tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
23473 commits 1 branch 0 tags 50 MiB
Commit graph

23473 commits

This branch
This branch
All branches
Author SHA1 Message Date
Mark Salyzyn
c3eb896930 bootstat: enhance last reboot reason property with file backing am: 79f9ca6789 am: d5c3a11681 
Change-Id: Idfd5cd446ca870f0a633d9471d1c8f666e771cbe
 2020-02-14 23:58:12 +00:00
Mark Salyzyn
d5c3a11681 bootstat: enhance last reboot reason property with file backing am: 79f9ca6789 
Change-Id: I45c0026a8436c0ee7052e311591b06a3f3106f9a
 2020-02-14 23:46:10 +00:00
Maciej Żenczykowski
63920a9f22 Merge "grant bpfloader CAP_CHOWN" am: 1d896ff5e5 am: 66b4be49d7 
Change-Id: I7b6a7b642bf63763fb6f94c3865e5a840d8b24c2
 2020-02-14 21:48:48 +00:00
Maciej Żenczykowski
66b4be49d7 Merge "grant bpfloader CAP_CHOWN" am: 1d896ff5e5 
Change-Id: I9667f3b499b44f4264c8dac9abcff3147044c853
 2020-02-14 21:35:07 +00:00
Mark Salyzyn
79f9ca6789 bootstat: enhance last reboot reason property with file backing 
Helps with support of recovery and rollback boot reason history, by
also using /metadata/bootstat/persist.sys.boot.reason to file the
reboot reason.  For now, label this file metadata_bootstat_file.

Test: manual
Bug: 129007837
Change-Id: Id1d21c404067414847bef14a0c43f70cafe1a3e2
 2020-02-14 13:30:21 -08:00
Maciej Żenczykowski
1d896ff5e5 Merge "grant bpfloader CAP_CHOWN" 2020-02-14 21:19:16 +00:00
Treehugger Robot
875b7a9352 Merge "Allow init to stat the root directory of FUSE filesystems." am: b4d3c575b3 am: cbc02c695a 
Change-Id: I83776a7483b00c1a126e4b3bd5e8320129e60609
 2020-02-14 21:11:32 +00:00
Treehugger Robot
cbc02c695a Merge "Allow init to stat the root directory of FUSE filesystems." am: b4d3c575b3 
Change-Id: I9ba637c13c6334e2563e5584fa5b1b09b04206a3
 2020-02-14 20:56:20 +00:00
Treehugger Robot
b4d3c575b3 Merge "Allow init to stat the root directory of FUSE filesystems." 2020-02-14 20:40:28 +00:00
Treehugger Robot
cb085e398f Merge "perfetto: allow producers to supply shared memory" am: 429ce33777 am: 63b0c52392 
Change-Id: I7f5aa7880defd434b69b7981ccfcb18cd19dd468
 2020-02-14 20:28:54 +00:00
Treehugger Robot
63b0c52392 Merge "perfetto: allow producers to supply shared memory" am: 429ce33777 
Change-Id: I231c8ac22c5645e356b7b5ad2c2ca9db6d231f23
 2020-02-14 20:15:51 +00:00
Treehugger Robot
429ce33777 Merge "perfetto: allow producers to supply shared memory" 2020-02-14 19:59:49 +00:00
Songchun Fan
23cb5adc6e Merge changes Ie973be6b,Ie090e085 am: ff40f150e8 am: a403503c57 
Change-Id: I9d06c6f73149786152c637dced2291b5973c1e70
 2020-02-14 18:25:56 +00:00
Songchun Fan
a403503c57 Merge changes Ie973be6b,Ie090e085 am: ff40f150e8 
Change-Id: I027ddb483a7697fa1059f3873ed6eb52ba1f1eb1
 2020-02-14 18:16:13 +00:00
Songchun Fan
ff40f150e8 Merge changes Ie973be6b,Ie090e085 
* changes:
  permissions for incremental control file
  new label for incremental control files
 2020-02-14 18:00:02 +00:00
Martijn Coenen
a0fa53ead6 Allow init to stat the root directory of FUSE filesystems. 
init has a mount handler that stats mount-points for block devices; on
devices without sdcardfs, that handler will stat the FUSE filesystem,
since we have a bindmount on FUSE to the lower filesystem, which is an
actual block device.

Test: no more denial on cf without sdcardfs
Change-Id: Idb351f5ccba00440f4f8b39616de76336bb81a1b
 2020-02-14 17:17:36 +01:00
George Chang
989fcaae3c Merge "Add sepolicy for persist.nfc_cfg." am: 9cc657e43e am: 4fc2a2396a 
Change-Id: Ic3731f6ea1159a1347f2225f4113a5bfe3f901f1
 2020-02-14 12:12:25 +00:00
George Chang
4fc2a2396a Merge "Add sepolicy for persist.nfc_cfg." am: 9cc657e43e 
Change-Id: I612768a6cc57180aa3bf056128a9f95156009e26
 2020-02-14 11:49:02 +00:00
George Chang
9cc657e43e Merge "Add sepolicy for persist.nfc_cfg." 2020-02-14 11:37:33 +00:00
Treehugger Robot
86a25241c5 Merge "access_vectors: add lockdown class" am: 98d0a95753 am: 9c6a92e0e7 
Change-Id: I1a58cebddd76891473aad1b256046eaa3af59b4c
 2020-02-14 10:48:18 +00:00
Treehugger Robot
9c6a92e0e7 Merge "access_vectors: add lockdown class" am: 98d0a95753 
Change-Id: I91e2e21af1c7a4d5b507927ccfb5a9016fd02ec8
 2020-02-14 10:31:33 +00:00
Treehugger Robot
98d0a95753 Merge "access_vectors: add lockdown class" 2020-02-14 10:18:17 +00:00
Treehugger Robot
23a17b4b5d Merge "Update selinux policy for statsd apex" am: 16e12a5ee3 am: 5d360fc02e 
Change-Id: I224138aa6908ac0898735b4dc27f3df84fe0b13f
 2020-02-14 05:11:26 +00:00
Treehugger Robot
5d360fc02e Merge "Update selinux policy for statsd apex" am: 16e12a5ee3 
Change-Id: I65a8d3cffaf0aec75080ef9fd6cf4b5da94e415d
 2020-02-14 04:59:04 +00:00
Treehugger Robot
16e12a5ee3 Merge "Update selinux policy for statsd apex" 2020-02-14 04:43:51 +00:00
stevensd
f3187f3949 Merge "selinux policy for buffer queue config" am: e3e16a313b am: c8f9abad21 
Change-Id: I8ea094448b9ac72740b68e900b365f9e3a03afcc
 2020-02-14 04:03:31 +00:00
stevensd
c8f9abad21 Merge "selinux policy for buffer queue config" am: e3e16a313b 
Change-Id: Iee1983864bdb008cf0149f9ed59905db6264202d
 2020-02-14 03:09:29 +00:00
stevensd
e3e16a313b Merge "selinux policy for buffer queue config" 2020-02-14 02:54:20 +00:00
Jeffrey Huang
baacdfa48b Update selinux policy for statsd apex 
Bug: 145923087
Test: m -j
Change-Id: I6197e6005d7c6e5c69b42de54f07965798663565
 2020-02-13 15:42:23 -08:00
Nick Kralevich
e4686b4d8e access_vectors: add lockdown class 
Needed to support upstream patch
59438b4647

Bug: 148822198
Test: compiles
Change-Id: I304c1a97c12067dd08d4ceef93702101908012ed
 2020-02-13 13:05:54 -08:00
Songchun Fan
6262f99b5a remove incfs genfscon label am: d9b78b4c84 am: b55fd10e0b 
Change-Id: I2f46b66a5a8872797a5a2cfb189e05c55b4047ce
 2020-02-13 21:02:25 +00:00
Songchun Fan
3922253de9 permissions for incremental control file 
=== for mounting and create file ===

02-12 21:09:41.828   593   593 I Binder:593_2: type=1400 audit(0.0:832): avc: denied { relabelto } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:833): avc: denied { read } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:834): avc: denied { open } for path="/data/incremental/MT_data_incremental_tmp_1485189518/mount/.pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:835): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:836): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.841  1429  1429 I PackageInstalle: type=1400 audit(0.0:837): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

=== for reading signature from file ===
02-12 21:09:47.931  8972  8972 I android.vending: type=1400 audit(0.0:848): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-12 21:09:47.994  1429  1429 I AppIntegrityMan: type=1400 audit(0.0:849): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
02-12 21:09:50.034  8972  8972 I com.android.vending: type=1400 audit(0.0:850): avc: denied { ioctl } for comm=62674578656375746F72202332 path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-12 21:09:52.914  1429  1429 I PackageManager: type=1400 audit(0.0:851): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

=== data loader app reading from log file ===
02-12 22:09:19.741  1417  1417 I Binder:1417_3: type=1400 audit(0.0:654): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 22:09:19.741 15903 15903 I Binder:15903_4: type=1400 audit(0.0:655): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

Test: manual with incremental installation
BUG: 133435829
Change-Id: Ie973be6bc63faf8fe98c9e684060e9c81d124e6e
 2020-02-13 12:53:36 -08:00
Songchun Fan
b1512f3ab7 new label for incremental control files 
Test: manual with incremental installation
Test: coral:/data/incremental/MT_data_incremental_tmp_1658593565/mount # ls -lZ .pending_reads
Test: -rw-rw-rw- 1 root root u:object_r:incremental_control_file:s0  0 1969-12-31 19:00 .pending_reads
BUG: 133435829
Change-Id: Ie090e085d94c5121bf61237974effecef2dcb180
 2020-02-13 12:52:51 -08:00
Songchun Fan
b55fd10e0b remove incfs genfscon label am: d9b78b4c84 
Change-Id: I78fa1acada138b0f6e038f2b842766d0951c46b7
 2020-02-13 20:50:37 +00:00
Maciej Żenczykowski
1189fac418 grant bpfloader CAP_CHOWN 
so that it can change the uid/gid of pinned bpf progs and maps

Test: build, atest
Bug: 149434314
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1d873c7799e1d9fa5d4bde145e89254dabb75a01
 2020-02-13 20:46:02 +00:00
Songchun Fan
d9b78b4c84 remove incfs genfscon label 
Test: manual with incremental installation
BUG: 133435829
Change-Id: I8b38db18851a5b3baf925be621de3eb0e83efbb4
 2020-02-13 08:44:48 -08:00
David Stevens
3942fe1682 selinux policy for buffer queue config 
Test: boot and check for no policy violations

Change-Id: I1ea2a79b9a45b503dcb061c196c5af1d0ddab653
 2020-02-13 20:11:47 +09:00
Automerger Merge Worker
5677813c9a Merge "property_contexts: add location cache" am: d39a906a25 am: e27c59412d 
Change-Id: I172dd2ee5325c9ef23cc7ada51a82c6a9448501b
 2020-02-13 04:58:18 +00:00
Automerger Merge Worker
e27c59412d Merge "property_contexts: add location cache" am: d39a906a25 
Change-Id: Iee3a29e28721c11f69a32470630cb0c0a8b9b802
 2020-02-13 04:41:01 +00:00
Automerger Merge Worker
09a4e3c0f0 Update Q sepolicy prebuilt am: 5f6290f3a9 am: daa110d022 
Change-Id: I78a4b47a575710502045a5b22e597dce8392829e
 2020-02-13 04:30:15 +00:00
Treehugger Robot
d39a906a25 Merge "property_contexts: add location cache" 2020-02-13 04:27:21 +00:00
Automerger Merge Worker
daa110d022 Update Q sepolicy prebuilt am: 5f6290f3a9 
Change-Id: Ie2970158c52e3675e17421ef4973cc926ddd4db5
 2020-02-13 04:13:10 +00:00
George Chang
db1dbd94a1 Add sepolicy for persist.nfc_cfg. 
Add a new nfc_cfg persist property for nfc features

Bug: 142626304
Test: set property and load target files.
Change-Id: I853c97e8113dbcf729cf59ad45895402b0c82b3e
 2020-02-12 16:20:52 +00:00
Automerger Merge Worker
f4ccc4ba1a Update Q sepolicy prebuilt am: 1dd6321a00 
Change-Id: I8caa160f6c9e7b86f6bab5848f9027a45c0a16c5
 2020-02-12 12:18:45 +00:00
Automerger Merge Worker
bdfd9bcc18 [automerger skipped] Fix: dumpstate HAL service property context am: 5927933c70 -s ours 
am skip reason: Change-Id Ie24e2d42e92410a935ca4c9364b476d72aa459f3 with SHA-1 046c510402 is in history

Change-Id: Iff9d6ccbff59635c0549662234b82d0ea4232479
 2020-02-12 12:18:41 +00:00
Alex Hong
5f6290f3a9 Update Q sepolicy prebuilt 
This updates 29.0 api for dumpstate restart control property contexts

Bug: 147730517
Change-Id: I0aa7450dc0fb34de321cf8d2ba357b2ecabbcf43
 2020-02-12 12:07:43 +08:00
Automerger Merge Worker
1ae4188d63 Merge "Use setxattr for incremental-fs" am: 2ddfad3709 am: 3b77d78709 
Change-Id: I60e7729ebbc64259c0176852547d2c53db0d9723
 2020-02-12 00:39:23 +00:00
Automerger Merge Worker
3b77d78709 Merge "Use setxattr for incremental-fs" am: 2ddfad3709 
Change-Id: Ia0773813cc8c81517f09e2dd3e2e4134f6146ffb
 2020-02-12 00:14:17 +00:00
Songchun Fan
2ddfad3709 Merge "Use setxattr for incremental-fs" 2020-02-11 23:56:51 +00:00
Songchun Fan
ecafc55b70 Use setxattr for incremental-fs 
BUG: b/133435829
Test: manual
Change-Id: I782f2041da5824fe28917789208e00d6ed10de79
 2020-02-11 14:33:08 -08:00