| 061f254def394fdc4784fe6c446bdd779cfec768 |
|
20-Sep-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Define security labeling for isolated processes.
Used when an app service is declared with android:isolatedProcess="true".
Place such processes in a separate domain, and further isolate them
from each other via categories.
Change-Id: I1d64f8278f0619eedb448f9a741f1d2c31985325
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
| abd977a79ec0a1f90cf236339e080775491b9919 |
|
10-Aug-2012 |
rpcraig <rpcraig@tycho.ncsc.mil> |
Additions for grouper/JB
/external/sepolicy/app.te
|
| 901cc36664399f5803c64bd5a26932807d6749aa |
|
30-Jul-2012 |
Haiqing Jiang <hqjiang1988@gmail.com> |
Untrusted_app gets route information
/external/sepolicy/app.te
|
| d28714c6f9169b4a3ac6e8ada9b3ffdd1a225480 |
|
30-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Introduce app_read_logs boolean.
/external/sepolicy/app.te
|
| 3261feef9794db542516097faba62c58492c13bb |
|
30-Jul-2012 |
Haiqing Jiang <hqjiang1988@gmail.com> |
untrusted_app reads logs when android_cts enabled
/external/sepolicy/app.te
|
| 1f0f77fcdf95fefb5ac7737f33a891e0bff42455 |
|
28-Jul-2012 |
Haiqing Jiang <hqjiang1988@gmail.com> |
Allow CTS Test apps to access to system_data_file
/external/sepolicy/app.te
|
| 59e9680825b6d07c2ce42a0bd70fa420b8d90acd |
|
28-Jul-2012 |
Haiqing Jiang <hqjiang1988@gmail.com> |
socket permissions to untrusted_app
/external/sepolicy/app.te
|
| 2b47c3fc351977b801d1c154bb7a8def2e784948 |
|
27-Jul-2012 |
Haiqing Jiang <hqjiang1988@gmail.com> |
allocate perms to platformappdomain over system_data_file
/external/sepolicy/app.te
|
| 7585fc64003a2caf56643e80fbc9984903cf3d2d |
|
27-Jul-2012 |
Haiqing Jiang <hqjiang1988@gmail.com> |
Platform app domain sdcard accesses
/external/sepolicy/app.te
|
| b9760aa0d59aafe5c36ee4522fb36d51a9c147df |
|
27-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps.
Platform (any of the apps signed by build keys, i.e. platform|release|shared|media) apps expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder. Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps.
Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps.
Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps.
Specify this new type for the platform app entries in seapp_contexts.
Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them.
/external/sepolicy/app.te
|
| 4c06d273bc3d278e7061bf93cfa97fdf2a4e8ee3 |
|
19-Jul-2012 |
hqjiang <hqjiang1988@gmail.com> |
Target the denials/policies over qtaguid file and device: 1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc"; 2. Label /dev/xt_qtaguid with "qtaguid_device"; 3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device; 4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device; 5. Allow system read/[write] to qtaguid_proc and qtaguid_device.
Actually, some of policies related to qtaguid have been there already, but
we refind existing ones and add new ones.
/external/sepolicy/app.te
|
| 1c7351652c69bc571b8edfa4a8874b58c73568aa |
|
12-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Address various denials introduced by JB/4.1.
/external/sepolicy/app.te
|
| 96bf5059621cd3903e1a402b2c90dbb652aedf90 |
|
11-Jul-2012 |
Michal MaĊĦek <michal.masek@circletech.net> |
Fix the app_ndk policy boolean allow rule.
/external/sepolicy/app.te
|
| 03d2803c542cbae539dba785153e58d81c503bf3 |
|
25-Jun-2012 |
William Roberts <bill.c.roberts@gmail.com> |
media app should have rw access to sdcard dir and files.
/external/sepolicy/app.te
|
| f3b587cab01a7a54a5a2c3296844083d90fc6641 |
|
21-Jun-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Rewrite app domains and seapp_contexts to leverage new seinfo tags.
/external/sepolicy/app.te
|
| e4682a63ab87f79130b4f914b79be0867e0d669d |
|
27-Jun-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow apps to write to /proc/net/xt_qtaguid/ctrl.
/external/sepolicy/app.te
|
| a883c3863739d5ada3509517af148a9499401600 |
|
04-Apr-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow apps to write to anr_data_file for /data/anr/traces.txt.
/external/sepolicy/app.te
|
| f6cbbe255bc57a241f35c35629705e8f63bdd77a |
|
19-Mar-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Introduce a separate wallpaper_file type for the wallpaper file.
/external/sepolicy/app.te
|
| 59d28035a1e0779a81cde104ea9afffd2bb1a77f |
|
19-Mar-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Introduce a separate apk_tmp_file type for the vmdl.*\.tmp files.
/external/sepolicy/app.te
|
| c83d0087e457787fc0441d959a20d56fc5200048 |
|
07-Mar-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Policy changes to support running the latest CTS.
/external/sepolicy/app.te
|
| c94e2392f6d92064e3aa32fff2c5a70116c7398a |
|
06-Jan-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Further policy for Motorola Xoom.
/external/sepolicy/app.te
|
| 2dd4e51d5c2a2dfc0bfdee9303269f5a665f6e35 |
|
04-Jan-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
SE Android policy.
/external/sepolicy/app.te
|