cfb6f3523159d87d444ace1b4c24fa09a11b31f0 |
|
14-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
build: run neverallow checks on platform sepolicy This will prevent us from breaking our own neverallow rules in the platform sepolicy regardless of vendor policy adding exceptions to the neverallow rules using "*_violators" attributes Bug: 62616897 Bug: 62343727 Test: Build policy for sailfish Test: Build policy with radio to rild socket rule enabled for all and ensure the build fails Change-Id: Ic66ec3e10c76a7c9a17669e0d3deb3a1c7b00809 Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/Android.mk
|
b236eb6ca204cefcb926e19bd5682f9dcad4021d |
|
13-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Build split file_contexts for recovery [ 7.674739] selinux: selinux_android_file_context: Error getting file context handle (No such file or directory) Bug: 62564629 Test: build and flash marlin. Successfully switch between regular and recovery modes Change-Id: I0f871f8842d95322c844fb7b13ad1b4b42578e35
/system/sepolicy/Android.mk
|
7a68c5ae4ca81778f222c2817b698463878e5700 |
|
08-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Move non-treble devices to split file_contexts This change is primarily to fix CTS which checks file ordering of file_contexts. Having two separate means of loading file_contexts has resulted in ordering variations. Previously the binary file_contexts was preferred since it loaded faster. However with the move to libpcre2, there is no difference in loading time between text and binary file_contexts. This leaves us with build system complexity with no benefit. Thus removing this unnecessary difference between devices. Bug: 38502071 Test: build and boot non-Treble Bullhead, run CTS tests below Test: build and boot Treble Marlin, run CTS tests below Test: cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi arm64-v8a \ --module CtsSecurityHostTestCases \ -t android.security.cts.SELinuxHostTest#testAospFileContexts Test: cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi arm64-v8a \ --module CtsSecurityHostTestCases \ -t android.security.cts.SELinuxHostTest#testValidFileContexts Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1
/system/sepolicy/Android.mk
|
1fc0682ec629d10c5c48714def2fc96369977169 |
|
01-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Run Treble sepolicy tests at build time Bug: 37008075 Test: build policy on Marlin Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544 (cherry picked from commit e1ddc6df75d61dd8dc9a1ea00e1da60389f55556)
/system/sepolicy/Android.mk
|
51455fe9773e5b3e920e149c6fc48e34b2ab1327 |
|
23-May-2017 |
Dan Cashman <dcashman@google.com> |
Restrict BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to one dir. These directories were added to allow for partner extensions to the android framework without needing to add changes to the AOSP global sepolicy. There should only ever be one owner of the framework and corresponding updates, so enforce this restriction to prevent accidental accrual of policy in the system image. Bug: 36467375 Test: Add public and private files to policy and verify that they are added to the appropriate policy files. Also test that specifying multiple directories for public or private results in an error. Change-Id: I397ca4e7d6c8233d1aefb2a23e7b44315052678f Merged-In: I397ca4e7d6c8233d1aefb2a23e7b44315052678f (cherry picked from commit 1633da06afc155342b66c581668f52951a1278d7)
/system/sepolicy/Android.mk
|
1b0a71f308a18ab31147ea34c692f4fe7f4d7066 |
|
08-May-2017 |
Dan Cashman <dcashman@google.com> |
Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS Add new build variables for partner customization (additions) to platform sepolicy. This allows partners to add their own policy without having to touch the AOSP sepolicy directories and potentially disrupting compatibility with an AOSP system image. Bug: 36467375 Test: Add public and private files to sailfish policy and verify that they are added to the appropriate policy files, but that the policy is otherwise identical. Also add private/mapping/*.cil files in both locations and change the BOARD_SEPOLICY_VERS to trigger use of prebuilt mapping files and verify that they are appropriately combined and built in policy. Change-Id: I38efe2248520804a123603bb050bba75563fe45c Merged-In: I38efe2248520804a123603bb050bba75563fe45c (cherry picked from commit f893700c73f2e4e13385f11edcacf563f59b63c5)
/system/sepolicy/Android.mk
|
4816b8f00a129d0245d369fe34ac88dd82e566c6 |
|
04-May-2017 |
Ian Pedowitz <ijpedowitz@google.com> |
Revert "Revert "O is API 26"" This reverts commit 6b04a961b491d31368eab2924d84d3259330faf3. Bug: 37480230 Bug: 37896931 Bug: 37355569 Change-Id: I24ee1b4f0f23262cae25b2f575da9f16f4ebec34
/system/sepolicy/Android.mk
|
6b04a961b491d31368eab2924d84d3259330faf3 |
|
04-May-2017 |
Ian Pedowitz <ijpedowitz@google.com> |
Revert "O is API 26" This reverts commit 8713882bb8d082f997fa68b75606caa48a45862d. Reason for revert: b/37355569 Bug: 37480230 Bug: 37896931 Bug: 37355569 Change-Id: Ic07d948fd0b4a0a8434e1f4f0c8e559c4258cf5e
/system/sepolicy/Android.mk
|
8713882bb8d082f997fa68b75606caa48a45862d |
|
02-May-2017 |
Michael Wright <michaelwr@google.com> |
O is API 26 Bug: 37480230 Bug: 37896931 Test: build, boot Change-Id: Ib8d4309d37b8818163a17e7d8b25155c4645edcf
/system/sepolicy/Android.mk
|
5edd96d915ef98dc92f21bd303bca5ee82b0f54a |
|
25-Apr-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Android.mk: fix dependency typo Bug: 37646565 Test: build marlin-userdebug Change-Id: I3325d027fa7bdafb48f1f53ac052f2a68352c1dc
/system/sepolicy/Android.mk
|
b87876937b8ed73063fd44800beb86f3dd7079be |
|
22-Apr-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Retain neverallow rules in CIL files Fixes issue where attributes used exclusively in neverallow rules were removed from policy. For on-device compile use the -N flag to skip neverallow tests. Policy size increases: vendor/etc/selinux/nonplat_sepolicy.cil 547849 -> 635637 vendor/etc/selinux/precompiled_sepolicy 440248 -> 441076 system/etc/selinux/plat_sepolicy.cil 567664 -> 745230 For a total increase in system/vendor: 266182. Boot time changes: Pixel uses precompiled policy so boot time is not impacted. When forcing on-device compile on Marlin selinux policy compile time increases 510-520 ms -> 550-560 ms. Bug: 37357742 Test: Build and boot Marlin. Test: Verify both precompiled and on-device compile work. Change-Id: Ib3cb53d376a96e34f55ac27d651a6ce2fabf6ba7
/system/sepolicy/Android.mk
|
748cae865d3aa1755c59b8cffbe4c1a7eb7ac363 |
|
13-Apr-2017 |
Jeff Vander Stoep <jeffv@google.com> |
secilc: expand generated attributes on non-treble devices Attributes added to the policy by the policy compiler are causing performance issues. Telling the compiler to expand these auto-generated attributes to their underlying types prevents preemption during policy lookup. Bug: 3650825 Test: Build and boot Bullhead Change-Id: I9a33f5efb1e7c25d83dda1ea5dfe663b22846a2f
/system/sepolicy/Android.mk
|
9bdb66b25ce55ee53fc57cafed291d004cbbd619 |
|
13-Apr-2017 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "secilc: expand generated attributes" into oc-dev
|
f6daa78a82ea11f0fbbeb22ed7150066f664fd07 |
|
13-Apr-2017 |
Martijn Coenen <maco@google.com> |
Merge "Add hwservice_contexts and support for querying it." into oc-dev
|
3ea47b9249d4f9a4a90cae7867a119cbfdb7d4b6 |
|
08-Apr-2017 |
Martijn Coenen <maco@google.com> |
Add hwservice_contexts and support for querying it. hwservicemanager can check hwservice_contexts files both from the framework and vendor partitions. Initially, have a wildcard '*' in hwservice_contexts that maps to a label that can be added/found from domain. This needs to be removed when the proper policy is in place. Also, grant su/shell access to hwservicemanager list operations, so tools like 'lshal' continue to work. Bug: 34454312 Test: Marlin boots Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc
/system/sepolicy/Android.mk
|
ac171b44372ad506fecf1cd0399db2fa9fd1289f |
|
13-Apr-2017 |
Jeff Vander Stoep <jeffv@google.com> |
secilc: expand generated attributes Attributes added to the policy by the policy compiler are causing performance issues. Telling the compiler to expand these auto-generated attributes to their underlying types prevents preemption during policy lookup. With this patch the number of attributes in policy drops from 845 to 475. The number of attributes assigned to the bluetooth domain drops from 41 to 11. Bug: 3650825 Test: Build and boot Marlin Change-Id: Ica06e82001eca323c435fe13c5cf4beba74999e2
/system/sepolicy/Android.mk
|
4d24a77551d30369542ac15e48e02f3ae582d0e6 |
|
12-Apr-2017 |
Dan Cashman <dcashman@google.com> |
Fix build part 2. Always create platform_mapping_file. commit 552fb537129e9b446e79af53216c08d15e69144e fixed an undefined module error by removing the module when not defined (on non-treble devices), but the sepolicy build on non-treble devices was changed to rely on the split treble files, even though the split is not used. Change this so that the file is always present, to allow policy compilation. Test: policy fully builds. Change-Id: Ia0934c739336cea54228bbff8d6644aa3ae501e5
/system/sepolicy/Android.mk
|
552fb537129e9b446e79af53216c08d15e69144e |
|
12-Apr-2017 |
Dan Cashman <dcashman@google.com> |
Fix build: encase $(platform_mapping_file) module in treble block. Specifying an empty module causes a build error, so make sure that if there is no $(platform_mapping_file) the MODULE is not included. Test: Makefiles parsed without error. Change-Id: Ie99e6534c388a3d42bf90cdfef5ee64d5c640fa0
/system/sepolicy/Android.mk
|
6bf50e5c14a45088680ba5af971bf08657c343f5 |
|
12-Apr-2017 |
Dan Cashman <dcashman@google.com> |
Remove BOARD_SEPOLICY_VERS_DIR build variable. The original purpose of BOARD_SEPOLICY_VERS_DIR was to allow the specification of an alternate platform public policy, primarily for testing purposes. This should not be a part of the released platform, since the only public policy and corresponding mapping file construction should be based on the current public platform policy, with compatibility with vendor policy targeting previous versions provided by static mapping files. Its continued presence muddles the generation of mapping files by potentially introducing a situation in which an incorrect mapping file is generated. Remove it. Bug: 36783775 Test: Device boots with compiled SELinux policy (SHA256s don't match for precompiled policy). Change-Id: I9e2100a7d709c9c0949f4e556229623961291a32
/system/sepolicy/Android.mk
|
c8d4535cc2a7691dd0a3562008a03a72b43f560c |
|
11-Apr-2017 |
Dan Cashman <dcashman@google.com> |
Change recovery to static platform-only compilation. Recovery is not meant to be versioned in the treble model, but rather provided as part of the platform/framework component and self-sufficient. Simplify its compilation by removing the attribute versioning steps, but maintain device-specific policy, which is currently required for full functionality. Bug: 37240781 Bug: 36783775 Test: recovery boots and is able to select commands. Also tried: reboot system, boot to bootloader, factory reset, sideload, view logs, run graphics test, and power off. Change-Id: I637819844d9a8ea5b315404f4abd03e8f923303a
/system/sepolicy/Android.mk
|
4f9a648e90ed95716224b96348805accd27f4f51 |
|
10-Apr-2017 |
Dan Cashman <dcashman@google.com> |
Change mapping file name to reflect its platform version. As the platform progresses in the split SELinux world, the platform will need to maintain mapping files back to previous platform versions to maintain backwards compatibility with vendor images which have SELinux policy written based on the older versions. This requires shipping multiple mapping files with the system image so that the right one can be selected. Change the name and location of the mapping file to reflect this. Also add a file to the vendor partition indicating which version is being targeted that the platform can use to determine which mapping file to choose. Bug: 36783775 Test: Force compilation of sepolicy on-device with mapping file changed to new location and name, using the value reported on /vendor. Change-Id: I93ab3e52c2c80c493719dc3825bc731867ea76d4
/system/sepolicy/Android.mk
|
6f14f6b7d957d4001160438882fb5cb7b09e399e |
|
08-Apr-2017 |
Dan Cashman <dcashman@google.com> |
Add PLATFORM_SEPOLICY_VERSION. Create PLATFORM_SEPOLICY_VERSION, which is a version string to represent the platform sepolicy of the form "NN.m" where "NN" mirrors the PLATFORM_SDK_VERSION and "m" is a policy-based minor version that is incremented with every policy change that requires a new backward-compatible mapping file to be added to allow for future-proofing vendor policy against future platform policy. Bug: 36783775 Test: Device boots when sha256 doesn't match and compilation is forced. Change-Id: I4edb29824f2050a5a6e1bc078c100cf42e45c303
/system/sepolicy/Android.mk
|
86123070836ede84a7db9a47d8367363975dd322 |
|
08-Apr-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "sepolicy_version: change current version to NN.m format" into oc-dev
|
42f95984b501f39cd5f8270b5854a985d1b6d528 |
|
07-Apr-2017 |
Sandeep Patil <sspatil@google.com> |
sepolicy_version: change current version to NN.m format The sepolicy version takes SDK_INT.<minor> format. Make sure our 'current' policy version reflects the format and make it '100000.0'. This ensures any vendor.img compiled with this will never work with a production framework image either. Make version_policy replace the '.' in version by '_' so secilc is happy too. This unblocks libvintf from giving out a runtime API to check vendor's sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will eventually be picked up from the build system. Bug: 35217573 Test: Build and boot sailfish. Boot sailfish with sepolicy compilation on device. Signed-off-by: Sandeep Patil <sspatil@google.com> Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
/system/sepolicy/Android.mk
|
df720941965e56ef394de73c0de5c59b4e372f18 |
|
07-Apr-2017 |
Alex Klyubin <klyubin@google.com> |
Merge "Preserve treble-only flag for CTS neverallows" into oc-dev
|
446279a6b9bcc9689c73c5e27f3f4757e1edd661 |
|
06-Apr-2017 |
Alex Klyubin <klyubin@google.com> |
Preserve treble-only flag for CTS neverallows CTS includes general_sepolicy.conf built from this project. CTS then tests this file's neverallow rules against the policy of the device under test. Prior to this commit, neverallow rules which must be enforced only for Treble devices were not included into general_sepolicy.conf. As a result, these rules were not enforced for Treble devices. This commit fixes the issue as follows. Because CTS includes only one policy, the policy now contains also the rules which are only for Treble devices. To enable CTS to distinguish rules needed for all devices from rules needed only on Treble devices, the latter rules are contained in sections delimited with BEGIN_TREBLE_ONLY and END_TREBLE_ONLY comments. This commit also removes the unnecessary sepolicy.general target. This target is not used anywhere and is causing trouble because it is verifying neverallows of the policy meant to be used by CTS. This policy can no longer be verified with checkpolicy without conditionally including or excluding Treble-only neverallows. Test: mmm system/sepolicy Test: Device boots -- no new denials Bug: 37082262 Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf
/system/sepolicy/Android.mk
|
ee97662f17c278b7988857162ea0f11b9afcf707 |
|
07-Apr-2017 |
Martijn Coenen <maco@google.com> |
Fix checkfc options order. darwin's getopt() doesn't like putting arguments in the wrong order. Test: Mac/Linux builds Change-Id: If632e9077c1b5714f91c5adaa04afb4963d9b0f5
/system/sepolicy/Android.mk
|
d48d54a3a103a001301c9decc4ba3a09cb9c2d12 |
|
06-Apr-2017 |
Martijn Coenen <maco@google.com> |
Modify checkfc to check (vnd|hw)service_manager_type. added checkfc options 'l' and 'v' to verify hwservice_manager_type and vndservice_manager_type on service context files, respectively. The checkfc call to verify the new hwservice_contexts files will be added together with hwservicemanager ACL CLs later. Bug: 34454312 Bug: 36052864 Test: device boots, works Change-Id: Ie3b56da30be47c95a6b05d1bc5e5805acb809783
/system/sepolicy/Android.mk
|
0e9c47c0af92005ea81772e82663865f1a3572b3 |
|
04-Apr-2017 |
Dan Cashman <dcashman@google.com> |
Move mapping_sepolicy.cil to /system partition. This is a necessary first step to finalizing the SELinux policy build process. The mapping_sepolicy.cil file is required to provide backward compatibility with the indicated vendor-targeted version. This still needs to be extended to provide N mapping files and corresponding SHA256 outputs, one for each of the N previous platform versions with which we're backward-compatible. Bug: 36783775 Test: boot device with matching sha256 and non-matching and verify that device boots and uses either precompiled or compiled policy as needed. Also verify that mapping_sepolicy.cil has moved. Change-Id: I5692fb87c7ec0f3ae9ca611f76847ccff9182375
/system/sepolicy/Android.mk
|
6676c234fc6a634cdf5231a3e33b3edc075daa51 |
|
01-Apr-2017 |
Martijn Coenen <maco@google.com> |
Add target for vndservice_contexts. So we can limit vndservicemanager access to just vndservice_contexts. Bug: 36052864 Test: servicemanager,vndservicemanager work Change-Id: I7b132d4f616ba1edd0daf7be750d4b7174c4e188
/system/sepolicy/Android.mk
|
d4a3e9dd485ebd37b4e323098ae08cd0dc38e942 |
|
23-Mar-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Create selinux_policy phony target Moves selinux policy build decisions to system/sepolicy/Android.mk. This is done because the PRODUCT_FULL_TREBLE variable isn't available in embedded.mk and TARGET_SANITIZE isn't available to dependencies of init. Test: Build/boot Bullhead PRODUCT_FULL_TREBLE=false Test: Build/boot Marlin PRODUCT_FULL_TREBLE=true Test: Build Marlin TARGET_SANITIZE=address. Verify asan rules are included in policy output. Bug: 36138508 Change-Id: I20a25ffdfbe2b28e7e0f3e090a4df321e85e1235
/system/sepolicy/Android.mk
|
5d0c2e417b5dd527ec22faaffe9b8dd28ba4c35e |
|
23-Mar-2017 |
William Roberts <william.c.roberts@intel.com> |
build: stop generating $T/file_contexts secilc is being used without -f which is causing a file_contexts file to be generated in the root of the tree where the build tools run: $ stat $T/file_contexts File: 'file_contexts' Size: 0 Blocks: 0 IO Block: 4096 regular empty file Device: fc00h/64512d Inode: 5508958 Links: 1 Access: (0664/-rw-rw-r--) Uid: ( 1000/wcrobert) Gid: ( 1000/wcrobert) Access: 2017-03-23 11:23:41.691538047 -0700 Modify: 2017-03-23 11:23:41.691538047 -0700 Change: 2017-03-23 11:23:41.691538047 -0700 Test: remove $T/file_contexts, touch a policy file and make sepolicy, ensure file is not regenerated. Also, ensure hikey builds and boots. Change-Id: I0d15338a540dba0194c65a1436647c7d38fe3c79 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
7cda44f49f8b128f6a4673174220b4825024f654 |
|
21-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Mark all clients of Allocator HAL This change associates all domains which are clients of Allocator HAL with hal_allocator_client and the, required for all HAL client domains, halclientdomain. This enables this commit to remove the now unnecessary hwallocator_use macro because its binder_call(..., hal_allocator_server) is covered by binder_call(hal_allocator_client, hal_allocator_server) added in this commit. Unfortunately apps, except isolated app, are clients of Allocator HAL as well. This makes it hard to use the hal_client_domain(..., hal_allocator) macro because it translates into "typeattribute" which currently does not support being provided with a set of types, such as { appdomain -isolated_app }. As a workaround, hopefully until typeattribute is improved, this commit expresses the necessary association operation in CIL. private/technical_debt.cil introduced by this commit is appended into the platform policy CIL file, thus ensuring that the hack has effect on the final monolithic policy. P. S. This change also removes Allocator HAL access from isolated_app. Isolated app shouldn't have access to this HAL anyway. Test: Google Play Music plays back radios Test: Google Camera records video with sound and that video is then successfully played back with sound Test: YouTube app plays back clips with sound Test: YouTube in Chrome plays back clips with sound Bug: 34170079 Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
/system/sepolicy/Android.mk
|
f5446eb1486816c00136b2b5f0a3cc4a01706000 |
|
23-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
/system/sepolicy/Android.mk
|
7443484831a858848d71b95c3e9fa4e96dcbf830 |
|
13-Mar-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Grant additional permissions for ASAN builds ASAN builds may require additional permissions to launch processes with ASAN wrappers. In this case, system_server needs permission to execute /system/bin/sh. Create with_asan() macro which can be used exclusively on debug builds. Note this means that ASAN builds with these additional permissions will not pass the security portion of CTS - like any other debug build. Addresses: avc: denied { execute } for name="sh" dev="dm-0" ino=571 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0 tclass=file Test: lunch aosp_marlin-userdebug; cd system/sepolicy; mm SANITIZE_TARGET=address; Verify permissions granted using with_asan() are granted. Test: lunch aosp_marlin-userdebug; cd system/sepolicy; mm; Verify permissions granted using with_asan() are not granted. Test: lunch aosp_marlin-user; cd system/sepolicy; mm SANITIZE_TARGET=address; Verify permissions granted using with_asan() are not granted. Bug: 36138508 Change-Id: I6e39ada4bacd71687a593023f16b45bc16cd7ef8
/system/sepolicy/Android.mk
|
d2053bd024139d9993a3bfa9b81fd4e68b9bc865 |
|
15-Mar-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Specify intermediates dir for sepolicy Policy intermediates are being placed in seemingly random intermediates directories. Currently: out/target/product/marlin/obj_arm/SHARED_LIBRARIES/libsoftkeymaster_intermediates Instead, place intermediates in the sepolicy_intermediates dir. Test: intermediates now placed in: out/target/product/marlin/obj/ETC/sepolicy_intermediates Test: Marlin builds, no change to sepolicy on device. Bug: 36269118 Change-Id: Ib6e9d9033be4dc8db0cc66cb47d9dc35d38703fe
/system/sepolicy/Android.mk
|
e8243518a7f8ddbc510c4d197f6a7c0b4091ce4f |
|
15-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Remove unused /selinux_version This file is no longer needed because it was needed for supporting reloadable/dynamic SELinux policy which is no longer supported. Test: Clean build, flash, device boots without additional denials. Reboot to recovery works, no additional denials. Bug: 33642277 Change-Id: I7fffe2fd12f586ed9b3ae54e35d17abdebbe7bce
/system/sepolicy/Android.mk
|
ec6f393d0761c04fa9783ba7b176cc61b72be2fe |
|
15-Mar-2017 |
Xin Li <delphij@google.com> |
Fix build under GitC client. Test: build Bug: 36229129 Change-Id: I0654ce44f344729b0bb1f8716afa151e134fdc6a
/system/sepolicy/Android.mk
|
9d59041f63b22f3d1b59faa9afeb5bf2a02e3e17 |
|
08-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Correct location of property_contexts for TREBLE devices This makes the build system, for TREBLE devices only, place plat_property_contexts under /system/etc/selinux and nonplat_property_contexts under /vendor/etc/selinux. For other devices these files are placed under /, same as before. This change was previously reverted because it affected the location of property_contexts in recovery. Now that we have separate targets for recovery (see ec78c377c006040d14d92f5b1a1a52da779f20aa), this change no longer affects recovery. Test: *_property_contexts in correct locations when PRODUCT_FULL_TREBLE is set to true and when it is set to false. Test: cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check \ --abi arm64-v8a --module CtsSecurityHostTestCases \ -t android.security.cts.SELinuxHostTest#testAospPropertyContexts This test was performed on bullhead (non A/B device) and sailfish (A/B device). Test: Clean build, flash, device boots with no additional denials. Rebooting to recovery, recovery boots fine with no denials. This test was performed on bullhead (non A/B device) and sailfish (A/B device). Bug: 36002573 (cherry picked from commit 4cb628a3be61efbd2abf8e92d38710d76ef828f3) Change-Id: I0b145c58669fb31bc39d57f36eef1190425a8328
/system/sepolicy/Android.mk
|
ec78c377c006040d14d92f5b1a1a52da779f20aa |
|
10-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Targets for artifacts needed by recovery This ensures that SELinux policy artifacts needed by recovery at runtime have targets in this build script. This is to make recoveryimage/bootimage targets depend on these artifacts explicitly, which reduces the element of surprise. Moreover, this enables us to move non-recovery artifacts around without affecting recovery artifacts. Test: Clean build, flash, device boots just fine, no new denials. Reboot to recovery, recovery boots just fine, no denials. This was tested on bullhead (non A/B device) and sailfish (A/B device). Bug: 33642277 Change-Id: I3c494d9d7fec5c4f487d38964e572757fcf67f57
/system/sepolicy/Android.mk
|
bba9e7b92d903629c57dee02aa3675b27480a122 |
|
11-Mar-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Split mac_permissions.xml to /system and /vendor Test: Build and boot Marlin Test: See the following in the logs: 01-01 02:10:28.756 1345 1345 D SELinuxMMAC: Using policy file /system/etc/selinux/plat_mac_permissions.xml 01-01 02:10:28.787 1345 1345 D SELinuxMMAC: Using policy file /vendor/etc/selinux/nonplat_mac_permissions.xml Bug: 36003167 Change-Id: If17490a2a5d94bfea1fa6d282282d45d67e207e9
/system/sepolicy/Android.mk
|
0cb417a6392c63e9670c2718fcb5e2f485d9baa4 |
|
08-Mar-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Move split file_contexts to /system and /vendor Build file_contexts.bin on legacy builds. Test: Marlin and Bullhead build and boot with no new denials. Test: Marlin and Bullhead recovery boots with no new denials. Test: Bullhead boots with file_contexts.bin in / Test: Marlin boot with /system/etc/selinux/plat_file_contexts and /vendor/etc/selinux/nonplat_file_contexts. Bug: 36002414 Change-Id: Ide8498b3c86234d2f93bb22a7514d132c33067d6
/system/sepolicy/Android.mk
|
84aa74218421f8d2dbad1408ba114f680331ace0 |
|
10-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Remove unnecessary recovery-related targets Recovery should always use monolithic policy. Thus, we don't need split policy files *.recovery.cil. This commit removes these targets and rolls up the relevant parts of the targets into "sepolicy.recovery" which is the target which produces monolithic policy for recovery. Test: make clean && make sepolicy.recovery, then confirm that sepolicy.recovery is identical to the one produced prior to this change. Test: Clean build, flash, device boots up fine, no new denials. Device also boots into recovery just fine, no denials. Bug: 31363362 Change-Id: I7f698abe1f17308f2f03f5ed1b727a8b071e94c7
/system/sepolicy/Android.mk
|
935ddb20c196fa8ee177abde9bd15401a5a1b3fc |
|
10-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Revert "Correct location of property_contexts for TREBLE devices" This reverts commit 4cb628a3be61efbd2abf8e92d38710d76ef828f3. Reason for revert: recovery image on marlin & sailfish no longer contained *property_contexts and thus recovery failed to boot. Test: Clean build, flash, sailfish and bullhead boot up just fine, and boot into recovery just fine. Bug: 36002573 Bug: 36108354 Change-Id: I2dffd80764f1a464327747d35a58691b24cff7a7
/system/sepolicy/Android.mk
|
4e3a4c7b21f48eec2413d20e317d7d41d3fb0c0f |
|
09-Mar-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Move service and seapp contexts to /system and /vendor Test: Build and boot Marlin and Bullhead. Test: Contexts split between /system and /vendor on Marlin. Remains stored in / on Bullhead. Bug: 36002816 Bug: 36002427 Change-Id: I922bcbc0cc2c08e312cf942ee261951edfa8d4e2
/system/sepolicy/Android.mk
|
4cb628a3be61efbd2abf8e92d38710d76ef828f3 |
|
08-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Correct location of property_contexts for TREBLE devices This makes the build system, for TREBLE devices only, place plat_property_contexts under /system/etc/selinux and nonplat_property_contexts under /vendor/etc/selinux. For other devices these files are placed under /, same as before. Test: *_property_contexts in correct locations when PRODUCT_FULL_TREBLE is set to true and when it is set to false. Bug: 36002573 Change-Id: I7e30e64918bb3ee671fa8c7a2e30ed96a9cc1ad7
/system/sepolicy/Android.mk
|
193dccda7922e3cfdcbbd19da93960335ca0d224 |
|
07-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Precompiled kernel policy for on-device use This adds build targets for outputting precompiled kernel policy usable on devices with policy split between system and vendor partitions. On such devices, precompiled policy must reside on the vendor partition. Because such devices support updating these partitions independently of each other, the precompiled policy must reference the system partition's policy against which it was compiled. This enables init to establish whether the precompiled policy is valid for the current combination of system and vendor partitions. The referencing is performed by both the system and vendor partitions including the SHA-256 digest of the system partition's policy (plat_sepolicy.cil). Only when the digest is the same on both partitions can the precompiled policy be used. Test: plat_sepolicy.cil.sha256 contains exactly the hex form of the SHA-256 digest of plat_sepolicy.cil Test: plat_sepolicy.cil.sha256 is identical to precompiled_sepolicy.plat.sha256. Bug: 31363362 Change-Id: I9771e1aa751e25bba6e2face37d68e0ae43b33a3
/system/sepolicy/Android.mk
|
87ae5f7dbd894ad72da05bae6f3381c0eae190b7 |
|
07-Mar-2017 |
Jeff Vander Stoep <jeffv@google.com> |
assert plat neverallows on nonplat seapp_contexts With the plat/nonplat policy split, nonplat_seapp_contexts should still be checked against the plat_seapp_contexts_neverallows during build time to ensure no violations occur. Test: stock aosp_marlin builds. Test: name=foo.bar seinfo=default fails (as expected) in nonplat policy Test: name=foo.bar seinfo="" fails (as expected) in nonplat policy Bug: 36002816 Change-Id: I95b2c695b23e2bdf420575d631e85391e93fc869
/system/sepolicy/Android.mk
|
052b0bbb267d7629770184a6c53dd59a1eb0b671 |
|
02-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Move split sepolicy to correct locations This moves the CIL files comprising the split sepolicy to the directories/partitions based on whether the file is part of platform/system or non-platform/vendor. In particular: * plat_sepolicy.cil is moved to /system/etc/selinux, * nonplat_sepolicy.cil is moved to /vendor/etc/selinux, and * mapping_sepolicy.cil is moved to /vendor/etc/selinux. Test: Device boots, no additional denials. The test is performed both for a device without the CIL files and with the three CIL files. Bug: 31363362 Change-Id: Ia760d7eb32c80ba72f6409da75d99eb5aae71cd9
/system/sepolicy/Android.mk
|
8f7173b01601040ae17810d07dea37a895f94ddd |
|
25-Feb-2017 |
Alex Klyubin <klyubin@google.com> |
Test CIL policy when building it Prior to this commit, there was a bug in generated CIL where it wouldn't compile using secilc. The reason was that the build script was stripping out all lines containing "neverallow" from CIL files, accidentally removing lines which were not neverallow statements, such as lmx lines referencing app_neverallows.te. The commit fixes the build script's CIL neverallow filter to filter out only neverallow* statements, as originally intended. Moreover, to catch non-compiling CIL policy earlier in the future, this commit runs secilc on the policy at build time. In particular, it tests that platform policy compiles on its own and that nonplatform + platform + mapping policy compiles as well. Test: CIL policy builds and compiles on-device using secilc Bug: 31363362 Change-Id: I769aeb3d8c913a5599f1a2195c69460ece7f6465
/system/sepolicy/Android.mk
|
5596172d23a799d4131f36822e8afe817f2cf017 |
|
31-Jan-2017 |
Alex Klyubin <klyubin@google.com> |
Device-agnostic policy for vendor image Default HAL implementations are built from the platform tree and get placed into the vendor image. The SELinux rules needed for these HAL implementations to operate thus need to reside on the vendor partition. Up to now, the only place to define such rules in the source tree was the system/sepolicy/public directory. These rules are placed into the vendor partition. Unfortunately, they are also placed into the system/root partition, which thus unnecessarily grants these rules to all HAL implementations of the specified service, default/in-process shims or not. This commit adds a new directory, system/sepolicy/vendor, whose rules are concatenated with the device-specific rules at build time. These rules are thus placed into the vendor partition and are not placed into the system/root partition. Test: No change to SELinux policy. Test: Rules placed into vendor directory end up in nonplat* artefacts, but not in plat* artefacts. Bug: 34715716 Change-Id: Iab14aa7a3311ed6d53afff673e5d112428941f1c
/system/sepolicy/Android.mk
|
a86316e85215de0e8bcd9920035af1a2d1f5a4cc |
|
28-Dec-2016 |
Sandeep Patil <sspatil@google.com> |
property_context: split into platform and non-platform components. Bug: 33746484 Test: Successfully boot with original service and property contexts. Successfully boot with split service and property contexts. Change-Id: I87f95292b5860283efb2081b2223e607a52fed04 Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/Android.mk
|
e4665d7f85c7ee550f24d1799c09eb87a229b5c9 |
|
20-Jan-2017 |
Alex Klyubin <klyubin@google.com> |
Fix bugs in *_file_contexts targets This fixes the following issues introduced in commit d225b6979db89959c272b4351fb05363a7a18ea7: * plat_file_contexts was empty because the target was referencing system/sepolicy/private/file_contexts via a misspelled variable name. * plat_file_contexts wasn't marked as dirty and thus wasn't rebuilt when system/sepolicy/private/file_contexts changed. This is because the file_contexts dependency was referenced via a misspelled variable name. * plat_file_contexts wasn't sorted (as opposed to other similar targets, such as nonplat_file_contexts and file_contexts.bin). This may lead to unnecessary non-determinism. * nonplat_file_contexts wasn't marked dirty and thus wasn't rebuilt when device-specific file_contexts file(s) changed. This is because the file_contexts files were referenced via a misspelled variable name. Test: "make plat_file_contexts" produces a non-empty file containing mappings from system/sepolicy/private/file_contexts Test: "make plat_file_contexts" updates output when system/sepolicy/private/file_contexts changes Test: "make plat_file_contexts" produces output which is sorted according to rules in fc_sort Test: "make nonplat_file_contexts" updates output when device/lge/bullhead/sepolicy/file_contexts changes (tested on aosp_bullhead-eng) Bug: 31363362 Change-Id: I540555651103f02c96cf958bb93618f600e47a75
/system/sepolicy/Android.mk
|
aa03ef26214767cc53d21be40d3027fc69684551 |
|
18-Jan-2017 |
Jorim Jaggi <jjaggi@google.com> |
Revert "property_context: split into platform and non-platform components." This reverts commit 262edc382ae4da130b211203bf05c03179794616. Fixes: 34370523 Change-Id: I077d064d4031d40bc48cb39eba310e6c16b9627d
/system/sepolicy/Android.mk
|
262edc382ae4da130b211203bf05c03179794616 |
|
28-Dec-2016 |
Sandeep Patil <sspatil@google.com> |
property_context: split into platform and non-platform components. Bug: 33746484 Test: Successfully boot with original service and property contexts. Successfully boot with split service and property contexts. Change-Id: I7881af8922834dc69b37dae3b06d921e05206564 Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/Android.mk
|
a058b569e4c7204a756ccb3fc4f23b17042a8f43 |
|
28-Dec-2016 |
Sandeep Patil <sspatil@google.com> |
service_context: split into platform and non-platform components. Bug: 33746484 Test: Successfully boot with original service and property contexts. Successfully boot with split service and property contexts. Change-Id: Ide67d37d85273c60b9e387e72fbeb87be6da306a Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/Android.mk
|
9c038072231ea475cf0dc7a378f930e9b06e8dac |
|
22-Dec-2016 |
Dan Cashman <dcashman@google.com> |
Split seapp_contexts into plat and nonplat components. Bug: 33746381 Test: Device boots with no extra denials. Change-Id: I2f0da92367851142e0d7df4afec8861ceaed9d3e
/system/sepolicy/Android.mk
|
d225b6979db89959c272b4351fb05363a7a18ea7 |
|
12-Dec-2016 |
dcashman <dcashman@google.com> |
Split file_contexts for on-device compilation. Simulate platform and non-platform split by compiling two different file_contexts files and loading them together on-device. Leave the existing file_contexts.bin in place until we're ready to build images based on the new files. Bug: 31363362 Test: Builds and boots without additional denials. Change-Id: I7248f876e2230cee3b3cbf386422063da1e3dde0 Bring back file_contexts.bin. Change-Id: Ifec2c363579151080fdec48e8bc46bbbc8c97674 Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/Android.mk
|
c5c3abc6bc14357fa3c537094514d2a23bac21e3 |
|
05-Dec-2016 |
Richard Uhler <ruhler@google.com> |
Remove option for non-pic dex preopt. Test: make checkbuild, aosp_bullhead-userdebug boots. Bug: 33192586 Change-Id: I386df8b6c04fb162f79a4409801ce3e882026ea8
/system/sepolicy/Android.mk
|
52b759777b628c1d8734e0444940e0907beda4e7 |
|
20-Dec-2016 |
Steven Moreland <smoreland@google.com> |
Remove ENABLE_TREBLE from sepolicy. Enabling/disabling sepolicy based on ENABLE_TREBLE is not granular enough (ref: b/32978887 #4). Bug: 32978887 Test: compiles, doesn't cause any additional denials on device. Nothing depends on these things I'm removing. Change-Id: I10acbde16e5e2093f2c9205ed79cd20caed7f44d
/system/sepolicy/Android.mk
|
65d01349a00e15a4bed55fc685e43b9058c480a4 |
|
17-Dec-2016 |
Daniel Cashman <dcashman@google.com> |
Revert "Move sepolicy and recovery from on-device tree and add dependency." This reverts commit cf5c6ecb93931ca5853b9954979d785d259453ce. Change-Id: Ie86a6ac20ab5a1611efc0e167c0430eb9df9482e
/system/sepolicy/Android.mk
|
cf5c6ecb93931ca5853b9954979d785d259453ce |
|
16-Dec-2016 |
Dan Cashman <dcashman@google.com> |
Move sepolicy and recovery from on-device tree and add dependency. Prevent sepolicy and sepolicy.recover from showing up in the root filesystem when they will not be created as part of it. Also make sure both are added as dependencies to version_policy to ensure the neverallow checks are run. Bug: 31363362 Test: Builds and boots, including recovery, without additional denials. Neverallow violations still caught at build time. Change-Id: I39e3cbc150551c9316952523927d057538cd00a7
/system/sepolicy/Android.mk
|
1c0402779552e497900db0a649068019ce023dfb |
|
16-Dec-2016 |
Dan Cashman <dcashman@google.com> |
Switch recovery to versioned policy and split into components. And do some clean up: Replace LOCAL_TARGET_ARCH with global arch specifier that won't get clobbered, clean up sepolicy.recovery's eng specification, ensure that build macros are applied across all policy generation, not just plat_policy, and make sure that all private variables are cleared and alphabetized at the end. Bug: 31363362 Bug: 31369363 Test: Boot into recovery and observe no selinux denials. Change-Id: Ibc15b097f6d19acf01f6b22bee0e083b15f4ef75
/system/sepolicy/Android.mk
|
90b3b948971a01a2a8b83edcbf07ae493bd43bab |
|
14-Dec-2016 |
dcashman <dcashman@google.com> |
Split mac_permissions.xml into plat and non-plat components. Bug: 31363362 Test: Bullhead and Sailfish both build and boot w/out new denials. Change-Id: If6a451ddaab8c9b78a618c49b116a7ed766d0710
/system/sepolicy/Android.mk
|
1faa644c81e90cfd226bb7e43cde68e309c10790 |
|
28-Nov-2016 |
dcashman <dcashman@google.com> |
Split policy for on-device compilation. Simulate platform and non-platform split by sending the split files to the device to be compiled by init. Bug: 31363362 Test: Policy builds on-device and boots. sediff shows no difference. Change-Id: I9627d1c66ca37786d97a049666278a4992ad7579
/system/sepolicy/Android.mk
|
07791558051d0ffbbb6ac015cd4f195455695523 |
|
07-Dec-2016 |
dcashman <dcashman@google.com> |
Restore checkfc and neverallow checks. Bug: 33388095 Test: Builds and boots. Change-Id: Ief9064a16fc733bed54eb76f509ff5aaf5db4baf
/system/sepolicy/Android.mk
|
2e00e6373faa6271d7839d33c5b9e69d998ff020 |
|
12-Oct-2016 |
dcashman <dcashman@google.com> |
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
/system/sepolicy/Android.mk
|
2899434716e069231d67133927bed25c9e27bcbc |
|
21-Nov-2016 |
Jorge Lucangeli Obes <jorgelo@google.com> |
Add WITH_DEXPREOPT_PIC to 'with_dexpreopt' SELinux macro. |WITH_DEXPREOPT_PIC = false| will still cause code to be loaded from /data. Bug: 32970029 Test: On HiKey and Marlin: Test: Add |WITH_DEXPREOPT_PIC = false|, see SELinux denial. Test: Apply this CL, no SELinux denials. Change-Id: I0a1d39eeb4d7f75d84c1908b879d9ea1ccffba74
/system/sepolicy/Android.mk
|
84db84e6cdc6a04ac85fb4413c813412c0dea600 |
|
18-Nov-2016 |
Jorge Lucangeli Obes <jorgelo@google.com> |
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
/system/sepolicy/Android.mk
|
d733d161cfd7b73e3d3087ca086abb646790fd1b |
|
19-Oct-2016 |
Jeff Vander Stoep <jeffv@google.com> |
Add macros for treble and non-treble only policy Test: builds Change-Id: Idd1d90a89a9ecbb2738d6b483af0e8479e87aa15
/system/sepolicy/Android.mk
|
cc39f637734a8d84bc861b649bfd109290c06401 |
|
22-Jul-2016 |
dcashman <dcashman@google.com> |
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
/system/sepolicy/Android.mk
|
5807d1d2b9bc1355acd7bec3dc7afe8227751f5b |
|
29-Jul-2016 |
Douglas Leung <douglas.leung@imgtec.com> |
Fix ioctl defines for Mips. This patch allows mips to boot in enforcing mode. Change-Id: Ia4676db06adc3ccb20d5f231406cf4ab67317496
/system/sepolicy/Android.mk
|
7d9487c996d21a2025c19440d03fe215e5f4e3fb |
|
19-Jul-2016 |
William Roberts <william.c.roberts@intel.com> |
Merge "service_contexts: strip blank lines and comments" am: afad0c35ec Change-Id: Id4a4937cc3b7c2ddd6d363144e6fafc90be60498
|
a584f2f6cd1958293a383ccdde57e75edf0a546a |
|
15-Jul-2016 |
William Roberts <william.c.roberts@intel.com> |
Merge "property_contexts: strip blank lines and comments" am: ee69a2e775 Change-Id: If61f5720180243ec1b5aa9e16d66c95c37f49b88
|
c9fce3fa595592fed96e0294bce55199c8582c7b |
|
06-Apr-2016 |
William Roberts <william.c.roberts@intel.com> |
service_contexts: strip blank lines and comments Strip whitespace and comments from service_context files to reduce size. On an aosp_x86_64 build it saves 36 bytes. However, on builds with more synclines and comments, further space savings can be realized. Change-Id: I3cb4effad1d1b404bf53605a3793e3070cb95651 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
371918c1fe8ce33c358a1f79c7babea596cd7fff |
|
06-Apr-2016 |
William Roberts <william.c.roberts@intel.com> |
property_contexts: strip blank lines and comments Strip whitespace and comments from property_context files to reduce size. On an aosp_x86_64 build it saves 851 bytes. However, on builds with more synclines and comments, further space savings can be realized. Change-Id: I43caf1deaab53d4753c835918898c8982f477ef0 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
2f7b0514fa4973a27bef06d84294207b29c11884 |
|
17-May-2016 |
Shinichiro Hamaji <hamaji@google.com> |
Merge "Add keys to prerequisites of mac_permissions.xml" am: d1eb0ede9c am: a8f65aa156 * commit 'a8f65aa156331487153456ed111b7feb1434355e': Add keys to prerequisites of mac_permissions.xml Change-Id: I9b6f11e61f31ec6c11ec35283eff4936b66497f9
|
ef0c14d3a2a469081a99111e48a3d421d4fe8d5b |
|
13-May-2016 |
Shinichiro Hamaji <hamaji@google.com> |
Add keys to prerequisites of mac_permissions.xml Bug: 27954979 Change-Id: Ia0403e2dc2726523a41742e23beff29b47274392
/system/sepolicy/Android.mk
|
3116b83f834fd34e2ac31a5ba9d422b425892901 |
|
02-Mar-2016 |
Nick Kralevich <nnk@google.com> |
suppress unnecessary makefile output am: 6ef10bd48b am: 1274aa15d4 * commit '1274aa15d415ea317c48b321445583bf25999b6a': suppress unnecessary makefile output
|
6ef10bd48b09ae0cb371c9d9f161c3b3b8f003fc |
|
01-Mar-2016 |
Nick Kralevich <nnk@google.com> |
suppress unnecessary makefile output checkpolicy spits out a bunch of unnecessary lines during normal operation, which bloat the logs and hide other more important warnings. Suppress the normal output. SELinux compile time errors are printed to stderr, and are unaffected by this change. Change-Id: I07f2cbe8afcd14abf1c025355a169b5214ed5c6e
/system/sepolicy/Android.mk
|
6710e5c377a8f955be9d06fad96b0befa6605d06 |
|
27-Feb-2016 |
Nick Kralevich <nnk@google.com> |
Don't allow permissive SELinux domains on user builds. am: bca98efa57 am: 0551e9e8d4 * commit '0551e9e8d4764578d7304d695ba20040a6e0ea0b': Don't allow permissive SELinux domains on user builds.
|
bca98efa575bedab68f2d5eaee2cd1fd1741962b |
|
27-Feb-2016 |
Nick Kralevich <nnk@google.com> |
Don't allow permissive SELinux domains on user builds. It's a CTS requirement that all SELinux domains be in enforcing mode. Add the same assertion to the build system when targeting user builds. In particular, this avoids a situation where device integrity checking is enabled on user builds, but permissive denials are being generated, causing the device to unexpectedly reboot into safe mode. A developer wanting to put an SELinux domain into permissive mode for userdebug/eng purposes can write the following in their policy: userdebug_or_eng(` permissive foo; ') Bug: 26902605 Bug: 27313768 Change-Id: Ic0971d9e96a28f2a98f9d56a547661d24fb81a21
/system/sepolicy/Android.mk
|
7a294027177e46a2025933d9ce8ab99135b74825 |
|
15-Jan-2016 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge changes from topic 'fc_sort-2' am: 87a73f199a am: af77ab6b13 * commit 'af77ab6b136b0c4d44e912bbd2b98f958f7ceb45': fc_sort: initial commit checkfc: do not die on 0 length fc's
|
49693f1b4d7871e0e6ce2576fa68541ecb6d1f03 |
|
04-Jan-2016 |
William Roberts <william.c.roberts@intel.com> |
fc_sort: initial commit Ordering matters in fc files; the last match wins. In builds where many BOARD_SEPOLICY_DIRS are set, the order of that list becomes increasingly important in order to maintain a cohesive built file_contexts. To correct this, we sort the device specific file_contexts entries with the upstream fc_sort tool. Change-Id: I3775eae11bfa5905cad0d02a0bf26c76ac03437c Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
b9053767ab46d587dc7e1ea3e0a6c93e598b9433 |
|
15-Jan-2016 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Revert "fc_sort: initial commit"" am: 5de7574a59 am: 62871e5874 * commit '62871e5874e6b1663c732c7f2a2b2d6b36604534': Revert "fc_sort: initial commit"
|
b1fb7e4037831a0e6f0fc474c5058cf47292f6a0 |
|
15-Jan-2016 |
Jeffrey Vander Stoep <jeffv@google.com> |
Revert "fc_sort: initial commit" Breaks builds with no device specific policy. Bug: 26568553 This reverts commit 29d146887eacf432b90c0ae460060f79d84dbaca. Change-Id: If9254d4ad3f104a96325beedebc05dd22664084a
/system/sepolicy/Android.mk
|
a654d9f3aadaba09f476bef9671130aa7f1b7f3e |
|
14-Jan-2016 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "fc_sort: initial commit" am: 2dea4525f3 am: faddabe6f5 * commit 'faddabe6f58f30f81938b928597ee7a792c34984': fc_sort: initial commit
|
29d146887eacf432b90c0ae460060f79d84dbaca |
|
04-Jan-2016 |
William Roberts <william.c.roberts@intel.com> |
fc_sort: initial commit Ordering matters in fc files; the last match wins. In builds where many BOARD_SEPOLICY_DIRS are set, the order of that list becomes increasingly important in order to maintain a cohesive built file_contexts. To correct this, we sort the device specific file_contexts entries with the upstream fc_sort tool. Change-Id: Id79cc6f434c41179d5c0d0d739c4718918b0b1dc Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
9aa378ec3165c7a80b43dda718e4e2e779a67646 |
|
04-Jan-2016 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Reduce socket ioctl perms"
|
cbaa2b7d37c0810009cc0ffa4026334b4bf3096e |
|
22-Dec-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Reduce socket ioctl perms Reduce the socket ioctl commands available to untrusted/isolated apps. Neverallow accessing sensitive information or setting of network parameters. Neverallow access to device private ioctls i.e. device specific customizations as these are a common source of driver bugs. Define common ioctl commands in ioctl_defines. Bug: 26267358 Change-Id: Ic5c0af066e26d4cb2867568f53a3e65c5e3b5a5d
/system/sepolicy/Android.mk
|
efeac86de4ca327eaab3725e28449e94e033d0f1 |
|
29-Dec-2015 |
Daniel Cashman <dcashman@google.com> |
Merge changes from topic 'sepolicy-makefile-cleanup' am: 1e5b7a1962 am: 26f06d172d * commit '26f06d172dc2b55c42b1543c7ef02563241efce1': Android.mk: cleanse all set but not unset variables Android.mk: clean dependencies and clear variables
|
50a478ef72a91eb52797bec322c6cbaf58382da3 |
|
29-Dec-2015 |
William Roberts <william.c.roberts@intel.com> |
Android.mk: cleanse all set but not unset variables Discovered by diffing the set of "set variables" with the set of "cleared variables". Script: mydir=$(mktemp -d) grep -E '(^[a-z].)[a-z0-9_\.]*\s*:?=.' Android.mk | cut -d' ' -f 1-1 | sort | uniq > $mydir/set_vars grep -E '(^[a-z].)[a-z0-9_\.]*\s*:?=$' Android.mk | cut -d' ' -f1-1 | sort | uniq > $mydir/unset_vars diff $mydir/set_vars $mydir/unset_vars rm -rf $mydir Change-Id: Ib50abac6b417a1bcc1894d9a7bafdbdca371006a Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
46749752e5e64834bfeeb03b5346b8b82ce099e2 |
|
29-Dec-2015 |
William Roberts <william.c.roberts@intel.com> |
Android.mk: clean dependencies and clear variables Dependencies being built with newline files in between were also including the list of files without the newlines, thus make would have to process 3n-1 files instead of 2n-1 where n is the number of files to process. Additionally the *_with_nl variables were not being cleared out and polluting Make's global name-space. Change-Id: I76ea1a3dfae994b32991730aea7e4308da52a583 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
4b412232c11c24797f72c395fd4c333828f05443 |
|
17-Dec-2015 |
William Roberts <william.c.roberts@intel.com> |
sectxfile_nl: fix superfluous dependencies am: cb1ab9858e am: aeb403f233 * commit 'aeb403f233ada241a099777ccd0ef3b007e935e2': sectxfile_nl: fix superfluous dependencies
|
cb1ab9858e4f44ee87c4a86f1cc9e858b8b36475 |
|
14-Dec-2015 |
William Roberts <william.c.roberts@intel.com> |
sectxfile_nl: fix superfluous dependencies The target sectxfile_nl, which is an auto-generated newline file, has dependencies on itself and the other files. The dependencies should be on the other files and this newline file, not the other way around. Ideally, the *_contexts recipes should have the dependency recorded for their "contexts" files and the newline file. Additionally, recipe dependencies for building the *_contexts files depended on the list of all the contexts files with the newline file in that list, however an additional explicit addition of the newline file was also added in. Remove this, since it's in the full list of files. Change-Id: Iac658923f23a8d9263d392c44003b6bda4064646 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
e927937f2d54936a340044ef036a0001d5cb09e9 |
|
16-Dec-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "checkfc: add attribute test" am: d48773ab3e am: c435b7590b * commit 'c435b7590bd7d7f0594d48976fe931d1f6c07f32': checkfc: add attribute test
|
ad3cb39e54040e5a03328d8006f428579d1654e0 |
|
25-Sep-2015 |
William Roberts <william.c.roberts@intel.com> |
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file it's checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
edb41d8744dac18f738523cde7275a88dea8a8c6 |
|
13-Dec-2015 |
Nick Kralevich <nnk@google.com> |
Merge "Ensure newlines are added between context config files" am: d6765a99f3 am: 5cfd34957e * commit '5cfd34957e48cd79e53fbfb8aa4acf1d53f8f638': Ensure newlines are added between context config files
|
c8801fec63a785be65808e70232ea241c779fcb5 |
|
11-Dec-2015 |
Richard Haines <richard_c_haines@btinternet.com> |
Ensure newlines are added between context config files When multiple file_contexts, service_contexts and property_contexts are processed by the m4(1) macro processor, they will fail if one or more of the intermediate files' final line is not terminated by a newline. This patch adds an intervening file only containing a newline. Change-Id: Ie66b32fe477d08c69e6d6eb1725f658adc384ce4 Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
/system/sepolicy/Android.mk
|
3a0ce49b8623299ac7458306b30bda6adda12383 |
|
07-Dec-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Migrate to upstream policy version 30 Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow priv_sock_perms to disallow access to MAC address and ESSID. Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
/system/sepolicy/Android.mk
|
4f9107df8f691164c56f86fa1d352c63b28bd02b |
|
08-Dec-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
Revert "Migrate to upstream policy version 30" This reverts commit 2ea23a6e1ade883ba81f58b364109c4da94ba584. Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
/system/sepolicy/Android.mk
|
5ca5696e8b656466a9d46b13d7ab18a13d8c1bba |
|
08-Dec-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
Revert "Migrate to upstream policy version 30" This reverts commit 2ea23a6e1ade883ba81f58b364109c4da94ba584. Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
/system/sepolicy/Android.mk
|
2ea23a6e1ade883ba81f58b364109c4da94ba584 |
|
07-Dec-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Migrate to upstream policy version 30 Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow priv_sock_perms to disallow access to MAC address and ESSID. Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
/system/sepolicy/Android.mk
|
0fc831c3b0b8d9a4e10d0931131a0eed06cd4275 |
|
29-Jul-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Temporarily downgrade to policy version number Temporarily move from policy version 30 to 29 until device kernels and prebuilts are all upgraded to the accepted upstream version of the selinux ioctl command whitelisting code. (cherry picked from commit 89765083f7da758ff5a5910027ea48ce065fe2fd) Bug: 22846070 Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4
/system/sepolicy/Android.mk
|
f88e31ea90effd77a5af326780f952b5191cb67b |
|
02-Oct-2015 |
William Roberts <william.c.roberts@intel.com> |
am 7fc865a4: service_contexts: don't delete intermediate on failure * commit '7fc865a4caec1a2ced41918449e34596f50f8c43': service_contexts: don't delete intermediate on failure
|
630fd5d80c887b987c231d3f8923c272171ef870 |
|
02-Oct-2015 |
William Roberts <william.c.roberts@intel.com> |
am dcffd2b4: property_contexts: don't delete intermediate on failure * commit 'dcffd2b482a625a99233d82019d7b96919c41600': property_contexts: don't delete intermediate on failure
|
0f1b1f353b09560d0e52bcec2e6f66c5fb82756e |
|
02-Oct-2015 |
Colin Cross <ccross@android.com> |
am 9eb6c874: Revert "property_contexts: don't delete intermediate on failure" * commit '9eb6c87439da2b00699f644a8b8c335bf8cd9680': Revert "property_contexts: don't delete intermediate on failure"
|
2a41cb70a7e3ab987422443855c17a97ec61d3e0 |
|
02-Oct-2015 |
Colin Cross <ccross@android.com> |
am efcaecab: Revert "service_contexts: don't delete intermediate on failure" * commit 'efcaecab4eb075fdc69942e6915999458fb5f88b': Revert "service_contexts: don't delete intermediate on failure"
|
4f821319f7ef3a60800171390c41c4678009d96b |
|
02-Oct-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
am 23c42c38: Merge "service_contexts: don't delete intermediate on failure" * commit '23c42c389b07f6ebda69ca8e834c27b27460879a': service_contexts: don't delete intermediate on failure
|
89c1fd25822c7f0720d409d2e0e4782e001b4cfe |
|
02-Oct-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
am e6e94762: Merge "property_contexts: don't delete intermediate on failure" * commit 'e6e947622514bdf0b80bf093c0df1a7d9ae12c37': property_contexts: don't delete intermediate on failure
|
7fc865a4caec1a2ced41918449e34596f50f8c43 |
|
29-Sep-2015 |
William Roberts <william.c.roberts@intel.com> |
service_contexts: don't delete intermediate on failure When service_contexts fails to build, the file is deleted leaving only the error message for debugging. Build service_contexts and general variant as a temporary intermediate before running checkfc. Change-Id: Ib9dcbf21d0a28700d500cf0ea4e412b009758d5d Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
dcffd2b482a625a99233d82019d7b96919c41600 |
|
29-Sep-2015 |
William Roberts <william.c.roberts@intel.com> |
property_contexts: don't delete intermediate on failure When property_contexts fails to build, the file is deleted leaving only the error message for debugging. Build property_contexts and general variant as a temporary intermediate before running checkfc. Change-Id: Ia86eb0480c9493ceab36fed779b2fe6ab85d2b3d Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
9eb6c87439da2b00699f644a8b8c335bf8cd9680 |
|
01-Oct-2015 |
Colin Cross <ccross@android.com> |
Revert "property_contexts: don't delete intermediate on failure" This reverts commit 7f81b337bc600251b37de2dfa70c47781a2f2d3c. Change-Id: I79834d0ef3adbf2eed53b07d17160876e2a999c6
/system/sepolicy/Android.mk
|
efcaecab4eb075fdc69942e6915999458fb5f88b |
|
01-Oct-2015 |
Colin Cross <ccross@android.com> |
Revert "service_contexts: don't delete intermediate on failure" This reverts commit f6ee7a521942036ef7f5c0f6bc74520509934141. Change-Id: I4f1396e6e4aeecd1109f9c24494c6e82645c0663
/system/sepolicy/Android.mk
|
f6ee7a521942036ef7f5c0f6bc74520509934141 |
|
29-Sep-2015 |
William Roberts <william.c.roberts@intel.com> |
service_contexts: don't delete intermediate on failure When service_contexts fails to build, the file is deleted leaving only the error message for debugging. Build service_contexts and general variant as a temporary intermediate before running checkfc. Change-Id: Ib9c9247d36e6a6406b4df84d10e982921c07d492 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
7f81b337bc600251b37de2dfa70c47781a2f2d3c |
|
29-Sep-2015 |
William Roberts <william.c.roberts@intel.com> |
property_contexts: don't delete intermediate on failure When property_contexts fails to build, the file is deleted leaving only the error message for debugging. Build property_contexts and general variant as a temporary intermediate before running checkfc. Change-Id: I431d6f4494fa119c1873eab0e77f0eed3fb5754e Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
92461b61698e4a62ff698c35fee1d98aee6ec626 |
|
28-Sep-2015 |
William Roberts <william.c.roberts@intel.com> |
am 3746a0ae: file_contexts: don't delete intermediate on failure * commit '3746a0ae63a56a6b18fabd3e89bfe4760a1691e3': file_contexts: don't delete intermediate on failure
|
3746a0ae63a56a6b18fabd3e89bfe4760a1691e3 |
|
25-Sep-2015 |
William Roberts <william.c.roberts@intel.com> |
file_contexts: don't delete intermediate on failure Currently, if an error is detected in a file_contexts file, the intermediate file_context.tmp file is removed, thus making debugging of build issues problematic. Instead, employ checkfc tool during the compilation recipe so the m4 concatenated intermediate is preserved on failure. Change-Id: Ic827385d3bc3434b6c2a9bba5313cd42b5f15599 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
b49f5cf83f84beae0cbcf52111a4c3040493ff4d |
|
19-Sep-2015 |
Ivan Krasin <krasin@google.com> |
am 9aa41303: asan: update condition to work with multiple SANITIZE_TARGET values. * commit '9aa413036bde2c80c25b381bd685ab05f8390127': asan: update condition to work with multiple SANITIZE_TARGET values.
|
9aa413036bde2c80c25b381bd685ab05f8390127 |
|
18-Sep-2015 |
Ivan Krasin <krasin@google.com> |
asan: update condition to work with multiple SANITIZE_TARGET values. The goal is to enable SANITIZE_TARGET='address coverage', which will be used by LLVMFuzzer. Bug: 22850550 Change-Id: I953649186a7fae9b2495159237521f264d1de3b6
/system/sepolicy/Android.mk
|
4d526d86756bff4f3bdff9771b479d251613ae82 |
|
13-Aug-2015 |
William Roberts <william.c.roberts@intel.com> |
am 031e5ce9: Android.mk: Cleanup GENERAL_*_CONTEXTS variables * commit '031e5ce9c5cd3334cd2a09645cb03306fb552494': Android.mk: Cleanup GENERAL_*_CONTEXTS variables
|
dc858fe64da2d238569a28e153d469b6d6ace6f5 |
|
13-Aug-2015 |
William Roberts <william.c.roberts@intel.com> |
am 6aabc1c7: Android.mk: drop polluting variables * commit '6aabc1c77b98d0ce8e13871047504afb90108733': Android.mk: drop polluting variables
|
031e5ce9c5cd3334cd2a09645cb03306fb552494 |
|
13-Aug-2015 |
William Roberts <william.c.roberts@intel.com> |
Android.mk: Cleanup GENERAL_*_CONTEXTS variables Change-Id: Ic70a1208b67fe3961871cdeb39369c2ed3e0ce28 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
6aabc1c77b98d0ce8e13871047504afb90108733 |
|
30-Jul-2015 |
William Roberts <william.c.roberts@intel.com> |
Android.mk: drop polluting variables Some of the ALL_*_FILES variables remained that were used in a way that could not be cleared. Move them to lower case variants and use a build recipe PRIVATE_*_FILES variable. This avoids polluting the global namespace. Change-Id: I83748dab48141af7d3f10ad27fc9319eaf90b970 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
32bbafc1943a74645a7435beb841e0436e3ea628 |
|
13-Aug-2015 |
Richard Haines <richard_c_haines@btinternet.com> |
am c2d01914: Update Android.mk to support file_contexts.bin * commit 'c2d01914d12b1c153b5ef32293079764a4342169': Update Android.mk to support file_contexts.bin
|
c2d01914d12b1c153b5ef32293079764a4342169 |
|
06-Aug-2015 |
Richard Haines <richard_c_haines@btinternet.com> |
Update Android.mk to support file_contexts.bin This change supports external/libselinux changes to implement PCRE formatted binary file_contexts and general_file_contexts.bin files. The $(intermediates) directory will contain the original text file (that is no longer used on the device) with a .tmp extension as well as the .bin file to aid analysis. A CleanSpec.mk file is added to remove the old file_contexts file. Change-Id: I75a781100082c23536f70ce3603f7de42408b5ba Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
/system/sepolicy/Android.mk
|
10c1e872cccc0a26f5d14fa5a79965c5e47f3c05 |
|
11-Aug-2015 |
Dan Willemsen <dwillemsen@google.com> |
am bc2a49f2: Don't assume ordering of * commit 'bc2a49f24726faec8699ad2eefa73ccbdc7ff3d5': Don't assume ordering of $(wildcard ...)
|
bc2a49f24726faec8699ad2eefa73ccbdc7ff3d5 |
|
11-Aug-2015 |
Dan Willemsen <dwillemsen@google.com> |
Don't assume ordering of $(wildcard ...) There are no guarantees on the order of the results from a call to the wildcard function. In fact, the order usually changes between make 3.81 and make 4.0 (and kati). Instead, sort the results of wildcard in each sepolicy directory, so that directory order is preserved, but content ordering is reliable. Change-Id: I1620f89bbdd2b2902f2e0c40526e893ccf5f7775
/system/sepolicy/Android.mk
|
deb2f8b5f7dbb8360cf1b90bf17c9c7e3d925c41 |
|
27-Jul-2015 |
William Roberts <william.c.roberts@intel.com> |
am d2185582: Android.mk: Add support for BOARD_SEPOLICY_M4DEFS * commit 'd21855824d178abea9ac93376757c7aed765cd83': Android.mk: Add support for BOARD_SEPOLICY_M4DEFS
|
d21855824d178abea9ac93376757c7aed765cd83 |
|
16-Jul-2015 |
William Roberts <william.c.roberts@intel.com> |
Android.mk: Add support for BOARD_SEPOLICY_M4DEFS Allow device builders to pass arbitrary m4 definitions during the build via make variable BOARD_SEPOLICY_M4DEFS. This enables OEMs to define their own static policy build conditionals. Change-Id: Ibea1dbb7b8615576c5668e47f16ed0eedfa0b73c Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
07039d386aa7bdb5c10115308fd9abbac0cccf93 |
|
23-Jul-2015 |
Colin Cross <ccross@android.com> |
am 29a463d5: Use build fingerprint from file * commit '29a463d5d594a1b83288eff2da1f8829a69d3d46': Use build fingerprint from file
|
29a463d5d594a1b83288eff2da1f8829a69d3d46 |
|
17-Jul-2015 |
Colin Cross <ccross@android.com> |
Use build fingerprint from file Improve incremental ninja builds by keeping the command line the same across builds. Change-Id: Iedbaa40c9f816f91afc8f073a9ed7f9ffd5d9a53
/system/sepolicy/Android.mk
|
457e446fe7353ca3520fb16063ee9d26a8f136b4 |
|
16-Jul-2015 |
Nick Kralevich <nnk@google.com> |
am 1a6e29e2: Merge "android.mk: drop duplicate spaces" * commit '1a6e29e251ead902509e4ff25fdfdcaf023d860e': android.mk: drop duplicate spaces
|
85402534f353ecbe1b627e4178ab1a871b16cbd3 |
|
16-Jul-2015 |
William Roberts <william.c.roberts@intel.com> |
android.mk: drop duplicate spaces Change-Id: Iae3edba40a94f78e78c0cc89a03e3f5a098d3909 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
b2420cf4ece072d36d118cf43a3e2af355ff30ae |
|
10-Jul-2015 |
William Roberts <william.c.roberts@intel.com> |
am ffc86bea: Correct local variables for file_contexts_asan * commit 'ffc86bea0e38147a9330177708aedbccd603627a': Correct local variables for file_contexts_asan
|
ffc86bea0e38147a9330177708aedbccd603627a |
|
29-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
Correct local variables for file_contexts_asan Lowercase local variables and clear them to be consistent with other recipes and prevent polluting Make's global name space with set variables. Change-Id: If455cd4f33d5babbea985867a711e8a10c21a00f Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
e1a2001fc5d05368bc01fa8d655a6f0e2a7b9758 |
|
07-Jul-2015 |
William Roberts <william.c.roberts@intel.com> |
am 99fe8df2: hide checkseapp command invocation * commit '99fe8df245f4346c14a3dfaf856006c7ebf51ad2': hide checkseapp command invocation
|
0046404b2c3b575c87418e0d790bbca9ea1a82cf |
|
07-Jul-2015 |
William Roberts <william.c.roberts@intel.com> |
am b876993f: use a general sepolicy when building general targets * commit 'b876993f4ee25fb299b7521b0dc565248d3db2a6': use a general sepolicy when building general targets
|
99fe8df245f4346c14a3dfaf856006c7ebf51ad2 |
|
30-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
hide checkseapp command invocation Change-Id: I040904b69b98c49d60546f024f5ace5b7c6f7d5e Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
807b8a6f9dcd59c8bbe9086c9c3d42a87ef286cd |
|
07-Jul-2015 |
William Roberts <william.c.roberts@intel.com> |
am 3a74555c: Drop unused variable in Android.mk * commit '3a74555c4e6c3b87c43b1eb311a2e418f6d88453': Drop unused variable in Android.mk
|
b876993f4ee25fb299b7521b0dc565248d3db2a6 |
|
30-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
use a general sepolicy when building general targets Change-Id: Ie800ebf9d8e68680ec377e8c51f7cd7717f3c755 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
3a74555c4e6c3b87c43b1eb311a2e418f6d88453 |
|
30-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
Drop unused variable in Android.mk Change-Id: Ibd22582deb24fde49cdb71b8754446f3948db36c Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
bf4568d1cda87bb987a85026c686f3032f9b35d4 |
|
29-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
am 4ee7131a: Introduce seapp_neverallow test * commit '4ee7131ade43a046ad784a91bdded7c3c77206cd': Introduce seapp_neverallow test
|
4ee7131ade43a046ad784a91bdded7c3c77206cd |
|
25-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
Introduce seapp_neverallow test Produce a list of neverallow assertions from seapp_contexts into a separate file, general_seapp_context_neverallows, to be used during CTS neverallow checking. Change-Id: I171ed43cf4ae4961f66d5d8f56695345493f1261 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
8f519b3f0f565783d0fab8c4769d2eb1320af0b3 |
|
29-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
am da52e859: correct colon usage on make targets * commit 'da52e85906289d5b691404ffed1fb830065140f9': correct colon usage on make targets
|
da52e85906289d5b691404ffed1fb830065140f9 |
|
27-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
correct colon usage on make targets Change-Id: If944d8bd1e324f6500920ee3c5d44611ec7f8af9 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
942c0ea901bdcc1dfbc91d61716daea4b20d19ca |
|
26-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
am 81e1f90c: check_seapp: add support for "neverallow" checks * commit '81e1f90cd13b262f9e3021f64ae3574b8f5cd5d0': check_seapp: add support for "neverallow" checks
|
81e1f90cd13b262f9e3021f64ae3574b8f5cd5d0 |
|
04-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
check_seapp: add support for "neverallow" checks Introduce "neverallow" rules for seapp_contexts. A neverallow rule is similar to the existing key-value-pair entries but the line begins with "neverallow". A neverallow violation is detected when all keys, both inputs and outputs are matched. The neverallow rules value parameter (not the key) can contain regular expressions to assist in matching. Neverallow rules are never output to the generated seapp_contexts file. Also, unless -o is specified, checkseapp runs in silent mode and outputs nothing. Specifying - as an argument to -o outputs to stdout. Sample Output: Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app" Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
|
651a315ad276643930d24f25970338d868786532 |
|
15-Jun-2015 |
Evgenii Stepanov <eugenis@google.com> |
am 4b4c5645: Merge "Extend sepolicy for SANITIZE_TARGET." * commit '4b4c5645931a0e187d261c4db6caac67d09ab4e4': Extend sepolicy for SANITIZE_TARGET.
|
930304829b2cadd3c88876c6234af702d1e43bd5 |
|
13-Jun-2015 |
Evgenii Stepanov <eugenis@google.com> |
Extend sepolicy for SANITIZE_TARGET. SANITIZE_TARGET adds shared libraries in /data/lib. Bug: 21785137 Change-Id: I8ac3d059d88d57d24ed762ffc6202a4ce5a42333
/system/sepolicy/Android.mk
|
de9b5301a14abf388589b06e819bb001d69e0cf1 |
|
06-Jun-2015 |
Jeff Vander Stoep <jeffv@google.com> |
restrict app access to socket ioctls Create a macro of unprivileged ioctls including - All common socket ioctls except MAC address - All wireless extensions ioctls except get/set ESSID - Some commonly used tty ioctls Bug: 21657002 Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
/system/sepolicy/Android.mk
|
64b01c6165e77292cfc3649dccba18c60670495d |
|
04-May-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Update policy version to enable ioctl whitelisting Bug: 20756547 Bug: 18087110 Change-Id: I9ff76f1cf359e38c19d7b50a5b7236fd673d937e
/system/sepolicy/Android.mk
|
8e0ca8867eac09f8fd740485f147684d6a88b803 |
|
01-Apr-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
Drop BOARD_SEPOLICY_UNION. As suggested in the comments on https://android-review.googlesource.com/#/c/141560/ drop BOARD_SEPOLICY_UNION and simplify the build_policy logic. Union all files found under BOARD_SEPOLICY_DIRS. Unlike BOARD_SEPOLICY_REPLACE/IGNORE, on which we trigger an error to catch any lingering uses and force updating of the BoardConfig.mk files, we only warn on uses of BOARD_SEPOLICY_UNION to avoid breaking the build until all device BoardConfig*.mk files have been updated, and since they should be harmless - the files will be unioned regardless. Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
|
b4f17069b3514a4b7b3f5c42e879494bbe96bbaf |
|
13-Mar-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
sepolicy: Drop BOARD_SEPOLICY_IGNORE/REPLACE support. With changes I431c1ab22fc53749f623937154b9ec43469d9645 and Ia54aa263f2245c7090f4b9d9703130c19f11bd28, it is no longer legitimate to use BOARD_SEPOLICY_IGNORE or REPLACE with any of the *_contexts files since the CTS requires the AOSP entries to be present in the device files. Further, these changes render BOARD_SEPOLICY_IGNORE unusable for most policy files since all domains and types referenced within any of the AOSP *_contexts entries must be defined in the kernel policy, so you cannot use BOARD_SEPOLICY_IGNORE to exclude any .te file that defines a type referenced in any of those *_contexts files. There does not seem to be a significant need for such a facility, as AOSP policy is small and only domains and types used by most devices should be defined in external/sepolicy. BOARD_SEPOLICY_REPLACE is commonly misused to eliminate neverallow rules from AOSP policy, which will only lead to CTS failures, especially since change Iefe508df265f62efa92f8eb74fc65542d39e3e74 introduced neverallow checking on the entire policy via sepolicy-analyze. The only remaining legitimate function of BOARD_SEPOLICY_REPLACE is to support overriding AOSP .te files with more restrictive rule sets. However, the need for this facility has been significantly reduced by the fact that AOSP policy is now fully confined + enforcing for all domains, and further restrictions beyond AOSP carry a compatibility risk. Builders of custom policies and custom ROMs still have the freedom to apply patches on top of external/sepolicy to tighten rule sets (which are likely more maintainable than maintaining a completely separate copy of the file via BOARD_SEPOLICY_REPLACE) and/or of using their own separate policy build system as exemplified by https://bitbucket.org/quarksecurity/build-policies Change-Id: I2611e983f7cbfa15f9d45ec3ea301e94132b06fa Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
|
c93617315e69f9bd7319476afbd3f91d00dd6b5a |
|
13-Mar-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
Fix rules for general_property_contexts. Failed to include base_rules.mk, so this target was not being built. Change-Id: I2414fa6c3e3e37c74f63c205e3694d1a811c956e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
|
2e0cd5ad36321fd7a8f21768dac080d09b658920 |
|
12-Mar-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
Generate general versions of the other contexts files for tests. Generate general forms of the remaining *_contexts files with only the device-independent entries for use in CTS testing. Change-Id: I2bf0e41db8a73c26754cedd92cbc3783ff03d6b5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
|
377128778d2d2055044c8f4a65e7b0097ab59fd4 |
|
12-Mar-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
Generate a general_seapp_contexts file for tests. Generate a general_seapp_contexts file with only the device-independent entries, similar to general_sepolicy.conf. This is for use by CTS tests to compare with the prefix of device seapp_contexts. Change-Id: If8d1456afff5347adff7157411c6a160484e0b39 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
|
f435a8e55653be6e5d95a995d80ed4982f5a1628 |
|
28-Feb-2015 |
Nick Kralevich <nnk@google.com> |
Delete unconfined domain No longer used. :-) Change-Id: I687cc36404e8ad8b899b6e76b1de7ee8c5392e07
/system/sepolicy/Android.mk
|
754f5ea7ee4bb252e6f84b2b1228d5e210abe0ce |
|
03-Dec-2014 |
William Roberts <bill.c.roberts@gmail.com> |
Allow overriding FORCE_PERMISSIVE_TO_UNCONFINED It's beneficial to be able to override this in a device makefile if you need to get the domains into an unconfined state to keep the logs from filling up on kernel entries without having to add rules into device specific policy. Change-Id: I7778be01256ac601f247e4d6e12573d0d23d12a1
/system/sepolicy/Android.mk
|
f330f3752922f124305c67683d061c19c9518bed |
|
13-Nov-2014 |
William Roberts <bill.c.roberts@gmail.com> |
Remove network shell script This seems to not really be used, especially considering that the init.rc does not have a oneshot service for it, and it's not using the build_policy() and other things to even make it configurable. Change-Id: I964f94b30103917ed39cf5d003564de456b169a5
/system/sepolicy/Android.mk
|
ee58864b953a2d3601e8e805be32bd71a16e9bd3 |
|
07-Nov-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Revert "DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true" Change-Id I52fd5fbe30a7f52f1143f176915ce55fb6a33f87 was only intended for lollipop, not for master. This reverts commit 2aa727e3f01f814384bd4a49281c7c39cf562ff6. Change-Id: If2101939eb50cd6bbcde118b91c003d1f30d811c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
|
39f92a8350cd02eaa279687699bc4208e9ab0dd8 |
|
06-Nov-2014 |
Nick Kralevich <nnk@google.com> |
am f7e98fe2: Merge "recovery.te: add /data neverallow rules" * commit 'f7e98fe2c988d88a4a98a1fdfd07561cef013e5c': recovery.te: add /data neverallow rules
|
a17a266e7e466d281f0730449c492de46390fc76 |
|
06-Nov-2014 |
Nick Kralevich <nnk@google.com> |
recovery.te: add /data neverallow rules Recovery should never be accessing files from /data. In particular, /data may be encrypted, and the files within /data will be inaccessible to recovery, because recovery doesn't know the decryption key. Enforce write/execute restrictions on recovery. We can't tighten it up further because domain.te contains some /data read-only access rules, which shouldn't apply to recovery but do. Create neverallow_macros, used for storing permission macros useful for neverallow rules. Standardize recovery.te and property_data_file on the new macros. Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88
/system/sepolicy/Android.mk
|
5a6ac67476cb642fc19206c9686488c0b21e224e |
|
04-Aug-2014 |
dcashman <dcashman@google.com> |
am 3fe1bcbb: Merge "Generate selinux_policy.xml as part of CTS build." * commit '3fe1bcbb8d2f2e17e7506d7fb0302068c9ccc915': Generate selinux_policy.xml as part of CTS build.
|
704741a5c24113b22a47bb854f20e2f2c607dd36 |
|
26-Jul-2014 |
dcashman <dcashman@google.com> |
Generate selinux_policy.xml as part of CTS build. Bug: 16563899 Bug: 14251916 Change-Id: Id3172b73f10186ba361caf6b7333e5d2a0648475
/system/sepolicy/Android.mk
|
2aa727e3f01f814384bd4a49281c7c39cf562ff6 |
|
14-Jul-2014 |
Nick Kralevich <nnk@google.com> |
DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true Force any experimental SELinux domains (ones tagged with "permissive_or_unconfined") into unconfined. This flag is intended to be flipped when we're preparing a release, to eliminate inconsistencies between user and userdebug devices, and to ensure that we're enforcing a minimal set of rules for all SELinux domains. Without this change, our user builds will behave differently than userdebug builds, complicating testing. Change-Id: I52fd5fbe30a7f52f1143f176915ce55fb6a33f87
/system/sepolicy/Android.mk
|
db644f98ad302bcbf9e3a6ec184896c6b5c3ec9d |
|
12-Jun-2014 |
Nick Kralevich <nnk@google.com> |
am 8eb63f24: am b0ee91a4: Merge "Add SELinux rules for service_manager." * commit '8eb63f24bb34639d76246a2fe0276f5cada5c764': Add SELinux rules for service_manager.
|
8eb63f24bb34639d76246a2fe0276f5cada5c764 |
|
12-Jun-2014 |
Nick Kralevich <nnk@google.com> |
am b0ee91a4: Merge "Add SELinux rules for service_manager." * commit 'b0ee91a418a899dbd39678711ea65ed60418154e': Add SELinux rules for service_manager.
|
f90c41f6e8d5c1266e154f46586a2ceb260f1be6 |
|
06-Jun-2014 |
Riley Spahn <rileyspahn@google.com> |
Add SELinux rules for service_manager. Add a service_manager class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label. Bug: 12909011 Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
/system/sepolicy/Android.mk
|
33bf667ab1f78ce35555d148ffb0e5f1b96fe9f0 |
|
31-May-2014 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
am ec87ecb9: am 8571ed16: am 8b7545bf: Build the selinux_version file. * commit 'ec87ecb99187ce4e7c4b01e3e2ff79e9f61a5968': Build the selinux_version file.
|
ec87ecb99187ce4e7c4b01e3e2ff79e9f61a5968 |
|
31-May-2014 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
am 8571ed16: am 8b7545bf: Build the selinux_version file. * commit '8571ed162e85c507ea93b06c6816cdf99019625a': Build the selinux_version file.
|
8b7545bf5745e1e0aba55b0334de40d2334728b1 |
|
20-Mar-2014 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
Build the selinux_version file. The selinux_version file is used to perform policy versioning checks by libselinux and SELinuxMMAC. When loading policy a check is first performed to determine if the policy out in /data/security/current should be used to override the base policy shipped with the device. The selinux_version file is used to make that choice. The contents of the file simply contain the BUILD_FINGERPRINT that the policy was built against. A simple string comparison is then performed by libselinux and SELinuxMMAC. Change-Id: I69d9d071743cfd46bb247c98f94a193396f8ebbd Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/system/sepolicy/Android.mk
|
4a247480b3da612b60429b277ef508adfadb9de2 |
|
30-May-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
am c664083b: am ffbba62e: am e60723ab: Create a separate recovery policy. * commit 'c664083badd1c73c144f53354c015681cd7e6951': Create a separate recovery policy.
|
c664083badd1c73c144f53354c015681cd7e6951 |
|
30-May-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
am ffbba62e: am e60723ab: Create a separate recovery policy. * commit 'ffbba62eafb759573aad4bcdc77d56026697ea00': Create a separate recovery policy.
|
e60723ab59f48626c6a700ba645bfe5eac6f0fc3 |
|
29-May-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
|
863b28236651afd0d2f4bf5b858e519114def1c9 |
|
06-Feb-2014 |
Nick Kralevich <nnk@google.com> |
am d188f5be: Merge "DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true" into klp-modular-dev * commit 'd188f5be07e168c19a2cd46439c0319f4866c641': DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true
|
2772e78ff99ae651df395ec10e7bb8fdf20b87f0 |
|
05-Feb-2014 |
Nick Kralevich <nnk@google.com> |
DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true Force any experimental SELinux domains (ones tagged with "permissive_or_unconfined") into unconfined. This flag is intended to be flipped when we're approaching stabilization, to eliminate inconsistencies between user and userdebug devices, and to ensure that we're enforcing a minimal set of rules for all SELinux domains. Change-Id: I1467b6b633934b18689683f3a3085329bb96dae1
/system/sepolicy/Android.mk
|
6b0ff4756a17e7af22d283ac3599a8b1925e5827 |
|
29-Jan-2014 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
Catch nonexistent BOARD_SEPOLICY_UNION policy files. Added a new check to make sure that all listed BOARD_SEPOLICY_UNION files are located somewhere in the listed BOARD_SEPOLICY_DIRS locations. The build will error out otherwise. Change-Id: Icc5febc5fe5a7cccb90ac5b83e6289c2aa5bf069 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/system/sepolicy/Android.mk
|
623975fa5aece708032aaf29689d73e1f3a615e7 |
|
11-Jan-2014 |
Nick Kralevich <nnk@google.com> |
Support forcing permissive domains to unconfined. Permissive domains are only intended for development. When a device launches, we want to ensure that all permissive domains are in, at a minimum, unconfined+enforcing. Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During development, this flag is false, and permissive domains are allowed. When SELinux new feature development has been frozen immediately before release, this flag will be flipped to true. Any previously permissive domains will move into unconfined+enforcing. This will ensure that all SELinux domains have at least a minimal level of protection. Unconditionally enable this flag for all user builds. Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
/system/sepolicy/Android.mk
|
88ce951d89c4c4ad4d870ca34cc5bdcc8b60f54d |
|
10-Jan-2014 |
Nick Kralevich <nnk@google.com> |
Create new conditional userdebug_or_eng Create a new m4 macro called userdebug_or_eng. Arguments passed to this macro are only emitted if we're performing a userdebug or eng build. Merge shell.te and shell_user.te and eliminate duplicate lines. Same for su.te and su_user.te Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0
/system/sepolicy/Android.mk
|
d99e6d5fa135882bb51878a3c68ed3a2aebe7d04 |
|
02-Dec-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Restrict the ability to set SELinux enforcing mode to init. Also make su and shell permissive in non-user builds to allow use of setenforce without violating the neverallow rule. Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
|
c3c9052bc7bf7f55e66a7560a28800066a6e044b |
|
25-Oct-2013 |
Nick Kralevich <nnk@google.com> |
Make DEFAULT_SYSTEM_DEV_CERTIFICATE available in keys.conf In 9af6f1bd59ee2fb0622db8ff25c4806c5527a0b3, the -d option was dropped from insertkeys.py. This was done to allow an Android distribution to replace the default version of keys.conf distributed in external/sepolicy/keys.conf. keys.conf was modified to reference the publicly known test keys in build/target/product/security. Unfortunately, this broke Google's build of Android. Instead of incorporating our keys directory, we were using the default AOSP keys. As a result, apps were getting assigned to the wrong SELinux domain. (see "Steps to reproduce" below) This change continues to allow others to replace keys.conf, but makes DEFAULT_SYSTEM_DEV_CERTIFICATE available as an environment variable in case the customized version wants to make reference to it. This change also modifies the stock version of keys.conf to use DEFAULT_SYSTEM_DEV_CERTIFICATE, which should be appropriate for most Android distributions. It doesn't make any sense to force each OEM to have a copy of this file. Steps to reproduce. 1) Compile and boot Android. 2) Run the following command: "adb shell ps -Z | grep process.media" Expected: $ adb shell ps -Z | grep process.media u:r:media_app:s0 u0_a5 1332 202 android.process.media Actual: $ adb shell ps -Z | grep process.media u:r:untrusted_app:s0 u0_a5 3617 187 android.process.media Bug: 11327304 Change-Id: Ica24fb25c5f9c0e2f4d181718c757cf372467822
/system/sepolicy/Android.mk
|
9af6f1bd59ee2fb0622db8ff25c4806c5527a0b3 |
|
22-Aug-2013 |
William Roberts <wroberts@tresys.com> |
Drop -d option on insertkeys.py in Android.mk This breaks the ability for users to have certs in many directories. Currently the design is to allow keys.conf to specify arbitrary locations for pem files, relative to the root of the Android tree. If users want to have a common prefix on all the keys, then they can export DEFAULT_SYSTEM_DEV_CERTIFICATE, and make that an environment variable in their keys.conf file. Signed-off-by: William Roberts <wroberts@tresys.com> Change-Id: I23455b891206cab6eca7db08ff3c28283f87c640 Signed-off-by: William Roberts <wroberts@tresys.com>
/system/sepolicy/Android.mk
|
e267afa32070609b080d4a7900cd27179430e04d |
|
01-Apr-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
am e543a8bc: Increase policy version to 26. * commit 'e543a8bc2a2d08ff381e5ae9e34cc2a094acf895': Increase policy version to 26.
|
e543a8bc2a2d08ff381e5ae9e34cc2a094acf895 |
|
01-Apr-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Increase policy version to 26. Increase the SELinux policy version to 26. This is needed for name-based transitions used by the manta sepolicy. Requires kernel 3.0 or higher. Change-Id: I046fa9f7122f77506c70b2c735345bc0194935df Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
|
020b5ff6311044ef7a2200dd4db69f5cccf46213 |
|
28-Mar-2013 |
Geremy Condra <gcondra@google.com> |
Add a key directory argument to insertkeys.py This allows us to better integrate key selection with our existing build process. Change-Id: I6e3eb5fbbfffb8e31c5edcf16f74df7c38abe537
/system/sepolicy/Android.mk
|
e693ed7c187804b3b1ae49bf0d31bd43e7a19e08 |
|
15-Mar-2013 |
William Roberts <bill.c.roberts@gmail.com> |
Remove the su domain from -user builds. Change-Id: I86f2f28f7c558b8e9a70e5aa9ebcfa8bf26f9ef7
/system/sepolicy/Android.mk
|
7f2392eeb03eeb88f2699061f4adaeb1fcbd1de2 |
|
27-Mar-2013 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
Expand insertkeys.py script to allow union of files. Allow script to union mac_permissions.xml files specified using the BOARD_SEPOLICY_DIRS and BOARD_SEPOLICY_UNION constructs. Change-Id: I4fc65fd1ab4c612f25e966f030247e54a270b614 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/system/sepolicy/Android.mk
|
65d4f44c1fd999d9cf9c4ef4dc65deb71bafcd8e |
|
27-Mar-2013 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
Various policy updates. Assortment of policy changes include: * Bluetooth domain to talk to init and procfs. * New device node domains. * Allow zygote to talk to its executable. * Update system domain access to new device node domains. * Create a post-process sepolicy with dontaudits removed. * Allow rild to use the tty device. Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/system/sepolicy/Android.mk
|
52fc95d1b7e29a61d315eb7378c3b47985f4fd74 |
|
26-Mar-2013 |
William Roberts <w.roberts@sta.samsung.com> |
Fix makefile error with ANDROID_BUILD_TOP Use TOP instead of ANDROID_BUILD_TOP Fix spelling issues in keys.conf Change-Id: Ib90b3041af5ef68f30f4ab78c768ad225987ef2d
/system/sepolicy/Android.mk
|
cd4104e84b438827fddd6a7fe6cb86e91392152d |
|
26-Mar-2013 |
Geremy Condra <gcondra@google.com> |
Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml"" This reverts commit 1446e714af0b0c358b5ecf37c5d704c96c72cf7c Hidden dependency has been resolved. Change-Id: Ia535c0b9468ea5f705dff9813186a7fa8bab84ae
/system/sepolicy/Android.mk
|
15b3ceda5cd0fea1f0b5b19d4795d7290a75b39d |
|
12-Feb-2013 |
William Roberts <w.roberts@sta.samsung.com> |
Add BOARD_SEPOLICY_IGNORE See README for further details. Change-Id: I4599c7ecd5a552e38de89d0a9e496e047068fe05
/system/sepolicy/Android.mk
|
1446e714af0b0c358b5ecf37c5d704c96c72cf7c |
|
19-Mar-2013 |
Geremy Condra <gcondra@google.com> |
Revert "Dynamic insertion of pubkey to mac_permissions.xml" This reverts commit 22fc04103b70dd5a1cb1b5a8309ef20461e06289 Change-Id: I2d91b1262e8d0e82a21ea7c5333b1e86f3ed9bee
/system/sepolicy/Android.mk
|
5a2988fcb5f1b76c87d9bf8e671c38d1b03188ab |
|
04-Jan-2013 |
William Roberts <w.roberts@sta.samsung.com> |
Remove duplicate paths from sepolicy_replace_paths Change-Id: I5d5362ad0055275052b0c2ba535b599a8e26112e
/system/sepolicy/Android.mk
|
d98d26ef3c1fe9b44497ed4e2a1fcf66505092ba |
|
23-Jan-2013 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
property_contexts checks added to checkfc. Change-Id: If361ea93fabd343728196eed2663fd572ecaa70b Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
/system/sepolicy/Android.mk
|
22fc04103b70dd5a1cb1b5a8309ef20461e06289 |
|
05-Dec-2012 |
William Roberts <w.roberts@sta.samsung.com> |
Dynamic insertion of pubkey to mac_permissions.xml Support the insertion of the public key from pem files into the mac_permissions.xml file at build time. Change-Id: Ia42b6cba39bf93723ed3fb85236eb8f80a08962a
/system/sepolicy/Android.mk
|
2c8a55dcf4e571c198118dd4459d62894f6378f3 |
|
30-Nov-2012 |
William Roberts <w.roberts@sta.samsung.com> |
Replaceable mac_permission.xml support Support overriding mac_permissions.xml in BOARD_SEPOLICY_REPLACE Change-Id: If0bca8bf29bc431a291b6d7b20de132e68cd6a79
/system/sepolicy/Android.mk
|
eab23895cd13ccb2a552dd9713bd1e88cf41e522 |
|
01-Nov-2012 |
Jean-Baptiste Queru <jbq@google.com> |
Merge "Revert "Include su.te only for userdebug/eng builds."" into jb-mr1-dev-plus-aosp
|
eefaa83d4c8437b216718115f6d4d407b2e9d0d8 |
|
01-Nov-2012 |
Alice Chu <alice.chu@sta.samsung.com> |
am cdfb06f5: Moved Android policy tools to tools directory * commit 'cdfb06f55394d68a7df1110d83070961a2cc52aa': Moved Android policy tools to tools directory
|
9ceb47b0c0f693e760d6ad0535f4a165491fa772 |
|
01-Nov-2012 |
Kenny Root <kroot@google.com> |
Revert "Include su.te only for userdebug/eng builds." This reverts commit af56ac19545ff083ceb3c1ddf4bf8e2663d4b934. Change-Id: Id658a90b58ea31365051c0878c58393fd055fc69
/system/sepolicy/Android.mk
|
cdfb06f55394d68a7df1110d83070961a2cc52aa |
|
01-Nov-2012 |
Alice Chu <alice.chu@sta.samsung.com> |
Moved Android policy tools to tools directory Change-Id: I57b0dd9f8071eae492020f410c87f465ba820711
/system/sepolicy/Android.mk
|
a2517b20cb340a6dd19c846b21f34ed0244b65d6 |
|
30-Oct-2012 |
Kenny Root <kroot@google.com> |
resolved conflicts for merge of 47cd396b to jb-mr1-dev-plus-aosp Change-Id: I3112f4cf0fafb6e7e3c9c60084a097f5e6190c22
|
47cd396b11ca4b62d4d99902bec1b981760e818a |
|
18-Oct-2012 |
rpcraig <robertpcraig@gmail.com> |
Add better per-device sepolicy support. This is a rewrite of the existing implementation. Three new variables are now needed to add/modify the existing base policy. They are, BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION which govern what files are replaced and concatenated, and BOARD_SEPOLICY_DIRS which lists the various directories that will contain the BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION policy files. Change-Id: Id33381268cef03245c56bc5242fec7da9b6c6493 Signed-off-by: rpcraig <robertpcraig@gmail.com>
/system/sepolicy/Android.mk
|
6b964fa1f265c1c0d6f236efbf3c471b76fdf05c |
|
26-Oct-2012 |
Ying Wang <wangying@google.com> |
am d8b122c7: Use file target as dependency. * commit 'd8b122c7bbe3a57620bee0a5c6bfcb8f7c574081': Use file target as dependency.
|
d8b122c7bbe3a57620bee0a5c6bfcb8f7c574081 |
|
26-Oct-2012 |
Ying Wang <wangying@google.com> |
Use file target as dependency. "sepolicy" is a phony target defined by the build system. If you use it as dependency of a file target, you'll get unnecessary rebuild. Change-Id: I3a948ebbaff6a146050eb86a3d04cdc050f7c001
/system/sepolicy/Android.mk
|
ced365aa645d35f022f413f53731af61ada812fd |
|
17-Oct-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
am 01a58af1: Add a checkfc utility to check file_contexts validity and invoke it. * commit '01a58af19494420bb259505bc5404790a21fdd64': Add a checkfc utility to check file_contexts validity and invoke it.
|
01a58af19494420bb259505bc5404790a21fdd64 |
|
02-Oct-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add a checkfc utility to check file_contexts validity and invoke it. Change-Id: I4b12dc3dcb432edbdf95dd3bc97f809912ce86d1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
|
44374bc5edc0ed46d402d1f0353fd9ff1e2ee0ac |
|
17-Oct-2012 |
Kenny Root <kroot@google.com> |
am 659aaced: Remove HAVE_SELINUX guard * commit '659aaced054c21048c712fe1f5831a86c99213d8': Remove HAVE_SELINUX guard
|
659aaced054c21048c712fe1f5831a86c99213d8 |
|
10-Oct-2012 |
Kenny Root <kroot@google.com> |
Remove HAVE_SELINUX guard Change-Id: I45b4a749bf4fb085d96d912871bae33aa5288119
/system/sepolicy/Android.mk
|
9822c1d08f11c9fb98a6f2530ba693285fe12f2b |
|
19-Sep-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
am 66a3e8d9: Drop the use of a policy version suffix on the sepolicy file. * commit '66a3e8d91ef6098dd7cab127530f1cdb7973f53e': Drop the use of a policy version suffix on the sepolicy file.
|
66a3e8d91ef6098dd7cab127530f1cdb7973f53e |
|
18-Sep-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Drop the use of a policy version suffix on the sepolicy file. The policy version suffix support was carried over from conventional Linux distributions, where we needed to support simultaneous installation of multiple kernels and policies. This isn't required for Android, so get rid of it and thereby simplify the policy pathname. We still default to generating a specific policy version (the highest one supported by the emulator kernel), but this can be overridden by setting POLICYVERS on the make command-line or in the environment. Requires a corresponding change to libselinux. Change-Id: I40c88e13e8063ea37c2b9ab5b3ff8b0aa595402a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
|
d0f027ccc8f4a7aa8d872df9a195197590f234dc |
|
06-Sep-2012 |
Jean-Baptiste Queru <jbq@google.com> |
am 10f9a372: Merge upstream sepolicy into AOSP * commit '10f9a3727a5c46ef23f5f0385ae4ffec20cb46d9': Corrected grammatical issues Added new line to end of file Changed seapp_contexts temporary file naming Fix mls checking code Support overrides in seapp_contexts Add tf_daemon labeling support. Add ppp/mtp policy. per device seapp_context support dhcp policy. Trusted Execution Environment policy.
|
98ed392e68e041340ca8881ebf0a3cdf6bd5e880 |
|
05-Sep-2012 |
William Roberts <w.roberts@sta.samsung.com> |
Changed seapp_contexts temporary file naming Change-Id: I4f522869eeaa6f84771e4ee2328f65296dcc29db
/system/sepolicy/Android.mk
|
0ae3a8a2d50799d0b91d992434cdd4d3151b0348 |
|
04-Sep-2012 |
William Roberts <w.roberts@sta.samsung.com> |
Fix mls checking code Change-Id: I614caa520e218f8f148eef641fed2301571da8e1
/system/sepolicy/Android.mk
|
f0e0a94e032e55c13bc54f1cffe243f04872278e |
|
28-Aug-2012 |
William Roberts <w.roberts@sta.samsung.com> |
Support overrides in seapp_contexts Provides support for overriding seapp_contexts declarations in per device seapp_contexts files. Change-Id: I23a0ffa1d24f1ce57825b168f29a2e885d3e1c51
/system/sepolicy/Android.mk
|
171a06257124401af2e7c33fbbcbc69c18e45486 |
|
16-Aug-2012 |
William Roberts <bill.c.roberts@gmail.com> |
per device seapp_context support
/system/sepolicy/Android.mk
|
aa7fb3be1b456a2884c3fa707aa590196b2c70c3 |
|
13-Aug-2012 |
Jean-Baptiste Queru <jbq@google.com> |
resolved conflicts for merge of 0c2e5705 to jb-mr1-dev Change-Id: Iee1d877788b9397ca29a6cfe7bc3015c3edbe5ac
|
b19665c39da76c0e24c8cd9583e30c4a50567510 |
|
30-Jul-2012 |
rpcraig <rpcraig@tycho.ncsc.mil> |
Add mac_permissions.xml file. This was moved from external/mac-policy.git
/system/sepolicy/Android.mk
|
af56ac19545ff083ceb3c1ddf4bf8e2663d4b934 |
|
17-Jul-2012 |
Matt Finifter <finifter@google.com> |
Include su.te only for userdebug/eng builds. Change-Id: Ia544f13910abbe5e9f6a6cafae397415a41a7a94
/system/sepolicy/Android.mk
|
dc1072365e99cef38e0d234989ba29e0e2df2b4c |
|
12-Jul-2012 |
William Roberts <bill.c.roberts@gmail.com> |
Support for ocontexts per device. ocontexts was split up into 4 files: 1. fs_use 2. genfs_contexts 3. initial_sid_contexts 4. port_contexts Each file has its respective declarations in it. Devices, in their respective device directory, can now specify sepolicy.fs_use, sepolicy.genfs_contexts, sepolicy.port_contexts, and sepolicy.initial_sid_contexts. These declarations will be added right behind their respective sepolicy counterparts in the concatenated configuration file.
/system/sepolicy/Android.mk
|
70d4fc2243721a54cd177959e05cf81b54c4e226 |
|
20-Jun-2012 |
Joshua Brindle <jbrindle@tresys.com> |
Add selinux network script to policy Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
/system/sepolicy/Android.mk
|
efd6d6e0dab97a49706f1116dde2ec87257f79c1 |
|
18-May-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Apply m4 to file_contexts and property_contexts to support includes.
/system/sepolicy/Android.mk
|
f5f899c3c0f684ffba6950b343e652abd78d0fd9 |
|
10-Apr-2012 |
The Android Open Source Project <initial-contribution@android.com> |
Merge from upstream sepolicy Change-Id: I99085d575e3d884fb04ac03ac998eb3c53eb2d9f
|
f4ea5b25399e4c6a10aa353b0c3d40564f78e89c |
|
10-Apr-2012 |
Ying Wang <wangying@google.com> |
Use the checkpolicy built from source. Change-Id: I22f49db3d59b50ed8975d8c1146bb9c322adbf7e
/system/sepolicy/Android.mk
|
124720a6976a69357522299afbe5591854e40775 |
|
04-Apr-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add policy for property service. New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties.
/system/sepolicy/Android.mk
|
64935c7d87ce76ed542e16fce3dde9883b507d7a |
|
06-Mar-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Limit per-device policy files to a well-defined sepolicy prefix. Avoid any future collisions with the use of .fc or .te suffixes in the per-device directories. If we want multiple file support, add a separate subdirectory for sepolicy files.
/system/sepolicy/Android.mk
|
5b340befb4f964365c856606050254a65df909d1 |
|
06-Mar-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add support for per-device .te and .fc files.
/system/sepolicy/Android.mk
|
7e8cf24f58651228029eb4e53e4094a86f4d2bdb |
|
02-Feb-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Do not build if HAVE_SELINUX=false.
/system/sepolicy/Android.mk
|
2b826fcbe8231bf13affd63dbed865b315e1eddc |
|
24-Jan-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add a dependency on checkpolicy.
/system/sepolicy/Android.mk
|
02fb5f3c6abbb7f12c278a04966314d06f6378e3 |
|
18-Jan-2012 |
Ying Wang <wangying@google.com> |
Rewrite Android.mk.
/system/sepolicy/Android.mk
|
2dd4e51d5c2a2dfc0bfdee9303269f5a665f6e35 |
|
04-Jan-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
SE Android policy.
/system/sepolicy/Android.mk
|