Commit graph

15418 commits

Author SHA1 Message Date
Alan Stokes
e6fa185ae6 Merge "Revert "Revert "Add /sys/kernel/memory_state_time to sysfs_power."""
am: a87a8db2ac

Change-Id: Ic9cb8e564c77a437b33159894d34f73686a1bfd6
2018-04-18 02:42:19 -07:00
Alan Stokes
a87a8db2ac Merge "Revert "Revert "Add /sys/kernel/memory_state_time to sysfs_power.""" 2018-04-18 09:32:18 +00:00
Tianjie Xu
7d47427997 Allow dumpstate to read the update_engine logs
Denial message:
avc: denied { read } for pid=2775 comm="dumpstate" name="update_engine_log"
dev="sda35" ino=3850274 scontext=u:r:dumpstate:s0
tcontext=u:object_r:update_engine_log_data_file:s0 tclass=dir permissive=0

Bug: 78201703
Test: take a bugreport
Change-Id: I2c788c1211812aa0fcf58cee37a6e8f955424849
2018-04-18 06:54:39 +00:00
Bookatz
7a69c9fd96 [automerger skipped] Merge "NO PARTIAL RERUN Statsd sepolicy hal_health" into pi-dev
am: bc9f22a654  -s ours

Change-Id: Iba178959b20ec1e2e6afbdf7bfeb5df39deb51e7
2018-04-17 16:23:54 -07:00
TreeHugger Robot
bc9f22a654 Merge "NO PARTIAL RERUN Statsd sepolicy hal_health" into pi-dev 2018-04-17 23:16:44 +00:00
Tom Cherry
18a284405f Allow vendor_init to access unencrypted_data_file
FBE needs to access these files to set up or verify encryption for
directories during mkdir.

Bug: 77850279
Test: walleye + more restrictions continues to have FBE work
Change-Id: I84e201436ce4531d36d1257d932c3e2e772ea05e
2018-04-17 15:21:32 -07:00
Chong Zhang
ec0160a891 Allow system_server to adjust cpuset for media.codec
Bug: 72841545
Change-Id: I30c1758e631a57f453598e60e6516da1874afcbf
2018-04-17 14:24:57 -07:00
Bookatz
055a958dad NO PARTIAL RERUN
Statsd sepolicy hal_health

Statsd monitors battery capacity, which requires calls to the health
hal.

Fixes: 77923174
Bug: 77916472
Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests#testFullBatteryCapacity
Merged-In: I2d6685d4b91d8fbc7422dfdd0b6ed96bbddc0886
Change-Id: I767068c60cff6c1baba615d89186705107531c02
2018-04-17 21:23:31 +00:00
Mark Salyzyn
8daacf64f1 init: lock down access to keychord_device
The out-of-tree keychord driver is only intended for use by init.

Test: build
Bug: 64114943
Bug: 78174219
Change-Id: I96a7fbcd9a54a38625063606f5c4ab6d40d701f6
2018-04-17 14:04:24 -07:00
Tri Vo
8c1a1b2472 Sepolicy for rw mount point for vendors.
Bug: 64905218
Test: device boots with /mnt/vendor present and selinux label
mnt_vendor_file applied correctly.
Change-Id: Ib34e2859948019d237cf2fe8f71845ef2533ae27
Merged-In: Ib34e2859948019d237cf2fe8f71845ef2533ae27
(cherry picked from commit 210a805b46)
2018-04-17 21:04:15 +00:00
Tri Vo
5fd38baf04 Merge "Sepolicy for rw mount point for vendors." into pi-dev
am: ae0b835c58

Change-Id: I72eb24a252571974b8732facf500a6f23eb9ccf1
2018-04-17 13:42:27 -07:00
Mark Salyzyn
b79e00ac52 Merge "init: lock down access to keychord_device" am: 53cabd6c35
am: 27696cae57

Change-Id: If252f78e4acccfafc7f46ec9d1c2556d66480523
2018-04-17 13:09:38 -07:00
Florian Mayer
12dde4cc93 [automerger skipped] Merge "Make traced_probes mlstrustedsubject." am: cc23e48f9f
am: 246226046e  -s ours

Change-Id: I6cd0d28357fca77d3079984633725e45c7582774
2018-04-17 13:09:16 -07:00
Mark Salyzyn
27696cae57 Merge "init: lock down access to keychord_device"
am: 53cabd6c35

Change-Id: Ic1ae863280e265db56f123e3d006bbaec2a47126
2018-04-17 13:03:13 -07:00
Florian Mayer
246226046e Merge "Make traced_probes mlstrustedsubject."
am: cc23e48f9f

Change-Id: I85e598c83d9e363c3341cbdebf3b05a53fc6888c
2018-04-17 13:03:00 -07:00
Treehugger Robot
53cabd6c35 Merge "init: lock down access to keychord_device" 2018-04-17 19:59:58 +00:00
Treehugger Robot
cc23e48f9f Merge "Make traced_probes mlstrustedsubject." 2018-04-17 19:47:58 +00:00
TreeHugger Robot
ae0b835c58 Merge "Sepolicy for rw mount point for vendors." into pi-dev 2018-04-17 19:16:56 +00:00
Mark Salyzyn
f14f735455 init: lock down access to keychord_device
The out-of-tree keychord driver is only intended for use by init.

Test: build
Bug: 64114943
Bug: 78174219
Change-Id: I96a7fbcd9a54a38625063606f5c4ab6d40d701f6
2018-04-17 11:24:35 -07:00
Florian Mayer
4378ba7c84 Make traced_probes mlstrustedsubject.
Denials:
04-12 12:42:47.795   903   903 W traced_probes: type=1400 audit(0.0:5684): avc: denied { search } for name="1376" dev="proc" ino=204553 scontext=u:r:traced_probes:s0 tcontext=u:r:untrusted_app_27:s0:c512,c768 tclass=dir permissive=0
04-12 12:42:47.795   903   903 W traced_probes: type=1400 audit(0.0:5685): avc: denied { search } for name="1402" dev="proc" ino=204554 scontext=u:r:traced_probes:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=dir permissive=0
04-12 12:42:47.801   903   903 W traced_probes: type=1400 audit(0.0:5686): avc: denied { search } for name="1496" dev="proc" ino=204557 scontext=u:r:traced_probes:s0 tcontext=u:r:untrusted_app:s0:c85,c256,c512,c768 tclass=dir permissive=0
04-12 12:42:47.805   903   903 W traced_probes: type=1400 audit(0.0:5687): avc: denied { search } for name="1758" dev="proc" ino=204563 scontext=u:r:traced_probes:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=dir permissive=0

Bug: 77955286

Change-Id: If0985d3ddd7d14c2b139be1c842c9c8df99b90db
Merged-In: If0985d3ddd7d14c2b139be1c842c9c8df99b90db
2018-04-17 18:12:28 +00:00
Suren Baghdasaryan
c08a28b152 [automerger skipped] Merge "Selinux: Give lmkd read access to /proc/meminfo" into pi-dev
am: 1f4037f23a  -s ours

Change-Id: I092ec888c9d0b9a4feff5867387678a146d25f59
2018-04-17 10:16:11 -07:00
TreeHugger Robot
1f4037f23a Merge "Selinux: Give lmkd read access to /proc/meminfo" into pi-dev 2018-04-17 16:58:17 +00:00
Alan Stokes
19b03639a8 Revert "Revert "Add /sys/kernel/memory_state_time to sysfs_power.""
This reverts commit 12e73685b7.

Reason for revert: Rolling original change forward again, more carefully.

Change-Id: I266b181915c829d743c6d8d0b8c0d70b6bf3d620
2018-04-17 16:02:03 +00:00
Joel Galenson
21f67b5b56 Merge "Let vold_prepare_subdirs completely clean deleted user data." into pi-dev
am: f03783609f

Change-Id: I28c19ba3514b3e23df1d4ec585d35fbac290a4f7
2018-04-17 08:53:35 -07:00
TreeHugger Robot
f03783609f Merge "Let vold_prepare_subdirs completely clean deleted user data." into pi-dev 2018-04-17 15:44:13 +00:00
Suren Baghdasaryan
f7010ab109 Selinux: Give lmkd read access to /proc/meminfo
Allow lmkd read access to /proc/meminfo for retrieving information
on memory state.

Bug: 75322373
Change-Id: I7cf685813a5a49893c8f9a6ac4b5f6619f3c18aa
Merged-In: I7cf685813a5a49893c8f9a6ac4b5f6619f3c18aa
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
(cherry picked from commit 76384b3ee0)
2018-04-17 15:27:52 +00:00
Joel Galenson
ece94e9f6a Merge "Add bug_map entries for bugs we've seen." into pi-dev
am: 53b0486de6

Change-Id: Iab11eab787e22b8c02ba0240a8df33c21eca4fd7
2018-04-16 21:08:44 -07:00
TreeHugger Robot
53b0486de6 Merge "Add bug_map entries for bugs we've seen." into pi-dev 2018-04-17 04:02:40 +00:00
Jaekyun Seok
39776a021e [automerger skipped] Merge "Allow dumpstate to read property_type" into pi-dev
am: c8a58767bb  -s ours

Change-Id: I8f55181d42e1f86bd90b8eb8150c13b0f42b15ce
2018-04-16 18:57:14 -07:00
TreeHugger Robot
c8a58767bb Merge "Allow dumpstate to read property_type" into pi-dev 2018-04-17 01:44:50 +00:00
Bookatz
f09f56f65a Merge "Statsd sepolicy hal_health" am: ced43bc823
am: bdc1197af7

Change-Id: Ifdef191044383b589280bbae5d193caac59a8005
2018-04-16 17:19:06 -07:00
Jeff Sharkey
0207bc7dae Merge "Add exFAT support; unify behind "sdcard_type"." into pi-dev
am: 7b90367a7b

Change-Id: I0588a3ceda6aa8266b31902192f5ceed5314716e
2018-04-16 17:10:20 -07:00
Joel Galenson
1a4c83a856 Let vold_prepare_subdirs completely clean deleted user data. am: 254a872cab
am: 397c854db6

Change-Id: I635703793fe5b980087900aa8cfcaacb402c101f
2018-04-16 17:03:10 -07:00
Bookatz
bdc1197af7 Merge "Statsd sepolicy hal_health"
am: ced43bc823

Change-Id: I0907274f5223d217da2bda6fec1b5372b8d88393
2018-04-16 17:00:14 -07:00
Joel Galenson
397c854db6 Let vold_prepare_subdirs completely clean deleted user data.
am: 254a872cab

Change-Id: I5de455d60678503f72ae8ee2985c5e7fb0c09b79
2018-04-16 16:59:39 -07:00
Treehugger Robot
ced43bc823 Merge "Statsd sepolicy hal_health" 2018-04-16 23:51:12 +00:00
Joel Galenson
2bae5b9693 Let vold_prepare_subdirs completely clean deleted user data.
After adding a new user, deleting it, and rebooting, some of the user's data still remained.  This adds the SELinux permissions necessary to remove all of the data.  It fixes the following denials:

avc: denied { rmdir } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
avc: denied { unlink } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 74866238
Test: Create user, delete user, reboot user, see no denials or
leftover data.

Change-Id: Ibc43bd2552b388a9708bf781b5ad206f21df62dc
(cherry picked from commit 254a872cab)
2018-04-16 16:40:52 -07:00
Joel Galenson
254a872cab Let vold_prepare_subdirs completely clean deleted user data.
After adding a new user, deleting it, and rebooting, some of the user's data still remained.  This adds the SELinux permissions necessary to remove all of the data.  It fixes the following denials:

avc: denied { rmdir } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
avc: denied { unlink } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 74866238
Test: Create user, delete user, reboot user, see no denials or
leftover data.

Change-Id: Ibc43bd2552b388a9708bf781b5ad206f21df62dc
2018-04-16 16:39:43 -07:00
sqian
f576b81c91 [automerger skipped] Merge "Add sepolicy for radio sap 1.2" am: e96766dc42
am: 31b6f0bbea  -s ours

Change-Id: I3fc15d7967ff84298743debcba6bed8f26637f4f
2018-04-16 16:24:59 -07:00
sqian
31b6f0bbea Merge "Add sepolicy for radio sap 1.2"
am: e96766dc42

Change-Id: I6001e9f1094ee6da73ae48bc04559f10d3847060
2018-04-16 16:22:32 -07:00
TreeHugger Robot
7b90367a7b Merge "Add exFAT support; unify behind "sdcard_type"." into pi-dev 2018-04-16 23:15:22 +00:00
Joel Galenson
18350e71c7 Merge "Add bug_map entries for bugs we've seen." am: e1ee3535be
am: 2b15785f00

Change-Id: I4112a2adbfc4cd97ac42c09c6c8d8adcbd3bad6a
2018-04-16 16:13:57 -07:00
Jaekyun Seok
c3ef1e7b45 Allow dumpstate to read property_type am: 4de238e9b9
am: dfb48cf6fc

Change-Id: I4a5516f694a72624ce353a00b4dd0df0f14ebff6
2018-04-16 16:13:38 -07:00
Treehugger Robot
e96766dc42 Merge "Add sepolicy for radio sap 1.2" 2018-04-16 23:08:50 +00:00
Joel Galenson
2b15785f00 Merge "Add bug_map entries for bugs we've seen."
am: e1ee3535be

Change-Id: I3593d3bc6c9cea534d0752a439e485aaafd737c1
2018-04-16 16:01:58 -07:00
Joel Galenson
fb0aed7451 Add bug_map entries for bugs we've seen.
This adds numerous bug_map entries to try to annotate all denials
we've seen.

Bug: 78117980
Test: Build
Change-Id: I1da0690e0b4b0a44d673a54123a0b49a0d115a49
(cherry picked from commit f55786cfce)
2018-04-16 15:57:47 -07:00
Treehugger Robot
e1ee3535be Merge "Add bug_map entries for bugs we've seen." 2018-04-16 22:52:49 +00:00
Jaekyun Seok
dfb48cf6fc Allow dumpstate to read property_type
am: 4de238e9b9

Change-Id: I2014df25df9903a210d5b0e26599e780e929f2e0
2018-04-16 15:52:27 -07:00
Jaekyun Seok
f99c74ccf8 Allow dumpstate to read property_type
dumpstate needs to read all the system properties for debugging.

Bug: 77277669
Test: succeeded building and tested with taimen
Change-Id: I3603854b3be67d4fc55d74f7925a21bfa59c81ee
Merged-In: I3603854b3be67d4fc55d74f7925a21bfa59c81ee
(cherry picked from commit 4de238e9b9)
2018-04-17 07:44:05 +09:00
Tom Cherry
2b54453f60 [automerger skipped] Merge "Allow vendor_init to write to misc_block_device" into pi-dev
am: 6991a930e1  -s ours

Change-Id: I8307e8b7122d829f38df7773f1674cf65a5f2504
2018-04-16 15:29:31 -07:00