Merge "Do not allow apps to access network address file"
diff --git a/Android.mk b/Android.mk
index 487ae4d..bad7257 100644
--- a/Android.mk
+++ b/Android.mk
@@ -22,6 +22,10 @@
 $(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
 endif
 
+ifdef BOARD_SEPOLICY_M4DEFS
+LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
+endif
+
 # Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
 # $(1): the set of policy name paths to build
 build_policy = $(foreach type, $(1), $(wildcard $(addsuffix /$(type), $(LOCAL_PATH) $(BOARD_SEPOLICY_DIRS))))
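Review bot: When BOARD_SEPOLICY_M4DEFS is unset, the new `ifdef` block leaves LOCAL_ADDITIONAL_M4DEFS undefined rather than empty, and nothing checks the `name=value` form the README requires, so a misformatted entry silently reaches m4 as a bare `-Dname` (defining the macro as empty) or, after make's word splitting of a value containing whitespace, as several separate definitions. `$(addprefix -D, ...)` already expands to nothing for an empty list, so the conditional can go: `LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))`. A parse-time check such as `$(foreach d,$(BOARD_SEPOLICY_M4DEFS),$(if $(findstring =,$(d)),,$(error BOARD_SEPOLICY_M4DEFS entry '$(d)' is not of the form name=value)))` fails the build on the `=`-less word that either mistake produces, which matters because every recipe below passes these board-supplied values to m4 unquoted.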
@@ -57,9 +61,11 @@
 sepolicy_policy.conf := $(intermediates)/policy.conf
 $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files))
 	@mkdir -p $(dir $@)
-	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
+		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
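Review bot: Placing `$(PRIVATE_ADDITIONAL_M4DEFS)` ahead of the build's own `-D mls_num_sens`, `-D mls_num_cats` and `-D target_build_variant` decides which value wins when a board defines the same macro name; as far as I know m4 applies `-D` options in command-line order, so the build-supplied definition takes effect and a board cannot override the MLS counts or build variant. That precedence looks deliberate but is undocumented. A comment on the recipe, `# board m4 defs come first so the build's own -D values win on a name clash`, would record it; the same applies to the policy_recovery.conf rule in the next hunk.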
@@ -84,9 +90,11 @@
 sepolicy_policy_recovery.conf := $(intermediates)/policy_recovery.conf
 $(sepolicy_policy_recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy_recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy_recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files))
 	@mkdir -p $(dir $@)
-	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
+		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
 		-D target_recovery=true \
 		-s $^ > $@
@@ -155,9 +163,10 @@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(all_fc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(LOCAL_BUILT_MODULE): $(all_fc_files) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_FC_FILES) > $@
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $@
 
 built_fc := $(LOCAL_BUILT_MODULE)
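Review bot: The board definitions are inserted after `-s` here (`m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) …`) but before the built-in `-D` options in the two policy.conf rules (`m4 $(PRIVATE_ADDITIONAL_M4DEFS) -D …`); both forms work, yet the two layouts make it harder to spot at a glance that every m4 invocation now takes the same definitions. One consistent shape, e.g. `$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) -s $(PRIVATE_FC_FILES) > $@`, would read the same in all seven rules. The same placement is repeated in the property_contexts, service_contexts and keys.conf hunks below.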
@@ -246,9 +255,10 @@
 ALL_PC_FILES := $(call build_policy, property_contexts)
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(LOCAL_BUILT_MODULE): $(ALL_PC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(ALL_PC_FILES) > $@
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(ALL_PC_FILES) > $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
 
 built_pc := $(LOCAL_BUILT_MODULE)
@@ -283,9 +293,10 @@
 ALL_SVC_FILES := $(call build_policy, service_contexts)
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(LOCAL_BUILT_MODULE): $(ALL_SVC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(ALL_SVC_FILES) > $@
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(ALL_SVC_FILES) > $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
 
 built_svc := $(LOCAL_BUILT_MODULE)
@@ -319,9 +330,10 @@
 
 # Build keys.conf
 mac_perms_keys.tmp := $(intermediates)/keys.tmp
+$(mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(mac_perms_keys.tmp): $(call build_policy, keys.conf)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $^ > $@
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
 
 ALL_MAC_PERMS_FILES := $(call build_policy, $(LOCAL_MODULE))
 
@@ -342,7 +354,7 @@
 include $(BUILD_SYSTEM)/base_rules.mk
 $(LOCAL_BUILT_MODULE): $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc)
 	@mkdir -p $(dir $@)
-	$(hide) echo -n $(BUILD_FINGERPRINT) > $@
+	$(hide) echo -n $(BUILD_FINGERPRINT_FROM_FILE) > $@
 
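Review bot: The switch to `$(BUILD_FINGERPRINT_FROM_FILE)` is unrelated to the m4defs change and sits unexplained in this hunk; if, as the name suggests, the variable expands to a shell substitution that reads the fingerprint from a file at recipe time, the expansion is unquoted in `echo -n $(BUILD_FINGERPRINT_FROM_FILE) > $@`, so any whitespace in the file's contents is collapsed, and the file itself is not a prerequisite of `$(LOCAL_BUILT_MODULE)`, so a changed fingerprint does not rebuild the stamp. Quoting the value, `$(hide) echo -n "$(BUILD_FINGERPRINT_FROM_FILE)" > $@`, and adding the fingerprint file to the prerequisite list (if the build system exposes its path) would address both; the rule's `include` and header lines start above this hunk.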
 ##################################
 
diff --git a/README b/README
index 8202c67..972997a 100644
--- a/README
+++ b/README
@@ -26,6 +26,21 @@
 
 BOARD_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
 
+Additionally, OEMs can specify BOARD_SEPOLICY_M4DEFS to pass arbitrary m4
+definitions during the build. A definition consists of a string in the form
+of macro-name=value. Spaces must NOT be present. This is useful for building modular
+policies, policy generation, conditional file paths, etc. It is supported in
+the following file types:
+ * All *.te and SE Linux policy files as passed to checkpolicy
+ * file_contexts
+ * service_contexts
+ * property_contexts
+ * keys.conf
+
+Example BoardConfig.mk Usage:
+BOARD_SEPOLICY_M4DEFS += btmodule=foomatic \
+                         btdevice=/dev/gps
+
 SPECIFIC POLICY FILE INFORMATION
 
 mac_permissions.xml:
diff --git a/domain.te b/domain.te
index 23dabf5..87422de 100644
--- a/domain.te
+++ b/domain.te
@@ -327,7 +327,8 @@
 neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
-neverallow domain { system_file exec_type }:dir_file_class_set mounton;
+neverallow domain exec_type:dir_file_class_set mounton;
+neverallow { domain -init } system_file:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
 neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
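Review bot: The new second line exempts init from the system_file mounton neverallow for the whole of `dir_file_class_set`, but the matching allow added in init.te only grants `system_file:dir mounton`, so the assertion is looser than the policy it is meant to guard and would no longer catch a future rule letting init mount over a file, symlink or device node under /system. Narrowing the carve-out to directories keeps the file classes fully covered: `neverallow domain system_file:file_class_set mounton;` followed by `neverallow { domain -init } system_file:dir mounton;`. A short comment stating why init needs the exception would also help, since the existing comment above still reads as an unconditional ban.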
diff --git a/init.te b/init.te
index 9fdfd22..e81a612 100644
--- a/init.te
+++ b/init.te
@@ -43,7 +43,7 @@
 
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
-allow init rootfs:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file }:dir mounton;
 
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;
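Review bot: The comment `# Create and mount on directories in /.` now sits above a rule that also permits mounting on cache_file, cgroup, storage_file, system_data_file and system_file directories, so it no longer describes what the rule allows; mounting over /data- and /system-typed directories is a meaningful widening that a reader should not have to infer from the type list. Update it to something like `# Create directories in / and mount on them; init may also mount on the listed filesystem directory types (cache, cgroup, storage, data, system).` The domain.te change in this merge carves init out of the corresponding system_file neverallow, which is worth a cross-reference here.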