Chad Brubaker
7ece155217
Label ephemeral APKs and handle their install/uninstall
...
am: 6f090f6911
Change-Id: I97d83d29f28fb04500f30bd29c4a316f3bbb7ee0
2016-11-12 00:36:35 +00:00
Chad Brubaker
6f090f6911
Label ephemeral APKs and handle their install/uninstall
...
Fixes: 32061937
Test: install/uninstall and verified no denials
Change-Id: I487727b6b32b1a0fb06ce66ed6dd69db43c8d536
2016-11-12 00:27:28 +00:00
Nick Kralevich
b1985a8498
property.te: delete security_prop
...
am: ee751c33c5
Change-Id: I2acdab95a5d2302a10ed6cf57c0705edc480bc6c
2016-11-11 22:44:33 +00:00
Nick Kralevich
ee751c33c5
property.te: delete security_prop
...
This property is never used.
Test: policy compiles
Change-Id: I43ace92950e1221754db28548031fbbfc0437d7a
2016-11-11 12:31:19 -08:00
Nick Kralevich
4778d65665
Merge "property.te: sort entries"
...
am: 7da34af860
Change-Id: Ifee77468b2596cc3570abfa276e3ba23dcf2c2e4
2016-11-11 17:27:09 +00:00
Treehugger Robot
7da34af860
Merge "property.te: sort entries"
2016-11-11 17:20:33 +00:00
Robert Sesek
d94ae33832
Add the "webview_zygote" domain.
...
am: dc43f7cd84
Change-Id: I5f2e21e9ea3a85c8f0cb4b8e15ae54a54eb9e1ab
2016-11-11 15:30:00 +00:00
Robert Sesek
dc43f7cd84
Add the "webview_zygote" domain.
...
The webview_zygote is a new unprivileged zygote and has its own sockets for
listening to fork requests. However the webview_zygote does not run as root
(though it does require certain capabilities) and only allows dyntransition to
the isolated_app domain.
Test: m
Test: angler boots
Bug: 21643067
Change-Id: I89a72ffe6dcb983c4a44048518efd7efb7ed8e83
2016-11-11 10:13:17 -05:00
Nick Kralevich
26c6d726dd
property.te: sort entries
...
Sort the entries in property.te. This will make it slightly easier to
read, and avoids merge conflicts by discouraging the common practice of
adding entries to the bottom of this file.
Test: policy compiles.
Change-Id: I87ae96b33156dba73fb7eafc0f9a2a961b689853
2016-11-11 02:44:51 -08:00
Jason Monk
829672f098
Add persist.vendor.overlay. to properties
...
am: 0e1cbf568a
Change-Id: Ic60dfc5a0caf4cd43c2fdc25c44f58eaacf4fd66
2016-11-11 00:07:08 +00:00
Jason Monk
0e1cbf568a
Add persist.vendor.overlay. to properties
...
Allow the system_server to change it. Allow the zygote to read it as well.
Test: Have system_server set a property
Change-Id: Ie90eec8b733fa7193861026a3a6e0fb0ba5d5318
2016-11-10 17:35:39 -05:00
Nick Kralevich
b2245d6420
Revert "Restore system_server ioctl socket access."
...
am: 58305da980
Change-Id: I9379e8a7d52d6daccfadae4c0e2b19ee43f1932b
2016-11-09 01:33:12 +00:00
Nick Kralevich
58305da980
Revert "Restore system_server ioctl socket access."
...
The underlying ioctl denial was fixed in device-specific policy.
It's not needed in core policy.
A search of SELinux denials shows no reported denials, other than the
ones showing up on marlin.
This reverts commit ec3285cde0.
(cherrypicked from commit 863ce3e7c7)
Test: AndroiTS GPS Test app shows GPS data, no SELinux denials.
Bug: 32290392
Change-Id: I1ba7bad43a2cdd7cdebbe1c8543a71eee765621d
2016-11-08 12:40:44 -08:00
Nick Kralevich
d62abbeea3
profman/debuggerd: allow libart_file:file r_file_perms
...
am: 364fd19782
Change-Id: I4022ab4a4f92a197c48db96a9847cc8166ed2dab
2016-11-08 20:08:38 +00:00
Nick Kralevich
364fd19782
profman/debuggerd: allow libart_file:file r_file_perms
...
Addresses the following auditallow spam:
avc: granted { read open } for comm="profman"
path="/system/lib/libart.so" dev="dm-0" ino=1368 scontext=u:r:profman:s0
tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read open } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1897
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { getattr } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1837
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file
Test: Policy compiles. Not a tightening of rules.
Change-Id: I501b0a6a343c61b3ca6283647a18a9a15deddf2a
2016-11-08 09:28:28 -08:00
Polina Bondarenko
458888a7d3
sepolicy: Add policy for thermal HIDL service
...
am: 9785f2addd
Change-Id: I2543991deefb4ba16ef0476e92442cfadba25793
2016-11-08 15:13:48 +00:00
Polina Bondarenko
9785f2addd
sepolicy: Add policy for thermal HIDL service
...
Bug: 32022261
Test: manual
Change-Id: I664a3b5c37f6a3a36e4e5beb91b384a9599c83f8
2016-11-08 13:34:31 +01:00
Nick Kralevich
b8b0d3746f
installd: r_dir_file(installd, system_file)
...
am: 68f233648e
Change-Id: I3dbbe8bc411dfb530e1363ad563db2dbdbfc1736
2016-11-08 03:25:38 +00:00
Nick Kralevich
68f233648e
installd: r_dir_file(installd, system_file)
...
Allow installd to read through files, directories, and symlinks
on /system. This is needed to support installd using files in
/system/app and /system/priv-app.
Addresses the following auditallow spam:
avc: granted { getattr } for comm="installd"
path="/system/app/Bluetooth/lib/arm/libbluetooth_jni.so"
dev="mmcblk0p41" ino=19 scontext=u:r:installd:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file
avc: granted { getattr } for comm="installd"
path="/system/priv-app/MtpDocumentsProvider/lib/arm64/libappfuse_jni.so"
dev="dm-0" ino=2305 scontext=u:r:installd:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file
avc: granted { read open } for comm="installd"
path="/system/priv-app/TelephonyProvider" dev="mmcblk0p43" ino=1839
scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir
avc: granted { read } for comm="installd" name="Velvet" dev="mmcblk0p43"
ino=1841 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0
tclass=dir
avc: granted { read open } for comm="installd"
path="/system/priv-app/GoogleOneTimeInitializer" dev="mmcblk0p43"
ino=1778 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0
tclass=dir
avc: granted { read open } for comm="installd"
path="/system/app/PlayAutoInstallConfig" dev="mmcblk0p43" ino=112
scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir
Test: policy compiles
Change-Id: I5d14ea2cd7d281f949d0651b9723d5b7fae2e1f2
2016-11-07 16:18:38 -08:00
Roshan Pius
fd637d065f
Merge "wpa.te: Add binder permission back"
...
am: b0c375d46d
Change-Id: I592ed31123b505a1863b514ff6acb98b2771ee41
2016-11-07 23:39:02 +00:00
Treehugger Robot
b0c375d46d
Merge "wpa.te: Add binder permission back"
2016-11-07 23:28:35 +00:00
Roshan Pius
cec44a61ba
wpa.te: Add binder permission back
...
Adding back the binder permission to access keystore from
wpa_supplicant. This was removed by mistake in the previous patch
(commit#: 6caeac) to add hwbinder permissions.
Denials in logs:
11-03 14:37:54.831 9011 9011 I auditd : type=1400 audit(0.0:1490):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:54.831 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1490): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:55.838 9011 9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:55.834 9011 9011 I auditd : type=1400 audit(0.0:1491):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:55.834 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1491): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:56.838 9011 9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:56.834 9011 9011 I auditd : type=1400 audit(0.0:1492):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:56.834 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1492): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:57.839 9011 9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:57.834 9011 9011 I auditd : type=1400 audit(0.0:1493):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:57.834 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1493): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
Bug: 32655747
Test: Compiles. Will send for integration testing.
Change-Id: Ic57a5bf0e6ea15770efc0d09f68d04b2db9ec1b8
2016-11-07 12:51:07 -08:00
Etan Cohen
2143eab887
Merge "[NAN-AWARE] Remove NAN service"
...
am: 0182a87dab
Change-Id: Iae511c7d37b80cb142ed2bafa8232920acc7c6ca
2016-11-06 22:01:22 +00:00
Etan Cohen
0182a87dab
Merge "[NAN-AWARE] Remove NAN service"
2016-11-06 21:56:05 +00:00
Etan Cohen
66502077a9
Merge "[NAN-AWARE] Add Aware service"
...
am: 8da9cd640b
Change-Id: I3b249385f40083bc598784e0b27b91d42fdec16b
2016-11-05 04:06:07 +00:00
Etan Cohen
8da9cd640b
Merge "[NAN-AWARE] Add Aware service"
2016-11-05 04:00:40 +00:00
Etan Cohen
43b96aaf12
[NAN-AWARE] Remove NAN service
...
Finish NAN -> Aware rename process. Removes old NAN service.
Bug: 32263750
Test: device boots and all Wi-Fi unit-tests pass
Change-Id: I2f0d9595efea2494b56074752194e7a6e66070f2
2016-11-04 13:38:14 -07:00
Etan Cohen
44527cb970
[NAN-AWARE] Add Aware service
...
Add Aware service - new name for NAN. But do not remove NAN
yet. Enables smooth transition.
Bug: 32263750
Test: device boots and all Wi-Fi unit-tests pass
Change-Id: Ieb9f1ebf1d2f31ee27f228562b4601023da5282d
2016-11-04 13:37:17 -07:00
dcashman
84992ead69
Restore system_server ioctl socket access.
...
am: ec3285cde0
Change-Id: Id926897e8a5d72771dddbda3fbe06cbe6302be7d
2016-11-04 05:16:16 +00:00
dcashman
ec3285cde0
Restore system_server ioctl socket access.
...
Bug: 32290392
Test: Builds.
Change-Id: I46e8af202b41131cfc9bb280f04a214859c9b0de
2016-11-03 19:36:11 -07:00
Ruchi Kandoi
bd85244dbc
hal_memtrack: Add sepolicy for memtrack service.
...
am: 0a924a6e1a
Change-Id: I7038ee63b1c662f226a3a1fdc5fc1ea905b667df
2016-11-04 00:16:28 +00:00
Ruchi Kandoi
77a862665c
hal_power: Add sepolicy for power service.
...
am: 3c30c4e2db
Change-Id: I9393144a4aa777dcf71571f0f4b659d2ea495524
2016-11-04 00:16:26 +00:00
Ruchi Kandoi
0a924a6e1a
hal_memtrack: Add sepolicy for memtrack service.
...
Bug: 31180823
Test: reduced sepolicy errors
Change-Id: Ibfba2efa903adec340e37abec2afb3b94a262678
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
2016-11-03 13:05:48 -07:00
Ruchi Kandoi
3c30c4e2db
hal_power: Add sepolicy for power service.
...
Bug: 31177288
Test: reduced sepolicy errors
Change-Id: I29556276ee14c341ac8f472875e6b69f903851ff
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
2016-11-03 13:01:48 -07:00
Steven Moreland
cdd1bd76fa
Sepolicy for light hal.
...
am: 1ec710c8ff
Change-Id: Idec0f4922dac7b12a909e83ce963806de78653b7
2016-11-01 23:40:27 +00:00
Steven Moreland
1ec710c8ff
Sepolicy for light hal.
...
Bug: 32022100
Test: end to end
Change-Id: I5dd9b64c98a5c549fdaf9e47d5a92fa6963370c7
2016-11-01 21:30:51 +00:00
Dianne Hackborn
33619e31de
Allow new settings system service.
...
am: 11877133ba
Change-Id: I379cb009d5a47f3c52a69cca1a80321a9e9859b5
2016-11-01 21:30:34 +00:00
Felipe Leme
517a9ed1e3
Merge "Added permissions for the dumpstate service."
...
am: ae9d3c0c31
Change-Id: Ic15a4bfac6fd0bad7325eaae311150b057e4da0d
2016-11-01 21:18:49 +00:00
Dianne Hackborn
11877133ba
Allow new settings system service.
...
Test: N/A
Change-Id: Ib3c85118bf752152f5ca75ec13371073fc2873cc
2016-11-01 21:16:56 +00:00
Treehugger Robot
ae9d3c0c31
Merge "Added permissions for the dumpstate service."
2016-11-01 21:13:31 +00:00
Jorge Lucangeli Obes
52dd15a0c1
Merge "init: Allow SETPCAP for dropping bounding set."
...
am: 02c8383521
Change-Id: Ia923906119e34aa64c8a81fa53b8b53b4dc4af46
2016-11-01 20:28:16 +00:00
Treehugger Robot
02c8383521
Merge "init: Allow SETPCAP for dropping bounding set."
2016-11-01 20:23:14 +00:00
Jorge Lucangeli Obes
847bfa4ab2
init: Allow SETPCAP for dropping bounding set.
...
This is required for https://android-review.googlesource.com/#/c/295748
so that init can drop the capability bounding set for services.
Bug: 32438163
Test: With 295748 and a test service using ambient capabilities.
Change-Id: I57788517cfe2ef0e7a2f1dfab94d0cb967ede065
2016-11-01 14:32:13 -04:00
Felipe Leme
b5f5931e8c
Added permissions for the dumpstate service.
...
- Allow dumpstate to create the dumpservice service.
- Allow System Server and Shell to find that service.
- Don't allow anyone else to create that service.
- Don't allow anyone else to find that service.
BUG: 31636879
Test: manual verification
Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711
2016-11-01 10:43:25 -07:00
Nick Kralevich
a9aac6a9bf
Merge "system_server: allow appendable file descriptors"
...
am: 184851a212
Change-Id: Iea91ab9bd1cc9c45cb1efdc0db0d42d4cda9630d
2016-10-31 15:55:34 +00:00
Nick Kralevich
fa418650d2
Merge "Get rid of more auditallow spam"
...
am: 82b9182ef3
Change-Id: I3dc912af723af37c9fdee2118e0621ed74704f2e
2016-10-31 15:55:22 +00:00
Treehugger Robot
184851a212
Merge "system_server: allow appendable file descriptors"
2016-10-31 15:45:38 +00:00
Treehugger Robot
82b9182ef3
Merge "Get rid of more auditallow spam"
2016-10-31 15:43:42 +00:00
Nick Kralevich
74b8425929
kernel.te: tighten entrypoint / execute_no_trans neverallow
...
am: 02cfce49ae
Change-Id: I68d9a9a44eb6e11a3d9471a46c307e66afe42c35
2016-10-31 15:22:50 +00:00
Nick Kralevich
02cfce49ae
kernel.te: tighten entrypoint / execute_no_trans neverallow
...
The kernel domain exists solely on boot, and is used by kernel threads.
Because of the way the system starts, there is never an entrypoint for
that domain, not even a file on rootfs. So tighten up the neverallow
restriction.
Remove an obsolete comment. The *.rc files no longer have a setcon
statement, and the transition from the kernel domain to init occurs
because init re-execs itself. The statement no longer applies.
Test: bullhead policy compiles.
Change-Id: Ibe75f3d25804453507dbb05c7a07bba1d37a1c7b
2016-10-30 18:46:44 -07:00