platform_system_sepolicy/mac_permissions.xml

<?xml version="1.0" encoding="utf-8"?>
<policy>

<!--

    * A signature is a hex encoded X.509 certificate or a tag defined in
      keys.conf and is required for each signer tag.
    * A signer tag may contain a seinfo tag and multiple package stanzas.
    * A default tag is allowed that can contain policy for all apps not signed with a
      previously listed cert. It may not contain any inner package stanzas.
    * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
      represents additional info that each app can use in setting a SELinux security
      context on the eventual process.
    * When a package is installed the following logic is used to determine what seinfo
      value, if any, is assigned.
      - All signatures used to sign the app are checked first.
      - If a signer stanza has inner package stanzas, those stanza will be checked
        to try and match the package name of the app. If the package name matches
        then that seinfo tag is used. If no inner package matches then the outer
        seinfo tag is assigned.
      - The default tag is consulted last if needed.
-->

    <!-- Platform dev key in AOSP -->
    <signer signature="@PLATFORM" >
      <seinfo value="platform" />
    </signer>

    <!-- All other keys -->
    <default>
      <seinfo value="default" />
    </default>

</policy>
Add mac_permissions.xml file. This was moved from external/mac-policy.git 2012-07-30 15:33:03 +02:00			`<?xml version="1.0" encoding="utf-8"?>`
			`<policy>`

Add inline documentation for mac_permissions.xml. Copied from our tree, adjusted to note relationship to keys.conf and to be consistent with the AOSP implementation. Change-Id: I09ba86d4c9a1b11a8865890e11283456ea2ffbcf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-03-12 14:40:43 +01:00			`<!--`

			`* A signature is a hex encoded X.509 certificate or a tag defined in`
			`keys.conf and is required for each signer tag.`
			`* A signer tag may contain a seinfo tag and multiple package stanzas.`
			`* A default tag is allowed that can contain policy for all apps not signed with a`
			`previously listed cert. It may not contain any inner package stanzas.`
			`* Each signer/default/package tag is allowed to contain one seinfo tag. This tag`
			`represents additional info that each app can use in setting a SELinux security`
			`context on the eventual process.`
			`* When a package is installed the following logic is used to determine what seinfo`
			`value, if any, is assigned.`
			`- All signatures used to sign the app are checked first.`
			`- If a signer stanza has inner package stanzas, those stanza will be checked`
			`to try and match the package name of the app. If the package name matches`
			`then that seinfo tag is used. If no inner package matches then the outer`
			`seinfo tag is assigned.`
			`- The default tag is consulted last if needed.`
			`-->`

Add missing seinfo tag from mac_permissions.xml policy. A prior merge accidentally dropped the seinfo tag from the release keys stanza. Change-Id: I99f9ea8d0981c5324c3875896b0673552a03d2ca Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil> 2013-03-28 11:48:27 +01:00			`<!-- Platform dev key in AOSP -->`
Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml"" This reverts commit 1446e714af0b0c358b5ecf37c5d704c96c72cf7c Hidden dependency has been resolved. Change-Id: Ia535c0b9468ea5f705dff9813186a7fa8bab84ae 2013-03-26 19:19:12 +01:00			`<signer signature="@PLATFORM" >`
Add mac_permissions.xml file. This was moved from external/mac-policy.git 2012-07-30 15:33:03 +02:00			`<seinfo value="platform" />`
			`</signer>`

			`<!-- All other keys -->`
			`<default>`
			`<seinfo value="default" />`
			`</default>`

			`</policy>`