"README.md" did not exist on "4b7f7802c897341a564c91d984ecece09df3309d"
- Jul 30, 2012
-
-
rpcraig authored
This was moved from external/mac-policy.git
-
Haiqing Jiang authored
-
Haiqing Jiang authored
-
Haiqing Jiang authored
-
- Jul 27, 2012
-
-
Stephen Smalley authored
-
Haiqing Jiang authored
-
Haiqing Jiang authored
-
Haiqing Jiang authored
-
Haiqing Jiang authored
-
Stephen Smalley authored
Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps.
Platform (any of the apps signed by build keys, i.e. platform|release|shared|media) apps expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder. Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps.
Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps.
Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps. Specify this new type for the platform app entries in seapp_contexts.
Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them.
-
- Jul 24, 2012
-
-
Haiqing Jiang authored
-
hqjiang authored
-
hqjiang authored
-
- Jul 19, 2012
-
-
hqjiang authored
Target the denials/policies over qtaguid file and device:
1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc";
2. Label /dev/xt_qtaguid with "qtaguid_device";
3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device;
4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device;
5. Allow system read/[write] to qtaguid_proc and qtaguid_device.
Actually, some of the policies related to qtaguid have been there already, but we refine existing ones and add new ones.
-
hqjiang authored
-
- Jul 12, 2012
-
-
Stephen Smalley authored
-
Stephen Smalley authored
-
William Roberts authored
ocontexts was split up into 4 files:
1. fs_use
2. genfs_contexts
3. initial_sid_contexts
4. port_contexts
Each file has its respective declarations in it. Devices, in their respective device directory, can now specify sepolicy.fs_use, sepolicy.genfs_contexts, sepolicy.port_contexts, and sepolicy.initial_sid_contexts. These declarations will be added right behind their respective sepolicy counterparts in the concatenated configuration file.
-
Michal Mašek authored
-
hqjiang authored
-
hqjiang authored
-
hqjiang authored
-
- Jun 28, 2012
-
-
Stephen Smalley authored
Add key_socket class to socket_class_set macro. Allow system to trigger module auto-loading and to write to sockets created under /dev.
-
Stephen Smalley authored
-
William Roberts authored
-
Stephen Smalley authored
-
Bob Craig authored
-
- Jun 27, 2012
-
-
Stephen Smalley authored
-
Stephen Smalley authored
-
Stephen Smalley authored
-
Stephen Smalley authored
-
William Roberts authored
perms.
-
- Jun 21, 2012
-
-
Joshua Brindle authored
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
-
- Jun 20, 2012
-
-
William Roberts authored
-
- Jun 19, 2012
-
-
Stephen Smalley authored
-
- Jun 07, 2012
-
-
William Roberts authored
Tested on a maguro variant.
-
- May 31, 2012
-
-
William Roberts authored
-
William Roberts authored
-
- May 18, 2012
-
-
Stephen Smalley authored
-
- Apr 19, 2012
-
-
Stephen Smalley authored
-