Define new netlink socket security classes introduced by upstream kernel commit
6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket
classes"). This was merged in Linux 4.2 and is therefore only required
for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch
of the kernel/common tree).
Add the new socket classes to socket_class_set.
Add an initial set of allow rules although further refinement
will likely be necessary. Any allow rule previously written
on :netlink_socket may need to be rewritten or duplicated for
one or more of the more specific classes. For now, we retain
the existing :netlink_socket rules for compatibility on older kernels.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit 01d95c23ab)
Change-Id: Ic00a0d474730cda91ba3bc387e0cc14482f82114
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.
Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
wpa should never trust any data coming from the sdcard. Add a
compile time assertion to make sure no rules are ever added
allowing this access.
Change-Id: I5f50a8242aa30f6cc0cfd89d82b2b153625105f6
Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.
Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
As reported by sepolicy-analyze -D -P /path/to/sepolicy.
No semantic difference reported by sediff between the policy
before and after this change.
Deduplication of selinuxfs read access resolved by taking the
common rules to domain.te (and thereby getting rid of the
selinux_getenforce macro altogether).
Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The filename should be the same as the
domain with all the .te files.
Change-Id: Ib05eb84f881c680eb5bb43a4814cfb038fbff339
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
