Elliott Hughes
25ed8fa373
am f17bbab7: am ecd57731: Merge "SELinux policy changes for re-execing init."
...
* commit 'f17bbab747e5f8a8121601053f7cddacc3666035':
SELinux policy changes for re-execing init.
2015-04-24 03:46:32 +00:00
Nick Kralevich
2d425de9f4
am b1b5e662: am caefbd71: allow adbd to set sys.usb.ffs.ready
...
* commit 'b1b5e662ffbbaf2fe473c336954ef9d4a835f5f6':
allow adbd to set sys.usb.ffs.ready
2015-04-24 03:46:32 +00:00
Elliott Hughes
f17bbab747
am ecd57731: Merge "SELinux policy changes for re-execing init."
...
* commit 'ecd577313ee07b37a2de4e132c227a1f387c05b3':
SELinux policy changes for re-execing init.
2015-04-24 03:24:40 +00:00
Nick Kralevich
b1b5e662ff
am caefbd71: allow adbd to set sys.usb.ffs.ready
...
* commit 'caefbd71c5593fbfbb32ca7fba8d6d157a8dfad6':
allow adbd to set sys.usb.ffs.ready
2015-04-24 03:24:39 +00:00
Elliott Hughes
ecd577313e
Merge "SELinux policy changes for re-execing init."
2015-04-24 03:10:15 +00:00
Nick Kralevich
caefbd71c5
allow adbd to set sys.usb.ffs.ready
...
Needed for https://android-review.googlesource.com/147730
Change-Id: Iceb87f210e4c5d0f39426cc6c96a216a4644eaa9
2015-04-23 19:45:21 -07:00
Elliott Hughes
46e832f562
SELinux policy changes for re-execing init.
...
Change-Id: I5eca4f1f0f691be7c25e463563e0a4d2ac737448
2015-04-23 17:12:18 -07:00
Nick Kralevich
b77f78eb8e
am 268425b7: am 934cf6ea: Merge "gatekeeperd: use more specific label for /data file"
...
* commit '268425b7cd9af73d1fc9a7c10cb9423cd1b5da1e':
gatekeeperd: use more specific label for /data file
2015-04-20 16:04:54 +00:00
Nick Kralevich
268425b7cd
am 934cf6ea: Merge "gatekeeperd: use more specific label for /data file"
...
* commit '934cf6eaf05571ecd91bf4509545a044322bd54c':
gatekeeperd: use more specific label for /data file
2015-04-20 15:44:52 +00:00
Nick Kralevich
934cf6eaf0
Merge "gatekeeperd: use more specific label for /data file"
2015-04-20 15:24:00 +00:00
Jeff Sharkey
57ed97652a
am 479a536a: am e98cda25: Grant apps write access to returned vfat FDs.
...
* commit '479a536ac011ab09be0d58558747e62399c65d5e':
Grant apps write access to returned vfat FDs.
2015-04-18 22:22:13 +00:00
Jeff Sharkey
479a536ac0
am e98cda25: Grant apps write access to returned vfat FDs.
...
* commit 'e98cda25e152e82b7a30ddfff63d69301cb90d60':
Grant apps write access to returned vfat FDs.
2015-04-18 22:05:02 +00:00
Jeff Sharkey
205882cf5b
am bb0385e2: am c9036fb1: Grant platform apps access to /mnt/media_rw.
...
* commit 'bb0385e248a8af2c6995d01ae45464ea95334dbd':
Grant platform apps access to /mnt/media_rw.
2015-04-18 21:49:17 +00:00
Jeff Sharkey
e98cda25e1
Grant apps write access to returned vfat FDs.
...
Users can pick files from vfat devices through the Storage Access
Framework, which are returned through ParcelFileDescriptors. Grant
apps write access to those files. (Direct access to the files on
disk is still controlled through normal filesystem permissions.)
avc: denied { write } for pid=3235 comm="Binder_1" path=2F6D6E742F6D656469615F72772F373243322D303446392F6D656F772F6D79206469722F706963322E706E67 dev="sdb1" ino=87 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:vfat:s0 tclass=file
Bug: 19993667
Change-Id: I24b4d8826f0a35825b2abc63d1cfe851e1c1bfe9
2015-04-18 14:34:52 -07:00
Jeff Sharkey
bb0385e248
am c9036fb1: Grant platform apps access to /mnt/media_rw.
...
* commit 'c9036fb1c1d6a16c6686ada777e01cc1bf63d6fe':
Grant platform apps access to /mnt/media_rw.
2015-04-18 21:33:16 +00:00
Jeff Sharkey
c9036fb1c1
Grant platform apps access to /mnt/media_rw.
...
Raw physical storage devices are mounted by vold under /mnt/media_rw
and then wrapped in a FUSE daemon that presents them under /storage.
Normal apps only have access through /storage, but platform apps
(such as ExternalStorageProvider) often bypass the FUSE daemon for
performance reasons.
avc: denied { search } for pid=6411 comm="Binder_1" name="media_rw" dev="tmpfs" ino=6666 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { write } for pid=3701 comm="Binder_2" name="PANO_20131016_162457.jpg" dev="sda1" ino=127 scontext=u:r:platform_app:s0:c522,c768 tcontext=u:object_r:vfat:s0 tclass=file
Bug: 19993667
Change-Id: I66df236eade3ca25a10749dd43d173ff4628cfad
2015-04-18 14:14:15 -07:00
Nick Kralevich
367757d2ef
gatekeeperd: use more specific label for /data file
...
Use a more specific label for /data/misc/gatekeeper
Rearrange some other rules.
Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5
2015-04-17 17:56:31 -07:00
Andres Morales
f4414dbc2a
am ab2ff479: am 6db824a7: Merge "New rules for SID access"
...
* commit 'ab2ff4796030d4ea4aa84fc7943cb90a95387550':
New rules for SID access
2015-04-18 00:00:25 +00:00
Andres Morales
ab2ff47960
am 6db824a7: Merge "New rules for SID access"
...
* commit '6db824a7d909df2235ab6893a07aa9859ec99570':
New rules for SID access
2015-04-17 23:37:47 +00:00
Andres Morales
6db824a7d9
Merge "New rules for SID access"
2015-04-17 23:16:46 +00:00
Andres Morales
b348f8f55d
New rules for SID access
...
Change-Id: Ia9df151cc64ad74133db2095a935220ef9f3ea8e
2015-04-17 10:41:09 -07:00
Nick Kralevich
17286c0b0d
am f06090af: am 490a7a8a: Merge "neverallow shell file_type:file link"
...
* commit 'f06090af59dd2b1c6349ae68daafce027c1aec95':
neverallow shell file_type:file link
2015-04-16 16:51:51 +00:00
Nick Kralevich
76ce37d76c
am d18f1482: am 85416e06: su.te: add filesystem dontaudit rule
...
* commit 'd18f1482015fc08a92dff8710c6213eedeb2f25c':
su.te: add filesystem dontaudit rule
2015-04-16 16:51:50 +00:00
Nick Kralevich
f06090af59
am 490a7a8a: Merge "neverallow shell file_type:file link"
...
* commit '490a7a8abfb1a8084c3c7281f7b880b02ad0b21a':
neverallow shell file_type:file link
2015-04-16 16:29:25 +00:00
Nick Kralevich
d18f148201
am 85416e06: su.te: add filesystem dontaudit rule
...
* commit '85416e06a522b12874ce0db7a90639b221f00625':
su.te: add filesystem dontaudit rule
2015-04-16 16:29:25 +00:00
Nick Kralevich
490a7a8abf
Merge "neverallow shell file_type:file link"
2015-04-16 16:09:29 +00:00
Nick Kralevich
e0c8da253c
neverallow shell file_type:file link
...
Change-Id: I77ce4331d70edebcecc753b2e67ffab1de3ae98e
2015-04-16 08:43:10 -07:00
Nick Kralevich
85416e06a5
su.te: add filesystem dontaudit rule
...
Addresses su denials which occur when mounting filesystems not
defined by policy.
Addresses denials similar to:
avc: denied { mount } for pid=12361 comm="mount" name="/" dev="binfmt_misc" ino=1 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=1
Change-Id: Ifa0d7c781152f9ebdda9534ac3a04da151f8d78e
2015-04-16 08:38:46 -07:00
Vinit Deshpande
92d44c4160
Merge "am fcdd354..fcdd354 from mirror-m-wireless-internal-release"
2015-04-16 02:37:31 +00:00
Nick Kralevich
fd47d02131
Merge "Remove recovery from mknod neverallow rule"
2015-04-15 15:18:03 +00:00
Nick Kralevich
98a2f7feda
Remove recovery from mknod neverallow rule
...
This was only used on grouper, which is now EOLd.
Change-Id: Idb65930bb214fdb3339b18fae94ffb3f6ac391c5
2015-04-14 18:58:26 -07:00
Vinit Deshpande
721f3e3650
am fcdd354..fcdd354 from mirror-m-wireless-internal-release
...
fcdd354 Add permission for Bluetooth Sim Access Profile
Change-Id: I9b40b17be0c9bf08ca48ad34d3718d421ec6466e
2015-04-14 16:07:12 -07:00
dcashman
4d9c99d1ab
am 38885bc4: am e96c3abe: Add neverallow for mounting on proc
...
* commit '38885bc47a68898f96a05f1656d111ce59fbd993':
Add neverallow for mounting on proc
2015-04-14 19:21:47 +00:00
dcashman
38885bc47a
am e96c3abe: Add neverallow for mounting on proc
...
* commit 'e96c3abe2e86f3ecdfdb7770629e9f73ff1e96d1':
Add neverallow for mounting on proc
2015-04-14 19:02:31 +00:00
dcashman
e96c3abe2e
Add neverallow for mounting on proc
...
Change-Id: Ie19ac00f2e96836667e8a5c18fafeaf6b6eadb25
2015-04-14 11:29:20 -07:00
Andres Morales
7e26f157ce
am 2e9e13d4: am dd156fc3: Allow gatekeeperd to use keystore
...
* commit '2e9e13d468f9da057b13bf06b4ad34833281a6e9':
Allow gatekeeperd to use keystore
2015-04-13 20:09:09 +00:00
Andres Morales
2e9e13d468
am dd156fc3: Allow gatekeeperd to use keystore
...
* commit 'dd156fc377c2892752fb5b38c5cca4c3e7484054':
Allow gatekeeperd to use keystore
2015-04-13 19:48:46 +00:00
Andres Morales
dd156fc377
Allow gatekeeperd to use keystore
...
needs to call addAuthToken
Change-Id: If519df61448f19dfafab254668c17eea6c161ea4
2015-04-13 12:26:02 -07:00
Neil Fuller
ae4b79cefd
am 69d3b897: am 4127a4c8: Merge "Add rules for /system/bin/tzdatacheck"
...
* commit '69d3b89756465122f7afe859447161d660c57791':
Add rules for /system/bin/tzdatacheck
2015-04-13 12:18:36 +00:00
Neil Fuller
69d3b89756
am 4127a4c8: Merge "Add rules for /system/bin/tzdatacheck"
...
* commit '4127a4c890e84f1fd8f22b8baecc2519b25b8701':
Add rules for /system/bin/tzdatacheck
2015-04-13 11:58:52 +00:00
Neil Fuller
4127a4c890
Merge "Add rules for /system/bin/tzdatacheck"
2015-04-13 11:41:24 +00:00
Casper Bonde
fcdd354653
Add permission for Bluetooth Sim Access Profile
...
Added permission to SAP socket used to access the RIL daemon
Change-Id: Ifbfb764f0b8731e81fb3157955aa4fda6120d846
Signed-off-by: Casper Bonde <c.bonde@samsung.com>
2015-04-12 22:18:31 -07:00
Jeff Sharkey
1f19864968
am 6b6d51cf: am 5e5b0065: Merge "Allow sdcard daemon to run above expanded storage."
...
* commit '6b6d51cf06b535e46d6787c0251d91cbd2497602':
Allow sdcard daemon to run above expanded storage.
2015-04-13 00:21:19 +00:00
Jeff Sharkey
6b6d51cf06
am 5e5b0065: Merge "Allow sdcard daemon to run above expanded storage."
...
* commit '5e5b0065e958e91ed8d286b8c2861f428909f0ec':
Allow sdcard daemon to run above expanded storage.
2015-04-12 18:19:59 +00:00
Jeff Sharkey
5e5b0065e9
Merge "Allow sdcard daemon to run above expanded storage."
2015-04-12 18:00:25 +00:00
Jeff Sharkey
3acec6fa17
Allow sdcard daemon to run above expanded storage.
...
We have a /media directory on expanded storage that behaves just
like internal storage, and has a FUSE daemon running above it.
avc: denied { search } for name="expand" dev="tmpfs" ino=3130 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
Bug: 19993667
Change-Id: I771ecb8f2808c48ccf4139ac9cfc2a48a2332fec
2015-04-11 22:21:50 -07:00
Nick Kralevich
4c2bb84168
am c53f3437: am fdc56c5f: genfs_contexts: provide a label for binfmt_misc
...
* commit 'c53f343747e190662df9e43ad301aba83d4eb25d':
genfs_contexts: provide a label for binfmt_misc
2015-04-11 16:20:53 +00:00
Nick Kralevich
c53f343747
am fdc56c5f: genfs_contexts: provide a label for binfmt_misc
...
* commit 'fdc56c5ffec126b5d5ee257b816cfc6633667ace':
genfs_contexts: provide a label for binfmt_misc
2015-04-11 16:00:28 +00:00
Nick Kralevich
fdc56c5ffe
genfs_contexts: provide a label for binfmt_misc
...
Provide a default label for binfmt_misc. This is not used by the
core policy, although it may be used in device specific policy.
Bug: 20152930
Change-Id: Id51d69333bfeda40720d0e65e1539fab0b6e1e95
2015-04-10 17:42:49 -07:00
Jeff Sharkey
61ecf06e0d
am 39e0b820: am e32c7b2e: Merge "Allow installd to move around private app data."
...
* commit '39e0b8206ad91a0899018009eea178508ddb1f1a':
Allow installd to move around private app data.
2015-04-10 21:32:04 +00:00