Commit graph

8281 commits

Author SHA1 Message Date
Stephen Smalley
a1ce2fa221 Define wake_alarm and block_suspect capabilities. 2012-08-10 09:23:21 -04:00
rpcraig
abd977a79e Additions for grouper/JB 2012-08-10 06:25:52 -04:00
Stephen Smalley
fed246510c Allow debugfs access and setsched for mediaserver. 2012-08-09 08:36:10 -04:00
Stephen Smalley
6cce6199c3 Merge asec changes. 2012-07-31 09:52:17 -04:00
Stephen Smalley
1d19f7e356 Allow system_server to relabel /data/anr. 2012-07-31 09:45:01 -04:00
Stephen Smalley
5f9917c136 Allow debuggerd to restorecon the tombstone directory. 2012-07-31 09:15:46 -04:00
Haiqing Jiang
901cc36664 Untrusted_app gets route information 2012-07-30 16:54:24 -04:00
Haiqing Jiang
c70dc4e3c7 domain writes to cgroup pseudo filesystem 2012-07-30 16:40:03 -04:00
Stephen Smalley
d28714c6f9 Introduce app_read_logs boolean. 2012-07-30 16:04:47 -04:00
Haiqing Jiang
3261feef97 untrusted_app reads logs when android_cts enabled 2012-07-30 16:02:44 -04:00
Haiqing Jiang
173cbdd352 read permission over lnk_file to devices when android_cts enabled 2012-07-30 16:02:36 -04:00
rpcraig
e7e65d474f New asec container labeling.
This patchset covers the /mnt/asec variety only.
2012-07-30 14:20:40 -04:00
rpcraig
b19665c39d Add mac_permissions.xml file.
This was moved from external/mac-policy.git
2012-07-30 09:33:03 -04:00
Haiqing Jiang
1f0f77fcdf Allow CTS Test apps to access to system_data_file 2012-07-30 08:26:53 -04:00
Haiqing Jiang
59e9680825 socket permissions to untrusted_app 2012-07-30 08:26:47 -04:00
Haiqing Jiang
1ce0fe382a appdomain r/w apk_tmp_file and shell_data_file on android_cts enabled 2012-07-30 08:26:40 -04:00
Stephen Smalley
dd31ddfd87 seinfo can be used to select types, and sebool is now supported. 2012-07-27 17:08:21 -04:00
Haiqing Jiang
2b47c3fc35 allocate perms to platformappdomain over system_data_file 2012-07-27 17:01:33 -04:00
Haiqing Jiang
19e7fbeb25 mediaserver and system require abstract socket connnection 2012-07-27 16:22:14 -04:00
Haiqing Jiang
f6ca1605bc installd unlink platform_app_data_file 2012-07-27 16:16:39 -04:00
Haiqing Jiang
7585fc6400 Platform app domain sdcard accesses 2012-07-27 15:10:47 -04:00
Stephen Smalley
b9760aa0d5 Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps.
Platform (any of the apps signed by build keys, i.e. platform|release|shared|media) apps expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder.  Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps.

Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps.
Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps.
Specify this new type for the platform app entries in seapp_contexts.
Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them.
2012-07-27 11:07:09 -04:00
Haiqing Jiang
3296dea427 external/sepolicy: mediaserver open application data files 2012-07-24 09:01:02 -04:00
hqjiang
569f589aa6 external/sepolicy: system r/w udp_socket of appdomain 2012-07-24 09:00:32 -04:00
hqjiang
8f781f5767 external/sepolicy: install daemon unlink application data files 2012-07-24 08:59:27 -04:00
hqjiang
4c06d273bc Target the denials/policies over qtaguid file and device: 1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc"; 2. Label /dev/xt_qtaguid with "qtaguid_device"; 3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device; 4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device; 5. Allow system read/[write] to qtaguid_proc and qtaguid_device.
Actually, some of policies related to qtaguid have been there already, but
we refind existing ones and add new ones.
2012-07-19 16:11:24 -04:00
hqjiang
20d6963ac2 allow camera calibration 2012-07-19 16:09:58 -04:00
Matt Finifter
af56ac1954 Include su.te only for userdebug/eng builds.
Change-Id: Ia544f13910abbe5e9f6a6cafae397415a41a7a94
2012-07-18 13:25:23 -07:00
Stephen Smalley
1c7351652c Address various denials introduced by JB/4.1. 2012-07-12 13:26:15 -04:00
Stephen Smalley
c331d0fefa Restore devnull initial sid context. 2012-07-12 10:14:38 -04:00
William Roberts
dc1072365e Support for ocontexts per device.
ocontexts was split up into 4 files:
1.fs_use
2.genfs_contexts
3.initial_sid_contexts
4.port_contexts

Each file has their respective declerations in them.
Devices, in their respective device directory, can now specify sepolicy.fs_use, sepolicy.genfs_contexts, sepolicy.port_contexts, and sepolicy.initial_sid_contexts. These declerations will be added right behind their respective sepolicy counterparts in the concatenated configuration file.
2012-07-12 10:02:45 -04:00
Michal Mašek
96bf505962 Fix the app_ndk policy boolean allow rule. 2012-07-12 09:57:32 -04:00
hqjiang
e1c545d82f correct denies of inter system processes communication over named pipe 2012-07-12 09:28:44 -04:00
hqjiang
ee5f400562 Correct denies of rpmsg device when accessing to remote processors. 2012-07-12 09:28:33 -04:00
hqjiang
81039ab556 Corrected denials for LocationManager when accessing gps over uart. 2012-07-12 09:27:40 -04:00
Stephen Smalley
60e4f114ac Add key_socket class to socket_class_set macro. Allow system to trigger module auto-loading and to write to sockets created under /dev. 2012-06-28 14:28:24 -04:00
Stephen Smalley
965f2ff1b4 Allow system_app to set MAC enforcing mode and read MAC denials. 2012-06-28 13:59:07 -04:00
William Roberts
03d2803c54 media app should have rw access to sdcard dir and files. 2012-06-28 10:56:43 -04:00
Stephen Smalley
f3b587cab0 Rewrite app domains and seapp_contexts to leverage new seinfo tags. 2012-06-28 10:56:28 -04:00
Bob Craig
92495b38d5 Add persist.mac_enforcing_mode context 2012-06-28 10:51:25 -04:00
Stephen Smalley
35c8d4fdde system needs open permission to qtaguid ctrl file. 2012-06-27 09:15:38 -04:00
Stephen Smalley
322b37a96c Update system rule for qtaguid file. 2012-06-27 09:07:33 -04:00
Stephen Smalley
e4682a63ab Allow apps to write to /proc/net/xt_qtaguid/ctrl. 2012-06-27 08:54:53 -04:00
Stephen Smalley
6c39ee00e1 Make wallpaper_file a mlstrustedobject to permit writes from any app level. 2012-06-27 08:50:27 -04:00
William Roberts
56ad8c7322 This patch fixes rild trying to access the bluetooth efs dir with read
perms.
2012-06-27 08:45:51 -04:00
Joshua Brindle
70d4fc2243 Add selinux network script to policy
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
2012-06-21 09:19:43 -04:00
William Roberts
07ef7227f9 ion fix 2012-06-20 08:03:16 -04:00
Stephen Smalley
e8bc32b46e Public domain notice 2012-06-19 07:29:55 -04:00
William Roberts
f6f87105d4 Remove all denials caused by rild on tuna devices.
Tested on a maguro variant.
2012-06-07 11:52:51 -04:00
William Roberts
80ea1d2305 sdcard policy and fuse device label. 2012-05-31 09:44:51 -04:00