
7446c917148c778315e511ad5c990492d3c8cdb8 |
19-Mar-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add selinux_android_seapp_context_reload() to support reloading of seapp_contexts configuration upon updates, and introduce support for loading it from /data/system or /.
ndroid.c
|
0ca91b300c711079816fa67b4148cac3cd1eef8c |
19-Mar-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add a selinux_android_restorecon interface for use by the frameworks.
ndroid.c
|
cc3d76d1b717805740126aec7e0343f5a240cfbe |
24-Jan-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Support for building the host library on MacOS X.
nit.c
|
273c4c63a7314db7da4bc8312e80a39470a7f663 |
18-Jan-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Move SELINUXMNT definition to public selinux.h for use by init.
olicy.h
|
f074036424618c130dacb3464465a8b40bffef58 |
04-Jan-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Port of libselinux to Android.
ndroid.c
vc.c
vc_internal.c
vc_internal.h
vc_sidtab.c
vc_sidtab.h
ooleans.c
allbacks.c
allbacks.h
anonicalize_context.c
heckAccess.c
heck_context.c
ompute_av.c
ompute_create.c
ontext.c
ontext_internal.h
isable.c
so.h
nabled.c
getfilecon.c
reecon.c
setfilecon.c
et_initial_context.c
etenforce.c
etfilecon.c
etpeercon.c
nit.c
abel.c
abel_file.c
abel_internal.h
getfilecon.c
oad_policy.c
setfilecon.c
apping.c
apping.h
olicy.h
olicyvers.c
rocattr.c
elinux_internal.h
elinux_netlink.h
etenforce.c
etfilecon.c
tringrep.c
|