tequilaOS/platform_system_sepolicy

No description

Find a file

Stephen Smalley 17e91e8915 am `e468016b`: zygote requires setpcap in order to drop from its bounding set. * commit 'e468016b1bd79b505e62fd410f59a03bad8bbe06': zygote requires setpcap in order to drop from its bounding set.		2013-02-19 12:28:38 -08:00
tools	Moved Android policy tools to tools directory	2012-11-01 11:33:04 -07:00
access_vectors	Define wake_alarm and block_suspect capabilities.	2012-08-10 09:23:21 -04:00
adbd.te	Update policy for Android 4.2 / latest master.	2012-11-19 09:55:10 -05:00
Android.mk	Merge "Revert "Include su.te only for userdebug/eng builds."" into jb-mr1-dev-plus-aosp	2012-11-01 14:21:26 -07:00
app.te	Add SELinux policy for asec containers.	2012-10-22 14:14:11 -04:00
attributes	Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps.	2012-07-27 11:07:09 -04:00
bluetooth.te	Update policy for Android 4.2 / latest master.	2012-11-19 09:55:10 -05:00
bluetoothd.te	Revert "ISSUE 6849488 Bluedroid stack, remove system/bluetooth."	2012-10-16 18:08:53 -07:00
cts.te	read permission over lnk_file to devices when android_cts enabled	2012-07-30 16:02:36 -04:00
dbusd.te	SE Android policy.	2012-01-04 12:33:27 -05:00
debuggerd.te	Additions for grouper/JB	2012-08-10 06:25:52 -04:00
device.te	Target the denials/policies over qtaguid file and device: 1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc"; 2. Label /dev/xt_qtaguid with "qtaguid_device"; 3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device; 4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device; 5. Allow system read/[write] to qtaguid_proc and qtaguid_device.	2012-07-19 16:11:24 -04:00
dhcp.te	allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access	2012-10-16 09:48:40 -04:00
domain.te	Add SELinux policy for asec containers.	2012-10-22 14:14:11 -04:00
drmserver.te	Trusted Execution Environment policy.	2012-08-13 06:09:39 -04:00
file.te	Add policy for run-as program.	2012-11-27 10:05:42 -08:00
file_contexts	Fix invalid specification for adb_keys.	2013-01-11 15:05:03 -05:00
fs_use	Support for ocontexts per device.	2012-07-12 10:02:45 -04:00
genfs_contexts	Target the denials/policies over qtaguid file and device: 1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc"; 2. Label /dev/xt_qtaguid with "qtaguid_device"; 3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device; 4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device; 5. Allow system read/[write] to qtaguid_proc and qtaguid_device.	2012-07-19 16:11:24 -04:00
global_macros	file class macro cleanup	2012-10-04 11:34:57 -07:00
gpsd.te	Trusted Execution Environment policy.	2012-08-13 06:09:39 -04:00
hci_attach.te	Policy for hci_attach service.	2012-05-31 09:40:12 -04:00
init.te	SE Android policy.	2012-01-04 12:33:27 -05:00
initial_sid_contexts	Restore devnull initial sid context.	2012-07-12 10:14:38 -04:00
initial_sids	SE Android policy.	2012-01-04 12:33:27 -05:00
installd.te	Add SELinux policy for asec containers.	2012-10-22 14:14:11 -04:00
kernel.te	SE Android policy.	2012-01-04 12:33:27 -05:00
keystore.te	Update policy for Android 4.2 / latest master.	2012-11-19 09:55:10 -05:00
mac_permissions.xml	Add mac_permissions.xml file.	2012-07-30 09:33:03 -04:00
mediaserver.te	Allow domain access to /dev/ion	2012-09-13 14:30:11 -07:00
mls	Add policy for run-as program.	2012-11-27 10:05:42 -08:00
mls_macros	SE Android policy.	2012-01-04 12:33:27 -05:00
mtp.te	allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access	2012-10-16 09:48:40 -04:00
net.te	SE Android policy.	2012-01-04 12:33:27 -05:00
netd.te	Further policy for Motorola Xoom.	2012-01-06 10:25:53 -05:00
nfc.te	Remove all denials caused by rild on tuna devices.	2012-06-07 11:52:51 -04:00
NOTICE	Public domain notice	2012-06-19 07:29:55 -04:00
policy_capabilities	SE Android policy.	2012-01-04 12:33:27 -05:00
port_contexts	Support for ocontexts per device.	2012-07-12 10:02:45 -04:00
ppp.te	Add ppp/mtp policy.	2012-08-20 06:19:36 -04:00
property.te	Add policy for property service.	2012-04-04 10:11:16 -04:00
property_contexts	Add persist.mac_enforcing_mode context	2012-06-28 10:51:25 -04:00
qemud.te	SE Android policy.	2012-01-04 12:33:27 -05:00
radio.te	Add policy for property service.	2012-04-04 10:11:16 -04:00
README	README for configuration of selinux policy	2012-11-26 17:16:05 -08:00
rild.te	Corrected denials for LocationManager when accessing gps over uart.	2012-07-12 09:27:40 -04:00
roles	Add explicit role declaration for newer checkpolicy versions.	2012-01-12 09:58:37 -05:00
runas.te	Add policy for run-as program.	2012-11-27 10:05:42 -08:00
sdcardd.te	Address various denials introduced by JB/4.1.	2012-07-12 13:26:15 -04:00
seapp_contexts	Update policy for Android 4.2 / latest master.	2012-11-19 09:55:10 -05:00
security_classes	Add policy for property service.	2012-04-04 10:11:16 -04:00
selinux-network.sh	Add selinux network script to policy	2012-06-21 09:19:43 -04:00
servicemanager.te	SE Android policy.	2012-01-04 12:33:27 -05:00
shell.te	Add policy for run-as program.	2012-11-27 10:05:42 -08:00
su.te	Revert "Include su.te only for userdebug/eng builds."	2012-11-01 13:17:29 -07:00
surfaceflinger.te	Address various denials introduced by JB/4.1.	2012-07-12 13:26:15 -04:00
system.te	Update policy for Android 4.2 / latest master.	2012-11-19 09:55:10 -05:00
te_macros	Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps.	2012-07-27 11:07:09 -04:00
tee.te	Trusted Execution Environment policy.	2012-08-13 06:09:39 -04:00
ueventd.te	Remove all denials caused by rild on tuna devices.	2012-06-07 11:52:51 -04:00
unconfined.te	Add policy for property service.	2012-04-04 10:11:16 -04:00
users	SE Android policy.	2012-01-04 12:33:27 -05:00
vold.te	Add SELinux policy for asec containers.	2012-10-22 14:14:11 -04:00
wpa_supplicant.te	Additions for grouper/JB	2012-08-10 06:25:52 -04:00
zygote.te	zygote requires setpcap in order to drop from its bounding set.	2013-02-19 13:20:55 -05:00

README

Policy Generation:

Additional, per device, policy files can be added into the
policy build.

They can be configured through the use of three variables,
they are:
1. BOARD_SEPOLICY_REPLACE
2. BOARD_SEPOLICY_UNION
3. BOARD_SEPOLICY_DIRS

The variables should be set in the BoardConfig.mk file in
the device or vendor directories.

BOARD_SEPOLICY_UNION is a list of files that will be
"unioned", IE concatenated, at the END of their respective
file in external/sepolicy. Note, to add a unique file you
would use this variable.

BOARD_SEPOLICY_REPLACE is a list of files that will be
used instead of the corresponding file in external/sepolicy.

BOARD_SEPOLICY_DIRS contains a list of directories to search
for BOARD_SEPOLICY_UNION and BOARD_SEPOLICY_REPLACE files. Order
matters in this list.
eg.) If you have BOARD_SEPOLICY_UNION := widget.te and have 2
instances of widget.te files on BOARD_SEPOLICY_DIRS search path.
The first one found (at the first search dir containing the file)
gets processed first.
Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
will help sort out ordering issues.

It is an error to specify a BOARD_POLICY_REPLACE file that does
not exist in external/sepolicy.

It is an error to specify a BOARD_POLICY_REPLACE file that appears
multiple times on the policy search path defined by BOARD_SEPOLICY_DIRS.
eg.) if you specify shell.te in BOARD_SEPOLICY_REPLACE and
BOARD_SEPOLICY_DIRS is set to
"vendor/widget/common/sepolicy device/widget/x/sepolicy" and shell.te
appears in both locations, it is an error.

It is an error to specify the same file name in both
BOARD_POLICY_REPLACE and BOARD_POLICY_UNION.

It is an error to specify a BOARD_SEPOLICY_DIRS that has no entries when
specifying BOARD_SEPOLICY_REPLACE.

Example Usage:
From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk

BOARD_SEPOLICY_DIRS := \
        device/samsung/tuna/sepolicy

BOARD_SEPOLICY_UNION := \
        genfs_contexts \
        file_contexts \
        sepolicy.te