b1016ed568cc01c81cd13381917e0e28481b75e5 |
|
06-Dec-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Make hci_attach enforcing.

Change-Id: I27c62a7ab7223eb74f44a78c273dd97f1380bc61
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/hci_attach.te
|
623975fa5aece708032aaf29689d73e1f3a615e7 |
|
11-Jan-2014 |
Nick Kralevich <nnk@google.com> |
Support forcing permissive domains to unconfined.

Permissive domains are only intended for development. When a device launches, we want to ensure that all permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During development, this flag is false, and permissive domains are allowed. When SELinux new feature development has been frozen immediately before release, this flag will be flipped to true. Any previously permissive domains will move into unconfined+enforcing.

This will ensure that all SELinux domains have at least a minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
/external/sepolicy/hci_attach.te
|
e14a51dd31f407e3463a95b1667fd44201405110 |
|
29-Oct-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Confine hci_attach, but leave it permissive for now.

Change-Id: I4b6cacf70805065ad6fd9678417283c25a53b51b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/hci_attach.te
|
353c72e3b0b4d7d729af20f0c9a13c976baa8753 |
|
21-Oct-2013 |
Nick Kralevich <nnk@google.com> |
Move unconfined domains out of permissive mode.

This change removes the permissive line from unconfined domains. Unconfined domains can do (mostly) anything, so moving these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the rules in unconfined, and have those tightened rules actually work.

When we're ready to tighten up the rules for these domains, we can:
1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify a list of possible rules which allow adbd to work, re-add the permissive line, and then upload those changes to AOSP. After sufficient testing, we'd then move adb to enforcing. We'd repeat this for each domain until everything is enforcing and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
/external/sepolicy/hci_attach.te
|
77d4731e9d30c8971e076e2469d6957619019921 |
|
18-May-2013 |
repo sync <gcondra@google.com> |
Make all domains unconfined.

This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
/external/sepolicy/hci_attach.te
|
50e37b93ac97631dcac6961285b92af5026557af |
|
15-May-2013 |
repo sync <gcondra@google.com> |
Move domains into per-domain permissive mode.

Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
/external/sepolicy/hci_attach.te
|
7fa2f9e0f5ea5c24d4e14ba4aef14cfc7090a388 |
|
31-May-2012 |
William Roberts <bill.c.roberts@gmail.com> |
Policy for hci_attach service.
/external/sepolicy/hci_attach.te
|