Jeffrey Vander Stoep
299e1d5a85
Merge "zygote: grant perms from domain_deprecated"
...
am: 4115beae63
* commit '4115beae6375b3b7c1cb777d342e0e7cd6028995':
zygote: grant perms from domain_deprecated
2016-01-27 18:13:20 +00:00
Jeffrey Vander Stoep
4115beae63
Merge "zygote: grant perms from domain_deprecated"
2016-01-27 18:08:01 +00:00
Jeffrey Vander Stoep
01afbb4c61
Merge "autoplay_app: cgroup write perms moved to domain"
2016-01-27 18:07:55 +00:00
Jeff Vander Stoep
e52fff83a1
zygote: grant perms from domain_deprecated
...
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { read } for name="ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
Change-Id: I5b505ad386a445113bc0a1bb35d4f88f7761c048
2016-01-27 09:57:25 -08:00
Marco Nelissen
87a79cf9dd
Merge "selinux rules for codec process"
2016-01-27 17:46:47 +00:00
Jeff Vander Stoep
00fdd71185
autoplay_app: cgroup write perms moved to domain
...
Remove from autoplay
Change-Id: Ic9f019f69e5f2dff5e2b8d03d39052486660d791
2016-01-27 09:27:16 -08:00
Narayan Kamath
3acd7eb8e7
Merge "Revert "Remove domain_deprecated from sdcard domains"" am: c4121add28
...
am: 2e97539602
* commit '2e975396026fe074b074f126309e5f4a88702a2c':
Revert "Remove domain_deprecated from sdcard domains"
2016-01-27 15:45:11 +00:00
Narayan Kamath
2e97539602
Merge "Revert "Remove domain_deprecated from sdcard domains""
...
am: c4121add28
* commit 'c4121add28c75ab12d634d2aa7570417ebb4e043':
Revert "Remove domain_deprecated from sdcard domains"
2016-01-27 15:43:26 +00:00
Sylvain Chouleur
9a28f90d6a
init: allow to access console-ramoops with newer kernels
...
Since Linux 3.18, commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3 has
been integrated and requires syslog_read capability for a process accessing
console-ramoops file.
sepolicy must be adapted to this new requirement.
Change-Id: Ib4032a6bd96b1828a0154edc8fb510e3c1d3bdc2
Signed-off-by: Sylvain Chouleur <sylvain.chouleur@intel.com>
2016-01-27 16:42:31 +01:00
Narayan Kamath
c4121add28
Merge "Revert "Remove domain_deprecated from sdcard domains""
2016-01-27 15:39:28 +00:00
Narayan Kamath
f4d7eef731
Revert "Remove domain_deprecated from sdcard domains"
...
This reverts commit 0c7bc58e91.
bug: 26807309
Change-Id: I8a7b0e56a0d6f723508d0fddceffdff76eb0459a
2016-01-27 15:39:05 +00:00
Jeff Vander Stoep
448952b617
domain: grant write perms to cgroups am: be0616baf0
...
am: 7676d3d985
* commit '7676d3d9854879830c8bc78c80ede981e937044c':
domain: grant write perms to cgroups
2016-01-27 03:35:14 +00:00
Jeff Vander Stoep
7676d3d985
domain: grant write perms to cgroups
...
am: be0616baf0
* commit 'be0616baf0c0caf8e1c8a4fdc9b488839f6af27d':
domain: grant write perms to cgroups
2016-01-27 03:33:26 +00:00
Jeff Vander Stoep
be0616baf0
domain: grant write perms to cgroups
...
Was moved to domain_deprecated. Move back to domain.
Files in /acct/uid/*/tasks are well protected by unix permissions.
No information is leaked with write perms.
Change-Id: I8017e906950cba41ce350bc0892a36269ade8d53
2016-01-27 03:00:50 +00:00
dcashman
e458f9abd4
Restore untrusted_app proc_net access. am: 5833e3f5ca
...
am: a321dde852
* commit 'a321dde852731f320e24f93347f39278bcf0b58b':
Restore untrusted_app proc_net access.
2016-01-27 01:26:57 +00:00
dcashman
a321dde852
Restore untrusted_app proc_net access.
...
am: 5833e3f5ca
* commit '5833e3f5ca04e88629e3bd76331fa0ab42d568f4':
Restore untrusted_app proc_net access.
2016-01-27 01:25:05 +00:00
dcashman
5833e3f5ca
Restore untrusted_app proc_net access.
...
Address the following denial:
type=1400 audit(0.0:853): avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0
Bug: 26806629
Change-Id: Ic2ad91aadac00dc04d7e04f7460d5681d81134f4
2016-01-26 16:56:24 -08:00
SimHyunYong
001b10bdff
remove access_kmsg macro, because it to be more explicit.
...
This macro does not give us anything to it.
Change-Id: Ie0b56716cc0144f0a59849647cad31e06a25acf1
2016-01-27 08:56:30 +09:00
SimHyunYong
f7f49b80a3
Using r_dir_file macro in domain.te am: 093ea6fb9a
...
am: fa46a7375b
* commit 'fa46a7375bf36ea5dcc08cfdb92cbc463a2d471c':
Using r_dir_file macro in domain.te
2016-01-26 23:48:42 +00:00
SimHyunYong
fa46a7375b
Using r_dir_file macro in domain.te
...
am: 093ea6fb9a
* commit '093ea6fb9a284acbce10641f8743de24abd70734':
Using r_dir_file macro in domain.te
2016-01-26 23:46:45 +00:00
dcashman
aedf223656
Reduce accessibility of voiceinteraction_service.
...
The services under this label are not meant to be exposed to all apps.
Currently only priv_app needs access.
Bug: 26799206
Change-Id: I07c60752d6ba78f27f90bf5075bcab47eba90b55
2016-01-26 15:12:08 -08:00
Jeffrey Vander Stoep
e449446548
Merge "Remove domain_deprecated from sdcard domains" am: cdae042a07
...
am: dd55b44d08
* commit 'dd55b44d08d6e4be36f110c35bc69c8309c0161e':
Remove domain_deprecated from sdcard domains
2016-01-26 23:02:58 +00:00
Jeffrey Vander Stoep
dd55b44d08
Merge "Remove domain_deprecated from sdcard domains"
...
am: cdae042a07
* commit 'cdae042a07cda569f2366cb8f6b0b036f0a8c634':
Remove domain_deprecated from sdcard domains
2016-01-26 22:56:07 +00:00
SimHyunYong
093ea6fb9a
Using r_dir_file macro in domain.te
...
r_dir_file(domain, self)
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:file r_file_perms;
te_macros
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')
Change-Id: I7338f63a1eaa8ca52cd31b51ce841e3dbe46ad4f
2016-01-27 07:54:47 +09:00
Jeffrey Vander Stoep
cdae042a07
Merge "Remove domain_deprecated from sdcard domains"
2016-01-26 22:44:14 +00:00
James Hawkins
327da659be
Merge "bootstat: Fix the SELinux policy after removing domain_deprecated." am: ae29dea8b7
...
am: c119fab939
* commit 'c119fab9392cc8a7d95d88417ff8a1c2a521566f':
bootstat: Fix the SELinux policy after removing domain_deprecated.
2016-01-26 21:54:59 +00:00
Jeff Vander Stoep
59e47dd5de
resolve merge conflicts of ef9a0be598 to master.
...
Change-Id: I65d7c0bb306f61dfe0ad2a5581f28dbc2942a1eb
2016-01-26 13:38:03 -08:00
James Hawkins
c119fab939
Merge "bootstat: Fix the SELinux policy after removing domain_deprecated."
...
am: ae29dea8b7
* commit 'ae29dea8b7580478bd18f4354adeff38b1de1476':
bootstat: Fix the SELinux policy after removing domain_deprecated.
2016-01-26 21:31:19 +00:00
James Hawkins
ae29dea8b7
Merge "bootstat: Fix the SELinux policy after removing domain_deprecated."
2016-01-26 21:26:37 +00:00
Arunesh Mishra
7a17cf5c95
Merge "Allow "soundtrigger" system service to run."
2016-01-26 21:16:37 +00:00
SimHyunYong
ef9a0be598
Delete policy it is already included in binder_call macros.
...
am: 7171232c02
* commit '7171232c02d27e777ad2267f1a8b5246b3aabc8d':
Delete policy it is already included in binder_call macros.
2016-01-26 20:08:55 +00:00
Arunesh Mishra
400266bfae
Allow "soundtrigger" system service to run.
...
In the same process as voiceinteraction.
Please see related CL ag/852049
Bug: 22860713
Change-Id: I43ebfdba2aafb151dd7db0814570027e1164508a
2016-01-26 11:27:46 -08:00
James Hawkins
2e8d71c3be
bootstat: Fix the SELinux policy after removing domain_deprecated.
...
* Allow reading /proc.
type=1400 audit(1453834004.239:7): avc: denied { read } for pid=1305
comm="bootstat" name="uptime" dev="proc" ino=4026536600
scontext=u:r:bootstat:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0
* Define domain for the /system/bin/bootstat file.
init: Service exec 4 (/system/bin/bootstat) does not have a SELinux
domain defined.
Bug: 21724738
Change-Id: I4baa2fa7466ac35a1ced79776943c07635ec9804
2016-01-26 18:52:58 +00:00
SimHyunYong
7171232c02
Delete policy it is already included in binder_call macros.
...
define(`binder_call', `
allow $1 $2:binder { call transfer };
allow $2 $1:binder transfer;
allow $1 $2:fd use;
')
binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)
it already includes these policies, so I can delete these policies!
allow surfaceflinger appdomain:fd use;
allow surfaceflinger bootanim:fd use;
2016-01-26 16:33:44 +09:00
Jeffrey Vander Stoep
912be4319e
Merge "Delete duplicated policy, it is already included in app.te." am: 0220b345b3
...
am: c37b0c330f
* commit 'c37b0c330fb08b59351b097cf52816b0a9b20f11':
Delete duplicated policy, it is already included in app.te.
2016-01-26 06:24:22 +00:00
Jeffrey Vander Stoep
c37b0c330f
Merge "Delete duplicated policy, it is already included in app.te."
...
am: 0220b345b3
* commit '0220b345b39fa7781e3a352ecf84f45bc29016ab':
Delete duplicated policy, it is already included in app.te.
2016-01-26 06:22:11 +00:00
Jeffrey Vander Stoep
0220b345b3
Merge "Delete duplicated policy, it is already included in app.te."
2016-01-26 06:17:32 +00:00
Tao Bao
51523e59da
resolve merge conflicts of 42baca019b to master.
...
Change-Id: I7fe13cbe563dcd2f286696010f0a5034dfee0202
2016-01-25 21:03:36 -08:00
Tao Bao
42baca019b
Merge "Allow update_engine to use Binder IPC."
...
am: 6899e0a38b
* commit '6899e0a38b14047f561493e87341b72dfbf3fe8a':
Allow update_engine to use Binder IPC.
2016-01-26 04:52:53 +00:00
Tao Bao
6899e0a38b
Merge "Allow update_engine to use Binder IPC."
2016-01-26 04:33:51 +00:00
SimHyunYong
5ba9af2390
Delete duplicated policy, it is already included in app.te.
...
allow appdomain keychain_data_file:dir r_dir_perms;
allow appdomain keychain_data_file:file r_file_perms;
2016-01-26 11:13:29 +09:00
dcashman
d357760531
Add adbd socket perms to system_server. am: b037a6c94b
...
am: c37fa20383
* commit 'c37fa2038327c8879e297b6fa9b76ba45ddcf67c':
Add adbd socket perms to system_server.
2016-01-26 01:44:45 +00:00
dcashman
c37fa20383
Add adbd socket perms to system_server.
...
am: b037a6c94b
* commit 'b037a6c94b357c9a85d13dde548f5799c592c6ac':
Add adbd socket perms to system_server.
2016-01-26 01:42:44 +00:00
Tao Bao
dce317cf43
Allow update_engine to use Binder IPC.
...
Register service with servicemanager and name the context.
avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder
avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager
Also allow priv_app to communicate with update_engine.
avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager
avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder
avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder
Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c
2016-01-25 16:42:38 -08:00
dcashman
b037a6c94b
Add adbd socket perms to system_server.
...
Commit 2fdeab3789 added ability to debug
over adbd for zygote-spawned apps, required by removal of domain_deprecated
from untrusted_app. This functionality is a core debuggable component
of the android runtime, so it is needed by system_server as well.
Bug: 26458796
Change-Id: I29f5390122b3644449a5c3dcf4db2d0e969f6a9a
2016-01-25 16:09:01 -08:00
Jeff Vander Stoep
dfd82ecbbf
app: connect to adbd am: 2fdeab3789
...
am: 97ebf96aba
* commit '97ebf96aba44f9cf14b975051b240bade5841053':
app: connect to adbd
2016-01-25 23:29:18 +00:00
Jeff Vander Stoep
97ebf96aba
app: connect to adbd
...
am: 2fdeab3789
* commit '2fdeab3789ec6e5ec6f7424abf41a9aaa73564b0':
app: connect to adbd
2016-01-25 23:27:33 +00:00
Jeff Vander Stoep
2fdeab3789
app: connect to adbd
...
Permission to connect to adb was removed from untrusted_app when
the domain_deprecated attribute was removed. Add it back to support
debugging of apps. Grant to all apps as eventually
domain_deprecated will be removed from everything.
Bug: 26458796
Change-Id: I4356e6d011094cdb6829210dd0eec443b21f8496
2016-01-25 15:20:05 -08:00
Jeff Vander Stoep
042d37c3a4
domain: allow dir search in selinuxfs am: 45517a7547
...
am: cfa5d76fb8
* commit 'cfa5d76fb8c9ec4d68d1664c540ebe2f03e09d49':
domain: allow dir search in selinuxfs
2016-01-25 18:31:12 +00:00
Jeff Vander Stoep
cfa5d76fb8
domain: allow dir search in selinuxfs
...
am: 45517a7547
* commit '45517a7547de0a9f0c13b5907c243456ec61bf04':
domain: allow dir search in selinuxfs
2016-01-25 18:28:59 +00:00