Skip to content
Snippets Groups Projects
Commit 29b74271 authored by Nick Kralevich's avatar Nick Kralevich Committed by Android Git Automerger
Browse files

am e4da594d: Merge "Delete unconfined domain" 

* commit 'e4da594d':
  Delete unconfined domain
parents 547aa018 e4da594d
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Android.mk
+ 0
19
View file @ 29b74271
...@@ -2,22 +2,6 @@ LOCAL_PATH:= $(call my-dir) ...@@ -2,22 +2,6 @@ LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS) include $(CLEAR_VARS)
# Force permissive domains to be unconfined+enforcing?
#
# During development, this should be set to false.
# Permissive means permissive.
#
# When we're close to a release and SELinux new policy development
# is frozen, we should flip this to true. This forces any currently
# permissive domains into unconfined+enforcing.
#
FORCE_PERMISSIVE_TO_UNCONFINED ?= false
ifeq ($(TARGET_BUILD_VARIANT),user)
# User builds are always forced unconfined+enforcing
FORCE_PERMISSIVE_TO_UNCONFINED := true
endif
# SELinux policy version. # SELinux policy version.
# Must be <= /selinux/policyvers reported by the Android kernel. # Must be <= /selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V. # Must be within the compatibility range reported by checkpolicy -V.
...@@ -114,7 +98,6 @@ $(sepolicy_policy.conf) : $(call build_policy, $(sepolicy_build_files)) ...@@ -114,7 +98,6 @@ $(sepolicy_policy.conf) : $(call build_policy, $(sepolicy_build_files))
@mkdir -p $(dir $@) @mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \ $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \ -D target_build_variant=$(TARGET_BUILD_VARIANT) \
-D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
-s $^ > $@ -s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
...@@ -142,7 +125,6 @@ $(sepolicy_policy_recovery.conf) : $(call build_policy, $(sepolicy_build_files)) ...@@ -142,7 +125,6 @@ $(sepolicy_policy_recovery.conf) : $(call build_policy, $(sepolicy_build_files))
@mkdir -p $(dir $@) @mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \ $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \ -D target_build_variant=$(TARGET_BUILD_VARIANT) \
-D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
-D target_recovery=true \ -D target_recovery=true \
-s $^ > $@ -s $^ > $@
...@@ -171,7 +153,6 @@ $(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files) ...@@ -171,7 +153,6 @@ $(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
mkdir -p $(dir $@) mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \ $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=user \ -D target_build_variant=user \
-D force_permissive_to_unconfined=true \
-s $^ > $@ -s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
......
attributes
+ 0
3
View file @ 29b74271
...@@ -56,9 +56,6 @@ attribute mlstrustedsubject; ...@@ -56,9 +56,6 @@ attribute mlstrustedsubject;
# i.e. files that can be read by lower and written by higher # i.e. files that can be read by lower and written by higher
attribute mlstrustedobject; attribute mlstrustedobject;
# Domains that are allowed all permissions ("unconfined").
attribute unconfineddomain;
# All domains used for apps. # All domains used for apps.
attribute appdomain; attribute appdomain;
......
te_macros
+ 0
22
View file @ 29b74271
...@@ -70,17 +70,6 @@ allow $1 $2:dir r_dir_perms; ...@@ -70,17 +70,6 @@ allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms; allow $1 $2:{ file lnk_file } r_file_perms;
') ')
#####################################
# unconfined_domain(domain)
# Allow the specified domain to perform more privileged operations
# than would be typically allowed. Please see the comments at the
# top of unconfined.te.
#
define(`unconfined_domain', `
typeattribute $1 mlstrustedsubject;
typeattribute $1 unconfineddomain;
')
##################################### #####################################
# tmpfs_domain(domain) # tmpfs_domain(domain)
# Define and allow access to a unique type for # Define and allow access to a unique type for
...@@ -307,17 +296,6 @@ define(`recovery_only', ifelse(target_recovery, `true', $1, )) ...@@ -307,17 +296,6 @@ define(`recovery_only', ifelse(target_recovery, `true', $1, ))
# #
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1))) define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
#####################################
# permissive_or_unconfined
# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
# and "unconfined($1)" otherwise.
#
# This is used for experimental domains, where we want to ensure
# the domain is unconfined+enforcing once new SELinux policy development
# has ceased.
#
define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))
##################################### #####################################
# write_logd(domain) # write_logd(domain)
# Ability to write to android log # Ability to write to android log
......
unconfined.te deleted 100644 → 0
+ 0
93
View file @ 547aa018
#######################################################
#
# This is the unconfined template. This template is the base policy
# which is used by daemons and other privileged components of
# Android.
#
# Historically, this template was called "unconfined" because it
# allowed the domain to do anything it wanted. Over time,
# this has changed, and will continue to change in the future.
# The rules in this file will be removed when no remaining
# unconfined domains require it, or when the rules contradict
# Android security best practices. Domains which need rules not
# provided by the unconfined template should add them directly to
# the relevant policy.
#
# The use of this template is discouraged.
######################################################
allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable };
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms;
allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
allow unconfineddomain domain:{
socket
netlink_socket
key_socket
unix_stream_socket
unix_dgram_socket
netlink_route_socket
netlink_firewall_socket
netlink_tcpdiag_socket
netlink_nflog_socket
netlink_xfrm_socket
netlink_selinux_socket
netlink_audit_socket
netlink_ip6fw_socket
netlink_dnrt_socket
netlink_kobject_uevent_socket
tun_socket
} *;
allow unconfineddomain domain:key *;
allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
allow unconfineddomain {
file_type
-keystore_data_file
-property_data_file
-system_file
-exec_type
-security_file
-shell_data_file
-app_data_file
-unlabeled
}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
allow unconfineddomain exec_type:dir r_dir_perms;
allow unconfineddomain exec_type:file { r_file_perms execute };
allow unconfineddomain exec_type:lnk_file r_file_perms;
allow unconfineddomain system_file:dir r_dir_perms;
allow unconfineddomain system_file:file { r_file_perms execute };
allow unconfineddomain system_file:lnk_file r_file_perms;
allow unconfineddomain {
fs_type
-usermodehelper
-proc_security
-contextmount_type
-rootfs
-sdcard_type
-device
}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
allow unconfineddomain {dev_type -device -kmem_device -hw_random_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
allow unconfineddomain {
file_type
-keystore_data_file
-property_data_file
-system_file
-exec_type
-security_file
-shell_data_file
-app_data_file
-unlabeled
-dalvikcache_data_file
}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
allow unconfineddomain rootfs:file execute;
allow unconfineddomain contextmount_type:dir r_dir_perms;
allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
allow unconfineddomain node_type:node *;
allow unconfineddomain netif_type:netif *;
allow unconfineddomain domain:peer recv;
allow unconfineddomain { domain -init }:binder { call transfer };
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment