
Stephen Smalley committed 815a818 Merge

Merge branch 'seandroid' into seandroid-4.3

  • Parent commits c14e797, 58de2a8
  • Branches seandroid-4.3


Files changed (21)

 
 $(LOCAL_BUILT_MODULE) : $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py $(ALL_MAC_PERMS_FILES)
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(ALL_MAC_PERMS_FILES)
+	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
+		$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(ALL_MAC_PERMS_FILES)
 
 mac_perms_keys.tmp :=
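Review bot: The new recipe exports `$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))` without checking that the variable is set, so an empty value hands insertkeys.py an empty directory and the keys.conf entries changed in this same merge (`$DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem`) would resolve to `/platform.x509.pem`. A parse-time guard in this Android.mk, e.g. `$(if $(strip $(DEFAULT_SYSTEM_DEV_CERTIFICATE)),,$(error DEFAULT_SYSTEM_DEV_CERTIFICATE is not set))`, turns that into a clear build failure instead of a missing-key error inside the script. Note also that `$(dir …)` keeps its trailing slash, so the keys.conf paths expand with a `//`; harmless on POSIX but trivially trimmed with `$(patsubst %/,%,$(dir …))`. The certificate files themselves are still not prerequisites of `$(LOCAL_BUILT_MODULE)`, so a key rotation or a change of the variable will not trigger a rebuild of the keyed mac_permissions.xml.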
 
         any string specified in TARGET_BUILD_VARIANT. All tags are matched verbatim
         and all options are matched lowercase. The options are "tolowered" automatically
         for the user, it is convention to specify tags and options in all uppercase
-        and tags start with @.
+        and tags start with @. The option arguments can also use environment variables
+        via the familiar $VARIABLE syntax. This is often useful for setting a location
+        to ones release keys.
+
+        Often times, one will need to integrate an application that was signed by a separate
+        organization and may need to extract the pem file for the insertkeys/keys.conf tools.
+        Extraction of the public key in the pem format is possible via openssl. First you need
+        to unzip the apk, once it is unzipped, cd into the META_INF directory and then execute
+        openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM  -print_certs
+        On some occasions CERT.RSA has a different name, and you will need to adjust for that.
+        After extracting the pem, you can rename it, and configure keys.conf and
+        mac_permissions.xml to pick up the change. You MUST open the generated pem file in a text
+        editor and strip out anything outside the opening and closing scissor lines. Failure to do
+        so WILL cause a compile time issue thrown by insertkeys.py
 
         NOTE: The pem files are base64 encoded and PackageManagerService, mac_permissions.xml
               and setool all use base16 encodings.
 neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;
 
 # Write access to /proc/pid entries for any non-app domain.
-neverallow { appdomain -unconfineddomain } { domain - appdomain }:file write;
+neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;
 
 # signal access to non-app domains.
 # sigchld allowed for parent death notification.
 allow bluetooth sdcard_internal:dir create_dir_perms;
 allow bluetooth sdcard_internal:file create_file_perms;
 
+# Allow write access to bluetooth specific properties
+allow bluetooth bluetooth_prop:property_service set;
+
 ###
 ### Neverallow rules
 ###
 type ram_device, dev_type;
 type console_device, dev_type;
 type cpuctl_device, dev_type;
+type fscklogs, dev_type;
 type full_device, dev_type;
 type graphics_device, dev_type;
 type hw_random_device, dev_type;
 # Read access to pseudo filesystems.
 r_dir_file(domain, proc)
 r_dir_file(domain, sysfs)
+r_dir_file(domain, sysfs_devices_system_cpu)
 r_dir_file(domain, inotify)
 r_dir_file(domain, cgroup)
 
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
+# /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 type inotify, fs_type, mlstrustedobject;
 type devpts, fs_type, mlstrustedobject;
 type gps_data_file, file_type, data_file_type;
 # /data/misc subdirectories
 type bluetooth_data_file, file_type, data_file_type;
+type media_data_file, file_type, data_file_type;
 type keystore_data_file, file_type, data_file_type;
 type vpn_data_file, file_type, data_file_type;
 type systemkeys_data_file, file_type, data_file_type;
 /dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
+/dev/fscklogs(/.*)?	u:object_r:fscklogs:s0
 /dev/full		u:object_r:full_device:s0
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
 /data/misc/bluetooth(/.*)?	u:object_r:bluetooth_data_file:s0
 /data/misc/bluedroid(/.*)?	u:object_r:bluetooth_data_file:s0
 /data/misc/keystore(/.*)?	u:object_r:keystore_data_file:s0
+/data/misc/media(/.*)?		u:object_r:media_data_file:s0
 /data/misc/vpn(/.*)?		u:object_r:vpn_data_file:s0
 /data/misc/systemkeys(/.*)?	u:object_r:systemkeys_data_file:s0
 /data/misc/wifi(/.*)?		u:object_r:wifi_data_file:s0
 /sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
 /sys/class/rfkill/rfkill[0-9]*/state -- u:object_r:sysfs_bluetooth_writable:s0
 /sys/class/rfkill/rfkill[0-9]*/type -- u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/system/cpu(/.*)?    u:object_r:sysfs_devices_system_cpu:s0
 /sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
 /sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
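Review bot: The new `/sys/devices/system/cpu(/.*)?` entry in the third hunk separates the regex from its context with spaces, while every neighbouring line in file_contexts uses tabs. Unlike the adjacent rfkill and nfc-power entries it carries no `--` qualifier, which is correct for a whole directory tree, but a short comment would stop someone "normalizing" it later, e.g. `# whole /sys/devices/system/cpu tree (dirs and files), hence no -- qualifier`.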
 #############################
 type healthd_exec, exec_type, file_type;
 
 init_daemon_domain(healthd)
-allow healthd rootfs:file entrypoint;
+allow healthd rootfs:file { read entrypoint };
 write_klog(healthd)
+
+allow healthd self:capability { net_admin mknod };
+allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
+binder_use(healthd)
+binder_call(healthd, system_server)
+
+# Workaround for 0x10 / block_suspend capability2 denials.
+# Requires a kernel patch to fix properly.
+permissive healthd;
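Review bot: `permissive healthd;` puts the entire domain in permissive mode, so none of the other rules added here — `self:capability { net_admin mknod }`, the netlink uevent socket, the binder calls — is actually enforced, and every further healthd denial is only logged, which also hides any remaining gaps in this rule set for as long as the workaround stays. The comment should record the exit condition rather than just the symptom; if the missing permission is `block_suspend` in `capability2` as the comment suggests, something like `# TODO: remove once capability2 block_suspend is defined for this kernel/policy, then grant it explicitly: allow healthd self:capability2 block_suspend;` makes that explicit. Until then the healthd entries in the audit log are the only signal that this domain's rules are incomplete and are worth checking on test builds before the permissive line is dropped.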
 #
 
 [@PLATFORM]
-ALL : build/target/product/security/platform.x509.pem
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
 
 [@MEDIA]
-ALL : build/target/product/security/media.x509.pem
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
 
 [@SHARED]
-ALL : build/target/product/security/shared.x509.pem
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
 
 # Example of ALL TARGET_BUILD_VARIANTS
 [@RELEASE]
-ENG       : build/target/product/security/testkey.x509.pem
-USER      : build/target/product/security/testkey.x509.pem
-USERDEBUG : build/target/product/security/testkey.x509.pem
+ENG       : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USER      : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
 

mac_permissions.xml

 
     <!-- shared dev key in AOSP -->
     <signer signature="@SHARED" >
-      <allow-permission name="android.permission.ACCESS_COARSE_LOCATION" />
-      <allow-permission name="android.permission.ACCESS_FINE_LOCATION" />
-      <allow-permission name="android.permission.ACCESS_NETWORK_STATE" />
-      <allow-permission name="android.permission.ALLOW_ANY_CODEC_FOR_PLAYBACK" />
-      <allow-permission name="android.permission.BIND_APPWIDGET" />
-      <allow-permission name="android.permission.BIND_DIRECTORY_SEARCH" />
-      <allow-permission name="android.permission.BIND_WALLPAPER" />
-      <allow-permission name="android.permission.CALL_PHONE" />
-      <allow-permission name="android.permission.CALL_PRIVILEGED" />
-      <allow-permission name="android.permission.CAMERA" />
-      <allow-permission name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION" />
-      <allow-permission name="android.permission.GET_ACCOUNTS" />
-      <allow-permission name="android.permission.GLOBAL_SEARCH" />
-      <allow-permission name="android.permission.INTERNET" />
-      <allow-permission name="android.permission.MANAGE_ACCOUNTS" />
-      <allow-permission name="android.permission.MODIFY_AUDIO_SETTINGS" />
-      <allow-permission name="android.permission.MODIFY_PHONE_STATE" />
-      <allow-permission name="android.permission.NFC" />
-      <allow-permission name="android.permission.PACKAGE_USAGE_STATS" />
-      <allow-permission name="android.permission.READ_CALL_LOG" />
-      <allow-permission name="android.permission.READ_CONTACTS"/>
-      <allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
-      <allow-permission name="android.permission.READ_PHONE_STATE" />
-      <allow-permission name="android.permission.READ_PROFILE" />
-      <allow-permission name="android.permission.READ_SOCIAL_STREAM" />
-      <allow-permission name="android.permission.READ_SYNC_SETTINGS" />
-      <allow-permission name="android.permission.READ_SYNC_STATS" />
-      <allow-permission name="android.permission.READ_USER_DICTIONARY" />
-      <allow-permission name="android.permission.REBOOT" />
-      <allow-permission name="android.permission.RECEIVE_BOOT_COMPLETED" />
-      <allow-permission name="android.permission.RECORD_AUDIO" />
-      <allow-permission name="android.permission.SET_WALLPAPER" />
-      <allow-permission name="android.permission.SET_WALLPAPER_COMPONENT" />
-      <allow-permission name="android.permission.SET_WALLPAPER_HINTS" />
-      <allow-permission name="android.permission.SUBSCRIBED_FEEDS_READ" />
-      <allow-permission name="android.permission.SUBSCRIBED_FEEDS_WRITE" />
-      <allow-permission name="android.permission.UPDATE_APP_OPS_STATS" />
-      <allow-permission name="android.permission.USE_CREDENTIALS" />
-      <allow-permission name="android.permission.VIBRATE" />
-      <allow-permission name="android.permission.WAKE_LOCK" />
-      <allow-permission name="android.permission.WRITE_CALL_LOG" />
-      <allow-permission name="android.permission.WRITE_CONTACTS" />
-      <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
-      <allow-permission name="android.permission.WRITE_PROFILE" />
-      <allow-permission name="android.permission.WRITE_SETTINGS" />
-      <allow-permission name="android.permission.WRITE_USER_DICTIONARY" />
-      <allow-permission name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
-      <allow-permission name="com.android.launcher.permission.INSTALL_SHORTCUT" />
-      <allow-permission name="com.android.launcher.permission.READ_SETTINGS" />
-      <allow-permission name="com.android.launcher.permission.WRITE_SETTINGS" />
-      <allow-permission name="com.android.voicemail.permission.ADD_VOICEMAIL" />
-      <allow-permission name="com.android.voicemail.permission.READ_WRITE_ALL_VOICEMAIL" />
-      <allow-permission name="com.google.android.googleapps.permission.GOOGLE_AUTH" />
-      <allow-permission name="com.google.android.googleapps.permission.GOOGLE_AUTH.cp" />
-      <allow-permission name="com.google.android.googleapps.permission.GOOGLE_AUTH.mail" />
+	  <allow-all />
       <seinfo value="shared" />
     </signer>
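Review bot: Replacing the explicit permission list for the `@SHARED` signer with `<allow-all />` removes the only policy-side cap on what an app signed with the shared key may be granted; every permission that was previously outside this list is now allowed for that signer as well. If that is intended because the AOSP shared key is a development key, say so in the existing comment, e.g. `<!-- shared dev key in AOSP: development key, no permission whitelist enforced; a device shipping its own shared key should restore an explicit list -->`, so the relaxation is not carried unchanged into a release configuration. Also, the new `<allow-all />` line is indented with a tab where the surrounding elements use spaces.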
 
 
 allow mediaserver self:process execmem;
 allow mediaserver kernel:system module_request;
+allow mediaserver media_data_file:dir rw_dir_perms;
+allow mediaserver media_data_file:file create_file_perms;
 allow mediaserver app_data_file:dir search;
 allow mediaserver app_data_file:file rw_file_perms;
 allow mediaserver platform_app_data_file:file { getattr read };
 type default_prop, property_type;
 type shell_prop, property_type;
+type debug_prop, property_type;
 type radio_prop, property_type;
 type system_prop, property_type;
 type vold_prop, property_type;

property_contexts

 dhcp.                   u:object_r:system_prop:s0
 bluetooth.              u:object_r:bluetooth_prop:s0
 
-debug.                  u:object_r:shell_prop:s0
+debug.                  u:object_r:debug_prop:s0
 log.                    u:object_r:shell_prop:s0
 service.adb.root        u:object_r:shell_prop:s0
 service.adb.tcp.port    u:object_r:shell_prop:s0
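Review bot: Relabeling `debug.` from `shell_prop` to `debug_prop` silently withdraws `setprop debug.*` from every domain whose grant is only `shell_prop:property_service set`; this merge adds the `debug_prop` set to system_server, but shell.te is not in the diff, so confirm that the shell domain (and anything else that wrote debug properties) received `allow <domain> debug_prop:property_service set;`, otherwise the change surfaces as property_service denials rather than a build error. A one-line comment next to the new `debug_prop` type in property.te naming the intended writers would make the split from `shell_prop` understandable later.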
 # Allow settings app to read from asec
 allow system_app asec_apk_file:dir search;
 allow system_app asec_apk_file:file r_file_perms;
+
+# Write to properties
+allow system_app system_prop:property_service set;
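Review bot: Granting `system_prop:property_service set` to the whole `system_app` domain lets any system-uid app write every property labeled `system_prop` (the property_contexts hunk in this merge maps at least `dhcp.` there), which is broader than a single settings-app need. If one app or prefix drives this, a dedicated property type for that prefix, or at least a comment recording which property is set and by whom, keeps the grant auditable; as written, `# Write to properties` does not say why.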
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, appdomain)
+binder_call(system_server, healthd)
 binder_service(system_server)
 
 # Read /proc/pid files for Binder clients.
 # Property Service write
 allow system_server system_prop:property_service set;
 allow system_server radio_prop:property_service set;
+allow system_server debug_prop:property_service set;
+allow system_server powerctl_prop:property_service set;
 
 # ctl interface
 allow system_server ctl_default_prop:property_service set;
 
 # Access to wake locks
 allow system_server sysfs_wake_lock:file rw_file_perms;
+
+# Create files under /dev/fscklogs.
+allow system_server fscklogs:dir rw_dir_perms;
+allow system_server fscklogs:file create_file_perms;
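Review bot: `powerctl_prop` is referenced in the second hunk (`allow system_server powerctl_prop:property_service set;`) but no declaration for it appears in the property.te hunk of this merge, which only adds `debug_prop`; if it is not declared and mapped in property_contexts elsewhere, checkpolicy will fail on an undeclared type. The fscklogs grants in the last hunk match the `fscklogs` type and `/dev/fscklogs` context added in device.te and file_contexts, so that part is consistent.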
 LOCAL_MODULE := checkseapp
 LOCAL_MODULE_TAGS := optional
 LOCAL_C_INCLUDES := external/libsepol/include/
-LOCAL_CFLAGS := -DLINK_SEPOL_STATIC
+LOCAL_CFLAGS := -DLINK_SEPOL_STATIC -Wall -Werror
 LOCAL_SRC_FILES := check_seapp.c
 LOCAL_STATIC_LIBRARIES := libsepol
 
 LOCAL_MODULE_TAGS := optional
 LOCAL_C_INCLUDES := external/libsepol/include \
                     external/libselinux/include
+LOCAL_CFLAGS := -Wall -Werror
 LOCAL_SRC_FILES := checkfc.c
 LOCAL_STATIC_LIBRARIES := libsepol libselinux
 
 LOCAL_MODULE := sepolicy-check
 LOCAL_MODULE_TAGS := optional
 LOCAL_C_INCLUDES := external/libsepol/include
+LOCAL_CFLAGS := -Wall -Werror
 LOCAL_SRC_FILES := sepolicy-check.c
 LOCAL_STATIC_LIBRARIES := libsepol
 
 LOCAL_MODULE := sepolicy-analyze
 LOCAL_MODULE_TAGS := optional
 LOCAL_C_INCLUDES := external/libsepol/include
+LOCAL_CFLAGS := -Wall -Werror
 LOCAL_SRC_FILES := sepolicy-analyze.c
 LOCAL_STATIC_LIBRARIES := libsepol
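Review bot: `-Werror` is now set unconditionally in each of the four host-tool modules, so any new warning from a newer host compiler, or one coming from the libsepol/libselinux headers pulled in through `LOCAL_C_INCLUDES`, becomes a build break for the whole tree rather than for the tool's author. The same `-Wall -Werror` string is repeated four times; a single variable near the top of the file, e.g. `common_cflags := -Wall -Werror`, referenced as `LOCAL_CFLAGS := $(common_cflags)` (and `LOCAL_CFLAGS := -DLINK_SEPOL_STATIC $(common_cflags)` for checkseapp), keeps the modules in step when the flags change.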
 

tools/check_seapp.c

  * @param rm
  * 	rule map to be freed.
  */
-static void rule_map_free(rule_map *rm, rule_map_switch s) {
+static void rule_map_free(rule_map *rm,
+		rule_map_switch s __attribute__((unused)) /* only glibc builds, ignored otherwise */) {
 
 	size_t i;
 	size_t len = rm->length;
 	bool found_name = false;
 	bool found_seinfo = false;
 	char *name = NULL;
-	key_map *tmp;
+	const key_map *tmp;
 
 	for(i=0; i < rm->length; i++) {
 		tmp = &(rm->m[i]);
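Review bot: The inline comment `/* only glibc builds, ignored otherwise */` on the `s` parameter is misleading: `__attribute__((unused))` is a GCC/Clang compiler attribute and has nothing to do with glibc, and the signature does not tell a reader whether `s` is genuinely unused or only read on one platform's code path. If `s` is read on a glibc-only path further down (the body of rule_map_free continues outside the hunk), say that, e.g. `rule_map_switch s __attribute__((unused))) /* s is only read on the glibc-specific path below */ {`; if it is never read, drop the attribute and add `(void)s;` in the body so the intent is visible where the parameter would be used. Making `tmp` a `const key_map *` is a good tightening.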

tools/sepolicy-analyze.c

-/*
- * This was derived from public domain works with updates to
- * work with more modern SELinux libraries.
- *
- * It is released into the public domain.
- *
- */
-
 #include <getopt.h>
 #include <unistd.h>
 #include <stddef.h>
     printf("    allow %s %s:%s { %s };\n",
            policydb->p_type_val_to_name[n->key.source_type
                                         ? n->key.source_type - 1 : idx],
-	   n->key.target_type == n->key.source_type ? "self" :
+           n->key.target_type == n->key.source_type ? "self" :
            policydb->p_type_val_to_name[n->key.target_type
                                         ? n->key.target_type - 1 : idx],
            policydb->p_class_val_to_name[n->key.target_class - 1],
     avtab_t exp_avtab, exp_cond_avtab;
     struct avtab_node *type_rules, *l1, *l2;
     struct type_datum *type;
-    int i, j;
+    size_t i, j;
 
     /*
      * Create a list of access vector rules for each type
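Review bot: The first hunk deletes the provenance and licensing header (`This was derived from public domain works ... released into the public domain`), and the sepolicy-check.c hunk in this merge does the same, leaving both files with no statement of origin or terms at all. If the intent is to rely on the project's NOTICE/LICENSE, put a one-line reference in its place rather than nothing. The `int i, j` to `size_t i, j` change in the third hunk is only safe if every comparison those indices take part in is against an unsigned bound; the loops are outside the hunk, so check that no `i >= 0` or signed-bound comparison remains, since `-Werror` is being enabled for this tool in the same merge.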

tools/sepolicy-check.c

-/*
- * This was derived from public domain works with updates to
- * work with more modern SELinux libraries.
- *
- * It is released into the public domain.
- *
- */
-
 #include <getopt.h>
 #include <unistd.h>
 #include <stdlib.h>
 	avtab_key_t key;
 	int match;
 
+	key.source_type = key.target_type = key.target_class = 0;
+
 	if (s_op != ANY) {
 		src = hashtab_search(policy->p_types.table, s);
 		if (src == NULL) {
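Review bot: The added assignment zeroes `source_type`, `target_type` and `target_class`, but `avtab_key_t` also carries `specified`; if the rest of the function (which starts and ends outside the hunk) does not set it before `key` is used for the lookup, that field stays uninitialized. Zero-initializing at the declaration covers every member and makes the added line unnecessary: `avtab_key_t key = { 0 };`.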
 allow ueventd sysfs:file rw_file_perms;
 allow ueventd sysfs:file setattr;
 allow ueventd sysfs_type:file { relabelfrom relabelto };
+allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
 allow ueventd tmpfs:chr_file rw_file_perms;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };