Tri Vo
c135f0acd6
Label /sys/class/net as sysfs_net.
...
We already expect contents of /sys/class/net to be labeled as sysfs_net.
Also label the directory for consistency since we usually label
/sys/class/foo directories as sysfs_foo.
Bug: 65643247
Test: netd_integration_test
Test: can browse internet without denials to sysfs_net
Change-Id: I9d28ab4baf71df99ae966276532f14684d1abca6
2017-12-08 16:12:52 -08:00
Treehugger Robot
6413f9dadc
Merge "Add broadcast radio HAL 2.0 default implementation to the sepolicy."
2017-12-08 23:46:45 +00:00
Andreas Gampe
e40d676058
Sepolicy: Update rules for perfprofd
...
Follow along with updates in the selinux policy.
Test: m
Test: manual
Change-Id: I0dfc6af8fbfc9c8b6860490ab16f02a220d41915
2017-12-08 15:21:09 -08:00
Jaegeuk Kim
336424b606
add sload_f2fs permission
...
Change-Id: Icfcf02a21dace99ab3f466de495db24a88127ad7
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
2017-12-08 00:36:31 +00:00
Tomasz Wasilczyk
4f7bb7576a
Add broadcast radio HAL 2.0 default implementation to the sepolicy.
...
Test: VTS
Bug: 69958777
Change-Id: I6db7dd9afc9c7f254a0233ff3144b02e48727038
2017-12-07 09:48:16 -08:00
Elliott Hughes
2b42fe4bf6
Add a /bin symlink for convenience.
...
Bug: http://b/63142920
Test: `make dist`
Change-Id: Iae363fd5e7181941408d3d75cbf248e651bc8b49
2017-12-07 16:55:15 +00:00
Treehugger Robot
0500c7e867
Merge "Commit 27.0 compat mapping file to master."
2017-12-07 06:20:35 +00:00
Dan Cashman
f26e39728e
Commit 27.0 compat mapping file to master.
...
Bug: 65551293
Bug: 69390067
Test: None. Prebuilt only change.
Change-Id: Ie793eb4a35927cb494281df59ae0a63666bb6e76
2017-12-06 20:30:26 -08:00
Treehugger Robot
f543ddb384
Merge "Revert "Renames nonplat_* to vendor_*""
2017-12-07 04:02:29 +00:00
Treehugger Robot
bffa911d6b
Merge "Commit 27.0 sepolicy prebuilts to master."
2017-12-07 01:52:56 +00:00
Bo Hu
283dd9ebb9
Revert "Renames nonplat_* to vendor_*"
...
This reverts commit 8b562206bf.
Reason for revert: broke mac build
b/70273082
FAILED: out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil
/bin/bash -c "(out/host/darwin-x86/bin/version_policy -b out/target/product/generic_x86/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil -t out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_policy_raw.cil -n 10000.0 -o out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil.tmp ) && (grep -Fxv -f out/target/product/generic_x86/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil.tmp > out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil ) && (out/host/darwin-x86/bin/secilc -m -M true -G -N -c 30 out/target/product/generic_x86/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/generic_x86/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil out/target/product/generic_x86/obj/ETC/10000.0.cil_intermediates/10000.0.cil out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil -o /dev/null -f /dev/null )"
Parsing out/target/product/generic_x86/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil
Parsing out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_policy_raw.cil
grep: out of memory
Change-Id: I14f0801fdd6b9be28e53dfcc0f352b844005db59
2017-12-07 00:16:13 +00:00
Treehugger Robot
f691b12732
Merge "Sepolicy: Give perfprofd access to kernel notes"
2017-12-07 00:13:50 +00:00
Treehugger Robot
1d7fcdd59a
Merge "Sepolicy: Label kernel notes"
2017-12-07 00:09:25 +00:00
Xin Li
91690c904c
Merge "DO NOT MERGE: Merge Oreo MR1 into master"
2017-12-06 23:18:28 +00:00
Xin Li
4b836a8216
DO NOT MERGE: Merge Oreo MR1 into master
...
Exempt-From-Owner-Approval: Changes already landed internally
Change-Id: I11a15296360fd68485402e33814e7e756925c6a8
2017-12-06 14:24:58 -08:00
Andreas Gampe
365dd03cb1
Sepolicy: Give perfprofd access to kernel notes
...
Simpleperf reads kernel notes.
Bug: 70275668
Test: m
Test: manual
Change-Id: I1a2403c959464586bd52f0398ece0f02e3980fc4
2017-12-06 13:55:06 -08:00
Andreas Gampe
9213fe0217
Sepolicy: Label kernel notes
...
Label /sys/kernel/notes.
Bug: 70275668
Test: m
Change-Id: Ieb666425d2db13f85225fb902fe06b0bf2335bef
2017-12-06 13:55:06 -08:00
Treehugger Robot
61f5f287ba
Merge "Sepolicy: Silence /data/local/tmp access of perfprofd"
2017-12-06 21:31:30 +00:00
Josh Gao
914a7fb95a
crash_dump: allow reading from pipes.
...
Bug: http://b/63989615
Test: mma
Change-Id: I41506ecb0400867230502181c1aad7e51ce16d70
2017-12-06 11:05:54 -08:00
Tri Vo
3ed2877372
Merge "init: remove open, read, write access to 'sysfs' type."
...
am: 9b2dc9cfbb
Change-Id: I1921ca6c85e74935686d10918f0b0fb616e78ace
2017-12-06 19:05:42 +00:00
Treehugger Robot
9b2dc9cfbb
Merge "init: remove open, read, write access to 'sysfs' type."
2017-12-06 18:51:09 +00:00
Andreas Gampe
ec5bcd70b0
Sepolicy: Silence /data/local/tmp access of perfprofd
...
Until simpleperf does not optimistically try /data/local/tmp for
tmp storage, silence the denials.
Bug: 70232908
Test: m
Test: manual
Change-Id: Icbc230dbfbfa6493b4e494185c536a10e3b0ae7b
2017-12-06 10:19:39 -08:00
Dan Cashman
805824884f
Commit 27.0 sepolicy prebuilts to master.
...
Bug: 65551293
Bug: 69390067
Test: None. Prebuilt only change.
Change-Id: I62304b342a8b52fd505892cc2d4ebc882148224b
2017-12-06 09:23:36 -08:00
Tri Vo
0e3235f45d
init: remove open, read, write access to 'sysfs' type.
...
Add write access to:
sysfs_android_usb
sysfs_leds
sysfs_power
sysfs_zram
Add setattr access to:
sysfs_android_usb
sysfs_devices_system_cpu
sysfs_lowmemorykiller
sysfs_power
sysfs_leds
sysfs_ipv4
Bug: 70040773
Bug: 65643247
Change-Id: I68e2e796f5599c9d281897759c8d8eef9363559a
Test: walleye boots with no denials from init to sysfs.
2017-12-06 17:00:59 +00:00
kaichieh
b616688eda
Renames nonplat_* to vendor_*
...
am: 8b562206bf
Change-Id: I5df30ebf4f0ba450ff3da8e54c76da23af955105
2017-12-06 10:11:42 +00:00
kaichieh
8b562206bf
Renames nonplat_* to vendor_*
...
This change renames the non-platform sepolicy files on a DUT from
nonplat_* to vendor_*.
It also splits the versioned platform sepolicy from vendor_sepolicy.cil
to a new file /vendor/etc/selinux/plat_pub_versioned.cil. And only keeps
vendor customizations in vendor_sepolicy.cil.
Build variable BOARD_SEPOLICY_DIRS is also renamed to
BOARD_VENDOR_SEPOLICY_DIRS.
Bug: 64240127
Test: boot an existing device
Change-Id: I53a9715b2f9ddccd214f4cf9ef081ac426721612
2017-12-06 12:57:19 +08:00
Jason Monk
4021886a4f
Add selinux for slice service
...
am: 07131ec803
Change-Id: Id52c9d602fd05e07d79b39b78c164015eab888b0
2017-12-05 20:23:19 +00:00
Jaegeuk Kim
ba828ff741
make_f2fs: grant rw to vold
...
am: c8e7a9f4a7
Change-Id: Ib7ea2f91d6a2099f76c0124097db2f389da9b95e
2017-12-05 17:57:37 +00:00
Jason Monk
07131ec803
Add selinux for slice service
...
Test: make/sync
Bug: 68751119
Change-Id: Ie3c60ff68b563cef07f20d15f298d6b62e9356bc
2017-12-05 11:26:08 -05:00
Jaegeuk Kim
c8e7a9f4a7
make_f2fs: grant rw to vold
...
This allows formatting sdcard for adoptable storage.
Bug: 69641635
Change-Id: I8d471be657e2e8f4df56c94437239510ca65096e
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
2017-12-04 18:41:03 -08:00
rickywai
2a57b35f91
Merge "Add network watchlist service SELinux policy rules"
...
am: e2c271834b
Change-Id: If5386ad857ccffa44be29545283e3ee792503572
2017-12-04 08:35:01 +00:00
rickywai
e2c271834b
Merge "Add network watchlist service SELinux policy rules"
2017-12-04 08:30:49 +00:00
Andreas Gampe
ffaaed8026
Sepolicy: Fix perfprofd path
...
am: 99e4f40246
Change-Id: I80eaf2eb1867d99137c1c7afd1708ebaf6a60e35
2017-12-02 22:03:42 +00:00
Andreas Gampe
99e4f40246
Sepolicy: Fix perfprofd path
...
Corresponds to commit 410cdebaf966746d6667d6d0dd4cee62262905e1 in
system/extras.
Bug: 32286026
Test: m
Change-Id: I1e0934aa5bf4649d598ec460128de6f02711597f
2017-12-01 17:29:36 -08:00
Tri Vo
996487ceda
Revert "init: remove open, read, write access to 'sysfs' type."
...
am: 423d14bfa1
Change-Id: I0cdadf49d68b77c7c6b93738deea4a1e72bc41a3
2017-12-01 22:59:14 +00:00
Tri Vo
423d14bfa1
Revert "init: remove open, read, write access to 'sysfs' type."
...
This reverts commit c2241a8d16.
Reason for revert: build breakage b/70040773
Change-Id: I6af098ae20c4771a1070800d02c98e5783999a39
2017-12-01 22:31:01 +00:00
Tri Vo
317d6b4da2
init: remove open, read, write access to 'sysfs' type.
...
am: c2241a8d16
Change-Id: I4178c482a6b1241bedbadea1aa721c7b08ae8cb3
2017-12-01 19:18:24 +00:00
Tri Vo
c2241a8d16
init: remove open, read, write access to 'sysfs' type.
...
Add write access to:
sysfs_android_usb
sysfs_leds
sysfs_power
sysfs_zram
Add setattr access to:
sysfs_android_usb
sysfs_devices_system_cpu
sysfs_lowmemorykiller
sysfs_power
sysfs_leds
sysfs_ipv4
Bug: 65643247
Test: walleye boots with no denials from init to sysfs.
Change-Id: Ibc9a54a5f43f3d53ab7cbb0fdb9589959b31ebde
2017-12-01 19:13:11 +00:00
Joel Galenson
54d044c12e
Merge "Allow init to create /dev/event-log-tags."
...
am: cea60d7eb5
Change-Id: I9c0195571c616525fe8daaefc76661d111a57917
2017-12-01 16:52:07 +00:00
Treehugger Robot
cea60d7eb5
Merge "Allow init to create /dev/event-log-tags."
2017-12-01 16:47:10 +00:00
Joel Galenson
0975d73010
Allow init to create /dev/event-log-tags.
...
Now that creating a symlink automatically sets its context,
init needs permission to create this file.
Bug: 69965807
Test: Booted device and tested wifi and camera.
Change-Id: I41f5ca8f4d877312c9b2a909001fe9cd80c3d458
2017-11-30 15:38:19 -08:00
Calin Juravle
2b20a162fe
Allow system server to getattr profile_data_files
...
am: acbda50484
Change-Id: I9575610aeae0464661ad23d0eac696915cb0064e
2017-11-30 23:25:13 +00:00
Ricky Wai
c63529735a
Add network watchlist service SELinux policy rules
...
Bug: 63908748
Test: built, flashed, able to boot
Change-Id: I3cfead1d687112b5f8cd485c8f84083c566fbce2
2017-11-30 15:53:19 +00:00
Calin Juravle
acbda50484
Allow system server to getattr profile_data_files
...
This is needed in order to get the stat-size of the files.
Bug: 30934496
Test: gts-tradefed -m GtsAndroidRuntimeManagerHostTestCases
Change-Id: I1df0ba941e8f9ff13a23df4063acc3c4f1555c1b
2017-11-29 18:35:35 -08:00
Connor O'Brien
f410c694c6
Merge "selinux: set proc_uid_time_in_state type for /proc/uid"
...
am: 33ba9c54d1
Change-Id: I09d49857f0bffc37090c4429879fb5288cbc9b90
2017-11-30 01:57:33 +00:00
Connor O'Brien
33ba9c54d1
Merge "selinux: set proc_uid_time_in_state type for /proc/uid"
2017-11-30 01:44:02 +00:00
Jeff Vander Stoep
08c68e1a26
Merge "Fix bug map entry"
...
am: f838a3bc46
Change-Id: Ia2c73bd7b5524da7df7aa96c14dd60e30feecce2
2017-11-30 01:02:38 +00:00
Treehugger Robot
f838a3bc46
Merge "Fix bug map entry"
2017-11-30 00:52:21 +00:00
Jeff Vander Stoep
53950b6595
Fix bug map entry
...
Tclass was omitted for two entries.
Bug: 69928154
Bug: 69366875
Test: build
Change-Id: Ie12c240b84e365110516bcd786b98dc37295fdb9
2017-11-29 14:48:41 -08:00
Connor O'Brien
ac3c61eb40
selinux: set proc_uid_time_in_state type for /proc/uid
...
/proc/uid/ provides the same per-uid time_in_state data as
/proc/uid_time_in_state, so apply the same type and let system_server
read directories of this type.
Bug: 66953705
Test: system_server can read /proc/uid/*/time_in_state files without
denials on sailfish
Change-Id: Iab7fd018c5296e8c0140be81c14e5bae9e0acb0b
Signed-off-by: Connor O'Brien <connoro@google.com>
2017-11-29 12:54:13 -08:00