Commit graph

3116 commits

Author SHA1 Message Date
Colin Cross
2203fda5e7 lmkd: allow removing cgroups and setting self to SCHED_FIFO
Addresses the following selinux denials:
type=1400 audit(1405383429.107:22): avc: denied { remove_name } for pid=137 comm="lmkd" name="uid_10060" dev="cgroup" ino=18368 scontext=u:r:lmkd:s0 tcontext=u:object_r:cgroup:s0 tclass=dir permissive=0
type=1400 audit(1405383794.109:6): avc: denied { sys_nice } for pid=1619 comm="lmkd" capability=23 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability permissive=0

(cherry picked from commit 5329731802)

Change-Id: I7b6e5a396bf345c4768defd7b39af2435631a35b
2014-07-15 20:41:15 -07:00
Nick Kralevich
caf347b515 Tweak rules for su domain.
1) Remove explicit allow statements. Since su is in permissive,
there's no need to ever specify allow statements for su.

2) Remove unconfined_domain(su). Su is already permissive, so there's
no need to join the unconfined domain, and it just makes getting
rid of unconfined more difficult.

3) Put su into app_domain(). This addresses, in a roundabout sorta
way, the following denial:

  type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0

which comes up while testing media processes as root. We already put
the shell user into this domain, so adding su to this domain ensures
other processes can communicate consistently with su spawned processes.

Bug: 16261280
Bug: 16298582

(cherry picked from commit 213bb45bdd)

Change-Id: If9c3483184ecdf871efee394c0b696e30f61d15d
2014-07-15 10:45:46 -07:00
Riley Spahn
344fc109e9 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d98)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15
2014-07-15 10:09:52 -07:00
Nick Kralevich
10370f5ff4 fix system_server dex2oat exec
Addresses the following denial:

  W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0

Bug: 16317188
Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d
2014-07-15 16:10:16 +00:00
Ed Heyl
8ee37b4f1c reconcile aosp (c103da877b) after branching. Please do not merge.
Change-Id: Ic9dde806a30d3e7b9c4a066f247a9207fe9b94b4
2014-07-14 23:32:08 -07:00
Ed Heyl
81839dfb24 reconcile aosp (3a8c5dc05f) after branching. Please do not merge.
Change-Id: Ic8ee83ed6ffef02bddd17e1175416fc2481db7b2
2014-07-14 23:31:31 -07:00
Ed Heyl
7563a6f1fb reconcile aosp (a7c04dcd74) after branching. Please do not merge.
Change-Id: I35be7a7df73325fba921b8a354659b2b2a3e06e7
2014-07-14 23:31:01 -07:00
Ed Heyl
e9c90bddce reconcile aosp (4da3bb1481) after branching. Please do not merge.
Change-Id: Idcd252e39b2c4829201c93b6c99cf368adcb405e
2014-07-14 23:29:21 -07:00
Nick Kralevich
2aa727e3f0 DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true
Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're preparing a release,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Without this change, our user builds will behave differently than
userdebug builds, complicating testing.

Change-Id: I52fd5fbe30a7f52f1143f176915ce55fb6a33f87
2014-07-14 09:15:08 -07:00
Sreeram Ramachandran
0ff90f1ac9 am 2f91ce55: am e4409728: am 65edb75d: Allow netd to create data files in /data/misc/net/.
* commit '2f91ce5519d46e38a609e3aed0c507af072507ec':
2014-07-11 17:56:33 +00:00
Nick Kralevich
deb52ba4d6 am 1c7463ac: am d27aeb21: am e9d97b74: recovery: allow read access to fuse filesystem
* commit '1c7463aca155e397855e2863dd85a4b90965cc3a':
2014-07-11 17:56:32 +00:00
Nick Kralevich
69aaf4a9c5 am ddfaf822: am d86b0a81: am 9f6af083: New domain "install_recovery"
* commit 'ddfaf822e9786100a7bb9a399bea906f0ed7b7c8':
2014-07-11 17:33:00 +00:00
Jeff Sharkey
611922e7e1 am 554a8a3d: am e900e573: am 77e85289: Merge "Rules to allow installing package directories."
* commit '554a8a3d2928faf3117bc77bff4214d63ba504c3':
2014-07-11 17:32:59 +00:00
Sreeram Ramachandran
2f91ce5519 am e4409728: am 65edb75d: Allow netd to create data files in /data/misc/net/.
* commit 'e440972845371fa8a2727c563237cd705ca96b2d':
  Allow netd to create data files in /data/misc/net/.
2014-07-11 17:29:03 +00:00
Nick Kralevich
1c7463aca1 am d27aeb21: am e9d97b74: recovery: allow read access to fuse filesystem
* commit 'd27aeb218089360ecd17fabe0cefb953374dc33a':
  recovery: allow read access to fuse filesystem
2014-07-11 17:28:50 +00:00
Nick Kralevich
ddfaf822e9 am d86b0a81: am 9f6af083: New domain "install_recovery"
* commit 'd86b0a81ab10cc48c4a2c52f27e8cdbfc927a52f':
  New domain "install_recovery"
2014-07-11 16:19:04 +00:00
Jeff Sharkey
554a8a3d29 am e900e573: am 77e85289: Merge "Rules to allow installing package directories."
* commit 'e900e57385fddb558e784089ba3c145d9dfbd659':
  Rules to allow installing package directories.
2014-07-11 16:19:00 +00:00
Doug Zongker
9f88bc554d support newer-style adbd interface in recovery
Support opening the ffs-based interface for adbd in recovery.  (Copied
from adbd.te.)

Bug: 16183878
Change-Id: I714ccb34f60d1413d2b184dae9b561cd06bc6b45
2014-07-10 15:58:17 -07:00
Nick Kralevich
a50467c3c7 am a2933b66: am 2b3c5de2: Merge "install_recovery: start enforcing SELinux rules"
* commit 'a2933b6605cba5c9d7e10385a0804cc5935bfa30':
  install_recovery: start enforcing SELinux rules
2014-07-10 15:48:33 +00:00
Nick Kralevich
a2933b6605 am 2b3c5de2: Merge "install_recovery: start enforcing SELinux rules"
* commit '2b3c5de21e96668f203628cddf88241774b3735d':
  install_recovery: start enforcing SELinux rules
2014-07-10 15:44:55 +00:00
Nick Kralevich
d684f1a5c6 am 5b347a60: am 1d2ff869: allow ueventd sysfs_type lnk_file
* commit '5b347a6065c0684a02404d5404b0eaf2ded43b6f':
  allow ueventd sysfs_type lnk_file
2014-07-10 14:22:26 +00:00
Nick Kralevich
5b347a6065 am 1d2ff869: allow ueventd sysfs_type lnk_file
* commit '1d2ff869634649955fab0be3fb724d8b937c80bf':
  allow ueventd sysfs_type lnk_file
2014-07-10 14:19:06 +00:00
Nick Kralevich
1d2ff86963 allow ueventd sysfs_type lnk_file
ueventd is allowed to change files and directories in /sys,
but not symbolic links. This is, at a minimum, causing the
following denial:

type=1400 audit(0.0:5): avc: denied { getattr } for comm="ueventd" path="/sys/devices/tegradc.0/driver" dev=sysfs ino=3386 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_tegradc:s0 tclass=lnk_file

Allow ueventd to modify labeling / attributes of symlinks.

Change-Id: If641a218e07ef479d1283f3171b2743f3956386d
2014-07-09 23:07:10 -07:00
Nick Kralevich
feb594422c am 5b5ba50f: am b59dc27a: Drop sys_rawio neverallow for tee
* commit '5b5ba50fa9e8a4baaea0fe551e74ca2bbeee5dcc':
  Drop sys_rawio neverallow for tee
2014-07-10 03:44:42 +00:00
Nick Kralevich
5b5ba50fa9 am b59dc27a: Drop sys_rawio neverallow for tee
* commit 'b59dc27a1b580a13c50477d2af1cbdaf95601d8f':
  Drop sys_rawio neverallow for tee
2014-07-10 03:42:03 +00:00
Nick Kralevich
b59dc27a1b Drop sys_rawio neverallow for tee
The new Nexus 5 tee implementation requires raw block I/O
for anti-rollback protection.

Bug: 15777869
Change-Id: I57691a9d06b5a51e2699c240783ed56e3a003396
2014-07-09 20:06:05 -07:00
Nick Kralevich
2cfe1fa0a6 am 7e953e77: am f5835666: Don't use don't
* commit '7e953e77026650ef0468118fd553da5a9f7fb3bb':
  Don't use don't
2014-07-10 02:59:01 +00:00
Nick Kralevich
7e953e7702 am f5835666: Don't use don't
* commit 'f58356661632d4c08870122f2cf944ea4edfe810':
  Don't use don't
2014-07-10 02:55:28 +00:00
Nick Kralevich
eec3c7cd86 am f7cf7a4b: am 99d86c7a: ensure that untrusted_app can't set properties
* commit 'f7cf7a4be5e3eb5d415fc564d180761cc90d0442':
  ensure that untrusted_app can't set properties
2014-07-10 02:11:16 +00:00
Nick Kralevich
f7cf7a4be5 am 99d86c7a: ensure that untrusted_app can't set properties
* commit '99d86c7a77d402a106a1b3fe57af06dbb231c750':
  ensure that untrusted_app can't set properties
2014-07-10 02:07:46 +00:00
Nick Kralevich
f583566616 Don't use don't
Single quotes sometimes mess up m4 parsing

Change-Id: Ic53cf0f9b45b2173cbea5c96048750f6a582a535
2014-07-09 19:03:47 -07:00
Nick Kralevich
99d86c7a77 ensure that untrusted_app can't set properties
Bug: 10243159
Change-Id: I9409fe8898c446a33515f1bee2990f36a2e11535
2014-07-09 18:58:04 -07:00
Colin Cross
88a65e2495 am bfd4eac7: am 5d60f04e: sepolicy: allow system server to remove cgroups
* commit 'bfd4eac7f90e7b4b1bc095e9ed2a7e474f1f18ae':
  sepolicy: allow system server to remove cgroups
2014-07-10 00:50:17 +00:00
Andres Morales
efcb5947f9 am aaaeb02e: am 2cd9c9bd: Merge "Typedef+rules for SysSer to access persistent block device"
* commit 'aaaeb02eb8891ac9cffaee2d5226a3c7ed3f4af4':
  Typedef+rules for SysSer to access persistent block device
2014-07-10 00:42:54 +00:00
Jeff Sharkey
389ac06387 am 568443bc: am d3356826: Let DCS read staged APK clusters.
* commit '568443bc93f39cbee48d800c859211b54f43b0ae':
  Let DCS read staged APK clusters.
2014-07-10 00:42:54 +00:00
Colin Cross
bfd4eac7f9 am 5d60f04e: sepolicy: allow system server to remove cgroups
* commit '5d60f04e5d43d084992d59c38a631a034b88e715':
  sepolicy: allow system server to remove cgroups
2014-07-10 00:21:56 +00:00
Andres Morales
aaaeb02eb8 am 2cd9c9bd: Merge "Typedef+rules for SysSer to access persistent block device"
* commit '2cd9c9bd3fa54ca78d0847763df4bca5fe940dcf':
  Typedef+rules for SysSer to access persistent block device
2014-07-10 00:16:07 +00:00
Jeff Sharkey
568443bc93 am d3356826: Let DCS read staged APK clusters.
* commit 'd33568264f0843feafc2d17c38e863f914f1fc57':
  Let DCS read staged APK clusters.
2014-07-10 00:16:07 +00:00
Colin Cross
5d60f04e5d sepolicy: allow system server to remove cgroups
Bug: 15313911
Change-Id: Ib7d39561a0d52632929d063a7ab97b6856f28ffe
2014-07-09 17:02:10 -07:00
Jeff Sharkey
d33568264f Let DCS read staged APK clusters.
DCS is DefaultContainerService.

avc: denied { getattr } for path="/data/app/vmdl2.tmp"
    dev="mmcblk0p28" ino=162910 scontext=u:r:platform_app:s0
    tcontext=u:object_r:apk_tmp_file:s0 tclass=dir

Bug: 14975160
Change-Id: Ifca9afb4e74ebbfbeb8c01e1e9ea65f5b55e9375
2014-07-09 15:18:32 -07:00
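Several of the commit messages above (lmkd, su, system_server/dex2oat, ueventd, DefaultContainerService) quote an avc denial and then add the allow rule that silences it. The script below is an added example, not code from this repository or from the Android tooling: it does in plain Python what a practitioner normally reaches for audit2allow to do, joining wrapped denial records, extracting the source type, target type, class and permission set, merging permissions that hit the same (source, target, class) triple, and collapsing source == target into `self` the way the sys_nice rule for lmkd would be written. The sample input is constructed from the denials quoted on this page; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the avc denials quoted in the commit messages
# above (lmkd, system_server/dex2oat, ueventd, DefaultContainerService),
# including one wrapped across lines exactly as the DCS message shows it.
SAMPLE_DENIALS = """\
type=1400 audit(1405383429.107:22): avc: denied { remove_name } for pid=137 comm="lmkd" name="uid_10060" dev="cgroup" ino=18368 scontext=u:r:lmkd:s0 tcontext=u:object_r:cgroup:s0 tclass=dir permissive=0
type=1400 audit(1405383794.109:6): avc: denied { sys_nice } for pid=1619 comm="lmkd" capability=23 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability permissive=0
W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0
type=1400 audit(0.0:5): avc: denied { getattr } for comm="ueventd" path="/sys/devices/tegradc.0/driver" dev=sysfs ino=3386 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_tegradc:s0 tclass=lnk_file
avc: denied { getattr } for path="/data/app/vmdl2.tmp"
    dev="mmcblk0p28" ino=162910 scontext=u:r:platform_app:s0
    tcontext=u:object_r:apk_tmp_file:s0 tclass=dir
"""

# The fields we need always appear in this order in an avc record; the
# fields in between (pid, comm, path, dev, ino, capability) are skipped.
DENIAL_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r"(?:.*?\bpermissive=(?P<permissive>[01]))?"
)


def iter_records(text):
    """Yield one denial per record, re-joining wrapped continuation lines.

    A new record starts at any line containing 'avc: denied'; any following
    non-empty line without that marker is a continuation of the same record.
    """
    current = []
    for line in text.splitlines():
        if "avc: denied" in line:
            if current:
                yield " ".join(current)
            current = [line.strip()]
        elif current and line.strip():
            current.append(line.strip())
    if current:
        yield " ".join(current)


def type_of(context):
    """u:r:lmkd:s0 -> lmkd ; u:object_r:cgroup:s0 -> cgroup (MLS suffix ignored)."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux security context: {context!r}")
    return parts[2]


def parse_denial(record):
    """Return the fields of one avc record, or None if it is not a denial."""
    m = DENIAL_RE.search(record)
    if not m:
        return None
    perms = m.group("perms").split()
    if not perms:
        return None
    return {
        "perms": set(perms),
        "source": type_of(m.group("scontext")),
        "target": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the access was logged but not blocked; when the
        # field is missing (the wrapped DCS record) assume an enforcing domain.
        "enforced": m.group("permissive") != "1",
    }


def format_rule(source, target, tclass, perms):
    """Render one allow rule; source == target is written as 'self'."""
    tgt = "self" if target == source else target
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source} {tgt}:{tclass} {perm_str};"


def rules_by_domain(text):
    """Merge all denials in text into the minimal allow rules, keyed by domain."""
    merged = defaultdict(set)
    for record in iter_records(text):
        d = parse_denial(record)
        if d is None:
            continue
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    out = defaultdict(list)
    for src, tgt, cls in sorted(merged):
        out[src].append(format_rule(src, tgt, cls, sorted(merged[(src, tgt, cls)])))
    return dict(out)


if __name__ == "__main__":
    for domain, rules in rules_by_domain(SAMPLE_DENIALS).items():
        print(f"# {domain}.te")
        for rule in rules:
            print(rule)
```

The output is the literal minimum that would silence each denial, which is exactly why it should be read as a starting point and not pasted into a .te file: the ueventd record yields a rule naming the single type `sysfs_devices_tegradc`, whereas the commit above granted the whole `sysfs_type` attribute; an `execute` denial on an `_exec` type is often a sign that a domain transition or a label change is the right fix rather than a bare allow; and a `self` rule on `capability` hands the domain a Linux capability, so it deserves the same scrutiny as the `neverallow` rules this repository already carries.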
Andres Morales
254953d9fe am 9c52a78c: am e844113b: Allow SystemServer to start PersistentDataBlockService
* commit '9c52a78c6062a472f2dff96019a6a50f44bd0034':
  Allow SystemServer to start PersistentDataBlockService
2014-07-09 17:57:55 +00:00
Andres Morales
9c52a78c60 am e844113b: Allow SystemServer to start PersistentDataBlockService
* commit 'e844113bc114484339b0c74a978c0fa5cfa250e1':
  Allow SystemServer to start PersistentDataBlockService
2014-07-09 17:44:04 +00:00
Nick Kralevich
2b3c5de21e Merge "install_recovery: start enforcing SELinux rules"
2014-07-09 14:45:53 +00:00
Nick Kralevich
0f30a44b6a install_recovery: start enforcing SELinux rules
Start enforcing SELinux rules for install_recovery.

Change-Id: I052c7d2203babf3e146cf32794283e80ca21dd9a
2014-07-09 12:02:28 -07:00
Andres Morales
2cd9c9bd3f Merge "Typedef+rules for SysSer to access persistent block device"
2014-07-09 14:45:53 +00:00
Andres Morales
d8447fdfe1 Typedef+rules for SysSer to access persistent block device
Defines new device type persistent_data_block_device

This block device will allow storage of data that
will live across factory resets.

Gives rw and search access to SystemServer.

Change-Id: I298eb40f9a04c16e90dcc1ad32d240ca84df3b1e
2014-07-09 16:08:16 -07:00
Sreeram Ramachandran
43613e6b70 am 5e476c36: am d2d172a3: Allow dumpstate to read the list of routing tables.
* commit '5e476c361f45a56a594112a72dedd4ee02c7d0b8':
  Allow dumpstate to read the list of routing tables.
2014-07-09 12:26:46 +00:00
Andres Morales
e844113bc1 Allow SystemServer to start PersistentDataBlockService
Change-Id: I0e8433c4fcbce04e2693a0f8cf1dd89c95684c24
2014-07-08 17:57:34 -07:00
Sreeram Ramachandran
5e476c361f am d2d172a3: Allow dumpstate to read the list of routing tables.
* commit 'd2d172a33ec747299961649e3cdb3095a38eef01':
  Allow dumpstate to read the list of routing tables.
2014-07-08 23:52:04 +00:00
Sreeram Ramachandran
d2d172a33e Allow dumpstate to read the list of routing tables.
Change-Id: I55475c08c5e43bcf61af916210e680c47480ac32
2014-07-08 15:46:52 -07:00