1089665e31a647a5f0ba2eabe8ac6232b384bed9 |
|
04-May-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Add attribute expansion options

This commit adds attribute expansion statements to the policy language allowing compiler defaults to be overridden.

Always expands an attribute example:
    expandattribute { foo } true;
CIL example:
    (expandtypeattribute (foo) true)

Never expand an attribute example:
    expandattribute { bar } false;
CIL example:
    (expandtypeattribute (bar) false)

Adding the annotations directly to policy was chosen over other methods as it is consistent with how targeted runtime optimizations are specified in other languages. For example, in C the "inline" command.

Motivation

expandattribute true:
Android has been moving away from a monolithic policy binary to a two-part split policy representing the Android platform and the underlying vendor-provided hardware interface. The goal is a stable API allowing these two parts to be updated independently of each other. Attributes provide an important mechanism for compatibility. For example, when the vendor provides a HAL for the platform, permissions needed by clients of the HAL can be granted to an attribute. Clients need only be assigned the attribute and do not need to be aware of the underlying types and permissions being granted. Inheriting permissions via attribute creates a convenient mechanism for independence between vendor and platform policy, but results in the creation of many attributes, and the potential for performance issues when processes are clients of many HALs. [1] Annotating these attributes for expansion at compile time allows us to retain the compatibility benefits of using attributes without the performance costs. [2]

expandattribute false:
Commit 0be23c3f15fd added the capability to aggressively remove unused attributes. This is generally useful as too many attributes assigned to a type results in lengthy policy look up times when there is a cache miss. However, removing attributes can also result in loss of information used in external tests.

On Android, we're considering stripping neverallow rules from on-device policy. This is consistent with the kernel policy binary which also did not contain neverallows. Removing neverallow rules results in a 5-10% decrease in on-device policy build and load and a policy size decrease of ~250k. Neverallow rules are still asserted at build time and during device certification (CTS). If neverallow rules are absent when secilc is run, some attributes are being stripped from policy and neverallow tests in CTS may be violated. [3] This change retains the aggressive attribute stripping behavior but adds an override mechanism to preserve attributes marked as necessary.

[1] https://github.com/SELinuxProject/cil/issues/9
[2] Annotating all HAL client attributes for expansion resulted in system_server dropping from 19 attributes to 8. Because these attributes were not widely applied to other types, the final policy size change was negligible.
[3] data_file_type and service_manager_type are stripped from AOSP policy when using secilc's -G option. This impacts 11 neverallow tests in CTS.

Test: Build and boot Marlin with all hal_*_client attributes marked for expansion. Verify (using seinfo and sesearch) that permissions are correctly expanded from attributes to types.
Test: Mark types being stripped by secilc with "preserve" and verify that they are retained in policy and applied to the same types.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
b63eb892f93249ac217ab878c29245f2cae2dc76 |
|
11-Apr-2017 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
libsepol: cil: check cil_fill_list return value

cil_gen_default() and cil_gen_defaultrange() call cil_fill_list() without checking its return value. If it failed, propagate the return value to the caller.

This issue has been found using clang's static analyzer. It reported "warning: Value stored to 'rc' is never read" four times.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
af0ce03ec7411ebfec365e668bb4c2ca20cb8bbd |
|
22-Mar-2017 |
James Carter <jwcart2@tycho.nsa.gov> |
libsepol/cil: Add hexadecimal support for Xen ioportcon statements

Add hexadecimal support for Xen ioportcon statements which was left out of commit c408c70.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
c408c70b0ad93b16c115c2770b4c626e41bbdfef |
|
20-Mar-2017 |
James Carter <jwcart2@tycho.nsa.gov> |
libsepol/cil: Allow hexadecimal numbers in Xen context rules

Allow the use of hexadecimal numbers in iomemcon, ioportcon, and pcidevicecon statements. The use of hexadecimal numbers is often the natural choice for these rules.

A zero base is now passed to strtol() and strtoull() which will assume base 16 if the string has a prefix of "0x", base 8 if the string starts with "0", and base 10 otherwise.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c
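Base 0 is convenient, but strtol()/strtoull() with base 0 also accept input a policy compiler should not (leading whitespace, a sign, trailing characters), and they report overflow only through errno. The following is an added example, not libsepol's code: a strict number parser for iomemcon/ioportcon/pcidevicecon values that uses base 0 exactly as the two commits above describe and rejects everything that is not one non-negative number fitting the target width. The function names, the result codes and the 'bits' width parameter are my own.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Result codes for this added parser (not libsepol's own API). */
enum num_rc { NUM_OK = 0, NUM_EMPTY, NUM_SIGN, NUM_JUNK, NUM_RANGE };

/*
 * Parse one number the way the commit describes: base 0, so "0x3f8" is
 * hexadecimal, "0770" is octal and "504" is decimal.  A bare strtoull()
 * call is more permissive than a policy compiler should be, so this also
 * rejects leading whitespace and a sign (strtoull() accepts "-1" and wraps
 * it to a huge value), trailing characters ("0x3f8zz"), and values that do
 * not fit in 'bits' (e.g. 16 for a port number).
 */
enum num_rc cil_parse_number(const char *s, unsigned bits, uint64_t *out)
{
    char *end;
    uint64_t v;

    if (s == NULL || *s == '\0')
        return NUM_EMPTY;
    /* strtoull() silently skips isspace() and accepts '+' and '-'. */
    if (isspace((unsigned char)*s) || *s == '+' || *s == '-')
        return NUM_SIGN;

    errno = 0;
    v = strtoull(s, &end, 0);   /* base 0: "0x" -> 16, leading "0" -> 8, else 10 */
    if (errno == ERANGE)
        return NUM_RANGE;
    if (end == s || *end != '\0')   /* nothing consumed, or trailing junk */
        return NUM_JUNK;
    if (bits < 64 && v > ((UINT64_C(1) << bits) - 1))
        return NUM_RANGE;

    *out = v;
    return NUM_OK;
}

/* Check helper: does 's' yield result code 'rc' and, on success, value 'want'? */
int parse_is(const char *s, unsigned bits, enum num_rc rc, uint64_t want)
{
    uint64_t v = 0;
    enum num_rc got = cil_parse_number(s, bits, &v);
    return got == rc && (rc != NUM_OK || v == want);
}

int main(void)
{
    /* Constructed inputs: note that "0770" (octal) and "504" are the same value. */
    static const char *const inputs[] = { "0x3f8", "0770", "770", "504",
                                          "0x10000", "0x3f8zz", "-1", " 5" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint64_t v = 0;
        enum num_rc rc = cil_parse_number(inputs[i], 16, &v);
        printf("%-10s -> rc=%d value=0x%llx\n", inputs[i], (int)rc,
               (unsigned long long)v);
    }
    return 0;
}
```

The octal case is the one worth remembering when reviewing policy: with base 0, "0770" and "504" are the same port, and "770" is a different one.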
|
9feaf0380db5872a3120f537b0a26627d179bcec |
|
19-Feb-2017 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
libsepol/cil: do not leak left-hand side of an invalid constraint

__cil_fill_constraint_expr() does not destroy the list associated with the first operand of a two-operand operation when the second operand is invalid.

This memory leak can be reproduced with the following policy:

    (constrain (files (read)) (not (or (and (eq t1 exec_t) (%q t2 bin_t)) (eq r1 r2))))

This memory leak has been found by running clang's Address Sanitizer on a set of policies generated from secilc/test/policy.cil by American Fuzzy Lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
166b260d75b982e79f2369952d8ec16be042eda6 |
|
18-Oct-2016 |
James Carter <jwcart2@tycho.nsa.gov> |
libsepol/cil: Check that permission is not an empty list

Nicolas Iooss found while fuzzing secilc with AFL that the statement "(class C (()))" will cause a segfault.

CIL expects a list of permissions in the class declaration and "(())" is a valid list. Each item of the list is expected to be an identifier and as the list is processed each item is checked to see if it is a list. An error is given if it is a list, otherwise the item is assumed to be an identifier. Unfortunately, the check only works if the list is not empty. In this case, the item passes the check and is assumed to be an identifier and a NULL is passed as the string for name verification. If name verification assumes that a non-NULL value will be passed in, a segfault will occur.

Add a check for an empty list when processing a permission list and improve the error handling for permissions when building the AST.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
ac12826c110eae35d56ad38a93ada70aee31b4bd |
|
03-Oct-2016 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
libsepol/cil: fix memory leak in __cil_fill_expr()

__cil_fill_expr() initializes 'cil_list *sub_expr' but does not destroy it when __cil_fill_expr_helper() fails. This list is therefore leaked when __cil_fill_expr() returns.

This occurs when secilc compiles the following policy:

    (class CLASS (PERM))
    (classorder (CLASS))
    (sid SID)
    (sidorder (SID))
    (user USER)
    (role ROLE)
    (type TYPE)
    (category CAT)
    (categoryorder (CAT))
    (sensitivity SENS)
    (sensitivityorder (SENS))
    (sensitivitycategory SENS (CAT))
    (allow TYPE self (CLASS (PERM)))
    (roletype ROLE TYPE)
    (userrole USER ROLE)
    (userlevel USER (SENS))
    (userrange USER ((SENS)(SENS (CAT))))
    (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
    (categoryset cats (not (range unknown)))

This bug has been found using gcc address sanitizer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
81c9ca5f961f9da18fd71bb041e8b90469f26d82 |
|
03-Oct-2016 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
libsepol/cil: fix double-free in cil categories parser

When cil_fill_cats() fails to parse an expression and destroys a category set, it fails to reset *cats to NULL. This makes this object be destroyed again in cil_destroy_catset().

This bug can be triggered by the following policy:

    (class CLASS (PERM))
    (classorder (CLASS))
    (sid SID)
    (sidorder (SID))
    (user USER)
    (role ROLE)
    (type TYPE)
    (category CAT)
    (categoryorder (CAT))
    (sensitivity SENS)
    (sensitivityorder (SENS))
    (sensitivitycategory SENS (CAT))
    (allow TYPE self (CLASS (PERM)))
    (roletype ROLE TYPE)
    (userrole USER ROLE)
    (userlevel USER (SENS))
    (userrange USER ((SENS)(SENS (CAT))))
    (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
    (categoryset cats (range unknown))

This bug has been found by fuzzing secilc with american fuzzy lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
c303ca910add05bb5fc9f515d880b393f02d695c |
|
29-Sep-2016 |
James Carter <jwcart2@tycho.nsa.gov> |
libsepol/cil: Check for too many permissions in classes and commons

Fixes bug found by Nicolas Iooss as described below in the way suggested by Steve Lawrence.

Nicolas reported:

When compiling a CIL policy with more than 32 items in a class (e.g. in (class capability (chown ...)) with many items), cil_classorder_to_policydb() overflows perm_value_to_cil[class_index] array. As this array is allocated on the heap through calloc(PERMS_PER_CLASS+1, sizeof(...)), this makes secilc crash with the following message:

    *** Error in `/usr/bin/secilc': double free or corruption (!prev): 0x000000000062be80 ***
    ======= Backtrace: =========
    /usr/lib/libc.so.6(+0x70c4b)[0x7ffff76a7c4b]
    /usr/lib/libc.so.6(+0x76fe6)[0x7ffff76adfe6]
    /usr/lib/libc.so.6(+0x777de)[0x7ffff76ae7de]
    /lib/libsepol.so.1(+0x14fbda)[0x7ffff7b24bda]
    /lib/libsepol.so.1(+0x152db8)[0x7ffff7b27db8]
    /lib/libsepol.so.1(cil_build_policydb+0x63)[0x7ffff7af8723]
    /usr/bin/secilc[0x40273b]
    /usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7ffff7657291]
    /usr/bin/secilc[0x402f7a]

This bug has been found by fuzzing secilc with american fuzzy lop.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c
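The "(())" item that reached name verification as NULL (the empty-list commit above) and the class with more than PERMS_PER_CLASS permissions overflowing a heap array (this commit) are both failures to validate a permission list before the rest of the compiler trusts it. As an added example that is not libsepol's code, here is a small permission-list parser that rejects an empty-list item, a nested list, an invalid identifier and more than 32 names, and on any error frees its partial result while leaving the caller's pointer NULL, which is also the discipline behind the double-free fix above (cil_fill_cats() not resetting *cats). The struct, function and error names are my own, and the identifier character set is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PERMS_PER_CLASS 32   /* the per-class limit named in the report above */

struct perm_list {
    size_t n;
    char *name[PERMS_PER_CLASS];
};

enum perm_rc {
    PERM_OK = 0, PERM_NOT_LIST, PERM_EMPTY_ITEM, PERM_NESTED,
    PERM_BAD_IDENT, PERM_TOO_MANY, PERM_UNTERMINATED, PERM_NOMEM
};

/* Assumed identifier alphabet for this example. */
static int is_ident_char(int c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
}

void perm_list_destroy(struct perm_list *pl)
{
    if (pl == NULL)
        return;
    for (size_t i = 0; i < pl->n; i++)
        free(pl->name[i]);
    free(pl);
}

/*
 * Parse a CIL permission list such as "(chown dac_override)".  Every item
 * must be a non-empty identifier: a nested list "(a (b) c)" is an error, and
 * so is the empty list "(())" that used to slip through as a NULL name.  More
 * than PERMS_PER_CLASS items is an error instead of an overflow.  On any error
 * the partial list is freed and *out is left NULL, so a caller that
 * unconditionally destroys *out cannot double-free.
 */
enum perm_rc build_perm_list(const char *s, struct perm_list **out)
{
    struct perm_list *pl;
    const char *p;
    enum perm_rc rc = PERM_OK;

    *out = NULL;
    if (s == NULL || *s != '(')
        return PERM_NOT_LIST;
    pl = calloc(1, sizeof *pl);
    if (pl == NULL)
        return PERM_NOMEM;

    for (p = s + 1;;) {
        while (*p == ' ' || *p == '\t' || *p == '\n')
            p++;
        if (*p == '\0') { rc = PERM_UNTERMINATED; break; }
        if (*p == ')')  { break; }          /* end of list; "()" itself is a valid empty list */
        if (*p == '(') {                     /* the item is itself a list */
            const char *q = p + 1;
            while (*q == ' ' || *q == '\t' || *q == '\n')
                q++;
            rc = (*q == ')') ? PERM_EMPTY_ITEM : PERM_NESTED;
            break;
        }
        const char *start = p;
        while (is_ident_char((unsigned char)*p))
            p++;
        if (p == start) { rc = PERM_BAD_IDENT; break; }
        if (pl->n >= PERMS_PER_CLASS) { rc = PERM_TOO_MANY; break; }
        size_t len = (size_t)(p - start);
        char *name = malloc(len + 1);
        if (name == NULL) { rc = PERM_NOMEM; break; }
        memcpy(name, start, len);
        name[len] = '\0';
        pl->name[pl->n++] = name;
    }

    if (rc != PERM_OK) {
        perm_list_destroy(pl);   /* free the partial list; *out stays NULL */
        return rc;
    }
    *out = pl;
    return PERM_OK;
}

/* Check helper: does 's' give verdict 'want' and, on success, 'want_n' names,
 * with *out non-NULL exactly when parsing succeeded? */
int perm_check(const char *s, enum perm_rc want, size_t want_n)
{
    struct perm_list *pl = NULL;
    enum perm_rc rc = build_perm_list(s, &pl);
    int ok = rc == want && ((rc == PERM_OK) == (pl != NULL)) &&
             (rc != PERM_OK || pl->n == want_n);
    perm_list_destroy(pl);       /* safe on NULL, so the error path is exercised too */
    return ok;
}

/* Build "(p0 p1 ... p<n-1>)" (constructed input) and return the verdict. */
enum perm_rc probe_n_perms(size_t n)
{
    char buf[1024];
    size_t len = 0;
    struct perm_list *pl = NULL;
    enum perm_rc rc;

    if (n > 100)
        return PERM_TOO_MANY;
    buf[len++] = '(';
    for (size_t i = 0; i < n; i++)
        len += (size_t)snprintf(buf + len, sizeof buf - len, "p%zu ", i);
    buf[len++] = ')';
    buf[len] = '\0';
    rc = build_perm_list(buf, &pl);
    perm_list_destroy(pl);
    return rc;
}
```

The limit check sits before the allocation of the 33rd name, so the array is never indexed past PERMS_PER_CLASS-1, which is the invariant the heap corruption in the report violated.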
|
67560cc7ace8c2ba728735e839729ac97e8a51a6 |
|
05-May-2016 |
James Carter <jwcart2@tycho.nsa.gov> |
libsepol/cil: Remove path field from cil_tree_node struct

Remove path field from cil_tree_node struct and all references to it in CIL. This will reduce memory usage by 5%.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
46b3a555981927b47d6a19bd941ccd99085cce18 |
|
05-May-2016 |
James Carter <jwcart2@tycho.nsa.gov> |
libsepol/cil: Replace cil_log() calls with cil_tree_log()

Replace all calls to cil_log() that print path information with a call to cil_tree_log() which will also print information about any high-level sources.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
875a6bcbe8885c927122c6931b3a01d821e04b10 |
|
05-May-2016 |
James Carter <jwcart2@tycho.nsa.gov> |
libsepol/cil: Add high-level language line marking support

Adds support for tracking original file and line numbers for better error reporting when a high-level language is translated into CIL.

This adds a field called "hll_line" to struct cil_tree_node which increases memory usage by 5%.

Syntax:
    ;;* lm(s|x) LINENO FILENAME
    (CIL STATEMENTS)
    ;;* lme

lms is used when each of the following CIL statements corresponds to a line in the original file.
lmx is used when the following CIL statements are all expanded from a single high-level language line.
lme ends a line mark block.

Example:
    ;;* lms 1 foo.hll
    (CIL-1)
    (CIL-2)
    ;;* lme
    ;;* lmx 10 bar.hll
    (CIL-3)
    (CIL-4)
    ;;* lms 100 baz.hll
    (CIL-5)
    (CIL-6)
    ;;* lme
    (CIL-7)
    ;;* lme

    CIL-1 is from line 1 of foo.hll
    CIL-2 is from line 2 of foo.hll
    CIL-3 is from line 10 of bar.hll
    CIL-4 is from line 10 of bar.hll
    CIL-5 is from line 100 of baz.hll
    CIL-6 is from line 101 of baz.hll
    CIL-7 is from line 10 of bar.hll

Based on work originally done by Yuli Khodorkovskiy of Tresys.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c
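To check the mapping the commit message lists, here is a replay of the lms/lmx/lme rules as an added example; it is not the libsepol implementation. It treats the marks as a stack: lms gives the next statement the current line and then advances it, lmx gives every statement the same line, and lme pops back to the enclosing block. The event and struct names are mine, and because the commit's example never continues an outer lms block after a nested one, what the outer counter does there is an assumption in the code.

```c
#include <string.h>

#define MAX_DEPTH 16

enum ev_kind { EV_LMS, EV_LMX, EV_LME, EV_STMT };

/* One line of a CIL file: a line mark directive or a CIL statement. */
struct event { enum ev_kind kind; const char *file; int line; };

/* Where a CIL statement came from in the high-level language. */
struct loc { const char *file; int line; };

/* An open line mark block; per_line is 1 for lms and 0 for lmx. */
struct mark { const char *file; int line; int per_line; };

/*
 * Replay the lines and record the origin of each statement.  Returns the
 * number of statements located, or -1 for an lme with no open block, nesting
 * deeper than MAX_DEPTH, or more statements than 'max_out'.  Statements
 * outside any block get file NULL and line 0.  Assumption: an outer lms
 * block resumes counting where it left off after a nested block closes.
 */
int resolve_line_marks(const struct event *ev, int n, struct loc *out, int max_out)
{
    struct mark stack[MAX_DEPTH];
    int depth = 0, nout = 0;

    for (int i = 0; i < n; i++) {
        switch (ev[i].kind) {
        case EV_LMS:
        case EV_LMX:
            if (depth == MAX_DEPTH)
                return -1;
            stack[depth].file = ev[i].file;
            stack[depth].line = ev[i].line;
            stack[depth].per_line = (ev[i].kind == EV_LMS);
            depth++;
            break;
        case EV_LME:
            if (depth == 0)
                return -1;           /* stray lme: reject instead of underflowing */
            depth--;
            break;
        case EV_STMT:
            if (nout == max_out)
                return -1;
            if (depth == 0) {
                out[nout].file = NULL;
                out[nout].line = 0;
            } else {
                struct mark *m = &stack[depth - 1];
                out[nout].file = m->file;
                out[nout].line = m->line;
                if (m->per_line)
                    m->line++;       /* lms: the next statement is the next source line */
            }
            nout++;
            break;
        }
    }
    return nout;
}

/* The commit message's example, as constructed input. */
static const struct event example[] = {
    { EV_LMS, "foo.hll", 1 },   { EV_STMT, NULL, 0 }, { EV_STMT, NULL, 0 }, { EV_LME, NULL, 0 },
    { EV_LMX, "bar.hll", 10 },  { EV_STMT, NULL, 0 }, { EV_STMT, NULL, 0 },
    { EV_LMS, "baz.hll", 100 }, { EV_STMT, NULL, 0 }, { EV_STMT, NULL, 0 }, { EV_LME, NULL, 0 },
    { EV_STMT, NULL, 0 },       { EV_LME, NULL, 0 },
};

/* Origin line of CIL-<k> (1-based) in the example, 0 on error; file via *file. */
int example_line(int k, const char **file)
{
    struct loc out[16];
    int n = resolve_line_marks(example, (int)(sizeof example / sizeof example[0]), out, 16);
    if (k < 1 || k > n)
        return 0;
    if (file != NULL)
        *file = out[k - 1].file;
    return out[k - 1].line;
}

int example_file_is(int k, const char *name)
{
    const char *f = NULL;
    return example_line(k, &f) != 0 && f != NULL && strcmp(f, name) == 0;
}

/* A lone lme with nothing open is rejected rather than underflowing the stack. */
int stray_lme_rejected(void)
{
    static const struct event bad[] = { { EV_LME, NULL, 0 } };
    struct loc out[1];
    return resolve_line_marks(bad, 1, out, 1) == -1;
}
```

Running example_line(k, &f) for k = 1..7 reproduces the seven "CIL-k is from line N of FILE" lines in the commit message; the stray-lme case is the kind of malformed input a translator bug or a fuzzer will produce, and it is worth rejecting explicitly.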
|
3895fbbe0cf2ec52d6b6eda66084b6e9f8d88fb2 |
|
06-Apr-2016 |
Richard Haines <richard_c_haines@btinternet.com> |
selinux: Add support for portcon dccp protocol

This adds CIL and checkpolicy support for the (portcon dccp ...) statement. The kernel already handles name_bind and name_connect permissions for the dccp_socket class.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
172ce53ffa793e69632923b5323fc8c2220b3294 |
|
05-Feb-2016 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
libsepol: fix __attribute__((unused)) annotations

clang warns about variables which are used in a function body even though they were marked __attribute__((unused)). For example:

    interfaces.c:129:2: error: 'handle' was marked unused but was used [-Werror,-Wused-but-marked-unused]
            handle = NULL;
            ^
    interfaces.c:233:2: error: 'handle' was marked unused but was used [-Werror,-Wused-but-marked-unused]
            handle = NULL;
            ^

Remove these warnings either by removing meaningless assignments or by removing the attribute.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
f5602f5ff980435ee2aefed35ba643310ceeac25 |
|
01-Dec-2015 |
Steve Lawrence <slawrence@tresys.com> |
libsepol/cil: Add support for neverallowx

Add a new statement, neverallowx, which has the same syntax as allowx:

    (neverallowx foo bar (ioctl file (range 0x2000 0x20FF)))
    (allowx foo bar (ioctl file (0x20A0))) ; this fails

Much of the changes just move functions around or split functions up to ease the sharing of avrule and avrulex comparisons with neverallows. This refactoring also modifies the avrule struct to include a union of either class permission information for standard avrules or extended permission information for extended avrules, also done to support sharing code.

This also changes assertion.c and avtab.c to allow check_assertion_avtab_match to work with extended avrules.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
71dd7b71338e832da8e446d565e6cd871b8a08f6 |
|
10-Nov-2015 |
Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> |
secilc: Add support for unordered classes

Resolves https://github.com/SELinuxProject/cil/issues/3

An 'unordered' keyword provides the ability to append classes to the current list of ordered classes. This allows users to not need knowledge of existing classes when creating a class and fixes dependencies on classes when removing a module. This enables userspace object managers with custom objects to be modularized.

If a class is declared in both an unordered and ordered statement, then the ordered statement will supersede the unordered declaration.

Example usage:

    ; Appends new_class to the existing list of classes
    (class new_class ())
    (classorder (unordered new_class))

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
77779d2ca5a0c6efd113ff34cee432d5bb951f09 |
|
10-Sep-2015 |
Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> |
libsepol/cil: Add userattribute{set} functionality

This adds a userattribute statement that may be used in userroles and constraints. The syntax is the same as typeattributeset. Also, disallow roleattributes where roles are accepted in contexts.

Specify a userattribute
    (userattribute foo)

Add users to the set foo
    (userattributeset foo (u1 u2))

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
b6e519e54261d14d553a28bcd1fed88f96752c26 |
|
10-Sep-2015 |
Steve Lawrence <slawrence@tresys.com> |
libsepol/cil: fix blockinherit copying segfault and add macro restrictions

When we copy a blockinherit statement, we perform actions that assume the blockinherit statement was already resolved. However, this isn't the case if the statement was copied from a tunableif or an in-statement, since those are resolved before blockinherits and blocks. So when copying a blockinherit that hasn't been resolved, ignore the code that associates blocks with the blockinherit; that will all be handled when the copied blockinherit is actually resolved later.

Additionally, restrict block, blockabstract, and blockinherit statements from appearing in macros. These statements are all resolved before macros due to ordering issues, so they must not appear inside macros. Note that in addition to doing the checks in build_ast, they are also done in resolve_ast. This is because an in-statement could copy a block statement into a macro, which we would not know about until after the in-statement was resolved.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
ef93dfe0393c4a60483c3f7729dd98a2f886606a |
|
28-Aug-2015 |
Steve Lawrence <slawrence@tresys.com> |
libsepol/cil: add ioctl whitelist support

Add three new extended avrule statements with the following syntax:

    (allowx source_type target_type permissionx)
    (auditallowx source_type target_type permissionx)
    (dontauditx source_type target_type permissionx)

    source_type - type, typeattribute, or typealias
    target_type - type, typeattribute, typealias, or "self" keyword
    permissionx - named or anonymous permissionx statement, which has the syntax:

    (permissionx name (kind object expression))

    name - unique identifier of the permissionx statement
    kind - must be "ioctl"; could be extended in the future
    object - class or classmap
    expression - standard CIL expression containing hexadecimal values, prefixed with '0x', and the expression keywords 'or', 'xor', 'and', 'not', 'range', or 'all'. Values must be between 0x0000 and 0xFFFF. Values may also be provided in decimal, or in octal if starting with '0'.

For example:

    (allowx src_t tgt_t (ioctl cls (0x1111 0x1222 0x1333)))
    (allowx src_t tgt_t (ioctl cls (range 0x1400 0x14FF)))
    (allowx src_t tgt_t (ioctl cls (and (range 0x1600 0x19FF) (not (range 0x1750 0x175F)))))
    (permissionx ioctl_nodebug (ioctl cls (not (range 0x2010 0x2013))))
    (allowx src_t tgt_t ioctl_nodebug)

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c
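The ioctl expressions above and the neverallowx assertion from the later commit listed earlier on this page (the (neverallowx ...)/(allowx ...) pair that fails) both reduce to set operations over the 16-bit ioctl space. As an added example that is not libsepol's code, the following evaluates range/and/or/xor/not/all on a flat 65536-bit set, which is my own representation (neither commit shows libsepol's internal layout), builds the commit's (and (range 0x1600 0x19FF) (not (range 0x1750 0x175F))) expression, and reports the first ioctl that an allowx grants while a neverallowx forbids it. Function names are mine.

```c
#include <stdint.h>
#include <string.h>

#define XPERM_WORDS 1024   /* 65536 ioctl values / 64 bits per word */

/* A set of ioctl command values 0x0000..0xFFFF as a flat bitmap (assumed
 * representation for this example; not libsepol's internal layout). */
struct xperms { uint64_t w[XPERM_WORDS]; };

void xp_clear(struct xperms *x) { memset(x, 0, sizeof *x); }
void xp_all(struct xperms *x)   { memset(x, 0xff, sizeof *x); }   /* (all) */
void xp_set(struct xperms *x, unsigned v) { x->w[v >> 6] |= UINT64_C(1) << (v & 63); }
int  xp_test(const struct xperms *x, unsigned v) { return (int)((x->w[v >> 6] >> (v & 63)) & 1); }

/* (range lo hi), inclusive; rejects a range outside 0x0000..0xFFFF. */
int xp_range(struct xperms *x, unsigned lo, unsigned hi)
{
    if (lo > hi || hi > 0xFFFF)
        return -1;
    for (unsigned v = lo; v <= hi; v++)
        xp_set(x, v);
    return 0;
}

/* The expression keywords: (or a b), (and a b), (xor a b), (not a). */
void xp_or (struct xperms *d, const struct xperms *a, const struct xperms *b) { for (int i = 0; i < XPERM_WORDS; i++) d->w[i] = a->w[i] | b->w[i]; }
void xp_and(struct xperms *d, const struct xperms *a, const struct xperms *b) { for (int i = 0; i < XPERM_WORDS; i++) d->w[i] = a->w[i] & b->w[i]; }
void xp_xor(struct xperms *d, const struct xperms *a, const struct xperms *b) { for (int i = 0; i < XPERM_WORDS; i++) d->w[i] = a->w[i] ^ b->w[i]; }
void xp_not(struct xperms *d, const struct xperms *a) { for (int i = 0; i < XPERM_WORDS; i++) d->w[i] = ~a->w[i]; }

/* First ioctl present in both sets, or -1: this is the neverallowx check. */
int xp_first_conflict(const struct xperms *a, const struct xperms *b)
{
    for (int i = 0; i < XPERM_WORDS; i++) {
        uint64_t c = a->w[i] & b->w[i];
        for (unsigned bit = 0; c != 0 && bit < 64; bit++)
            if ((c >> bit) & 1)
                return i * 64 + (int)bit;
    }
    return -1;
}

/* (and (range 0x1600 0x19FF) (not (range 0x1750 0x175F))) from the commit. */
void build_commit_expression(struct xperms *out)
{
    struct xperms a, b;
    xp_clear(&a); xp_range(&a, 0x1600, 0x19FF);
    xp_clear(&b); xp_range(&b, 0x1750, 0x175F);
    xp_not(&b, &b);                 /* complement in place, word by word */
    xp_and(out, &a, &b);
}

int commit_expression_allows(unsigned v)
{
    struct xperms x;
    build_commit_expression(&x);
    return xp_test(&x, v);
}

/* The failing pair from the neverallowx commit:
 *   (neverallowx foo bar (ioctl file (range 0x2000 0x20FF)))
 *   (allowx      foo bar (ioctl file (0x20A0)))
 * Returns the ioctl that violates the assertion, or -1 if the pair is fine. */
int neverallowx_example(void)
{
    struct xperms never, allow;
    xp_clear(&never); xp_range(&never, 0x2000, 0x20FF);
    xp_clear(&allow); xp_set(&allow, 0x20A0);
    return xp_first_conflict(&allow, &never);
}

/* Does xp_range() accept this range?  Values must lie within 0x0000..0xFFFF. */
int range_accepted(unsigned lo, unsigned hi)
{
    struct xperms x;
    xp_clear(&x);
    return xp_range(&x, lo, hi) == 0;
}
```

Because (not ...) is a complement over the whole 0x0000..0xFFFF space, a rule such as the commit's ioctl_nodebug example grants every ioctl outside 0x2010..0x2013; an (and (range ...) (not ...)) form, as in the expression built above, is what keeps a whitelist bounded.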
|
d03e9373e82d143c396401adf4912ed0ea490ecf |
|
23-Mar-2015 |
Richard Haines <richard_c_haines@btinternet.com> |
libsepol: Fix building Xen policy with devicetreecon

Problems fixed:
1) Fix core dump when building CIL policy (corrupted double-linked list) by Steve Lawrence <slawrence@tresys.com>
2) Binary policy failed to read with devicetreecon statement.
3) Free path name - With a Xen policy running secilc/valgrind there are no memory errors.

Also added devicetreecon statement to CIL policy.cil and updated the CIL Reference Guide.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
f0290677091e7eee4a3724a2a86ede9e11f93802 |
|
17-Mar-2015 |
Daniel De Graaf <dgdegra@tycho.nsa.gov> |
libsepol, checkpolicy: add device tree ocontext nodes to Xen policy

In Xen on ARM, device tree nodes identified by a path (string) need to be labeled by the security policy.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
82030de5dc8d08a9417842156293c65fef9dc70c |
|
17-Mar-2015 |
Daniel De Graaf <dgdegra@tycho.nsa.gov> |
libsepol, checkpolicy: widen Xen IOMEM ocontext entries

This expands IOMEMCON device context entries to 64 bits. This change is required to support static I/O memory range labeling for systems with over 16TB of physical address space. The policy version number change is shared with the next patch.

While this makes no changes to SELinux policy, a new SELinux policy compatibility entry was added in order to avoid breaking compilation of an SELinux policy without explicitly specifying the policy version.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c
|
28ae74e112a031e1aeb22a2083568a881491b6db |
|
18-Feb-2015 |
Steve Lawrence <slawrence@tresys.com> |
Merge commit '76ba6eaa7333483a8cc0c73a7880f7acf99c2656'
|
72dc45bf5488a957d9db32531749a55fea414619 |
|
03-Dec-2014 |
Steve Lawrence <slawrence@tresys.com> |
Merge commit '80afe7b2ce0b06f93b6b3a07e58cab1aee8afc91'
|
450a3ea21694aafebb46254716c1a7aa0243c09f |
|
06-Oct-2014 |
Steve Lawrence <slawrence@tresys.com> |
Merge commit '847aa150e30e6147c28ed9807fae4dc232b5a8fe'
|
bbbd58e1252a06550810ae6f7b40b867841da918 |
|
02-Oct-2014 |
Steve Lawrence <slawrence@tresys.com> |
Merge commit 'a3abb2c05301b24ad2f8307d07734d89ddf808d8' into merge
|
bb0f8beff890195cfd459c67230c6130c86b3214 |
|
26-Aug-2014 |
Steve Lawrence <slawrence@tresys.com> |
Merge commit 'b19eafb97feb6389d78e1693f276fc5b10e25bd6' as 'libsepol/cil'
|