Commit graph

3088 commits

Author SHA1 Message Date
Nick Kralevich
2cfe1fa0a6 am 7e953e77: am f5835666: Don\'t use don\'t
* commit '7e953e77026650ef0468118fd553da5a9f7fb3bb':
  Don't use don't
2014-07-10 02:59:01 +00:00
Nick Kralevich
7e953e7702 am f5835666: Don\'t use don\'t
* commit 'f58356661632d4c08870122f2cf944ea4edfe810':
  Don't use don't
2014-07-10 02:55:28 +00:00
Nick Kralevich
eec3c7cd86 am f7cf7a4b: am 99d86c7a: ensure that untrusted_app can\'t set properties
* commit 'f7cf7a4be5e3eb5d415fc564d180761cc90d0442':
  ensure that untrusted_app can't set properties
2014-07-10 02:11:16 +00:00
Nick Kralevich
f7cf7a4be5 am 99d86c7a: ensure that untrusted_app can\'t set properties
* commit '99d86c7a77d402a106a1b3fe57af06dbb231c750':
  ensure that untrusted_app can't set properties
2014-07-10 02:07:46 +00:00
Nick Kralevich
f583566616 Don't use don't
Single quotes sometimes mess up m4 parsing

Change-Id: Ic53cf0f9b45b2173cbea5c96048750f6a582a535
2014-07-09 19:03:47 -07:00
Nick Kralevich
99d86c7a77 ensure that untrusted_app can't set properties
Bug: 10243159
Change-Id: I9409fe8898c446a33515f1bee2990f36a2e11535
2014-07-09 18:58:04 -07:00
Colin Cross
88a65e2495 am bfd4eac7: am 5d60f04e: sepolicy: allow system server to remove cgroups
* commit 'bfd4eac7f90e7b4b1bc095e9ed2a7e474f1f18ae':
  sepolicy: allow system server to remove cgroups
2014-07-10 00:50:17 +00:00
Andres Morales
efcb5947f9 am aaaeb02e: am 2cd9c9bd: Merge "Typedef+rules for SysSer to access persistent block device"
* commit 'aaaeb02eb8891ac9cffaee2d5226a3c7ed3f4af4':
  Typedef+rules for SysSer to access persistent block device
2014-07-10 00:42:54 +00:00
Jeff Sharkey
389ac06387 am 568443bc: am d3356826: Let DCS read staged APK clusters.
* commit '568443bc93f39cbee48d800c859211b54f43b0ae':
  Let DCS read staged APK clusters.
2014-07-10 00:42:54 +00:00
Colin Cross
bfd4eac7f9 am 5d60f04e: sepolicy: allow system server to remove cgroups
* commit '5d60f04e5d43d084992d59c38a631a034b88e715':
  sepolicy: allow system server to remove cgroups
2014-07-10 00:21:56 +00:00
Andres Morales
aaaeb02eb8 am 2cd9c9bd: Merge "Typedef+rules for SysSer to access persistent block device"
* commit '2cd9c9bd3fa54ca78d0847763df4bca5fe940dcf':
  Typedef+rules for SysSer to access persistent block device
2014-07-10 00:16:07 +00:00
Jeff Sharkey
568443bc93 am d3356826: Let DCS read staged APK clusters.
* commit 'd33568264f0843feafc2d17c38e863f914f1fc57':
  Let DCS read staged APK clusters.
2014-07-10 00:16:07 +00:00
Colin Cross
5d60f04e5d sepolicy: allow system server to remove cgroups
Bug: 15313911
Change-Id: Ib7d39561a0d52632929d063a7ab97b6856f28ffe
2014-07-09 17:02:10 -07:00
Jeff Sharkey
d33568264f Let DCS read staged APK clusters.
DCS is DefaultContainerService.

avc: denied { getattr } for path="/data/app/vmdl2.tmp"
    dev="mmcblk0p28" ino=162910 scontext=u:r:platform_app:s0
    tcontext=u:object_r:apk_tmp_file:s0 tclass=dir

Bug: 14975160
Change-Id: Ifca9afb4e74ebbfbeb8c01e1e9ea65f5b55e9375
2014-07-09 15:18:32 -07:00
Andres Morales
254953d9fe am 9c52a78c: am e844113b: Allow SystemServer to start PersistentDataBlockService
* commit '9c52a78c6062a472f2dff96019a6a50f44bd0034':
  Allow SystemServer to start PersistentDataBlockService
2014-07-09 17:57:55 +00:00
Andres Morales
9c52a78c60 am e844113b: Allow SystemServer to start PersistentDataBlockService
* commit 'e844113bc114484339b0c74a978c0fa5cfa250e1':
  Allow SystemServer to start PersistentDataBlockService
2014-07-09 17:44:04 +00:00
Andres Morales
2cd9c9bd3f Merge "Typedef+rules for SysSer to access persistent block device"
2014-07-09 14:45:53 +00:00
Andres Morales
d8447fdfe1 Typedef+rules for SysSer to access persistent block device
Defines new device type persistent_data_block_device

This block device will allow storage of data that
will live across factory resets.

Gives rw and search access to SystemServer.

Change-Id: I298eb40f9a04c16e90dcc1ad32d240ca84df3b1e
2014-07-09 16:08:16 -07:00
Sreeram Ramachandran
43613e6b70 am 5e476c36: am d2d172a3: Allow dumpstate to read the list of routing tables.
* commit '5e476c361f45a56a594112a72dedd4ee02c7d0b8':
  Allow dumpstate to read the list of routing tables.
2014-07-09 12:26:46 +00:00
Andres Morales
e844113bc1 Allow SystemServer to start PersistentDataBlockService
Change-Id: I0e8433c4fcbce04e2693a0f8cf1dd89c95684c24
2014-07-08 17:57:34 -07:00
Sreeram Ramachandran
5e476c361f am d2d172a3: Allow dumpstate to read the list of routing tables.
* commit 'd2d172a33ec747299961649e3cdb3095a38eef01':
  Allow dumpstate to read the list of routing tables.
2014-07-08 23:52:04 +00:00
Sreeram Ramachandran
d2d172a33e Allow dumpstate to read the list of routing tables.
Change-Id: I55475c08c5e43bcf61af916210e680c47480ac32
2014-07-08 15:46:52 -07:00
Sreeram Ramachandran
d9cb5eaaa3 am e4409728: am 65edb75d: Allow netd to create data files in /data/misc/net/.
* commit 'e440972845371fa8a2727c563237cd705ca96b2d':
  Allow netd to create data files in /data/misc/net/.
2014-07-08 19:22:28 +00:00
Sreeram Ramachandran
e440972845 am 65edb75d: Allow netd to create data files in /data/misc/net/.
* commit '65edb75d530058ec3c8cb86d6d3e28f9394740ba':
  Allow netd to create data files in /data/misc/net/.
2014-07-08 19:18:07 +00:00
Sreeram Ramachandran
65edb75d53 Allow netd to create data files in /data/misc/net/.
This will be used to populate rt_tables (a mapping from routing table numbers to
table names) that's read by the iproute2 utilities.

Change-Id: I69deb1a64d5d6647470823405bf0cc55b24b22de
2014-07-08 19:06:28 +00:00
Nick Kralevich
0cbdd20a3d am d27aeb21: am e9d97b74: recovery: allow read access to fuse filesystem
* commit 'd27aeb218089360ecd17fabe0cefb953374dc33a':
  recovery: allow read access to fuse filesystem
2014-07-08 18:17:43 +00:00
Nick Kralevich
d27aeb2180 am e9d97b74: recovery: allow read access to fuse filesystem
* commit 'e9d97b744e95307020d461fd16f756323f25bba7':
  recovery: allow read access to fuse filesystem
2014-07-08 18:12:43 +00:00
Nick Kralevich
e9d97b744e recovery: allow read access to fuse filesystem
adb sideload depends on the ability to access the fuse
directory. Flipping recovery into enforcing started triggering
the following denial:

  type=1400 audit(17964905.699:7): avc:  denied  { search } for  pid=132 comm="recovery" name="/" dev="fuse" ino=1 scontext=u:r:recovery:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir

Change-Id: I27ee0295fa2e2d0449bfab4f95bfbc076e92cf59
2014-07-08 10:52:05 -07:00
Nick Kralevich
31739880e2 am d86b0a81: am 9f6af083: New domain "install_recovery"
* commit 'd86b0a81ab10cc48c4a2c52f27e8cdbfc927a52f':
  New domain "install_recovery"
2014-07-08 16:33:06 +00:00
Nick Kralevich
d86b0a81ab am 9f6af083: New domain "install_recovery"
* commit '9f6af083e8a31c9b5a9f9ac21885dfc3c0dc14b2':
  New domain "install_recovery"
2014-07-08 16:30:42 +00:00
Nick Kralevich
9f6af083e8 New domain "install_recovery"
Create a new domain for the one-shot init service flash_recovery.

This domain is initially in permissive_or_unconfined() for
testing. Any SELinux denials won't be enforced for now.

Change-Id: I7146dc154a5c78b6f3b4b6fb5d5855a05a30bfd8
2014-07-08 16:22:14 +00:00
Jeff Sharkey
7deb1b0130 am e900e573: am 77e85289: Merge "Rules to allow installing package directories."
* commit 'e900e57385fddb558e784089ba3c145d9dfbd659':
  Rules to allow installing package directories.
2014-07-08 10:30:38 +00:00
Jeff Sharkey
e900e57385 am 77e85289: Merge "Rules to allow installing package directories."
* commit '77e8528912a157d62243d81b95c4297648a3d222':
  Rules to allow installing package directories.
2014-07-08 10:21:17 +00:00
Jeff Sharkey
c02c98d327 Rules to allow installing package directories.
Earlier changes had extended the rules, but some additional changes
are needed.

avc: denied { relabelfrom } for name="vmdl-723825123.tmp"
    dev="mmcblk0p28" ino=162910 scontext=u:r:system_server:s0
    tcontext=u:object_r:apk_data_file:s0 tclass=dir

Bug: 14975160
Change-Id: Ia644c73ec10460a2a529fe197ade6afe46694651
2014-07-08 00:49:06 -07:00
Nick Kralevich
0c9a873a78 am 51ad2ad3: am c2ba5ed9: recovery: start enforcing SELinux rules
* commit '51ad2ad3aa9ad88c958b4c63bbdf4a4452c65087':
  recovery: start enforcing SELinux rules
2014-07-07 23:09:40 +00:00
Nick Kralevich
51ad2ad3aa am c2ba5ed9: recovery: start enforcing SELinux rules
* commit 'c2ba5ed90876e7c3f105ed658788557c68ab72b8':
  recovery: start enforcing SELinux rules
2014-07-07 23:03:42 +00:00
Nick Kralevich
c2ba5ed908 recovery: start enforcing SELinux rules
Start enforcing SELinux rules for recovery. I've been monitoring
denials, and I haven't seen anything which would indicate a problem.
We can always roll this back if something goes wrong.

Change-Id: I7d3a147f8b9000bf8181d2aa32520f15f291a6f3
2014-07-07 22:05:28 +00:00
Nick Kralevich
094f399e5c am b23905e5: am 3508d611: fix build.
* commit 'b23905e54cd2e03156a13af72256fa71693dfd0f':
  fix build.
2014-07-07 21:08:49 +00:00
Nick Kralevich
b23905e54c am 3508d611: fix build.
* commit '3508d611cc661730bdf0e706d2f1fd1814cd8c60':
  fix build.
2014-07-07 21:05:18 +00:00
Nick Kralevich
48ffa6fe1f fix build.
libsepol.check_assertion_helper: neverallow on line 166 of external/sepolicy/domain.te (or line 5056 of policy.conf) violated by allow recovery unlabeled:file { create };
  Error while expanding policy
  make: *** [out/target/product/generic/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery] Error 1

(cherry picked from commit 3508d611cc)

Change-Id: I5efa1f2040fc40df1df44ed1b8e84b6080cb8f74
2014-07-07 14:02:26 -07:00
Nick Kralevich
3508d611cc fix build.
libsepol.check_assertion_helper: neverallow on line 166 of external/sepolicy/domain.te (or line 5056 of policy.conf) violated by allow recovery unlabeled:file { create };
  Error while expanding policy
  make: *** [out/target/product/generic/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery] Error 1

Change-Id: Iddf2cb8d0de2ab445e54a727f01be0b992b45ba5
2014-07-07 13:55:28 -07:00
Nick Kralevich
bb2a06a7c8 am e9f1c019: am 558710cd: recovery: allow relabelto unlabeled and other unlabeled rules
* commit 'e9f1c019060a97017454309be05f31edae6d0850':
  recovery: allow relabelto unlabeled and other unlabeled rules
2014-07-07 20:44:12 +00:00
Nick Kralevich
e9f1c01906 am 558710cd: recovery: allow relabelto unlabeled and other unlabeled rules
* commit '558710cdcc619682ef600d281f09ab4dad221692':
  recovery: allow relabelto unlabeled and other unlabeled rules
2014-07-07 20:41:26 +00:00
Nick Kralevich
558710cdcc recovery: allow relabelto unlabeled and other unlabeled rules
The recovery script may ask to label a file with a label not
known to the currently loaded policy. Allow it.

Addresses the following denials:

  avc:  denied  { relabelto } for  pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
  avc:  denied  { setattr } for  pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

Change-Id: Iafcc7b0b3aaea5a272adb1264233978365648f94
2014-07-07 13:23:30 -07:00
Nick Kralevich
0cac452cb9 am 04aabbac: am c0088b80: Merge "Add neverallow rules further restricting service_manager."
* commit '04aabbace8f23ace6def032d21f9d7bd9652037d':
  Add neverallow rules further restricting service_manager.
2014-07-07 20:08:46 +00:00
Nick Kralevich
04aabbace8 am c0088b80: Merge "Add neverallow rules further restricting service_manager."
* commit 'c0088b8064318210e775555ff4634994f7ab9e34':
  Add neverallow rules further restricting service_manager.
2014-07-07 20:02:53 +00:00
Nick Kralevich
f43595382d am 7b7a25ea: am b8bdfde3: ueventd: Add policy support for ueventd labeling changes
* commit '7b7a25eaa526197290f2190fc39c7dd81dd9b1a8':
  ueventd: Add policy support for ueventd labeling changes
2014-07-07 19:51:05 +00:00
Nick Kralevich
7b7a25eaa5 am b8bdfde3: ueventd: Add policy support for ueventd labeling changes
* commit 'b8bdfde3d0d23f4730155bba807276eb06a3aa48':
  ueventd: Add policy support for ueventd labeling changes
2014-07-07 19:48:19 +00:00
Nick Kralevich
b8bdfde3d0 ueventd: Add policy support for ueventd labeling changes
Currently, ueventd only modifies the SELinux label on a file
if the entry exists in /ueventd.rc. Add policy support to enable
an independent restorecon_recursive whenever a uevent message occurs.

Change-Id: I0ccb5395ec0be9282095b844a5022e8c0d8903ac
2014-07-07 12:13:27 -07:00
Jeff Sharkey
77e8528912 Merge "Rules to allow installing package directories."
2014-07-07 18:07:41 +00:00