No description
Find a file
Geremy Condra 36c87bbdb8 am ae0fcf1f: Merge "watchdog security policy."
* commit 'ae0fcf1fb60de1d63fc1944111398497b655224b':
  watchdog security policy.
2013-03-19 19:01:39 -07:00
tools Revert "Dynamic insertion of pubkey to mac_permissions.xml" 2013-03-19 22:56:46 +00:00
access_vectors Update binder-related policy. 2013-03-19 22:48:17 +00:00
adbd.te Update policy for Android 4.2 / latest master. 2012-11-19 09:55:10 -05:00
Android.mk Revert "Dynamic insertion of pubkey to mac_permissions.xml" 2013-03-19 22:56:46 +00:00
app.te Update binder-related policy. 2013-03-19 22:48:17 +00:00
assert.te Add policy assertions (neverallow rules). 2013-03-19 22:30:03 +00:00
attributes Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps. 2012-07-27 11:07:09 -04:00
bluetooth.te Update policy for Android 4.2 / latest master. 2012-11-19 09:55:10 -05:00
bluetoothd.te SE Android policy. 2012-01-04 12:33:27 -05:00
cts.te read permission over lnk_file to devices when android_cts enabled 2012-07-30 16:02:36 -04:00
dbusd.te SE Android policy. 2012-01-04 12:33:27 -05:00
debuggerd.te Additions for grouper/JB 2012-08-10 06:25:52 -04:00
device.te watchdog security policy. 2013-03-19 22:48:38 +00:00
dhcp.te allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access 2012-10-16 09:48:40 -04:00
domain.te Allow search of tmpfs mount for /storage/emulated. 2013-03-19 22:47:20 +00:00
drmserver.te Trusted Execution Environment policy. 2012-08-13 06:09:39 -04:00
file.te App data backup security policy. 2013-03-19 22:22:10 +00:00
file_contexts watchdog security policy. 2013-03-19 22:48:38 +00:00
fs_use Support for ocontexts per device. 2012-07-12 10:02:45 -04:00
genfs_contexts Target the denials/policies over qtaguid file and device: 1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc"; 2. Label /dev/xt_qtaguid with "qtaguid_device"; 3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device; 4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device; 5. Allow system read/[write] to qtaguid_proc and qtaguid_device. 2012-07-19 16:11:24 -04:00
global_macros file class macro cleanup 2012-10-04 11:34:57 -07:00
gpsd.te Trusted Execution Environment policy. 2012-08-13 06:09:39 -04:00
hci_attach.te Policy for hci_attach service. 2012-05-31 09:40:12 -04:00
init.te SE Android policy. 2012-01-04 12:33:27 -05:00
initial_sid_contexts Restore devnull initial sid context. 2012-07-12 10:14:38 -04:00
initial_sids SE Android policy. 2012-01-04 12:33:27 -05:00
installd.te Add SELinux policy for asec containers. 2012-10-22 14:14:11 -04:00
kernel.te SE Android policy. 2012-01-04 12:33:27 -05:00
keystore.te Update policy for Android 4.2 / latest master. 2012-11-19 09:55:10 -05:00
mac_permissions.xml Revert "Dynamic insertion of pubkey to mac_permissions.xml" 2013-03-19 22:56:46 +00:00
mediaserver.te Update binder-related policy. 2013-03-19 22:48:17 +00:00
mls Add policy for run-as program. 2012-11-27 10:05:42 -08:00
mls_macros SE Android policy. 2012-01-04 12:33:27 -05:00
mtp.te allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access 2012-10-16 09:48:40 -04:00
net.te SE Android policy. 2012-01-04 12:33:27 -05:00
netd.te Further policy for Motorola Xoom. 2012-01-06 10:25:53 -05:00
nfc.te Remove all denials caused by rild on tuna devices. 2012-06-07 11:52:51 -04:00
NOTICE Public domain notice 2012-06-19 07:29:55 -04:00
policy_capabilities SE Android policy. 2012-01-04 12:33:27 -05:00
port_contexts Support for ocontexts per device. 2012-07-12 10:02:45 -04:00
ppp.te Add ppp/mtp policy. 2012-08-20 06:19:36 -04:00
property.te Label persist audio properties 2012-11-28 12:15:02 -08:00
property_contexts Label persist audio properties 2012-11-28 12:15:02 -08:00
qemud.te SE Android policy. 2012-01-04 12:33:27 -05:00
radio.te Add policy for property service. 2012-04-04 10:11:16 -04:00
README Revert "Dynamic insertion of pubkey to mac_permissions.xml" 2013-03-19 22:56:46 +00:00
rild.te Corrected denials for LocationManager when accessing gps over uart. 2012-07-12 09:27:40 -04:00
roles Add explicit role declaration for newer checkpolicy versions. 2012-01-12 09:58:37 -05:00
runas.te Add policy for run-as program. 2012-11-27 10:05:42 -08:00
sdcardd.te Address various denials introduced by JB/4.1. 2012-07-12 13:26:15 -04:00
seapp_contexts Update policy for Android 4.2 / latest master. 2012-11-19 09:55:10 -05:00
security_classes Add policy for property service. 2012-04-04 10:11:16 -04:00
selinux-network.sh Add selinux network script to policy 2012-06-21 09:19:43 -04:00
servicemanager.te Update binder-related policy. 2013-03-19 22:48:17 +00:00
shell.te Add policy for run-as program. 2012-11-27 10:05:42 -08:00
su.te Revert "Include su.te only for userdebug/eng builds." 2012-11-01 13:17:29 -07:00
surfaceflinger.te Update binder-related policy. 2013-03-19 22:48:17 +00:00
system.te Update binder-related policy. 2013-03-19 22:48:17 +00:00
te_macros Update binder-related policy. 2013-03-19 22:48:17 +00:00
tee.te Trusted Execution Environment policy. 2012-08-13 06:09:39 -04:00
ueventd.te Remove all denials caused by rild on tuna devices. 2012-06-07 11:52:51 -04:00
unconfined.te Update binder-related policy. 2013-03-19 22:48:17 +00:00
users SE Android policy. 2012-01-04 12:33:27 -05:00
vold.te Add SELinux policy for asec containers. 2012-10-22 14:14:11 -04:00
watchdogd.te watchdog security policy. 2013-03-19 22:48:38 +00:00
wpa_supplicant.te Additions for grouper/JB 2012-08-10 06:25:52 -04:00
zygote.te zygote requires setpcap in order to drop from its bounding set. 2013-02-19 13:20:55 -05:00

Policy Generation:

Additional, per device, policy files can be added into the
policy build.

They can be configured through the use of three variables,
they are:
1. BOARD_SEPOLICY_REPLACE
2. BOARD_SEPOLICY_UNION
3. BOARD_SEPOLICY_DIRS

The variables should be set in the BoardConfig.mk file in
the device or vendor directories.

BOARD_SEPOLICY_UNION is a list of files that will be
"unioned", IE concatenated, at the END of their respective
file in external/sepolicy. Note, to add a unique file you
would use this variable.

BOARD_SEPOLICY_REPLACE is a list of files that will be
used instead of the corresponding file in external/sepolicy.

BOARD_SEPOLICY_DIRS contains a list of directories to search
for BOARD_SEPOLICY_UNION and BOARD_SEPOLICY_REPLACE files. Order
matters in this list.
eg.) If you have BOARD_SEPOLICY_UNION := widget.te and have 2
instances of widget.te files on BOARD_SEPOLICY_DIRS search path.
The first one found (at the first search dir containing the file)
gets processed first.
Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
will help sort out ordering issues.

It is an error to specify a BOARD_POLICY_REPLACE file that does
not exist in external/sepolicy.

It is an error to specify a BOARD_POLICY_REPLACE file that appears
multiple times on the policy search path defined by BOARD_SEPOLICY_DIRS.
eg.) if you specify shell.te in BOARD_SEPOLICY_REPLACE and
BOARD_SEPOLICY_DIRS is set to
"vendor/widget/common/sepolicy device/widget/x/sepolicy" and shell.te
appears in both locations, it is an error.

It is an error to specify the same file name in both
BOARD_POLICY_REPLACE and BOARD_POLICY_UNION.

It is an error to specify a BOARD_SEPOLICY_DIRS that has no entries when
specifying BOARD_SEPOLICY_REPLACE.

Example Usage:
From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk

BOARD_SEPOLICY_DIRS := \
        device/samsung/tuna/sepolicy

BOARD_SEPOLICY_UNION := \
        genfs_contexts \
        file_contexts \
        sepolicy.te