- Mar 14, 2014
-
-
Stephen Smalley authoredChange-Id: I68a8f37576d0d04d0f9df9ef8991407b6846ba15 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
- Jan 14, 2014
-
-
Stephen Smalley authored
Change-Id: Ie7414b49eac92f7d57789cc3082dbce774561126 Signed-off-by:Stephen Smalley <sds@tycho.nsa.gov>
-
- Oct 21, 2013
-
-
Nick Kralevich authored
This change removes the permissive line from unconfined domains. Unconfined domains can do (mostly) anything, so moving these domains into enforcing should be a no-op. The following domains were deliberately NOT changed: 1) kernel 2) init In the future, this gives us the ability to tighten up the rules in unconfined, and have those tightened rules actually work. When we're ready to tighten up the rules for these domains, we can: 1) Remove unconfined_domain and re-add the permissive line. 2) Submit the domain in permissive but NOT unconfined. 3) Remove the permissive line 4) Wait a few days and submit the no-permissive change. For instance, if we were ready to do this for adb, we'd identify a list of possible rules which allow adbd to work, re-add the permissive line, and then upload those changes to AOSP. After sufficient testing, we'd then move adb to enforcing. We'd repeat this for each domain until everything is enforcing and out of unconfined. Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
-
- May 20, 2013
-
-
repo sync authored
This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security. Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
-
- May 15, 2013
-
-
repo sync authored
Bug: 4070557 Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
-
- Aug 13, 2012
-
-
rpcraig authored
-
- Jan 04, 2012
-
-
Stephen Smalley authored
-