Commit graph

3172 commits

Author SHA1 Message Date
Stephen Smalley
78ec44500b am 58b0fb6d: Fix invalid specification for adb_keys.
* commit '58b0fb6ddee7257a6a27f31ba97d47fa23efac15':
  Fix invalid specification for adb_keys.
2013-01-11 15:34:38 -08:00
Stephen Smalley
58b0fb6dde Fix invalid specification for adb_keys.
A prior change added an entry for adb_keys without any security context,
yielding warnings like the following during build:
out/target/product/manta/root/file_contexts:  line 7 is missing fields, skipping

This adds the missing security context field.

Change-Id: If48731c8aa7d22a3f547d0854f288ff68f9006da
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-01-11 15:05:03 -05:00
Colin Cross
19740e1806 am 92b9aa0e: add file_contexts entries for root filesystem
* commit '92b9aa0eeff49e5bc3dc6297f3d35ec41d6ab73d':
  add file_contexts entries for root filesystem
2012-12-28 09:47:47 -08:00
Colin Cross
92b9aa0eef add file_contexts entries for root filesystem
It may be useful to generate an ext4 image of the root filesystem
instead of using a ramdisk.  Whitelist entries in file_contexts to
support selinux labeling a root filesystem image.

Change-Id: I91a38d0aee4408c46cbfe5dc5e6eda198572e90f
2012-12-21 13:55:25 -08:00
William Roberts
22fc04103b Dynamic insertion of pubkey to mac_permissions.xml
Support the insertion of the public key from pem
files into the mac_permissions.xml file at build
time.

Change-Id: Ia42b6cba39bf93723ed3fb85236eb8f80a08962a
2012-12-08 09:26:37 +09:00
William Roberts
2c8a55dcf4 Replaceable mac_permission.xml support
Support overriding mac_permissions.xml
in BOARD_SEPOLICY_REPLACE

Change-Id: If0bca8bf29bc431a291b6d7b20de132e68cd6a79
2012-12-06 05:57:49 +09:00
rpcraig
4c266ba1bc Change security policy so all apps can read /dev/xt_qtaguid.
Generic init.rc allows any process to use
socket tagging. Adjust app policy to ensure
that any app can read from the misc device.

Change-Id: I4076f0fbc1795f57a4227492f6bfc39a4398ffa5
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2012-12-05 10:08:19 -05:00
William Roberts
4e030c2a0f mediaserver.te refactor
Change-Id: Ieaff9f3362c71e25e5c8e7204397a85ff14fff97
2012-11-28 12:18:30 -08:00
William Roberts
e2ad318e45 Label persist audio properties
label all persist.audio.* properties
and allow mediaserver access to them.

Change-Id: If5755d9783dce298e66a25bcb7f17ff17bd83ea7
2012-11-28 12:15:02 -08:00
William Roberts
fff2980a1a Whitespace and doxygen fix
Change-Id: I7b6ad050051854120dc8031b17da6aec0e644be3
2012-11-27 14:20:34 -08:00
Stephen Smalley
7e7003ca16 am e8848726: Add policy for run-as program.
* commit 'e8848726553e3abee6033200c98a657c9ca7cdb8':
  Add policy for run-as program.
2012-11-27 11:25:43 -08:00
Kenny Root
ab1a61f28c am fdaa7869: Merge "README for configuration of selinux policy"
* commit 'fdaa7869a5541b55413f59845dc5f7c56bab0614':
  README for configuration of selinux policy
2012-11-27 11:25:43 -08:00
William Roberts
8afb51c117 am c34a2527: Allow shell to connect to property service
* commit 'c34a2527837daeeef51cde0fe77582d51a3bc744':
  Allow shell to connect to property service
2012-11-27 11:25:42 -08:00
Stephen Smalley
e884872655 Add policy for run-as program.
Add policy for run-as program and label it in file_contexts.
Drop MLS constraints on local socket checks other than create/relabel
as this interferes with connections with services, in particular for
adb forward.

Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-11-27 10:05:42 -08:00
Kenny Root
fdaa7869a5 Merge "README for configuration of selinux policy" 2012-11-27 09:56:59 -08:00
William Roberts
c34a252783 Allow shell to connect to property service
Change-Id: I06ea2b400cc826c684b6ad25e12b021c2667b48a
2012-11-27 08:18:52 -08:00
William Roberts
3f1ed6ec62 README for configuration of selinux policy
This README intends to document the various configuration options
that exist for specifying device specific additions to the policy.

Change-Id: I7db708429a67deeb89b0c155a116606dcbbbc975
2012-11-26 17:16:05 -08:00
Stephen Smalley
ba95362533 am 61c80d5e: Update policy for Android 4.2 / latest master.
* commit '61c80d5ec8632cadcf754eed0986b23284217c06':
  Update policy for Android 4.2 / latest master.
2012-11-19 11:25:54 -08:00
Stephen Smalley
61c80d5ec8 Update policy for Android 4.2 / latest master.
Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.

Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-11-19 09:55:10 -05:00
Jean-Baptiste Queru
82616b4f14 am eab23895: Merge "Revert "Include su.te only for userdebug/eng builds."" into jb-mr1-dev-plus-aosp
* commit 'eab23895cd13ccb2a552dd9713bd1e88cf41e522':
  Revert "Include su.te only for userdebug/eng builds."
2012-11-01 14:24:33 -07:00
Jean-Baptiste Queru
eab23895cd Merge "Revert "Include su.te only for userdebug/eng builds."" into jb-mr1-dev-plus-aosp 2012-11-01 14:21:26 -07:00
Kenny Root
6b3c9e1d3d am 8c87a18d: am df822f41: Merge "Add SELinux policy for asec containers."
* commit '8c87a18d39db0104d97d72ed51e4654c9d29fd4b':
  Add SELinux policy for asec containers.
2012-11-01 14:18:41 -07:00
Alice Chu
dccd2395c1 am eefaa83d: am cdfb06f5: Moved Android policy tools to tools directory
* commit 'eefaa83d4c8437b216718115f6d4d407b2e9d0d8':
  Moved Android policy tools to tools directory
2012-11-01 14:18:41 -07:00
Kenny Root
8c87a18d39 am df822f41: Merge "Add SELinux policy for asec containers."
* commit 'df822f4168b71629e336e3f484028b510ed21ee4':
  Add SELinux policy for asec containers.
2012-11-01 14:15:23 -07:00
Alice Chu
eefaa83d4c am cdfb06f5: Moved Android policy tools to tools directory
* commit 'cdfb06f55394d68a7df1110d83070961a2cc52aa':
  Moved Android policy tools to tools directory
2012-11-01 14:15:23 -07:00
Kenny Root
df822f4168 Merge "Add SELinux policy for asec containers." 2012-11-01 13:54:37 -07:00
Kenny Root
9ceb47b0c0 Revert "Include su.te only for userdebug/eng builds."
This reverts commit af56ac1954.

Change-Id: Id658a90b58ea31365051c0878c58393fd055fc69
2012-11-01 13:17:29 -07:00
Alice Chu
cdfb06f553 Moved Android policy tools to tools directory
Change-Id: I57b0dd9f8071eae492020f410c87f465ba820711
2012-11-01 11:33:04 -07:00
Alice Chu
9eeb758f55 am 83dde220: am f6647eb9: Change 0 to NULL Byte
* commit '83dde22099e69b7751d112b061ca22e24cac639c':
  Change 0 to NULL Byte
2012-10-31 10:46:23 -07:00
Alice Chu
83dde22099 am f6647eb9: Change 0 to NULL Byte
* commit 'f6647eb9f40a6a3d6dc3c1374d583e176a735498':
  Change 0 to NULL Byte
2012-10-31 10:44:02 -07:00
Alice Chu
f6647eb9f4 Change 0 to NULL Byte
Change-Id: I16b47f8dbf64e8dffb550b5a89321f920604ef7a
2012-10-30 16:27:00 -07:00
Kenny Root
2d086adc06 am a2517b20: resolved conflicts for merge of 47cd396b to jb-mr1-dev-plus-aosp
* commit 'a2517b20cb340a6dd19c846b21f34ed0244b65d6':
  Add better per-device sepolicy support.
2012-10-30 10:11:28 -07:00
Kenny Root
a2517b20cb resolved conflicts for merge of 47cd396b to jb-mr1-dev-plus-aosp
Change-Id: I3112f4cf0fafb6e7e3c9c60084a097f5e6190c22
2012-10-29 16:49:22 -07:00
rpcraig
47cd396b11 Add better per-device sepolicy support.
This is a rewrite of the existing implementation.
Three new variables are now needed to add/modify
the existing base policy. They are, BOARD_SEPOLICY_REPLACE
and BOARD_SEPOLICY_UNION which govern what files
are replaced and concatenated, and BOARD_SEPOLICY_DIRS
which lists the various directories that will contain
the BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION
policy files.

Change-Id: Id33381268cef03245c56bc5242fec7da9b6c6493
Signed-off-by: rpcraig <robertpcraig@gmail.com>
2012-10-26 11:17:24 -07:00
Ying Wang
467f85bb8a am 6b964fa1: am d8b122c7: Use file target as dependency.
* commit '6b964fa1f265c1c0d6f236efbf3c471b76fdf05c':
  Use file target as dependency.
2012-10-26 09:54:19 -07:00
Ying Wang
6b964fa1f2 am d8b122c7: Use file target as dependency.
* commit 'd8b122c7bbe3a57620bee0a5c6bfcb8f7c574081':
  Use file target as dependency.
2012-10-26 09:51:39 -07:00
Ying Wang
d8b122c7bb Use file target as dependency.
"sepolicy" is a phony target defined by the build system.
If you use it as dependency of a file target, you'll get unnecessary
rebuild.

Change-Id: I3a948ebbaff6a146050eb86a3d04cdc050f7c001
2012-10-25 19:01:31 -07:00
rpcraig
f1cd33ff05 am 8f4600c0: am 5dbfdc0b: Add double free protection to checkseapp.
* commit '8f4600c0f84584ebbf23f17821b4461e71550f05':
  Add double free protection to checkseapp.
2012-10-23 16:10:53 -07:00
rpcraig
8f4600c0f8 am 5dbfdc0b: Add double free protection to checkseapp.
* commit '5dbfdc0b0fec04d670912c4eed179983f98abe8a':
  Add double free protection to checkseapp.
2012-10-23 16:07:27 -07:00
rpcraig
5dbfdc0b0f Add double free protection to checkseapp.
A double free error occurs when building with non glibc
devices. The hdestroy() function frees all comparison
keys internally in these cases. So avoid an explicit
call to free().

Change-Id: If9c5dc1a969605cd1eeb9218de02a9f8dbbd3ae1
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2012-10-23 13:46:11 -04:00
rpcraig
7672eac5fb Add SELinux policy for asec containers.
Creates 2 new types:
- asec_apk_file : files found under /mnt/asec
                  when the asec images are mounted
- asec_image_file : the actual encrypted apks under
                    /data/app-asec

Change-Id: I963472add1980ac068d3a6d36a24f27233022832
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2012-10-22 14:14:11 -04:00
Kenny Root
560463548f am 84b7472d: am 6766cc9e: Merge "allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access"
* commit '84b7472db097580a68899470b20f5770de9eaf4e':
  allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access
2012-10-19 13:22:11 -07:00
Kenny Root
d7de0b7f4c am ca895fbc: am 91c12e3c: Merge "file class macro cleanup"
* commit 'ca895fbc0b6bf4070c2c275945cbdfae22150590':
  file class macro cleanup
2012-10-19 13:22:06 -07:00
Kenny Root
84b7472db0 am 6766cc9e: Merge "allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access"
* commit '6766cc9e3c1d5dcec5db445a8d06bb6d4f301562':
  allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access
2012-10-19 12:15:12 -07:00
Kenny Root
ca895fbc0b am 91c12e3c: Merge "file class macro cleanup"
* commit '91c12e3c0c7639cae727e8dec2d390474de546f9':
  file class macro cleanup
2012-10-19 12:15:11 -07:00
Kenny Root
6766cc9e3c Merge "allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access" 2012-10-19 11:44:34 -07:00
Kenny Root
91c12e3c0c Merge "file class macro cleanup" 2012-10-19 11:29:38 -07:00
Stephen Smalley
37c885ac1e am ced365aa: am 01a58af1: Add a checkfc utility to check file_contexts validity and invoke it.
* commit 'ced365aa645d35f022f413f53731af61ada812fd':
  Add a checkfc utility to check file_contexts validity and invoke it.
2012-10-17 13:00:21 -07:00
Stephen Smalley
ced365aa64 am 01a58af1: Add a checkfc utility to check file_contexts validity and invoke it.
* commit '01a58af19494420bb259505bc5404790a21fdd64':
  Add a checkfc utility to check file_contexts validity and invoke it.
2012-10-17 12:57:32 -07:00
Stephen Smalley
01a58af194 Add a checkfc utility to check file_contexts validity and invoke it.
Change-Id: I4b12dc3dcb432edbdf95dd3bc97f809912ce86d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-10-17 12:02:25 -07:00