Commit graph

15418 commits

Author SHA1 Message Date
Jaekyun Seok
a11b16c9ee Whitelist vendor-init-settable bluetooth_prop and wifi_prop
Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
Merged-In: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
(cherry picked from commit 224921d18a)
2018-04-13 11:08:48 +09:00
Jaekyun Seok
224921d18a Whitelist vendor-init-settable bluetooth_prop and wifi_prop
Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
2018-04-13 09:25:06 +09:00
Jaekyun Seok
4b488e59b8 [automerger skipped] Merge "Allow vendor-init-readable for sys.boot_completed and dev.bootcomplete" am: 362f7d6bda
am: 4a1af197c1  -s ours

Change-Id: Icc06e8943cf2d75892caa28e50703cca056df968
2018-04-12 15:56:45 -07:00
Jaekyun Seok
4a1af197c1 Merge "Allow vendor-init-readable for sys.boot_completed and dev.bootcomplete"
am: 362f7d6bda

Change-Id: I16cb153698c0c924bc0f2051acf9c06c1384e517
2018-04-12 15:52:12 -07:00
Treehugger Robot
362f7d6bda Merge "Allow vendor-init-readable for sys.boot_completed and dev.bootcomplete" 2018-04-12 22:34:40 +00:00
Jeff Vander Stoep
a27a1b33f0 Merge "Suppress spurious denial" into pi-dev
am: cb336d8965

Change-Id: Ic11ec1e173d97fc24730520e741806bf164564f7
2018-04-12 13:42:18 -07:00
TreeHugger Robot
cb336d8965 Merge "Suppress spurious denial" into pi-dev 2018-04-12 19:04:58 +00:00
Florian Mayer
e3919e95fd Make traced_probes mlstrustedsubject.
Denials:
04-12 12:42:47.795   903   903 W traced_probes: type=1400 audit(0.0:5684): avc: denied { search } for name="1376" dev="proc" ino=204553 scontext=u:r:traced_probes:s0 tcontext=u:r:untrusted_app_27:s0:c512,c768 tclass=dir permissive=0
04-12 12:42:47.795   903   903 W traced_probes: type=1400 audit(0.0:5685): avc: denied { search } for name="1402" dev="proc" ino=204554 scontext=u:r:traced_probes:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=dir permissive=0
04-12 12:42:47.801   903   903 W traced_probes: type=1400 audit(0.0:5686): avc: denied { search } for name="1496" dev="proc" ino=204557 scontext=u:r:traced_probes:s0 tcontext=u:r:untrusted_app:s0:c85,c256,c512,c768 tclass=dir permissive=0
04-12 12:42:47.805   903   903 W traced_probes: type=1400 audit(0.0:5687): avc: denied { search } for name="1758" dev="proc" ino=204563 scontext=u:r:traced_probes:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=dir permissive=0

Bug: 77955286

Change-Id: If0985d3ddd7d14c2b139be1c842c9c8df99b90db
2018-04-12 19:05:22 +01:00
Jeff Vander Stoep
5f010c5457 [automerger skipped] Merge "priv_app: remove more logspam" am: 45c72ddfcf
am: a3d199ddcb  -s ours

Change-Id: I09cf25b52e7c15b57e8a103d43b468dcef466154
2018-04-12 09:39:04 -07:00
Bookatz
1300945c12 Statsd sepolicy hal_health
Statsd monitors battery capacity, which requires calls to the health
hal.

Fixes: 77923174
Bug: 77916472
Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests#testFullBatteryCapacity
Change-Id: I2d6685d4b91d8fbc7422dfdd0b6ed96bbddc0886
2018-04-12 09:34:00 -07:00
Jeff Vander Stoep
a3d199ddcb Merge "priv_app: remove more logspam"
am: 45c72ddfcf

Change-Id: Iad601fb52e9e145b1a2729a37867de40556d9d3a
2018-04-12 09:30:15 -07:00
Treehugger Robot
45c72ddfcf Merge "priv_app: remove more logspam" 2018-04-12 16:23:20 +00:00
Jaekyun Seok
c1384ba0d0 Allow vendor-init-readable for sys.boot_completed and dev.bootcomplete
Bug: 75987246
Test: succeeded building and tested with taimen
Change-Id: I2d8bc91c305e665ed9c69459e51204117afb3eee
Merged-In: I2d8bc91c305e665ed9c69459e51204117afb3eee
(cherry picked from commit ac2e4cce71)
2018-04-12 05:28:09 +00:00
Jeff Vander Stoep
81bc398047 Merge "hal_tetheroffload: move hwservice mapping to core policy" into pi-dev
am: 96805f15b6

Change-Id: I862b984b3f7508406183709fffda803284aade3e
2018-04-11 21:04:53 -07:00
TreeHugger Robot
96805f15b6 Merge "hal_tetheroffload: move hwservice mapping to core policy" into pi-dev 2018-04-12 03:59:29 +00:00
Jaekyun Seok
252e871dd2 Allow vendor-init-readable for sys.boot_completed and dev.bootcomplete
am: ac2e4cce71

Change-Id: I595507e45f563ae0ecfb07e842f446a34b3e3446
2018-04-11 20:38:58 -07:00
Jeff Vander Stoep
2d39f54cb6 Merge "hal_tetheroffload: move hwservice mapping to core policy" am: e0163411f8
am: e63f0e9c9d

Change-Id: Ib6b1721b59b6df2944584a3236076885c9218930
2018-04-11 17:46:45 -07:00
Jeff Vander Stoep
e63f0e9c9d Merge "hal_tetheroffload: move hwservice mapping to core policy"
am: e0163411f8

Change-Id: I32f6cd37506d4e6f6feb73c6d1b2eabcdb4988b3
2018-04-11 17:44:16 -07:00
Treehugger Robot
e0163411f8 Merge "hal_tetheroffload: move hwservice mapping to core policy" 2018-04-12 00:34:22 +00:00
Jaekyun Seok
ac2e4cce71 Allow vendor-init-readable for sys.boot_completed and dev.bootcomplete
Bug: 75987246
Test: succeeded building and tested with taimen
Change-Id: I2d8bc91c305e665ed9c69459e51204117afb3eee
2018-04-12 08:12:25 +09:00
Jeff Vander Stoep
8f126091e0 Merge changes If2413c30,Ic5d7c961 am: 45b4704e01
am: 1382984cfc

Change-Id: Icc3cd3d88873627f93cb59f69083b0c68f1a51ea
2018-04-11 15:06:17 -07:00
Jeff Vander Stoep
c41f5b8465 hal_tetheroffload: move hwservice mapping to core policy
Addresses:
avc: denied { find } for
interface=android.hardware.tetheroffload.config::IOffloadConfig
scontext=u:r:system_server:s0
tcontext=u:object_r:default_android_hwservice:s0
tclass=hwservice_manager

Bug: 77855688
Test: build/boot Sailfish, turn on tethering, no selinux denial
Change-Id: I97cae0928b5311a4da41d19cbd5c863c3137a49f
(cherry picked from commit 3a346ea732)
2018-04-11 15:03:13 -07:00
Jeff Vander Stoep
1382984cfc Merge changes If2413c30,Ic5d7c961
am: 45b4704e01

Change-Id: I29d90373b7cc4350244c81f9a5b24c31453d987d
2018-04-11 15:00:07 -07:00
Joel Galenson
3c7c418246 Merge "Widen crash_dump dontaudit." into pi-dev
am: 2e532d4039

Change-Id: I7cd5f36005f7e5c26384525a038b54dac87294bd
2018-04-11 14:53:35 -07:00
Jeff Vander Stoep
3a346ea732 hal_tetheroffload: move hwservice mapping to core policy
Addresses:
avc: denied { find } for
interface=android.hardware.tetheroffload.config::IOffloadConfig
scontext=u:r:system_server:s0
tcontext=u:object_r:default_android_hwservice:s0
tclass=hwservice_manager

Bug: 77855688
Test: build/boot Sailfish, turn on tethering, no selinux denial
Change-Id: I97cae0928b5311a4da41d19cbd5c863c3137a49f
2018-04-11 14:52:48 -07:00
Treehugger Robot
45b4704e01 Merge changes If2413c30,Ic5d7c961
* changes:
  Suppress spurious denial
  Suppress spurious denial
2018-04-11 21:51:37 +00:00
Joel Galenson
93d12b8334 Merge "Hide sys_rawio SELinux denials." into pi-dev
am: 106a5b31b4

Change-Id: Icebdaa72e68c6ac79cc05caf53cab612addb335f
2018-04-11 14:51:37 -07:00
TreeHugger Robot
2e532d4039 Merge "Widen crash_dump dontaudit." into pi-dev 2018-04-11 21:48:23 +00:00
TreeHugger Robot
106a5b31b4 Merge "Hide sys_rawio SELinux denials." into pi-dev 2018-04-11 21:36:28 +00:00
Jeff Vander Stoep
7e5ec2bc3d Suppress spurious denial
Addresses:
avc: denied { sys_resource } scontext=u:r:zygote:s0
tcontext=u:r:zygote:s0 tclass=capability

Bug: 77905989
Test: build and flash taimen-userdebug
Change-Id: If2413c3005df02a70661464d695211acbcda4094
(cherry picked from commit 816e744d998cb327fbd20f3124b22398bea2b8e4)
2018-04-11 12:20:32 -07:00
Jeff Vander Stoep
f7a7f7d138 Suppress spurious denial
Addresses:
avc: denied { sys_resource } for comm="ip6tables" capability=24
scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0
tclass=capability

Bug: 77905989
Test: build and flash taimen-userdebug
Change-Id: Ic5d7c96152b96b55255eeec00b19948f38c1923c
(cherry picked from commit 443a43c981)
2018-04-11 12:19:46 -07:00
Max Bires
0cd168c742 Merge "Adding ability for priv apps to read traceur fd" am: 8966b8e53d
am: a949ddb5ce

Change-Id: Ife6c721b66c23ddd8cfcf94a1f45b9491a272252
2018-04-11 12:00:28 -07:00
Jeff Vander Stoep
443a43c981 Suppress spurious denial
Addresses:
avc: denied { sys_resource } for comm="ip6tables" capability=24
scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0
tclass=capability

Bug: 77905989
Test: build and flash taimen-userdebug
Change-Id: Ic5d7c96152b96b55255eeec00b19948f38c1923c
2018-04-11 11:08:01 -07:00
Joel Galenson
a01e93130d Widen crash_dump dontaudit.
We have seen crash_dump denials for radio_data_file,
shared_relro_file, shell_data_file, and vendor_app_file.  This commit
widens an existing dontaudit to include them as well as others that we
might see.

Bug: 77908066
Test: Boot device.
Change-Id: I9ad2a2dafa8e73b13c08d0cc6886274a7c0e3bac
(cherry picked from commit a3b3bdbb2f)
2018-04-11 11:02:06 -07:00
Joel Galenson
e477c781d4 Hide sys_rawio SELinux denials.
We often see the following denials:

avc: denied { sys_rawio } for comm="update_engine" capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
avc: denied { sys_rawio } for comm="boot@1.0-servic" capability=17 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0

These are benign, so we are hiding them.

Bug: 37778617
Test: Boot device.
Change-Id: Iac196653933d79aa9cdeef7670076f0efc97b44a
(cherry picked from commit bf4afae140)
2018-04-11 10:53:36 -07:00
sqian
64839e874b Add sepolicy for radio sap 1.2
Bug: 74114758
Test: Checked radio-service and sap-service are on the lshal after running the service
Change-Id: I1b18711286e000a7d17664e7d3a2045aeeb8c285
2018-04-11 01:40:37 +00:00
Tri Vo
a5df96cf14 [automerger skipped] Merge "Add internal types to 27.0[.ignore].cil." am: be79c7b223
am: 26776b0372  -s ours

Change-Id: Ia9ec9e2a510a495bd9b339b33f4c4c1b5735d91b
2018-04-10 17:58:08 -07:00
Tri Vo
26776b0372 Merge "Add internal types to 27.0[.ignore].cil."
am: be79c7b223

Change-Id: Iac6379199a0f0a0680bd0ddda32644333fbaef74
2018-04-10 17:52:30 -07:00
Treehugger Robot
be79c7b223 Merge "Add internal types to 27.0[.ignore].cil." 2018-04-11 00:44:44 +00:00
Joel Galenson
d1c93612cc Merge "Hide sys_rawio SELinux denials." am: 6cdc9a820d
am: 97e41802db

Change-Id: I07a20906f2c536e573198219e4d3d567ea715144
2018-04-10 16:55:14 -07:00
Joel Galenson
97e41802db Merge "Hide sys_rawio SELinux denials."
am: 6cdc9a820d

Change-Id: I3fdc8fa4f4486ccfadf785ff82e147ad47123c37
2018-04-10 16:50:28 -07:00
Max Bires
a949ddb5ce Merge "Adding ability for priv apps to read traceur fd"
am: 8966b8e53d

Bug: 74435522
Test: traceur can share to betterbug
Change-Id: Ic24196b6a4050696d92f18a6879c569ccf5eaec7
(cherry picked from commit f66fd5226f)
2018-04-10 23:42:00 +00:00
Treehugger Robot
6cdc9a820d Merge "Hide sys_rawio SELinux denials." 2018-04-10 23:41:21 +00:00
Joel Galenson
fc29b9ba39 Merge "Widen crash_dump dontaudit." am: 354a253077
am: b5f3e88e99

Change-Id: Ia52abf98b65da8309e014ac5fd3c642511e6f189
2018-04-10 16:28:58 -07:00
Joel Galenson
b5f3e88e99 Merge "Widen crash_dump dontaudit."
am: 354a253077

Change-Id: Iae854d7e794e9616cd1878e8096473cf9bbe0680
2018-04-10 16:23:51 -07:00
Jeff Vander Stoep
9dc1d5381f priv_app: remove more logspam
avc: denied { read } for name="ext4" dev="sysfs" ino=32709
scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0
tclass=dir permissive=0 b/72749888
avc: denied { read } for name="state" dev="sysfs" ino=51318
scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0
b/72749888

Bug: 72749888
Test: build/boot taimen-userdebug. No more logspam
Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
Merged-In: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
(cherry picked from commit 558cdf1e99)
2018-04-11 08:20:36 +09:00
Treehugger Robot
354a253077 Merge "Widen crash_dump dontaudit." 2018-04-10 23:14:42 +00:00
Tri Vo
fad493bff9 Add internal types to 27.0[.ignore].cil.
Bug: 69390067
Test: manual run of treble_sepolicy_tests
Change-Id: I1b772a3f7c96875765c75bfc1031f249411c3338
Merged-In: I1b772a3f7c96875765c75bfc1031f249411c3338
(cherry picked from commit 9fbd65200d)
2018-04-11 08:02:06 +09:00
Joel Galenson
bf4afae140 Hide sys_rawio SELinux denials.
We often see the following denials:

avc: denied { sys_rawio } for comm="update_engine" capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
avc: denied { sys_rawio } for comm="boot@1.0-servic" capability=17 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0

These are benign, so we are hiding them.

Bug: 37778617
Test: Boot device.
Change-Id: Iac196653933d79aa9cdeef7670076f0efc97b44a
2018-04-10 14:23:25 -07:00
Florian Mayer
ddba04d0bb Merge "Expose filesystem read events in SELinux policy." am: 589226dff9
am: bf685274fd

Change-Id: I2d17d76e68d60454ca53f4448a71fc619bbd5cd7
2018-04-10 14:22:40 -07:00