
Commit a5dfcb45 authored by William Roberts's avatar William Roberts Committed by Ricardo Cerqueira

Update location of policy files

The location of policy files has changed from
/data/system to /data/security.

Also renames the MMAC enforcing property
to place it under the persist.mmac. namespace.

Adds APIs for getting and setting the MMAC
enforcing mode.

Change-Id: I0e9468fe651cd6ec018d5c85d35d693e55479e89
parent 81a56239
+20 −3
@@ -49,7 +49,7 @@ public final class SELinuxMMAC {

    private static final String TAG = "SELinuxMMAC";
    private static final String MMAC_DENY = "MMAC_DENIAL:";

    private static final String MMAC_ENFORCE_PROPERTY = "persist.mmac.enforce";
    private static final boolean DEBUG_POLICY = true;
    private static final boolean DEBUG_POLICY_INSTALL = DEBUG_POLICY || false;

@@ -63,7 +63,7 @@ public final class SELinuxMMAC {

    // Locations of potential install policy files.
    private static final File[] INSTALL_POLICY_FILE = {
        new File(Environment.getDataDirectory(), "system/mac_permissions.xml"),
        new File(Environment.getDataDirectory(), "security/mac_permissions.xml"),
        new File(Environment.getRootDirectory(), "etc/security/mac_permissions.xml"),
        null};

@@ -82,6 +82,23 @@ public final class SELinuxMMAC {
        return readInstallPolicy(INSTALL_POLICY_FILE);
    }

    /**
     * Returns the current status of MMAC enforcing mode.
     * @param none
     * @return boolean indicating whether or not the device is in enforcing mode.
     */
    public static boolean getEnforcingMode() {
        return SystemProperties.getBoolean(MMAC_ENFORCE_PROPERTY, false);
    }

    /**
     * Returns the current status of MMAC enforcing mode.
     * @param boolean value to set the enforcing state too.
     */
    public static void setEnforcingMode(boolean value) {
        SystemProperties.set(MMAC_ENFORCE_PROPERTY, value ? "1" : "0");
    }

    /**
     * Parses an MMAC install policy given as an argument.
     * @param File object representing the path of the policy.
@@ -113,7 +130,7 @@ public final class SELinuxMMAC {

        Slog.d(TAG, "MMAC install enabled using file " + policyFiles[i].getPath());

        boolean enforcing = SystemProperties.getBoolean("persist.mac_enforcing_mode", false);
        boolean enforcing = getEnforcingMode();
        String mode = enforcing ? "enforcing" : "permissive";
        Slog.d(TAG, "MMAC install starting in " + mode + " mode.");
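Review bot: `getEnforcingMode()` defaults to `false` when `persist.mmac.enforce` is unset, and the property is renamed from `persist.mac_enforcing_mode` with nothing on this page carrying the old value over, so a device that was enforcing before the update would apparently read as permissive until the new property is written. Consider falling back to the old key, e.g. `return SystemProperties.getBoolean(MMAC_ENFORCE_PROPERTY, SystemProperties.getBoolean("persist.mac_enforcing_mode", false));`, or migrating the value once at boot. Separately, the Javadoc on `setEnforcingMode` still says "Returns the current status" and uses `@param boolean`; it should read `Sets the MMAC enforcing mode.` with `@param value true for enforcing, false for permissive`, and `@param none` on the getter should be dropped.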

+9 −15
@@ -45,6 +45,7 @@ import android.content.pm.IPackageManager;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;
import android.content.pm.ResolveInfo;
import android.content.pm.SELinuxMMAC;
import android.os.Binder;
import android.os.Bundle;
import android.os.Environment;
@@ -258,15 +259,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        }
    }

    private static final String SEPOLICY_PATH_SEPOLICY = "/data/system/sepolicy";
    private static final String SEPOLICY_PATH_SEPOLICY = "/data/security/sepolicy";

    private static final String SEPOLICY_PATH_PROPCTXS = "/data/system/property_contexts";
    private static final String SEPOLICY_PATH_PROPCTXS = "/data/security/property_contexts";

    private static final String SEPOLICY_PATH_FILECTXS = "/data/system/file_contexts";
    private static final String SEPOLICY_PATH_FILECTXS = "/data/security/file_contexts";

    private static final String SEPOLICY_PATH_SEAPPCTXS = "/data/system/seapp_contexts";
    private static final String SEPOLICY_PATH_SEAPPCTXS = "/data/security/seapp_contexts";

    private static final String MMAC_POLICY_PATH = "/data/system/mac_permissions.xml";
    private static final String MMAC_POLICY_PATH = "/data/security/mac_permissions.xml";

    private static final PolicyFileDescription[] POLICY_DESCRIPTIONS = {
        // 0 = SEPOLICY_FILE_SEPOLICY
@@ -3008,12 +3009,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    //                      FTT fails a
    //                           FTF fails a,b

    /**
     * This system property is used to share the state of the MAC enforcing mode.
     * SE Android MAC protection layer is expected to read this property and act accordingly.
     */
    public static final String SYSTEM_PROP_ENFORCE_MAC = "persist.mac_enforcing_mode";

    /**
     * Sync's the current MMAC admin's policies to the device. If there is
     * no MMAC admin, then this will set MMAC to permissive mode
@@ -3030,12 +3025,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                mmacAdmin.enforceMMAC = false;
            }

            boolean systemState = SystemProperties.getBoolean(SYSTEM_PROP_ENFORCE_MAC, false);
            boolean systemState = SELinuxMMAC.getEnforcingMode();
            boolean enforceMMAC = mmacAdmin.enforceMMAC;
            if (systemState != enforceMMAC) {
                Slog.v(TAG, SYSTEM_PROP_ENFORCE_MAC + " was " + systemState + ", to be set to " + enforceMMAC);
                String value = enforceMMAC ? "1" : "0";
                SystemProperties.set(SYSTEM_PROP_ENFORCE_MAC, value);
                Slog.v(TAG, "Changing MMAC enforcing status from " + systemState + ", to " + enforceMMAC);
                SELinuxMMAC.setEnforcingMode(enforceMMAC);
            }

            if (removePolicy) {
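Review bot: The switch of MMAC enforcing state in the last hunk is logged only at verbose level and nothing checks that `SELinuxMMAC.setEnforcingMode(enforceMMAC)` took effect, so a move to permissive, or a property write that did not apply, may leave no usable trace. I would log it at info or above, `Slog.i(TAG, "Changing MMAC enforcing status from " + systemState + " to " + enforceMMAC);`, and re-read the state afterwards, `if (SELinuxMMAC.getEnforcingMode() != enforceMMAC) Slog.e(TAG, "MMAC enforcing mode not applied");`. Also, `MMAC_POLICY_PATH` hard-codes `/data/security/mac_permissions.xml` while SELinuxMMAC builds the same location from `Environment.getDataDirectory()`; sharing one definition would keep the writer and the reader from drifting apart. The enclosing method starts before and continues past this hunk.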
+1 −1
@@ -3660,7 +3660,7 @@ public class PackageManagerService extends IPackageManager.Stub {
        mScanningPath = scanFile;

        if (mFoundPolicyFile && !SELinuxMMAC.passInstallPolicyChecks(pkg) &&
            SystemProperties.getBoolean("persist.mac_enforcing_mode", false)) {
                SELinuxMMAC.getEnforcingMode()) {
            Slog.w(TAG, "Installing application package " + pkg.packageName
                   + " failed due to policy.");
            mLastScanError = PackageManager.INSTALL_FAILED_POLICY_REJECTED_PERMISSION;