As suggested in the comments on
https://android-review.googlesource.com/#/c/141560/
drop BOARD_SEPOLICY_UNION and simplify the build_policy logic.
Union all files found under BOARD_SEPOLICY_DIRS.
Unlike BOARD_SEPOLICY_REPLACE/IGNORE, on which we trigger an error
to catch any lingering uses and force updating of the BoardConfig.mk
files, we only warn on uses of BOARD_SEPOLICY_UNION to avoid
breaking the build until all device BoardConfig*.mk files have been
updated, and since they should be harmless - the files will be unioned
regardless.
Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
With changes I431c1ab22fc53749f623937154b9ec43469d9645 and
Ia54aa263f2245c7090f4b9d9703130c19f11bd28, it is no longer
legitimate to use BOARD_SEPOLICY_IGNORE or REPLACE with
any of the *_contexts files since the CTS requires the AOSP
entries to be present in the device files.
Further, these changes render BOARD_SEPOLICY_IGNORE unusable for
most policy files since all domains and types referenced within any
of the AOSP *_contexts entries must be defined in the kernel policy, so
you cannot use BOARD_SEPOLICY_IGNORE to exclude any .te file
that defines a type referenced in any of those *_contexts files.
There does not seem to be a significant need for such a facility,
as AOSP policy is small and only domains and types used by most
devices should be defined in external/sepolicy.
BOARD_SEPOLICY_REPLACE is commonly misused to eliminate neverallow rules
from AOSP policy, which will only lead to CTS failures, especially
since change Iefe508df265f62efa92f8eb74fc65542d39e3e74 introduced neverallow
checking on the entire policy via sepolicy-analyze. The only remaining
legitimate function of BOARD_SEPOLICY_REPLACE is to support overriding
AOSP .te files with more restrictive rule sets. However, the need for this
facility has been significantly reduced by the fact that AOSP policy
is now fully confined + enforcing for all domains, and further restrictions
beyond AOSP carry a compatibility risk.
Builders of custom policies and custom ROMs still have the freedom to
apply patches on top of external/sepolicy to tighten rule sets (which are
likely more maintainable than maintaining a completely separate copy of
the file via BOARD_SEPOLICY_REPLACE) and/or of using their own separate
policy build system as exemplified by
https://bitbucket.org/quarksecurity/build-policies
Change-Id: I2611e983f7cbfa15f9d45ec3ea301e94132b06fa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The README jumped directly into using the BOARD_SEPOLICY_*
variables for device-specific policy; add a short introduction
describing what external/sepolicy contains and noting where to put
device-specific policy.
Change-Id: I3c800df93d70074384da993a689a5a0771ecb314
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Commit Icc5febc5fe5a7cccb90ac5b83e6289c2aa5bf069
introduced a new error check for nonexistent
BOARD_SEPOLICY_UNION files. Need an update to
the docs describing the change.
Change-Id: If96c9046565b05e0811ab2d526ae12a3b8b90bf0
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Recommend using concatenation versus assignment when making
policy declarations inside BoardConfig.mk. This will allow
sepolicy to exist in the vendor directory.
Change-Id: If982217fcb3645d9c6b37a341755b5b65f26fc5f
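The commit messages above describe how BoardConfig*.mk uses of the BOARD_SEPOLICY_* variables are treated: REPLACE and IGNORE trigger an error, UNION only warns, and BOARD_SEPOLICY_DIRS should be extended by concatenation rather than assignment. The following is an added example, not code from external/sepolicy or the AOSP build system, showing how a device tree could be checked for those uses before a build. The function names and the sample BoardConfig.mk content are constructed for illustration.

```python
import re

# Constructed sample BoardConfig.mk content (not from any real device tree).
SAMPLE_BOARDCONFIG = """\
# device/acme/widget/BoardConfig.mk (constructed)
BOARD_SEPOLICY_DIRS := device/acme/widget/sepolicy
BOARD_SEPOLICY_DIRS += vendor/acme/sepolicy
BOARD_SEPOLICY_UNION += widgetd.te file_contexts
BOARD_SEPOLICY_REPLACE := domain.te
# BOARD_SEPOLICY_IGNORE := external/sepolicy/app.te
"""

# Variable name followed directly by a make assignment operator.
_ASSIGN = re.compile(
    r"^\s*(BOARD_SEPOLICY_(DIRS|UNION|REPLACE|IGNORE))\s*(\+=|:=|\?=|=)"
)


def lint_boardconfig(text):
    """Return a list of (line_number, level, variable, message) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out assignments have no effect on the build
        m = _ASSIGN.match(line)
        if not m:
            continue
        var, kind, op = m.group(1), m.group(2), m.group(3)
        if kind in ("REPLACE", "IGNORE"):
            # Per the commit messages: an error, to force BoardConfig updates.
            findings.append((lineno, "error", var, "no longer supported"))
        elif kind == "UNION":
            # Per the commit messages: a warning only; files are unioned anyway.
            findings.append((lineno, "warning", var,
                             "not needed; all files under "
                             "BOARD_SEPOLICY_DIRS are unioned"))
        elif op != "+=":
            # Assignment discards directories added by other makefiles.
            findings.append((lineno, "advice", var,
                             "use += so vendor directories are kept"))
    return findings


def has_errors(findings):
    """True if any finding would stop the build."""
    return any(level == "error" for _, level, _, _ in findings)


if __name__ == "__main__":
    for lineno, level, var, msg in lint_boardconfig(SAMPLE_BOARDCONFIG):
        print(f"line {lineno}: {level}: {var}: {msg}")
```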
Oftentimes OEMs and other integrators will need to create PEM
files from presigned APKs they are integrating. This patch will
update the README to include a technique for doing so.
Change-Id: Ica52269542409d2038cfe30cbd5f28ead2fba4de
Since Change-Id: If4f169d9ed4f37b6ebd062508de058f3baeafead
the insert_keys.py tool has had support for expanding
environment variable strings. This change addresses the lack
of an updated README covering said change.
Change-Id: I88e81ea58fb84110da3fc3cfb8b49fd0d6c027c2
Allow script to union mac_permissions.xml files
specified using the BOARD_SEPOLICY_DIRS and
BOARD_SEPOLICY_UNION constructs.
Change-Id: I4fc65fd1ab4c612f25e966f030247e54a270b614
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
This reverts commit cd4104e84b
This builds clean locally, but seems to explode on the build servers. Reverting until there's a solution.
Change-Id: I09200db37c193f39c77486d5957a8f5916e38aa0
Support the insertion of the public key from pem
files into the mac_permissions.xml file at build
time.
Change-Id: Ia42b6cba39bf93723ed3fb85236eb8f80a08962a
This README intends to document the various configuration options
that exist for specifying device-specific additions to the policy.
Change-Id: I7db708429a67deeb89b0c155a116606dcbbbc975