d7eedeb89c9d59562e9e2d82102fd4b3adba7f30 |
|
30-Jan-2016 |
William Roberts <william.c.roberts@intel.com> |
checkseapp: remove .data = NULL assignments Remove the .data=NULL assignments that were pushing the static keymap mapping horizontal. (cherry picked from commit 29adea51edfe190e29fd24397e0b8d7abbf5f5f6) Change-Id: I2e6e78930ac8d1d8b9bd61d9dedb59f4859ea13c Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/tools/check_seapp.c
|
0593e848fa77193ca281fb831ea4daa0e928f68f |
|
29-Jan-2016 |
William Roberts <william.c.roberts@intel.com> |
checkseapp: remove data types form static map Data type tracking is no longer needed now that per key validation routines are supported. (cherry picked from commit c92dae9807e890e7b8bdc8f293ef35143ad51ca5) Change-Id: I2f1d0d5b1713e0477996479b0f279a58f43f15c7 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/tools/check_seapp.c
|
7bbdaefc7fe3364e39cdc8e7d1ab52e0de92327c |
|
29-Jan-2016 |
William Roberts <william.c.roberts@intel.com> |
checkseapp: generalize input validation Input validation was hard-coded into a validation routine that would check against type and key names in a scattered, order dependent conditional code block. This makes it harder than it should be to add new key value pairs and types into checkseapp. To correct this, we add a validation callback into the static mapping. If the validation callback is set, the existing validation routine will call this for input validation. On failure, a validation specific error message is returned to be displayed. (cherry picked from commit 696a66ba202780d757bd8a2d47db72473b7d558b) Change-Id: I92cf1cdf4ddbcfae19168b621f47169a3cf551ac Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/tools/check_seapp.c
|
d5c3e5000937d0456101b18de0309223654304bc |
|
29-Jan-2016 |
William Roberts <william.c.roberts@intel.com> |
checkseapp: update error message output Change the final error message to be consistent with the others. From: Error: reading /home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts, line 82, name domain, value system_server To: Error: Reading file: "/home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts" line: 82 name: "domain" value: "system_server" (cherry picked from commit efebf97e23ce6a170fbea5f3376af0d9f0a63858) Change-Id: Idf791d28fbba95fbeed8b9ccec9a296eea33afb9 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/tools/check_seapp.c
|
ffd053ba93f2ddc0f97c8461a722035972f61f03 |
|
29-Jan-2016 |
William Roberts <william.c.roberts@intel.com> |
checkseapp: declare internal function as static (cherry picked from commit 25528cf4a5d2b037d4d51d6163bbde412b5bc33c) Change-Id: Ic4dc59650ca849b950cb145fedafdf4fc250f009 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/tools/check_seapp.c
|
400d3ac1408d34ca6ed19d7c5da65331e00edc8c |
|
30-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Add autoplay_app domain Initial check in of empty autoplay_app.te policy file. Create isAutoPlayApp input selector. Give this selector high precedence - only below isSystemServer. Add neverallow rule disallowing an app context with isAutoPlayApp=true from running in a domain other than autoplay_app. Change-Id: I1d06669d2f1acf953e50867dfa2b264ccaee29a4
/system/sepolicy/tools/check_seapp.c
|
ee9c0b5fb6d0c66756e1890711fe0afdacc7ea0c |
|
05-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Add priv_app domain to global seapp_context Assign priviliged apps not signed with the platform key to the priv_app domain. Bug: 22033466 Change-Id: Idf7fbe7adbdc326835a179b554f96951b69395bc
/system/sepolicy/tools/check_seapp.c
|
81e1f90cd13b262f9e3021f64ae3574b8f5cd5d0 |
|
04-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
check_seapp: add support for "neverallow" checks Introduce "neverallow" rules for seapp_contexts. A neverallow rule is similar to the existing key-value-pair entries but the line begins with "neverallow". A neverallow violation is detected when all keys, both inputs and outputs are matched. The neverallow rules value parameter (not the key) can contain regular expressions to assist in matching. Neverallow rules are never output to the generated seapp_contexts file. Also, unless -o is specified, checkseapp runs in silent mode and outputs nothing. Specifying - as an argument to -o outputs to stdout. Sample Output: Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app" Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/tools/check_seapp.c
|
7d65b547d3959b9f98334cf0da6afe9ab418b17a |
|
19-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
check_seapp: mac build memory leak rule_map_free() took as a parameter a boolean menu rule_map_switch that was used to determine if it should free the key pointer that is also in the table. On GLIBC variants, calls to hdestroy do not free the key pointer, on NON-GLIBC variants, it does. The original patch was meant to correct this, however, it always passes "destroy" as the rule_map_switch. On GLIBC variants this is fine, however on NON-GLIBC variants, that free was compiled out, and the free() was handled by hdestroy. In cases of failure where the rule_map was not in the htable, those key's were not properly free'd. Change-Id: Ifdf616e09862bca642a4d31bf0cb266168170e50 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/tools/check_seapp.c
|
f26b6d427cce74bf22e3a45e2fcbe3f3bab6441c |
|
23-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
drop unused option -s Change-Id: I00aa4eeaf569c8108a7b6aab190be68e53b46597 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/tools/check_seapp.c
|
8d3a1b558e02aed2269b55cb47688801e417f776 |
|
19-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
correct all error messages When an error occured it was erroneously being indicated that he file was the output file, not the input file. Before: Error: Could not find selinux type "fake_app" on line: 51 in file: out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts Error: Could not validate Error: reading out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts.tmp, line 51, name levelFrom, value user After: Error: Could not find selinux type "fake_app" on line: 51 in file: out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts.tmp Error: Could not validate Error: reading out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts.tmp, line 51, name levelFrom, value user Change-Id: Ib0e01f1f0ef563a2a150a0a3b4012e6e15d736bb Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/tools/check_seapp.c
|
773d412665d93334f19b76cda0c5e9ff836d7278 |
|
12-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
check_seapp: Correct output on duplicate entries If a duplicate entry is found, rule_map_cmp() incorrectly assumes that the lengths of the key value pairs should be equal, when this is not true. The duplicate detection is done on the input parameters, thus the lengths can be different. This resulted in a duplicate error string message of "do not match", instead of "match on all inputs". Also, the file name printed that contained the error was the output file, not the input file that contained it. Change-Id: I9b3f99fa4aa3454849de55f18b198b0b56e44320 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/tools/check_seapp.c
|
884ee2a61cc78ddaaf54b812932730045dd155c3 |
|
13-Feb-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
checkseapp, seapp_contexts: drop sebool= support. SELinux policy booleans are prohibited in AOSP, so we can drop the support for the sebool= input selector. Change-Id: I5ae31247b2f68d90f6ae4c8830458f22c4ffc854 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/tools/check_seapp.c
|
534fb0711d95615a77af23ffe643e8b720a527e6 |
|
13-Feb-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
checkseapp: Detect duplicate keys in seapp_contexts entries. Presently it ignores duplicate keys in seapp_contexts entries, e.g. if you were to specify: user=system seinfo=platform user=bluetooth domain=system_app type=system_app_data_file checkseapp would ignore the duplicate and libselinux would end up using the last value defined for the key in each line. Change-Id: I18cadb0c1bf5a907e6fc6513df65aafed91d76fe Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/tools/check_seapp.c
|
0b820042e4bb9bb93790e0cf0812fd97d15ce7a5 |
|
13-Feb-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
checkseapp: Detect duplicate entries within seapp_contexts. Presently it only detects complete duplicates if you specify -s (strict), which is not used in the external/sepolicy Makefile, and it allows overriding earlier entries that have the same input selectors (e.g. user=, seinfo=) with different values for the output selectors (e.g. domain=, type=). Thus, a device/<vendor>/<board>/sepolicy/seapp_contexts file can override the external/sepolicy definitions, and even a single seapp_contexts file can contain duplicated or conflicting definitions. Make it always check strictly, and prohibit either duplicates on the input selectors (i.e. overrides) or complete duplicates (redundant). Change-Id: Id1e38133cbe31b796253101cfe3b111d1826bc8c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/tools/check_seapp.c
|
ff4db9194e684a894939f88effc84f79f222e1c3 |
|
15-Sep-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add isOwner= input selector for seapp_contexts. Enable labeling apps differently depending on whether they are running for the primary user / owner or for a secondary user. Change-Id: I37aa5b183a7a617cce68ccf14510c31dfee4e04d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/tools/check_seapp.c
|
f4fa7567f4e3d010a3e96c22034bf19fa05d15a7 |
|
04-Apr-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Treat seinfo=default name=<anything> as an error. check_app already checks for usage of name= entries in seapp_contexts with no seinfo= specification to link it back to a signer in mac_permissions.xml. However, one can avoid this error by specifying a seinfo=default which merely matches the default stanza of mac_permissions.xml without actually ensuring that it is tied to a specific certificate. Catch that error case too. Change-Id: If33cf21501e8bfee44d31c92b6341dfa583552b2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/tools/check_seapp.c
|
6139de50fdb212d28fe406525dce5246f4a4da36 |
|
19-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add support for and use new path= specifier in seapp_contexts. Extend check_seapp to accept the use of the new path= specifier in seapp_contexts and use it to ensure proper labeling of the cache subdirectory of com.android.providers.downloads for restorecon. After this change, restorecon /data/data/com.android.providers.downloads/cache does not change the context, leaving it in download_file rather than relabeling it to platform_app_data_file. Depends on Iddaa3931cfd4ddd5b9f62cd66989e1f26553baa1. Change-Id: Ief65b8c8dcb44ec701d53e0b58c52d6688cc2a14 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/tools/check_seapp.c
|
c9bb91da5fc84bce936f0795d18bf5c36fa5db6f |
|
01-Nov-2013 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
Reintroduce -Wall -Werror to check_seapp. Also add attribute for a potential unused function argument when dealing with darwin SDK builds. Change-Id: Iefdbecb050cc5fff6036f15413566e10cefa3813
/system/sepolicy/tools/check_seapp.c
|
7b2bee99c18b8cb3f52161b1191d16b8ab50b08f |
|
31-Oct-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add sepolicy-analyze tool. And also remove the unnecessary references to libselinux for sepolicy-check, as it has no dependencies on libselinux. Also enable -Wall -Werror on building all of these tools and fix up all such errors. Usage: $ sepolicy-analyze -e -P out/target/product/<device>/root/sepolicy or $ sepolicy-analyze -d -P out/target/product/<device>/root/sepolicy The first form will display all type pairs that are "equivalent", i.e. they are identical with respect to allow rules, including indirect allow rules via attributes and default-enabled conditional rules (i.e. default boolean values yield a true conditional expression). Equivalent types are candidates for being coalesced into a single type. However, there may be legitimate reasons for them to remain separate, for example: - the types may differ in a respect not included in the current analysis, such as default-disabled conditional rules, audit-related rules (auditallow or dontaudit), default type transitions, or constraints (e.g. mls), or - the current policy may be overly permissive with respect to one or the other of the types and thus the correct action may be to tighten access to one or the other rather than coalescing them together, or - the domains that would in fact have different accesses to the types may not yet be defined or may be unconfined in the policy you are analyzing (e.g. in AOSP policy). The second form will display type pairs that differ and the first difference found between the two types. This output can be long. We have plans to explore further enhancements to this tool, including support for identifying isomorphic types. That will be required to identify similar domains since all domains differ in at least their entrypoint type and in their tmpfs type and thus will never show up as equivalent even if they are in all other respects identical to each other. Change-Id: If0ee00188469d2a1e165fdd52f235c705d22cd4e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/tools/check_seapp.c
|
610a4b1c32490ac9f6f7ca0fafba8c182a542934 |
|
16-Oct-2013 |
William Roberts <wroberts@tresys.com> |
tools: update lengths from int to size_t Change-Id: If4839218b200a0d90bdf7779d2e039719fae85a5
/system/sepolicy/tools/check_seapp.c
|
61846291746a3a3559f615ef3665312ccd2228c2 |
|
15-Oct-2013 |
William Roberts <wroberts@tresys.com> |
tools: require that seinfo and packagename be used Modify check_seapp.c to verify that a packagname (name) must be specified with a signing key (seinfo). This will help thwart spoof attacks on the packagename. Change-Id: I8f1aa8a479cb5beb5c3522d85e3181604931ea72
/system/sepolicy/tools/check_seapp.c
|
d1f1070acb4f5d29ddc6536126d6834ec418b8f1 |
|
15-Oct-2013 |
William Roberts <wroberts@tresys.com> |
tools: drop unused field in struct check_seapp at one point in time switch from a home implementation of a hash table to using GLIBC search.h routines. A struct in one of the fields was never removed during this transition. Change-Id: I65c028103ffe90fa52e0b3c9fce28124ed9c7ff9
/system/sepolicy/tools/check_seapp.c
|
632972117a754dc64102cf81154ae6aed86febf3 |
|
20-Apr-2013 |
William Roberts <w.roberts@sta.samsung.com> |
Support strict duplicate checking Change-Id: I3bb4755b86a90414a3912c8099dd7a4389249b24
/system/sepolicy/tools/check_seapp.c
|
1e8c061b053cdfd808c7a7649c78df4c33ded63d |
|
20-Apr-2013 |
William Roberts <w.roberts@sta.samsung.com> |
Fix segfault on -v with duplicates Change-Id: Ic040af5cfcd1be22074a691ecdd01e890866bc19
/system/sepolicy/tools/check_seapp.c
|
38084146e0fd665b68c8c4ff131cae9d07ef5993 |
|
28-Nov-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Generalize levelFromUid support. Introduce a levelFrom=none|app|user|all syntax for specifying per-app, per-user, or per-combination level assignment. levelFromUid=true|false remains valid syntax but is deprecated. levelFromUid=true is equivalent to levelFrom=app. Update check_seapp to accept the new syntax. Update seapp_contexts to document the new syntax and switch from levelFromUid=true to levelFrom=app. No change in behavior. Change-Id: Ibaddeed9bc3e2586d524efc2f1faa5ce65dea470 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/tools/check_seapp.c
|
fff2980a1ac2aca5966f6b54fa030309a0d98e0c |
|
27-Nov-2012 |
William Roberts <w.roberts@sta.samsung.com> |
Whitespace and doxygen fix Change-Id: I7b6ad050051854120dc8031b17da6aec0e644be3
/system/sepolicy/tools/check_seapp.c
|
cdfb06f55394d68a7df1110d83070961a2cc52aa |
|
01-Nov-2012 |
Alice Chu <alice.chu@sta.samsung.com> |
Moved Android policy tools to tools directory Change-Id: I57b0dd9f8071eae492020f410c87f465ba820711
/system/sepolicy/tools/check_seapp.c
|