tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
3352 commits 1 branch 0 tags 50 MiB
Commit graph

3352 commits

This branch
This branch
All branches
Author SHA1 Message Date
Riley Spahn
f43e5bf77e am b8511e0d: Add access control for each service_manager action. 
* commit 'b8511e0d98880a683c276589ab7d8d7666b7f8c1':
  Add access control for each service_manager action.
 2014-07-14 20:46:47 +00:00
Sreeram Ramachandran
a72d7b9abe am 0ff90f1a: am 2f91ce55: am e4409728: am 65edb75d: Allow netd to create data files in /data/misc/net/. 
* commit '0ff90f1ac9c30dd7cdedd2968558dbe5ef8fa359':
 2014-07-14 19:13:09 +00:00
Nick Kralevich
ec94cc324a am deb52ba4: am 1c7463ac: am d27aeb21: am e9d97b74: recovery: allow read access to fuse filesystem 
* commit 'deb52ba4d6089826239233089114764d5bf51b0f':
 2014-07-14 19:13:09 +00:00
Nick Kralevich
d765ba5089 am 69aaf4a9: am ddfaf822: am d86b0a81: am 9f6af083: New domain "install_recovery" 
* commit '69aaf4a9c59343f29e77c3f67e18bcc541ad6b35':
 2014-07-14 19:13:08 +00:00
Jeff Sharkey
68f9a15e3f am 611922e7: am 554a8a3d: am e900e573: am 77e85289: Merge "Rules to allow installing package directories." 
* commit '611922e7e15bbc7b4d524f3ce1112d4b19bcd3da':
 2014-07-14 19:13:08 +00:00
Doug Zongker
c5b8fd9c96 am 9f88bc55: support newer-style adbd interface in recovery 
* commit '9f88bc554d93dd2f6efafb67e11cc002cc6ea14e':
  support newer-style adbd interface in recovery
 2014-07-14 19:13:07 +00:00
Nick Kralevich
dfb0b95a4d am a50467c3: am a2933b66: am 2b3c5de2: Merge "install_recovery: start enforcing SELinux rules" 
* commit 'a50467c3c78fa31cfab05f0e56b0292a0425f026':
 2014-07-14 19:13:07 +00:00
Nick Kralevich
417c0986dd am d684f1a5: am 5b347a60: am 1d2ff869: allow ueventd sysfs_type lnk_file 
* commit 'd684f1a5c664b61e561e683efe4cd42a5b8c6b6d':
 2014-07-14 19:13:06 +00:00
Nick Kralevich
5015799317 am feb59442: am 5b5ba50f: am b59dc27a: Drop sys_rawio neverallow for tee 
* commit 'feb594422cc9949a72195e03ee740133b334cd93':
 2014-07-14 19:13:06 +00:00
Nick Kralevich
805e103851 am 2cfe1fa0: am 7e953e77: am f5835666: Don\'t use don\'t 
* commit '2cfe1fa0a61784320f0674a9357c049873a32bdb':
 2014-07-14 19:13:01 +00:00
Nick Kralevich
d9db78f5b8 am eec3c7cd: am f7cf7a4b: am 99d86c7a: ensure that untrusted_app can\'t set properties 
* commit 'eec3c7cd86197fe5e60d7ec0daba7eaf58c71bcb':
 2014-07-14 19:13:00 +00:00
Colin Cross
1b3498617c am 88a65e24: am bfd4eac7: am 5d60f04e: sepolicy: allow system server to remove cgroups 
* commit '88a65e2495fc04b1522237daf8e355cf65d478e2':
 2014-07-14 19:13:00 +00:00
Andres Morales
cf996894a7 am efcb5947: am aaaeb02e: am 2cd9c9bd: Merge "Typedef+rules for SysSer to access persistent block device" 
* commit 'efcb5947f98014baf06d5a4d7846aff5a65f292d':
 2014-07-14 19:12:59 +00:00
Jeff Sharkey
fd3d06a24b am 389ac063: am 568443bc: am d3356826: Let DCS read staged APK clusters. 
* commit '389ac0638789fbf29918264b398e2a282b65fd6c':
 2014-07-14 19:12:59 +00:00
Andres Morales
ec149fc006 am 254953d9: am 9c52a78c: am e844113b: Allow SystemServer to start PersistentDataBlockService 
* commit '254953d9fe912e38b6116c8b3aee01bfc6e7f108':
 2014-07-14 19:12:58 +00:00
Sreeram Ramachandran
8d90bd7932 am 43613e6b: am 5e476c36: am d2d172a3: Allow dumpstate to read the list of routing tables. 
* commit '43613e6b70be9962db5a297a8ff63e78e8321dd3':
 2014-07-14 19:12:58 +00:00
Sreeram Ramachandran
23bf1c71ae am d9cb5eaa: am e4409728: am 65edb75d: Allow netd to create data files in /data/misc/net/. 
* commit 'd9cb5eaaa343794b5718a3ac7638037e3a5b726d':
 2014-07-14 19:12:58 +00:00
Nick Kralevich
69de791be7 am 0cbdd20a: am d27aeb21: am e9d97b74: recovery: allow read access to fuse filesystem 
* commit '0cbdd20a3d181d3bc773175d85f7505e7ddd6eed':
 2014-07-14 19:12:57 +00:00
Nick Kralevich
026c7d90d3 am 31739880: am d86b0a81: am 9f6af083: New domain "install_recovery" 
* commit '31739880e215b0ee1daa3170f9e3a8c8ae2dcfe1':
 2014-07-14 19:12:57 +00:00
Jeff Sharkey
dcd9393438 am 7deb1b01: am e900e573: am 77e85289: Merge "Rules to allow installing package directories." 
* commit '7deb1b0130b699716cbdc1f6084bdb12c635f09b':
 2014-07-14 19:12:56 +00:00
Jeff Sharkey
817f8ee2be am c02c98d3: Rules to allow installing package directories. 
* commit 'c02c98d3271be09483cd8de3e79ecae459c3a1ce':
  Rules to allow installing package directories.
 2014-07-14 19:12:56 +00:00
Nick Kralevich
f6a4ba354b am c103da87: Merge "Put dex2oat in it\'s own sandbox" 
* commit 'c103da877b72aae80616dbc192982aaf75dfe888':
  Put dex2oat in it's own sandbox
 2014-07-14 18:17:27 +00:00
Todd Poynor
ce8f84bbf1 am 3a8c5dc0: Allow oemfs search for system_server and bootanim 
* commit '3a8c5dc05fb7696dd81b8a7c1b2524224154e8ea':
  Allow oemfs search for system_server and bootanim
 2014-07-14 18:17:21 +00:00
Nick Kralevich
a678c97e91 am a7c04dcd: Remove domain:process from unconfined 
* commit 'a7c04dcd748e1a9daf374551303a3bd578305cf9':
  Remove domain:process from unconfined
 2014-07-14 18:17:20 +00:00
Doug Zongker
341e954735 am bad4e91d: support newer-style adbd interface in recovery 
* commit 'bad4e91dd2c7c043707d93b347b06d45f1f9b25b':
  support newer-style adbd interface in recovery
 2014-07-14 18:17:20 +00:00
Nick Kralevich
06a890a29d am 4da3bb14: Merge "Rename sdcard_internal/external types." 
* commit '4da3bb1481e4e894a7dee3f3b9ec8cef6f6b1aed':
  Rename sdcard_internal/external types.
 2014-07-14 18:17:19 +00:00
Riley Spahn
b8511e0d98 Add access control for each service_manager action. 
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
 2014-07-14 11:09:27 -07:00
Nick Kralevich
9477227bd8 am 2b3c5de2: Merge "install_recovery: start enforcing SELinux rules" 
* commit '2b3c5de21e96668f203628cddf88241774b3735d':
  install_recovery: start enforcing SELinux rules
 2014-07-14 17:48:51 +00:00
Nick Kralevich
885c2dc932 am 1d2ff869: allow ueventd sysfs_type lnk_file 
* commit '1d2ff869634649955fab0be3fb724d8b937c80bf':
  allow ueventd sysfs_type lnk_file
 2014-07-14 17:48:50 +00:00
Nick Kralevich
90fcfb64fd am b59dc27a: Drop sys_rawio neverallow for tee 
* commit 'b59dc27a1b580a13c50477d2af1cbdaf95601d8f':
  Drop sys_rawio neverallow for tee
 2014-07-14 17:48:45 +00:00
Nick Kralevich
e446a74acd am f5835666: Don\'t use don\'t 
* commit 'f58356661632d4c08870122f2cf944ea4edfe810':
  Don't use don't
 2014-07-14 17:48:44 +00:00
Nick Kralevich
6996ff50a6 am 99d86c7a: ensure that untrusted_app can\'t set properties 
* commit '99d86c7a77d402a106a1b3fe57af06dbb231c750':
  ensure that untrusted_app can't set properties
 2014-07-14 17:48:43 +00:00
Colin Cross
3fb3b74986 am 5d60f04e: sepolicy: allow system server to remove cgroups 
* commit '5d60f04e5d43d084992d59c38a631a034b88e715':
  sepolicy: allow system server to remove cgroups
 2014-07-14 17:48:41 +00:00
Andres Morales
b6645b089a am 2cd9c9bd: Merge "Typedef+rules for SysSer to access persistent block device" 
* commit '2cd9c9bd3fa54ca78d0847763df4bca5fe940dcf':
  Typedef+rules for SysSer to access persistent block device
 2014-07-14 17:48:30 +00:00
Jeff Sharkey
b766f69971 am d3356826: Let DCS read staged APK clusters. 
* commit 'd33568264f0843feafc2d17c38e863f914f1fc57':
  Let DCS read staged APK clusters.
 2014-07-14 17:48:29 +00:00
Andres Morales
e49fc0958a am e844113b: Allow SystemServer to start PersistentDataBlockService 
* commit 'e844113bc114484339b0c74a978c0fa5cfa250e1':
  Allow SystemServer to start PersistentDataBlockService
 2014-07-14 17:48:26 +00:00
Sreeram Ramachandran
d978aca99b am d2d172a3: Allow dumpstate to read the list of routing tables. 
* commit 'd2d172a33ec747299961649e3cdb3095a38eef01':
  Allow dumpstate to read the list of routing tables.
 2014-07-14 16:23:29 +00:00
Nick Kralevich
2aa727e3f0 DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true 
Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're preparing a release,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Without this change, our user builds will behave differently than
userdebug builds, complicating testing.

Change-Id: I52fd5fbe30a7f52f1143f176915ce55fb6a33f87
 2014-07-14 09:15:08 -07:00
Sreeram Ramachandran
0ff90f1ac9 am 2f91ce55: am e4409728: am 65edb75d: Allow netd to create data files in /data/misc/net/. 
* commit '2f91ce5519d46e38a609e3aed0c507af072507ec':
 2014-07-11 17:56:33 +00:00
Nick Kralevich
deb52ba4d6 am 1c7463ac: am d27aeb21: am e9d97b74: recovery: allow read access to fuse filesystem 
* commit '1c7463aca155e397855e2863dd85a4b90965cc3a':
 2014-07-11 17:56:32 +00:00
Nick Kralevich
69aaf4a9c5 am ddfaf822: am d86b0a81: am 9f6af083: New domain "install_recovery" 
* commit 'ddfaf822e9786100a7bb9a399bea906f0ed7b7c8':
 2014-07-11 17:33:00 +00:00
Jeff Sharkey
611922e7e1 am 554a8a3d: am e900e573: am 77e85289: Merge "Rules to allow installing package directories." 
* commit '554a8a3d2928faf3117bc77bff4214d63ba504c3':
 2014-07-11 17:32:59 +00:00
Sreeram Ramachandran
2f91ce5519 am e4409728: am 65edb75d: Allow netd to create data files in /data/misc/net/. 
* commit 'e440972845371fa8a2727c563237cd705ca96b2d':
  Allow netd to create data files in /data/misc/net/.
 2014-07-11 17:29:03 +00:00
Nick Kralevich
1c7463aca1 am d27aeb21: am e9d97b74: recovery: allow read access to fuse filesystem 
* commit 'd27aeb218089360ecd17fabe0cefb953374dc33a':
  recovery: allow read access to fuse filesystem
 2014-07-11 17:28:50 +00:00
Nick Kralevich
ddfaf822e9 am d86b0a81: am 9f6af083: New domain "install_recovery" 
* commit 'd86b0a81ab10cc48c4a2c52f27e8cdbfc927a52f':
  New domain "install_recovery"
 2014-07-11 16:19:04 +00:00
Jeff Sharkey
554a8a3d29 am e900e573: am 77e85289: Merge "Rules to allow installing package directories." 
* commit 'e900e57385fddb558e784089ba3c145d9dfbd659':
  Rules to allow installing package directories.
 2014-07-11 16:19:00 +00:00
Todd Poynor
3a8c5dc05f Allow oemfs search for system_server and bootanim 
Address denials in devices that use /oem

Change-Id: I80b76bb58bab9b6c54d6550eb801664d82a4d403
 2014-07-11 01:47:52 +00:00
Doug Zongker
9f88bc554d support newer-style adbd interface in recovery 
Support opening the ffs-based interface for adbd in recovery.  (Copied
from adbd.te.)

Bug: 16183878
Change-Id: I714ccb34f60d1413d2b184dae9b561cd06bc6b45
 2014-07-10 15:58:17 -07:00
Nick Kralevich
a7c04dcd74 Remove domain:process from unconfined 
Prune down unconfined so it doesn't allow process access
to all other domains. Use domain_trans() for transitions to
seclabeled domains.

Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
 2014-07-10 13:54:20 -07:00
Nick Kralevich
c103da877b Merge "Put dex2oat in it's own sandbox" 2014-07-10 20:43:44 +00:00