Allow script to union mac_permissions.xml files
specified using the BOARD_SEPOLICY_DIRS and
BOARD_SEPOLICY_UNION constructs.
Change-Id: I4fc65fd1ab4c612f25e966f030247e54a270b614
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Assortment of policy changes include:
* Bluetooth domain to talk to init and procfs.
* New device node domains.
* Allow zygote to talk to its executable.
* Update system domain access to new device node domains.
* Create a post-process sepolicy with dontaudits removed.
* Allow rild to use the tty device.
Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Support the inseretion of the public key from pem
files into the mac_permissions.xml file at build
time.
Change-Id: Ia42b6cba39bf93723ed3fb85236eb8f80a08962a
This is a rewrite of the existing implementation.
Three new variables are now needed to add/modify
the exisitng base policy. They are, BOARD_SEPOLICY_REPLACE
and BOARD_SEPOLICY_UNION which govern what files
are replaced and concatenated, and BOARD_SEPOLICY_DIRS
which lists the various directories that will contain
the BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION
policy files.
Change-Id: Id33381268cef03245c56bc5242fec7da9b6c6493
Signed-off-by: rpcraig <robertpcraig@gmail.com>
"sepolicy" is a phony target defined by the build system.
If you use it as dependency of a file target, you'll get unnecessary
rebuild.
Change-Id: I3a948ebbaff6a146050eb86a3d04cdc050f7c001
The policy version suffix support was carried over from conventional
Linux distributions, where we needed to support simultaneous installation
of multiple kernels and policies. This isn't required for Android, so
get rid of it and thereby simplify the policy pathname.
We still default to generating a specific policy version (the highest
one supported by the emulator kernel), but this can be overridden
by setting POLICYVERS on the make command-line or in the environment.
Requires a corresponding change to libselinux.
Change-Id: I40c88e13e8063ea37c2b9ab5b3ff8b0aa595402a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* commit '10f9a3727a5c46ef23f5f0385ae4ffec20cb46d9':
Corrected gramatical issues
Added new line to end of file
Changed seapp_contexts temporary file naming
Fix mls checking code
Support overrides in seapp_contexts
Add tf_daemon labeling support.
Add ppp/mtp policy.
per device seapp_context support
dhcp policy.
Trusted Execution Environment policy.
ocontexts was split up into 4 files:
1.fs_use
2.genfs_contexts
3.initial_sid_contexts
4.port_contexts
Each file has their respective declerations in them.
Devices, in their respective device directory, can now specify sepolicy.fs_use, sepolicy.genfs_contexts, sepolicy.port_contexts, and sepolicy.initial_sid_contexts. These declerations will be added right behind their respective sepolicy counterparts in the concatenated configuration file.
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
Avoid any future collisions with the use of .fc or .te suffixes in the
per-device directories. If we want multiple file support, add a separate
subdirectory for sepolicy files.