tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
13313 commits 1 branch 0 tags 50 MiB
Commit graph

13313 commits

This branch
This branch
All branches
Author SHA1 Message Date
Joel Galenson
6771dc79ef Merge "Disallow most coredomains from accessing vendor_files on Treble." am: 6168a12ea9 
am: ea3942f0a7

Change-Id: I67615fa3fac8c88647e4e085269ad30405010c8c
 2017-12-21 19:53:12 +00:00
Joel Galenson
ea3942f0a7 Merge "Disallow most coredomains from accessing vendor_files on Treble." 
am: 6168a12ea9

Change-Id: Ie83d270b7fb1659d890e5dd9356ee69a0b6f6ea5
 2017-12-21 19:03:24 +00:00
Treehugger Robot
6168a12ea9 Merge "Disallow most coredomains from accessing vendor_files on Treble." 2017-12-21 17:07:20 +00:00
Tri Vo
6f31c4b2d4 system_server: remove access to /sys/class/leds. am: 89a7b21541 
am: ef3865076b

Change-Id: I5cf091be44cdab57a17fd064b7ba4eca768314bc
 2017-12-20 21:42:32 +00:00
Tri Vo
ef3865076b system_server: remove access to /sys/class/leds. 
am: 89a7b21541

Change-Id: Icdd87b3f76ebcbd5d05ad17f00368ef50fa1603d
 2017-12-20 21:22:10 +00:00
Tri Vo
89a7b21541 system_server: remove access to /sys/class/leds. 
Removing legacy rules. system_server now depends on Lights HAL (which
has its own domain) instead of /sys/class/leds.

Bug: 70846424
Test: sailfish boots; screen, flashlight work fine.

Change-Id: I6f116a599cab26ae71e45f462b33328bc8d43db5
 2017-12-20 18:51:26 +00:00
Joel Galenson
52e11be07a Disallow most coredomains from accessing vendor_files on Treble. 
Test: Built the policy for many devices.
Change-Id: Ic61023dc2d597865504d1a4bc955bd1bc973f83c
 2017-12-20 10:05:35 -08:00
Jeff Vander Stoep
a139dd2d61 Merge "app: move appdomain to public policy" am: d4bb9b7342 
am: 9a07f54ff7

Change-Id: I4e84b7164fa29628852a2ba07775dac7b92a4899
 2017-12-20 17:56:21 +00:00
Jeff Vander Stoep
9a07f54ff7 Merge "app: move appdomain to public policy" 
am: d4bb9b7342

Change-Id: I00f508e57619f3f5273095bd8e1c9cae84fa2aaf
 2017-12-20 17:53:48 +00:00
Treehugger Robot
d4bb9b7342 Merge "app: move appdomain to public policy" 2017-12-20 17:49:31 +00:00
Tri Vo
ea687901d0 Merge "init: tighten sysfs_type permissions" am: 021344cc51 
am: 677a6b2ecc

Change-Id: I3f956384f5221ace3ce5d5b7475b16a612bd6484
 2017-12-20 17:18:37 +00:00
Tri Vo
677a6b2ecc Merge "init: tighten sysfs_type permissions" 
am: 021344cc51

Change-Id: I6eb661d22f49cd9209f3b33075d04479184735fb
 2017-12-20 17:16:02 +00:00
Tri Vo
021344cc51 Merge "init: tighten sysfs_type permissions" 2017-12-20 17:11:10 +00:00
Tony Mak
17a7819801 Add selinux policy for CrossProfileAppsService am: 215fb3efe4 
am: 5c98a06f1d

Change-Id: I07bbb517dc6d26b6044f4972eedc179643e72267
 2017-12-20 07:03:44 +00:00
Tony Mak
5c98a06f1d Add selinux policy for CrossProfileAppsService 
am: 215fb3efe4

Change-Id: I6c451967c7e40250c29c7f696f61b4b61c27ad69
 2017-12-20 07:01:12 +00:00
Jeff Vander Stoep
77b290f303 app: move appdomain to public policy 
Vendor-specific app domains depend on the rules in app.te so they
must reside in public policy.

Bug: 70517907
Test: build
Change-Id: If45557a5732a06f78c752779a8182e053beb25a2
Merged-In: If45557a5732a06f78c752779a8182e053beb25a2
(cherry picked from commit 1f4cab8bd4)
 2017-12-19 21:31:01 -08:00
Tony Mak
215fb3efe4 Add selinux policy for CrossProfileAppsService 
CrossProfileAppsService allows apps to do limited cross profile
operations, like checking the caller package is installed in
the specified user. It is similar to LauncherAppsService in some sense.

Merged-In: I26e383a57c32c4dc9b779752b20000b283a5bfdc
Change-Id: I26e383a57c32c4dc9b779752b20000b283a5bfdc
Fix: 67765768
Test: Built with ag/3063260. Can boot and verified those APIs are working.
(cherry picked from commit 6536c9e092)
 2017-12-20 09:42:37 +09:00
Tri Vo
55039509fd init: tighten sysfs_type permissions 
Removes open, read, setattr permissions to sysfs_type.
Adds explicit permissions to:
sysfs_dt_firmware_android
sysfs_vibrator
sysfs_wake_lock

Bug: 65643247
Test: walleye boots without denials to sysfs_type.
Change-Id: I2e344831655c2c8e8e48b07ecce6a2704f2a206a
 2017-12-19 16:17:42 -08:00
yro
e63570c375 Setting up SELinux policy for statsd and stats service am: 2970845577 
am: c9bfbc1686

Change-Id: Ia73d1db9eb3e616b061f3365a228d0c7b7a926cb
 2017-12-19 19:11:58 +00:00
yro
c9bfbc1686 Setting up SELinux policy for statsd and stats service 
am: 2970845577

Change-Id: Ib8c8a55ffe51b48eced90683192f6025a0ab15ec
 2017-12-19 18:56:05 +00:00
yro
2970845577 Setting up SELinux policy for statsd and stats service 
Bug: 63757906
Test: manual testing conducted
Change-Id: Id03413ce82b5646d4bceddc59e16c7d5ee5bc193
 2017-12-19 01:41:48 +00:00
Tri Vo
9ee60ea4a7 Merge "perfprofd: allow traversing sysfs directories." am: b73cd9f8df 
am: 2ee1a51c3c

Change-Id: Iba7931a041d6147ae90d49ba7c613811c38fe3ae
 2017-12-19 01:16:49 +00:00
Tri Vo
2ee1a51c3c Merge "perfprofd: allow traversing sysfs directories." 
am: b73cd9f8df

Change-Id: I732c3cc8dd293c4da679c5f617b9c01db4985187
 2017-12-19 01:13:51 +00:00
Treehugger Robot
b73cd9f8df Merge "perfprofd: allow traversing sysfs directories." 2017-12-19 01:04:17 +00:00
xshu
5a90141fbd Wifi hal - Firmware dump permissions am: 6ad3c891bc 
am: 40868b952e

Change-Id: If0a7e68f59f9d78af253ea5914b8fc5b6c32161c
 2017-12-19 01:00:27 +00:00
xshu
40868b952e Wifi hal - Firmware dump permissions 
am: 6ad3c891bc

Change-Id: Iec46b5bdc36327549d930058e562e386fb950c40
 2017-12-19 00:56:54 +00:00
xshu
6ad3c891bc Wifi hal - Firmware dump permissions 
we are aiming to improve logging performance by having wifi hal
directly write to the flash.

Wifi hal need to be able to create, write, and delete files in
a directory. This will be restricted to userdebug and eng builds only.

Bug: 70170285
Test: compile, run on device
Change-Id: Id0cd317411f4c393d7529aa31b501046d7350edb
 2017-12-18 13:11:02 -08:00
Howard Ro
02ca42e1e2 Revert "Setting up SELinux policy for statsd and stats service" am: d496ea7a61 
am: 744e67d7e6

Change-Id: I040ae4aa03ecc6052f7aeba21fbcfb0e6e35859b
 2017-12-16 02:31:37 +00:00
Howard Ro
744e67d7e6 Revert "Setting up SELinux policy for statsd and stats service" 
am: d496ea7a61

Change-Id: Ib6adf4bc2c608c86eebb5a174c91b4955c4d409c
 2017-12-16 02:29:07 +00:00
Howard Ro
d496ea7a61 Revert "Setting up SELinux policy for statsd and stats service" 
This reverts commit 5744cbdf8d.

Reason for revert: aosp_dragon-userdebug build broken

Change-Id: I5f8180273c32119ae9839f31610bbca37cd05c65
 2017-12-16 02:22:23 +00:00
yro
3d444093c9 Setting up SELinux policy for statsd and stats service am: 5744cbdf8d 
am: da67945df9

Change-Id: I641db56b690577dcc4b750fe970019f9730d243a
 2017-12-16 01:49:33 +00:00
yro
da67945df9 Setting up SELinux policy for statsd and stats service 
am: 5744cbdf8d

Change-Id: I43913ca176e7a9ca049da643a95daff26f1ce916
 2017-12-16 01:46:59 +00:00
yro
5744cbdf8d Setting up SELinux policy for statsd and stats service 
Test: manual testing conducted see if it interfere's with AOSP

Change-Id: If47a663557b2ebf825fc082edb838ae085ec66b3
 2017-12-16 01:40:45 +00:00
Jiyong Park
a212c863a6 Merge "/odm is another vendor partition that can be customied by ODMs" am: 5872e84f82 
am: acc882167b

Change-Id: Ia130d8211d9e0b849d5bef6c14a9dc5ecdc0f4ac
 2017-12-16 00:43:45 +00:00
Jiyong Park
acc882167b Merge "/odm is another vendor partition that can be customied by ODMs" 
am: 5872e84f82

Change-Id: Ice57a32ba00d99b74ed260706eee7dadae56e91a
 2017-12-16 00:38:11 +00:00
Treehugger Robot
5872e84f82 Merge "/odm is another vendor partition that can be customied by ODMs" 2017-12-16 00:27:08 +00:00
Jiyong Park
4c3ab18f49 /odm is another vendor partition that can be customied by ODMs 
Since /odm is an extension of /vendor, libs in /odm should be treated
just like the ones in /vendor.

Bug: 67890517
Test: none as we don't yet have /odm partition.
Change-Id: I5232baef769c7fa8c7641b462cfa1d7537d3cfdf
 2017-12-15 19:07:58 +09:00
Tri Vo
ae20791517 perfprofd: allow traversing sysfs directories. 
Bug: 70275668
Test: walleye builds, boots.
This change only expands the existing permissions, so shouldn't regress
runtime behavior.
Change-Id: I36e63f11d78998a88e3f8d1e6913e20762a359af
 2017-12-14 00:00:17 +00:00
Marissa Wall
3337c82e7c Merge "Restrict access to uid_concurrent_*_time" am: 40ed4283e4 
am: 5b17322a87

Change-Id: I6e4c79d36c6b3ed4f734c7a9d6fd24d3031d3ae6
 2017-12-13 20:15:02 +00:00
Marissa Wall
5b17322a87 Merge "Restrict access to uid_concurrent_*_time" 
am: 40ed4283e4

Change-Id: I21488f5a1d0ef9035a3ae165ca790ad18d1b354f
 2017-12-13 20:01:05 +00:00
Treehugger Robot
40ed4283e4 Merge "Restrict access to uid_concurrent_*_time" 2017-12-13 19:48:47 +00:00
Tom Cherry
c456286e3c Add /dev/__properties__/property_info am: 8b5433a9cc 
am: c878b4c56a

Change-Id: I0781ab5eaf7aec47a8657e1c6ef10080c3294463
 2017-12-13 02:32:13 +00:00
Tom Cherry
c878b4c56a Add /dev/__properties__/property_info 
am: 8b5433a9cc

Change-Id: I7cf94fdd9aa130b1a97f56d4a97852eae79fa8c7
 2017-12-13 01:37:51 +00:00
Tom Cherry
8b5433a9cc Add /dev/__properties__/property_info 
Allow init to create a serialized property_info file and allow all
processes to read it.

Bug: 36001741
Test: boot bullhead, walleye using property_info

Change-Id: Ie51d4c0f0221b128dd087029c811fda15b4d7093
 2017-12-13 01:28:15 +00:00
Tri Vo
3107b53241 Merge "Remove access to 'sysfs' files from healtd and charger." am: 1fc08a299c 
am: b10d2964b3

Change-Id: I07d6bdf0cf606b2ec56196e129a8340207d5d08b
 2017-12-12 23:55:07 +00:00
Tri Vo
049bf53a11 Merge "shell: directory access to sysfs_net" am: 5b8d279fcd 
am: cd06968498

Change-Id: Ib53a57006c73d54b1c62c18129aba5f67710bf2a
 2017-12-12 23:45:35 +00:00
Tri Vo
b10d2964b3 Merge "Remove access to 'sysfs' files from healtd and charger." 
am: 1fc08a299c

Change-Id: If06792db331fecabaaa3de4b77c680c8bc8b7833
 2017-12-12 23:41:16 +00:00
Tri Vo
cd06968498 Merge "shell: directory access to sysfs_net" 
am: 5b8d279fcd

Change-Id: Id86a7031965cc900a3ca72ff503544d02f07120e
 2017-12-12 23:40:36 +00:00
Treehugger Robot
1fc08a299c Merge "Remove access to 'sysfs' files from healtd and charger." 2017-12-12 23:18:08 +00:00
Treehugger Robot
5b8d279fcd Merge "shell: directory access to sysfs_net" 2017-12-12 23:11:36 +00:00