aboutsummaryrefslogtreecommitdiffstats
path: root/hci_attach.te
Commit message (Collapse)AuthorAgeFilesLines
* Make hci_attach enforcing.Stephen Smalley2014-01-141-1/+0
| | | | | Change-Id: I27c62a7ab7223eb74f44a78c273dd97f1380bc61 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Support forcing permissive domains to unconfined.Nick Kralevich2014-01-111-1/+1
| | | | | | | | | | | | | | | | | | | | Permissive domains are only intended for development. When a device launches, we want to ensure that all permissive domains are in, at a minimum, unconfined+enforcing. Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During development, this flag is false, and permissive domains are allowed. When SELinux new feature development has been frozen immediately before release, this flag will be flipped to true. Any previously permissive domains will move into unconfined+enforcing. This will ensure that all SELinux domains have at least a minimal level of protection. Unconditionally enable this flag for all user builds. Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
* Confine hci_attach, but leave it permissive for now.Stephen Smalley2013-10-291-1/+6
| | | | | Change-Id: I4b6cacf70805065ad6fd9678417283c25a53b51b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Move unconfined domains out of permissive mode.Nick Kralevich2013-10-211-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change removes the permissive line from unconfined domains. Unconfined domains can do (mostly) anything, so moving these domains into enforcing should be a no-op. The following domains were deliberately NOT changed: 1) kernel 2) init In the future, this gives us the ability to tighten up the rules in unconfined, and have those tightened rules actually work. When we're ready to tighten up the rules for these domains, we can: 1) Remove unconfined_domain and re-add the permissive line. 2) Submit the domain in permissive but NOT unconfined. 3) Remove the permissive line 4) Wait a few days and submit the no-permissive change. For instance, if we were ready to do this for adb, we'd identify a list of possible rules which allow adbd to work, re-add the permissive line, and then upload those changes to AOSP. After sufficient testing, we'd then move adb to enforcing. We'd repeat this for each domain until everything is enforcing and out of unconfined. Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
* Make all domains unconfined.repo sync2013-05-201-5/+1
| | | | | | | | This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security. Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
* Move domains into per-domain permissive mode.repo sync2013-05-141-0/+1
| | | | | Bug: 4070557 Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
* Policy for hci_attach service.William Roberts2012-05-311-0/+9
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-10 08:49:00 +0000