Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results
Search by author
  • Any Author
  • Werner Sembach Matombo
  • dex dex dex
2 authors
  1. Feb 11, 2017
  3. Feb 09, 2017
  5. Feb 06, 2017
    • Stephen Smalley's avatar
      Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes. · 4921085d
      Stephen Smalley authored 
      
The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5.  Unless we need to retain compatibility
for kernels < 3.5, we can drop these classes from the policy altogether.

Possibly the neverallow rule in app.te should be augmented to include
the newer netlink security classes, similar to webview_zygote, but
that can be a separate change.

Test: policy builds

Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      4921085d
  7. Jan 31, 2017
    • Calin Juravle's avatar
      Remove SElinux audit to libart_file · 01ee59a7
      Calin Juravle authored 
      Since it was introduced it caused quite a few issues and it spams the
SElinux logs unnecessary.

The end goal of the audit was to whitelist the access to the
interpreter. However that's unfeasible for now given the complexity.

Test: devices boots and everything works as expected
      no more auditallow logs

Bug: 29795519
Bug: 32871170
Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6
      01ee59a7
  9. Jan 26, 2017
    • Alex Klyubin's avatar
      Move appdomain policy to private · 8429a331
      Alex Klyubin authored 
      This leaves only the existence of appdomain attribute as public API.
All other rules are implementation details of this attribute's policy
and are thus now private.

Test: Device boot, apps (untrusted_app, system_app, platform_app,
      priv_app) work fine. No new denials.
Bug: 31364497

Change-Id: Ie22e35bad3307bb9918318c3d034f1433d51677f
      8429a331
  11. Dec 06, 2016
    • dcashman's avatar
      sepolicy: add version_policy tool and version non-platform policy. · 2e00e637
      dcashman authored 
      In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
      2e00e637