Commit graph

223 commits

Author SHA1 Message Date
Mike Palmiotto
070c01f8f1 tools: Don't error out of insertkeys script on whitespace
Many keys end with whitespace or otherwise have whitespace separating the
certificates.  If insertkeys is intended to support multiple certificates, we
should also support blank line separators.

Change-Id: I5fd17be5785ad1b89a6191e9ba33bbc7c5a4e8e9
2013-10-10 17:40:23 -04:00
William Roberts
1ecb4e8ad1 tools: Correct insert keys behavior on pem files
Insert keys would erroneously process pem files
with openssl headers in them. Also, the tool would
be fooled into attempting to use pem files that
had private keys and other things in the format.
This patch strengthens the formatting requirements
and increases the verboseness of error messages
when processing pem files.

Change-Id: I03353faaa641233a000d1a18943024ae47c63e0f
2013-10-08 10:43:56 -04:00
Stephen Smalley
640991bb3c Extend to check indirect allow rules and conditional rules.
$ sepolicy-check -s untrusted_app -t mediaserver -c binder -p call -P out/target/product/manta/root/sepolicy
Match found!

Also removed loading of initial SIDs as that is not required for
this functionality and it leaks memory as it is never freed.
valgrind now reports no leaks.

Change-Id: Ic7a26fd01c57914e4e96db504d669f5367542a35
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-12 16:26:06 -04:00
Geremy Condra
2b8512cc59 Merge "Add sepolicy-check, a utility for auditing selinux policy." 2013-08-23 19:01:23 +00:00
Geremy Condra
01aaeb6a82 Add sepolicy-check, a utility for auditing selinux policy.
This is based on Joshua Brindle's sepolicy-inject.

Change-Id: Ie75bd56a2996481592dcfe7ad302b52f381d5b18
2013-08-23 11:57:42 -07:00
Richard Haines
1b46b2fe47 Fix insertkeys.py to resolve keys.conf path entries in a portable way
Currently a path to a key in keys.conf must be fully qualified or have
the -d option appended. This fix will allow paths to have environment
variables that will be expanded. This will give portability to the
entries. For example the following entry will now be resolved correctly:
[@NET_APPS]
ALL : $ANDROID_BUILD_TOP/device/demo_vendor/demo_dev/security/net_apps.x509.pem

Change-Id: If4f169d9ed4f37b6ebd062508de058f3baeafead
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2013-08-08 15:13:29 +01:00
William Roberts
5f4e6ee379 am 63297211: Support strict duplicate checking
* commit '632972117a754dc64102cf81154ae6aed86febf3':
  Support strict duplicate checking
2013-05-02 13:36:00 -07:00
William Roberts
3e273da29d am 1e8c061b: Fix segfault on -v with duplicates
* commit '1e8c061b053cdfd808c7a7649c78df4c33ded63d':
  Fix segfault on -v with duplicates
2013-05-02 13:36:00 -07:00
William Roberts
632972117a Support strict duplicate checking
Change-Id: I3bb4755b86a90414a3912c8099dd7a4389249b24
2013-04-29 11:05:40 -07:00
William Roberts
1e8c061b05 Fix segfault on -v with duplicates
Change-Id: Ic040af5cfcd1be22074a691ecdd01e890866bc19
2013-04-19 19:06:02 -07:00
Geremy Condra
020b5ff631 Add a key directory argument to insertkeys.py
This allows us to better integrate key selection with our existing
build process.

Change-Id: I6e3eb5fbbfffb8e31c5edcf16f74df7c38abe537
2013-03-29 16:29:43 -07:00
Robert Craig
7f2392eeb0 Expand insertkeys.py script to allow union of files.
Allow script to union mac_permissions.xml files
specified using the BOARD_SEPOLICY_DIRS and
BOARD_SEPOLICY_UNION constructs.

Change-Id: I4fc65fd1ab4c612f25e966f030247e54a270b614
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-27 20:34:29 +00:00
Geremy Condra
edf7b4c861 Revert "Revert "Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml""""
This reverts commit 60d4d71ead

This should (finally) be fixed in https://android-review.googlesource.com/#/c/54730/

Change-Id: I3dd358560f7236f28387ffbe247fc2b004e303ea
2013-03-26 22:19:03 +00:00
Geremy Condra
60d4d71ead Revert "Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml"""
This reverts commit cd4104e84b

This builds clean locally, but seems to explode on the build servers. Reverting until there's a solution.

Change-Id: I09200db37c193f39c77486d5957a8f5916e38aa0
2013-03-26 19:45:18 +00:00
Geremy Condra
cd4104e84b Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml""
This reverts commit 1446e714af

Hidden dependency has been resolved.

Change-Id: Ia535c0b9468ea5f705dff9813186a7fa8bab84ae
2013-03-26 18:19:34 +00:00
Stephen Smalley
38084146e0 Generalize levelFromUid support.
Introduce a levelFrom=none|app|user|all syntax for specifying
per-app, per-user, or per-combination level assignment.
levelFromUid=true|false remains valid syntax but is deprecated.
levelFromUid=true is equivalent to levelFrom=app.

Update check_seapp to accept the new syntax.
Update seapp_contexts to document the new syntax and switch
from levelFromUid=true to levelFrom=app.  No change in behavior.

Change-Id: Ibaddeed9bc3e2586d524efc2f1faa5ce65dea470
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-20 01:39:25 +00:00
Geremy Condra
1446e714af Revert "Dynamic insertion of pubkey to mac_permissions.xml"
This reverts commit 22fc04103b

Change-Id: I2d91b1262e8d0e82a21ea7c5333b1e86f3ed9bee
2013-03-19 22:56:46 +00:00
Geremy Condra
d06104d873 Merge "property_contexts checks added to checkfc." 2013-03-19 22:42:19 +00:00
Geremy Condra
6d6c617f6d Merge "Whitespace and doxygen fix" 2013-03-19 22:35:44 +00:00
Robert Craig
d98d26ef3c property_contexts checks added to checkfc.
Change-Id: If361ea93fabd343728196eed2663fd572ecaa70b
Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
2013-03-19 22:28:46 +00:00
William Roberts
22fc04103b Dynamic insertion of pubkey to mac_permissions.xml
Support the inseretion of the public key from pem
files into the mac_permissions.xml file at build
time.

Change-Id: Ia42b6cba39bf93723ed3fb85236eb8f80a08962a
2012-12-08 09:26:37 +09:00
William Roberts
fff2980a1a Whitespace and doxygen fix
Change-Id: I7b6ad050051854120dc8031b17da6aec0e644be3
2012-11-27 14:20:34 -08:00
Alice Chu
cdfb06f553 Moved Android policy tools to tools directory
Change-Id: I57b0dd9f8071eae492020f410c87f465ba820711
2012-11-01 11:33:04 -07:00