Jeff Vander Stoep
96f0e1fd6c
Remove more domain_deprecated permissions am: e39d5c875e
am: 9ce812fbe0
am: 685db0b279
...
am: 4b7aa90918
Change-Id: I222af35247d5fc4d99f2cdeca79f86cd0a815739
2017-07-01 14:48:57 +00:00
Jeff Vander Stoep
4b7aa90918
Remove more domain_deprecated permissions am: e39d5c875e
am: 9ce812fbe0
...
am: 685db0b279
Change-Id: I5c4ae29b9623ee04f0409c5f2e4da9fb325a430f
2017-07-01 14:43:57 +00:00
Jeff Vander Stoep
685db0b279
Remove more domain_deprecated permissions am: e39d5c875e
...
am: 9ce812fbe0
Change-Id: Ie71e8eb97e3ace63a230fcd70b81961d1a8f4884
2017-07-01 14:38:56 +00:00
Jeff Vander Stoep
9ce812fbe0
Remove more domain_deprecated permissions
...
am: e39d5c875e
Change-Id: Ibdb49f80b11fca40f5c4de7a92780be26b3280eb
2017-07-01 14:33:56 +00:00
Andres Oportus
880932d95b
Merge "Allow only system_server to read uid_time_in_state" am: 439364d20e
am: e96aad0998
am: 3ce2c6f866
...
am: 2f0d04962a
Change-Id: I0a3b2c00a083bebdf658cd3695d51ed7af21b1ca
2017-07-01 13:09:12 +00:00
Jeff Vander Stoep
6f842f8aea
Merge "Remove adbd tcontexts from domain_deprecated" am: 056710b38a
am: 2af7c84fac
am: 1a1cefcc96
...
am: 902dbafbe8
Change-Id: I2b0c214e4e6842c7e9eb56a28d014c814a9c8670
2017-07-01 13:08:52 +00:00
Andres Oportus
2f0d04962a
Merge "Allow only system_server to read uid_time_in_state" am: 439364d20e
am: e96aad0998
...
am: 3ce2c6f866
Change-Id: Ic54d118a477d1827952e1c54216ff01838d985d7
2017-07-01 13:04:04 +00:00
Jeff Vander Stoep
902dbafbe8
Merge "Remove adbd tcontexts from domain_deprecated" am: 056710b38a
am: 2af7c84fac
...
am: 1a1cefcc96
Change-Id: I93ad1ad5f769f68c856e7a3cfcc0bcd8792633f2
2017-07-01 13:03:51 +00:00
Andres Oportus
3ce2c6f866
Merge "Allow only system_server to read uid_time_in_state" am: 439364d20e
...
am: e96aad0998
Change-Id: I0742836c6b613afeab2dcf6d59c37dd9787dc91a
2017-07-01 12:59:05 +00:00
Jeff Vander Stoep
1a1cefcc96
Merge "Remove adbd tcontexts from domain_deprecated" am: 056710b38a
...
am: 2af7c84fac
Change-Id: Id52f1fd3e79a0a36df42abca24c93b28b277c570
2017-07-01 12:58:51 +00:00
Andres Oportus
e96aad0998
Merge "Allow only system_server to read uid_time_in_state"
...
am: 439364d20e
Change-Id: I726672b2e3379e2e53d3c6b26482147f11d06d8e
2017-07-01 12:54:07 +00:00
Jeff Vander Stoep
2af7c84fac
Merge "Remove adbd tcontexts from domain_deprecated"
...
am: 056710b38a
Change-Id: Id44e16b03b1b5398bb4fd73bc4950e5da8acd5b7
2017-07-01 12:53:51 +00:00
Jeff Vander Stoep
e39d5c875e
Remove more domain_deprecated permissions
...
Logs indicate no usage of these permissions.
Bug: 28760354
Test: check logs.
Change-Id: I3d75aea6afd4e326f705274ab2790e5d0bbdb367
2017-07-01 12:49:22 +00:00
Treehugger Robot
439364d20e
Merge "Allow only system_server to read uid_time_in_state"
2017-07-01 12:48:41 +00:00
Treehugger Robot
056710b38a
Merge "Remove adbd tcontexts from domain_deprecated"
2017-07-01 12:47:40 +00:00
TreeHugger Robot
20a319de4d
Merge "file_contexts: allow to run make_f2fs during initial boot-up"
2017-07-01 08:06:24 +00:00
Jeff Vander Stoep
4d5721a5a3
Remove adbd tcontexts from domain_deprecated
...
Logs indicate apps, system_server, and runas are the only
domains that require this permission.
Bug: 28760354
Test: check logs.
Change-Id: I93dc53ec2d892bb91c0cd6f5d7e9cbf76b9bcd9f
2017-07-01 06:30:58 +00:00
Andres Oportus
97b955de13
Allow only system_server to read uid_time_in_state
...
Bug: 62706738
Bug: 34133340
Test: Check that uid_time_in_state can't be read from
the shell without root permissions and that
"dumpsys batterystats --checkin| grep ctf" shows frequency
data (system_server was able to read uid_time_in_state)
Change-Id: Ic6a54da4ebcc9e10b0e3af8f14a45d7408e8686e
(cherry picked from commit 4dc88795d0)
2017-06-30 22:07:57 -07:00
Jeff Vander Stoep
e7d7f3ab66
dexoptanalyzer: suppress access(2) denial am: 06aee357e4
am: e8bf363d3f
am: 2d74ecde52
...
am: 3afd02581a
Change-Id: I5b44585eaf29c8a68e3ea7c0ddfc1e8d8ea8e127
2017-07-01 00:02:48 +00:00
Jeff Vander Stoep
3afd02581a
dexoptanalyzer: suppress access(2) denial am: 06aee357e4
am: e8bf363d3f
...
am: 2d74ecde52
Change-Id: I553c794c40406da42f36d64fdd84684d157bccad
2017-06-30 23:57:38 +00:00
Jeff Vander Stoep
2d74ecde52
dexoptanalyzer: suppress access(2) denial am: 06aee357e4
...
am: e8bf363d3f
Change-Id: Ic3e7a595e2878becc5ecf81631e8088f487c51e2
2017-06-30 23:52:36 +00:00
Jeff Vander Stoep
e8bf363d3f
dexoptanalyzer: suppress access(2) denial
...
am: 06aee357e4
Change-Id: Ib49585b7e3a39969ebc23113c2b3ccdb04602cb5
2017-06-30 23:48:06 +00:00
Jeff Vander Stoep
06aee357e4
dexoptanalyzer: suppress access(2) denial
...
A legitimate call to access(2) is generating a denial. Use the
audit_access permission to suppress the denial on just the access()
call.
avc: denied { write } for name="verified_jars"
scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
Bug: 62597207
Test: build policy
Test: The following cmd succeeds but no longer generates a denial
adb shell cmd package compile -r bg-dexopt --secondary-dex \
com.google.android.googlequicksearchbox
Change-Id: I7d03df2754c24c039bce11426bf8f317232f5e5f
(cherry picked from commit 575e627081)
2017-06-30 15:30:06 -07:00
Narayan Kamath
3a4e5bd4b4
Merge "DO NOT MERGE ANYWHERE Revert "SEPolicy: Changes for new stack dumping scheme."" into oc-dr1-dev am: 4f0776560a
-s ours
...
am: c88753c1da
-s ours
Change-Id: I88869af7eaa026873744850033daba5ee31939ef
2017-06-30 18:15:12 +00:00
Narayan Kamath
c88753c1da
Merge "DO NOT MERGE ANYWHERE Revert "SEPolicy: Changes for new stack dumping scheme."" into oc-dr1-dev
...
am: 4f0776560a
-s ours
Change-Id: Ife60e3ca9dd346ca927e1fafdceef2fe71d33499
2017-06-30 18:10:12 +00:00
TreeHugger Robot
4f0776560a
Merge "DO NOT MERGE ANYWHERE Revert "SEPolicy: Changes for new stack dumping scheme."" into oc-dr1-dev
2017-06-30 18:02:16 +00:00
TreeHugger Robot
0271c4338e
Merge "Gatekeeper no longer needs to access UserManager."
2017-06-29 11:52:12 +00:00
Jeff Vander Stoep
0f697a7e88
Merge "hal_tetheroffload: Grant permissions" into oc-dr1-dev am: 243c46cc46
...
am: 6907f57417
Change-Id: I2b073252ccdcd30fce523a83ba43dea14eeaad3b
2017-06-29 04:36:30 +00:00
Jeff Vander Stoep
6907f57417
Merge "hal_tetheroffload: Grant permissions" into oc-dr1-dev
...
am: 243c46cc46
Change-Id: I08aa08c6e23c0e78569d06c4e4e36a27dd861459
2017-06-29 04:32:30 +00:00
TreeHugger Robot
243c46cc46
Merge "hal_tetheroffload: Grant permissions" into oc-dr1-dev
2017-06-29 04:26:11 +00:00
Jeff Vander Stoep
e58a8de5e7
hal_tetheroffload: Grant permissions
...
avc: denied { read write } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { setopt } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { getattr } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { create } for scontext=u:r:system_server:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
Bug: 29337859
Bug: 32163131
Test: adb shell getenforce
Enforcing
adb shell dumpsys connectivity tethering
Tethering:
...
Log:
...
06-28 11:46:58.841 - SET master tether settings: ON
06-28 11:46:58.857 - [OffloadController] tethering offload started
And logs show some signs of happiness:
06-28 11:46:58.853 816 947 I IPAHALService: IPACM was provided two FDs (18, 19)
06-28 11:46:58.853 1200 1571 I zygote64: Looking for service android.hardware.tetheroffload.control@1.0::IOffloadControl/default
Change-Id: I0c63bd2de334b4ca40e54efb9df4ed4904667e21
2017-06-29 04:24:14 +00:00
TreeHugger Robot
724e825a62
Merge "cas: add CAS hal and switch to use hwservice"
2017-06-28 20:37:18 +00:00
Pavel Grafov
43dd1b5ce9
Gatekeeper no longer needs to access UserManager.
...
This is a revert of http://ag/741434
Bug: 38259874
Test: manually, using ConfirmCredential sample app.
Change-Id: I0cbb955110935de605cb90e26a6a1d851a93a4b8
2017-06-28 20:17:51 +01:00
TreeHugger Robot
bec1341337
Merge "Mark debugfs type with debugfs_type attribute"
2017-06-28 16:42:16 +00:00
TreeHugger Robot
1c93a40bbf
Merge "Sepolicy: Give asan_extract access to powerctl"
2017-06-28 00:55:13 +00:00
TreeHugger Robot
dd0b3c94df
Merge "Add domain_deprecated to bluetooth domains in 26.0."
2017-06-27 23:21:24 +00:00
TreeHugger Robot
412d4ef00a
Merge "remove /dev/log"
2017-06-27 23:21:16 +00:00
TreeHugger Robot
e93d6eef53
Merge "Add /dev/kmsg_debug."
2017-06-27 23:21:07 +00:00
Andreas Gampe
8c7514adb1
Sepolicy: Give asan_extract access to powerctl
...
rc-style powerctl has been removed. Accordingly, asan_extract now
needs access to sys.powerctl directly.
(originally commit: 8267208921)
Bug: 36458146
Bug: 38241921
Test: Builds and boots.
Change-Id: I7d6e583f5e98b671986a2071abf157c86e288a10
2017-06-27 15:38:29 -07:00
Jeff Vander Stoep
2256bf8a85
Merge "Suppress su access to pdx sockets" into oc-dr1-dev am: ae548746dc
...
am: cbe69fe83e
Change-Id: I6d60d0daf9b5d301affeef3be0ffe14f5eb356e7
2017-06-27 22:28:59 +00:00
Jeff Vander Stoep
cbe69fe83e
Merge "Suppress su access to pdx sockets" into oc-dr1-dev
...
am: ae548746dc
Change-Id: Ie16d24ad9e950e279ca79ba89ec1aaf4ab273ef5
2017-06-27 22:25:59 +00:00
TreeHugger Robot
ae548746dc
Merge "Suppress su access to pdx sockets" into oc-dr1-dev
2017-06-27 22:21:27 +00:00
Jeff Vander Stoep
3d09e12153
Merge "dexoptanalyzer: suppress access(2) denial" into oc-dr1-dev am: 7b065f82a7
...
am: eebc36eb3a
Change-Id: I6e6e31e8d25a797d200bbf4c6f5ad32c491322cb
2017-06-27 20:38:24 +00:00
Jeff Vander Stoep
eebc36eb3a
Merge "dexoptanalyzer: suppress access(2) denial" into oc-dr1-dev
...
am: 7b065f82a7
Change-Id: I82e82541eac5abd668fdc4b94324bc17d753a768
2017-06-27 20:29:53 +00:00
TreeHugger Robot
7b065f82a7
Merge "dexoptanalyzer: suppress access(2) denial" into oc-dr1-dev
2017-06-27 20:20:15 +00:00
Dan Cashman
c10e0e552f
Add domain_deprecated to bluetooth domains in 26.0.
...
domain_deprecated is a private attribute, which means that none of
its rules will be copied to vendor policy. Unfortunately, this
means that any public type that used the attribute now loses policy
rules on which a vendor may have been relying unknowingly. Add the
domain back in the compatibility file so that O vendor policy remains
sufficient.
Bug: 62573845
Test: None, prebuilt change and prebuilt tests not in yet.
Change-Id: I2c4ce00ecb102f087472e183fa52d072fe6eb398
2017-06-27 11:42:40 -07:00
Neil Fuller
e226b96e7c
Revert "DO NOT MERGE. Revert "Enable the TimeZoneManagerService""
...
This reinstates the selinux changes for the timezone service that
were reverted on oc-dr1-dev and undesirably merged down to master.
This reverts commit 96c619c826.
Test: make
Bug: 31008728
Change-Id: Ief2129c409de09b2782881a6556d918af59badd9
2017-06-27 19:32:16 +01:00
Tom Cherry
cfc625d14a
remove /dev/log
...
This was marked deprecated in 2014 and removed in 2015, let's remove
the sepolicy now too.
(Originally submitted in commit: 8c60f74dcc)
Bug: 38242876
Test: Builds and boots.
Change-Id: I4caa0dbf77956fcbc61a07897242b951c275b502
2017-06-27 10:10:22 -07:00
Josh Gao
3458ec135e
Add /dev/kmsg_debug.
...
Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).
(Originally committed in a015186fab)
Bug: 36574794
Bug: 62101480
Test: Builds and boots.
Change-Id: I249e11291c58fee77098dec3fd3271ea23363ac9
2017-06-27 07:20:44 -07:00
Stephen Smalley
2d1927595e
Define smc_socket security class. am: 2be9799bcc
am: 52909aca44
am: ad01d1f6ab
...
am: 06a22e41fe
Change-Id: Ib3549463537470e9af49cc4b1e6b2a526c2a9c76
2017-06-27 01:13:29 +00:00