Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / de53051a8282ec59fdd21667850997bc4096f8d2
commitde53051a8282ec59fdd21667850997bc4096f8d2[log] [tgz]
authorJeff Vander Stoep <jeffv@google.com>Tue Oct 06 09:11:02 2015 -0700
committerJeffrey Vander Stoep <jeffv@google.com>Wed Oct 07 20:40:24 2015 +0000
treebd062332a528158954439789773b49b9c0ab730c
parenta10f789d286d0f28c85488629cc92f5ab6ca8e00 [diff]
Do not allow untrusted_app to open tun_device

Third party vpn apps must receive open tun fd from the framework
for device traffic.

neverallow untrusted_app open perm and auditallow bluetooth
access to see if the neverallow rule can be expanded to include
all of appdomain.

Bug: 24677682
Change-Id: I68685587228a1044fe1e0f96d4dc08c2adbebe78
2 files changed
tree: bd062332a528158954439789773b49b9c0ab730c
  1. tools/
  2. access_vectors
  3. adbd.te
  4. Android.mk
  5. app.te
  6. atrace.te
  7. attributes
  8. binderservicedomain.te
  9. blkid.te
  10. blkid_untrusted.te
  11. bluetooth.te
  12. bootanim.te
  13. clatd.te
  14. CleanSpec.mk
  15. debuggerd.te
  16. device.te
  17. dex2oat.te
  18. dhcp.te
  19. dnsmasq.te
  20. domain.te
  21. drmserver.te
  22. dumpstate.te
  23. file.te
  24. file_contexts
  25. file_contexts_asan
  26. fingerprintd.te
  27. fs_use
  28. fsck.te
  29. fsck_untrusted.te
  30. gatekeeperd.te
  31. genfs_contexts
  32. global_macros
  33. gpsd.te
  34. hci_attach.te
  35. healthd.te
  36. hostapd.te
  37. idmap.te
  38. init.te
  39. initial_sid_contexts
  40. initial_sids
  41. inputflinger.te
  42. install_recovery.te
  43. installd.te
  44. ioctl_macros
  45. isolated_app.te
  46. kernel.te
  47. keys.conf
  48. keystore.te
  49. lmkd.te
  50. logd.te
  51. mac_permissions.xml
  52. mdnsd.te
  53. mediaserver.te
  54. mls
  55. mls_macros
  56. MODULE_LICENSE_PUBLIC_DOMAIN
  57. mtp.te
  58. net.te
  59. netd.te
  60. neverallow_macros
  61. nfc.te
  62. NOTICE
  63. perfprofd.te
  64. platform_app.te
  65. policy_capabilities
  66. port_contexts
  67. ppp.te
  68. procrank.te
  69. property.te
  70. property_contexts
  71. racoon.te
  72. radio.te
  73. README
  74. recovery.te
  75. rild.te
  76. roles
  77. runas.te
  78. sdcardd.te
  79. seapp_contexts
  80. security_classes
  81. service.te
  82. service_contexts
  83. servicemanager.te
  84. sgdisk.te
  85. shared_relro.te
  86. shell.te
  87. slideshow.te
  88. su.te
  89. surfaceflinger.te
  90. system_app.te
  91. system_server.te
  92. te_macros
  93. tee.te
  94. toolbox.te
  95. tzdatacheck.te
  96. ueventd.te
  97. uncrypt.te
  98. untrusted_app.te
  99. update_engine.te
  100. users
  101. vdc.te
  102. vold.te
  103. watchdogd.te
  104. wpa.te
  105. zygote.te