tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
5550 commits 1 branch 0 tags 50 MiB
Commit graph

5550 commits

This branch
This branch
All branches
Author SHA1 Message Date
Jeffrey Vander Stoep
1b52ad6be1 Merge "grant priv_app access to /dev/mtp_usb" 2015-10-19 21:31:05 +00:00
Nick Kralevich
2736e7d6f9 am 40367ad8: Merge "untrusted_apps: Allow untrusted apps to find healthd_service." into mnc-dr-dev am: 6ab438dc8b 
* commit '40367ad87e084f78e310b33963aa3da4309442e8':
  untrusted_apps: Allow untrusted apps to find healthd_service.
 2015-10-19 21:08:41 +00:00
Nick Kralevich
40367ad87e Merge "untrusted_apps: Allow untrusted apps to find healthd_service." into mnc-dr-dev 
am: 6ab438dc8b

* commit '6ab438dc8b4c8b661c8209ecfb66b626b8bdc532':
  untrusted_apps: Allow untrusted apps to find healthd_service.
 2015-10-19 20:59:28 +00:00
Nick Kralevich
6ab438dc8b Merge "untrusted_apps: Allow untrusted apps to find healthd_service." into mnc-dr-dev 2015-10-19 20:42:33 +00:00
Ruchi Kandoi
ac8b5750b0 untrusted_apps: Allow untrusted apps to find healthd_service. 
This allows apps to find the healthd service which is used to query
battery properties.

Bug: 24759218
Change-Id: I72ce5a28b2ffd57aa424faeb2d039b6c92f9597d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
 2015-10-19 13:33:23 -07:00
Jeff Vander Stoep
bcbb32e763 grant priv_app access to /dev/mtp_usb 
android.process.media needs access to mtp_usb when MTP is enabled.

Bug: 25074672
Change-Id: Ic48a3ba8e4395104b0b957f7a9bad69f0e5ee38e
 2015-10-19 13:07:15 -07:00
Jeff Vander Stoep
5d7bd5849a am 5f34265c: am a910a287: Remove untrusted_app access to tmp apk files 
* commit '5f34265c5af472042c338780a39145661cca0e09':
  Remove untrusted_app access to tmp apk files
 2015-10-19 19:09:37 +00:00
Jeff Vander Stoep
3912943b98 am e9aaae4f: resolved conflicts for f1203bf0 to stage-aosp-master 
* commit 'e9aaae4ffbe6f549aa724891affb176b2f7b465e':
  Remove untrusted_app access to cache
 2015-10-19 19:04:08 +00:00
Jeff Vander Stoep
5f34265c5a am a910a287: Remove untrusted_app access to tmp apk files 
* commit 'a910a287d81bf5e9885af9e5be60ed444964a86a':
  Remove untrusted_app access to tmp apk files
 2015-10-19 12:02:56 -07:00
Jeff Vander Stoep
e9aaae4ffb resolved conflicts for f1203bf0 to stage-aosp-master 
Change-Id: I7f17a87595a05967879ccc33326eb80d7bd00251
 2015-10-19 11:39:59 -07:00
Jeff Vander Stoep
a910a287d8 Remove untrusted_app access to tmp apk files 
Verifier has moved to the priv_app domain. Neverallow app domain
access to tmp apk files with exceptions for platform and priv app
domains.

Change-Id: I68a2fa39ebc7dc0bfa278fe7d092655f21a5225d
 2015-10-19 18:19:31 +00:00
Jeffrey Vander Stoep
f1203bf05f Merge "Remove untrusted_app access to cache" 2015-10-19 18:06:38 +00:00
Jeff Vander Stoep
408e8da507 am d77deee4: am 7f09a945: Policy for priv_app domain 
* commit 'd77deee44fc4d3f0c60f5ed9ab15ba166375c381':
  Policy for priv_app domain
 2015-10-19 17:47:10 +00:00
Jeff Vander Stoep
d77deee44f am 7f09a945: Policy for priv_app domain 
* commit '7f09a94596be98415d0546d927c8a4bc15867621':
  Policy for priv_app domain
 2015-10-19 10:42:34 -07:00
Jeff Vander Stoep
7f09a94596 Policy for priv_app domain 
Verifier needs access to apk files.
avc: denied { search } for pid=11905 comm="ackageinstaller" name="vmdl2040420713.tmp" dev="dm-2" ino=13647 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=0

Give bluetooth_manager_service and trust_service the app_api_service
attribute.
avc:  denied  { find } for service=bluetooth_manager pid=7916 uid=10058 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:bluetooth_manager_service:s0 tclass=service_manager permissive=0
avc:  denied  { find } for service=trust pid=25664 uid=10069 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:trust_service:s0 tclass=service_manager permissive=0

Bug: 25066911
Change-Id: I6be695546f8a951e3329c1ec412936b8637e5835
 2015-10-19 10:35:20 -07:00
Jeff Vander Stoep
b8985782c6 am 59bb0d4b: am 734e4d7c: Give services app_api_service attribute 
* commit '59bb0d4bc5316044721d3c16be90d3d9f21e3957':
  Give services app_api_service attribute
 2015-10-18 16:21:20 +00:00
Jeff Vander Stoep
59bb0d4bc5 am 734e4d7c: Give services app_api_service attribute 
* commit '734e4d7c5015a510ab20bfbc3c5a84667378764f':
  Give services app_api_service attribute
 2015-10-18 09:15:25 -07:00
Jeff Vander Stoep
734e4d7c50 Give services app_api_service attribute 
avc:  denied  { find } for service=network_management pid=4503 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:network_management_service:s0 tclass=service_manager
avc:  denied  { find } for service=netstats pid=4503 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=0

Bug: 25022496
Change-Id: Ib6eac76b680fed3eca7e4942c6b0e375f12b6496
 2015-10-17 19:24:11 +00:00
Jeffrey Vander Stoep
3588221547 am 6bbe728c: am b1eced68: Merge "grant webviewupdate_service app_api_service attribute" 
* commit '6bbe728ce8780d3c0e3fabed6fd5c927160a2610':
  grant webviewupdate_service app_api_service attribute
 2015-10-16 22:08:38 +00:00
Jeffrey Vander Stoep
6bbe728ce8 am b1eced68: Merge "grant webviewupdate_service app_api_service attribute" 
* commit 'b1eced68d2dc0823e70729db66b16463289986a8':
  grant webviewupdate_service app_api_service attribute
 2015-10-16 15:02:08 -07:00
Jeffrey Vander Stoep
b1eced68d2 Merge "grant webviewupdate_service app_api_service attribute" 2015-10-16 21:56:59 +00:00
Jeff Vander Stoep
7813cc8de0 grant webviewupdate_service app_api_service attribute 
avc:  denied  { find } for service=webviewupdate pid=11399 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:webviewupdate_service:s0 tclass=service_manager permissive=0

Bug: 25018574
Change-Id: I26a7846d1c80c1ab3842813f4148528030b1106a
 2015-10-16 14:53:11 -07:00
Jeff Vander Stoep
68748c2166 Remove untrusted_app access to cache 
neverallow access to untrusted_app and isolated app

Access to cache is a system|signature permission. Only
priv/system/platform apps should be allowed access.

Change-Id: I7ebd38ce6d39950e74c0a164479bc59e694c852d
 2015-10-16 14:51:55 -07:00
Jeffrey Vander Stoep
08faa8e03b am b663e28b: am 63613805: Merge "Privileged apps require access to cache" 
* commit 'b663e28b14d1b39c18228eaa59a2b45c8e88a697':
  Privileged apps require access to cache
 2015-10-16 00:17:47 +00:00
Jeffrey Vander Stoep
b663e28b14 am 63613805: Merge "Privileged apps require access to cache" 
* commit '636138054cf0d60c6b99282aedacd8cb96b54ece':
  Privileged apps require access to cache
 2015-10-16 00:11:24 +00:00
Jeffrey Vander Stoep
636138054c Merge "Privileged apps require access to cache" 2015-10-16 00:05:26 +00:00
Jeff Vander Stoep
879df83384 Privileged apps require access to cache 
gmscore uses cache for updates

Bug: 24977552
Change-Id: I45a713fcfc70b71a2de712e77b64fb9feab67dd7
 2015-10-15 15:17:01 -07:00
Nick Kralevich
132a1b1ad3 am 911cacc0: am 745b4406: bluetooth.te: Relax bluetooth neverallow rule. 
* commit '911cacc014d78c6be0cb2ff8301290317359712c':
  bluetooth.te: Relax bluetooth neverallow rule.
 2015-10-15 22:07:17 +00:00
Nick Kralevich
911cacc014 am 745b4406: bluetooth.te: Relax bluetooth neverallow rule. 
* commit '745b440641ee2a06eefe7397f4c8dcdc2ca8e74a':
  bluetooth.te: Relax bluetooth neverallow rule.
 2015-10-15 22:00:34 +00:00
Nick Kralevich
745b440641 bluetooth.te: Relax bluetooth neverallow rule. 
Bug: 24866874

(cherry picked from commit 33a779fecb)

Change-Id: I0a9d4a30859b384cb3621c80568ef9da06ad44f6
 2015-10-15 14:18:52 -07:00
Nick Kralevich
f3487000f8 am 1423005a: am 43cd0cce: allow shell self:process ptrace; 
* commit '1423005a4dac7ea5e9caaebbb00b432c9d37b260':
  allow shell self:process ptrace;
 2015-10-15 21:13:19 +00:00
Nick Kralevich
1423005a4d am 43cd0cce: allow shell self:process ptrace; 
* commit '43cd0ccefc568699a9aaea797ea18455be65fdf5':
  allow shell self:process ptrace;
 2015-10-15 21:07:08 +00:00
Nick Kralevich
43cd0ccefc allow shell self:process ptrace; 
Allow the non-privileged adb shell user to run strace. Without
this patch, the command "strace /system/bin/ls" fails with the
following error:

  shell@android:/ $ strace /system/bin/ls
  strace: ptrace(PTRACE_TRACEME, ...): Permission denied
  +++ exited with 1 +++

Change-Id: I207fe0f71941bff55dbeb6fe130e636418f333ee
 2015-10-15 13:38:12 -07:00
Jeffrey Vander Stoep
8f91b293a0 am b6229837: am 1d2eaf92: Merge "Allow bluetooth to find the drmservice" 
* commit 'b62298375d6615244e2be2763da445929675d078':
  Allow bluetooth to find the drmservice
 2015-10-15 17:17:50 +00:00
Jeffrey Vander Stoep
b62298375d am 1d2eaf92: Merge "Allow bluetooth to find the drmservice" 
* commit '1d2eaf92c3dfd187fa7fff687ebfe49389fe46cb':
  Allow bluetooth to find the drmservice
 2015-10-15 17:11:29 +00:00
Jeffrey Vander Stoep
1d2eaf92c3 Merge "Allow bluetooth to find the drmservice" 2015-10-15 17:08:45 +00:00
Nick Kralevich
f00774cd5b am 4cf4ce3e: am 9fcc949f: am 63af426a: bluetooth.te: Relax bluetooth neverallow rule. am: 33a779fecb 
* commit '4cf4ce3e89fef5d76e04cc319a3d8047e272fa91':
  bluetooth.te: Relax bluetooth neverallow rule.
 2015-10-14 22:58:28 +00:00
Nick Kralevich
4cf4ce3e89 am 9fcc949f: am 63af426a: bluetooth.te: Relax bluetooth neverallow rule. am: 33a779fecb 
* commit '9fcc949f3ca6c2a6d968f3bde57c8ce89f5d9bc6':
  bluetooth.te: Relax bluetooth neverallow rule.
 2015-10-14 22:48:11 +00:00
Nick Kralevich
9fcc949f3c am 63af426a: bluetooth.te: Relax bluetooth neverallow rule. am: 33a779fecb 
* commit '63af426a6ebc5c340a7144164f7458b35002d6f5':
  bluetooth.te: Relax bluetooth neverallow rule.
 2015-10-14 22:42:37 +00:00
Nick Kralevich
63af426a6e bluetooth.te: Relax bluetooth neverallow rule. 
am: 33a779fecb

* commit '33a779fecbdaa87756922adc690b4e38382d8e5f':
  bluetooth.te: Relax bluetooth neverallow rule.
 2015-10-14 22:37:38 +00:00
Nick Kralevich
33a779fecb bluetooth.te: Relax bluetooth neverallow rule. 
Bug: 24866874
Change-Id: Ic13ad4d3292fe8284e5771a28abaebb0ec9590f0
 2015-10-14 15:11:35 -07:00
Jeffrey Vander Stoep
b3af06305c am d62fac7d: Merge "Remove permissions for untrusted_app" 
* commit 'd62fac7d0989f242204bc24622f392dbe110fd7e':
  Remove permissions for untrusted_app
 2015-10-14 21:38:33 +00:00
Jeff Vander Stoep
be002324dc am ee9c0b5f: Add priv_app domain to global seapp_context 
* commit 'ee9c0b5fb6d0c66756e1890711fe0afdacc7ea0c':
  Add priv_app domain to global seapp_context
 2015-10-14 21:38:32 +00:00
Jeffrey Vander Stoep
d62fac7d09 Merge "Remove permissions for untrusted_app" 2015-10-14 21:34:00 +00:00
Jeff Vander Stoep
0d186fcf89 Remove permissions for untrusted_app 
Privileged apps now run in the priv_app domain. Remove permissions
from untrusted_app that were originaly added for GMS core, Finsky, and
Play store.

Bug: 22033466
Change-Id: Ibdce72ad629bfab47de92ac19542e8902e02c8be
 2015-10-14 14:29:30 -07:00
Jeff Vander Stoep
ee9c0b5fb6 Add priv_app domain to global seapp_context 
Assign priviliged apps not signed with the platform key to the priv_app
domain.

Bug: 22033466
Change-Id: Idf7fbe7adbdc326835a179b554f96951b69395bc
 2015-10-14 21:23:54 +00:00
Nick Kralevich
82434224db am 26cdf1e0: Merge "neverallow: domain:file execute and entrypoint" 
* commit '26cdf1e09033c9c489867852094e7c7f53b118f5':
  neverallow: domain:file execute and entrypoint
 2015-10-14 20:31:15 +00:00
Nick Kralevich
26cdf1e090 Merge "neverallow: domain:file execute and entrypoint" 2015-10-14 20:23:39 +00:00
Nick Kralevich
56c91f70b2 am 82bdd796: system_server: (eng builds) remove JIT capabilities 
* commit '82bdd796e1265bd0e4b0497e9bed1d0cafc9883b':
  system_server: (eng builds) remove JIT capabilities
 2015-10-14 20:03:20 +00:00
Nick Kralevich
82bdd796e1 system_server: (eng builds) remove JIT capabilities 
23cde8776b removed JIT capabilities
from system_server for user and userdebug builds. Remove the capability
from eng builds to be consistent across build types.

Add a neverallow rule (compile time assertion + CTS test) to verify
this doesn't regress on our devices or partner devices.

Bug: 23468805
Bug: 24915206
Change-Id: Ib2154255c611b8812aa1092631a89bc59a27514b
 2015-10-14 09:41:47 -07:00