Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results
Blame Permalink
  • Jeff Vander Stoep's avatar
    c75aa50d
    Add another extraneous neverallow rule to force attribute inclusion · c75aa50d
    Jeff Vander Stoep authored 
    Due to the massively increased number of attributes in SELinux policy
as part of the treble changes, we have had to remove attributes from
policy for performance reasons.  Unfortunately, some attributes are
required to be in policy to ensure that our neverallow rules are being
properly enforced.  Usually this is not a problem, since neverallow rules
indicate that an attribute should be kept, but this is not currently the
case when the attribute is part of a negation in a group.

This is particularly problematic with treble since some attributes may
exist for HALs that have no implementation, and thus no types.  In
particular, this has caused an issue with the neverallows added in our
macros.  Add an extraneous neverallow rule to each of those auto-generated
neverallow rules to make sure that they are not removed from policy, until
the policy compiler is fixed to avoid this.  Also add corresponding rules
for other types which have been removed due to no corresponding rules.

Bug: 62658302
Bug: 62999603
Test: Build Marlin policy.
Test: verify attribute exists in policy using sepolicy-analyze.
    sepolicy-analyze $OUT/vendor/etc/selinux/precompiled_sepolicy \
    attribute hal_tetheroffload_server
Test: CTS neverallow tests pass.
    cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest
Change-Id: I62596ba8198ffdcbb4315df639a834e4becaf249
    c75aa50d
    History
    Add another extraneous neverallow rule to force attribute inclusion
    Jeff Vander Stoep authored 
    Due to the massively increased number of attributes in SELinux policy
as part of the treble changes, we have had to remove attributes from
policy for performance reasons.  Unfortunately, some attributes are
required to be in policy to ensure that our neverallow rules are being
properly enforced.  Usually this is not a problem, since neverallow rules
indicate that an attribute should be kept, but this is not currently the
case when the attribute is part of a negation in a group.

This is particularly problematic with treble since some attributes may
exist for HALs that have no implementation, and thus no types.  In
particular, this has caused an issue with the neverallows added in our
macros.  Add an extraneous neverallow rule to each of those auto-generated
neverallow rules to make sure that they are not removed from policy, until
the policy compiler is fixed to avoid this.  Also add corresponding rules
for other types which have been removed due to no corresponding rules.

Bug: 62658302
Bug: 62999603
Test: Build Marlin policy.
Test: verify attribute exists in policy using sepolicy-analyze.
    sepolicy-analyze $OUT/vendor/etc/selinux/precompiled_sepolicy \
    attribute hal_tetheroffload_server
Test: CTS neverallow tests pass.
    cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest
Change-Id: I62596ba8198ffdcbb4315df639a834e4becaf249