Commits · 0130154985aa5042b9e40c45fe60492e40004761 · Werner Sembach / AndroidSystemSEPolicy

Sep 27, 2013

Make sure exec_type is assigned to all entrypoint types. · 01301549

Stephen Smalley authored 11 years ago


Some file types used as domain entrypoints were missing the
exec_type attribute.  Add it and add a neverallow rule to
keep it that way.

Change-Id: I7563f3e03940a27ae40ed4d6bb74181c26148849
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

01301549

May 20, 2013

Make all domains unconfined. · 77d4731e

repo sync authored 11 years ago

This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

77d4731e

May 06, 2013

SELinux policy that separates "init_shell" from "shell". · 8199123c

Alex Klyubin authored 11 years ago

"init_shell" is used for shell processes spawned by init.

Change-Id: I9e35d485bac91f3d0e4f3704acdbb9af7d617173

8199123c

Apr 05, 2013

Allow all domains to read the log devices. · 81fe5f7c

Stephen Smalley authored 11 years ago


Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

81fe5f7c

Apr 04, 2013

Allow all domains to read the log devices. · 2b732237

Stephen Smalley authored 11 years ago


Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

2b732237

Mar 27, 2013

Revert "Revert "Various minor policy fixes based on CTS."" · e69552ba

Geremy Condra authored 11 years ago

This reverts commit ba84bf1d

Hidden dependency resolved.

Change-Id: I9f0844f643abfda8405db2c722a36c847882c392

e69552ba

Mar 22, 2013

Revert "Various minor policy fixes based on CTS." · ba84bf1d
Geremy Condra authored 12 years ago
```
This reverts commit 8a814a76

Change-Id: Id1497cc42d07ee7ff2ca44ae4042fc9f2efc9aad
```
ba84bf1d

Various minor policy fixes based on CTS. · 8a814a76

Stephen Smalley authored 12 years ago


Change-Id: I5a3584b6cc5eda2b7d82e85452f9fe457877f1d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

8a814a76

Split internal and external sdcards · c195ec31

William Roberts authored 12 years ago

Two new types are introduced:
sdcard_internal
sdcard_external

The existing type of sdcard, is dropped and a new attribute
sdcard_type is introduced.

The boolean app_sdcard_rw has also been changed to allow for
controlling untrusted_app domain to use the internal and external
sdcards.

Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5

c195ec31

Mar 19, 2013

Drop shell from having access to dmesg · 767abc07

William Roberts authored 12 years ago

In normal, user builds, shell doesn't have the required
DAC permissions to acess the kernel log.

Change-Id: I001e6d65f508e07671bdb71ca2c0e1d53bc5b970

767abc07

Nov 27, 2012

Add policy for run-as program. · e8848726

Stephen Smalley authored 12 years ago


Add policy for run-as program and label it in file_contexts.
Drop MLS constraints on local socket checks other than create/relabel
as this interferes with connections with services, in particular for
adb forward.

Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

e8848726

Allow shell to connect to property service · c34a2527
William Roberts authored 12 years ago
```
Change-Id: I06ea2b400cc826c684b6ad25e12b021c2667b48a
```
c34a2527

Apr 04, 2012

Add policy for property service. · 124720a6

Stephen Smalley authored 12 years ago

New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.

124720a6

Mar 08, 2012
- Allow the shell to create files on the sdcard. · b660916b
  Stephen Smalley authored 13 years ago
  
  b660916b
Mar 07, 2012
- Drop redundant rules. · d5a70a7f
  Stephen Smalley authored 13 years ago
  
  d5a70a7f
- Policy changes to support running the latest CTS. · c83d0087
  Stephen Smalley authored 13 years ago
  
  c83d0087
Jan 12, 2012

Allow reading of properties area, which is now created before init has... · 6261d6d8

Stephen Smalley authored 13 years ago

Allow reading of properties area, which is now created before init has switched contexts.  Revisit this later - we should explicitly label the properties file.

6261d6d8

Jan 04, 2012
- SE Android policy. · 2dd4e51d
  Stephen Smalley authored 13 years ago
  
  2dd4e51d