add back SELinux policy hardening #725
Comments
jvanderstoep
commented
Sep 3, 2017
Better description needed ;)
thestinger
Sep 3, 2017
Contributor
39e0e65a auditallow dynamic native code for untrusted_app
63183cd4 remove priv_app ota update access
9bb126c7 split out updater domain
0d03fe19 split netmonitor domain from untrusted_base_app
fcaa7c78 isolated_base_app: remove dalvik cache execute
1518503e split system isolated_app into isolated_base_app
2b5d189b untrusted_base_app: remove app_data_file execute
837b5e6d untrusted_base_app: remove dalvik cache execute
9a31335a untrusted_base_app: remove asec access
cafadcd9 untrusted_base_app: forbid dynamic code generation
510417e2 untrusted_base_app: forbid text relocations
c72c8ea4 split system untrusted_app into untrusted_base_app
d8b58e18 remove untrusted_app proc_net access
8821e0cf split out basic routing / iface info from proc_net
3dd7d172 allow system_server to execute app_process
533667bb remove dalvik cache symlink policy
0708c0f7 remove execmem from most of the app domains
81bfb87b rm base system dalvikcache_data_file execute
thestinger
Sep 3, 2017
Contributor
I'll probably split it into issues for whatever proves to be non-trivial to port.
Ah and the proc_net stuff also impacts device/ repositories.
thestinger
Sep 25, 2017
Contributor
Remaining changes:
39e0e65a auditallow dynamic native code for untrusted_app
0d03fe19 split netmonitor domain from untrusted_base_app
fcaa7c78 isolated_base_app: remove dalvik cache execute
1518503e split system isolated_app into isolated_base_app
2b5d189b untrusted_base_app: remove app_data_file execute
837b5e6d untrusted_base_app: remove dalvik cache execute
9a31335a untrusted_base_app: remove asec access
cafadcd9 untrusted_base_app: forbid dynamic code generation
510417e2 untrusted_base_app: forbid text relocations
c72c8ea4 split system untrusted_app into untrusted_base_app
d8b58e18 remove untrusted_app proc_net access
8821e0cf split out basic routing / iface info from proc_net
533667bb remove dalvik cache symlink policy
0708c0f7 remove execmem from most of the app domains
81bfb87b rm base system dalvikcache_data_file execute
thestinger
Sep 25, 2017
Contributor
Replaced with a bunch of split-up issues in https://github.com/copperhead/bugtracker/labels/restore-past-feature. The auditallow for dynamic native code in Nougat was a past feature we didn't end up having time to port to Nougat from when we used to have an exception system based on permissions for that, so it's marked restore-past-feature but not oreo, since it was already gone.
thestinger commented Aug 29, 2017
No description provided.