2cfdf62ed20016c6f64bba3ce6d7ec1c446c272f |
|
12-Mar-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Move mac_permissions to etc/selinux" am: b063fe384f am: 1376b937ed am: 7f9630868c Change-Id: Ie90342ef543ed0803fc279adbfb3e919f6bf63d5
|
d2820e4e8913741ce5b34344ed37c7ced3cc2d96 |
|
11-Mar-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Move mac_permissions to etc/selinux Test: Build and boot Marlin Test: See the following in the logs: 01-01 02:10:28.756 1345 1345 D SELinuxMMAC: Using policy file /system/etc/selinux/plat_mac_permissions.xml 01-01 02:10:28.787 1345 1345 D SELinuxMMAC: Using policy file /vendor/etc/selinux/nonplat_mac_permissions.xml Bug: 36003167 Change-Id: I97479260eabe14c1b1dcc238d7322016f6b5c4dd
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
be0b8896d1bc385d4c8fb54c21929745935dcbea |
|
15-Feb-2017 |
Todd Kennedy <toddke@google.com> |
Revert "Revert "Per user setting for instant app"" This reverts commit be9ffa15af9e1906e9ffb505768328d62d4a3793. Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.EphemeralTest Change-Id: Ib21321cf157a79890de487060a093840f7182047
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
be9ffa15af9e1906e9ffb505768328d62d4a3793 |
|
15-Feb-2017 |
Guang Zhu <guangzhu@google.com> |
Revert "Per user setting for instant app" Bug: 35390781 This reverts commit 2f5811dcfd840e149851a9333e27ef3cdddf7a46. Change-Id: Ibb1c8dacbdc6908fc7fa2bc5dca664f2455162bf
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
2f5811dcfd840e149851a9333e27ef3cdddf7a46 |
|
30-Jan-2017 |
Todd Kennedy <toddke@google.com> |
Per user setting for instant app The same application can run as either an instant app or an installed app. Store this setting per-user instead of based upon the install location. Bug: 25119046 Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.EphemeralTest Change-Id: Iff565bb1ac10d631499f0bd0f69b401cb073c10e
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
7c4787b4df31600cc700c751222003fd6bab0af2 |
|
14-Feb-2017 |
Michael Peck <mpeck@mitre.org> |
Pass targetSdkVersion specifier for SELinux labeling Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Change-Id: Ib9f6ded9bd2f426861a6d843861b4074084253b0
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
5b51730b8a6c06fdf7912016919209769136e8e2 |
|
08-Jan-2016 |
Michael Peck <mpeck@mitre.org> |
Pass targetSdkVersion specifier for SELinux labeling Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Change-Id: Ib9f6ded9bd2f426861a6d843861b4074084253b0
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
096d304ae3d85c1bfcda1a1d9cd4eb13d0815500 |
|
31-Jan-2017 |
Svetoslav Ganov <svetoslavganov@google.com> |
Add instant cookie APIs This change adds APIs for instant apps to store cookie data that is persisted across instant installs and across the upgrade from an instant to a standard app. Standard apps can use the cookie APIs but when they are uninstalled the cookie is also deleted. The cookies are kept longer than the instant apps as they are much smaller - 16KB by default. We can change the cookie size via a system setting i.e. after we ship we can increase size if needed. We also add internal APIs to surface information about installed and uninstalled instant apps which should be used for showing them in the UI. For this purpose we store the icon, permissions, and label of uninstalled apps. If the app is re-installed we drop this meta-data but keep the cookie around. If we have cookie data stored and the signing cert of the app changes when it gets re-installed we wipe the cookie. Test: CTS tests pass; hidden APIs tested manually Change-Id: If145c0440cc61a5303e2cbb70228d235d36037a5
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
11e45075221680dcc25e3da1d3c32710e5a98603 |
|
25-Jan-2017 |
Todd Kennedy <toddke@google.com> |
Define targetSandboxVersion The new attribute allows both ephemeral and non-ephemeral apps to opt into a new, tighter security model. Test: Manual; built app w/ targetSandboxVersion and verified the security domain Change-Id: I8fcaf84e25f0519b438ba51302f79790e680e025
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
d9a76c34bbe3d6ad6673b08b93d1b9ca59b792d4 |
|
15-Dec-2016 |
dcashman <dcashman@google.com> |
Split mac_permissions.xml into plat and non-plat components. am: b1cc4f8ca4 am: 2a7ce100b7 am: 46d6966f43 am: aa9ada00e6 Change-Id: I1af0ca0508e0b9fb9b30644e9f097ad7da7f5f34
|
b1cc4f8ca4202556d41e48cd7b0bb0559ea4b182 |
|
14-Dec-2016 |
dcashman <dcashman@google.com> |
Split mac_permissions.xml into plat and non-plat components. Bug: 31363362 Test: Bullhead and Sailfish both build and boot without new denials. Change-Id: Ic9523ce4b0755d6c585548f4f2b1f00e7000195b
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
45abcf44c5a1735905ec5a481dd396ef3fad6c54 |
|
07-Oct-2016 |
Chad Brubaker <cbrubaker@google.com> |
Move ephemeral apps into the ephemeral SELinux domain This also removes AutoplayApp which was the previous (unused) N domain and flag for ephemeral apps. Test: Ephemeral apps now run in ephemeral_app Change-Id: Ie339885c3996acbdcfe12452daa1d5edb3b93cda
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
7e2bb3e6dd1e016f74d174eb154ef44b72fe4b4c |
|
22-Sep-2016 |
Jeff Sharkey <jsharkey@android.com> |
Recursively restorecon when SELinux label changes. PackageManager has been pretty aggressive about asking installd to restorecon over app data when it thinks something might have changed. However, in the vast majority of cases these are no-op requests, and we waste a bunch of time recursively walking all private data, easily costing 60+ seconds on dogfooder devices. This change relies on new installd "create_app_data" behavior that kicks off a recursive restorecon if it detects that the top-level SELinux label on the app private data directory changes. This means that PackageManager no longer needs to track restoreconNeeded state. Test: booted, verified that a label change triggered restorecon Bug: 30768146 Change-Id: I0c8d4018cf8ff888d0ae07a82adc3d61a6002aad
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
141594b5ee928f99a9dc08b38f70301ef1e08a0b |
|
22-Sep-2016 |
Jeff Sharkey <jsharkey@android.com> |
Recursively restorecon when SELinux label changes. PackageManager has been pretty aggressive about asking installd to restorecon over app data when it thinks something might have changed. However, in the vast majority of cases these are no-op requests, and we waste a bunch of time recursively walking all private data, easily costing 60+ seconds on dogfooder devices. This change relies on new installd "create_app_data" behavior that kicks off a recursive restorecon if it detects that the top-level SELinux label on the app private data directory changes. This means that PackageManager no longer needs to track restoreconNeeded state. Test: booted, verified that a label change triggered restorecon Bug: 30768146 Change-Id: I0c8d4018cf8ff888d0ae07a82adc3d61a6002aad
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
be5137f4cb70ca47e4c929a878cfee2a9bf5ebfb |
|
29-Aug-2016 |
Yi Kong <yikong@google.com> |
Merge "Track getxattr API change" am: c4c4a1e76e am: f897e1c3b6 am: 2b5a0d299d Change-Id: I845657a3c8f14f38f0c3b490d16677620ba0bcc4
|
c44a6e08e2e60672f83e50a7d6948bce1199f055 |
|
27-Aug-2016 |
Yi Kong <yikong@google.com> |
Track getxattr API change Bug: 30992227 Change-Id: I788b3e51a536c7df7896f622038fe762f9848a2a
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
6da39a4406a5768cefb99e5a5426fb22248523bc |
|
12-Aug-2016 |
Jeff Sharkey <jsharkey@android.com> |
Add property to force restorecon to run. As an optimization, we typically only run restorecon when seapp_contexts changes. This CL checks a property that can be used to always force a restorecon to help investigate boot timing. Bug: 30213213 Change-Id: I4d65c1a4e4a0830ef4a32cd2fae1d3ab188b65cc
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
e91dba06f9240451510a4542c463ef9d2cdb1f42 |
|
13-Apr-2016 |
Nick Kralevich <nnk@google.com> |
change directory name external/sepolicy was renamed system/sepolicy Change-Id: Id27cd8c22d966958e481c9ed0171f637b3ffe2c0
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
0e62384ccbd00e9f78851929ca88b919679ee32e |
|
14-Jan-2016 |
Jeff Sharkey <jsharkey@android.com> |
Prepare app data only when storage is available. Before this change, scanning a package aggressively tried checking to ensure that private app data was prepared. However, in an FBE world we may not have access to that data at scan time. So this change shifts the preparing of private app data until later: it prepares DE storage when a user is started, and CE storage when a user is unlocked. Wire ourselves into the user lifecycle so we can prepare storage at both user start and unlock. When DE/CE storage becomes available, this change reconciles any found packages against known installed apps, and deletes any orphaned data directories. We now need to store the last-restorecon hash in an xattr on a per-user directory basis, since we can't restorecon CE storage until it's unlocked, or adopted storage until it's mounted. Remove a bunch of used logic for loading dynamic SELinux policy at runtime; our policy always comes from the system image. Bug: 26466827, 26544104 Change-Id: I8d0a4ef862c35f4e4ef5c7f20d3bb8f12ba3fd4b
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
a4407bfceef1bdb7eb4d83990722a61082d926c9 |
|
30-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
pm: selinux support for AutoPlay apps Add AutoPlay flag to ApplicationInfo. Append autoplay flag to seinfo string - passed to libselinux for domain labeling decision. Change-Id: Ieb45ba328140888c0b679bf344df154658f9fbae
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
098593733170244d615e8868355c7cb85e834cf6 |
|
12-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Pass privapp specifier for selinux labeling Allow privileged apps to run in their own priv_app domain. Motivation: Untrusted_app is overprivileged due to the inclusion of privileged apps like gmscore, play store and finsky. Moving these and other privileged apps to their own domain reduces the permissions required by untrusted_app. A separate priv_app domain also protects priv-apps by further isolating them from third party apps. Bug: 22033466 Change-Id: I8e6ae5677c5a978301c453d0aa51ebed4459f5a0
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
712205bac075dc59a1ccd79a860d553ba31402f0 |
|
01-Sep-2015 |
Nick Kralevich <nnk@google.com> |
am 9d586927: Merge "Automatically assign default seinfo labels using the string "default"." * commit '9d586927102b597845607ccc82661e350821de82': Automatically assign default seinfo labels using the string "default".
|
5e16bc5a143b46bbe9a4873adceed85a6241d1d0 |
|
28-Aug-2015 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
Automatically assign default seinfo labels using the string "default". default seinfo values are those for which policy lacks a matching stanza in the corresponding mac_permissions.xml file. Prior to this change the null object reference was used to represent the non-matching state. This is in contrast to a policy supplied default stanza which will assign a non null seinfo value. Confused yet? Basically, two default states were distinguished in the code to describe the two cases where either a policy stanza spelled out the base case seinfo label or not. Policy writers could either supply a default stanza or rely on the class instantiated value assigned by the ApplicationInfo object. The hope was that the latter assignment could be used to help distinguish the cases where policy writers intentionally white listed apps. This change will just use the hard coded "default" string implicitly to describe all cases and removes the idea of a policy supplied default stanza. Change-Id: Ib7b01ee004775f24db9a69340a31784b967ce030 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
a3e28e69e5c8592b1fec92099a379119a14b4cef |
|
10-Apr-2015 |
Nick Kralevich <nnk@google.com> |
am 12a597a2: am a55ec9c2: am 08d76a94: Merge "Impose an ordering on created SELinuxMMAC Policy objects." * commit '12a597a2bc92eda2f33bc85bb1c525989c261abf': Impose an ordering on created SELinuxMMAC Policy objects.
|
4caa6b1efbac3a518328b581ac665876fa6aac77 |
|
10-Apr-2015 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
Impose an ordering on created SELinuxMMAC Policy objects. Imposing an order on Policy objects allows us to extend the policy writer's ability to union mac_permissions.xml files. Policy developers can now create new mac_permissions.xml entries under their device specific directories. This is in contrast to current methods which only allow differing stanzas to appear outside the base mac_permissions.xml. Also, report on stanzas with duplicate input selectors and treat these as errors. There are some ambiguities that can arise otherwise. Lastly, impose an XOR condition on signer stanzas w.r.t seinfo and package tags. This finer distinction helps the union feature of policy to become clearer and simpler to code. Change-Id: Idd86df8ad9a63d1b8ba6e8270670814ca6cee8d2 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
08c7116ab9cd04ad6dd3c04aa1017237e7f409ac |
|
28-Feb-2015 |
John Spurlock <jspurlock@google.com> |
Remove unused imports in frameworks/base. Change-Id: I031443de83f93eb57a98863001826671b18f3b17
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
2e1f052f45cd0f3b0b52a7eae2f05da770702cb0 |
|
19-Nov-2014 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
Mods to the SELinuxMMAC engine code. * We now require that all certs used to sign the apk and all certs stored with policy be tested for set equality. Prior efforts required that the cert included with policy only needed to match one of the certs included with an apk. * Allowed a new tag to be included with policy describing the signatures. <cert signature=""/> is now allowed as a child element of the <signer> tag describing multiple certs. The old way of describing signatures attached as attributes to the root signer tag is still supported. The engine now treats it the same as if they used the new layout with the outer signature as the first signature value. * Moved the class which holds all policy from an inner static to a builder pattern governed by the Policy.PolicyBuilder class. This will help provide more clarity and allow for easier enforcement of certain invariants as the policy representation is being built. * Loads of new comments. Change-Id: I38eb00ed8962fdef71bc9f2e7370cb910cadeff4 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|
10170acbc6518c9952ddaa5b248350017be5ab11 |
|
02-Sep-2014 |
Nick Kralevich <nnk@google.com> |
am 60888dba: am 0988daaa: Merge "Add testing api to SELinuxMMAC code." * commit '60888dbad1919634a61fc4f1e96126a3c387a228': Add testing api to SELinuxMMAC code.
|
db32fb646d90abb5e2281bd145d9d9615c65cbed |
|
01-Jul-2014 |
Nick Kralevich <nnk@google.com> |
am d172419e: am 9b1a7d45: Merge "Allow different SELinux policies for third party apps." * commit 'd172419e9a36f61af8c98d316ec2625e1f1304f6': Allow different SELinux policies for third party apps.
|
532536f145c3f295cd3ec790dd79f95c00d9d8f5 |
|
31-May-2014 |
Nick Kralevich <nnk@google.com> |
am daa0ee13: am 4f8785f2: Merge "SELinuxMMAC additions to perform policy versioning checks." * commit 'daa0ee137d43850c834b1ead3f871ceaa49814a7': SELinuxMMAC additions to perform policy versioning checks.
|
d236d625b4a4e938629fbcc55687ca7bebaab6e8 |
|
22-Apr-2014 |
Nick Kralevich <nnk@google.com> |
am 3ab7882a: am a67d4a6e: Merge "remove unused import." * commit '3ab7882a57d3c7a0e13f58837cd02138df43f301': remove unused import.
|
0b4f63c319f211ddd0d572b6b1eb647d0a6dc8a7 |
|
20-Mar-2014 |
Nick Kralevich <nnk@google.com> |
am dd6b7495: am 83725810: Merge "Get rid of noise during boot." * commit 'dd6b7495577eca7a00aa37bfdca3449cf1443681': Get rid of noise during boot.
|
b630ffe3fdd72be186495f2c0a8d05b936a73d46 |
|
19-Mar-2014 |
Nick Kralevich <nnk@google.com> |
am e75d340a: am 5c8e1a6e: Merge "Allow PMS to restorecon directories under /data." * commit 'e75d340ae5919942d19f57856ae9e3f8bc62e098': Allow PMS to restorecon directories under /data.
|
9158825f9c41869689d6b1786d7c7aa8bdd524ce |
|
22-Nov-2013 |
Amith Yamasani <yamasani@google.com> |
Move some system services to separate directories Refactored the directory structure so that services can be optionally excluded. This is step 1. Will be followed by another change that makes it possible to remove services from the build. Change-Id: Ideacedfd34b5e213217ad3ff4ebb21c4a8e73f85
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
|