
Anonymous committed 7611b60 Merge

Merge "Support forcing permissive domains to unconfined."


Files changed (19)

 
 include $(CLEAR_VARS)
 
+# Force permissive domains to be unconfined+enforcing?
+#
+# During development, this should be set to false.
+# Permissive means permissive.
+#
+# When we're close to a release and SELinux new policy development
+# is frozen, we should flip this to true. This forces any currently
+# permissive domains into unconfined+enforcing.
+#
+FORCE_PERMISSIVE_TO_UNCONFINED:=false
+
+ifeq ($(TARGET_BUILD_VARIANT),user)
+  # User builds are always forced unconfined+enforcing
+  FORCE_PERMISSIVE_TO_UNCONFINED:=true
+endif
+
 # SELinux policy version.
 # Must be <= /selinux/policyvers reported by the Android kernel.
 # Must be within the compatibility range reported by checkpolicy -V.
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -D target_build_variant=$(TARGET_BUILD_VARIANT) -s $^ > $@
+	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
+		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
 $(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
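Review bot: The new m4 line reads `$(FORCE_PERMISSIVE_TO_UNCONFINED)` as a global variable at recipe-execution time, whereas the sibling `MLS_CATS` value is captured on the line above through a `PRIVATE_MLS_CATS` target-specific variable; for consistency, and so a later reassignment elsewhere in the same make parse cannot change what the policy is built with, add `$(sepolicy_policy.conf): PRIVATE_FORCE_PERMISSIVE_TO_UNCONFINED := $(FORCE_PERMISSIVE_TO_UNCONFINED)` and reference that in the m4 invocation. Only the literal value `false` keeps domains permissive on the m4 side (the `permissive_or_unconfined` macro in te_macros falls through to `unconfined_domain` for any other value), so a typo such as `False` or an empty command-line override silently yields unconfined domains; a parse-time guard after the `endif`, `ifeq ($(filter true false,$(FORCE_PERMISSIVE_TO_UNCONFINED)),)` / `$(error FORCE_PERMISSIVE_TO_UNCONFINED must be true or false)` / `endif`, catches that at build time. The `$(LOCAL_BUILT_MODULE)` rule on the last line continues outside the hunk.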
 # bluetooth subsystem
 type bluetooth, domain;
-permissive bluetooth;
+permissive_or_unconfined(bluetooth)
 app_domain(bluetooth)
 
 # Data file accesses.
 
 # Superuser capabilities.
 # bluetooth requires net_admin.
-neverallow bluetooth self:capability ~net_admin;
+neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
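Review bot: The `-unconfineddomain` exclusion added to bluetooth's neverallow is required because `unconfined_domain` grants capabilities the unchanged rule would forbid, but the same situation arises for every other domain converted in this commit (dhcp, drmserver, dumpstate, hci_attach, hostapd, mediaserver, platform_app, release_app, rild, sdcardd, shared_app, surfaceflinger, system_app, system_server, untrusted_app, wpa); only bluetooth's rule is visible here, so if any of those files carry a `neverallow <domain> self:capability ...` rule it presumably needs the same exclusion or checkpolicy will reject the user-build policy. A one-line comment above the rule would make the reason durable: `# Exclude unconfineddomain: when FORCE_PERMISSIVE_TO_UNCONFINED=true this domain is unconfined and the restriction cannot hold.` The rest of bluetooth.te is outside the hunk.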
 type dhcp, domain;
-permissive dhcp;
+permissive_or_unconfined(dhcp)
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 
 # drmserver - DRM service
 type drmserver, domain;
-permissive drmserver;
+permissive_or_unconfined(drmserver)
 type drmserver_exec, exec_type, file_type;
 
 init_daemon_domain(drmserver)
 # dumpstate
 type dumpstate, domain;
-permissive dumpstate;
+permissive_or_unconfined(dumpstate)
 type dumpstate_exec, exec_type, file_type;
 
 init_daemon_domain(dumpstate)
 type hci_attach, domain;
-permissive hci_attach;
+permissive_or_unconfined(hci_attach)
 type hci_attach_exec, exec_type, file_type;
 
 init_daemon_domain(hci_attach)
 # userspace wifi access points
 type hostapd, domain;
-permissive hostapd;
+permissive_or_unconfined(hostapd)
 type hostapd_exec, exec_type, file_type;
 
 allow hostapd self:capability { net_admin net_raw setuid setgid };
 # mediaserver - multimedia daemon
 type mediaserver, domain;
-permissive mediaserver;
+permissive_or_unconfined(mediaserver)
 type mediaserver_exec, exec_type, file_type;
 
 typeattribute mediaserver mlstrustedsubject;
 ###
 
 type platform_app, domain;
-permissive platform_app;
+permissive_or_unconfined(platform_app)
 app_domain(platform_app)
 platform_app_domain(platform_app)
 # Access the network.
 ###
 
 type release_app, domain;
-permissive release_app;
+permissive_or_unconfined(release_app)
 app_domain(release_app)
 platform_app_domain(release_app)
 # Access the network.
 # rild - radio interface layer daemon
 type rild, domain;
-permissive rild;
+permissive_or_unconfined(rild)
 type rild_exec, exec_type, file_type;
 
 init_daemon_domain(rild)
 type sdcardd, domain;
-permissive sdcardd;
+permissive_or_unconfined(sdcardd)
 type sdcardd_exec, exec_type, file_type;
 
 init_daemon_domain(sdcardd)
 ###
 
 type shared_app, domain;
-permissive shared_app;
+permissive_or_unconfined(shared_app)
 app_domain(shared_app)
 platform_app_domain(shared_app)
 # Access the network.

surfaceflinger.te

 # surfaceflinger - display compositor service
 type surfaceflinger, domain;
-permissive surfaceflinger;
+permissive_or_unconfined(surfaceflinger)
 type surfaceflinger_exec, exec_type, file_type;
 
 init_daemon_domain(surfaceflinger)
 # server.
 #
 type system_app, domain;
-permissive system_app;
+permissive_or_unconfined(system_app)
 app_domain(system_app)
 
 # Perform binder IPC to any app domain.
 # Most of the framework services run in this process.
 #
 type system_server, domain, mlstrustedsubject;
-permissive system_server;
+permissive_or_unconfined(system_server)
 
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)
 # SELinux rules which apply only to userdebug or eng builds
 #
 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
+
+#####################################
+# permissive_or_unconfined
+# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
+# and "unconfined($1)" otherwise.
+#
+# This is used for experimental domains, where we want to ensure
+# the domain is unconfined+enforcing once new SELinux policy development
+# has ceased.
+#
+define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))
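Review bot: The header comment says the macro returns `unconfined($1)`, but the definition on the last line expands to `unconfined_domain($1)`; change the comment to `# and "unconfined_domain($1)" otherwise.` so it names the macro actually invoked. It is also worth stating the fall-through explicitly, since `ifelse` only compares against the literal `false'`: any other value, including the symbol being left undefined when policy.conf is assembled without the `-D force_permissive_to_unconfined=` definition, selects the unconfined branch; a line such as `# Any value other than the literal `false' (including an undefined symbol) selects unconfined_domain.` documents that for the next reader.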
 ###
 
 type untrusted_app, domain;
-permissive untrusted_app;
+permissive_or_unconfined(untrusted_app)
 app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)

wpa_supplicant.te

 # wpa - wpa supplicant or equivalent
 type wpa, domain;
-permissive wpa;
+permissive_or_unconfined(wpa)
 type wpa_exec, exec_type, file_type;
 
 init_daemon_domain(wpa)