Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results
Search by author
  • Any Author
  • Werner Sembach Matombo
  • dex dex dex
2 authors
  1. Oct 21, 2013
    • Nick Kralevich's avatar
      Move unconfined domains out of permissive mode. · 353c72e3
      Nick Kralevich authored 
      This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
      353c72e3
  3. May 20, 2013
    • repo sync's avatar
      Make all domains unconfined. · 77d4731e
      repo sync authored 
      This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
      77d4731e
  5. May 15, 2013
  7. May 06, 2013
  9. Mar 27, 2013
    • Robert Craig's avatar
      Various policy updates. · 65d4f44c
      Robert Craig authored 
      
Assortment of policy changes include:
 * Bluetooth domain to talk to init and procfs.
 * New device node domains.
 * Allow zygote to talk to its executable.
 * Update system domain access to new device node domains.
 * Create a post-process sepolicy with dontaudits removed.
 * Allow rild to use the tty device.

Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: default avatarrpcraig <rpcraig@tycho.ncsc.mil>
      65d4f44c
  11. Mar 22, 2013
  13. Mar 21, 2013
  15. Nov 19, 2012
    • Stephen Smalley's avatar
      Update policy for Android 4.2 / latest master. · 61c80d5e
      Stephen Smalley authored 
      
Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.

Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      61c80d5e
  17. Jan 04, 2012