Commits · bff9801521abb36a243131114e70f905fb1238ef · Werner Sembach / AndroidSystemSEPolicy

Dec 14, 2015

label /sys/kernel/debug/tracing and remove debugfs write · fe12b616

Nick Kralevich authored 9 years ago

Start labeling the directory /sys/kernel/debug/tracing. The files
in this directory need to be writable to the shell user.

Remove global debugfs:file write access. This was added in the days
before we could label individual debugfs files.

Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3

fe12b616

Nov 03, 2015

Create attribute for moving perms out of domain · d22987b4

Jeff Vander Stoep authored 9 years ago

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

d22987b4

Sep 04, 2015
- Fix perfprofd denial (simpleperf debugfs read). · b55f10e9
  Than McIntosh authored 9 years ago
  
  Bug: http://b/23814810 Change-Id: I731bd70ec982e47b86befb32a9edcb71570e9d64
  b55f10e9
Aug 25, 2015

Only allow toolbox exec where /system exec was already allowed. · a3c97a76

Stephen Smalley authored 9 years ago

When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage. However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain. Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

a3c97a76

Jun 11, 2015

Update perfprofd rules to allow wake_unlock inspection. · 4ae43094

Than McIntosh authored 9 years ago

Bug: http://b/19483574

(cherry picked from commit beadf17a)

Change-Id: Ibd2898efb29209d55df1335147d9b0bb6cba77c4

4ae43094

Jun 10, 2015
- Update perfprofd rules to allow wake_unlock inspection. · beadf17a
  Than McIntosh authored 9 years ago
  
  Bug: http://b/19483574 Change-Id: Ie620011cb1d2c05fdfd4f2da375a57e47140b98f
  beadf17a
May 15, 2015

Tweak perfprofd sepolicy to include ipc_lock self capability. · aee12c37

Than McIntosh authored 9 years ago

Bug: http://b/19483574
Change-Id: Id39a5aaf531d2a75a22647bdafb34a6ef18201c8
(cherry picked from commit 728fe3d4)

aee12c37

May 14, 2015
- Tweak perfprofd sepolicy to include ipc_lock self capability. · 728fe3d4
  Than McIntosh authored 9 years ago
  
  Bug: http://b/19483574 Change-Id: Id39a5aaf531d2a75a22647bdafb34a6ef18201c8
  728fe3d4
May 06, 2015
- Update sepolicy to add label for /data/misc/perfprofd. · 34a468fa
  Dehao Chen authored 9 years ago
  
  Bug: 19483574 (cherry picked from commit 7d66f783) Change-Id: If617e29b6fd36c88c157941bc9e11cf41329da48
  34a468fa
- New sepolicy for perfprofd, simpleperf. · 38d0247d
  Than McIntosh authored 9 years ago
  
  Bug: http://b/19483574 (cherry picked from commit 0fdd364e) Change-Id: If29946a5d7f92522f3bbb807cea5f9f1b42a6513
  38d0247d
- Update sepolicy to add label for /data/misc/perfprofd. · 7d66f783
  Dehao Chen authored 9 years ago
  
  Bug: 19483574 Change-Id: I7e4c0cf748d2b216dcb3aede3803883552b58b64
  7d66f783
May 04, 2015
- New sepolicy for perfprofd, simpleperf. · 0fdd364e
  Than McIntosh authored 9 years ago
  
  Bug: http://b/19483574 Change-Id: I594f04004cccd2cbfadbd0f9d1bbb9815a2ea59d
  0fdd364e