Commits · fdaa7869a5541b55413f59845dc5f7c56bab0614 · Werner Sembach / AndroidSystemSEPolicy

Nov 19, 2012

Update policy for Android 4.2 / latest master. · 61c80d5e

Stephen Smalley authored 12 years ago


Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.

Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

61c80d5e

Oct 17, 2012

Revert "ISSUE 6849488 Bluedroid stack, remove system/bluetooth." · b83bb3f0

Kenny Root authored 12 years ago

This reverts commit b620dc60.

(cherry picked from commit 128db962)

Change-Id: I21227e6232c925a42597e5c8fc0fcc0585d7a876

b83bb3f0

Oct 16, 2012

allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access · f26d8130

Joshua Brindle authored 12 years ago


- allow all apps to connect to the keystore over unix socket
- dhcp runs scripts in /system/etc/dhcpcd/dhcpcd-hooks and creates/removes lease files
- mtp connects to dnsproxyd when a pptp vpn connection is established
- allow appdomain to also open qtaguid_proc and release_app to read qtaguid_device
- WifiWatchDog uses packet_socket when wifi comes up
- apps interact with isolated_apps when an app uses an isolated service and uses sockets for that interaction
- for apps with levelFromUid=true to interact with isolated_app, isolated_app must be an mlstrustedsubject

Change-Id: I09ff676267ab588ad4c73f04d8f23dba863c5949
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>

f26d8130

Sep 20, 2012
- ISSUE 6849488 Bluedroid stack, remove system/bluetooth. · b620dc60
  Zhihai Xu authored 12 years ago
  
  remove system/bluetooth dependency. bug 6849488 Change-Id: I259322385adafa4128deef5324e854bebef2b033
  b620dc60
Aug 20, 2012

Add ppp/mtp policy. · d49f7e6e

rpcraig authored 12 years ago

Initial policy for Point-to-Point tunneling and
tunneling manager services.

d49f7e6e

Aug 09, 2012
- Allow debugfs access and setsched for mediaserver. · fed24651
  Stephen Smalley authored 12 years ago
  
  fed24651
Jul 31, 2012
- Allow system_server to relabel /data/anr. · 1d19f7e3
  Stephen Smalley authored 12 years ago
  
  1d19f7e3
Jul 27, 2012
- mediaserver and system require abstract socket connnection · 19e7fbeb
  Haiqing Jiang authored 12 years ago
  
  19e7fbeb
Jul 24, 2012
- external/sepolicy: system r/w udp_socket of appdomain · 569f589a
  hqjiang authored 12 years ago
  
  569f589a
Jul 19, 2012

Target the denials/policies over qtaguid file and device: 1. Relabel... · 4c06d273

hqjiang authored 12 years ago

Target the denials/policies over qtaguid file and device: 1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc"; 2. Label /dev/xt_qtaguid with "qtaguid_device"; 3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device; 4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device; 5. Allow system read/[write] to qtaguid_proc and qtaguid_device.

Actually, some of policies related to qtaguid have been there already, but
we refind existing ones and add new ones.

4c06d273

Jul 12, 2012
- Address various denials introduced by JB/4.1. · 1c735165
  Stephen Smalley authored 12 years ago
  
  1c735165
- Corrected denials for LocationManager when accessing gps over uart. · 81039ab5
  hqjiang authored 12 years ago
  
  81039ab5
Jun 28, 2012
- Add key_socket class to socket_class_set macro. Allow system to trigger... · 60e4f114
  Stephen Smalley authored 12 years ago
  
  Add key_socket class to socket_class_set macro. Allow system to trigger module auto-loading and to write to sockets created under /dev.
  60e4f114
- Allow system_app to set MAC enforcing mode and read MAC denials. · 965f2ff1
  Stephen Smalley authored 12 years ago
  
  965f2ff1
Jun 27, 2012
- system needs open permission to qtaguid ctrl file. · 35c8d4fd
  Stephen Smalley authored 12 years ago
  
  35c8d4fd
- Update system rule for qtaguid file. · 322b37a9
  Stephen Smalley authored 12 years ago
  
  322b37a9
- Make wallpaper_file a mlstrustedobject to permit writes from any app level. · 6c39ee00
  Stephen Smalley authored 12 years ago
  
  6c39ee00
Apr 13, 2012
- Added policy to allow SEAndroidManager to read AVC messages. · a83fc379
  James Carter authored 12 years ago
  
  a83fc379
Apr 04, 2012

Rework the radio vs rild property split. · 730957ae

Stephen Smalley authored 12 years ago

Only label properties with the ril. prefix with rild_prop.
Allow rild and system (and radio) to set radio_prop.
Only rild can set rild_prop presently.

730957ae

Add policy for property service. · 124720a6

Stephen Smalley authored 12 years ago

New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.

124720a6

Mar 19, 2012
- Integrate nfc_power and rild rules from tuna sepolicy by Bryan Hinton. · f7948230
  Stephen Smalley authored 13 years ago
  
  f7948230
- Introduce a separate wallpaper_file type for the wallpaper file. · f6cbbe25
  Stephen Smalley authored 13 years ago
  
  f6cbbe25
- Introduce a separate apk_tmp_file type for the vmdl.*\.tmp files. · 59d28035
  Stephen Smalley authored 13 years ago
  
  59d28035
Mar 07, 2012
- Policy changes to support running the latest CTS. · c83d0087
  Stephen Smalley authored 13 years ago
  
  c83d0087
Feb 02, 2012
- Allow Settings to set enforcing and booleans if settings_manage_selinux is true. · 4c6f1ce8
  Stephen Smalley authored 13 years ago
  
  4c6f1ce8
Jan 10, 2012
- Allow system server to set scheduling info for apps. · 0d76f4e5
  Stephen Smalley authored 13 years ago
  
  0d76f4e5
Jan 06, 2012
- Further policy for Motorola Xoom. · c94e2392
  Stephen Smalley authored 13 years ago
  
  c94e2392
Jan 04, 2012
- SE Android policy. · 2dd4e51d
  Stephen Smalley authored 13 years ago
  
  2dd4e51d