SE Android release

SE Android release

[Stephen Smalley]

Hi,

We have made an initial public release of SE Android. More information
is available at:
http://selinuxproject.org/page/SEAndroid

Enjoy!

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE Android release

[Stephen Smalley]

On Fri, 2012-01-06 at 16:08 -0500, Stephen Smalley wrote:
> Hi,
> 
> We have made an initial public release of SE Android. More information
> is available at:
> http://selinuxproject.org/page/SEAndroid
> 
> Enjoy!

We have made a few updates to the source code repositories and the wiki
page.  A repo sync will refresh your copy of the source code if you
already have a copy.  The changes are:
- Merged latest AOSP master branch and resolved conflicts.  This also
resolves a build problem due to a change in AOSP that wasn't reflected
in our trees.
- Updated sepolicy to allow building with latest checkpolicy. This
allows building on Fedora 16 in addition to Fedora 15 and 14.
- Added support for x86-based builds, see:
http://selinuxproject.org/page/SEAndroid#Building_for_the_x86-based_Emulator

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE Android release

[Stephen Smalley]

On Fri, 2012-01-06 at 16:08 -0500, Stephen Smalley wrote:
> Hi,
> 
> We have made an initial public release of SE Android. More information
> is available at:
> http://selinuxproject.org/page/SEAndroid

We have made further updates to the source code repositories and the
wiki page.  You can refresh your sources by downloading the latest
local_manifest.xml file, dropping it into your .repo subdirectory, and
running repo sync -j1 again.

Some of the notable changes:
- We have added lightly modified versions of libsepol and checkpolicy to
the tree so that you can build on MacOS X in addition to Linux.  You
need to download the new local_manifest.xml file to pick up the new
libsepol and checkpolicy projects.

- All of our changes are now wrapped with HAVE_SELINUX conditionals.
Therefore, you must add HAVE_SELINUX := true to your BoardConfig.mk or
specify HAVE_SELINUX=true on the make command line.  We have added
HAVE_SELINUX := true to the board configs for the emulator, Nexus S, and
Motorola Xoom (wingray) devices.

- Our changes to the bionic C library have been merged by AOSP.  Thus,
it is no longer necessary to use our bionic tree, and it has been
dropped from the local_manifest.xml file.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE Android release

[Stephen Smalley]

On Fri, 2012-01-06 at 16:08 -0500, Stephen Smalley wrote:
> Hi,
> 
> We have made an initial public release of SE Android. More information
> is available at:
> http://selinuxproject.org/page/SEAndroid

We have updated the source code repositories.  A repo sync -j1 will
refresh your copy of the source code if you already have a copy.  The
changes are:

- The Settings app can now be used to manage the SELinux enforcing
status and policy booleans (under Security options).  Changes made via
the Settings app are not yet saved and restored across reboot; this is
work in progress.  The ability of the Settings app to manage SELinux can
be controlled via a new settings_manage_selinux policy boolean. 

- The JNI bindings for the SELinux APIs have been extended to support
the new Settings functionality.   They have also been reworked to ensure
that the framework services and apps can safely call the SELinux APIs
even when SELinux is disabled.

- Support for -R has been added to the init chown built-in command so
that ownership can be set on all SELinux booleans in selinuxfs to permit
management by the Settings app (which runs in the system UID).  The
init.rc file has been modified to apply this ownership change at boot.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE Android release

[Stephen Smalley]

On Fri, 2012-01-06 at 16:08 -0500, Stephen Smalley wrote:
> Hi,
> 
> We have made an initial public release of SE Android. More information
> is available at:
> http://selinuxproject.org/page/SEAndroid

We have updated the source code repositories.  A repo sync -j1 will
refresh your copy of the source code if you already have a copy.

The major change since the last update is that there is now support for
setting file security contexts in OTA and update packages.  This
includes changes to the bootable/recovery, build, and system/extras
projects.  To test, you can build the images, reflash the recovery
partition with the new recovery image, do a 'make dist' to generate an
ota .zip file, push the .zip file to the /sdcard via adb, and then
reboot into recovery and apply the update from the .zip file.  The
resulting updated image should have security contexts set properly on
its files, as shown by ls -Z /system.

Also, for users who are unable to use the git protocol to access the
source code repositories due to firewall restrictions, we have added
instructions on the wiki and an alternate local_manifest.xml file for
downloading via http only.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE Android release

[Stephen Smalley]

On Fri, 2012-01-06 at 16:08 -0500, Stephen Smalley wrote: 
> Hi,
> 
> We have made an initial public release of SE Android. More information
> is available at:
> http://selinuxproject.org/page/SEAndroid

We have updated the source code repositories and the wiki page.  A repo
sync -j1 will refresh your copy of the source code if you already have a
copy.  The changes since the last update are:

- (code) Merged the latest AOSP master branch.  Note that some of our
changes have been merged into the AOSP master branch since our last
update.  In particular, the base set of init/ueventd and toolbox changes
under system/core have been merged.  However, you still need to use our
system/core tree to pick up some of the subsequent changes that have not
yet been merged.

- (code) Updated libsepol and checkpolicy to the latest upstream
release.

- (code) Minor cleanups for the chown -R implementation.

- (wiki) Added instructions for building on MacOS X.

- (wiki) Added links to the slides and video from our talk at the
Android Builders Summit.

- (wiki) Added a note about the need to generate your own keys for
production builds to the section on Building for a Device.

-- 
Stephen Smalley
National Security Agency



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE Android release

[Stephen Smalley]

On Fri, 2012-01-06 at 16:08 -0500, Stephen Smalley wrote:
> Hi,
> 
> We have made an initial public release of SE Android. More information
> is available at:
> http://selinuxproject.org/page/SEAndroid

We have made further updates to the source code repositories and the
wiki page.  You can refresh your sources by downloading the latest
local_manifest.xml file, dropping it into your .repo subdirectory, and
running repo sync -j1. The changes since the last update are:

- Merged the latest AOSP master branch.  There are two caveats regarding
the current state of AOSP master: we had to revert the 64-bit emulator
change (c7389bd) from external/qemu in order to build, and we had to
apply https://android-review.googlesource.com/#/c/34210/ to bionic in
order to resolve a deadlock during boot.  These issues have been
reported to AOSP and are not related to SE Android in any way.

- Merged Bryan Hinton's patches for the Galaxy Nexus, along with a
cleanup by William Roberts.  Some of the policy changes were directly
integrated into the base policy, while others were left in the
per-device sepolicy.* files.  Also defined HAVE_SELINUX := true in the
tuna BoardConfig.mk so that it will be enabled by default.

- Moved the SELinux management functionality out of the Settings app and
into a new SEAndroidManager app.  The Settings app now only displays the
SELinux status under About phone.  Setting the SELinux enforcing mode
and booleans can only be done via the SEAndroidManager app.  Further,
the SEAndroidManager app now saves the enforcing status and booleans on
a (clean) shutdown and restores them at boot so that they are preserved
across a power cycle. Work is in progress to save the settings
immediately so that they will be preserved even upon a low-level reboot
(e.g. adb reboot), and work is planned to migrate more of the
functionality into the framework services so that the app can ultimately
run without the system UID.

- Added preliminary support for loading policy files from /data/system
in order to support runtime policy updates, and for notifying various
components to reload their policy files.  This is still work in
progress, but provides the first stages of the underlying infrastructure
support for runtime policy management of the device. You can exercise a
portion of this functionality by copying policy files under /data/system
and can trigger a policy reload at runtime by setting the
selinux.loadpolicy property to 1 (setprop selinux.loadpolicy 1 from
init.rc or an adb shell). There is also support for notifying installd
of an updated seapp_contexts configuration via its command socket, and
an interface in Installer.java for use by the framework services to
perform this notification when a new seapp_contexts file is installed
to /data/system.  This interface is not yet being used, but would
ultimately be leveraged by the DevicePolicyManager service.

- Added a restorecon JNI binding for use by the framework services to
restore the security context of files, and modified the
PackageManagerService and WallpaperManagerService to use it.  In the
case of the PackageManagerService, restorecon is invoked to label the
vmdl*.tmp files created when installing packages with a type
(apk_tmp_file) that is writable by the client app, and restorecon is
then invoked again when the file is renamed to the final apk file so
that the final apk file is protected against subsequent access.  This
avoids the need to allow write access to the /data/app type
(apk_data_file) by the app domains.  In the case of the
WallpaperManagerService, restorecon is invoked to label the wallpaper
file with its own type so that apps can be allowed to write to it
without being able to write to other files under com.android.settings.

- Rewrote the MLS constraints in the sepolicy to only constrain open for
app_data_file, not read/write.  This is an attempt to allow open fd
passing by apps for explicit sharing via Binder or local socket IPC
while prohibiting direct open of the app's private data files by another
app.  However, we still need to distinguish shared_prefs from files
given that the former appears to be accessed via direct open and the
latter via fd passing.

- Support for device-specific additions to policy and improved policy
support for running the Android CTS, as previously discussed on the list
and documented in the wiki.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

seandroid-4.0.3 branch created

[Stephen Smalley]

We have created a seandroid-4.0.3 branch with the SE Android
modifications relative to the android-4.0.3_r1 tag rather than the
master branch.  This may be helpful to users who wish to use a stable
release of Android as their baseline and do not wish to track master.
Our own development will continue on the seandroid branch relative to
the master branch, but we will try to back port our changes to the
seandroid-4.0.3 branches when feasible and as time permits.  Information
about how to use the seandroid-4.0.3 branch can be found at:
http://selinuxproject.org/page/SEAndroid#Using_android-4.0.3_r1

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

seandroid-4.0.4 branch created

[Stephen Smalley]

Hi,

We have created a seandroid-4.0.4 branch with the SE Android
modifications relative to the android-4.0.4_r1.1 tag.  See the
wiki page, http://selinuxproject.org/page/SEAndroid, for updated
instructions on how to use the 4.0.4 branch.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE Android release

[Stephen Smalley]

On Fri, 2012-01-06 at 16:08 -0500, Stephen Smalley wrote:
> Hi,
> 
> We have made an initial public release of SE Android. More information
> is available at:
> http://selinuxproject.org/page/SEAndroid

We have made further updates to the source code repositories and the
wiki page. You can refresh your sources by downloading the latest
local_manifest.xml file, dropping it into your .repo subdirectory, and
running repo sync -j1.  The changes since the last update are:

- Merged the latest AOSP master branch.  The emulator build and bionic
deadlock issues in AOSP that were previously mentioned have been
resolved.  The SE Android changes for system/extras and
bootable/recovery related to labeling of files in ext4 images have been
merged into the AOSP master branch.  Some of the SE Android changes have
been revised based on further feedback and re-uploaded to AOSP.

- Created seandroid-4.0.3 and seandroid-4.0.4 branches relative to
android-4.0.3_r1 and android-4.0.4_r1.1 for users who want to use a
stable release of Android as their baseline and do not wish to track
master.  The instructions on the wiki page have been updated
accordingly.

- Reverted the changes to installd and Installer.java to support
reloading of seapp_contexts via a new installd socket command.  Instead,
the init.rc was modified to restart installd in addition to ueventd when
the selinux.loadpolicy property is set.  Thus, if you drop new policy
files under /data/system and set the selinux.loadpolicy property to 1,
init will reload the kernel policy and any other policy files it uses,
and both ueventd and installd will be restarted to pick up the new
policy configurations relevant to their operation.

- Added SELinux/MAC permission checking and labeling for the init
property service.  This is the second example of a SELinux userspace
object manager for Android (the first being the zygote).  There is a new
property_contexts configuration in the policy for labeling properties,
along with an associated selabel backend in libselinux for looking up
the property contexts.  Device-specific properties may be placed in a
sepolicy.pc file under one of the device-specific directories.

- Updated the SEAndroidManager app to save settings immediately (not
just on a clean shutdown), to handle the SELinux disabled and no
booleans cases gracefully, and to remove unneeded libraries.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.