platform_system_sepolicy/private
Mugdha Lakhani 407163cc49 Add neverallow rules to protect SDK's private data
SDK's data should not be accessible directly by other domains, including
system server. Added neverallow to ensure that.

Bug: b/279885689
Test: make and boot device
Change-Id: If6a6b4d43f297ec2aa27434dd26f6c88d0d8bcf2
2023-05-03 13:25:00 +00:00
compat Merge "Add a new system property persist.graphics.egl" 2023-04-13 18:49:26 +00:00
access_vectors Add SELinux Policy For io_uring 2023-01-27 11:44:59 -05:00
adbd.te Blocks untrusted apps to access /dev/socket/mdnsd from U 2023-01-20 15:25:46 +09:00
aidl_lazy_test_server.te Add aidl_lazy_test_server 2020-01-07 15:11:03 -08:00
apex_test_prepostinstall.te
apexd.te Modified sepolicy for new apex ready prop 2022-09-01 22:20:10 +00:00
apexd_derive_classpath.te Allow apexd to call derive_classpath binary 2021-10-28 16:27:09 +01:00
app.te Merge "Add persist.sysui.notification.builder_extras_ovrd" 2023-04-03 13:47:09 +00:00
app_neverallows.te Merge changes from topic "iso_compute" 2023-02-01 17:33:59 +00:00
app_zygote.te sepolicy: rework perfetto producer/profiler rules for "user" builds 2023-02-03 15:05:14 +00:00
artd.te Allow artd to create dirs and files for artifacts before restorecon. 2023-01-18 01:07:49 +08:00
asan_extract.te Move system property rules to private 2020-03-18 16:46:04 +00:00
atrace.te Iorapd and friends have been removed 2022-05-18 12:07:39 +02:00
attributes Add expandattribute to system_and_vendor_property_type 2020-12-01 19:58:02 +09:00
audioserver.te Add SELinux policy for accessing the AudioService 2022-07-27 12:11:50 +00:00
auditctl.te Add policy for /system/bin/auditctl 2019-04-09 20:55:30 -07:00
automotive_display_service.te Revert^2 "Updates sepolicy for EVS HAL" 2022-02-10 17:21:54 +00:00
binderservicedomain.te Allow service managers access to apex data. 2022-09-23 21:33:58 +00:00
blank_screen.te Allow blank_screen to make binder calls to the servicemanager 2020-04-02 19:38:36 +00:00
blkid.te
blkid_untrusted.te
bluetooth.te Allow Bluetooth stack to read security log sysprop 2022-05-25 21:05:02 +00:00
bluetoothdomain.te
bootanim.te Label /data/bootanim with bootanim_data_file. 2021-12-23 15:00:31 -08:00
bootstat.te Enable incidentd access to ro.boot.bootreason 2020-04-09 15:57:06 -07:00
boringssl_self_test.te SEPolicy changes to allow vendor BoringSSL self test. 2019-10-01 14:14:36 +01:00
bpfdomain.te refactor: get_prop(bpfdomain, bpf_progs_loaded_prop) 2023-01-06 10:09:33 +00:00
bpfloader.te netd/netutils_wrapper/network_stack/system_server - allow getattr on bpf progs/maps 2023-03-28 03:11:42 +00:00
bufferhubd.te
bug_map Remove netd entries in bug_map 2023-03-22 10:02:37 +11:00
cameraserver.te Adds GPU sepolicy to support devices with DRM gralloc/rendering 2022-04-18 17:30:56 -07:00
canhalconfigurator.te SEPolicy for AIDL CAN HAL 2022-12-09 11:00:10 -08:00
charger.te Add charger_type. 2021-11-05 18:44:04 -07:00
charger_type.te Add charger_vendor type 2021-12-07 16:24:23 -08:00
clatd.te clatd.te - no longer need netlink 2023-03-16 10:53:18 +00:00
compos_fd_server.te Delete more unused policies by CompOS 2022-01-25 08:40:46 -08:00
compos_verify.te Allow compos_verify to write VM logs 2022-06-17 13:41:51 +01:00
composd.te Allow system server to set dynamic ART properties. 2023-03-31 11:46:05 +01:00
coredomain.te Add a new system property persist.graphics.egl 2023-04-13 04:38:46 +00:00
cppreopts.te Ignore the denial when system_other is erased 2020-03-31 20:10:26 +08:00
crash_dump.te [dice] Remove all the sepolicy relating the hal service dice 2023-02-24 08:34:26 +00:00
credstore.te Remove RemoteProvisioner and remoteprovisioning services 2023-03-14 15:45:35 -07:00
crosvm.te Introduce vm_manager_device_type for crosvm 2023-03-29 10:19:06 -07:00
derive_classpath.te Add support for invoking derive_classpath from otadexopt 2021-04-27 14:31:54 -07:00
derive_sdk.te Allow dumpstate to exec derive_sdk 2022-09-28 14:26:46 +02:00
device_as_webcam.te Add selinux permissions for DeviceAsWebcam Service 2023-02-02 12:26:33 -08:00
dex2oat.te Additional sepolicy rules for dex2oat 2023-01-17 15:43:58 +00:00
dexoptanalyzer.te dontaudit dexoptanalyzer's DM file check on secondary dex files. 2023-01-30 07:56:10 +00:00
dhcp.te Move system property rules to private 2020-03-18 16:46:04 +00:00
dmesgd.te dmesgd: sepolicies 2022-02-10 17:42:52 +00:00
dnsmasq.te
domain.te Merge "Allow virtualizationmanager to open test artifacts in shell_data_file" 2023-04-17 04:00:16 +00:00
drmserver.te Relabel drm related props from exported*_prop 2020-06-19 10:52:10 +09:00
dumpstate.te Don't emit audit logs for dumpstate->keystore 2023-03-21 09:16:47 +00:00
ephemeral_app.te sepolicy: rework perfetto producer/profiler rules for "user" builds 2023-02-03 15:05:14 +00:00
evsmanagerd.te Revert^2 "Adds a sepolicy for EVS manager service" 2022-02-10 17:21:14 +00:00
extra_free_kbytes.te Add policies for ro.kernel.watermark_scale_factor property 2022-09-08 19:35:34 +00:00
fastbootd.te Add SELinux Policy For io_uring 2023-01-27 11:44:59 -05:00
file.te Introduce vm_manager_device_type for crosvm 2023-03-29 10:19:06 -07:00
file_contexts Revert "Modify the automotive display service file context" 2023-04-08 00:14:14 +00:00
file_contexts_asan Fix data/asan/system/system_ext/lib selinux rule for file_contexts_asan 2020-06-08 10:05:07 +00:00
file_contexts_overlayfs
fingerprintd.te
flags_health_check.te Add SELinux policy for edgetpu_native device_config prop 2023-02-13 21:55:57 +00:00
fs_use private/fs_use: Enable selinux for virtiofs 2020-03-06 17:19:04 +09:00
fsck.te Remove microdroid specific rules and files 2021-06-07 19:22:18 +09:00
fsck_untrusted.te
fsverity_init.te Clean up proc_fs_verity which is no longer used 2022-12-06 09:10:41 -08:00
fuseblkd.te Adds support for fuseblk binaries. 2023-02-02 15:32:39 +01:00
fuseblkd_untrusted.te Adds support for fuseblk binaries. 2023-02-02 15:32:39 +01:00
fwk_bufferhub.te Remove bufferhub HAL policy. 2021-10-27 10:54:45 -07:00
gatekeeperd.te Move system property rules to private 2020-03-18 16:46:04 +00:00
genfs_contexts SEPolicy for trace event suspend_resume_minimal 2023-04-05 07:55:43 +00:00
gki_apex_prepostinstall.te Allow GKI APEX to use apexd:fd 2020-08-28 17:29:58 -07:00
gmscore_app.te Allow GMSCore to read RKP properties. 2023-02-08 17:14:47 -08:00
gpuservice.te Allow gpuservice to query permission 2023-04-17 04:12:43 +00:00
gsid.te Add proc_cmdline read permission to read_fstab 2022-03-20 16:35:19 +08:00
hal_allocator_default.te sepolicy: remove ashmemd 2019-09-27 17:43:53 +00:00
hal_lazy_test.te Add rules for hidl_lazy_test* 2020-04-24 14:09:41 -07:00
halclientdomain.te
halserverdomain.te
healthd.te Remove healthd. 2021-10-20 18:47:41 -07:00
heapprofd.te [dice] Remove all the sepolicy relating the hal service dice 2023-02-24 08:34:26 +00:00
hidl_lazy_test_server.te Add rules for hidl_lazy_test* 2020-04-24 14:09:41 -07:00
hwservice.te Add rules for hidl_lazy_test* 2020-04-24 14:09:41 -07:00
hwservice_contexts Revert "Add sepolicies for CPU HAL." 2022-11-09 16:47:07 +00:00
hwservicemanager.te Allow service managers access to apex data. 2022-09-23 21:33:58 +00:00
idmap.te
incident.te Allow dumpstate to call incident CLI 2019-08-21 16:10:39 -07:00
incident_helper.te
incidentd.te Add build properties for attestation feature 2023-02-02 18:52:35 +08:00
init.te Introduce vm_manager_device_type for crosvm 2023-03-29 10:19:06 -07:00
initial_sid_contexts
initial_sids
inputflinger.te
installd.te Allow installd to kill profman. 2023-01-30 11:09:08 +00:00
isolated_app.te sepolicy: rework perfetto producer/profiler rules for "user" builds 2023-02-03 15:05:14 +00:00
isolated_app_all.te Use kernel sys/fs/fuse/features/fuse_bpf flag to enable fuse_bpf 2023-03-01 14:45:57 -08:00
isolated_compute_app.te Fix attribute plurals for isolated_compute_allowed 2023-04-20 16:39:39 +00:00
iw.te
kernel.te Suppress permissive audit messages post OTA reboot 2022-10-10 21:58:41 +00:00
keys.conf Changing selinux policy for privapps for new certs. 2022-04-05 17:31:49 -07:00
keystore.te Merge "Allow service managers access to apex data." 2022-10-14 18:04:46 +00:00
keystore2_key_contexts Add keystore2 namespace for LocksettingsService. 2021-04-14 16:03:13 -07:00
keystore_keys.te Add keystore2 namespace for LocksettingsService. 2021-04-14 16:03:13 -07:00
linkerconfig.te Allow linkerconfig to use pseudo tty 2023-04-10 11:07:11 +09:00
llkd.te [dice] Remove all the sepolicy relating the hal service dice 2023-02-24 08:34:26 +00:00
lmkd.te Add search in bpf directory for bpfdomains 2022-03-21 17:31:17 -07:00
logd.te Add sepolicy for logd and logcat services 2022-01-13 11:38:43 -08:00
logpersist.te Add logd.ready 2021-11-30 15:10:53 +09:00
lpdumpd.te Add rules for calling ReadDefaultFstab() 2021-03-29 15:23:29 +08:00
mac_permissions.xml Changing selinux policy for privapps for new certs. 2022-04-05 17:31:49 -07:00
mdnsd.te
mediadrmserver.te
mediaextractor.te Add sepolicy swcodec native flag namespace. 2021-02-16 09:22:16 -08:00
mediametrics.te Allow communication between mediametrics & statsd 2021-03-12 04:06:23 -08:00
mediaprovider.te Add FUNCTIONFS_ENDPOINT_ALLOC to ioctl_defines and mediaprovider.te 2021-07-13 09:33:15 +08:00
mediaprovider_app.te Adds support for fuseblk binaries. 2023-02-02 15:32:39 +01:00
mediaserver.te Allow communication between mediaserver & statsd 2023-02-01 22:33:28 +00:00
mediaswcodec.te Add sepolicy swcodec native flag namespace. 2021-02-16 09:22:16 -08:00
mediatranscoding.te Adds GPU sepolicy to support devices with DRM gralloc/rendering 2022-04-18 17:30:56 -07:00
mediatuner.te Add properties to configure whether the lazy tuner is enabled. 2022-08-23 07:01:05 +00:00
migrate_legacy_obb_data.te sepolicy: Adjust policy for migrate_legacy_obb_data.sh 2019-07-16 02:55:25 +00:00
mls Add SELinux policy for using userfaultfd 2021-03-17 04:57:22 -07:00
mls_decl
mls_macros
mlstrustedsubject.te Update SELinux policy to allow artd to perform secondary dex compilation 2022-10-24 16:07:01 +01:00
mm_events.te Sepolicy for mm_events 2021-04-06 22:46:32 -04:00
modprobe.te
mtectrl.te [MTE] ignore mtectrl selinux error for device tree. 2022-09-29 22:53:58 +00:00
mtp.te
net.te Merge "Enforce MAC address restrictions for priv apps." am: 6b2fefbf46 am: a9723095c7 2022-05-18 13:56:49 +00:00
netd.te netd/netutils_wrapper/network_stack/system_server - allow getattr on bpf progs/maps 2023-03-28 03:11:42 +00:00
netutils_wrapper.te netd/netutils_wrapper/network_stack/system_server - allow getattr on bpf progs/maps 2023-03-28 03:11:42 +00:00
network_stack.te netd/netutils_wrapper/network_stack/system_server - allow getattr on bpf progs/maps 2023-03-28 03:11:42 +00:00
nfc.te Add sepolicy to allow read/write nfc snoop log data 2020-09-24 17:36:07 +08:00
odrefresh.te Remove odrefresh privileges no longer needed for CompOS 2022-01-18 12:56:27 -08:00
odsign.te Selinux setup for /data/misc/odsign/metrics/ 2022-04-07 14:18:37 +00:00
otapreopt_chroot.te Revert "Allow otapreopt_chroot to call otadexopt binder service" 2021-07-06 17:06:22 +00:00
otapreopt_slot.te Sepolicy: Clean up moved files 2019-02-22 08:36:41 -08:00
perfetto.te Allow perfetto to write into perfetto_traces_bugreport_data_file 2023-03-28 11:34:58 +00:00
performanced.te
permissioncontroller_app.te Add missing permissions for Cuttlefish to support GSI testing 2021-05-03 16:49:07 -07:00
platform_app.te Add persist.sysui.notification.builder_extras_ovrd 2023-03-29 16:35:39 +00:00
policy_capabilities
port_contexts
postinstall.te Use postinstall file_contexts 2021-03-25 00:01:25 +00:00
postinstall_dexopt.te postinstall_dexopt: allow reading odsign.verification.status 2021-07-19 19:47:33 +00:00
ppp.te
preloads_copy.te Ignore the denial when system_other is erased 2020-03-31 20:10:26 +08:00
preopt2cachename.te Sepolicy: Clean up moved files 2019-02-22 08:36:41 -08:00
priv_app.te sepolicy: rework perfetto producer/profiler rules for "user" builds 2023-02-03 15:05:14 +00:00
prng_seeder.te Add SEPolicy for PRNG seeder daemon. 2022-11-15 01:50:22 +00:00
profcollectd.te profcollectd: allow to request wakelock from system_suspend. 2022-02-17 10:20:08 -08:00
profman.te Update SELinux policy for app compilation CUJ. 2022-07-29 14:07:52 +00:00
property.te Merge "Add persist.sysui.notification.builder_extras_ovrd" 2023-04-03 13:47:09 +00:00
property_contexts Merge "Add a new system property persist.graphics.egl" 2023-04-13 18:49:26 +00:00
racoon.te
radio.te make ril.cdma.inecmmode system property internal 2021-10-01 21:36:49 +00:00
recovery.te Allow update_engine, recovery, and fastbootd to read snapuserd properties. 2021-07-28 22:30:22 -07:00
recovery_persist.te In native coverage builds, allow all domains to access /data/misc/trace 2019-06-19 16:27:17 -07:00
recovery_refresh.te In native coverage builds, allow all domains to access /data/misc/trace 2019-06-19 16:27:17 -07:00
remount.te Add remount.te to allow adb remount-related operations 2021-11-02 22:10:05 +08:00
rkpd.te Add SELinux policies for remote_key_provisioning_native namespace. 2022-09-29 21:32:58 +00:00
rkpd_app.te Add set property permissions to RKPD application. 2023-03-16 18:05:10 +00:00
roles_decl
rs.te Allow priv_app to run the renderscript compiler. am: 737b098a71 2021-06-15 19:15:27 +00:00
rss_hwm_reset.te
runas.te
runas_app.te runas_app: allow sigkill of untrusted_app 2023-01-20 09:02:19 +01:00
sdcardd.te
sdk_sandbox.te Add neverallow rules to protect SDK's private data 2023-05-03 13:25:00 +00:00
seapp_contexts Remove RemoteProvisioner and remoteprovisioning services 2023-03-14 15:45:35 -07:00
secure_element.te Added sepolicy rule for vendor uuid mapping config 2021-11-20 01:08:11 +00:00
security_classes Add SELinux Policy For io_uring 2023-01-27 11:44:59 -05:00
service.te Add sepolicy for background_install_control service 2022-10-24 11:26:35 -07:00
service_contexts Define sepolicy for ivn HAL. 2023-04-10 17:42:51 -07:00
servicemanager.te Allow service managers access to apex data. 2022-09-23 21:33:58 +00:00
sgdisk.te
shared_relro.te Make shared_relro policy private. 2021-01-05 09:48:10 +00:00
shell.te Add persist.sysui.notification.builder_extras_ovrd 2023-03-29 16:35:39 +00:00
simpleperf.te Revert "Revert "allow simpleperf to profile more app types."" 2021-10-27 11:05:01 -07:00
simpleperf_app_runner.te Revert "Revert "allow simpleperf to profile more app types."" 2021-10-27 11:05:01 -07:00
simpleperf_boot.te Add sepolicy for simpleperf_boot. 2022-01-15 16:12:51 -08:00
slideshow.te
snapshotctl.te snapshotctl: allow to write stats 2020-02-14 20:51:53 +00:00
snapuserd.te Add SELinux Policy For io_uring 2023-01-27 11:44:59 -05:00
stats.te Allow traced_probes to subscribe to statsd atoms 2023-03-22 19:53:34 +00:00
statsd.te Allow statsd to write to priv app FDs 2021-10-28 13:07:19 -07:00
storaged.te Revert "Revert "Add neverallows for debugfs access"" 2021-05-04 22:06:46 -07:00
su.te Start using virtmgr for running VMs 2023-01-05 17:39:39 +00:00
surfaceflinger.te Grant surfaceflinger and graphics allocator access to the secure heap 2023-01-19 09:02:56 +00:00
system_app.te sepolicy: rework perfetto producer/profiler rules for "user" builds 2023-02-03 15:05:14 +00:00
system_server.te Merge changes from topic "cherrypicker-L58100000960054695:N31200001359782734" 2023-04-20 15:06:22 +00:00
system_server_startup.te Allow system_server_startup to load system server odex files 2021-06-28 17:00:55 +00:00
system_suspend.te suspend: Allow access to /sys/power/wake_[un]lock 2022-12-14 14:18:55 -08:00
technical_debt.cil Enable NNAPI for isolated compute app 2023-03-01 20:27:13 +00:00
tombstoned.te Fix broken neverallow rules 2021-03-10 10:44:22 +09:00
toolbox.te Dontaudit chmod of virtualizationsevice_data_file 2022-06-15 17:25:20 +01:00
traced.te Allow perfetto to write into perfetto_traces_bugreport_data_file 2023-03-28 11:34:58 +00:00
traced_perf.te [dice] Remove all the sepolicy relating the hal service dice 2023-02-24 08:34:26 +00:00
traced_probes.te Merge "traced_probes: allow traced_probes to access diskstats info" 2023-04-04 01:25:18 +00:00
traceur_app.te Cleanup mechanism for enabling perfetto daemon. 2020-06-01 11:56:03 -07:00
ueventd.te Move system property rules to private 2020-03-18 16:46:04 +00:00
uncrypt.te Move system property rules to private 2020-03-18 16:46:04 +00:00
untrusted_app.te Blocks untrusted apps to access /dev/socket/mdnsd from U 2023-01-20 15:25:46 +09:00
untrusted_app_25.te Blocks untrusted apps to access /dev/socket/mdnsd from U 2023-01-20 15:25:46 +09:00
untrusted_app_27.te Blocks untrusted apps to access /dev/socket/mdnsd from U 2023-01-20 15:25:46 +09:00
untrusted_app_29.te Blocks untrusted apps to access /dev/socket/mdnsd from U 2023-01-20 15:25:46 +09:00
untrusted_app_30.te Blocks untrusted apps to access /dev/socket/mdnsd from U 2023-01-20 15:25:46 +09:00
untrusted_app_32.te Blocks untrusted apps to access /dev/socket/mdnsd from U 2023-01-20 15:25:46 +09:00
untrusted_app_all.te sepolicy: rework perfetto producer/profiler rules for "user" builds 2023-02-03 15:05:14 +00:00
update_engine.te Add sepolicy for IBootControl AIDL 2022-06-07 16:26:19 -07:00
update_engine_common.te Use postinstall file_contexts 2021-03-25 00:01:25 +00:00
update_verifier.te Allow update_verifier to connect to snapuserd daemon 2022-06-08 20:26:18 +00:00
usbd.te Move system property rules to private 2020-03-18 16:46:04 +00:00
users
vdc.te Add vehicle_binding_util SELinux context 2021-07-15 19:44:27 +00:00
vehicle_binding_util.te Revert "Revert "Allow vehicle_binding_util to access AIDL VHAL. am: d5af7b7cea am: 565699bc61 am: e4ddf119a1 am: 54e7d19e1d am: 3686a43f8f"" 2022-05-11 18:14:06 +00:00
vendor_init.te Introduce vm_manager_device_type for crosvm 2023-03-29 10:19:06 -07:00
viewcompiler.te Give map permission to viewcompiler 2019-08-27 10:43:55 -07:00
virtual_touchpad.te
virtualizationmanager.te Allow virtualizationmanager to open test artifacts in shell_data_file 2023-04-03 15:46:26 +09:00
virtualizationservice.te virtualizationservice: Allow checking permissions 2023-01-12 21:10:33 +00:00
vold.te Adds support for fuseblk binaries. 2023-02-02 15:32:39 +01:00
vold_prepare_subdirs.te Create a separate label for sandbox root directory 2022-05-19 16:01:15 +01:00
vzwomatrigger_app.te Don't run vzwomatrigger_app in permissive mode 2019-12-02 09:41:54 -08:00
wait_for_keymaster.te Remove wait_for_keymaster and references 2021-06-17 11:12:16 -07:00
watchdogd.te
webview_zygote.te Allow zygotes and installd to read odsign properties 2021-07-02 11:57:24 +01:00
wificond.te Rename vpnprofilestore to legacykeystore. 2021-06-30 12:40:39 -07:00
zygote.te Add persist.sysui.notification.builder_extras_ovrd 2023-04-19 18:29:04 +00:00