add back SELinux policy hardening #725

Closed
thestinger opened this Issue Aug 29, 2017 · 6 comments

thestinger commented Aug 29, 2017

No description provided.

jvanderstoep Sep 3, 2017

Better description needed ;)

thestinger Sep 3, 2017

Contributor
39e0e65a auditallow dynamic native code for untrusted_app
63183cd4 remove priv_app ota update access
9bb126c7 split out updater domain
0d03fe19 split netmonitor domain from untrusted_base_app
fcaa7c78 isolated_base_app: remove dalvik cache execute
1518503e split system isolated_app into isolated_base_app
2b5d189b untrusted_base_app: remove app_data_file execute
837b5e6d untrusted_base_app: remove dalvik cache execute
9a31335a untrusted_base_app: remove asec access
cafadcd9 untrusted_base_app: forbid dynamic code generation
510417e2 untrusted_base_app: forbid text relocations
c72c8ea4 split system untrusted_app into untrusted_base_app
d8b58e18 remove untrusted_app proc_net access
8821e0cf split out basic routing / iface info from proc_net
3dd7d172 allow system_server to execute app_process
533667bb remove dalvik cache symlink policy
0708c0f7 remove execmem from most of the app domains
81bfb87b rm base system dalvikcache_data_file execute

thestinger Sep 3, 2017

Contributor

I'll probably split it into issues for whatever proves to be non-trivial to port.

thestinger Sep 4, 2017

Contributor

Ah and the proc_net stuff also impacts device/ repositories.

thestinger Sep 25, 2017

Contributor

Remaining changes:

39e0e65a auditallow dynamic native code for untrusted_app
0d03fe19 split netmonitor domain from untrusted_base_app
fcaa7c78 isolated_base_app: remove dalvik cache execute
1518503e split system isolated_app into isolated_base_app
2b5d189b untrusted_base_app: remove app_data_file execute
837b5e6d untrusted_base_app: remove dalvik cache execute
9a31335a untrusted_base_app: remove asec access
cafadcd9 untrusted_base_app: forbid dynamic code generation
510417e2 untrusted_base_app: forbid text relocations
c72c8ea4 split system untrusted_app into untrusted_base_app
d8b58e18 remove untrusted_app proc_net access
8821e0cf split out basic routing / iface info from proc_net
533667bb remove dalvik cache symlink policy
0708c0f7 remove execmem from most of the app domains
81bfb87b rm base system dalvikcache_data_file execute

thestinger Sep 25, 2017

Contributor

Replaced with a bunch of split-up issues in https://github.com/copperhead/bugtracker/labels/restore-past-feature. The auditallow for dynamic native code in Nougat was a past feature we didn't end up having time to port to Nougat from when we used to have an exception system based on permissions for that, so it's marked restore-past-feature but not oreo since it was already gone.

thestinger closed this Sep 25, 2017
