Colin Cross 19740e1806 am 92b9aa0e: add file_contexts entries for root filesystem
* commit '92b9aa0eeff49e5bc3dc6297f3d35ec41d6ab73d':
  add file_contexts entries for root filesystem
2012-12-28 09:47:47 -08:00
tools Moved Android policy tools to tools directory 2012-11-01 11:33:04 -07:00
access_vectors Define wake_alarm and block_suspect capabilities. 2012-08-10 09:23:21 -04:00
adbd.te Update policy for Android 4.2 / latest master. 2012-11-19 09:55:10 -05:00
Android.mk Merge "Revert "Include su.te only for userdebug/eng builds."" into jb-mr1-dev-plus-aosp 2012-11-01 14:21:26 -07:00
app.te Add SELinux policy for asec containers. 2012-10-22 14:14:11 -04:00
attributes Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps. 2012-07-27 11:07:09 -04:00
bluetooth.te Update policy for Android 4.2 / latest master. 2012-11-19 09:55:10 -05:00
bluetoothd.te Revert "ISSUE 6849488 Bluedroid stack, remove system/bluetooth." 2012-10-16 18:08:53 -07:00
cts.te read permission over lnk_file to devices when android_cts enabled 2012-07-30 16:02:36 -04:00
dbusd.te SE Android policy. 2012-01-04 12:33:27 -05:00
debuggerd.te Additions for grouper/JB 2012-08-10 06:25:52 -04:00
device.te Target the denials/policies over qtaguid file and device: 1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc"; 2. Label /dev/xt_qtaguid with "qtaguid_device"; 3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device; 4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device; 5. Allow system read/[write] to qtaguid_proc and qtaguid_device. 2012-07-19 16:11:24 -04:00
dhcp.te allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access 2012-10-16 09:48:40 -04:00
domain.te Add SELinux policy for asec containers. 2012-10-22 14:14:11 -04:00
drmserver.te Trusted Execution Environment policy. 2012-08-13 06:09:39 -04:00
file.te Add policy for run-as program. 2012-11-27 10:05:42 -08:00
file_contexts add file_contexts entries for root filesystem 2012-12-21 13:55:25 -08:00
fs_use Support for ocontexts per device. 2012-07-12 10:02:45 -04:00
genfs_contexts Target the denials/policies over qtaguid file and device: 1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc"; 2. Label /dev/xt_qtaguid with "qtaguid_device"; 3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device; 4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device; 5. Allow system read/[write] to qtaguid_proc and qtaguid_device. 2012-07-19 16:11:24 -04:00
global_macros file class macro cleanup 2012-10-04 11:34:57 -07:00
gpsd.te Trusted Execution Environment policy. 2012-08-13 06:09:39 -04:00
hci_attach.te Policy for hci_attach service. 2012-05-31 09:40:12 -04:00
init.te SE Android policy. 2012-01-04 12:33:27 -05:00
initial_sid_contexts Restore devnull initial sid context. 2012-07-12 10:14:38 -04:00
initial_sids SE Android policy. 2012-01-04 12:33:27 -05:00
installd.te Add SELinux policy for asec containers. 2012-10-22 14:14:11 -04:00
kernel.te SE Android policy. 2012-01-04 12:33:27 -05:00
keystore.te Update policy for Android 4.2 / latest master. 2012-11-19 09:55:10 -05:00
mac_permissions.xml Add mac_permissions.xml file. 2012-07-30 09:33:03 -04:00
mediaserver.te Allow domain access to /dev/ion 2012-09-13 14:30:11 -07:00
mls Add policy for run-as program. 2012-11-27 10:05:42 -08:00
mls_macros SE Android policy. 2012-01-04 12:33:27 -05:00
mtp.te allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access 2012-10-16 09:48:40 -04:00
net.te SE Android policy. 2012-01-04 12:33:27 -05:00
netd.te Further policy for Motorola Xoom. 2012-01-06 10:25:53 -05:00
nfc.te Remove all denials caused by rild on tuna devices. 2012-06-07 11:52:51 -04:00
NOTICE Public domain notice 2012-06-19 07:29:55 -04:00
policy_capabilities SE Android policy. 2012-01-04 12:33:27 -05:00
port_contexts Support for ocontexts per device. 2012-07-12 10:02:45 -04:00
ppp.te Add ppp/mtp policy. 2012-08-20 06:19:36 -04:00
property.te Add policy for property service. 2012-04-04 10:11:16 -04:00
property_contexts Add persist.mac_enforcing_mode context 2012-06-28 10:51:25 -04:00
qemud.te SE Android policy. 2012-01-04 12:33:27 -05:00
radio.te Add policy for property service. 2012-04-04 10:11:16 -04:00
README README for configuration of selinux policy 2012-11-26 17:16:05 -08:00
rild.te Corrected denials for LocationManager when accessing gps over uart. 2012-07-12 09:27:40 -04:00
roles Add explicit role declaration for newer checkpolicy versions. 2012-01-12 09:58:37 -05:00
runas.te Add policy for run-as program. 2012-11-27 10:05:42 -08:00
sdcardd.te Address various denials introduced by JB/4.1. 2012-07-12 13:26:15 -04:00
seapp_contexts Update policy for Android 4.2 / latest master. 2012-11-19 09:55:10 -05:00
security_classes Add policy for property service. 2012-04-04 10:11:16 -04:00
selinux-network.sh Add selinux network script to policy 2012-06-21 09:19:43 -04:00
servicemanager.te SE Android policy. 2012-01-04 12:33:27 -05:00
shell.te Add policy for run-as program. 2012-11-27 10:05:42 -08:00
su.te Revert "Include su.te only for userdebug/eng builds." 2012-11-01 13:17:29 -07:00
surfaceflinger.te Address various denials introduced by JB/4.1. 2012-07-12 13:26:15 -04:00
system.te Update policy for Android 4.2 / latest master. 2012-11-19 09:55:10 -05:00
te_macros Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps. 2012-07-27 11:07:09 -04:00
tee.te Trusted Execution Environment policy. 2012-08-13 06:09:39 -04:00
ueventd.te Remove all denials caused by rild on tuna devices. 2012-06-07 11:52:51 -04:00
unconfined.te Add policy for property service. 2012-04-04 10:11:16 -04:00
users SE Android policy. 2012-01-04 12:33:27 -05:00
vold.te Add SELinux policy for asec containers. 2012-10-22 14:14:11 -04:00
wpa_supplicant.te Additions for grouper/JB 2012-08-10 06:25:52 -04:00
zygote.te Update policy for Android 4.2 / latest master. 2012-11-19 09:55:10 -05:00

Policy Generation:

Additional, per-device policy files can be added to the
policy build.

They are configured through three variables:
1. BOARD_SEPOLICY_REPLACE
2. BOARD_SEPOLICY_UNION
3. BOARD_SEPOLICY_DIRS

The variables should be set in the BoardConfig.mk file in
the device or vendor directories.

BOARD_SEPOLICY_UNION is a list of files that will be
"unioned", i.e. concatenated, at the END of their respective
file in external/sepolicy. Note: a new file that has no
counterpart in external/sepolicy is also added with this variable.

BOARD_SEPOLICY_REPLACE is a list of files that will be
used instead of the corresponding file in external/sepolicy.

BOARD_SEPOLICY_DIRS contains a list of directories to search
for the BOARD_SEPOLICY_UNION and BOARD_SEPOLICY_REPLACE files.
Order matters in this list.
e.g. if you have BOARD_SEPOLICY_UNION := widget.te and two
instances of widget.te exist on the BOARD_SEPOLICY_DIRS search
path, the one found first (in the first search dir containing
the file) is processed first.
Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
will help sort out ordering issues.

It is an error to specify a BOARD_SEPOLICY_REPLACE file that does
not exist in external/sepolicy.

It is an error to specify a BOARD_SEPOLICY_REPLACE file that appears
multiple times on the policy search path defined by BOARD_SEPOLICY_DIRS.
e.g. if you specify shell.te in BOARD_SEPOLICY_REPLACE,
BOARD_SEPOLICY_DIRS is set to
"vendor/widget/common/sepolicy device/widget/x/sepolicy" and shell.te
appears in both locations, it is an error.

It is an error to specify the same file name in both
BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION.

It is an error to specify a BOARD_SEPOLICY_DIRS that has no entries when
specifying BOARD_SEPOLICY_REPLACE.

Example Usage:
From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk

BOARD_SEPOLICY_DIRS := \
        device/samsung/tuna/sepolicy

BOARD_SEPOLICY_UNION := \
        genfs_contexts \
        file_contexts \
        sepolicy.te
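The rules above (search order, REPLACE vs. UNION, and the four error cases) are
easy to get wrong when a vendor and a device directory both carry policy files.
The script below is an added example, not part of the sepolicy project or its
Android.mk: it builds a constructed sample tree under a temp directory (a base
external/sepolicy plus a vendor and a device sepolicy dir, with shell.te and
widget.te in the positions the README's examples describe), validates a
configuration against the documented error conditions, and prints the order in
which fragments would be concatenated. The concatenation order it prints is a
model of the README's description, not the build system's actual implementation.

```sh
#!/bin/sh
# Added example, not from the sepolicy project: a POSIX sh model of the
# BOARD_SEPOLICY_DIRS / BOARD_SEPOLICY_UNION / BOARD_SEPOLICY_REPLACE rules
# from the README. The source tree below is CONSTRUCTED under a temp dir;
# the ordering printed models the README's text, not the real Android.mk.

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT

# Constructed tree: base policy, one vendor dir, one device dir.
make_sample_tree() {
    base="$ROOT/external/sepolicy"
    vnd="$ROOT/vendor/widget/common/sepolicy"
    dev="$ROOT/device/widget/x/sepolicy"
    mkdir -p "$base" "$vnd" "$dev"
    printf 'type shell, domain;\n'                               > "$base/shell.te"
    printf '/init  u:object_r:rootfs:s0\n'                       > "$base/file_contexts"
    printf 'allow shell widget_device:chr_file rw_file_perms;\n' > "$vnd/shell.te"
    printf 'type widget, domain;\n'                              > "$vnd/widget.te"
    printf 'allow widget self:capability net_admin;\n'           > "$dev/widget.te"
}

# in_list NAME WORD... : succeed if NAME equals one of the WORDs
in_list() {
    needle=$1; shift
    for x in "$@"; do [ "$x" = "$needle" ] && return 0; done
    return 1
}

# count_in_dirs NAME DIR... : number of search dirs that contain NAME
count_in_dirs() {
    name=$1; shift
    n=0
    for d in "$@"; do [ -f "$ROOT/$d/$name" ] && n=$((n + 1)); done
    echo "$n"
}

# sepolicy_check DIRS UNION REPLACE : print one "error:" line per violated
# README rule and return 1 if any rule was violated.
sepolicy_check() {
    dirs=$1; union=$2; replace=$3
    rc=0
    if [ -n "$replace" ] && [ -z "$dirs" ]; then
        echo "error: BOARD_SEPOLICY_REPLACE set but BOARD_SEPOLICY_DIRS is empty"
        rc=1
    fi
    for f in $replace; do
        if [ ! -f "$ROOT/external/sepolicy/$f" ]; then
            echo "error: $f is in BOARD_SEPOLICY_REPLACE but not in external/sepolicy"
            rc=1
        fi
        n=$(count_in_dirs "$f" $dirs)
        if [ "$n" -gt 1 ]; then
            echo "error: $f appears $n times on the BOARD_SEPOLICY_DIRS search path"
            rc=1
        fi
        if in_list "$f" $union; then
            echo "error: $f is in both BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION"
            rc=1
        fi
    done
    return $rc
}

# sepolicy_layout DIRS UNION REPLACE : fragment order for policy.conf.
# Each external/sepolicy file comes first (or its single REPLACE substitute),
# followed by its UNION fragments in BOARD_SEPOLICY_DIRS order; UNION files
# with no counterpart in external/sepolicy are appended last.
sepolicy_layout() {
    dirs=$1; union=$2; replace=$3
    for path in "$ROOT"/external/sepolicy/*; do
        f=${path##*/}
        if in_list "$f" $replace; then
            for d in $dirs; do [ -f "$ROOT/$d/$f" ] && echo "$d/$f"; done
        else
            echo "external/sepolicy/$f"
            if in_list "$f" $union; then
                for d in $dirs; do [ -f "$ROOT/$d/$f" ] && echo "$d/$f"; done
            fi
        fi
    done
    for f in $union; do
        [ -f "$ROOT/external/sepolicy/$f" ] && continue
        for d in $dirs; do [ -f "$ROOT/$d/$f" ] && echo "$d/$f"; done
    done
    return 0
}

make_sample_tree
DIRS="vendor/widget/common/sepolicy device/widget/x/sepolicy"

echo "== union shell.te and the new widget.te (valid)"
sepolicy_check "$DIRS" "shell.te widget.te" "" && sepolicy_layout "$DIRS" "shell.te widget.te" ""

echo "== replace widget.te (rejected: not in external/sepolicy, found twice)"
sepolicy_check "$DIRS" "" "widget.te" || echo "rejected"

echo "== replace shell.te with BOARD_SEPOLICY_DIRS empty (rejected)"
sepolicy_check "" "" "shell.te" || echo "rejected"
```

Run it with `sh` (no arguments); the tree is created and removed automatically. Comparing the printed layout with the real out/target/product/<device>/etc/sepolicy_intermediates/policy.conf is the quickest way to confirm which copy of a duplicated fragment won the ordering.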