Commit graph

19947 commits

Author SHA1 Message Date
Joel Galenson
072332b20f Merge "Fix CTS neverallow violation." am: 412cc87475
am: a1a7a91cb5

Change-Id: I5406a62fb9e695017d29326dbc352d7f7a1c8572
2019-02-28 14:49:00 -08:00
Andreas Gampe
c4389e3468 Sepolicy: Add base runtime APEX postinstall policies am: 4c2d06c458
am: b3fafa2f62

Change-Id: I416bacb3f064cbdefd33b9eb40254634fcdfce05
2019-02-28 14:48:22 -08:00
Andreas Gampe
047f827be6 Sepolicy: Add runtime APEX preinstall fsverity permissions am: 57346a0566
am: 7710cf6e09

Change-Id: Ic0cb99ee626d82490fbc7ceec979449504ab2b13
2019-02-28 14:48:02 -08:00
Andreas Gampe
e5ab7a049e Sepolicy: Add base runtime APEX preinstall policies am: ae127d8340
am: 105dea9f8f

Change-Id: I8bc0ac9941b624898c31473715c6600ec9879f58
2019-02-28 14:47:36 -08:00
David Anderson
da4057e3a4 Merge "Allow system_server and shell to start gsid on-demand."
am: 753225ce9c

Change-Id: I7f818ce217666ae4edf28cc0a7609fafd1317a28
2019-02-28 14:32:38 -08:00
Tri Vo
16f4d00cd6 Merge "ashmem: expand app access"
am: e8cb09db42

Change-Id: I15f1084ad94e8ec0a495b136ec93f8dad39e98db
2019-02-28 14:32:12 -08:00
Joel Galenson
a1a7a91cb5 Merge "Fix CTS neverallow violation."
am: 412cc87475

Change-Id: I91e2626070087fcfdd8c1a5863c7aaa7b30436fd
2019-02-28 14:31:47 -08:00
Andreas Gampe
b3fafa2f62 Sepolicy: Add base runtime APEX postinstall policies
am: 4c2d06c458

Change-Id: Id7fa13a77b131d8471ba974ee97b9ce008422061
2019-02-28 14:30:46 -08:00
Andreas Gampe
7710cf6e09 Sepolicy: Add runtime APEX preinstall fsverity permissions
am: 57346a0566

Change-Id: Ie93e847135cc4b03f3b3b832dd2b64bac30cc5d4
2019-02-28 14:30:33 -08:00
Andreas Gampe
105dea9f8f Sepolicy: Add base runtime APEX preinstall policies
am: ae127d8340

Change-Id: I10adffa505da330ad3fdfccbb6f9c12bc7282629
2019-02-28 14:30:19 -08:00
Sudheer Shanka
a32080bcc2 Remove priv_app SELinux denial tracking.
The underlying issue has been fixed, so this
SELinux denial shouldn't occur anymore.

Bug: 118185801
Test: manual
Change-Id: I5656e341bcb7b554bcd29e00315648eb75ec0a3d
2019-02-28 14:15:47 -08:00
David Anderson
753225ce9c Merge "Allow system_server and shell to start gsid on-demand."
2019-02-28 22:08:10 +00:00
Tri Vo
e8cb09db42 Merge "ashmem: expand app access"
2019-02-28 22:00:50 +00:00
Treehugger Robot
412cc87475 Merge "Fix CTS neverallow violation."
2019-02-28 21:52:44 +00:00
Tri Vo
9fbc87c89f ashmem: expand app access
We are only interested in removing "open" access from apps, so leave
apps with (rw_file_perms - open) permissions to /dev/ashmem

Bug: 126627315
Test: emulator boots without denials to /dev/ashmem
Change-Id: I7f03fad5e4e82aebd1b6272e4956b16f86043637
2019-02-28 10:47:35 -08:00
Andreas Gampe
4c2d06c458 Sepolicy: Add base runtime APEX postinstall policies
Add art_apex_postinstall domain that is allowed to move
precreated AoT artifacts from /data/ota.

Bug: 125474642
Test: m
Change-Id: Id674e202737155a4ee31187f096d1dd655001fdd
2019-02-28 09:24:17 -08:00
David Anderson
64bbf05150 Allow system_server and shell to start gsid on-demand.
gsid is started lazily to reduce memory pressure. It can be started
either via gsi_tool (invoked by adb shell), or by DynamicAndroidService
via system_server.

Bug: 126622385
Test: no denials running "gsi_tool status"
Change-Id: I90a5f3f28fe4f294fb60e7c87a62e76716fbd5c0
2019-02-28 07:54:25 -08:00
Andreas Gampe
57346a0566 Sepolicy: Add runtime APEX preinstall fsverity permissions
Add rights to create and install fsverity data.

Bug: 125474642
Test: m
Change-Id: I752c40c7b396b2da082cb17641702a2c5c11b9c3
2019-02-28 05:12:56 -08:00
Andreas Gampe
ae127d8340 Sepolicy: Add base runtime APEX preinstall policies
Add art_apex_preinstall domain that is allowed to create AoT
artifacts in /data/ota.

Bug: 125474642
Test: m
Change-Id: Ia091d8df34c4be4f84c2052d3c333a0e36bcb036
2019-02-28 05:12:56 -08:00
Kevin Rocard
02e7e8a282 Allow audioserver to access the package manager am: 83f65ebbb2 am: 3cd55154c5
am: eed8985d7f

Change-Id: I3ba2e99985e288b3c9482e9284281ec615ca3563
2019-02-28 00:10:22 -08:00
Kevin Rocard
eed8985d7f Allow audioserver to access the package manager am: 83f65ebbb2
am: 3cd55154c5

Change-Id: Ifb9b64f49787ceb0758a7ca6800718d3ab03de09
2019-02-28 00:06:13 -08:00
Kevin Rocard
3cd55154c5 Allow audioserver to access the package manager
am: 83f65ebbb2

Change-Id: I64a1de43a3cc72afb21423c735b55746d4a5c34a
2019-02-27 23:58:56 -08:00
Kevin Rocard
f9246b399f Merge "Allow audioserver to access the package manager"
2019-02-28 05:19:58 +00:00
Joel Galenson
a92753538f Fix CTS neverallow violation.
Fixes: 126604492
Test: Build userdebug and user.
Test: Test
android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules129
on userdebug.

Change-Id: I0716e566570114878842644339401331513bae22
2019-02-27 19:33:11 -08:00
Kevin Rocard
83f65ebbb2 Allow audioserver to access the package manager
This cannot be done from the system server as there are native APIs that
do not go through it (aaudio, opensles).

Test: adb shell dumpsys media.audio_policy | grep -i 'Package manager'
Bug: 111453086
Signed-off-by: Kevin Rocard <krocard@google.com>
Change-Id: I0a4021f76b5937c6191859892fefaaf47b77967f
2019-02-28 01:50:22 +00:00
Kevin Rocard
25f60574ee Allow audioserver to access the package manager
The audioserver needs to know if an app allows its audio to be recorded.
This cannot be done from the system server as there are native APIs that
do not go through it (aaudio, opensles).

Test: adb shell audiorecorder --target /data/file.raw
      play sound
      adb shell dumpsys media.audio_policy | sed -n '/Mix:/,/^$/p'
      adb shell dumpsys media.audio_policy | grep -i 'Package manager'
Bug: 111453086
Signed-off-by: Kevin Rocard <krocard@google.com>
Change-Id: I0a4021f76b5937c6191859892fefaaf47b77967f
2019-02-27 17:38:27 -08:00
Tri Vo
c9b3c15a90 Merge "Neverallow app open access to /dev/ashmem" am: 7eb9143e46 am: 897933a3ae
am: 131b3dabe2

Change-Id: I92dfad7c36f5d00fbac9347d75a9e3d1210d441f
2019-02-27 16:42:10 -08:00
Tri Vo
131b3dabe2 Merge "Neverallow app open access to /dev/ashmem" am: 7eb9143e46
am: 897933a3ae

Change-Id: I16d9e87d0978747db568c751591072c375e924bf
2019-02-27 16:18:43 -08:00
Tri Vo
897933a3ae Merge "Neverallow app open access to /dev/ashmem"
am: 7eb9143e46

Change-Id: I23b2cc49048f79365a7360f916a23ad51507d062
2019-02-27 16:14:44 -08:00
Tri Vo
7eb9143e46 Merge "Neverallow app open access to /dev/ashmem"
2019-02-28 00:02:14 +00:00
Tri Vo
858ae7c145 Merge "Decouple system_suspend from hal attributes." am: c67a1ff8d9 am: e9aa4fc320
am: 4ac6a82aba

Change-Id: I98fe101822b62754dc2562d056cb3e92013c2be5
2019-02-27 13:38:07 -08:00
Tri Vo
4ac6a82aba Merge "Decouple system_suspend from hal attributes." am: c67a1ff8d9
am: e9aa4fc320

Change-Id: I04dc2d59e215c47bc5b5c2524143540e99d55a82
2019-02-27 13:33:59 -08:00
Alan Stokes
3f7cd0685b Merge "Audit execution of app_data_file by untrusted_app." am: 1c8b376f81 am: 4ced2163d7
am: 257490643a

Change-Id: I425abb1250a162c2d36f4bfcd0bad9fca2a52438
2019-02-27 13:30:21 -08:00
Tri Vo
e9aa4fc320 Merge "Decouple system_suspend from hal attributes."
am: c67a1ff8d9

Change-Id: I87ec7345cd1a5970cba7d7808c479c34cc7c202f
2019-02-27 13:29:52 -08:00
Tri Vo
c67a1ff8d9 Merge "Decouple system_suspend from hal attributes."
2019-02-27 21:25:27 +00:00
Alan Stokes
257490643a Merge "Audit execution of app_data_file by untrusted_app." am: 1c8b376f81
am: 4ced2163d7

Change-Id: I3e777b8525a25cefdbbdd0cdc093875464a52740
2019-02-27 13:21:53 -08:00
Tri Vo
8b12ff5f21 Neverallow app open access to /dev/ashmem
Apps are no longer allowed open access to /dev/ashmem, unless they
target API level < Q.

Bug: 113362644
Test: device boots, Chrome, instant apps work
Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42
2019-02-27 21:17:25 +00:00
Alan Stokes
4ced2163d7 Merge "Audit execution of app_data_file by untrusted_app."
am: 1c8b376f81

Change-Id: I218480b0419c4b75b5d522fa6766e5bc86f1cf9a
2019-02-27 13:16:48 -08:00
Alan Stokes
1c8b376f81 Merge "Audit execution of app_data_file by untrusted_app."
2019-02-27 21:07:19 +00:00
Nicolas Geoffray
b6591f6652 Allow installd to scan JARs in /vendor/framework.
So it can dexopt these JARs.

Bug: 119800099
Test: DeviceBootTest.DeviceBootTest#SELinuxUncheckedDenialBootTest
Change-Id: I40b25319381654c607e17d6fc61e1a1c6fb0c1f1
2019-02-27 20:23:24 +00:00
Alan Stokes
931623e5b9 Audit execution of app_data_file by untrusted_app.
Test: Builds
Bug: 126536482
Change-Id: I9fe7623353cbb980db3853a8979f03ba033c7f45
2019-02-27 18:07:09 +00:00
Andreas Gampe
25065a2f64 Merge changes I6a76eba4,Iff1ecabc am: 025cab88ab am: cccc373fd2
am: 6b47e652fd

Change-Id: I585055f93e50de58efb660c399447506a70480b5
2019-02-27 09:20:50 -08:00
Andreas Gampe
6b47e652fd Merge changes I6a76eba4,Iff1ecabc am: 025cab88ab
am: cccc373fd2

Change-Id: I4264d21df01611f9901b06fb20f0dfdb5512216f
2019-02-27 09:08:40 -08:00
Andreas Gampe
cccc373fd2 Merge changes I6a76eba4,Iff1ecabc
am: 025cab88ab

Change-Id: I8de3d21fdca3a2444decf274250c7514131539bd
2019-02-27 09:04:53 -08:00
Andreas Gampe
025cab88ab Merge changes I6a76eba4,Iff1ecabc
* changes:
  Sepolicy: Move dex2oat and postinstall_dexopt to private
  Sepolicy: Move dac_override checks to private
2019-02-27 16:56:52 +00:00
Nikita Ioffe
b6cff4dc20 Merge "Allow apexd to reboot device" am: 53c0743d79 am: c96e3b1fc7
am: 91cce1fc3f

Change-Id: I7dbb697ce931277a36aee30189ea221fab5fbaf1
2019-02-27 05:09:19 -08:00
Nikita Ioffe
91cce1fc3f Merge "Allow apexd to reboot device" am: 53c0743d79
am: c96e3b1fc7

Change-Id: Icb36bfce890663742e08183fbfed4cbc784f2f21
2019-02-27 04:55:31 -08:00
Nikita Ioffe
c96e3b1fc7 Merge "Allow apexd to reboot device"
am: 53c0743d79

Change-Id: If70b976bceffc59f8b901286a24ce1fbf1ee6259
2019-02-27 04:38:02 -08:00
Nikita Ioffe
53c0743d79 Merge "Allow apexd to reboot device"
2019-02-27 08:49:32 +00:00
Nick Kralevich
f7f82f8f82 allow shell rs_exec:file rx_file_perms am: 68e27caeb6 am: b464e1944e
am: 81159c7e52

Change-Id: Idb5bd461ade773bd352156c71170c43154921085
2019-02-26 18:14:05 -08:00