Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / e6a7b37d4c8e16dd92b2fa340a6798cb4dbe80ad
commite6a7b37d4c8e16dd92b2fa340a6798cb4dbe80ad[log] [tgz]
authorStephen Smalley <sds@tycho.nsa.gov>Mon Dec 09 13:24:25 2013 -0500
committerNick Kralevich <nnk@google.com>Mon Dec 09 13:19:49 2013 -0800
tree2393deba0dd263bb3b99f843a62f5ceaf556e5a0
parent95e0842e341352af16bed4055ccf67878c322985 [diff]
Restrict mapping low memory.

Label /proc/sys/vm/mmap_min_addr with proc_security to prevent
writing it by any domain other than init.  Also remove memprotect
mmap_zero permission from unconfineddomain so that it cannot pass
the SELinux check over mapping low memory.

Change-Id: Idc189feeb325a4aea26c93396fd0fa7225e79586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2 files changed
tree: 2393deba0dd263bb3b99f843a62f5ceaf556e5a0
  1. tools/
  2. access_vectors
  3. adbd.te
  4. Android.mk
  5. app.te
  6. attributes
  7. bluetooth.te
  8. clatd.te
  9. debuggerd.te
  10. device.te
  11. dhcp.te
  12. dnsmasq.te
  13. domain.te
  14. drmserver.te
  15. file.te
  16. file_contexts
  17. fs_use
  18. genfs_contexts
  19. global_macros
  20. gpsd.te
  21. hci_attach.te
  22. healthd.te
  23. hostapd.te
  24. init.te
  25. init_shell.te
  26. initial_sid_contexts
  27. initial_sids
  28. installd.te
  29. isolated_app.te
  30. kernel.te
  31. keys.conf
  32. keystore.te
  33. lmkd.te
  34. mac_permissions.xml
  35. media_app.te
  36. mediaserver.te
  37. mls
  38. mls_macros
  39. mtp.te
  40. net.te
  41. netd.te
  42. nfc.te
  43. NOTICE
  44. ping.te
  45. platform_app.te
  46. policy_capabilities
  47. port_contexts
  48. ppp.te
  49. property.te
  50. property_contexts
  51. qemud.te
  52. racoon.te
  53. radio.te
  54. README
  55. release_app.te
  56. rild.te
  57. roles
  58. runas.te
  59. sdcardd.te
  60. seapp_contexts
  61. security_classes
  62. selinux-network.sh
  63. servicemanager.te
  64. shared_app.te
  65. shell.te
  66. shell_user.te
  67. su.te
  68. su_user.te
  69. surfaceflinger.te
  70. system_app.te
  71. system_server.te
  72. te_macros
  73. tee.te
  74. ueventd.te
  75. unconfined.te
  76. untrusted_app.te
  77. users
  78. vold.te
  79. watchdogd.te
  80. wpa_supplicant.te
  81. zygote.te