tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
86 commits 1 branch 0 tags 50 MiB
Commit graph

86 commits

This branch
This branch
All branches
Author SHA1 Message Date
William Roberts
a861318074 Added new line to end of file 
Change-Id: I4f0576a47ca2e99bca719bf321349c7d7d05cd3c
 2012-09-05 11:23:40 -07:00
William Roberts
98ed392e68 Changed seapp_contexts temporary file naming 
Change-Id: I4f522869eeaa6f84771e4ee2328f65296dcc29db
 2012-09-05 11:23:19 -07:00
William Roberts
0ae3a8a2d5 Fix mls checking code 
Change-Id: I614caa520e218f8f148eef641fed2301571da8e1
 2012-09-04 11:51:04 -07:00
William Roberts
f0e0a94e03 Support overrides in seapp_contexts 
Provides support for overriding seapp_contexts declerations
in per device seapp_contexts files.

Change-Id: I23a0ffa1d24f1ce57825b168f29a2e885d3e1c51
 2012-09-04 10:55:38 -07:00
rpcraig
a363683c57 Add tf_daemon labeling support. 2012-08-24 08:23:20 -04:00
rpcraig
d49f7e6e36 Add ppp/mtp policy. 
Initial policy for Point-to-Point tunneling and
tunneling manager services.
 2012-08-20 06:19:36 -04:00
William Roberts
171a062571 per device seapp_context support 2012-08-16 14:00:19 -04:00
rpcraig
867ae0561c dhcp policy. 2012-08-15 06:25:14 -04:00
rpcraig
e07b8a56b9 Trusted Execution Environment policy. 2012-08-13 06:09:39 -04:00
Stephen Smalley
a1ce2fa221 Define wake_alarm and block_suspect capabilities. 2012-08-10 09:23:21 -04:00
rpcraig
abd977a79e Additions for grouper/JB 2012-08-10 06:25:52 -04:00
Stephen Smalley
fed246510c Allow debugfs access and setsched for mediaserver. 2012-08-09 08:36:10 -04:00
Stephen Smalley
6cce6199c3 Merge asec changes. 2012-07-31 09:52:17 -04:00
Stephen Smalley
1d19f7e356 Allow system_server to relabel /data/anr. 2012-07-31 09:45:01 -04:00
Stephen Smalley
5f9917c136 Allow debuggerd to restorecon the tombstone directory. 2012-07-31 09:15:46 -04:00
Haiqing Jiang
901cc36664 Untrusted_app gets route information 2012-07-30 16:54:24 -04:00
Haiqing Jiang
c70dc4e3c7 domain writes to cgroup pseudo filesystem 2012-07-30 16:40:03 -04:00
Stephen Smalley
d28714c6f9 Introduce app_read_logs boolean. 2012-07-30 16:04:47 -04:00
Haiqing Jiang
3261feef97 untrusted_app reads logs when android_cts enabled 2012-07-30 16:02:44 -04:00
Haiqing Jiang
173cbdd352 read permission over lnk_file to devices when android_cts enabled 2012-07-30 16:02:36 -04:00
rpcraig
e7e65d474f New asec container labeling. 
This patchset covers the /mnt/asec variety only.
 2012-07-30 14:20:40 -04:00
rpcraig
b19665c39d Add mac_permissions.xml file. 
This was moved from external/mac-policy.git
 2012-07-30 09:33:03 -04:00
Haiqing Jiang
1f0f77fcdf Allow CTS Test apps to access to system_data_file 2012-07-30 08:26:53 -04:00
Haiqing Jiang
59e9680825 socket permissions to untrusted_app 2012-07-30 08:26:47 -04:00
Haiqing Jiang
1ce0fe382a appdomain r/w apk_tmp_file and shell_data_file on android_cts enabled 2012-07-30 08:26:40 -04:00
Stephen Smalley
dd31ddfd87 seinfo can be used to select types, and sebool is now supported. 2012-07-27 17:08:21 -04:00
Haiqing Jiang
2b47c3fc35 allocate perms to platformappdomain over system_data_file 2012-07-27 17:01:33 -04:00
Haiqing Jiang
19e7fbeb25 mediaserver and system require abstract socket connnection 2012-07-27 16:22:14 -04:00
Haiqing Jiang
f6ca1605bc installd unlink platform_app_data_file 2012-07-27 16:16:39 -04:00
Haiqing Jiang
7585fc6400 Platform app domain sdcard accesses 2012-07-27 15:10:47 -04:00
Stephen Smalley
b9760aa0d5 Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps. 
Platform (any of the apps signed by build keys, i.e. platform|release|shared|media) apps expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder.  Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps.

Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps.
Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps.
Specify this new type for the platform app entries in seapp_contexts.
Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them.
 2012-07-27 11:07:09 -04:00
Haiqing Jiang
3296dea427 external/sepolicy: mediaserver open application data files 2012-07-24 09:01:02 -04:00
hqjiang
569f589aa6 external/sepolicy: system r/w udp_socket of appdomain 2012-07-24 09:00:32 -04:00
hqjiang
8f781f5767 external/sepolicy: install daemon unlink application data files 2012-07-24 08:59:27 -04:00
hqjiang
4c06d273bc Target the denials/policies over qtaguid file and device: 1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc"; 2. Label /dev/xt_qtaguid with "qtaguid_device"; 3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device; 4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device; 5. Allow system read/[write] to qtaguid_proc and qtaguid_device. 
Actually, some of policies related to qtaguid have been there already, but
we refind existing ones and add new ones.
 2012-07-19 16:11:24 -04:00
hqjiang
20d6963ac2 allow camera calibration 2012-07-19 16:09:58 -04:00
Stephen Smalley
1c7351652c Address various denials introduced by JB/4.1. 2012-07-12 13:26:15 -04:00
Stephen Smalley
c331d0fefa Restore devnull initial sid context. 2012-07-12 10:14:38 -04:00
William Roberts
dc1072365e Support for ocontexts per device. 
ocontexts was split up into 4 files:
1.fs_use
2.genfs_contexts
3.initial_sid_contexts
4.port_contexts

Each file has their respective declerations in them.
Devices, in their respective device directory, can now specify sepolicy.fs_use, sepolicy.genfs_contexts, sepolicy.port_contexts, and sepolicy.initial_sid_contexts. These declerations will be added right behind their respective sepolicy counterparts in the concatenated configuration file.
 2012-07-12 10:02:45 -04:00
Michal Mašek
96bf505962 Fix the app_ndk policy boolean allow rule. 2012-07-12 09:57:32 -04:00
hqjiang
e1c545d82f correct denies of inter system processes communication over named pipe 2012-07-12 09:28:44 -04:00
hqjiang
ee5f400562 Correct denies of rpmsg device when accessing to remote processors. 2012-07-12 09:28:33 -04:00
hqjiang
81039ab556 Corrected denials for LocationManager when accessing gps over uart. 2012-07-12 09:27:40 -04:00
Stephen Smalley
60e4f114ac Add key_socket class to socket_class_set macro. Allow system to trigger module auto-loading and to write to sockets created under /dev. 2012-06-28 14:28:24 -04:00
Stephen Smalley
965f2ff1b4 Allow system_app to set MAC enforcing mode and read MAC denials. 2012-06-28 13:59:07 -04:00
William Roberts
03d2803c54 media app should have rw access to sdcard dir and files. 2012-06-28 10:56:43 -04:00
Stephen Smalley
f3b587cab0 Rewrite app domains and seapp_contexts to leverage new seinfo tags. 2012-06-28 10:56:28 -04:00
Bob Craig
92495b38d5 Add persist.mac_enforcing_mode context 2012-06-28 10:51:25 -04:00
Stephen Smalley
35c8d4fdde system needs open permission to qtaguid ctrl file. 2012-06-27 09:15:38 -04:00
Stephen Smalley
322b37a96c Update system rule for qtaguid file. 2012-06-27 09:07:33 -04:00