sepolicy: add version_policy tool and version non-platform policy.

am: 2e00e637 Change-Id: I616afaa6babfa976e79ecd8dd52308620f3fb694

sepolicy: add version_policy tool and version non-platform policy.
b0343fb8 · dcashman · android-build-merger · 0fd68b77 · 2e00e637 · b0343fb8
Commit b0343fb8 authored 8 years ago by dcashman Committed by android-build-merger 8 years ago
--- a/public/su.te
+++ b/public/su.te
+# File types must be defined for file_contexts.
+type su_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+  # Domain used for su processes, as well as for adbd and adb shell
+  # after performing an adb root command.  The domain definition is
+  # wrapped to ensure that it does not exist at all on -user builds.
+  type su, domain, mlstrustedsubject;
+
+  # Add su to various domains
+  net_domain(su)
+  app_domain(su)
+
+  dontaudit su self:capability_class_set *;
+  dontaudit su kernel:security *;
+  dontaudit su kernel:system *;
+  dontaudit su self:memprotect *;
+  dontaudit su domain:process *;
+  dontaudit su domain:fd *;
+  dontaudit su domain:dir *;
+  dontaudit su domain:lnk_file *;
+  dontaudit su domain:{ fifo_file file } *;
+  dontaudit su domain:socket_class_set *;
+  dontaudit su domain:ipc_class_set *;
+  dontaudit su domain:key *;
+  dontaudit su fs_type:filesystem *;
+  dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+  dontaudit su node_type:node *;
+  dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+  dontaudit su netif_type:netif *;
+  dontaudit su port_type:socket_class_set *;
+  dontaudit su port_type:{ tcp_socket dccp_socket } *;
+  dontaudit su domain:peer *;
+  dontaudit su domain:binder *;
+  dontaudit su property_type:property_service *;
+  dontaudit su property_type:file *;
+  dontaudit su service_manager_type:service_manager *;
+  dontaudit su servicemanager:service_manager list;
+  dontaudit su keystore:keystore_key *;
+  dontaudit su domain:debuggerd *;
+  dontaudit su domain:drmservice *;
+  dontaudit su unlabeled:filesystem *;
+  dontaudit su postinstall_file:filesystem *;
+')
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -25,7 +25,6 @@ allow system_server self:process ptrace;
 # Child of the zygote.
 allow system_server zygote:fd use;
 allow system_server zygote:process sigchld;
-allow system_server zygote_tmpfs:file read;

 # May kill zygote on crashes.
 allow system_server zygote:process sigkill;
@@ -381,8 +380,6 @@ set_prop(system_server, ctl_bugreport_prop)
 set_prop(system_server, cppreopt_prop)

 # Create a socket for receiving info from wpa.
-type_transition system_server wifi_data_file:sock_file system_wpa_socket;
-type_transition system_server wpa_socket:sock_file system_wpa_socket;
 allow system_server wpa_socket:dir rw_dir_perms;
 allow system_server system_wpa_socket:sock_file create_file_perms;

@@ -626,4 +623,3 @@ neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perm
 # system_server should never use JIT functionality
 neverallow system_server self:process execmem;
 neverallow system_server ashmem_device:chr_file execute;
-neverallow system_server system_server_tmpfs:file execute;
--- a/public/te_macros
+++ b/public/te_macros
@@ -95,10 +95,6 @@ tmpfs_domain($1)
 # Allow a base set of permissions required for all apps.
 define(`app_domain', `
 typeattribute $1 appdomain;
-# Label ashmem objects with our own unique type.
-tmpfs_domain($1)
-# Map with PROT_EXEC.
-allow $1 $1_tmpfs:file execute;
 ')

 #####################################

--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -38,10 +38,6 @@ allow untrusted_app asec_apk_file:dir r_dir_perms;
 # Execute libs in asec containers.
 allow untrusted_app asec_public_file:file { execute execmod };

-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app)
-
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
 # TODO: Long term, we don't want apps probing into shell data files.

--- a/reqd_mask/access_vectors
+++ b/reqd_mask/access_vectors
+../private/access_vectors
\ No newline at end of file
--- a/reqd_mask/initial_sid_contexts
+++ b/reqd_mask/initial_sid_contexts
+sid reqd_mask u:r:reqd_mask_type:s0
--- a/reqd_mask/initial_sids
+++ b/reqd_mask/initial_sids
+sid reqd_mask
+
+# FLASK
--- a/reqd_mask/mls
+++ b/reqd_mask/mls
+mlsconstrain binder { set_context_mgr } (l1 eq l2);
--- a/reqd_mask/mls_decl
+++ b/reqd_mask/mls_decl
+../private/mls_decl
\ No newline at end of file
--- a/reqd_mask/mls_macros
+++ b/reqd_mask/mls_macros
+../private/mls_macros
\ No newline at end of file
--- a/reqd_mask/reqd_mask.te
+++ b/reqd_mask/reqd_mask.te
+type reqd_mask_type;
--- a/reqd_mask/roles
+++ b/reqd_mask/roles
+role r types reqd_mask_type;
--- a/reqd_mask/roles_decl
+++ b/reqd_mask/roles_decl
+role r;
--- a/reqd_mask/security_classes
+++ b/reqd_mask/security_classes
+../private/security_classes
\ No newline at end of file
--- a/reqd_mask/users
+++ b/reqd_mask/users
+user u roles { r } level s0 range s0 - mls_systemhigh;
--- a/tools/Android.mk
+++ b/tools/Android.mk
@@ -46,4 +46,17 @@ LOCAL_CXX_STL := none

 include $(BUILD_HOST_EXECUTABLE)

+###################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := version_policy
+LOCAL_MODULE_TAGS := optional
+LOCAL_CFLAGS := -Wall -Werror
+LOCAL_SRC_FILES := version_policy.c
+LOCAL_SHARED_LIBRARIES := libsepol
+LOCAL_CXX_STL := none
+
+include $(BUILD_HOST_EXECUTABLE)
+
+
 include $(call all-makefiles-under,$(LOCAL_PATH))
--- a/tools/version_policy.c
+++ b/tools/version_policy.c
+/*
+ * version_policy.c - Takes the given public platform policy, a private policy
+ * and a version number to produced a combined "versioned" policy file.
+ */
+#include <errno.h>
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <sys/stat.h>
+#include <cil/android.h>
+#include <cil/cil.h>
+#include <cil/cil_write_ast.h>
+
+void __attribute__ ((noreturn)) static usage(char *prog) {
+	printf("Usage: %s [OPTION]...\n", prog);
+	printf("\n");
+	printf("Options:\n");
+	printf("  -b, --base=<file>          (req'd) base policy for versioning.\n");
+	printf("  -m, --mapping              generate cil version  mapping from base policy\n");
+	printf("  -n, --number               (req'd) version number to use.\n");
+	printf("  -o, --output=<file>        write cil policy to <file>\n");
+	printf("  -t, --tgt_policy           policy to be versioned according to base policy\n");
+	printf("  -h, --help                 display usage information\n");
+	exit(1);
+}
+
+/*
+ * read_cil_file - Initialize db and parse CIL input file.
+ */
+static int read_cil_file(struct cil_db **db, char *path) {
+	int rc = SEPOL_ERR;
+	FILE *file;
+	struct stat filedata;
+	uint32_t file_size;
+	char *buff = NULL;
+
+	cil_db_init(db);
+	file = fopen(path, "re");
+	if (!file) {
+		fprintf(stderr, "Could not open file: %s\n", path);
+		goto file_err;
+	}
+	rc = stat(path, &filedata);
+	if (rc == -1) {
+		fprintf(stderr, "Could not stat file: %s - %s\n", path, strerror(errno));
+		goto err;
+	}
+	file_size = filedata.st_size;
+	buff = malloc(file_size);
+	if (buff == NULL) {
+		fprintf(stderr, "OOM!\n");
+		rc = SEPOL_ERR;
+		goto err;
+	}
+	rc = fread(buff, file_size, 1, file);
+	if (rc != 1) {
+		fprintf(stderr, "Failure reading file: %s\n", path);
+		rc = SEPOL_ERR;
+		goto err;
+	}
+	fclose(file);
+	file = NULL;
+
+	/* creates parse_tree */
+	rc = cil_add_file(*db, path, buff, file_size);
+	if (rc != SEPOL_OK) {
+		fprintf(stderr, "Failure adding %s to parse tree\n", path);
+		goto err;
+	}
+	free(buff);
+
+	return SEPOL_OK;
+err:
+	free(buff);
+	fclose(file);
+file_err:
+	cil_db_destroy(db);
+	return rc;
+}
+
+int main(int argc, char *argv[])
+{
+	int opt_char;
+	int opt_index = 0;
+	int rc = SEPOL_ERR;
+	bool mapping = false;
+	char *base = NULL;
+	char *tgt_policy = NULL;
+	char *num = NULL;
+	char *output = NULL;
+	struct cil_db *base_db = NULL;
+	struct cil_db *out_db = NULL;
+
+	static struct option long_opts[] = {
+		{"help", no_argument, 0, 'h'},
+		{"base", required_argument, 0, 'b'},
+		{"mapping", no_argument, 0, 'm'},
+		{"number", required_argument, 0, 'n'},
+		{"output", required_argument, 0, 'o'},
+		{"tgt_policy", required_argument, 0, 't'},
+		{0, 0, 0, 0}
+	};
+
+	while (1) {
+		opt_char = getopt_long(argc, argv, "b:mn:o:t:h", long_opts, &opt_index);
+		if (opt_char == -1) {
+			break;
+		}
+		switch (opt_char) {
+		case 'b':
+			base = strdup(optarg);
+			break;
+		case 'm':
+			mapping = true;
+			break;
+		case 'n':
+			num = strdup(optarg);
+			break;
+		case 'o':
+			output = strdup(optarg);
+			break;
+		case 't':
+			tgt_policy = strdup(optarg);
+			break;
+		case 'h':
+			usage(argv[0]);
+		default:
+			fprintf(stderr, "Unsupported option: %s\n", optarg);
+			usage(argv[0]);
+		}
+	}
+	if (optind < argc) {
+		fprintf(stderr, "Unknown arguments supplied\n");
+		usage(argv[0]);
+	}
+	if (num == NULL || base == NULL || (mapping == false && tgt_policy == NULL)) {
+		fprintf(stderr, "Please specify required arguments\n");
+		usage(argv[0]);
+	}
+
+	if (mapping && tgt_policy) {
+		fprintf(stderr, "Please select only one mode between --mapping and --tgt_policy\n");
+		usage(argv[0]);
+	}
+
+	/* gimme all the details */
+	cil_set_log_level(CIL_INFO);
+
+	/* read platform policy */
+	rc = read_cil_file(&base_db, base);
+	if (rc != SEPOL_OK) {
+		goto exit;
+	}
+
+	if (mapping) {
+		rc = cil_android_attrib_mapping(&out_db, base_db, num);
+		if (rc != SEPOL_OK)
+			goto exit;
+	} else {
+		/* read target policy, ready for manipulation */
+		rc = read_cil_file(&out_db, tgt_policy);
+		if (rc != SEPOL_OK) {
+			goto exit;
+		}
+		/* attributize the target policy */
+		rc = cil_android_attributize(out_db, base_db, num);
+		if (rc != SEPOL_OK) {
+			goto exit;
+		}
+	}
+	rc = cil_write_ast(out_db, output);
+	if (rc != SEPOL_OK) {
+		goto exit;
+	}
+
+exit:
+	free(base);
+	free(tgt_policy);
+	free(num);
+	free(output);
+	cil_db_destroy(&base_db);
+	cil_db_destroy(&out_db);
+	return rc;
+}