check_seapp: add support for "neverallow" checks

Introduce "neverallow" rules for seapp_contexts. A neverallow rule is similar to the existing key-value-pair entries but the line begins with "neverallow". A neverallow violation is detected when all keys, both inputs and outputs are matched. The neverallow rules value parameter (not the key) can contain regular expressions to assist in matching. Neverallow rules are never output to the generated seapp_contexts file. Also, unless -o is specified, checkseapp runs in silent mode and outputs nothing. Specifying - as an argument to -o outputs to stdout. Sample Output: Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app" Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d Signed-off-by: William Roberts <william.c.roberts@intel.com>

check_seapp: add support for "neverallow" checks
81e1f90c · William Roberts · William C Roberts · 33edd308 · 81e1f90c · 81e1f90c
Commit 81e1f90c authored 9 years ago by William Roberts Committed by William C Roberts 9 years ago
--- a/Android.mk
+++ b/Android.mk
@@ -173,18 +173,16 @@ LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 include $(BUILD_SYSTEM)/base_rules.mk
-seapp_contexts.tmp := $(intermediates)/seapp_contexts.tmp
+all_sc_files := $(call build_policy, seapp_contexts)
-$(seapp_contexts.tmp): $(call build_policy, seapp_contexts)
-	@mkdir -p $(dir $@)
-	$(hide) m4 -s $^ > $@
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE) : $(seapp_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkseapp
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(all_sc_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(all_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
 	@mkdir -p $(dir $@)
-	$(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $<
+	$(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)
 built_sc := $(LOCAL_BUILT_MODULE)
-seapp_contexts.tmp :=
+all_sc_files :=
 ##################################
 include $(CLEAR_VARS)
@@ -194,18 +192,16 @@ LOCAL_MODULE_TAGS := tests
 include $(BUILD_SYSTEM)/base_rules.mk
-general_seapp_contexts.tmp := $(intermediates)/general_seapp_contexts.tmp
+all_sc_files := $(addprefix $(LOCAL_PATH)/, seapp_contexts)
-$(general_seapp_contexts.tmp): $(addprefix $(LOCAL_PATH)/, seapp_contexts)
-	@mkdir -p $(dir $@)
-	$(hide) m4 -s $^ > $@
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE) : $(general_seapp_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkseapp
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILE := $(all_sc_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(all_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
 	@mkdir -p $(dir $@)
-	$(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $<
+	$(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILE)
 GENERAL_SEAPP_CONTEXTS := $(LOCAL_BUILT_MODULE)
-general_seapp_contexts.tmp :=
+all_sc_files :=
 ##################################
 include $(CLEAR_VARS)

--- a/seapp_contexts
+++ b/seapp_contexts
@@ -38,6 +38,42 @@
 # levelFrom=app or levelFrom=all is only supported for _app UIDs.
 # level may be used to specify a fixed level for any UID.
 #
+#
+# Neverallow Assertions
+# Additional compile time assertion checks can be added as well. The assertion
+# rules are lines beginning with the keyword neverallow. Full support for PCRE
+# regular expressions exists on all input and output selectors. Neverallow
+# rules are never output to the built seapp_contexts file. Like all keywords,
+# neverallows are case-insensitive. A neverallow is asserted when all key value
+# inputs are matched on a key value rule line.
+#
+# only the system server can be in system_server domain
+neverallow isSystemServer=false domain=system_server
+neverallow isSystemServer="" domain=system_server
+# system domains should never be assigned outside of system uid
+neverallow user=((?!system).)* domain=system_app
+neverallow user=((?!system).)* type=system_app_data_file
+# anything with a non-known uid with a specified name should have a specified seinfo
+neverallow user=_app name=.* seinfo=""
+neverallow user=_app name=.* seinfo=default
+# neverallow shared relro to any other domain
+# and neverallow any other uid into shared_relro
+neverallow user=shared_relro domain=((?!shared_relro).)*
+neverallow user=((?!shared_relro).)* domain=shared_relro
+# neverallow non-isolated uids into isolated_app domain
+# and vice versa
+neverallow user=_isolated domain=((?!isolated_app).)*
+neverallow user=((?!_isolated).)* domain=isolated_app
+# uid shell should always be in shell domain, however non-shell
+# uid's can be in shell domain
+neverallow user=shell domain=((?!shell).)*
 isSystemServer=true domain=system_server
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file

--- a/tools/Android.mk
+++ b/tools/Android.mk
@@ -4,10 +4,13 @@ include $(CLEAR_VARS)
 LOCAL_MODULE := checkseapp
 LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/selinux/libsepol/include/
+LOCAL_C_INCLUDES := \
+		external/pcre \
+		external/selinux/libsepol/include
 LOCAL_CFLAGS := -DLINK_SEPOL_STATIC -Wall -Werror
 LOCAL_SRC_FILES := check_seapp.c
 LOCAL_STATIC_LIBRARIES := libsepol
+LOCAL_WHOLE_STATIC_LIBRARIES := libpcre
 LOCAL_CXX_STL := none
 include $(BUILD_HOST_EXECUTABLE)

--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c