sepolicy: add version_policy tool and version non-platform policy.

In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
author: dcashman 2016-10-12 16:58:09 -0500
committer: dcashman 2016-12-06 10:56:02 -0600
commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 (patch)
tree: adc2e5997637f8eef6c51fc50663d0d1066b7cb8 /reqd_mask
parent: fed665edcab272c8b6741fc3114da85754f13223 (diff)
download: system-sepolicy-2e00e6373faa6271d7839d33c5b9e69d998ff020.tar.gz
system-sepolicy-2e00e6373faa6271d7839d33c5b9e69d998ff020.tar.xz
system-sepolicy-2e00e6373faa6271d7839d33c5b9e69d998ff020.zip
11 files changed, 13 insertions, 0 deletions
diff --git a/reqd_mask/access_vectors b/reqd_mask/access_vectors
new file mode 120000
index 00000000..8312c073
--- /dev/null
+++ b/reqd_mask/access_vectors
@@ -0,0 +1 @@
+../private/access_vectors
+\ No newline at end of file
diff --git a/reqd_mask/initial_sid_contexts b/reqd_mask/initial_sid_contexts
new file mode 100644
index 00000000..aa465cd9
--- /dev/null
+++ b/reqd_mask/initial_sid_contexts
@@ -0,0 +1 @@
+sid reqd_mask u:r:reqd_mask_type:s0
diff --git a/reqd_mask/initial_sids b/reqd_mask/initial_sids
new file mode 100644
index 00000000..366cfb1f
--- /dev/null
+++ b/reqd_mask/initial_sids
@@ -0,0 +1,3 @@
+sid reqd_mask
+# FLASK
diff --git a/reqd_mask/mls b/reqd_mask/mls
new file mode 100644
index 00000000..d2769241
--- /dev/null
+++ b/reqd_mask/mls
@@ -0,0 +1 @@
+mlsconstrain binder { set_context_mgr } (l1 eq l2);
diff --git a/reqd_mask/mls_decl b/reqd_mask/mls_decl
new file mode 120000
index 00000000..5c505c97
--- /dev/null
+++ b/reqd_mask/mls_decl
@@ -0,0 +1 @@
+../private/mls_decl
+\ No newline at end of file
diff --git a/reqd_mask/mls_macros b/reqd_mask/mls_macros
new file mode 120000
index 00000000..323dd57a
--- /dev/null
+++ b/reqd_mask/mls_macros
@@ -0,0 +1 @@
+../private/mls_macros
+\ No newline at end of file
diff --git a/reqd_mask/reqd_mask.te b/reqd_mask/reqd_mask.te
new file mode 100644
index 00000000..f77eef43
--- /dev/null
+++ b/reqd_mask/reqd_mask.te
@@ -0,0 +1 @@
+type reqd_mask_type;
diff --git a/reqd_mask/roles b/reqd_mask/roles
new file mode 100644
index 00000000..926cb7a5
--- /dev/null
+++ b/reqd_mask/roles
@@ -0,0 +1 @@
+role r types reqd_mask_type;
diff --git a/reqd_mask/roles_decl b/reqd_mask/roles_decl
new file mode 100644
index 00000000..c84fcba0
--- /dev/null
+++ b/reqd_mask/roles_decl
@@ -0,0 +1 @@
+role r;
diff --git a/reqd_mask/security_classes b/reqd_mask/security_classes
new file mode 120000
index 00000000..40c1d1d0
--- /dev/null
+++ b/reqd_mask/security_classes
@@ -0,0 +1 @@
+../private/security_classes
+\ No newline at end of file
diff --git a/reqd_mask/users b/reqd_mask/users
new file mode 100644
index 00000000..51b7b57e
--- /dev/null
+++ b/reqd_mask/users
@@ -0,0 +1 @@
+user u roles { r } level s0 range s0 - mls_systemhigh;
author	dcashman	2016-10-12 16:58:09 -0500
committer	dcashman	2016-12-06 10:56:02 -0600
commit	2e00e6373faa6271d7839d33c5b9e69d998ff020 (patch)
tree	adc2e5997637f8eef6c51fc50663d0d1066b7cb8 /reqd_mask
parent	fed665edcab272c8b6741fc3114da85754f13223 (diff)
download	system-sepolicy-2e00e6373faa6271d7839d33c5b9e69d998ff020.tar.gz system-sepolicy-2e00e6373faa6271d7839d33c5b9e69d998ff020.tar.xz system-sepolicy-2e00e6373faa6271d7839d33c5b9e69d998ff020.zip

diff --git a/reqd_mask/access_vectors b/reqd_mask/access_vectors new file mode 120000 index 00000000..8312c073 --- /dev/null +++ b/reqd_mask/access_vectors
@@ -0,0 +1 @@
		../private/access_vectors \ No newline at end of file


diff --git a/reqd_mask/initial_sid_contexts b/reqd_mask/initial_sid_contexts new file mode 100644 index 00000000..aa465cd9 --- /dev/null +++ b/reqd_mask/initial_sid_contexts
@@ -0,0 +1 @@
		sid reqd_mask u:r:reqd_mask_type:s0


diff --git a/reqd_mask/initial_sids b/reqd_mask/initial_sids new file mode 100644 index 00000000..366cfb1f --- /dev/null +++ b/reqd_mask/initial_sids
@@ -0,0 +1,3 @@
	1	sid reqd_mask
	2
	3	# FLASK


diff --git a/reqd_mask/mls b/reqd_mask/mls new file mode 100644 index 00000000..d2769241 --- /dev/null +++ b/reqd_mask/mls
@@ -0,0 +1 @@
		mlsconstrain binder { set_context_mgr } (l1 eq l2);


diff --git a/reqd_mask/mls_decl b/reqd_mask/mls_decl new file mode 120000 index 00000000..5c505c97 --- /dev/null +++ b/reqd_mask/mls_decl
@@ -0,0 +1 @@
		../private/mls_decl \ No newline at end of file


diff --git a/reqd_mask/mls_macros b/reqd_mask/mls_macros new file mode 120000 index 00000000..323dd57a --- /dev/null +++ b/reqd_mask/mls_macros
@@ -0,0 +1 @@
		../private/mls_macros \ No newline at end of file


diff --git a/reqd_mask/reqd_mask.te b/reqd_mask/reqd_mask.te new file mode 100644 index 00000000..f77eef43 --- /dev/null +++ b/reqd_mask/reqd_mask.te
@@ -0,0 +1 @@
		type reqd_mask_type;


diff --git a/reqd_mask/roles b/reqd_mask/roles new file mode 100644 index 00000000..926cb7a5 --- /dev/null +++ b/reqd_mask/roles
@@ -0,0 +1 @@
		role r types reqd_mask_type;


diff --git a/reqd_mask/roles_decl b/reqd_mask/roles_decl new file mode 100644 index 00000000..c84fcba0 --- /dev/null +++ b/reqd_mask/roles_decl
@@ -0,0 +1 @@
		role r;


diff --git a/reqd_mask/security_classes b/reqd_mask/security_classes new file mode 120000 index 00000000..40c1d1d0 --- /dev/null +++ b/reqd_mask/security_classes
@@ -0,0 +1 @@
		../private/security_classes \ No newline at end of file


diff --git a/reqd_mask/users b/reqd_mask/users new file mode 100644 index 00000000..51b7b57e --- /dev/null +++ b/reqd_mask/users
@@ -0,0 +1 @@
		user u roles { r } level s0 range s0 - mls_systemhigh;