Modified SEPolicy rules
346cae2781
Change-Id: I571731169036a3203d0145af67f45b3d9eb6366b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> |
||
|---|---|---|
| tools | ||
| access_vectors | ||
| adbd.te | ||
| Android.mk | ||
| app.te | ||
| assert.te | ||
| attributes | ||
| bluetooth.te | ||
| bluetoothd.te | ||
| cts.te | ||
| dbusd.te | ||
| debuggerd.te | ||
| device.te | ||
| dhcp.te | ||
| domain.te | ||
| drmserver.te | ||
| file_contexts | ||
| file.te | ||
| fs_use | ||
| genfs_contexts | ||
| global_macros | ||
| gpsd.te | ||
| hci_attach.te | ||
| init.te | ||
| initial_sid_contexts | ||
| initial_sids | ||
| installd.te | ||
| kernel.te | ||
| keystore.te | ||
| mac_permissions.xml | ||
| mediaserver.te | ||
| mls | ||
| mls_macros | ||
| mtp.te | ||
| net.te | ||
| netd.te | ||
| nfc.te | ||
| NOTICE | ||
| policy_capabilities | ||
| port_contexts | ||
| ppp.te | ||
| property_contexts | ||
| property.te | ||
| qemud.te | ||
| radio.te | ||
| README | ||
| rild.te | ||
| roles | ||
| runas.te | ||
| sdcardd.te | ||
| seapp_contexts | ||
| security_classes | ||
| selinux-network.sh | ||
| servicemanager.te | ||
| shell.te | ||
| su.te | ||
| surfaceflinger.te | ||
| system.te | ||
| te_macros | ||
| tee.te | ||
| ueventd.te | ||
| unconfined.te | ||
| users | ||
| vold.te | ||
| watchdogd.te | ||
| wpa_supplicant.te | ||
| zygote.te | ||
Policy Generation:
Additional, per device, policy files can be added into the
policy build.
They can be configured through the use of three variables,
they are:
1. BOARD_SEPOLICY_REPLACE
2. BOARD_SEPOLICY_UNION
3. BOARD_SEPOLICY_DIRS
4. BOARD_SEPOLICY_IGNORE
The variables should be set in the BoardConfig.mk file in
the device or vendor directories.
BOARD_SEPOLICY_UNION is a list of files that will be
"unioned", IE concatenated, at the END of their respective
file in external/sepolicy. Note, to add a unique file you
would use this variable.
BOARD_SEPOLICY_REPLACE is a list of files that will be
used instead of the corresponding file in external/sepolicy.
BOARD_SEPOLICY_DIRS contains a list of directories to search
for BOARD_SEPOLICY_UNION and BOARD_SEPOLICY_REPLACE files. Order
matters in this list.
eg.) If you have BOARD_SEPOLICY_UNION := widget.te and have 2
instances of widget.te files on BOARD_SEPOLICY_DIRS search path.
The first one found (at the first search dir containing the file)
gets processed first.
Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
will help sort out ordering issues.
It is an error to specify a BOARD_POLICY_REPLACE file that does
not exist in external/sepolicy.
It is an error to specify a BOARD_POLICY_REPLACE file that appears
multiple times on the policy search path defined by BOARD_SEPOLICY_DIRS.
eg.) if you specify shell.te in BOARD_SEPOLICY_REPLACE and
BOARD_SEPOLICY_DIRS is set to
"vendor/widget/common/sepolicy device/widget/x/sepolicy" and shell.te
appears in both locations, it is an error. Unless it is in
BOARD_SEPOLICY_IGNORE to be filtered out. See BOARD_SEPOLICY_IGNORE
for more details.
It is an error to specify the same file name in both
BOARD_POLICY_REPLACE and BOARD_POLICY_UNION.
It is an error to specify a BOARD_SEPOLICY_DIRS that has no entries when
specifying BOARD_SEPOLICY_REPLACE.
BOARD_SEPOLICY_IGNORE is a list of paths (directory + filename) of
files that are not to be included in the resulting policy. This list
is passed to filter-out to remove any paths you may want to ignore. This
is useful if you have numerous config directories that contain a file
and you want to NOT include a particular file in your resulting
policy file, either by UNION or REPLACE.
Eg.) Suppose the follwoing:
BOARD_SEPOLICY_DIRS := X Y
BOARD_SEPOLICY_REPLACE := A
BOARD_SEPOLICY_IGNORE := X/A
Directories X and Y contain A.
The resulting policy is created by using Y/A only, thus X/A was
ignored.
Example BoardConfig.mk Usage:
From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk
BOARD_SEPOLICY_DIRS := \
device/samsung/tuna/sepolicy
BOARD_SEPOLICY_UNION := \
genfs_contexts \
file_contexts \
sepolicy.te