- cc13203 am 7cd346a7: am 0055ea90: Allow recovery to create device nodes and modify rootfs by Nick Kralevich · 10 years ago
- 0055ea9 Allow recovery to create device nodes and modify rootfs by Nick Kralevich · 10 years ago
- d7e004e allow coredump functionality by Nick Kralevich · 10 years ago
- f2c0118 zygote: allow replacing /proc/cpuinfo by Nick Kralevich · 10 years ago
- 47bd730 Add support for factory reset protection. by dcashman · 10 years ago
- 9d2703a Prohibit execute to fs_type other than rootfs for most domains. by Stephen Smalley · 10 years ago
- bf69632 DO NOT MERGE: Remove service_manager audit_allows. by Riley Spahn · 10 years ago
- 344fc10 Add access control for each service_manager action. by Riley Spahn · 10 years ago
- b59dc27 Drop sys_rawio neverallow for tee by Nick Kralevich · 10 years ago
- 9f6af08 New domain "install_recovery" by Nick Kralevich · 10 years ago
- 3508d61 fix build. by Nick Kralevich · 10 years ago
- 76206ab Add neverallow rules further restricing service_manager. by Riley Spahn · 10 years ago
- c626a88 Allow init to relabel rootfs files. by Stephen Smalley · 10 years ago
- 04b8a75 Remove write access to rootfs files. by Stephen Smalley · 10 years ago
- bac4ccc Prevent adding transitions to kernel or init domains. by Stephen Smalley · 10 years ago
- 00b180d Eliminate some duplicated rules. by Stephen Smalley · 10 years ago
- 75e2ef9 Restrict use of context= mount options. by Stephen Smalley · 10 years ago
- 8670305 Remove world-read access to /data/dalvik-cache/profiles by Nick Kralevich · 10 years ago
- 42fb824 Refactor the shell domains. by Stephen Smalley · 10 years ago
- cb23ca9 Remove domain unlabeled access. by Stephen Smalley · 10 years ago
- 6f6c425 Adjust rules around /data/app entities by Christopher Tate · 10 years ago
- 3235f61 Restrict /data/security and setprop selinux.reload_policy access. by Stephen Smalley · 10 years ago
- 2c8bf56 Only auditallow unlabeled accesses not allowed elsewhere. by Stephen Smalley · 10 years ago
- 03ce512 Remove /system write from unconfined by Nick Kralevich · 10 years ago
- ad0d0fc Protect /data/property. by Stephen Smalley · 10 years ago
- 629fbc9 Assert executable content (mostly) only loaded from /system by Nick Kralevich · 10 years ago
- 356f4be Restrict requesting contexts other than policy-defined defaults. by Stephen Smalley · 10 years ago
- f007d03 make /dev/zero read-write by Nick Kralevich · 10 years ago
- 7a186b3 Suppress installd auditallow by Nick Kralevich · 10 years ago
- 5ce079b Bring back the unlabeled allowall rules by Nick Kralevich · 10 years ago
- 7ffb997 Neverallow low memory mappings. by Stephen Smalley · 10 years ago
- abae8a9 Revisit kernel setenforce by Nick Kralevich · 10 years ago
- 02dac03 Drop relabelto_domain() macro and its associated definitions. by Stephen Smalley · 10 years ago
- e69a32a Drop rw access to unlabeled files. by Stephen Smalley · 10 years ago
- 2562843 Audit accesses on unlabeled files. by Stephen Smalley · 10 years ago
- 19c5090 Define a type for /data/dalvik-cache/profiles. by Stephen Smalley · 10 years ago
- 853ffaa Deduplicate neverallow rules on selinuxfs operations. by Stephen Smalley · 10 years ago
- 20feb75 Allow all domains to read from socket_device directory. by Robert Craig · 10 years ago
- 3dad7b6 Address system_server denials. by Stephen Smalley · 10 years ago
- 1601132 Clean up socket rules. by Stephen Smalley · 10 years ago
- f926817 Allow reading of /data/security/current symlink. by Stephen Smalley · 10 years ago
- 96eeb1e initial policy for uncrypt. by Nick Kralevich · 10 years ago
- 3f40d4f Remove block device access from unconfined domains. by Stephen Smalley · 10 years ago
- 5487ca0 Remove several superuser capabilities from unconfined domains. by Stephen Smalley · 10 years ago
- b081cc1 Remove mount-related permissions from unconfined domains. by Stephen Smalley · 10 years ago
- 48b1883 Introduce asec_public_file type. by Robert Craig · 10 years ago
- 8ed750e sepolicy: Add write_logd, read_logd & control_logd by Mark Salyzyn · 11 years ago
- a637b2f assert: Do not allow access to generic device:chr_file by William Roberts · 10 years ago
- d0919ec assert: do not allow raw access to generic block_device by William Roberts · 10 years ago
- 04ee5df Remove MAC capabilities from unconfined domains. by Stephen Smalley · 10 years ago
- 7d0f955 Support running adbd in the su domain. by Nick Kralevich · 10 years ago
- d9b8ef4 Drop legacy device types. by Stephen Smalley · 10 years ago
- 39fd781 Remove domain init:unix_stream_socket connectto permission. by Stephen Smalley · 10 years ago
- 91c290b Allow access to unlabeled socket and fifo files. by Stephen Smalley · 10 years ago
- 959fdaa Remove unlabeled execute access from domain, add to appdomain. by Stephen Smalley · 10 years ago
- 8b51674 Restrict ability to set checkreqprot. by Stephen Smalley · 10 years ago
- 529fcbe Create proc_net type for /proc/sys/net entries. by Robert Craig · 10 years ago
- a730e50 Don't allow zygote init:binder call by Nick Kralevich · 10 years ago
- c4021ce Address adb backup/restore denials. by Stephen Smalley · 10 years ago
- ad7df7b Remove execmem permission from domain, add to appdomain. by Stephen Smalley · 11 years ago
- 712ca0a Confine shell domain in -user builds only. by Stephen Smalley · 11 years ago
- 7466f9b Label /data/misc/zoneinfo by Nick Kralevich · 11 years ago
- 95e0842 Restrict ptrace access by debuggerd and unconfineddomain. by Stephen Smalley · 11 years ago
- fea6e66 Allow kernel domain, not init domain, to set SELinux enforcing mode. by Stephen Smalley · 11 years ago
- 9e8b8d9 Revert "Allow kernel domain, not init domain, to set SELinux enforcing mode." by Nick Kralevich · 11 years ago
- bf12e22 Allow kernel domain, not init domain, to set SELinux enforcing mode. by Stephen Smalley · 11 years ago
- 7adb999 Restrict the ability to set usermodehelpers and proc security settings. by Stephen Smalley · 11 years ago
- b254764 Drop tegra specific label from policy. by Robert Craig · 11 years ago
- d99e6d5 Restrict the ability to set SELinux enforcing mode to init. by Stephen Smalley · 11 years ago
- ddf98fa Neverallow access to the kmem device from userspace. by Geremy Condra · 11 years ago
- 2e0b4a1 Move goldfish-specific rules to their own directory. by Stephen Smalley · 11 years ago
- 967f39a Move sysfs_devices_system_cpu to the central policy. by Nick Kralevich · 11 years ago
- 85c5fc2 Start confining ueventd by William Roberts · 11 years ago
- 8d68831 Restrict access to /dev/hw_random to system_server and init. by Alex Klyubin · 11 years ago
- 0130154 Make sure exec_type is assigned to all entrypoint types. by Stephen Smalley · 11 years ago
- 1fdee11 1/2: Rename domain "system" to "system_server". by Alex Klyubin · 11 years ago
- c084503 Remove sys_nice capability from domains. by Stephen Smalley · 11 years ago
- 29326ed Drop domain write access to sysfs for the emulator. by Stephen Smalley · 11 years ago
- a247705 Permit writing to /dev/random and /dev/urandom. by Alex Klyubin · 11 years ago
- 8156073 Fix denials encountered while getting bugreports. by Geremy Condra · 11 years ago
- 2637198 Only init should be able to load a security policy by Nick Kralevich · 11 years ago
- 0b5b4fa Merge "untrusted_app.te / isolated_app.te / app.te first pass" by Nick Kralevich · 11 years ago
- ceff21b Merge "domain.te: Temporarily work around debuggerd connection bug" by Nick Kralevich · 11 years ago
- 5919d1c domain.te: Temporarily work around debuggerd connection bug by Nick Kralevich · 11 years ago
- 6634a10 untrusted_app.te / isolated_app.te / app.te first pass by Nick Kralevich · 11 years ago
- 9a19885 remove "self:process ptrace" from domain, netd neverallow rules by Nick Kralevich · 11 years ago
- 8758cc5 domain.te: allow access to /sys/kernel/debug/tracing/trace_marker by Nick Kralevich · 11 years ago
- 0c9708b domain.te: Add backwards compatibility for unlabeled files by Nick Kralevich · 11 years ago
- dbd28d9 Enable SELinux protections for netd. by Nick Kralevich · 11 years ago
- 77d4731 Make all domains unconfined. by repo sync · 11 years ago
- 74ba8c8 run-as policy fixes. by Stephen Smalley · 11 years ago
- 0e856a0 Allow all domains to read /dev symlinks. by Stephen Smalley · 11 years ago
- 81fe5f7 Allow all domains to read the log devices. by Stephen Smalley · 11 years ago
- c529c66 Add policy for __properties__ device. by Geremy Condra · 11 years ago
- 4d3f108 Allow domain search/getattr access to security file by William Roberts · 11 years ago
- 1f5939a Allow search of tmpfs mount for /storage/emulated. by Stephen Smalley · 11 years ago
- 6136284 Permit fstat of property mapping. by Stephen Smalley · 11 years ago
- aeb512d Disable debugfs access by default. by Stephen Smalley · 11 years ago
- 40356b9 Allow domain to random_device by William Roberts · 11 years ago
- 7672eac Add SELinux policy for asec containers. by rpcraig · 12 years ago