Sohani Rao
3dd460ba2b
SE Policy for Wifi Offload HAL
...
Update SE Policy to allow calls to and callbacks from Wifi Offload HAL
HIDL binderized service.
Cherry pick from d56aa1982d15acfc2408271138dac43f1e5dc987
Bug: 32842314
Test: Unit tests, Manual test to ensure Wifi can be brought up and
connected to an AP, ensure that Offload HAL service is running and that
wificond can get the service handle by calling hwservicemanager.
Change-Id: I0fc51a4152f1891c8d88967e75d45ded115e766e
2017-04-04 14:28:39 -07:00
Steven Moreland
11468f373c
Merge "Remove hal_binderization_prop" am: 1871fc0a88
am: 2261cab6f2
am: 484a277c29
...
am: 7138973fe8
Change-Id: I19217d9c4f428223beef29605ab4fd4f0a0db4b7
2017-04-04 20:26:04 +00:00
Steven Moreland
7138973fe8
Merge "Remove hal_binderization_prop" am: 1871fc0a88
am: 2261cab6f2
...
am: 484a277c29
Change-Id: Iaa779c0d07bc503e27d0d9b65816347e819daa8a
2017-04-04 20:22:31 +00:00
Steven Moreland
484a277c29
Merge "Remove hal_binderization_prop" am: 1871fc0a88
...
am: 2261cab6f2
Change-Id: Id44a7c591e8d7640c89e74cb9e88ce7849439c29
2017-04-04 20:17:49 +00:00
Steven Moreland
2261cab6f2
Merge "Remove hal_binderization_prop"
...
am: 1871fc0a88
Change-Id: I2d474b6d04d0fa2af7ad35d7af068e38477609ee
2017-04-04 20:12:30 +00:00
Treehugger Robot
1871fc0a88
Merge "Remove hal_binderization_prop"
2017-04-04 19:49:52 +00:00
Alex Klyubin
5786f36b53
Merge "Move TEE rules to vendor image" into oc-dev am: fbccda3423
...
am: 4234d95f02
Change-Id: I5bf5e7a14936c275d78c1ae3438dcad88da33233
2017-04-04 19:21:29 +00:00
Alex Klyubin
4234d95f02
Merge "Move TEE rules to vendor image" into oc-dev
...
am: fbccda3423
Change-Id: I1dd3889756bcc6324f80d20aeecba95587e68f20
2017-04-04 19:10:59 +00:00
TreeHugger Robot
fbccda3423
Merge "Move TEE rules to vendor image" into oc-dev
2017-04-04 18:59:24 +00:00
Steven Moreland
d40474ec55
Remove hal_binderization_prop
...
Test: works on internal marlin
Bug: 34274385
Change-Id: Idd35e5cdccb595b4e5994eb1d78fdeece0aec0a6
2017-04-04 09:46:45 -07:00
Roshan Pius
a32386bbf3
Merge "sepolicy: Add new wifi keystore HAL" into oc-dev am: 29f273ce6a
...
am: a21b8b0e1f
Change-Id: I959ce59a098036326ebfc3244972519fd129f364
2017-04-04 16:26:04 +00:00
Roshan Pius
a21b8b0e1f
Merge "sepolicy: Add new wifi keystore HAL" into oc-dev
...
am: 29f273ce6a
Change-Id: I0dc5693bddd9574eb36ee4a711652b4130afdd8e
2017-04-04 16:22:05 +00:00
TreeHugger Robot
29f273ce6a
Merge "sepolicy: Add new wifi keystore HAL" into oc-dev
2017-04-04 16:12:48 +00:00
Martijn Coenen
f09591ef61
Merge "Add target for vndservice_contexts." into oc-dev am: c3a9e7df5f
...
am: f89f35ecc9
Change-Id: I34301b22c7ee6e041326f37ffd398245672fe926
2017-04-04 03:57:58 +00:00
Martijn Coenen
f89f35ecc9
Merge "Add target for vndservice_contexts." into oc-dev
...
am: c3a9e7df5f
Change-Id: Ifcb4f63b7111252ee3a0deb58e6471b06df58587
2017-04-04 03:51:31 +00:00
Martijn Coenen
c3a9e7df5f
Merge "Add target for vndservice_contexts." into oc-dev
2017-04-04 03:41:47 +00:00
Jeff Vander Stoep
6875f9d16c
Merge "adbd/shell: grant access to sepolicy for cts" into oc-dev am: bab5872cb1
...
am: 2afd33839f
Change-Id: I8447d7aeefdfd314244c16c223b23219fd95bbc4
2017-04-04 02:18:27 +00:00
Jeff Vander Stoep
2afd33839f
Merge "adbd/shell: grant access to sepolicy for cts" into oc-dev
...
am: bab5872cb1
Change-Id: I0341e66bd3a8fcbddf9daf7da84187430b5747d6
2017-04-04 02:10:57 +00:00
TreeHugger Robot
bab5872cb1
Merge "adbd/shell: grant access to sepolicy for cts" into oc-dev
2017-04-04 02:01:43 +00:00
Ningyuan Wang
b5efa1c88c
Merge "Remove unused wificond sepolicy for dropping privileges" into oc-dev am: 9337a4dd87
...
am: 2ec492f1a2
Change-Id: I996307180bc21742c5039ab53a6d9764925916ad
2017-04-03 23:49:17 +00:00
Ningyuan Wang
2ec492f1a2
Merge "Remove unused wificond sepolicy for dropping privileges" into oc-dev
...
am: 9337a4dd87
Change-Id: Ib3273650207e0b64cdca1d6e0e3bbdf48d292a6b
2017-04-03 23:41:51 +00:00
Ningyuan Wang
9337a4dd87
Merge "Remove unused wificond sepolicy for dropping privileges" into oc-dev
2017-04-03 23:31:39 +00:00
Jeff Vander Stoep
892d1e40ce
adbd/shell: grant access to sepolicy for cts
...
Test: Test: make cts && \
cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check --abi arm64-v8a \
--module CtsSecurityHostTestCases \
-t android.security.cts.SELinuxHostTest#testNoExemptionsForBinderInVendorBan
Fails as expected.
Bug: 36002573
Change-Id: I298c526789b25734d5f18666c64497e5d1e181d0
2017-04-03 16:31:09 -07:00
Martijn Coenen
6676c234fc
Add target for vndservice_contexts.
...
So we can limit vndservicemanager access to
just vndservice_contexts.
Bug: 36052864
Test: servicemanager,vndservicemanager work
Change-Id: I7b132d4f616ba1edd0daf7be750d4b7174c4e188
2017-04-03 15:39:42 -07:00
Tom Cherry
9e1e2d242f
Merge "Grant vdc access to kmsg" into oc-dev am: 0c31c85a28
...
am: 81e1c12f56
Change-Id: I08fa8d70c193dfc2c8c79f41b546bbb564b3822f
2017-04-03 22:12:47 +00:00
Tom Cherry
81e1c12f56
Merge "Grant vdc access to kmsg" into oc-dev
...
am: 0c31c85a28
Change-Id: I2e6c151eb6b3413054f52d0dea5ab93c91065319
2017-04-03 22:06:05 +00:00
Tom Cherry
0c31c85a28
Merge "Grant vdc access to kmsg" into oc-dev
2017-04-03 21:58:44 +00:00
Shubang Lu
50c84c5a58
Merge "Add sepolicy for tv.input" into oc-dev am: a1c0650898
...
am: 7e9f535288
Change-Id: Ib23d7b2edadfbc7d188d21d5142f28e7c19b45ac
2017-04-03 20:08:29 +00:00
Shubang Lu
7e9f535288
Merge "Add sepolicy for tv.input" into oc-dev
...
am: a1c0650898
Change-Id: I7e586b6bf9c22ab0380f9982889f0c8c86115df1
2017-04-03 20:00:43 +00:00
Shubang Lu
a1c0650898
Merge "Add sepolicy for tv.input" into oc-dev
2017-04-03 19:55:53 +00:00
Alex Klyubin
304d653637
Move TEE rules to vendor image
...
"tee" domain is a vendor domain. Hence its rules should live on the
vendor image.
What's left as public API is that:
1. tee domain exists and that it is permitted to sys_rawio capability,
2. tee_device type exists and apps are not permitted to access
character devices labeled tee_device.
If you were relying on system/sepolicy automatically labeling
/dev/tf_driver as tee_device or labeling /system/bin/tf_daemon as
tee_exec, then you need to add these rules to your device-specific
file_contexts.
Test: mmm system/sepolicy
Test: bullhead, angler, and sailfish boot up without new denials
Bug: 36714625
Bug: 36714625
Bug: 36720355
Change-Id: Ie21619ff3c44ef58675c369061b4afdd7e8501c6
2017-04-03 11:11:48 -07:00
Ningyuan Wang
9576785df5
Remove unused wificond sepolicy for dropping privileges
...
Bug: 36855921
Test: compile, wifi works with toggling
Change-Id: Ib0819a2d552472e482e192a69530441cfc2c0fd7
2017-04-03 10:27:39 -07:00
TreeHugger Robot
f3f2b0717b
Merge "Sepolicy: Add ASAN-Extract"
2017-04-03 15:33:27 +00:00
Daniel Nicoara
24c6334cc8
Merge "VR: Add sepolicy for VR HWC service" into oc-dev am: ed82acb912
...
am: 888bc0bbee
Change-Id: Ic14649c9ecba4879547300030717e2176ce8ca53
2017-04-03 14:42:35 +00:00
Daniel Nicoara
888bc0bbee
Merge "VR: Add sepolicy for VR HWC service" into oc-dev
...
am: ed82acb912
Change-Id: I2c7dc59f0ea468fba1e34d38a55cc2e8e6cc3289
2017-04-03 14:40:02 +00:00
TreeHugger Robot
ed82acb912
Merge "VR: Add sepolicy for VR HWC service" into oc-dev
2017-04-03 14:17:09 +00:00
Ningyuan Wang
6fb8c9c60a
Merge "Remove unused wificond sepolicy privilges" into oc-dev am: a299bc8028
...
am: 3c0561b13f
Change-Id: I05d63291a5e7af356e158483255ce1c5b73a1539
2017-04-02 04:00:21 +00:00
Ningyuan Wang
3c0561b13f
Merge "Remove unused wificond sepolicy privilges" into oc-dev
...
am: a299bc8028
Change-Id: I94b99a1ace48fafeb47280d1d6764cac70fb9464
2017-04-02 03:57:55 +00:00
Ningyuan Wang
a299bc8028
Merge "Remove unused wificond sepolicy privilges" into oc-dev
2017-04-02 03:53:06 +00:00
Jeffrey Vander Stoep
14f2127c04
Merge "Ban core components from accessing vendor data types" into oc-dev am: 814edf8c90
...
am: f9b6368a56
Change-Id: I94973e72c33c15d0c856df05ec3a12f2490f170d
2017-04-01 14:27:39 +00:00
Jeffrey Vander Stoep
f9b6368a56
Merge "Ban core components from accessing vendor data types" into oc-dev
...
am: 814edf8c90
Change-Id: I9a8cd19a081ab7731f8caf098e406d0af9ce9c48
2017-04-01 14:24:39 +00:00
Jeffrey Vander Stoep
814edf8c90
Merge "Ban core components from accessing vendor data types" into oc-dev
2017-04-01 14:20:37 +00:00
Jeff Vander Stoep
50563c0367
Ban core components from accessing vendor data types
...
Vendor and system components are only allowed to share files by
passing open FDs over HIDL. Ban all directory access and all file
accesses other than what can be applied to an open FD such as
ioctl/stat/read/write/append.
This commit asserts that core components marked with attribute
coredomain may only access core data types marked with attribute
core_data_file_type.
A temporary exemption is granted to domains that currently rely on
access.
(cherry picked from commit cd97e71084)
Bug: 34980020
Test: build Marlin policy
Change-Id: I2f0442f2628fbac1f2f7aa5ddf2a13e16b2546cc
2017-04-01 07:16:40 -07:00
TreeHugger Robot
5cb81f59c5
Merge "Ban core components from accessing vendor data types"
2017-04-01 04:43:18 +00:00
Vishwath Mohan
e2108fd560
Merge "Refactor sanitized library on-disk layout - SELinux." into oc-dev am: 45f699c792
...
am: 99575587f4
Change-Id: Ifc2a968afc41bebeea83b2a8291661e8ea367219
2017-04-01 04:38:47 +00:00
Vishwath Mohan
99575587f4
Merge "Refactor sanitized library on-disk layout - SELinux." into oc-dev
...
am: 45f699c792
Change-Id: Ib868a803f480a3c756102e59d49275b6eb4e6372
2017-04-01 04:28:54 +00:00
TreeHugger Robot
45f699c792
Merge "Refactor sanitized library on-disk layout - SELinux." into oc-dev
2017-04-01 04:18:33 +00:00
Jeff Vander Stoep
8efb8b684b
Merge "domain: grant all domains access to zoneinfo" into oc-dev am: 386f946025
...
am: 035a04245f
Change-Id: I154a39ee1247c057fc7e9bc587da3e04a565f912
2017-04-01 02:05:20 +00:00
Jeff Vander Stoep
035a04245f
Merge "domain: grant all domains access to zoneinfo" into oc-dev
...
am: 386f946025
Change-Id: Ieba3686f331cfa1c3a0907bf15db188a19d3f140
2017-04-01 01:59:50 +00:00
TreeHugger Robot
386f946025
Merge "domain: grant all domains access to zoneinfo" into oc-dev
2017-04-01 01:55:52 +00:00