Commit graph

5455 commits

Author SHA1 Message Date
Stephen Smalley
ba95362533 am 61c80d5e: Update policy for Android 4.2 / latest master.
* commit '61c80d5ec8632cadcf754eed0986b23284217c06':
  Update policy for Android 4.2 / latest master.
2012-11-19 11:25:54 -08:00
Stephen Smalley
61c80d5ec8 Update policy for Android 4.2 / latest master.
Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.

Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-11-19 09:55:10 -05:00
Jean-Baptiste Queru
82616b4f14 am eab23895: Merge "Revert "Include su.te only for userdebug/eng builds."" into jb-mr1-dev-plus-aosp
* commit 'eab23895cd13ccb2a552dd9713bd1e88cf41e522':
  Revert "Include su.te only for userdebug/eng builds."
2012-11-01 14:24:33 -07:00
Jean-Baptiste Queru
eab23895cd Merge "Revert "Include su.te only for userdebug/eng builds."" into jb-mr1-dev-plus-aosp 2012-11-01 14:21:26 -07:00
Kenny Root
6b3c9e1d3d am 8c87a18d: am df822f41: Merge "Add SELinux policy for asec containers."
* commit '8c87a18d39db0104d97d72ed51e4654c9d29fd4b':
  Add SELinux policy for asec containers.
2012-11-01 14:18:41 -07:00
Alice Chu
dccd2395c1 am eefaa83d: am cdfb06f5: Moved Android policy tools to tools directory
* commit 'eefaa83d4c8437b216718115f6d4d407b2e9d0d8':
  Moved Android policy tools to tools directory
2012-11-01 14:18:41 -07:00
Kenny Root
8c87a18d39 am df822f41: Merge "Add SELinux policy for asec containers."
* commit 'df822f4168b71629e336e3f484028b510ed21ee4':
  Add SELinux policy for asec containers.
2012-11-01 14:15:23 -07:00
Alice Chu
eefaa83d4c am cdfb06f5: Moved Android policy tools to tools directory
* commit 'cdfb06f55394d68a7df1110d83070961a2cc52aa':
  Moved Android policy tools to tools directory
2012-11-01 14:15:23 -07:00
Kenny Root
df822f4168 Merge "Add SELinux policy for asec containers." 2012-11-01 13:54:37 -07:00
Kenny Root
9ceb47b0c0 Revert "Include su.te only for userdebug/eng builds."
This reverts commit af56ac1954.

Change-Id: Id658a90b58ea31365051c0878c58393fd055fc69
2012-11-01 13:17:29 -07:00
Alice Chu
cdfb06f553 Moved Android policy tools to tools directory
Change-Id: I57b0dd9f8071eae492020f410c87f465ba820711
2012-11-01 11:33:04 -07:00
Alice Chu
9eeb758f55 am 83dde220: am f6647eb9: Change 0 to NULL Byte
* commit '83dde22099e69b7751d112b061ca22e24cac639c':
  Change 0 to NULL Byte
2012-10-31 10:46:23 -07:00
Alice Chu
83dde22099 am f6647eb9: Change 0 to NULL Byte
* commit 'f6647eb9f40a6a3d6dc3c1374d583e176a735498':
  Change 0 to NULL Byte
2012-10-31 10:44:02 -07:00
Alice Chu
f6647eb9f4 Change 0 to NULL Byte
Change-Id: I16b47f8dbf64e8dffb550b5a89321f920604ef7a
2012-10-30 16:27:00 -07:00
Kenny Root
2d086adc06 am a2517b20: resolved conflicts for merge of 47cd396b to jb-mr1-dev-plus-aosp
* commit 'a2517b20cb340a6dd19c846b21f34ed0244b65d6':
  Add better per-device sepolicy support.
2012-10-30 10:11:28 -07:00
Kenny Root
a2517b20cb resolved conflicts for merge of 47cd396b to jb-mr1-dev-plus-aosp
Change-Id: I3112f4cf0fafb6e7e3c9c60084a097f5e6190c22
2012-10-29 16:49:22 -07:00
rpcraig
47cd396b11 Add better per-device sepolicy support.
This is a rewrite of the existing implementation.
Three new variables are now needed to add/modify
the exisitng base policy. They are, BOARD_SEPOLICY_REPLACE
and BOARD_SEPOLICY_UNION which govern what files
are replaced and concatenated, and BOARD_SEPOLICY_DIRS
which lists the various directories that will contain
the BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION
policy files.

Change-Id: Id33381268cef03245c56bc5242fec7da9b6c6493
Signed-off-by: rpcraig <robertpcraig@gmail.com>
2012-10-26 11:17:24 -07:00
Ying Wang
467f85bb8a am 6b964fa1: am d8b122c7: Use file target as dependency.
* commit '6b964fa1f265c1c0d6f236efbf3c471b76fdf05c':
  Use file target as dependency.
2012-10-26 09:54:19 -07:00
Ying Wang
6b964fa1f2 am d8b122c7: Use file target as dependency.
* commit 'd8b122c7bbe3a57620bee0a5c6bfcb8f7c574081':
  Use file target as dependency.
2012-10-26 09:51:39 -07:00
Ying Wang
d8b122c7bb Use file target as dependency.
"sepolicy" is a phony target defined by the build system.
If you use it as dependency of a file target, you'll get unnecessary
rebuild.

Change-Id: I3a948ebbaff6a146050eb86a3d04cdc050f7c001
2012-10-25 19:01:31 -07:00
rpcraig
f1cd33ff05 am 8f4600c0: am 5dbfdc0b: Add double free protection to checkseapp.
* commit '8f4600c0f84584ebbf23f17821b4461e71550f05':
  Add double free protection to checkseapp.
2012-10-23 16:10:53 -07:00
rpcraig
8f4600c0f8 am 5dbfdc0b: Add double free protection to checkseapp.
* commit '5dbfdc0b0fec04d670912c4eed179983f98abe8a':
  Add double free protection to checkseapp.
2012-10-23 16:07:27 -07:00
rpcraig
5dbfdc0b0f Add double free protection to checkseapp.
A double free error occurs when building with non glibc
devices. The hdestroy() function frees all comparison
keys internally in these cases. So avoid an explicit
call to free().

Change-Id: If9c5dc1a969605cd1eeb9218de02a9f8dbbd3ae1
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2012-10-23 13:46:11 -04:00
rpcraig
7672eac5fb Add SELinux policy for asec containers.
Creates 2 new types:
- asec_apk_file : files found under /mnt/asec
                  when the asec images are mounted
- asec_image_file : the actual encrypted apks under
                    /data/app-asec

Change-Id: I963472add1980ac068d3a6d36a24f27233022832
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2012-10-22 14:14:11 -04:00
Kenny Root
560463548f am 84b7472d: am 6766cc9e: Merge "allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access"
* commit '84b7472db097580a68899470b20f5770de9eaf4e':
  allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access
2012-10-19 13:22:11 -07:00
Kenny Root
d7de0b7f4c am ca895fbc: am 91c12e3c: Merge "file class macro cleanup"
* commit 'ca895fbc0b6bf4070c2c275945cbdfae22150590':
  file class macro cleanup
2012-10-19 13:22:06 -07:00
Kenny Root
84b7472db0 am 6766cc9e: Merge "allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access"
* commit '6766cc9e3c1d5dcec5db445a8d06bb6d4f301562':
  allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access
2012-10-19 12:15:12 -07:00
Kenny Root
ca895fbc0b am 91c12e3c: Merge "file class macro cleanup"
* commit '91c12e3c0c7639cae727e8dec2d390474de546f9':
  file class macro cleanup
2012-10-19 12:15:11 -07:00
Kenny Root
6766cc9e3c Merge "allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access" 2012-10-19 11:44:34 -07:00
Kenny Root
91c12e3c0c Merge "file class macro cleanup" 2012-10-19 11:29:38 -07:00
Stephen Smalley
37c885ac1e am ced365aa: am 01a58af1: Add a checkfc utility to check file_contexts validity and invoke it.
* commit 'ced365aa645d35f022f413f53731af61ada812fd':
  Add a checkfc utility to check file_contexts validity and invoke it.
2012-10-17 13:00:21 -07:00
Stephen Smalley
ced365aa64 am 01a58af1: Add a checkfc utility to check file_contexts validity and invoke it.
* commit '01a58af19494420bb259505bc5404790a21fdd64':
  Add a checkfc utility to check file_contexts validity and invoke it.
2012-10-17 12:57:32 -07:00
Stephen Smalley
01a58af194 Add a checkfc utility to check file_contexts validity and invoke it.
Change-Id: I4b12dc3dcb432edbdf95dd3bc97f809912ce86d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-10-17 12:02:25 -07:00
Kenny Root
b3e8a10e0b am b83bb3f0: Revert "ISSUE 6849488 Bluedroid stack, remove system/bluetooth."
* commit 'b83bb3f05d6fe76ec5dbdd3e669b81ca9563459e':
  Revert "ISSUE 6849488 Bluedroid stack, remove system/bluetooth."
2012-10-16 18:11:27 -07:00
Kenny Root
b83bb3f05d Revert "ISSUE 6849488 Bluedroid stack, remove system/bluetooth."
This reverts commit b620dc60b1.

(cherry picked from commit 128db96282)

Change-Id: I21227e6232c925a42597e5c8fc0fcc0585d7a876
2012-10-16 18:08:53 -07:00
Kenny Root
1cabf0f41e am 44374bc5: am 659aaced: Remove HAVE_SELINUX guard
* commit '44374bc5edc0ed46d402d1f0353fd9ff1e2ee0ac':
  Remove HAVE_SELINUX guard
2012-10-16 17:51:24 -07:00
Kenny Root
44374bc5ed am 659aaced: Remove HAVE_SELINUX guard
* commit '659aaced054c21048c712fe1f5831a86c99213d8':
  Remove HAVE_SELINUX guard
2012-10-16 17:48:23 -07:00
Joshua Brindle
f26d813033 allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access
- allow all apps to connect to the keystore over unix socket
- dhcp runs scripts in /system/etc/dhcpcd/dhcpcd-hooks and creates/removes lease files
- mtp connects to dnsproxyd when a pptp vpn connection is established
- allow appdomain to also open qtaguid_proc and release_app to read qtaguid_device
- WifiWatchDog uses packet_socket when wifi comes up
- apps interact with isolated_apps when an app uses an isolated service and uses sockets for that interaction
- for apps with levelFromUid=true to interact with isolated_app, isolated_app must be an mlstrustedsubject

Change-Id: I09ff676267ab588ad4c73f04d8f23dba863c5949
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
2012-10-16 09:48:40 -04:00
Kenny Root
659aaced05 Remove HAVE_SELINUX guard
Change-Id: I45b4a749bf4fb085d96d912871bae33aa5288119
2012-10-10 10:52:46 -07:00
William Roberts
7104df5cae file class macro cleanup
Change-Id: I328bc882b3d6e200742e017aa23154fb01e638a5
2012-10-04 11:34:57 -07:00
Stephen Smalley
7f5975ca10 am 382381b6: am 3ac1d26a: Switch app_* and isolated to _app and _isolated in seapp_contexts.
* commit '382381b6d108a961967c106a82d4da7f6d5760db':
  Switch app_* and isolated to _app and _isolated in seapp_contexts.
2012-09-26 10:08:29 -07:00
Stephen Smalley
382381b6d1 am 3ac1d26a: Switch app_* and isolated to _app and _isolated in seapp_contexts.
* commit '3ac1d26a585b0cef73b626656e90005617725662':
  Switch app_* and isolated to _app and _isolated in seapp_contexts.
2012-09-26 09:58:23 -07:00
Kenny Root
128db96282 Revert "ISSUE 6849488 Bluedroid stack, remove system/bluetooth."
This reverts commit b620dc60b1.
2012-09-26 08:44:31 -07:00
Stephen Smalley
3ac1d26a58 Switch app_* and isolated to _app and _isolated in seapp_contexts.
The app_* syntax was a legacy of the original approach of looking up
the username returned by getpwuid() and the original username encoding
scheme by bionic.  With the recent changes to move away from this approach,
there is no reason to retain that syntax.  Instead, just use _app to match
app UIDs and _isolated to match isolated service UIDs.  The underscore
prefix is to signify that these are not real usernames and to avoid
conflicts with any system usernames.

Requires a corresponding change to libselinux.

Change-Id: Ic388a12c1c9d3e47386c8849db607140ef8a3d75
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-09-24 10:16:03 -04:00
Zhihai Xu
acbded32b2 Merge "ISSUE 6849488 Bluedroid stack, remove system/bluetooth." into jb-mr1-dev 2012-09-20 16:45:49 -07:00
Stephen Smalley
c6c6aba0ec am 061f254d: Define security labeling for isolated processes.
* commit '061f254def394fdc4784fe6c446bdd779cfec768':
  Define security labeling for isolated processes.
2012-09-20 13:04:55 -07:00
Zhihai Xu
b620dc60b1 ISSUE 6849488 Bluedroid stack, remove system/bluetooth.
remove system/bluetooth dependency.

bug 6849488

Change-Id: I259322385adafa4128deef5324e854bebef2b033
2012-09-20 11:14:34 -07:00
Stephen Smalley
061f254def Define security labeling for isolated processes.
Used when an app service is declared with android:isolatedProcess="true".
Place such processes in a separate domain, and further isolate them
from each other via categories.

Change-Id: I1d64f8278f0619eedb448f9a741f1d2c31985325
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-09-20 11:00:43 -04:00
Stephen Smalley
9822c1d08f am 66a3e8d9: Drop the use of a policy version suffix on the sepolicy file.
* commit '66a3e8d91ef6098dd7cab127530f1cdb7973f53e':
  Drop the use of a policy version suffix on the sepolicy file.
2012-09-18 16:29:39 -07:00
Stephen Smalley
66a3e8d91e Drop the use of a policy version suffix on the sepolicy file.
The policy version suffix support was carried over from conventional
Linux distributions, where we needed to support simultaneous installation
of multiple kernels and policies.  This isn't required for Android, so
get rid of it and thereby simplify the policy pathname.

We still default to generating a specific policy version (the highest
one supported by the emulator kernel), but this can be overridden
by setting POLICYVERS on the make command-line or in the environment.

Requires a corresponding change to libselinux.

Change-Id: I40c88e13e8063ea37c2b9ab5b3ff8b0aa595402a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-09-18 15:11:49 -04:00