/external/sepolicy

Name                    Date         Size
access_vectors          11-Dec-2013  8.9K
adbd.te                 11-Dec-2013  262
Android.mk              11-Dec-2013  6.2K
app.te                  11-Dec-2013  5.8K
attributes              11-Dec-2013  1.6K
bluetooth.te            11-Dec-2013  119
bluetoothd.te           11-Dec-2013  186
clatd.te                11-Dec-2013  164
dbusd.te                11-Dec-2013  143
debuggerd.te            11-Dec-2013  249
device.te               11-Dec-2013  2K
dhcp.te                 11-Dec-2013  307
dnsmasq.te              11-Dec-2013  159
domain.te               11-Dec-2013  4.6K
drmserver.te            11-Dec-2013  175
file.te                 11-Dec-2013  4.2K
file_contexts           11-Dec-2013  8.6K
fs_use                  11-Dec-2013  775
genfs_contexts          11-Dec-2013  623
global_macros           11-Dec-2013  2.4K
gpsd.te                 11-Dec-2013  313
hci_attach.te           11-Dec-2013  154
healthd.te              11-Dec-2013  264
hostapd.te              11-Dec-2013  159
init.te                 11-Dec-2013  361
init_shell.te           11-Dec-2013  182
initial_sid_contexts    11-Dec-2013  973
initial_sids            11-Dec-2013  416
installd.te             11-Dec-2013  1.3K
isolated_app.te         11-Dec-2013  781
kernel.te               11-Dec-2013  223
keys.conf               11-Dec-2013  659
keystore.te             11-Dec-2013  162
mac_permissions.xml     11-Dec-2013  624
media_app.te            11-Dec-2013  290
mediaserver.te          11-Dec-2013  217
mls                     11-Dec-2013  4.7K
mls_macros              11-Dec-2013  1.2K
mtp.te                  11-Dec-2013  168
net.te                  11-Dec-2013  84
netd.te                 11-Dec-2013  2.6K
nfc.te                  11-Dec-2013  89
NOTICE                  11-Dec-2013  1K
ping.te                 11-Dec-2013  129
platform_app.te         11-Dec-2013  289
policy_capabilities     11-Dec-2013  122
port_contexts           11-Dec-2013  77
ppp.te                  11-Dec-2013  225
property.te             11-Dec-2013  449
property_contexts       11-Dec-2013  2.1K
qemud.te                11-Dec-2013  150
racoon.te               11-Dec-2013  135
radio.te                11-Dec-2013  141
README                  11-Dec-2013  5K
release_app.te          11-Dec-2013  299
rild.te                 11-Dec-2013  179
roles                   11-Dec-2013  29
runas.te                11-Dec-2013  172
sdcardd.te              11-Dec-2013  139
seapp_contexts          11-Dec-2013  2.1K
security_classes        11-Dec-2013  2.5K
selinux-network.sh      11-Dec-2013  1K
servicemanager.te       11-Dec-2013  220
shared_app.te           11-Dec-2013  273
shell.te                11-Dec-2013  188
su.te                   11-Dec-2013  138
su_user.te              11-Dec-2013  91
surfaceflinger.te       11-Dec-2013  314
system.te               11-Dec-2013  607
te_macros               11-Dec-2013  9.2K
tee.te                  11-Dec-2013  243
tools/                  11-Dec-2013  (directory)
ueventd.te              11-Dec-2013  232
unconfined.te           11-Dec-2013  1.3K
untrusted_app.te        11-Dec-2013  1.9K
users                   11-Dec-2013  55
vold.te                 11-Dec-2013  2.3K
watchdogd.te            11-Dec-2013  168
wpa_supplicant.te       11-Dec-2013  213
zygote.te               11-Dec-2013  2.1K

README

Policy Generation:

Additional, per-device policy files can be added into the
policy build.

They can be configured through the use of the following
variables:
1. BOARD_SEPOLICY_REPLACE
2. BOARD_SEPOLICY_UNION
3. BOARD_SEPOLICY_DIRS
4. BOARD_SEPOLICY_IGNORE

The variables should be set in the BoardConfig.mk file in
the device or vendor directories.

BOARD_SEPOLICY_UNION is a list of files that will be
"unioned", i.e. concatenated, at the END of their respective
file in external/sepolicy. Note: to add a unique file (one that
has no counterpart in external/sepolicy) you would use this
variable.

BOARD_SEPOLICY_REPLACE is a list of files that will be
used instead of the corresponding file in external/sepolicy.

BOARD_SEPOLICY_DIRS contains a list of directories to search
for BOARD_SEPOLICY_UNION and BOARD_SEPOLICY_REPLACE files. Order
matters in this list.
e.g. If you have BOARD_SEPOLICY_UNION := widget.te and have two
instances of widget.te on the BOARD_SEPOLICY_DIRS search path,
the first one found (at the first search dir containing the file)
gets processed first.
Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
will help sort out ordering issues.

It is an error to specify a BOARD_SEPOLICY_REPLACE file that does
not exist in external/sepolicy.

It is an error to specify a BOARD_SEPOLICY_REPLACE file that appears
multiple times on the policy search path defined by BOARD_SEPOLICY_DIRS.
e.g. If you specify shell.te in BOARD_SEPOLICY_REPLACE and
BOARD_SEPOLICY_DIRS is set to
"vendor/widget/common/sepolicy device/widget/x/sepolicy" and shell.te
appears in both locations, it is an error, unless one of the copies is
listed in BOARD_SEPOLICY_IGNORE and thereby filtered out. See
BOARD_SEPOLICY_IGNORE for more details.

It is an error to specify the same file name in both
BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION.

It is an error to specify a BOARD_SEPOLICY_DIRS that has no entries when
specifying BOARD_SEPOLICY_REPLACE.

BOARD_SEPOLICY_IGNORE is a list of paths (directory + filename) of
files that are not to be included in the resulting policy. This list
is passed to filter-out to remove any paths you may want to ignore. This
is useful if you have numerous config directories that contain a file
and you want to NOT include a particular copy of it in your resulting
policy file, whether it is pulled in by UNION or by REPLACE.
e.g. Suppose the following:
     BOARD_SEPOLICY_DIRS := X Y
     BOARD_SEPOLICY_REPLACE := A
     BOARD_SEPOLICY_IGNORE := X/A

     Directories X and Y contain A.

     The resulting policy is created by using Y/A only; X/A was
     ignored.

Example BoardConfig.mk Usage:
From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk

BOARD_SEPOLICY_DIRS := \
        device/samsung/tuna/sepolicy

BOARD_SEPOLICY_UNION := \
        genfs_contexts \
        file_contexts \
        sepolicy.te

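The following Python is an added model of the selection rules described above (the REPLACE, UNION, DIRS and IGNORE semantics and the four error conditions); it is not the Android.mk build logic. The directories X and Y, the file A and the widget.te contents are constructed for the example.

```python
# Added model (not the Android.mk build logic) of how the BOARD_SEPOLICY_*
# variables described above select and merge device policy files.
#   base  : {name: text} for the files in external/sepolicy
#   tree  : {"dir/name": text} for files found under BOARD_SEPOLICY_DIRS
#   dirs/union/replace/ignore : the four BoardConfig.mk variables

def resolve_policy(base, tree, dirs, union, replace, ignore=()):
    """Return {name: text} of the merged policy, or raise ValueError."""
    if set(replace) & set(union):
        raise ValueError("file listed in both BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION")
    if replace and not dirs:
        raise ValueError("BOARD_SEPOLICY_REPLACE set but BOARD_SEPOLICY_DIRS is empty")
    ignored = set(ignore)

    def found(name):
        # Walk BOARD_SEPOLICY_DIRS in order; drop paths named in BOARD_SEPOLICY_IGNORE.
        paths = [f"{d}/{name}" for d in dirs]
        return [p for p in paths if p in tree and p not in ignored]

    out = dict(base)
    for name in replace:
        if name not in base:
            raise ValueError(f"{name}: no such file in external/sepolicy")
        paths = found(name)
        if len(paths) != 1:
            raise ValueError(f"{name}: expected exactly one copy on the search path, got {paths}")
        out[name] = tree[paths[0]]
    for name in union:
        # Concatenate every copy AFTER the external/sepolicy file, in search-path order.
        out[name] = "".join([base.get(name, "")] + [tree[p] for p in found(name)])
    return out

def check(base, tree, dirs, union, replace, ignore=()):
    """Return None if the configuration is valid, else the error message."""
    try:
        resolve_policy(base, tree, dirs, union, replace, ignore)
    except ValueError as e:
        return str(e)
    return None

# Constructed sample mirroring the README's "X Y / A / X/A" scenario plus a union.
BASE = {"A": "base A\n", "widget.te": "type widget, domain;\n"}
TREE = {"X/A": "X's A\n", "Y/A": "Y's A\n",
        "X/widget.te": "allow widget widget_device:chr_file rw_file_perms;\n",
        "Y/widget.te": "allow widget widget_data_file:file rw_file_perms;\n"}

def demo():
    return resolve_policy(BASE, TREE, dirs=["X", "Y"], union=["widget.te"],
                          replace=["A"], ignore=["X/A"])
```

Calling check() with the same inputs but without the ignore entry reproduces the "appears multiple times on the search path" error; dropping dirs reproduces the empty BOARD_SEPOLICY_DIRS error.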
     79 SPECIFIC POLICY FILE INFORMATION
     80 
     81 mac_permissions.xml:
     82   ABOUT:
     83     The mac_permissions.xml file is used for controlling the mmac solutions
     84     as well as mapping a public base16 signing key with an arbitrary seinfo
     85     string. Details of the files contents can be found in a comment at the
     86     top of that file. The seinfo string, previously mentioned, is the same string
     87     that is referenced in seapp_contexts.
     88 
     89     This file can be replaced through BOARD_SEPOLICY_REPLACE containing the
     90     value "mac_permissions.xml", or appended to by using the BOARD_SEPOLICY_UNION
     91     variable. It is important to note the final processed version of this file
     92     is stripped of comments and whitespace. This is to preserve space on the
     93     system.img. If one wishes to view it in a more human friendly format,
     94     the "tidy" or "xmllint" command will assist you.
     95 
     96   TOOLING:
     97     insertkeys.py
     98       Is a helper script for mapping arbitrary tags in the signature stanzas of
     99       mac_permissions.xml to public keys found in pem files. This script takes
    100       a mac_permissions.xml file(s) and configuration file in order to operate.
    101       Details of the configuration file (keys.conf) can be found in the subsection
    102       keys.conf. This tool is also responsible for stripping the comments and
    103       whitespace during processing.
    104 
    105       keys.conf
    106         The keys.conf file is used for controlling the mapping of "tags" found in
    107         the mac_permissions.xml signature stanzas with actual public keys found in
    108         pem files. The configuration file can be used in BOARD_SEPOLICY_UNION and
    109         BOARD_SEPOLICY_REPLACE variables and is processed via m4.
    110 
    111         The script allows for mapping any string contained in TARGET_BUILD_VARIANT
    112         with specific path to a pem file. Typically TARGET_BUILD_VARIANT is either
    113         user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
    114         any string specified in TARGET_BUILD_VARIANT. All tags are matched verbatim
    115         and all options are matched lowercase. The options are "tolowered" automatically
    116         for the user, it is convention to specify tags and options in all uppercase
    117         and tags start with @.
    118 
    119         NOTE: The pem files are base64 encoded and PackageManagerService, mac_permissions.xml
    120               and setool all use base16 encodings.
    121