tequilaOS/platform_system_sepolicy

7108 commits 1 branch 0 tags 50 MiB

Author	SHA1	Message	Date
Roshan Pius	cec44a61ba	wpa.te: Add binder permission back Adding back the binder permission to access keystore from wpa_supplicant. This was removed by mistake in the previous patch (commit#: 6caeac) to add hwbinder permissions. Denials in logs: 11-03 14:37:54.831 9011 9011 I auditd : type=1400 audit(0.0:1490): avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 11-03 14:37:54.831 9011 9011 W wpa_supplicant: type=1400 audit(0.0:1490): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 11-03 14:37:55.838 9011 9011 I ServiceManager: Waiting for service android.security.keystore... 11-03 14:37:55.834 9011 9011 I auditd : type=1400 audit(0.0:1491): avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 11-03 14:37:55.834 9011 9011 W wpa_supplicant: type=1400 audit(0.0:1491): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 11-03 14:37:56.838 9011 9011 I ServiceManager: Waiting for service android.security.keystore... 11-03 14:37:56.834 9011 9011 I auditd : type=1400 audit(0.0:1492): avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 11-03 14:37:56.834 9011 9011 W wpa_supplicant: type=1400 audit(0.0:1492): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 11-03 14:37:57.839 9011 9011 I ServiceManager: Waiting for service android.security.keystore... 11-03 14:37:57.834 9011 9011 I auditd : type=1400 audit(0.0:1493): avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 11-03 14:37:57.834 9011 9011 W wpa_supplicant: type=1400 audit(0.0:1493): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 Bug: 32655747 Test: Compiles. Will send for integration testing. Change-Id: Ic57a5bf0e6ea15770efc0d09f68d04b2db9ec1b8	2016-11-07 12:51:07 -08:00
Roshan Pius	6caeac7b47	wpa: Add permissions for hwbinder Modify permissions for wpa_supplicant to use hwbinder (for HIDL), instead of binder. Denials: 01-15 14:31:58.573 541 541 W wpa_supplicant: type=1400 audit(0.0:10): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0 01-15 14:31:58.573 541 541 W wpa_supplicant: type=1400 audit(0.0:11): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0 BUG: 31365276 Test: Compiled and ensured that the selinux denials are no longer present in logs. Change-Id: Ifa4630edea6ec5a916b3940f9a03ef9dc6fc9af2	2016-10-26 14:52:12 -07:00
dcashman	cc39f63773	Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c	2016-10-06 13:09:06 -07:00

Author

SHA1

Message

Date

Roshan Pius

cec44a61ba

wpa.te: Add binder permission back

Adding back the binder permission to access keystore from
wpa_supplicant. This was removed by mistake in the previous patch
(commit#: 6caeac) to add hwbinder permissions.

Denials in logs:
11-03 14:37:54.831  9011  9011 I auditd  : type=1400 audit(0.0:1490):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:54.831  9011  9011 W wpa_supplicant: type=1400
audit(0.0:1490): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:55.838  9011  9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:55.834  9011  9011 I auditd  : type=1400 audit(0.0:1491):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:55.834  9011  9011 W wpa_supplicant: type=1400
audit(0.0:1491): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:56.838  9011  9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:56.834  9011  9011 I auditd  : type=1400 audit(0.0:1492):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:56.834  9011  9011 W wpa_supplicant: type=1400
audit(0.0:1492): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:57.839  9011  9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:57.834  9011  9011 I auditd  : type=1400 audit(0.0:1493):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:57.834  9011  9011 W wpa_supplicant: type=1400
audit(0.0:1493): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0

Bug: 32655747
Test: Compiles. Will send for integration testing.
Change-Id: Ic57a5bf0e6ea15770efc0d09f68d04b2db9ec1b8

2016-11-07 12:51:07 -08:00

Roshan Pius

6caeac7b47

wpa: Add permissions for hwbinder

Modify permissions for wpa_supplicant to use hwbinder (for HIDL),
instead of binder.

Denials:
01-15 14:31:58.573   541   541 W wpa_supplicant: type=1400
audit(0.0:10): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0
01-15 14:31:58.573   541   541 W wpa_supplicant: type=1400
audit(0.0:11): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0

BUG: 31365276
Test: Compiled and ensured that the selinux denials are no longer
present in logs.

Change-Id: Ifa4630edea6ec5a916b3940f9a03ef9dc6fc9af2

2016-10-26 14:52:12 -07:00

dcashman

cc39f63773

Split general policy into public and private components.

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

2016-10-06 13:09:06 -07:00

Renamed from wpa.te (Browse further)

3 commits