History log of /external/selinux/libsepol/src/write.c
Revision Date Author Comments (<<< Hide modified files) (Show modified files >>>)
915fa8f08f4f9a4c437ee8280a4e641872ea59dd 12-Jun-2015 Jeff Vander Stoep <jeffv@google.com> checkpolicy: switch operations to extended perms

The ioctl operations code is being renamed to the more generic
"extended permissions." This commit brings the policy compiler
up to date with the kernel patch.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
/external/selinux/libsepol/src/write.c
7c912dbc7c926629474387f39f9b86cf94477cd7 24-Apr-2015 Stephen Smalley <sds@tycho.nsa.gov> libsepol: Binary modules do not support ioctl rules.

Prevent writing a binary policy module if the source
included an ioctl operation rule because we do not support ioctl
operation rules in the binary module format. It doesn't seem
worthwhile to introduce a new binary policy module version since
CIL is now merged and we will have to implement the support in CIL
regardless; might as well only support it in CIL modules.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/src/write.c
80bc7ee8faaddfa7a650994fa82a57f41a9e7475 22-Apr-2015 Jeff Vander Stoep <jeffv@google.com> Add support for ioctl command whitelisting

Adds support for new policy statements whitelisting individual ioctl
commands. Ioctls provide many of the operations necessary for driver control.
The typical driver supports a device specific set of operations accessible
by the ioctl system call and specified by the command argument. SELinux
provides per operation access control to many system operations e.g. chown,
kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per
file descriptor basis using the ioctl permission, meaning that the set of
operations provided by the driver are granted on an all-or-nothing basis.
In some cases this may be acceptable, but often the same driver provides a
large and diverse set of operations such as benign and necessary functionality
as well as dangerous capabilities or access to system information that should
be restricted.

Example policy:
allow <source> <target>:<class> { 0x8900-0x8905 0x8910 }
auditallow <source> <target>:<class> 0x8901

The ioctl permission is still required in order to make an ioctl call. If no
individual ioctl commands are specified, only the ioctl permission is
checked by the kernel - i.e. status quo. This allows ioctl whitelisting to
done in a targeted manner, protecting desired drivers without requiring every
ioctl command to be known and specified before use and otherwise allowing
existing policy to be used as-is.

This only implements ioctl whitelisting support for monolithic kernel policies
built via checkpolicy. Support for modules and CIL remains to be done.

Bug: 19419509
Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/src/write.c
f0290677091e7eee4a3724a2a86ede9e11f93802 17-Mar-2015 Daniel De Graaf <dgdegra@tycho.nsa.gov> libsepol, checkpolicy: add device tree ocontext nodes to Xen policy

In Xen on ARM, device tree nodes identified by a path (string) need to
be labeled by the security policy.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
/external/selinux/libsepol/src/write.c
82030de5dc8d08a9417842156293c65fef9dc70c 17-Mar-2015 Daniel De Graaf <dgdegra@tycho.nsa.gov> libsepol, checkpolicy: widen Xen IOMEM ocontext entries

This expands IOMEMCON device context entries to 64 bits. This change is
required to support static I/O memory range labeling for systems with
over 16TB of physical address space. The policy version number change
is shared with the next patch.

While this makes no changes to SELinux policy, a new SELinux policy
compatibility entry was added in order to avoid breaking compilation of
an SELinux policy without explicitly specifying the policy version.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
/external/selinux/libsepol/src/write.c
ed7a6ba24ad3241e696fa7bc9bb56bb4f373147b 16-Dec-2014 dcashman <dcashman@google.com> Allow libsepol C++ static library on device.

Change-Id: I7da601767c3a4ebed7274e33304d8b589a9115fe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/src/write.c
14c0564641e6c8be386f117c2b0f09434121226f 14-Sep-2014 Nicolas Iooss <nicolas.iooss@m4x.org> libsepol: fix most gcc -Wwrite-strings warnings

gcc puts literal strings lie in read-only memory. On x86_64, trying to
write to them triggers a segmentation fault.

To detect such issues at build time, variables holding a pointer to such
strings should be "const char*". "gcc -Wwrite-strings" warns when using
non-const pointers to literal strings.

Remove gcc warnings by adding const to local variables and argumens of
internal functions.

This does *not* fix this warning:

policydb_public.c:208:10: warning: passing argument 2 of 'hashtab_search' discards 'const' qualifier from pointer target type
return (hashtab_search(p->p.p_classes.table, PACKET_CLASS_NAME) ==
^
In file included from ../include/sepol/policydb/symtab.h:16:0,
from ../include/sepol/policydb/policydb.h:60,
from policydb_public.c:4:
../include/sepol/policydb/hashtab.h:98:24: note: expected 'hashtab_key_t' but argument is of type 'const char *'
extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k);
^

Moreover the "const" word in hashtab_search prototype does not make the
second parameter "const char*" but "char* const".

Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/src/write.c
9eefe11b3a94307a3f5432316a59d1f8e3268429 28-Oct-2013 Richard Haines <richard_c_haines@btinternet.com> libsepol: V1 Allow constraint denials to be determined.

Adds policy source defined 'type' or 'typeattribute' names to
constraints by adding additional structures (->type_names->types) to a
binary policy.
Before this change all typeattributes were expanded to lists of types
and added to the constraint under ->names. This made it difficult for
system admins to determine from the policy source what attribute
needed to be updated. To facilitate analysis of constraint failures
a new function has also been added, see sepol_compute_av_reason_buffer.

As additional structures have been added to policy, the policy version
is also updated (POLICYDB_VERSION_CONSTRAINT_NAMES). There is also a
corresponding kernel patch to handle the additional structures.

sepol_compute_av_reason_buffer is an extended version of
sepol_compute_av_reason. This will return a buffer with constraint
expression information, containing the constrain type, class, perms,
keywords etc.. It will also contain which constraint expr failed plus
the final outcome. The buffer MUST be free'd with free(3).

The type information output by sepol_compute_av_reason_buffer depends on
the policy version:
If >= POLICYDB_VERSION_CONSTRAINT_NAMES, then the output will be
whatever was in the original policy (type or attribute names).
If < POLICYDB_VERSION_CONSTRAINT_NAMES, then the output will be
the types listed in the constraint (as no attribute information is
available in these versions).
For users and roles whatever policy version, only the names are listed
(as role attributes are not currently held in the constraint).

Also added are two functions that obtain the class and permissions
from a binary policy file that has been loaded for testing:
sepol_string_to_security_class
sepol_string_to_av_perm

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
/external/selinux/libsepol/src/write.c
56258807ea4b33cf3c7a1dbf1b574ab77c91f899 25-Oct-2013 Stephen Smalley <sds@tycho.nsa.gov> Revert "Richard Haines patch that allows us discover constraint violation information"

This reverts commit 56b49ab7114f367f46b70e41d84dc7e6d52d5209.

Conflicts:
libselinux/src/audit2why.c
/external/selinux/libsepol/src/write.c
56b49ab7114f367f46b70e41d84dc7e6d52d5209 09-Oct-2013 Dan Walsh <dwalsh@redhat.com> Richard Haines patch that allows us discover constraint violation information

Basically we need this information to allow audit2allow/audit2why to better
describe which constraint is being broken.
/external/selinux/libsepol/src/write.c
693f5241fdd5ae7e89d4312b85443c0fc1b1a57d 18-Dec-2012 Eric Paris <eparis@redhat.com> checkpolicy: libsepol: implement default type policy syntax

We currently have a mechanism in which the default user, role, and range
can be picked up from the source or the target object. This implements
the same thing for types. The kernel will override this with type
transition rules and similar. This is just the default if nothing
specific is given.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/write.c
afe88d8c69543b2ebd6e25efdaab76f40ea4d3c7 11-Dec-2012 Eric Paris <eparis@redhat.com> libsepol: coverity fixes

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/write.c
09c783c9a36cd47216df827c5d2c21ec8cd613e2 05-Dec-2011 Eric Paris <eparis@redhat.com> libsepol: checkpolicy: implement new default labeling behaviors

We would like to be able to say that the user, role, or range of a newly
created object should be based on the user, role, or range of either the
source or the target of the creation operation. aka, for a new file
this could be the user of the creating process or the user or the parent
directory. This patch implements the new language and the policydb
support to give this information to the kernel.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/write.c
b0be2a06b7b377cfc3134bb7ebadc9cf9d070992 01-Sep-2011 Harry Ciao <qingtao.cao@windriver.com> libsepol: Write and read TUNABLE flags in related data structures.

All flags in cond_bool_datum_t and cond_node_t structures are written
or read for policy modules which version is no less than
MOD_POLICYDB_VERSION_TUNABLE_SEP.

Note, for cond_node_t the TUNABLE flag bit would be used only at expand,
however, it won't hurt to read/write this field for modules(potentially
for future usage).

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/write.c
0299119625fe0067998fffdff9bdf721379f3131 16-Aug-2011 Harry Ciao <qingtao.cao@windriver.com> libsepol: Skip writing role attributes for policy.X and downgraded pp.

Role attributes are redundant for policy.X, their destiny has been
fulfilled in the expand phase when their types.types ebitmap have
been populated to that of their sub regular roles.

When pp is downgraded, role_datum_t's the flavor flag and roles
ebitmap would be discarded, resulting in role attributes useless
at all. So for such case they should also be skipped.

Deduct the number of role attributes from p_roles.table->nel when
they are skipped.

Last, uncount attributes number before converting endianness.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/write.c
8072dba146b213a3f12a394596537e73f1b9339c 25-Jul-2011 Harry Ciao <qingtao.cao@windriver.com> Add role attribute support when generating pp files.

Add support to read/write the flavor flag and roles ebitmap in the
role_datum_t structure from/to policy module, if its version is no less
than MOD_POLICYDB_VERSION_ROLEATTRIB.

Since the role ebitmap would be expanded and won't be written into
policy.X, neither is the flavor flag, kernel SELinux security server
needs no change, the maximum version number for policy.X needs no bump.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/src/write.c
30c3a6e4c3abe5e3202344591768aa4666b66f76 02-May-2011 Steve Lawrence <slawrence@tresys.com> libsepol: warn if filename_trans rules are dropped

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/src/write.c
58fef61e7350d64049a04c9a4b21c86ce35c35de 13-Apr-2011 Steve Lawrence <slawrence@tresys.com> libsepol: use the correct number of roletrans rules when not supported

When writing the roletrans rules, rules are dropped when not supported,
but the number of rules is not decreased. This sets the number of
elements to the actual number of rules that will be written.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/src/write.c
34df32ab85a914c2bb7430e40716be7cbfa0a6bb 12-Apr-2011 Eric Paris <eparis@redhat.com> libsepol: support policy modules when roletrans rules not supported

Although the role trans code had support to handle the kernel policy
when the version was less that roletrans such support was not in the
module read/write code. This patch adds proper support for role trans
in modules.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/src/write.c
6eeb71538ea29b639ac7549831cd1aa4da32722a 12-Apr-2011 Eric Paris <eparis@redhat.com> libsepol: add support for filenametrans rule

This patch adds libsepol support for filename_trans rules. These rules
allow one to make labeling decisions for new objects based partially on
the last path component. They are stored in a list. If we find that
the number of rules grows to an significant size I will likely choose to
store these in a hash, both in libsepol and in the kernel. But as long
as the number of such rules stays small, this should be good.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/src/write.c
6db9b74210197f792a52038abbd10e946e99e49d 25-Mar-2011 Harry Ciao <qingtao.cao@windriver.com> Userspace: handle the class in role_trans_rule

Add class support to various functions to handle role_trans_rule_t
structures.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/src/write.c
93417dfa28606d48dc3e37e05d5a3aeaa1488870 25-Mar-2011 Harry Ciao <qingtao.cao@windriver.com> Userspace: handle the class field in role_trans struct

Add the class support to various functions that handle role_trans
structure.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/src/write.c
8627ab66a7136f1a84fe2a4d83f04e196b09ea7b 18-Nov-2009 Manoj Srivastava <srivasta@debian.org> Author: Manoj Srivastava
Email: srivasta@debian.org
Subject: cannnot -> cannot and suport -> support
Date: Tue, 17 Nov 2009 10:27:57 -0600

This was reported after a lintian check found this on any package
linked with libsepol. Closes: #556390

Signed-off-by: Manoj Srivastava <srivasta@debian.org>
Signed-off-by: Chad Sellers <csellers@tresys.com>
/external/selinux/libsepol/src/write.c
505c75aad7f16e0db9ccfeb04eaa70f242e6b060 29-Sep-2009 Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> libsepol: Add support for multiple target OSes

On Wed, 2009-09-16 at 09:58 -0400, Joshua Brindle wrote:
> I'd rather have separate ocontext structs for each system. That way it
> is very easy to understand which ones apply to which system and you
> don't get a crazy out of context ocontext struct.
>

I looked into having separate ocontext structs but that would involve
changing a lot of files making the patch much larger and more intrusive.

> > } u;
> > union {
> > uint32_t sclass; /* security class for genfs */
> > @@ -313,6 +323,17 @@ typedef struct genfs {
> > #define OCON_NODE6 6 /* IPv6 nodes */
> > #define OCON_NUM 7
> >
> > +/* object context array indices for Xen */
> > +#define OCON_ISID 0 /* initial SIDs */
> > +#define OCON_PIRQ 1 /* physical irqs */
> > +#define OCON_IOPORT 2 /* io ports */
> > +#define OCON_IOMEM 3 /* io memory */
> > +#define OCON_DEVICE 4 /* pci devices */
> > +#define OCON_DUMMY1 5 /* reserved */
> > +#define OCON_DUMMY2 6 /* reserved */
> > +#define OCON_NUM 7
> > +
> > +
> >
> Should these be namespaced? What if <random other system> has io port
> objects? You'd have to align them with each other and you have a mess of
> keeping the numbers the same (you already do this with OCON_ISID)

Variables have been namespaced and there is no more overlap with
OCON_ISID.

> Also we are relying on having the same number of OCON's which isn't good
> I don't think. As much as I hate the policydb_compat_info (read: alot)
> why aren't we using that to say how many ocons a xen policy really has?

OCON_NUM is now dynamically read through policydb_compat_info.

> This is messy, why not an ocontext_selinux_free() and
> ocontext_xen_free() (note: I realize the xen_free() one won't do
> anything except freep the ocontext_t)
>

done.

> >
> > len = buf[1];
> > - if (len != strlen(target_str)&&
> > - (!alt_target_str || len != strlen(alt_target_str))) {
> > - ERR(fp->handle, "policydb string length %zu does not match "
> > - "expected length %zu", len, strlen(target_str));
> > + if (len> 32) {
> >
>
> magic number 32?

#defined.

Thanks for your input. Below is the updated patch for libsepol.

----

libsepol/include/sepol/policydb/policydb.h | 28 ++
libsepol/src/expand.c | 85 +++++++-
libsepol/src/policydb.c | 295
+++++++++++++++++++++++------
libsepol/src/policydb_internal.h | 1
libsepol/src/private.h | 4
libsepol/src/write.c | 93 ++++++++-
6 files changed, 443 insertions(+), 63 deletions(-)

Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/libsepol/src/write.c
f7917ea9cf6af752de98a1e742152d813028c669 10-Feb-2009 Caleb Case <ccase@tresys.com> aliases for the boundry format

The boundry format mapped the primary field to a boolean in the
properties bitmap. This is appropriate for the kernel policy, but in
modular policy the primary field may be an integer that indicates the
primary type that is being aliased. In this case, the primary value cannot
be assumed to be boolean.

This patch creates a new module format that writes out the primary value
as was done before the boundry format.

Signed-off-by: Caleb Case <ccase@tresys.com>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/libsepol/src/write.c
f470207454f5f6ce539aa543e5168a07d667254b 08-Oct-2008 Joshua Brindle <method@manicmethod.com> Author: KaiGai Kohei
Email: kaigai@ak.jp.nec.com
Subject: Thread/Child-Domain Assignment (rev.6)
Date: Tue, 07 Oct 2008 15:39:45 +0900

>> Hmm....
>> It seems to me what you pointed out is a bug of my patch. It prevents to deliver
>> actual number of type/attribute symbols to policy file, but it is unclear why does
>> it makes libsepol ignore the policyvers.
>> (I guess it may be a separated matter.)
>>
>>> Rather than trying to calculate the length without attributes I just removed
>>> the attribute check. This causes attributes to be written for all versions,
>>> but this should not cause any problems at all.
>> The reason why I injected such an ad-hoc code is that we cannot decide the policy
>> version written when type_attr_remove() is invoked.
>> Is it impossible to move it to policydb_write()?
>> It is invoked after the policyvers is fixed by caller.
>
> It isn't impossible. You are going to have to make it walk to type
> symbol table to calculate the length without attributes, then write
> that length instead of the total symtab length.

The attached patch enables to fixup the number of type/attribute entries
to be written. The type_attr_uncount() decrements the number of attribute
entries skipped at type_write().

At first, I had a plan to invoke type_attr_remove() with
hashtab_map_remove_on_error(), but it means the given policydb structure
is modified at policydb_write() and implicit changes to external interface.

Differences from the previous version are here:

Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/libsepol/src/write.c
13cd4c8960688af11ad23b4c946149015c80d549 19-Aug-2008 Joshua Brindle <method@manicmethod.com> initial import from svn trunk revision 2950
/external/selinux/libsepol/src/write.c