tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
10354 commits 1 branch 0 tags 50 MiB
Commit graph

10354 commits

This branch
This branch
All branches
Author SHA1 Message Date
Steven Moreland
ab9241c952 Allow hals to read hwservicemanager prop. am: d3ce5dc38c am: d437f0e09d 
am: 4c013db7d6

Change-Id: I77c714f588bdc78020af4e7dbf6a89d9e6792ca6
 2017-03-23 03:53:11 +00:00
Steven Moreland
4c013db7d6 Allow hals to read hwservicemanager prop. am: d3ce5dc38c 
am: d437f0e09d

Change-Id: Ib72b4435a8173a213f1ddb3331afc0bebf991029
 2017-03-23 03:49:39 +00:00
Steven Moreland
d437f0e09d Allow hals to read hwservicemanager prop. 
am: d3ce5dc38c

Change-Id: Ifd66a82a429b18f6e0077b042dccef38ddcd636d
 2017-03-23 03:47:10 +00:00
Steven Moreland
d3ce5dc38c Allow hals to read hwservicemanager prop. 
Test: no relevant denials on marlin while booting
Test: no relevant denials on angler while booting
Bug: 36278706
Change-Id: Ieba79e1c8fca4f74c63bc63e6dd0bdcf59204ca2
 2017-03-23 01:50:50 +00:00
Jeff Vander Stoep
3ee107ff5e Merge "Grant additional permissions for ASAN builds" am: 63211f8da2 am: 1c05f80071 
am: 8f0abfec15

Change-Id: Id2a898b91932fa74389586bb534cb1dba3bfe26c
 2017-03-22 23:14:43 +00:00
Jeff Vander Stoep
8f0abfec15 Merge "Grant additional permissions for ASAN builds" am: 63211f8da2 
am: 1c05f80071

Change-Id: Icb9150c5828272df8ccfce8a4145df2f3c987c45
 2017-03-22 23:12:08 +00:00
Jeff Vander Stoep
1c05f80071 Merge "Grant additional permissions for ASAN builds" 
am: 63211f8da2

Change-Id: If8aa9152a643522fc896b7a412d3fafb19043649
 2017-03-22 23:09:29 +00:00
Treehugger Robot
63211f8da2 Merge "Grant additional permissions for ASAN builds" 2017-03-22 22:46:58 +00:00
Sandeep Patil
2819620e8f Merge "dumpstate: allow HALs to read /proc/interrupts" am: 871e44c456 am: e2f8626ed3 
am: e43f5c9792

Change-Id: I40ee71a3473e23a29b370cdc8be7cabd8e8245fc
 2017-03-22 22:32:39 +00:00
Sandeep Patil
e43f5c9792 Merge "dumpstate: allow HALs to read /proc/interrupts" am: 871e44c456 
am: e2f8626ed3

Change-Id: If401e4107787e6620ed31115c45b7d594812dbe5
 2017-03-22 22:30:05 +00:00
Sandeep Patil
e2f8626ed3 Merge "dumpstate: allow HALs to read /proc/interrupts" 
am: 871e44c456

Change-Id: I1c261dc247b93306c6d1a70dd0014532c84843c5
 2017-03-22 22:29:11 +00:00
Martijn Coenen
7cfba9a773 Merge "Initial sepolicy for vndservicemanager." 2017-03-22 22:14:05 +00:00
Treehugger Robot
871e44c456 Merge "dumpstate: allow HALs to read /proc/interrupts" 2017-03-22 22:09:39 +00:00
Steven Moreland
bc915757f0 Merge "hwservicemanager: halserverdomain" am: 6456542f3e am: 3d49330bed 
am: 23bf2d440b

Change-Id: Ib9d7b139d7792eedf3c8963cdc12fbe9f194f0f4
 2017-03-22 21:39:53 +00:00
Steven Moreland
23bf2d440b Merge "hwservicemanager: halserverdomain" am: 6456542f3e 
am: 3d49330bed

Change-Id: I1ceaf1d95f07b8c4635a6055384cf6dcff932d51
 2017-03-22 21:37:01 +00:00
Steven Moreland
3d49330bed Merge "hwservicemanager: halserverdomain" 
am: 6456542f3e

Change-Id: I353c8d695a5c995f72fe865f27682a05011f8f55
 2017-03-22 21:34:44 +00:00
Treehugger Robot
6456542f3e Merge "hwservicemanager: halserverdomain" 2017-03-22 21:28:46 +00:00
Jeff Vander Stoep
7443484831 Grant additional permissions for ASAN builds 
ASAN builds may require additional permissions to launch processes
with ASAN wrappers. In this case, system_server needs permission to
execute /system/bin/sh.

Create with_asan() macro which can be used exclusively on debug
builds. Note this means that ASAN builds with these additional
permission will not pass the security portion of CTS - like any
other debug build.

Addresses:
avc: denied { execute } for name="sh" dev="dm-0" ino=571
scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0
tclass=file

Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are granted.
Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm;
      Verify permissions granted using with_asan() are not granted.
Test: lunch aosp_marlin-user;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are not granted.
Bug: 36138508
Change-Id: I6e39ada4bacd71687a593023f16b45bc16cd7ef8
 2017-03-22 14:03:07 -07:00
Sandeep Patil
a866a416e9 dumpstate: allow HALs to read /proc/interrupts 
/proc/interrupts may be dumped by dumpstate HAL if required.

Bug: 36486169
Test: 'adb shell bugreport' on sailfish

Change-Id: Ifc41a516aeea846bc56b86b064bda555b43c58ed
Signed-off-by: Sandeep Patil <sspatil@google.com>
 2017-03-22 13:26:03 -07:00
Roshan Pius
66cf8ebe9a Merge "wpa_supplicant: Remove unnecessary permissions from system_server" am: e1a350a035 am: 790052147c 
am: 180a688261

Change-Id: Ic5e8018fd106a645d24f52b8502fff3e4c603f7e
 2017-03-22 20:26:02 +00:00
Roshan Pius
180a688261 Merge "wpa_supplicant: Remove unnecessary permissions from system_server" am: e1a350a035 
am: 790052147c

Change-Id: Icf0aefc596f8c3df64be9bc68b4c1f4243059747
 2017-03-22 20:23:26 +00:00
Roshan Pius
790052147c Merge "wpa_supplicant: Remove unnecessary permissions from system_server" 
am: e1a350a035

Change-Id: Ib2f28bdd5aa8dc1a6641f3f114965ac3ddec17e2
 2017-03-22 20:21:56 +00:00
Treehugger Robot
e1a350a035 Merge "wpa_supplicant: Remove unnecessary permissions from system_server" 2017-03-22 20:17:09 +00:00
Martijn Coenen
cba70be751 Initial sepolicy for vndservicemanager. 
vndservicemanager is the context manager for binder services
that are solely registered and accessed from vendor processes.

Bug: 36052864
Test: vendorservicemanager runs
Change-Id: Ifbf536932678d0ff13d019635fe6347e185ef387
 2017-03-22 12:53:13 -07:00
Nick Kralevich
84abfb0031 Merge "app.te: prevent locks of files on /system" am: cc45b87cfa am: 6fcbd0f542 
am: acc1701fd2

Change-Id: I7b732b74d4495c9b6aede9530e7944b5b3e07584
 2017-03-22 19:25:22 +00:00
Nick Kralevich
acc1701fd2 Merge "app.te: prevent locks of files on /system" am: cc45b87cfa 
am: 6fcbd0f542

Change-Id: Ibc6947686cc6edf439e25cda9aaf5b1444da6c8c
 2017-03-22 19:23:22 +00:00
Nick Kralevich
6fcbd0f542 Merge "app.te: prevent locks of files on /system" 
am: cc45b87cfa

Change-Id: I17fe3e79b7f673a0703be5be7bb93838cd2f7ed6
 2017-03-22 19:21:45 +00:00
Treehugger Robot
cc45b87cfa Merge "app.te: prevent locks of files on /system" 2017-03-22 19:14:27 +00:00
TreeHugger Robot
0c9d8d8165 Merge "vr_wm hal client domain of graphics allocator." 2017-03-22 18:44:00 +00:00
Alex Klyubin
8c73485d4f Merge "Remove unnecessary binder_call from cameraserver" am: bbe7213fa1 am: a6445395a7 
am: 52cc23c9f1

Change-Id: I02062a80ab0a489c0e00f7890ecdcd0731ced405
 2017-03-22 18:30:49 +00:00
Alex Klyubin
52cc23c9f1 Merge "Remove unnecessary binder_call from cameraserver" am: bbe7213fa1 
am: a6445395a7

Change-Id: I7c47721f7fd0c30ce20c4948e412c1bb0d5b34f1
 2017-03-22 18:28:18 +00:00
Alex Klyubin
a6445395a7 Merge "Remove unnecessary binder_call from cameraserver" 
am: bbe7213fa1

Change-Id: I0c82b4e73e54cf7ac1f434c97558bd3cef3c36e7
 2017-03-22 18:25:53 +00:00
Treehugger Robot
bbe7213fa1 Merge "Remove unnecessary binder_call from cameraserver" 2017-03-22 18:16:37 +00:00
Roshan Pius
f27e8f09c2 wpa_supplicant: Remove unnecessary permissions from system_server 
Now that the android wifi framework has fully switched over to HIDL,
remove the sepolicy permissions for accessing wpa_supplicant using
socket control interface.

While there, also removed the redundant |hwbinder_use|.

Bug: 35707797
Test: Device boots up and able to connect to wifi networks.
Test: Wifi integration tests passed.
Change-Id: I55e24b852558d1a905b189116879179d62bdc76c
 2017-03-22 17:43:38 +00:00
Nick Kralevich
92c44a578c app.te: prevent locks of files on /system 
Prevent app domains (processes spawned by zygote) from acquiring
locks on files in /system. In particular, /system/etc/xtables.lock
must never be lockable by applications, as it will block future
iptables commands from running.

Test: device boots and no obvious problems.
Change-Id: Ifd8dc7b117cf4a622b30fd4fffbcab1b76c4421b
 2017-03-22 10:35:24 -07:00
Steven Moreland
2e5fc3e35c vr_wm hal client domain of graphics allocator. 
Test: no denials seen
Bug: 36278706
Change-Id: I78d6fc84073a6ca006fb2b1ef95c73935cc9a1e0
 2017-03-22 10:06:15 -07:00
Steven Moreland
e91cbcba4e hwservicemanager: halserverdomain 
Test: no neverallows triggered
Bug: 36494354
Change-Id: I52e21a9be5400027d4e96a8befdd4faaffb06a93
 2017-03-22 08:43:43 -07:00
TreeHugger Robot
5f8812302a Merge "Move mediacodec to vendor partition." 2017-03-22 06:15:35 +00:00
Janis Danisevskis
516dd24611 Merge "Fix sepolicy for Gatekeeper HAL" am: 9d5f97b381 am: dfded77d42 
am: 5939dc8dbc

Change-Id: I9e97e5dede3b58db66dc3391e48f247b890e82d7
 2017-03-22 00:41:30 +00:00
Alex Klyubin
30577414f3 Merge "Remove unused hal_impl_domain macro" am: 6de0d9a756 am: fbd2227977 
am: 52c5bde41a

Change-Id: Ie51eefe6c99adc6d266c96c15dae6df81363109c
 2017-03-22 00:41:18 +00:00
Janis Danisevskis
5939dc8dbc Merge "Fix sepolicy for Gatekeeper HAL" am: 9d5f97b381 
am: dfded77d42

Change-Id: I3a6e966ad54f4ea505dacb5c60269cc733e9212c
 2017-03-22 00:14:07 +00:00
Alex Klyubin
52c5bde41a Merge "Remove unused hal_impl_domain macro" am: 6de0d9a756 
am: fbd2227977

Change-Id: I3c1c3d20bd28b656087643891b3a7d37aed6e01c
 2017-03-22 00:13:55 +00:00
Janis Danisevskis
dfded77d42 Merge "Fix sepolicy for Gatekeeper HAL" 
am: 9d5f97b381

Change-Id: Ic75010f7e11129e879a7eea1605969f2511f6fc9
 2017-03-22 00:12:11 +00:00
Alex Klyubin
fbd2227977 Merge "Remove unused hal_impl_domain macro" 
am: 6de0d9a756

Change-Id: I7f971d6f1a9fe4247490070f2f00bede2b828494
 2017-03-22 00:10:26 +00:00
Treehugger Robot
9d5f97b381 Merge "Fix sepolicy for Gatekeeper HAL" 2017-03-22 00:10:21 +00:00
Alex Klyubin
6de0d9a756 Merge "Remove unused hal_impl_domain macro" 2017-03-21 23:57:55 +00:00
Chad Brubaker
d86b3d7c1a Merge "Disallow access to proc_net for ephemeral_app" am: 2e7fa9d82f am: 98c4f82e18 
am: 1c4472a943

Change-Id: I6b0ccf590d69dc2f23e3af5387e53bdc6de624be
 2017-03-21 22:50:07 +00:00
Chad Brubaker
1c4472a943 Merge "Disallow access to proc_net for ephemeral_app" am: 2e7fa9d82f 
am: 98c4f82e18

Change-Id: Ib55c8c4accd5a25aa0908ca9e496e0b1bce3d97a
 2017-03-21 22:33:58 +00:00
Chad Brubaker
98c4f82e18 Merge "Disallow access to proc_net for ephemeral_app" 
am: 2e7fa9d82f

Change-Id: I85d2895bb6f44bf3461214e4c679954a79b30cee
 2017-03-21 22:28:51 +00:00
Chad Brubaker
2e7fa9d82f Merge "Disallow access to proc_net for ephemeral_app" 2017-03-21 22:24:31 +00:00