Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 3f40d4f4b17a3a5eeac38a8150ab52e47a19ab3c
commit3f40d4f4b17a3a5eeac38a8150ab52e47a19ab3c[log] [tgz]
authorStephen Smalley <sds@tycho.nsa.gov>Tue Feb 11 14:40:14 2014 -0500
committerStephen Smalley <sds@tycho.nsa.gov>Wed Feb 12 13:03:38 2014 -0500
treeeb39bd38941732aa9d8b8b785ac9007445597204
parent5487ca00d4788de367a9d099714f6df4d86ef261 [diff]
Remove block device access from unconfined domains.

Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.

Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
5 files changed
tree: eb39bd38941732aa9d8b8b785ac9007445597204
  1. tools/
  2. access_vectors
  3. adbd.te
  4. Android.mk
  5. app.te
  6. attributes
  7. binderservicedomain.te
  8. bluetooth.te
  9. bootanim.te
  10. clatd.te
  11. debuggerd.te
  12. device.te
  13. dhcp.te
  14. dnsmasq.te
  15. domain.te
  16. drmserver.te
  17. dumpstate.te
  18. file.te
  19. file_contexts
  20. fs_use
  21. genfs_contexts
  22. global_macros
  23. gpsd.te
  24. hci_attach.te
  25. healthd.te
  26. hostapd.te
  27. init.te
  28. init_shell.te
  29. initial_sid_contexts
  30. initial_sids
  31. inputflinger.te
  32. installd.te
  33. isolated_app.te
  34. kernel.te
  35. keys.conf
  36. keystore.te
  37. lmkd.te
  38. logd.te
  39. mac_permissions.xml
  40. media_app.te
  41. mediaserver.te
  42. mls
  43. mls_macros
  44. mtp.te
  45. net.te
  46. netd.te
  47. nfc.te
  48. NOTICE
  49. platform_app.te
  50. policy_capabilities
  51. port_contexts
  52. ppp.te
  53. property.te
  54. property_contexts
  55. qemud.te
  56. racoon.te
  57. radio.te
  58. README
  59. recovery.te
  60. release_app.te
  61. rild.te
  62. roles
  63. runas.te
  64. sdcardd.te
  65. seapp_contexts
  66. security_classes
  67. selinux-network.sh
  68. servicemanager.te
  69. shared_app.te
  70. shell.te
  71. shelldomain.te
  72. su.te
  73. surfaceflinger.te
  74. system_app.te
  75. system_server.te
  76. te_macros
  77. tee.te
  78. ueventd.te
  79. unconfined.te
  80. untrusted_app.te
  81. users
  82. vold.te
  83. watchdogd.te
  84. wpa_supplicant.te
  85. zygote.te