53bb2a11c23b774f096701bab759c6ab9ec52ea1 |
|
17-Aug-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
checkpolicy,libselinux,libsepol,policycoreutils: Update my email address Update my email address since epoch.ncsc.mil no longer exists. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/include/sepol/policydb/services.h
|
118c0cd1038efb8d869db70753d2ac449f4fda9b |
|
22-May-2017 |
Daniel Jurgens <danielj@mellanox.com> |
libsepol: Add ibendport ocontext handling Add support for reading, writing, and copying IB end port ocontext data. Also add support for querying a IB end port sid to checkpolicy. Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
/external/selinux/libsepol/include/sepol/policydb/services.h
|
9fbb3112769a7931777f30894156d981b6933415 |
|
22-May-2017 |
Daniel Jurgens <danielj@mellanox.com> |
libsepol: Add ibpkey ocontext handling Add support for reading, writing, and copying Infiniband Pkey ocontext data. Also add support for querying a Pkey sid to checkpolicy. Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
/external/selinux/libsepol/include/sepol/policydb/services.h
|
7e09f584e1f7b315abc4f55023234e3225ab9fa0 |
|
29-Nov-2016 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsepol,libselinux,audit2allow: teach audit2why about type bounds failures Teach audit2why to recognize type bounds failures. This required updating libsepol sepol_compute_av_reason() to identify bounds failures, and updating libsepol context_struct_compute_av() to include the type bounds logic from the kernel. This could potentially be further augmented to provide more detailed reporting via the reason buffer to include information similar to what security_dump_masked_av() reports in the kernel. However, it is unclear if this is needed. It is already possible to get type bounds checking at policy build time by enabling expand-check=1 in /etc/selinux/semanage.conf (or by default when compiling monolithic policy). Before: type=AVC msg=audit(1480451925.038:3225): avc: denied { getattr } for pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0 Was caused by: Unknown - would be allowed by active policy Possible mismatch between this policy and the one under which the audit message was generated. Possible mismatch between current in-memory boolean settings vs. permanent ones. After: type=AVC msg=audit(1480451925.038:3225): avc: denied { getattr } for pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0 Was caused by: Typebounds violation. Add an allow rule for the parent type. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/include/sepol/policydb/services.h
|
cf8625be58e3fe29e7a45331a47dde03e107b340 |
|
29-Nov-2016 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsepol: do not #include <sys/cdefs.h> ratbert90 submitted this patch via https://github.com/SELinuxProject/selinux/issues/19. Apparently musl does not provide sys/cdefs.h, see http://wiki.musl-libc.org/wiki/FAQ#Q:_I.27m_trying_to_compile_something_against_musl_and_I_get_error_messages_about_sys.2Fcdefs.h. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/include/sepol/policydb/services.h
|
ed7a6ba24ad3241e696fa7bc9bb56bb4f373147b |
|
16-Dec-2014 |
dcashman <dcashman@google.com> |
Allow libsepol C++ static library on device. Change-Id: I7da601767c3a4ebed7274e33304d8b589a9115fe Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/include/sepol/policydb/services.h
|
14c0564641e6c8be386f117c2b0f09434121226f |
|
14-Sep-2014 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
libsepol: fix most gcc -Wwrite-strings warnings gcc puts literal strings lie in read-only memory. On x86_64, trying to write to them triggers a segmentation fault. To detect such issues at build time, variables holding a pointer to such strings should be "const char*". "gcc -Wwrite-strings" warns when using non-const pointers to literal strings. Remove gcc warnings by adding const to local variables and argumens of internal functions. This does *not* fix this warning: policydb_public.c:208:10: warning: passing argument 2 of 'hashtab_search' discards 'const' qualifier from pointer target type return (hashtab_search(p->p.p_classes.table, PACKET_CLASS_NAME) == ^ In file included from ../include/sepol/policydb/symtab.h:16:0, from ../include/sepol/policydb/policydb.h:60, from policydb_public.c:4: ../include/sepol/policydb/hashtab.h:98:24: note: expected 'hashtab_key_t' but argument is of type 'const char *' extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k); ^ Moreover the "const" word in hashtab_search prototype does not make the second parameter "const char*" but "char* const". Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/include/sepol/policydb/services.h
|
e1551b91af5660f690dfeb1b7f9a333853dcc524 |
|
03-Nov-2013 |
Richard Haines <richard_c_haines@btinternet.com> |
libsepol: Add sepol_validate_transition_reason_buffer function This will return mls/validatetrans constraint information for each expression in a buffer. If POLICY_KERN version is >= POLICYDB_VERSION_CONSTRAINT_NAMES then the policy defined types/attributes will be returned. Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
/external/selinux/libsepol/include/sepol/policydb/services.h
|
9eefe11b3a94307a3f5432316a59d1f8e3268429 |
|
28-Oct-2013 |
Richard Haines <richard_c_haines@btinternet.com> |
libsepol: V1 Allow constraint denials to be determined. Adds policy source defined 'type' or 'typeattribute' names to constraints by adding additional structures (->type_names->types) to a binary policy. Before this change all typeattributes were expanded to lists of types and added to the constraint under ->names. This made it difficult for system admins to determine from the policy source what attribute needed to be updated. To facilitate analysis of constraint failures a new function has also been added, see sepol_compute_av_reason_buffer. As additional structures have been added to policy, the policy version is also updated (POLICYDB_VERSION_CONSTRAINT_NAMES). There is also a corresponding kernel patch to handle the additional structures. sepol_compute_av_reason_buffer is an extended version of sepol_compute_av_reason. This will return a buffer with constraint expression information, containing the constrain type, class, perms, keywords etc.. It will also contain which constraint expr failed plus the final outcome. The buffer MUST be free'd with free(3). The type information output by sepol_compute_av_reason_buffer depends on the policy version: If >= POLICYDB_VERSION_CONSTRAINT_NAMES, then the output will be whatever was in the original policy (type or attribute names). If < POLICYDB_VERSION_CONSTRAINT_NAMES, then the output will be the types listed in the constraint (as no attribute information is available in these versions). For users and roles whatever policy version, only the names are listed (as role attributes are not currently held in the constraint). Also added are two functions that obtain the class and permissions from a binary policy file that has been loaded for testing: sepol_string_to_security_class sepol_string_to_av_perm Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
/external/selinux/libsepol/include/sepol/policydb/services.h
|
56258807ea4b33cf3c7a1dbf1b574ab77c91f899 |
|
25-Oct-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Revert "Richard Haines patch that allows us discover constraint violation information" This reverts commit 56b49ab7114f367f46b70e41d84dc7e6d52d5209. Conflicts: libselinux/src/audit2why.c
/external/selinux/libsepol/include/sepol/policydb/services.h
|
56b49ab7114f367f46b70e41d84dc7e6d52d5209 |
|
09-Oct-2013 |
Dan Walsh <dwalsh@redhat.com> |
Richard Haines patch that allows us discover constraint violation information Basically we need this information to allow audit2allow/audit2why to better describe which constraint is being broken.
/external/selinux/libsepol/include/sepol/policydb/services.h
|
13cd4c8960688af11ad23b4c946149015c80d549 |
|
19-Aug-2008 |
Joshua Brindle <method@manicmethod.com> |
initial import from svn trunk revision 2950
/external/selinux/libsepol/include/sepol/policydb/services.h
|