Commit graph

44 commits

Author SHA1 Message Date
Robert Craig
7f2392eeb0 Expand insertkeys.py script to allow union of files.
Allow script to union mac_permissions.xml files
specified using the BOARD_SEPOLICY_DIRS and
BOARD_SEPOLICY_UNION constructs.

Change-Id: I4fc65fd1ab4c612f25e966f030247e54a270b614
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-27 20:34:29 +00:00
Robert Craig
65d4f44c1f Various policy updates.
Assortment of policy changes include:
 * Bluetooth domain to talk to init and procfs.
 * New device node domains.
 * Allow zygote to talk to its executable.
 * Update system domain access to new device node domains.
 * Create a post-process sepolicy with dontaudits removed.
 * Allow rild to use the tty device.

Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-27 06:30:25 -04:00
William Roberts
52fc95d1b7 Fix makefile error with ANDROID_BUILD_TOP
Use TOP instead of ANDROID_BUILD_TOP

Fix spelling issues in keys.conf

Change-Id: Ib90b3041af5ef68f30f4ab78c768ad225987ef2d
2013-03-26 14:10:47 -07:00
Geremy Condra
cd4104e84b Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml""
This reverts commit 1446e714af

Hidden dependency has been resolved.

Change-Id: Ia535c0b9468ea5f705dff9813186a7fa8bab84ae
2013-03-26 18:19:34 +00:00
William Roberts
15b3ceda5c Add BOARD_SEPOLICY_IGNORE
See README for further details.

Change-Id: I4599c7ecd5a552e38de89d0a9e496e047068fe05
2013-03-21 02:55:49 +00:00
Geremy Condra
1446e714af Revert "Dynamic insertion of pubkey to mac_permissions.xml"
This reverts commit 22fc04103b

Change-Id: I2d91b1262e8d0e82a21ea7c5333b1e86f3ed9bee
2013-03-19 22:56:46 +00:00
William Roberts
5a2988fcb5 Remove duplicate paths from sepolicy_replace_paths
Change-Id: I5d5362ad0055275052b0c2ba535b599a8e26112e
2013-03-19 22:49:13 +00:00
Robert Craig
d98d26ef3c property_contexts checks added to checkfc.
Change-Id: If361ea93fabd343728196eed2663fd572ecaa70b
Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
2013-03-19 22:28:46 +00:00
William Roberts
22fc04103b Dynamic insertion of pubkey to mac_permissions.xml
Support the inseretion of the public key from pem
files into the mac_permissions.xml file at build
time.

Change-Id: Ia42b6cba39bf93723ed3fb85236eb8f80a08962a
2012-12-08 09:26:37 +09:00
William Roberts
2c8a55dcf4 Replaceable mac_permission.xml support
Support overriding ma_permissions.xml
in BOARD_SEPOLICY_REPLACE

Change-Id: If0bca8bf29bc431a291b6d7b20de132e68cd6a79
2012-12-06 05:57:49 +09:00
Jean-Baptiste Queru
eab23895cd Merge "Revert "Include su.te only for userdebug/eng builds."" into jb-mr1-dev-plus-aosp 2012-11-01 14:21:26 -07:00
Alice Chu
eefaa83d4c am cdfb06f5: Moved Android policy tools to tools directory
* commit 'cdfb06f55394d68a7df1110d83070961a2cc52aa':
  Moved Android policy tools to tools directory
2012-11-01 14:15:23 -07:00
Kenny Root
9ceb47b0c0 Revert "Include su.te only for userdebug/eng builds."
This reverts commit af56ac1954.

Change-Id: Id658a90b58ea31365051c0878c58393fd055fc69
2012-11-01 13:17:29 -07:00
Alice Chu
cdfb06f553 Moved Android policy tools to tools directory
Change-Id: I57b0dd9f8071eae492020f410c87f465ba820711
2012-11-01 11:33:04 -07:00
Kenny Root
a2517b20cb resolved conflicts for merge of 47cd396b to jb-mr1-dev-plus-aosp
Change-Id: I3112f4cf0fafb6e7e3c9c60084a097f5e6190c22
2012-10-29 16:49:22 -07:00
rpcraig
47cd396b11 Add better per-device sepolicy support.
This is a rewrite of the existing implementation.
Three new variables are now needed to add/modify
the exisitng base policy. They are, BOARD_SEPOLICY_REPLACE
and BOARD_SEPOLICY_UNION which govern what files
are replaced and concatenated, and BOARD_SEPOLICY_DIRS
which lists the various directories that will contain
the BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION
policy files.

Change-Id: Id33381268cef03245c56bc5242fec7da9b6c6493
Signed-off-by: rpcraig <robertpcraig@gmail.com>
2012-10-26 11:17:24 -07:00
Ying Wang
6b964fa1f2 am d8b122c7: Use file target as dependency.
* commit 'd8b122c7bbe3a57620bee0a5c6bfcb8f7c574081':
  Use file target as dependency.
2012-10-26 09:51:39 -07:00
Ying Wang
d8b122c7bb Use file target as dependency.
"sepolicy" is a phony target defined by the build system.
If you use it as dependency of a file target, you'll get unnecessary
rebuild.

Change-Id: I3a948ebbaff6a146050eb86a3d04cdc050f7c001
2012-10-25 19:01:31 -07:00
Stephen Smalley
ced365aa64 am 01a58af1: Add a checkfc utility to check file_contexts validity and invoke it.
* commit '01a58af19494420bb259505bc5404790a21fdd64':
  Add a checkfc utility to check file_contexts validity and invoke it.
2012-10-17 12:57:32 -07:00
Stephen Smalley
01a58af194 Add a checkfc utility to check file_contexts validity and invoke it.
Change-Id: I4b12dc3dcb432edbdf95dd3bc97f809912ce86d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-10-17 12:02:25 -07:00
Kenny Root
44374bc5ed am 659aaced: Remove HAVE_SELINUX guard
* commit '659aaced054c21048c712fe1f5831a86c99213d8':
  Remove HAVE_SELINUX guard
2012-10-16 17:48:23 -07:00
Kenny Root
659aaced05 Remove HAVE_SELINUX guard
Change-Id: I45b4a749bf4fb085d96d912871bae33aa5288119
2012-10-10 10:52:46 -07:00
Stephen Smalley
9822c1d08f am 66a3e8d9: Drop the use of a policy version suffix on the sepolicy file.
* commit '66a3e8d91ef6098dd7cab127530f1cdb7973f53e':
  Drop the use of a policy version suffix on the sepolicy file.
2012-09-18 16:29:39 -07:00
Stephen Smalley
66a3e8d91e Drop the use of a policy version suffix on the sepolicy file.
The policy version suffix support was carried over from conventional
Linux distributions, where we needed to support simultaneous installation
of multiple kernels and policies.  This isn't required for Android, so
get rid of it and thereby simplify the policy pathname.

We still default to generating a specific policy version (the highest
one supported by the emulator kernel), but this can be overridden
by setting POLICYVERS on the make command-line or in the environment.

Requires a corresponding change to libselinux.

Change-Id: I40c88e13e8063ea37c2b9ab5b3ff8b0aa595402a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-09-18 15:11:49 -04:00
Jean-Baptiste Queru
d0f027ccc8 am 10f9a372: Merge upstream sepolicy into AOSP
* commit '10f9a3727a5c46ef23f5f0385ae4ffec20cb46d9':
  Corrected gramatical issues
  Added new line to end of file
  Changed seapp_contexts temporary file naming
  Fix mls checking code
  Support overrides in seapp_contexts
  Add tf_daemon labeling support.
  Add ppp/mtp policy.
  per device seapp_context support
  dhcp policy.
  Trusted Execution Environment policy.
2012-09-05 19:46:52 -07:00
William Roberts
98ed392e68 Changed seapp_contexts temporary file naming
Change-Id: I4f522869eeaa6f84771e4ee2328f65296dcc29db
2012-09-05 11:23:19 -07:00
William Roberts
0ae3a8a2d5 Fix mls checking code
Change-Id: I614caa520e218f8f148eef641fed2301571da8e1
2012-09-04 11:51:04 -07:00
William Roberts
f0e0a94e03 Support overrides in seapp_contexts
Provides support for overriding seapp_contexts declerations
in per device seapp_contexts files.

Change-Id: I23a0ffa1d24f1ce57825b168f29a2e885d3e1c51
2012-09-04 10:55:38 -07:00
William Roberts
171a062571 per device seapp_context support 2012-08-16 14:00:19 -04:00
Jean-Baptiste Queru
aa7fb3be1b resolved conflicts for merge of 0c2e5705 to jb-mr1-dev
Change-Id: Iee1d877788b9397ca29a6cfe7bc3015c3edbe5ac
2012-08-13 09:06:44 -07:00
rpcraig
b19665c39d Add mac_permissions.xml file.
This was moved from external/mac-policy.git
2012-07-30 09:33:03 -04:00
Matt Finifter
af56ac1954 Include su.te only for userdebug/eng builds.
Change-Id: Ia544f13910abbe5e9f6a6cafae397415a41a7a94
2012-07-18 13:25:23 -07:00
William Roberts
dc1072365e Support for ocontexts per device.
ocontexts was split up into 4 files:
1.fs_use
2.genfs_contexts
3.initial_sid_contexts
4.port_contexts

Each file has their respective declerations in them.
Devices, in their respective device directory, can now specify sepolicy.fs_use, sepolicy.genfs_contexts, sepolicy.port_contexts, and sepolicy.initial_sid_contexts. These declerations will be added right behind their respective sepolicy counterparts in the concatenated configuration file.
2012-07-12 10:02:45 -04:00
Joshua Brindle
70d4fc2243 Add selinux network script to policy
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
2012-06-21 09:19:43 -04:00
Stephen Smalley
efd6d6e0da Apply m4 to file_contexts and property_contexts to support includes. 2012-05-18 08:24:25 -04:00
The Android Open Source Project
f5f899c3c0 Merge from upstream sepolicy
Change-Id: I99085d575e3d884fb04ac03ac998eb3c53eb2d9f
2012-04-10 09:52:59 -07:00
Ying Wang
f4ea5b2539 Use the checkpolicy built from source.
Change-Id: I22f49db3d59b50ed8975d8c1146bb9c322adbf7e
2012-04-10 09:11:08 -07:00
Stephen Smalley
124720a697 Add policy for property service.
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
2012-04-04 10:11:16 -04:00
Stephen Smalley
64935c7d87 Limit per-device policy files to a well-defined sepolicy prefix.
Avoid any future collisions with the use of .fc or .te suffixes in the
per-device directories.  If we want multiple file support, add a separate
subdirectory for sepolicy files.
2012-03-06 13:27:39 -05:00
Stephen Smalley
5b340befb4 Add support for per-device .te and .fc files. 2012-03-06 11:12:41 -05:00
Stephen Smalley
7e8cf24f58 Do not build if HAVE_SELINUX=false. 2012-02-02 13:28:28 -05:00
Stephen Smalley
2b826fcbe8 Add a dependency on checkpolicy. 2012-01-24 08:46:13 -05:00
Ying Wang
02fb5f3c6a Rewrite Android.mk. 2012-01-18 14:01:08 -05:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00