Geremy Condra 140a9a3870 am 9c0f2df1: Merge changes I5a3584b6,Ic7252a8e,I2d4ace75
* commit '9c0f2df1832f82bd2867d2e2fa18dde31b05e63e':
  Various minor policy fixes based on CTS.
  Split internal and external sdcards
  Give sdcard sys_admin capability.
2013-03-22 14:20:25 -07:00
tools Generalize levelFromUid support. 2013-03-20 01:39:25 +00:00
access_vectors Update binder-related policy. 2013-03-19 22:48:17 +00:00
adbd.te Various minor policy fixes based on CTS. 2013-03-22 15:27:02 -04:00
Android.mk Add BOARD_SEPOLICY_IGNORE 2013-03-21 02:55:49 +00:00
app.te Various minor policy fixes based on CTS. 2013-03-22 15:27:02 -04:00
assert.te bluetooth app requires net_admin for enabling bluetooth. 2013-03-21 21:01:57 +00:00
attributes Split internal and external sdcards 2013-03-22 15:26:39 -04:00
bluetooth.te am f766c4d9: Allow bluetooth users to use socket provided by bluetooth app. 2013-03-22 14:20:24 -07:00
bluetoothd.te SE Android policy. 2012-01-04 12:33:27 -05:00
cts.te read permission over lnk_file to devices when android_cts enabled 2012-07-30 16:02:36 -04:00
dbusd.te SE Android policy. 2012-01-04 12:33:27 -05:00
debuggerd.te Additions for grouper/JB 2012-08-10 06:25:52 -04:00
device.te watchdog security policy. 2013-03-19 22:48:38 +00:00
dhcp.te Various minor policy fixes based on CTS. 2013-03-22 15:27:02 -04:00
domain.te Allow domain search/getattr access to security file 2013-03-22 15:00:02 -04:00
drmserver.te Various minor policy fixes based on CTS. 2013-03-22 15:27:02 -04:00
file.te Split internal and external sdcards 2013-03-22 15:26:39 -04:00
file_contexts am 9c0f2df1: Merge changes I5a3584b6,Ic7252a8e,I2d4ace75 2013-03-22 14:20:25 -07:00
fs_use Support for ocontexts per device. 2012-07-12 10:02:45 -04:00
genfs_contexts Split internal and external sdcards 2013-03-22 15:26:39 -04:00
global_macros file class macro cleanup 2012-10-04 11:34:57 -07:00
gpsd.te Trusted Execution Environment policy. 2012-08-13 06:09:39 -04:00
hci_attach.te Policy for hci_attach service. 2012-05-31 09:40:12 -04:00
init.te SE Android policy. 2012-01-04 12:33:27 -05:00
initial_sid_contexts Restore devnull initial sid context. 2012-07-12 10:14:38 -04:00
initial_sids SE Android policy. 2012-01-04 12:33:27 -05:00
installd.te Add SELinux policy for asec containers. 2012-10-22 14:14:11 -04:00
kernel.te SE Android policy. 2012-01-04 12:33:27 -05:00
keystore.te Update policy for Android 4.2 / latest master. 2012-11-19 09:55:10 -05:00
mac_permissions.xml Revert "Dynamic insertion of pubkey to mac_permissions.xml" 2013-03-19 22:56:46 +00:00
mediaserver.te Various minor policy fixes based on CTS. 2013-03-22 15:27:02 -04:00
mls Add policy for run-as program. 2012-11-27 10:05:42 -08:00
mls_macros SE Android policy. 2012-01-04 12:33:27 -05:00
mtp.te allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access 2012-10-16 09:48:40 -04:00
net.te SE Android policy. 2012-01-04 12:33:27 -05:00
netd.te Create policy for PAN connections. 2013-03-22 15:05:44 -04:00
nfc.te Remove all denials caused by rild on tuna devices. 2012-06-07 11:52:51 -04:00
NOTICE Public domain notice 2012-06-19 07:29:55 -04:00
policy_capabilities SE Android policy. 2012-01-04 12:33:27 -05:00
port_contexts Support for ocontexts per device. 2012-07-12 10:02:45 -04:00
ppp.te Add ppp/mtp policy. 2012-08-20 06:19:36 -04:00
property.te Move policy files 2013-03-22 10:42:10 -07:00
property_contexts Move policy files 2013-03-22 10:42:10 -07:00
qemud.te SE Android policy. 2012-01-04 12:33:27 -05:00
radio.te Add policy for property service. 2012-04-04 10:11:16 -04:00
README Add BOARD_SEPOLICY_IGNORE 2013-03-21 02:55:49 +00:00
rild.te Split internal and external sdcards 2013-03-22 15:26:39 -04:00
roles Add explicit role declaration for newer checkpolicy versions. 2012-01-12 09:58:37 -05:00
runas.te Add policy for run-as program. 2012-11-27 10:05:42 -08:00
sdcardd.te Split internal and external sdcards 2013-03-22 15:26:39 -04:00
seapp_contexts Generalize levelFromUid support. 2013-03-20 01:39:25 +00:00
security_classes Add policy for property service. 2012-04-04 10:11:16 -04:00
selinux-network.sh Add selinux network script to policy 2012-06-21 09:19:43 -04:00
servicemanager.te Update binder-related policy. 2013-03-19 22:48:17 +00:00
shell.te Various minor policy fixes based on CTS. 2013-03-22 15:27:02 -04:00
su.te Revert "Include su.te only for userdebug/eng builds." 2012-11-01 13:17:29 -07:00
surfaceflinger.te Various minor policy fixes based on CTS. 2013-03-22 15:27:02 -04:00
system.te Various minor policy fixes based on CTS. 2013-03-22 15:27:02 -04:00
te_macros Move policy files 2013-03-22 10:42:10 -07:00
tee.te Trusted Execution Environment policy. 2012-08-13 06:09:39 -04:00
ueventd.te Remove all denials caused by rild on tuna devices. 2012-06-07 11:52:51 -04:00
unconfined.te Require entrypoint to be explicitly granted for unconfined domains. 2013-03-21 20:55:59 +00:00
users SE Android policy. 2012-01-04 12:33:27 -05:00
vold.te Split internal and external sdcards 2013-03-22 15:26:39 -04:00
watchdogd.te watchdog security policy. 2013-03-19 22:48:38 +00:00
wpa_supplicant.te Additions for grouper/JB 2012-08-10 06:25:52 -04:00
zygote.te Split internal and external sdcards 2013-03-22 15:26:39 -04:00

Policy Generation:

Additional, per-device policy files can be added to the
policy build.

They can be configured through the following variables:
1. BOARD_SEPOLICY_REPLACE
2. BOARD_SEPOLICY_UNION
3. BOARD_SEPOLICY_DIRS
4. BOARD_SEPOLICY_IGNORE

The variables should be set in the BoardConfig.mk file in
the device or vendor directories.

BOARD_SEPOLICY_UNION is a list of files that will be
"unioned", i.e. concatenated, at the END of their respective
file in external/sepolicy. Note that this is also the variable to
use for adding a file that has no counterpart in external/sepolicy.

BOARD_SEPOLICY_REPLACE is a list of files that will be
used instead of the corresponding file in external/sepolicy.

BOARD_SEPOLICY_DIRS contains a list of directories to search
for BOARD_SEPOLICY_UNION and BOARD_SEPOLICY_REPLACE files. Order
matters in this list.
e.g.) If you have BOARD_SEPOLICY_UNION := widget.te and there are 2
instances of widget.te on the BOARD_SEPOLICY_DIRS search path, the
first one found (in the first search dir containing the file)
gets processed first.
Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
will help sort out ordering issues.

It is an error to specify a BOARD_SEPOLICY_REPLACE file that does
not exist in external/sepolicy.

It is an error to specify a BOARD_SEPOLICY_REPLACE file that appears
multiple times on the policy search path defined by BOARD_SEPOLICY_DIRS,
unless the extra copies are filtered out via BOARD_SEPOLICY_IGNORE.
e.g.) if you specify shell.te in BOARD_SEPOLICY_REPLACE and
BOARD_SEPOLICY_DIRS is set to
"vendor/widget/common/sepolicy device/widget/x/sepolicy" and shell.te
appears in both locations, it is an error unless one of the two
copies is listed in BOARD_SEPOLICY_IGNORE. See BOARD_SEPOLICY_IGNORE
for more details.

It is an error to specify the same file name in both
BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION.

It is an error to specify BOARD_SEPOLICY_REPLACE when
BOARD_SEPOLICY_DIRS has no entries.

BOARD_SEPOLICY_IGNORE is a list of paths (directory + filename) of
files that are not to be included in the resulting policy. This list
is passed to filter-out to remove any paths you may want to ignore. This
is useful if you have numerous config directories that contain a file
and you want to NOT include a particular file in your resulting
policy file, either by UNION or REPLACE.
e.g.) Suppose the following:
     BOARD_SEPOLICY_DIRS := X Y
     BOARD_SEPOLICY_REPLACE := A
     BOARD_SEPOLICY_IGNORE := X/A

     Directories X and Y contain A.

     The resulting policy is created by using Y/A only, thus X/A was
     ignored.
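The following is an added example, not part of this policy tree or its Android.mk: a small POSIX shell model of how the four BOARD_SEPOLICY_* variables described above select and order per-device files, including the error cases the README lists. It builds a constructed directory tree in a temp dir (the README's X/Y/A ignore case, plus a few extra files for the REPLACE, UNION and unique-file cases); the file contents and the names B, shell.te, adbd.te and widget.te are placeholders chosen for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the AOSP sepolicy tree or its Android.mk: a small
# POSIX shell model of how the four BOARD_SEPOLICY_* variables select and
# order per-device policy files, including the error cases the README lists.
# The directory tree below is constructed sample data, created in a temp dir.

# in_list WORD LIST: succeed if WORD is one of the space-separated words in LIST.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# find_on_path NAME: print DIR/NAME for every search dir that contains NAME,
# in BOARD_SEPOLICY_DIRS order, skipping paths listed in BOARD_SEPOLICY_IGNORE
# (the README's filter-out step).
find_on_path() {
    fname=$1
    for d in $BOARD_SEPOLICY_DIRS; do
        p="$d/$fname"
        [ -f "$p" ] || continue
        in_list "$p" "$BOARD_SEPOLICY_IGNORE" && continue
        printf '%s\n' "$p"
    done
}

# sources_for NAME: print, in order, the files whose contents make up NAME in
# the generated policy.conf. Returns 1 (with a message on stderr) for each
# misconfiguration the README calls an error.
sources_for() {
    name=$1
    if in_list "$name" "$BOARD_SEPOLICY_REPLACE" && in_list "$name" "$BOARD_SEPOLICY_UNION"; then
        echo "error: $name listed in both BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION" >&2
        return 1
    fi
    if in_list "$name" "$BOARD_SEPOLICY_REPLACE"; then
        if [ -z "$BOARD_SEPOLICY_DIRS" ]; then
            echo "error: BOARD_SEPOLICY_REPLACE set but BOARD_SEPOLICY_DIRS is empty" >&2
            return 1
        fi
        if [ ! -f "$BASE/$name" ]; then
            echo "error: $name is not a file in $BASE, so it cannot be replaced" >&2
            return 1
        fi
        found=$(find_on_path "$name")
        set -- $found    # one positional arg per non-ignored match
        if [ $# -ne 1 ]; then
            echo "error: $name found $# times on the search path (want exactly 1)" >&2
            return 1
        fi
        printf '%s\n' "$1"
        return 0
    fi
    # Default: the external/sepolicy copy (if any) comes first, then every
    # UNION copy is appended in search-path order. A file unique to the
    # device tree therefore has to be in BOARD_SEPOLICY_UNION to be seen.
    [ -f "$BASE/$name" ] && printf '%s\n' "$BASE/$name"
    in_list "$name" "$BOARD_SEPOLICY_UNION" && find_on_path "$name"
    return 0
}

# setup_tree: build the README's BOARD_SEPOLICY_IGNORE example (dirs X and Y,
# replace A, ignore X/A) in a temp dir, plus extra constructed files for the
# other cases. Every file body is a placeholder comment.
setup_tree() {
    ROOT=$(mktemp -d)
    BASE="$ROOT/external/sepolicy"
    mkdir -p "$BASE" "$ROOT/X" "$ROOT/Y"
    for f in A B shell.te adbd.te; do echo "# base $f" > "$BASE/$f"; done
    for f in A B shell.te; do
        echo "# X $f" > "$ROOT/X/$f"
        echo "# Y $f" > "$ROOT/Y/$f"
    done
    echo "# X widget.te" > "$ROOT/X/widget.te"   # unique to the device tree
    BOARD_SEPOLICY_DIRS="$ROOT/X $ROOT/Y"
    BOARD_SEPOLICY_REPLACE="A shell.te"
    BOARD_SEPOLICY_UNION="widget.te B"
    BOARD_SEPOLICY_IGNORE="$ROOT/X/A"
}

# Usage: resolve each name and show the order policy.conf would use.
# shell.te is rejected: it is in REPLACE and appears in both X and Y with
# neither copy ignored.
setup_tree
for f in A B adbd.te widget.te shell.te; do
    echo "== $f"
    sources_for "$f" || echo "   (rejected)"
done
rm -rf "$ROOT"
```

Running it shows A resolved to Y/A only (X/A filtered out), B as the base copy followed by X/B then Y/B, adbd.te as the base copy alone, widget.te as the single device copy, and shell.te rejected. Compare the printed order with the real build's out/target/product/<device>/etc/sepolicy_intermediates/policy.conf when debugging ordering issues.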

Example BoardConfig.mk Usage:
From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk

BOARD_SEPOLICY_DIRS := \
        device/samsung/tuna/sepolicy

BOARD_SEPOLICY_UNION := \
        genfs_contexts \
        file_contexts \
        sepolicy.te