Josh Gao
c754b990a0
Update sepolicy prebuilts for tombstoned.
...
Bug: http://b/77729983
Test: treehugger
Change-Id: Ic8ce31396e5cad2e9b1f7aab2ace2f6c8e962d6d
2018-05-03 13:14:39 -07:00
Josh Gao
5159b1c9d6
tombstoned: allow linking tombstones.
...
Bug: http://b/77729983
Test: debuggerd_test
Test: adb shell 'for x in `seq 0 50`; do crasher; done'
Change-Id: I1d86d04047240a85b2e987116efd9be59607b766
(cherry picked from commit a7bf5810da)
2018-05-02 14:44:18 -07:00
android-build-team Robot
9d4573c448
Merge changes Ic3f85992,I33f47db7 into pi-dev
...
* changes:
Sepolicy: Modify postinstall_dexopt
Sepolicy: Modify postinstall_dexopt
2018-05-02 18:52:02 +00:00
Jaekyun Seok
21b1015db3
Update prebuilts/api/28.0/public/property_contexts
...
Bug: 78205669
Bug: 78430613
Test: succeeded building
Change-Id: Ie098b839a050058424673f0d8961b7a194a2caab
2018-05-02 09:08:13 +09:00
Jaekyun Seok
d097ff9516
Allow vendor-init-settable for properties used in Android TV
...
The following properties will be whitelisted.
- ro.hdmi.device_type, ro.hdmi.wake_on_hotplug and
persist.sys.hdmi.keep_awake for hdmi
- ro.sf.disable_triple_buffer for SurfaceFlinger
- media.stagefright.cache-params and persist.sys.media.avsync for
nuplayer
Bug: 78205669
Bug: 78430613
Test: succeeded building
Change-Id: I5ee1a1de72c265bca87aa041c6acd9554f5f8c07
Merged-In: I5ee1a1de72c265bca87aa041c6acd9554f5f8c07
(cherry picked from commit 18aaaad937)
2018-05-02 07:41:52 +09:00
Pavel Maltsev
811113e8b5
Merge "Revert "Allow auto HAL clients to access hw services"" into pi-dev
2018-05-01 20:28:14 +00:00
Pavel Maltsev
87ac80b874
Revert "Allow auto HAL clients to access hw services"
...
This reverts commit aa38ce7279.
Reason for revert: broken build
Change-Id: Ib6ca328576ef180fd1150ae6d6b3f90e928a07ac
2018-05-01 20:05:41 +00:00
android-build-team Robot
20d4069aea
Merge "Allow auto HAL clients to access hw services" into pi-dev
2018-05-01 18:59:54 +00:00
Andreas Gampe
8cbe674345
Sepolicy: Modify postinstall_dexopt
...
Update prebuilts for API 28.
Bug: 77958490
Test: m
Test: manual
Change-Id: Ic3f8599266ff8fffdff1492a5600a10f6fecbe88
2018-05-01 10:47:35 -07:00
Andreas Gampe
b5c927184f
Sepolicy: Modify postinstall_dexopt
...
Grant fsetid as it was done for installd. Suppress write to
profile files.
(cherry picked from commit 006e160b1a)
Bug: 77958490
Test: m
Test: manual
Merged-In: I33f47db7c16f0eda41ffdb526cf43f8fa9484c62
Change-Id: I33f47db7c16f0eda41ffdb526cf43f8fa9484c62
2018-05-01 10:47:21 -07:00
Ian Pedowitz
c170107ae0
Fixing build as SEPolicy changed during merge of P-Finalization
...
Bug: 77589980
Test: diff -r system/sepolicy/public system/sepolicy/prebuilts/api/28.0/public is empty
Change-Id: I5ecb003e893d87e36e096208e505ad1264c288aa
2018-04-30 18:36:35 -07:00
Ian Pedowitz
94c1113cc8
Merge "SEPolicy Prebuilts for P" into pi-dev
2018-05-01 01:07:49 +00:00
android-build-team Robot
fc865e4b8e
Merge "Allow profman to resolve symlinks on dirs" into pi-dev
2018-05-01 00:34:17 +00:00
Ian Pedowitz
763dcc3175
SEPolicy Prebuilts for P
...
Bug: 77589980
Test: Build
Change-Id: I5395314006f42dd3c925fed554c04d182ddde2c5
2018-04-30 15:09:29 -07:00
Calin Juravle
9e80bfc880
Allow profman to resolve symlinks on dirs
...
When opening the dex files we sometimes need to check for the real location
of the file (even if it was opened via an fd).
Denial example:
avc: denied { getattr } for comm="profman" path="/data/app" dev="sda13"
ino=1048577 scontext=u:r:profman:s0 tcontext=u:object_r:apk_data_file:s0
tclass=dir permissive=0
Test: verify we get no denials when taking a profile snapshot.
Bug: 77922323
Change-Id: Ifa5570656c644819d14f46af74e4c15e903a8a54
2018-04-30 14:56:34 -07:00
android-build-team Robot
bbb500d705
Merge "Adding labeling for vendor security patch prop am: 5cac1aa99c am: ad3602d262" into pi-dev
2018-04-30 20:42:38 +00:00
Pavel Maltsev
aa38ce7279
Allow auto HAL clients to access hw services
...
Bug: 70637118
Test: m && emulator ; also verified on bat_land
Change-Id: I5d78eaf53f7df32837f113c14786f483955a8ac2
2018-04-29 12:56:33 -07:00
android-build-team Robot
26ee5a8590
Merge "Move automotive HALs sepolicy to system/" into pi-dev
2018-04-27 22:11:56 +00:00
android-build-team Robot
e5059b176f
Merge "Adding ability for keystore to find dropbox" into pi-dev
2018-04-27 20:31:30 +00:00
Chia-I Wu
146222ed08
Merge "Make persist.sys.sf.native_mode an integer" into pi-dev
2018-04-27 15:47:41 +00:00
Paul Crowley
0fe31e04ea
Allow vold_prepare_subdirs to delete more files.
...
Bug: 78591623
Test: Create a new user with a fingerprint. Reboot. Delete that user.
Check for denials, files left over in /data/*_{c,d}e/10
Merged-In: Ib818e112a98c5b954ee829e93ebd69c3b12940cf
Change-Id: Ib818e112a98c5b954ee829e93ebd69c3b12940cf
2018-04-26 16:02:06 -07:00
Max Bires
d2d91e60de
Adding ability for keystore to find dropbox
...
This will allow the logging in keystore to actually work.
Bug: 36549319
Test: keystore dropbox logging is successful
Change-Id: Ic135fa9624c289c54187e946affbd0caacef13c1
(cherry picked from commit 2e69afc079)
2018-04-26 16:14:24 +00:00
Max Bires
30d80f0c1c
Adding labeling for vendor security patch prop am: 5cac1aa99c
...
am: ad3602d262
Test: Vendor security patch prop is properly labeled
Bug: 76428542
Change-Id: I034f2f2c9eab3667cfa92ea41b4b5f4afa1c7df7
Merged-In: I034f2f2c9eab3667cfa92ea41b4b5f4afa1c7df7
(cherry picked from commit 15a9fbc277)
2018-04-26 01:36:23 +00:00
Chia-I Wu
f16afc094d
Make persist.sys.sf.native_mode an integer
...
This allows for more native modes.
Bug: 73824924
Test: adb shell setprop persist.sys.sf.native_mode 2
Change-Id: Iffdeadc8dc260de4b0c7f2b46aab08d64d25e3b1
Merged-In: Iffdeadc8dc260de4b0c7f2b46aab08d64d25e3b1
2018-04-25 11:35:51 -07:00
TreeHugger Robot
1818b11242
Merge "Track otapreopt_chroot postinstall_file SELinux denial." into pi-dev
2018-04-25 03:22:47 +00:00
TreeHugger Robot
0e430da4f9
Merge "searchpolicy depends on FcSort" into pi-dev
2018-04-24 21:08:38 +00:00
Joel Galenson
81f4377aba
Track otapreopt_chroot postinstall_file SELinux denial.
...
Bug: 75287236
Test: Built policy.
Change-Id: I90301c33fd8c20e96cfbb424eaf80978e79c34f0
(cherry picked from commit 5c87b8797b)
2018-04-24 12:22:33 -07:00
TreeHugger Robot
faef020c89
Merge "Allow dumpstate to be used as a lazy HAL." into pi-dev
2018-04-24 18:14:51 +00:00
Jeff Vander Stoep
cc541a80c3
searchpolicy depends on FcSort
...
Bug: 77965486
Test: run cts -m CtsSecurityHostTestCases -t
android.cts.security.FileSystemPermissionTest#testDevHwRandomPermissions
Change-Id: Ib5965649e9b2b4bb0259383374dfac76cc0a8bd5
2018-04-24 11:03:22 -07:00
Paul Crowley
1fb3bfba78
Merge "Add metadata_file class for root of metadata folder." into pi-dev
2018-04-24 17:32:52 +00:00
Steven Moreland
0b1797b852
Allow dumpstate to be used as a lazy HAL.
...
hwservicemanager lost the permission to tell init to
start the dumpstate HAL when dumpstate was given this
permission exclusively.
Bug: 77489941 # problem introduced
Bug: 78509314 # converting dumpstate to lazy hals
Test: convert an instance of dumpstate into a lazy HAL,
run bugreport, see denial, then add permission, and
see bugreport start to work again.
Change-Id: I033701d8306200bebc0f250afe3d08f9e6ab98a1
2018-04-24 09:38:15 -07:00
TreeHugger Robot
95758f47ee
Merge "Remove some priv_app logspam." into pi-dev
2018-04-24 15:44:55 +00:00
Wei Wang
d45dfbff95
Merge "Allow dumpstate to kill dumpstate vendor HAL in timeout case" into pi-dev
2018-04-24 04:24:04 +00:00
Pavel Maltsev
394dbe34a0
Move automotive HALs sepolicy to system/
...
Bug: 70637118
Test: build, flash and boot bat_land and owl automotive builds
Change-Id: I6db23258de30174d6db09d241e91b08aa5afedef
2018-04-23 15:46:41 -07:00
Howard Ro
bcbd8198c4
Merge "Allow radio to write to statsd" into pi-dev
2018-04-23 22:23:02 +00:00
TreeHugger Robot
1501463bd0
Merge "Track radio SELinux denial." into pi-dev
2018-04-23 22:18:04 +00:00
Wei Wang
60d1767459
Allow dumpstate to kill dumpstate vendor HAL in timeout case
...
Bug: 77489941
Test: simulate delay in dumpstate HAL and get BR, see below from dumpstate_log.txt
dumpstateBoard timed out after 10s, killing dumpstate vendor HAL
dumpstateBoard failed: Status(EX_TRANSACTION_FAILED): 'DEAD_OBJECT: '
Change-Id: I90ed5cb8fe8da8ad21ae77676433936cb12d9d04
2018-04-23 14:41:25 -07:00
Joel Galenson
b26bc7d642
Track radio SELinux denial.
...
This should help fix presubmit tests.
Bug: 78456764
Test: Built policy.
Change-Id: I7ec5afa83417770731d309d5a57b8a94afa24453
(cherry picked from commit 8c0d460907)
2018-04-23 11:12:17 -07:00
Lalit Maganti
00c8e3d95a
sepolicy: allow shell to read/write traced prop
...
This is to fix the CTS failures given by the bugs below where devices
where traced is not enabled by default cause test failures.
(cherry picked from commit 673b4db777)
Bug: 78215159
Bug: 78347829
Change-Id: Ib0f6a1cdb770528dbbeb857368534ff5040e464e
2018-04-23 16:18:34 +00:00
yro
af8fb9f739
Allow radio to write to statsd
...
The corresponding change in aosp is made at aosp/669146
Violation:
04-23 10:51:03.926 2103 2103 W m.android.phone: type=1400 audit(0.0:8): avc: denied { write } for name="statsdw" dev="tmpfs" ino=22538 scontext=u:r:radio:s0 tcontext=u:object_r:statsdw_socket:s0 tclass=sock_file permissive=0
Bug: 78318738
Test: manual
Change-Id: I8aa70b07281df8a732f2f99d4d323961e425feea
2018-04-23 08:38:34 -07:00
TreeHugger Robot
51baefaf2c
Merge "Setting up sepolicies for statsd planB of listening to its own socket" into pi-dev
2018-04-21 02:29:55 +00:00
Joel Galenson
f5cfaa098e
Remove some priv_app logspam.
...
avc: denied { search } for name="/" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:fs_bpf:s0 tclass=dir permissive=0
Bug: 72749888
Test: Boot without seeing the denial.
Change-Id: Iaf3559928473c68066e6a42ba71655a683861901
(cherry picked from commit 9ec59f6cb9)
2018-04-20 15:48:39 -07:00
TreeHugger Robot
1050e7e82f
Merge "vendor_init: allow stat() of /data dir" into pi-dev
2018-04-20 21:41:28 +00:00
Petri Gynther
683a60bd43
A2DP offload: switch to new properties
...
Bug: 63932139
Bug: 76201991
Test: Manual A2DP testing (A2DP offload enabled and disabled)
Change-Id: Icebb4a84cf241b3b6bc52e4826fdedd5a73d796a
Merged-In: Icebb4a84cf241b3b6bc52e4826fdedd5a73d796a
2018-04-20 14:11:11 -07:00
yro
93c16bda16
Setting up sepolicies for statsd planB of listening to its own socket
...
Test: manual
Bug: 78318738
Change-Id: Ifa1cbbfdbb5acb713dfeb1d4bf98d1e116e5a89b
2018-04-20 13:57:54 -07:00
Tianjie Xu
1affab2200
Merge "Allow dumpstate to read the update_engine logs" into pi-dev
2018-04-20 20:09:00 +00:00
Jeff Vander Stoep
6f8d2628b3
vendor_init: allow stat() of /data dir
...
avc: denied { getattr } for path="/data" scontext=u:r:vendor_init:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
Bug: 78345561
Test: build/boot device. Denial is gone.
Change-Id: Ie858f1fe65aeb1845b00a5143c345e81aa2ec632
2018-04-20 12:51:44 -07:00
Paul Crowley
5f79b334ff
Add metadata_file class for root of metadata folder.
...
Bug: 77335096
Test: booted device with metadata encryption and without
Change-Id: I5bc5d46deb4e91912725c4887fde0c3a41c9fc91
2018-04-20 11:14:49 -07:00
Tianjie Xu
4af699ae3e
Allow dumpstate to read the update_engine logs
...
Denial message:
avc: denied { read } for pid=2775 comm="dumpstate" name="update_engine_log"
dev="sda35" ino=3850274 scontext=u:r:dumpstate:s0
tcontext=u:object_r:update_engine_log_data_file:s0 tclass=dir permissive=0
Bug: 78201703
Test: take a bugreport
Change-Id: I2c788c1211812aa0fcf58cee37a6e8f955424849
(cherry picked from commit 7d47427997)
2018-04-20 10:40:51 -07:00
TreeHugger Robot
5faa0c2af7
Merge "Neverallow unexpected domains to access bluetooth_prop and wifi_prop" into pi-dev
2018-04-20 05:07:56 +00:00