Commits · c3295802d7fb22213c073705480d1c1314d71d27 · Werner Sembach / AndroidSystemSEPolicy

Mar 23, 2013

Merge "New users need a wallpaper_file type." · c3295802
Geremy Condra authored 12 years ago

c3295802
Merge "Allow zygote to search tmpfs." · eee138c2
Geremy Condra authored 12 years ago

eee138c2

New users need a wallpaper_file type. · c5baaff7

rpcraig authored 12 years ago


Change-Id: I7ff4ed9f73f43918cac05a026af68cca8dbe02c3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

c5baaff7

Allow zygote to search tmpfs. · 8b3b4fe7
rpcraig authored 12 years ago
```
Change-Id: Ib0bdcbc1a7e45e1d1a046c9fa8aff89183ebfe0d
```
8b3b4fe7

New dev_types and other minor adjustments. · 41e53901

rpcraig authored 12 years ago


Add new dev_type:
- ump_device : Unified Memory Provider driver.
       The file_contexts entry should be
       described on a per device basis.

Minor adjustments:
- tee needs netlink socket access.
- ueventd needs to grant file operations.

Change-Id: I915304da687d3a2b9aa417e6f91ea915bd697676
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

41e53901

Make ion_device mls trusted. · 905e316d

rpcraig authored 12 years ago

Allow device node access irrespective
of MLS restrictions. Third party apps
(untrusted_app) domains need access too.

Change-Id: I132b8201bccb1ff31dc0c15a735f81f645c9836d

905e316d

racoon policy. · 18b5f87e

Robert Craig authored 12 years ago


Initial policy for racoon (IKE key management).

Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
Change-Id: If1e344f39ea914e42afbaa021b272ba1b7113479

18b5f87e

Mar 22, 2013

Merge "Revert "Various minor policy fixes based on CTS."" · dbb82fd8
Geremy Condra authored 12 years ago

dbb82fd8
Revert "Various minor policy fixes based on CTS." · ba84bf1d
Geremy Condra authored 12 years ago
```
This reverts commit 8a814a76

Change-Id: Id1497cc42d07ee7ff2ca44ae4042fc9f2efc9aad
```
ba84bf1d

Merge changes I5a3584b6,Ic7252a8e,I2d4ace75 · 9c0f2df1

Geremy Condra authored 12 years ago

* changes:
  Various minor policy fixes based on CTS.
  Split internal and external sdcards
  Give sdcard sys_admin capability.

9c0f2df1

Various minor policy fixes based on CTS. · 8a814a76

Stephen Smalley authored 12 years ago


Change-Id: I5a3584b6cc5eda2b7d82e85452f9fe457877f1d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

8a814a76

Split internal and external sdcards · c195ec31

William Roberts authored 12 years ago

Two new types are introduced:
sdcard_internal
sdcard_external

The existing type of sdcard, is dropped and a new attribute
sdcard_type is introduced.

The boolean app_sdcard_rw has also been changed to allow for
controlling untrusted_app domain to use the internal and external
sdcards.

Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5

c195ec31

Give sdcard sys_admin capability. · 1ed1effa
Robert Craig authored 12 years ago
```
Change-Id: I2d4ace75f3e75f47f99e93d58922d5719b47fffe
```
1ed1effa
Allow bluetooth users to use socket provided by bluetooth app. · f766c4d9
Stephen Smalley authored 12 years ago
```
Change-Id: Ia061aa3b19229b96f643ca0285a7fa5fa06fd780
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
```
f766c4d9

Create policy for PAN connections. · ff7e5305

rpcraig authored 12 years ago


Policy to allow bluetooth tethering.

Change-Id: Ic24c97b0e1dc93395b8381b78ca4929baa30337c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

ff7e5305

Allow domain search/getattr access to security file · 4d3f1089
William Roberts authored 12 years ago
```
Change-Id: I3b35b68247f35d5d9d9afd33c203aa97e437dc14
```
4d3f1089

Move policy files · 9e70c8bf

William Roberts authored 12 years ago

Update the file_contexts for the new location of
the policy files, as well as update the policy
for the management of these types.

Change-Id: Idc475901ed437efb325807897e620904f4ff03e9

9e70c8bf

Mar 21, 2013
- bluetooth app requires net_admin for enabling bluetooth. · 346cae27
  Stephen Smalley authored 12 years ago
  
  Change-Id: I571731169036a3203d0145af67f45b3d9eb6366b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  346cae27
- Merge "Strengthen setenforce and setbool assertions" · cf141426
  Geremy Condra authored 12 years ago
  
  cf141426
- Require entrypoint to be explicitly granted for unconfined domains. · 9aea69c0
  Stephen Smalley authored 12 years ago
  
  Change-Id: Ieeaa002061c9e4224ea90dfa60dffb112aa152c2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  9aea69c0
- Strengthen setenforce and setbool assertions · 193d1292
  William Roberts authored 12 years ago
  
  Change-Id: I58f15889c248b49f9e29028a3c0a86b4c950ff07
  193d1292
- Add BOARD_SEPOLICY_IGNORE · 15b3ceda
  William Roberts authored 12 years ago
  
  See README for further details. Change-Id: I4599c7ecd5a552e38de89d0a9e496e047068fe05
  15b3ceda
Mar 20, 2013

Merge "Drop shell from having access to dmesg" · acea73d5
Geremy Condra authored 12 years ago

acea73d5

Generalize levelFromUid support. · 38084146

Stephen Smalley authored 12 years ago


Introduce a levelFrom=none|app|user|all syntax for specifying
per-app, per-user, or per-combination level assignment.
levelFromUid=true|false remains valid syntax but is deprecated.
levelFromUid=true is equivalent to levelFrom=app.

Update check_seapp to accept the new syntax.
Update seapp_contexts to document the new syntax and switch
from levelFromUid=true to levelFrom=app.  No change in behavior.

Change-Id: Ibaddeed9bc3e2586d524efc2f1faa5ce65dea470
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

38084146

Merge "watchdog security policy." · ae0fcf1f
Geremy Condra authored 12 years ago

ae0fcf1f
Merge "Update binder-related policy." · 566553e3
Geremy Condra authored 12 years ago

566553e3

Mar 19, 2013

Drop shell from having access to dmesg · 767abc07

William Roberts authored 12 years ago

In normal, user builds, shell doesn't have the required
DAC permissions to acess the kernel log.

Change-Id: I001e6d65f508e07671bdb71ca2c0e1d53bc5b970

767abc07

Revert "Dynamic insertion of pubkey to mac_permissions.xml" · 1446e714
Geremy Condra authored 12 years ago
```
This reverts commit 22fc0410

Change-Id: I2d91b1262e8d0e82a21ea7c5333b1e86f3ed9bee
```
1446e714
Remove duplicate paths from sepolicy_replace_paths · 5a2988fc
William Roberts authored 12 years ago
```
Change-Id: I5d5362ad0055275052b0c2ba535b599a8e26112e
```
5a2988fc

watchdog security policy. · bac9992e

rpcraig authored 12 years ago


Initial policy for software watchdog daemon
which is started by init.

Change-Id: I042a5b1698bf53ce2e50ea06851c374e5123ee2c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

bac9992e

Update binder-related policy. · 9ce99e39

Stephen Smalley authored 12 years ago

The binder_transfer_binder hook was changed in the kernel, obsoleting
the receive permission and changing the target of the transfer permission.
Update the binder-related policy to match the revised permission checking.

Change-Id: I1ed0dadfde2efa93296e967eb44ca1314cf28586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

9ce99e39

Allow search of tmpfs mount for /storage/emulated. · 1f5939a9

Stephen Smalley authored 12 years ago


Change-Id: Ie79ff3fb9c0a893e348c4adb2f457cae42d7800f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

1f5939a9

Permit fstat of property mapping. · 61362840

Stephen Smalley authored 12 years ago


Change-Id: Ie58185519252dad29a23d0d3d54b1cbafea83a83
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

61362840

Disable debugfs access by default. · aeb512d2

Stephen Smalley authored 12 years ago


Change-Id: I8265e34a76913a76eedd2d7a6fe3b14945fde924
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

aeb512d2

Only allow read/write not open on platform_app_data_file. · c8106f12
Stephen Smalley authored 12 years ago
```
Change-Id: Iad4ad43ce7ba3c00b69b7aac752b40bc2d3be002
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
```
c8106f12
Merge "property_contexts checks added to checkfc." · d06104d8
Geremy Condra authored 12 years ago

d06104d8
Merge "Whitespace and doxygen fix" · 6d6c617f
Geremy Condra authored 12 years ago

6d6c617f

Add policy assertions (neverallow rules). · ee80bfb9

Stephen Smalley authored 12 years ago


Change-Id: I384ea9516a5ed2369f7fa703499e284e29a2c0eb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

ee80bfb9

Merge "Allow domain to random_device" · c0890c89
Geremy Condra authored 12 years ago

c0890c89

property_contexts checks added to checkfc. · d98d26ef

Robert Craig authored 12 years ago


Change-Id: If361ea93fabd343728196eed2663fd572ecaa70b
Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>

d98d26ef