diff options
| -rw-r--r-- | Android.mk | 21 | ||||
| -rw-r--r-- | bluetooth.te | 4 | ||||
| -rw-r--r-- | dhcp.te | 2 | ||||
| -rw-r--r-- | drmserver.te | 2 | ||||
| -rw-r--r-- | dumpstate.te | 2 | ||||
| -rw-r--r-- | hci_attach.te | 2 | ||||
| -rw-r--r-- | hostapd.te | 2 | ||||
| -rw-r--r-- | mediaserver.te | 2 | ||||
| -rw-r--r-- | platform_app.te | 2 | ||||
| -rw-r--r-- | release_app.te | 2 | ||||
| -rw-r--r-- | rild.te | 2 | ||||
| -rw-r--r-- | sdcardd.te | 2 | ||||
| -rw-r--r-- | shared_app.te | 2 | ||||
| -rw-r--r-- | surfaceflinger.te | 2 | ||||
| -rw-r--r-- | system_app.te | 2 | ||||
| -rw-r--r-- | system_server.te | 2 | ||||
| -rw-r--r-- | te_macros | 11 | ||||
| -rw-r--r-- | untrusted_app.te | 2 | ||||
| -rw-r--r-- | wpa_supplicant.te | 2 |
19 files changed, 49 insertions, 19 deletions
@@ -2,6 +2,22 @@ LOCAL_PATH:= $(call my-dir) include $(CLEAR_VARS) +# Force permissive domains to be unconfined+enforcing? +# +# During development, this should be set to false. +# Permissive means permissive. +# +# When we're close to a release and SELinux new policy development +# is frozen, we should flip this to true. This forces any currently +# permissive domains into unconfined+enforcing. +# +FORCE_PERMISSIVE_TO_UNCONFINED:=false + +ifeq ($(TARGET_BUILD_VARIANT),user) + # User builds are always forced unconfined+enforcing + FORCE_PERMISSIVE_TO_UNCONFINED:=true +endif + # SELinux policy version. # Must be <= /selinux/policyvers reported by the Android kernel. # Must be within the compatibility range reported by checkpolicy -V. @@ -69,7 +85,10 @@ $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) $(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts) @mkdir -p $(dir $@) - $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -D target_build_variant=$(TARGET_BUILD_VARIANT) -s $^ > $@ + $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \ + -D target_build_variant=$(TARGET_BUILD_VARIANT) \ + -D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \ + -s $^ > $@ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit $(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy diff --git a/bluetooth.te b/bluetooth.te index a6e0c4e..6b48ed4 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -1,6 +1,6 @@ # bluetooth subsystem type bluetooth, domain; -permissive bluetooth; +permissive_or_unconfined(bluetooth) app_domain(bluetooth) # Data file accesses. @@ -50,4 +50,4 @@ allow bluetooth bluetooth_prop:property_service set; # Superuser capabilities. # bluetooth requires net_admin. -neverallow bluetooth self:capability ~net_admin; +neverallow { bluetooth -unconfineddomain } self:capability ~net_admin; @@ -1,5 +1,5 @@ type dhcp, domain; -permissive dhcp; +permissive_or_unconfined(dhcp) type dhcp_exec, exec_type, file_type; type dhcp_data_file, file_type, data_file_type; diff --git a/drmserver.te b/drmserver.te index 112d7a1..7bc0b38 100644 --- a/drmserver.te +++ b/drmserver.te @@ -1,6 +1,6 @@ # drmserver - DRM service type drmserver, domain; -permissive drmserver; +permissive_or_unconfined(drmserver) type drmserver_exec, exec_type, file_type; init_daemon_domain(drmserver) diff --git a/dumpstate.te b/dumpstate.te index e0fe4ce..fbf9ce9 100644 --- a/dumpstate.te +++ b/dumpstate.te @@ -1,6 +1,6 @@ # dumpstate type dumpstate, domain; -permissive dumpstate; +permissive_or_unconfined(dumpstate) type dumpstate_exec, exec_type, file_type; init_daemon_domain(dumpstate) diff --git a/hci_attach.te b/hci_attach.te index 2a55d51..5115292 100644 --- a/hci_attach.te +++ b/hci_attach.te @@ -1,5 +1,5 @@ type hci_attach, domain; -permissive hci_attach; +permissive_or_unconfined(hci_attach) type hci_attach_exec, exec_type, file_type; init_daemon_domain(hci_attach) @@ -1,6 +1,6 @@ # userspace wifi access points type hostapd, domain; -permissive hostapd; +permissive_or_unconfined(hostapd) type hostapd_exec, exec_type, file_type; allow hostapd self:capability { net_admin net_raw setuid setgid }; diff --git a/mediaserver.te b/mediaserver.te index f84a424..7589ee8 100644 --- a/mediaserver.te +++ b/mediaserver.te @@ -1,6 +1,6 @@ # mediaserver - multimedia daemon type mediaserver, domain; -permissive mediaserver; +permissive_or_unconfined(mediaserver) type mediaserver_exec, exec_type, file_type; typeattribute mediaserver mlstrustedsubject; diff --git a/platform_app.te b/platform_app.te index 40f2dd3..bbbc0f7 100644 --- a/platform_app.te +++ b/platform_app.te @@ -3,7 +3,7 @@ ### type platform_app, domain; -permissive platform_app; +permissive_or_unconfined(platform_app) app_domain(platform_app) platform_app_domain(platform_app) # Access the network. diff --git a/release_app.te b/release_app.te index 6be3620..69cff19 100644 --- a/release_app.te +++ b/release_app.te @@ -3,7 +3,7 @@ ### type release_app, domain; -permissive release_app; +permissive_or_unconfined(release_app) app_domain(release_app) platform_app_domain(release_app) # Access the network. @@ -1,6 +1,6 @@ # rild - radio interface layer daemon type rild, domain; -permissive rild; +permissive_or_unconfined(rild) type rild_exec, exec_type, file_type; init_daemon_domain(rild) @@ -1,5 +1,5 @@ type sdcardd, domain; -permissive sdcardd; +permissive_or_unconfined(sdcardd) type sdcardd_exec, exec_type, file_type; init_daemon_domain(sdcardd) diff --git a/shared_app.te b/shared_app.te index e469bdd..4ab90fe 100644 --- a/shared_app.te +++ b/shared_app.te @@ -3,7 +3,7 @@ ### type shared_app, domain; -permissive shared_app; +permissive_or_unconfined(shared_app) app_domain(shared_app) platform_app_domain(shared_app) # Access the network. diff --git a/surfaceflinger.te b/surfaceflinger.te index 39781fc..edbe22f 100644 --- a/surfaceflinger.te +++ b/surfaceflinger.te @@ -1,6 +1,6 @@ # surfaceflinger - display compositor service type surfaceflinger, domain; -permissive surfaceflinger; +permissive_or_unconfined(surfaceflinger) type surfaceflinger_exec, exec_type, file_type; init_daemon_domain(surfaceflinger) diff --git a/system_app.te b/system_app.te index 63aa76c..41e446b 100644 --- a/system_app.te +++ b/system_app.te @@ -4,7 +4,7 @@ # server. # type system_app, domain; -permissive system_app; +permissive_or_unconfined(system_app) app_domain(system_app) # Perform binder IPC to any app domain. diff --git a/system_server.te b/system_server.te index 22d739b..06bca76 100644 --- a/system_server.te +++ b/system_server.te @@ -3,7 +3,7 @@ # Most of the framework services run in this process. # type system_server, domain, mlstrustedsubject; -permissive system_server; +permissive_or_unconfined(system_server) # Define a type for tmpfs-backed ashmem regions. tmpfs_domain(system_server) @@ -327,3 +327,14 @@ define(`non_system_app_set', `{ appdomain -system_app }') # SELinux rules which apply only to userdebug or eng builds # define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1))) + +##################################### +# permissive_or_unconfined +# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false, +# and "unconfined($1)" otherwise. +# +# This is used for experimental domains, where we want to ensure +# the domain is unconfined+enforcing once new SELinux policy development +# has ceased. +# +define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1))) diff --git a/untrusted_app.te b/untrusted_app.te index 2630f9e..1904249 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -10,7 +10,7 @@ ### type untrusted_app, domain; -permissive untrusted_app; +permissive_or_unconfined(untrusted_app) app_domain(untrusted_app) net_domain(untrusted_app) bluetooth_domain(untrusted_app) diff --git a/wpa_supplicant.te b/wpa_supplicant.te index 12202fb..6ff1e10 100644 --- a/wpa_supplicant.te +++ b/wpa_supplicant.te @@ -1,6 +1,6 @@ # wpa - wpa supplicant or equivalent type wpa, domain; -permissive wpa; +permissive_or_unconfined(wpa) type wpa_exec, exec_type, file_type; init_daemon_domain(wpa) |