tequilaOS/platform_system_sepolicy

11268 commits 1 branch 0 tags 50 MiB

Author	SHA1	Message	Date
Sandeep Patil	2ee66e7d14	sepolicy: make exec_types in /vendor a subset of vendor_file_type We install all default hal implementations in /vendor/bin/hw along with a few domains that are defined in vendor policy and installed in /vendor. These files MUST be a subset of the global 'vendor_file_type' which is used to address all files installed in /vendor throughout the policy. Bug: 36463595 Test: Boot sailfish without any new denials Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41 Signed-off-by: Sandeep Patil <sspatil@google.com>	2017-04-11 17:20:36 +00:00
Alex Klyubin	9e6b24c6a5	Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9	2017-03-16 19:55:16 -07:00
Chia-I Wu	1b95d88c6d	Allow HWC to be binderized Test: manual Bug: 32021609 Change-Id: I6793794f3b1fb95b8dd9336f75362447de618274	2017-02-06 12:50:03 -08:00

Author

SHA1

Message

Date

Sandeep Patil

2ee66e7d14

sepolicy: make exec_types in /vendor a subset of vendor_file_type

We install all default hal implementations in /vendor/bin/hw along with
a few domains that are defined in vendor policy and installed in
/vendor. These files MUST be a subset of the global 'vendor_file_type'
which is used to address *all files installed in /vendor* throughout the
policy.

Bug: 36463595
Test: Boot sailfish without any new denials

Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41
Signed-off-by: Sandeep Patil <sspatil@google.com>

2017-04-11 17:20:36 +00:00

Alex Klyubin

9e6b24c6a5

Annotate most remaining HALs with _client/_server

This switches most remaining HALs to the _client/_server approach.
To unblock efforts blocked on majority of HALs having to use this
model, this change does not remove unnecessary rules from clients of
these HALs. That work will be performed in follow-up commits. This
commit only adds allow rules and thus does not break existing
functionality.

The HALs not yet on the _client/_server model after this commit are:
* Allocator HAL, because it's non-trivial to declare all apps except
  isolated apps as clients of this HAL, which they are.
* Boot HAL, because it's still on the non-attributized model and I'm
  waiting for update_engine folks to answer a couple of questions
  which will let me refactor the policy of this HAL.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: Device boots in recovery mode, no new denials
Bug: 34170079
Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9

2017-03-16 19:55:16 -07:00

Chia-I Wu

1b95d88c6d

Allow HWC to be binderized

Test: manual
Bug: 32021609
Change-Id: I6793794f3b1fb95b8dd9336f75362447de618274

2017-02-06 12:50:03 -08:00

Renamed from private/hal_graphics_composer_default.te (Browse further)

3 commits