tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
7708 commits 1 branch 0 tags 50 MiB
Commit graph

7708 commits

This branch
This branch
All branches
Author SHA1 Message Date
Roshan Pius
35ac63bab2 wpa: Add permissions for hwbinder 
am: 6caeac7b47

Change-Id: I45bf2358586a6bb1dc5b17646c360c9065b17c23
 2016-10-28 23:43:15 +00:00
Nick Kralevich
6f2f72c2b1 Get rid of auditallow spam. 
am: 79a08e13bd

Change-Id: Iee32c3aab31156606142101a0f85a10383cdf712
 2016-10-28 20:50:31 +00:00
Nick Kralevich
79a08e13bd Get rid of auditallow spam. 
Fixes the following SELinux messages when running adb bugreport:

avc: granted { read } for name="libart.so" dev="dm-0" ino=1886
scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { read open } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { getattr } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read execute } for path="/system/lib64/libart.so"
dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0
tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { getattr } for path="/data/dalvik-cache/arm64" dev="dm-2"
ino=106290 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { search } for name="arm64" dev="dm-2" ino=106290
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { getattr } for
path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { search } for name="arm64" dev="dm-2" ino=106290
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { read } for name="system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

avc: granted { read open } for
path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

[  169.349480] type=1400 audit(1477679159.734:129): avc: granted { read
} for pid=6413 comm="main" name="ipv6_route" dev="proc" ino=4026535947
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350030] type=1400 audit(1477679159.734:130): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350361] type=1400 audit(1477679159.734:130): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350399] type=1400 audit(1477679159.734:131): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350963] type=1400 audit(1477679159.734:131): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351002] type=1400 audit(1477679159.734:132): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351330] type=1400 audit(1477679159.734:132): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351366] type=1400 audit(1477679159.734:133): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351861] type=1400 audit(1477679159.734:133): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351910] type=1400 audit(1477679159.734:134): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353105] type=1400 audit(1477679159.734:134): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353186] type=1400 audit(1477679159.734:135): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353594] type=1400 audit(1477679159.734:135): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353636] type=1400 audit(1477679159.734:136): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.354230] type=1400 audit(1477679159.734:136): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.354437] type=1400 audit(1477679159.734:137): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.395359] type=1400 audit(1477679159.734:137): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

Test: policy compiles
Test: adb bugreport runs without auditallow messages above.
Bug: 32246161
Change-Id: Ie0ab2ed3c6babc1f93d3b8ae47c92dd905ebc93a
 2016-10-28 11:46:00 -07:00
William Roberts
14742b0f92 Merge "domain: neverallow on setfcap" 
am: e112faeaa8

Change-Id: I57d5ed15ae69613145a9ef4efc9e16ec72ad420b
 2016-10-28 00:03:22 +00:00
Treehugger Robot
e112faeaa8 Merge "domain: neverallow on setfcap" 2016-10-27 23:45:58 +00:00
William Roberts
c3f1da99b2 domain: neverallow on setfcap 
Filesystem capabilities should only be set by the build tools
or by recovery during an update. Place a neverallow ensuring
this property.

Change-Id: I136c5cc16dff0c0faa3799d0ab5e29b43454a610
Signed-off-by: William Roberts <william.c.roberts@intel.com>
 2016-10-27 12:45:47 -07:00
Roshan Pius
6caeac7b47 wpa: Add permissions for hwbinder 
Modify permissions for wpa_supplicant to use hwbinder (for HIDL),
instead of binder.

Denials:
01-15 14:31:58.573   541   541 W wpa_supplicant: type=1400
audit(0.0:10): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0
01-15 14:31:58.573   541   541 W wpa_supplicant: type=1400
audit(0.0:11): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0

BUG: 31365276
Test: Compiled and ensured that the selinux denials are no longer
present in logs.

Change-Id: Ifa4630edea6ec5a916b3940f9a03ef9dc6fc9af2
 2016-10-26 14:52:12 -07:00
Jeff Vander Stoep
3ad4428c73 Merge "Rename macros for (non)binderized HALs" 
am: 70591fedf5

Change-Id: Idc7a114d5a80be369db31ad9954fde6a555bcd64
 2016-10-26 19:06:41 +00:00
Treehugger Robot
70591fedf5 Merge "Rename macros for (non)binderized HALs" 2016-10-26 18:48:30 +00:00
Jeff Vander Stoep
95bd7984b5 clean up hal types 
am: 27ae545a78

Change-Id: If6c2fdc6d0313b212724e7c3448668049d77e9d4
 2016-10-26 18:32:44 +00:00
Jeff Vander Stoep
f579ef15a8 Rename macros for (non)binderized HALs 
Test: builds
Bug: 32243668
Change-Id: I1ad4b53003462e932cf80b6972db1520dc66d735
 2016-10-26 10:04:18 -07:00
Jeff Vander Stoep
27ae545a78 clean up hal types 
Bug: 32123421
Test: build Hikey
Change-Id: Iaf02626f3f3a94104c0f9d746c3cf5f20751a27d
 2016-10-26 09:50:04 -07:00
Connor O'Brien
6771f2885f sepolicy for boot_control HAL service 
am: 2370fc775c

Change-Id: I63f386c60595b9a8db29ecb2715558c78ddb4c70
 2016-10-25 22:31:02 +00:00
Connor O'Brien
2370fc775c sepolicy for boot_control HAL service 
Bug: 31864052
Test: Logging confirms service runs on boot
Merged-In: I41e9e5c45d2d42886cdf7ff6d364e9e6e3df1ff4
Change-Id: I41e9e5c45d2d42886cdf7ff6d364e9e6e3df1ff4
Signed-off-by: Connor O'Brien <connoro@google.com>
 2016-10-25 13:33:48 -07:00
Jeff Vander Stoep
fb2be31617 Merge "Add macros for treble and non-treble only policy" 
am: 367d90b6a4

Change-Id: I032862523987c6d59965c332a92c0fadaeda6250
 2016-10-25 20:10:24 +00:00
Treehugger Robot
367d90b6a4 Merge "Add macros for treble and non-treble only policy" 2016-10-25 20:06:02 +00:00
Rahul Chaudhry
1e5aca27ce Merge "fc_sort: cleanup warnings caught by clang tidy / static analyzer." 
am: ce3b2a41a5

Change-Id: Ia2261cc8d9dff87484e5462c715aaf36f2cfcf2d
 2016-10-24 19:10:26 +00:00
Treehugger Robot
ce3b2a41a5 Merge "fc_sort: cleanup warnings caught by clang tidy / static analyzer." 2016-10-24 19:03:57 +00:00
Jeff Vander Stoep
5855b4884c Merge "isolated_app: no sdcard access" 
am: 626edc7555

Change-Id: I6a02275d4b618677f6540295c0290e53c62ff55e
 2016-10-21 20:45:29 +00:00
Treehugger Robot
626edc7555 Merge "isolated_app: no sdcard access" 2016-10-21 20:29:01 +00:00
Mikhail Naganov
9f90cadc1d Update SELinux policy for audiohal 
am: 2ff6b4da73

Change-Id: I10765cef79fa42538e5987985de24de1c0090396
 2016-10-21 19:08:08 +00:00
Mikhail Naganov
2ff6b4da73 Update SELinux policy for audiohal 
Change-Id: Iaa9907ed516c947175a59bf49938c0ee03b4f6d1
 2016-10-21 09:53:15 -07:00
Felipe Leme
ce4c82a8c2 Merge "Creates an autofill system service." 
am: f5312f8e81

Change-Id: I6472e55c079805a97bd3f60800331ace7b3959a5
 2016-10-21 16:19:26 +00:00
Jeff Vander Stoep
ce4b5eeaee isolated_app: no sdcard access 
Remove and neverallow isolated_app access to external storage and
USB accessories.

Test: aosp_angler-userdebug builds
Bug: 21643067
Change-Id: Ie912706a954a38610f2afd742b1ab4b8cd4b1f36
 2016-10-21 09:15:48 -07:00
Treehugger Robot
f5312f8e81 Merge "Creates an autofill system service." 2016-10-21 16:09:31 +00:00
Craig Donner
8bae22ecea sepolicy: Add policy for VR HIDL service. 
am: 7ba0485665

Change-Id: I5ab2f5a0924715128420ba7edf877ee2ed3d2bc0
 2016-10-21 02:47:31 +00:00
Felipe Leme
8221d59711 Creates an autofill system service. 
BUG: 31001899
Test: manual
Change-Id: I8d462b40d931310eab26bafa09645ac88f13fc97
 2016-10-20 17:33:27 -07:00
Craig Donner
7ba0485665 sepolicy: Add policy for VR HIDL service. 
Test: built and ran on device.
Bug: 31442830
Change-Id: Idd7870b4dd70eed8cd4dc55e292be39ff703edd2
 2016-10-20 17:03:54 -07:00
Prashant Malani
566ffd0252 Merge "Cleanup and renaming of vibrator HAL sepolicy" 
am: fe360ad6bd

Change-Id: I880c24b3b566e8566b5cb3ececbe27ddd513a4e4
 2016-10-20 21:53:31 +00:00
Treehugger Robot
fe360ad6bd Merge "Cleanup and renaming of vibrator HAL sepolicy" 2016-10-20 21:42:19 +00:00
William Roberts
29877e71f5 Merge "check_seapp: correct output on invalid policy file" 
am: 70d1d30eac

Change-Id: I3c74c31807bacb557e65d14ea5ca834906f5a670
 2016-10-20 18:12:16 +00:00
Treehugger Robot
70d1d30eac Merge "check_seapp: correct output on invalid policy file" 2016-10-20 18:00:20 +00:00
Jeff Vander Stoep
9ec8d943c1 Merge "racoon: remove domain_deprecated attribute" 
am: 41c727bce8

Change-Id: I2b8992af4e888d1f16996509f13f4ef17dc2d7c7
 2016-10-20 02:34:04 +00:00
Treehugger Robot
41c727bce8 Merge "racoon: remove domain_deprecated attribute" 2016-10-20 02:27:39 +00:00
Jeff Vander Stoep
4692d61295 Merge "racoon: allow setting options on tun interface" 
am: 76b467aedb

Change-Id: Ifc036b3562fbc6b925b64272c4e75795504993eb
 2016-10-20 00:33:20 +00:00
Treehugger Robot
76b467aedb Merge "racoon: allow setting options on tun interface" 2016-10-20 00:22:52 +00:00
Jeff Vander Stoep
d733d161cf Add macros for treble and non-treble only policy 
Test: builds
Change-Id: Idd1d90a89a9ecbb2738d6b483af0e8479e87aa15
 2016-10-19 15:05:05 -07:00
William Roberts
f7d6bb3f71 check_seapp: correct output on invalid policy file 
If in invalid policy file is loaded check_seapp outputs:

Error: Could not lod policy file to db: Success!

The "Success" value is from errno, which is not manipulated
by libsepol. Also, load should have an a in it!

Hardcode the error message to:

Error: Could not load policy file to db: invalid input file!

Test: That when providing an invalid sepolicy binary, that the output
message is correct.
Change-Id: Iaf1f85eeb217d484997ee1367d91d461c1195bf4
Signed-off-by: William Roberts <william.c.roberts@intel.com>
 2016-10-19 22:03:41 +00:00
Prashant Malani
2d9d3e6de3 Cleanup and renaming of vibrator HAL sepolicy 
Renaming vibrator sepolicy to remove the version number.
Also moving the related binder_call() to maintain alphabetical order.

Bug: 32123421
Change-Id: I2bfa835085519ed10f61ddf74e7e668dd12bda04
Test: booted, and checked vibrate on keypress on bullhead
 2016-10-19 09:54:20 -07:00
Prashant Malani
bd1d36de60 Add sysfs rule for vibrator in system_server 
am: c86eb96f45

Change-Id: Ibf07cf30cccc798699be28156f50bbca55df5db7
 2016-10-18 21:51:20 +00:00
Prashant Malani
c86eb96f45 Add sysfs rule for vibrator in system_server 
Helps fix vibrator HAL open issue

avc: denied { write } for pid=907 comm="system_server" name="enable" dev="sysfs" ino=20423 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=file permissive=0

Bug: 32209928
Bug: 32225232

Test: m, booted, tested keypad to make sure vibrator works
Change-Id: I4977c42b7fac0c9503be04b6520487f2d6cbc903
 2016-10-18 12:59:20 -07:00
Rahul Chaudhry
c0f8c0b107 Merge "check_seapp: cleanup warning caught by clang tidy / static analyzer." 
am: b99424f0c4

Change-Id: I6c1d92289dff14f9501fee78a5e3b58d19331aa9
 2016-10-17 22:23:40 +00:00
Treehugger Robot
b99424f0c4 Merge "check_seapp: cleanup warning caught by clang tidy / static analyzer." 2016-10-17 22:15:21 +00:00
Jeff Vander Stoep
d7a64e4e8b racoon: remove domain_deprecated attribute 
Test: builds/boots on Angler. No "granted" messages for the removed
permissions observed in three months of log audits.

Bug: 28760354
Change-Id: Ib6da57f6249a5571015b649bae843590229be714
 2016-10-15 17:15:25 -07:00
Jeff Vander Stoep
d063d23032 racoon: allow setting options on tun interface 
Fixes failure in VPN connection

avc: denied { ioctl } for pid=2870 comm="ip-up-vpn" ioctlcmd=8914
scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0 tclass=udp_socket
avc: denied { ioctl } for pid=2870 comm="ip-up-vpn" ioctlcmd=8916
scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0 tclass=udp_socket

Test: VPN works
Bug: 32011648
Change-Id: I28c4dc7ffbf7e35ef582176674c4e9764719a2a9
 2016-10-15 14:09:45 -07:00
Daniel Micay
1573f55bdd remove unnecessary dalvik rules from recovery 
am: 510771ff92

Change-Id: I13496eb190ff2c611f87d2ee6b81978f09f6f2a3
 2016-10-14 23:53:48 +00:00
Daniel Micay
510771ff92 remove unnecessary dalvik rules from recovery 
Change-Id: Ic0dd1162e268ce54e11de08b18dd7df47ab12147
 2016-10-14 02:27:31 -04:00
Prashant Malani
d7cbaf298e sepolicy: Add policy for vibrator HIDL service am: b32b4a112f am: d55ef92371 
am: 5b87c66933

Change-Id: I964fcb218f92c6f74dbff5f551229956abe01b68
 2016-10-13 21:01:40 +00:00
Prashant Malani
5b87c66933 sepolicy: Add policy for vibrator HIDL service am: b32b4a112f 
am: d55ef92371

Change-Id: I02d9c27f40cdd32596521a3e01c81fe2fdc4b6a1
 2016-10-13 20:54:33 +00:00
Prashant Malani
d55ef92371 sepolicy: Add policy for vibrator HIDL service 
am: b32b4a112f

Change-Id: I1da20c57ca9e4b129638103884bcbeb5da5d7ee7
 2016-10-13 20:52:03 +00:00