Commit graph

13244 commits

Author SHA1 Message Date
Elliott Hughes
2b42fe4bf6 Add a /bin symlink for convenience.
Bug: http://b/63142920
Test: `make dist`
Change-Id: Iae363fd5e7181941408d3d75cbf248e651bc8b49
2017-12-07 16:55:15 +00:00
Treehugger Robot
0500c7e867 Merge "Commit 27.0 compat mapping file to master." 2017-12-07 06:20:35 +00:00
Dan Cashman
f26e39728e Commit 27.0 compat mapping file to master.
Bug: 65551293
Bug: 69390067
Test: None. Prebuilt only change.
Change-Id: Ie793eb4a35927cb494281df59ae0a63666bb6e76
2017-12-06 20:30:26 -08:00
Treehugger Robot
f543ddb384 Merge "Revert "Renames nonplat_* to vendor_*"" 2017-12-07 04:02:29 +00:00
Treehugger Robot
bffa911d6b Merge "Commit 27.0 sepolicy prebuilts to master." 2017-12-07 01:52:56 +00:00
Bo Hu
283dd9ebb9 Revert "Renames nonplat_* to vendor_*"
This reverts commit 8b562206bf.

Reason for revert: broke mac build

b/70273082

FAILED: out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil
/bin/bash -c "(out/host/darwin-x86/bin/version_policy -b out/target/product/generic_x86/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil -t out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_policy_raw.cil -n 10000.0 -o out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil.tmp ) && (grep -Fxv -f out/target/product/generic_x86/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil.tmp > out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil ) && (out/host/darwin-x86/bin/secilc -m -M true -G -N -c 30 		out/target/product/generic_x86/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/generic_x86/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil out/target/product/generic_x86/obj/ETC/10000.0.cil_intermediates/10000.0.cil out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil -o /dev/null -f /dev/null )"
Parsing out/target/product/generic_x86/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil
Parsing out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_policy_raw.cil
grep: out of memory

Change-Id: I14f0801fdd6b9be28e53dfcc0f352b844005db59
2017-12-07 00:16:13 +00:00
Treehugger Robot
f691b12732 Merge "Sepolicy: Give perfprofd access to kernel notes" 2017-12-07 00:13:50 +00:00
Treehugger Robot
1d7fcdd59a Merge "Sepolicy: Label kernel notes" 2017-12-07 00:09:25 +00:00
Xin Li
91690c904c Merge "DO NOT MERGE: Merge Oreo MR1 into master" 2017-12-06 23:18:28 +00:00
Xin Li
4b836a8216 DO NOT MERGE: Merge Oreo MR1 into master
Exempt-From-Owner-Approval: Changes already landed internally
Change-Id: I11a15296360fd68485402e33814e7e756925c6a8
2017-12-06 14:24:58 -08:00
Andreas Gampe
365dd03cb1 Sepolicy: Give perfprofd access to kernel notes
Simpleperf reads kernel notes.

Bug: 70275668
Test: m
Test: manual
Change-Id: I1a2403c959464586bd52f0398ece0f02e3980fc4
2017-12-06 13:55:06 -08:00
Andreas Gampe
9213fe0217 Sepolicy: Label kernel notes
Label /sys/kernel/notes.

Bug: 70275668
Test: m
Change-Id: Ieb666425d2db13f85225fb902fe06b0bf2335bef
2017-12-06 13:55:06 -08:00
Treehugger Robot
61f5f287ba Merge "Sepolicy: Silence /data/local/tmp access of perfprofd" 2017-12-06 21:31:30 +00:00
Josh Gao
914a7fb95a crash_dump: allow reading from pipes.
Bug: http://b/63989615
Test: mma
Change-Id: I41506ecb0400867230502181c1aad7e51ce16d70
2017-12-06 11:05:54 -08:00
Tri Vo
3ed2877372 Merge "init: remove open, read, write access to 'sysfs' type."
am: 9b2dc9cfbb

Change-Id: I1921ca6c85e74935686d10918f0b0fb616e78ace
2017-12-06 19:05:42 +00:00
Treehugger Robot
9b2dc9cfbb Merge "init: remove open, read, write access to 'sysfs' type." 2017-12-06 18:51:09 +00:00
Andreas Gampe
ec5bcd70b0 Sepolicy: Silence /data/local/tmp access of perfprofd
Until simpleperf no longer optimistically tries /data/local/tmp for
tmp storage, silence the denials.

Bug: 70232908
Test: m
Test: manual
Change-Id: Icbc230dbfbfa6493b4e494185c536a10e3b0ae7b
2017-12-06 10:19:39 -08:00
Dan Cashman
805824884f Commit 27.0 sepolicy prebuilts to master.
Bug: 65551293
Bug: 69390067
Test: None. Prebuilt only change.
Change-Id: I62304b342a8b52fd505892cc2d4ebc882148224b
2017-12-06 09:23:36 -08:00
Tri Vo
0e3235f45d init: remove open, read, write access to 'sysfs' type.
Add write access to:
sysfs_android_usb
sysfs_leds
sysfs_power
sysfs_zram

Add setattr access to:
sysfs_android_usb
sysfs_devices_system_cpu
sysfs_lowmemorykiller
sysfs_power
sysfs_leds
sysfs_ipv4

Bug: 70040773
Bug: 65643247
Change-Id: I68e2e796f5599c9d281897759c8d8eef9363559a
Test: walleye boots with no denials from init to sysfs.
2017-12-06 17:00:59 +00:00
kaichieh
b616688eda Renames nonplat_* to vendor_*
am: 8b562206bf

Change-Id: I5df30ebf4f0ba450ff3da8e54c76da23af955105
2017-12-06 10:11:42 +00:00
kaichieh
8b562206bf Renames nonplat_* to vendor_*
This change renames the non-platform sepolicy files on a DUT from
nonplat_* to vendor_*.

It also splits the versioned platform sepolicy from vendor_sepolicy.cil
into a new file, /vendor/etc/selinux/plat_pub_versioned.cil, and keeps
only vendor customizations in vendor_sepolicy.cil.

Build variable BOARD_SEPOLICY_DIRS is also renamed to
BOARD_VENDOR_SEPOLICY_DIRS.

Bug: 64240127
Test: boot an existing device
Change-Id: I53a9715b2f9ddccd214f4cf9ef081ac426721612
2017-12-06 12:57:19 +08:00
Jason Monk
4021886a4f Add selinux for slice service
am: 07131ec803

Change-Id: Id52c9d602fd05e07d79b39b78c164015eab888b0
2017-12-05 20:23:19 +00:00
Jaegeuk Kim
ba828ff741 make_f2fs: grant rw to vold
am: c8e7a9f4a7

Change-Id: Ib7ea2f91d6a2099f76c0124097db2f389da9b95e
2017-12-05 17:57:37 +00:00
Jason Monk
07131ec803 Add selinux for slice service
Test: make/sync
Bug: 68751119
Change-Id: Ie3c60ff68b563cef07f20d15f298d6b62e9356bc
2017-12-05 11:26:08 -05:00
Jaegeuk Kim
c8e7a9f4a7 make_f2fs: grant rw to vold
This allows formatting the sdcard for adoptable storage.

Bug: 69641635
Change-Id: I8d471be657e2e8f4df56c94437239510ca65096e
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
2017-12-04 18:41:03 -08:00
rickywai
2a57b35f91 Merge "Add network watchlist service SELinux policy rules"
am: e2c271834b

Change-Id: If5386ad857ccffa44be29545283e3ee792503572
2017-12-04 08:35:01 +00:00
rickywai
e2c271834b Merge "Add network watchlist service SELinux policy rules" 2017-12-04 08:30:49 +00:00
Andreas Gampe
ffaaed8026 Sepolicy: Fix perfprofd path
am: 99e4f40246

Change-Id: I80eaf2eb1867d99137c1c7afd1708ebaf6a60e35
2017-12-02 22:03:42 +00:00
Andreas Gampe
99e4f40246 Sepolicy: Fix perfprofd path
Corresponds to commit 410cdebaf966746d6667d6d0dd4cee62262905e1 in
system/extras.

Bug: 32286026
Test: m
Change-Id: I1e0934aa5bf4649d598ec460128de6f02711597f
2017-12-01 17:29:36 -08:00
Tri Vo
996487ceda Revert "init: remove open, read, write access to 'sysfs' type."
am: 423d14bfa1

Change-Id: I0cdadf49d68b77c7c6b93738deea4a1e72bc41a3
2017-12-01 22:59:14 +00:00
Tri Vo
423d14bfa1 Revert "init: remove open, read, write access to 'sysfs' type."
This reverts commit c2241a8d16.

Reason for revert: build breakage b/70040773

Change-Id: I6af098ae20c4771a1070800d02c98e5783999a39
2017-12-01 22:31:01 +00:00
Tri Vo
317d6b4da2 init: remove open, read, write access to 'sysfs' type.
am: c2241a8d16

Change-Id: I4178c482a6b1241bedbadea1aa721c7b08ae8cb3
2017-12-01 19:18:24 +00:00
Tri Vo
c2241a8d16 init: remove open, read, write access to 'sysfs' type.
Add write access to:
sysfs_android_usb
sysfs_leds
sysfs_power
sysfs_zram

Add setattr access to:
sysfs_android_usb
sysfs_devices_system_cpu
sysfs_lowmemorykiller
sysfs_power
sysfs_leds
sysfs_ipv4

Bug: 65643247
Test: walleye boots with no denials from init to sysfs.

Change-Id: Ibc9a54a5f43f3d53ab7cbb0fdb9589959b31ebde
2017-12-01 19:13:11 +00:00
Joel Galenson
54d044c12e Merge "Allow init to create /dev/event-log-tags."
am: cea60d7eb5

Change-Id: I9c0195571c616525fe8daaefc76661d111a57917
2017-12-01 16:52:07 +00:00
Treehugger Robot
cea60d7eb5 Merge "Allow init to create /dev/event-log-tags." 2017-12-01 16:47:10 +00:00
Joel Galenson
0975d73010 Allow init to create /dev/event-log-tags.
Now that creating a symlink automatically sets its context,
init needs permission to create this file.

Bug: 69965807
Test: Booted device and tested wifi and camera.
Change-Id: I41f5ca8f4d877312c9b2a909001fe9cd80c3d458
2017-11-30 15:38:19 -08:00
Calin Juravle
2b20a162fe Allow system server to getattr profile_data_files
am: acbda50484

Change-Id: I9575610aeae0464661ad23d0eac696915cb0064e
2017-11-30 23:25:13 +00:00
Ricky Wai
c63529735a Add network watchlist service SELinux policy rules
Bug: 63908748
Test: built, flashed, able to boot
Change-Id: I3cfead1d687112b5f8cd485c8f84083c566fbce2
2017-11-30 15:53:19 +00:00
Calin Juravle
acbda50484 Allow system server to getattr profile_data_files
This is needed in order to get the stat-size of the files.

Bug: 30934496
Test: gts-tradefed -m GtsAndroidRuntimeManagerHostTestCases
Change-Id: I1df0ba941e8f9ff13a23df4063acc3c4f1555c1b
2017-11-29 18:35:35 -08:00
Connor O'Brien
f410c694c6 Merge "selinux: set proc_uid_time_in_state type for /proc/uid"
am: 33ba9c54d1

Change-Id: I09d49857f0bffc37090c4429879fb5288cbc9b90
2017-11-30 01:57:33 +00:00
Connor O'Brien
33ba9c54d1 Merge "selinux: set proc_uid_time_in_state type for /proc/uid" 2017-11-30 01:44:02 +00:00
Jeff Vander Stoep
08c68e1a26 Merge "Fix bug map entry"
am: f838a3bc46

Change-Id: Ia2c73bd7b5524da7df7aa96c14dd60e30feecce2
2017-11-30 01:02:38 +00:00
Treehugger Robot
f838a3bc46 Merge "Fix bug map entry" 2017-11-30 00:52:21 +00:00
Jeff Vander Stoep
53950b6595 Fix bug map entry
Tclass was omitted for two entries.

Bug: 69928154
Bug: 69366875
Test: build
Change-Id: Ie12c240b84e365110516bcd786b98dc37295fdb9
2017-11-29 14:48:41 -08:00
Connor O'Brien
ac3c61eb40 selinux: set proc_uid_time_in_state type for /proc/uid
/proc/uid/ provides the same per-uid time_in_state data as
/proc/uid_time_in_state, so apply the same type and let system_server
read directories of this type.

Bug: 66953705
Test: system_server can read /proc/uid/*/time_in_state files without
denials on sailfish
Change-Id: Iab7fd018c5296e8c0140be81c14e5bae9e0acb0b
Signed-off-by: Connor O'Brien <connoro@google.com>
2017-11-29 12:54:13 -08:00
Nicholas Sauer
bfdb55bec2 Merge "Make sepolicy-analyze for ATS."
am: 4ebbe461aa -s ours

Change-Id: I72f7b323551fc2151668203db725710231c836c5
2017-11-29 04:28:41 +00:00
Nicholas Sauer
4ebbe461aa Merge "Make sepolicy-analyze for ATS." 2017-11-29 04:01:40 +00:00
Calin Juravle
8e4bedd40d Allow system server to open profiles
am: 15da30b6ff

Change-Id: I6a06b84d6319680d73d38ec16ca6e142d79290d1
2017-11-28 23:24:33 +00:00
Nicholas Sauer
b6d6db2706 Make sepolicy-analyze for ATS.
Bug: 69430536
Test: make ats-tradefed && ats-tradefed run ats -m GtsSecurityHostTestCases

Merged-In: I617a7d08b1bf480f970bc8b4339fa6bbdc347311
Change-Id: I1d4af47662de5db4e5f7bba244e42930b6de164b
2017-11-28 21:48:43 +00:00
Calin Juravle
15da30b6ff Allow system server to open profiles
Allow system_server to open profile snapshots for read.
System server never reads the actual content. It passes the descriptor
to privileged apps which acquire the permissions to inspect the profiles.

Test: installd_dexopt_test
Bug: 30934496
Change-Id: I1d1f07a05261af25f6640040af1500c9a4d5b8d5
2017-11-28 20:18:35 +00:00