tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
2022 commits 1 branch 0 tags 50 MiB
Commit graph

6 commits

Author SHA1 Message Date
Riley Spahn
b8511e0d98 Add access control for each service_manager action. 
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
 2014-07-14 11:09:27 -07:00
Stephen Smalley
701aebb59c Make inputflinger enforcing. 
Change-Id: I99f93e4dd5dc1f43291c46f6ed07e51097613689
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 2014-06-13 12:14:10 +00:00
Riley Spahn
f90c41f6e8 Add SELinux rules for service_manager. 
Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
 2014-06-12 20:46:07 +00:00
Stephen Smalley
e06e536388 Allow inputflinger to call system_server. 
Resolves denials such as:
avc:  denied  { read } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc:  denied  { open } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc:  denied  { search } for  pid=752 comm="ActivityManager" name="214" dev="proc" ino=1568 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=dir
avc:  denied  { read } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc:  denied  { call } for  pid=187 comm="Binder_2" scontext=u:r:inputflinger:s0 tcontext=u:r:system_server:s0 tclass=binder

Change-Id: I099d7dacf7116efa73163245597c3de629d358c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 2014-03-21 10:40:56 -04:00
Stephen Smalley
38b7f43021 Make inputflinger permissive or unconfined. 
Otherwise we'll never see denials in userdebug or eng builds and
never make progress on confining it.  Of course we cannot truly
test until it is released into AOSP, but this prepares the way
and potentially allows for internal testing and collection of denials.

Change-Id: I800ab23baee1c84b7c4cf7399b17611a62ca6804
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 2014-02-11 09:40:47 -05:00
Nick Kralevich
caa6a32d76 initial inputflinger domain 
Add a placeholder domain for inputflinger.
Mark it initially unconfined and enforcing.

Change-Id: I433fd9e1954486136cb8abb084b4e19bb7fc2f19
 2013-12-16 08:46:47 -08:00