Commit graph

21 commits

Author SHA1 Message Date
Felix
8c53a331c3 Android.mk: Support SYSTEM_EXT* sepolicy
The new variable name reflects its actual usage.

Keep compatibility with BOARD_PLAT_* because it has been a
convention for years.

Amend the README to document the new variables.

Test: `make selinux_policy` with
      `SYSTEM_EXT_{PUBLIC,PRIVATE}_SEPOLICY_DIRS` set,
      observe additions in `$(TARGET_COPY_OUT_SYSTEM_EXT)/etc/selinux`

Signed-off-by: Felix <google@ix5.org>
Change-Id: If8188feb365eb9e500f2270241fa190a20e9de01
2020-07-14 21:28:51 +02:00
Felix
ec3ac470a9 README: Use BOARD_VENDOR_SEPOLICY_DIRS
BOARD_SEPOLICY_DIRS is deprecated and references should be updated.

Signed-off-by: Felix <google@ix5.org>
Change-Id: I063940a63256a881206740e8a7ecae215f3a5ca8
2019-06-07 09:23:00 +02:00
Bin Chen
14e8fda1d1 sepolicy: Fix the path of policy.conf
Change-Id: Ie2864875a46c2dd5f9be1cd901010c213aa6313c
Signed-off-by: Bin Chen <bin.chen@linaro.org>
2017-02-07 11:12:17 +11:00
Richard Haines
c8801fec63 Ensure newlines are added between context config files
When multiple file_contexts, service_contexts and property_contexts
are processed by the m4(1) macro processor, they will fail if one
or more of the intermediate files final line is not terminated by
a newline. This patch adds an intervening file only containing a
newline.

Change-Id: Ie66b32fe477d08c69e6d6eb1725f658adc384ce4
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2015-12-13 12:01:53 +00:00
William Roberts
d21855824d Android.mk: Add support for BOARD_SEPOLICY_M4DEFS
Allow device builders to pass arbitrary m4 definitions
during the build via make variable BOARD_SEPOLICY_M4DEFS.
This enables OEMs to define their own static policy build
conditionals.

Change-Id: Ibea1dbb7b8615576c5668e47f16ed0eedfa0b73c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-24 23:20:53 +00:00
Stephen Smalley
8e0ca8867e Drop BOARD_SEPOLICY_UNION.
As suggested in the comments on
https://android-review.googlesource.com/#/c/141560/
drop BOARD_SEPOLICY_UNION and simplify the build_policy logic.
Union all files found under BOARD_SEPOLICY_DIRS.

Unlike BOARD_SEPOLICY_REPLACE/IGNORE, on which we trigger an error
to catch any lingering uses and force updating of the BoardConfig.mk
files, we only warn on uses of BOARD_SEPOLICY_UNION to avoid
breaking the build until all device BoardConfig*.mk files have been
updated, and since they should be harmless - the files will be unioned
regardless.

Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-01 10:18:17 -04:00
Stephen Smalley
b4f17069b3 sepolicy: Drop BOARD_SEPOLICY_IGNORE/REPLACE support.
With changes I431c1ab22fc53749f623937154b9ec43469d9645 and
Ia54aa263f2245c7090f4b9d9703130c19f11bd28, it is no longer
legitimate to use BOARD_SEPOLICY_IGNORE or REPLACE with
any of the *_contexts files since the CTS requires the AOSP
entries to be present in the device files.

Further, these changes render BOARD_SEPOLICY_IGNORE unusable for
most policy files since all domains and types referenced within any
of the AOSP *_contexts entries must be defined in the kernel policy, so
you cannot use BOARD_SEPOLICY_IGNORE to exclude any .te file
that defines a type referenced in any of those *_contexts files.
There does not seem to be a significant need for such a facility,
as AOSP policy is small and only domains and types used by most
devices should be defined in external/sepolicy.

BOARD_SEPOLICY_REPLACE is commonly misused to eliminate neverallow rules
from AOSP policy, which will only lead to CTS failures, especially
since change Iefe508df265f62efa92f8eb74fc65542d39e3e74 introduced neverallow
checking on the entire policy via sepolicy-analyze.  The only remaining
legitimate function of BOARD_SEPOLICY_REPLACE is to support overriding
AOSP .te files with more restrictive rule sets.  However, the need for this
facility has been significantly reduced by the fact that AOSP policy
is now fully confined + enforcing for all domains, and further restrictions
beyond AOSP carry a compatibility risk.

Builders of custom policies and custom ROMs still have the freedom to
apply patches on top of external/sepolicy to tighten rule sets (which are
likely more maintainable than maintaining a completely separate copy of
the file via BOARD_SEPOLICY_REPLACE) and/or of using their own separate
policy build system as exemplified by
https://bitbucket.org/quarksecurity/build-policies

Change-Id: I2611e983f7cbfa15f9d45ec3ea301e94132b06fa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-13 10:26:00 -04:00
Stephen Smalley
68a8f780d2 sepolicy: Add an introduction to the README.
The README jumped directly into using the BOARD_SEPOLICY_*
variables for device-specific policy; add a short introduction
describing what external/sepolicy contains and noting where to put
device-specific policy.

Change-Id: I3c800df93d70074384da993a689a5a0771ecb314
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-23 12:37:21 -05:00
dcashman
a8e4ecdefa Update readme to reflect addition of SEPOLICY_IGNORE.
Change-Id: I427c0f4828d45f2c43206c09cb37e3eb30455dee
2014-07-22 14:37:41 -07:00
Robert Craig
9dbd005ad2 Update README.
Commit Icc5febc5fe5a7cccb90ac5b83e6289c2aa5bf069
introduced a new error check for non existent
BOARD_SEPOLICY_UNION files. Need an update to
the docs describing the change.

Change-Id: If96c9046565b05e0811ab2d526ae12a3b8b90bf0
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-03 11:12:27 -05:00
Nick Kralevich
7316b18a6c README: recommend concatenation vs assignment
Recommend using concatenation versus assignment when making
policy declarations inside BoardConfig.mk. This will allow
sepolicy to exist in the vendor directory.

Change-Id: If982217fcb3645d9c6b37a341755b5b65f26fc5f
2013-11-01 16:23:15 -07:00
William Roberts
9793a452e7 readme: add info on generating pem files from apks
Often times OEMs and other integrators will need to create PEM
files from presigned APKs they are integrating. This patch will
update the README to include a technique for doing so.

Change-Id: Ica52269542409d2038cfe30cbd5f28ead2fba4de
2013-10-30 11:48:22 -07:00
William Roberts
fd22922d59 README: Add quip on keys.conf supporting env vars
Since Change-Id: If4f169d9ed4f37b6ebd062508de058f3baeafead
the insert_keys.py tool has had support for expanding
environment variable strings. This change addresses the lack
of an updated README covering said change.

Change-Id: I88e81ea58fb84110da3fc3cfb8b49fd0d6c027c2
2013-10-29 04:52:22 +00:00
Robert Craig
7f2392eeb0 Expand insertkeys.py script to allow union of files.
Allow script to union mac_permissions.xml files
specified using the BOARD_SEPOLICY_DIRS and
BOARD_SEPOLICY_UNION constructs.

Change-Id: I4fc65fd1ab4c612f25e966f030247e54a270b614
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-27 20:34:29 +00:00
Geremy Condra
edf7b4c861 Revert "Revert "Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml""""
This reverts commit 60d4d71ead

This should (finally) be fixed in https://android-review.googlesource.com/#/c/54730/

Change-Id: I3dd358560f7236f28387ffbe247fc2b004e303ea
2013-03-26 22:19:03 +00:00
Geremy Condra
60d4d71ead Revert "Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml"""
This reverts commit cd4104e84b

This builds clean locally, but seems to explode on the build servers. Reverting until there's a solution.

Change-Id: I09200db37c193f39c77486d5957a8f5916e38aa0
2013-03-26 19:45:18 +00:00
Geremy Condra
cd4104e84b Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml""
This reverts commit 1446e714af

Hidden dependency has been resolved.

Change-Id: Ia535c0b9468ea5f705dff9813186a7fa8bab84ae
2013-03-26 18:19:34 +00:00
William Roberts
15b3ceda5c Add BOARD_SEPOLICY_IGNORE
See README for further details.

Change-Id: I4599c7ecd5a552e38de89d0a9e496e047068fe05
2013-03-21 02:55:49 +00:00
Geremy Condra
1446e714af Revert "Dynamic insertion of pubkey to mac_permissions.xml"
This reverts commit 22fc04103b

Change-Id: I2d91b1262e8d0e82a21ea7c5333b1e86f3ed9bee
2013-03-19 22:56:46 +00:00
William Roberts
22fc04103b Dynamic insertion of pubkey to mac_permissions.xml
Support the inseretion of the public key from pem
files into the mac_permissions.xml file at build
time.

Change-Id: Ia42b6cba39bf93723ed3fb85236eb8f80a08962a
2012-12-08 09:26:37 +09:00
William Roberts
3f1ed6ec62 README for configuration of selinux policy
This README intends to document the various configuration options
that exist for specifiying device specific additions to the policy.

Change-Id: I7db708429a67deeb89b0c155a116606dcbbbc975
2012-11-26 17:16:05 -08:00