80bc7ee8faaddfa7a650994fa82a57f41a9e7475 |
|
22-Apr-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Add support for ioctl command whitelisting Adds support for new policy statements whitelisting individual ioctl commands. Ioctls provide many of the operations necessary for driver control. The typical driver supports a device specific set of operations accessible by the ioctl system call and specified by the command argument. SELinux provides per operation access control to many system operations e.g. chown, kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per file descriptor basis using the ioctl permission, meaning that the set of operations provided by the driver are granted on an all-or-nothing basis. In some cases this may be acceptable, but often the same driver provides a large and diverse set of operations such as benign and necessary functionality as well as dangerous capabilities or access to system information that should be restricted. Example policy: allow <source> <target>:<class> { 0x8900-0x8905 0x8910 } auditallow <source> <target>:<class> 0x8901 The ioctl permission is still required in order to make an ioctl call. If no individual ioctl commands are specified, only the ioctl permission is checked by the kernel - i.e. status quo. This allows ioctl whitelisting to done in a targeted manner, protecting desired drivers without requiring every ioctl command to be known and specified before use and otherwise allowing existing policy to be used as-is. This only implements ioctl whitelisting support for monolithic kernel policies built via checkpolicy. Support for modules and CIL remains to be done. Bug: 19419509 Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
f0290677091e7eee4a3724a2a86ede9e11f93802 |
|
17-Mar-2015 |
Daniel De Graaf <dgdegra@tycho.nsa.gov> |
libsepol, checkpolicy: add device tree ocontext nodes to Xen policy In Xen on ARM, device tree nodes identified by a path (string) need to be labeled by the security policy. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
82030de5dc8d08a9417842156293c65fef9dc70c |
|
17-Mar-2015 |
Daniel De Graaf <dgdegra@tycho.nsa.gov> |
libsepol, checkpolicy: widen Xen IOMEM ocontext entries This expands IOMEMCON device context entries to 64 bits. This change is required to support static I/O memory range labeling for systems with over 16TB of physical address space. The policy version number change is shared with the next patch. While this makes no changes to SELinux policy, a new SELinux policy compatibility entry was added in order to avoid breaking compilation of an SELinux policy without explicitly specifying the policy version. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
ed7a6ba24ad3241e696fa7bc9bb56bb4f373147b |
|
16-Dec-2014 |
dcashman <dcashman@google.com> |
Allow libsepol C++ static library on device. Change-Id: I7da601767c3a4ebed7274e33304d8b589a9115fe Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
44a65ed816ea05e3f04872eb78f09c44ec695b21 |
|
14-Oct-2011 |
Steve Lawrence <slawrence@tresys.com> |
libsepol: add function to libsepol for setting target_platform With pp modules, the target platform information comes form the base module. However, CIL modules have no concept of target platform. So it must come from somewhere else. This adds an API function that allows setting the target platform. Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
ef24ade029329a6e9981bd1de2ba7b9ea48e1c79 |
|
05-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Report source file and line information for neverallow failures. Change-Id: I0def97a5f2f6097e2dad7bcd5395b8fa740d7073 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
4bc2cd49d4bb5cfb54c8133a9e9881e8f18f45cd |
|
28-Oct-2013 |
Dan Walsh <dwalsh@redhat.com> |
Update version of policy file to match what was shipped since Fedora 19
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
9eefe11b3a94307a3f5432316a59d1f8e3268429 |
|
28-Oct-2013 |
Richard Haines <richard_c_haines@btinternet.com> |
libsepol: V1 Allow constraint denials to be determined. Adds policy source defined 'type' or 'typeattribute' names to constraints by adding additional structures (->type_names->types) to a binary policy. Before this change all typeattributes were expanded to lists of types and added to the constraint under ->names. This made it difficult for system admins to determine from the policy source what attribute needed to be updated. To facilitate analysis of constraint failures a new function has also been added, see sepol_compute_av_reason_buffer. As additional structures have been added to policy, the policy version is also updated (POLICYDB_VERSION_CONSTRAINT_NAMES). There is also a corresponding kernel patch to handle the additional structures. sepol_compute_av_reason_buffer is an extended version of sepol_compute_av_reason. This will return a buffer with constraint expression information, containing the constrain type, class, perms, keywords etc.. It will also contain which constraint expr failed plus the final outcome. The buffer MUST be free'd with free(3). The type information output by sepol_compute_av_reason_buffer depends on the policy version: If >= POLICYDB_VERSION_CONSTRAINT_NAMES, then the output will be whatever was in the original policy (type or attribute names). If < POLICYDB_VERSION_CONSTRAINT_NAMES, then the output will be the types listed in the constraint (as no attribute information is available in these versions). For users and roles whatever policy version, only the names are listed (as role attributes are not currently held in the constraint). Also added are two functions that obtain the class and permissions from a binary policy file that has been loaded for testing: sepol_string_to_security_class sepol_string_to_av_perm Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
56258807ea4b33cf3c7a1dbf1b574ab77c91f899 |
|
25-Oct-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Revert "Richard Haines patch that allows us discover constraint violation information" This reverts commit 56b49ab7114f367f46b70e41d84dc7e6d52d5209. Conflicts: libselinux/src/audit2why.c
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
56b49ab7114f367f46b70e41d84dc7e6d52d5209 |
|
09-Oct-2013 |
Dan Walsh <dwalsh@redhat.com> |
Richard Haines patch that allows us discover constraint violation information Basically we need this information to allow audit2allow/audit2why to better describe which constraint is being broken.
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
693f5241fdd5ae7e89d4312b85443c0fc1b1a57d |
|
18-Dec-2012 |
Eric Paris <eparis@redhat.com> |
checkpolicy: libsepol: implement default type policy syntax We currently have a mechanism in which the default user, role, and range can be picked up from the source or the target object. This implements the same thing for types. The kernel will override this with type transition rules and similar. This is just the default if nothing specific is given. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
09c783c9a36cd47216df827c5d2c21ec8cd613e2 |
|
05-Dec-2011 |
Eric Paris <eparis@redhat.com> |
libsepol: checkpolicy: implement new default labeling behaviors We would like to be able to say that the user, role, or range of a newly created object should be based on the user, role, or range of either the source or the target of the creation operation. aka, for a new file this could be the user of the creating process or the user or the parent directory. This patch implements the new language and the policydb support to give this information to the kernel. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
f87ae538256eff759cb67c448416dc14031849a1 |
|
01-Sep-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
libsepol: Indicate when boolean is indeed a tunable. Add flags to cond_bool_datum_t and cond_node_t structures to differentiate the tunables' identifiers and conditionals from those of booleans. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
8072dba146b213a3f12a394596537e73f1b9339c |
|
25-Jul-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
Add role attribute support when generating pp files. Add support to read/write the flavor flag and roles ebitmap in the role_datum_t structure from/to policy module, if its version is no less than MOD_POLICYDB_VERSION_ROLEATTRIB. Since the role ebitmap would be expanded and won't be written into policy.X, neither is the flavor flag, kernel SELinux security server needs no change, the maximum version number for policy.X needs no bump. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
16675b7f96b7a61ac64180b1824ec04984b72b3b |
|
25-Jul-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
Add role attribute support when compiling modules. 1. Add a uint32_t "flavor" field and an ebitmap "roles" to the role_datum_t structure; 2. Add a new "attribute_role" statement and its handler to declare a role attribute; 3. Modify declare_role() to setup role_datum_t.flavor according to the isattr argument; 4. Add a new "roleattribute" rule and its handler, which will record the regular role's (policy value - 1) into the role attribute's role_datum_t.roles ebitmap; 5. Modify the syntax for the role-types rule only to define the role-type associations; 6. Add a new role-attr rule to support the declaration of a single role, and optionally the role attribute that the role belongs to; 7. Check if the new_role used in role-transition rule is a regular role; 8. Support to require a role attribute; 9. Modify symtab_insert() to allow multiple declarations only for the regular role, while a role attribute can't be declared more than once and can't share a same name with another regular role. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
6eeb71538ea29b639ac7549831cd1aa4da32722a |
|
12-Apr-2011 |
Eric Paris <eparis@redhat.com> |
libsepol: add support for filenametrans rule This patch adds libsepol support for filename_trans rules. These rules allow one to make labeling decisions for new objects based partially on the last path component. They are stored in a list. If we find that the number of rules grows to an significant size I will likely choose to store these in a hash, both in libsepol and in the kernel. But as long as the number of such rules stays small, this should be good. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
45b2e6ec2340d698db506dff8c3df947b6e29452 |
|
25-Mar-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
Userspace: add class to role_trans & role_trans_rule Introduce the class support to role_trans and role_trans_rule structures, which could be the subject class("process") or the class that the newly created object belongs to. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
505c75aad7f16e0db9ccfeb04eaa70f242e6b060 |
|
29-Sep-2009 |
Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> |
libsepol: Add support for multiple target OSes On Wed, 2009-09-16 at 09:58 -0400, Joshua Brindle wrote: > I'd rather have separate ocontext structs for each system. That way it > is very easy to understand which ones apply to which system and you > don't get a crazy out of context ocontext struct. > I looked into having separate ocontext structs but that would involve changing a lot of files making the patch much larger and more intrusive. > > } u; > > union { > > uint32_t sclass; /* security class for genfs */ > > @@ -313,6 +323,17 @@ typedef struct genfs { > > #define OCON_NODE6 6 /* IPv6 nodes */ > > #define OCON_NUM 7 > > > > +/* object context array indices for Xen */ > > +#define OCON_ISID 0 /* initial SIDs */ > > +#define OCON_PIRQ 1 /* physical irqs */ > > +#define OCON_IOPORT 2 /* io ports */ > > +#define OCON_IOMEM 3 /* io memory */ > > +#define OCON_DEVICE 4 /* pci devices */ > > +#define OCON_DUMMY1 5 /* reserved */ > > +#define OCON_DUMMY2 6 /* reserved */ > > +#define OCON_NUM 7 > > + > > + > > > Should these be namespaced? What if <random other system> has io port > objects? You'd have to align them with each other and you have a mess of > keeping the numbers the same (you already do this with OCON_ISID) Variables have been namespaced and there is no more overlap with OCON_ISID. > Also we are relying on having the same number of OCON's which isn't good > I don't think. As much as I hate the policydb_compat_info (read: alot) > why aren't we using that to say how many ocons a xen policy really has? OCON_NUM is now dynamically read through policydb_compat_info. > This is messy, why not an ocontext_selinux_free() and > ocontext_xen_free() (note: I realize the xen_free() one won't do > anything except freep the ocontext_t) > done. > > > > len = buf[1]; > > - if (len != strlen(target_str)&& > > - (!alt_target_str || len != strlen(alt_target_str))) { > > - ERR(fp->handle, "policydb string length %zu does not match " > > - "expected length %zu", len, strlen(target_str)); > > + if (len> 32) { > > > > magic number 32? #defined. Thanks for your input. Below is the updated patch for libsepol. ---- libsepol/include/sepol/policydb/policydb.h | 28 ++ libsepol/src/expand.c | 85 +++++++- libsepol/src/policydb.c | 295 +++++++++++++++++++++++------ libsepol/src/policydb_internal.h | 1 libsepol/src/private.h | 4 libsepol/src/write.c | 93 ++++++++- 6 files changed, 443 insertions(+), 63 deletions(-) Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
f7917ea9cf6af752de98a1e742152d813028c669 |
|
10-Feb-2009 |
Caleb Case <ccase@tresys.com> |
aliases for the boundry format The boundry format mapped the primary field to a boolean in the properties bitmap. This is appropriate for the kernel policy, but in modular policy the primary field may be an integer that indicates the primary type that is being aliased. In this case, the primary value cannot be assumed to be boolean. This patch creates a new module format that writes out the primary value as was done before the boundry format. Signed-off-by: Caleb Case <ccase@tresys.com> Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
f470207454f5f6ce539aa543e5168a07d667254b |
|
08-Oct-2008 |
Joshua Brindle <method@manicmethod.com> |
Author: KaiGai Kohei Email: kaigai@ak.jp.nec.com Subject: Thread/Child-Domain Assignment (rev.6) Date: Tue, 07 Oct 2008 15:39:45 +0900 >> Hmm.... >> It seems to me what you pointed out is a bug of my patch. It prevents to deliver >> actual number of type/attribute symbols to policy file, but it is unclear why does >> it makes libsepol ignore the policyvers. >> (I guess it may be a separated matter.) >> >>> Rather than trying to calculate the length without attributes I just removed >>> the attribute check. This causes attributes to be written for all versions, >>> but this should not cause any problems at all. >> The reason why I injected such an ad-hoc code is that we cannot decide the policy >> version written when type_attr_remove() is invoked. >> Is it impossible to move it to policydb_write()? >> It is invoked after the policyvers is fixed by caller. > > It isn't impossible. You are going to have to make it walk to type > symbol table to calculate the length without attributes, then write > that length instead of the total symtab length. The attached patch enables to fixup the number of type/attribute entries to be written. The type_attr_uncount() decrements the number of attribute entries skipped at type_write(). At first, I had a plan to invoke type_attr_remove() with hashtab_map_remove_on_error(), but it means the given policydb structure is modified at policydb_write() and implicit changes to external interface. Differences from the previous version are here: Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|
13cd4c8960688af11ad23b4c946149015c80d549 |
|
19-Aug-2008 |
Joshua Brindle <method@manicmethod.com> |
initial import from svn trunk revision 2950
/external/selinux/libsepol/include/sepol/policydb/policydb.h
|