| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
This is for the new addAuthToken keystore method from
I7f7647d9a36ea453ec6d62fc84087ca8f76e53dd. These tokens will be used to
authorize keymaster operations. The tokens are HMAC'd and so shouldn't
be fakeable but this is still limited to system_server only.
Change-Id: I3ff46b676ecac8a878d3aa0a25ba9a8b0c5e1f47
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add neverallow rules to ensure that zygote commands are only taken from
system_server.
Also remove the zygote policy class which was removed as an object manager in
commit: ccb3424639821b5ef85264bc5836451590e8ade7
Bug: 19624279
Change-Id: I1c925d7facf19b3953b5deb85d992415344c4c9f
|
| |
|
|
|
|
|
|
|
|
| |
Permits the system server to change keystore passwords for users other
than primary.
(cherrypicked from commit de08be8aa006c313e5025ba5f032abf786a39f71)
Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
|
| |
|
|
|
|
|
|
| |
Add policies supporting SELinux MAC in DrmManagerservice.
Add drmservice class with verbs for each of the
functions exposed by drmservice.
Change-Id: Ib758a23302962f41e5103c4853c65adea3a5994e
|
| |
|
|
|
|
|
|
|
|
| |
Define a new class, permissions, and rules for the debuggerd
SELinux MAC checks.
Used by Ib317564e54e07cc21f259e75124b762ad17c6e16 for debuggerd.
Change-Id: I8e120d319512ff207ed22ed87cde4e0432a13dda
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
| |
|
|
|
|
|
|
|
|
| |
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.
Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
|
| |
|
|
|
|
|
|
|
|
| |
Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.
Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
|
| |
|
|
|
|
|
|
|
|
|
| |
Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.
Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Modeled after http://oss.tresys.com/pipermail/refpolicy/2013-January/006283.html
Addresses the following kernel error message:
<6>[ 3.855423] SELinux: Permission attach_queue in class tun_socket not defined in policy.
<6>[ 3.862482] SELinux: the above unknown classes and permissions will be denied
<7>[ 3.869668] SELinux: Completing initialization.
Change-Id: Iad87fcd5348d121a808dbe7ae3c63f8c90fc09fc
|
| |
|
|
|
|
|
|
| |
specifycapabilities is no longer specified by the zygote userspace manager.
It was removed in commit: 42a4bb5730266f80585e67262c73505d0bfffbf8. Remove
this permission from policy.
Change-Id: I866a25b590a375a68de6eec9af1b3ef779889985
|
| |
|
|
|
|
|
|
|
| |
The binder_transfer_binder hook was changed in the kernel, obsoleting
the receive permission and changing the target of the transfer permission.
Update the binder-related policy to match the revised permission checking.
Change-Id: I1ed0dadfde2efa93296e967eb44ca1314cf28586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
| | |
|
| |
|
|
|
|
|
| |
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
|
| |
|
