tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
15584 commits 1 branch 0 tags 50 MiB
Commit graph

15584 commits

This branch
This branch
All branches
Author SHA1 Message Date
Tom Cherry
ee2e5ced22 Merge "Allow vendor_init to access unencrypted_data_file" am: 09ade7fce4 
am: 2f69dd8c43

Change-Id: Ic0227f3b7735e719d449196db532dd57fc054d98
 2018-04-18 15:32:06 -07:00
Tom Cherry
2f69dd8c43 Merge "Allow vendor_init to access unencrypted_data_file" 
am: 09ade7fce4

Change-Id: I3813dac8d74d77e6973cbe98220f5915c9794ddb
 2018-04-18 15:22:59 -07:00
Tom Cherry
09ade7fce4 Merge "Allow vendor_init to access unencrypted_data_file" 2018-04-18 22:08:57 +00:00
Jeff Vander Stoep
df6d77cd45 Protect dropbox service data with selinux am: 4d3ee1a5b6 
am: 1874950d21

Change-Id: Id2e5359054ae6d1882b0c99011ee09d1b75fa604
 2018-04-18 15:05:34 -07:00
Jeff Vander Stoep
1874950d21 Protect dropbox service data with selinux 
am: 4d3ee1a5b6

Change-Id: Idc82f95ff479cdb860dbb5c968d58448c0b289e3
 2018-04-18 15:02:26 -07:00
Jeff Vander Stoep
4d3ee1a5b6 Protect dropbox service data with selinux 
Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.

While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.

Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df
 2018-04-18 19:53:03 +00:00
Tri Vo
1ff62be936 [automerger skipped] Merge "Sepolicy for rw mount point for vendors." am: 5a5894a979 
am: 1ab34eb09e  -s ours

Change-Id: I971a76ef38eba5a5a50f2e5532e291d7d5616208
 2018-04-18 12:48:53 -07:00
Tri Vo
1ab34eb09e Merge "Sepolicy for rw mount point for vendors." 
am: 5a5894a979

Change-Id: Iad07653a6b49eee4f757b7fdee22975605984ea1
 2018-04-18 12:45:16 -07:00
Tom Cherry
620dc7f814 Allow vendor_init to access unencrypted_data_file 
FBE needs to access these files to set up or verify encryption for
directories during mkdir.

Bug: 77850279
Test: walleye + more restrictions continues to have FBE work
Change-Id: I84e201436ce4531d36d1257d932c3e2e772ea05e
(cherry picked from commit 18a284405f)
 2018-04-18 19:39:04 +00:00
Tri Vo
5a5894a979 Merge "Sepolicy for rw mount point for vendors." 2018-04-18 19:32:32 +00:00
Mark Salyzyn
fdf4c6bfb8 Merge "init: lock down access to keychord_device" into pi-dev 
am: 8ace003930

Change-Id: Ia75172c00c82fdb4c6fd9675514cbed67ad97853
 2018-04-18 12:31:08 -07:00
TreeHugger Robot
8ace003930 Merge "init: lock down access to keychord_device" into pi-dev 2018-04-18 18:56:32 +00:00
Tom Cherry
95bcffaa45 Merge "Allow vendor_init to access unencrypted_data_file" into pi-dev 
am: 4f0a21cca8

Change-Id: I5962ef88fd66889724bafa938bede39581318bfb
 2018-04-18 10:47:57 -07:00
Tom Cherry
4f0a21cca8 Merge "Allow vendor_init to access unencrypted_data_file" into pi-dev 2018-04-18 17:37:23 +00:00
Alan Stokes
62913dbfd2 Remove fixed bug from bug_map. 
Bug: 77816522
Bug: 73947096

Test: Flashed device, no denial seen
Change-Id: Ib2f1fc670c9a76abbb9ff6747fec00fa5bcde5af
 2018-04-18 17:11:45 +01:00
Alan Stokes
051b47c865 Merge "Revert "Revert "Add /sys/kernel/memory_state_time to sysfs_power.""" am: a87a8db2ac 
am: e6fa185ae6

Change-Id: Ie57c8b2a0d99148b16383a5f4199c10ad7c5210a
 2018-04-18 02:47:49 -07:00
Alan Stokes
e6fa185ae6 Merge "Revert "Revert "Add /sys/kernel/memory_state_time to sysfs_power.""" 
am: a87a8db2ac

Change-Id: Ic9cb8e564c77a437b33159894d34f73686a1bfd6
 2018-04-18 02:42:19 -07:00
Alan Stokes
a87a8db2ac Merge "Revert "Revert "Add /sys/kernel/memory_state_time to sysfs_power.""" 2018-04-18 09:32:18 +00:00
Tianjie Xu
7d47427997 Allow dumpstate to read the update_engine logs 
Denial message:
avc: denied { read } for pid=2775 comm="dumpstate" name="update_engine_log"
dev="sda35" ino=3850274 scontext=u:r:dumpstate:s0
tcontext=u:object_r:update_engine_log_data_file:s0 tclass=dir permissive=0

Bug: 78201703
Test: take a bugreport
Change-Id: I2c788c1211812aa0fcf58cee37a6e8f955424849
 2018-04-18 06:54:39 +00:00
Bookatz
7a69c9fd96 [automerger skipped] Merge "NO PARTIAL RERUN Statsd sepolicy hal_health" into pi-dev 
am: bc9f22a654  -s ours

Change-Id: Iba178959b20ec1e2e6afbdf7bfeb5df39deb51e7
 2018-04-17 16:23:54 -07:00
TreeHugger Robot
bc9f22a654 Merge "NO PARTIAL RERUN Statsd sepolicy hal_health" into pi-dev 2018-04-17 23:16:44 +00:00
Tom Cherry
18a284405f Allow vendor_init to access unencrypted_data_file 
FBE needs to access these files to set up or verify encryption for
directories during mkdir.

Bug: 77850279
Test: walleye + more restrictions continues to have FBE work
Change-Id: I84e201436ce4531d36d1257d932c3e2e772ea05e
 2018-04-17 15:21:32 -07:00
Chong Zhang
ec0160a891 Allow system_server to adjust cpuset for media.codec 
Bug: 72841545
Change-Id: I30c1758e631a57f453598e60e6516da1874afcbf
 2018-04-17 14:24:57 -07:00
Bookatz
055a958dad NO PARTIAL RERUN 
Statsd sepolicy hal_health

Statsd monitors battery capacity, which requires calls to the health
hal.

Fixes: 77923174
Bug: 77916472
Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests#testFullBatteryCapacity
Merged-In: I2d6685d4b91d8fbc7422dfdd0b6ed96bbddc0886
Change-Id: I767068c60cff6c1baba615d89186705107531c02
 2018-04-17 21:23:31 +00:00
Mark Salyzyn
8daacf64f1 init: lock down access to keychord_device 
The out-of-tree keychord driver is only intended for use by init.

Test: build
Bug: 64114943
Bug: 78174219
Change-Id: I96a7fbcd9a54a38625063606f5c4ab6d40d701f6
 2018-04-17 14:04:24 -07:00
Tri Vo
8c1a1b2472 Sepolicy for rw mount point for vendors. 
Bug: 64905218
Test: device boots with /mnt/vendor present and selinux label
mnt_vendor_file applied correctly.
Change-Id: Ib34e2859948019d237cf2fe8f71845ef2533ae27
Merged-In: Ib34e2859948019d237cf2fe8f71845ef2533ae27
(cherry picked from commit 210a805b46)
 2018-04-17 21:04:15 +00:00
Tri Vo
5fd38baf04 Merge "Sepolicy for rw mount point for vendors." into pi-dev 
am: ae0b835c58

Change-Id: I72eb24a252571974b8732facf500a6f23eb9ccf1
 2018-04-17 13:42:27 -07:00
Mark Salyzyn
b79e00ac52 Merge "init: lock down access to keychord_device" am: 53cabd6c35 
am: 27696cae57

Change-Id: If252f78e4acccfafc7f46ec9d1c2556d66480523
 2018-04-17 13:09:38 -07:00
Florian Mayer
12dde4cc93 [automerger skipped] Merge "Make traced_probes mlstrustedsubject." am: cc23e48f9f 
am: 246226046e  -s ours

Change-Id: I6cd0d28357fca77d3079984633725e45c7582774
 2018-04-17 13:09:16 -07:00
Mark Salyzyn
27696cae57 Merge "init: lock down access to keychord_device" 
am: 53cabd6c35

Change-Id: Ic1ae863280e265db56f123e3d006bbaec2a47126
 2018-04-17 13:03:13 -07:00
Florian Mayer
246226046e Merge "Make traced_probes mlstrustedsubject." 
am: cc23e48f9f

Change-Id: I85e598c83d9e363c3341cbdebf3b05a53fc6888c
 2018-04-17 13:03:00 -07:00
Treehugger Robot
53cabd6c35 Merge "init: lock down access to keychord_device" 2018-04-17 19:59:58 +00:00
Treehugger Robot
cc23e48f9f Merge "Make traced_probes mlstrustedsubject." 2018-04-17 19:47:58 +00:00
TreeHugger Robot
ae0b835c58 Merge "Sepolicy for rw mount point for vendors." into pi-dev 2018-04-17 19:16:56 +00:00
Mark Salyzyn
f14f735455 init: lock down access to keychord_device 
The out-of-tree keychord driver is only intended for use by init.

Test: build
Bug: 64114943
Bug: 78174219
Change-Id: I96a7fbcd9a54a38625063606f5c4ab6d40d701f6
 2018-04-17 11:24:35 -07:00
Florian Mayer
4378ba7c84 Make traced_probes mlstrustedsubject. 
Denials:
04-12 12:42:47.795   903   903 W traced_probes: type=1400 audit(0.0:5684): avc: denied { search } for name="1376" dev="proc" ino=204553 scontext=u:r:traced_probes:s0 tcontext=u:r:untrusted_app_27:s0:c512,c768 tclass=dir permissive=0
04-12 12:42:47.795   903   903 W traced_probes: type=1400 audit(0.0:5685): avc: denied { search } for name="1402" dev="proc" ino=204554 scontext=u:r:traced_probes:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=dir permissive=0
04-12 12:42:47.801   903   903 W traced_probes: type=1400 audit(0.0:5686): avc: denied { search } for name="1496" dev="proc" ino=204557 scontext=u:r:traced_probes:s0 tcontext=u:r:untrusted_app:s0:c85,c256,c512,c768 tclass=dir permissive=0
04-12 12:42:47.805   903   903 W traced_probes: type=1400 audit(0.0:5687): avc: denied { search } for name="1758" dev="proc" ino=204563 scontext=u:r:traced_probes:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=dir permissive=0

Bug: 77955286

Change-Id: If0985d3ddd7d14c2b139be1c842c9c8df99b90db
Merged-In: If0985d3ddd7d14c2b139be1c842c9c8df99b90db
 2018-04-17 18:12:28 +00:00
Suren Baghdasaryan
c08a28b152 [automerger skipped] Merge "Selinux: Give lmkd read access to /proc/meminfo" into pi-dev 
am: 1f4037f23a  -s ours

Change-Id: I092ec888c9d0b9a4feff5867387678a146d25f59
 2018-04-17 10:16:11 -07:00
TreeHugger Robot
1f4037f23a Merge "Selinux: Give lmkd read access to /proc/meminfo" into pi-dev 2018-04-17 16:58:17 +00:00
Alan Stokes
19b03639a8 Revert "Revert "Add /sys/kernel/memory_state_time to sysfs_power."" 
This reverts commit 12e73685b7.

Reason for revert: Rolling original change forward again, more carefully.

Change-Id: I266b181915c829d743c6d8d0b8c0d70b6bf3d620
 2018-04-17 16:02:03 +00:00
Joel Galenson
21f67b5b56 Merge "Let vold_prepare_subdirs completely clean deleted user data." into pi-dev 
am: f03783609f

Change-Id: I28c19ba3514b3e23df1d4ec585d35fbac290a4f7
 2018-04-17 08:53:35 -07:00
TreeHugger Robot
f03783609f Merge "Let vold_prepare_subdirs completely clean deleted user data." into pi-dev 2018-04-17 15:44:13 +00:00
Suren Baghdasaryan
f7010ab109 Selinux: Give lmkd read access to /proc/meminfo 
Allow lmkd read access to /proc/meminfo for retrieving information
on memory state.

Bug: 75322373
Change-Id: I7cf685813a5a49893c8f9a6ac4b5f6619f3c18aa
Merged-In: I7cf685813a5a49893c8f9a6ac4b5f6619f3c18aa
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
(cherry picked from commit 76384b3ee0)
 2018-04-17 15:27:52 +00:00
Joel Galenson
ece94e9f6a Merge "Add bug_map entries for bugs we've seen." into pi-dev 
am: 53b0486de6

Change-Id: Iab11eab787e22b8c02ba0240a8df33c21eca4fd7
 2018-04-16 21:08:44 -07:00
TreeHugger Robot
53b0486de6 Merge "Add bug_map entries for bugs we've seen." into pi-dev 2018-04-17 04:02:40 +00:00
Jaekyun Seok
39776a021e [automerger skipped] Merge "Allow dumpstate to read property_type" into pi-dev 
am: c8a58767bb  -s ours

Change-Id: I8f55181d42e1f86bd90b8eb8150c13b0f42b15ce
 2018-04-16 18:57:14 -07:00
TreeHugger Robot
c8a58767bb Merge "Allow dumpstate to read property_type" into pi-dev 2018-04-17 01:44:50 +00:00
Bookatz
f09f56f65a Merge "Statsd sepolicy hal_health" am: ced43bc823 
am: bdc1197af7

Change-Id: Ifdef191044383b589280bbae5d193caac59a8005
 2018-04-16 17:19:06 -07:00
Jeff Sharkey
0207bc7dae Merge "Add exFAT support; unify behind "sdcard_type"." into pi-dev 
am: 7b90367a7b

Change-Id: I0588a3ceda6aa8266b31902192f5ceed5314716e
 2018-04-16 17:10:20 -07:00
Joel Galenson
1a4c83a856 Let vold_prepare_subdirs completely clean deleted user data. am: 254a872cab 
am: 397c854db6

Change-Id: I635703793fe5b980087900aa8cfcaacb402c101f
 2018-04-16 17:03:10 -07:00
Bookatz
bdc1197af7 Merge "Statsd sepolicy hal_health" 
am: ced43bc823

Change-Id: I0907274f5223d217da2bda6fec1b5372b8d88393
 2018-04-16 17:00:14 -07:00