diff options
| author | Pierre-Hugues Husson <phh@phh.me> | 2019-10-25 13:29:20 +0200 |
|---|---|---|
| committer | Jeferson <jroliveira.oliveira301@gmail.com> | 2022-06-04 21:53:51 +0200 |
| commit | 625928655b699028d67c5699bd7c224d4a44d7a7 (patch) | |
| tree | 662c1bcf63de68078a0f64475bcfb8b465c0a208 | |
| parent | bb57f72d4b985e19dd4d871828cd363b3803c40b (diff) | |
vendor sepolicy never contains new class or classorder, and are not
allowed to.
Though this is not tested, and it turns out Moto did it anyway.
This raises an issue, because class need to be ordered, and thus the cil
contains the ordering. This ordering needs to be merged.
Android 10 added new classes, so the ordering can no longer be merged,
and secilc fails on those devices, preventing boot.
Considering vendor are not supposed to declare new class (and thus
declare classorder), this fix ignores class-es/classorder in vendor
SELinux policy.
Since the vendor selinux policy has allows rules based on this context,
those allows will fail since the class doesn't exist.
Workaround this by ignoring rules with the problematic class
( keystore_moto_key )
Lucky us, this new class `keystore_moto_key` is used by Moto for
framework to framework (more accurately priv app to keymaster), since
our own framework doesn't use this class, simply ignoring it fixes the
issue.
Change-Id: I66339857634ebfdba359f12a99dfd0bff709d80b
| -rw-r--r-- | libsepol/cil/src/cil_build_ast.c | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 307b1ee3..02cdcc65 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -386,6 +386,14 @@ int cil_gen_class(struct cil_db *db, struct cil_tree_node *parse_current, struct struct cil_tree_node *perms = NULL; int rc = SEPOL_ERR; + { + const char* path = cil_tree_get_cil_path(parse_current); + if(strstr(path, "vendor")) { + cil_clear_node(ast_node); + return SEPOL_OK; + } + } + rc = __cil_verify_syntax(parse_current, syntax, syntax_len); if (rc != SEPOL_OK) { goto exit; @@ -452,6 +460,14 @@ int cil_gen_classorder(struct cil_db *db, struct cil_tree_node *parse_current, s struct cil_list_item *head = NULL; int rc = SEPOL_ERR; + { + const char* path = cil_tree_get_cil_path(parse_current); + if(strstr(path, "vendor")) { + cil_clear_node(ast_node); + return SEPOL_OK; + } + } + if (db == NULL || parse_current == NULL || ast_node == NULL) { goto exit; } @@ -2050,6 +2066,14 @@ int cil_gen_avrule(struct cil_tree_node *parse_current, struct cil_tree_node *as rule->src_str = parse_current->next->data; rule->tgt_str = parse_current->next->next->data; + { + const char *classname = parse_current->next->next->next->cl_head->data; + if(strcmp(classname, "keystore_moto_key") == 0) { + cil_clear_node(ast_node); + return SEPOL_OK; + } + } + rc = cil_fill_classperms_list(parse_current->next->next->next, &rule->perms.classperms); if (rc != SEPOL_OK) { goto exit; |