Merge "tighten up some neverallow rules."
diff --git a/Android.mk b/Android.mk
index 4ae0dab..11a693d 100644
--- a/Android.mk
+++ b/Android.mk
@@ -176,6 +176,13 @@
with_asan := true
endif
+# Library extension for host-side tests
+ifeq ($(HOST_OS),darwin)
+SHAREDLIB_EXT=dylib
+else
+SHAREDLIB_EXT=so
+endif
+
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy
LOCAL_MODULE_TAGS := optional
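Review bot: `SHAREDLIB_EXT` is a generically named global, and the recipes later in this file reference it directly, so it is expanded when the recipe runs and takes whatever value the name holds once parsing has finished. The other inputs to those recipes go through target-specific `PRIVATE_*` variables. Doing the same here, e.g. `$(sepolicy_tests): PRIVATE_SEPOLWRAP := $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT)`, fixes the value at parse time. Writing the two assignments with `:=` would also match the neighbouring `with_asan := true`.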
@@ -1188,7 +1195,8 @@
$(sepolicy_tests): $(HOST_OUT_EXECUTABLES)/sepolicy_tests \
$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64 -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) -p $(PRIVATE_SEPOLICY)
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
+ -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) -p $(PRIVATE_SEPOLICY)
$(hide) touch $@
##################################
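Review bot: The recipe now names `$(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT)` explicitly, but that file is not in the prerequisite list on the rule header. Nothing visible here orders the library build before the test under `-j` or reruns the test when the library changes. Unless the `sepolicy_tests` host module already pulls the library in as a required module, add `$(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \` to the prerequisites. The `treble_sepolicy_tests` recipe in the next hunk has the same shape; its rule header starts outside that hunk.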
@@ -1305,7 +1313,8 @@
$(built_26.0_plat_sepolicy) $(26.0_compat) $(26.0_mapping.combined.cil)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
- $(HOST_OUT)/lib64 -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) \
+ $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
+ -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) \
-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
$(PRIVATE_FAKE_TREBLE)
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index de5c53c..1693736 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -27,6 +27,7 @@
allow ephemeral_app mediacodec_service:service_manager find;
allow ephemeral_app mediametrics_service:service_manager find;
allow ephemeral_app mediadrmserver_service:service_manager find;
+allow ephemeral_app drmserver_service:service_manager find;
allow ephemeral_app surfaceflinger_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
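Review bot: The added `allow ephemeral_app drmserver_service:service_manager find;` widens the set of services this domain can look up, and nothing in the hunk records why. A comment above the line, for example `# Needed for <feature>; see b/<bug-id>.`, would let later reviewers judge whether the grant is still required. It is also worth confirming that the drmserver interface is meant to be reachable from ephemeral apps, since until now only `mediadrmserver_service` was granted here.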
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 37935c3..951a0df 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -27,12 +27,9 @@
# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
# by other processes. Open should never be allowed, and is blocked by
# neverallow rules below.
-# TODO: consider removing write/append. We want to limit isolated_apps
-# ability to mutate files of any type.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
-auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
diff --git a/public/recovery.te b/public/recovery.te
index 187251a..5f7a475 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -134,6 +134,8 @@
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow recovery kernel:process setsched;
+
+ allow recovery proc_cmdline:file r_file_perms;
')
###
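Review bot: The new `allow recovery proc_cmdline:file r_file_perms;` has no comment saying what recovery needs from the kernel command line, while the rule just above it is annotated. A short comment such as `# Read the kernel command line for <purpose>; see b/<bug-id>.` would record the reason. The rule sits inside a block that closes with `')` and opens outside the hunk, so which build variants it applies to cannot be confirmed from here.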
diff --git a/tests/Android.bp b/tests/Android.bp
index 8dc3330..144b995 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -1,14 +1,16 @@
cc_library_host_shared {
name: "libsepolwrap",
srcs: ["sepol_wrap.cpp"],
- shared_libs: ["libsepol"],
cflags: ["-Wall", "-Werror",],
export_include_dirs: ["include"],
// libsepolwrap gets loaded from the system python, which does not have the
// ASAN runtime. So turn off sanitization for ourself, and use static
// libraries, since the shared libraries will use ASAN.
- static_libs: ["libbase"],
+ static_libs: [
+ "libbase",
+ "libsepol",
+ ],
stl: "libc++_static",
sanitize: {
never: true,
diff --git a/tests/policy.py b/tests/policy.py
index 4bc9c91..2c4b0a6 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -253,13 +253,7 @@
# load ctypes-ified libsepol wrapper
def __InitLibsepolwrap(self, LibPath):
- if "linux" in platform.system().lower():
- lib = CDLL(LibPath + "/libsepolwrap.so")
- elif "darwin" in platform.system().lower():
- lib = CDLL(LibPath + "/libsepolwrap.dylib")
- else:
- sys.exit("policy.py: " + platform.system() + " not supported." +
- " Only Linux and Darwin platforms are currently supported.")
+ lib = CDLL(LibPath)
# int get_allow_rule(char *out, size_t len, void *policydbp, void *avtab_iterp);
lib.get_allow_rule.restype = c_int
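Review bot: `CDLL(LibPath)` passes the caller's string straight to the dynamic loader, which resolves a value with no directory component through its own search path rather than relative to the working directory. The library that gets loaded therefore need not be the file the calling scripts checked with `os.path.exists`. Resolving it first, `lib = CDLL(os.path.abspath(LibPath))`, keeps the check and the load on the same file; this needs `os` imported in policy.py, which the hunk does not show. Since the argument is now a file rather than a directory, a comment such as `# LibPath: full path to the libsepolwrap shared library` would help. The method body continues past the hunk.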
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 3f93ff4..3edf1f2 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -39,7 +39,8 @@
Tests = ["TestDataTypeViolators"]
if __name__ == '__main__':
- usage = "sepolicy_tests.py -f nonplat_file_contexts -f "
+ usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
+ usage += "-f nonplat_file_contexts -f "
usage +="plat_file_contexts -p policy [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
parser.add_option("-f", "--file_contexts", dest="file_contexts",
@@ -52,7 +53,7 @@
(options, args) = parser.parse_args()
if not options.libpath:
- sys.exit("Must specify path to host libraries\n" + parser.usage)
+ sys.exit("Must specify path to libsepolwrap library\n" + parser.usage)
if not os.path.exists(options.libpath):
sys.exit("Error: library-path " + options.libpath + " does not exist\n"
+ parser.usage)
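Review bot: The check `os.path.exists(options.libpath)` still accepts a directory, although `-l` must now name the library file itself. An old-style invocation that passes the `lib64` directory gets past this check and only fails later inside `CDLL` with a less helpful error. Using `if not os.path.isfile(options.libpath):` would reject it here with the usage text. The same check appears in the matching hunk of tests/treble_sepolicy_tests.py.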
@@ -74,11 +75,11 @@
results = ""
# If an individual test is not specified, run all tests.
- if options.test is None or "TestDataTypeViolations" in options.tests:
+ if options.test is None or "TestDataTypeViolations" in options.test:
results += TestDataTypeViolations(pol)
- if options.test is None or "TestSysfsTypeViolations" in options.tests:
+ if options.test is None or "TestSysfsTypeViolations" in options.test:
results += TestSysfsTypeViolations(pol)
- if options.test is None or "TestDebugfsTypeViolations" in options.tests:
+ if options.test is None or "TestDebugfsTypeViolations" in options.test:
results += TestDebugfsTypeViolations(pol)
if len(results) > 0:
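Review bot: A `--test` value that matches none of the three names checked here leaves `results` empty, and the `Tests` list shown in this file's first hunk contains only `"TestDataTypeViolators"`, which is not one of them. If that list is what validates `--test` (its use is outside the hunks), the only accepted name selects no test and the run would presumably finish without reporting anything. Aligning the list, `Tests = ["TestDataTypeViolations", "TestSysfsTypeViolations", "TestDebugfsTypeViolations"]`, closes that gap. The `if len(results) > 0:` block continues outside the hunk.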
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 2c0cef3..ea03731 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -308,7 +308,7 @@
"ViolatorAttributes": TestViolatorAttributes}
if __name__ == '__main__':
- usage = "treble_sepolicy_tests.py -l out/host/linux-x86/lib64 "
+ usage = "treble_sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
usage += "-f nonplat_file_contexts -f plat_file_contexts "
usage += "-p curr_policy -b base_policy -o old_policy "
usage +="-m mapping file [--test test] [--help]"
@@ -328,7 +328,7 @@
(options, args) = parser.parse_args()
if not options.libpath:
- sys.exit("Must specify path to host libraries\n" + parser.usage)
+ sys.exit("Must specify path to libsepolwrap library\n" + parser.usage)
if not os.path.exists(options.libpath):
sys.exit("Error: library-path " + options.libpath + " does not exist\n"
+ parser.usage)