History log of /external/sepolicy/attributes
Revision Date Author Comments
4b4b2b92939cd25095e247d0ed78f600fe40036d 08-Jun-2015 dcashman <dcashman@google.com> Remove service_manager_local_audit_domain.

service_manager_local_audit_domain was used to fine tune the service_manager
auditallow rules when introducing the service_manager SELinux rules. This is no
longer needed.

(cherry-pick of commit: eab26faa60cc0fdadfe128433e0357bdde3f9d9b)

Bug: 21656807
Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75
/external/sepolicy/attributes
bd7f5803f924b0ca318c1d426b683c3f658754f9 09-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
/external/sepolicy/attributes
d12993f0846744ae8188a299cb1bb135014f626a 03-Apr-2015 dcashman <dcashman@google.com> Add system_api_service and app_api_service attributes.

System services differ in designed access level. Add attributes reflecting this
distinction and label services appropriately. Begin moving access to the newly
labeled services by removing them from tmp_system_server_service into the newly
made system_server_service attribute. Reflect the move of system_server_service
from a type to an attribute by removing access to system_server_service where
appropriate.

Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
/external/sepolicy/attributes
f435a8e55653be6e5d95a995d80ed4982f5a1628 28-Feb-2015 Nick Kralevich <nnk@google.com> Delete unconfined domain

No longer used. :-)

Change-Id: I687cc36404e8ad8b899b6e76b1de7ee8c5392e07
/external/sepolicy/attributes
4a89cdfa89448c8660308a31bfcb517fffaa239e 17-Dec-2014 dcashman <dcashman@google.com> Make system_server_service an attribute.

Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
/external/sepolicy/attributes
b8511e0d98880a683c276589ab7d8d7666b7f8c1 07-Jul-2014 Riley Spahn <rileyspahn@google.com> Add access control for each service_manager action.

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
/external/sepolicy/attributes
d2503ba864b4a8b992529178608aa3c881626006 30-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Define contextmount_type attribute and add it to oemfs.

Several device-specific policy changes with the same Change-Id
also add this attribute to device-specific types.

Change-Id: I09e13839b1956f61875a38844fe4fc3c911ea60f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/attributes
f90c41f6e8d5c1266e154f46586a2ceb260f1be6 06-Jun-2014 Riley Spahn <rileyspahn@google.com> Add SELinux rules for service_manager.

Add a service_manager class with the verb add.
Add a type that groups the services for each of the
processes that are allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
/external/sepolicy/attributes
42fb824ca9f3e46b4419f05083f2694ac67a8229 11-Jun-2014 Stephen Smalley <sds@tycho.nsa.gov> Refactor the shell domains.

Originally we used the shell domain for ADB shell only and
the init_shell domain for the console service, both transitioned
via automatic domain transitions on sh. So they originally
shared a common set of rules. Then init_shell started to be used
for sh commands invoked by init.<board>.rc files, and we switched
the console service to just use the shell domain via seclabel entry
in init.rc. Even most of the sh command instances in init.<board>.rc
files have been converted to use explicit seclabel options with
more specific domains (one lingering use is touch_fw_update service
in init.grouper.rc). The primary purpose of init_shell at this point
is just to shed certain permissions from the init domain when init invokes
a shell command. And init_shell and shell are quite different in
their permission requirements since the former is used now for
uid-0 processes spawned by init whereas the latter is used for
uid-shell processes spawned by adb or init.

Given these differences, drop the shelldomain attribute and take those
rules directly into shell.te. init_shell was an unconfined_domain(),
so it loses nothing from this change. Also switch init_shell to
permissive_or_unconfined() so that we can see its actual denials
in the future in userdebug/eng builds.

Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/attributes
02dac03a8c7cc79306cf5807f86af3e01f5dc4af 09-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Drop relabelto_domain() macro and its associated definitions.

This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files. Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.

Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/attributes
9ba844fea12a0b08770e870d63f3d3c375c7c9b5 04-Apr-2014 Stephen Smalley <sds@tycho.nsa.gov> Coalesce shared_app, media_app, release_app into untrusted_app.

This change folds the shared_app, media_app, and release_app
domains into untrusted_app, reducing the set of app domains down
to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth,
nfc, radio), a single domain for apps signed by the platform key
(platform_app), and a single domain for all other apps (untrusted_app).
Thus, SELinux only distinguishes when already distinguished by a predefined
Android ID (AID) or by the platform certificate (which get the signature-only
Android permissions and thus may require special OS-level accesses).

It is still possible to introduce specific app domains for specific
apps by adding signer and package stanzas to mac_permissions.xml,
but this can be done on an as-needed basis for specialized apps that
require particular OS-level permissions outside the usual set.

As there is now only a single platform app domain, get rid of the
platformappdomain attribute and platform_app_domain() macro. We used
to add mlstrustedsubject to those domains but drop this since we are not
using MLS in AOSP presently; we can revisit which domains need it if/when
we use MLS.

Since we are dropping the shared, media, and release seinfo entries from
seapp_contexts, drop them from mac_permissions.xml as well. However,
we leave the keys.conf entries in case someone wants to add a signer
entry in the future for specific apps signed by those keys to
mac_permissions.xml.

Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/attributes
712ca0a4d5c3ff77179da2544aafd6eb8e5a70c2 23-Oct-2013 Stephen Smalley <sds@tycho.nsa.gov> Confine shell domain in -user builds only.

Confine the domain for an adb shell in -user builds only.
The shell domain in non-user builds is left permissive.
init_shell (shell spawned by init, e.g. console service)
remains unconfined by this change.
Introduce a shelldomain attribute for rules common to all shell
domains, assign it to the shell types, and add shelldomain.te for
its rules.

Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/attributes
0c9708b2af4ea345277a47ae7bc1ce890e90d2bc 10-Jul-2013 Nick Kralevich <nnk@google.com> domain.te: Add backwards compatibility for unlabeled files

For unlabeled files, revert to DAC rules. This is for backwards
compatibility, as files created before SELinux was in place may
not be properly labeled.

Over time, the number of unlabeled files will decrease, and we can
(hopefully) remove this rule in the future.

To prevent inadvertently introducing the "relabelto" permission, add
a neverallow domain, and add apps which have a legitimate need to
relabel to this domain.

Bug: 9777552
Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
/external/sepolicy/attributes
c195ec31485766d065d3e3101268d5ce727ff4c0 07-Mar-2013 William Roberts <w.roberts@sta.samsung.com> Split internal and external sdcards

Two new types are introduced:
sdcard_internal
sdcard_external

The existing type of sdcard is dropped and a new attribute
sdcard_type is introduced.

The boolean app_sdcard_rw has also been changed to allow for
controlling untrusted_app domain to use the internal and external
sdcards.

Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
/external/sepolicy/attributes
b9760aa0d59aafe5c36ee4522fb36d51a9c147df 27-Jul-2012 Stephen Smalley <sds@tycho.nsa.gov> Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps.

Platform (any of the apps signed by build keys, i.e. platform|release|shared|media) apps expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder. Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps.

Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps.
Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps.
Specify this new type for the platform app entries in seapp_contexts.
Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them.
/external/sepolicy/attributes
124720a6976a69357522299afbe5591854e40775 04-Apr-2012 Stephen Smalley <sds@tycho.nsa.gov> Add policy for property service.
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
/external/sepolicy/attributes
2dd4e51d5c2a2dfc0bfdee9303269f5a665f6e35 04-Jan-2012 Stephen Smalley <sds@tycho.nsa.gov> SE Android policy.
/external/sepolicy/attributes