summary |
shortlog | log |
commit |
commitdiff |
tree
first ⋅ prev ⋅ next
Tomasz Swierczek [Fri, 10 Jun 2022 09:53:19 +0000 (11:53 +0200)]
Add User::Shell System::Privileged wx Smack rule
It will allow programs with User::Shell to talk with services exposing socket
with System::Privileged (shell will be treated like apps which already have
such rules).
Change-Id: I24d69c151288a900d9d9fb2840aa60241d108e6f
Tomasz Swierczek [Fri, 7 Aug 2020 12:48:53 +0000 (14:48 +0200)]
Add internet & appdebugging privilege labels & their policy
Replacing nether with Smack-based network control requires
new labels that will be associated with network.
Added also policy for system daemons.
Change-Id: Ib06ff1bed4daede5e8aeefbcf8ac9e284b5193c3
Kidong Kim [Tue, 20 Nov 2018 01:34:28 +0000 (10:34 +0900)]
Add a rule for System::Tools
Change-Id: I73a29c1890862fb06e72a9b50c8382a7cdf6bf79
Signed-off-by: Kidong Kim <kd0228.kim@samsung.com>
Karol Lewandowski [Thu, 27 Sep 2018 09:52:56 +0000 (11:52 +0200)]
Allow User::Shell subject to create System::Shared files (via Smack transmute)
This change is required to support system wide dynamic filtering in DLog
(logger), as described below:
1. filtering is handled in the client - every client needs to access
filters
2. filters are changed dynamically by administrator - root shell via
a. serial console (with System::Privileged label)
b. sdb (with User::Shell label)
3. filters are stored in /run/dlog/filters.d/FILTERS file,
/run/dlog/filters.d has Smack::Shared & Smack transmute set
This commit ensures that case 2b is handled correctly (2a is handled
alredy). Without this change filters would have User::Shell label,
causing applications to not be able to access these files at all -
effectively disabling runtime filtering ability.
Change-Id: I3f15ae8e9822f3396bfbaf20cab005e15b346f83
Signed-off-by: Karol Lewandowski <k.lewandowsk@samsung.com>
Kidong Kim [Tue, 14 Aug 2018 06:41:43 +0000 (15:41 +0900)]
Add new label for system tools and rules
Change-Id: If373003182f149c5d258f228f12ad87252dc7721
Zofia Grzelewska [Wed, 7 Mar 2018 17:16:40 +0000 (18:16 +0100)]
Add rules for System::TEF
New system domain "System::TEF" is required for TEF service daemons.
Change-Id: I3b12c5a9dd6e5495a60333951eeb8bfd7f941209
jin-gyu.kim [Wed, 29 Mar 2017 05:32:23 +0000 (14:32 +0900)]
Add missing license file.
Change-Id: I43298dcc70c100a6a329dd02548633d974bc87e5
Rafal Krypa [Fri, 16 Dec 2016 11:24:00 +0000 (12:24 +0100)]
Add missing rules for signal delivery
Recent changes to kernel code and configuration changed Smack behavior
for access check on kill(). The sending process now needs "A" access
instead of "W".
Permit "System" and "System::Privileged" labeled processes to send signals
to "User" and "_" labeled processes.
Change-Id: Ie8a46fae4154f1b08ff9c2e9294cb81338f25c55
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Kidong Kim [Mon, 26 Sep 2016 05:53:47 +0000 (14:53 +0900)]
Define new domain for sdb shell - User::Shell
This is draft version of new domain(label).
Rules can be added according to further investigation.
Change-Id: Ifa9b5a3a10ca2914554509f4358c39bf7c31359a
Signed-off-by: Kidong Kim <kd0228.kim@samsung.com>
jooseong lee [Thu, 14 Jul 2016 09:57:19 +0000 (18:57 +0900)]
Add new sub domain('System::Privilege') to System domain
This is new sub domain('System::Privileged') for onlycap feature
Change-Id: I7cb403b5b3e4766954f23bf1041347c3191811a1
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
Kidong Kim [Mon, 4 Jul 2016 12:10:02 +0000 (21:10 +0900)]
add System _ rwx rule
Change-Id: I21dcd54288ae1a3d460233fc24004e4db5cd2bae
Signed-off-by: Kidong Kim <kd0228.kim@samsung.com>
Kidong Kim [Mon, 28 Dec 2015 08:23:16 +0000 (17:23 +0900)]
add license file(GPL-2.0)
Change-Id: Ibcb1344b1188a81f26af59b752052462a2dbfcb5
Seongwook Chung [Thu, 10 Sep 2015 01:57:51 +0000 (10:57 +0900)]
Add rule for System domain
Change-Id: I6366d41e1a6c54551d7ec95bd5d974a30265418a
Signed-off-by: Seongwook Chung <seong.chung@samsung.com>
Kidong Kim [Sat, 5 Sep 2015 03:25:26 +0000 (12:25 +0900)]
add rule - System User::Home t
Change-Id: I0bf9b2a9f1f96c30812ea40c701efa21526d36be
José Bollo [Tue, 23 Jun 2015 14:47:45 +0000 (16:47 +0200)]
Add some rigths to System processes
In some situations, the sytem processes should have to
have read/write access to user domain.
Change-Id: I8e5d45df5ba8b706eccc1ca2d47176fa758613c1
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Rafal Krypa [Wed, 5 Aug 2015 11:12:54 +0000 (13:12 +0200)]
Remove explicit rules for lock access on the floor label
Kernel Smack code has changed with regard to floor and hat labels. Now
Every label has implicit access to lock the floor label. Explicit rules
allowing it for System and User labels in Tizen are not needed.
Change-Id: I027e14a988eb715ee9300d6528d5ecbefa2650b7
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
jooseong [Mon, 3 Aug 2015 11:16:33 +0000 (20:16 +0900)]
Allow User domain to access lock System::Shared domain
Change-Id: I03bd776f05624989f3a984f16820369dc703680b
José Bollo [Thu, 8 Jan 2015 09:28:30 +0000 (10:28 +0100)]
Fixing a typographic error
The correct name is User::App::Shared
Change-Id: I9ac94c6db84a6baccfa211e0d3092dfbbaf35c1a
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Fri, 3 Oct 2014 14:35:18 +0000 (16:35 +0200)]
Implementation of User::Home and User::App::Shared
As proposed by Rafal Krypa during F2F meeting of
september 2014 in Vannes.
Change-Id: I35a3811f28bffba582f34f37130b31d34f419513
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Casey Schaufler [Fri, 20 Dec 2013 01:48:23 +0000 (17:48 -0800)]
Add the System::Log label for /var/log
Create the System domain label System::Log.
This is the label for /var/log.
Log files with System and User labels will get written to /var/log.
The accesses are not transmutting.
Change-Id: Iaa3aa8d3883c7c6bf1734e3e9224eaf6f701e86a
Signed-off-by: Casey Schaufler <casey.schaufler@intel.com>
Michael Demeter [Wed, 4 Dec 2013 01:46:25 +0000 (17:46 -0800)]
This adds new rules for locking for System to _ and
User to _
Change-Id: Id483970ad6606543fb3856f7d4bdd738e0cf1a9d
Signed-off-by: Michael Demeter <michael.demeter@intel.com>
Elena Reshetova [Fri, 1 Nov 2013 13:50:05 +0000 (15:50 +0200)]
Adding shared policy attribute to all domains
Change-Id: I07c921be228072a3d3867f940865e52689b9b506
Elena Reshetova [Fri, 1 Nov 2013 13:05:23 +0000 (15:05 +0200)]
Adding ^ domain, System::Run label and respective rules
Change-Id: I102bbd93200e1b0c59d2084823e2823a81e83a19
Elena Reshetova [Thu, 4 Jul 2013 10:17:38 +0000 (13:17 +0300)]
Creating System and User domains
Prajwal Mohan [Wed, 19 Jun 2013 22:18:55 +0000 (15:18 -0700)]
Created project
projects / platform / core / security / default-ac-domains.git / log