| 895b446e8b4844f2da7354e74d5d96cc7f4418f3 |
19-Sep-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Clean up libselinux logic for looking up seapp contexts entries.
Re-factor the logic shared by selinux_android_setfilecon2 and
selinux_android_setcontext into a common helper and replace the
use of getpwuid and username string parsing with direct use of
android_filesystem_config.h definitions. Also map isolated UIDs
to a separate isolated key so that we can label them differently
in the future if desired.
Change-Id: If2f9def21222588b440a6cedcceec0434f6797fd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
rc/android.c
|
| 4a655eca75a79149c25616c4a5a44f5b8d26b28f |
18-Sep-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Drop the use of a policy version suffix on the sepolicy file.
The policy version suffix support was carried over from conventional
Linux distributions, where we needed to support simultaneous installation
of multiple kernels and policies. This isn't required for Android, so
get rid of it and thereby simplify the policy pathname.
Requires a corresponding change to sepolicy.
Change-Id: I061607f5fe6457e469b4834da6fc659d7ddca6f9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
rc/android.c
|
| 8aeb5c5fd002c09d32f3151c17c645b85d1bb8e5 |
14-Sep-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Only check SELinux enabled status once in selinux_check_access().
Move the SELinux enabled check to the once handler so that we do
not perform this on each call to selinux_check_access(). Reduces
overhead in both the SELinux-enabled and the SELinux-disabled cases.
Change-Id: I61fe85bc04fe53cbf840ba712c81bdb06e4e0c2f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
rc/checkAccess.c
|
| 906742dfd76bf9f21bddbddc43966c2cc9b0da0e |
23-Aug-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Do not return the libselinux-private sehandle from selinux_android_file_context_handle().
rc/android.c
|
| 4d1d14fbe2960a5aaf5f7b3138bf9e11722d1130 |
23-Aug-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Only call regfree if regcomp was previously called on the regex.
rc/label_file.c
|
| ce4e2e6a0819b0a23d80fa137b5ee0e351aff855 |
23-Aug-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Handle naming for system uids running as secondary users.
Commit bf9441e in bionic introduced a new scheme for naming system uids
as secondary users (as part of multi-user support). Update the libselinux
logic to correctly map these identities for lookup purposes in the
seapp_contexts configuration file.
rc/android.c
|
| bee88b2041e0c5cb51dd707a9e508d8573907515 |
06-Aug-2012 |
rpcraig <rpcraig@tycho.ncsc.mil> |
Fix once synchronization control structure for file_contexts.
This is not needed when used within the reload scenerio. We
actually need the file_contexts to be read multiple times.
rc/android.c
|
| f1724a371be1678ebf79474ab9a390dd6a5c96c7 |
01-Aug-2012 |
rpcraig <rpcraig@tycho.ncsc.mil> |
Add sepolicy loading functionality.
These changes reflect changes made to init.
The sepolicy reload now happens in libselinux.
nclude/selinux/android.h
rc/android.c
|
| e8b0fd8c21a68fd0a7fcf656a7b6eae10e61c8e5 |
31-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Close the selinux netlink socket when we set the app context.
rc/android.c
|
| d181826941c365f66b00a7f5accfd42bc09c19d6 |
31-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Ensure that we only close the selinux netlink socket once.
rc/avc_internal.c
|
| 689383dc7dd425b6026c97d49642b0c608602577 |
30-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Handle EINTR correctly in avc_netlink_receive.
rc/avc_internal.c
|
| 09f69843a9991d35888b35f0bfa8de0b11a824b2 |
28-Jul-2012 |
William Roberts <bill.c.roberts@gmail.com> |
Allow non-matched apps to launch when no match found
Allows the zygote to still spawn apps in the zygote's
context when no match is found in seapp_contexts. In
enforcing mode, apps that are not matched will not be
spawned. A "No match" message will (still) be printed
to logcat.
Change-Id: Ibe362cc8e168be7acae5162c9ff6a310233fcbe6
rc/android.c
|
| 1b36ad00bfbea16ad4456a9fd715e594d57f2fd6 |
27-Jul-2012 |
William Roberts <bill.c.roberts@gmail.com> |
You can now specify a sebool= flag in seapp_contexts
The seapp rule will containing an sebool clause will
ONLY be applied on a match to that boolean,
and only if the boolean is set to true.
Change-Id: Ifdba35cd3a78ce1c8173786514db649203018e28
Signed-off-by: William Roberts <w.roberts@sta.samsung.com>
rc/android.c
|
| f77e60de67dbc84d06aa77adef6bdf80455ee9f5 |
27-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Revert "Allow zygote to spawn non matched apps in permissive mode"
This reverts commit 0beab96891a9ee1808b113479f167148cab5c998.
rc/android.c
|
| 0beab96891a9ee1808b113479f167148cab5c998 |
27-Jul-2012 |
William Roberts <bill.c.roberts@gmail.com> |
Allow zygote to spawn non matched apps in permissive mode
This patch will allow non-matched apps in seapp_contexts to
still be spawned via the zygote. An error message will be sent
to logcat.
Change-Id: I9fb5dcfeb384a26e6a01d69bffd2ef14af74c51c
Signed-off-by: William Roberts <w.roberts@sta.samsung.com>
rc/android.c
|
| 047228a2a446603b21daf5116b830390d0642274 |
27-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
include selinux/label.h for struct sehandle declaration.
nclude/selinux/android.h
|
| 9b10083ab40e78cce8cc2b940ce22db6d1095fc5 |
27-Jul-2012 |
rpcraig <rpcraig@tycho.ncsc.mil> |
Introduce new function to return sehandle.
Add function selinux_android_file_context_handle
that opens the correct file_contexts policy file
and returns the available sehandle object.
nclude/selinux/android.h
rc/android.c
|
| edfaad87e34e7a5bb691d45fd6df3e0b5ad0bb1a |
12-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Introduce selinux_android_setfilecon2 to support passing seinfo argument.
nclude/selinux/android.h
rc/android.c
|
| c9726aba339f3d935ff14c0734edf13116af3cbf |
11-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Fix handling of app id 0.
rc/android.c
|
| ba70ee4c5ab8026e97fce5c2452dfe588dfaac3e |
10-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add support for the new username mapping in JB, and backward compatibility.
ndroid.mk
rc/android.c
|
| fae1cf59f83fbca62f40b11638632076a288e85d |
19-Jun-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Public domain notice
OTICE
|
| a2e47cd90d84d48cde19575d044577a3fc7a4000 |
11-Jun-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Change selabel_open and label backends to take a const struct selinux_opt argument.
nclude/selinux/label.h
rc/label.c
rc/label_android_property.c
rc/label_file.c
rc/label_internal.h
|
| 52cd377a74a710b2476c6a4c46da8b59a0dce50d |
10-Apr-2012 |
The Android Open Source Project <initial-contribution@android.com> |
Merge from upstream libselinux
Change-Id: I1fd35714001e3fcf9022756334cbb89611ce5c66
|
| 3bc6d442097929a1579e91aa687d257b0cf82189 |
06-Apr-2012 |
Kenny Root <kroot@google.com> |
Revert "Do not build if HAVE_SELINUX=false."
We need to always build libselinux even if it's not being used by
anything in the system image. This makes sure some unrelated change
doesn't accidentally break libselinux.
This reverts commit 6670f53f78cd44a6cb484785b2837439e2ba9178.
ndroid.mk
|
| 35b01083fe5e34cbd318a78ef9b1a13432ae24d9 |
04-Apr-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Define and implement Android property selabel backend.
ndroid.mk
nclude/selinux/label.h
rc/label.c
rc/label_android_property.c
rc/label_internal.h
|
| 32ebfe869edfc32633cf4f2ee2b56b7d8ce97a19 |
20-Mar-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Check for /data/system/file_contexts first in restorecon.
rc/android.c
|
| 7446c917148c778315e511ad5c990492d3c8cdb8 |
19-Mar-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add selinux_android_seapp_context_reload() to support reloading of
seapp_contexts configuration upon updates, and introduce support for
loading it from /data/system or /.
nclude/selinux/android.h
rc/android.c
|
| 0ca91b300c711079816fa67b4148cac3cd1eef8c |
19-Mar-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add a selinux_android_restorecon interface for use by the frameworks.
nclude/selinux/android.h
rc/android.c
|
| 6670f53f78cd44a6cb484785b2837439e2ba9178 |
02-Feb-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Do not build if HAVE_SELINUX=false.
ndroid.mk
|
| d409de2efd8c6ddc3929d1a5b79ab3163b65542c |
24-Jan-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Drop src/callbacks.h from LOCAL_COPY_HEADERS.
ndroid.mk
|
| cc3d76d1b717805740126aec7e0343f5a240cfbe |
24-Jan-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Support for building the host library on MacOS X.
ndroid.mk
rc/init.c
|
| 273c4c63a7314db7da4bc8312e80a39470a7f663 |
18-Jan-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Move SELINUXMNT definition to public selinux.h for use by init.
nclude/selinux/selinux.h
rc/policy.h
|
| f074036424618c130dacb3464465a8b40bffef58 |
04-Jan-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Port of libselinux to Android.
ndroid.mk
nclude/selinux/android.h
nclude/selinux/avc.h
nclude/selinux/context.h
nclude/selinux/label.h
nclude/selinux/selinux.h
rc/android.c
rc/avc.c
rc/avc_internal.c
rc/avc_internal.h
rc/avc_sidtab.c
rc/avc_sidtab.h
rc/booleans.c
rc/callbacks.c
rc/callbacks.h
rc/canonicalize_context.c
rc/checkAccess.c
rc/check_context.c
rc/compute_av.c
rc/compute_create.c
rc/context.c
rc/context_internal.h
rc/disable.c
rc/dso.h
rc/enabled.c
rc/fgetfilecon.c
rc/freecon.c
rc/fsetfilecon.c
rc/get_initial_context.c
rc/getenforce.c
rc/getfilecon.c
rc/getpeercon.c
rc/init.c
rc/label.c
rc/label_file.c
rc/label_internal.h
rc/lgetfilecon.c
rc/load_policy.c
rc/lsetfilecon.c
rc/mapping.c
rc/mapping.h
rc/policy.h
rc/policyvers.c
rc/procattr.c
rc/selinux_internal.h
rc/selinux_netlink.h
rc/setenforce.c
rc/setfilecon.c
rc/stringrep.c
|