platform_system_sepolicy/public
Max Bires 3171829af3 Removing init and ueventd access to generic char files
There are many character files that are unreachable to all processes
under selinux policies. Ueventd and init were the only two domains that
had access to these generic character files, but auditing proved there
was no use for that access. In light of this, access is being completely
revoked so that the device nodes can be removed, and a neverallow is
being audited to prevent future regressions.

Test: The device boots
Bug: 33347297
Change-Id: If050693e5e5a65533f3d909382e40f9c6b85f61c
2017-02-01 21:35:08 +00:00
adbd.te more ephemeral_app cleanup 2017-01-20 14:35:17 +00:00
atrace.te Fix build. 2016-12-06 16:49:25 -08:00
attributes Preliminary policy for hal_keymaster (TREBLE) 2017-01-27 15:02:57 -08:00
audioserver.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
binderservicedomain.te
blkid.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
blkid_untrusted.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
bluetooth.te logd: restrict access to /dev/event-log-tags 2017-01-31 15:50:15 +00:00
bluetoothdomain.te
boot_control_hal.te
bootanim.te Add sepolicy for hwcomposer HAL 2016-11-14 01:54:33 +00:00
bootstat.te logd: restrict access to /dev/event-log-tags 2017-01-31 15:50:15 +00:00
cameraserver.te Camera: grant system file perm for Treble 2017-01-30 14:52:21 -08:00
charger.te healthd: create SEPolicy for 'charger' and reduce healthd's scope 2016-12-15 18:17:13 -08:00
clatd.te
cppreopts.te
crash_dump.te Remove SElinux audit to libart_file 2017-01-31 23:43:14 +00:00
device.te Auditing init and ueventd access to chr device files. 2017-01-13 17:38:39 +00:00
dex2oat.te Remove SElinux audit to libart_file 2017-01-31 23:43:14 +00:00
dhcp.te
dnsmasq.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
domain.te Removing init and ueventd access to generic char files 2017-02-01 21:35:08 +00:00
domain_deprecated.te Introduce crash_dump debugging helper. 2017-01-18 15:03:24 -08:00
drmserver.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
dumpstate.te Remove SElinux audit to libart_file 2017-01-31 23:43:14 +00:00
ephemeral_app.te Move ephemeral_app policy to private 2017-01-09 15:34:27 -08:00
file.te Remove SElinux audit to libart_file 2017-01-31 23:43:14 +00:00
fingerprintd.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
fsck.te
fsck_untrusted.te
gatekeeperd.te Remove hal_gatekeeper from gatekeeperd domain 2017-01-26 07:17:51 -08:00
global_macros
hal_allocator.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_audio.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_bluetooth.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_boot.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_camera.te haldomain: search for passthrough hals 2017-01-24 16:41:00 -08:00
hal_contexthub.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_drm.te Add sepolicy for drm HALs 2017-01-25 11:21:03 -08:00
hal_dumpstate.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_fingerprint.te haldomain: search for passthrough hals 2017-01-24 16:41:00 -08:00
hal_gatekeeper.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_gnss.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_graphics_allocator.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_graphics_composer.te more ephemeral_app cleanup 2017-01-20 14:35:17 +00:00
hal_health.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_ir.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_keymaster.te Preliminary policy for hal_keymaster (TREBLE) 2017-01-27 15:02:57 -08:00
hal_light.te hal_light: add permission to sys/class/leds. 2017-01-20 00:17:11 +00:00
hal_nfc.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_telephony.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_thermal.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_usb.te sepolicy for usb hal 2017-01-27 00:05:19 +00:00
hal_vibrator.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_vr.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_wifi.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
healthd.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
hostapd.te
hwservicemanager.te hwbinder_use: allow for hwservicemanager callbacks. 2016-12-15 14:17:27 -08:00
idmap.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
init.te Removing init and ueventd access to generic char files 2017-02-01 21:35:08 +00:00
inputflinger.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
install_recovery.te install_recovery.te: remove domain_deprecated 2017-01-09 16:47:36 +00:00
installd.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
ioctl_defines
ioctl_macros Add TCSETS to unpriv_tty_ioctls 2016-12-07 15:59:34 -08:00
isolated_app.te Move isolated_app policy to private 2017-01-05 16:06:54 -08:00
kernel.te kernel.te: tighten entrypoint / execute_no_trans neverallow 2016-10-30 18:46:44 -07:00
keystore.te Preliminary policy for hal_keymaster (TREBLE) 2017-01-27 15:02:57 -08:00
lmkd.te more ephemeral_app cleanup 2017-01-20 14:35:17 +00:00
logd.te logd: add getEventTag command and service 2017-01-31 15:50:42 +00:00
logpersist.te logpersist: do not permit dynamic transition to domain 2016-12-29 09:29:36 -08:00
mdnsd.te
mediacodec.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
mediadrmserver.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
mediaextractor.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
mediametrics.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
mediaserver.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
mtp.te
net.te Allow ephemeral apps network connections 2016-11-14 12:24:51 -08:00
netd.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
neverallow_macros
nfc.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
otapreopt_chroot.te
otapreopt_slot.te
perfprofd.te Fix build. 2016-12-06 16:49:25 -08:00
platform_app.te Move platform_app policy to private 2017-01-09 14:52:59 -08:00
postinstall.te
postinstall_dexopt.te
ppp.te domain_deprecated.te: remove /proc/net access 2016-11-30 15:23:26 -08:00
preopt2cachename.te
priv_app.te Move priv_app policy to private 2017-01-05 15:44:32 -08:00
profman.te Remove SElinux audit to libart_file 2017-01-31 23:43:14 +00:00
property.te property: add persist.hal.binderization 2017-01-26 06:06:24 +00:00
racoon.te racoon: Add SIOCSIFNETMASK 2017-01-24 17:12:58 -08:00
radio.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
recovery.te Remove SElinux audit to libart_file 2017-01-31 23:43:14 +00:00
recovery_persist.te sepolicy: add version_policy tool and version non-platform policy. 2016-12-06 08:56:02 -08:00
recovery_refresh.te sepolicy: add version_policy tool and version non-platform policy. 2016-12-06 08:56:02 -08:00
rild.te Grant rild and gatekeeperd access to hwservicemanager 2017-01-20 13:01:47 -08:00
roles sepolicy: add version_policy tool and version non-platform policy. 2016-12-06 08:56:02 -08:00
runas.te
sdcardd.te Allow sdcardd to remount sdcardfs 2016-11-28 16:10:27 -08:00
service.te rename mediaanalytics->mediametrics, wider access 2017-01-24 16:57:19 -08:00
servicemanager.te Remove domain_deprecated from some domains. 2016-11-25 17:37:30 -08:00
sgdisk.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
shared_relro.te Restore app_domain macro and move to private use. 2016-12-08 14:42:43 -08:00
shell.te property: add persist.hal.binderization 2017-01-26 06:06:24 +00:00
slideshow.te
su.te Introduce crash_dump debugging helper. 2017-01-18 15:03:24 -08:00
surfaceflinger.te logd: restrict access to /dev/event-log-tags 2017-01-31 15:50:15 +00:00
system_app.te Move system_app policy to private 2017-01-05 17:20:28 -08:00
system_server.te logd: restrict access to /dev/event-log-tags 2017-01-31 15:50:15 +00:00
te_macros logd: restrict access to /dev/event-log-tags 2017-01-31 15:50:15 +00:00
tee.te
tombstoned.te tombstoned: temporarily allow write to anr_data_file. 2017-01-23 12:54:03 -08:00
toolbox.te
tzdatacheck.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
ueventd.te Removing init and ueventd access to generic char files 2017-02-01 21:35:08 +00:00
uncrypt.te
untrusted_app.te Move untrusted_app policy to private 2017-01-05 14:39:52 -08:00
update_engine.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
update_engine_common.te
update_verifier.te update_verifier: read dir perms 2017-01-24 20:45:18 +00:00
vdc.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
vold.te Preliminary policy for hal_keymaster (TREBLE) 2017-01-27 15:02:57 -08:00
watchdogd.te
webview_zygote.te Move webview_zygote policy to private 2017-01-27 17:01:43 +00:00
wificond.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
wpa.te hal_wifi: Allow system_server to access wifi HIDL services 2016-12-12 10:40:14 -08:00
zygote.te Move zygote policy to private 2017-01-26 13:31:16 -08:00