f947ce012ddeda735bd402bcfe8e64e030ac9429 |
|
16-Mar-2018 |
Tri Vo <trong@android.com> |
Resolve conflicts in expandattribute.

This commit resolves conflicts in values of expandattribute statements in policy language and expandtypeattribute in CIL.

For example, these statements resolve to false in policy language:
    expandattribute hal_audio true;
    expandattribute hal_audio false;

Similarly, in CIL these also resolve to false.
    (expandtypeattribute (hal_audio) true)
    (expandtypeattribute (hal_audio) false)

A warning will be issued on this conflict.

Motivation
When Android combines multiple .cil files from system.img and vendor.img it's possible to have conflicting expandattribute statements.

This change deals with this scenario by resolving the value of the corresponding expandtypeattribute to false. The rationale behind this override is that true is used to reduce run-time lookups, while false is used for tests which must pass.

Signed-off-by: Tri Vo <trong@android.com>
Acked-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
Bug: 72757373
Test: build and run aosp_taimen-userdebugaa
Change-Id: I4c9c36006db61c95da2c94eec33fb4d526b74243
(cherry picked from commit ea8d689b533ac498c8ab37bca04aaf4f81e2ee71)
/external/selinux/checkpolicy/policy_define.c
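The resolution rule this commit message describes, as an added C example (not code from checkpolicy or libsepol): it merges expandtypeattribute statements from two constructed CIL fragments standing in for system.img and vendor.img policy. The table type, the function names and the hal_camera_client attribute are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy model for illustration; these names are hypothetical, not libsepol's. */
#define MAX_ATTRS 32

struct expand_table {
	struct { char name[64]; int value; } e[MAX_ATTRS];
	int n;
	int warnings;	/* number of conflicts reported */
};

/* Resolved value: 1 = true, 0 = false, -1 = no statement seen. */
static int expand_get(const struct expand_table *t, const char *name)
{
	for (int i = 0; i < t->n; i++)
		if (strcmp(t->e[i].name, name) == 0)
			return t->e[i].value;
	return -1;
}

/* Record one statement. A conflict resolves to false and stays false,
 * whichever order the statements arrive in. */
static int expand_set(struct expand_table *t, const char *name, int value)
{
	for (int i = 0; i < t->n; i++) {
		if (strcmp(t->e[i].name, name) != 0)
			continue;
		if (t->e[i].value != value) {
			fprintf(stderr, "warning: conflicting expand values for %s, using false\n", name);
			t->warnings++;
			t->e[i].value = 0;
		}
		return 0;
	}
	if (t->n == MAX_ATTRS || strlen(name) >= sizeof t->e[0].name)
		return -1;
	strcpy(t->e[t->n].name, name);
	t->e[t->n++].value = value;
	return 0;
}

/* Scan CIL text line by line for (expandtypeattribute (a b ...) true|false).
 * Other statements are skipped. Returns 0 on success, -1 on bad input. */
static int load_cil(struct expand_table *t, const char *text)
{
	char line[256], names[128], val[8];

	while (*text) {
		size_t len = strcspn(text, "\n");
		int value;

		if (len >= sizeof line)
			return -1;
		memcpy(line, text, len);
		line[len] = '\0';
		text += len;
		if (*text == '\n')
			text++;
		if (sscanf(line, " (expandtypeattribute (%127[^)]) %7[a-z]", names, val) != 2)
			continue;	/* not an expandtypeattribute statement */
		if (strcmp(val, "true") == 0)
			value = 1;
		else if (strcmp(val, "false") == 0)
			value = 0;
		else
			return -1;
		for (char *n = strtok(names, " "); n; n = strtok(NULL, " "))
			if (expand_set(t, n, value) < 0)
				return -1;
	}
	return 0;
}

int main(void)
{
	/* Constructed fragments standing in for system.img and vendor.img policy. */
	static const char system_cil[] =
		"(expandtypeattribute (hal_audio) true)\n"
		"(expandtypeattribute (hal_camera_client) true)\n";
	static const char vendor_cil[] =
		"(typeattribute hal_audio)\n"
		"(expandtypeattribute (hal_audio) false)\n";
	struct expand_table t;

	memset(&t, 0, sizeof t);
	if (load_cil(&t, system_cil) || load_cil(&t, vendor_cil))
		return 1;
	printf("hal_audio=%d hal_camera_client=%d warnings=%d\n",
	       expand_get(&t, "hal_audio"), expand_get(&t, "hal_camera_client"),
	       t.warnings);
	return 0;
}
```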
|
53bb2a11c23b774f096701bab759c6ab9ec52ea1 |
|
17-Aug-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
checkpolicy,libselinux,libsepol,policycoreutils: Update my email address Update my email address since epoch.ncsc.mil no longer exists. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/policy_define.c
|
5bc05dd2a52755b1f9d16fc12fea74e54c71bf5b |
|
22-May-2017 |
Daniel Jurgens <danielj@mellanox.com> |
checkpolicy: Add support for ibendportcon labels Add checkpolicy support for scanning and parsing ibendportcon labels. Also create a new ocontext for IB end ports. Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
/external/selinux/checkpolicy/policy_define.c
|
5b203145fd7a8f4df8cfa1c4d7381d1d0a001f6e |
|
22-May-2017 |
Daniel Jurgens <danielj@mellanox.com> |
checkpolicy: Add support for ibpkeycon labels Add checkpolicy support for scanning and parsing ibpkeycon labels. Also create a new ocontext for Infiniband Pkeys and define a new policydb version for infiniband support. Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
/external/selinux/checkpolicy/policy_define.c
|
c3118041df74124c5b8b8d769354bb0ca4c5ac19 |
|
10-May-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
checkpolicy,libsepol: drop unnecessary usage of s6_addr32 s6_addr32 is not portable; use s6_addr instead. This obviates the need for #ifdef __APPLE__ conditionals in these cases. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/policy_define.c
|
1089665e31a647a5f0ba2eabe8ac6232b384bed9 |
|
04-May-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Add attribute expansion options

This commit adds attribute expansion statements to the policy language allowing compiler defaults to be overridden.

Always expands an attribute example:
    expandattribute { foo } true;
CIL example:
    (expandtypeattribute (foo) true)

Never expand an attribute example:
    expandattribute { bar } false;
CIL example:
    (expandtypeattribute (bar) false)

Adding the annotations directly to policy was chosen over other methods as it is consistent with how targeted runtime optimizations are specified in other languages. For example, in C the "inline" command.

Motivation

expandattribute true:
Android has been moving away from a monolithic policy binary to a two part split policy representing the Android platform and the underlying vendor-provided hardware interface. The goal is a stable API allowing these two parts to be updated independently of each other. Attributes provide an important mechanism for compatibility. For example, when the vendor provides a HAL for the platform, permissions needed by clients of the HAL can be granted to an attribute. Clients need only be assigned the attribute and do not need to be aware of the underlying types and permissions being granted.

Inheriting permissions via attribute creates a convenient mechanism for independence between vendor and platform policy, but results in the creation of many attributes, and the potential for performance issues when processes are clients of many HALs. [1] Annotating these attributes for expansion at compile time allows us to retain the compatibility benefits of using attributes without the performance costs. [2]

expandattribute false:
Commit 0be23c3f15fd added the capability to aggressively remove unused attributes. This is generally useful as too many attributes assigned to a type results in lengthy policy look up times when there is a cache miss. However, removing attributes can also result in loss of information used in external tests.

On Android, we're considering stripping neverallow rules from on-device policy. This is consistent with the kernel policy binary which also did not contain neverallows. Removing neverallow rules results in a 5-10% decrease in on-device policy build and load and a policy size decrease of ~250k. Neverallow rules are still asserted at build time and during device certification (CTS). If neverallow rules are absent when secilc is run, some attributes are being stripped from policy and neverallow tests in CTS may be violated. [3] This change retains the aggressive attribute stripping behavior but adds an override mechanism to preserve attributes marked as necessary.

[1] https://github.com/SELinuxProject/cil/issues/9
[2] Annotating all HAL client attributes for expansion resulted in system_server's dropping from 19 attributes to 8. Because these attributes were not widely applied to other types, the final policy size change was negligible.
[3] data_file_type and service_manager_type are stripped from AOSP policy when using secilc's -G option. This impacts 11 neverallow tests in CTS.

Test: Build and boot Marlin with all hal_*_client attributes marked for expansion. Verify (using seinfo and sesearch) that permissions are correctly expanded from attributes to types.
Test: Mark types being stripped by secilc with "preserve" and verify that they are retained in policy and applied to the same types.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
/external/selinux/checkpolicy/policy_define.c
|
9087bb9c5a7bb89553b3e9c67346a60c08ac429f |
|
17-Mar-2017 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: dereference rangehead after checking it was not NULL Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/external/selinux/checkpolicy/policy_define.c
|
7da9bc00f26dc06ad3072de22563472220cdfa9f |
|
21-Jan-2017 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: do not leak memory when a class is not found in an avrule

While checkmodule tries to compile the following policy file and fails because class "process" is not found, it does not free some allocated memory:

    module ckpol_leaktest 1.0.0;
    require {type TYPE1;}
    allow TYPE1 self:process fork;

clang memory sanitizer output is:

    =================================================================
    ==16050==ERROR: LeakSanitizer: detected memory leaks

    Direct leak of 136 byte(s) in 1 object(s) allocated from:
        #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
        #1 0x41a620 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2450:24
        #2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
        #3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
        #4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
        #5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

    Direct leak of 8 byte(s) in 1 object(s) allocated from:
        #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
        #1 0x411c87 in insert_id /usr/src/selinux/checkpolicy/policy_define.c:120:18

    Indirect leak of 24 byte(s) in 1 object(s) allocated from:
        #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
        #1 0x43133c in ebitmap_set_bit /usr/src/selinux/libsepol/src/ebitmap.c:321:27

    Indirect leak of 18 byte(s) in 1 object(s) allocated from:
        #0 0x7f8bd80b5eb0 in __interceptor___strdup (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0x84eb0)
        #1 0x41a6e5 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2460:28
        #2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
        #3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
        #4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
        #5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

    SUMMARY: AddressSanitizer: 186 byte(s) leaked in 4 allocation(s).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/external/selinux/checkpolicy/policy_define.c
|
42658e729f56481dabc7c9c98f9c1580763a8c75 |
|
21-Jan-2017 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: add a missing free(id) in define_roleattribute() Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/external/selinux/checkpolicy/policy_define.c
|
0a0d05528349ae5b13fe21a9a3bfd9ea147fa128 |
|
21-Jan-2017 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: fix memory leaks in define_filename_trans() When parsing type_transition statements with names, the memory allocated by the type set bitmaps of variable stypes and ttypes was never freed. Call type_set_destroy() to free this memory and, while at it, make the function exit without leaking memory when exiting with an error. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/external/selinux/checkpolicy/policy_define.c
|
aa1a8a3c84d9c04fcf0b53b1bfdbefa502cc22f1 |
|
21-Jan-2017 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: always free id in define_type() In function define_type(), some error conditions between "id = queue_remove(id_queue)" and "get_local_type(id, attr->s.value, 1)" returned without freeing id. Fix these memory leaks. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/external/selinux/checkpolicy/policy_define.c
|
908898846af20acf3940f2b2c2a8865a1645a93b |
|
13-Jan-2017 |
Nick Kralevich <nnk@google.com> |
policy_define.c: don't free memory returned from queue_head()

Unlike queue_remove(), queue_head() does not modify the queue, but rather, returns a pointer to an element within the queue. Freeing the memory associated with a value returned from that function corrupts subsequent users of the queue, who may try to reference this now-deallocated memory.

This causes the following policy generation errors on Android:

    FAILED: out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil
    /bin/bash -c "out/host/linux-x86/bin/checkpolicy -M -C -c 30 -o out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy.conf"
    system/sepolicy/public/app.te:241:ERROR 'only ioctl extended permissions are supported' at token ';' on line 6784:
    #line 241
    } };
    checkpolicy: error(s) encountered while parsing configuration

because the value of "id" in:

    id = queue_remove(id_queue);
    if (strcmp(id,"ioctl") == 0) {
        ...
    } else {
        yyerror("only ioctl extended permissions are supported");
        ...
    }

is now garbage.

This is a partial revert of the following commit:

    c1ba8311 checkpolicy: free id where it was leaked

Signed-off-by: Nick Kralevich <nnk@google.com>
/external/selinux/checkpolicy/policy_define.c
|
d7b0941eed3e9f4cee800eff064c9a10e038a0d7 |
|
26-Dec-2016 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: fix memory usage in define_bool_tunable() In an error path of define_bool_tunable(), variable id is freed after being used by a successful call to declare_symbol(). This may cause trouble as this pointer may have been used as-is in the policy symtab hash table. Moreover bool_value is never freed after being used. Fix this memory leak too. This leak has been detected with gcc Address Sanitizer. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/external/selinux/checkpolicy/policy_define.c
|
c1ba831122be62199d98c50157b5cd5dddbcc471 |
|
26-Dec-2016 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: free id where it was leaked Several functions in policy_define.c do not free id after handling it. Add the missing free(id) statements. The places where free(id) was missing were found both with gcc Address Sanitizer and manual code inspection. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/external/selinux/checkpolicy/policy_define.c
|
6ef96094d3a29679478c7ad512720d22f760992e |
|
26-Dec-2016 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: fix memory leaks in genfscon statements parsing When parsing several genfscon statements for the same filesystem, the content of local variable "fstype" is never freed. Moreover variable "type" is never freed when define_genfs_context_helper() succeeds. Fix these leaks by calling free() appropriately. These leaks have been detected with gcc Address Sanitizer. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/external/selinux/checkpolicy/policy_define.c
|
da002468279be1ce3f5ec3e9ef6e694208f85907 |
|
26-Dec-2016 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: free id in define_port_context() Variable id is almost never freed in define_port_context(). This leak has been detected with gcc Address Sanitizer. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/checkpolicy/policy_define.c
|
8fdb2255215a1f1488b613737b5fbffb873d8376 |
|
23-Nov-2016 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsepol,checkpolicy: convert rangetrans and filenametrans to hashtabs

range transition and name-based type transition rules were originally simple unordered lists. They were converted to hashtabs in the kernel by commit 2f3e82d694d3d7a2db019db1bb63385fbc1066f3 ("selinux: convert range transition list to a hashtab") and by commit 2463c26d50adc282d19317013ba0ff473823ca47 ("SELinux: put name based create rules in a hashtable"), but left unchanged in libsepol and checkpolicy. Convert libsepol and checkpolicy to use the same hashtabs as the kernel for the range transitions and name-based type transitions.

With this change and the preceding one, it is possible to directly compare a policy file generated by libsepol/checkpolicy and the kernel-generated /sys/fs/selinux/policy pseudo file after normalizing them both through checkpolicy. To do so, you can run the following sequence of commands:

    checkpolicy -M -b /etc/selinux/targeted/policy/policy.30 -o policy.1
    checkpolicy -M -b /sys/fs/selinux/policy -o policy.2
    cmp policy.1 policy.2

Normalizing the two files via checkpolicy is still necessary to ensure consistent ordering of the avtab entries. There may still be potential for other areas of difference, e.g. xperms entries may lack a well-defined order.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/policy_define.c
|
49bfee8562b778129cb989bdf9014045e39b0916 |
|
18-Nov-2016 |
Stephen Smalley <sds@tycho.nsa.gov> |
checkpolicy: treat -self as an error checkpolicy wrongly handles "-self". At the least, it should handle it as an error. At best, it should support it correctly (which would involve libsepol support as well). At present, it looks like it will end up negating (-) the next type/attribute in the list after self, or if there are no entries after self, ignoring it entirely. This originally was raised by the Android team, which wanted to support something like the following: neverallow domain { domain -self }:dir search; to prohibit cross domain access to some resource but allow access within the same domain. This change just makes it a fatal error during compilation. Implementing real support for -self is left as future work. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/policy_define.c
|
112f86d4899dd467454ead0069c1530603a3ebea |
|
27-Aug-2016 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: add types associated to a role in the current scope when parsing

This fixes most of the errors reported in "make -C libsepol test":

    ./libsepol-tests

        CUnit - A unit testing framework for C - Version 2.1-3
        http://cunit.sourceforge.net/

    Suite: cond
      Test: cond_expr_equal ...passed
    Suite: linker
      Test: linker_indexes ...passed
      Test: linker_types ...passed
      Test: linker_roles ...
    role o1_b_role_1 has 0 types, 1 expected
    role o1_b_role_1 has 0 types, 1 expected
    role o1_m1_role_1 has 0 types, 1 expected
    sym g_b_role_2 has 1 decls, 2 expected
    Role o1_b_role_2 had type o1_b_type_1 not in types array
    role o1_b_role_2 has 0 types, 1 expected
    Role g_b_role_4 had type g_m1_type_2 not in types array
    role g_b_role_4 has 0 types, 1 expected
    role o3_b_role_1 has 0 types, 1 expected
    role o3_b_role_1 has 0 types, 1 expected
    role o4_b_role_1 has 0 types, 1 expected
    Role o4_b_role_1 had type g_m1_type_1 not in types array
    FAILED
        1. test-common.c:216 - found == len
        2. test-common.c:216 - found == len
        3. test-common.c:216 - found == len
        4. test-common.c:43 - scope->decl_ids_len == len
        5. test-common.c:52 - found == 1
        6. test-common.c:213 - new == 1
        7. test-common.c:216 - found == len
        8. test-common.c:213 - new == 1
        9. test-common.c:216 - found == len
        10. test-common.c:216 - found == len
        11. test-common.c:216 - found == len
        12. test-common.c:216 - found == len
        13. test-common.c:213 - new == 1
      Test: linker_cond ...passed
    Suite: expander
      Test: expander_indexes ...passed
      Test: expander_attr_mapping ...passed
      Test: expander_role_mapping ...passed
      Test: expander_user_mapping ...passed
      Test: expander_alias ...passed
    Suite: deps
      Test: deps_modreq_global ...passed
      Test: deps_modreq_opt ...passed
    Suite: downgrade
      Test: downgrade ...passed

    Run Summary:    Type  Total    Ran Passed Failed Inactive
                  suites      5      5    n/a      0        0
                   tests     13     13     12      1        0
                 asserts   1269   1269   1256     13      n/a

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/external/selinux/checkpolicy/policy_define.c
|
bedef7d12493e5785537c1f8e46ce32c3e34bf32 |
|
03-May-2016 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsepol,checkpolicy,secilc: Replace #ifdef DARWIN with __APPLE__. As per discussion in https://android-review.googlesource.com/#/c/221980, we should be using #ifdef __APPLE__ rather than our own custom-defined DARWIN for building on MacOS X. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/policy_define.c
|
aac9360581ba8894ac90d88e094dabca510f8266 |
|
24-Apr-2016 |
Richard Haines <richard_c_haines@btinternet.com> |
selinux: Build policy on systems not supporting DCCP protocol Commit 3895fbbe0cf2ec52d6b6eda66084b6e9f8d88fb2 ("selinux: Add support for portcon dccp protocol") added support for the (portcon dccp ..) statement. This fix will allow policy to be built on platforms (see [1]) that do not have DCCP support by defining the IANA assigned IP Protocol Number 33 to IPPROTO_DCCP. [1] https://android-review.googlesource.com/#/c/219568/ Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
/external/selinux/checkpolicy/policy_define.c
|
3895fbbe0cf2ec52d6b6eda66084b6e9f8d88fb2 |
|
06-Apr-2016 |
Richard Haines <richard_c_haines@btinternet.com> |
selinux: Add support for portcon dccp protocol This adds CIL and checkpolicy support for the (portcon dccp ...) statement. The kernel already handles name_bind and name_connect permissions for the dccp_socket class. Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/checkpolicy/policy_define.c
|
99fc177b5af4e1e8855d42d2d01cb93ac7f9d14b |
|
18-Sep-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Add neverallow support for ioctl extended permissions

Neverallow rules for ioctl extended permissions will pass in two cases:
1. If extended permissions exist for the source-target-class set the test will pass if the neverallow values are excluded.
2. If extended permissions do not exist for the source-target-class set the test will pass if the ioctl permission is not granted.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/policy_define.c
|
a3691b87be42006bb8211082762cddc10c94e05e |
|
31-Jul-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
checkpolicy: fix double free on name-based type transitions checkpolicy was directly assigning type sets rather than using type_set_cpy() and therefore creating pointer aliases to the same type set from multiple filename-based type transition rules if they specified multiple classes. This would then yield a double free when destroying the rules afterward and a segmentation fault. Fix it to use type_set_cpy(). Reported-by: William C Roberts <william.c.roberts@intel.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/policy_define.c
|
915fa8f08f4f9a4c437ee8280a4e641872ea59dd |
|
12-Jun-2015 |
Jeff Vander Stoep <jeffv@google.com> |
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
/external/selinux/checkpolicy/policy_define.c
|
de0a3bd18d41b5e392833db9abcaa68342f0b54a |
|
13-Jun-2015 |
Nick Kralevich <nnk@google.com> |
policy_define.c: fix compiler warnings

Fixes compiler warnings all similar to the following:

    host C: checkpolicy <= external/selinux/checkpolicy/policy_define.c
    external/selinux/checkpolicy/policy_define.c:1572:2: warning: comparison of integers of different signs: 'int' and 'uint32_t' (aka 'unsigned int') [-Wsign-compare]
    ebitmap_for_each_bit(&tclasses, node, i) {
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    external/selinux/checkpolicy/../libsepol/include/sepol/policydb/ebitmap.h:76:39: note: expanded from macro 'ebitmap_for_each_bit'
    for (bit = ebitmap_start(e, &n); bit < ebitmap_length(e); bit = ebitmap_next(&n, bit)) \
    ^ ~~~~~~~~~~~~~~~~~

Signed-off-by: Nick Kralevich <nnk@google.com>
/external/selinux/checkpolicy/policy_define.c
|
80bc7ee8faaddfa7a650994fa82a57f41a9e7475 |
|
22-Apr-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Add support for ioctl command whitelisting

Adds support for new policy statements whitelisting individual ioctl commands. Ioctls provide many of the operations necessary for driver control. The typical driver supports a device specific set of operations accessible by the ioctl system call and specified by the command argument. SELinux provides per operation access control to many system operations e.g. chown, kill, setuid, ipc_lock, etc. Ioctls on the other hand are granted on a per file descriptor basis using the ioctl permission, meaning that the set of operations provided by the driver are granted on an all-or-nothing basis. In some cases this may be acceptable, but often the same driver provides a large and diverse set of operations such as benign and necessary functionality as well as dangerous capabilities or access to system information that should be restricted.

Example policy:
    allow <source> <target>:<class> { 0x8900-0x8905 0x8910 }
    auditallow <source> <target>:<class> 0x8901

The ioctl permission is still required in order to make an ioctl call. If no individual ioctl commands are specified, only the ioctl permission is checked by the kernel - i.e. status quo. This allows ioctl whitelisting to be done in a targeted manner, protecting desired drivers without requiring every ioctl command to be known and specified before use and otherwise allowing existing policy to be used as-is.

This only implements ioctl whitelisting support for monolithic kernel policies built via checkpolicy. Support for modules and CIL remains to be done.

Bug: 19419509
Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/policy_define.c
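The decision logic described in this commit message, together with the two neverallow cases from the 18-Sep-2015 commit listed earlier, as an added C example (not code from checkpolicy, libsepol or the kernel). The struct, the function names and the 16-bit command space are assumptions of this toy model; the command values are the ones from the example policy above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model for illustration; these types and names are hypothetical and
 * are not libsepol's. Commands are modelled as 16-bit values (assumption). */
#define XPERM_WORDS (0x10000 / 32)

struct xperm_rule {
	int ioctl_perm;			/* the plain "ioctl" permission is granted */
	int has_xperms;			/* a command list exists for this source/target/class */
	uint32_t cmds[XPERM_WORDS];	/* one bit per listed command */
};

/* Parse a command set such as "{ 0x8900-0x8905 0x8910 }" or "0x8901".
 * Returns 0 on success, -1 on malformed input (discard the rule then). */
static int parse_cmd_set(const char *spec, struct xperm_rule *r)
{
	const char *p = spec;
	int seen = 0;

	while (*p) {
		char *end;
		unsigned long lo, hi, c;

		if (*p == ' ' || *p == '\t' || *p == '{' || *p == '}') {
			p++;
			continue;
		}
		lo = hi = strtoul(p, &end, 0);
		if (end == p)
			return -1;
		if (*end == '-') {		/* range "low-high" */
			const char *q = end + 1;

			hi = strtoul(q, &end, 0);
			if (end == q)
				return -1;
		}
		if (lo > hi || hi > 0xffff)
			return -1;
		for (c = lo; c <= hi; c++)
			r->cmds[c / 32] |= (uint32_t)1 << (c % 32);
		seen = 1;
		p = end;
	}
	if (!seen)
		return -1;
	r->has_xperms = 1;
	return 0;
}

/* Runtime decision for one ioctl call. */
static int ioctl_allowed(const struct xperm_rule *r, uint16_t cmd)
{
	if (!r->ioctl_perm)
		return 0;	/* the ioctl permission is still required */
	if (!r->has_xperms)
		return 1;	/* no commands listed: only the permission is checked */
	return (r->cmds[cmd / 32] >> (cmd % 32)) & 1;
}

/* Build-time neverallow check; returns 1 when the assertion holds. */
static int neverallow_ioctl_passes(const struct xperm_rule *allow,
				   const struct xperm_rule *never)
{
	size_t i;

	if (!allow->has_xperms)		/* case 2: no command list */
		return !allow->ioctl_perm;
	for (i = 0; i < XPERM_WORDS; i++)	/* case 1: lists must not overlap */
		if (allow->cmds[i] & never->cmds[i])
			return 0;
	return 1;
}

int main(void)
{
	static struct xperm_rule allow, never;	/* zero-initialised */

	allow.ioctl_perm = 1;
	printf("no list, 0x8999 allowed: %d\n", ioctl_allowed(&allow, 0x8999));
	if (parse_cmd_set("{ 0x8900-0x8905 0x8910 }", &allow) ||
	    parse_cmd_set("0x8901", &never))
		return 1;
	printf("0x8903 allowed: %d, 0x8906 allowed: %d\n",
	       ioctl_allowed(&allow, 0x8903), ioctl_allowed(&allow, 0x8906));
	printf("neverallow on 0x8901 holds: %d\n",
	       neverallow_ioctl_passes(&allow, &never));
	return 0;
}
```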
|
f0290677091e7eee4a3724a2a86ede9e11f93802 |
|
17-Mar-2015 |
Daniel De Graaf <dgdegra@tycho.nsa.gov> |
libsepol, checkpolicy: add device tree ocontext nodes to Xen policy In Xen on ARM, device tree nodes identified by a path (string) need to be labeled by the security policy. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
/external/selinux/checkpolicy/policy_define.c
|
82030de5dc8d08a9417842156293c65fef9dc70c |
|
17-Mar-2015 |
Daniel De Graaf <dgdegra@tycho.nsa.gov> |
libsepol, checkpolicy: widen Xen IOMEM ocontext entries This expands IOMEMCON device context entries to 64 bits. This change is required to support static I/O memory range labeling for systems with over 16TB of physical address space. The policy version number change is shared with the next patch. While this makes no changes to SELinux policy, a new SELinux policy compatibility entry was added in order to avoid breaking compilation of an SELinux policy without explicitly specifying the policy version. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
/external/selinux/checkpolicy/policy_define.c
|
ed7a6ba24ad3241e696fa7bc9bb56bb4f373147b |
|
16-Dec-2014 |
dcashman <dcashman@google.com> |
Allow libsepol C++ static library on device. Change-Id: I7da601767c3a4ebed7274e33304d8b589a9115fe Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/policy_define.c
|
5af8c5adb274cc45d3a41ce9b1ab2c7573463d74 |
|
14-Sep-2014 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: fix gcc -Wunused-variable warnings Add __attribute__ ((unused)) to unused function parameters. Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/policy_define.c
|
7dcb7a594698124940d148f00f85be90c6757d7f |
|
14-Sep-2014 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: fix most gcc -Wwrite-strings warnings Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/policy_define.c
|
581d3eb1281f7c970376649f5027df012269935a |
|
14-Sep-2014 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: fix gcc -Wsign-compare warnings Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/policy_define.c
|
832e7017f881f0a66e24170b7a2ff1cd9b113239 |
|
14-Sep-2014 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: constify the message written by yyerror and yywarn Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/policy_define.c
|
8db96d0cb4feb1323488a5e04a3d4623ba22ffce |
|
14-Sep-2014 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: add printf format attribute to relevant functions Once __attribute__ ((format(printf, 1, 2))) is added to yyerror2, "gcc -Wformat -Wformat-security" shows some issues. Fix them. Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/policy_define.c
|
e91b5d2ad050043519f6d8a95e4102f93458269b |
|
11-Mar-2014 |
Nick Kralevich <nnk@google.com> |
Maybe fix darwin compile error.

    external/checkpolicy/policy_define.c:63: error: 'PATH_MAX' undeclared here (not in a function)
    [deleted]
    make: *** [out/host/darwin-x86/obj/EXECUTABLES/checkpolicy_intermediates/policy_define.o] Error 1
    make: *** Waiting for unfinished jobs....

Change-Id: If3795c7e62ed0d685ad07047f46014f77b87b4a8
/external/selinux/checkpolicy/policy_define.c
|
0e00684f695ea503ef06ff52861d7772acf9ef40 |
|
05-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Report source file and line information for neverallow failures. Change-Id: I0def97a5f2f6097e2dad7bcd5395b8fa740d7073 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/policy_define.c
|
ab995a59b2a91750a47920d9fe2cecc5bbb61b03 |
|
09-Jan-2013 |
Alice Chu <alice.chu@sta.samsung.com> |
checkpolicy: Free allocated memory when clean up / exit. A number of error paths and failures do not clean up memory. Try to make it better. Signed-off-by: Eric Paris <eparis@redhat.com>
/external/selinux/checkpolicy/policy_define.c
|
693f5241fdd5ae7e89d4312b85443c0fc1b1a57d |
|
18-Dec-2012 |
Eric Paris <eparis@redhat.com> |
checkpolicy: libsepol: implement default type policy syntax We currently have a mechanism in which the default user, role, and range can be picked up from the source or the target object. This implements the same thing for types. The kernel will override this with type transition rules and similar. This is just the default if nothing specific is given. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/checkpolicy/policy_define.c
|
c27a54775d42025e2249c8ee5e3a56ca38859661 |
|
29-Nov-2012 |
Dan Walsh <dwalsh@redhat.com> |
checkpolicy: Fix errors found by coverity Couple of memory leaks and a couple of dead code spots. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/checkpolicy/policy_define.c
|
873c1766510f82481beb83a07fdf03235d4f4dfe |
|
03-Jul-2012 |
Eric Paris <eparis@redhat.com> |
checkpolicy: check return code on ebitmap_set_bit This can fail due to ENOMEM. Check the return code and return an error if necessary. Signed-off-by: Eric Paris <eparis@redhat.com>
/external/selinux/checkpolicy/policy_define.c
|
da752cabb5b25974ef6b45274a59344d594a2130 |
|
23-Feb-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
checkpolicy: Android/MacOS X build support Android/MacOS X build support for checkpolicy. Create a Android.mk file for Android build integration. Introduce DARWIN ifdefs for building on MacOS X. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/checkpolicy/policy_define.c
|
09c783c9a36cd47216df827c5d2c21ec8cd613e2 |
|
05-Dec-2011 |
Eric Paris <eparis@redhat.com> |
libsepol: checkpolicy: implement new default labeling behaviors We would like to be able to say that the user, role, or range of a newly created object should be based on the user, role, or range of either the source or the target of the creation operation. aka, for a new file this could be the user of the creating process or the user of the parent directory. This patch implements the new language and the policydb support to give this information to the kernel. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/checkpolicy/policy_define.c
|
b39e8cab3c8d635a0fd0c3f67e6ecd0b0aff71f9 |
|
05-Dec-2011 |
Eric Paris <eparis@redhat.com> |
checkpolicy: add new helper to translate class sets into bitmaps We use the exact same logic in a bunch of places in policy_define.c to translate a class set into a bitmap. Make this into a helper function. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/checkpolicy/policy_define.c
|
80f26c5ee865993264ef638480c6a05ab574f7c0 |
|
01-Sep-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
checkpolicy: Separate tunable from boolean during compile. Both boolean and tunable keywords are processed by define_bool_tunable(), argument 0 and 1 would be passed for boolean and tunable respectively. For tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags. Note, when creating an if-else conditional we cannot know if the tunable identifier is indeed a tunable (for example, a boolean may be misused in tunable_policy() or vice versa), thus the TUNABLE flag for cond_node_t would be calculated and used in expansion when all booleans/tunables copied during link. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/checkpolicy/policy_define.c
|
c3f5d75c3234ea2b03c7eba9eb18b550efcc1605 |
|
25-Jul-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
Support adding one role attribute into another. When the link process is completed, the types type_set_t and roles ebitmap in a role attribute are settled, then we could go on to scan all role attributes in the base->p_roles.table checking if any non-zero bit in its roles ebitmap is indeed another role attribute. If this is the case, then we need to escalate the roles ebitmap of the sub role attribute into that of the parent, and remove the sub role attribute from parent's roles ebitmap. Since sub-attribute's roles ebitmap may further contain other role attributes, we need to re-scan the updated parent's roles ebitmap. Also if a loop dependency is detected, no escalation of sub-attribute's roles ebitmap is needed. Note, although in the link stage all role identifiers defined in any block/decl of any module would be copied into the base->p_roles.table, the role-attribute relationships could still be recorded in the decl's local symtab[SYM_ROLES] table(see get_local_role()), so before all above escalation of sub role attribute's roles ebitmap into that of parent ever happens, all decl in the base->global list except the global block would have to be traversed so as to populate potential role-attribute relationships from decl up to the base module. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/policy_define.c
|
3592ebea1a5beb390a520c09747d3699867af9de |
|
25-Jul-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
Add role attribute support when expanding role_set_t. When the rolemap and pointer to the base module are available, if a non-zero bit in role_set_t.roles is a role attribute, expand it before remap. Note, during module compile the rolemap may not be available, the potential duplicates of a regular role and the role attribute that the regular role belongs to could be properly handled by copy_role_allow() and copy_role_trans() during module expansion. Take advantage of the role_val_to_struct[] of the base module, since when role_set_expand() is invoked, the role_val_to_struct[] of the out module may have not been established yet. Also cleanup the error handling of role_set_expand(). Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/policy_define.c
|
16675b7f96b7a61ac64180b1824ec04984b72b3b |
|
25-Jul-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
Add role attribute support when compiling modules. 1. Add a uint32_t "flavor" field and an ebitmap "roles" to the role_datum_t structure; 2. Add a new "attribute_role" statement and its handler to declare a role attribute; 3. Modify declare_role() to setup role_datum_t.flavor according to the isattr argument; 4. Add a new "roleattribute" rule and its handler, which will record the regular role's (policy value - 1) into the role attribute's role_datum_t.roles ebitmap; 5. Modify the syntax for the role-types rule only to define the role-type associations; 6. Add a new role-attr rule to support the declaration of a single role, and optionally the role attribute that the role belongs to; 7. Check if the new_role used in role-transition rule is a regular role; 8. Support to require a role attribute; 9. Modify symtab_insert() to allow multiple declarations only for the regular role, while a role attribute can't be declared more than once and can't share a same name with another regular role. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/policy_define.c
|
516cb2a264448421bff692f47f61e8cf2a74237e |
|
28-Mar-2011 |
Eric Paris <eparis@redhat.com> |
checkpolicy: add support for using last path component in type transition rules This patch adds support for using the last path component as part of the information in making labeling decisions for new objects. An example rule looks like so: type_transition unconfined_t etc_t:file system_conf_t eric; This rule says if unconfined_t creates a file in a directory labeled etc_t and the last path component is "eric" (no globbing, no matching magic, just exact strcmp) it should be labeled system_conf_t. The kernel and policy representation does not have support for such rules in conditionals, and thus policy explicitly notes that fact if such a rule is added to a conditional. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/policy_define.c
|
e95f358e3bbe850e5c99f56f8521abe1f5a6210b |
|
25-Mar-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
Userspace: role_transition parser to handle class field Handle the class field in the role_transition rule. If no class is specified, then it would be set to the "process" class by default. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/policy_define.c
|
f997295da3e6377899ca31c05f92819eab7d3ea7 |
|
08-Dec-2010 |
Justin P. Mattock <justinmattock@gmail.com> |
Author: "Justin P. Mattock" Email: justinmattock@gmail.com Subject: checkpolicy Fix error: variable 'newattr' set but not used (and others as well) Date: Tue, 6 Jul 2010 15:23:28 -0700 The below patch fixes some warning messages I'm receiving with GCC: (in this case some are errors due to -Werror) policy_define.c: In function 'define_type': policy_define.c:1216:6: error: variable 'newattr' set but not used cc1: all warnings being treated as errors Signed-off-by: Justin P. Mattock <justinmattock@gmail.com> Signed-off-by: Chad Sellers <csellers@tresys.com>
/external/selinux/checkpolicy/policy_define.c
|
79d10a8f9889ce0458ff0592ccaf83b273608eb2 |
|
29-Sep-2009 |
Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> |
checkpolicy: Add support for multiple target OSes Updated patch of checkpolicy based on input. On Tue, 2009-09-15 at 12:37 -0400, pjnuzzi wrote: > Add support for multiple target OSes by adding the -t target option to > checkpolicy. Implemented the new Xen ocontext identifiers pirqcon, > pcidevicecon, iomemcon and ioportcon. > > Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> > > --- checkpolicy/checkpolicy.c | 20 ++- checkpolicy/policy_define.c | 272 ++++++++++++++++++++++++++++++++++++++++++++ checkpolicy/policy_define.h | 4 checkpolicy/policy_parse.y | 29 ++++ checkpolicy/policy_scan.l | 10 + 5 files changed, 330 insertions(+), 5 deletions(-) Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/checkpolicy/policy_define.c
|
f7917ea9cf6af752de98a1e742152d813028c669 |
|
10-Feb-2009 |
Caleb Case <ccase@tresys.com> |
aliases for the boundary format The boundary format mapped the primary field to a boolean in the properties bitmap. This is appropriate for the kernel policy, but in modular policy the primary field may be an integer that indicates the primary type that is being aliased. In this case, the primary value cannot be assumed to be boolean. This patch creates a new module format that writes out the primary value as was done before the boundary format. Signed-off-by: Caleb Case <ccase@tresys.com> Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/checkpolicy/policy_define.c
|
45728407d60a5297deac7aa65fd92adf2412d5f7 |
|
08-Oct-2008 |
Joshua Brindle <method@manicmethod.com> |
Author: KaiGai Kohei Email: kaigai@ak.jp.nec.com Subject: Thread/Child-Domain Assignment (rev.2) Date: Tue, 05 Aug 2008 14:55:52 +0900 [2/3] thread-context-checkpolicy.2.patch It enables to support TYPEBOUNDS statement and to expand existing hierarchies implicitly. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> -- module_compiler.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++++ policy_define.c | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++- policy_define.h | 1 policy_parse.y | 5 ++ policy_scan.l | 2 + 5 files changed, 186 insertions(+), 1 deletion(-) Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/checkpolicy/policy_define.c
|
13cd4c8960688af11ad23b4c946149015c80d549 |
|
19-Aug-2008 |
Joshua Brindle <method@manicmethod.com> |
initial import from svn trunk revision 2950
/external/selinux/checkpolicy/policy_define.c
|