Commit graph

9 commits

Author SHA1 Message Date
Junjie Hu
c320536070 Fix data/asan/system/system_ext/lib selinux rule for file_contexts_asan
FMRadio dlopen fail and can't work
avc: denied { open } for
path="/data/asan/system/system_ext/lib64/libfmjni.so" dev="mmcblk0p38"
ino=190 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
app=com.android.fmradio

Fixes: 157108870
Test: Launch FMRadio, it can work well with asan enabled.
Change-Id: Ida35ad7248f361efbf649c30e905eeb38e1bf0b4
2020-06-08 10:05:07 +00:00
chunhui.li
233a193462 fix data/asan/product/lib(64) can't access by platform_app issue
FMRadio change from system image to product image, then FMRadio
can't launch
selinux denied log:
avc: denied { open } for path="/data/asan/product/lib64/libfmjni.so"
dev="mmcblk0p35" ino=18 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
app=com.android.fmradio
solution: label data/asan/product/lib(64) to system_lib_file

Bug: 136974466
Test: launch FMRadio, it can work
Change-Id: Icdfc794cb077b81d550816d2e7779c763604e050
2019-07-19 03:23:47 +00:00
Tri Vo
45d521a577 Label /data/asan/* libs as system_lib_file.
This patch gives global access to asan libraries. This is not ideal since the
labeling is not symmetric with standard locations, but this approach is easy to
maintain.

Fixes: 117555408
Test: processes on asan builds load /data/asan/* libs correctly
Change-Id: If54558c1808d8b16e06073c150c9f3eb358dda67
2018-10-10 11:23:00 -07:00
Tri Vo
93318192a0 asan: global read access to /system/asan.options
Bug: 117178352
Test: no denials to /system/asan.options on asan walleye
Change-Id: I6042693afb926a22a3e2be79bd2a7ba062806143
2018-10-08 17:27:06 +00:00
Jiyong Park
4c3ab18f49 /odm is another vendor partition that can be customied by ODMs
Since /odm is an extension of /vendor, libs in /odm should be treated
just like the ones in /vendor.

Bug: 67890517
Test: none as we don't yet have /odm partition.
Change-Id: I5232baef769c7fa8c7641b462cfa1d7537d3cfdf
2017-12-15 19:07:58 +09:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Andreas Gampe
82071b6859 Sepolicy: Add ASAN-Extract
Add selinux policies for init script and shell script to unzip a tar
containing ASAN libraries on boot.

Bug: 36458146
Test: m && m SANITIZE_TARGET=address
Test: manual (build steps for tar missing)
Change-Id: I5c3cb233aae93ee9985431090af902b0e3c1b0a7
(cherry picked from commit 0b74305011)
Merged-In: I5c3cb233aae93ee9985431090af902b0e3c1b0a7
2017-04-05 13:09:29 -07:00
Vishwath Mohan
063de1e099 Refactor sanitized library on-disk layout - SELinux.
This CL changes the policy for ASAN files on-disk to support the
changes made by the following CLs -
https://android-review.googlesource.com/#/c/359087/
https://android-review.googlesource.com/#/c/359389/

which refactor the on-disk layout of sanitized libraries in the following
manner -
/data/lib* --> /data/asan/system/lib*
/data/vendor/* --> /data/asan/vendor/*

There are a couple of advantages to this, including better isolation
from other components, and more transparent linker renaming and
SELinux policies.

(cherry picked from commit 33ebdda80f)

Bug: 36574794
Bug: 36674745
Test: m -j40 && SANITIZE_TARGET="address" m -j40 and the device
boots. All sanitized libraries are correctly located in /data/asan/*,
and have the right SELinux permissions.

Change-Id: Ib08e360cecc8d77754a768a9af0f7db35d6921a9
2017-03-31 17:23:09 -07:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from file_contexts_asan (Browse further)