History log of /frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
Revision Date Author Comments
2cfdf62ed20016c6f64bba3ce6d7ec1c446c272f 12-Mar-2017 Jeff Vander Stoep <jeffv@google.com> Merge "Move mac_permissions to etc/selinux" am: b063fe384f am: 1376b937ed
am: 7f9630868c

Change-Id: Ie90342ef543ed0803fc279adbfb3e919f6bf63d5
d2820e4e8913741ce5b34344ed37c7ced3cc2d96 11-Mar-2017 Jeff Vander Stoep <jeffv@google.com> Move mac_permissions to etc/selinux

Test: Build and boot Marlin
Test: See the following in the logs:
01-01 02:10:28.756 1345 1345 D SELinuxMMAC: Using policy file /system/etc/selinux/plat_mac_permissions.xml
01-01 02:10:28.787 1345 1345 D SELinuxMMAC: Using policy file /vendor/etc/selinux/nonplat_mac_permissions.xml
Bug: 36003167

Change-Id: I97479260eabe14c1b1dcc238d7322016f6b5c4dd
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
be0b8896d1bc385d4c8fb54c21929745935dcbea 15-Feb-2017 Todd Kennedy <toddke@google.com> Revert "Revert "Per user setting for instant app""

This reverts commit be9ffa15af9e1906e9ffb505768328d62d4a3793.

Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.EphemeralTest
Change-Id: Ib21321cf157a79890de487060a093840f7182047
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
be9ffa15af9e1906e9ffb505768328d62d4a3793 15-Feb-2017 Guang Zhu <guangzhu@google.com> Revert "Per user setting for instant app"

Bug: 35390781

This reverts commit 2f5811dcfd840e149851a9333e27ef3cdddf7a46.

Change-Id: Ibb1c8dacbdc6908fc7fa2bc5dca664f2455162bf
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
2f5811dcfd840e149851a9333e27ef3cdddf7a46 30-Jan-2017 Todd Kennedy <toddke@google.com> Per user setting for instant app

The same application can run as either an instant app or an installed
app. Store this setting per-user instead of based upon the install
location.

Bug: 25119046
Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.EphemeralTest
Change-Id: Iff565bb1ac10d631499f0bd0f69b401cb073c10e
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
7c4787b4df31600cc700c751222003fd6bab0af2 14-Feb-2017 Michael Peck <mpeck@mitre.org> Pass targetSdkVersion specifier for SELinux labeling

Motivation:
Provide the ability to phase in new security policies by
applying them to apps with a minimum targetSdkVersion

Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Change-Id: Ib9f6ded9bd2f426861a6d843861b4074084253b0
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
5b51730b8a6c06fdf7912016919209769136e8e2 08-Jan-2016 Michael Peck <mpeck@mitre.org> Pass targetSdkVersion specifier for SELinux labeling

Motivation:
Provide the ability to phase in new security policies by
applying them to apps with a minimum targetSdkVersion

Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Change-Id: Ib9f6ded9bd2f426861a6d843861b4074084253b0
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
096d304ae3d85c1bfcda1a1d9cd4eb13d0815500 31-Jan-2017 Svetoslav Ganov <svetoslavganov@google.com> Add instant cookie APIs

This change adds APIs for instant apps to store cookie data
that is persisted across instant installs and across the
upgrade from an instant to a standard app. Standard apps
can use the cookie APIs but when they are uninstalled the
cookie is also deleted. The cookies are kept longer than
the instant apps as they are much smaller - 16KB by default.
We can change the cookie size via a system setting i.e.
after we ship we can increase size if needed.

We also add internal APIs to surface information about
installed and uninstalled instant apps which should be
used for showing them in the UI. For this purpose we store
the icon, permissions, and label of uninstalled apps. If
the app is re-installed we drop this meta-data but keep
the cookie around. If we have cookie data stored and the
signing cert of the app changes when it gets re-installed
we wipe the cookie.

Test: CTS tests pass; hidden APIs tested manually

Change-Id: If145c0440cc61a5303e2cbb70228d235d36037a5
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
11e45075221680dcc25e3da1d3c32710e5a98603 25-Jan-2017 Todd Kennedy <toddke@google.com> Define targetSandboxVersion

The new attribute allows both ephemeral and non-ephemeral apps to
opt into a new, tighter security model.

Test: Manual; built app w/ targetSandboxVersion and verified the security domain
Change-Id: I8fcaf84e25f0519b438ba51302f79790e680e025
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
d9a76c34bbe3d6ad6673b08b93d1b9ca59b792d4 15-Dec-2016 dcashman <dcashman@google.com> Split mac_permissions.xml into plat and non-plat components. am: b1cc4f8ca4 am: 2a7ce100b7 am: 46d6966f43
am: aa9ada00e6

Change-Id: I1af0ca0508e0b9fb9b30644e9f097ad7da7f5f34
b1cc4f8ca4202556d41e48cd7b0bb0559ea4b182 14-Dec-2016 dcashman <dcashman@google.com> Split mac_permissions.xml into plat and non-plat components.

Bug: 31363362
Test: Bullhead and Sailfish both build and boot without new denials.
Change-Id: Ic9523ce4b0755d6c585548f4f2b1f00e7000195b
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
45abcf44c5a1735905ec5a481dd396ef3fad6c54 07-Oct-2016 Chad Brubaker <cbrubaker@google.com> Move ephemeral apps into the ephemeral SELinux domain

This also removes AutoplayApp which was the previous (unused) N domain
and flag for ephemeral apps.
Test: Ephemeral apps now run in ephemeral_app
Change-Id: Ie339885c3996acbdcfe12452daa1d5edb3b93cda
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
7e2bb3e6dd1e016f74d174eb154ef44b72fe4b4c 22-Sep-2016 Jeff Sharkey <jsharkey@android.com> Recursively restorecon when SELinux label changes.

PackageManager has been pretty aggressive about asking installd to
restorecon over app data when it thinks something might have
changed. However, in the vast majority of cases these are no-op
requests, and we waste a bunch of time recursively walking all
private data, easily costing 60+ seconds on dogfooder devices.

This change relies on new installd "create_app_data" behavior that
kicks off a recursive restorecon if it detects that the top-level
SELinux label on the app private data directory changes. This means
that PackageManager no longer needs to track restoreconNeeded state.

Test: booted, verified that a label change triggered restorecon
Bug: 30768146
Change-Id: I0c8d4018cf8ff888d0ae07a82adc3d61a6002aad
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
141594b5ee928f99a9dc08b38f70301ef1e08a0b 22-Sep-2016 Jeff Sharkey <jsharkey@android.com> Recursively restorecon when SELinux label changes.

PackageManager has been pretty aggressive about asking installd to
restorecon over app data when it thinks something might have
changed. However, in the vast majority of cases these are no-op
requests, and we waste a bunch of time recursively walking all
private data, easily costing 60+ seconds on dogfooder devices.

This change relies on new installd "create_app_data" behavior that
kicks off a recursive restorecon if it detects that the top-level
SELinux label on the app private data directory changes. This means
that PackageManager no longer needs to track restoreconNeeded state.

Test: booted, verified that a label change triggered restorecon
Bug: 30768146
Change-Id: I0c8d4018cf8ff888d0ae07a82adc3d61a6002aad
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
be5137f4cb70ca47e4c929a878cfee2a9bf5ebfb 29-Aug-2016 Yi Kong <yikong@google.com> Merge "Track getxattr API change" am: c4c4a1e76e am: f897e1c3b6
am: 2b5a0d299d

Change-Id: I845657a3c8f14f38f0c3b490d16677620ba0bcc4
c44a6e08e2e60672f83e50a7d6948bce1199f055 27-Aug-2016 Yi Kong <yikong@google.com> Track getxattr API change

Bug: 30992227
Change-Id: I788b3e51a536c7df7896f622038fe762f9848a2a
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
6da39a4406a5768cefb99e5a5426fb22248523bc 12-Aug-2016 Jeff Sharkey <jsharkey@android.com> Add property to force restorecon to run.

As an optimization, we typically only run restorecon when
seapp_contexts changes. This CL checks a property that can be used
to always force a restorecon to help investigate boot timing.

Bug: 30213213
Change-Id: I4d65c1a4e4a0830ef4a32cd2fae1d3ab188b65cc
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
e91dba06f9240451510a4542c463ef9d2cdb1f42 13-Apr-2016 Nick Kralevich <nnk@google.com> change directory name

external/sepolicy was renamed system/sepolicy

Change-Id: Id27cd8c22d966958e481c9ed0171f637b3ffe2c0
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
0e62384ccbd00e9f78851929ca88b919679ee32e 14-Jan-2016 Jeff Sharkey <jsharkey@android.com> Prepare app data only when storage is available.

Before this change, scanning a package aggressively tried checking
to ensure that private app data was prepared. However, in an FBE
world we may not have access to that data at scan time. So this
change shifts the preparing of private app data until later: it
prepares DE storage when a user is started, and CE storage when a
user is unlocked. Wire ourselves into the user lifecycle so we can
prepare storage at both user start and unlock.

When DE/CE storage becomes available, this change reconciles any
found packages against known installed apps, and deletes any orphaned
data directories.

We now need to store the last-restorecon hash in an xattr on a
per-user directory basis, since we can't restorecon CE storage until
it's unlocked, or adopted storage until it's mounted. Remove a
bunch of used logic for loading dynamic SELinux policy at runtime;
our policy always comes from the system image.

Bug: 26466827, 26544104
Change-Id: I8d0a4ef862c35f4e4ef5c7f20d3bb8f12ba3fd4b
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
a4407bfceef1bdb7eb4d83990722a61082d926c9 30-Oct-2015 Jeff Vander Stoep <jeffv@google.com> pm: selinux support for AutoPlay apps

Add AutoPlay flag to ApplicationInfo.

Append autoplay flag to seinfo string - passed to libselinux for
domain labeling decision.

Change-Id: Ieb45ba328140888c0b679bf344df154658f9fbae
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
098593733170244d615e8868355c7cb85e834cf6 12-Oct-2015 Jeff Vander Stoep <jeffv@google.com> Pass privapp specifier for selinux labeling

Allow privileged apps to run in their own priv_app domain.

Motivation:
Untrusted_app is overprivileged due to the inclusion of privileged
apps like gmscore, play store and finsky. Moving these and other
privileged apps to their own domain reduces the permissions required
by untrusted_app.

A separate priv_app domain also protects priv-apps by further
isolating them from third party apps.

Bug: 22033466
Change-Id: I8e6ae5677c5a978301c453d0aa51ebed4459f5a0
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
712205bac075dc59a1ccd79a860d553ba31402f0 01-Sep-2015 Nick Kralevich <nnk@google.com> am 9d586927: Merge "Automatically assign default seinfo labels using the string "default"."

* commit '9d586927102b597845607ccc82661e350821de82':
Automatically assign default seinfo labels using the string "default".
5e16bc5a143b46bbe9a4873adceed85a6241d1d0 28-Aug-2015 Robert Craig <rpcraig@tycho.ncsc.mil> Automatically assign default seinfo labels using the string "default".

default seinfo values are those for which policy lacks a
matching stanza in the corresponding mac_permissions.xml
file. Prior to this change the null object reference was
used to represent the non-matching state. This is in
contrast to a policy supplied default stanza which will
assign a non null seinfo value. Confused yet?

Basically, two default states were distinguished in the
code to describe the two cases where either a policy stanza
spelled out the base case seinfo label or not. Policy
writers could either supply a default stanza or rely on
the class instantiated value assigned by the ApplicationInfo
object. The hope was that the latter assignment could be
used to help distinguish the cases where policy writers
intentionally white listed apps. This change will just use
the hard coded "default" string implicitly to describe all
cases and removes the idea of a policy supplied default stanza.

Change-Id: Ib7b01ee004775f24db9a69340a31784b967ce030
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
a3e28e69e5c8592b1fec92099a379119a14b4cef 10-Apr-2015 Nick Kralevich <nnk@google.com> am 12a597a2: am a55ec9c2: am 08d76a94: Merge "Impose an ordering on created SELinuxMMAC Policy objects."

* commit '12a597a2bc92eda2f33bc85bb1c525989c261abf':
Impose an ordering on created SELinuxMMAC Policy objects.
4caa6b1efbac3a518328b581ac665876fa6aac77 10-Apr-2015 Robert Craig <rpcraig@tycho.ncsc.mil> Impose an ordering on created SELinuxMMAC Policy objects.

Imposing an order on Policy objects allows us to extend the
policy writers' ability to union mac_permissions.xml files.
Policy developers can now create new mac_permissions.xml
entries under their device specific directories. This is
in contrast to current methods which only allow differing
stanzas to appear outside the base mac_permissions.xml.

Also, report on stanzas with duplicate input selectors and
treat these as errors. There are some ambiguities that can
arise otherwise.

Lastly, impose an XOR condition on signer stanzas w.r.t. seinfo
and package tags. This finer distinction helps the union feature
of policy to become clearer and simpler to code.

Change-Id: Idd86df8ad9a63d1b8ba6e8270670814ca6cee8d2
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
08c7116ab9cd04ad6dd3c04aa1017237e7f409ac 28-Feb-2015 John Spurlock <jspurlock@google.com> Remove unused imports in frameworks/base.

Change-Id: I031443de83f93eb57a98863001826671b18f3b17
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
2e1f052f45cd0f3b0b52a7eae2f05da770702cb0 19-Nov-2014 Robert Craig <rpcraig@tycho.ncsc.mil> Mods to the SELinuxMMAC engine code.

* We now require that all certs used to sign the apk and all
certs stored with policy be tested for set equality. Prior
efforts required that the cert included with policy only
needed to match one of the certs included with an apk.

* Allowed a new tag to be included with policy describing the
signatures. <cert signature=""/> is now allowed as a child
element of the <signer> tag describing multiple certs. The
old way of describing signatures attached as attributes to
the root signer tag is still supported. The engine now treats
it the same as if they used the new layout with the outer
signature as the first signature value.

* Moved the class which holds all policy from an inner static
to a builder pattern governed by the Policy.PolicyBuilder
class. This will help provide more clarity and allow for
easier enforcement of certain invariants as the policy
representation is being built.

* Loads of new comments.

Change-Id: I38eb00ed8962fdef71bc9f2e7370cb910cadeff4
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java
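The three commit messages above (the "default" seinfo change, the Policy ordering/XOR/duplicate-selector change, and the cert set-equality change) together describe how a mac_permissions.xml stanza is matched against an APK's signing certificates. The following is an added example written for this page, not the AOSP SELinuxMMAC.java code: a small, simplified re-implementation of just those rules in Python. The policy XML, the certificate strings ("aa11", "bb22", ...) and the package names are constructed for the example, and the names Policy, parse_policy, lookup_seinfo and policy_is_valid are this example's own. It does not model the ordering imposed on Policy objects or any seinfo suffixes appended later in the file's history.

```python
"""Simplified model of the mac_permissions.xml matching rules described in the
commit messages on this page (added example, not the AOSP SELinuxMMAC code).

Rules modelled:
  * a <signer> lists certs either as the legacy 'signature' attribute on the
    tag itself or as <cert signature=""/> children; the legacy attribute is
    treated as the first cert of the set
  * a <signer> carries either a <seinfo> tag or <package> tags, never both
  * two <signer> stanzas with the same cert set are a duplicate-selector error
  * an APK matches a stanza only if its cert set EQUALS the stanza's cert set,
    not merely overlaps it
  * an APK that matches no stanza gets the seinfo string "default"
"""
import xml.etree.ElementTree as ET

DEFAULT_SEINFO = "default"


class PolicyError(ValueError):
    """Raised for a policy file that violates one of the invariants above."""


class Policy:
    def __init__(self, certs, seinfo=None, packages=None):
        self.certs = frozenset(certs)      # full set of certs for this stanza
        self.seinfo = seinfo               # set for a plain <seinfo> stanza
        self.packages = packages or {}     # set for a <package> stanza

    def seinfo_for(self, apk_certs, pkg_name):
        # Set equality: a subset or superset of the policy certs is NOT a match.
        if frozenset(apk_certs) != self.certs:
            return None
        if self.seinfo is not None:
            return self.seinfo
        return self.packages.get(pkg_name)


def parse_policy(xml_text):
    root = ET.fromstring(xml_text)
    policies, seen_cert_sets = [], set()
    for signer in root.findall("signer"):
        certs = []
        legacy = signer.get("signature")
        if legacy:                          # old layout: attribute on <signer>
            certs.append(legacy)
        certs += [c.get("signature") for c in signer.findall("cert")]
        if not certs or any(not c for c in certs):
            raise PolicyError("<signer> without a usable certificate")
        seinfo_tags = signer.findall("seinfo")
        pkg_tags = signer.findall("package")
        if bool(seinfo_tags) == bool(pkg_tags):   # XOR: exactly one kind
            raise PolicyError("<signer> needs exactly one of <seinfo> or <package>")
        key = frozenset(certs)
        if key in seen_cert_sets:
            raise PolicyError("duplicate input selector: same cert set twice")
        seen_cert_sets.add(key)
        if seinfo_tags:
            policies.append(Policy(certs, seinfo=seinfo_tags[0].get("value")))
        else:
            pkgs = {}
            for p in pkg_tags:
                name = p.get("name")
                if name in pkgs:
                    raise PolicyError("duplicate <package> %r in one <signer>" % name)
                pkgs[name] = p.find("seinfo").get("value")
            policies.append(Policy(certs, packages=pkgs))
    return policies


def policy_is_valid(xml_text):
    try:
        parse_policy(xml_text)
        return True
    except PolicyError:
        return False


def lookup_seinfo(policies, apk_certs, pkg_name):
    for pol in policies:
        result = pol.seinfo_for(apk_certs, pkg_name)
        if result is not None:
            return result
    return DEFAULT_SEINFO       # no matching stanza: implicit "default"


# Constructed sample policy: one legacy-style stanza, one multi-cert stanza.
SAMPLE_POLICY = """<policy>
  <signer signature="aa11">
    <seinfo value="platform"/>
  </signer>
  <signer>
    <cert signature="bb22"/>
    <cert signature="cc33"/>
    <package name="com.example.keyboard">
      <seinfo value="keyboard"/>
    </package>
  </signer>
</policy>"""

if __name__ == "__main__":
    pols = parse_policy(SAMPLE_POLICY)
    print(lookup_seinfo(pols, ["aa11"], "com.anything"))                 # platform
    print(lookup_seinfo(pols, ["cc33", "bb22"], "com.example.keyboard")) # keyboard
    print(lookup_seinfo(pols, ["bb22"], "com.example.keyboard"))         # default
```

The case worth noticing is the third lookup: an APK carrying only one of the two certs in the stanza gets "default", whereas under the older any-one-cert rule described in the 2014 commit it would have been labelled "keyboard".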
10170acbc6518c9952ddaa5b248350017be5ab11 02-Sep-2014 Nick Kralevich <nnk@google.com> am 60888dba: am 0988daaa: Merge "Add testing api to SELinuxMMAC code."

* commit '60888dbad1919634a61fc4f1e96126a3c387a228':
Add testing api to SELinuxMMAC code.
db32fb646d90abb5e2281bd145d9d9615c65cbed 01-Jul-2014 Nick Kralevich <nnk@google.com> am d172419e: am 9b1a7d45: Merge "Allow different SELinux policies for third party apps."

* commit 'd172419e9a36f61af8c98d316ec2625e1f1304f6':
Allow different SELinux policies for third party apps.
532536f145c3f295cd3ec790dd79f95c00d9d8f5 31-May-2014 Nick Kralevich <nnk@google.com> am daa0ee13: am 4f8785f2: Merge "SELinuxMMAC additions to perform policy versioning checks."

* commit 'daa0ee137d43850c834b1ead3f871ceaa49814a7':
SELinuxMMAC additions to perform policy versioning checks.
d236d625b4a4e938629fbcc55687ca7bebaab6e8 22-Apr-2014 Nick Kralevich <nnk@google.com> am 3ab7882a: am a67d4a6e: Merge "remove unused import."

* commit '3ab7882a57d3c7a0e13f58837cd02138df43f301':
remove unused import.
0b4f63c319f211ddd0d572b6b1eb647d0a6dc8a7 20-Mar-2014 Nick Kralevich <nnk@google.com> am dd6b7495: am 83725810: Merge "Get rid of noise during boot."

* commit 'dd6b7495577eca7a00aa37bfdca3449cf1443681':
Get rid of noise during boot.
b630ffe3fdd72be186495f2c0a8d05b936a73d46 19-Mar-2014 Nick Kralevich <nnk@google.com> am e75d340a: am 5c8e1a6e: Merge "Allow PMS to restorecon directories under /data."

* commit 'e75d340ae5919942d19f57856ae9e3f8bc62e098':
Allow PMS to restorecon directories under /data.
9158825f9c41869689d6b1786d7c7aa8bdd524ce 22-Nov-2013 Amith Yamasani <yamasani@google.com> Move some system services to separate directories

Refactored the directory structure so that services can be optionally
excluded. This is step 1. Will be followed by another change that makes
it possible to remove services from the build.

Change-Id: Ideacedfd34b5e213217ad3ff4ebb21c4a8e73f85
/frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java