Skip to content

GitLab

Switch branch/tag
  1. 10 Sep, 2013 2 commits
  3. 09 Sep, 2013 1 commit
  5. 04 Sep, 2013 1 commit
  7. 28 Aug, 2013 1 commit
  9. 10 Jul, 2013 1 commit
  11. 01 Jul, 2013 1 commit
    • Nick Kralevich's avatar
      zygote: enable SELinux restrictions · 6aca515c
      Nick Kralevich authored 
      This change enables SELinux security enforcement on zygote
(but not zygote spawned apps).

For the zygote.te file only, this change is equivalent to reverting
the following commits:

* 50e37b93
* 77d4731e

No other changes were required.

Testing: As much as possible, I've tested that zygote properly
starts up, and that there's no problem spawning zygote or zygote
apps. There were no denials in the kernel dmesg log, and
everything appears to work correctly. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.

Bug: 9657732
Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558
      6aca515c
  13. 20 May, 2013 1 commit
    • repo sync's avatar
      Make all domains unconfined. · 77d4731e
      repo sync authored 
      This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
      77d4731e
  15. 15 May, 2013 1 commit
  17. 05 Apr, 2013 2 commits
    • William Roberts's avatar
      Give domains read access to security_file domain. · 7bb2a55c
      William Roberts authored 
      /data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41
      7bb2a55c
    • William Roberts's avatar
      Give domains read access to security_file domain. · 6c4c27e6
      William Roberts authored 
      /data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41
      6c4c27e6
  19. 29 Mar, 2013 1 commit
  21. 28 Mar, 2013 1 commit
  23. 27 Mar, 2013 1 commit
    • Robert Craig's avatar
      Various policy updates. · 65d4f44c
      Robert Craig authored 
      
Assortment of policy changes include:
 * Bluetooth domain to talk to init and procfs.
 * New device node domains.
 * Allow zygote to talk to its executable.
 * Update system domain access to new device node domains.
 * Create a post-process sepolicy with dontaudits removed.
 * Allow rild to use the tty device.

Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: default avatarrpcraig <rpcraig@tycho.ncsc.mil>
      65d4f44c
  25. 23 Mar, 2013 1 commit
  27. 22 Mar, 2013 1 commit
    • William Roberts's avatar
      Split internal and external sdcards · c195ec31
      William Roberts authored 
      Two new types are introduced:
sdcard_internal
sdcard_external

The existing type of sdcard, is dropped and a new attribute
sdcard_type is introduced.

The boolean app_sdcard_rw has also been changed to allow for
controlling untrusted_app domain to use the internal and external
sdcards.

Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
      c195ec31
  29. 19 Feb, 2013 1 commit
  31. 19 Nov, 2012 1 commit
    • Stephen Smalley's avatar
      Update policy for Android 4.2 / latest master. · 61c80d5e
      Stephen Smalley authored 
      
Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.

Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      61c80d5e
  33. 04 Jan, 2012 1 commit