Commit graph

15104 commits

Author SHA1 Message Date
Jiyong Park
94f3850de9 Reland "Allow dexopt to follow /odm/lib(64) symlinks."" am: a6d9d6b68a
am: ee92ff78be

Change-Id: I9a52c76e5c7d72d848f0594e01a437f4a88bb455
2018-04-02 18:26:27 +00:00
Jiyong Park
ee92ff78be Reland "Allow dexopt to follow /odm/lib(64) symlinks.""
am: a6d9d6b68a

Change-Id: If482dd99535d544fa39e287ed5787aa156dcac56
2018-04-02 18:15:41 +00:00
Jiyong Park
a6d9d6b68a Reland "Allow dexopt to follow /odm/lib(64) symlinks.""
This reverts commit 942500b910.

Bug: 75287236
Test: boot a device
Change-Id: If81a2d2a46979ffbd536bb95528c3b4ebe3483df
2018-04-02 10:43:22 +09:00
yro
866a240900 Merge "Update sepolicy to have system_server access stats_data" am: 8b11302e89
am: 7718295a7d

Change-Id: I1cd45d3bdc5a5826dd73376b7480375fefb3ca78
2018-03-31 03:01:33 +00:00
yro
7718295a7d Merge "Update sepolicy to have system_server access stats_data"
am: 8b11302e89

Change-Id: Iaed05ea224d163f69047ef9ffd4053e2abe03e6f
2018-03-31 02:42:49 +00:00
Treehugger Robot
8b11302e89 Merge "Update sepolicy to have system_server access stats_data" 2018-03-31 01:19:49 +00:00
Jong Wook Kim
24e74b3bf9 Merge "Wifi HAL SIOCSIFHWADDR sepolicy" into pi-dev
am: ce02b00794

Change-Id: I9fc51fbe9633583b12aaa20b23673077f2a4640a
2018-03-31 00:05:29 +00:00
Chenbo Feng
d361421962 Merge "Allow netutils_wrapper to use pinned bpf program" into pi-dev
am: 6577b988ac

Change-Id: Ibb631c419c8bf9deb561802b97e1370c18c1d666
2018-03-31 00:04:59 +00:00
TreeHugger Robot
ce02b00794 Merge "Wifi HAL SIOCSIFHWADDR sepolicy" into pi-dev 2018-03-30 23:51:43 +00:00
Yi Jin
08eb755511 Merge "Allow incidentd to read LAST_KMSG only for userdebug builds" am: 855c6c162a
am: 1bcbab21a7

Change-Id: I03d4e32114d41991c9e23bd35e4f2e809958e382
2018-03-30 23:42:39 +00:00
Yi Jin
1bcbab21a7 Merge "Allow incidentd to read LAST_KMSG only for userdebug builds"
am: 855c6c162a

Change-Id: I0da863030a919dbd4f6f9591edc0f74d88357b02
2018-03-30 23:36:54 +00:00
Treehugger Robot
855c6c162a Merge "Allow incidentd to read LAST_KMSG only for userdebug builds" 2018-03-30 23:24:24 +00:00
TreeHugger Robot
6577b988ac Merge "Allow netutils_wrapper to use pinned bpf program" into pi-dev 2018-03-30 23:10:47 +00:00
yro
36dd2a410c Update sepolicy to have system_server access stats_data
Test: manually tested to prevent sepolicy violation
Change-Id: I9ebcc86464a9fc61a49d5c9be40f19f3523b6785
2018-03-30 15:58:58 -07:00
Chenbo Feng
be9b15c512 Allow netutils_wrapper to use pinned bpf program
The netutils_wrapper is a process used by vendor code to update the
iptables rules on devices. When it updates the rules for a specific chain,
the iptables module will reload the whole chain with the new rule. So
even if the netutils_wrapper does not need to add any rules related to the
xt_bpf module, it will still reload the existing iptables rules about the
xt_bpf module and needs to pass through the selinux check again when the
rules are reloading. So we have to grant it the permission to reuse the pinned
program in fs_bpf when it modifies the corresponding iptables chain so
the vendor module will not crash anymore.

Test: device boot and no more denials from netutils_wrapper
Bug: 72111305
Change-Id: I62bdfd922c8194c61b13e2855839aee3f1e349be
(cherry picked from aosp commit 2623ebcf8e)
2018-03-30 13:54:31 -07:00
Chenbo Feng
563491d40d Merge "Allow netutils_wrapper to use pinned bpf program" am: 4fb1a145d1
am: 4a0c24edcb

Change-Id: I294bd92866c978e605b4a69d06aa54a6c4bfd85a
2018-03-30 20:18:21 +00:00
Chenbo Feng
4a0c24edcb Merge "Allow netutils_wrapper to use pinned bpf program"
am: 4fb1a145d1

Change-Id: Idc53868180280f2710d75dacb42918f6e27599a7
2018-03-30 20:12:19 +00:00
Treehugger Robot
4fb1a145d1 Merge "Allow netutils_wrapper to use pinned bpf program" 2018-03-30 20:03:19 +00:00
Pawin Vongmasa
514dde5170 Merge "Put in sepolicies for Codec2.0 services" into pi-dev
am: eaee65f043

Change-Id: I2f4c80d5cf5616f39e1659e23d4d162c84dcfb00
2018-03-30 19:05:15 +00:00
TreeHugger Robot
eaee65f043 Merge "Put in sepolicies for Codec2.0 services" into pi-dev 2018-03-30 17:51:38 +00:00
Android Build Merger (Role)
a5c6a5ac7d Merge "Merge "Allow incidentd to read LAST_KMSG only for userdebug builds" into pi-dev am: 941cc9c8d2" into pi-dev-plus-aosp 2018-03-30 17:46:24 +00:00
Tri Vo
ff7fa3164f Merge "Test frozen sepolicy has not diverged from prebuilts." am: 8cafb58a2e
am: 654134a47b

Change-Id: Idc0fcf72e56b7612cd0abff400c53b9aeb3c6379
2018-03-30 17:31:08 +00:00
Yi Jin
7312abeb37 Merge "Allow incidentd to read LAST_KMSG only for userdebug builds" into pi-dev
am: 941cc9c8d2

Change-Id: I5fa2ede7234c3c2180ca89a547e15c8dac2d12b1
2018-03-30 17:26:54 +00:00
Tri Vo
654134a47b Merge "Test frozen sepolicy has not diverged from prebuilts."
am: 8cafb58a2e

Change-Id: Iedffb50a6cdbc0fd84169f15e0fddb19b476aeff
2018-03-30 17:25:48 +00:00
Yi Jin
76238cd4ef Allow incidentd to read LAST_KMSG only for userdebug builds
Bug: 73354384
Test: manual
Change-Id: Iaaeded69c287eae757aaf68dc18bc5a0c53b94e6
2018-03-30 10:15:24 -07:00
Treehugger Robot
8cafb58a2e Merge "Test frozen sepolicy has not diverged from prebuilts." 2018-03-30 17:11:36 +00:00
TreeHugger Robot
941cc9c8d2 Merge "Allow incidentd to read LAST_KMSG only for userdebug builds" into pi-dev 2018-03-30 14:54:55 +00:00
Florian Mayer
e5fa68cb15 SELinux changes for I/O tracing. am: 9fcf22bb81
am: bf456fa7c8

Change-Id: I85d9e8624103cfdaefed8191f56da708724b35bd
2018-03-30 02:36:40 +00:00
Joel Galenson
01b125683f Label /proc/sys/kernel/sched_schedstats. am: 4b625e4a35
am: c4201260ba

Change-Id: Ia7258a0ca65818cfaad60dba5d11a0039c894399
2018-03-30 02:35:15 +00:00
Florian Mayer
bf456fa7c8 SELinux changes for I/O tracing.
am: 9fcf22bb81

Change-Id: Ic61e460916a6bd07c117367d240e8883f4ca1fa2
2018-03-30 02:25:34 +00:00
Joel Galenson
c4201260ba Label /proc/sys/kernel/sched_schedstats.
am: 4b625e4a35

Change-Id: Iee12d5e7573c0681b4adba682085ceb3cc26e0ee
2018-03-30 02:24:19 +00:00
Primiano Tucci
5e4ce771e4 Merge "SELinux changes for I/O tracing." into pi-dev
am: c2e249dd41

Change-Id: I53e5669f0b13193b175a7980ab8d5b2d639ca487
2018-03-30 01:24:52 +00:00
Florian Mayer
9fcf22bb81 SELinux changes for I/O tracing.
See also go/perfetto-io-tracing-security.

* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.

Bug: 74584014
Change-Id: I891a0209be981d760a828a69e4831e238248ebad
2018-03-30 00:32:34 +00:00
Primiano Tucci
c2e249dd41 Merge "SELinux changes for I/O tracing." into pi-dev 2018-03-30 00:31:59 +00:00
Joel Galenson
d65e38b238 Merge "Label /proc/sys/kernel/sched_schedstats." into pi-dev
am: aebeae8156

Change-Id: I42a1ee99885b87391ef1aa49b5554a8e16a3d065
2018-03-29 22:48:18 +00:00
Tri Vo
81198bb8bb Test frozen sepolicy has not diverged from prebuilts.
This will test that system/sepolicy/{public/, private/} are identical to
prebuilts if PLATFORM_SEPOLICY_VERSION is not 10000.0.

Bug: 74622750
Test: build policy
Test: correctly catches divergence from prebuilts for frozen policies

Change-Id: I2fa14b672544a021c2d42ad5968dfbac21b72f6a
2018-03-29 15:42:28 -07:00
Elliott Hughes
9fdcf842a3 Merge "Remove unused dalvik.vm.stack-trace-dir." am: 242399a1cf
am: 6bf3198ee6

Change-Id: Ic478798b50ca5449385452798a073525656db721
2018-03-29 22:05:30 +00:00
Joel Galenson
4b625e4a35 Label /proc/sys/kernel/sched_schedstats.
This allows init to write to it, which it does for atrace.

Bug: 72643420
Test: Boot two devices, observe no denials, test atrace.
Change-Id: I6810e5dcdfaff176bd944317e66d4fe612ccebed
(cherry picked from commit dce07413bc)
2018-03-29 14:57:10 -07:00
TreeHugger Robot
aebeae8156 Merge "Label /proc/sys/kernel/sched_schedstats." into pi-dev 2018-03-29 21:54:07 +00:00
Elliott Hughes
6bf3198ee6 Merge "Remove unused dalvik.vm.stack-trace-dir."
am: 242399a1cf

Change-Id: I62e7477947cb7e8f7210aaeb0740c969cadfa8d7
2018-03-29 21:50:40 +00:00
Jeff Vander Stoep
ffaecbbec8 Improve neverallows on /proc and /sys
am: 3079d01ad8

Change-Id: Iac19d40e84eabc8cea3950c09c6581663bb8e928
2018-03-29 21:31:19 +00:00
Elliott Hughes
242399a1cf Merge "Remove unused dalvik.vm.stack-trace-dir." 2018-03-29 21:15:16 +00:00
Florian Mayer
8d81905567 SELinux changes for I/O tracing.
See also go/perfetto-io-tracing-security.

* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.

Bug: 74584014
Cherry-picked from aosp/631805
Change-Id: I891a0209be981d760a828a69e4831e238248ebad
Merged-In: I891a0209be981d760a828a69e4831e238248ebad
2018-03-29 21:15:29 +01:00
Alan Stokes
c0adecabff Merge "Suppress harmless denials for file creation in cgroupfs." am: 9a76c280d6
am: 7d39a5312f

Change-Id: I8829bc1d20d9b1330b8130bad9aaf140d3f69b64
2018-03-29 20:14:25 +00:00
Alan Stokes
7d39a5312f Merge "Suppress harmless denials for file creation in cgroupfs."
am: 9a76c280d6

Change-Id: I7a6b5de668d06fe709a0ae922623fcc76474de12
2018-03-29 20:07:52 +00:00
Treehugger Robot
9a76c280d6 Merge "Suppress harmless denials for file creation in cgroupfs." 2018-03-29 19:54:04 +00:00
Tri Vo
83e0de3e36 Merge "Test that /proc files have proc_type attribute." am: 2c36eb6d91
am: ec35668f5d

Change-Id: I24b3d928b20141494df0c6d3106338709596aac0
2018-03-29 19:29:41 +00:00
Tri Vo
ec35668f5d Merge "Test that /proc files have proc_type attribute."
am: 2c36eb6d91

Change-Id: If078058751c8a5f88a93012350a11159d8d6839b
2018-03-29 19:18:21 +00:00
Joel Galenson
dce07413bc Label /proc/sys/kernel/sched_schedstats.
This allows init to write to it, which it does for atrace.

Bug: 72643420
Test: Boot two devices, observe no denials, test atrace.
Change-Id: I6810e5dcdfaff176bd944317e66d4fe612ccebed
2018-03-29 12:15:48 -07:00
Treehugger Robot
2c36eb6d91 Merge "Test that /proc files have proc_type attribute." 2018-03-29 19:04:06 +00:00