android_system_sepolicy

PWN-Hunter/android_system_sepolicy

Fork 0

Commit Graph

Author	SHA1	Message	Date
Stephen Smalley	e06e536388	Allow inputflinger to call system_server. Resolves denials such as: avc: denied { read } for pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file avc: denied { open } for pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file avc: denied { search } for pid=752 comm="ActivityManager" name="214" dev="proc" ino=1568 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=dir avc: denied { read } for pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file avc: denied { call } for pid=187 comm="Binder_2" scontext=u:r:inputflinger:s0 tcontext=u:r:system_server:s0 tclass=binder Change-Id: I099d7dacf7116efa73163245597c3de629d358c1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>	2014-03-21 10:40:56 -04:00
Stephen Smalley	38b7f43021	Make inputflinger permissive or unconfined. Otherwise we'll never see denials in userdebug or eng builds and never make progress on confining it. Of course we cannot truly test until it is released into AOSP, but this prepares the way and potentially allows for internal testing and collection of denials. Change-Id: I800ab23baee1c84b7c4cf7399b17611a62ca6804 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>	2014-02-11 09:40:47 -05:00
Nick Kralevich	caa6a32d76	initial inputflinger domain Add a placeholder domain for inputflinger. Mark it initially unconfined and enforcing. Change-Id: I433fd9e1954486136cb8abb084b4e19bb7fc2f19	2013-12-16 08:46:47 -08:00

Author

SHA1

Message

Date

Stephen Smalley

e06e536388

Allow inputflinger to call system_server.

Resolves denials such as:
avc:  denied  { read } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc:  denied  { open } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc:  denied  { search } for  pid=752 comm="ActivityManager" name="214" dev="proc" ino=1568 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=dir
avc:  denied  { read } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc:  denied  { call } for  pid=187 comm="Binder_2" scontext=u:r:inputflinger:s0 tcontext=u:r:system_server:s0 tclass=binder

Change-Id: I099d7dacf7116efa73163245597c3de629d358c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

2014-03-21 10:40:56 -04:00

Stephen Smalley

38b7f43021

Make inputflinger permissive or unconfined.

Otherwise we'll never see denials in userdebug or eng builds and
never make progress on confining it.  Of course we cannot truly
test until it is released into AOSP, but this prepares the way
and potentially allows for internal testing and collection of denials.

Change-Id: I800ab23baee1c84b7c4cf7399b17611a62ca6804
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

2014-02-11 09:40:47 -05:00

Nick Kralevich

caa6a32d76

initial inputflinger domain

Add a placeholder domain for inputflinger.
Mark it initially unconfined and enforcing.

Change-Id: I433fd9e1954486136cb8abb084b4e19bb7fc2f19

2013-12-16 08:46:47 -08:00

3 Commits