This patch allows mips to boot in enforcing mode.

Change-Id: Ia4676db06adc3ccb20d5f231406cf4ab67317496

Strip whitespace and comments from service_context files
to reduce size. On an aosp_x86_64 build it saves 36 bytes.

However, on builds with more synclines and comments, further
space savings can be realized.

Change-Id: I3cb4effad1d1b404bf53605a3793e3070cb95651
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Strip whitespace and comments from property_context files
to reduce size. On an aosp_x86_64 build it saves 851 bytes.

However, on builds with more synclines and comments, further
space savings can be realized.

Change-Id: I43caf1deaab53d4753c835918898c8982f477ef0
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Bug: 27954979
Change-Id: Ia0403e2dc2726523a41742e23beff29b47274392

checkpolicy spits out a bunch of unnecessary lines during normal
operation, which bloat the logs and hide other more important
warnings. Suppress the normal output.

SELinux compile time errors are printed to stderr, and are
uneffected by this change.

Change-Id: I07f2cbe8afcd14abf1c025355a169b5214ed5c6e

It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.

In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.

A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:

  userdebug_or_eng(`
    permissive foo;
  ')

Bug: 26902605
Bug: 27313768

(cherry picked from commit bca98efa)

Change-Id: If6abe1fa70c79a1fccdbdd9ff273d92de7565a73

It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.

In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.

A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:

  userdebug_or_eng(`
    permissive foo;
  ')

Bug: 26902605
Bug: 27313768
Change-Id: Ic0971d9e96a28f2a98f9d56a547661d24fb81a21

Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: I3775eae11bfa5905cad0d02a0bf26c76ac03437c
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Breaks builds with no device specific policy.

Bug: 26568553
This reverts commit 29d14688.

Change-Id: If9254d4ad3f104a96325beedebc05dd22664084a

Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: Id79cc6f434c41179d5c0d0d739c4718918b0b1dc
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Reduce the socket ioctl commands available to untrusted/isolated apps.
Neverallow accessing sensitive information or setting of network parameters.
Neverallow access to device private ioctls i.e. device specific
customizations as these are a common source of driver bugs.

Define common ioctl commands in ioctl_defines.

Bug: 26267358
Change-Id: Ic5c0af066e26d4cb2867568f53a3e65c5e3b5a5d

Discovered by diffing the set of "set variables" with
the set of "cleared variables".

Script:

mydir=$(mktemp -d)

grep -E '(^[a-z].)[a-z0-9_\.]*\s*:?=.' Android.mk  | cut -d' ' -f 1-1 | sort | uniq > $mydir/set_vars
grep -E '(^[a-z].)[a-z0-9_\.]*\s*:?=$' Android.mk | cut -d' ' -f1-1 | sort | uniq > $mydir/unset_vars
diff $mydir/set_vars $mydir/unset_vars
rm -rf $mydir

Change-Id: Ib50abac6b417a1bcc1894d9a7bafdbdca371006a
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Dependencies being built with newline files in between
were also including the list of files without the newlines,
thus make would have to process 3n-1 files instead of 2n-1
where n is the number of files to process.

Additionally the *_with_nl variables were not being cleared
out and polluting Make's global name-space.

Change-Id: I76ea1a3dfae994b32991730aea7e4308da52a583
Signed-off-by: William Roberts <william.c.roberts@intel.com>

The target sectxfile_nl, which is an auto-generated newline file,
has dependencies on itself and the other files. The dependencies
should be on the other files and this newline file, not the other
way around. Ideally, the *_contexts recipes should have the
dependency recorded for their "contexts" files and the newline
file.

Additionally, recipe dependencies for building the *_contexts files
depended on the list of all the contexts files with the newline file
in that list, however an additional explicit addition of the newline
file was also added in. Remove this, since its in the full list of
files.

Change-Id: Iac658923f23a8d9263d392c44003b6bda4064646
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Enable checkfc to check *_contexts against a set of valid attributes
which must be associated with all types in the contexts file that
is being checked.

Since it's imperative that checkfc knows which file its checking to
choose the proper attribute set, the -s option is introduced to
indicate the service_contexts file. The property_contexts file continues
to use the existing -p and file_contexts requires no specification, aka
it's the default.

Failure examples:
file_contexts:
Error: type "init" is not of set: "fs_type, dev_type, file_type"

service_contexts:
Error: type "init_exec" is not of set: "service_manager_type"

property_contexts:
Error: type "bluetooth_service" is not of set: "property_type"

Change-Id: I62077e4d0760858a9459e753e14dfd209868080f
Signed-off-by: William Roberts <william.c.roberts@intel.com>

When multiple file_contexts, service_contexts and property_contexts
are processed by the m4(1) macro processor, they will fail if one
or more of the intermediate files final line is not terminated by
a newline. This patch adds an intervening file only containing a
newline.

Change-Id: Ie66b32fe477d08c69e6d6eb1725f658adc384ce4
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>

Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3

This reverts commit 2ea23a6e.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca

This reverts commit 2ea23a6e.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca

Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3

Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.

(cherry picked from commit 89765083)

Bug: 22846070

Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4

When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ib9dcbf21d0a28700d500cf0ea4e412b009758d5d
Signed-off-by: William Roberts <william.c.roberts@intel.com>

When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ia86eb0480c9493ceab36fed779b2fe6ab85d2b3d
Signed-off-by: William Roberts <william.c.roberts@intel.com>

This reverts commit 7f81b337.

Change-Id: I79834d0ef3adbf2eed53b07d17160876e2a999c6

This reverts commit f6ee7a52.

Change-Id: I4f1396e6e4aeecd1109f9c24494c6e82645c0663

When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ib9c9247d36e6a6406b4df84d10e982921c07d492
Signed-off-by: William Roberts <william.c.roberts@intel.com>

When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: I431d6f4494fa119c1873eab0e77f0eed3fb5754e
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Currently, if an error is detected in a file_contexts
file, the intermediate file_context.tmp file is removed,
thus making debugging of build issues problematic.

Instead, employ checkfc tool during the compilation recipe
so the m4 concatenated intermediate is preserved on
failure.

Change-Id: Ic827385d3bc3434b6c2a9bba5313cd42b5f15599
Signed-off-by: William Roberts <william.c.roberts@intel.com>

The goal is to enable SANITIZE_TARGET='address coverage', which
will be used by LLVMFuzzer.

Bug: 22850550
Change-Id: I953649186a7fae9b2495159237521f264d1de3b6

Change-Id: Ic70a1208b67fe3961871cdeb39369c2ed3e0ce28
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Some of the ALL_*_FILES variables remained that were used
in a way that could not be cleared. Move them to lower
case variants and use a build recipe PRIVATE_*_FILES variable.
This avoids polluting the global namespace.

Change-Id: I83748dab48141af7d3f10ad27fc9319eaf90b970
Signed-off-by: William Roberts <william.c.roberts@intel.com>

This change supports external/libselinux changes to implement
PCRE formatted binary file_contexts and general_file_contexts.bin
files.

The $(intermediates) directory will contain the original text file
(that is no longer used on the device) with a .tmp extension as well
as the .bin file to aid analysis.

A CleanSpec.mk file is added to remove the old file_contexts file.

Change-Id: I75a781100082c23536f70ce3603f7de42408b5ba
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>

There are no guarantees on the order of the results from a call to the
wildcard function. In fact, the order usually changes between make 3.81
and make 4.0 (and kati).

Instead, sort the results of wildcard in each sepolicy directory, so
that directory order is preserved, but content ordering is reliable.

Change-Id: I1620f89bbdd2b2902f2e0c40526e893ccf5f7775

Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.

Bug: 22846070

Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4

Allow device builders to pass arbitrary m4 definitions
during the build via make variable BOARD_SEPOLICY_M4DEFS.
This enables OEMs to define their own static policy build
conditionals.

Change-Id: Ibea1dbb7b8615576c5668e47f16ed0eedfa0b73c
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Improve incremental ninja builds by keeping the command line the same
across builds.

Change-Id: Iedbaa40c9f816f91afc8f073a9ed7f9ffd5d9a53

Change-Id: Iae3edba40a94f78e78c0cc89a03e3f5a098d3909
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Lowercase local variables and clear them to be
consistent with other recipes and prevent polluting
Make's global name space with set variables.

Change-Id: If455cd4f33d5babbea985867a711e8a10c21a00f
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Change-Id: I040904b69b98c49d60546f024f5ace5b7c6f7d5e
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Change-Id: Ie800ebf9d8e68680ec377e8c51f7cd7717f3c755
Signed-off-by: William Roberts <william.c.roberts@intel.com>