Commit graph

9 commits

Author SHA1 Message Date
Stephen Smalley
b1cb3205ca Confine wpa_supplicant, but leave it permissive for now.
Change-Id: Iaa4ed5428d1c49cb4cff3a39c48800cb108f2ac3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-13 16:30:55 -05:00
Nick Kralevich
353c72e3b0 Move unconfined domains out of permissive mode.
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
2013-10-21 12:52:03 -07:00
repo sync
77d4731e9d Make all domains unconfined.
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
2013-05-20 11:08:05 -07:00
repo sync
50e37b93ac Move domains into per-domain permissive mode.
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
2013-05-14 21:36:32 -07:00
repo sync
2cb928ba4e Remove special rules for interacting with sockets from init.
Change-Id: I544c0c1bbe84834970958a65fcef1d10e7e29047
2013-05-07 22:12:59 -07:00
repo sync
fb076f8b11 Add temporary policy for wpa_supplicant.
This allows wpa_supplicant to interact with the sockets created
for it by init. Eventually we'll want those to be properly
labelled, but allow until then.

Change-Id: I33fcd22173a8d47bbc4ada8d6aa62b4d159cbb15
2013-05-07 16:58:01 -07:00
Jon Larimer
c65b2ba338 Update wpa_supplicant policy
Change-Id: I9b05f0f2ce6c6c52b4207cac3120f06565b7da30
2013-05-06 16:29:42 -04:00
rpcraig
abd977a79e Additions for grouper/JB 2012-08-10 06:25:52 -04:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00