Home | History | Annotate | only in /external/sepolicy
Up to higher level directory
NameDateSize
access_vectors03-Dec-20149.2K
adbd.te03-Dec-20142.2K
Android.mk03-Dec-201410.4K
app.te03-Dec-201413.4K
attributes03-Dec-20141.6K
binderservicedomain.te03-Dec-2014784
bluetooth.te03-Dec-20142.2K
bootanim.te03-Dec-2014424
clatd.te03-Dec-2014841
debuggerd.te03-Dec-20141.3K
device.te03-Dec-20142.1K
dex2oat.te03-Dec-2014383
dhcp.te03-Dec-20141.1K
dnsmasq.te03-Dec-2014917
domain.te03-Dec-201411.7K
drmserver.te03-Dec-20141.7K
dumpstate.te03-Dec-20143.4K
file.te03-Dec-20146.5K
file_contexts03-Dec-201410.5K
fs_use03-Dec-2014818
genfs_contexts03-Dec-20141.8K
global_macros03-Dec-20142.6K
gpsd.te03-Dec-2014686
hci_attach.te03-Dec-2014313
healthd.te03-Dec-20141.5K
hostapd.te03-Dec-20141.1K
init.te03-Dec-20144.3K
init_shell.te03-Dec-2014455
initial_sid_contexts03-Dec-2014973
initial_sids03-Dec-2014416
inputflinger.te03-Dec-2014280
install_recovery.te03-Dec-20141,007
installd.te03-Dec-20144.2K
isolated_app.te03-Dec-2014631
kernel.te03-Dec-20142.6K
keys.conf03-Dec-2014851
keystore.te03-Dec-20141.1K
lmkd.te03-Dec-20141,003
logd.te03-Dec-2014992
mac_permissions.xml03-Dec-20141.3K
mdnsd.te03-Dec-2014118
mediaserver.te03-Dec-20142.9K
mls03-Dec-20144K
mls_macros03-Dec-20141.2K
mtp.te03-Dec-2014288
net.te03-Dec-2014852
netd.te03-Dec-20142.9K
nfc.te03-Dec-2014518
NOTICE03-Dec-20141K
platform_app.te03-Dec-20141K
policy_capabilities03-Dec-2014122
port_contexts03-Dec-201477
ppp.te03-Dec-2014493
property.te03-Dec-2014879
property_contexts03-Dec-20142.5K
racoon.te03-Dec-2014874
radio.te03-Dec-2014868
README03-Dec-20146.2K
recovery.te03-Dec-20144K
rild.te03-Dec-20141.7K
roles03-Dec-201429
runas.te03-Dec-2014913
sdcardd.te03-Dec-2014814
seapp_contexts03-Dec-20142K
security_classes03-Dec-20142.6K
selinux-network.sh03-Dec-20141K
service.te03-Dec-2014648
service_contexts03-Dec-20149.2K
servicemanager.te03-Dec-2014632
shared_relro.te03-Dec-2014442
shell.te03-Dec-20141.6K
su.te03-Dec-20141.5K
surfaceflinger.te03-Dec-20142.2K
system_app.te03-Dec-20142.2K
system_server.te03-Dec-201414.5K
te_macros03-Dec-201410.9K
tee.te03-Dec-2014434
tools/03-Dec-2014
ueventd.te03-Dec-20141.2K
unconfined.te03-Dec-20143.5K
uncrypt.te03-Dec-2014899
untrusted_app.te03-Dec-20143.4K
users03-Dec-201455
vdc.te03-Dec-2014622
vold.te03-Dec-20142.9K
watchdogd.te03-Dec-2014420
wpa.te03-Dec-20141.1K
zygote.te03-Dec-20142.4K

README

      1 Policy Generation:
      2 
      3 Additional, per device, policy files can be added into the
      4 policy build.
      5 
      6 They can be configured through the use of four variables,
      7 they are:
      8 1. BOARD_SEPOLICY_REPLACE
      9 2. BOARD_SEPOLICY_UNION
     10 3. BOARD_SEPOLICY_DIRS
     11 4. BOARD_SEPOLICY_IGNORE
     12 
     13 The variables should be set in the BoardConfig.mk file in
     14 the device or vendor directories.
     15 
     16 BOARD_SEPOLICY_UNION is a list of files that will be
     17 "unioned", IE concatenated, at the END of their respective
     18 file in external/sepolicy. Note, to add a unique file you
     19 would use this variable.
     20 
     21 BOARD_SEPOLICY_REPLACE is a list of files that will be
     22 used instead of the corresponding file in external/sepolicy.
     23 
     24 BOARD_SEPOLICY_DIRS contains a list of directories to search
     25 for BOARD_SEPOLICY_UNION and BOARD_SEPOLICY_REPLACE files. Order
     26 matters in this list.
     27 eg.) If you have BOARD_SEPOLICY_UNION += widget.te and have 2
     28 instances of widget.te files on BOARD_SEPOLICY_DIRS search path.
     29 The first one found (at the first search dir containing the file)
     30 gets processed first.
     31 Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
     32 will help sort out ordering issues.
     33 
     34 It is an error to specify a BOARD_POLICY_REPLACE file that does
     35 not exist in external/sepolicy.
     36 
     37 It is an error to specify a BOARD_POLICY_REPLACE file that appears
     38 multiple times on the policy search path defined by BOARD_SEPOLICY_DIRS.
     39 eg.) if you specify shell.te in BOARD_SEPOLICY_REPLACE and
     40 BOARD_SEPOLICY_DIRS is set to
     41 "vendor/widget/common/sepolicy device/widget/x/sepolicy" and shell.te
     42 appears in both locations, it is an error. Unless it is in
     43 BOARD_SEPOLICY_IGNORE to be filtered out. See BOARD_SEPOLICY_IGNORE
     44 for more details.
     45 
     46 It is an error to specify the same file name in both
     47 BOARD_POLICY_REPLACE and BOARD_POLICY_UNION.
     48 
     49 It is an error to specify a BOARD_SEPOLICY_DIRS that has no entries when
     50 specifying BOARD_SEPOLICY_REPLACE.
     51 
     52 It is an error to specify a BOARD_POLICY_UNION file that
     53 doesn't appear in any of the BOARD_SEPOLICY_DIRS locations.
     54 
     55 BOARD_SEPOLICY_IGNORE is a list of paths (directory + filename) of
     56 files that are not to be included in the resulting policy. This list
     57 is passed to filter-out to remove any paths you may want to ignore. This
     58 is useful if you have numerous config directories that contain a file
     59 and you want to NOT include a particular file in your resulting
     60 policy file, either by UNION or REPLACE.
     61 Eg.) Suppose the following:
     62      BOARD_SEPOLICY_DIRS += X Y
     63      BOARD_SEPOLICY_REPLACE += A
     64      BOARD_SEPOLICY_IGNORE += X/A
     65 
     66      Directories X and Y contain A.
     67 
     68      The resulting policy is created by using Y/A only, thus X/A was
     69      ignored.
     70 
     71 Example BoardConfig.mk Usage:
     72 From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk
     73 
     74 BOARD_SEPOLICY_DIRS += \
     75         device/samsung/tuna/sepolicy
     76 
     77 BOARD_SEPOLICY_UNION += \
     78         genfs_contexts \
     79         file_contexts \
     80         sepolicy.te
     81 
     82 SPECIFIC POLICY FILE INFORMATION
     83 
     84 mac_permissions.xml:
     85   ABOUT:
     86     The mac_permissions.xml file is used for controlling the mmac solutions
     87     as well as mapping a public base16 signing key with an arbitrary seinfo
     88     string. Details of the files contents can be found in a comment at the
     89     top of that file. The seinfo string, previously mentioned, is the same string
     90     that is referenced in seapp_contexts.
     91 
     92     This file can be replaced through BOARD_SEPOLICY_REPLACE containing the
     93     value "mac_permissions.xml", or appended to by using the BOARD_SEPOLICY_UNION
     94     variable. It is important to note the final processed version of this file
     95     is stripped of comments and whitespace. This is to preserve space on the
     96     system.img. If one wishes to view it in a more human friendly format,
     97     the "tidy" or "xmllint" command will assist you.
     98 
     99   TOOLING:
    100     insertkeys.py
    101       Is a helper script for mapping arbitrary tags in the signature stanzas of
    102       mac_permissions.xml to public keys found in pem files. This script takes
    103       a mac_permissions.xml file(s) and configuration file in order to operate.
    104       Details of the configuration file (keys.conf) can be found in the subsection
    105       keys.conf. This tool is also responsible for stripping the comments and
    106       whitespace during processing.
    107 
    108       keys.conf
    109         The keys.conf file is used for controlling the mapping of "tags" found in
    110         the mac_permissions.xml signature stanzas with actual public keys found in
    111         pem files. The configuration file can be used in BOARD_SEPOLICY_UNION and
    112         BOARD_SEPOLICY_REPLACE variables and is processed via m4.
    113 
    114         The script allows for mapping any string contained in TARGET_BUILD_VARIANT
    115         with specific path to a pem file. Typically TARGET_BUILD_VARIANT is either
    116         user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
    117         any string specified in TARGET_BUILD_VARIANT. All tags are matched verbatim
    118         and all options are matched lowercase. The options are "tolowered" automatically
    119         for the user, it is convention to specify tags and options in all uppercase
    120         and tags start with @. The option arguments can also use environment variables
    121         via the familiar $VARIABLE syntax. This is often useful for setting a location
    122         to ones release keys.
    123 
    124         Often times, one will need to integrate an application that was signed by a separate
    125         organization and may need to extract the pem file for the insertkeys/keys.conf tools.
    126         Extraction of the public key in the pem format is possible via openssl. First you need
    127         to unzip the apk, once it is unzipped, cd into the META_INF directory and then execute
    128         openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM  -print_certs
    129         On some occasions CERT.RSA has a different name, and you will need to adjust for that.
    130         After extracting the pem, you can rename it, and configure keys.conf and
    131         mac_permissions.xml to pick up the change. You MUST open the generated pem file in a text
    132         editor and strip out anything outside the opening and closing scissor lines. Failure to do
    133         so WILL cause a compile time issue thrown by insertkeys.py
    134 
    135         NOTE: The pem files are base64 encoded and PackageManagerService, mac_permissions.xml
    136               and setool all use base16 encodings.
    137