Add a pre-submit check to ensure that files have a newline character at
the end.

Please see https://android.googlesource.com/platform/tools/repohooks/
for documentation on how PREUPLOAD hooks work.

Test: created a change and watched the presubmit check reject it.
Change-Id: Id0528cb1bd6fa9c4483ba43720839832f4fec34d

In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317

If in invalid policy file is loaded check_seapp outputs:

Error: Could not lod policy file to db: Success!

The "Success" value is from errno, which is not manipulated
by libsepol. Also, load should have an a in it!

Hardcode the error message to:

Error: Could not load policy file to db: invalid input file!

Test: That when providing an invalid sepolicy binary, that the output
message is correct.
Change-Id: Iaf1f85eeb217d484997ee1367d91d461c1195bf4
Signed-off-by: William Roberts <william.c.roberts@intel.com>

check_seapp.c:993:6: warning: Passed-by-value struct argument contains
uninitialized data (e.g., field: 'data')

Bug: 26936282
Test: WITH_TIDY=1 WITH_STATIC_ANALYZER=1 mm
Change-Id: I3fc2ca8f862356628864f2a37b8d39222c8d658a

Value stored to 'i' is never read.
Variable 'j' is never used.

Bug: 26936282
Test: WITH_TIDY=1 WITH_STATIC_ANALYZER=1 mm
Change-Id: I8dd266e639d089efd1fb1e1e0fca3899cf2a1553

Test: Builds and boots
Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9

Inform checkfc about new service label backend.

Test: bullhead builds

Bug: 31353148
Change-Id: I499da36108e67483a4f9a18fd8cc7c8f13419abd

It should be specified by LOCAL_EXPORT_C_INCLUDE_DIRS from the imported
libraries.

Change-Id: I5b01ac24763a75984227d77671def6561325b7cc

Ports check_seapp to pcre2.

Change-Id: If3faac5b911765a66eab074f7da2511624c3fc97

Ports check_seapp to pcre2.

Merged-In: Ib9977326cfbb19ce143b04504f41afb884f2ec17
Bug: 24091652
Change-Id: Ib9977326cfbb19ce143b04504f41afb884f2ec17

Add parentheses around macro arguments used beside binary operators.
Use NOLINT comment to suppress false clang-tidy warnings.

Bug: 28705665
Change-Id: Idc7474c43da52a1ca6a690b56d8f637767adbb88

Bug: 21266225
Change-Id: I649c2ae36340d1f2b3db478e90e125c473b47b6e

Remove the .data=NULL assignments that were pushing the
static keymap mapping horizontal.

(cherry picked from commit 29adea51)

Change-Id: I2e6e78930ac8d1d8b9bd61d9dedb59f4859ea13c
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Data type tracking is no longer needed now that per
key validation routines are supported.

(cherry picked from commit c92dae98)

Change-Id: I2f1d0d5b1713e0477996479b0f279a58f43f15c7
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Input validation was hard-coded into a validation routine
that would check against type and key names in a scattered,
order dependent conditional code block.

This makes it harder than it should be to add new key value
pairs and types into checkseapp.

To correct this, we add a validation callback into the
static mapping. If the validation callback is set, the
existing validation routine will call this for input
validation. On failure, a validation specific error message
is returned to be displayed.

(cherry picked from commit 696a66ba)

Change-Id: I92cf1cdf4ddbcfae19168b621f47169a3cf551ac
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Change the final error message to be consistent with the others.

From:
Error: reading /home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts, line 82, name domain, value system_server

To:
Error: Reading file: "/home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts" line: 82 name: "domain" value: "system_server"

(cherry picked from commit efebf97e)

Change-Id: Idf791d28fbba95fbeed8b9ccec9a296eea33afb9
Signed-off-by: William Roberts <william.c.roberts@intel.com>

(cherry picked from commit 25528cf4)

Change-Id: Ic4dc59650ca849b950cb145fedafdf4fc250f009
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Remove the .data=NULL assignments that were pushing the
static keymap mapping horizontal.

Change-Id: I2e6e78930ac8d1d8b9bd61d9dedb59f4859ea13c
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Data type tracking is no longer needed now that per
key validation routines are supported.

Change-Id: I2f1d0d5b1713e0477996479b0f279a58f43f15c7
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Input validation was hard-coded into a validation routine
that would check against type and key names in a scattered,
order dependent conditional code block.

This makes it harder than it should be to add new key value
pairs and types into checkseapp.

To correct this, we add a validation callback into the
static mapping. If the validation callback is set, the
existing validation routine will call this for input
validation. On failure, a validation specific error message
is returned to be displayed.

Change-Id: I92cf1cdf4ddbcfae19168b621f47169a3cf551ac
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Change the final error message to be consistent with the others.

From:
Error: reading /home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts, line 82, name domain, value system_server

To:
Error: Reading file: "/home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts" line: 82 name: "domain" value: "system_server"

Change-Id: Idf791d28fbba95fbeed8b9ccec9a296eea33afb9
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Change-Id: Ic4dc59650ca849b950cb145fedafdf4fc250f009
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: I3775eae11bfa5905cad0d02a0bf26c76ac03437c
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Checkfc was treating 0 size fc files as a fatal error.
An empty fc file should be treated as "nothing to check"
so long as the -e option is passed.

We add this option, so we don't allow empty file_context
files to pass CTS checking.

Change-Id: Ibca6bd948a13389e10c605d613acc48c5504443e
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Breaks builds with no device specific policy.

Bug: 26568553
This reverts commit 29d14688.

Change-Id: If9254d4ad3f104a96325beedebc05dd22664084a

Change-Id: I0e63f90cafc5b1ca9cc112e852e172046b16a17e
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: Id79cc6f434c41179d5c0d0d739c4718918b0b1dc
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Enable checkfc to check *_contexts against a set of valid attributes
which must be associated with all types in the contexts file that
is being checked.

Since it's imperative that checkfc knows which file its checking to
choose the proper attribute set, the -s option is introduced to
indicate the service_contexts file. The property_contexts file continues
to use the existing -p and file_contexts requires no specification, aka
it's the default.

Failure examples:
file_contexts:
Error: type "init" is not of set: "fs_type, dev_type, file_type"

service_contexts:
Error: type "init_exec" is not of set: "service_manager_type"

property_contexts:
Error: type "bluetooth_service" is not of set: "property_type"

Change-Id: I62077e4d0760858a9459e753e14dfd209868080f
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Initial check in of empty autoplay_app.te policy file.

Create isAutoPlayApp input selector. Give this selector high precedence -
only below isSystemServer.

Add neverallow rule disallowing an app context with isAutoPlayApp=true from
running in a domain other than autoplay_app.

Change-Id: I1d06669d2f1acf953e50867dfa2b264ccaee29a4

Assign priviliged apps not signed with the platform key to the priv_app
domain.

Bug: 22033466
Change-Id: Idf7fbe7adbdc326835a179b554f96951b69395bc

Extend checkfc to support comparing two file_contexts or
file_contexts.bin files.  This is for use by the CTS
SELinuxHostTest to compare the AOSP general_file_contexts
with the device file_contexts.bin file.

Depends on I0fe63e0c7f11ae067b5aac2f468f7842e5d76986.

Change-Id: I2fff2f8cf87690a76219ddf4cf38939650f34782
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Introduce "neverallow" rules for seapp_contexts. A neverallow rule is
similar to the existing key-value-pair entries but the line begins
with "neverallow". A neverallow violation is detected when all keys,
both inputs and outputs are matched. The neverallow rules value
parameter (not the key) can contain regular expressions to assist in
matching. Neverallow rules are never output to the generated
seapp_contexts file.

Also, unless -o is specified, checkseapp runs in silent mode and
outputs nothing. Specifying - as an argument to -o outputs to stdout.

Sample Output:
Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app"

Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d
Signed-off-by: William Roberts <william.c.roberts@intel.com>

rule_map_free() took as a parameter a boolean menu rule_map_switch
that was used to determine if it should free the key pointer that
is also in the table. On GLIBC variants, calls to hdestroy do not
free the key pointer, on NON-GLIBC variants, it does. The original
patch was meant to correct this, however, it always passes "destroy"
as the rule_map_switch. On GLIBC variants this is fine, however on
NON-GLIBC variants, that free was compiled out, and the free() was
handled by hdestroy. In cases of failure where the rule_map was not
in the htable, those key's were not properly free'd.

Change-Id: Ifdf616e09862bca642a4d31bf0cb266168170e50
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Change-Id: I00aa4eeaf569c8108a7b6aab190be68e53b46597
Signed-off-by: William Roberts <william.c.roberts@intel.com>

When an error occured it was erroneously being indicated that he
file was the output file, not the input file.

Before:
Error: Could not find selinux type "fake_app" on line: 51 in file: out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts
Error: Could not validate
Error: reading out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts.tmp, line 51, name levelFrom, value user

After:
Error: Could not find selinux type "fake_app" on line: 51 in file: out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts.tmp
Error: Could not validate
Error: reading out/target/product/flo/obj/ETC/seapp_contexts_intermediates/seapp_contexts.tmp, line 51, name levelFrom, value user

Change-Id: Ib0e01f1f0ef563a2a150a0a3b4012e6e15d736bb
Signed-off-by: William Roberts <william.c.roberts@intel.com>

If a duplicate entry is found, rule_map_cmp() incorrectly
assumes that the lengths of the key value pairs should be
equal, when this is not true. The duplicate detection is
done on the input parameters, thus the lengths can be
different. This resulted in a duplicate error string
message of "do not match", instead of "match on all inputs".

Also, the file name printed that contained the error was
the output file, not the input file that contained it.

Change-Id: I9b3f99fa4aa3454849de55f18b198b0b56e44320
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Point to external/selinux/libsepol instead of external/libsepol.

(cherry picked from commit 96136d84)

Change-Id: I09c33a4cbd7b4cd3ef2341c042259b96c0b59372

Point to external/selinux/libsepol instead of external/libsepol.

Change-Id: I09c33a4cbd7b4cd3ef2341c042259b96c0b59372

Point to external/selinux/libsepol instead of external/libsepol

(cherry picked from commit 53b48013)

Change-Id: If6dc1e9261f397d801ba2376ab60c5dc5b5d86e4

Point to external/selinux/libsepol instead of external/libsepol

Change-Id: If6dc1e9261f397d801ba2376ab60c5dc5b5d86e4