I8560fa5ad125bf31f0d13be513431697bc7d22bb changed the zygote
to limit the bounding capability set to CAP_NET_RAW.  This triggers
a CAP_SETPCAP check by the kernel, which requires SELinux setpcap permission.

Change-Id: Ib910d97dcf708273e2806e2824f4abe9fc239d6d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

A prior change added an entry for adb_keys without any security context,
yielding warnings like the following during build:
out/target/product/manta/root/file_contexts:  line 7 is missing fields, skipping

This adds the missing security context field.

Change-Id: If48731c8aa7d22a3f547d0854f288ff68f9006da
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

It may be useful to generate an ext4 image of the root filesystem
instead of using a ramdisk.  Whitelist entries in file_contexts to
support selinux labeling a root filesystem image.

Change-Id: I91a38d0aee4408c46cbfe5dc5e6eda198572e90f

label all persist.audio.* properties
and allow mediaserver access to them.

Change-Id: If5755d9783dce298e66a25bcb7f17ff17bd83ea7

Add policy for run-as program and label it in file_contexts.
Drop MLS constraints on local socket checks other than create/relabel
as this interferes with connections with services, in particular for
adb forward.

Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I06ea2b400cc826c684b6ad25e12b021c2667b48a

This README intends to document the various configuration options
that exist for specifiying device specific additions to the policy.

Change-Id: I7db708429a67deeb89b0c155a116606dcbbbc975

Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.

Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit 'df822f41':
  Add SELinux policy for asec containers.

* commit 'cdfb06f5':
  Moved Android policy tools to tools directory

This reverts commit af56ac19.

Change-Id: Id658a90b58ea31365051c0878c58393fd055fc69

Change-Id: I57b0dd9f8071eae492020f410c87f465ba820711

* commit 'f6647eb9':
  Change 0 to NULL Byte

Change-Id: I16b47f8dbf64e8dffb550b5a89321f920604ef7a

Change-Id: I3112f4cf0fafb6e7e3c9c60084a097f5e6190c22

This is a rewrite of the existing implementation.
Three new variables are now needed to add/modify
the exisitng base policy. They are, BOARD_SEPOLICY_REPLACE
and BOARD_SEPOLICY_UNION which govern what files
are replaced and concatenated, and BOARD_SEPOLICY_DIRS
which lists the various directories that will contain
the BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION
policy files.

Change-Id: Id33381268cef03245c56bc5242fec7da9b6c6493
Signed-off-by: rpcraig <robertpcraig@gmail.com>

* commit 'd8b122c7':
  Use file target as dependency.

"sepolicy" is a phony target defined by the build system.
If you use it as dependency of a file target, you'll get unnecessary
rebuild.

Change-Id: I3a948ebbaff6a146050eb86a3d04cdc050f7c001

* commit '5dbfdc0b':
  Add double free protection to checkseapp.

A double free error occurs when building with non glibc
devices. The hdestroy() function frees all comparison
keys internally in these cases. So avoid an explicit
call to free().

Change-Id: If9c5dc1a969605cd1eeb9218de02a9f8dbbd3ae1
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Creates 2 new types:
- asec_apk_file : files found under /mnt/asec
                  when the asec images are mounted
- asec_image_file : the actual encrypted apks under
                    /data/app-asec

Change-Id: I963472add1980ac068d3a6d36a24f27233022832
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

am 6766cc9e: Merge "allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access"

* commit '6766cc9e':
  allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access

* commit '91c12e3c':
  file class macro cleanup

* commit '01a58af1':
  Add a checkfc utility to check file_contexts validity and invoke it.

Change-Id: I4b12dc3dcb432edbdf95dd3bc97f809912ce86d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This reverts commit b620dc60.

(cherry picked from commit 128db962)

Change-Id: I21227e6232c925a42597e5c8fc0fcc0585d7a876

* commit '659aaced':
  Remove HAVE_SELINUX guard

- allow all apps to connect to the keystore over unix socket
- dhcp runs scripts in /system/etc/dhcpcd/dhcpcd-hooks and creates/removes lease files
- mtp connects to dnsproxyd when a pptp vpn connection is established
- allow appdomain to also open qtaguid_proc and release_app to read qtaguid_device
- WifiWatchDog uses packet_socket when wifi comes up
- apps interact with isolated_apps when an app uses an isolated service and uses sockets for that interaction
- for apps with levelFromUid=true to interact with isolated_app, isolated_app must be an mlstrustedsubject

Change-Id: I09ff676267ab588ad4c73f04d8f23dba863c5949
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>

Change-Id: I45b4a749bf4fb085d96d912871bae33aa5288119

Change-Id: I328bc882b3d6e200742e017aa23154fb01e638a5

* commit '3ac1d26a':
  Switch app_* and isolated to _app and _isolated in seapp_contexts.

The app_* syntax was a legacy of the original approach of looking up
the username returned by getpwuid() and the original username encoding
scheme by bionic.  With the recent changes to move away from this approach,
there is no reason to retain that syntax.  Instead, just use _app to match
app UIDs and _isolated to match isolated service UIDs.  The underscore
prefix is to signify that these are not real usernames and to avoid
conflicts with any system usernames.

Requires a corresponding change to libselinux.

Change-Id: Ic388a12c1c9d3e47386c8849db607140ef8a3d75
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '061f254d':
  Define security labeling for isolated processes.