- Oct 21, 2013
-
-
Nick Kralevich authored
This change removes the permissive line from unconfined domains. Unconfined domains can do (mostly) anything, so moving these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the rules in unconfined, and have those tightened rules actually work.

When we're ready to tighten up the rules for these domains, we can:
1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify a list of possible rules which allow adbd to work, re-add the permissive line, and then upload those changes to AOSP. After sufficient testing, we'd then move adb to enforcing. We'd repeat this for each domain until everything is enforcing and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
-
- Sep 27, 2013
-
-
Stephen Smalley authored
Otherwise it defaults to the label of /data/system and cannot be distinguished from any other socket in that directory. Also adds allow rule required for pre-existing wpa_socket transition to function without unconfined_domain.

Change-Id: I57179aa18786bd56d247f397347e546cca978e41
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- Jul 12, 2013
-
-
Nick Kralevich authored
In 0c9708b2, we removed relabelto from unconfined.te. This broke debuggerd. Fixed.

type=1400 audit(1373668537.550:5): avc: denied { relabelto } for pid=44 comm="debuggerd" name="tombstones" dev="mtdblock1" ino=71 scontext=u:r:debuggerd:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir

Change-Id: Ic025cbc030d6e776d9d87b1df3240fdc5f0b53d5
-
- May 20, 2013
-
-
repo sync authored
This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
-
- May 15, 2013
-
-
repo sync authored
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
-
- Apr 05, 2013
-
-
William Roberts authored
/data/security is another location that policy files can reside. In fact, these policy files take precedence over their rootfs counterparts under certain circumstances. Give the appropriate players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41
-
Stephen Smalley authored
Read access to /dev/log/* is no longer restricted. Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
William Roberts authored
/data/security is another location that policy files can reside. In fact, these policy files take precedence over their rootfs counterparts under certain circumstances. Give the appropriate players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41
-
- Apr 04, 2013
-
-
Stephen Smalley authored
Read access to /dev/log/* is no longer restricted. Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- Aug 10, 2012
-
-
rpcraig authored
-
- Jul 31, 2012
-
-
Stephen Smalley authored
-
- Mar 07, 2012
-
-
Stephen Smalley authored
-
- Jan 04, 2012
-
-
Stephen Smalley authored
-