android_system_sepolicy

PWN-Hunter/android_system_sepolicy

Fork 0

Commit Graph

Author	SHA1	Message	Date
Stephen Smalley	f321456e28	Make clatd permissive or unconfined. Otherwise we'll never see denials in userdebug or eng builds and never make progress on confining it. clatd does exist in AOSP and is built by default, and is started via netd. Change-Id: Iee6e0845fad7647962d73cb6d047f27924fa799a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>	2014-02-11 10:30:33 -05:00
Nick Kralevich	353c72e3b0	Move unconfined domains out of permissive mode. This change removes the permissive line from unconfined domains. Unconfined domains can do (mostly) anything, so moving these domains into enforcing should be a no-op. The following domains were deliberately NOT changed: 1) kernel 2) init In the future, this gives us the ability to tighten up the rules in unconfined, and have those tightened rules actually work. When we're ready to tighten up the rules for these domains, we can: 1) Remove unconfined_domain and re-add the permissive line. 2) Submit the domain in permissive but NOT unconfined. 3) Remove the permissive line 4) Wait a few days and submit the no-permissive change. For instance, if we were ready to do this for adb, we'd identify a list of possible rules which allow adbd to work, re-add the permissive line, and then upload those changes to AOSP. After sufficient testing, we'd then move adb to enforcing. We'd repeat this for each domain until everything is enforcing and out of unconfined. Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245	2013-10-21 12:52:03 -07:00
Lorenzo Colitti	ab7dfabb61	Fix clatd, broken by selinux policing /dev/tun Bug: 10175701 Change-Id: I185df22bdbaafd56725760ec6c71340b67455046	2013-08-05 19:53:23 +09:00

Author

SHA1

Message

Date

Stephen Smalley

f321456e28

Make clatd permissive or unconfined.

Otherwise we'll never see denials in userdebug or eng builds and
never make progress on confining it.  clatd does exist in AOSP
and is built by default, and is started via netd.

Change-Id: Iee6e0845fad7647962d73cb6d047f27924fa799a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

2014-02-11 10:30:33 -05:00

Nick Kralevich

353c72e3b0

Move unconfined domains out of permissive mode.

This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245

2013-10-21 12:52:03 -07:00

Lorenzo Colitti

ab7dfabb61

Fix clatd, broken by selinux policing /dev/tun

Bug: 10175701
Change-Id: I185df22bdbaafd56725760ec6c71340b67455046

2013-08-05 19:53:23 +09:00

3 Commits