Bug:74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Merged-In: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b
Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b

Bug:74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b

Bug:74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Merged-In: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b
Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b

chmod +x

Test: build all sepolicy targets.
Change-Id: I9e47b78667e4a213c31ecce0e37fe7f84abd9655

This script will build the SELinux policy for multiple targets in parallel.

To use it, run:
./build_policies.sh <Android root directory> <output directory> [specific targets to build]

If you do not pass any individual targets, it will build all targets it can find.

It will print out the list of failing targets.  You can open up the corresponding log file in the output directory to see the exact errors.

This script is still a work in progress.  It currently cannot discover all build targets (it misses ones "lunch" does not list).

Bug: 33463570
Test: Ran script to build multiple targets with and without failures.
Change-Id: Iee8ccf4da38e5eb7ce2034431613fe10c65696ab

This CL lists all the exported platform properties in
private/exported_property_contexts.

Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.

Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e

bug: 69430536
Test: make ats-tradefed && ats-tradefed run ats -m
GtsSecurityHostTestCases

Merged-In: I617a7d08b1bf480f970bc8b4339fa6bbdc347311
Change-Id: I1d4af47662de5db4e5f7bba244e42930b6de164b

bug: 69430536
Test: make ats-tradefed && ats-tradefed run ats -m
GtsSecurityHostTestCases

Change-Id: I617a7d08b1bf480f970bc8b4339fa6bbdc347311

Code review of:
  - https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/512420/

had some comments. These were addressed and upstreamed here:
  - https://github.com/TresysTechnology/refpolicy/commit/65620e0f94541195fed45f34d4fc1218b4e0d6f3



Bring these changes back into the AOSP tree.

Test: verify that output sorted device files did not change hashes when built.

Change-Id: I7f07d3f74923cf731e853629034469784fc669f7
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Bug: 66996870
Test: build with WITH_TIDY=1
Change-Id: I5df432c6d2f7ee19db89f44fbe3adec2bbcc0b41

Bug: 67848572
Test: mma
Change-Id: I75520b6aa19e44854129697b3c3e375427356e6a

Update to commit:
  - https://github.com/TresysTechnology/refpolicy/commit/5490639ac99fcfa062a0b9825a111b9392a2da34



This solves all reported clang analyzer issues and is inline with upstream.

Test: veerify that md5sum of output files do not change.

Change-Id: I942145b8f9748c8ecd185f730c94d57cb77f5acc
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

Static analyzer complains the memory pointed by list in bcurrent is not
deallocated before returning. But since this code is in "main" routine,
we don't care about the deallocation. Just ignore the warning.

Bug: b/27101951
Test: Verified warning is gone.
Change-Id: I58d784b61a5ad30d1406bd7c6b28c5713abf2b34

Test: gts-tradefed run gts-dev --module=GtsSecurityHostTestCases
Bug: 64127136
Change-Id: Ib50294488bb1a5d46faed00d6954db64648fed20

Fix the following warnings:

system/sepolicy/tools/sepolicy-analyze/neverallow.c:346:9: warning:
Potential leak of memory pointed to by '__s1'
system/sepolicy/tools/sepolicy-analyze/neverallow.c:346:9: warning:
Potential leak of memory pointed to by 'id'
system/sepolicy/tools/sepolicy-analyze/neverallow.c:364:13: warning:
Potential leak of memory pointed to by 'classperms'
system/sepolicy/tools/sepolicy-analyze/neverallow.c:364:13: warning:
Potential leak of memory pointed to by 'node'

Bug: b/27101951
Test:Warnings are gone.
Change-Id: Ib9b2e0b9f19950b4b764d438ee58340e6c022ef5

Use the getline API correctly: keep a single buffer as long as
possible, and let the callee handle re-allocation. Move the final
free out of the loop.

Release the head of the linked list.

Bug: 37757586
Test: ASAN_OPTIONS= SANITIZE_HOST=address mmma system/sepolicy
Change-Id: I42424acba7cd68c1b9a7a43e916a421ac3e253f7

Destroy the policy before exiting (for successful = expected runs).

Bug: 37757759
Test: ASAN_OPTIONS= SANITIZE_HOST=address m
Change-Id: I67e35fbede696ec020a53b69a6cef9f374fae167

Empty typeset is not an issue in neverallow rules. The reason is that
it's completly normal for scontext or tcontext of neverallow rules to
evaluate to an empty type set. For example, there are neverallow rules
whose purpose is to test that all types with particular powers are
associated with a particular attribute:
  neverallow {
    untrusted_app_all
    -untrusted_app
    -untrusted_app_25
  } domain:process fork;

Test: sepolicy-analyze neverallow -w -n \
          'neverallow {} {}:binder call;'
      produces empty output instead of "Warning!  Empty type set"
Bug: 37357742
Change-Id: Id61b4fe22fafaf0522d8769dd4e23dfde6cd9f45

This could be useful in diffs between policy versions.

Bug: 37357742
Test: sepolicy-analyze lists all attributes in precompiled_policy.
Change-Id: I6532a93d4102cf9cb12b73ee8ed86ece368f9131

The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.

Make version_policy replace the '.' in version by '_' so secilc is
happy too.

This unblocks libvintf from giving out a runtme API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.

(cherry-pick of commit 42f95984)

Bug: 35217573
Test: Build and boot sailfish.
      Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>

Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b

The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.

Make version_policy replace the '.' in version by '_' so secilc is
happy too.

This unblocks libvintf from giving out a runtme API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.

Bug: 35217573
Test: Build and boot sailfish.
      Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>

Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b

added checkfc options 'l' and 'v' to verify hwservice_manager_type
and vndservice_manager_type on service context files, respectively.

The checkfc call to verify the new hwservice_contexts files will
be added together with hwservicemanager ACL CLs later.

Bug: 34454312
Bug: 36052864
Test: device boots, works
Change-Id: Ie3b56da30be47c95a6b05d1bc5e5805acb809783

sepolicy-analyze allows users to see all types that have a given
attribute, but not the reverse case: all attributes of a given type.
Add a '--reverse' option which enables this, but keeps the previous
interface.

Usage: sepolicy-analyze sepolicy attribute -r init

Bug: 36508258
Test: Build and run against current policy.

(cherry picked from commit d444ebed)

Change-Id: I9813ebf61d50fb5abbc8e52be4cf62751979bbd4

sepolicy-analyze allows users to see all types that have a given
attribute, but not the reverse case: all attributes of a given type.
Add a '--reverse' option which enables this, but keeps the previous
interface.

Usage: sepolicy-analyze sepolicy attribute -r init

Bug: 36508258
Test: Build and run against current policy.
Change-Id: Ice6893cf7aa2ec4706a7411645a8e0a8a3ad01eb

untrusted_v2_app is basically a refinement of untrusted_app with legacy
capabilities removed and potentially backwards incompatible changes.

This is not currently hooked up to anything.

Bug: 33350220
Test: builds
Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2

This new input selector allows phasing in new security policies by
giving app developers an opportunity to make any needed compatibility
changes before updating each app's targetSdkVersion.

When all else is equal, matching entries with higher
minTargetSdkVersion= values are preferred over entries with lower
minTargetSdkVersion= values.

Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806

Add a pre-submit check to ensure that files have a newline character at
the end.

Please see https://android.googlesource.com/platform/tools/repohooks/
for documentation on how PREUPLOAD hooks work.

Test: created a change and watched the presubmit check reject it.
Change-Id: Id0528cb1bd6fa9c4483ba43720839832f4fec34d

In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317

If in invalid policy file is loaded check_seapp outputs:

Error: Could not lod policy file to db: Success!

The "Success" value is from errno, which is not manipulated
by libsepol. Also, load should have an a in it!

Hardcode the error message to:

Error: Could not load policy file to db: invalid input file!

Test: That when providing an invalid sepolicy binary, that the output
message is correct.
Change-Id: Iaf1f85eeb217d484997ee1367d91d461c1195bf4
Signed-off-by: William Roberts <william.c.roberts@intel.com>

check_seapp.c:993:6: warning: Passed-by-value struct argument contains
uninitialized data (e.g., field: 'data')

Bug: 26936282
Test: WITH_TIDY=1 WITH_STATIC_ANALYZER=1 mm
Change-Id: I3fc2ca8f862356628864f2a37b8d39222c8d658a

Value stored to 'i' is never read.
Variable 'j' is never used.

Bug: 26936282
Test: WITH_TIDY=1 WITH_STATIC_ANALYZER=1 mm
Change-Id: I8dd266e639d089efd1fb1e1e0fca3899cf2a1553

Test: Builds and boots
Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9

Inform checkfc about new service label backend.

Test: bullhead builds

Bug: 31353148
Change-Id: I499da36108e67483a4f9a18fd8cc7c8f13419abd

It should be specified by LOCAL_EXPORT_C_INCLUDE_DIRS from the imported
libraries.

Change-Id: I5b01ac24763a75984227d77671def6561325b7cc

Ports check_seapp to pcre2.

Change-Id: If3faac5b911765a66eab074f7da2511624c3fc97

Ports check_seapp to pcre2.

Merged-In: Ib9977326cfbb19ce143b04504f41afb884f2ec17
Bug: 24091652
Change-Id: Ib9977326cfbb19ce143b04504f41afb884f2ec17

Ports check_seapp to pcre2.

Bug: 24091652
Change-Id: Ib9977326cfbb19ce143b04504f41afb884f2ec17

Add parentheses around macro arguments used beside binary operators.
Use NOLINT comment to suppress false clang-tidy warnings.

Bug: 28705665
Change-Id: Idc7474c43da52a1ca6a690b56d8f637767adbb88

Bug: 21266225
Change-Id: I649c2ae36340d1f2b3db478e90e125c473b47b6e