Commit graph

5 commits

Author SHA1 Message Date
Nick Kralevich
35a4ed80a6 Add wpa neverallow rule
wpa should never trust any data coming from the sdcard. Add a
compile time assertion to make sure no rules are ever added
allowing this access.

Change-Id: I5f50a8242aa30f6cc0cfd89d82b2b153625105f6
2014-11-06 10:57:03 -08:00
Riley Spahn
1196d2a576 Adding policies for KeyStore MAC.
Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-26 08:53:10 -07:00
Stephen Smalley
00b180dfb8 Eliminate some duplicated rules.
As reported by sepolicy-analyze -D -P /path/to/sepolicy.
No semantic difference reported by sediff between the policy
before and after this change.

Deduplication of selinuxfs read access resolved by taking the
common rules to domain.te (and thereby getting rid of the
selinux_getenforce macro altogether).

Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-17 15:30:37 -04:00
Stephen Smalley
867e398d54 Allow wpa to perform binder IPC to keystore.
Addresses denials such as:
 avc:  denied  { call } for  pid=2275 comm="wpa_supplicant" scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder

Change-Id: I8ab148046dd06f56630a2876db787b293e14c0ae
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-12 16:30:47 -04:00
Robert Craig
d9cec19bb2 Move wpa_supplicant.te to wpa.te.
The filename should be the same as the
domain with all the .te files.

Change-Id: Ib05eb84f881c680eb5bb43a4814cfb038fbff339
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-03-06 12:56:45 -05:00
Renamed from wpa_supplicant.te (Browse further)