Stephen Smalley
9709395b61
am c8106f12
: Only allow read/write not open on platform_app_data_file.
...
* commit 'c8106f12c09dfffebebcff6b435d4974e6b2a9d7':
Only allow read/write not open on platform_app_data_file.
2013-03-19 16:51:24 -07:00
Geremy Condra
1d7081e3cc
am d06104d8
: Merge "property_contexts checks added to checkfc."
...
* commit 'd06104d873a4256f8a6fb66ee0f930abbc15f8a1':
property_contexts checks added to checkfc.
2013-03-19 16:51:24 -07:00
Geremy Condra
e0c0ad2949
Revert "Dynamic insertion of pubkey to mac_permissions.xml"
...
This reverts commit 22fc04103b
Change-Id: I2d91b1262e8d0e82a21ea7c5333b1e86f3ed9bee
2013-03-19 16:40:08 -07:00
William Roberts
767abc077e
Drop shell from having access to dmesg
...
In normal, user builds, shell doesn't have the required
DAC permissions to acess the kernel log.
Change-Id: I001e6d65f508e07671bdb71ca2c0e1d53bc5b970
2013-03-19 23:09:22 +00:00
Geremy Condra
1446e714af
Revert "Dynamic insertion of pubkey to mac_permissions.xml"
...
This reverts commit 22fc04103b
Change-Id: I2d91b1262e8d0e82a21ea7c5333b1e86f3ed9bee
2013-03-19 22:56:46 +00:00
William Roberts
5a2988fcb5
Remove duplicate paths from sepolicy_replace_paths
...
Change-Id: I5d5362ad0055275052b0c2ba535b599a8e26112e
2013-03-19 22:49:13 +00:00
rpcraig
bac9992e86
watchdog security policy.
...
Initial policy for software watchdog daemon
which is started by init.
Change-Id: I042a5b1698bf53ce2e50ea06851c374e5123ee2c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-19 22:48:38 +00:00
Stephen Smalley
9ce99e3908
Update binder-related policy.
...
The binder_transfer_binder hook was changed in the kernel, obsoleting
the receive permission and changing the target of the transfer permission.
Update the binder-related policy to match the revised permission checking.
Change-Id: I1ed0dadfde2efa93296e967eb44ca1314cf28586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-19 22:48:17 +00:00
Stephen Smalley
1f5939a976
Allow search of tmpfs mount for /storage/emulated.
...
Change-Id: Ie79ff3fb9c0a893e348c4adb2f457cae42d7800f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-19 22:47:20 +00:00
Stephen Smalley
6136284081
Permit fstat of property mapping.
...
Change-Id: Ie58185519252dad29a23d0d3d54b1cbafea83a83
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-19 22:46:42 +00:00
Stephen Smalley
aeb512d2ed
Disable debugfs access by default.
...
Change-Id: I8265e34a76913a76eedd2d7a6fe3b14945fde924
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-19 22:45:53 +00:00
Stephen Smalley
c8106f12c0
Only allow read/write not open on platform_app_data_file.
...
Change-Id: Iad4ad43ce7ba3c00b69b7aac752b40bc2d3be002
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-19 22:45:12 +00:00
Geremy Condra
a74dd1f0ea
am 6d6c617f
: Merge "Whitespace and doxygen fix"
...
* commit '6d6c617f6d6644c71bd83a0a17d258b4041c98cf':
Whitespace and doxygen fix
2013-03-19 15:43:58 -07:00
Stephen Smalley
85f5972c4b
am ee80bfb9
: Add policy assertions (neverallow rules).
...
* commit 'ee80bfb9cf5727ce9938f76d88ac50833edee48c':
Add policy assertions (neverallow rules).
2013-03-19 15:43:57 -07:00
Geremy Condra
8b206260b4
am c0890c89
: Merge "Allow domain to random_device"
...
* commit 'c0890c899f572785b6a14a91bae6122b72db4416':
Allow domain to random_device
2013-03-19 15:43:57 -07:00
William Roberts
9a35a01401
am 6a64897a
: Do not allow access to device:chr_file for system
...
* commit '6a64897a4b098e834f7b6679c0c5b85fdbb752b2':
Do not allow access to device:chr_file for system
2013-03-19 15:43:57 -07:00
rpcraig
842a9dce5a
am 1c8464e1
: App data backup security policy.
...
* commit '1c8464e1365950538e9e4647a4f220910f79ab1e':
App data backup security policy.
2013-03-19 15:43:56 -07:00
Geremy Condra
2886640128
am c57dbccb
: Merge "Change security policy so all apps can read /dev/xt_qtaguid."
...
* commit 'c57dbccb50ff804f2e002df8bd6db54b0477b877':
Change security policy so all apps can read /dev/xt_qtaguid.
2013-03-19 15:43:56 -07:00
Geremy Condra
2b7e767cc9
am 5988bbf8
: Merge "Dynamic insertion of pubkey to mac_permissions.xml"
...
* commit '5988bbf8a2b6c4b7f329ee007e75004269d71817':
Dynamic insertion of pubkey to mac_permissions.xml
2013-03-19 15:43:56 -07:00
Geremy Condra
61dddba79f
am 04598de8
: Merge "Replaceable mac_permission.xml support"
...
* commit '04598de87251c433594f1073ebcd8116cee49345':
Replaceable mac_permission.xml support
2013-03-19 15:43:56 -07:00
Geremy Condra
62495abcdc
am 669f6792
: Merge "mediaserver.te refactor"
...
* commit '669f679243431084adaaacd6e4857e2eed92b93a':
mediaserver.te refactor
2013-03-19 15:43:55 -07:00
Geremy Condra
cc32a792c0
am eeafabde
: Merge "Label persist audio properties"
...
* commit 'eeafabde6188a21d7df741fa93ab5156e1c10414':
Label persist audio properties
2013-03-19 15:43:55 -07:00
Geremy Condra
d06104d873
Merge "property_contexts checks added to checkfc."
2013-03-19 22:42:19 +00:00
Geremy Condra
6d6c617f6d
Merge "Whitespace and doxygen fix"
2013-03-19 22:35:44 +00:00
Stephen Smalley
ee80bfb9cf
Add policy assertions (neverallow rules).
...
Change-Id: I384ea9516a5ed2369f7fa703499e284e29a2c0eb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-19 22:30:03 +00:00
Geremy Condra
c0890c899f
Merge "Allow domain to random_device"
2013-03-19 22:29:32 +00:00
Robert Craig
d98d26ef3c
property_contexts checks added to checkfc.
...
Change-Id: If361ea93fabd343728196eed2663fd572ecaa70b
Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
2013-03-19 22:28:46 +00:00
William Roberts
6a64897a4b
Do not allow access to device:chr_file for system
...
Also labels /dev/mpu and /dev/mpuirq as gps device.
mpu is motion processing unit and is resposible for
gyroscope functionality.
Change-Id: If7f1a5752c550b72fac681566e1052f09e139ff0
2013-03-19 22:27:03 +00:00
rpcraig
1c8464e136
App data backup security policy.
...
Policy covers:
* backup_data_file type for labeling all
files/dirs under /data dealing with
backup mechanism.
* cache_backup_file type for labeling all
files/dirs under /cache dealing with
backup mechanism. This also covers the
the use of LocalTransport for local archive
and restore testing.
* the use of 'adb shell bmgr' to initiate
backup mechanism from shell.
* the use of 'adb backup/restore' to archive
and restore the device's data.
Change-Id: I700a92d8addb9bb91474bc07ca4bb71eb4fc840e
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-19 22:22:10 +00:00
Geremy Condra
c57dbccb50
Merge "Change security policy so all apps can read /dev/xt_qtaguid."
2013-03-19 22:21:49 +00:00
Geremy Condra
5988bbf8a2
Merge "Dynamic insertion of pubkey to mac_permissions.xml"
2013-03-19 22:17:29 +00:00
Geremy Condra
04598de872
Merge "Replaceable mac_permission.xml support"
2013-03-19 22:17:10 +00:00
Geremy Condra
669f679243
Merge "mediaserver.te refactor"
2013-03-19 22:16:49 +00:00
Geremy Condra
eeafabde61
Merge "Label persist audio properties"
2013-03-19 22:16:31 +00:00
Stephen Smalley
17e91e8915
am e468016b
: zygote requires setpcap in order to drop from its bounding set.
...
* commit 'e468016b1bd79b505e62fd410f59a03bad8bbe06':
zygote requires setpcap in order to drop from its bounding set.
2013-02-19 12:28:38 -08:00
Stephen Smalley
e468016b1b
zygote requires setpcap in order to drop from its bounding set.
...
I8560fa5ad125bf31f0d13be513431697bc7d22bb changed the zygote
to limit the bounding capability set to CAP_NET_RAW. This triggers
a CAP_SETPCAP check by the kernel, which requires SELinux setpcap permission.
Change-Id: Ib910d97dcf708273e2806e2824f4abe9fc239d6d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-02-19 13:20:55 -05:00
William Roberts
40356b993a
Allow domain to random_device
...
Change-Id: I1a728cbc78e30c0b43309acc125169528d352f11
2013-01-30 10:40:58 -08:00
Stephen Smalley
78ec44500b
am 58b0fb6d
: Fix invalid specification for adb_keys.
...
* commit '58b0fb6ddee7257a6a27f31ba97d47fa23efac15':
Fix invalid specification for adb_keys.
2013-01-11 15:34:38 -08:00
Stephen Smalley
58b0fb6dde
Fix invalid specification for adb_keys.
...
A prior change added an entry for adb_keys without any security context,
yielding warnings like the following during build:
out/target/product/manta/root/file_contexts: line 7 is missing fields, skipping
This adds the missing security context field.
Change-Id: If48731c8aa7d22a3f547d0854f288ff68f9006da
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-01-11 15:05:03 -05:00
Colin Cross
19740e1806
am 92b9aa0e
: add file_contexts entries for root filesystem
...
* commit '92b9aa0eeff49e5bc3dc6297f3d35ec41d6ab73d':
add file_contexts entries for root filesystem
2012-12-28 09:47:47 -08:00
Colin Cross
92b9aa0eef
add file_contexts entries for root filesystem
...
It may be useful to generate an ext4 image of the root filesystem
instead of using a ramdisk. Whitelist entries in file_contexts to
support selinux labeling a root filesystem image.
Change-Id: I91a38d0aee4408c46cbfe5dc5e6eda198572e90f
2012-12-21 13:55:25 -08:00
William Roberts
22fc04103b
Dynamic insertion of pubkey to mac_permissions.xml
...
Support the inseretion of the public key from pem
files into the mac_permissions.xml file at build
time.
Change-Id: Ia42b6cba39bf93723ed3fb85236eb8f80a08962a
2012-12-08 09:26:37 +09:00
William Roberts
2c8a55dcf4
Replaceable mac_permission.xml support
...
Support overriding ma_permissions.xml
in BOARD_SEPOLICY_REPLACE
Change-Id: If0bca8bf29bc431a291b6d7b20de132e68cd6a79
2012-12-06 05:57:49 +09:00
rpcraig
4c266ba1bc
Change security policy so all apps can read /dev/xt_qtaguid.
...
Generic init.rc allows any process to use
socket tagging. Adjust app policy to ensure
that any app can read from the misc device.
Change-Id: I4076f0fbc1795f57a4227492f6bfc39a4398ffa5
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2012-12-05 10:08:19 -05:00
William Roberts
4e030c2a0f
mediaserver.te refactor
...
Change-Id: Ieaff9f3362c71e25e5c8e7204397a85ff14fff97
2012-11-28 12:18:30 -08:00
William Roberts
e2ad318e45
Label persist audio properties
...
label all persist.audio.* properties
and allow mediaserver access to them.
Change-Id: If5755d9783dce298e66a25bcb7f17ff17bd83ea7
2012-11-28 12:15:02 -08:00
William Roberts
fff2980a1a
Whitespace and doxygen fix
...
Change-Id: I7b6ad050051854120dc8031b17da6aec0e644be3
2012-11-27 14:20:34 -08:00
Stephen Smalley
7e7003ca16
am e8848726
: Add policy for run-as program.
...
* commit 'e8848726553e3abee6033200c98a657c9ca7cdb8':
Add policy for run-as program.
2012-11-27 11:25:43 -08:00
Kenny Root
ab1a61f28c
am fdaa7869
: Merge "README for configuration of selinux policy"
...
* commit 'fdaa7869a5541b55413f59845dc5f7c56bab0614':
README for configuration of selinux policy
2012-11-27 11:25:43 -08:00
William Roberts
8afb51c117
am c34a2527
: Allow shell to connect to property service
...
* commit 'c34a2527837daeeef51cde0fe77582d51a3bc744':
Allow shell to connect to property service
2012-11-27 11:25:42 -08:00