tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
17784 commits 1 branch 0 tags 50 MiB
Commit graph

17784 commits

This branch
This branch
All branches
Author SHA1 Message Date
Sudheer Shanka
8c93e1cfa2 Merge "Allow zygote to create dirs under /mnt/user/*." 
am: 53713d5d9a

Change-Id: Ie67bc67b2e3d8e916d7ce83b4ff502021a625c32
 2019-02-08 16:47:05 -08:00
Sudheer Shanka
53713d5d9a Merge "Allow zygote to create dirs under /mnt/user/*." 2019-02-08 23:49:58 +00:00
Henry Fang
a372b98b44 Change sepolicy to allow cas@1.1 service 
am: 1f1e36069d

Change-Id: I58fb6aab09b43f00d663793d52dd8ce5622eb4bd
 2019-02-08 15:27:11 -08:00
Henry Fang
1f1e36069d Change sepolicy to allow cas@1.1 service 
Modify sepolicy configure file, so that cas@1.1 service can run
Test: Manual
bug: 124016538

Change-Id: I0b160bc1c575aa18ffead7ff136509fc9dcfb472
Merged-In: I142a6cd66a81ad9e0c8b4d87da672fb8f5c181d6
 2019-02-08 22:05:25 +00:00
Sudheer Shanka
176c91cc19 Allow zygote to create dirs under /mnt/user/*. 
Bug: 124058579
Test: manual
Change-Id: I5b6736544cc8ffc9fd823834fe0edb7a388c6cf0
 2019-02-08 12:01:50 -08:00
David Anderson
300d0ef2c5 Full sepolicy for gsid. 
am: db90b91ea0

Change-Id: I0e827f6b63f042a7a06b0dadeaf6a801a3cef30b
 2019-02-07 22:10:29 -08:00
David Anderson
db90b91ea0 Full sepolicy for gsid. 
Bug: 122556707
Test: manual test
Change-Id: I2536deefb3aa75deee4aeae7df074349b705b0f0
 2019-02-08 05:56:58 +00:00
Daniel Rosenberg
3e40a3c938 Allow update_verifier to call checkpointing 
am: 650981d2a8

Change-Id: I9f4e86f8c0a78be8899395df2afa5e05d927762d
 2019-02-07 17:49:34 -08:00
Daniel Rosenberg
650981d2a8 Allow update_verifier to call checkpointing 
This lets update_verifier call supportsCheckpoint to defer marking the
boot as successful when we may end up failing before we would commit
the checkpoint. In this case, we will mark the boot as successful just
before committing the checkpoint.

Test: Check that marking the boot as succesful was deferred in
      update_verifier, and done later on.
Change-Id: I9b4f3dd607ff5301860e78f4604b600b4ee416b7
 2019-02-08 00:19:28 +00:00
Tri Vo
54ce1f9e94 Merge "Build product hashes together." 
am: c74699105c

Change-Id: If283c0093751e29022c68603083ae23a74c39a01
 2019-02-07 14:46:46 -08:00
Tri Vo
c74699105c Merge "Build product hashes together." 2019-02-07 22:39:02 +00:00
Jeff Vander Stoep
949efb86c5 Merge "crash_dump: suppress denials on properties" 
am: 30fabbf50e

Change-Id: I8b4adc7181ce4fd76c8b36aa61432bb3286cd514
 2019-02-07 12:33:52 -08:00
Treehugger Robot
30fabbf50e Merge "crash_dump: suppress denials on properties" 2019-02-07 20:19:19 +00:00
Tri Vo
24a5587594 Build product hashes together. 
Simplifies our reasoning about product hashes. They are either
present on both sides of the Treble boundary or not.

Might be worth installing all four hashes unconditionally in the future.

Fixes: 123996710
Test: boot taimen, precompiled policy loaded
Change-Id: I749e4b0cc4c85870407a10b7d41a2e2001a75ffb
 2019-02-07 10:55:23 -08:00
Sudheer Shanka
40a245c336 Merge "Allow zygote to mounton /mnt/user/*." 
am: 310b7fd9b3

Change-Id: I273ba63b03d1ee79f05e76a6ce880aae4e15dda0
 2019-02-07 10:49:06 -08:00
Sudheer Shanka
310b7fd9b3 Merge "Allow zygote to mounton /mnt/user/*." 2019-02-07 18:45:05 +00:00
Mark Salyzyn
05d343aad9 Merge "fs_mgr: overlayfs support legacy devices (marlin)" 
am: 969af6966b

Change-Id: I6ba081f911be48380eb3cb53dc67a32648845a2d
 2019-02-07 10:17:22 -08:00
Mark Salyzyn
969af6966b Merge "fs_mgr: overlayfs support legacy devices (marlin)" 2019-02-07 18:03:55 +00:00
Jeff Vander Stoep
44f06601e8 crash_dump: suppress denials on properties 
Addresses:
avc: denied { read } for comm="crash_dump64"
name="u:object_r:bluetooth_prop:s0" dev="tmpfs" ino=17280
scontext=u:r:crash_dump:s0 tcontext=u:object_r:bluetooth_prop:s0
tclass=file

Test: build
Change-Id: I176038ea6add34b5277305073a20f9c1a930e74b
 2019-02-07 08:45:15 -08:00
Joel Fernandes
b80724d882 Merge "Add permissions for sys.use_memfd property" 
am: f6085fefe6

Change-Id: Ief976058f90c94b80569435610fb3a293da6ac1d
 2019-02-07 06:24:10 -08:00
Joel Fernandes
f6085fefe6 Merge "Add permissions for sys.use_memfd property" 2019-02-07 14:17:13 +00:00
Joel Galenson
68fa5e936d Merge "Hide denial seen during boot." 
am: 099347178d

Change-Id: I59af13cb473f3f5167dfd70bf7698c10b2374496
 2019-02-06 23:07:06 -08:00
Treehugger Robot
099347178d Merge "Hide denial seen during boot." 2019-02-07 06:58:28 +00:00
Joel Galenson
b9eba65808 Merge "Hide denial seen during boot." 
am: 513065c195

Change-Id: Ic9e85c4fb31b378ac0545a198a47962a87a43c06
 2019-02-06 22:46:38 -08:00
Treehugger Robot
513065c195 Merge "Hide denial seen during boot." 2019-02-07 06:35:22 +00:00
Nick Kralevich
0897a8a372 Merge "allow untrusted_app_all system_linker_exec:file execute_no_trans" 
am: 60f11d0861

Change-Id: I31d3d84c9a61c884cc70ee82b49b2361c4b813e0
 2019-02-06 17:03:25 -08:00
Treehugger Robot
60f11d0861 Merge "allow untrusted_app_all system_linker_exec:file execute_no_trans" 2019-02-07 00:51:31 +00:00
Carmen Jackson
3908f9d7c3 Allow the init process to execute the notify_traceur.sh script 
am: 07cb0ded7b

Change-Id: I723ec870b13f0fd498a2a6e01b45d6576f17bbcc
 2019-02-06 16:38:22 -08:00
Carmen Jackson
07cb0ded7b Allow the init process to execute the notify_traceur.sh script 
This sets up a selinux domain (notify_traceur) that can be called from
init and has the permissions to run the activitymanager script.

Bug: 116754134
Test: manual
Change-Id: Ia371bafe5d3d354efdf8cd29365cd74ed3e5cdfd
 2019-02-07 00:28:40 +00:00
Joel Galenson
fb0ab2e14e Hide denial seen during boot. 
Test: Build.
Change-Id: Iae56f10eb4257bb0970906cb77b19d0b00c9d2be
 2019-02-06 15:32:58 -08:00
Chenjie Yu
5278613fad Merge "active metric dir for statsd" 
am: 0cb6b7be10

Change-Id: Ib43db77ee6a126b65e348f2eead55b635035f6f8
 2019-02-06 15:26:56 -08:00
Sudheer Shanka
21095967f8 Allow zygote to mounton /mnt/user/*. 
Bug: 124009234
Test: manual
Change-Id: Ia06506f5dbdacbb5e6e3c1b2bee7f58dec0ed0e7
 2019-02-06 15:18:51 -08:00
Treehugger Robot
0cb6b7be10 Merge "active metric dir for statsd" 2019-02-06 23:17:07 +00:00
Nick Kralevich
9ea8c0701d allow untrusted_app_all system_linker_exec:file execute_no_trans 
Chrome Crashpad uses the the dynamic linker to load native executables
from an APK (b/112050209, crbug.com/928422)

Addresses the following denial:

  avc: denied { execute_no_trans } for comm="Chrome_IOThread" path="/bionic/bin/linker" dev="loop5" ino=24 scontext=u:r:untrusted_app_27:s0:c106,c256,c512,c768 tcontext=u:object_r:system_linker_exec:s0 tclass=file permissive=0 app=com.android.chrome

Test: compiles and builds.
Change-Id: I14f80592a74c36754c28313e94399258b2c42170
 2019-02-06 13:19:19 -08:00
Joel Galenson
d3aed93575 Hide denial seen during boot. 
Test: Build.
Change-Id: Ic365b3faf107f15bf27987ca6162f478a3bf8ebd
 2019-02-06 12:49:26 -08:00
Jeff Sharkey
41481caa7e Merge "Allow system watchdog to collect traces from vold." 
am: bdabddfe12

Change-Id: I270a20ad22e8d3281fcc53c65ef66b67d7b4c45f
 2019-02-06 12:25:07 -08:00
Joel Fernandes
deef7f0afd Add permissions for sys.use_memfd property 
Will be used to forcefully turn on memfd if device supports it.
Currently used only for debugging.

Change-Id: I46a1b7169677ea552d4b092e7501da587c42ba1a
Signed-off-by: Joel Fernandes <joelaf@google.com>
 2019-02-06 15:16:16 -05:00
Jeff Sharkey
bdabddfe12 Merge "Allow system watchdog to collect traces from vold." 2019-02-06 20:08:39 +00:00
Primiano Tucci
ba8180db1e Merge "Allow traced to notify traceur via property" 
am: 9125a0aefd

Change-Id: Iddaa62f6562e0f28af5528cfa8b8c449e7c9d126
 2019-02-06 10:23:28 -08:00
Neil Fuller
970f28223c Merge "Revert "sepolicy entries for time zone detector service"" 
am: 5f145acff0

Change-Id: Ied46d69d3fbb215712cc807e7b812843d0db6ec0
 2019-02-06 10:15:23 -08:00
Primiano Tucci
9125a0aefd Merge "Allow traced to notify traceur via property" 2019-02-06 18:12:38 +00:00
Chenjie Yu
4ee5304bb2 active metric dir for statsd 
Bug: 123904359
Test: unit test
Change-Id: I92ac4ef97fb4f951270679f829601b1aca893b7c
 2019-02-06 18:06:01 +00:00
Neil Fuller
5f145acff0 Merge "Revert "sepolicy entries for time zone detector service"" 2019-02-06 18:02:38 +00:00
Hector Dearman
14e7c236c7 Merge "Allow reading /d/tracing/events/ftrace/print on user" 
am: d2bce13296

Change-Id: If7c76a5f688ac6a0adfbc7f81e528666ecd45a21
 2019-02-06 09:10:42 -08:00
Hector Dearman
d2bce13296 Merge "Allow reading /d/tracing/events/ftrace/print on user" 2019-02-06 17:02:48 +00:00
Wei Wang
7602d3180e Merge "Fix prebuilt policy from pi-dev" 
am: 1e67133f47

Change-Id: Ie851286a3653d6071d0380470a0ce4fe3f052569
 2019-02-06 08:58:38 -08:00
Treehugger Robot
1e67133f47 Merge "Fix prebuilt policy from pi-dev" 2019-02-06 16:43:56 +00:00
Jeff Sharkey
759c4a905a Merge "Allow zygote to stat() sdcardfs file." 
am: b398160f72

Change-Id: If3f870314df923fcb52a4dcac78cb09aa8b03e8b
 2019-02-06 08:34:30 -08:00
Jeff Sharkey
d101896ec8 Allow system watchdog to collect traces from vold. 
We're investigating a bug where vold gets wedged, and we need to
collect ANR stack traces from it to debug further.

avc: denied { signal } for comm="watchdog" scontext=u:r:system_server:s0 tcontext=u:r:vold:s0 tclass=process permissive=0
avc: denied { ptrace } for scontext=u:r:crash_dump:s0 tcontext=u:r:vold:s0 tclass=process permissive=0

Bug: 122090837
Test: manual
Change-Id: I738e63717715189b9ae2317472f671e3563afaa9
 2019-02-06 09:25:00 -07:00
Jeff Sharkey
b398160f72 Merge "Allow zygote to stat() sdcardfs file." 2019-02-06 16:23:09 +00:00