History log of /system/sepolicy/Android.mk
Revision Date Author Comments
cfb6f3523159d87d444ace1b4c24fa09a11b31f0 14-Jun-2017 Sandeep Patil <sspatil@google.com> build: run neverallow checks on platform sepolicy

This will prevent us from breaking our own neverallow rules
in the platform sepolicy regardless of vendor policy adding
exceptions to the neverallow rules using "*_violators" attributes

Bug: 62616897
Bug: 62343727

Test: Build policy for sailfish
Test: Build policy with radio to rild socket rule enabled for all
and ensure the build fails

Change-Id: Ic66ec3e10c76a7c9a17669e0d3deb3a1c7b00809
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/Android.mk
b236eb6ca204cefcb926e19bd5682f9dcad4021d 13-Jun-2017 Jeff Vander Stoep <jeffv@google.com> Build split file_contexts for recovery

[ 7.674739] selinux: selinux_android_file_context: Error getting
file context handle (No such file or directory)

Bug: 62564629
Test: build and flash marlin. Successfully switch between regular
and recovery modes

Change-Id: I0f871f8842d95322c844fb7b13ad1b4b42578e35
/system/sepolicy/Android.mk
7a68c5ae4ca81778f222c2817b698463878e5700 08-Jun-2017 Jeff Vander Stoep <jeffv@google.com> Move non-treble devices to split file_contexts

This change is primarily to fix CTS which checks file ordering of
file_contexts. Having two separate means of loading file_contexts
has resulted in ordering variations.

Previously the binary file_contexts was preferred since it
loaded faster. However with the move to libpcre2, there is no
difference in loading time between text and binary file_contexts.
This leaves us with build system complexity with no benefit.
Thus removing this unnecessary difference between devices.

Bug: 38502071
Test: build and boot non-Treble Bullhead, run CTS tests below
Test: build and boot Treble Marlin, run CTS tests below
Test: cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check --abi arm64-v8a \
--module CtsSecurityHostTestCases \
-t android.security.cts.SELinuxHostTest#testAospFileContexts
Test: cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check --abi arm64-v8a \
--module CtsSecurityHostTestCases \
-t android.security.cts.SELinuxHostTest#testValidFileContexts
Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1
/system/sepolicy/Android.mk
1fc0682ec629d10c5c48714def2fc96369977169 01-Jun-2017 Jeff Vander Stoep <jeffv@google.com> Run Treble sepolicy tests at build time

Bug: 37008075
Test: build policy on Marlin
Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544
(cherry picked from commit e1ddc6df75d61dd8dc9a1ea00e1da60389f55556)
/system/sepolicy/Android.mk
51455fe9773e5b3e920e149c6fc48e34b2ab1327 23-May-2017 Dan Cashman <dcashman@google.com> Restrict BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to one dir.

These directories were added to allow for partner extensions to the
android framework without needing to add changes to the AOSP global
sepolicy. There should only ever be one owner of the framework and
corresponding updates, so enforce this restriction to prevent
accidental accrual of policy in the system image.

Bug: 36467375
Test: Add public and private files to policy and verify that they are
added to the appropriate policy files. Also test that specifying
multiple directories for public or private results in an error.

Change-Id: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
Merged-In: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
(cherry picked from commit 1633da06afc155342b66c581668f52951a1278d7)
/system/sepolicy/Android.mk
1b0a71f308a18ab31147ea34c692f4fe7f4d7066 08-May-2017 Dan Cashman <dcashman@google.com> Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS

Add new build variables for partner customization (additions) to platform sepolicy.
This allows partners to add their own policy without having to touch the AOSP sepolicy
directories and potentially disrupting compatibility with an AOSP system image.

Bug: 36467375
Test: Add public and private files to sailfish policy and verify that they are
added to the appropriate policy files, but that the policy is otherwise identical.
Also add private/mapping/*.cil files in both locations and change the BOARD_SEPOLICY_VERS
to trigger use of prebuilt mapping files and verify that they are appropriately
combined and built in policy.

Change-Id: I38efe2248520804a123603bb050bba75563fe45c
Merged-In: I38efe2248520804a123603bb050bba75563fe45c
(cherry picked from commit f893700c73f2e4e13385f11edcacf563f59b63c5)
/system/sepolicy/Android.mk
4816b8f00a129d0245d369fe34ac88dd82e566c6 04-May-2017 Ian Pedowitz <ijpedowitz@google.com> Revert "Revert "O is API 26""

This reverts commit 6b04a961b491d31368eab2924d84d3259330faf3.

Bug: 37480230
Bug: 37896931
Bug: 37355569
Change-Id: I24ee1b4f0f23262cae25b2f575da9f16f4ebec34
/system/sepolicy/Android.mk
6b04a961b491d31368eab2924d84d3259330faf3 04-May-2017 Ian Pedowitz <ijpedowitz@google.com> Revert "O is API 26"

This reverts commit 8713882bb8d082f997fa68b75606caa48a45862d.

Reason for revert: b/37355569

Bug: 37480230
Bug: 37896931
Bug: 37355569
Change-Id: Ic07d948fd0b4a0a8434e1f4f0c8e559c4258cf5e
/system/sepolicy/Android.mk
8713882bb8d082f997fa68b75606caa48a45862d 02-May-2017 Michael Wright <michaelwr@google.com> O is API 26

Bug: 37480230
Bug: 37896931
Test: build, boot
Change-Id: Ib8d4309d37b8818163a17e7d8b25155c4645edcf
/system/sepolicy/Android.mk
5edd96d915ef98dc92f21bd303bca5ee82b0f54a 25-Apr-2017 Jeff Vander Stoep <jeffv@google.com> Android.mk: fix dependency typo

Bug: 37646565
Test: build marlin-userdebug
Change-Id: I3325d027fa7bdafb48f1f53ac052f2a68352c1dc
/system/sepolicy/Android.mk
b87876937b8ed73063fd44800beb86f3dd7079be 22-Apr-2017 Jeff Vander Stoep <jeffv@google.com> Retain neverallow rules in CIL files

Fixes issue where attributes used exclusively in neverallow
rules were removed from policy.

For on-device compile use the -N flag to skip neverallow tests.

Policy size increases:
vendor/etc/selinux/nonplat_sepolicy.cil 547849 -> 635637
vendor/etc/selinux/precompiled_sepolicy 440248 -> 441076
system/etc/selinux/plat_sepolicy.cil 567664 -> 745230

For a total increase in system/vendor: 266182.

Boot time changes:
Pixel uses precompiled policy so boot time is not impacted.
When forcing on-device compile on Marlin selinux policy compile
time increases 510-520 ms -> 550-560 ms.

Bug: 37357742
Test: Build and boot Marlin.
Test: Verify both precompiled and on-device compile work.
Change-Id: Ib3cb53d376a96e34f55ac27d651a6ce2fabf6ba7
/system/sepolicy/Android.mk
748cae865d3aa1755c59b8cffbe4c1a7eb7ac363 13-Apr-2017 Jeff Vander Stoep <jeffv@google.com> secilc: expand generated attributes on non-treble devices

Attributes added to the policy by the policy compiler are causing
performance issues. Telling the compiler to expand these
auto-generated attributes to their underlying types prevents
preemption during policy lookup.

Bug: 3650825
Test: Build and boot Bullhead
Change-Id: I9a33f5efb1e7c25d83dda1ea5dfe663b22846a2f
/system/sepolicy/Android.mk
9bdb66b25ce55ee53fc57cafed291d004cbbd619 13-Apr-2017 Jeffrey Vander Stoep <jeffv@google.com> Merge "secilc: expand generated attributes" into oc-dev
f6daa78a82ea11f0fbbeb22ed7150066f664fd07 13-Apr-2017 Martijn Coenen <maco@google.com> Merge "Add hwservice_contexts and support for querying it." into oc-dev
3ea47b9249d4f9a4a90cae7867a119cbfdb7d4b6 08-Apr-2017 Martijn Coenen <maco@google.com> Add hwservice_contexts and support for querying it.

hwservicemanager can check hwservice_contexts files
both from the framework and vendor partitions.

Initially, have a wildcard '*' in hwservice_contexts
that maps to a label that can be added/found from
domain. This needs to be removed when the proper policy
is in place.

Also, grant su/shell access to hwservicemanager list
operations, so tools like 'lshal' continue to work.

Bug: 34454312
Test: Marlin boots
Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc
/system/sepolicy/Android.mk
ac171b44372ad506fecf1cd0399db2fa9fd1289f 13-Apr-2017 Jeff Vander Stoep <jeffv@google.com> secilc: expand generated attributes

Attributes added to the policy by the policy compiler are causing
performance issues. Telling the compiler to expand these
auto-generated attributes to their underlying types prevents
preemption during policy lookup.

With this patch the number of attributes in policy drops from
845 to 475. The number of attributes assigned to the bluetooth domain
drops from 41 to 11.

Bug: 3650825
Test: Build and boot Marlin
Change-Id: Ica06e82001eca323c435fe13c5cf4beba74999e2
/system/sepolicy/Android.mk
4d24a77551d30369542ac15e48e02f3ae582d0e6 12-Apr-2017 Dan Cashman <dcashman@google.com> Fix build part 2. Always create platform_mapping_file.

commit 552fb537129e9b446e79af53216c08d15e69144e fixed an undefined
module error by removing the module when not defined (on non-treble
devices), but the sepolicy build on non-treble devices was changed
to rely on the split treble files, even though the split is not used.
Change this so that the file is always present, to allow policy
compilation.

Test: policy fully builds.
Change-Id: Ia0934c739336cea54228bbff8d6644aa3ae501e5
/system/sepolicy/Android.mk
552fb537129e9b446e79af53216c08d15e69144e 12-Apr-2017 Dan Cashman <dcashman@google.com> Fix build: encase $(platform_mapping_file) module in treble block.

Specifying an empty module causes a build error, so make sure that
if there is no $(platform_mapping_file) the MODULE is not included.

Test: Makefiles parsed without error.
Change-Id: Ie99e6534c388a3d42bf90cdfef5ee64d5c640fa0
/system/sepolicy/Android.mk
6bf50e5c14a45088680ba5af971bf08657c343f5 12-Apr-2017 Dan Cashman <dcashman@google.com> Remove BOARD_SEPOLICY_VERS_DIR build variable.

The original purpose of BOARD_SEPOLICY_VERS_DIR was to allow the
specification of an alternate platform public policy, primarily for
testing purposes. This should not be a part of the released platform,
since the only public policy and corresponding mapping file construction
should be based on the current public platform policy, with compatibility
with vendor policy targeting previous versions provided by static mapping
files. Its continued presence muddles the generation of mapping files by
potentially introducing a situation in which an incorrect mapping file is
generated. Remove it.

Bug: 36783775
Test: Device boots with compiled SELinux policy (SHA256s don't match for
precompiled policy).

Change-Id: I9e2100a7d709c9c0949f4e556229623961291a32
/system/sepolicy/Android.mk
c8d4535cc2a7691dd0a3562008a03a72b43f560c 11-Apr-2017 Dan Cashman <dcashman@google.com> Change recovery to static platform-only compilation.

Recovery is not meant to be versioned in the treble model, but rather
provided as part of the platform/framework component and self-sufficient.
Simplify its compilation by removing the attribute versioning steps, but
maintain device-specific policy, which is currently required for full
functionality.

Bug: 37240781
Bug: 36783775
Test: recovery boots and is able to select commands. Also tried:
reboot system, boot to bootloader, factory reset, sideload, view logs,
run graphics test, and power off.

Change-Id: I637819844d9a8ea5b315404f4abd03e8f923303a
/system/sepolicy/Android.mk
4f9a648e90ed95716224b96348805accd27f4f51 10-Apr-2017 Dan Cashman <dcashman@google.com> Change mapping file name to reflect its platform version.

As the platform progresses in the split SELinux world, the platform
will need to maintain mapping files back to previous platform versions
to maintain backwards compatibility with vendor images which have SELinux
policy written based on the older versions. This requires shipping multiple
mapping files with the system image so that the right one can be selected.
Change the name and location of the mapping file to reflect this. Also add
a file to the vendor partition indicating which version is being targeted that
the platform can use to determine which mapping file to choose.

Bug: 36783775
Test: Force compilation of sepolicy on-device with mapping file changed
to new location and name, using the value reported on /vendor.

Change-Id: I93ab3e52c2c80c493719dc3825bc731867ea76d4
/system/sepolicy/Android.mk
6f14f6b7d957d4001160438882fb5cb7b09e399e 08-Apr-2017 Dan Cashman <dcashman@google.com> Add PLATFORM_SEPOLICY_VERSION.

Create PLATFORM_SEPOLICY_VERSION, which is a version string to represent
the platform sepolicy of the form "NN.m" where "NN" mirrors the
PLATFORM_SDK_VERSION and "m" is a policy-based minor version that is
incremented with every policy change that requires a new backward-compatible
mapping file to be added to allow for future-proofing vendor policy against
future platform policy.

Bug: 36783775
Test: Device boots when sha256 doesn't match and compilation is forced.
Change-Id: I4edb29824f2050a5a6e1bc078c100cf42e45c303
/system/sepolicy/Android.mk
86123070836ede84a7db9a47d8367363975dd322 08-Apr-2017 TreeHugger Robot <treehugger-gerrit@google.com> Merge "sepolicy_version: change current version to NN.m format" into oc-dev
42f95984b501f39cd5f8270b5854a985d1b6d528 07-Apr-2017 Sandeep Patil <sspatil@google.com> sepolicy_version: change current version to NN.m format

The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.

Make version_policy replace the '.' in version by '_' so secilc is
happy too.

This unblocks libvintf from giving out a runtime API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.

Bug: 35217573
Test: Build and boot sailfish.
Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>

Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
/system/sepolicy/Android.mk
df720941965e56ef394de73c0de5c59b4e372f18 07-Apr-2017 Alex Klyubin <klyubin@google.com> Merge "Preserve treble-only flag for CTS neverallows" into oc-dev
446279a6b9bcc9689c73c5e27f3f4757e1edd661 06-Apr-2017 Alex Klyubin <klyubin@google.com> Preserve treble-only flag for CTS neverallows

CTS includes general_sepolicy.conf built from this project. CTS then
tests this file's neverallow rules against the policy of the device
under test. Prior to this commit, neverallow rules which must be
enforced only for Treble devices were not included into
general_sepolicy.conf. As a result, these rules were not enforced for
Treble devices.

This commit fixes the issue as follows. Because CTS includes only one
policy, the policy now contains also the rules which are only for
Treble devices. To enable CTS to distinguish rules needed for all
devices from rules needed only on Treble devices, the latter rules are
contained in sections delimited with BEGIN_TREBLE_ONLY and
END_TREBLE_ONLY comments.

This commit also removes the unnecessary sepolicy.general target. This
target is not used anywhere and is causing trouble because it is
verifying neverallows of the policy meant to be used by CTS. This
policy can no longer be verified with checkpolicy without
conditionally including or excluding Treble-only neverallows.

Test: mmm system/sepolicy
Test: Device boots -- no new denials
Bug: 37082262
Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf
/system/sepolicy/Android.mk
ee97662f17c278b7988857162ea0f11b9afcf707 07-Apr-2017 Martijn Coenen <maco@google.com> Fix checkfc options order.

darwin's getopt() doesn't like putting arguments
in the wrong order.

Test: Mac/Linux builds
Change-Id: If632e9077c1b5714f91c5adaa04afb4963d9b0f5
/system/sepolicy/Android.mk
d48d54a3a103a001301c9decc4ba3a09cb9c2d12 06-Apr-2017 Martijn Coenen <maco@google.com> Modify checkfc to check (vnd|hw)service_manager_type.

Added checkfc options 'l' and 'v' to verify hwservice_manager_type
and vndservice_manager_type on service context files, respectively.

The checkfc call to verify the new hwservice_contexts files will
be added together with hwservicemanager ACL CLs later.

Bug: 34454312
Bug: 36052864
Test: device boots, works
Change-Id: Ie3b56da30be47c95a6b05d1bc5e5805acb809783
/system/sepolicy/Android.mk
0e9c47c0af92005ea81772e82663865f1a3572b3 04-Apr-2017 Dan Cashman <dcashman@google.com> Move mapping_sepolicy.cil to /system partition.

This is a necessary first step to finalizing the SELinux policy build
process. The mapping_sepolicy.cil file is required to provide backward
compatibility with the indicated vendor-targeted version.

This still needs to be extended to provide N mapping files and corresponding
SHA256 outputs, one for each of the N previous platform versions with which
we're backward-compatible.

Bug: 36783775
Test: boot device with matching sha256 and non-matching and verify that
device boots and uses either precompiled or compiled policy as needed. Also
verify that mapping_sepolicy.cil has moved.

Change-Id: I5692fb87c7ec0f3ae9ca611f76847ccff9182375
/system/sepolicy/Android.mk
6676c234fc6a634cdf5231a3e33b3edc075daa51 01-Apr-2017 Martijn Coenen <maco@google.com> Add target for vndservice_contexts.

So we can limit vndservicemanager access to
just vndservice_contexts.

Bug: 36052864
Test: servicemanager,vndservicemanager work
Change-Id: I7b132d4f616ba1edd0daf7be750d4b7174c4e188
/system/sepolicy/Android.mk
d4a3e9dd485ebd37b4e323098ae08cd0dc38e942 23-Mar-2017 Jeff Vander Stoep <jeffv@google.com> Create selinux_policy phony target

Moves selinux policy build decisions to system/sepolicy/Android.mk.
This is done because the PRODUCT_FULL_TREBLE variable isn't available
in embedded.mk and TARGET_SANITIZE isn't available to dependencies of
init.

Test: Build/boot Bullhead PRODUCT_FULL_TREBLE=false
Test: Build/boot Marlin PRODUCT_FULL_TREBLE=true
Test: Build Marlin TARGET_SANITIZE=address. Verify asan rules are
included in policy output.
Bug: 36138508
Change-Id: I20a25ffdfbe2b28e7e0f3e090a4df321e85e1235
/system/sepolicy/Android.mk
5d0c2e417b5dd527ec22faaffe9b8dd28ba4c35e 23-Mar-2017 William Roberts <william.c.roberts@intel.com> build: stop generating $T/file_contexts

secilc is being used without -f which is causing a file_contexts
file to be generated in the root of the tree where the build tools
run:

$ stat $T/file_contexts
File: 'file_contexts'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fc00h/64512d Inode: 5508958 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 1000/wcrobert) Gid: ( 1000/wcrobert)
Access: 2017-03-23 11:23:41.691538047 -0700
Modify: 2017-03-23 11:23:41.691538047 -0700
Change: 2017-03-23 11:23:41.691538047 -0700

Test: remove $T/file_contexts, touch a policy file and make sepolicy,
ensure file is not regenerated. Also, ensure hikey builds and
boots.

Change-Id: I0d15338a540dba0194c65a1436647c7d38fe3c79
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
7cda44f49f8b128f6a4673174220b4825024f654 21-Mar-2017 Alex Klyubin <klyubin@google.com> Mark all clients of Allocator HAL

This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.

This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.

Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.

P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
/system/sepolicy/Android.mk
f5446eb1486816c00136b2b5f0a3cc4a01706000 23-Mar-2017 Alex Klyubin <klyubin@google.com> Vendor domains must not use Binder

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
appdomain only, and
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"binder_in_vendor_violators" attribute. The attribute is needed
because the types corresponding to violators are not exposed to the
public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
sound, record slow motion video with sound. Confirm videos play
back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
/system/sepolicy/Android.mk
7443484831a858848d71b95c3e9fa4e96dcbf830 13-Mar-2017 Jeff Vander Stoep <jeffv@google.com> Grant additional permissions for ASAN builds

ASAN builds may require additional permissions to launch processes
with ASAN wrappers. In this case, system_server needs permission to
execute /system/bin/sh.

Create with_asan() macro which can be used exclusively on debug
builds. Note this means that ASAN builds with these additional
permission will not pass the security portion of CTS - like any
other debug build.

Addresses:
avc: denied { execute } for name="sh" dev="dm-0" ino=571
scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0
tclass=file

Test: lunch aosp_marlin-userdebug;
cd system/sepolicy; mm SANITIZE_TARGET=address;
Verify permissions granted using with_asan() are granted.
Test: lunch aosp_marlin-userdebug;
cd system/sepolicy; mm;
Verify permissions granted using with_asan() are not granted.
Test: lunch aosp_marlin-user;
cd system/sepolicy; mm SANITIZE_TARGET=address;
Verify permissions granted using with_asan() are not granted.
Bug: 36138508
Change-Id: I6e39ada4bacd71687a593023f16b45bc16cd7ef8
/system/sepolicy/Android.mk
d2053bd024139d9993a3bfa9b81fd4e68b9bc865 15-Mar-2017 Jeff Vander Stoep <jeffv@google.com> Specify intermediates dir for sepolicy

Policy intermediates are being placed in a seemingly random
intermediates directories.

Currently:
out/target/product/marlin/obj_arm/SHARED_LIBRARIES/libsoftkeymaster_intermediates

Instead, place intermediates in the sepolicy_intermediates dir.

Test: intermediates now placed in:
out/target/product/marlin/obj/ETC/sepolicy_intermediates
Test: Marlin builds, no change to sepolicy on device.
Bug: 36269118

Change-Id: Ib6e9d9033be4dc8db0cc66cb47d9dc35d38703fe
/system/sepolicy/Android.mk
e8243518a7f8ddbc510c4d197f6a7c0b4091ce4f 15-Mar-2017 Alex Klyubin <klyubin@google.com> Remove unused /selinux_version

This file is no longer needed because it was needed for supporting
reloadable/dynamic SELinux policy which is no longer supported.

Test: Clean build, flash, device boots without additional denials.
Reboot to recovery works, no additional denials.
Bug: 33642277
Change-Id: I7fffe2fd12f586ed9b3ae54e35d17abdebbe7bce
/system/sepolicy/Android.mk
ec6f393d0761c04fa9783ba7b176cc61b72be2fe 15-Mar-2017 Xin Li <delphij@google.com> Fix build under GitC client.

Test: build
Bug: 36229129
Change-Id: I0654ce44f344729b0bb1f8716afa151e134fdc6a
/system/sepolicy/Android.mk
9d59041f63b22f3d1b59faa9afeb5bf2a02e3e17 08-Mar-2017 Alex Klyubin <klyubin@google.com> Correct location of property_contexts for TREBLE devices

This makes the build system, for TREBLE devices only, place
plat_property_contexts under /system/etc/selinux and
nonplat_property_contexts under /vendor/etc/selinux. For other devices
these files are placed under /, same as before.

This change was previously reverted because it affected the location
of property_contexts in recovery. Now that we have separate targets for
recovery (see ec78c377c006040d14d92f5b1a1a52da779f20aa), this change
no longer affects recovery.

Test: *_property_contexts in correct locations when
PRODUCT_FULL_TREBLE is set to true and when it is set to false.

Test: cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check \
--abi arm64-v8a --module CtsSecurityHostTestCases \
-t android.security.cts.SELinuxHostTest#testAospPropertyContexts

This test was performed on bullhead (non A/B device) and sailfish
(A/B device).

Test: Clean build, flash, device boots with no additional denials.
Rebooting to recovery, recovery boots fine with no denials.
This test was performed on bullhead (non A/B device) and sailfish
(A/B device).
Bug: 36002573

(cherry picked from commit 4cb628a3be61efbd2abf8e92d38710d76ef828f3)

Change-Id: I0b145c58669fb31bc39d57f36eef1190425a8328
/system/sepolicy/Android.mk
ec78c377c006040d14d92f5b1a1a52da779f20aa 10-Mar-2017 Alex Klyubin <klyubin@google.com> Targets for artifacts needed by recovery

This ensures that SELinux policy artifact needed by recovery at
runtime have targets in this build script. This is to make
recoveryimage/bootimage targets depend on these artifacts explicitly,
which reduces the element of surprise. Moreover, this enables us to
move non-recovery artifacts around without affecting recovery
artifacts.

Test: Clean build, flash, device boots just fine, no new denials.
Reboot to recovery, recovery boots just fine, no denials.
This was tested on bullhead (non A/B device) and sailfish (A/B
device).
Bug: 33642277
Change-Id: I3c494d9d7fec5c4f487d38964e572757fcf67f57
/system/sepolicy/Android.mk
bba9e7b92d903629c57dee02aa3675b27480a122 11-Mar-2017 Jeff Vander Stoep <jeffv@google.com> Split mac_permissions.xml to /system and /vendor

Test: Build and boot Marlin
Test: See the following in the logs:
01-01 02:10:28.756 1345 1345 D SELinuxMMAC: Using policy file /system/etc/selinux/plat_mac_permissions.xml
01-01 02:10:28.787 1345 1345 D SELinuxMMAC: Using policy file /vendor/etc/selinux/nonplat_mac_permissions.xml
Bug: 36003167

Change-Id: If17490a2a5d94bfea1fa6d282282d45d67e207e9
/system/sepolicy/Android.mk
0cb417a6392c63e9670c2718fcb5e2f485d9baa4 08-Mar-2017 Jeff Vander Stoep <jeffv@google.com> Move split file_contexts to /system and /vendor

Build file_contexts.bin on legacy builds.
Test: Marlin and Bullhead build and boot with no new denials.
Test: Marlin and Bullhead recovery boots with no new denials.
Test: Bullhead boots with file_contexts.bin in /
Test: Marlin boot with /system/etc/selinux/plat_file_contexts and
/vendor/etc/selinux/nonplat_file_contexts.
Bug: 36002414

Change-Id: Ide8498b3c86234d2f93bb22a7514d132c33067d6
/system/sepolicy/Android.mk
84aa74218421f8d2dbad1408ba114f680331ace0 10-Mar-2017 Alex Klyubin <klyubin@google.com> Remove unnecessary recovery-related targets

Recovery should always use monolithic policy. Thus, we don't need
split policy files *.recovery.cil. This commit removes these targets
and rolls up the relevant parts of the targets into
"sepolicy.recovery" which is the target which produces monolithic
policy for recovery.

Test: make clean && make sepolicy.recovery, then confirm that
sepolicy.recovery is identical to the one produced prior to this
change.
Test: Clean build, flash, device boots up fine, no new denials. Device
also boots into recovery just fine, no denials.
Bug: 31363362

Change-Id: I7f698abe1f17308f2f03f5ed1b727a8b071e94c7
/system/sepolicy/Android.mk
935ddb20c196fa8ee177abde9bd15401a5a1b3fc 10-Mar-2017 Alex Klyubin <klyubin@google.com> Revert "Correct location of property_contexts for TREBLE devices"

This reverts commit 4cb628a3be61efbd2abf8e92d38710d76ef828f3.

Reason for revert: recovery image on marlin & sailfish no longer
contained *property_contexts and thus recovery failed to boot.

Test: Clean build, flash, sailfish and bullhead boot up just fine,
and boot into recovery just fine.
Bug: 36002573
Bug: 36108354
Change-Id: I2dffd80764f1a464327747d35a58691b24cff7a7
/system/sepolicy/Android.mk
4e3a4c7b21f48eec2413d20e317d7d41d3fb0c0f 09-Mar-2017 Jeff Vander Stoep <jeffv@google.com> Move service and seapp contexts to /system and /vendor

Test: Build and boot Marlin and Bullhead.
Test: Contexts split between /system and /vendor on Marlin.
Remains stored in / on Bullhead.
Bug: 36002816
Bug: 36002427

Change-Id: I922bcbc0cc2c08e312cf942ee261951edfa8d4e2
/system/sepolicy/Android.mk
4cb628a3be61efbd2abf8e92d38710d76ef828f3 08-Mar-2017 Alex Klyubin <klyubin@google.com> Correct location of property_contexts for TREBLE devices

This makes the build system, for TREBLE devices only, place
plat_property_contexts under /system/etc/selinux and
nonplat_property_contexts under /vendor/etc/selinux. For other devices
these files are placed under /, same as before.

Test: *_property_contexts in correct locations when
PRODUCT_FULL_TREBLE is set to true and when it is set to false.
Bug: 36002573

Change-Id: I7e30e64918bb3ee671fa8c7a2e30ed96a9cc1ad7
/system/sepolicy/Android.mk
193dccda7922e3cfdcbbd19da93960335ca0d224 07-Mar-2017 Alex Klyubin <klyubin@google.com> Precompiled kernel policy for on-device use

This adds build targets for outputting precompiled kernel policy usable
on devices with policy split between system and vendor partitions. On
such devices, precompiled policy must reside on the vendor partition.

Because such devices support updating these partitions independently
of each other, the precompiled policy must reference the system
partition's policy against which it was compiled. This enables init to
establish whether the precompiled policy is valid for the current
combination of system and vendor partitions.

The referencing is performed by both the system and vendor partitions
including the SHA-256 digest of the system partition's policy
(plat_sepolicy.cil). Only when the digest is the same on both
partitions can the precompiled policy be used.

Test: plat_sepolicy.cil.sha256 contains exactly the hex form of the
SHA-256 digest of plat_sepolicy.cil
Test: plat_sepolicy.cil.sha256 is identical
precompiled_sepolicy.plat.sha256.
Bug: 31363362
Change-Id: I9771e1aa751e25bba6e2face37d68e0ae43b33a3
/system/sepolicy/Android.mk
87ae5f7dbd894ad72da05bae6f3381c0eae190b7 07-Mar-2017 Jeff Vander Stoep <jeffv@google.com> assert plat neverallows on nonplat seapp_contexts

With the plat/nonplat policy split, nonplat_seapp_contexts should still
be checked against the plat_seapp_contexts_neverallows during build
time to ensure no violations occur.

Test: stock aosp_marlin builds.
Test: name=foo.bar seinfo=default fails (as expected) in nonplat policy
Test: name=foo.bar seinfo="" fails (as expected) in nonplat policy
Bug: 36002816
Change-Id: I95b2c695b23e2bdf420575d631e85391e93fc869
/system/sepolicy/Android.mk
052b0bbb267d7629770184a6c53dd59a1eb0b671 02-Mar-2017 Alex Klyubin <klyubin@google.com> Move split sepolicy to correct locations

This moves the CIL files comprising the split sepolicy to the
directories/partitions based on whether the file is part of
platform/system or non-platform/vendor. In particular:
* plat_sepolicy.cil is moved to /system/etc/selinux,
* nonplat_sepolicy.cil is moved to /vendor/etc/selinux, and
* mapping_sepolicy.cil is moved to /vendor/etc/selinux.

Test: Device boots, no additional denials. The test is performed both
for a device without the CIL files and with the three CIL files.
Bug: 31363362

Change-Id: Ia760d7eb32c80ba72f6409da75d99eb5aae71cd9
/system/sepolicy/Android.mk
8f7173b01601040ae17810d07dea37a895f94ddd 25-Feb-2017 Alex Klyubin <klyubin@google.com> Test CIL policy when building it

Prior to this commit, there was a bug in generated CIL where it
wouldn't compile using secilc. The reason was that the build script
was stripping out all lines containing "neverallow" from CIL files,
accidentally removing lines which were not neverallow statements,
such as lmx lines referencing app_neverallows.te.

The commit fixes the build script's CIL neverallow filter to filter
out only neverallow* statements, as originally intended. Moreover, to
catch non-compiling CIL policy earlier in the future, this commit runs
secilc on the policy at build time. In particular, it tests that
platform policy compiles on its own and that nonplatform + platform +
mapping policy compiles as well.

Test: CIL policy builds and compiles on-device using secilc
Bug: 31363362
Change-Id: I769aeb3d8c913a5599f1a2195c69460ece7f6465
/system/sepolicy/Android.mk
5596172d23a799d4131f36822e8afe817f2cf017 31-Jan-2017 Alex Klyubin <klyubin@google.com> Device-agnostic policy for vendor image

Default HAL implementations are built from the platform tree and get
placed into the vendor image. The SELinux rules needed for these HAL
implementations to operate thus need to reside on the vendor
partition.

Up to now, the only place to define such rules in the source tree was
the system/sepolicy/public directory. These rules are placed into the
vendor partition. Unfortunately, they are also placed into the
system/root partition, which thus unnecessarily grants these rules to
all HAL implementations of the specified service, default/in-process
shims or not.

This commit adds a new directory, system/sepolicy/vendor, whose
rules are concatenated with the device-specific rules at build time.
These rules are thus placed into the vendor partition and are not
placed into the system/root partition.

Test: No change to SELinux policy.
Test: Rules placed into vendor directory end up in nonplat* artefacts,
but not in plat* artefacts.
Bug: 34715716
Change-Id: Iab14aa7a3311ed6d53afff673e5d112428941f1c
/system/sepolicy/Android.mk
a86316e85215de0e8bcd9920035af1a2d1f5a4cc 28-Dec-2016 Sandeep Patil <sspatil@google.com> property_context: split into platform and non-platform components.

Bug: 33746484
Test: Successfully boot with original service and property contexts.
Successfully boot with split service and property contexts.

Change-Id: I87f95292b5860283efb2081b2223e607a52fed04
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/Android.mk
e4665d7f85c7ee550f24d1799c09eb87a229b5c9 20-Jan-2017 Alex Klyubin <klyubin@google.com> Fix bugs in *_file_contexts targets

This fixes the following issues introduced in commit
d225b6979db89959c272b4351fb05363a7a18ea7:
* plat_file_contexts was empty because the target was referencing
system/sepolicy/private/file_contexts via a misspelled variable
name.
* plat_file_contexts wasn't marked as dirty and thus wasn't rebuilt
when system/sepolicy/private/file_contexts changed. This is because
the file_contexts dependency was referenced via a misspelled
variable name.
* plat_file_contexts wasn't sorted (as opposed to other similar
targets, such as nonplat_file_contexts and file_contexts.bin). This
may lead to unnecessary non-determinism.
* nonplat_file_contexts wasn't marked dirty and thus wasn't rebuilt
when device-specific file_contexts file(s) changed. This is because
the file_contexts files were referenced via a misspelled variable
name.

Test: "make plat_file_contexts" produces a non-empty file containing
mappings from system/sepolicy/private/file_contexts
Test: "make plat_file_contexts" updates output when
system/sepolicy/private/file_contexts changes
Test: "make plat_file_contexts" produces output which is sorted
according to rules in fc_sort
Test: "make nonplat_file_contexts" updates output when
device/lge/bullhead/sepolicy/file_contexts changes (tested on
aosp_bullhead-eng)
Bug: 31363362
Change-Id: I540555651103f02c96cf958bb93618f600e47a75
/system/sepolicy/Android.mk
aa03ef26214767cc53d21be40d3027fc69684551 18-Jan-2017 Jorim Jaggi <jjaggi@google.com> Revert "property_context: split into platform and non-platform components."

This reverts commit 262edc382ae4da130b211203bf05c03179794616.

Fixes: 34370523
Change-Id: I077d064d4031d40bc48cb39eba310e6c16b9627d
/system/sepolicy/Android.mk
262edc382ae4da130b211203bf05c03179794616 28-Dec-2016 Sandeep Patil <sspatil@google.com> property_context: split into platform and non-platform components.

Bug: 33746484
Test: Successfully boot with original service and property contexts.
Successfully boot with split service and property contexts.

Change-Id: I7881af8922834dc69b37dae3b06d921e05206564
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/Android.mk
a058b569e4c7204a756ccb3fc4f23b17042a8f43 28-Dec-2016 Sandeep Patil <sspatil@google.com> service_context: split into platform and non-platform components.

Bug: 33746484
Test: Successfully boot with original service and property contexts.
Successfully boot with split service and property contexts.

Change-Id: Ide67d37d85273c60b9e387e72fbeb87be6da306a
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/Android.mk
9c038072231ea475cf0dc7a378f930e9b06e8dac 22-Dec-2016 Dan Cashman <dcashman@google.com> Split seapp_contexts into plat and nonplat components.

Bug: 33746381
Test: Device boots with no extra denials.
Change-Id: I2f0da92367851142e0d7df4afec8861ceaed9d3e
/system/sepolicy/Android.mk
d225b6979db89959c272b4351fb05363a7a18ea7 12-Dec-2016 dcashman <dcashman@google.com> Split file_contexts for on-device compilation.

Simulate platform and non-platform split by compiling two different
file_contexts files and loading them together on-device. Leave the existing
file_contexts.bin in place until we're ready to build images based on the new
files.

Bug: 31363362
Test: Builds and boots without additional denials.
Change-Id: I7248f876e2230cee3b3cbf386422063da1e3dde0

Bring back file_contexts.bin.

Change-Id: Ifec2c363579151080fdec48e8bc46bbbc8c97674
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/Android.mk
c5c3abc6bc14357fa3c537094514d2a23bac21e3 05-Dec-2016 Richard Uhler <ruhler@google.com> Remove option for non-pic dex preopt.

Test: make checkbuild, aosp_bullhead-userdebug boots.
Bug: 33192586

Change-Id: I386df8b6c04fb162f79a4409801ce3e882026ea8
/system/sepolicy/Android.mk
52b759777b628c1d8734e0444940e0907beda4e7 20-Dec-2016 Steven Moreland <smoreland@google.com> Remove ENABLE_TREBLE from sepolicy.

Enabling/disabling sepolicy based on ENABLE_TREBLE is not granular
enough (ref: b/32978887 #4).

Bug: 32978887
Test: compiles, doesn't cause any additional denials on device. Nothing
depends on these things I'm removing.
Change-Id: I10acbde16e5e2093f2c9205ed79cd20caed7f44d
/system/sepolicy/Android.mk
65d01349a00e15a4bed55fc685e43b9058c480a4 17-Dec-2016 Daniel Cashman <dcashman@google.com> Revert "Move sepolicy and recovery from on-device tree and add dependency."

This reverts commit cf5c6ecb93931ca5853b9954979d785d259453ce.

Change-Id: Ie86a6ac20ab5a1611efc0e167c0430eb9df9482e
/system/sepolicy/Android.mk
cf5c6ecb93931ca5853b9954979d785d259453ce 16-Dec-2016 Dan Cashman <dcashman@google.com> Move sepolicy and recovery from on-device tree and add dependency.

Prevent sepolicy and sepolicy.recover from showing up in the root
filesystem when they will not be created as part of it. Also make
sure both are added as dependencies to version_policy to ensure the
neverallow checks are run.

Bug: 31363362
Test: Builds and boots, including recovery, without additional
denials. Neverallow violations still caught at build time.

Change-Id: I39e3cbc150551c9316952523927d057538cd00a7
/system/sepolicy/Android.mk
1c0402779552e497900db0a649068019ce023dfb 16-Dec-2016 Dan Cashman <dcashman@google.com> Switch recovery to versioned policy and split into components.

And do some clean up:
Replace LOCAL_TARGET_ARCH with global arch specifier that won't get
clobbered, clean up sepolicy.recovery's eng specification, ensure that
build macros are applied across all policy generation, not just
plat_policy, and make sure that all private variables are cleared and
alphabetized at the end.

Bug: 31363362
Bug: 31369363
Test: Boot into recovery and observe no selinux denials.
Change-Id: Ibc15b097f6d19acf01f6b22bee0e083b15f4ef75
/system/sepolicy/Android.mk
90b3b948971a01a2a8b83edcbf07ae493bd43bab 14-Dec-2016 dcashman <dcashman@google.com> Split mac_permissions.xml into plat and non-plat components.

Bug: 31363362
Test: Bullhead and Sailfish both build and boot w/out new denials.
Change-Id: If6a451ddaab8c9b78a618c49b116a7ed766d0710
/system/sepolicy/Android.mk
1faa644c81e90cfd226bb7e43cde68e309c10790 28-Nov-2016 dcashman <dcashman@google.com> Split policy for on-device compilation.

Simulate platform and non-platform split by sending the split files to the
device to be compiled by init.

Bug: 31363362
Test: Policy builds on-device and boots. sediff shows no difference.
Change-Id: I9627d1c66ca37786d97a049666278a4992ad7579
/system/sepolicy/Android.mk
07791558051d0ffbbb6ac015cd4f195455695523 07-Dec-2016 dcashman <dcashman@google.com> Restore checkfc and neverallow checks.

Bug: 33388095
Test: Builds and boots.
Change-Id: Ief9064a16fc733bed54eb76f509ff5aaf5db4baf
/system/sepolicy/Android.mk
2e00e6373faa6271d7839d33c5b9e69d998ff020 12-Oct-2016 dcashman <dcashman@google.com> sepolicy: add version_policy tool and version non-platform policy.

In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split. In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
/system/sepolicy/Android.mk
2899434716e069231d67133927bed25c9e27bcbc 21-Nov-2016 Jorge Lucangeli Obes <jorgelo@google.com> Add WITH_DEXPREOPT_PIC to 'with_dexpreopt' SELinux macro.

|WITH_DEXPREOPT_PIC = false| will still cause code to be loaded from
/data.

Bug: 32970029
Test: On HiKey and Marlin:
Test: Add |WITH_DEXPREOPT_PIC = false|, see SELinux denial.
Test: Apply this CL, no SELinux denials.
Change-Id: I0a1d39eeb4d7f75d84c1908b879d9ea1ccffba74
/system/sepolicy/Android.mk
84db84e6cdc6a04ac85fb4413c813412c0dea600 18-Nov-2016 Jorge Lucangeli Obes <jorgelo@google.com> Use with_dexpreopt macro for zygote execute permissions.

When WITH_DEXPREOPT is set, the zygote does not need to execute
dalvikcache_data_file objects.

Bug: 32970029
Test: Add policy line inside macro, build with and without WITH_DEXPREOPT.
Test: HiKey builds, boots, no zygote denials.
Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
/system/sepolicy/Android.mk
d733d161cfd7b73e3d3087ca086abb646790fd1b 19-Oct-2016 Jeff Vander Stoep <jeffv@google.com> Add macros for treble and non-treble only policy

Test: builds
Change-Id: Idd1d90a89a9ecbb2738d6b483af0e8479e87aa15
/system/sepolicy/Android.mk
cc39f637734a8d84bc861b649bfd109290c06401 22-Jul-2016 dcashman <dcashman@google.com> Split general policy into public and private components.

Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
/system/sepolicy/Android.mk
5807d1d2b9bc1355acd7bec3dc7afe8227751f5b 29-Jul-2016 Douglas Leung <douglas.leung@imgtec.com> Fix ioctl defines for Mips.

This patch allows mips to boot in enforcing mode.

Change-Id: Ia4676db06adc3ccb20d5f231406cf4ab67317496
/system/sepolicy/Android.mk
7d9487c996d21a2025c19440d03fe215e5f4e3fb 19-Jul-2016 William Roberts <william.c.roberts@intel.com> Merge "service_contexts: strip blank lines and comments"
am: afad0c35ec

Change-Id: Id4a4937cc3b7c2ddd6d363144e6fafc90be60498
a584f2f6cd1958293a383ccdde57e75edf0a546a 15-Jul-2016 William Roberts <william.c.roberts@intel.com> Merge "property_contexts: strip blank lines and comments"
am: ee69a2e775

Change-Id: If61f5720180243ec1b5aa9e16d66c95c37f49b88
c9fce3fa595592fed96e0294bce55199c8582c7b 06-Apr-2016 William Roberts <william.c.roberts@intel.com> service_contexts: strip blank lines and comments

Strip whitespace and comments from service_context files
to reduce size. On an aosp_x86_64 build it saves 36 bytes.

However, on builds with more synclines and comments, further
space savings can be realized.

Change-Id: I3cb4effad1d1b404bf53605a3793e3070cb95651
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
371918c1fe8ce33c358a1f79c7babea596cd7fff 06-Apr-2016 William Roberts <william.c.roberts@intel.com> property_contexts: strip blank lines and comments

Strip whitespace and comments from property_context files
to reduce size. On an aosp_x86_64 build it saves 851 bytes.

However, on builds with more synclines and comments, further
space savings can be realized.

Change-Id: I43caf1deaab53d4753c835918898c8982f477ef0
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
2f7b0514fa4973a27bef06d84294207b29c11884 17-May-2016 Shinichiro Hamaji <hamaji@google.com> Merge "Add keys to prerequisites of mac_permissions.xml" am: d1eb0ede9c
am: a8f65aa156

* commit 'a8f65aa156331487153456ed111b7feb1434355e':
Add keys to prerequisites of mac_permissions.xml

Change-Id: I9b6f11e61f31ec6c11ec35283eff4936b66497f9
ef0c14d3a2a469081a99111e48a3d421d4fe8d5b 13-May-2016 Shinichiro Hamaji <hamaji@google.com> Add keys to prerequisites of mac_permissions.xml

Bug: 27954979
Change-Id: Ia0403e2dc2726523a41742e23beff29b47274392
/system/sepolicy/Android.mk
3116b83f834fd34e2ac31a5ba9d422b425892901 02-Mar-2016 Nick Kralevich <nnk@google.com> suppress unnecessary makefile output am: 6ef10bd48b
am: 1274aa15d4

* commit '1274aa15d415ea317c48b321445583bf25999b6a':
suppress unnecessary makefile output
6ef10bd48b09ae0cb371c9d9f161c3b3b8f003fc 01-Mar-2016 Nick Kralevich <nnk@google.com> suppress unnecessary makefile output

checkpolicy spits out a bunch of unnecessary lines during normal
operation, which bloat the logs and hide other more important
warnings. Suppress the normal output.

SELinux compile time errors are printed to stderr, and are
unaffected by this change.

Change-Id: I07f2cbe8afcd14abf1c025355a169b5214ed5c6e
/system/sepolicy/Android.mk
6710e5c377a8f955be9d06fad96b0befa6605d06 27-Feb-2016 Nick Kralevich <nnk@google.com> Don't allow permissive SELinux domains on user builds. am: bca98efa57
am: 0551e9e8d4

* commit '0551e9e8d4764578d7304d695ba20040a6e0ea0b':
Don't allow permissive SELinux domains on user builds.
bca98efa575bedab68f2d5eaee2cd1fd1741962b 27-Feb-2016 Nick Kralevich <nnk@google.com> Don't allow permissive SELinux domains on user builds.

It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.

In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.

A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:

userdebug_or_eng(`
permissive foo;
')

Bug: 26902605
Bug: 27313768
Change-Id: Ic0971d9e96a28f2a98f9d56a547661d24fb81a21
/system/sepolicy/Android.mk
7a294027177e46a2025933d9ce8ab99135b74825 15-Jan-2016 Jeffrey Vander Stoep <jeffv@google.com> Merge changes from topic 'fc_sort-2' am: 87a73f199a
am: af77ab6b13

* commit 'af77ab6b136b0c4d44e912bbd2b98f958f7ceb45':
fc_sort: initial commit
checkfc: do not die on 0 length fc's
49693f1b4d7871e0e6ce2576fa68541ecb6d1f03 04-Jan-2016 William Roberts <william.c.roberts@intel.com> fc_sort: initial commit

Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: I3775eae11bfa5905cad0d02a0bf26c76ac03437c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
b9053767ab46d587dc7e1ea3e0a6c93e598b9433 15-Jan-2016 Jeffrey Vander Stoep <jeffv@google.com> Merge "Revert "fc_sort: initial commit"" am: 5de7574a59
am: 62871e5874

* commit '62871e5874e6b1663c732c7f2a2b2d6b36604534':
Revert "fc_sort: initial commit"
b1fb7e4037831a0e6f0fc474c5058cf47292f6a0 15-Jan-2016 Jeffrey Vander Stoep <jeffv@google.com> Revert "fc_sort: initial commit"

Breaks builds with no device specific policy.

Bug: 26568553
This reverts commit 29d146887eacf432b90c0ae460060f79d84dbaca.

Change-Id: If9254d4ad3f104a96325beedebc05dd22664084a
/system/sepolicy/Android.mk
a654d9f3aadaba09f476bef9671130aa7f1b7f3e 14-Jan-2016 Jeffrey Vander Stoep <jeffv@google.com> Merge "fc_sort: initial commit" am: 2dea4525f3
am: faddabe6f5

* commit 'faddabe6f58f30f81938b928597ee7a792c34984':
fc_sort: initial commit
29d146887eacf432b90c0ae460060f79d84dbaca 04-Jan-2016 William Roberts <william.c.roberts@intel.com> fc_sort: initial commit

Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: Id79cc6f434c41179d5c0d0d739c4718918b0b1dc
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
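Both "fc_sort: initial commit" entries above (the reverted one and the re-landed one) rest on the same point: file_contexts lookup takes the last matching entry, so concatenation order across BOARD_SEPOLICY_DIRS decides which label a path gets. The following added example (my own code, not the upstream fc_sort tool) reproduces that failure mode on a constructed fragment and then applies a simplified version of fc_sort's ordering as I read it: entries with regex metacharacters first, then shorter literal stems, then shorter strings, so the most specific entry lands last and therefore wins. The type names on the right-hand side are hypothetical.

```python
import re

# Constructed file_contexts fragment. It mimics two BOARD_SEPOLICY_DIRS
# concatenated in an unlucky order: the specific entry first, the
# catch-all last. Type names are hypothetical.
DEVICE_FC = """\
# specific device entry
/vendor/bin/foo        u:object_r:foo_exec:s0
/vendor/bin(/.*)?      u:object_r:vendor_bin_file:s0
/vendor(/.*)?          u:object_r:vendor_file:s0
"""

# Characters treated as regex metacharacters when computing the literal stem.
META_CHARS = set(".^$?*+|[({")


def parse_fc(text):
    """(regex, context) pairs, ignoring comments and blank lines. The samples
    carry no optional file-type field, so each entry is exactly two fields."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            regex, context = line.split()
            entries.append((regex, context))
    return entries


def sort_key(entry):
    """Simplified fc_sort ordering (my reading of the upstream comparison, not
    its code): metacharacter-bearing regexes sort before literal paths, then by
    length of the literal stem before the first metacharacter, then by total
    length. Ascending order puts the most specific entry last."""
    regex = entry[0]
    has_meta = False
    i = 0
    stem_len = 0
    while i < len(regex):
        c = regex[i]
        if c == "\\":            # escaped character is literal, skip both chars
            i += 2
        elif c in META_CHARS:
            has_meta = True
            break
        else:
            i += 1
        stem_len = i
    return (0 if has_meta else 1, stem_len, len(regex))


def fc_sort(entries):
    """Stable sort so equal-key entries keep their original relative order."""
    return sorted(entries, key=sort_key)


def lookup(entries, path):
    """file_contexts lookup as libselinux applies it: the last matching entry
    wins, with the regex anchored to the whole path."""
    for regex, context in reversed(entries):
        if re.fullmatch(regex, path):
            return context
    return None


def demo():
    unsorted = parse_fc(DEVICE_FC)
    ordered = fc_sort(unsorted)
    return {
        "unsorted /vendor/bin/foo": lookup(unsorted, "/vendor/bin/foo"),
        "sorted /vendor/bin/foo": lookup(ordered, "/vendor/bin/foo"),
        "sorted /vendor/bin/bar": lookup(ordered, "/vendor/bin/bar"),
        "sorted /vendor/lib/libx.so": lookup(ordered, "/vendor/lib/libx.so"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

In the unsorted fragment the catch-all /vendor(/.*)? shadows both more specific entries, so /vendor/bin/foo would be labelled vendor_file and any policy written for foo_exec would silently not apply; after sorting, the literal path sorts last and wins.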
9aa378ec3165c7a80b43dda718e4e2e779a67646 04-Jan-2016 Jeffrey Vander Stoep <jeffv@google.com> Merge "Reduce socket ioctl perms"
cbaa2b7d37c0810009cc0ffa4026334b4bf3096e 22-Dec-2015 Jeff Vander Stoep <jeffv@google.com> Reduce socket ioctl perms

Reduce the socket ioctl commands available to untrusted/isolated apps.
Neverallow accessing sensitive information or setting of network parameters.
Neverallow access to device private ioctls i.e. device specific
customizations as these are a common source of driver bugs.

Define common ioctl commands in ioctl_defines.

Bug: 26267358
Change-Id: Ic5c0af066e26d4cb2867568f53a3e65c5e3b5a5d
/system/sepolicy/Android.mk
efeac86de4ca327eaab3725e28449e94e033d0f1 29-Dec-2015 Daniel Cashman <dcashman@google.com> Merge changes from topic 'sepolicy-makefile-cleanup' am: 1e5b7a1962
am: 26f06d172d

* commit '26f06d172dc2b55c42b1543c7ef02563241efce1':
Android.mk: cleanse all set but not unset variables
Android.mk: clean dependencies and clear variables
50a478ef72a91eb52797bec322c6cbaf58382da3 29-Dec-2015 William Roberts <william.c.roberts@intel.com> Android.mk: cleanse all set but not unset variables

Discovered by diffing the set of "set variables" with
the set of "cleared variables".

Script:

mydir=$(mktemp -d)

grep -E '(^[a-z].)[a-z0-9_\.]*\s*:?=.' Android.mk | cut -d' ' -f 1-1 | sort | uniq > $mydir/set_vars
grep -E '(^[a-z].)[a-z0-9_\.]*\s*:?=$' Android.mk | cut -d' ' -f1-1 | sort | uniq > $mydir/unset_vars
diff $mydir/set_vars $mydir/unset_vars
rm -rf $mydir

Change-Id: Ib50abac6b417a1bcc1894d9a7bafdbdca371006a
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
46749752e5e64834bfeeb03b5346b8b82ce099e2 29-Dec-2015 William Roberts <william.c.roberts@intel.com> Android.mk: clean dependencies and clear variables

Dependencies being built with newline files in between
were also including the list of files without the newlines,
thus make would have to process 3n-1 files instead of 2n-1
where n is the number of files to process.

Additionally the *_with_nl variables were not being cleared
out and polluting Make's global name-space.

Change-Id: I76ea1a3dfae994b32991730aea7e4308da52a583
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
4b412232c11c24797f72c395fd4c333828f05443 17-Dec-2015 William Roberts <william.c.roberts@intel.com> sectxfile_nl: fix superfluous dependencies am: cb1ab9858e
am: aeb403f233

* commit 'aeb403f233ada241a099777ccd0ef3b007e935e2':
sectxfile_nl: fix superfluous dependencies
cb1ab9858e4f44ee87c4a86f1cc9e858b8b36475 14-Dec-2015 William Roberts <william.c.roberts@intel.com> sectxfile_nl: fix superfluous dependencies

The target sectxfile_nl, which is an auto-generated newline file,
has dependencies on itself and the other files. The dependencies
should be on the other files and this newline file, not the other
way around. Ideally, the *_contexts recipes should have the
dependency recorded for their "contexts" files and the newline
file.

Additionally, recipe dependencies for building the *_contexts files
depended on the list of all the contexts files with the newline file
in that list, however an additional explicit addition of the newline
file was also added in. Remove this, since it's in the full list of
files.

Change-Id: Iac658923f23a8d9263d392c44003b6bda4064646
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
e927937f2d54936a340044ef036a0001d5cb09e9 16-Dec-2015 Jeffrey Vander Stoep <jeffv@google.com> Merge "checkfc: add attribute test" am: d48773ab3e
am: c435b7590b

* commit 'c435b7590bd7d7f0594d48976fe931d1f6c07f32':
checkfc: add attribute test
ad3cb39e54040e5a03328d8006f428579d1654e0 25-Sep-2015 William Roberts <william.c.roberts@intel.com> checkfc: add attribute test

Enable checkfc to check *_contexts against a set of valid attributes
which must be associated with all types in the contexts file that
is being checked.

Since it's imperative that checkfc knows which file it's checking to
choose the proper attribute set, the -s option is introduced to
indicate the service_contexts file. The property_contexts file continues
to use the existing -p and file_contexts requires no specification, aka
it's the default.

Failure examples:
file_contexts:
Error: type "init" is not of set: "fs_type, dev_type, file_type"

service_contexts:
Error: type "init_exec" is not of set: "service_manager_type"

property_contexts:
Error: type "bluetooth_service" is not of set: "property_type"

Change-Id: I62077e4d0760858a9459e753e14dfd209868080f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
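The attribute test described above, as an added example (not checkfc's code): each *_contexts kind has a required attribute set, and every type named in the file must carry at least one attribute from that set. The type-to-attribute table is a constructed stand-in for what checkfc reads out of the compiled policy; the three sample contexts files are constructed so that each reproduces one of the commit's failure examples, and the error strings follow the commit's format.

```python
# Constructed subset of "which types carry which attributes", standing in for
# the compiled policy checkfc consults. Names follow the commit's examples;
# the mapping itself is made up for this demo.
TYPE_ATTRS = {
    "system_file": {"file_type"},
    "block_device": {"dev_type"},
    "proc": {"fs_type"},
    "init": {"domain"},
    "init_exec": {"file_type", "exec_type"},
    "surfaceflinger_service": {"service_manager_type"},
    "bluetooth_service": {"service_manager_type"},
    "bluetooth_prop": {"property_type"},
}

# Required attribute set per contexts kind, as in the commit's failure examples.
REQUIRED = {
    "file_contexts": ["fs_type", "dev_type", "file_type"],
    "service_contexts": ["service_manager_type"],
    "property_contexts": ["property_type"],
}

# Constructed inputs; each contains one deliberately mislabelled entry.
FILE_CONTEXTS = """\
/system(/.*)?      u:object_r:system_file:s0
/dev/block(/.*)?   u:object_r:block_device:s0
/dev/bad           u:object_r:init:s0
"""
SERVICE_CONTEXTS = """\
SurfaceFlinger     u:object_r:surfaceflinger_service:s0
broken             u:object_r:init_exec:s0
"""
PROPERTY_CONTEXTS = """\
persist.bluetooth.  u:object_r:bluetooth_prop:s0
bad.                u:object_r:bluetooth_service:s0
"""


def context_type(context):
    """Extract <type> from a u:object_r:<type>:s0 security context."""
    return context.split(":")[2]


def check_contexts(kind, text, type_attrs=TYPE_ATTRS):
    """Return an error string for every entry whose type carries none of the
    attributes required for this kind of contexts file. A type absent from the
    policy table is reported the same way (this demo's simplification)."""
    allowed = REQUIRED[kind]
    errors = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        context = line.split()[-1]          # context is always the last field
        t = context_type(context)
        if not type_attrs.get(t, set()).intersection(allowed):
            errors.append('Error: type "%s" is not of set: "%s"' % (t, ", ".join(allowed)))
    return errors


def check_all():
    """Run the check over the three constructed files; returns kind -> errors."""
    return {
        "file_contexts": check_contexts("file_contexts", FILE_CONTEXTS),
        "service_contexts": check_contexts("service_contexts", SERVICE_CONTEXTS),
        "property_contexts": check_contexts("property_contexts", PROPERTY_CONTEXTS),
    }


if __name__ == "__main__":
    for kind, errs in check_all().items():
        print(kind + ":")
        for e in errs:
            print("  " + e)
```

The check matters because a contexts file is consulted by a different component in each case (the kernel for files, servicemanager for services, init for properties); a domain type such as init pasted into file_contexts would compile and load, but the object would end up with a label no file rule was written for.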
edb41d8744dac18f738523cde7275a88dea8a8c6 13-Dec-2015 Nick Kralevich <nnk@google.com> Merge "Ensure newlines are added between context config files" am: d6765a99f3
am: 5cfd34957e

* commit '5cfd34957e48cd79e53fbfb8aa4acf1d53f8f638':
Ensure newlines are added between context config files
c8801fec63a785be65808e70232ea241c779fcb5 11-Dec-2015 Richard Haines <richard_c_haines@btinternet.com> Ensure newlines are added between context config files

When multiple file_contexts, service_contexts and property_contexts
are processed by the m4(1) macro processor, they will fail if one
or more of the intermediate files' final line is not terminated by
a newline. This patch adds an intervening file only containing a
newline.

Change-Id: Ie66b32fe477d08c69e6d6eb1725f658adc384ce4
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
/system/sepolicy/Android.mk
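The newline fix above and the two "strip blank lines and comments" commits earlier in this log (service_contexts and property_contexts) act on the same pipeline, so one added example covers both (my own code, not the Android.mk recipes, which use m4 and sed). Two constructed property_contexts fragments are joined, the first deliberately lacking a trailing newline: plain concatenation fuses its last entry with the next fragment's first entry, while inserting the newline-only file between fragments keeps them apart. Comments and blank lines are then stripped, and a small validator shows that the fused line is malformed. Property names and types are constructed for the demo.

```python
import re

# Constructed fragments standing in for per-directory property_contexts files.
# FRAGMENT_A deliberately has no trailing newline.
FRAGMENT_A = (
    "# platform properties\n"
    "ro.build.     u:object_r:build_prop:s0\n"
    "\n"
    "ro.serialno   u:object_r:serialno_prop:s0"
)
FRAGMENT_B = (
    "persist.vendor.  u:object_r:vendor_prop:s0\n"
    "# device properties\n"
)

# The intervening file the commit adds: it contains only a newline.
NEWLINE_FILE = "\n"

CONTEXT_RE = re.compile(r"u:object_r:[A-Za-z0-9_]+:s0")


def concat_naive(fragments):
    """Straight concatenation, as if no separator file were in the list."""
    return "".join(fragments)


def concat_with_newlines(fragments):
    """Place the newline-only file between fragments so an unterminated last
    line cannot fuse with the following fragment's first line."""
    return NEWLINE_FILE.join(fragments)


def strip_comments_and_blanks(text):
    """Drop '#' comments (whole-line or trailing) and blank lines, returning
    the surviving entries; mirrors the size reduction the strip commits aim at."""
    entries = []
    for line in text.splitlines():
        line = re.sub(r"#.*$", "", line).rstrip()
        if line:
            entries.append(line)
    return entries


def validate(entries):
    """Return the entries that are not exactly '<prefix> <context>' with a
    well-formed context; a fused line shows up here with too many fields."""
    bad = []
    for entry in entries:
        fields = entry.split()
        if len(fields) != 2 or not CONTEXT_RE.fullmatch(fields[1]):
            bad.append(entry)
    return bad


def build(fragments, joiner):
    """Join, strip, validate; returns (entries, malformed_entries)."""
    entries = strip_comments_and_blanks(joiner(fragments))
    return entries, validate(entries)


if __name__ == "__main__":
    print(build([FRAGMENT_A, FRAGMENT_B], concat_naive))
    print(build([FRAGMENT_A, FRAGMENT_B], concat_with_newlines))
```

Note that comment stripping alone does not rescue the fused case: the run-on line is two entries glued together, not a comment, so only the separator between fragments prevents it.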
3a0ce49b8623299ac7458306b30bda6adda12383 07-Dec-2015 Jeff Vander Stoep <jeffv@google.com> Migrate to upstream policy version 30

Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
/system/sepolicy/Android.mk
4f9107df8f691164c56f86fa1d352c63b28bd02b 08-Dec-2015 Jeffrey Vander Stoep <jeffv@google.com> Revert "Migrate to upstream policy version 30"

This reverts commit 2ea23a6e1ade883ba81f58b364109c4da94ba584.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
/system/sepolicy/Android.mk
5ca5696e8b656466a9d46b13d7ab18a13d8c1bba 08-Dec-2015 Jeffrey Vander Stoep <jeffv@google.com> Revert "Migrate to upstream policy version 30"

This reverts commit 2ea23a6e1ade883ba81f58b364109c4da94ba584.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
/system/sepolicy/Android.mk
2ea23a6e1ade883ba81f58b364109c4da94ba584 07-Dec-2015 Jeff Vander Stoep <jeffv@google.com> Migrate to upstream policy version 30

Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
/system/sepolicy/Android.mk
0fc831c3b0b8d9a4e10d0931131a0eed06cd4275 29-Jul-2015 Jeff Vander Stoep <jeffv@google.com> Temporarily downgrade to policy version number

Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.

(cherry picked from commit 89765083f7da758ff5a5910027ea48ce065fe2fd)

Bug: 22846070

Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4
/system/sepolicy/Android.mk
f88e31ea90effd77a5af326780f952b5191cb67b 02-Oct-2015 William Roberts <william.c.roberts@intel.com> am 7fc865a4: service_contexts: don't delete intermediate on failure

* commit '7fc865a4caec1a2ced41918449e34596f50f8c43':
service_contexts: don't delete intermediate on failure
630fd5d80c887b987c231d3f8923c272171ef870 02-Oct-2015 William Roberts <william.c.roberts@intel.com> am dcffd2b4: property_contexts: don't delete intermediate on failure

* commit 'dcffd2b482a625a99233d82019d7b96919c41600':
property_contexts: don't delete intermediate on failure
0f1b1f353b09560d0e52bcec2e6f66c5fb82756e 02-Oct-2015 Colin Cross <ccross@android.com> am 9eb6c874: Revert "property_contexts: don't delete intermediate on failure"

* commit '9eb6c87439da2b00699f644a8b8c335bf8cd9680':
Revert "property_contexts: don't delete intermediate on failure"
2a41cb70a7e3ab987422443855c17a97ec61d3e0 02-Oct-2015 Colin Cross <ccross@android.com> am efcaecab: Revert "service_contexts: don't delete intermediate on failure"

* commit 'efcaecab4eb075fdc69942e6915999458fb5f88b':
Revert "service_contexts: don't delete intermediate on failure"
4f821319f7ef3a60800171390c41c4678009d96b 02-Oct-2015 Jeffrey Vander Stoep <jeffv@google.com> am 23c42c38: Merge "service_contexts: don't delete intermediate on failure"

* commit '23c42c389b07f6ebda69ca8e834c27b27460879a':
service_contexts: don't delete intermediate on failure
89c1fd25822c7f0720d409d2e0e4782e001b4cfe 02-Oct-2015 Jeffrey Vander Stoep <jeffv@google.com> am e6e94762: Merge "property_contexts: don't delete intermediate on failure"

* commit 'e6e947622514bdf0b80bf093c0df1a7d9ae12c37':
property_contexts: don't delete intermediate on failure
7fc865a4caec1a2ced41918449e34596f50f8c43 29-Sep-2015 William Roberts <william.c.roberts@intel.com> service_contexts: don't delete intermediate on failure

When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ib9dcbf21d0a28700d500cf0ea4e412b009758d5d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
dcffd2b482a625a99233d82019d7b96919c41600 29-Sep-2015 William Roberts <william.c.roberts@intel.com> property_contexts: don't delete intermediate on failure

When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ia86eb0480c9493ceab36fed779b2fe6ab85d2b3d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
9eb6c87439da2b00699f644a8b8c335bf8cd9680 01-Oct-2015 Colin Cross <ccross@android.com> Revert "property_contexts: don't delete intermediate on failure"

This reverts commit 7f81b337bc600251b37de2dfa70c47781a2f2d3c.

Change-Id: I79834d0ef3adbf2eed53b07d17160876e2a999c6
/system/sepolicy/Android.mk
efcaecab4eb075fdc69942e6915999458fb5f88b 01-Oct-2015 Colin Cross <ccross@android.com> Revert "service_contexts: don't delete intermediate on failure"

This reverts commit f6ee7a521942036ef7f5c0f6bc74520509934141.

Change-Id: I4f1396e6e4aeecd1109f9c24494c6e82645c0663
/system/sepolicy/Android.mk
f6ee7a521942036ef7f5c0f6bc74520509934141 29-Sep-2015 William Roberts <william.c.roberts@intel.com> service_contexts: don't delete intermediate on failure

When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ib9c9247d36e6a6406b4df84d10e982921c07d492
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
7f81b337bc600251b37de2dfa70c47781a2f2d3c 29-Sep-2015 William Roberts <william.c.roberts@intel.com> property_contexts: don't delete intermediate on failure

When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: I431d6f4494fa119c1873eab0e77f0eed3fb5754e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
92461b61698e4a62ff698c35fee1d98aee6ec626 28-Sep-2015 William Roberts <william.c.roberts@intel.com> am 3746a0ae: file_contexts: don't delete intermediate on failure

* commit '3746a0ae63a56a6b18fabd3e89bfe4760a1691e3':
file_contexts: don't delete intermediate on failure
3746a0ae63a56a6b18fabd3e89bfe4760a1691e3 25-Sep-2015 William Roberts <william.c.roberts@intel.com> file_contexts: don't delete intermediate on failure

Currently, if an error is detected in a file_contexts
file, the intermediate file_context.tmp file is removed,
thus making debugging of build issues problematic.

Instead, employ checkfc tool during the compilation recipe
so the m4 concatenated intermediate is preserved on
failure.

Change-Id: Ic827385d3bc3434b6c2a9bba5313cd42b5f15599
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
b49f5cf83f84beae0cbcf52111a4c3040493ff4d 19-Sep-2015 Ivan Krasin <krasin@google.com> am 9aa41303: asan: update condition to work with multiple SANITIZE_TARGET values.

* commit '9aa413036bde2c80c25b381bd685ab05f8390127':
asan: update condition to work with multiple SANITIZE_TARGET values.
9aa413036bde2c80c25b381bd685ab05f8390127 18-Sep-2015 Ivan Krasin <krasin@google.com> asan: update condition to work with multiple SANITIZE_TARGET values.

The goal is to enable SANITIZE_TARGET='address coverage', which
will be used by LLVMFuzzer.

Bug: 22850550
Change-Id: I953649186a7fae9b2495159237521f264d1de3b6
/system/sepolicy/Android.mk
4d526d86756bff4f3bdff9771b479d251613ae82 13-Aug-2015 William Roberts <william.c.roberts@intel.com> am 031e5ce9: Android.mk: Cleanup GENERAL_*_CONTEXTS variables

* commit '031e5ce9c5cd3334cd2a09645cb03306fb552494':
Android.mk: Cleanup GENERAL_*_CONTEXTS variables
dc858fe64da2d238569a28e153d469b6d6ace6f5 13-Aug-2015 William Roberts <william.c.roberts@intel.com> am 6aabc1c7: Android.mk: drop polluting variables

* commit '6aabc1c77b98d0ce8e13871047504afb90108733':
Android.mk: drop polluting variables
031e5ce9c5cd3334cd2a09645cb03306fb552494 13-Aug-2015 William Roberts <william.c.roberts@intel.com> Android.mk: Cleanup GENERAL_*_CONTEXTS variables

Change-Id: Ic70a1208b67fe3961871cdeb39369c2ed3e0ce28
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
6aabc1c77b98d0ce8e13871047504afb90108733 30-Jul-2015 William Roberts <william.c.roberts@intel.com> Android.mk: drop polluting variables

Some of the ALL_*_FILES variables remained that were used
in a way that could not be cleared. Move them to lower
case variants and use a build recipe PRIVATE_*_FILES variable.
This avoids polluting the global namespace.

Change-Id: I83748dab48141af7d3f10ad27fc9319eaf90b970
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
32bbafc1943a74645a7435beb841e0436e3ea628 13-Aug-2015 Richard Haines <richard_c_haines@btinternet.com> am c2d01914: Update Android.mk to support file_contexts.bin

* commit 'c2d01914d12b1c153b5ef32293079764a4342169':
Update Android.mk to support file_contexts.bin
c2d01914d12b1c153b5ef32293079764a4342169 06-Aug-2015 Richard Haines <richard_c_haines@btinternet.com> Update Android.mk to support file_contexts.bin

This change supports external/libselinux changes to implement
PCRE formatted binary file_contexts and general_file_contexts.bin
files.

The $(intermediates) directory will contain the original text file
(that is no longer used on the device) with a .tmp extension as well
as the .bin file to aid analysis.

A CleanSpec.mk file is added to remove the old file_contexts file.

Change-Id: I75a781100082c23536f70ce3603f7de42408b5ba
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
/system/sepolicy/Android.mk
10c1e872cccc0a26f5d14fa5a79965c5e47f3c05 11-Aug-2015 Dan Willemsen <dwillemsen@google.com> am bc2a49f2: Don't assume ordering of

* commit 'bc2a49f24726faec8699ad2eefa73ccbdc7ff3d5':
Don't assume ordering of $(wildcard ...)
bc2a49f24726faec8699ad2eefa73ccbdc7ff3d5 11-Aug-2015 Dan Willemsen <dwillemsen@google.com> Don't assume ordering of $(wildcard ...)

There are no guarantees on the order of the results from a call to the
wildcard function. In fact, the order usually changes between make 3.81
and make 4.0 (and kati).

Instead, sort the results of wildcard in each sepolicy directory, so
that directory order is preserved, but content ordering is reliable.

Change-Id: I1620f89bbdd2b2902f2e0c40526e893ccf5f7775
/system/sepolicy/Android.mk
deb2f8b5f7dbb8360cf1b90bf17c9c7e3d925c41 27-Jul-2015 William Roberts <william.c.roberts@intel.com> am d2185582: Android.mk: Add support for BOARD_SEPOLICY_M4DEFS

* commit 'd21855824d178abea9ac93376757c7aed765cd83':
Android.mk: Add support for BOARD_SEPOLICY_M4DEFS
d21855824d178abea9ac93376757c7aed765cd83 16-Jul-2015 William Roberts <william.c.roberts@intel.com> Android.mk: Add support for BOARD_SEPOLICY_M4DEFS

Allow device builders to pass arbitrary m4 definitions
during the build via make variable BOARD_SEPOLICY_M4DEFS.
This enables OEMs to define their own static policy build
conditionals.

Change-Id: Ibea1dbb7b8615576c5668e47f16ed0eedfa0b73c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
07039d386aa7bdb5c10115308fd9abbac0cccf93 23-Jul-2015 Colin Cross <ccross@android.com> am 29a463d5: Use build fingerprint from file

* commit '29a463d5d594a1b83288eff2da1f8829a69d3d46':
Use build fingerprint from file
29a463d5d594a1b83288eff2da1f8829a69d3d46 17-Jul-2015 Colin Cross <ccross@android.com> Use build fingerprint from file

Improve incremental ninja builds by keeping the command line the same
across builds.

Change-Id: Iedbaa40c9f816f91afc8f073a9ed7f9ffd5d9a53
/system/sepolicy/Android.mk
457e446fe7353ca3520fb16063ee9d26a8f136b4 16-Jul-2015 Nick Kralevich <nnk@google.com> am 1a6e29e2: Merge "android.mk: drop duplicate spaces"

* commit '1a6e29e251ead902509e4ff25fdfdcaf023d860e':
android.mk: drop duplicate spaces
85402534f353ecbe1b627e4178ab1a871b16cbd3 16-Jul-2015 William Roberts <william.c.roberts@intel.com> android.mk: drop duplicate spaces

Change-Id: Iae3edba40a94f78e78c0cc89a03e3f5a098d3909
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
b2420cf4ece072d36d118cf43a3e2af355ff30ae 10-Jul-2015 William Roberts <william.c.roberts@intel.com> am ffc86bea: Correct local variables for file_contexts_asan

* commit 'ffc86bea0e38147a9330177708aedbccd603627a':
Correct local variables for file_contexts_asan
ffc86bea0e38147a9330177708aedbccd603627a 29-Jun-2015 William Roberts <william.c.roberts@intel.com> Correct local variables for file_contexts_asan

Lowercase local variables and clear them to be
consistent with other recipes and prevent polluting
Make's global name space with set variables.

Change-Id: If455cd4f33d5babbea985867a711e8a10c21a00f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
e1a2001fc5d05368bc01fa8d655a6f0e2a7b9758 07-Jul-2015 William Roberts <william.c.roberts@intel.com> am 99fe8df2: hide checkseapp command invocation

* commit '99fe8df245f4346c14a3dfaf856006c7ebf51ad2':
hide checkseapp command invocation
0046404b2c3b575c87418e0d790bbca9ea1a82cf 07-Jul-2015 William Roberts <william.c.roberts@intel.com> am b876993f: use a general sepolicy when building general targets

* commit 'b876993f4ee25fb299b7521b0dc565248d3db2a6':
use a general sepolicy when building general targets
99fe8df245f4346c14a3dfaf856006c7ebf51ad2 30-Jun-2015 William Roberts <william.c.roberts@intel.com> hide checkseapp command invocation

Change-Id: I040904b69b98c49d60546f024f5ace5b7c6f7d5e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
807b8a6f9dcd59c8bbe9086c9c3d42a87ef286cd 07-Jul-2015 William Roberts <william.c.roberts@intel.com> am 3a74555c: Drop unused variable in Android.mk

* commit '3a74555c4e6c3b87c43b1eb311a2e418f6d88453':
Drop unused variable in Android.mk
b876993f4ee25fb299b7521b0dc565248d3db2a6 30-Jun-2015 William Roberts <william.c.roberts@intel.com> use a general sepolicy when building general targets

Change-Id: Ie800ebf9d8e68680ec377e8c51f7cd7717f3c755
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
3a74555c4e6c3b87c43b1eb311a2e418f6d88453 30-Jun-2015 William Roberts <william.c.roberts@intel.com> Drop unused variable in Android.mk

Change-Id: Ibd22582deb24fde49cdb71b8754446f3948db36c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
bf4568d1cda87bb987a85026c686f3032f9b35d4 29-Jun-2015 William Roberts <william.c.roberts@intel.com> am 4ee7131a: Introduce seapp_neverallow test

* commit '4ee7131ade43a046ad784a91bdded7c3c77206cd':
Introduce seapp_neverallow test
4ee7131ade43a046ad784a91bdded7c3c77206cd 25-Jun-2015 William Roberts <william.c.roberts@intel.com> Introduce seapp_neverallow test

Produce a list of neverallow assertions from seapp_contexts into
a separate file, general_seapp_context_neverallows, to be used
during CTS neverallow checking.

Change-Id: I171ed43cf4ae4961f66d5d8f56695345493f1261
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
8f519b3f0f565783d0fab8c4769d2eb1320af0b3 29-Jun-2015 William Roberts <william.c.roberts@intel.com> am da52e859: correct colon usage on make targets

* commit 'da52e85906289d5b691404ffed1fb830065140f9':
correct colon usage on make targets
da52e85906289d5b691404ffed1fb830065140f9 27-Jun-2015 William Roberts <william.c.roberts@intel.com> correct colon usage on make targets

Change-Id: If944d8bd1e324f6500920ee3c5d44611ec7f8af9
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
942c0ea901bdcc1dfbc91d61716daea4b20d19ca 26-Jun-2015 William Roberts <william.c.roberts@intel.com> am 81e1f90c: check_seapp: add support for "neverallow" checks

* commit '81e1f90cd13b262f9e3021f64ae3574b8f5cd5d0':
check_seapp: add support for "neverallow" checks
81e1f90cd13b262f9e3021f64ae3574b8f5cd5d0 04-Jun-2015 William Roberts <william.c.roberts@intel.com> check_seapp: add support for "neverallow" checks

Introduce "neverallow" rules for seapp_contexts. A neverallow rule is
similar to the existing key-value-pair entries but the line begins
with "neverallow". A neverallow violation is detected when all keys,
both inputs and outputs are matched. The neverallow rules value
parameter (not the key) can contain regular expressions to assist in
matching. Neverallow rules are never output to the generated
seapp_contexts file.

Also, unless -o is specified, checkseapp runs in silent mode and
outputs nothing. Specifying - as an argument to -o outputs to stdout.

Sample Output:
Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app"

Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/Android.mk
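The neverallow semantics described in the commit above (a rule violates a neverallow when every key the neverallow names is present in the rule and the neverallow's regex value matches the rule's value; neverallow lines are dropped from the generated file) can be exercised with a small checker. The code below is an added example written for this page, not the check_seapp tool from the AOSP tree; the seapp_contexts sample is constructed to mirror the commit's sample output, and the treatment of a key missing from the rule (no match) and the full-match anchoring of the regex are assumptions about the behaviour, not confirmed from the tool's source.

```python
import re

# Constructed sample seapp_contexts (NOT the real file). Line 2 and line 6
# are neverallow assertions; line 5 and line 8 are the rules that violate them.
SAMPLE_SEAPP_CONTEXTS = """\
# constructed sample, not the real seapp_contexts
neverallow user=((?!system).)* domain=system_app
user=system seinfo=platform domain=system_app type=system_app_data_file
user=_app domain=untrusted_app type=app_data_file levelFrom=user
user=fake domain=system_app type=app_data_file
neverallow isSystemServer=true domain=((?!system_server).)*
user=_app isSystemServer=true domain=system_server
user=_app isSystemServer=true domain=untrusted_app
"""


def parse_seapp_contexts(text):
    """Split a seapp_contexts-style text into (rules, neverallows).

    Each entry is (lineno, {key: value}). Comments and blank lines are
    skipped. A line starting with the literal token 'neverallow' is an
    assertion; everything else is a normal key=value rule.
    """
    rules, neverallows = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        is_neverallow = tokens[0] == 'neverallow'
        if is_neverallow:
            tokens = tokens[1:]
        kv = {}
        for tok in tokens:
            if '=' not in tok:
                raise ValueError(f"line {lineno}: malformed token {tok!r}")
            key, value = tok.split('=', 1)
            kv[key] = value
        (neverallows if is_neverallow else rules).append((lineno, kv))
    return rules, neverallows


def violates(rule, neverallow):
    """True when every neverallow key is present in the rule and the
    neverallow value, treated as a regex anchored to the whole value,
    matches the rule's value (assumed semantics, see lead-in)."""
    for key, pattern in neverallow.items():
        if key not in rule:
            return False
        if re.fullmatch(pattern, rule[key]) is None:
            return False
    return True


def fmt(kv):
    return ' '.join(f'{k}={v}' for k, v in kv.items())


def check(text, path='seapp_contexts'):
    """Return a list of (rule_line, neverallow_line, message) violations,
    formatted like the error text quoted in the commit message."""
    rules, neverallows = parse_seapp_contexts(text)
    errors = []
    for r_line, rule in rules:
        for n_line, never in neverallows:
            if violates(rule, never):
                msg = (f'Error: Rule in File "{path}" on line {r_line}: '
                       f'"{fmt(rule)}" violates neverallow in File "{path}" '
                       f'on line {n_line}: "neverallow {fmt(never)}"')
                errors.append((r_line, n_line, msg))
    return errors


def generate(text):
    """Emit the rules that would reach the device: neverallow assertions are
    build-time only and never appear in the generated seapp_contexts."""
    rules, _ = parse_seapp_contexts(text)
    return [fmt(rule) for _, rule in rules]


if __name__ == '__main__':
    for _, _, message in check(SAMPLE_SEAPP_CONTEXTS):
        print(message)
```

Running the block prints two errors: the `user=fake domain=system_app ...` rule against the `user=((?!system).)*` assertion (the case quoted in the commit), and the `isSystemServer=true domain=untrusted_app` rule against the second assertion. The `user=system` rule on line 3 passes because the negative-lookahead regex refuses any value containing `system`, and the rule that lacks an `isSystemServer` key is not matched against the second neverallow at all.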
651a315ad276643930d24f25970338d868786532 15-Jun-2015 Evgenii Stepanov <eugenis@google.com> am 4b4c5645: Merge "Extend sepolicy for SANITIZE_TARGET."

* commit '4b4c5645931a0e187d261c4db6caac67d09ab4e4':
Extend sepolicy for SANITIZE_TARGET.
930304829b2cadd3c88876c6234af702d1e43bd5 13-Jun-2015 Evgenii Stepanov <eugenis@google.com> Extend sepolicy for SANITIZE_TARGET.

SANITIZE_TARGET adds shared libraries in /data/lib.

Bug: 21785137
Change-Id: I8ac3d059d88d57d24ed762ffc6202a4ce5a42333
/system/sepolicy/Android.mk
de9b5301a14abf388589b06e819bb001d69e0cf1 06-Jun-2015 Jeff Vander Stoep <jeffv@google.com> restrict app access to socket ioctls

Create a macro of unprivileged ioctls including
- All common socket ioctls except MAC address
- All wireless extensions ioctls except get/set ESSID
- Some commonly used tty ioctls

Bug: 21657002
Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
/system/sepolicy/Android.mk
64b01c6165e77292cfc3649dccba18c60670495d 04-May-2015 Jeff Vander Stoep <jeffv@google.com> Update policy version to enable ioctl whitelisting

Bug: 20756547
Bug: 18087110
Change-Id: I9ff76f1cf359e38c19d7b50a5b7236fd673d937e
/system/sepolicy/Android.mk
8e0ca8867eac09f8fd740485f147684d6a88b803 01-Apr-2015 Stephen Smalley <sds@tycho.nsa.gov> Drop BOARD_SEPOLICY_UNION.

As suggested in the comments on
https://android-review.googlesource.com/#/c/141560/
drop BOARD_SEPOLICY_UNION and simplify the build_policy logic.
Union all files found under BOARD_SEPOLICY_DIRS.

Unlike BOARD_SEPOLICY_REPLACE/IGNORE, on which we trigger an error
to catch any lingering uses and force updating of the BoardConfig.mk
files, we only warn on uses of BOARD_SEPOLICY_UNION to avoid
breaking the build until all device BoardConfig*.mk files have been
updated, and since they should be harmless - the files will be unioned
regardless.

Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
b4f17069b3514a4b7b3f5c42e879494bbe96bbaf 13-Mar-2015 Stephen Smalley <sds@tycho.nsa.gov> sepolicy: Drop BOARD_SEPOLICY_IGNORE/REPLACE support.

With changes I431c1ab22fc53749f623937154b9ec43469d9645 and
Ia54aa263f2245c7090f4b9d9703130c19f11bd28, it is no longer
legitimate to use BOARD_SEPOLICY_IGNORE or REPLACE with
any of the *_contexts files since the CTS requires the AOSP
entries to be present in the device files.

Further, these changes render BOARD_SEPOLICY_IGNORE unusable for
most policy files since all domains and types referenced within any
of the AOSP *_contexts entries must be defined in the kernel policy, so
you cannot use BOARD_SEPOLICY_IGNORE to exclude any .te file
that defines a type referenced in any of those *_contexts files.
There does not seem to be a significant need for such a facility,
as AOSP policy is small and only domains and types used by most
devices should be defined in external/sepolicy.

BOARD_SEPOLICY_REPLACE is commonly misused to eliminate neverallow rules
from AOSP policy, which will only lead to CTS failures, especially
since change Iefe508df265f62efa92f8eb74fc65542d39e3e74 introduced neverallow
checking on the entire policy via sepolicy-analyze. The only remaining
legitimate function of BOARD_SEPOLICY_REPLACE is to support overriding
AOSP .te files with more restrictive rule sets. However, the need for this
facility has been significantly reduced by the fact that AOSP policy
is now fully confined + enforcing for all domains, and further restrictions
beyond AOSP carry a compatibility risk.

Builders of custom policies and custom ROMs still have the freedom to
apply patches on top of external/sepolicy to tighten rule sets (which are
likely more maintainable than maintaining a completely separate copy of
the file via BOARD_SEPOLICY_REPLACE) and/or of using their own separate
policy build system as exemplified by
https://bitbucket.org/quarksecurity/build-policies

Change-Id: I2611e983f7cbfa15f9d45ec3ea301e94132b06fa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
c93617315e69f9bd7319476afbd3f91d00dd6b5a 13-Mar-2015 Stephen Smalley <sds@tycho.nsa.gov> Fix rules for general_property_contexts.

Failed to include base_rules.mk, so this target was not being built.

Change-Id: I2414fa6c3e3e37c74f63c205e3694d1a811c956e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
2e0cd5ad36321fd7a8f21768dac080d09b658920 12-Mar-2015 Stephen Smalley <sds@tycho.nsa.gov> Generate general versions of the other contexts files for tests.

Generate general forms of the remaining *_contexts files with only the
device-independent entries for use in CTS testing.

Change-Id: I2bf0e41db8a73c26754cedd92cbc3783ff03d6b5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
377128778d2d2055044c8f4a65e7b0097ab59fd4 12-Mar-2015 Stephen Smalley <sds@tycho.nsa.gov> Generate a general_seapp_contexts file for tests.

Generate a general_seapp_contexts file with only the
device-independent entries, similar to general_sepolicy.conf.
This is for use by CTS tests to compare with the prefix of
device seapp_contexts.

Change-Id: If8d1456afff5347adff7157411c6a160484e0b39
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
f435a8e55653be6e5d95a995d80ed4982f5a1628 28-Feb-2015 Nick Kralevich <nnk@google.com> Delete unconfined domain

No longer used. :-)

Change-Id: I687cc36404e8ad8b899b6e76b1de7ee8c5392e07
/system/sepolicy/Android.mk
754f5ea7ee4bb252e6f84b2b1228d5e210abe0ce 03-Dec-2014 William Roberts <bill.c.roberts@gmail.com> Allow overriding FORCE_PERMISSIVE_TO_UNCONFINED

It's beneficial to be able to override this in a device makefile
if you need to get the domains into an unconfined state to keep
the logs from filling up on kernel entries without having to add
rules into device specific policy.

Change-Id: I7778be01256ac601f247e4d6e12573d0d23d12a1
/system/sepolicy/Android.mk
f330f3752922f124305c67683d061c19c9518bed 13-Nov-2014 William Roberts <bill.c.roberts@gmail.com> Remove network shell script

This seems to not really be used, especially considering
that the init.rc does not have a oneshot service for it, and it's
not using the build_policy() and other things to even make it
configurable.

Change-Id: I964f94b30103917ed39cf5d003564de456b169a5
/system/sepolicy/Android.mk
ee58864b953a2d3601e8e805be32bd71a16e9bd3 07-Nov-2014 Stephen Smalley <sds@tycho.nsa.gov> Revert "DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true"

Change-Id I52fd5fbe30a7f52f1143f176915ce55fb6a33f87 was only intended
for lollipop, not for master.

This reverts commit 2aa727e3f01f814384bd4a49281c7c39cf562ff6.

Change-Id: If2101939eb50cd6bbcde118b91c003d1f30d811c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
39f92a8350cd02eaa279687699bc4208e9ab0dd8 06-Nov-2014 Nick Kralevich <nnk@google.com> am f7e98fe2: Merge "recovery.te: add /data neverallow rules"

* commit 'f7e98fe2c988d88a4a98a1fdfd07561cef013e5c':
recovery.te: add /data neverallow rules
a17a266e7e466d281f0730449c492de46390fc76 06-Nov-2014 Nick Kralevich <nnk@google.com> recovery.te: add /data neverallow rules

Recovery should never be accessing files from /data.
In particular, /data may be encrypted, and the files within
/data will be inaccessible to recovery, because recovery doesn't
know the decryption key.

Enforce write/execute restrictions on recovery. We can't tighten
it up further because domain.te contains some /data read-only
access rules, which shouldn't apply to recovery but do.

Create neverallow_macros, used for storing permission macros
useful for neverallow rules. Standardize recovery.te and
property_data_file on the new macros.

Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88
/system/sepolicy/Android.mk
5a6ac67476cb642fc19206c9686488c0b21e224e 04-Aug-2014 dcashman <dcashman@google.com> am 3fe1bcbb: Merge "Generate selinux_policy.xml as part of CTS build."

* commit '3fe1bcbb8d2f2e17e7506d7fb0302068c9ccc915':
Generate selinux_policy.xml as part of CTS build.
704741a5c24113b22a47bb854f20e2f2c607dd36 26-Jul-2014 dcashman <dcashman@google.com> Generate selinux_policy.xml as part of CTS build.

Bug: 16563899
Bug: 14251916
Change-Id: Id3172b73f10186ba361caf6b7333e5d2a0648475
/system/sepolicy/Android.mk
2aa727e3f01f814384bd4a49281c7c39cf562ff6 14-Jul-2014 Nick Kralevich <nnk@google.com> DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true

Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're preparing a release,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Without this change, our user builds will behave differently than
userdebug builds, complicating testing.

Change-Id: I52fd5fbe30a7f52f1143f176915ce55fb6a33f87
/system/sepolicy/Android.mk
db644f98ad302bcbf9e3a6ec184896c6b5c3ec9d 12-Jun-2014 Nick Kralevich <nnk@google.com> am 8eb63f24: am b0ee91a4: Merge "Add SELinux rules for service_manager."

* commit '8eb63f24bb34639d76246a2fe0276f5cada5c764':
Add SELinux rules for service_manager.
8eb63f24bb34639d76246a2fe0276f5cada5c764 12-Jun-2014 Nick Kralevich <nnk@google.com> am b0ee91a4: Merge "Add SELinux rules for service_manager."

* commit 'b0ee91a418a899dbd39678711ea65ed60418154e':
Add SELinux rules for service_manager.
f90c41f6e8d5c1266e154f46586a2ceb260f1be6 06-Jun-2014 Riley Spahn <rileyspahn@google.com> Add SELinux rules for service_manager.

Add a service_manager class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
/system/sepolicy/Android.mk
33bf667ab1f78ce35555d148ffb0e5f1b96fe9f0 31-May-2014 Robert Craig <rpcraig@tycho.ncsc.mil> am ec87ecb9: am 8571ed16: am 8b7545bf: Build the selinux_version file.

* commit 'ec87ecb99187ce4e7c4b01e3e2ff79e9f61a5968':
Build the selinux_version file.
ec87ecb99187ce4e7c4b01e3e2ff79e9f61a5968 31-May-2014 Robert Craig <rpcraig@tycho.ncsc.mil> am 8571ed16: am 8b7545bf: Build the selinux_version file.

* commit '8571ed162e85c507ea93b06c6816cdf99019625a':
Build the selinux_version file.
8b7545bf5745e1e0aba55b0334de40d2334728b1 20-Mar-2014 Robert Craig <rpcraig@tycho.ncsc.mil> Build the selinux_version file.

The selinux_version file is used to perform policy
versioning checks by libselinux and SELinuxMMAC. When
loading policy a check is first performed to determine
if the policy out in /data/security/current should be
used to override the base policy shipped with the device.
The selinux_version file is used to make that choice. The
contents of the file simply contains the BUILD_FINGERPRINT
that the policy was built against. A simple string comparison
is then performed by libselinux and SELinuxMMAC.

Change-Id: I69d9d071743cfd46bb247c98f94a193396f8ebbd
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/system/sepolicy/Android.mk
4a247480b3da612b60429b277ef508adfadb9de2 30-May-2014 Stephen Smalley <sds@tycho.nsa.gov> am c664083b: am ffbba62e: am e60723ab: Create a separate recovery policy.

* commit 'c664083badd1c73c144f53354c015681cd7e6951':
Create a separate recovery policy.
c664083badd1c73c144f53354c015681cd7e6951 30-May-2014 Stephen Smalley <sds@tycho.nsa.gov> am ffbba62e: am e60723ab: Create a separate recovery policy.

* commit 'ffbba62eafb759573aad4bcdc77d56026697ea00':
Create a separate recovery policy.
e60723ab59f48626c6a700ba645bfe5eac6f0fc3 29-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Create a separate recovery policy.

Create a separate recovery policy and only include the
recovery domain allow rules in it.

Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
863b28236651afd0d2f4bf5b858e519114def1c9 06-Feb-2014 Nick Kralevich <nnk@google.com> am d188f5be: Merge "DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true" into klp-modular-dev

* commit 'd188f5be07e168c19a2cd46439c0319f4866c641':
DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true
2772e78ff99ae651df395ec10e7bb8fdf20b87f0 05-Feb-2014 Nick Kralevich <nnk@google.com> DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true

Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're approaching stabilization,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Change-Id: I1467b6b633934b18689683f3a3085329bb96dae1
/system/sepolicy/Android.mk
6b0ff4756a17e7af22d283ac3599a8b1925e5827 29-Jan-2014 Robert Craig <rpcraig@tycho.ncsc.mil> Catch nonexistent BOARD_SEPOLICY_UNION policy files.

Added a new check to make sure that all listed
BOARD_SEPOLICY_UNION files are located somewhere
in the listed BOARD_SEPOLICY_DIRS locations. The
build will error out otherwise.

Change-Id: Icc5febc5fe5a7cccb90ac5b83e6289c2aa5bf069
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/system/sepolicy/Android.mk
623975fa5aece708032aaf29689d73e1f3a615e7 11-Jan-2014 Nick Kralevich <nnk@google.com> Support forcing permissive domains to unconfined.

Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
/system/sepolicy/Android.mk
88ce951d89c4c4ad4d870ca34cc5bdcc8b60f54d 10-Jan-2014 Nick Kralevich <nnk@google.com> Create new conditional userdebug_or_eng

Create a new m4 macro called userdebug_or_eng. Arguments
passed to this macro are only emitted if we're performing
a userdebug or eng build.

Merge shell.te and shell_user.te and eliminate duplicate
lines. Same for su.te and su_user.te

Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0
/system/sepolicy/Android.mk
d99e6d5fa135882bb51878a3c68ed3a2aebe7d04 02-Dec-2013 Stephen Smalley <sds@tycho.nsa.gov> Restrict the ability to set SELinux enforcing mode to init.

Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.

Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
c3c9052bc7bf7f55e66a7560a28800066a6e044b 25-Oct-2013 Nick Kralevich <nnk@google.com> Make DEFAULT_SYSTEM_DEV_CERTIFICATE available in keys.conf

In 9af6f1bd59ee2fb0622db8ff25c4806c5527a0b3, the -d option
was dropped from insertkeys.py. This was done to allow an
Android distribution to replace the default version of
keys.conf distributed in external/sepolicy/keys.conf. keys.conf
was modified to reference the publicly known test keys in
build/target/product/security.

Unfortunately, this broke Google's build of Android. Instead
of incorporating our keys directory, we were using the
default AOSP keys. As a result, apps were getting assigned
to the wrong SELinux domain. (see "Steps to reproduce" below)

This change continues to allow others to replace keys.conf,
but makes DEFAULT_SYSTEM_DEV_CERTIFICATE available as an
environment variable in case the customized version wants to
make reference to it. This change also modifies the stock
version of keys.conf to use DEFAULT_SYSTEM_DEV_CERTIFICATE,
which should be appropriate for most Android distributions.
It doesn't make any sense to force each OEM to have a copy of
this file.

Steps to reproduce.

1) Compile and boot Android.
2) Run the following command: "adb shell ps -Z | grep process.media"

Expected:

$ adb shell ps -Z | grep process.media
u:r:media_app:s0 u0_a5 1332 202 android.process.media

Actual:

$ adb shell ps -Z | grep process.media
u:r:untrusted_app:s0 u0_a5 3617 187 android.process.media

Bug: 11327304
Change-Id: Ica24fb25c5f9c0e2f4d181718c757cf372467822
/system/sepolicy/Android.mk
9af6f1bd59ee2fb0622db8ff25c4806c5527a0b3 22-Aug-2013 William Roberts <wroberts@tresys.com> Drop -d option on insertkeys.py in Android.mk

This breaks the ability for users to have certs in many
directories. Currently the design is to allow keys.conf
to specify arbitrary locations for pem files, relative to
the root of the Android tree. If users want to have a
common prefix on all the keys, then they can export
DEFAULT_SYSTEM_DEV_CERTIFICATE, and make that an environment
variable in their keys.conf file.

Signed-off-by: William Roberts <wroberts@tresys.com>

Change-Id: I23455b891206cab6eca7db08ff3c28283f87c640
Signed-off-by: William Roberts <wroberts@tresys.com>
/system/sepolicy/Android.mk
e267afa32070609b080d4a7900cd27179430e04d 01-Apr-2013 Stephen Smalley <sds@tycho.nsa.gov> am e543a8bc: Increase policy version to 26.

* commit 'e543a8bc2a2d08ff381e5ae9e34cc2a094acf895':
Increase policy version to 26.
e543a8bc2a2d08ff381e5ae9e34cc2a094acf895 01-Apr-2013 Stephen Smalley <sds@tycho.nsa.gov> Increase policy version to 26.

Increase the SELinux policy version to 26. This is needed
for name-based transitions used by the manta sepolicy.
Requires kernel 3.0 or higher.

Change-Id: I046fa9f7122f77506c70b2c735345bc0194935df
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
020b5ff6311044ef7a2200dd4db69f5cccf46213 28-Mar-2013 Geremy Condra <gcondra@google.com> Add a key directory argument to insertkeys.py

This allows us to better integrate key selection with our existing
build process.

Change-Id: I6e3eb5fbbfffb8e31c5edcf16f74df7c38abe537
/system/sepolicy/Android.mk
e693ed7c187804b3b1ae49bf0d31bd43e7a19e08 15-Mar-2013 William Roberts <bill.c.roberts@gmail.com> Remove the su domain from -user builds.

Change-Id: I86f2f28f7c558b8e9a70e5aa9ebcfa8bf26f9ef7
/system/sepolicy/Android.mk
7f2392eeb03eeb88f2699061f4adaeb1fcbd1de2 27-Mar-2013 Robert Craig <rpcraig@tycho.ncsc.mil> Expand insertkeys.py script to allow union of files.

Allow script to union mac_permissions.xml files
specified using the BOARD_SEPOLICY_DIRS and
BOARD_SEPOLICY_UNION constructs.

Change-Id: I4fc65fd1ab4c612f25e966f030247e54a270b614
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/system/sepolicy/Android.mk
65d4f44c1fd999d9cf9c4ef4dc65deb71bafcd8e 27-Mar-2013 Robert Craig <rpcraig@tycho.ncsc.mil> Various policy updates.

Assortment of policy changes include:
* Bluetooth domain to talk to init and procfs.
* New device node domains.
* Allow zygote to talk to its executable.
* Update system domain access to new device node domains.
* Create a post-process sepolicy with dontaudits removed.
* Allow rild to use the tty device.

Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/system/sepolicy/Android.mk
52fc95d1b7e29a61d315eb7378c3b47985f4fd74 26-Mar-2013 William Roberts <w.roberts@sta.samsung.com> Fix makefile error with ANDROID_BUILD_TOP

Use TOP instead of ANDROID_BUILD_TOP

Fix spelling issues in keys.conf

Change-Id: Ib90b3041af5ef68f30f4ab78c768ad225987ef2d
/system/sepolicy/Android.mk
cd4104e84b438827fddd6a7fe6cb86e91392152d 26-Mar-2013 Geremy Condra <gcondra@google.com> Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml""

This reverts commit 1446e714af0b0c358b5ecf37c5d704c96c72cf7c

Hidden dependency has been resolved.

Change-Id: Ia535c0b9468ea5f705dff9813186a7fa8bab84ae
/system/sepolicy/Android.mk
15b3ceda5cd0fea1f0b5b19d4795d7290a75b39d 12-Feb-2013 William Roberts <w.roberts@sta.samsung.com> Add BOARD_SEPOLICY_IGNORE

See README for further details.

Change-Id: I4599c7ecd5a552e38de89d0a9e496e047068fe05
/system/sepolicy/Android.mk
1446e714af0b0c358b5ecf37c5d704c96c72cf7c 19-Mar-2013 Geremy Condra <gcondra@google.com> Revert "Dynamic insertion of pubkey to mac_permissions.xml"

This reverts commit 22fc04103b70dd5a1cb1b5a8309ef20461e06289

Change-Id: I2d91b1262e8d0e82a21ea7c5333b1e86f3ed9bee
/system/sepolicy/Android.mk
5a2988fcb5f1b76c87d9bf8e671c38d1b03188ab 04-Jan-2013 William Roberts <w.roberts@sta.samsung.com> Remove duplicate paths from sepolicy_replace_paths

Change-Id: I5d5362ad0055275052b0c2ba535b599a8e26112e
/system/sepolicy/Android.mk
d98d26ef3c1fe9b44497ed4e2a1fcf66505092ba 23-Jan-2013 Robert Craig <rpcraig@tycho.ncsc.mil> property_contexts checks added to checkfc.

Change-Id: If361ea93fabd343728196eed2663fd572ecaa70b
Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
/system/sepolicy/Android.mk
22fc04103b70dd5a1cb1b5a8309ef20461e06289 05-Dec-2012 William Roberts <w.roberts@sta.samsung.com> Dynamic insertion of pubkey to mac_permissions.xml

Support the insertion of the public key from pem
files into the mac_permissions.xml file at build
time.

Change-Id: Ia42b6cba39bf93723ed3fb85236eb8f80a08962a
/system/sepolicy/Android.mk
2c8a55dcf4e571c198118dd4459d62894f6378f3 30-Nov-2012 William Roberts <w.roberts@sta.samsung.com> Replaceable mac_permission.xml support

Support overriding mac_permissions.xml
in BOARD_SEPOLICY_REPLACE

Change-Id: If0bca8bf29bc431a291b6d7b20de132e68cd6a79
/system/sepolicy/Android.mk
eab23895cd13ccb2a552dd9713bd1e88cf41e522 01-Nov-2012 Jean-Baptiste Queru <jbq@google.com> Merge "Revert "Include su.te only for userdebug/eng builds."" into jb-mr1-dev-plus-aosp
eefaa83d4c8437b216718115f6d4d407b2e9d0d8 01-Nov-2012 Alice Chu <alice.chu@sta.samsung.com> am cdfb06f5: Moved Android policy tools to tools directory

* commit 'cdfb06f55394d68a7df1110d83070961a2cc52aa':
Moved Android policy tools to tools directory
9ceb47b0c0f693e760d6ad0535f4a165491fa772 01-Nov-2012 Kenny Root <kroot@google.com> Revert "Include su.te only for userdebug/eng builds."

This reverts commit af56ac19545ff083ceb3c1ddf4bf8e2663d4b934.

Change-Id: Id658a90b58ea31365051c0878c58393fd055fc69
/system/sepolicy/Android.mk
cdfb06f55394d68a7df1110d83070961a2cc52aa 01-Nov-2012 Alice Chu <alice.chu@sta.samsung.com> Moved Android policy tools to tools directory

Change-Id: I57b0dd9f8071eae492020f410c87f465ba820711
/system/sepolicy/Android.mk
a2517b20cb340a6dd19c846b21f34ed0244b65d6 30-Oct-2012 Kenny Root <kroot@google.com> resolved conflicts for merge of 47cd396b to jb-mr1-dev-plus-aosp

Change-Id: I3112f4cf0fafb6e7e3c9c60084a097f5e6190c22
47cd396b11ca4b62d4d99902bec1b981760e818a 18-Oct-2012 rpcraig <robertpcraig@gmail.com> Add better per-device sepolicy support.

This is a rewrite of the existing implementation.
Three new variables are now needed to add/modify
the exisitng base policy. They are, BOARD_SEPOLICY_REPLACE
and BOARD_SEPOLICY_UNION which govern what files
are replaced and concatenated, and BOARD_SEPOLICY_DIRS
which lists the various directories that will contain
the BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION
policy files.

Change-Id: Id33381268cef03245c56bc5242fec7da9b6c6493
Signed-off-by: rpcraig <robertpcraig@gmail.com>
/system/sepolicy/Android.mk
6b964fa1f265c1c0d6f236efbf3c471b76fdf05c 26-Oct-2012 Ying Wang <wangying@google.com> am d8b122c7: Use file target as dependency.

* commit 'd8b122c7bbe3a57620bee0a5c6bfcb8f7c574081':
Use file target as dependency.
d8b122c7bbe3a57620bee0a5c6bfcb8f7c574081 26-Oct-2012 Ying Wang <wangying@google.com> Use file target as dependency.

"sepolicy" is a phony target defined by the build system.
If you use it as dependency of a file target, you'll get unnecessary
rebuild.

Change-Id: I3a948ebbaff6a146050eb86a3d04cdc050f7c001
/system/sepolicy/Android.mk
ced365aa645d35f022f413f53731af61ada812fd 17-Oct-2012 Stephen Smalley <sds@tycho.nsa.gov> am 01a58af1: Add a checkfc utility to check file_contexts validity and invoke it.

* commit '01a58af19494420bb259505bc5404790a21fdd64':
Add a checkfc utility to check file_contexts validity and invoke it.
01a58af19494420bb259505bc5404790a21fdd64 02-Oct-2012 Stephen Smalley <sds@tycho.nsa.gov> Add a checkfc utility to check file_contexts validity and invoke it.

Change-Id: I4b12dc3dcb432edbdf95dd3bc97f809912ce86d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
44374bc5edc0ed46d402d1f0353fd9ff1e2ee0ac 17-Oct-2012 Kenny Root <kroot@google.com> am 659aaced: Remove HAVE_SELINUX guard

* commit '659aaced054c21048c712fe1f5831a86c99213d8':
Remove HAVE_SELINUX guard
659aaced054c21048c712fe1f5831a86c99213d8 10-Oct-2012 Kenny Root <kroot@google.com> Remove HAVE_SELINUX guard

Change-Id: I45b4a749bf4fb085d96d912871bae33aa5288119
/system/sepolicy/Android.mk
9822c1d08f11c9fb98a6f2530ba693285fe12f2b 19-Sep-2012 Stephen Smalley <sds@tycho.nsa.gov> am 66a3e8d9: Drop the use of a policy version suffix on the sepolicy file.

* commit '66a3e8d91ef6098dd7cab127530f1cdb7973f53e':
Drop the use of a policy version suffix on the sepolicy file.
66a3e8d91ef6098dd7cab127530f1cdb7973f53e 18-Sep-2012 Stephen Smalley <sds@tycho.nsa.gov> Drop the use of a policy version suffix on the sepolicy file.

The policy version suffix support was carried over from conventional
Linux distributions, where we needed to support simultaneous installation
of multiple kernels and policies. This isn't required for Android, so
get rid of it and thereby simplify the policy pathname.

We still default to generating a specific policy version (the highest
one supported by the emulator kernel), but this can be overridden
by setting POLICYVERS on the make command-line or in the environment.

Requires a corresponding change to libselinux.

Change-Id: I40c88e13e8063ea37c2b9ab5b3ff8b0aa595402a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/Android.mk
d0f027ccc8f4a7aa8d872df9a195197590f234dc 06-Sep-2012 Jean-Baptiste Queru <jbq@google.com> am 10f9a372: Merge upstream sepolicy into AOSP

* commit '10f9a3727a5c46ef23f5f0385ae4ffec20cb46d9':
Corrected gramatical issues
Added new line to end of file
Changed seapp_contexts temporary file naming
Fix mls checking code
Support overrides in seapp_contexts
Add tf_daemon labeling support.
Add ppp/mtp policy.
per device seapp_context support
dhcp policy.
Trusted Execution Environment policy.
98ed392e68e041340ca8881ebf0a3cdf6bd5e880 05-Sep-2012 William Roberts <w.roberts@sta.samsung.com> Changed seapp_contexts temporary file naming

Change-Id: I4f522869eeaa6f84771e4ee2328f65296dcc29db
/system/sepolicy/Android.mk
0ae3a8a2d50799d0b91d992434cdd4d3151b0348 04-Sep-2012 William Roberts <w.roberts@sta.samsung.com> Fix mls checking code

Change-Id: I614caa520e218f8f148eef641fed2301571da8e1
/system/sepolicy/Android.mk
f0e0a94e032e55c13bc54f1cffe243f04872278e 28-Aug-2012 William Roberts <w.roberts@sta.samsung.com> Support overrides in seapp_contexts

Provides support for overriding seapp_contexts declerations
in per device seapp_contexts files.

Change-Id: I23a0ffa1d24f1ce57825b168f29a2e885d3e1c51
/system/sepolicy/Android.mk
171a06257124401af2e7c33fbbcbc69c18e45486 16-Aug-2012 William Roberts <bill.c.roberts@gmail.com> per device seapp_context support
/system/sepolicy/Android.mk
aa7fb3be1b456a2884c3fa707aa590196b2c70c3 13-Aug-2012 Jean-Baptiste Queru <jbq@google.com> resolved conflicts for merge of 0c2e5705 to jb-mr1-dev

Change-Id: Iee1d877788b9397ca29a6cfe7bc3015c3edbe5ac
b19665c39da76c0e24c8cd9583e30c4a50567510 30-Jul-2012 rpcraig <rpcraig@tycho.ncsc.mil> Add mac_permissions.xml file.

This was moved from external/mac-policy.git
/system/sepolicy/Android.mk
af56ac19545ff083ceb3c1ddf4bf8e2663d4b934 17-Jul-2012 Matt Finifter <finifter@google.com> Include su.te only for userdebug/eng builds.

Change-Id: Ia544f13910abbe5e9f6a6cafae397415a41a7a94
/system/sepolicy/Android.mk
dc1072365e99cef38e0d234989ba29e0e2df2b4c 12-Jul-2012 William Roberts <bill.c.roberts@gmail.com> Support for ocontexts per device.

ocontexts was split up into 4 files:
1.fs_use
2.genfs_contexts
3.initial_sid_contexts
4.port_contexts

Each file has their respective declerations in them.
Devices, in their respective device directory, can now specify sepolicy.fs_use, sepolicy.genfs_contexts, sepolicy.port_contexts, and sepolicy.initial_sid_contexts. These declerations will be added right behind their respective sepolicy counterparts in the concatenated configuration file.
/system/sepolicy/Android.mk
70d4fc2243721a54cd177959e05cf81b54c4e226 20-Jun-2012 Joshua Brindle <jbrindle@tresys.com> Add selinux network script to policy

Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
/system/sepolicy/Android.mk
efd6d6e0dab97a49706f1116dde2ec87257f79c1 18-May-2012 Stephen Smalley <sds@tycho.nsa.gov> Apply m4 to file_contexts and property_contexts to support includes.
/system/sepolicy/Android.mk
f5f899c3c0f684ffba6950b343e652abd78d0fd9 10-Apr-2012 The Android Open Source Project <initial-contribution@android.com> Merge from upstream sepolicy

Change-Id: I99085d575e3d884fb04ac03ac998eb3c53eb2d9f
f4ea5b25399e4c6a10aa353b0c3d40564f78e89c 10-Apr-2012 Ying Wang <wangying@google.com> Use the checkpolicy built from source.

Change-Id: I22f49db3d59b50ed8975d8c1146bb9c322adbf7e
/system/sepolicy/Android.mk
124720a6976a69357522299afbe5591854e40775 04-Apr-2012 Stephen Smalley <sds@tycho.nsa.gov> Add policy for property service.
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
/system/sepolicy/Android.mk
64935c7d87ce76ed542e16fce3dde9883b507d7a 06-Mar-2012 Stephen Smalley <sds@tycho.nsa.gov> Limit per-device policy files to a well-defined sepolicy prefix.

Avoid any future collisions with the use of .fc or .te suffixes in the
per-device directories. If we want multiple file support, add a separate
subdirectory for sepolicy files.
/system/sepolicy/Android.mk
5b340befb4f964365c856606050254a65df909d1 06-Mar-2012 Stephen Smalley <sds@tycho.nsa.gov> Add support for per-device .te and .fc files.
/system/sepolicy/Android.mk
7e8cf24f58651228029eb4e53e4094a86f4d2bdb 02-Feb-2012 Stephen Smalley <sds@tycho.nsa.gov> Do not build if HAVE_SELINUX=false.
/system/sepolicy/Android.mk
2b826fcbe8231bf13affd63dbed865b315e1eddc 24-Jan-2012 Stephen Smalley <sds@tycho.nsa.gov> Add a dependency on checkpolicy.
/system/sepolicy/Android.mk
02fb5f3c6abbb7f12c278a04966314d06f6378e3 18-Jan-2012 Ying Wang <wangying@google.com> Rewrite Android.mk.
/system/sepolicy/Android.mk
2dd4e51d5c2a2dfc0bfdee9303269f5a665f6e35 04-Jan-2012 Stephen Smalley <sds@tycho.nsa.gov> SE Android policy.
/system/sepolicy/Android.mk