- Feb 06, 2017
Alex Klyubin authored
This leaves only the existence of mdnsd domain as public API. All other rules are implementation details of this domain's policy and are thus now private.

Test: No change to policy according to sesearch, except for disappearance of all allow rules to do with mdnsd_current (as expected).
Bug: 31364497
Change-Id: Ia4f01d91e7d593401e8cde2d796a0f1023f6dae4

- Oct 06, 2016
dcashman authored
Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version.

Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes, is minimal. For now, almost all types and avrules are left in public.

Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

- Dec 02, 2015
Nick Kralevich authored
Remove domain_deprecated from mdnsd. This removes some unnecessarily permissive rules from mdnsd.

As part of this, re-allow /proc/net access, which is removed as a result of removing domain_deprecated.

Bug: 25433265
Change-Id: Ie1cf27179ac2e9170cf4cd418aea3256b9534603

- Nov 03, 2015
Jeff Vander Stoep authored
Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

- Sep 08, 2014
Stephen Smalley authored
When using MLS (i.e. enabling levelFrom= in seapp_contexts), certain domains and types must be exempted from the normal constraints defined in the mls file. Beyond the current set, adbd, logd, mdnsd, netd, and servicemanager need to be able to read/write to any level in order to communicate with apps running with any level, and the logdr and logdw sockets need to be writable by apps running with any level.

This change has no impact unless levelFrom= is specified in seapp_contexts, so by itself it is a no-op.

Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

- Mar 14, 2014
Stephen Smalley authored
Change-Id: I610723eb9f2edcb4525b0e2d7e55616a1d93957d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

- Feb 25, 2014
Stephen Smalley authored
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit 96ff4c05)
Change-Id: Idfd734f07687925c1f35d2629d4b59d46822d0d4

Stephen Smalley authored
Change-Id: I0a06fa32a46e515671b4e9a6f68e1a3f8b2c21a8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>