Mitchell Wills
d89bc60064
Merge "Add selinux policy for legacy Wifi HAL" am: 10960aec9d
...
am: 3acba6df5d
Change-Id: I47d52553a72930b13890dfbc32b192af4ca3fde3
2016-09-23 16:35:04 +00:00
Mitchell Wills
3acba6df5d
Merge "Add selinux policy for legacy Wifi HAL"
...
am: 10960aec9d
Change-Id: I5facb64901c9621245f457cabc9d1f5bc8f572b6
2016-09-23 16:33:03 +00:00
Treehugger Robot
10960aec9d
Merge "Add selinux policy for legacy Wifi HAL"
2016-09-23 16:27:41 +00:00
bowgotsai
a6c215bcaf
Clean up LOCAL_C_INCLUDES
...
It should be specified by LOCAL_EXPORT_C_INCLUDE_DIRS from the imported
libraries.
Change-Id: I5b01ac24763a75984227d77671def6561325b7cc
2016-09-23 09:21:25 +08:00
Felipe Leme
02656ef7f7
Merge "Let system_server writes to dumpstate.options property." am: 60c436cb76
am: 7ba85b1cde
...
am: 1bca411711
Change-Id: Ifc83a9abdfae96aa074d9c42f8b839a1a918241b
2016-09-22 23:17:44 +00:00
Felipe Leme
1bca411711
Merge "Let system_server writes to dumpstate.options property." am: 60c436cb76
...
am: 7ba85b1cde
Change-Id: Ib12b7613dad360bc3dae5e3642e8073139dc2680
2016-09-22 11:55:58 +00:00
Felipe Leme
7ba85b1cde
Merge "Let system_server writes to dumpstate.options property."
...
am: 60c436cb76
Change-Id: I30bb2d1e5230b2306847e142ff1502fd4f33fec8
2016-09-22 08:22:51 +00:00
Treehugger Robot
60c436cb76
Merge "Let system_server writes to dumpstate.options property."
2016-09-22 04:54:33 +00:00
Felipe Leme
a5a8072f3c
Let system_server writes to dumpstate.options property.
...
Currently, we define 4 hardcoded init services to launch dumpstate with
different command-line options (since dumpstate must be launched by
root):
- bugreport
- bugreportplus
- bugreportwear
- bugreportremote
This approach does not scale well; a better option is to have just one
service, and let the framework pass the extra arguments through a system
property.
BUG: 31649719
Test: manual
Change-Id: I7ebbb7ce6a0fd3588baca6fd76653f87367ed0e5
2016-09-21 14:19:29 -07:00
Michal Karpinski
fe92ded530
Change name in the rules after renaming dns_listener -> netd_listener am: 59afa2414d
am: 0285a2435a
...
am: c0f38c1cec
Change-Id: Ia3ba2774a0e296b11be575f8a92dde6bd7514a4e
2016-09-21 09:58:12 +00:00
Michal Karpinski
c0f38c1cec
Change name in the rules after renaming dns_listener -> netd_listener am: 59afa2414d
...
am: 0285a2435a
Change-Id: Ibcfd24bcb84750b4ea8442d08668e96392694402
2016-09-21 08:48:11 +00:00
Michal Karpinski
0285a2435a
Change name in the rules after renaming dns_listener -> netd_listener
...
am: 59afa2414d
Change-Id: I7cd94efdd825e6e69c8f12bcd556d88953a962c8
2016-09-21 08:39:45 +00:00
Michal Karpinski
59afa2414d
Change name in the rules after renaming dns_listener -> netd_listener
...
Change-Id: I4737a087f2d00e1028d1cb43d9eda814a008dbe8
2016-09-21 12:47:49 +09:00
Svet Ganov
e1bb14d0f2
Move device serial behind a permission - selinux am: 3286fca7db
am: 0b910049bd
...
am: 56b1c9c54c
Change-Id: Id2dcc911f4135b9b2dfd62b846cd2c6cc8fc1cc8
2016-09-20 23:14:44 +00:00
Svet Ganov
56b1c9c54c
Move device serial behind a permission - selinux am: 3286fca7db
...
am: 0b910049bd
Change-Id: Id8b4a6c6461eed0cfc7e506daa619759f16924f0
2016-09-20 23:10:13 +00:00
Svet Ganov
0b910049bd
Move device serial behind a permission - selinux
...
am: 3286fca7db
Change-Id: I33086026f3ac103350c866c47a14bdb6d7efac95
2016-09-20 23:06:42 +00:00
Hugo Benichi
4cc9180b17
Add app_api_service to connmetrics_service am: d0561efef3
...
am: 76436c61bd
Change-Id: I815a9386c62a42eee6e86c22a9234f124ddfd084
2016-09-20 08:39:56 +00:00
Hugo Benichi
76436c61bd
Add app_api_service to connmetrics_service
...
am: d0561efef3
Change-Id: Id1537bf36a218f3727caef36659a40087c19feb9
2016-09-20 07:11:21 +00:00
Svet Ganov
3286fca7db
Move device serial behind a permission - selinux
...
Build serial is a non-user-resettable, freely available device
identifier. It can be used by ad networks to track the user
across apps, which violates the user's privacy.
This change deprecates Build.SERIAL and adds a new Build.getSerial()
API which requires holding the read_phone_state permission.
The Build.SERIAL value is set to "undefined" for apps targeting
a high enough SDK, and for legacy apps the value is still available.
bug:31402365
Change-Id: I6309aa58c8993b3db4fea7b55aae05592408b6e4
2016-09-19 15:59:58 -07:00
Mitchell Wills
a18b41e752
Add selinux policy for legacy Wifi HAL
...
avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=binder permissive=1
avc: denied { bind } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { call } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=1
avc: denied { getattr } for path="/proc/4355/net/psched" dev="proc" ino=4026535370 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { getattr } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { ioctl } for path="socket:[28193]" dev="sockfs" ino=28193 ioctlcmd=8933 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=1
avc: denied { ioctl } for path="socket:[34821]" dev="sockfs" ino=34821 ioctlcmd=8933 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=1
avc: denied { net_admin } for capability=12 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=capability permissive=1
avc: denied { net_raw } for capability=13 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=capability permissive=1
avc: denied { open } for path="/proc/2754/net/psched" dev="proc" ino=4026535377 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/class/net" dev="sysfs" ino=10488 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
avc: denied { read } for name="net" dev="sysfs" ino=10488 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
avc: denied { read } for name="psched" dev="proc" ino=4026535370 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { read } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { setopt } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { transfer } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { write } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=0
avc: denied { net_admin } for capability=12 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=capability permissive=0
avc: denied { read } for name="net" dev="sysfs" ino=9862 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=0
Bug: 31352200
Test: can boot angler & bullhead and start/stop HAL repeatedly
Change-Id: Ide93730d362fb93602742fc10b22fff6e7d56f6b
2016-09-19 14:45:36 -07:00
Ajay Panicker
843d2345b2
Allow bluetooth service to access bluetooth directory and add /logs (6/6) am: a45672614d
am: ebcc814eb5
...
am: 82f9989062
Change-Id: I6ab020bf093d9eeed662815c93029c1d27e9134d
2016-09-19 20:26:25 +00:00
Ajay Panicker
82f9989062
Allow bluetooth service to access bluetooth directory and add /logs (6/6) am: a45672614d
...
am: ebcc814eb5
Change-Id: Iabada4aedcd7752909f985ca0cb09d0d7613c44d
2016-09-19 20:18:58 +00:00
Ajay Panicker
ebcc814eb5
Allow bluetooth service to access bluetooth directory and add /logs (6/6)
...
am: a45672614d
Change-Id: I295c9a5fb67688538d2cbc4470b9bf463e2cd3e3
2016-09-19 20:11:01 +00:00
Ajay Panicker
a45672614d
Allow bluetooth service to access bluetooth directory and add /logs (6/6)
...
Bug: 31466840
Change-Id: I3984754034349e6c41de6ae9cccbaab95ca5a918
2016-09-16 20:20:31 +00:00
Hugo Benichi
d0561efef3
Add app_api_service to connmetrics_service
...
This allows the ConnectivityMetrics app to dump connmetrics service
metrics.
Bug: 31254800
Change-Id: I4c3da8cc80a5820dbed9843badc1464f3ae40581
2016-09-16 11:47:41 +09:00
Fyodor Kupolov
a8e79d2a03
Merge "Allow system_server to delete directories in preloads" am: f23299c547
am: 66c10511ee
...
am: eb7ecd7199
Change-Id: I6f699b73fb6c9a6d9ba1f5873f4745ca76161bee
2016-09-15 19:44:34 +00:00
Fyodor Kupolov
eb7ecd7199
Merge "Allow system_server to delete directories in preloads" am: f23299c547
...
am: 66c10511ee
Change-Id: I17cc645175060c6465b6571d25f31fb6f21c9a91
2016-09-15 19:42:01 +00:00
Fyodor Kupolov
66c10511ee
Merge "Allow system_server to delete directories in preloads"
...
am: f23299c547
Change-Id: I5a9bc357635f8567ecd37a1041c1330decb43f0f
2016-09-15 19:40:02 +00:00
Treehugger Robot
f23299c547
Merge "Allow system_server to delete directories in preloads"
2016-09-15 18:18:24 +00:00
Janis Danisevskis
7f15e76463
Allow debuggerd execmem on debuggable domains am: 071b935d0b
am: 241f358f73
...
am: 254e36b3ab
Change-Id: I565ea7d7d4ff14d072b5f07f123437b4d9324570
2016-09-15 16:36:31 +00:00
Janis Danisevskis
254e36b3ab
Allow debuggerd execmem on debuggable domains am: 071b935d0b
...
am: 241f358f73
Change-Id: Icf5fcaf9725bfb5dd01fcba0d8e88229e359e27e
2016-09-15 16:33:31 +00:00
Fyodor Kupolov
3189945192
Allow system_server to delete directories in preloads
...
(cherry picked from commit 028ed753b5)
avc: denied { rmdir } for name="apps" scontext=u:r:system_server:s0 tcontext=u:object_r:preloads_data_file:s0 tclass=dir permissive=0
avc: denied { rmdir } for name="demo" scontext=u:r:system_server:s0 tcontext=u:object_r:preloads_data_file:s0 tclass=dir permissive=0
Bug: 28855287
Change-Id: Ia470f94d1d960cc4ebe68cb364b8425418acdbd4
2016-09-15 09:31:05 -07:00
Janis Danisevskis
241f358f73
Allow debuggerd execmem on debuggable domains
...
am: 071b935d0b
Change-Id: I77d1b7c6797d1401abc5e49617090f2e55cee2f6
2016-09-15 16:31:00 +00:00
Janis Danisevskis
071b935d0b
Allow debuggerd execmem on debuggable domains
...
In anticipation of fixing a loophole in the Linux kernel that allows
circumventing the execmem permission by using the ptrace interface,
this patch grants execmem permission on debuggable domains to
debuggerd. This will be required for setting software break points
once the kernel has been fixed.
Bug: 31000401
Change-Id: I9b8d5853b643d24b94d36e2adbcb135dbaef8b1e
2016-09-15 15:11:31 +01:00
Janis Danisevskis
8963e93709
Merge "Allow keystore to access KeyAttestationApplicationIDProviderService" am: 1a640f327d
am: 8e74f2f817
...
am: 5c3b1cdd67
Change-Id: Ie2e274a54e545f60f1989b0518bcfa0b8b8f5d86
2016-09-14 21:36:03 +00:00
Janis Danisevskis
5c3b1cdd67
Merge "Allow keystore to access KeyAttestationApplicationIDProviderService" am: 1a640f327d
...
am: 8e74f2f817
Change-Id: I4927882190874226b2d1ca6a5f824552988a02e0
2016-09-14 21:33:04 +00:00
Janis Danisevskis
8e74f2f817
Merge "Allow keystore to access KeyAttestationApplicationIDProviderService"
...
am: 1a640f327d
Change-Id: Ic6cd61685cd27b4a9213697eb24870aea91b0542
2016-09-14 21:29:32 +00:00
Treehugger Robot
1a640f327d
Merge "Allow keystore to access KeyAttestationApplicationIDProviderService"
2016-09-14 21:11:00 +00:00
Jeff Vander Stoep
3bece26358
Merge "nfc: allow access to drmserver_service" am: 52c8adb34a
am: 2c24ec8bb3
...
am: 6ce7513653
Change-Id: I887115494152054ef34b59277586f0b9acf1f244
2016-09-14 20:09:51 +00:00
Jeff Vander Stoep
6ce7513653
Merge "nfc: allow access to drmserver_service" am: 52c8adb34a
...
am: 2c24ec8bb3
Change-Id: I13929222fe188267325cd253658955ddcb9986f6
2016-09-14 20:06:51 +00:00
Jeff Vander Stoep
2c24ec8bb3
Merge "nfc: allow access to drmserver_service"
...
am: 52c8adb34a
Change-Id: Icc1dacfe3e9009c777a697e9c16884d8be7d2b50
2016-09-14 20:03:54 +00:00
Takahiro Aizawa
37ef3e7393
Merge "selinux: Update policies for mediadrmserver" am: 0dc5d020ac
am: 75bbefc03a
...
am: 61043ff5cc
Change-Id: If57b451077f26912d74319aa896624863fd91063
2016-09-14 20:03:36 +00:00
Tianjie Xu
bca360b38a
Add sepolicy for update_verifier am: 59379d8b48
am: 8a521266d2
...
am: 88fae39798
Change-Id: I19c7703f134836dc4f91c77590441588fa9386cd
2016-09-14 20:03:36 +00:00
Tao Bao
1d2cbf4baf
update_verifier: Allow searching /dev/block. am: 1e17dafc6d
am: 58a3175c80
...
am: a3e136f897
-s ours
Change-Id: Ic476faeadb47bdb8d8a1f9f6e93721f71ac843f3
2016-09-14 20:03:25 +00:00
Treehugger Robot
52c8adb34a
Merge "nfc: allow access to drmserver_service"
2016-09-14 19:59:19 +00:00
Takahiro Aizawa
61043ff5cc
Merge "selinux: Update policies for mediadrmserver" am: 0dc5d020ac
...
am: 75bbefc03a
Change-Id: I2b3f2c7f1315d25a3d3ae66768fed3fcd4c4e079
2016-09-14 19:48:58 +00:00
Tianjie Xu
88fae39798
Add sepolicy for update_verifier am: 59379d8b48
...
am: 8a521266d2
Change-Id: I3c504611c5a17ff2311ab961f5c1e92e13955582
2016-09-14 19:48:58 +00:00
Tao Bao
a3e136f897
update_verifier: Allow searching /dev/block. am: 1e17dafc6d
...
am: 58a3175c80
Change-Id: I1a421302231862c24ec7750d72e4a37b46ac5675
2016-09-14 19:48:55 +00:00
Takahiro Aizawa
75bbefc03a
Merge "selinux: Update policies for mediadrmserver"
...
am: 0dc5d020ac
Change-Id: Ie03dd802e556b881c17ffe1701312e025ad75491
2016-09-14 19:42:57 +00:00
Tianjie Xu
8a521266d2
Add sepolicy for update_verifier
...
am: 59379d8b48
Change-Id: Ifb74c4dc2b611edd3549a0882faaa85d14654b32
2016-09-14 19:42:57 +00:00