Merge "ISSUE 6849488 Bluedroid stack, remove system/bluetooth." into jb-mr1-dev
diff --git a/Android.mk b/Android.mk
index 90e430c..2d4a38b 100644
--- a/Android.mk
+++ b/Android.mk
@@ -9,7 +9,7 @@
# SELinux policy version.
# Must be <= /selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS := 24
+POLICYVERS ?= 24
MLS_SENS=1
MLS_CATS=1024
@@ -31,7 +31,6 @@
LOCAL_MODULE := sepolicy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_SUFFIX := .$(POLICYVERS)
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -92,9 +91,9 @@
@mkdir -p $(dir $@)
$(hide) m4 -s $^ > $@
-$(LOCAL_BUILT_MODULE) : $(seapp_contexts.tmp) $(TARGET_ROOT_OUT)/sepolicy.$(POLICYVERS) $(HOST_OUT_EXECUTABLES)/checkseapp
+$(LOCAL_BUILT_MODULE) : $(seapp_contexts.tmp) $(TARGET_ROOT_OUT)/sepolicy $(HOST_OUT_EXECUTABLES)/checkseapp
@mkdir -p $(dir $@)
- $(HOST_OUT_EXECUTABLES)/checkseapp -p $(TARGET_ROOT_OUT)/sepolicy.24 -o $@ $<
+ $(HOST_OUT_EXECUTABLES)/checkseapp -p $(TARGET_ROOT_OUT)/sepolicy -o $@ $<
seapp_contexts.tmp :=
##################################
diff --git a/app.te b/app.te
index 028bf45..7984f10 100644
--- a/app.te
+++ b/app.te
@@ -67,6 +67,10 @@
# Read logs.
allow release_app log_device:chr_file read;
+# Services with isolatedProcess=true in their manifest.
+type isolated_app, domain;
+app_domain(isolated_app)
+
#
# An example of a specific domain for a specific app
# A domain for com.android.browser.
diff --git a/check_seapp/check_seapp.c b/check_seapp/check_seapp.c
index 5865bd0..93ecb2f 100644
--- a/check_seapp/check_seapp.c
+++ b/check_seapp/check_seapp.c
@@ -277,15 +277,18 @@
log_error("Could not check selinux boolean, error: %s\n",
strerror(errno));
rc = 0;
- goto bool_err;
+ sepol_bool_key_free(se_key);
+ goto out;
}
if(!resp) {
log_error("Could not find selinux boolean \"%s\" on line: %d in file: %s\n",
value, lineno, out_file_name);
rc = 0;
- goto bool_err;
+ sepol_bool_key_free(se_key);
+ goto out;
}
+ sepol_bool_key_free(se_key);
}
else if (!strcasecmp(key, "type") || !strcasecmp(key, "domain")) {
@@ -296,7 +299,6 @@
}
goto out;
}
-
else if (!strcasecmp(key, "level")) {
ret = sepol_mls_check(pol.handle, pol.db, value);
@@ -308,9 +310,6 @@
}
}
-bool_err:
- sepol_bool_key_free(se_key);
-
out:
log_info("Key map validate returning: %d\n", rc);
return rc;
@@ -500,19 +499,23 @@
/* Only build key off of inputs*/
if (r->dir == dir_in) {
char *tmp;
- int l = strlen(k->key);
- l += strlen(k->value);
- l += (new_map->key) ? strlen(new_map->key) : 0;
+ int key_len = strlen(k->key);
+ int val_len = strlen(k->value);
+ int l = (new_map->key) ? strlen(new_map->key) : 0;
+ l = l + key_len + val_len;
l += 1;
tmp = realloc(new_map->key, l);
if (!tmp)
goto oom;
+ if (!new_map->key)
+ memset(tmp, 0, l);
+
new_map->key = tmp;
- strcat(new_map->key, k->key);
- strcat(new_map->key, k->value);
+ strncat(new_map->key, k->key, key_len);
+ strncat(new_map->key, k->value, val_len);
}
break;
}
@@ -619,7 +622,7 @@
log_info("Output file set to: %s\n", (out_file_name == NULL) ? "stdout" : out_file_name);
#if !defined(LINK_SEPOL_STATIC)
- log_warning("LINK_SEPOL_STATIC is not defined\n""Not checking types!");
+ log_warn("LINK_SEPOL_STATIC is not defined\n""Not checking types!");
#endif
}
diff --git a/seapp_contexts b/seapp_contexts
index 71eca75..0050cc2 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -39,3 +39,4 @@
user=app_* seinfo=media domain=media_app type=platform_app_data_file
user=app_* seinfo=release domain=release_app type=platform_app_data_file
user=app_* seinfo=release name=com.android.browser domain=browser_app type=platform_app_data_file
+user=isolated domain=isolated_app levelFromUid=true
