Merge "Support forcing permissive domains to unconfined."

7611b608 · Nick Kralevich · Gerrit Code Review · 570e5f43 · 623975fa · 7611b608
Commit 7611b608 authored 11 years ago by Nick Kralevich Committed by Gerrit Code Review 11 years ago
--- a/Android.mk
+++ b/Android.mk
@@ -2,6 +2,22 @@ LOCAL_PATH:= $(call my-dir)
 include $(CLEAR_VARS)
+# Force permissive domains to be unconfined+enforcing?
+#
+# During development, this should be set to false.
+# Permissive means permissive.
+#
+# When we're close to a release and SELinux new policy development
+# is frozen, we should flip this to true. This forces any currently
+# permissive domains into unconfined+enforcing.
+#
+FORCE_PERMISSIVE_TO_UNCONFINED:=false
+ifeq ($(TARGET_BUILD_VARIANT),user)
+  # User builds are always forced unconfined+enforcing
+  FORCE_PERMISSIVE_TO_UNCONFINED:=true
+endif
 # SELinux policy version.
 # Must be <= /selinux/policyvers reported by the Android kernel.
 # Must be within the compatibility range reported by checkpolicy -V.
@@ -69,7 +85,10 @@ $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -D target_build_variant=$(TARGET_BUILD_VARIANT) -s $^ > $@
+	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
+		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 $(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy

--- a/bluetooth.te
+++ b/bluetooth.te
 # bluetooth subsystem
 type bluetooth, domain;
-permissive bluetooth;
+permissive_or_unconfined(bluetooth)
 app_domain(bluetooth)
 # Data file accesses.
@@ -50,4 +50,4 @@ allow bluetooth bluetooth_prop:property_service set;
 # Superuser capabilities.
 # bluetooth requires net_admin.
-neverallow bluetooth self:capability ~net_admin;
+neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
--- a/dhcp.te
+++ b/dhcp.te
 type dhcp, domain;
-permissive dhcp;
+permissive_or_unconfined(dhcp)
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;

--- a/drmserver.te
+++ b/drmserver.te
 # drmserver - DRM service
 type drmserver, domain;
-permissive drmserver;
+permissive_or_unconfined(drmserver)
 type drmserver_exec, exec_type, file_type;
 init_daemon_domain(drmserver)

--- a/dumpstate.te
+++ b/dumpstate.te
 # dumpstate
 type dumpstate, domain;
-permissive dumpstate;
+permissive_or_unconfined(dumpstate)
 type dumpstate_exec, exec_type, file_type;
 init_daemon_domain(dumpstate)

--- a/hci_attach.te
+++ b/hci_attach.te
 type hci_attach, domain;
-permissive hci_attach;
+permissive_or_unconfined(hci_attach)
 type hci_attach_exec, exec_type, file_type;
 init_daemon_domain(hci_attach)

--- a/hostapd.te
+++ b/hostapd.te
 # userspace wifi access points
 type hostapd, domain;
-permissive hostapd;
+permissive_or_unconfined(hostapd)
 type hostapd_exec, exec_type, file_type;
 allow hostapd self:capability { net_admin net_raw setuid setgid };

--- a/mediaserver.te
+++ b/mediaserver.te
 # mediaserver - multimedia daemon
 type mediaserver, domain;
-permissive mediaserver;
+permissive_or_unconfined(mediaserver)
 type mediaserver_exec, exec_type, file_type;
 typeattribute mediaserver mlstrustedsubject;

--- a/platform_app.te
+++ b/platform_app.te
@@ -3,7 +3,7 @@
 ###
 type platform_app, domain;
-permissive platform_app;
+permissive_or_unconfined(platform_app)
 app_domain(platform_app)
 platform_app_domain(platform_app)
 # Access the network.

--- a/release_app.te
+++ b/release_app.te
@@ -3,7 +3,7 @@
 ###
 type release_app, domain;
-permissive release_app;
+permissive_or_unconfined(release_app)
 app_domain(release_app)
 platform_app_domain(release_app)
 # Access the network.

--- a/rild.te
+++ b/rild.te
 # rild - radio interface layer daemon
 type rild, domain;
-permissive rild;
+permissive_or_unconfined(rild)
 type rild_exec, exec_type, file_type;
 init_daemon_domain(rild)

--- a/sdcardd.te
+++ b/sdcardd.te
 type sdcardd, domain;
-permissive sdcardd;
+permissive_or_unconfined(sdcardd)
 type sdcardd_exec, exec_type, file_type;
 init_daemon_domain(sdcardd)

--- a/shared_app.te
+++ b/shared_app.te
@@ -3,7 +3,7 @@
 ###
 type shared_app, domain;
-permissive shared_app;
+permissive_or_unconfined(shared_app)
 app_domain(shared_app)
 platform_app_domain(shared_app)
 # Access the network.

--- a/surfaceflinger.te
+++ b/surfaceflinger.te
 # surfaceflinger - display compositor service
 type surfaceflinger, domain;
-permissive surfaceflinger;
+permissive_or_unconfined(surfaceflinger)
 type surfaceflinger_exec, exec_type, file_type;
 init_daemon_domain(surfaceflinger)

--- a/system_app.te
+++ b/system_app.te
@@ -4,7 +4,7 @@
 # server.
 #
 type system_app, domain;
-permissive system_app;
+permissive_or_unconfined(system_app)
 app_domain(system_app)
 # Perform binder IPC to any app domain.

--- a/system_server.te
+++ b/system_server.te
@@ -3,7 +3,7 @@
 # Most of the framework services run in this process.
 #
 type system_server, domain, mlstrustedsubject;
-permissive system_server;
+permissive_or_unconfined(system_server)
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)

--- a/te_macros
+++ b/te_macros
@@ -327,3 +327,14 @@ define(`non_system_app_set', `{ appdomain -system_app }')
 # SELinux rules which apply only to userdebug or eng builds
 #
 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
+#####################################
+# permissive_or_unconfined
+# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
+# and "unconfined($1)" otherwise.
+#
+# This is used for experimental domains, where we want to ensure
+# the domain is unconfined+enforcing once new SELinux policy development
+# has ceased.
+#
+define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -10,7 +10,7 @@
 ###
 type untrusted_app, domain;
-permissive untrusted_app;
+permissive_or_unconfined(untrusted_app)
 app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)

--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
 # wpa - wpa supplicant or equivalent
 type wpa, domain;
-permissive wpa;
+permissive_or_unconfined(wpa)
 type wpa_exec, exec_type, file_type;
 init_daemon_domain(wpa)