Commit graph

23125 commits

Author SHA1 Message Date
Automerger Merge Worker
be2679723d Merge "priv_app: Remove permissions for selinuxfs" am: ffd496776a am: 6277ff1c53
Change-Id: Id93ffd3a164a8cfaed8794d2f3fb7c62e188011a
2020-01-22 01:57:53 +00:00
Automerger Merge Worker
ae79b55dec Merge "recovery: Allow BLKPBSZGET on cache_block_device" am: 3862b2778f am: 1bd4ac4990
Change-Id: Ib92f2fb2cdf8a507465cf8dce5325cb67dbe84d0
2020-01-22 01:57:34 +00:00
Ashwini Oruganti
6277ff1c53 Merge "priv_app: Remove permissions for selinuxfs"
am: ffd496776a

Change-Id: If572d29334dd58952adbb87e66f2c43b015a256f
2020-01-21 17:42:44 -08:00
Alistair Delva
1bd4ac4990 Merge "recovery: Allow BLKPBSZGET on cache_block_device"
am: 3862b2778f

Change-Id: I11c9ac93c84da9755ea27c749bac8862625a665f
2020-01-21 17:42:12 -08:00
Ashwini Oruganti
ffd496776a Merge "priv_app: Remove permissions for selinuxfs" 2020-01-22 01:38:11 +00:00
Alistair Delva
3862b2778f Merge "recovery: Allow BLKPBSZGET on cache_block_device" 2020-01-22 01:32:51 +00:00
Ashwini Oruganti
db553aa416 priv_app: Remove permissions for selinuxfs
Looking at go/sedenials, we see this permission being used by
MediaProvider like so:

type=1400 audit(0.0:3651): avc: granted { getattr } for comm=4173796E635461736B202331 path="/sys/fs/selinux/class/tipc_socket/perms/recvfrom" dev="selinuxfs" ino=67111391 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file app=com.google.android.providers.media.module

... and numerous other directories, apparently from a filesystem walk.

It appears that this permission should not be granted to all priv-apps
now that GMS core has been split out into its own domain. This change
removes the permission for the priv_app domain and the corresponding
auditallow.

Bug: 147833123
Test: TH
Change-Id: I88146785c7ac3a8c15fe9b5f34f05d936f08ea48
2020-01-21 15:30:12 -08:00
Automerger Merge Worker
6951ed98f3 Merge "Allow isolated_app to use TCP and UDP sockets brokered over IPC." am: 3689c1481a am: 72fc061517
Change-Id: Icd06374ccba7792ddcac14678af336a743fa68d9
2020-01-21 22:34:26 +00:00
Automerger Merge Worker
771c280d2b Merge "More neverallows for default_android_service." am: 64c8ddb123 am: 41e8d29253
Change-Id: If85ee5cf3190d6e777afe3d3bc13fd44c380e76a
2020-01-21 22:33:47 +00:00
Robert Sesek
72fc061517 Merge "Allow isolated_app to use TCP and UDP sockets brokered over IPC."
am: 3689c1481a

Change-Id: Ia7a95ebc33cc55c1fe6176a9790e0047cf8f7661
2020-01-21 14:20:45 -08:00
Steven Moreland
41e8d29253 Merge "More neverallows for default_android_service."
am: 64c8ddb123

Change-Id: I54336f7f52cbd19b56ea6c6584a921d655d23f71
2020-01-21 14:18:44 -08:00
Robert Sesek
3689c1481a Merge "Allow isolated_app to use TCP and UDP sockets brokered over IPC." 2020-01-21 21:38:40 +00:00
Steven Moreland
64c8ddb123 Merge "More neverallows for default_android_service." 2020-01-21 21:31:57 +00:00
Automerger Merge Worker
d33a22ff31 Merge "Add sysprop for init's perf_event_open LSM hook check" am: c9cc4001e4 am: 0aa85a1806
Change-Id: I921dd52b876f6cc7d423c7f67e627b071337a650
2020-01-21 20:51:52 +00:00
Automerger Merge Worker
2f75747305 Sepolicy update for Automotive Display Service am: 741b9cd5ac am: 8f52ce8bea
Change-Id: I15b92a6128e14c782cebbc2510c1cf7e5fa7b721
2020-01-21 20:51:40 +00:00
Ryan Savitski
0aa85a1806 Merge "Add sysprop for init's perf_event_open LSM hook check"
am: c9cc4001e4

Change-Id: I6368382ceb506893015f80eefa63a67417ea9bfb
2020-01-21 12:46:28 -08:00
Haoxiang Li
8f52ce8bea Sepolicy update for Automotive Display Service
am: 741b9cd5ac

Change-Id: I569cc5b9b628cc7ee81ad263748756010404a487
2020-01-21 12:41:11 -08:00
Ryan Savitski
c9cc4001e4 Merge "Add sysprop for init's perf_event_open LSM hook check" 2020-01-21 20:40:50 +00:00
Steven Moreland
a30464c06e More neverallows for default_android_service.
We don't want to accidentally allow this, and a neverallow also means
that the issue will be found during development, instead of review.

Fixes: 148081219
Test: compile policy only
Change-Id: I57990a2a4ab9e5988b09dae2dd6a710ce8f53800
2020-01-21 11:13:22 -08:00
Ryan Savitski
52b3d315a2 Add sysprop for init's perf_event_open LSM hook check
Written exclusively by init. Made it readable by shell for CTS, and for
easier platform debugging.

Bug: 137092007
Change-Id: Ia5b056117502c272bc7169661069d0c8020695e2
2020-01-21 19:03:33 +00:00
Haoxiang Li
741b9cd5ac Sepolicy update for Automotive Display Service
Bug: 140395359
Test: make sepolicy -j
Change-Id: Ib6ddf55210d8a8ee4868359c88e3d177edce9610
Signed-off-by: Changyeon Jo <changyeon@google.com>
2020-01-21 18:43:27 +00:00
Alistair Delva
07e6aa994a recovery: Allow BLKPBSZGET on cache_block_device
The comment in this file acknowledges that this is needed for "Wipe
data/cache", however it does not actually grant the permission for
cache_block_device. Add it. Fixes a denial seen on cuttlefish:

avc:  denied  { ioctl } for  pid=223 comm="mke2fs"
  path="/dev/block/vda3" dev="tmpfs" ino=486 ioctlcmd=0x127b
  scontext=u:r:recovery:s0 tcontext=u:object_r:cache_block_device:s0
  tclass=blk_file permissive=0

Bug: 146898312
Change-Id: I82b9975085c027941c970ca44dbb1a7a370295fa
2020-01-21 16:34:42 +00:00
Automerger Merge Worker
7900c7f08b Revert "untrusted_app_29: add new targetSdk domain" am: 1d241db7e5 am: c5cc25ec03
Change-Id: I6097aa999bedecdd3ae9840181d16a84b204e2b8
2020-01-21 12:47:14 +00:00
Santiago Seifert
c5cc25ec03 Revert "untrusted_app_29: add new targetSdk domain"
am: 1d241db7e5

Change-Id: Ic7dbb89c4feca5cfca0449bbe67d6b361186ada9
2020-01-21 04:32:13 -08:00
Santiago Seifert
1d241db7e5 Revert "untrusted_app_29: add new targetSdk domain"
This reverts commit a1aa2210a9.

Reason for revert: Potential culprit for Bug b/148049462 - verifying through Forrest before revert submission

Change-Id: Ibe4fa1dee84defde324deca87d9de24a1cc2911a
2020-01-21 11:35:24 +00:00
Automerger Merge Worker
49303f5f68 untrusted_app_29: add new targetSdk domain am: a1aa2210a9 am: cc7cc7b562
Change-Id: I333c79f0f2353fdee1cfc6d3e69a6aad930d3056
2020-01-20 19:13:05 +00:00
Jeff Vander Stoep
cc7cc7b562 untrusted_app_29: add new targetSdk domain
am: a1aa2210a9

Change-Id: I28af036bc87fe7152e91c194f44045e2b71b6af5
2020-01-20 11:05:00 -08:00
Jeff Vander Stoep
a1aa2210a9 untrusted_app_29: add new targetSdk domain
Enforce new requirements on apps with targetSdkVersion=30 including:
- No bind() on netlink route sockets.
- No RTM_GETLINK on netlink route sockets.

Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.

Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Change-Id: Iad4d142c0c13615b4710d378bc1feca4d125b6cc
2020-01-20 15:31:52 +01:00
Automerger Merge Worker
54b47f91df Merge "Make the sepolicy for gsid cleaner" am: 6ec3b17b43 am: 24beb9b5c5
Change-Id: I898eb8c0ac7006b77f9aaa89bc5c118a76b3aaae
2020-01-20 03:01:23 +00:00
Howard Chen
24beb9b5c5 Merge "Make the sepolicy for gsid cleaner"
am: 6ec3b17b43

Change-Id: I9b609f53e1a7236709f0ec12dedc5a1da9d2b57e
2020-01-19 18:52:38 -08:00
Howard Chen
6ec3b17b43 Merge "Make the sepolicy for gsid cleaner" 2020-01-20 02:47:39 +00:00
Automerger Merge Worker
46c443759b Merge "add dontaudit dnsmasq kernel:system module_request" am: a712b3dbd3 am: 56ec6f5cfc
Change-Id: Ie7b42dff6aab6d676addcffb904546c3ec566fe5
2020-01-19 19:28:17 +00:00
Maciej Żenczykowski
56ec6f5cfc Merge "add dontaudit dnsmasq kernel:system module_request"
am: a712b3dbd3

Change-Id: I689aba6fa33734aa1ec4ff110b20391dfb625984
2020-01-19 11:20:33 -08:00
Treehugger Robot
a712b3dbd3 Merge "add dontaudit dnsmasq kernel:system module_request" 2020-01-19 19:18:28 +00:00
Automerger Merge Worker
d2950af40a Merge "access_vectors: remove flow_in and flow_out permissions from packet class" am: 73ed785807 am: 1a5f34195b
Change-Id: Idaa018a8313f867a971e77d0fbce304d49b8f89b
2020-01-19 14:37:06 +00:00
Stephen Smalley
1a5f34195b Merge "access_vectors: remove flow_in and flow_out permissions from packet class"
am: 73ed785807

Change-Id: Ia44acdb7f120212a79cd92b1afa8aa3a9ead9e21
2020-01-19 06:20:30 -08:00
Treehugger Robot
73ed785807 Merge "access_vectors: remove flow_in and flow_out permissions from packet class" 2020-01-19 14:17:58 +00:00
Maciej Żenczykowski
4a865b3089 add dontaudit dnsmasq kernel:system module_request
This was originally added due to:
  avc: denied { module_request } for comm="dnsmasq" kmod="netdev-bt-pan" scontext=u:r:dnsmasq:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
in wahoo specific selinux policy in commit cd761300c1cc67cb2be3e001b95317e8a865c5fe 'Allow some denials we have seen.'

This is most likely simply triggered by a race condition on attempting
to access a nonexistent network device 'bt-pan'.

While we've never seen this anywhere else, it could potentially happen
on any device so we might as well make this global...

Test: N/A
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I00f61a5fc2bfce604badf3b96f6ed808157eb78c
2020-01-18 18:22:12 -08:00
Automerger Merge Worker
0c6b19072a Merge "Add file contexts for com.android.extservices APEX." am: 7eca7d1e9b am: 079a18bf42
Change-Id: Iee81444152ae7e5b8f28c6d2e115c62b78290d84
2020-01-18 03:54:36 +00:00
Dario Freni
079a18bf42 Merge "Add file contexts for com.android.extservices APEX."
am: 7eca7d1e9b

Change-Id: Idb44556206acbb72eee61b331e0c9b753041a1ca
2020-01-17 19:44:35 -08:00
Treehugger Robot
7eca7d1e9b Merge "Add file contexts for com.android.extservices APEX." 2020-01-18 03:39:04 +00:00
Automerger Merge Worker
f5cc380442 Merge "sepolicy(wifi): Allow keystore-wificond communication" am: 2bde15c66b am: 8fc3504ac8
Change-Id: I1d3f038ec35c8a49b1a584611a31ca2e275323c8
2020-01-18 01:16:42 +00:00
Sunil Ravi
8fc3504ac8 Merge "sepolicy(wifi): Allow keystore-wificond communication"
am: 2bde15c66b

Change-Id: I31d86ac7ae59e15ef639e5f276c595a576c5eef3
2020-01-17 17:04:30 -08:00
Sunil Ravi
2bde15c66b Merge "sepolicy(wifi): Allow keystore-wificond communication" 2020-01-18 00:57:02 +00:00
Automerger Merge Worker
2f9d693267 Merge "Add policies for permission APEX data directory." am: 4f0bf97b41 am: 587e49e0be
Change-Id: I19c64ad401b5e9c3fbe1831698dbedade9c1e542
2020-01-18 00:04:29 +00:00
Hai Zhang
587e49e0be Merge "Add policies for permission APEX data directory."
am: 4f0bf97b41

Change-Id: I0b0829f6209582b84e02a9c499a74dbd1c428106
2020-01-17 15:52:43 -08:00
Treehugger Robot
4f0bf97b41 Merge "Add policies for permission APEX data directory." 2020-01-17 23:45:54 +00:00
Automerger Merge Worker
ba4e8fd064 Merge "Add rules for an unix domain socket for system_server" am: d1b9526ea0 am: 0542be7d19
Change-Id: I3bd4db791a647e3c168075d83a48eb80e62f5e7b
2020-01-17 22:19:40 +00:00
Sunil Ravi
d8843d1c2e sepolicy(wifi): Allow keystore-wificond communication
Denial log:
1. 10-30 11:02:50.279  wifi  1119  1119 W HwBinder:1119_1:
type=1400 audit(0.0:113): avc: denied { transfer } for
scontext=u:r:wificond:s0 tcontext=u:r:keystore:s0
tclass=binder permissive=0

2. 01-15 16:24:04.214 W/keystore( 1007): type=1400
audit(0.0:109): avc: denied { call } for
scontext=u:r:keystore:s0 tcontext=u:r:wificond:s0
tclass=binder permissive=0

3. 01-16 12:11:19.704 W/keystore( 1021): type=1400
audit(0.0:163): avc: denied { transfer } for
scontext=u:r:keystore:s0 tcontext=u:r:wificond:s0
tclass=binder permissive=0

Bug: 143638513
Bug: 145310496
Test: Installed CA and wifi certificates and connects
to enterprise network.
No selinux denial seen from wificond and keystore.

Change-Id: I9727add13844b1ff1875e493b777e3a294e00ffa
2020-01-17 21:14:25 +00:00
Jing Ji
0542be7d19 Merge "Add rules for an unix domain socket for system_server"
am: d1b9526ea0

Change-Id: I0ceb427b6db004764b234db6939d5a40735c4390
2020-01-17 12:50:03 -08:00