Commits · 28a711c89a1b51d0aaf9baa475994a255cd33f3c · Werner Sembach / AndroidSystemSEPolicy

Oct 21, 2013

Move unconfined domains out of permissive mode. · 353c72e3

Nick Kralevich authored 11 years ago

This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245

353c72e3

May 20, 2013

Make all domains unconfined. · 77d4731e

repo sync authored 11 years ago

This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

77d4731e

May 15, 2013
- Move domains into per-domain permissive mode. · 50e37b93
  repo sync authored 11 years ago
  
  Bug: 4070557 Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
  50e37b93
Apr 05, 2013
- Allow dhcpd to interact with ttys. · 47020462
  Geremy Condra authored 11 years ago
  
  Bug: 8539042 Change-Id: I27bcc4a485b031d54e17b03164642821d546e62f
  47020462
Apr 03, 2013
- Allow dhcpd to interact with ttys. · 4959ecd1
  Geremy Condra authored 11 years ago
  
  Bug: 8539042 Change-Id: I27bcc4a485b031d54e17b03164642821d546e62f
  4959ecd1
Mar 27, 2013

Revert "Revert "Various minor policy fixes based on CTS."" · e69552ba

Geremy Condra authored 12 years ago

This reverts commit ba84bf1d

Hidden dependency resolved.

Change-Id: I9f0844f643abfda8405db2c722a36c847882c392

e69552ba

Mar 22, 2013

Revert "Various minor policy fixes based on CTS." · ba84bf1d
Geremy Condra authored 12 years ago
```
This reverts commit 8a814a76

Change-Id: Id1497cc42d07ee7ff2ca44ae4042fc9f2efc9aad
```
ba84bf1d

Various minor policy fixes based on CTS. · 8a814a76

Stephen Smalley authored 12 years ago


Change-Id: I5a3584b6cc5eda2b7d82e85452f9fe457877f1d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

8a814a76

Create policy for PAN connections. · ff7e5305

rpcraig authored 12 years ago


Policy to allow bluetooth tethering.

Change-Id: Ic24c97b0e1dc93395b8381b78ca4929baa30337c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

ff7e5305

Oct 16, 2012

allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access · f26d8130

Joshua Brindle authored 12 years ago


- allow all apps to connect to the keystore over unix socket
- dhcp runs scripts in /system/etc/dhcpcd/dhcpcd-hooks and creates/removes lease files
- mtp connects to dnsproxyd when a pptp vpn connection is established
- allow appdomain to also open qtaguid_proc and release_app to read qtaguid_device
- WifiWatchDog uses packet_socket when wifi comes up
- apps interact with isolated_apps when an app uses an isolated service and uses sockets for that interaction
- for apps with levelFromUid=true to interact with isolated_app, isolated_app must be an mlstrustedsubject

Change-Id: I09ff676267ab588ad4c73f04d8f23dba863c5949
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>

f26d8130

Aug 15, 2012
- dhcp policy. · 867ae056
  rpcraig authored 12 years ago
  
  867ae056