Commit graph

16077 commits

Author SHA1 Message Date
Alan Stokes
7b377b1f59 Temporarily add auditing of execmod by apps. am: 708aa90dd2 am: a55f637a3d
am: 9563a64d93

Change-Id: Ied75b1303d2ad7061fb74f5185946cdbe7a2386e
2018-07-20 07:00:08 -07:00
Alan Stokes
9563a64d93 Temporarily add auditing of execmod by apps. am: 708aa90dd2
am: a55f637a3d

Change-Id: I7a7d2f284caaf264c6c74e9d8c8046ce9559789d
2018-07-20 06:56:44 -07:00
Alan Stokes
a55f637a3d Temporarily add auditing of execmod by apps.
am: 708aa90dd2

Change-Id: I4a0fdea7adead3baceb089644ed37a0c479d2e62
2018-07-20 06:52:41 -07:00
Alan Stokes
708aa90dd2 Temporarily add auditing of execmod by apps.
This is so we can get data on which apps are actually doing this.

Bug: 111544476
Test: Device boots. No audits seen on test device.
Change-Id: I5f72200ed8606775904d353c4d3d790373fe7dea
2018-07-20 12:40:29 +01:00
Xin Li
a006a5484c Merge "Merge pi-dev-plus-aosp-without-vendor into stage-dr1-aosp-master" into stage-dr1-aosp-master
am: f7288e703c

Change-Id: I4a0d70b1c57b037d64c56aa5b51eb9777d9fa2fa
2018-07-19 23:52:43 -07:00
TreeHugger Robot
f7288e703c Merge "Merge pi-dev-plus-aosp-without-vendor into stage-dr1-aosp-master" into stage-dr1-aosp-master 2018-07-20 06:03:49 +00:00
Tri Vo
eee30d0d01 Merge "Add mapping files for 28.0.[ignore.]cil" am: 13e60ed1fa am: 6c32e0624f
am: a7bec59eaf

Change-Id: Iae7ec677989153c98e797471aca4cd61d4535618
2018-07-19 18:11:27 -07:00
Tri Vo
a7bec59eaf Merge "Add mapping files for 28.0.[ignore.]cil" am: 13e60ed1fa
am: 6c32e0624f

Change-Id: Icce3d18a40640787c8f41bfb510759e19559168f
2018-07-19 18:07:16 -07:00
Tri Vo
6c32e0624f Merge "Add mapping files for 28.0.[ignore.]cil"
am: 13e60ed1fa

Change-Id: I5b19874975830ddcb2765851544eebc9848d3df4
2018-07-19 18:03:05 -07:00
Tri Vo
13e60ed1fa Merge "Add mapping files for 28.0.[ignore.]cil" 2018-07-20 00:56:27 +00:00
Xin Li
5818c714cd Merge pi-dev-plus-aosp-without-vendor into stage-dr1-aosp-master
Bug: 111615259
Change-Id: Ibfeb032b9e24541dcb3885cd15e31ca5ae3728e9
2018-07-19 13:50:39 -07:00
Jae Shin
1fa9634896 Add mapping files for 28.0.[ignore.]cil
Steps taken to produce the mapping files:

1. Add prebuilts/api/28.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
from the /vendor/etc/selinux/[plat_pub_versioned.cil|vendor_sepolicy.cil]
files built on pi-dev with lunch target aosp_arm64-eng

2. Add new file private/compat/28.0/28.0.cil by doing the following:
- copy /system/etc/selinux/mapping/28.0.cil from pi-dev aosp_arm64-eng
device to private/compat/28.0/28.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 28 sepolicy.
Find all such types using treble_sepolicy_tests_28.0 test.
- for all these types figure out where to map them by looking at
27.0.[ignore.]cil files and add approprite entries to 28.0.[ignore.]cil.

This change also enables treble_sepolicy_tests_28.0 and install 28.0.cil
mapping onto the device.

Bug: 72458734
Test: m selinux_policy
Change-Id: I90e17c0b43af436da4b62c16179c198b5c74002c
2018-07-18 20:08:38 -07:00
Todd Poynor
e0ff3fbe4e [automerger skipped] Merge changes from topic "selinux_cherry_picks" into stage-aosp-master
am: 39f114d79d  -s ours

Change-Id: I5d4b19d7fb15641b8022c748ec1ed8cfdef44362
2018-07-18 17:31:27 -07:00
TreeHugger Robot
39f114d79d Merge changes from topic "selinux_cherry_picks" into stage-aosp-master
* changes:
  remove thermalcallback_hwservice
  reorder api 27 compat entries for removed types to match AOSP
2018-07-19 00:21:31 +00:00
Jeff Vander Stoep
5d094a5aff app: exempt su from auditallow statement am: f95bf194c1
am: 7f6087c972

Change-Id: I8b828255b4a3c710b2e0c60e843d336228489ced
2018-07-18 16:24:35 -07:00
Jeff Vander Stoep
7f6087c972 app: exempt su from auditallow statement
am: f95bf194c1

Change-Id: Idcdcb03b7764a6f0f3a7dd2d3110ed5f7166b772
2018-07-18 16:21:00 -07:00
Todd Poynor
c3e9ff90d3 remove thermalcallback_hwservice
This hwservice isn't registered with hwservicemanager but rather passed
to the thermal hal, so it doesn't need sepolicy associated with it to
do so.

Test: manual: boot, inspect logs
Test: VtsHalThermalV1_1TargetTest
Bug: 109802374
Change-Id: Ifb727572bf8eebddc58deba6c0ce513008e01861
Merged-In: Ifb727572bf8eebddc58deba6c0ce513008e01861
(cherry picked from commit c6afcb7fc0)
2018-07-18 16:18:50 -07:00
Todd Poynor
d1ff81c2a7 reorder api 27 compat entries for removed types to match AOSP
Avoids subsequent merge conflicts in this section of the file.

Test: manual: compile
Change-Id: I9af723dccff54039031dc4d8f3e5ee34be5960d1
Merged-In: I9af723dccff54039031dc4d8f3e5ee34be5960d1
(cherry picked from commit 6682530515)
2018-07-18 16:17:40 -07:00
Tri Vo
8b624a1add resolve merge conflicts of d07ab2fe93 to stage-aosp-master
am: 690de22d48

Change-Id: I1cd29a8f72cb1cdb90f4f6459c9f231d2284a092
2018-07-18 14:35:43 -07:00
Jeff Vander Stoep
f95bf194c1 app: exempt su from auditallow statement
Cut down on logspam during kernel_net_tests

Test: /data/nativetest64/kernel_net_tests/kernel_net_tests
Change-Id: Id19f50caebc09711f80b7d5f9d87be103898dd9a
2018-07-18 21:21:46 +00:00
Tri Vo
690de22d48 resolve merge conflicts of d07ab2fe93 to stage-aosp-master
BUG: None
Test: I solemnly swear I tested this conflict resolution.
Change-Id: I58fff9dc7826eb60520b087d08ecd931cba63bf0
2018-07-18 13:08:55 -07:00
Tri Vo
d07ab2fe93 Merge "Add 28.0 prebuilts" 2018-07-18 18:31:23 +00:00
Steven Thomas
f7d5d2d936 Merge "Selinux changes for vr flinger vsync service" am: 663a827b47
am: 4b3ec1984e

Change-Id: Ib6786e4c5a7cf3713d8cc4b3fb0ce013831e74d1
2018-07-17 16:26:06 -07:00
Steven Thomas
4b3ec1984e Merge "Selinux changes for vr flinger vsync service"
am: 663a827b47

Change-Id: Icc345eda8c645065cc30f14fe4d3de07ba888c25
2018-07-17 16:21:34 -07:00
Treehugger Robot
663a827b47 Merge "Selinux changes for vr flinger vsync service" 2018-07-17 23:15:13 +00:00
Tri Vo
afdfeeb506 Add 28.0 prebuilts
Bug: n/a
Test: n/a
Change-Id: I11e6baaa45bcb01603fc06e8a16002727f4e5a00
2018-07-17 15:31:47 -07:00
Josh Gao
dc86cc0da9 system_server: allow appending to debuggerd -j pipe. am: 5ca755e05e
am: 98545f075c

Change-Id: Ie60925c143519732d737fd82948aab7a88b050df
2018-07-17 15:29:40 -07:00
Josh Gao
98545f075c system_server: allow appending to debuggerd -j pipe.
am: 5ca755e05e

Change-Id: I92b326f5f1c9f1db083c329ecc8eca952039dc06
2018-07-17 15:25:36 -07:00
Yifan Hong
bf7bf3ba0e perfprofd: talk to health HAL.
am: 65c568d0dd

Change-Id: I67a358cb33f9ba546ab3b42f58d48c1c0a5c763e
2018-07-17 13:24:23 -07:00
Josh Gao
5ca755e05e system_server: allow appending to debuggerd -j pipe.
Test: debuggerd -j `pidof system_server`
Change-Id: I6cca98b20ab5a135305b91cbb7c0fe7b57872bd3
2018-07-17 12:46:01 -07:00
Yifan Hong
65c568d0dd perfprofd: talk to health HAL.
Test: perfprofd tests
Bug: 110890430
Change-Id: I0f7476d76b8d35b6b48fe6b77544ca8ccc71534d
2018-07-17 11:37:26 -07:00
Jeff Vander Stoep
a0afe6eaf6 [automerger skipped] crash_dump: disallow ptrace of TCB components am: f0e6a70ab5 am: 7f6df93026 am: db8835e0c3 -s ours
am: a2bc6f8cfc  -s ours

Change-Id: Ib11f5cda0d40754fb773e7c4f3a8b2e364f83c8a
2018-07-13 21:47:05 -07:00
Jeff Vander Stoep
a2bc6f8cfc [automerger skipped] crash_dump: disallow ptrace of TCB components am: f0e6a70ab5 am: 7f6df93026
am: db8835e0c3  -s ours

Change-Id: I29ed491f8e482f0233f5e68847b96f98c147b47b
2018-07-13 21:41:59 -07:00
Jeff Vander Stoep
db8835e0c3 crash_dump: disallow ptrace of TCB components am: f0e6a70ab5
am: 7f6df93026

Change-Id: I6b3b7204317bdad91f44bcf6cfce7d3810693b42
2018-07-13 21:37:55 -07:00
Jeff Vander Stoep
3d4d8899d1 crash_dump: disallow ptrace of TCB components
am: 573d333589

Change-Id: I5d0bd81b6b486a6a5cffd8159d99cfcdcf0f464f
2018-07-13 21:35:08 -07:00
Jeff Vander Stoep
7f6df93026 crash_dump: disallow ptrace of TCB components
am: f0e6a70ab5

Change-Id: Ia2c196281ae051e2d3ee1ad3f810b12901af8d69
2018-07-13 21:34:51 -07:00
Steven Thomas
7bec967402 Selinux changes for vr flinger vsync service
Add selinux policy for the new Binder-based vr flinger vsync service.

Bug: 72890037

Test: - Manually confirmed that I can't bind to the new vsync service
from a normal Android application, and system processes (other than
vr_hwc) are prevented from connecting by selinux.

- Confirmed the CTS test
  android.security.cts.SELinuxHostTest#testAospServiceContexts, when
  built from the local source tree with this CL applied, passes.

- Confirmed the CTS test
  android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules521,
  when built from the local source tree with this CL applied, passes.

Change-Id: Ib7a6bfcb1c2ebe1051f3accc18b481be1b188b06
2018-07-13 17:17:01 -07:00
Yifan Hong
b1b3a31e61 Merge changes from topic "coredomain_batteryinfo" am: 6397d7e0cb
am: c74c0fbb34

Change-Id: I43163ef3484dd31d0ead3f5432b572bc5568bde3
2018-07-13 13:08:55 -07:00
Yifan Hong
c74c0fbb34 Merge changes from topic "coredomain_batteryinfo"
am: 6397d7e0cb

Change-Id: I88c793acd19ce05e275d6f2883f90540f37d52b6
2018-07-13 12:42:47 -07:00
Treehugger Robot
6397d7e0cb Merge changes from topic "coredomain_batteryinfo"
* changes:
  vold: not allowed to read sysfs_batteryinfo
  full_treble: coredomain must not have access to sysfs_batteryinfo
2018-07-13 18:42:32 +00:00
Yifan Hong
711908e60b vold: not allowed to read sysfs_batteryinfo
It doesn't need to read batteryinfo to function properly.
Bug: 110891415
Test: builds and boots

Change-Id: I7f388180a25101bfd0c088291ef03a9bf8ba2b2c
2018-07-12 11:45:28 -07:00
Yifan Hong
b5f7f28c26 full_treble: coredomain must not have access to sysfs_batteryinfo
... but should do it via health HAL and healthd.

Bug: 110891415
Test: builds
Change-Id: Ib124f82d31f1dfbe99a56475dba04a37f81bdca3
2018-07-12 11:45:28 -07:00
Jeff Vander Stoep
573d333589 crash_dump: disallow ptrace of TCB components
Remove permissions.

Bug: 110107376
Test: kill -6 <components excluded from ptrace>
Change-Id: If8b9c932af03a551e40e786d591544ecdd4e5c98
Merged-In: If8b9c932af03a551e40e786d591544ecdd4e5c98
(cherry picked from commit f1554f1588)
2018-07-12 11:33:30 -07:00
Jeff Vander Stoep
f0e6a70ab5 crash_dump: disallow ptrace of TCB components
Remove permissions and add neverallow assertion.

Bug: 110107376
Test: kill -6 <components excluded from ptrace>
Change-Id: If8b9c932af03a551e40e786d591544ecdd4e5c98
Merged-In: If8b9c932af03a551e40e786d591544ecdd4e5c98
(cherry picked from commit f1554f1588)
2018-07-12 17:30:25 +00:00
Aalique Grahame
c1e84a6ac5 Merge "sepolicy: create rules for system properties" am: 280c6afab2
am: 5626ee67a9

Change-Id: Icd66784f207472346ac823ad565e6e7b834dcbc8
2018-07-10 21:45:02 -07:00
Aalique Grahame
5626ee67a9 Merge "sepolicy: create rules for system properties"
am: 280c6afab2

Change-Id: I879d46d8e004a4ea63c1b131cdb5348e90adca0d
2018-07-10 21:40:58 -07:00
Florian Mayer
9d144e1f00 Merge "Allow to read events/header_page with debugfs_tracing" am: 7d7328b807
am: 139bb3f279

Change-Id: Ifb564911815c938a489c32f4c648d9b8c3612c6f
2018-07-10 21:38:01 -07:00
Treehugger Robot
280c6afab2 Merge "sepolicy: create rules for system properties" 2018-07-11 04:36:36 +00:00
Florian Mayer
139bb3f279 Merge "Allow to read events/header_page with debugfs_tracing"
am: 7d7328b807

Change-Id: I6bd14e069dd07b81b6cf33cfe8dd22e641d8f1f9
2018-07-10 21:35:06 -07:00
Treehugger Robot
7d7328b807 Merge "Allow to read events/header_page with debugfs_tracing" 2018-07-11 04:28:23 +00:00