Commit graph

475 commits

Author SHA1 Message Date
Dan Cashman
9c03807223 Split seapp_contexts into plat and nonplat components.
Bug: 33746381
Test: Device boots with no extra denials.
Change-Id: I2f0da92367851142e0d7df4afec8861ceaed9d3e
2017-01-09 10:10:59 -08:00
dcashman
d225b6979d Split file_contexts for on-device compilation.
Simulate platform and non-platform split by compiling two different
file_contexts files and loading them together on-device.  Leave the existing
file_contexts.bin in place until we're ready to build images based on the new
files.

Bug: 31363362
Test: Builds and boots without additional denials.
Change-Id: I7248f876e2230cee3b3cbf386422063da1e3dde0

Bring back file_contexts.bin.

Change-Id: Ifec2c363579151080fdec48e8bc46bbbc8c97674
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-05 11:22:45 -08:00
Richard Uhler
c5c3abc6bc Remove option for non-pic dex preopt.
Test: make checkbuild, aosp_bullhead-userdebug boots.
Bug: 33192586

Change-Id: I386df8b6c04fb162f79a4409801ce3e882026ea8
2016-12-28 08:49:55 +00:00
Steven Moreland
52b759777b Remove ENABLE_TREBLE from sepolicy.
Enabling/disabling sepolicy based on ENABLE_TREBLE is not granular
enough (ref: b/32978887 #4).

Bug: 32978887
Test: compiles, doesn't cause any additional denials on device. Nothing
depends on these things I'm removing.
Change-Id: I10acbde16e5e2093f2c9205ed79cd20caed7f44d
2016-12-21 12:29:02 -08:00
Daniel Cashman
65d01349a0 Revert "Move sepolicy and recovery from on-device tree and add dependency."
This reverts commit cf5c6ecb93.

Change-Id: Ie86a6ac20ab5a1611efc0e167c0430eb9df9482e
2016-12-17 00:53:26 +00:00
Dan Cashman
cf5c6ecb93 Move sepolicy and recovery from on-device tree and add dependency.
Prevent sepolicy and sepolicy.recover from showing up in the root
filesystem when they will not be created as part of it.  Also make
sure both are added as dependencies to version_policy to ensure the
neverallow checks are run.

Bug: 31363362
Test: Builds and boots, including recovery, without additional
  denials.  Neverallow violations still caught at build time.

Change-Id: I39e3cbc150551c9316952523927d057538cd00a7
2016-12-16 14:29:59 -08:00
Dan Cashman
1c04027795 Switch recovery to versioned policy and split into components.
And do some clean up:
Replace LOCAL_TARGET_ARCH with global arch specifier that won't get
clobbered, clean up sepolicy.recovery's eng specification, ensure that
build macros are applied across all policy generation, not just
plat_policy, and make sure that all private variables are cleared and
alphabetized at the end.

Bug: 31363362
Bug: 31369363
Test: Boot into recovery and observe no selinux denials.
Change-Id: Ibc15b097f6d19acf01f6b22bee0e083b15f4ef75
2016-12-16 10:19:17 -08:00
dcashman
90b3b94897 Split mac_permissions.xml into plat and non-plat components.
Bug: 31363362
Test: Bullhead and Sailfish both build and boot w/out new denials.
Change-Id: If6a451ddaab8c9b78a618c49b116a7ed766d0710
2016-12-15 10:20:35 -08:00
dcashman
1faa644c81 Split policy for on-device compilation.
Simulate platform and non-platform split by sending the split files to the
device to be compiled by init.

Bug: 31363362
Test: Policy builds on-device and boots.  sediff shows no difference.
Change-Id: I9627d1c66ca37786d97a049666278a4992ad7579
2016-12-13 10:06:12 -08:00
dcashman
0779155805 Restore checkfc and neverallow checks.
Bug: 33388095
Test: Builds and boots.
Change-Id: Ief9064a16fc733bed54eb76f509ff5aaf5db4baf
2016-12-07 11:27:47 -08:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00
Jorge Lucangeli Obes
2899434716 Add WITH_DEXPREOPT_PIC to 'with_dexpreopt' SELinux macro.
|WITH_DEXPREOPT_PIC = false| will still cause code to be loaded from
/data.

Bug: 32970029
Test: On HiKey and Marlin:
Test: Add |WITH_DEXPREOPT_PIC = false|, see SELinux denial.
Test: Apply this CL, no SELinux denials.
Change-Id: I0a1d39eeb4d7f75d84c1908b879d9ea1ccffba74
2016-11-21 11:57:08 -05:00
Jorge Lucangeli Obes
84db84e6cd Use with_dexpreopt macro for zygote execute permissions.
When WITH_DEXPREOPT is set, the zygote does not need to execute
dalvikcache_data_file objects.

Bug: 32970029
Test: Add policy line inside macro, build with and without WITH_DEXPREOPT.
Test: HiKey builds, boots, no zygote denials.
Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 14:22:37 -05:00
Jeff Vander Stoep
d733d161cf Add macros for treble and non-treble only policy
Test: builds
Change-Id: Idd1d90a89a9ecbb2738d6b483af0e8479e87aa15
2016-10-19 15:05:05 -07:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Douglas Leung
5807d1d2b9 Fix ioctl defines for Mips.
This patch allows mips to boot in enforcing mode.

Change-Id: Ia4676db06adc3ccb20d5f231406cf4ab67317496
2016-08-29 14:43:07 -07:00
William Roberts
7d9487c996 Merge \"service_contexts: strip blank lines and comments\"
am: afad0c35ec

Change-Id: Id4a4937cc3b7c2ddd6d363144e6fafc90be60498
2016-07-18 22:56:49 +00:00
William Roberts
a584f2f6cd Merge \"property_contexts: strip blank lines and comments\"
am: ee69a2e775

Change-Id: If61f5720180243ec1b5aa9e16d66c95c37f49b88
2016-07-15 21:24:34 +00:00
William Roberts
c9fce3fa59 service_contexts: strip blank lines and comments
Strip whitespace and comments from service_context files
to reduce size. On an aosp_x86_64 build it saves 36 bytes.

However, on builds with more synclines and comments, further
space savings can be realized.

Change-Id: I3cb4effad1d1b404bf53605a3793e3070cb95651
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-07-01 15:01:13 +00:00
William Roberts
371918c1fe property_contexts: strip blank lines and comments
Strip whitespace and comments from property_context files
to reduce size. On an aosp_x86_64 build it saves 851 bytes.

However, on builds with more synclines and comments, further
space savings can be realized.

Change-Id: I43caf1deaab53d4753c835918898c8982f477ef0
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-07-01 15:01:01 +00:00
Shinichiro Hamaji
2f7b0514fa Merge "Add keys to prerequisites of mac_permissions.xml" am: d1eb0ede9c
am: a8f65aa156

* commit 'a8f65aa156331487153456ed111b7feb1434355e':
  Add keys to prerequisites of mac_permissions.xml

Change-Id: I9b6f11e61f31ec6c11ec35283eff4936b66497f9
2016-05-17 04:09:02 +00:00
Shinichiro Hamaji
ef0c14d3a2 Add keys to prerequisites of mac_permissions.xml
Bug: 27954979
Change-Id: Ia0403e2dc2726523a41742e23beff29b47274392
2016-05-13 16:04:58 +09:00
Nick Kralevich
3116b83f83 suppress unnecessary makefile output am: 6ef10bd48b
am: 1274aa15d4

* commit '1274aa15d415ea317c48b321445583bf25999b6a':
  suppress unnecessary makefile output
2016-03-02 01:47:59 +00:00
Nick Kralevich
6ef10bd48b suppress unnecessary makefile output
checkpolicy spits out a bunch of unnecessary lines during normal
operation, which bloat the logs and hide other more important
warnings. Suppress the normal output.

SELinux compile time errors are printed to stderr, and are
uneffected by this change.

Change-Id: I07f2cbe8afcd14abf1c025355a169b5214ed5c6e
2016-02-29 16:59:33 -08:00
Nick Kralevich
6710e5c377 Don\'t allow permissive SELinux domains on user builds. am: bca98efa57
am: 0551e9e8d4

* commit '0551e9e8d4764578d7304d695ba20040a6e0ea0b':
  Don't allow permissive SELinux domains on user builds.
2016-02-27 04:39:39 +00:00
Nick Kralevich
bca98efa57 Don't allow permissive SELinux domains on user builds.
It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.

In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.

A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:

  userdebug_or_eng(`
    permissive foo;
  ')

Bug: 26902605
Bug: 27313768
Change-Id: Ic0971d9e96a28f2a98f9d56a547661d24fb81a21
2016-02-26 20:06:52 -08:00
Jeffrey Vander Stoep
7a29402717 Merge changes from topic \'fc_sort-2\' am: 87a73f199a
am: af77ab6b13

* commit 'af77ab6b136b0c4d44e912bbd2b98f958f7ceb45':
  fc_sort: initial commit
  checkfc: do not die on 0 length fc's
2016-01-15 19:41:30 +00:00
William Roberts
49693f1b4d fc_sort: initial commit
Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: I3775eae11bfa5905cad0d02a0bf26c76ac03437c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-14 17:39:07 -08:00
Jeffrey Vander Stoep
b9053767ab Merge "Revert "fc_sort: initial commit"" am: 5de7574a59
am: 62871e5874

* commit '62871e5874e6b1663c732c7f2a2b2d6b36604534':
  Revert "fc_sort: initial commit"
2016-01-15 01:12:54 +00:00
Jeffrey Vander Stoep
b1fb7e4037 Revert "fc_sort: initial commit"
Breaks builds with no device specific policy.

Bug: 26568553
This reverts commit 29d146887e.

Change-Id: If9254d4ad3f104a96325beedebc05dd22664084a
2016-01-14 23:28:51 +00:00
Jeffrey Vander Stoep
a654d9f3aa Merge "fc_sort: initial commit" am: 2dea4525f3
am: faddabe6f5

* commit 'faddabe6f58f30f81938b928597ee7a792c34984':
  fc_sort: initial commit
2016-01-14 20:19:47 +00:00
William Roberts
29d146887e fc_sort: initial commit
Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: Id79cc6f434c41179d5c0d0d739c4718918b0b1dc
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-07 10:11:52 -08:00
Jeffrey Vander Stoep
9aa378ec31 Merge "Reduce socket ioctl perms" 2016-01-04 22:06:54 +00:00
Jeff Vander Stoep
cbaa2b7d37 Reduce socket ioctl perms
Reduce the socket ioctl commands available to untrusted/isolated apps.
Neverallow accessing sensitive information or setting of network parameters.
Neverallow access to device private ioctls i.e. device specific
customizations as these are a common source of driver bugs.

Define common ioctl commands in ioctl_defines.

Bug: 26267358
Change-Id: Ic5c0af066e26d4cb2867568f53a3e65c5e3b5a5d
2016-01-04 12:15:19 -08:00
Daniel Cashman
efeac86de4 Merge changes from topic \'sepolicy-makefile-cleanup\' am: 1e5b7a1962
am: 26f06d172d

* commit '26f06d172dc2b55c42b1543c7ef02563241efce1':
  Android.mk: cleanse all set but not unset variables
  Android.mk: clean dependencies and clear variables
2015-12-29 17:39:18 +00:00
William Roberts
50a478ef72 Android.mk: cleanse all set but not unset variables
Discovered by diffing the set of "set variables" with
the set of "cleared variables".

Script:

mydir=$(mktemp -d)

grep -E '(^[a-z].)[a-z0-9_\.]*\s*:?=.' Android.mk  | cut -d' ' -f 1-1 | sort | uniq > $mydir/set_vars
grep -E '(^[a-z].)[a-z0-9_\.]*\s*:?=$' Android.mk | cut -d' ' -f1-1 | sort | uniq > $mydir/unset_vars
diff $mydir/set_vars $mydir/unset_vars
rm -rf $mydir

Change-Id: Ib50abac6b417a1bcc1894d9a7bafdbdca371006a
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-12-28 16:19:54 -08:00
William Roberts
46749752e5 Android.mk: clean dependencies and clear variables
Dependencies being built with newline files in between
were also including the list of files without the newlines,
thus make would have to process 3n-1 files instead of 2n-1
where n is the number of files to process.

Additionally the *_with_nl variables were not being cleared
out and polluting Make's global name-space.

Change-Id: I76ea1a3dfae994b32991730aea7e4308da52a583
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-12-28 16:17:24 -08:00
William Roberts
4b412232c1 sectxfile_nl: fix superfluous dependencies am: cb1ab9858e
am: aeb403f233

* commit 'aeb403f233ada241a099777ccd0ef3b007e935e2':
  sectxfile_nl: fix superfluous dependencies
2015-12-16 23:44:41 +00:00
William Roberts
cb1ab9858e sectxfile_nl: fix superfluous dependencies
The target sectxfile_nl, which is an auto-generated newline file,
has dependencies on itself and the other files. The dependencies
should be on the other files and this newline file, not the other
way around. Ideally, the *_contexts recipes should have the
dependency recorded for their "contexts" files and the newline
file.

Additionally, recipe dependencies for building the *_contexts files
depended on the list of all the contexts files with the newline file
in that list, however an additional explicit addition of the newline
file was also added in. Remove this, since its in the full list of
files.

Change-Id: Iac658923f23a8d9263d392c44003b6bda4064646
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-12-16 14:01:58 -08:00
Jeffrey Vander Stoep
e927937f2d Merge "checkfc: add attribute test" am: d48773ab3e
am: c435b7590b

* commit 'c435b7590bd7d7f0594d48976fe931d1f6c07f32':
  checkfc: add attribute test
2015-12-16 16:35:36 +00:00
William Roberts
ad3cb39e54 checkfc: add attribute test
Enable checkfc to check *_contexts against a set of valid attributes
which must be associated with all types in the contexts file that
is being checked.

Since it's imperative that checkfc knows which file its checking to
choose the proper attribute set, the -s option is introduced to
indicate the service_contexts file. The property_contexts file continues
to use the existing -p and file_contexts requires no specification, aka
it's the default.

Failure examples:
file_contexts:
Error: type "init" is not of set: "fs_type, dev_type, file_type"

service_contexts:
Error: type "init_exec" is not of set: "service_manager_type"

property_contexts:
Error: type "bluetooth_service" is not of set: "property_type"

Change-Id: I62077e4d0760858a9459e753e14dfd209868080f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-12-14 23:37:10 +00:00
Nick Kralevich
edb41d8744 Merge "Ensure newlines are added between context config files" am: d6765a99f3
am: 5cfd34957e

* commit '5cfd34957e48cd79e53fbfb8aa4acf1d53f8f638':
  Ensure newlines are added between context config files
2015-12-13 14:45:40 -08:00
Richard Haines
c8801fec63 Ensure newlines are added between context config files
When multiple file_contexts, service_contexts and property_contexts
are processed by the m4(1) macro processor, they will fail if one
or more of the intermediate files final line is not terminated by
a newline. This patch adds an intervening file only containing a
newline.

Change-Id: Ie66b32fe477d08c69e6d6eb1725f658adc384ce4
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2015-12-13 12:01:53 +00:00
Jeff Vander Stoep
3a0ce49b86 Migrate to upstream policy version 30
Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
2015-12-11 18:07:17 +00:00
Jeffrey Vander Stoep
4f9107df8f Revert "Migrate to upstream policy version 30"
This reverts commit 2ea23a6e1a.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
2015-12-08 12:14:50 -08:00
Jeffrey Vander Stoep
5ca5696e8b Revert "Migrate to upstream policy version 30"
This reverts commit 2ea23a6e1a.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
2015-12-08 18:19:04 +00:00
Jeff Vander Stoep
2ea23a6e1a Migrate to upstream policy version 30
Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
2015-12-08 07:18:41 -08:00
Jeff Vander Stoep
0fc831c3b0 Temporarily downgrade to policy version number
Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.

(cherry picked from commit 89765083f7)

Bug: 22846070

Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4
2015-10-23 10:16:00 -07:00
William Roberts
f88e31ea90 am 7fc865a4: service_contexts: don\'t delete intermediate on failure
* commit '7fc865a4caec1a2ced41918449e34596f50f8c43':
  service_contexts: don't delete intermediate on failure
2015-10-01 22:24:59 +00:00
William Roberts
630fd5d80c am dcffd2b4: property_contexts: don\'t delete intermediate on failure
* commit 'dcffd2b482a625a99233d82019d7b96919c41600':
  property_contexts: don't delete intermediate on failure
2015-10-01 22:11:37 +00:00
Colin Cross
0f1b1f353b am 9eb6c874: Revert "property_contexts: don\'t delete intermediate on failure"
* commit '9eb6c87439da2b00699f644a8b8c335bf8cd9680':
  Revert "property_contexts: don't delete intermediate on failure"
2015-10-01 22:11:33 +00:00
Colin Cross
2a41cb70a7 am efcaecab: Revert "service_contexts: don\'t delete intermediate on failure"
* commit 'efcaecab4eb075fdc69942e6915999458fb5f88b':
  Revert "service_contexts: don't delete intermediate on failure"
2015-10-01 22:11:32 +00:00
Jeffrey Vander Stoep
4f821319f7 am 23c42c38: Merge "service_contexts: don\'t delete intermediate on failure"
* commit '23c42c389b07f6ebda69ca8e834c27b27460879a':
  service_contexts: don't delete intermediate on failure
2015-10-01 22:11:25 +00:00
Jeffrey Vander Stoep
89c1fd2582 am e6e94762: Merge "property_contexts: don\'t delete intermediate on failure"
* commit 'e6e947622514bdf0b80bf093c0df1a7d9ae12c37':
  property_contexts: don't delete intermediate on failure
2015-10-01 22:11:24 +00:00
William Roberts
7fc865a4ca service_contexts: don't delete intermediate on failure
When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ib9dcbf21d0a28700d500cf0ea4e412b009758d5d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-10-01 22:01:50 +00:00
William Roberts
dcffd2b482 property_contexts: don't delete intermediate on failure
When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ia86eb0480c9493ceab36fed779b2fe6ab85d2b3d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-10-01 14:56:19 -07:00
Colin Cross
9eb6c87439 Revert "property_contexts: don't delete intermediate on failure"
This reverts commit 7f81b337bc.

Change-Id: I79834d0ef3adbf2eed53b07d17160876e2a999c6
2015-10-01 21:25:55 +00:00
Colin Cross
efcaecab4e Revert "service_contexts: don't delete intermediate on failure"
This reverts commit f6ee7a5219.

Change-Id: I4f1396e6e4aeecd1109f9c24494c6e82645c0663
2015-10-01 21:25:25 +00:00
William Roberts
f6ee7a5219 service_contexts: don't delete intermediate on failure
When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ib9c9247d36e6a6406b4df84d10e982921c07d492
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-29 14:25:01 -07:00
William Roberts
7f81b337bc property_contexts: don't delete intermediate on failure
When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: I431d6f4494fa119c1873eab0e77f0eed3fb5754e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-29 14:25:01 -07:00
William Roberts
92461b6169 am 3746a0ae: file_contexts: don\'t delete intermediate on failure
* commit '3746a0ae63a56a6b18fabd3e89bfe4760a1691e3':
  file_contexts: don't delete intermediate on failure
2015-09-28 18:23:43 +00:00
William Roberts
3746a0ae63 file_contexts: don't delete intermediate on failure
Currently, if an error is detected in a file_contexts
file, the intermediate file_context.tmp file is removed,
thus making debugging of build issues problematic.

Instead, employ checkfc tool during the compilation recipe
so the m4 concatenated intermediate is preserved on
failure.

Change-Id: Ic827385d3bc3434b6c2a9bba5313cd42b5f15599
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-28 10:36:49 -07:00
Ivan Krasin
b49f5cf83f am 9aa41303: asan: update condition to work with multiple SANITIZE_TARGET values.
* commit '9aa413036bde2c80c25b381bd685ab05f8390127':
  asan: update condition to work with multiple SANITIZE_TARGET values.
2015-09-19 19:52:05 +00:00
Ivan Krasin
9aa413036b asan: update condition to work with multiple SANITIZE_TARGET values.
The goal is to enable SANITIZE_TARGET='address coverage', which
will be used by LLVMFuzzer.

Bug: 22850550
Change-Id: I953649186a7fae9b2495159237521f264d1de3b6
2015-09-18 12:05:51 -07:00
William Roberts
4d526d8675 am 031e5ce9: Android.mk: Cleanup GENERAL_*_CONTEXTS variables
* commit '031e5ce9c5cd3334cd2a09645cb03306fb552494':
  Android.mk: Cleanup GENERAL_*_CONTEXTS variables
2015-08-13 18:00:43 +00:00
William Roberts
dc858fe64d am 6aabc1c7: Android.mk: drop polluting variables
* commit '6aabc1c77b98d0ce8e13871047504afb90108733':
  Android.mk: drop polluting variables
2015-08-13 17:26:59 +00:00
William Roberts
031e5ce9c5 Android.mk: Cleanup GENERAL_*_CONTEXTS variables
Change-Id: Ic70a1208b67fe3961871cdeb39369c2ed3e0ce28
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-08-13 10:11:31 -07:00
William Roberts
6aabc1c77b Android.mk: drop polluting variables
Some of the ALL_*_FILES variables remained that were used
in a way that could not be cleared. Move them to lower
case variants and use a build recipe PRIVATE_*_FILES variable.
This avoids polluting the global namespace.

Change-Id: I83748dab48141af7d3f10ad27fc9319eaf90b970
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-08-13 10:09:23 -07:00
Richard Haines
32bbafc194 am c2d01914: Update Android.mk to support file_contexts.bin
* commit 'c2d01914d12b1c153b5ef32293079764a4342169':
  Update Android.mk to support file_contexts.bin
2015-08-13 00:40:32 +00:00
Richard Haines
c2d01914d1 Update Android.mk to support file_contexts.bin
This change supports external/libselinux changes to implement
PCRE formatted binary file_contexts and general_file_contexts.bin
files.

The $(intermediates) directory will contain the original text file
(that is no longer used on the device) with a .tmp extension as well
as the .bin file to aid analysis.

A CleanSpec.mk file is added to remove the old file_contexts file.

Change-Id: I75a781100082c23536f70ce3603f7de42408b5ba
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2015-08-12 08:45:44 -07:00
Dan Willemsen
10c1e872cc am bc2a49f2: Don\'t assume ordering of
* commit 'bc2a49f24726faec8699ad2eefa73ccbdc7ff3d5':
  Don't assume ordering of $(wildcard ...)
2015-08-11 20:23:15 +00:00
Dan Willemsen
bc2a49f247 Don't assume ordering of $(wildcard ...)
There are no guarantees on the order of the results from a call to the
wildcard function. In fact, the order usually changes between make 3.81
and make 4.0 (and kati).

Instead, sort the results of wildcard in each sepolicy directory, so
that directory order is preserved, but content ordering is reliable.

Change-Id: I1620f89bbdd2b2902f2e0c40526e893ccf5f7775
2015-08-11 12:27:08 -07:00
William Roberts
deb2f8b5f7 am d2185582: Android.mk: Add support for BOARD_SEPOLICY_M4DEFS
* commit 'd21855824d178abea9ac93376757c7aed765cd83':
  Android.mk: Add support for BOARD_SEPOLICY_M4DEFS
2015-07-27 18:02:27 +00:00
William Roberts
d21855824d Android.mk: Add support for BOARD_SEPOLICY_M4DEFS
Allow device builders to pass arbitrary m4 definitions
during the build via make variable BOARD_SEPOLICY_M4DEFS.
This enables OEMs to define their own static policy build
conditionals.

Change-Id: Ibea1dbb7b8615576c5668e47f16ed0eedfa0b73c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-24 23:20:53 +00:00
Colin Cross
07039d386a am 29a463d5: Use build fingerprint from file
* commit '29a463d5d594a1b83288eff2da1f8829a69d3d46':
  Use build fingerprint from file
2015-07-23 19:01:40 +00:00
Colin Cross
29a463d5d5 Use build fingerprint from file
Improve incremental ninja builds by keeping the command line the same
across builds.

Change-Id: Iedbaa40c9f816f91afc8f073a9ed7f9ffd5d9a53
2015-07-17 13:40:42 -07:00
Nick Kralevich
457e446fe7 am 1a6e29e2: Merge "android.mk: drop duplicate spaces"
* commit '1a6e29e251ead902509e4ff25fdfdcaf023d860e':
  android.mk: drop duplicate spaces
2015-07-16 19:57:51 +00:00
William Roberts
85402534f3 android.mk: drop duplicate spaces
Change-Id: Iae3edba40a94f78e78c0cc89a03e3f5a098d3909
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-16 11:40:21 -07:00
William Roberts
b2420cf4ec am ffc86bea: Correct local variables for file_contexts_asan
* commit 'ffc86bea0e38147a9330177708aedbccd603627a':
  Correct local variables for file_contexts_asan
2015-07-10 20:34:46 +00:00
William Roberts
ffc86bea0e Correct local variables for file_contexts_asan
Lowercase local variables and clear them to be
consistent with other recipes and prevent polluting
Make's global name space with set variables.

Change-Id: If455cd4f33d5babbea985867a711e8a10c21a00f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-10 19:55:35 +00:00
William Roberts
e1a2001fc5 am 99fe8df2: hide checkseapp command invocation
* commit '99fe8df245f4346c14a3dfaf856006c7ebf51ad2':
  hide checkseapp command invocation
2015-07-07 19:13:59 +00:00
William Roberts
0046404b2c am b876993f: use a general sepolicy when building general targets
* commit 'b876993f4ee25fb299b7521b0dc565248d3db2a6':
  use a general sepolicy when building general targets
2015-07-07 19:13:58 +00:00
William Roberts
99fe8df245 hide checkseapp command invocation
Change-Id: I040904b69b98c49d60546f024f5ace5b7c6f7d5e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-07 17:45:51 +00:00
William Roberts
807b8a6f9d am 3a74555c: Drop unused variable in Android.mk
* commit '3a74555c4e6c3b87c43b1eb311a2e418f6d88453':
  Drop unused variable in Android.mk
2015-07-07 15:49:25 +00:00
William Roberts
b876993f4e use a general sepolicy when building general targets
Change-Id: Ie800ebf9d8e68680ec377e8c51f7cd7717f3c755
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-30 14:02:17 -07:00
William Roberts
3a74555c4e Drop unused variable in Android.mk
Change-Id: Ibd22582deb24fde49cdb71b8754446f3948db36c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-29 16:14:15 -07:00
William Roberts
bf4568d1cd am 4ee7131a: Introduce seapp_neverallow test
* commit '4ee7131ade43a046ad784a91bdded7c3c77206cd':
  Introduce seapp_neverallow test
2015-06-29 20:36:17 +00:00
William Roberts
4ee7131ade Introduce seapp_neverallow test
Produce a list of neverallow assertions from seapp_contexts into
a separate file, general_seapp_context_neverallows, to be used
during CTS neverallow checking.

Change-Id: I171ed43cf4ae4961f66d5d8f56695345493f1261
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-29 10:57:06 -07:00
William Roberts
8f519b3f0f am da52e859: correct colon usage on make targets
* commit 'da52e85906289d5b691404ffed1fb830065140f9':
  correct colon usage on make targets
2015-06-29 17:53:41 +00:00
William Roberts
da52e85906 correct colon usage on make targets
Change-Id: If944d8bd1e324f6500920ee3c5d44611ec7f8af9
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-27 07:22:34 -07:00
William Roberts
942c0ea901 am 81e1f90c: check_seapp: add support for "neverallow" checks
* commit '81e1f90cd13b262f9e3021f64ae3574b8f5cd5d0':
  check_seapp: add support for "neverallow" checks
2015-06-26 21:02:10 +00:00
William Roberts
81e1f90cd1 check_seapp: add support for "neverallow" checks
Introduce "neverallow" rules for seapp_contexts. A neverallow rule is
similar to the existing key-value-pair entries but the line begins
with "neverallow". A neverallow violation is detected when all keys,
both inputs and outputs are matched. The neverallow rules value
parameter (not the key) can contain regular expressions to assist in
matching. Neverallow rules are never output to the generated
seapp_contexts file.

Also, unless -o is specified, checkseapp runs in silent mode and
outputs nothing. Specifying - as an argument to -o outputs to stdout.

Sample Output:
Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app"

Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-25 23:53:46 +00:00
Evgenii Stepanov
651a315ad2 am 4b4c5645: Merge "Extend sepolicy for SANITIZE_TARGET."
* commit '4b4c5645931a0e187d261c4db6caac67d09ab4e4':
  Extend sepolicy for SANITIZE_TARGET.
2015-06-15 21:09:13 +00:00
Evgenii Stepanov
930304829b Extend sepolicy for SANITIZE_TARGET.
SANITIZE_TARGET adds shared libraries in /data/lib.

Bug: 21785137
Change-Id: I8ac3d059d88d57d24ed762ffc6202a4ce5a42333
2015-06-12 17:19:30 -07:00
Jeff Vander Stoep
de9b5301a1 restrict app access to socket ioctls
Create a macro of unprivileged ioctls including
- All common socket ioctls except MAC address
- All wireless extensions ioctls except get/set ESSID
- Some commonly used tty ioctls

Bug: 21657002
Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
2015-06-05 22:35:51 +00:00
Jeff Vander Stoep
64b01c6165 Update policy version to enable ioctl whitelisting
Bug: 20756547
Bug: 18087110
Change-Id: I9ff76f1cf359e38c19d7b50a5b7236fd673d937e
2015-05-04 11:14:23 -07:00
Stephen Smalley
8e0ca8867e Drop BOARD_SEPOLICY_UNION.
As suggested in the comments on
https://android-review.googlesource.com/#/c/141560/
drop BOARD_SEPOLICY_UNION and simplify the build_policy logic.
Union all files found under BOARD_SEPOLICY_DIRS.

Unlike BOARD_SEPOLICY_REPLACE/IGNORE, on which we trigger an error
to catch any lingering uses and force updating of the BoardConfig.mk
files, we only warn on uses of BOARD_SEPOLICY_UNION to avoid
breaking the build until all device BoardConfig*.mk files have been
updated, and since they should be harmless - the files will be unioned
regardless.

Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-01 10:18:17 -04:00
Stephen Smalley
b4f17069b3 sepolicy: Drop BOARD_SEPOLICY_IGNORE/REPLACE support.
With changes I431c1ab22fc53749f623937154b9ec43469d9645 and
Ia54aa263f2245c7090f4b9d9703130c19f11bd28, it is no longer
legitimate to use BOARD_SEPOLICY_IGNORE or REPLACE with
any of the *_contexts files since the CTS requires the AOSP
entries to be present in the device files.

Further, these changes render BOARD_SEPOLICY_IGNORE unusable for
most policy files since all domains and types referenced within any
of the AOSP *_contexts entries must be defined in the kernel policy, so
you cannot use BOARD_SEPOLICY_IGNORE to exclude any .te file
that defines a type referenced in any of those *_contexts files.
There does not seem to be a significant need for such a facility,
as AOSP policy is small and only domains and types used by most
devices should be defined in external/sepolicy.

BOARD_SEPOLICY_REPLACE is commonly misused to eliminate neverallow rules
from AOSP policy, which will only lead to CTS failures, especially
since change Iefe508df265f62efa92f8eb74fc65542d39e3e74 introduced neverallow
checking on the entire policy via sepolicy-analyze.  The only remaining
legitimate function of BOARD_SEPOLICY_REPLACE is to support overriding
AOSP .te files with more restrictive rule sets.  However, the need for this
facility has been significantly reduced by the fact that AOSP policy
is now fully confined + enforcing for all domains, and further restrictions
beyond AOSP carry a compatibility risk.

Builders of custom policies and custom ROMs still have the freedom to
apply patches on top of external/sepolicy to tighten rule sets (which are
likely more maintainable than maintaining a completely separate copy of
the file via BOARD_SEPOLICY_REPLACE) and/or of using their own separate
policy build system as exemplified by
https://bitbucket.org/quarksecurity/build-policies

Change-Id: I2611e983f7cbfa15f9d45ec3ea301e94132b06fa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-13 10:26:00 -04:00
Stephen Smalley
c93617315e Fix rules for general_property_contexts.
Failed to include base_rules.mk, so this target was not being built.

Change-Id: I2414fa6c3e3e37c74f63c205e3694d1a811c956e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-13 09:36:57 -04:00
Stephen Smalley
2e0cd5ad36 Generate general versions of the other contexts files for tests.
Generate general forms of the remaining *_contexts files with only the
device-independent entries for use in CTS testing.

Change-Id: I2bf0e41db8a73c26754cedd92cbc3783ff03d6b5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-12 17:45:03 -04:00
Stephen Smalley
377128778d Generate a general_seapp_contexts file for tests.
Generate a general_seapp_contexts file with only the
device-independent entries, similar to general_sepolicy.conf.
This is for use by CTS tests to compare with the prefix of
device seapp_contexts.

Change-Id: If8d1456afff5347adff7157411c6a160484e0b39
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-12 15:46:36 -04:00
Nick Kralevich
f435a8e556 Delete unconfined domain
No longer used.  :-)

Change-Id: I687cc36404e8ad8b899b6e76b1de7ee8c5392e07
2015-02-28 11:27:35 -08:00
William Roberts
754f5ea7ee Allow overiding FORCE_PERMISSIVE_TO_UNCONFINED
It's beneficial to be able to overide this in a device makefile
if you need to get the domains into an unconfined state to keep
the logs from filling up on kernel entries without having to add
rules into device specific policy.

Change-Id: I7778be01256ac601f247e4d6e12573d0d23d12a1
2014-12-20 15:15:33 +00:00
William Roberts
f330f37529 Remove network shell script
This seems to not really being used, especially considering
that the init.rc does not have a oneshot service for it, and its
not using the build_policy() and other things to even make it
configurable.

Change-Id: I964f94b30103917ed39cf5d003564de456b169a5
2014-11-13 07:34:39 -08:00
Stephen Smalley
ee58864b95 Revert "DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true"
Change-Id I52fd5fbe30a7f52f1143f176915ce55fb6a33f87 was only intended
for lollipop, not for master.

This reverts commit 2aa727e3f0.

Change-Id: If2101939eb50cd6bbcde118b91c003d1f30d811c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-11-07 09:50:38 -05:00
Nick Kralevich
39f92a8350 am f7e98fe2: Merge "recovery.te: add /data neverallow rules"
* commit 'f7e98fe2c988d88a4a98a1fdfd07561cef013e5c':
  recovery.te: add /data neverallow rules
2014-11-06 19:22:09 +00:00
Nick Kralevich
a17a266e7e recovery.te: add /data neverallow rules
Recovery should never be accessing files from /data.
In particular, /data may be encrypted, and the files within
/data will be inaccessible to recovery, because recovery doesn't
know the decryption key.

Enforce write/execute restrictions on recovery. We can't tighten
it up further because domain.te contains some /data read-only
access rules, which shouldn't apply to recovery but do.

Create neverallow_macros, used for storing permission macros
useful for neverallow rules. Standardize recovery.te and
property_data_file on the new macros.

Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88
2014-11-05 15:30:41 -08:00
dcashman
5a6ac67476 am 3fe1bcbb: Merge "Generate selinux_policy.xml as part of CTS build."
* commit '3fe1bcbb8d2f2e17e7506d7fb0302068c9ccc915':
  Generate selinux_policy.xml as part of CTS build.
2014-08-04 20:24:23 +00:00
dcashman
704741a5c2 Generate selinux_policy.xml as part of CTS build.
Bug: 16563899
Bug: 14251916
Change-Id: Id3172b73f10186ba361caf6b7333e5d2a0648475
2014-07-28 17:57:22 -07:00
Nick Kralevich
2aa727e3f0 DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true
Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're preparing a release,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Without this change, our user builds will behave differently than
userdebug builds, complicating testing.

Change-Id: I52fd5fbe30a7f52f1143f176915ce55fb6a33f87
2014-07-14 09:15:08 -07:00
Nick Kralevich
db644f98ad am 8eb63f24: am b0ee91a4: Merge "Add SELinux rules for service_manager."
* commit '8eb63f24bb34639d76246a2fe0276f5cada5c764':
  Add SELinux rules for service_manager.
2014-06-12 21:13:06 +00:00
Nick Kralevich
8eb63f24bb am b0ee91a4: Merge "Add SELinux rules for service_manager."
* commit 'b0ee91a418a899dbd39678711ea65ed60418154e':
  Add SELinux rules for service_manager.
2014-06-12 21:06:37 +00:00
Riley Spahn
f90c41f6e8 Add SELinux rules for service_manager.
Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
2014-06-12 20:46:07 +00:00
Robert Craig
33bf667ab1 am ec87ecb9: am 8571ed16: am 8b7545bf: Build the selinux_version file.
* commit 'ec87ecb99187ce4e7c4b01e3e2ff79e9f61a5968':
  Build the selinux_version file.
2014-05-31 11:38:45 +00:00
Robert Craig
ec87ecb991 am 8571ed16: am 8b7545bf: Build the selinux_version file.
* commit '8571ed162e85c507ea93b06c6816cdf99019625a':
  Build the selinux_version file.
2014-05-31 08:49:29 +00:00
Robert Craig
8b7545bf57 Build the selinux_version file.
The selinux_version file is used to perform policy
versioning checks by libselinux and SELinuxMMAC. When
loading policy a check is first performed to determine
if the policy out in /data/security/current should be
used to override the base policy shipped with the device.
The selinux_version file is used to make that choice. The
contents of the file simply contains the BUILD_FINGERPRINT
that the policy was built against. A simple string comparison
is then performed by libselinux and SELinuxMMAC.

Change-Id: I69d9d071743cfd46bb247c98f94a193396f8ebbd
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-05-30 20:24:18 +00:00
Stephen Smalley
4a247480b3 am c664083b: am ffbba62e: am e60723ab: Create a separate recovery policy.
* commit 'c664083badd1c73c144f53354c015681cd7e6951':
  Create a separate recovery policy.
2014-05-30 19:01:44 +00:00
Stephen Smalley
c664083bad am ffbba62e: am e60723ab: Create a separate recovery policy.
* commit 'ffbba62eafb759573aad4bcdc77d56026697ea00':
  Create a separate recovery policy.
2014-05-30 18:27:02 +00:00
Stephen Smalley
e60723ab59 Create a separate recovery policy.
Create a separate recovery policy and only include the
recovery domain allow rules in it.

Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 12:53:32 -04:00
Nick Kralevich
863b282366 am d188f5be: Merge "DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true" into klp-modular-dev
* commit 'd188f5be07e168c19a2cd46439c0319f4866c641':
  DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true
2014-02-05 23:50:47 +00:00
Nick Kralevich
2772e78ff9 DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true
Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're approaching stabilization,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Change-Id: I1467b6b633934b18689683f3a3085329bb96dae1
2014-02-05 14:57:14 -08:00
Robert Craig
6b0ff4756a Catch nonexistent BOARD_SEPOLICY_UNION policy files.
Added a new check to make sure that all listed
BOARD_SEPOLICY_UNION files are located somewhere
in the listed BOARD_SEPOLICY_DIRS locations. The
build will error out otherwise.

Change-Id: Icc5febc5fe5a7cccb90ac5b83e6289c2aa5bf069
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-01-29 13:14:49 -05:00
Nick Kralevich
623975fa5a Support forcing permissive domains to unconfined.
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
2014-01-11 13:29:51 -08:00
Nick Kralevich
88ce951d89 Create new conditional userdebug_or_eng
Create a new m4 macro called userdebug_or_eng. Arguments
passed to this macro are only emitted if we're performing
a userdebug or eng build.

Merge shell.te and shell_user.te and eliminate duplicate
lines. Same for su.te and su_user.te

Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0
2014-01-09 15:31:37 -08:00
Stephen Smalley
d99e6d5fa1 Restrict the ability to set SELinux enforcing mode to init.
Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.

Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-02 15:59:04 -05:00
Nick Kralevich
c3c9052bc7 Make DEFAULT_SYSTEM_DEV_CERTIFICATE available in keys.conf
In 9af6f1bd59, the -d option
was dropped from insertkeys.py. This was done to allow an
Android distribution to replace the default version of
keys.conf distributed in external/sepolicy/keys.conf. keys.conf
was modified to reference the publicly known test keys in
build/target/product/security.

Unfortunately, this broke Google's build of Android. Instead
of incorporating our keys directory, we were using the
default AOSP keys. As a result, apps were getting assigned
to the wrong SELinux domain. (see "Steps to reproduce" below)

This change continues to allow others to replace keys.conf,
but makes DEFAULT_SYSTEM_DEV_CERTIFICATE available as an
environment variable in case the customized version wants to
make reference to it. This change also modifies the stock
version of keys.conf to use DEFAULT_SYSTEM_DEV_CERTIFICATE,
which should be appropriate for most Android distributions.
It doesn't make any sense to force each OEM to have a copy of
this file.

Steps to reproduce.

1) Compile and boot Android.
2) Run the following command: "adb shell ps -Z | grep process.media"

Expected:

  $ adb shell ps -Z | grep process.media
  u:r:media_app:s0               u0_a5     1332  202   android.process.media

Actual:

  $ adb shell ps -Z | grep process.media
  u:r:untrusted_app:s0           u0_a5     3617  187   android.process.media

Bug: 11327304
Change-Id: Ica24fb25c5f9c0e2f4d181718c757cf372467822
2013-10-28 13:08:14 -07:00
William Roberts
9af6f1bd59 Drop -d option on insertkeys.py in Android.mk
This breaks the ability for users to have certs in many
directories. Currently the design is to allow keys.conf
to specify arbitrary locations for pem files, relative to
the root of the Android tree. If users want to have a
common prefix on all the keys, then they can export
DEFAULT_SYSTEM_DEV_CERTIFICATE, and make that an environment
variable in their keys.conf file.

Signed-off-by: William Roberts <wroberts@tresys.com>

Change-Id: I23455b891206cab6eca7db08ff3c28283f87c640
Signed-off-by: William Roberts <wroberts@tresys.com>
2013-09-06 09:51:27 +00:00
Stephen Smalley
e267afa320 am e543a8bc: Increase policy version to 26.
* commit 'e543a8bc2a2d08ff381e5ae9e34cc2a094acf895':
  Increase policy version to 26.
2013-04-01 11:09:14 -07:00
Stephen Smalley
e543a8bc2a Increase policy version to 26.
Increase the SELinux policy version to 26.  This is needed
for name-based transitions used by the manta sepolicy.
Requires kernel 3.0 or higher.

Change-Id: I046fa9f7122f77506c70b2c735345bc0194935df
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-04-01 13:42:25 -04:00
Geremy Condra
020b5ff631 Add a key directory argument to insertkeys.py
This allows us to better integrate key selection with our existing
build process.

Change-Id: I6e3eb5fbbfffb8e31c5edcf16f74df7c38abe537
2013-03-29 16:29:43 -07:00
William Roberts
e693ed7c18 Remove the su domain from -user builds.
Change-Id: I86f2f28f7c558b8e9a70e5aa9ebcfa8bf26f9ef7
2013-03-27 13:39:12 -07:00
Robert Craig
7f2392eeb0 Expand insertkeys.py script to allow union of files.
Allow script to union mac_permissions.xml files
specified using the BOARD_SEPOLICY_DIRS and
BOARD_SEPOLICY_UNION constructs.

Change-Id: I4fc65fd1ab4c612f25e966f030247e54a270b614
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-27 20:34:29 +00:00
Robert Craig
65d4f44c1f Various policy updates.
Assortment of policy changes include:
 * Bluetooth domain to talk to init and procfs.
 * New device node domains.
 * Allow zygote to talk to its executable.
 * Update system domain access to new device node domains.
 * Create a post-process sepolicy with dontaudits removed.
 * Allow rild to use the tty device.

Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-27 06:30:25 -04:00
William Roberts
52fc95d1b7 Fix makefile error with ANDROID_BUILD_TOP
Use TOP instead of ANDROID_BUILD_TOP

Fix spelling issues in keys.conf

Change-Id: Ib90b3041af5ef68f30f4ab78c768ad225987ef2d
2013-03-26 14:10:47 -07:00
Geremy Condra
cd4104e84b Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml""
This reverts commit 1446e714af

Hidden dependency has been resolved.

Change-Id: Ia535c0b9468ea5f705dff9813186a7fa8bab84ae
2013-03-26 18:19:34 +00:00
William Roberts
15b3ceda5c Add BOARD_SEPOLICY_IGNORE
See README for further details.

Change-Id: I4599c7ecd5a552e38de89d0a9e496e047068fe05
2013-03-21 02:55:49 +00:00
Geremy Condra
1446e714af Revert "Dynamic insertion of pubkey to mac_permissions.xml"
This reverts commit 22fc04103b

Change-Id: I2d91b1262e8d0e82a21ea7c5333b1e86f3ed9bee
2013-03-19 22:56:46 +00:00
William Roberts
5a2988fcb5 Remove duplicate paths from sepolicy_replace_paths
Change-Id: I5d5362ad0055275052b0c2ba535b599a8e26112e
2013-03-19 22:49:13 +00:00
Robert Craig
d98d26ef3c property_contexts checks added to checkfc.
Change-Id: If361ea93fabd343728196eed2663fd572ecaa70b
Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
2013-03-19 22:28:46 +00:00
William Roberts
22fc04103b Dynamic insertion of pubkey to mac_permissions.xml
Support the inseretion of the public key from pem
files into the mac_permissions.xml file at build
time.

Change-Id: Ia42b6cba39bf93723ed3fb85236eb8f80a08962a
2012-12-08 09:26:37 +09:00
William Roberts
2c8a55dcf4 Replaceable mac_permission.xml support
Support overriding ma_permissions.xml
in BOARD_SEPOLICY_REPLACE

Change-Id: If0bca8bf29bc431a291b6d7b20de132e68cd6a79
2012-12-06 05:57:49 +09:00
Jean-Baptiste Queru
eab23895cd Merge "Revert "Include su.te only for userdebug/eng builds."" into jb-mr1-dev-plus-aosp 2012-11-01 14:21:26 -07:00
Alice Chu
eefaa83d4c am cdfb06f5: Moved Android policy tools to tools directory
* commit 'cdfb06f55394d68a7df1110d83070961a2cc52aa':
  Moved Android policy tools to tools directory
2012-11-01 14:15:23 -07:00
Kenny Root
9ceb47b0c0 Revert "Include su.te only for userdebug/eng builds."
This reverts commit af56ac1954.

Change-Id: Id658a90b58ea31365051c0878c58393fd055fc69
2012-11-01 13:17:29 -07:00
Alice Chu
cdfb06f553 Moved Android policy tools to tools directory
Change-Id: I57b0dd9f8071eae492020f410c87f465ba820711
2012-11-01 11:33:04 -07:00
Kenny Root
a2517b20cb resolved conflicts for merge of 47cd396b to jb-mr1-dev-plus-aosp
Change-Id: I3112f4cf0fafb6e7e3c9c60084a097f5e6190c22
2012-10-29 16:49:22 -07:00
rpcraig
47cd396b11 Add better per-device sepolicy support.
This is a rewrite of the existing implementation.
Three new variables are now needed to add/modify
the exisitng base policy. They are, BOARD_SEPOLICY_REPLACE
and BOARD_SEPOLICY_UNION which govern what files
are replaced and concatenated, and BOARD_SEPOLICY_DIRS
which lists the various directories that will contain
the BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION
policy files.

Change-Id: Id33381268cef03245c56bc5242fec7da9b6c6493
Signed-off-by: rpcraig <robertpcraig@gmail.com>
2012-10-26 11:17:24 -07:00
Ying Wang
6b964fa1f2 am d8b122c7: Use file target as dependency.
* commit 'd8b122c7bbe3a57620bee0a5c6bfcb8f7c574081':
  Use file target as dependency.
2012-10-26 09:51:39 -07:00
Ying Wang
d8b122c7bb Use file target as dependency.
"sepolicy" is a phony target defined by the build system.
If you use it as dependency of a file target, you'll get unnecessary
rebuild.

Change-Id: I3a948ebbaff6a146050eb86a3d04cdc050f7c001
2012-10-25 19:01:31 -07:00
Stephen Smalley
ced365aa64 am 01a58af1: Add a checkfc utility to check file_contexts validity and invoke it.
* commit '01a58af19494420bb259505bc5404790a21fdd64':
  Add a checkfc utility to check file_contexts validity and invoke it.
2012-10-17 12:57:32 -07:00
Stephen Smalley
01a58af194 Add a checkfc utility to check file_contexts validity and invoke it.
Change-Id: I4b12dc3dcb432edbdf95dd3bc97f809912ce86d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-10-17 12:02:25 -07:00
Kenny Root
44374bc5ed am 659aaced: Remove HAVE_SELINUX guard
* commit '659aaced054c21048c712fe1f5831a86c99213d8':
  Remove HAVE_SELINUX guard
2012-10-16 17:48:23 -07:00
Kenny Root
659aaced05 Remove HAVE_SELINUX guard
Change-Id: I45b4a749bf4fb085d96d912871bae33aa5288119
2012-10-10 10:52:46 -07:00
Stephen Smalley
9822c1d08f am 66a3e8d9: Drop the use of a policy version suffix on the sepolicy file.
* commit '66a3e8d91ef6098dd7cab127530f1cdb7973f53e':
  Drop the use of a policy version suffix on the sepolicy file.
2012-09-18 16:29:39 -07:00
Stephen Smalley
66a3e8d91e Drop the use of a policy version suffix on the sepolicy file.
The policy version suffix support was carried over from conventional
Linux distributions, where we needed to support simultaneous installation
of multiple kernels and policies.  This isn't required for Android, so
get rid of it and thereby simplify the policy pathname.

We still default to generating a specific policy version (the highest
one supported by the emulator kernel), but this can be overridden
by setting POLICYVERS on the make command-line or in the environment.

Requires a corresponding change to libselinux.

Change-Id: I40c88e13e8063ea37c2b9ab5b3ff8b0aa595402a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-09-18 15:11:49 -04:00
Jean-Baptiste Queru
d0f027ccc8 am 10f9a372: Merge upstream sepolicy into AOSP
* commit '10f9a3727a5c46ef23f5f0385ae4ffec20cb46d9':
  Corrected gramatical issues
  Added new line to end of file
  Changed seapp_contexts temporary file naming
  Fix mls checking code
  Support overrides in seapp_contexts
  Add tf_daemon labeling support.
  Add ppp/mtp policy.
  per device seapp_context support
  dhcp policy.
  Trusted Execution Environment policy.
2012-09-05 19:46:52 -07:00
William Roberts
98ed392e68 Changed seapp_contexts temporary file naming
Change-Id: I4f522869eeaa6f84771e4ee2328f65296dcc29db
2012-09-05 11:23:19 -07:00
William Roberts
0ae3a8a2d5 Fix mls checking code
Change-Id: I614caa520e218f8f148eef641fed2301571da8e1
2012-09-04 11:51:04 -07:00
William Roberts
f0e0a94e03 Support overrides in seapp_contexts
Provides support for overriding seapp_contexts declerations
in per device seapp_contexts files.

Change-Id: I23a0ffa1d24f1ce57825b168f29a2e885d3e1c51
2012-09-04 10:55:38 -07:00
William Roberts
171a062571 per device seapp_context support 2012-08-16 14:00:19 -04:00
Jean-Baptiste Queru
aa7fb3be1b resolved conflicts for merge of 0c2e5705 to jb-mr1-dev
Change-Id: Iee1d877788b9397ca29a6cfe7bc3015c3edbe5ac
2012-08-13 09:06:44 -07:00
rpcraig
b19665c39d Add mac_permissions.xml file.
This was moved from external/mac-policy.git
2012-07-30 09:33:03 -04:00
Matt Finifter
af56ac1954 Include su.te only for userdebug/eng builds.
Change-Id: Ia544f13910abbe5e9f6a6cafae397415a41a7a94
2012-07-18 13:25:23 -07:00
William Roberts
dc1072365e Support for ocontexts per device.
ocontexts was split up into 4 files:
1.fs_use
2.genfs_contexts
3.initial_sid_contexts
4.port_contexts

Each file has their respective declerations in them.
Devices, in their respective device directory, can now specify sepolicy.fs_use, sepolicy.genfs_contexts, sepolicy.port_contexts, and sepolicy.initial_sid_contexts. These declerations will be added right behind their respective sepolicy counterparts in the concatenated configuration file.
2012-07-12 10:02:45 -04:00
Joshua Brindle
70d4fc2243 Add selinux network script to policy
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
2012-06-21 09:19:43 -04:00
Stephen Smalley
efd6d6e0da Apply m4 to file_contexts and property_contexts to support includes. 2012-05-18 08:24:25 -04:00
The Android Open Source Project
f5f899c3c0 Merge from upstream sepolicy
Change-Id: I99085d575e3d884fb04ac03ac998eb3c53eb2d9f
2012-04-10 09:52:59 -07:00
Ying Wang
f4ea5b2539 Use the checkpolicy built from source.
Change-Id: I22f49db3d59b50ed8975d8c1146bb9c322adbf7e
2012-04-10 09:11:08 -07:00
Stephen Smalley
124720a697 Add policy for property service.
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
2012-04-04 10:11:16 -04:00
Stephen Smalley
64935c7d87 Limit per-device policy files to a well-defined sepolicy prefix.
Avoid any future collisions with the use of .fc or .te suffixes in the
per-device directories.  If we want multiple file support, add a separate
subdirectory for sepolicy files.
2012-03-06 13:27:39 -05:00
Stephen Smalley
5b340befb4 Add support for per-device .te and .fc files. 2012-03-06 11:12:41 -05:00
Stephen Smalley
7e8cf24f58 Do not build if HAVE_SELINUX=false. 2012-02-02 13:28:28 -05:00
Stephen Smalley
2b826fcbe8 Add a dependency on checkpolicy. 2012-01-24 08:46:13 -05:00
Ying Wang
02fb5f3c6a Rewrite Android.mk. 2012-01-18 14:01:08 -05:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00