authorWilliam Roberts <w.roberts@sta.samsung.com>2013-01-23 14:07:08 -0800
committerRicardo Cerqueira <cyanogenmod@cerqueira.org>2013-07-18 21:02:23 +0100
commita5dfcb45325904879fc3859f3c654469481b5e0a (patch)
tree56506414fde276e462c2bf46eecd3184de7be27e /services
parent81a56239791c6d8d686171fb51438a82eaf8b9e1 (diff)
Update location of policy files
The location of policy files has changed from /data/system to /data/security. Also, the MMAC enforcing property is renamed to place it under the persist.mmac. namespace. Adds APIs for getting and setting the MMAC enforcing mode. Change-Id: I0e9468fe651cd6ec018d5c85d35d693e55479e89
Diffstat (limited to 'services')
-rw-r--r--services/java/com/android/server/DevicePolicyManagerService.java24
-rw-r--r--services/java/com/android/server/pm/PackageManagerService.java2
2 files changed, 10 insertions, 16 deletions
diff --git a/services/java/com/android/server/DevicePolicyManagerService.java b/services/java/com/android/server/DevicePolicyManagerService.java
index e5c7337..b2212a3 100644
--- a/services/java/com/android/server/DevicePolicyManagerService.java
+++ b/services/java/com/android/server/DevicePolicyManagerService.java
@@ -45,6 +45,7 @@ import android.content.pm.IPackageManager;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;
import android.content.pm.ResolveInfo;
+import android.content.pm.SELinuxMMAC;
import android.os.Binder;
import android.os.Bundle;
import android.os.Environment;
@@ -258,15 +259,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
}
}
- private static final String SEPOLICY_PATH_SEPOLICY = "/data/system/sepolicy";
+ private static final String SEPOLICY_PATH_SEPOLICY = "/data/security/sepolicy";
- private static final String SEPOLICY_PATH_PROPCTXS = "/data/system/property_contexts";
+ private static final String SEPOLICY_PATH_PROPCTXS = "/data/security/property_contexts";
- private static final String SEPOLICY_PATH_FILECTXS = "/data/system/file_contexts";
+ private static final String SEPOLICY_PATH_FILECTXS = "/data/security/file_contexts";
- private static final String SEPOLICY_PATH_SEAPPCTXS = "/data/system/seapp_contexts";
+ private static final String SEPOLICY_PATH_SEAPPCTXS = "/data/security/seapp_contexts";
- private static final String MMAC_POLICY_PATH = "/data/system/mac_permissions.xml";
+ private static final String MMAC_POLICY_PATH = "/data/security/mac_permissions.xml";
private static final PolicyFileDescription[] POLICY_DESCRIPTIONS = {
// 0 = SEPOLICY_FILE_SEPOLICY
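Review bot: The five `/data/security/...` paths are still separate string literals in this class, so this writer and whatever loads the policy files can drift apart the next time the directory moves; building them from one shared constant, e.g. `private static final String POLICY_DIR = "/data/security";`, would keep them in step. Nothing in this hunk migrates or removes files an admin already pushed to `/data/system`, so on an upgraded device the old policy may be orphaned and the new location may start empty unless that is handled elsewhere; worth confirming. A one-line comment stating the expected owner and mode of `/data/security` would also help, since this service writes enforcement policy there. The `POLICY_DESCRIPTIONS` array continues outside the hunk.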
@@ -3009,12 +3010,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
// FTF fails a,b
/**
- * This system property is used to share the state of the MAC enforcing mode.
- * SE Android MAC protection layer is expected to read this property and act accordingly.
- */
- public static final String SYSTEM_PROP_ENFORCE_MAC = "persist.mac_enforcing_mode";
-
- /**
* Sync's the current MMAC admin's policies to the device. If there is
* no MMAC admin, then this will set MMAC to permissive mode
* and may remove the {@link MMAC_POLICY_PATH} file.
@@ -3030,12 +3025,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
mmacAdmin.enforceMMAC = false;
}
- boolean systemState = SystemProperties.getBoolean(SYSTEM_PROP_ENFORCE_MAC, false);
+ boolean systemState = SELinuxMMAC.getEnforcingMode();
boolean enforceMMAC = mmacAdmin.enforceMMAC;
if (systemState != enforceMMAC) {
- Slog.v(TAG, SYSTEM_PROP_ENFORCE_MAC + " was " + systemState + ", to be set to " + enforceMMAC);
- String value = enforceMMAC ? "1" : "0";
- SystemProperties.set(SYSTEM_PROP_ENFORCE_MAC, value);
+ Slog.v(TAG, "Changing MMAC enforcing status from " + systemState + ", to " + enforceMMAC);
+ SELinuxMMAC.setEnforcingMode(enforceMMAC);
}
if (removePolicy) {
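Review bot: The enforcing-mode transition is logged with `Slog.v`, which is easy to lose for an event that can switch MMAC to permissive; `Slog.i(TAG, "Changing MMAC enforcing status from " + systemState + " to " + enforceMMAC);` would keep it in normal logs and drops the stray comma. The outcome of `SELinuxMMAC.setEnforcingMode(enforceMMAC)` is not checked here; its signature is not visible in this diff, but if it can fail or report a result, the failure should be logged rather than assumed. The enclosing method starts and ends outside the hunk.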
diff --git a/services/java/com/android/server/pm/PackageManagerService.java b/services/java/com/android/server/pm/PackageManagerService.java
index 81ff2f3..b7a9a49 100644
--- a/services/java/com/android/server/pm/PackageManagerService.java
+++ b/services/java/com/android/server/pm/PackageManagerService.java
@@ -3660,7 +3660,7 @@ public class PackageManagerService extends IPackageManager.Stub {
mScanningPath = scanFile;
if (mFoundPolicyFile && !SELinuxMMAC.passInstallPolicyChecks(pkg) &&
- SystemProperties.getBoolean("persist.mac_enforcing_mode", false)) {
+ SELinuxMMAC.getEnforcingMode()) {
Slog.w(TAG, "Installing application package " + pkg.packageName
+ " failed due to policy.");
mLastScanError = PackageManager.INSTALL_FAILED_POLICY_REJECTED_PERMISSION;
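Review bot: The install rejection now hinges on `SELinuxMMAC.getEnforcingMode()`, whose value when the property is unset is not visible here; the replaced call defaulted to `false`, which is fail-open. The commit description says the property was renamed and no migration of the old `persist.mac_enforcing_mode` value appears in this diff, so an upgraded device may scan packages as permissive until the device-policy sync sets the new property; worth confirming the ordering. A short comment above the condition, e.g. `// Policy violations only block the install when MMAC is enforcing.`, would document the intent. The enclosing method continues outside the hunk.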