Change fb889f23d "Force expand all hal_* attributes" annotated all
hal_* attributes to be expanded to their associated types. However
some of these attributes are used in CTS for neverallow checking.
Mark these attributes to be preserved.
In addition, remove the hacky workaround introduced in oc-dev
for b/62658302 where extraneous neverallow rules were introduced
to prevent unused or negated attributes from being auto-expanded
from policy.
Bug: 62658302
Bug: 63135903
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.cts.security.SELinuxNeverallowRulesTest
armeabi-v7a CtsSecurityHostTestCases completed in 4s.
501 passed, 0 failed, 0 not executed
Change-Id: I989def70a16f66e7a18bef1191510793fbe9cb8c

The code used to look like this, but in commit
4cae28d43c we replaced the generic
regexes to improve performance. Now that we've switched to genfs,
this no longer affects performance, so let's simplify the labeling.
Bug: 62413700
Test: Built, flashed, and booted two devices. Verified that all of
the files have the correct context and that wifi, camera, and traceur
work.
Change-Id: I1a859d17075fa25543ee090cc7a7478391bc45c1

This should slightly improve performance, as file_contexts is slower
than genfs_contexts.
Now that the kernel patch enabling genfs labeling of tracefs has
landed, we can re-enable this.
Bug: 62413700
Test: Built, flashed, and booted two devices. Verified that all of
the files have the correct context and that wifi, camera, and traceur
work.
Change-Id: Ifc1c6ac634b94e060ed1f311049bd37f6fcc8313

Commits 7fa51593c8 and
92fdd8954f removed the
tracing_shell_writable and tracing_shell_writable_debug types, and
relabeled the files with debugfs_tracing and debugfs_tracing_debug,
respectively. Record this in the compatibility file so that vendor
policy using these types will still work.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: Ic6573518035514a86abe2081483431427612699e

Commit: abb1ba6532 added policy for a
new property, which was not present in O. This policy introduced a
new type. Record it as such.
Bug: 62573845
Test: None, prebuilt change only.
Change-Id: I7d90cd69a5e6e29677598cc109676d5b1ce5ba05

Commit: bde5c8013d added a new type,
mediaprovider, which is being applied to an object (process) formerly
labeled as priv_app. Add the new type to the versioned attribute for
priv_app so that any vendor policy written for interaction with
mediaprovider continues to work.
Bug: 62573845
Test: None. Prebuilt-only change.
Change-Id: Id98293369401a2af23c2328a1cb4a5bb2258aac8

Commit: 50889ce0eb added policy for a
new service, which was not present in O. This policy introduced a
new type. Record it as such.
Bug: 62573845
Test: None, prebuilt change only.
Change-Id: If9cfaff813c47d3b1c8374e8abfb4aedb902d486

Commit: 11bfcc1e96 added policy for
a new socket which was not present in O. This socket has a new
type associated with it. Record the type as a new type so that
compatibility testing will not complain.
Bug: 62573845
Test: None, prebuilt change only.
Change-Id: I375fc9ca0bd201e277a0302d9b34c0da0eb40fbd

Commit 5f573ab2aa added policy for
the additions of upstream fs tools. Make sure the new types are
denoted as such (no object relabeling needs to be done) and that
objects which are relabeled are.
Bug: 35219933
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I6515e05ebc60ca08e98029f471cf2861826036fc

Logs show that only dumpstate requires access.
avc: granted { read open } for comm="screencap" path="/dev/ion"
dev="tmpfs" ino=14324 scontext=u:r:dumpstate:s0
tcontext=u:object_r:ion_device:s0 tclass=chr_file
avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs"
ino=14324 ioctlcmd=4906 scontext=u:r:dumpstate:s0
tcontext=u:object_r:ion_device:s0 tclass=chr_file
Grant ion permission to dumpstate, which uses it for the screencap
feature.
Bug: 28760354
Test: build. Check logs.
Change-Id: I6435b7dbf7656669dac5dcfb205cf0aeda93991b
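
The last message derives an allow rule from "avc: granted" log records. The following is an added example, not code from the Android sepolicy project or from any of the commit messages above: it parses avc records (granted or denied), aggregates permissions per (source domain, target type, class), and prints the corresponding allow rule, plus an allowxperm rule when an ioctlcmd is present. The two "granted" records are the ones quoted in the commit message; the third "denied" record is constructed to exercise the other verdict. It assumes the kernel prints ioctlcmd as hex digits without a 0x prefix (4906 is an ioctl with magic 'I', 0x49, which is ION's), and, as the commit does, that the output is a starting point for review rather than a rule to paste in: CTS neverallow checks will reject overbroad results.

```python
import re
from collections import defaultdict

# Constructed sample input: the two "granted" lines quoted in the commit
# message above, plus one constructed "denied" line for an unrelated domain.
SAMPLE_LOG = """\
avc: granted { read open } for comm="screencap" path="/dev/ion" dev="tmpfs" ino=14324 scontext=u:r:dumpstate:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file
avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs" ino=14324 ioctlcmd=4906 scontext=u:r:dumpstate:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file
avc: denied { read } for comm="foo" name="ion" dev="tmpfs" ino=14324 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)
# Assumption: ioctlcmd is printed in hex, with or without a 0x prefix.
IOCTL_RE = re.compile(r'ioctlcmd=(?:0x)?(?P<cmd>[0-9a-fA-F]+)')


def context_type(ctx):
    """Extract the type field: u:r:dumpstate:s0 -> dumpstate,
    u:object_r:ion_device:s0 -> ion_device."""
    return ctx.split(':')[2]


def parse_avc(text):
    """Parse avc records into dicts; lines that are not avc records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        ioctl = IOCTL_RE.search(line)
        records.append({
            'verdict': m['verdict'],
            'perms': m['perms'].split(),
            'source': context_type(m['scontext']),
            'target': context_type(m['tcontext']),
            'tclass': m['tclass'],
            'ioctlcmd': int(ioctl['cmd'], 16) if ioctl else None,
        })
    return records


def rules_from_records(records, verdict='granted'):
    """Aggregate records with the given verdict into allow / allowxperm rules,
    one allow rule per (source, target, class) triple, sorted for stable output."""
    perms = defaultdict(set)
    xperms = defaultdict(set)
    for r in records:
        if r['verdict'] != verdict:
            continue
        key = (r['source'], r['target'], r['tclass'])
        perms[key].update(r['perms'])
        if r['ioctlcmd'] is not None:
            xperms[key].add(r['ioctlcmd'])
    out = []
    for key in sorted(perms):
        src, tgt, cls = key
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms[key]))} }};")
        if xperms[key]:
            cmds = ' '.join(f'0x{x:04x}' for x in sorted(xperms[key]))
            out.append(f"allowxperm {src} {tgt}:{cls} ioctl {{ {cmds} }};")
    return out


if __name__ == '__main__':
    recs = parse_avc(SAMPLE_LOG)
    for rule in rules_from_records(recs, 'granted'):
        print(rule)
```

For the quoted records this yields one allow rule for dumpstate on ion_device:chr_file with read, open and ioctl, and an allowxperm rule restricting the ioctl to 0x4906; the constructed untrusted_app denial is only emitted when asked for the 'denied' verdict, and is exactly the kind of rule that should not be added without reviewing why the access was attempted.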