Commit graph

73 commits

Author SHA1 Message Date
William Roberts
754f5ea7ee Allow overiding FORCE_PERMISSIVE_TO_UNCONFINED
It's beneficial to be able to overide this in a device makefile
if you need to get the domains into an unconfined state to keep
the logs from filling up on kernel entries without having to add
rules into device specific policy.

Change-Id: I7778be01256ac601f247e4d6e12573d0d23d12a1
2014-12-20 15:15:33 +00:00
William Roberts
f330f37529 Remove network shell script
This seems to not really being used, especially considering
that the init.rc does not have a oneshot service for it, and its
not using the build_policy() and other things to even make it
configurable.

Change-Id: I964f94b30103917ed39cf5d003564de456b169a5
2014-11-13 07:34:39 -08:00
Stephen Smalley
ee58864b95 Revert "DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true"
Change-Id I52fd5fbe30a7f52f1143f176915ce55fb6a33f87 was only intended
for lollipop, not for master.

This reverts commit 2aa727e3f0.

Change-Id: If2101939eb50cd6bbcde118b91c003d1f30d811c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-11-07 09:50:38 -05:00
Nick Kralevich
39f92a8350 am f7e98fe2: Merge "recovery.te: add /data neverallow rules"
* commit 'f7e98fe2c988d88a4a98a1fdfd07561cef013e5c':
  recovery.te: add /data neverallow rules
2014-11-06 19:22:09 +00:00
Nick Kralevich
a17a266e7e recovery.te: add /data neverallow rules
Recovery should never be accessing files from /data.
In particular, /data may be encrypted, and the files within
/data will be inaccessible to recovery, because recovery doesn't
know the decryption key.

Enforce write/execute restrictions on recovery. We can't tighten
it up further because domain.te contains some /data read-only
access rules, which shouldn't apply to recovery but do.

Create neverallow_macros, used for storing permission macros
useful for neverallow rules. Standardize recovery.te and
property_data_file on the new macros.

Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88
2014-11-05 15:30:41 -08:00
dcashman
5a6ac67476 am 3fe1bcbb: Merge "Generate selinux_policy.xml as part of CTS build."
* commit '3fe1bcbb8d2f2e17e7506d7fb0302068c9ccc915':
  Generate selinux_policy.xml as part of CTS build.
2014-08-04 20:24:23 +00:00
dcashman
704741a5c2 Generate selinux_policy.xml as part of CTS build.
Bug: 16563899
Bug: 14251916
Change-Id: Id3172b73f10186ba361caf6b7333e5d2a0648475
2014-07-28 17:57:22 -07:00
Nick Kralevich
2aa727e3f0 DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true
Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're preparing a release,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Without this change, our user builds will behave differently than
userdebug builds, complicating testing.

Change-Id: I52fd5fbe30a7f52f1143f176915ce55fb6a33f87
2014-07-14 09:15:08 -07:00
Nick Kralevich
db644f98ad am 8eb63f24: am b0ee91a4: Merge "Add SELinux rules for service_manager."
* commit '8eb63f24bb34639d76246a2fe0276f5cada5c764':
  Add SELinux rules for service_manager.
2014-06-12 21:13:06 +00:00
Nick Kralevich
8eb63f24bb am b0ee91a4: Merge "Add SELinux rules for service_manager."
* commit 'b0ee91a418a899dbd39678711ea65ed60418154e':
  Add SELinux rules for service_manager.
2014-06-12 21:06:37 +00:00
Riley Spahn
f90c41f6e8 Add SELinux rules for service_manager.
Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
2014-06-12 20:46:07 +00:00
Robert Craig
33bf667ab1 am ec87ecb9: am 8571ed16: am 8b7545bf: Build the selinux_version file.
* commit 'ec87ecb99187ce4e7c4b01e3e2ff79e9f61a5968':
  Build the selinux_version file.
2014-05-31 11:38:45 +00:00
Robert Craig
ec87ecb991 am 8571ed16: am 8b7545bf: Build the selinux_version file.
* commit '8571ed162e85c507ea93b06c6816cdf99019625a':
  Build the selinux_version file.
2014-05-31 08:49:29 +00:00
Robert Craig
8b7545bf57 Build the selinux_version file.
The selinux_version file is used to perform policy
versioning checks by libselinux and SELinuxMMAC. When
loading policy a check is first performed to determine
if the policy out in /data/security/current should be
used to override the base policy shipped with the device.
The selinux_version file is used to make that choice. The
contents of the file simply contains the BUILD_FINGERPRINT
that the policy was built against. A simple string comparison
is then performed by libselinux and SELinuxMMAC.

Change-Id: I69d9d071743cfd46bb247c98f94a193396f8ebbd
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-05-30 20:24:18 +00:00
Stephen Smalley
4a247480b3 am c664083b: am ffbba62e: am e60723ab: Create a separate recovery policy.
* commit 'c664083badd1c73c144f53354c015681cd7e6951':
  Create a separate recovery policy.
2014-05-30 19:01:44 +00:00
Stephen Smalley
c664083bad am ffbba62e: am e60723ab: Create a separate recovery policy.
* commit 'ffbba62eafb759573aad4bcdc77d56026697ea00':
  Create a separate recovery policy.
2014-05-30 18:27:02 +00:00
Stephen Smalley
e60723ab59 Create a separate recovery policy.
Create a separate recovery policy and only include the
recovery domain allow rules in it.

Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 12:53:32 -04:00
Nick Kralevich
863b282366 am d188f5be: Merge "DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true" into klp-modular-dev
* commit 'd188f5be07e168c19a2cd46439c0319f4866c641':
  DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true
2014-02-05 23:50:47 +00:00
Nick Kralevich
2772e78ff9 DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true
Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're approaching stabilization,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Change-Id: I1467b6b633934b18689683f3a3085329bb96dae1
2014-02-05 14:57:14 -08:00
Robert Craig
6b0ff4756a Catch nonexistent BOARD_SEPOLICY_UNION policy files.
Added a new check to make sure that all listed
BOARD_SEPOLICY_UNION files are located somewhere
in the listed BOARD_SEPOLICY_DIRS locations. The
build will error out otherwise.

Change-Id: Icc5febc5fe5a7cccb90ac5b83e6289c2aa5bf069
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-01-29 13:14:49 -05:00
Nick Kralevich
623975fa5a Support forcing permissive domains to unconfined.
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
2014-01-11 13:29:51 -08:00
Nick Kralevich
88ce951d89 Create new conditional userdebug_or_eng
Create a new m4 macro called userdebug_or_eng. Arguments
passed to this macro are only emitted if we're performing
a userdebug or eng build.

Merge shell.te and shell_user.te and eliminate duplicate
lines. Same for su.te and su_user.te

Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0
2014-01-09 15:31:37 -08:00
Stephen Smalley
d99e6d5fa1 Restrict the ability to set SELinux enforcing mode to init.
Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.

Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-02 15:59:04 -05:00
Nick Kralevich
c3c9052bc7 Make DEFAULT_SYSTEM_DEV_CERTIFICATE available in keys.conf
In 9af6f1bd59, the -d option
was dropped from insertkeys.py. This was done to allow an
Android distribution to replace the default version of
keys.conf distributed in external/sepolicy/keys.conf. keys.conf
was modified to reference the publicly known test keys in
build/target/product/security.

Unfortunately, this broke Google's build of Android. Instead
of incorporating our keys directory, we were using the
default AOSP keys. As a result, apps were getting assigned
to the wrong SELinux domain. (see "Steps to reproduce" below)

This change continues to allow others to replace keys.conf,
but makes DEFAULT_SYSTEM_DEV_CERTIFICATE available as an
environment variable in case the customized version wants to
make reference to it. This change also modifies the stock
version of keys.conf to use DEFAULT_SYSTEM_DEV_CERTIFICATE,
which should be appropriate for most Android distributions.
It doesn't make any sense to force each OEM to have a copy of
this file.

Steps to reproduce.

1) Compile and boot Android.
2) Run the following command: "adb shell ps -Z | grep process.media"

Expected:

  $ adb shell ps -Z | grep process.media
  u:r:media_app:s0               u0_a5     1332  202   android.process.media

Actual:

  $ adb shell ps -Z | grep process.media
  u:r:untrusted_app:s0           u0_a5     3617  187   android.process.media

Bug: 11327304
Change-Id: Ica24fb25c5f9c0e2f4d181718c757cf372467822
2013-10-28 13:08:14 -07:00
William Roberts
9af6f1bd59 Drop -d option on insertkeys.py in Android.mk
This breaks the ability for users to have certs in many
directories. Currently the design is to allow keys.conf
to specify arbitrary locations for pem files, relative to
the root of the Android tree. If users want to have a
common prefix on all the keys, then they can export
DEFAULT_SYSTEM_DEV_CERTIFICATE, and make that an environment
variable in their keys.conf file.

Signed-off-by: William Roberts <wroberts@tresys.com>

Change-Id: I23455b891206cab6eca7db08ff3c28283f87c640
Signed-off-by: William Roberts <wroberts@tresys.com>
2013-09-06 09:51:27 +00:00
Stephen Smalley
e267afa320 am e543a8bc: Increase policy version to 26.
* commit 'e543a8bc2a2d08ff381e5ae9e34cc2a094acf895':
  Increase policy version to 26.
2013-04-01 11:09:14 -07:00
Stephen Smalley
e543a8bc2a Increase policy version to 26.
Increase the SELinux policy version to 26.  This is needed
for name-based transitions used by the manta sepolicy.
Requires kernel 3.0 or higher.

Change-Id: I046fa9f7122f77506c70b2c735345bc0194935df
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-04-01 13:42:25 -04:00
Geremy Condra
020b5ff631 Add a key directory argument to insertkeys.py
This allows us to better integrate key selection with our existing
build process.

Change-Id: I6e3eb5fbbfffb8e31c5edcf16f74df7c38abe537
2013-03-29 16:29:43 -07:00
William Roberts
e693ed7c18 Remove the su domain from -user builds.
Change-Id: I86f2f28f7c558b8e9a70e5aa9ebcfa8bf26f9ef7
2013-03-27 13:39:12 -07:00
Robert Craig
7f2392eeb0 Expand insertkeys.py script to allow union of files.
Allow script to union mac_permissions.xml files
specified using the BOARD_SEPOLICY_DIRS and
BOARD_SEPOLICY_UNION constructs.

Change-Id: I4fc65fd1ab4c612f25e966f030247e54a270b614
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-27 20:34:29 +00:00
Robert Craig
65d4f44c1f Various policy updates.
Assortment of policy changes include:
 * Bluetooth domain to talk to init and procfs.
 * New device node domains.
 * Allow zygote to talk to its executable.
 * Update system domain access to new device node domains.
 * Create a post-process sepolicy with dontaudits removed.
 * Allow rild to use the tty device.

Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-27 06:30:25 -04:00
William Roberts
52fc95d1b7 Fix makefile error with ANDROID_BUILD_TOP
Use TOP instead of ANDROID_BUILD_TOP

Fix spelling issues in keys.conf

Change-Id: Ib90b3041af5ef68f30f4ab78c768ad225987ef2d
2013-03-26 14:10:47 -07:00
Geremy Condra
cd4104e84b Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml""
This reverts commit 1446e714af

Hidden dependency has been resolved.

Change-Id: Ia535c0b9468ea5f705dff9813186a7fa8bab84ae
2013-03-26 18:19:34 +00:00
William Roberts
15b3ceda5c Add BOARD_SEPOLICY_IGNORE
See README for further details.

Change-Id: I4599c7ecd5a552e38de89d0a9e496e047068fe05
2013-03-21 02:55:49 +00:00
Geremy Condra
1446e714af Revert "Dynamic insertion of pubkey to mac_permissions.xml"
This reverts commit 22fc04103b

Change-Id: I2d91b1262e8d0e82a21ea7c5333b1e86f3ed9bee
2013-03-19 22:56:46 +00:00
William Roberts
5a2988fcb5 Remove duplicate paths from sepolicy_replace_paths
Change-Id: I5d5362ad0055275052b0c2ba535b599a8e26112e
2013-03-19 22:49:13 +00:00
Robert Craig
d98d26ef3c property_contexts checks added to checkfc.
Change-Id: If361ea93fabd343728196eed2663fd572ecaa70b
Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
2013-03-19 22:28:46 +00:00
William Roberts
22fc04103b Dynamic insertion of pubkey to mac_permissions.xml
Support the inseretion of the public key from pem
files into the mac_permissions.xml file at build
time.

Change-Id: Ia42b6cba39bf93723ed3fb85236eb8f80a08962a
2012-12-08 09:26:37 +09:00
William Roberts
2c8a55dcf4 Replaceable mac_permission.xml support
Support overriding ma_permissions.xml
in BOARD_SEPOLICY_REPLACE

Change-Id: If0bca8bf29bc431a291b6d7b20de132e68cd6a79
2012-12-06 05:57:49 +09:00
Jean-Baptiste Queru
eab23895cd Merge "Revert "Include su.te only for userdebug/eng builds."" into jb-mr1-dev-plus-aosp 2012-11-01 14:21:26 -07:00
Alice Chu
eefaa83d4c am cdfb06f5: Moved Android policy tools to tools directory
* commit 'cdfb06f55394d68a7df1110d83070961a2cc52aa':
  Moved Android policy tools to tools directory
2012-11-01 14:15:23 -07:00
Kenny Root
9ceb47b0c0 Revert "Include su.te only for userdebug/eng builds."
This reverts commit af56ac1954.

Change-Id: Id658a90b58ea31365051c0878c58393fd055fc69
2012-11-01 13:17:29 -07:00
Alice Chu
cdfb06f553 Moved Android policy tools to tools directory
Change-Id: I57b0dd9f8071eae492020f410c87f465ba820711
2012-11-01 11:33:04 -07:00
Kenny Root
a2517b20cb resolved conflicts for merge of 47cd396b to jb-mr1-dev-plus-aosp
Change-Id: I3112f4cf0fafb6e7e3c9c60084a097f5e6190c22
2012-10-29 16:49:22 -07:00
rpcraig
47cd396b11 Add better per-device sepolicy support.
This is a rewrite of the existing implementation.
Three new variables are now needed to add/modify
the exisitng base policy. They are, BOARD_SEPOLICY_REPLACE
and BOARD_SEPOLICY_UNION which govern what files
are replaced and concatenated, and BOARD_SEPOLICY_DIRS
which lists the various directories that will contain
the BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION
policy files.

Change-Id: Id33381268cef03245c56bc5242fec7da9b6c6493
Signed-off-by: rpcraig <robertpcraig@gmail.com>
2012-10-26 11:17:24 -07:00
Ying Wang
6b964fa1f2 am d8b122c7: Use file target as dependency.
* commit 'd8b122c7bbe3a57620bee0a5c6bfcb8f7c574081':
  Use file target as dependency.
2012-10-26 09:51:39 -07:00
Ying Wang
d8b122c7bb Use file target as dependency.
"sepolicy" is a phony target defined by the build system.
If you use it as dependency of a file target, you'll get unnecessary
rebuild.

Change-Id: I3a948ebbaff6a146050eb86a3d04cdc050f7c001
2012-10-25 19:01:31 -07:00
Stephen Smalley
ced365aa64 am 01a58af1: Add a checkfc utility to check file_contexts validity and invoke it.
* commit '01a58af19494420bb259505bc5404790a21fdd64':
  Add a checkfc utility to check file_contexts validity and invoke it.
2012-10-17 12:57:32 -07:00
Stephen Smalley
01a58af194 Add a checkfc utility to check file_contexts validity and invoke it.
Change-Id: I4b12dc3dcb432edbdf95dd3bc97f809912ce86d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-10-17 12:02:25 -07:00
Kenny Root
44374bc5ed am 659aaced: Remove HAVE_SELINUX guard
* commit '659aaced054c21048c712fe1f5831a86c99213d8':
  Remove HAVE_SELINUX guard
2012-10-16 17:48:23 -07:00