platform_system_sepolicy/public
Alex Klyubin e539570694 Remove unnecessary rules from NFC HAL clients
Rules in clients of NFC HAL due to the HAL running (or previously
running) in passthrough mode are now targeting hal_nfc. Domains which
are clients of NFC HAL are associated with hal_nfc only the the HAL
runs in passthrough mode. NFC HAL server domains are always associated
with hal_nfc and thus get these rules unconditionally.

This commit also moves the policy of nfc domain to private. The only
thing remaining in the public policy is the existence of this domain.
This is needed because there are references to this domain in public
and vendor policy.

Test: Open a URL in Chrome, NFC-tap Android to another Android and
      observe that the same URL is opened in a web browser on the
      destination device. Do the same reversing the roles of the two
      Androids.
Test: Install an NFC reader app, tap a passive NFC tag with the
      Android and observe that the app is displaying information about
      the tag.
Test: No SELinux denials to do with NFC before and during and after
      the above tests on sailfish, bullhead, and angler.
Bug: 34170079

Change-Id: I29fe43f63d64b286c28eb19a3a9fe4f630612226
2017-03-22 16:22:33 -07:00
..
adbd.te Move adbd policy to private 2017-02-07 09:55:05 -08:00
attributes Switch Allocator HAL policy to _client/_server 2017-03-20 22:18:12 +00:00
audioserver.te Move audioserver policy to private 2017-02-07 10:47:18 -08:00
blkid.te Move blkid policy to private 2017-02-07 23:57:53 +00:00
blkid_untrusted.te Move blkid policy to private 2017-02-07 23:57:53 +00:00
bluetooth.te Move bluetooth policy to private 2017-02-06 15:29:10 -08:00
bootanim.te Allow bootanimation to talk to hwservicemanager. 2017-02-17 09:14:17 +00:00
bootstat.te logd: restrict access to /dev/event-log-tags 2017-01-31 15:50:15 +00:00
bufferhubd.te Allow fd access between mediacodec and bufferhubd 2017-03-15 15:56:27 -07:00
cameraserver.te Remove unnecessary binder_call from cameraserver 2017-03-21 12:39:13 -07:00
charger.te healthd: create SEPolicy for 'charger' and reduce healthd's scope 2016-12-15 18:17:13 -08:00
clatd.te
cppreopts.te
crash_dump.te crash_dump: allow appending to pipes. 2017-02-15 17:29:50 -08:00
device.te Switch Boot Control HAL policy to _client/_server 2017-03-17 17:22:06 -07:00
dex2oat.te Sepolicy: Allow postinstall to read links 2017-03-17 10:08:52 -07:00
dhcp.te
dnsmasq.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
domain.te Allow fallback crash dumping for seccomped processes. 2017-03-07 15:53:46 -08:00
domain_deprecated.te sepolicy: Make wpa_supplicant a HIDL service 2017-03-07 01:34:28 +00:00
drmserver.te Merge ephemeral data and apk files into app 2017-02-06 10:16:50 -08:00
dumpstate.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
ephemeral_app.te Move ephemeral_app policy to private 2017-01-09 15:34:27 -08:00
file.te enabled /sbin/modprobe for recovery mode 2017-03-16 01:19:58 +00:00
fingerprintd.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
fsck.te fsck: allow stat access on /dev/block files 2017-02-17 12:47:25 -08:00
fsck_untrusted.te fsck: allow stat access on /dev/block files 2017-02-17 12:47:25 -08:00
gatekeeperd.te Fix sepolicy for Gatekeeper HAL 2017-03-20 07:39:33 -07:00
global_macros Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes. 2017-02-06 14:24:41 -05:00
hal_audio.te Enforce separation of privilege for HAL driver access 2017-03-13 22:40:01 -07:00
hal_bluetooth.te Allow the Bluetooth HAL to toggle rfkill 2017-02-22 20:12:16 +00:00
hal_bootctl.te Switch Boot Control HAL policy to _client/_server 2017-03-17 17:22:06 -07:00
hal_camera.te Switch Allocator HAL policy to _client/_server 2017-03-20 22:18:12 +00:00
hal_contexthub.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_drm.te Switch DRM HAL policy to _client/_server 2017-02-17 15:36:41 -08:00
hal_dumpstate.te dumpstate: allow HALs to read /proc/interrupts 2017-03-22 13:26:03 -07:00
hal_fingerprint.te Switch Fingerprint HAL policy to _client/_server 2017-02-21 16:11:25 -08:00
hal_gatekeeper.te Fix sepolicy for Gatekeeper HAL 2017-03-20 07:39:33 -07:00
hal_gnss.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_graphics_allocator.te Move Graphics Allocator HAL IPC rules to proper location 2017-03-20 15:02:20 -07:00
hal_graphics_composer.te Allow hwcomposer to change scheduling policy 2017-02-13 09:02:04 -08:00
hal_health.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_ir.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_keymaster.te Switch Keymaster HAL policy to _client/_server 2017-02-22 20:18:28 -08:00
hal_light.te hal_light: add permission to sys/class/leds. 2017-01-20 00:17:11 +00:00
hal_neverallows.te Enforce one HAL per domain. 2017-03-21 12:16:31 -07:00
hal_nfc.te Remove unnecessary rules from NFC HAL clients 2017-03-22 16:22:33 -07:00
hal_sensors.te Switch Sensors HAL policy to _client/_server 2017-03-14 12:43:29 -07:00
hal_telephony.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_thermal.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_usb.te sepolicy for usb hal 2017-01-27 00:05:19 +00:00
hal_vibrator.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_vr.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_wifi.te sepolicy: Allow hal_wifi to set wlan driver status prop 2017-03-03 09:32:03 -08:00
hal_wifi_supplicant.te wpa_supplicant: Remove unnecessary permissions from system_server 2017-03-22 17:43:38 +00:00
healthd.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hostapd.te
hwservicemanager.te hwservicemanager: halserverdomain 2017-03-22 08:43:43 -07:00
idmap.te Add service 'overlay' to service_contexts 2017-02-22 11:28:15 -08:00
incident.te Add incident command and incidentd daemon se policy. 2017-02-07 15:52:07 -08:00
incidentd.te Add incident command and incidentd daemon se policy. 2017-02-07 15:52:07 -08:00
init.te init.te: only allow wifi tracing restorecon twice 2017-03-05 22:29:28 -08:00
inputflinger.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
install_recovery.te install_recovery.te: remove domain_deprecated 2017-01-09 16:47:36 +00:00
installd.te Split preloads into media_file and data_file 2017-03-15 00:49:37 +00:00
ioctl_defines
ioctl_macros Add TCSETS to unpriv_tty_ioctls 2016-12-07 15:59:34 -08:00
isolated_app.te Move isolated_app policy to private 2017-01-05 16:06:54 -08:00
kernel.te kernel: neverallow dac_{override,read_search} perms 2017-02-22 14:33:08 -08:00
keystore.te Switch Keymaster HAL policy to _client/_server 2017-02-22 20:18:28 -08:00
lmkd.te more ephemeral_app cleanup 2017-01-20 14:35:17 +00:00
logd.te logd: add getEventTag command and service 2017-01-31 15:50:42 +00:00
logpersist.te logpersist: do not permit dynamic transition to domain 2016-12-29 09:29:36 -08:00
mdnsd.te Move mdnsd policy to private 2017-02-06 15:02:32 -08:00
mediacodec.te Allow fd access between mediacodec and bufferhubd 2017-03-15 15:56:27 -07:00
mediadrmserver.te MediaCAS: adding media.cas to service 2017-02-28 12:31:45 -08:00
mediaextractor.te Allow fallback crash dumping for seccomped processes. 2017-03-07 15:53:46 -08:00
mediametrics.te Add documentation on neverallow rules 2017-02-17 22:37:23 +00:00
mediaserver.te Split preloads into media_file and data_file 2017-03-15 00:49:37 +00:00
modprobe.te enabled /sbin/modprobe for recovery mode 2017-03-16 01:19:58 +00:00
mtp.te
net.te Move netdomain policy to private 2017-02-06 15:02:00 -08:00
netd.te netd.te: drop dccp_socket support 2017-02-27 09:23:31 -08:00
neverallow_macros
nfc.te Remove unnecessary rules from NFC HAL clients 2017-03-22 16:22:33 -07:00
otapreopt_chroot.te
otapreopt_slot.te Sepolicy: Allow getattr for otapreopt_slot 2017-03-17 10:05:31 -07:00
performanced.te Add policies for new services. 2017-02-09 15:15:11 -08:00
perfprofd.te Fix build. 2016-12-06 16:49:25 -08:00
platform_app.te Move platform_app policy to private 2017-01-09 14:52:59 -08:00
postinstall.te
postinstall_dexopt.te Sepolicy: Allow postinstall to read links 2017-03-17 10:08:52 -07:00
ppp.te ppp: Allow specific ioctls on mtp:socket. 2017-03-17 17:09:19 -04:00
preopt2cachename.te
priv_app.te Move priv_app policy to private 2017-01-05 15:44:32 -08:00
profman.te Allow profman to analyze profiles for the secondary dex files 2017-03-15 18:47:13 -07:00
property.te make ro.persistent_properties.ready accessible for hidl client 2017-03-01 12:31:04 -08:00
racoon.te remove setuid SELinux capability for racoon. 2017-02-22 03:31:23 +00:00
radio.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
recovery.te Recovery can use HALs only in passthrough mode 2017-03-20 13:11:33 -07:00
recovery_persist.te sepolicy: add version_policy tool and version non-platform policy. 2016-12-06 08:56:02 -08:00
recovery_refresh.te sepolicy: add version_policy tool and version non-platform policy. 2016-12-06 08:56:02 -08:00
rild.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
roles sepolicy: add version_policy tool and version non-platform policy. 2016-12-06 08:56:02 -08:00
runas.te allow run-as to carry unix_stream_sockets 2017-03-14 16:25:07 -07:00
sdcardd.te Remove logspam 2017-02-10 12:06:38 -08:00
sensord.te Add policies for new services. 2017-02-09 15:15:11 -08:00
service.te sepolicy: Make wpa_supplicant a HIDL service 2017-03-07 01:34:28 +00:00
servicemanager.te Remove domain_deprecated from some domains. 2016-11-25 17:37:30 -08:00
sgdisk.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
shared_relro.te Restore app_domain macro and move to private use. 2016-12-08 14:42:43 -08:00
shell.te shell.te: hwbinder for lshal 2017-02-13 15:42:42 -08:00
slideshow.te
su.te Introduce crash_dump debugging helper. 2017-01-18 15:03:24 -08:00
surfaceflinger.te Move surfaceflinger policy to private 2017-02-07 10:06:12 -08:00
system_app.te Move system_app policy to private 2017-01-05 17:20:28 -08:00
system_server.te Move system_server policy to private 2017-02-07 20:24:05 +00:00
te_macros Grant additional permissions for ASAN builds 2017-03-22 14:03:07 -07:00
tee.te
tombstoned.te tombstoned: temporarily allow write to anr_data_file. 2017-01-23 12:54:03 -08:00
toolbox.te
tzdatacheck.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
ueventd.te Removing init and ueventd access to generic char files 2017-02-01 21:35:08 +00:00
uncrypt.te
untrusted_app.te Move untrusted_app policy to private 2017-01-05 14:39:52 -08:00
untrusted_app_25.te untrusted_app: policy versioning based on targetSdkVersion 2017-02-14 13:30:12 -08:00
untrusted_v2_app.te Add new untrusted_v2_app domain 2017-02-21 12:39:55 -08:00
update_engine.te Switch Boot Control HAL policy to _client/_server 2017-03-17 17:22:06 -07:00
update_engine_common.te Label /proc/misc 2017-03-03 12:20:38 -08:00
update_verifier.te Switch Boot Control HAL policy to _client/_server 2017-03-17 17:22:06 -07:00
vdc.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
virtual_touchpad.te Add policies for new services. 2017-02-09 15:15:11 -08:00
vold.te SElinux: Clean up code related to foreign dex use 2017-03-07 10:59:26 -08:00
watchdogd.te
webview_zygote.te Move webview_zygote policy to private 2017-01-27 17:01:43 +00:00
wificond.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
zygote.te Move zygote policy to private 2017-01-26 13:31:16 -08:00