Tom Cherry
e5e5e0416b
Merge "Use property_info_checker instead of checkfc and fc_sort for properties"
...
am: 060586362b
Change-Id: I0b9c704a863a9378937c1f06d844dec12ee31cba
2018-01-06 18:02:01 +00:00
Tom Cherry
060586362b
Merge "Use property_info_checker instead of checkfc and fc_sort for properties"
2018-01-05 20:32:23 +00:00
Etan Cohen
10d3c77f05
[RTT] Update Wi-Fi RTT service name
...
am: a8d9191fb7
Change-Id: I134a0d70c1075dee70991daa915a516bc21dab24
2018-01-05 17:50:34 +00:00
Etan Cohen
a8d9191fb7
[RTT] Update Wi-Fi RTT service name
...
Finalize Wi-Fi RTT service name per API review.
Note: CL 1 of 2 - adding new entry here, will remove
old entry in next CL.
Bug: 65108607
Test: integration tests
Change-Id: I065ce9d570510180fa8c8f09e1025ac795706405
2018-01-05 15:56:58 +00:00
Chen Xu
38fb5d4802
Merge "Setting up SELinux policy for carrier id"
...
am: fd9f7de71e
Change-Id: I1450316521d217109a84027cf4f760c90cf4812d
2018-01-04 22:06:52 +00:00
Chen Xu
fd9f7de71e
Merge "Setting up SELinux policy for carrier id"
2018-01-04 21:56:13 +00:00
Joel Galenson
f810a0269e
Merge "Revert "Update neverallow exception.""
...
am: 70c21a6205
Change-Id: I4acdfc65e2fdbefd0bdd2d9442ea087fc7d173b8
2018-01-04 21:18:29 +00:00
Joel Galenson
70c21a6205
Merge "Revert "Update neverallow exception.""
2018-01-04 21:11:00 +00:00
Joel Galenson
9db566f0c5
Revert "Update neverallow exception."
...
This reverts commit b40eb255a7.
Change-Id: I04d9e76152ed11ada4cabcc79bb4eec827f8abef
2018-01-04 21:03:05 +00:00
Joel Galenson
9519f1b9d3
Merge "Update neverallow exception."
...
am: 2de29263c4
Change-Id: Iae8918d997d10f9a3a1b61fcffb9ed4e8a217368
2018-01-04 20:08:33 +00:00
Treehugger Robot
2de29263c4
Merge "Update neverallow exception."
2018-01-04 20:03:09 +00:00
fionaxu
2cb8729614
Setting up SELinux policy for carrier id
...
Bug: 64131637
Test: Manual
Change-Id: I0170c5eb465aa663582e3974348380a8f0c9b27f
2018-01-04 19:15:45 +00:00
Tom Cherry
f68b4c67d7
Use property_info_checker instead of checkfc and fc_sort for properties
...
1) fc_sort is not needed as there is no reason to sort system
properties, so this is removed and replaced with a simple copy
2) Use the new property_info_checker instead of checkfc for
validating property information. This supports exact match
properties and will be extended to verify property schemas in the
future.
Bug: 36001741
Test: verify bullhead's property contexts correct
Test: verify faulty property contexts result in failures
Change-Id: Id9bbf401f385206e6907449a510e3111424ce59e
2018-01-04 09:49:39 -08:00
Joel Galenson
b40eb255a7
Update neverallow exception.
...
After offline discussions, we decided that this was the proper
exception to the neverallow rule.
Test: Built policy.
Change-Id: Ic1603bfdd803151ccfb79f90195b83b616acc873
2018-01-04 09:36:58 -08:00
Jeff Tinker
f5468cd454
Merge "Allow default drm hal to access allocator hal"
...
am: 0eb0a7bb5b
Change-Id: I90b10b2ccaff3872675ef4dc24482a759fe4280c
2018-01-04 04:18:47 +00:00
Treehugger Robot
0eb0a7bb5b
Merge "Allow default drm hal to access allocator hal"
2018-01-04 04:12:19 +00:00
Jeff Tinker
e1a7190f51
Allow default drm hal to access allocator hal
...
This fixes failing vts drm tests
bug:67675811
Test:vts-tradefed run commandAndExit vts -m VtsHalDrmV1_0Target
Change-Id: I2f7e1c97e8c70fc312ca3c2c901f0a9607b05e83
2018-01-03 23:44:05 +00:00
Shawn Willden
2ea1f6fda5
Merge "Add file context for keymaster 4.0 service."
...
am: 4dd97a0bb8
Change-Id: Ic44a73a977a05b5cbb886abc5576b045020655df
2018-01-03 21:18:20 +00:00
Treehugger Robot
4dd97a0bb8
Merge "Add file context for keymaster 4.0 service."
2018-01-03 21:08:58 +00:00
Jeff Vander Stoep
7fb132ff88
Merge "Fix permission typo"
...
am: 41b8271f22
Change-Id: I14694f97a0af2e642db1b69c3ea8776dc7b3d7c9
2018-01-03 19:59:58 +00:00
Treehugger Robot
41b8271f22
Merge "Fix permission typo"
2018-01-03 19:43:32 +00:00
Shawn Willden
219c66c1f0
Add file context for keymaster 4.0 service.
...
Test: Boot the device
Change-Id: Ia468941e78803edebe311c73f424a41ac1faeaee
2018-01-03 10:56:06 -07:00
Jeff Vander Stoep
42d82b42ff
Fix permission typo
...
zygote->webview_zygote.
Forgot to amend local change.
Test: webview_zygote denials are gone.
Change-Id: I02869812feafd127b39e567c28e7278133770e97
2018-01-03 08:46:05 -08:00
Jeff Vander Stoep
6df91b7217
Merge "init: allow read of /sys/devices/virtual/block/zram"
...
am: 05916fca32
Change-Id: I84abff9bd2e80f452eaeb4a65f81ac25b6e7df21
2018-01-03 02:38:11 +00:00
Treehugger Robot
05916fca32
Merge "init: allow read of /sys/devices/virtual/block/zram"
2018-01-03 02:34:30 +00:00
Jeff Vander Stoep
8fdecd8d30
Merge "webview_zygote: allow listing dirs in /system"
...
am: db68967551
Change-Id: I0a21e2381ecc46d67fac8b7f3f20d8598fbcc6bb
2018-01-03 00:39:59 +00:00
Treehugger Robot
db68967551
Merge "webview_zygote: allow listing dirs in /system"
2018-01-03 00:33:37 +00:00
Jeff Vander Stoep
99c65df3ed
init: allow read of /sys/devices/virtual/block/zram
...
Commit 55039509 erroneously removed init's read access to
/sys/devices/virtual/block/zram*. Restore access.
Test: cat /proc/meminfo
...
SwapTotal: 524284 kB
SwapFree: 524284 kB
...
Bug: 71510938
Change-Id: I20268168caa541a7dafa1e32339641095e1e524b
2018-01-03 00:26:57 +00:00
Chenbo Feng
b243094e85
sepolicy: Allow system server to r/w the bpf maps
...
am: 756dd574d5
Change-Id: I747966d12d4f92b010a835f16c7309761ea4f16b
2018-01-02 22:01:44 +00:00
Chenbo Feng
7daa05f138
sepolicy: New sepolicy classes and rules about bpf object
...
am: 08f92f9c01
Change-Id: Ibf75df4bfde087c80b9135819edf319673103eb5
2018-01-02 22:01:37 +00:00
Chenbo Feng
956e099ec6
sepolicy: Allow mount cgroupv2 and bpf fs
...
am: 254ad0da3a
Change-Id: I2cb5fe79f04ca72896ff313db44bd6778368053f
2018-01-02 22:01:31 +00:00
Jeff Vander Stoep
3588ddd06d
webview_zygote: allow listing dirs in /system
...
For consistency with zygote, allow webview_zygote to list directories
in /system.
Test: Boot Taimen. Verify webview_zygote denials during boot.
Bug: 70857705
Change-Id: I27eb18c377a5240d7430abf301c1c3af61704d59
2018-01-02 13:15:16 -08:00
Chenbo Feng
756dd574d5
sepolicy: Allow system server to r/w the bpf maps
...
The system server is responsible for providing the network traffic
stats to Apps and services. Allowing it to directly read the eBPF maps
that store this information can make the process of getting traffic
stats simpler.
Test: No selinux rule violation of system server reading netd bpf object
Bug: 30950746
Change-Id: I6d9438d1ed7c9bab45a708f5d2a85eb22f5e8170
2018-01-02 11:52:33 -08:00
Chenbo Feng
08f92f9c01
sepolicy: New sepolicy classes and rules about bpf object
...
Add the new classes for eBPF map and program to limit the access to eBPF
object. Add corresponding rules to allow netd module to initialize bpf
programs and maps, use the program and read/write to eBPF maps.
Test: no bpf sepolicy violations when device boot
Change-Id: I63c35cd60f1972d4fb36ef2408da8d5f2246f7fd
2018-01-02 11:52:33 -08:00
Chenbo Feng
254ad0da3a
sepolicy: Allow mount cgroupv2 and bpf fs
...
Some necessary sepolicy rule changes for init process to create directory,
mount cgroupv2 module and mount bpf filesystem. Also allow netd to create
and pin bpf object as files and read it back from file under the
directory where bpf filesystem is mounted.
Test: bpf maps show up under /sys/fs/bpf/
Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0
2018-01-02 11:52:33 -08:00
Ricky Wai
56a9edb19e
Add Network Watchlist data file selinux policy(Used in ConfigUpdater)
...
am: ff3b957e63
Change-Id: I7889127ebe538d2aaf0db9b887c991e3976e842a
2018-01-02 18:22:13 +00:00
Ricky Wai
ff3b957e63
Add Network Watchlist data file selinux policy(Used in ConfigUpdater)
...
Bug: 63908748
Test: Able to boot
Change-Id: I14d8856d7aac7be9d1f26ecf5bfff69ea5ee9607
2018-01-02 18:16:46 +00:00
Andreas Gampe
d695693d86
Merge "Sepolicy: Introduce perfprofd binder service"
...
am: 2f39276e3f
Change-Id: If8e02a3397a2f345940960d6c408d75f9cd14d89
2018-01-02 15:59:27 +00:00
Treehugger Robot
2f39276e3f
Merge "Sepolicy: Introduce perfprofd binder service"
2018-01-02 15:55:29 +00:00
Tri Vo
b6f04b57bf
Merge "system_server: search permission to all of sysfs."
...
am: 8d07a8d595
Change-Id: Ic3ff38e6a2c29ff1ee829bf759d9b3bc406bb64a
2017-12-30 04:59:09 +00:00
Treehugger Robot
8d07a8d595
Merge "system_server: search permission to all of sysfs."
2017-12-30 04:56:53 +00:00
Andreas Gampe
aa9711f82b
Sepolicy: Introduce perfprofd binder service
...
Add policy for the perfprofd binder service.
For now, only allow su to talk to it.
Test: m
Change-Id: I690f75460bf513cb326314cce633fa25453515d6
2017-12-28 17:31:21 -08:00
Steven Moreland
f3bf89c682
Merge "Remove sys/class/leds permissions from dumpstate."
...
am: 0b6856f59b
Change-Id: I7a46caf78de021df995c974e607629d69536b025
2017-12-22 21:52:13 +00:00
Treehugger Robot
0b6856f59b
Merge "Remove sys/class/leds permissions from dumpstate."
2017-12-22 21:47:01 +00:00
Steven Moreland
a00b74196e
Remove sys/class/leds permissions from dumpstate.
...
These are device specific.
Bug: 70846424
Test: bugreport
Change-Id: Ic22c972f1b09988a8eccf0823dd0d87fc0c0a1f7
2017-12-22 21:46:34 +00:00
Tri Vo
ce8bc8b00e
system_server: search permission to all of sysfs.
...
This will allow system_server to perform path resolution on paths like:
/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm8998@0:qcom,pm8998_rtc/rtc
Fixes this denial:
avc: denied { search } for pid=947 comm=system_server
name=800f000.qcom,spmi dev=sysfs ino=19891
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_msm_subsys:s0
tclass=dir permissive=0 b/68003344
Bug: 68003344
Test: walleye boots without the denial above.
Change-Id: Ib282395124c7f2f554681fcc713b9afe189f441c
2017-12-21 22:35:27 +00:00
Joel Galenson
ea3942f0a7
Merge "Disallow most coredomains from accessing vendor_files on Treble."
...
am: 6168a12ea9
Change-Id: Ie83d270b7fb1659d890e5dd9356ee69a0b6f6ea5
2017-12-21 19:03:24 +00:00
Treehugger Robot
6168a12ea9
Merge "Disallow most coredomains from accessing vendor_files on Treble."
2017-12-21 17:07:20 +00:00
Tri Vo
ef3865076b
system_server: remove access to /sys/class/leds.
...
am: 89a7b21541
Change-Id: Icdd87b3f76ebcbd5d05ad17f00368ef50fa1603d
2017-12-20 21:22:10 +00:00
Tri Vo
89a7b21541
system_server: remove access to /sys/class/leds.
...
Removing legacy rules. system_server now depends on Lights HAL (which
has its own domain) instead of /sys/class/leds.
Bug: 70846424
Test: sailfish boots; screen, flashlight work fine.
Change-Id: I6f116a599cab26ae71e45f462b33328bc8d43db5
2017-12-20 18:51:26 +00:00