Commit graph

14678 commits

Author SHA1 Message Date
Joel Galenson
e7cad6cdc2 Hide denial for wpa_supplicant writing to /data/misc/wifi.
It should instead write to /data/vendor/wifi.

Bug: 36645291
Test: Built policy.
Change-Id: Ib7ba3477fbc03ebf07b886c60bcf4a64b954934a
(cherry picked from commit cc9b30a1cd)
2018-03-12 13:24:52 -07:00
TreeHugger Robot
732240b041 Merge "/odm is another vendor partition other than /vendor" into pi-dev 2018-03-12 05:07:32 +00:00
TreeHugger Robot
cb4e3b77ca Merge "Revert "Move rild from public to vendor."" into pi-dev 2018-03-12 00:01:17 +00:00
Jeffrey Vander Stoep
016f0a58a9 Revert "Move rild from public to vendor."
This reverts commit eeda6c6106.

Reason for revert: broken presubmit tests

Bug: 74486619
Change-Id: I103c3faa1604fddc27b3b4602b587f2d733827b1
2018-03-11 20:46:50 +00:00
TreeHugger Robot
910f63f9ee Merge "Move rild from public to vendor." into pi-dev 2018-03-09 22:42:30 +00:00
TreeHugger Robot
37925fdbc5 Merge "Allow public-readable to persist.rcs.supported" into pi-dev 2018-03-08 22:25:29 +00:00
Amit Mahajan
eeda6c6106 Move rild from public to vendor.
Also change the neverallow exceptions to be for hal_telephony_server
instead of rild.

Test: Basic telephony sanity, treehugger
Bug: 36427227
Change-Id: If892b28416d98ca1f9c241c5fcec70fbae35c82e
2018-03-08 12:50:13 -08:00
TreeHugger Robot
11d8cd5dce Merge "Use user policy when checking neverallow rules." into pi-dev 2018-03-08 17:54:28 +00:00
TreeHugger Robot
178d0adbfc Merge "Add secure_element_device" into pi-dev 2018-03-08 17:53:28 +00:00
Jaekyun Seok
9ddba296c8 Allow public-readable to persist.rcs.supported
For now, persist.rcs.supported has only vendor-init-settable, but it
turned out that the property should be read by vendor components in
some devices including 2018 Pixels.

Bug: 74266614
Test: succeeded building and tested on a blueline device with
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE=true

Change-Id: I926eb4316c178a39693300fe983176acfb9cabec
2018-03-09 00:34:48 +09:00
Jiyong Park
e64edff159 /odm is another vendor partition other than /vendor
Sub directories under /odm (or /vendor/odm when there isn't an odm
partition) are labeled so that artifacts under the sub directories are
treated the same as their counterpart in the vendor partition.

For example, /odm/app/* is labeled as vendor_app_file just like
/vendor/app/*.

Bug: 71366495
Test: m -j

Merged-In: I72a14fd55672cd2867edd88ced9828ea49726694
Change-Id: I72a14fd55672cd2867edd88ced9828ea49726694
(cherry picked from commit 2f1015512d)
2018-03-08 10:09:16 +09:00
Jong Wook Kim
5c51354c8c Merge "sepolicy(hostapd): Allow socket based control iface" into pi-dev 2018-03-08 00:34:39 +00:00
Joel Galenson
053cb34130 Use user policy when checking neverallow rules.
When building userdebug or eng builds, we still want to build the user
policy when checking neverallow rules so that we can catch compile
errors.

Commit c0713e86 split out a helper function but lost one instance of
using user instead of the real variant. This restores that one and
adds it to the neverallow check.

Bug: 74344625
Test: Added a rule that referred to a type defined only
in userdebug and eng and ensure we throw a compile error when building
userdebug mode.

Change-Id: I1a6ffbb36dbeeb880852f9cbac880f923370c2ae
2018-03-07 15:41:19 -08:00
TreeHugger Robot
7b74a8445c Merge "Enabling incidentd to get top and ps data." into pi-dev 2018-03-07 21:56:20 +00:00
Ruchi Kandoi
e0e2342e16 Add secure_element_device
Test: eSE initializes at boot
Bug: 64881253
Change-Id: Ib2388b7368c790c402c000adddf1488bee492cce
(cherry picked from commit ea3cf0007e)
2018-03-07 13:54:21 -08:00
Kweku Adams
bcf8b11566 Enabling incidentd to get top and ps data.
Bug: 72177715
Bug: 72384374
Test: flash device and make sure incidentd is getting data without SELinux denials
Change-Id: I684fe014e19c936017a466ec2d6cd2e1f03022c0
(cherry picked from commit 06ac7dba37)
2018-03-07 11:43:30 -08:00
TreeHugger Robot
763770f611 Merge "Track platform_app SELinux denial." into pi-dev 2018-03-07 19:22:54 +00:00
Joel Galenson
f3f93eaf1d Clean up bug_map.
Remove a fixed bug from bug_map.

Bug: 62140539
Test: Built policy.
Change-Id: I2ce9e48de92975b6e37ca4a3a4c53f9478b006ef
2018-03-07 08:35:41 -08:00
Joel Galenson
2995e996b9 Track platform_app SELinux denial.
This should fix presubmit tests.

Bug: 74331887
Test: Built policy.
Change-Id: Ie9ef75a7f9eaebf1103e3d2f3b4521e9abaf2fe7
2018-03-07 08:26:08 -08:00
Chenbo Feng
6cd70c2f00 Fix sepolicy for bpf object
With the new patches backported to 4.9 kernels, the bpf file system now
takes the same file open flag as bpf_obj_get. So system server now needs
read permission only for both bpf map and fs_bpf since we do not need
system server to edit the map. Also, the netd will always pass stdin
stdout fd to the process forked by it and do allow it will cause the
fork and execve to fail. We just allow it to pass the fd to bpfloader for now
until we have a better option.

Test: bpfloader start successful on devices with 4.9 kernel.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
Bug: 74096311
Bug: 30950746

Change-Id: I747a51cb05ae495c155e7625a3021fc77f921e0d
2018-03-07 14:51:18 +09:00
Daichi Ueura
e029085840 sepolicy(hostapd): Allow socket based control iface
Update sepolicy permission to allow hostapd to set up a
socket for the socket based control interface.

Sepolicy denial for accessing /data/vendor/wifi/hostapd/ctrl:
02-23 12:32:06.186  3068  3068 I hostapd : type=1400 audit(0.0:36):
avc: denied { create } for name="ctrl"
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:hostapd_data_file:s0 tclass=dir permissive=1

02-23 12:32:06.186  3068  3068 I hostapd : type=1400 audit(0.0:37):
avc: denied { setattr } for name="ctrl" dev="sda35" ino=131410
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:hostapd_data_file:s0 tclass=dir permissive=1

02-23 12:32:06.190  3068  3068 I hostapd : type=1400 audit(0.0:38):
avc: denied { create } for name="wlan0"
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:hostapd_data_file:s0 tclass=sock_file permissive=1

02-23 12:32:06.190  3068  3068 I hostapd : type=1400 audit(0.0:39):
avc: denied { setattr } for name="wlan0" dev="sda35" ino=131411
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:hostapd_data_file:s0 tclass=sock_file permissive=1

Bug: 73419160
Test: Manual check that softAp works
Change-Id: I2e733e168feceeab2d557f7704832c143e352375
2018-03-05 20:12:47 +00:00
Jerry Zhang
a6b8414b66 Add functionfs access to system_server. am: 1d40154575 am: caf0139b3d
am: 66adf0cd34

Change-Id: I88a90ad2fc9243724e4ddb6f9da469857ffd115b
2018-03-02 03:05:03 +00:00
Jerry Zhang
66adf0cd34 Add functionfs access to system_server. am: 1d40154575
am: caf0139b3d

Change-Id: I874a41e0072352f5b8a0fc2b0080913c206520e1
2018-03-02 02:59:30 +00:00
Jerry Zhang
caf0139b3d Add functionfs access to system_server.
am: 1d40154575

Change-Id: I7502e6ff1e45c12340b9f830bcc245fd2c80996e
2018-03-02 02:53:56 +00:00
Ryan Longair
4eb92dc15d [automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f9411 am: fa412d2db7 am: e9a260bb77 am: 89455f2ec5 am: ac6dcce007 am: a401c9f9ca am: 0bba3d4495 -s ours am: a0fac58513 -s ours
am: 8ded6f4292  -s ours

Change-Id: I19963a23f98c60613a511eed2b2f8938317002f8
2018-03-01 22:30:08 +00:00
Ryan Longair
8ded6f4292 [automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f9411 am: fa412d2db7 am: e9a260bb77 am: 89455f2ec5 am: ac6dcce007 am: a401c9f9ca am: 0bba3d4495 -s ours
am: a0fac58513  -s ours

Change-Id: I37020b064e0ab86621c567120e362a39cb27ddc3
2018-03-01 22:24:33 +00:00
Ryan Longair
7a23c8baae Fix sepolicy-analyze makefile so it is included in STS builds am: b7602d760f
am: 1ee556ed4a  -s ours

Change-Id: I3cc14d0b4d61136651c89671d2b134a86fc9450f
2018-03-01 22:20:05 +00:00
Ryan Longair
a0fac58513 [automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f9411 am: fa412d2db7 am: e9a260bb77 am: 89455f2ec5 am: ac6dcce007 am: a401c9f9ca
am: 0bba3d4495  -s ours

Change-Id: I7d9dfa298bc3f7f278284a09b5c47bd2d1c95e1d
2018-03-01 22:19:30 +00:00
Ryan Longair
0bba3d4495 [automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f9411 am: fa412d2db7 am: e9a260bb77 am: 89455f2ec5 am: ac6dcce007
am: a401c9f9ca

Change-Id: I37ef9b2b0ca3ea3012324a13592d60b70645bb8e
2018-03-01 22:14:57 +00:00
Ryan Longair
1ee556ed4a Fix sepolicy-analyze makefile so it is included in STS builds
am: b7602d760f

Change-Id: Ic731e6165c89f205bce4c96fbf760454550acd81
2018-03-01 22:14:52 +00:00
Jerry Zhang
1d40154575 Add functionfs access to system_server.
UsbDeviceManager in system_server now
helps set up the endpoint files.

Bug: 72877174
Test: No selinux denials
Change-Id: I96b11ee68799ac29b756d2034e7f5e4660dbed98
2018-03-01 12:07:15 -08:00
Ryan Longair
b7602d760f Fix sepolicy-analyze makefile so it is included in STS builds
Bug: 74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Merged-In: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b
Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b
2018-03-01 18:07:37 +00:00
Ryan Longair
50fec5f819 Fix sepolicy-analyze makefile so it is included in STS builds
Bug: 74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b
2018-03-01 10:07:11 -08:00
Android Build Merger (Role)
a401c9f9ca [automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f9411 am: fa412d2db7 am: e9a260bb77 am: 89455f2ec5 am: ac6dcce007
Change-Id: I8b2fd267b39b579bf34f23822698cda23c31e77e
2018-03-01 17:42:56 +00:00
Android Build Merger (Role)
ac6dcce007 [automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f9411 am: fa412d2db7 am: e9a260bb77 am: 89455f2ec5
Change-Id: Ic7c0f37773c22bd11e9b48e07bc46766d053da58
2018-03-01 17:42:55 +00:00
Android Build Merger (Role)
89455f2ec5 [automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f9411 am: fa412d2db7 am: e9a260bb77
Change-Id: Id65e91d0c3bdced074a6aa99902fcdfc0d97628c
2018-03-01 17:42:54 +00:00
Android Build Merger (Role)
e9a260bb77 [automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f9411 am: fa412d2db7
Change-Id: I5ae440fe30e214250bf66ea023104ab383700a54
2018-03-01 17:42:53 +00:00
Android Build Merger (Role)
fa412d2db7 [automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f9411
Change-Id: I9a4944f131547c11329167bc327c0de2c08e1f20
2018-03-01 17:42:52 +00:00
Ryan Longair
7dab0f9411 Fix sepolicy-analyze makefile so it is included in STS builds
Bug: 74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Merged-In: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b
Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b
2018-03-01 17:42:50 +00:00
Alan Stokes
f2a23efcd9 Allow hal_vibrator access to sysfs_vibrator files. am: 17d008ae73 am: 324e6ef541
am: 0d12c356fd

Change-Id: I245c2914f51f317758148123dc1368c326f562f1
2018-03-01 17:03:54 +00:00
Alan Stokes
0d12c356fd Allow hal_vibrator access to sysfs_vibrator files. am: 17d008ae73
am: 324e6ef541

Change-Id: I6ed15ce344d61eab4d81928b09020d7fb0fb757a
2018-03-01 16:51:51 +00:00
Alan Stokes
324e6ef541 Allow hal_vibrator access to sysfs_vibrator files.
am: 17d008ae73

Change-Id: Ib6305067a4f3bf30df918c63a049b7d689f9c255
2018-03-01 16:46:16 +00:00
Alan Stokes
17d008ae73 Allow hal_vibrator access to sysfs_vibrator files.
We already grant rw file access, but without dir search it's not much
use.

denied { search } for name="vibrator" dev="sysfs" ino=49606 scontext=u:r:hal_vibrator_default:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=dir permissive=0

Bug: 72643420
Test: Builds, denial gone
Change-Id: I3513c0a14f0ac1e60517009046e2654f1fc45c66
2018-03-01 14:30:52 +00:00
huans
f32e00e0d0 Add shell:fifo_file permission for cameraserver am: a6acef9a9e am: 42756b7628
am: 5083087127

Change-Id: I23c9f800c4faab0d03a9d239bbb2d0a61b6263ab
2018-03-01 02:39:22 +00:00
huans
5083087127 Add shell:fifo_file permission for cameraserver am: a6acef9a9e
am: 42756b7628

Change-Id: Ia8e879b894c75a28461bd90e86888703c20a604a
2018-03-01 02:34:20 +00:00
huans
42756b7628 Add shell:fifo_file permission for cameraserver
am: a6acef9a9e

Change-Id: I4a6816ae90ced3afb04f8d40afb2267f3a2994cf
2018-03-01 02:29:45 +00:00
huans
a6acef9a9e Add shell:fifo_file permission for cameraserver
Bug: 73952536
Test: run cts -m CtsCameraTestCases -t android.hardware.camera2.cts.IdleUidTest#testCameraAccessBecomingInactiveUid
Change-Id: I508352671367dfa106e80108c3a5c0255b5273b2
2018-02-28 16:12:40 -08:00
Jeff Vander Stoep
cb33022b26 Merge "kernel: exempt from vendor_file restrictions" am: 609aa6b83a am: 7a22490cb7
am: 426f78ca04

Change-Id: I4f1983feed32c668d723932c61a6f51692c61f53
2018-02-28 20:59:51 +00:00
Jeff Vander Stoep
426f78ca04 Merge "kernel: exempt from vendor_file restrictions" am: 609aa6b83a
am: 7a22490cb7

Change-Id: I3e6731b04314f9c54c016c1c7584242cdd12e75f
2018-02-28 20:46:44 +00:00
Jeff Vander Stoep
7a22490cb7 Merge "kernel: exempt from vendor_file restrictions"
am: 609aa6b83a

Change-Id: I261753961c59527061254f0b1c7adca50a7c2bce
2018-02-28 20:40:11 +00:00