| Commit message (Collapse) | Author | Age | Files | Lines |
Relax the requirement to have both seinfo and name specified for
privapps. The original reason for requiring both was because, normally,
a package can only be uniquely specified by both name and signature,
otherwise package squatting could occur. However, privapps are
pre-installed, so the concerns about the potential for package squatting
are eliminated. This change will drastically simplify sepolicy
configuration for priv-apps.
Bug: 142672293
Test: Flashed a device with this build and verified it boots.
Change-Id: I68e6245ae004888bdcc91df410ce15a8fd5da583
Merged-In: I68e6245ae004888bdcc91df410ce15a8fd5da583
(cherry picked from commit 0c61ef8783c0777dbd78a6791ae8dd16794d9e1d)
Change-Id: I2d6c366b7498d9760cb0bc21bade9b66b20815e9
qt-qpr1-release
Change-Id: I51758254b6e3b5da80375f1e029565aabe98a2e8
When Android boots after file_contexts has changed, the boot process
walks the entire /data partition, updating any changed SELinux labels as
appropriate. However, credential encrypted ("ce") directories are
deliberately excluded from this early boot directory walk. Files within
ce directories have their filenames encrypted, and as a result, cannot
match the file_contexts entries. Only after the user has unlocked their
device are the unencrypted filenames available and a restorecon
appropriate.
Exclude /data/vendor_ce from the early boot restorecon, like we do for
/data/system_ce and /data/misc_ce. This prevents init from
inappropriately relabeling these files with encrypted filenames.
Bug: 132349934
Test: See bug 132349934 comment #12 for test procedure
Change-Id: I59171f11dc25d446fae3760c4aa538264944391d
Allow callers to indicate that they don't want to compute the sehash
value. Callers may not have CAP_SYS_ADMIN, so attempting to write the
sehash value will result in the following (harmless) errors:

  SELinux: setxattr failed: /data/app/com.andromeda.androbench2-z5oLVfPATqQF35yGDuMUeA==: Operation not permitted

TODO: It would be better if the default for restorecon was to suppress
the hash computation, since otherwise it encourages programs to be
overprivileged with CAP_SYS_ADMIN. I'll plan on doing that in a followup
commit.

Bugs where this error message has been called out:

Bug: 129766333
Bug: 129271240
Bug: 128700692
Bug: 129925723
Test: install an APK and ensure that no "SELinux: setxattr failed"
      error messages are generated.
(cherry picked from commit 3060b61d412fa30e91fb13dd29b82d994143aa30)
Change-Id: Iddfb221354ee6336c6ef99d7950b9d1a1a07d5ac
am: a90faed9c0
Change-Id: I14b49861226174f82bca09f53fc97b1fbe4a0149
Change-Id: I2852314e8909462c7fec76ea279db7a85d49f035
BUG: 129345239
Bug: 129704390
Test: ps -AZ; verify that apps have correct context
Test: with "#define DEBUG 1" to verify that
selinux_android_seapp_context_reload() is only called once
in zygote.
Change-Id: I8120f66ce77b472d9190647e13f6da6c6f52464a
781054cc2f am: 066295c639
am: d400b1d6cc
Change-Id: If734fa1223a0eb171b1b0a46bba5bcf42e2df11e
am: 066295c639
Change-Id: Id948b73fc7abef3aa23ae67083e113542dc754da
am: 781054cc2f
Change-Id: I3afcf18ef27c14bec93743d8df9feb190ffce0e5
Followed the following steps:

  # In repo client
  cd external/selinux
  repo sync .
  repo start mymerge .
  git merge aosp/upstream-master --no-ff # resolve any conflicts
  lunch && make -j
  repo upload .

Test: compiles and boots
Change-Id: I75ccf5307012a2517c0fdf13bea806e10b8b8595
For some reason, restorecond was explicitly linking against libpcre, but
the code is not using any of its symbols.

Closes: https://github.com/SELinuxProject/selinux/issues/137
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
On most distributions, /var/run is a symbolic link to /run, so using
/var/run or /run leads to the same result. Nevertheless, systemd started
to warn about using /var/run in a service file, logging entries such as:

  /usr/lib/systemd/system/restorecond.service:8: PIDFile= references
  path below legacy directory /var/run/, updating
  /var/run/restorecond.pid → /run/restorecond.pid; please update the
  unit file accordingly.

Switch to /run in order to follow this advice.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/usr/share/applications is a standard directory for .desktop files.
Installation path can be changed using DESKTOPDIR variable in installation
phase, e.g.

  make DESKTOPDIR=/usr/local/share/applications install

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
polgengui.py is a standalone gui tool which should be in /usr/bin with other
tools.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Since version 2.30 glibc implements gettid() system call wrapper, see
https://sourceware.org/bugzilla/show_bug.cgi?id=6399

Fixes:

  cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -I../include -D_GNU_SOURCE -DNO_ANDROID_BACKEND -c -o procattr.o procattr.c
  procattr.c:28:14: error: static declaration of ‘gettid’ follows non-static declaration
     28 | static pid_t gettid(void)
        |              ^~~~~~
  In file included from /usr/include/unistd.h:1170,
                   from procattr.c:2:
  /usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here
     34 | extern __pid_t gettid (void) __THROW;
        |                ^~~~~~

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Commit c19395d72295 ("libselinux: selinux_set_mapping: fix handling of unknown
classes/perms") added a new interface security_reject_unknown() which needs to
be documented.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
ffb4432b9a am: dd0d620905
am: afc5a5f900
Change-Id: I1907d767ff41a280fefbef5f5f149d56d122c2bc
ffb4432b9a
am: dd0d620905
Change-Id: I6a360c7bb8aa51eebb967fc07c672a5e2be50d2e
am: ffb4432b9a
Change-Id: I46e9a7aa4f194c335d2485f3a527b8576809ed32
The stem is a list of top level directories (without regex metachar)
covered in the file context. It is constructed by finding the
second '/' in the regex_string, and aims to speed up the lookup by
skipping unnecessary regex matches. More context in
https://lore.kernel.org/selinux/200309231522.25749.russell@coker.com.au/

However, this caused some issues when we try to find all the partial
matches for a root directory. For example, the path "/data" doesn't
have a stem while the regex "/data/misc/(/.*)?" has "/data" as the
stem. As a result, all the regexes for the subdirs of /data will not be
considered as a match for "/data". And the restorecon will wrongly
skip the top level "/data" when there's a context change to one of
the subdirs.

This CL always includes the stem when compiling the regex in all
circumstances. Also, it ignores the stem id check in the "match all"
case, while the behavior for the single match stays unchanged. I will
collect more data to find out if stem id check is still necessary at
all with the new restorecon logic.

Bug: 62302954
Bug: 127946548
Test: run restorecon on "/data"; change the context of one subdir and
run again, and the context is restored on that subdir; search the caller
of regex_match
Change-Id: I4d6e554bb6abe124055782769d2f95083ed6c3a1
am: ae2951a861
Change-Id: Id79dbe4459b42be166850190a43623eab6144602
am: c90d3ed589
Change-Id: I7d19e3c1d9f82dba7615f775a998a2653e59b2eb
am: de9339b298
Change-Id: Ie80ea68df89ba35d9234b61313048e966ac074fd
This doesn't appear needed anymore.
Test: compiles.
Change-Id: I41b41ec67324051bbae0624735eb797ad60aaca2
f797b5b327 am: 63b151c687
am: d291486582
Change-Id: Ib01e2bd0e917790290191a1e4bf8480fcf93bb75
f797b5b327
am: 63b151c687
Change-Id: I96c75bb29480054ebd98dc65499b5806f224bb0a
am: f797b5b327
Change-Id: I67d959d417eb10a24cbc4ee34ff96db5f307ba40
We used to hash the file_context and skip the restorecon on the top
level directory if the hash doesn't change. But the file_context
might change after an OTA update; and some users experienced long
restorecon time as they have lots of files under directories like
/data/media.
This CL tries to hash all the partial match entries in the
file_context for each directory; and skips the restorecon if that
digest stays the same, regardless of the changes to the other parts
of file_context.
Bug: 62302954
Test: visited directory skips correctly during restorecon.
Change-Id: Ia0668629a260b9b7a049bb68f6a8cc901c6cc46b
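
The two restorecon changes above (per-directory digests of the partially matching file_contexts entries, and the stem shortcut that hid subdirectory entries from "/data") can be reproduced in a small model. This is an added Python example, not libselinux or AOSP code: the entries, the labels, the prefix-based approximation of a regex partial match and the use of SHA-256 are all assumptions of the example.

```python
import hashlib
import re

META = set(".^$?*+|[({")  # regex metacharacters that disqualify a stem

# Constructed file_contexts-style entries (regex, label); not from AOSP policy.
V1 = [
    ("/data(/.*)?", "u:object_r:system_data_file:s0"),
    ("/data/misc(/.*)?", "u:object_r:misc_data_file:s0"),
    ("/data/media(/.*)?", "u:object_r:media_rw_data_file:s0"),
    ("/cache(/.*)?", "u:object_r:cache_file:s0"),
]
# Same entries after an update that relabels only /data/misc.
V2 = [(rx, "u:object_r:new_misc_file:s0" if rx.startswith("/data/misc") else ctx)
      for rx, ctx in V1]


def stem(s):
    """Text before the second '/', or None if absent or not a plain literal."""
    i = s.find("/", 1)
    if i < 0 or META & set(s[:i]):
        return None
    return s[:i]


def literal_prefix(rx):
    """Leading part of a regex that contains no metacharacter."""
    for i, c in enumerate(rx):
        if c in META:
            return rx[:i]
    return rx


def partial_specs(path, specs, check_stem):
    """Entries that match `path` or could still match something below it."""
    hits = []
    for rx, ctx in specs:
        s = stem(rx)
        if check_stem and s is not None and s != stem(path):
            continue  # stem shortcut: entry dropped before any regex runs
        # Approximation of a regex partial match (assumption of this example).
        if re.fullmatch(rx, path) or literal_prefix(rx).startswith(path):
            hits.append((rx, ctx))
    return hits


def dir_digest(path, specs, check_stem=False):
    """Digest of only the entries relevant to `path` (SHA-256 chosen here)."""
    h = hashlib.sha256()
    for rx, ctx in partial_specs(path, specs, check_stem):
        h.update(f"{rx}\0{ctx}\n".encode())
    return h.hexdigest()
```

With the stem check on, the digest for "/data" is identical before and after the /data/misc relabel, so a digest-based skip would leave stale labels in place; with the check off the digest changes, while "/data/media" keeps the same digest and is still skipped.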
de42e97aa8 am: abc9cf4978
am: 82dff62307
Change-Id: I0ca46b86de9520feffc53797f19d48f12284e256
de42e97aa8
am: abc9cf4978
Change-Id: Ica14a5fb5a28272a2ce7129963345ca5ef5b2624
am: de42e97aa8
Change-Id: I029f6fd11e969143e118150139db705f1a507ad9
This is part of the effort to save digest for subdirectories.
Split out the non-android part to make the merge to upstream
branch easier.
Bug: 62302954
Test: build android, compile the upstream branch
Change-Id: I4df94ed381f26356c539d604f31a65daabafc1da
356091588a am: 1aa07b6989
am: 4f7a3eaafc
Change-Id: If684bdf404138281a9f4f86af0a799cdd700ca2e
am: 1aa07b6989
Change-Id: I5722c0a20afea3b01ec68bfd60d41234e1ad405e
am: 356091588a
Change-Id: Ie05430fd88aff7b6cbca4258495841037180181c
Additionally, resolve build time errors due to
c19395d72295f5e69275d98df5db22dfdf214b6c
libselinux: selinux_set_mapping: fix handling of unknown classes/perm

Followed the following steps:

  # In repo client
  cd external/selinux
  repo sync .
  repo start mymerge .
  git merge aosp/upstream-master --no-ff # resolve any conflicts
  lunch && make -j
  repo upload .

Test: device boots and no obvious problems.
Change-Id: Ib3a6c086ceadaeaaaf35498d53b2b3e3ad5b8945
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The libselinux selinux_set_mapping() implementation was never updated
to handle unknown classes/permissions based on the policy handle_unknown
flag. Update it and the internal mapping functions to gracefully
handle unknown classes/permissions. Add a security_reject_unknown()
interface to expose the corresponding selinuxfs node and use it when
creating a mapping to decide whether to fail immediately or proceed.
This enables dbus-daemon and XSELinux, which use selinux_set_mapping(),
to continue working with the dummy policy or other policies that lack
their userspace class/permission definitions as long as the policy
was built with -U allow.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
65c6846e1a am: bc47cff9dd
am: b4b9d8dc9c
Change-Id: I88d7f793aa6a470dd6d24fdfa8d882d575d661e1
am: bc47cff9dd
Change-Id: Id58d92dd4071e714a807eb186595c7bd7de2be63
am: 65c6846e1a
Change-Id: I153c60a50aa6bd4d37b8a3f655a737b06080853f
This really isn't needed, as we just rebased 5 days ago. However, I
wanted to minimize the diff in case anyone happens to look at
b/126376007 today.

Followed the following steps:

  # In repo client
  cd external/selinux
  repo sync .
  repo start mymerge .
  git merge aosp/upstream-master --no-ff # resolve any conflicts
  repo upload .

Test: device boots and no obvious problems.
Bug: 126376007
Change-Id: I290900ec5285ca98212b90d0ac536da9d27b16c9
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- Python 2.7 is planned to be the last of the 2.x releases
- It's generally advised to use Python 3
- Majority of python/ scripts are already switched to python3
- Users with python 2 only can still use:

  $ make PYTHON=/usr/bin/python ....

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>