Commits · 274d2927a7ccbfd266c83d6da5e9e2772805fbd5 · halo / external_sepolicy

20 May, 2013 1 commit

repo sync authored 12 years ago

This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

77d4731e

15 May, 2013 1 commit
- Move domains into per-domain permissive mode. · 50e37b93
  repo sync authored 12 years ago
```
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
```
  50e37b93
05 Apr, 2013 1 commit

Give domains read access to security_file domain. · 7bb2a55c

William Roberts authored 12 years ago

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41

7bb2a55c

29 Mar, 2013 1 commit

Add remount capability to Zygote. · 06575ee4

Geremy Condra authored 12 years ago

This is a consequence of https://googleplex-android-review.googlesource.com/#/c/278069/

Change-Id: I9b310860534a80e7145950f6c632cf5ba0ad56a7

06575ee4

27 Mar, 2013 1 commit

Various policy updates. · 65d4f44c

Robert Craig authored 12 years ago


Assortment of policy changes include:
 * Bluetooth domain to talk to init and procfs.
 * New device node domains.
 * Allow zygote to talk to its executable.
 * Update system domain access to new device node domains.
 * Create a post-process sepolicy with dontaudits removed.
 * Allow rild to use the tty device.

Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

65d4f44c

23 Mar, 2013 1 commit
- Allow zygote to search tmpfs. · 8b3b4fe7
  rpcraig authored 12 years ago
```
Change-Id: Ib0bdcbc1a7e45e1d1a046c9fa8aff89183ebfe0d
```
  8b3b4fe7
22 Mar, 2013 1 commit

Split internal and external sdcards · c195ec31

William Roberts authored 12 years ago

Two new types are introduced:
sdcard_internal
sdcard_external

The existing type of sdcard, is dropped and a new attribute
sdcard_type is introduced.

The boolean app_sdcard_rw has also been changed to allow for
controlling untrusted_app domain to use the internal and external
sdcards.

Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5

c195ec31

19 Feb, 2013 1 commit

zygote requires setpcap in order to drop from its bounding set. · e468016b

Stephen Smalley authored 12 years ago

I8560fa5ad125bf31f0d13be513431697bc7d22bb changed the zygote
to limit the bounding capability set to CAP_NET_RAW. This triggers
a CAP_SETPCAP check by the kernel, which requires SELinux setpcap permission.

Change-Id: Ib910d97dcf708273e2806e2824f4abe9fc239d6d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

e468016b

19 Nov, 2012 1 commit

Update policy for Android 4.2 / latest master. · 61c80d5e

Stephen Smalley authored 12 years ago


Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.

Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

61c80d5e

04 Jan, 2012 1 commit
- SE Android policy. · 2dd4e51d
  Stephen Smalley authored 13 years ago
  
  2dd4e51d