tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private
History
Neil Fuller c5980699a4 Limit processes that can change settings sysprops 
Limit processes that can change global settings system properties.

Only system server and shell (for tests) should be able to set the
affected system properties.

Bug: 248307936
Test: treehugger only
Change-Id: I20b40cbedc9ad5277d08d033fc9d3ff6df7b7919
2022-09-27 16:08:59 +00:00
..
compat Add new type for system settings metadata 2022-09-27 16:06:57 +00:00
access_vectors Remove key migration related changes 2022-07-20 15:19:37 +10:00
adbd.te Adds GPU sepolicy to support devices with DRM gralloc/rendering 2022-04-18 17:30:56 -07:00
aidl_lazy_test_server.te
apex_test_prepostinstall.te
apexd.te Modifed sepolicy for new apex ready prop 2022-09-01 22:20:10 +00:00
apexd_derive_classpath.te
app.te Merge "Allow all Apps to Recv UDP Sockets from SystemServer" am: c37a39c26d 2022-07-04 08:30:12 +00:00
app_neverallows.te Merge "Drop back-compatibility for hiding ro.debuggable and ro.secure" 2022-09-08 09:51:22 +00:00
app_zygote.te Add userfaultfd selinux policy for app_zygote 2022-03-09 21:50:52 -08:00
artd.te Allow reading process info from /proc. 2022-09-09 15:13:45 +00:00
asan_extract.te
atrace.te Iorapd and friends have been removed 2022-05-18 12:07:39 +02:00
attributes
audioserver.te Add SELinux policy for accessing the AudioService 2022-07-27 12:11:50 +00:00
auditctl.te
automotive_display_service.te Revert^2 "Updates sepolicy for EVS HAL" 2022-02-10 17:21:54 +00:00
binderservicedomain.te
blank_screen.te
blkid.te
blkid_untrusted.te
bluetooth.te Allow Bluetooth stack to read security log sysprop 2022-05-25 21:05:02 +00:00
bluetoothdomain.te
bootanim.te Label /data/bootanim with bootanim_data_file. 2021-12-23 15:00:31 -08:00
bootstat.te
boringssl_self_test.te
bpfdomain.te allow bpfloader to create symbolic links in /sys/fs/bpf 2022-07-18 05:14:44 -07:00
bpfloader.te allow bpfloader to create symbolic links in /sys/fs/bpf 2022-07-18 05:14:44 -07:00
bufferhubd.te
bug_map Track sys_module permission for system_server 2022-04-13 10:48:13 +10:00
cameraserver.te Adds GPU sepolicy to support devices with DRM gralloc/rendering 2022-04-18 17:30:56 -07:00
canhalconfigurator.te
charger.te
charger_type.te
clatd.te Grants clatd privs since forked by system server 2022-01-21 18:17:45 +00:00
compos_fd_server.te Delete more unused policies by CompOS 2022-01-25 08:40:46 -08:00
compos_verify.te Allow compos_verify to write VM logs 2022-06-17 13:41:51 +01:00
composd.te Allow composd to pass some system properties to CompOS 2022-05-11 09:05:12 -07:00
coredomain.te Merge changes from topics "apex-ready-prop", "apex-update-prop" 2022-09-02 06:46:54 +00:00
cppreopts.te
crash_dump.te Remove inapplicable comment. 2022-08-02 11:01:25 -07:00
credstore.te Add remotely provisioned key pool se policy 2022-02-02 15:07:26 -08:00
crosvm.te crosvm: dontaudit netlink perms for acpi 2022-09-02 20:41:56 +00:00
derive_classpath.te
derive_sdk.te
dex2oat.te Update SELinux policy for app compilation CUJ. 2022-07-29 14:07:52 +00:00
dexoptanalyzer.te
dhcp.te
diced.te
dmesgd.te dmesgd: sepolicies 2022-02-10 17:42:52 +00:00
dnsmasq.te
domain.te Don't let ro.log.file_logger.path to be set 2022-09-18 23:39:41 +09:00
drmserver.te
dumpstate.te Merge "system_dlkm: allow dumpstate/bugreport to getattr" 2022-03-13 22:22:54 +00:00
ephemeral_app.te
evsmanagerd.te Revert^2 "Adds a sepolicy for EVS manager service" 2022-02-10 17:21:14 +00:00
extra_free_kbytes.te Add policies for ro.kernel.watermark_scale_factor property 2022-09-08 19:35:34 +00:00
fastbootd.te Fix selinux denials for fastbootd 2022-09-05 17:41:07 +00:00
file.te Update SELinux policy for app compilation CUJ. 2022-07-29 14:07:52 +00:00
file_contexts Rename migrate_legacy_obb_data.sh 2022-09-01 18:11:56 -07:00
file_contexts_asan
file_contexts_overlayfs
fingerprintd.te
flags_health_check.te sepolicy: allow vendor system native boot experiments property 2022-08-11 08:03:42 +00:00
fs_use
fsck.te
fsck_untrusted.te
fsverity_init.te
fwk_bufferhub.te
gatekeeperd.te
genfs_contexts much more finegrained bpf selinux privs for networking mainline 2022-06-22 16:07:42 -07:00
gki_apex_prepostinstall.te
gmscore_app.te Merge "Revert system app/process profileability on user builds" am: 829acbee3a 2022-07-04 15:56:18 +00:00
gpuservice.te Add search in bpf directory for bpfdomains 2022-03-21 17:31:17 -07:00
gsid.te Add proc_cmdline read permission to read_fstab 2022-03-20 16:35:19 +08:00
hal_allocator_default.te
hal_lazy_test.te
halclientdomain.te
halserverdomain.te
healthd.te
heapprofd.te perfetto profiling: fix access to ART apex files 2022-08-19 00:30:40 +01:00
hidl_lazy_test_server.te
hwservice.te
hwservice_contexts
hwservicemanager.te Allow (hw)servicemanager use bootstrap bionic 2022-07-14 11:31:03 +09:00
idmap.te
incident.te
incident_helper.te
incidentd.te
init.te Allow init to launch BootControlHAL in recovery 2022-09-02 17:50:10 +00:00
initial_sid_contexts
initial_sids
inputflinger.te
installd.te Allow installd delete staging folders. 2022-09-02 13:16:24 -07:00
isolated_app.te Add ThermalService and file access to SdkSandbox 2022-03-25 12:20:07 +00:00
iw.te
kernel.te Policy for using Apex sepolicy 2021-12-14 13:54:03 +01:00
keys.conf Changing selinux policy for privapps for new certs. 2022-04-05 17:31:49 -07:00
keystore.te Add ro.keystore.boot_level_key.strategy 2022-08-24 21:38:36 -07:00
keystore2_key_contexts
keystore_keys.te
linkerconfig.te
llkd.te
lmkd.te Add search in bpf directory for bpfdomains 2022-03-21 17:31:17 -07:00
logd.te Add sepolicy for logd and logcat services 2022-01-13 11:38:43 -08:00
logpersist.te
lpdumpd.te
mac_permissions.xml Changing selinux policy for privapps for new certs. 2022-04-05 17:31:49 -07:00
mdnsd.te
mediadrmserver.te
mediaextractor.te
mediametrics.te
mediaprovider.te
mediaprovider_app.te Restrict creating per-user encrypted directories 2022-05-05 04:12:46 +00:00
mediaserver.te
mediaswcodec.te
mediatranscoding.te Adds GPU sepolicy to support devices with DRM gralloc/rendering 2022-04-18 17:30:56 -07:00
mediatuner.te Add properties to configure whether the lazy tuner is enabled. 2022-08-23 07:01:05 +00:00
migrate_legacy_obb_data.te
mls
mls_decl
mls_macros
mlstrustedsubject.te Iorapd and friends have been removed 2022-05-18 12:07:39 +02:00
mm_events.te
modprobe.te
mtectrl.te Move mtectrl to private 2022-01-26 08:59:55 +09:00
mtp.te
net.te Merge "Enforce MAC address restrictions for priv apps." am: 6b2fefbf46 am: a9723095c7 2022-05-18 13:56:49 +00:00
netd.te much more finegrained bpf selinux privs for networking mainline 2022-06-22 16:07:42 -07:00
netutils_wrapper.te much more finegrained bpf selinux privs for networking mainline 2022-06-22 16:07:42 -07:00
network_stack.te much more finegrained bpf selinux privs for networking mainline 2022-06-22 16:07:42 -07:00
nfc.te
odrefresh.te Remove odrefresh privileges no longer needed for CompOS 2022-01-18 12:56:27 -08:00
odsign.te Selinux setup for /data/misc/odsign/metrics/ 2022-04-07 14:18:37 +00:00
otapreopt_chroot.te
otapreopt_slot.te
perfetto.te Remove TZUvA feature. 2022-06-13 11:45:50 +00:00
performanced.te
permissioncontroller_app.te
platform_app.te Revert system app/process profileability on user builds 2022-07-01 12:41:01 +00:00
policy_capabilities
port_contexts
postinstall.te
postinstall_dexopt.te
ppp.te
preloads_copy.te
preopt2cachename.te
priv_app.te Allow priv-app to report off body events to keystore. 2022-02-07 22:42:51 +00:00
profcollectd.te profcollectd: allow to request wakelock from system_suspend. 2022-02-17 10:20:08 -08:00
profman.te Update SELinux policy for app compilation CUJ. 2022-07-29 14:07:52 +00:00
property.te Add new type for system settings metadata 2022-09-27 16:06:57 +00:00
property_contexts Add new type for system settings metadata 2022-09-27 16:06:57 +00:00
racoon.te
radio.te
recovery.te
recovery_persist.te
recovery_refresh.te
remote_prov_app.te Allow remote_prov_app to find mediametrics. 2022-06-15 13:42:32 -07:00
remount.te
roles_decl
rs.te
rss_hwm_reset.te
runas.te
runas_app.te
sdcardd.te
sdk_sandbox.te Revert^2 "Move allow rules of sdk_sandbox to apex policy" 2022-09-07 08:22:59 +00:00
seapp_contexts Changing selinux policy for privapps for new certs. 2022-04-05 17:31:49 -07:00
secure_element.te
security_classes
service.te Merge "SELinux policy changes for AmbientContext system API." am: 7bb9120ba7 am: 49527e07b6 am: f46b2a87dd am: ad1efe3c75 2022-01-21 22:54:30 +00:00
service_contexts Merge "Create selinux policy for remoteaccess HAL." 2022-09-22 01:17:00 +00:00
servicemanager.te servicemanager started property 2022-07-28 17:09:14 +00:00
sgdisk.te
shared_relro.te
shell.te Limit processes that can change settings sysprops 2022-09-27 16:08:59 +00:00
simpleperf.te
simpleperf_app_runner.te
simpleperf_boot.te Add sepolicy for simpleperf_boot. 2022-01-15 16:12:51 -08:00
slideshow.te
snapshotctl.te
snapuserd.te Fix io_uring permission denial for snapuserd 2022-09-06 17:11:54 +00:00
stats.te
statsd.te
storaged.te
su.te Add property for MTE permissive mode. 2022-06-14 10:21:25 -07:00
surfaceflinger.te Limit processes that can change settings sysprops 2022-09-27 16:08:59 +00:00
system_app.te Limit processes that can change settings sysprops 2022-09-27 16:08:59 +00:00
system_server.te Add new type for system settings metadata 2022-09-27 16:06:57 +00:00
system_server_startup.te
system_suspend.te
technical_debt.cil Restrict sandbox access to drmservice 2022-03-24 14:09:46 +01:00
tombstoned.te
toolbox.te Dontaudit chmod of virtualizationsevice_data_file 2022-06-15 17:25:20 +01:00
traced.te Remove TZUvA feature. 2022-06-13 11:45:50 +00:00
traced_perf.te perfetto profiling: fix access to ART apex files 2022-08-19 00:30:40 +01:00
traced_probes.te traced_probes: allow perfetto to read buddyinfo proc entry 2022-08-04 20:21:37 +00:00
traceur_app.te
ueventd.te
uncrypt.te
untrusted_app.te Add services and allow app to write to sdk_sandbox 2022-05-11 15:52:51 +00:00
untrusted_app_25.te Drop back-compatibility for hiding ro.debuggable and ro.secure 2022-08-18 13:43:17 +00:00
untrusted_app_27.te Drop back-compatibility for hiding ro.debuggable and ro.secure 2022-08-18 13:43:17 +00:00
untrusted_app_29.te Drop back-compatibility for hiding ro.debuggable and ro.secure 2022-08-18 13:43:17 +00:00
untrusted_app_30.te Drop back-compatibility for hiding ro.debuggable and ro.secure 2022-08-18 13:43:17 +00:00
untrusted_app_all.te Allow untrusted app to use virtualizationservice - even on user builds 2022-05-03 14:38:28 +09:00
update_engine.te Add sepolicy for IBootControl AIDL 2022-06-07 16:26:19 -07:00
update_engine_common.te
update_verifier.te Allow update_verifier to connect to snapuserd daemon 2022-06-08 20:26:18 +00:00
usbd.te
users
vdc.te
vehicle_binding_util.te Revert "Revert "Allow vehicle_binding_util to access AIDL VHAL. am: d5af7b7cea am: 565699bc61 am: e4ddf119a1 am: 54e7d19e1d am: 3686a43f8f"" 2022-05-11 18:14:06 +00:00
vendor_init.te Set apex. property as "system_restricted" 2022-09-02 18:11:33 +09:00
viewcompiler.te
virtual_touchpad.te
virtualizationservice.te Make sure only VS can access its data files 2022-08-31 17:39:59 +01:00
vold.te Remove init's write access to /data/user and /data/media 2022-05-12 00:19:29 +00:00
vold_prepare_subdirs.te Create a separate label for sandbox root directory 2022-05-19 16:01:15 +01:00
vzwomatrigger_app.te
wait_for_keymaster.te
watchdogd.te
webview_zygote.te
wificond.te
zygote.te Allow zygote to read persist.wm.debug.* prop 2022-08-04 14:48:06 -07:00