tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
22806 commits 1 branch 0 tags 50 MiB
Commit graph

22806 commits

This branch
This branch
All branches
Author SHA1 Message Date
Treehugger Robot
b4d3c575b3 Merge "Allow init to stat the root directory of FUSE filesystems." 2020-02-14 20:40:28 +00:00
Treehugger Robot
429ce33777 Merge "perfetto: allow producers to supply shared memory" 2020-02-14 19:59:49 +00:00
Songchun Fan
ff40f150e8 Merge changes Ie973be6b,Ie090e085 
* changes:
  permissions for incremental control file
  new label for incremental control files
 2020-02-14 18:00:02 +00:00
Martijn Coenen
a0fa53ead6 Allow init to stat the root directory of FUSE filesystems. 
init has a mount handler that stats mount-points for block devices; on
devices without sdcardfs, that handler will stat the FUSE filesystem,
since we have a bindmount on FUSE to the lower filesystem, which is an
actual block device.

Test: no more denial on cf without sdcardfs
Change-Id: Idb351f5ccba00440f4f8b39616de76336bb81a1b
 2020-02-14 17:17:36 +01:00
George Chang
9cc657e43e Merge "Add sepolicy for persist.nfc_cfg." 2020-02-14 11:37:33 +00:00
Treehugger Robot
98d0a95753 Merge "access_vectors: add lockdown class" 2020-02-14 10:18:17 +00:00
Treehugger Robot
16e12a5ee3 Merge "Update selinux policy for statsd apex" 2020-02-14 04:43:51 +00:00
stevensd
e3e16a313b Merge "selinux policy for buffer queue config" 2020-02-14 02:54:20 +00:00
Jeffrey Huang
baacdfa48b Update selinux policy for statsd apex 
Bug: 145923087
Test: m -j
Change-Id: I6197e6005d7c6e5c69b42de54f07965798663565
 2020-02-13 15:42:23 -08:00
Nick Kralevich
e4686b4d8e access_vectors: add lockdown class 
Needed to support upstream patch
59438b4647

Bug: 148822198
Test: compiles
Change-Id: I304c1a97c12067dd08d4ceef93702101908012ed
 2020-02-13 13:05:54 -08:00
Songchun Fan
3922253de9 permissions for incremental control file 
=== for mounting and create file ===

02-12 21:09:41.828   593   593 I Binder:593_2: type=1400 audit(0.0:832): avc: denied { relabelto } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:833): avc: denied { read } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:834): avc: denied { open } for path="/data/incremental/MT_data_incremental_tmp_1485189518/mount/.pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:835): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:836): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.841  1429  1429 I PackageInstalle: type=1400 audit(0.0:837): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

=== for reading signature from file ===
02-12 21:09:47.931  8972  8972 I android.vending: type=1400 audit(0.0:848): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-12 21:09:47.994  1429  1429 I AppIntegrityMan: type=1400 audit(0.0:849): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
02-12 21:09:50.034  8972  8972 I com.android.vending: type=1400 audit(0.0:850): avc: denied { ioctl } for comm=62674578656375746F72202332 path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-12 21:09:52.914  1429  1429 I PackageManager: type=1400 audit(0.0:851): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

=== data loader app reading from log file ===
02-12 22:09:19.741  1417  1417 I Binder:1417_3: type=1400 audit(0.0:654): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 22:09:19.741 15903 15903 I Binder:15903_4: type=1400 audit(0.0:655): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

Test: manual with incremental installation
BUG: 133435829
Change-Id: Ie973be6bc63faf8fe98c9e684060e9c81d124e6e
 2020-02-13 12:53:36 -08:00
Songchun Fan
b1512f3ab7 new label for incremental control files 
Test: manual with incremental installation
Test: coral:/data/incremental/MT_data_incremental_tmp_1658593565/mount # ls -lZ .pending_reads
Test: -rw-rw-rw- 1 root root u:object_r:incremental_control_file:s0  0 1969-12-31 19:00 .pending_reads
BUG: 133435829
Change-Id: Ie090e085d94c5121bf61237974effecef2dcb180
 2020-02-13 12:52:51 -08:00
Songchun Fan
d9b78b4c84 remove incfs genfscon label 
Test: manual with incremental installation
BUG: 133435829
Change-Id: I8b38db18851a5b3baf925be621de3eb0e83efbb4
 2020-02-13 08:44:48 -08:00
David Stevens
3942fe1682 selinux policy for buffer queue config 
Test: boot and check for no policy violations

Change-Id: I1ea2a79b9a45b503dcb061c196c5af1d0ddab653
 2020-02-13 20:11:47 +09:00
Treehugger Robot
d39a906a25 Merge "property_contexts: add location cache" 2020-02-13 04:27:21 +00:00
George Chang
db1dbd94a1 Add sepolicy for persist.nfc_cfg. 
Add a new nfc_cfg persist property for nfc features

Bug: 142626304
Test: set property and load target files.
Change-Id: I853c97e8113dbcf729cf59ad45895402b0c82b3e
 2020-02-12 16:20:52 +00:00
Alex Hong
5f6290f3a9 Update Q sepolicy prebuilt 
This updates 29.0 api for dumpstate restart control property contexts

Bug: 147730517
Change-Id: I0aa7450dc0fb34de321cf8d2ba357b2ecabbcf43
 2020-02-12 12:07:43 +08:00
Songchun Fan
2ddfad3709 Merge "Use setxattr for incremental-fs" 2020-02-11 23:56:51 +00:00
Songchun Fan
ecafc55b70 Use setxattr for incremental-fs 
BUG: b/133435829
Test: manual
Change-Id: I782f2041da5824fe28917789208e00d6ed10de79
 2020-02-11 14:33:08 -08:00
Kenny Root
4def25f171 Merge "rebootescrow: allow dumpstate to call via binder" 2020-02-11 21:25:29 +00:00
Songchun Fan
fcbfe3155f Merge "selinux rules for apk files installed with Incremental" 2020-02-11 21:24:04 +00:00
Wei Wang
a3b19be219 Merge "grant power hal client to access stable power hal service" 2020-02-11 17:18:38 +00:00
Kenny Root
7ae220742c rebootescrow: allow dumpstate to call via binder 
Allow dumpstate to call into rebootescrow to request debug information.

Bug: 148763226
Test: adb bugreport
Change-Id: Ib336cab755998b1ddcd7848b3e544c2e0f09c1aa
 2020-02-10 21:28:32 -08:00
Jerry Chang
e8b7cecad3 Merge "sepolicy: new prereboot_data_file type" 2020-02-11 02:49:29 +00:00
Alec Mouri
c95ae9044d Merge "Update sepolicy to allow pushing atoms from surfaceflinger to statsd" 2020-02-11 01:01:20 +00:00
Treehugger Robot
d13e12f9cc Merge "Allow dumpstate access to /dev/binderfs/binder_logs" 2020-02-11 00:40:23 +00:00
Wei Wang
e55f2318d5 grant power hal client to access stable power hal service 
Bug: 147913776
Test: Build
Change-Id: Ibf0d6b7b5b4ac71994de53922d9ce685bdc5f704
 2020-02-10 16:32:35 -08:00
Jon Spivack
a85454834d Merge "Revert "Add sepolicy for persist.nfc"" 2020-02-10 23:42:41 +00:00
Hridya Valsaraju
4ea5709bc4 Allow dumpstate access to /dev/binderfs/binder_logs 
These permissions allow dumpstate to access binder logs
from /dev/binderfs.
avc: denied { read } for name="binder_logs" dev="binder" ino=1048580
scontext=u:r:dumpstate:s0 tcontext=u:object_r:binderfs_logs:s0 tclass=dir permissive=0
avc: denied { read } for comm="dumpstate" name="failed_transaction_log"
dev="binder" ino=1048585 scontext=u:r:dumpstate:s0
tcontext=u:object_r:binderfs_logs:s0 tclass=file permissive=1
avc: denied { open } for comm="dumpstate"
path="/dev/binderfs/binder_logs/failed_transaction_log"
dev="binder" ino=1048585 scontext=u:r:dumpstate:s0
tcontext=u:object_r:binderfs_logs:s0 tclass=file permissive=1
avc: denied { getattr } for comm="dumpstate"
path="/dev/binderfs/binder_logs/failed_transaction_log"
dev="binder" ino=1048585 scontext=u:r:dumpstate:s0
tcontext=u:object_r:binderfs_logs:s0 tclass=file permissive=1

Test: adb shell dumpstate
Bug: 136497735
Change-Id: I5ff7223e431aab9baa3527570fff2da71ab6feb0
 2020-02-10 12:47:35 -08:00
Jon Spivack
c7bc7ee309 Revert "Add sepolicy for persist.nfc" 
This reverts commit 34240604aa.

Reason for revert: Droidcop: Potential culprit for Bug149218822- verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.

Change-Id: Iaba9f6e9125ac456a5787b1fcbb67d68c91c5f42
 2020-02-10 19:08:31 +00:00
Alec Mouri
b254ff2d5b Update sepolicy to allow pushing atoms from surfaceflinger to statsd 
Bug: 148543048
Test: builds
Test: statsd_testdrive
Change-Id: I8ea6659d575fa2e7e5961dc1fea3219c238c9e41
 2020-02-10 09:50:53 -08:00
Tim Murray
e61c1c98f6 property_contexts: add location cache 
Add support for isLocationEnabledForUser caching.

Test: location cache works
Bug: 140788621
Change-Id: Ic42da5ce770b21ff2304dec176b8761aed75ea20
 2020-02-10 09:33:44 -08:00
Treehugger Robot
8b02ee96f1 Merge "property_contexts: add cache for getDisplayInfo." 2020-02-10 17:29:04 +00:00
Nikita Ioffe
4119b07d1b Merge "Add userspace_reboot_log_prop" 2020-02-10 17:22:03 +00:00
Treehugger Robot
d21ecebb27 Merge "Reland: Rework platform version to hide codenames." 2020-02-10 15:58:38 +00:00
Treehugger Robot
036eb2518d Merge "Add sepolicy for persist.nfc" 2020-02-10 11:15:36 +00:00
Treehugger Robot
219137d6ca Merge "Move some properties to system_vendor_config_prop" 2020-02-09 01:38:26 +00:00
Anton Hansson
88ab8e9c75 Merge "Remove "ro." prefix from sdk extension props" 2020-02-08 11:26:57 +00:00
Inseob Kim
2597b513b3 Move some properties to system_vendor_config_prop 
system_vendor_config_prop defines a property contexts which can only be
set from vendor_init. It is one of the mostly used patterns of system
properties. This migrates some properties to help readability and
security.

Bug: 148125056
Test: system/sepolicy/build_policies.sh
Change-Id: I6b53ef520331b32417ad59f4daa04bdfc077f682
 2020-02-08 08:34:17 +09:00
Treehugger Robot
d832c69a94 Merge "Add macros for vendor_init writeonce properties" 2020-02-07 22:17:42 +00:00
Songchun Fan
3cf7d1b5ee Merge "selinux rules for loading incremental module" 2020-02-07 19:33:08 +00:00
Anton Hansson
3c7cc7a896 Remove "ro." prefix from sdk extension props 
It needs to be reset during userspace reboot, so isn't
readonly.

Bug: 148668435
Test: presubmit
Change-Id: If6b5f15eb7ade143a939c815bf8787659ceeb951
 2020-02-07 19:04:06 +00:00
Treehugger Robot
571dbd9e58 Merge "Add TEST_MAPPING for pre-submit tests" 2020-02-07 18:36:09 +00:00
Tim Murray
541ab34a0c property_contexts: add cache for getDisplayInfo. 
Test: getDisplayInfo works
Bug: 140788621
Change-Id: I131b9b34b9d2814ab2b2f95e5cef3635a67765e2
 2020-02-07 10:07:01 -08:00
Jeffrey Huang
53114d6184 Merge "GpuService binder call StatsManagerService" 2020-02-07 18:03:26 +00:00
Jeffrey Huang
aac4b2f8c0 Merge "Allow system server to add StatsHal" 2020-02-07 18:03:04 +00:00
Songchun Fan
99d9374760 selinux rules for loading incremental module 
Defining incremental file system driver module, allowing vold to load
and read it.

=== Denial messages ===
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:507): avc: denied { read } for name="incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:508): avc: denied { open } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:509): avc: denied { sys_module } for capability=16 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:510): avc: denied { module_load } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=system permissive=1

Test: manual
BUG: 147371381
Change-Id: I5bf4e28c28736b4332e7a81c344ce97ac7278ffb
 2020-02-07 09:52:34 -08:00
Songchun Fan
020e3ab035 selinux rules for apk files installed with Incremental 
Apk files installed with Incremental are actually stored under the
/data/incremental directory.

Since files under /data/incremental are labeled as apk_file_data, we
need additional permissions to enable an apk installation.

Denial messages:

=== vold ===
02-04 14:22:45.756   599   599 I Binder:599_3: type=1400 audit(0.0:607): avc: denied { read } for name="mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.756   599   599 I Binder:599_3: type=1400 audit(0.0:608): avc: denied { open } for path="/data/incremental/data_incremental_tmp_792314038/mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.760   599   599 I Binder:599_3: type=1400 audit(0.0:609): avc: denied { mounton } for path="/data/incremental/data_incremental_tmp_792314038/mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.766  1431  1431 I PackageInstalle: type=1400 audit(0.0:620): avc: denied { read write open } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/.index/f5c14952f6dde3b4a77a94e45388c012" dev="dm-5" ino=897 scontext=u:r:vold:s0
02-04 14:22:45.923  1431  1431 I PackageManager: type=1400 audit(0.0:637): avc: denied { write } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_5_0" dev="dm-5" ino=896 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:47.326  8839  8839 I android.vending: type=1400 audit(0.0:658): avc: denied { read write open } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_6_1/flipboard.app-KPIT2MBSpQYWG-USITOftw==/base.apk" dev="dm-5" ino=899 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:623): avc: denied { getattr } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:624): avc: denied { read } for name="vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:625): avc: denied { open } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:627): avc: denied { mounton } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1

02-04 15:32:02.386   591   591 I Binder:591_4: type=1400 audit(0.0:537): avc: denied { search } for name="incremental" dev="dm-5" ino=120 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1

=== system_app ===
02-04 14:22:45.793  5064  5064 I Binder:5064_1: type=1400 audit(0.0:633): avc: denied { write } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_5_0/base.apk" dev="dm-5" ino=899 scontext=u:r:system_app:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1

Test: manual
BUG: 133435829
Change-Id: I70f25a6e63dd2be87ccbe9fb9e9d50fa64d88c36
 2020-02-07 16:34:42 +00:00
Martijn Coenen
e7c8f0425d Merge "Allow vold FS_IOC_{GET|SET}FLAGS ioctl." 2020-02-07 10:29:14 +00:00
Treehugger Robot
3d44d91d0b Merge "sepolicy: rename use_smart_90_for_video -> use_content_detection_for_refresh_rate" 2020-02-07 03:11:52 +00:00