tequilaOS/platform_system_sepolicy

Fork 0

Commit graph

Author	SHA1	Message	Date
Wyatt Riley	799c23490d	Removing UDP access for hal_gnss Underlying data services setup no longer needs this Bug: 35757613 Bug: 36085168 Test: GPS, XTRA & avc denial checks Change-Id: I679ee70f65f34d5a7d1fc1f1fe92af6a92ec92c5	2017-05-18 13:55:51 -07:00
Jeff Vander Stoep	84b96a6b68	Enforce one HAL per domain. HALs are intended to be limited responsibility and thus limited permission. In order to enforce this, place limitations on: 1. What processes may transition into a HAL - currently only init 2. What methods may be used to transition into a HAL - no using seclabel 3. When HALs exec - only allow exec with a domain transition. Bug: 36376258 Test: Build aosp_marlin, aosp_bullhead, aosp_dragon. Neverallow rules are compile time assertions, so building is a sufficient test. Change-Id: If4df19ced730324cf1079f7a86ceba7c71374131	2017-03-21 12:16:31 -07:00
Jeff Vander Stoep	f9be765d66	Restrict HAL network access to HALS that manage network hardware Only HALs that manage networks need network capabilities and network sockets. Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow rules are compile time assertions and do not change the on-device policy. Bug: 36185625 Change-Id: Id64846eac24cf72ed91ce775cecb2c75f11b78df	2017-03-13 21:35:48 -07:00

Author

SHA1

Message

Date

Wyatt Riley

799c23490d

Removing UDP access for hal_gnss

Underlying data services setup no longer needs this

Bug: 35757613
Bug: 36085168
Test: GPS, XTRA & avc denial checks
Change-Id: I679ee70f65f34d5a7d1fc1f1fe92af6a92ec92c5

2017-05-18 13:55:51 -07:00

Jeff Vander Stoep

84b96a6b68

Enforce one HAL per domain.

HALs are intended to be limited responsibility and thus limited
permission. In order to enforce this, place limitations on:
1. What processes may transition into a HAL - currently only init
2. What methods may be used to transition into a HAL - no using
   seclabel
3. When HALs exec - only allow exec with a domain transition.

Bug: 36376258
Test: Build aosp_marlin, aosp_bullhead, aosp_dragon. Neverallow rules
      are compile time assertions, so building is a sufficient test.

Change-Id: If4df19ced730324cf1079f7a86ceba7c71374131

2017-03-21 12:16:31 -07:00

Jeff Vander Stoep

f9be765d66

Restrict HAL network access to HALS that manage network hardware

Only HALs that manage networks need network capabilities and network
sockets.

Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow
      rules are compile time assertions and do not change the
      on-device policy.
Bug: 36185625

Change-Id: Id64846eac24cf72ed91ce775cecb2c75f11b78df

2017-03-13 21:35:48 -07:00

3 commits