Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 14e2e9261fec015ab6fa66f2bc67439f13c45b8d
commit14e2e9261fec015ab6fa66f2bc67439f13c45b8d[log] [tgz]
authorNick Kralevich <nnk@google.com>Mon May 08 09:51:59 2017 -0700
committerNick Kralevich <nnk@google.com>Mon May 08 09:51:59 2017 -0700
tree92f33362cc5e0df3a92da542f484ca00934fe0a0
parentbf030965f9545b381fdec32eae553c09ad7ca480 [diff]
Further restrict SELinux API access

Remove SELinux access from domain_deprecated. Access to SELinux APIs can
be granted on a per-domain basis.

Remove appdomain access to SELinux APIs. SELinux APIs are not public and
are not intended for application use. In particular, some exploits poll
on /sys/fs/selinux/enforce to determine if the attack was successful,
and we want to ensure that the behavior isn't allowed. This access was
only granted in the past for CTS purposes, but all the relevant CTS
tests have been moved to the shell domain.

Bug: 27756382
Bug: 28760354
Test: Device boots and no obvious problems. No collected denials.
Change-Id: Ide68311bd0542671c8ebf9df0326e512a1cf325b
3 files changed
tree: 92f33362cc5e0df3a92da542f484ca00934fe0a0
  1. private/
  2. public/
  3. reqd_mask/
  4. tools/
  5. vendor/
  6. Android.mk
  7. CleanSpec.mk
  8. MODULE_LICENSE_PUBLIC_DOMAIN
  9. NOTICE
  10. PREUPLOAD.cfg
  11. README