platform_system_sepolicy/public
Nick Kralevich 07c3a5a522 Move to ioctl whitelisting for /dev/pts/* files
In particular, get rid of TIOCSTI, which is only ever used for exploits.

http://www.openwall.com/lists/oss-security/2016/09/26/14

Bug: 33073072
Bug: 7530569
Test: "adb shell" works
Test: "adb install package" works
Test: jackpal terminal emulator from
      https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en
      works
Change-Id: I96b5e7059d106ce57ff55ca6e458edf5a4c393bf
2016-11-22 18:59:38 -08:00
adbd.te Rename autoplay_app to ephemeral_app 2016-10-07 09:52:31 -07:00
app.te only permit text relocations in untrusted_app 2016-11-20 15:10:34 +00:00
attributes Move hal_light to attribute. 2016-11-18 08:40:04 -08:00
audioserver.te clean up hal types 2016-10-26 09:50:04 -07:00
binderservicedomain.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
blkid.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
blkid_untrusted.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
bluetooth.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
bluetoothdomain.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
boot_control_hal.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
bootanim.te Add sepolicy for hwcomposer HAL 2016-11-14 01:10:02 +00:00
bootstat.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
cameraserver.te Add sepolicy for gralloc-alloc HAL 2016-11-14 01:09:51 +00:00
clatd.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
cppreopts.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
debuggerd.te profman/debuggerd: allow libart_file:file r_file_perms 2016-11-08 09:28:28 -08:00
device.te Collapse urandom_device into random_device 2016-11-21 16:37:07 +00:00
dex2oat.te Label ephemeral APKs and handle their install/uninstall 2016-11-12 00:27:28 +00:00
dhcp.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
dnsmasq.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
domain.te Move to ioctl whitelisting for /dev/pts/* files 2016-11-22 18:59:38 -08:00
domain_deprecated.te domain_deprecated.te: delete stale permissions 2016-11-20 08:34:02 -08:00
drmserver.te Rename autoplay_app to ephemeral_app 2016-10-07 09:52:31 -07:00
dumpstate.te Added permissions for the dumpstate service. 2016-11-01 10:43:25 -07:00
ephemeral_app.te Allow ephemeral apps network connections 2016-11-14 12:24:51 -08:00
file.te Label ephemeral APKs and handle their install/uninstall 2016-11-12 00:27:28 +00:00
fingerprintd.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
fsck.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
fsck_untrusted.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
gatekeeperd.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
global_macros Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
hal_audio.te clean up hal types 2016-10-26 09:50:04 -07:00
hal_boot.te Revert "Move boot_control_hal attribute to hal_boot domain" 2016-11-18 02:43:03 +00:00
hal_graphics_allocator.te Add sepolicy for gralloc-alloc HAL 2016-11-14 01:09:51 +00:00
hal_graphics_composer.te Add sepolicy for hwcomposer HAL 2016-11-14 01:10:02 +00:00
hal_light.te Move hal_light to attribute. 2016-11-18 08:40:04 -08:00
hal_memtrack.te hal_memtrack: Add sepolicy for memtrack service. 2016-11-03 13:05:48 -07:00
hal_nfc.te clean up hal types 2016-10-26 09:50:04 -07:00
hal_power.te hal_power: Add sepolicy for power service. 2016-11-03 13:01:48 -07:00
hal_thermal.te sepolicy: Add policy for thermal HIDL service 2016-11-08 13:34:31 +01:00
hal_vibrator.te clean up hal types 2016-10-26 09:50:04 -07:00
hal_vr.te clean up hal types 2016-10-26 09:50:04 -07:00
hal_wifi.te wifi_hal: Rename to 'hal_wifi' 2016-10-28 09:00:31 -07:00
hci_attach.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
healthd.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
hostapd.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
hwservicemanager.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
idmap.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
init.te Collapse urandom_device into random_device 2016-11-21 16:37:07 +00:00
inputflinger.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
install_recovery.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
installd.te Label ephemeral APKs and handle their install/uninstall 2016-11-12 00:27:28 +00:00
ioctl_defines Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
ioctl_macros Move to ioctl whitelisting for /dev/pts/* files 2016-11-22 18:59:38 -08:00
isolated_app.te isolated_app: allow access to pre-opened sdcard FDs 2016-11-15 12:58:06 -08:00
kernel.te kernel.te: tighten entrypoint / execute_no_trans neverallow 2016-10-30 18:46:44 -07:00
keystore.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
lmkd.te Rename autoplay_app to ephemeral_app 2016-10-07 09:52:31 -07:00
logd.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
mdnsd.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
mediacodec.te Add sepolicy for gralloc-alloc HAL 2016-11-14 01:09:51 +00:00
mediadrmserver.te Add sepolicy for gralloc-alloc HAL 2016-11-14 01:09:51 +00:00
mediaextractor.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
mediaserver.te Add sepolicy for gralloc-alloc HAL 2016-11-14 01:09:51 +00:00
mtp.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
net.te Allow ephemeral apps network connections 2016-11-14 12:24:51 -08:00
netd.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
neverallow_macros Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
nfc.te clean up hal types 2016-10-26 09:50:04 -07:00
otapreopt_chroot.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
otapreopt_slot.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
platform_app.te Label ephemeral APKs and handle their install/uninstall 2016-11-12 00:27:28 +00:00
postinstall.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
postinstall_dexopt.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
ppp.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
preopt2cachename.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
priv_app.te Allow apps to search appfuse mount point and open a file on appfuse mount point. 2016-11-15 10:22:19 +09:00
profman.te profman/debuggerd: allow libart_file:file r_file_perms 2016-11-08 09:28:28 -08:00
property.te property.te: delete security_prop 2016-11-11 12:31:19 -08:00
racoon.te racoon: remove domain_deprecated attribute 2016-10-15 17:15:25 -07:00
radio.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
recovery.te remove unnecessary dalvik rules from recovery 2016-10-14 02:27:31 -04:00
recovery_persist.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
recovery_refresh.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
rild.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
runas.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
sdcardd.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
service.te [NAN-AWARE] Remove NAN service 2016-11-04 13:38:14 -07:00
servicemanager.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
sgdisk.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
shared_relro.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
shell.te shell.te: revoke syslog(2) access to shell user 2016-11-16 10:22:51 -08:00
slideshow.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
surfaceflinger.te Add sepolicy for hwcomposer HAL 2016-11-14 01:10:02 +00:00
system_app.te Added permissions for the dumpstate service. 2016-11-01 10:43:25 -07:00
system_server.te Add sepolicy for gralloc-alloc HAL 2016-11-14 01:09:51 +00:00
te_macros Move to ioctl whitelisting for /dev/pts/* files 2016-11-22 18:59:38 -08:00
tee.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
toolbox.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
tzdatacheck.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
ueventd.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
uncrypt.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
untrusted_app.te only permit text relocations in untrusted_app 2016-11-20 15:10:34 +00:00
update_engine.te Revert "Move boot_control_hal attribute to hal_boot domain" 2016-11-18 02:43:03 +00:00
update_engine_common.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
update_verifier.te Revert "Move boot_control_hal attribute to hal_boot domain" 2016-11-18 02:43:03 +00:00
vdc.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
vold.te Removed a duplicate rule. 2016-11-17 23:46:15 +00:00
watchdogd.te Split general policy into public and private components. 2016-10-06 13:09:06 -07:00
webview_zygote.te Add the "webview_zygote" domain. 2016-11-11 10:13:17 -05:00
wificond.te wifi_hal: Rename to 'hal_wifi' 2016-10-28 09:00:31 -07:00
wpa.te wpa.te: Add binder permission back 2016-11-07 12:51:07 -08:00
zygote.te Use with_dexpreopt macro for zygote execute permissions. 2016-11-18 14:22:37 -05:00