tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
7090 commits 1 branch 0 tags 50 MiB
Commit graph

7090 commits

This branch
This branch
All branches
Author SHA1 Message Date
Jorge Lucangeli Obes
847bfa4ab2 init: Allow SETPCAP for dropping bounding set. 
This is required for https://android-review.googlesource.com/#/c/295748
so that init can drop the capability bounding set for services.

Bug: 32438163
Test: With 295748 and a test service using ambient capabilities.
Change-Id: I57788517cfe2ef0e7a2f1dfab94d0cb967ede065
 2016-11-01 14:32:13 -04:00
Felipe Leme
b5f5931e8c Added permissions for the dumpstate service. 
- Allow dumpstate to create the dumpservice service.
- Allow System Server and Shell to find that service.
- Don't allow anyone else to create that service.
- Don't allow anyone else to find that service.

BUG: 31636879
Test: manual verification
Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711
 2016-11-01 10:43:25 -07:00
Treehugger Robot
184851a212 Merge "system_server: allow appendable file descriptors" 2016-10-31 15:45:38 +00:00
Treehugger Robot
82b9182ef3 Merge "Get rid of more auditallow spam" 2016-10-31 15:43:42 +00:00
Nick Kralevich
02cfce49ae kernel.te: tighten entrypoint / execute_no_trans neverallow 
The kernel domain exists solely on boot, and is used by kernel threads.
Because of the way the system starts, there is never an entrypoint for
that domain, not even a file on rootfs. So tighten up the neverallow
restriction.

Remove an obsolete comment. The *.rc files no longer have a setcon
statement, and the transition from the kernel domain to init occurs
because init re-execs itself. The statement no longer applies.

Test: bullhead policy compiles.
Change-Id: Ibe75f3d25804453507dbb05c7a07bba1d37a1c7b
 2016-10-30 18:46:44 -07:00
Nick Kralevich
8044129f42 system_server: allow appendable file descriptors 
system_server is currently allowed write (but not open) access to
various app file descriptor types, to allow it to perform write
operations on file descriptors passed to it from Android processes.
However, system_server was not allowed to handle file descriptors
open only for append operations.

Write operations are a superset of that allowed by appendable
operations, so it makes no sense to deny system_server the use of
appendable file descriptors. Allow it for app data types, as well as a
few other types (for robustness).

Addresses the following denial generated when adb bugreport is run:

  type=1400 audit(0.0:12): avc: denied { append } for
  path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-MASTER-2016-10-29-08-13-50-dumpstate_log-6214.txt"
  dev="dm-2" ino=384984 scontext=u:r:system_server:s0
  tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

Bug: 32246161
Test: policy compiles
Test: No more append denials when running adb shell am bug-report --progress
Change-Id: Ia4e81cb0b3c3580fa9130952eedaed9cab3e8487
 2016-10-29 08:20:56 -07:00
Nick Kralevich
2c8ea36ad8 Get rid of more auditallow spam 
Addresses the following audit messages:

[    7.984957] type=1400 audit(33873666.610:40): avc: granted { getattr
} for pid=1 comm="init" name="system@framework@boot-ext.art" dev="dm-2"
ino=106324 scontext=u:r:init:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

[   65.528068] type=1400 audit(1477751916.508:96): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir

[   65.530425] type=1400 audit(1477751916.508:97): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir

[   65.530487] type=1400 audit(1477751916.508:98): avc: granted { open }
for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file

[   65.530800] type=1400 audit(1477751916.508:98): avc: granted { open }
for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file

[   65.530842] type=1400 audit(1477751916.508:99): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir

[   65.531138] type=1400 audit(1477751916.508:99): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir

[   65.531176] type=1400 audit(1477751916.508:100): avc: granted {
search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup"
ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0
tclass=dir

[   65.531465] type=1400 audit(1477751916.508:100): avc: granted {
search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup"
ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0
tclass=dir

[   65.531502] type=1400 audit(1477751916.508:101): avc: granted { open
} for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks"
dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0
tcontext=u:object_r:cgroup:s0 tclass=file

[   65.531789] type=1400 audit(1477751916.508:101): avc: granted { open
} for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks"
dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0
tcontext=u:object_r:cgroup:s0 tclass=file

[   65.531827] type=1400 audit(1477751916.508:102): avc: granted {
search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir

[   65.713056] type=1400 audit(1477751916.508:102): avc: granted {
search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir

Bug: 32246161
Test: policy compiles
Test: dumpstate no longer generates the audit messages above.
Change-Id: Id5afe2ebeb24f8a7407aac1a0a09806b1521b0e4
 2016-10-29 08:15:08 -07:00
Treehugger Robot
ece327292c Merge changes I5bbbcad3,Ifa4630ed 
* changes:
  wifi_hal: Rename to 'hal_wifi'
  wpa: Add permissions for hwbinder
 2016-10-28 23:36:21 +00:00
Nick Kralevich
79a08e13bd Get rid of auditallow spam. 
Fixes the following SELinux messages when running adb bugreport:

avc: granted { read } for name="libart.so" dev="dm-0" ino=1886
scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { read open } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { getattr } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read execute } for path="/system/lib64/libart.so"
dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0
tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { getattr } for path="/data/dalvik-cache/arm64" dev="dm-2"
ino=106290 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { search } for name="arm64" dev="dm-2" ino=106290
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { getattr } for
path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { search } for name="arm64" dev="dm-2" ino=106290
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { read } for name="system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

avc: granted { read open } for
path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

[  169.349480] type=1400 audit(1477679159.734:129): avc: granted { read
} for pid=6413 comm="main" name="ipv6_route" dev="proc" ino=4026535947
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350030] type=1400 audit(1477679159.734:130): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350361] type=1400 audit(1477679159.734:130): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350399] type=1400 audit(1477679159.734:131): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350963] type=1400 audit(1477679159.734:131): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351002] type=1400 audit(1477679159.734:132): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351330] type=1400 audit(1477679159.734:132): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351366] type=1400 audit(1477679159.734:133): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351861] type=1400 audit(1477679159.734:133): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351910] type=1400 audit(1477679159.734:134): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353105] type=1400 audit(1477679159.734:134): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353186] type=1400 audit(1477679159.734:135): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353594] type=1400 audit(1477679159.734:135): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353636] type=1400 audit(1477679159.734:136): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.354230] type=1400 audit(1477679159.734:136): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.354437] type=1400 audit(1477679159.734:137): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.395359] type=1400 audit(1477679159.734:137): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

Test: policy compiles
Test: adb bugreport runs without auditallow messages above.
Bug: 32246161
Change-Id: Ie0ab2ed3c6babc1f93d3b8ae47c92dd905ebc93a
 2016-10-28 11:46:00 -07:00
Roshan Pius
8224596a32 wifi_hal: Rename to 'hal_wifi' 
Renaming the wifi HIDL implementation to 'hal_wifi' from 'wifi_hal_legacy'
to conform with HIDL style guide.

Denials:
01-01 21:55:23.896  2865  2865 I android.hardware.wifi@1.0-service:
wifi_hal_legacy is starting up...
01-01 21:55:23.898  2865  2865 W android.hardware.wifi@1.0-service:
/odm/lib64/hw/ does not exit.
01-01 21:55:23.899  2865  2865 F android.hardware.wifi@1.0-service:
service.cpp:59] Check failed: service->registerAsService("wifi") ==
android::NO_ERROR (service->registerAsService("wifi")=-2147483646,
android::NO_ERROR=0) Failed to register wifi HAL
01-01 21:55:23.899  2865  2865 F libc    : Fatal signal 6 (SIGABRT),
code -6 in tid 2865 (android.hardwar)
01-01 21:55:23.901   377   377 W         : debuggerd: handling request:
pid=2865 uid=2000 gid=2000 tid=2865
01-01 21:55:23.907  2867  2867 E         : debuggerd: Unable to connect
to activity manager (connect failed: Connection refused)
01-01 21:55:23.908  2867  2867 F DEBUG   : *** *** *** *** *** *** ***
*** *** *** *** *** *** *** *** ***
01-01 21:55:23.908  2867  2867 F DEBUG   : Build fingerprint:
'Android/aosp_angler/angler:7.0/NYC/rpius10031052:userdebug/test-keys'
01-01 21:55:23.908  2867  2867 F DEBUG   : Revision: '0'
01-01 21:55:23.908  2867  2867 F DEBUG   : ABI: 'arm64'
01-01 21:55:23.908  2867  2867 F DEBUG   : pid: 2865, tid: 2865, name:
android.hardwar  >>> /system/bin/hw/android.hardware.wifi@1.0-service
<<<
01-01 21:55:23.909  2867  2867 F DEBUG   : signal 6 (SIGABRT), code -6
(SI_TKILL), fault addr --------
01-01 21:55:23.910  2867  2867 F DEBUG   : Abort message:
'service.cpp:59] Check failed: service->registerAsService("wifi") ==
android::NO_ERROR (service->registerAsService("wifi")=-2147483646,
android::NO_ERROR=0) Failed to register wifi HAL'

Bug: 31821133
Test: Compiled and ensured that the selinux denials are no longer
present in logs.
Change-Id: I5bbbcad307e9bb9e59fff87e2926751b3aecc813
 2016-10-28 09:00:31 -07:00
Treehugger Robot
e112faeaa8 Merge "domain: neverallow on setfcap" 2016-10-27 23:45:58 +00:00
William Roberts
c3f1da99b2 domain: neverallow on setfcap 
Filesystem capabilities should only be set by the build tools
or by recovery during an update. Place a neverallow ensuring
this property.

Change-Id: I136c5cc16dff0c0faa3799d0ab5e29b43454a610
Signed-off-by: William Roberts <william.c.roberts@intel.com>
 2016-10-27 12:45:47 -07:00
Roshan Pius
6caeac7b47 wpa: Add permissions for hwbinder 
Modify permissions for wpa_supplicant to use hwbinder (for HIDL),
instead of binder.

Denials:
01-15 14:31:58.573   541   541 W wpa_supplicant: type=1400
audit(0.0:10): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0
01-15 14:31:58.573   541   541 W wpa_supplicant: type=1400
audit(0.0:11): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0

BUG: 31365276
Test: Compiled and ensured that the selinux denials are no longer
present in logs.

Change-Id: Ifa4630edea6ec5a916b3940f9a03ef9dc6fc9af2
 2016-10-26 14:52:12 -07:00
Treehugger Robot
70591fedf5 Merge "Rename macros for (non)binderized HALs" 2016-10-26 18:48:30 +00:00
Jeff Vander Stoep
f579ef15a8 Rename macros for (non)binderized HALs 
Test: builds
Bug: 32243668
Change-Id: I1ad4b53003462e932cf80b6972db1520dc66d735
 2016-10-26 10:04:18 -07:00
Jeff Vander Stoep
27ae545a78 clean up hal types 
Bug: 32123421
Test: build Hikey
Change-Id: Iaf02626f3f3a94104c0f9d746c3cf5f20751a27d
 2016-10-26 09:50:04 -07:00
Connor O'Brien
2370fc775c sepolicy for boot_control HAL service 
Bug: 31864052
Test: Logging confirms service runs on boot
Merged-In: I41e9e5c45d2d42886cdf7ff6d364e9e6e3df1ff4
Change-Id: I41e9e5c45d2d42886cdf7ff6d364e9e6e3df1ff4
Signed-off-by: Connor O'Brien <connoro@google.com>
 2016-10-25 13:33:48 -07:00
Treehugger Robot
367d90b6a4 Merge "Add macros for treble and non-treble only policy" 2016-10-25 20:06:02 +00:00
Treehugger Robot
ce3b2a41a5 Merge "fc_sort: cleanup warnings caught by clang tidy / static analyzer." 2016-10-24 19:03:57 +00:00
Treehugger Robot
626edc7555 Merge "isolated_app: no sdcard access" 2016-10-21 20:29:01 +00:00
Mikhail Naganov
2ff6b4da73 Update SELinux policy for audiohal 
Change-Id: Iaa9907ed516c947175a59bf49938c0ee03b4f6d1
 2016-10-21 09:53:15 -07:00
Jeff Vander Stoep
ce4b5eeaee isolated_app: no sdcard access 
Remove and neverallow isolated_app access to external storage and
USB accessories.

Test: aosp_angler-userdebug builds
Bug: 21643067
Change-Id: Ie912706a954a38610f2afd742b1ab4b8cd4b1f36
 2016-10-21 09:15:48 -07:00
Treehugger Robot
f5312f8e81 Merge "Creates an autofill system service." 2016-10-21 16:09:31 +00:00
Felipe Leme
8221d59711 Creates an autofill system service. 
BUG: 31001899
Test: manual
Change-Id: I8d462b40d931310eab26bafa09645ac88f13fc97
 2016-10-20 17:33:27 -07:00
Craig Donner
7ba0485665 sepolicy: Add policy for VR HIDL service. 
Test: built and ran on device.
Bug: 31442830
Change-Id: Idd7870b4dd70eed8cd4dc55e292be39ff703edd2
 2016-10-20 17:03:54 -07:00
Treehugger Robot
fe360ad6bd Merge "Cleanup and renaming of vibrator HAL sepolicy" 2016-10-20 21:42:19 +00:00
Treehugger Robot
70d1d30eac Merge "check_seapp: correct output on invalid policy file" 2016-10-20 18:00:20 +00:00
Treehugger Robot
41c727bce8 Merge "racoon: remove domain_deprecated attribute" 2016-10-20 02:27:39 +00:00
Treehugger Robot
76b467aedb Merge "racoon: allow setting options on tun interface" 2016-10-20 00:22:52 +00:00
Jeff Vander Stoep
d733d161cf Add macros for treble and non-treble only policy 
Test: builds
Change-Id: Idd1d90a89a9ecbb2738d6b483af0e8479e87aa15
 2016-10-19 15:05:05 -07:00
William Roberts
f7d6bb3f71 check_seapp: correct output on invalid policy file 
If in invalid policy file is loaded check_seapp outputs:

Error: Could not lod policy file to db: Success!

The "Success" value is from errno, which is not manipulated
by libsepol. Also, load should have an a in it!

Hardcode the error message to:

Error: Could not load policy file to db: invalid input file!

Test: That when providing an invalid sepolicy binary, that the output
message is correct.
Change-Id: Iaf1f85eeb217d484997ee1367d91d461c1195bf4
Signed-off-by: William Roberts <william.c.roberts@intel.com>
 2016-10-19 22:03:41 +00:00
Prashant Malani
2d9d3e6de3 Cleanup and renaming of vibrator HAL sepolicy 
Renaming vibrator sepolicy to remove the version number.
Also moving the related binder_call() to maintain alphabetical order.

Bug: 32123421
Change-Id: I2bfa835085519ed10f61ddf74e7e668dd12bda04
Test: booted, and checked vibrate on keypress on bullhead
 2016-10-19 09:54:20 -07:00
Prashant Malani
c86eb96f45 Add sysfs rule for vibrator in system_server 
Helps fix vibrator HAL open issue

avc: denied { write } for pid=907 comm="system_server" name="enable" dev="sysfs" ino=20423 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=file permissive=0

Bug: 32209928
Bug: 32225232

Test: m, booted, tested keypad to make sure vibrator works
Change-Id: I4977c42b7fac0c9503be04b6520487f2d6cbc903
 2016-10-18 12:59:20 -07:00
Treehugger Robot
b99424f0c4 Merge "check_seapp: cleanup warning caught by clang tidy / static analyzer." 2016-10-17 22:15:21 +00:00
Jeff Vander Stoep
d7a64e4e8b racoon: remove domain_deprecated attribute 
Test: builds/boots on Angler. No "granted" messages for the removed
permissions observed in three months of log audits.

Bug: 28760354
Change-Id: Ib6da57f6249a5571015b649bae843590229be714
 2016-10-15 17:15:25 -07:00
Jeff Vander Stoep
d063d23032 racoon: allow setting options on tun interface 
Fixes failure in VPN connection

avc: denied { ioctl } for pid=2870 comm="ip-up-vpn" ioctlcmd=8914
scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0 tclass=udp_socket
avc: denied { ioctl } for pid=2870 comm="ip-up-vpn" ioctlcmd=8916
scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0 tclass=udp_socket

Test: VPN works
Bug: 32011648
Change-Id: I28c4dc7ffbf7e35ef582176674c4e9764719a2a9
 2016-10-15 14:09:45 -07:00
Daniel Micay
510771ff92 remove unnecessary dalvik rules from recovery 
Change-Id: Ic0dd1162e268ce54e11de08b18dd7df47ab12147
 2016-10-14 02:27:31 -04:00
Prashant Malani
b32b4a112f sepolicy: Add policy for vibrator HIDL service 
Fixes the following denials:
avc: denied { open } for pid=7530 comm="android.hardwar" path="/sys/devices/virtual/timed_output/vibrator/enable" dev="sysfs" ino=20519 scontext=u:r:android_hardware_vibrator_1_0_service:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { call } for pid=9173 comm="Binder:7735_C" scontext=u:r:system_server:s0 tcontext=u:r:android_hardware_vibrator_1_0_service:s0 tclass=binder permissive=1

Test: m
Bug: 32021191
Change-Id: I243a86b449794e3c2f0abf91ddcf405eff548d0c
 2016-10-13 11:41:30 -07:00
Rahul Chaudhry
e1682c71a1 check_seapp: cleanup warning caught by clang tidy / static analyzer. 
check_seapp.c:993:6: warning: Passed-by-value struct argument contains
uninitialized data (e.g., field: 'data')

Bug: 26936282
Test: WITH_TIDY=1 WITH_STATIC_ANALYZER=1 mm
Change-Id: I3fc2ca8f862356628864f2a37b8d39222c8d658a
 2016-10-12 12:27:29 -07:00
Rahul Chaudhry
66dd3ca6ce fc_sort: cleanup warnings caught by clang tidy / static analyzer. 
Value stored to 'i' is never read.
Variable 'j' is never used.

Bug: 26936282
Test: WITH_TIDY=1 WITH_STATIC_ANALYZER=1 mm
Change-Id: I8dd266e639d089efd1fb1e1e0fca3899cf2a1553
 2016-10-12 12:19:48 -07:00
liminghao
b1b872c362 sepolicy: add tune2fs file context. 
N/A

Test: builds
Change-Id: I10a53c07f5b56c362cc599a901a2d74d7e96e917
Signed-off-by: liminghao <liminghao@xiaomi.com>
 2016-10-11 17:29:37 -06:00
Chad Brubaker
06cf31eb63 Rename autoplay_app to ephemeral_app 
Test: Builds and boots
Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9
 2016-10-07 09:52:31 -07:00
Prashant Malani
abb5c72b8b system_server: Allow hwservicemanager to make binder calls 
Fixes the following denial:
avc: denied { call } for pid=791 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1

Test: Builds, boots, vibrator works on bullhead
Change-Id: I56a0a86b64f5d46dc490f6f3255009c40e6e3f8f
 2016-10-06 14:41:49 -07:00
dcashman
cc39f63773 Split general policy into public and private components. 
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
 2016-10-06 13:09:06 -07:00
Andreas Gampe
f1eabc5683 Sepolicy: Ignore otapreopt_chroot setsched denial 
Ignore, as it's a side effect of mounting /vendor.

Bug: 31116514
Change-Id: If94a27a26181e40de5c5e60f5446de9ce2ccdba0
(cherry picked from commit 0f81e06630)
 2016-10-06 10:19:51 -07:00
Treehugger Robot
da3c86ffb8 Merge "Create unique labels for /dev/snd/{seq,timer}" 2016-10-05 18:47:49 +00:00
Jeff Vander Stoep
c7e6074c0d Create unique labels for /dev/snd/{seq,timer} 
No core android component needs access to /dev/snd/{seq,timer}, but
currently audioserver, bootanim, init, system_server and ueventd have
access. Seq and timer have been the source of many bugs in the past
[1]. Giving these files new labels without explicitly granting access
removes access from audioserver, bootanim, and system_server.
Init and ueventd still require access for /dev setup.

TODO: Explore unsetting CONFIG_SND_TIMER device kernels.

[1] https://github.com/google/syzkaller/wiki/Found-Bugs

Test: media CTS "cts-tradefed run cts -m CtsMediaTestCases" on Bullhead
and Dragon completed with no denials.

Bug: 29045223
(cherry picked from commit db4510d87a)
Change-Id: I2d069920e792ce8eef70c7b4a038b9e7000f39f5
 2016-10-05 10:32:03 -07:00
Janis Danisevskis
639ae65d1b Merge changes from topic 'strict_service_lookup' 
* changes:
  fix lax service context lookup (II)
  fix lax service context lookup
 2016-10-05 14:43:08 +00:00
Jeff Vander Stoep
96a85d12c8 app: audit usage of ion ioctls 
Test: builds and boots on Bullhead with no selinux audit messages.

Bug: 29795149
Bug: 30400942
Change-Id: I93295424a03488234b233d5e2f86d3bf329e53fd
 2016-10-02 21:32:52 -07:00
Treehugger Robot
cd623e3459 Merge "gatekeeperd: remove domain_deprecated attribute" 2016-10-02 06:57:06 +00:00