Commits · b9760aa0d59aafe5c36ee4522fb36d51a9c147df · CodeLinaro / public-release-test / platform / system / sepolicy

Jul 27, 2012

Only enforce per-app process and file isolation via SELinux for third party... · b9760aa0

Stephen Smalley authored 12 years ago

Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps.

Platform (any of the apps signed by build keys, i.e. platform|release|shared|media) apps expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder. Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps.

Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps.
Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps.
Specify this new type for the platform app entries in seapp_contexts.
Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them.

b9760aa0

Jul 24, 2012
- external/sepolicy: mediaserver open application data files · 3296dea4
  Haiqing Jiang authored 12 years ago
  
  3296dea4
- external/sepolicy: system r/w udp_socket of appdomain · 569f589a
  hqjiang authored 12 years ago
  
  569f589a
- external/sepolicy: install daemon unlink application data files · 8f781f57
  hqjiang authored 12 years ago
  
  8f781f57
Jul 19, 2012

Target the denials/policies over qtaguid file and device: 1. Relabel... · 4c06d273

hqjiang authored 12 years ago

Target the denials/policies over qtaguid file and device: 1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc"; 2. Label /dev/xt_qtaguid with "qtaguid_device"; 3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device; 4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device; 5. Allow system read/[write] to qtaguid_proc and qtaguid_device.

Actually, some of policies related to qtaguid have been there already, but
we refind existing ones and add new ones.

4c06d273

allow camera calibration · 20d6963a
hqjiang authored 12 years ago

20d6963a

Jul 12, 2012
- Address various denials introduced by JB/4.1. · 1c735165
  Stephen Smalley authored 12 years ago
  
  1c735165
- Restore devnull initial sid context. · c331d0fe
  Stephen Smalley authored 12 years ago
  
  c331d0fe
- Support for ocontexts per device. · dc107236
  William Roberts authored 12 years ago
```
ocontexts was split up into 4 files:
1.fs_use
2.genfs_contexts
3.initial_sid_contexts
4.port_contexts

Each file has their respective declerations in them.
Devices, in their respective device directory, can now specify sepolicy.fs_use, sepolicy.genfs_contexts, sepolicy.port_contexts, and sepolicy.initial_sid_contexts. These declerations will be added right behind their respective sepolicy counterparts in the concatenated configuration file.
```
  dc107236
- Fix the app_ndk policy boolean allow rule. · 96bf5059
  Michal Mašek authored 12 years ago
  
  96bf5059
- correct denies of inter system processes communication over named pipe · e1c545d8
  hqjiang authored 12 years ago
  
  e1c545d8
- Correct denies of rpmsg device when accessing to remote processors. · ee5f4005
  hqjiang authored 12 years ago
  
  ee5f4005
- Corrected denials for LocationManager when accessing gps over uart. · 81039ab5
  hqjiang authored 12 years ago
  
  81039ab5
Jun 28, 2012
- Add key_socket class to socket_class_set macro. Allow system to trigger... · 60e4f114
  Stephen Smalley authored 12 years ago
```
Add key_socket class to socket_class_set macro.  Allow system to trigger module auto-loading and to write to sockets created under /dev.
```
  60e4f114
- Allow system_app to set MAC enforcing mode and read MAC denials. · 965f2ff1
  Stephen Smalley authored 12 years ago
  
  965f2ff1
- media app should have rw access to sdcard dir and files. · 03d2803c
  William Roberts authored 12 years ago
  
  03d2803c
- Rewrite app domains and seapp_contexts to leverage new seinfo tags. · f3b587ca
  Stephen Smalley authored 12 years ago
  
  f3b587ca
- Add persist.mac_enforcing_mode context · 92495b38
  Bob Craig authored 12 years ago
  
  92495b38
Jun 27, 2012
- system needs open permission to qtaguid ctrl file. · 35c8d4fd
  Stephen Smalley authored 12 years ago
  
  35c8d4fd
- Update system rule for qtaguid file. · 322b37a9
  Stephen Smalley authored 12 years ago
  
  322b37a9
- Allow apps to write to /proc/net/xt_qtaguid/ctrl. · e4682a63
  Stephen Smalley authored 12 years ago
  
  e4682a63
- Make wallpaper_file a mlstrustedobject to permit writes from any app level. · 6c39ee00
  Stephen Smalley authored 12 years ago
  
  6c39ee00
- This patch fixes rild trying to access the bluetooth efs dir with read · 56ad8c73
  William Roberts authored 12 years ago
```
perms.
```
  56ad8c73
Jun 21, 2012
- Add selinux network script to policy · 70d4fc22
  Joshua Brindle authored 12 years ago
```
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
```
  70d4fc22
Jun 20, 2012
- ion fix · 07ef7227
  William Roberts authored 12 years ago
  
  07ef7227
Jun 19, 2012
- Public domain notice · e8bc32b4
  Stephen Smalley authored 12 years ago
  
  e8bc32b4
Jun 07, 2012
- Remove all denials caused by rild on tuna devices. · f6f87105
  William Roberts authored 12 years ago
```
Tested on a maguro variant.
```
  f6f87105
May 31, 2012
- sdcard policy and fuse device label. · 80ea1d23
  William Roberts authored 12 years ago
  
  80ea1d23
- Policy for hci_attach service. · 7fa2f9e0
  William Roberts authored 12 years ago
  
  7fa2f9e0
May 18, 2012
- Apply m4 to file_contexts and property_contexts to support includes. · efd6d6e0
  Stephen Smalley authored 12 years ago
  
  efd6d6e0
Apr 19, 2012
- Merge branch 'aosp' · 4e856333
  Stephen Smalley authored 12 years ago
  
  4e856333
Apr 13, 2012
- Added policy to allow SEAndroidManager to read AVC messages. · a83fc379
  James Carter authored 12 years ago
  
  a83fc379
Apr 10, 2012
- Merge from upstream sepolicy · f5f899c3
  The Android Open Source Project authored 12 years ago
```
Change-Id: I99085d575e3d884fb04ac03ac998eb3c53eb2d9f
```
  f5f899c3
- Use the checkpolicy built from source. · f4ea5b25
  Ying Wang authored 12 years ago
```
Change-Id: I22f49db3d59b50ed8975d8c1146bb9c322adbf7e
```
  f4ea5b25
Apr 04, 2012

Rework the radio vs rild property split. · 730957ae

Stephen Smalley authored 12 years ago

Only label properties with the ril. prefix with rild_prop.
Allow rild and system (and radio) to set radio_prop.
Only rild can set rild_prop presently.

730957ae

Allow apps to write to anr_data_file for /data/anr/traces.txt. · a883c386
Stephen Smalley authored 12 years ago

a883c386

Add policy for property service. · 124720a6

Stephen Smalley authored 12 years ago

New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.

124720a6

Apr 03, 2012
- Allow adbd to access the qemu device and label /dev/eac correctly. · 2cb1b31f
  Stephen Smalley authored 12 years ago
  
  2cb1b31f
Mar 19, 2012
- Integrate nfc_power and rild rules from tuna sepolicy by Bryan Hinton. · f7948230
  Stephen Smalley authored 13 years ago
  
  f7948230
- Rewrite MLS constraints to only constrain open for app_data_file, not read/write. · 0e85c17e
  Stephen Smalley authored 13 years ago
  
  0e85c17e