dcashman
fb0c52ad4e
Allow domain to read proc dirs. am: abf31acb01
...
am: eb3480b70f
* commit 'eb3480b70fdf0d9ea539b0834dd7d39443fc55e4':
Allow domain to read proc dirs.
2016-02-05 23:44:07 +00:00
Nick Kralevich
7898352245
Replace "neverallow domain" by "neverallow *" am: 35a1451430
...
am: 8f611b6eda
* commit '8f611b6edaedc317af63035df0ccca31a5a69c14':
Replace "neverallow domain" by "neverallow *"
2016-02-05 23:44:02 +00:00
dcashman
eb3480b70f
Allow domain to read proc dirs.
...
am: abf31acb01
* commit 'abf31acb01f85ade4b97b05f9893d270b915b7b6':
Allow domain to read proc dirs.
2016-02-05 23:22:49 +00:00
dcashman
abf31acb01
Allow domain to read proc dirs.
...
Ability to read all of proc was placed in domain_deprecated with the
intention of reducing information leaking from proc. Many processes try
to read proc dirs, though. Allow this with the belief that information
leakage is from the proc files themselves rather than dir structure.
Address the following denial:
avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0
Bug: 26833472
Change-Id: I975ae022c093e1cf80de21487dc11e49f938e5a3
2016-02-05 15:16:51 -08:00
Marco Nelissen
8fe9260066
Merge "Trim down mediaextractor rules"
2016-02-05 23:08:39 +00:00
Nick Kralevich
8f611b6eda
Replace "neverallow domain" by "neverallow *"
...
am: 35a1451430
* commit '35a145143076ceee50f387025d8cb3c62e62569e':
Replace "neverallow domain" by "neverallow *"
2016-02-05 23:04:43 +00:00
Nick Kralevich
35a1451430
Replace "neverallow domain" by "neverallow *"
...
Modify many "neverallow domain" rules to be "neverallow *" rules
instead. This will catch more SELinux policy bugs where a label
is assigned an irrelevant rule, as well as catch situations where
a domain attribute is not assigned to a process.
Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf
2016-02-05 14:54:04 -08:00
Marco Nelissen
e31341ece1
Trim down mediaextractor rules
...
Change-Id: I0cfc604676dc67701fdd5cdd1c143974d7200d07
2016-02-05 13:31:17 -08:00
Daniel Cashman
92b1c40137
Merge "Allow 'vdc' to be invoked with logwrapper."
2016-02-05 20:59:43 +00:00
Jeffrey Vander Stoep
e5968aa719
Merge "audioserver: grant read perms to /proc"
2016-02-05 16:47:37 +00:00
Jeffrey Vander Stoep
2902adf037
Merge "Selinux: introduce policy for OTA preopt"
2016-02-05 03:18:16 +00:00
Andreas Gampe
47ebae1a7a
Selinux: introduce policy for OTA preopt
...
Add permissions to dex2oat, introduce otapreopt binary and otadexopt
service.
Bug: 25612095
Change-Id: I80fcba2785e80b2931d7d82bb07474f6cd0099f7
2016-02-04 16:58:43 -08:00
Jeff Sharkey
3ade7cefde
Allow 'vdc' to be invoked with logwrapper.
...
Currently vdc emits logs to stderr, which makes sense for command
line invocations, but when exec'ed they're silently dropped unless
the caller uses logwrapper.
avc: denied { read write } for path="/dev/pts/2" dev="devpts" ino=5 scontext=u:r:vdc:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
Bug: 25796509
Change-Id: Ib92e0a7f580b1934a9853a83684f95b24bdc355c
2016-02-04 15:25:18 -07:00
Mark Salyzyn
613f451ee7
persist.mmc.* only set in init am: d143560445
...
am: 47f95192b2
* commit '47f95192b2eb08ecb9d1801edd8a5f19e6ed3dd0':
persist.mmc.* only set in init
2016-02-04 19:17:42 +00:00
Mark Salyzyn
47f95192b2
persist.mmc.* only set in init
...
am: d143560445
* commit 'd1435604455e5e274c88f6ee0308c7881cddaf20':
persist.mmc.* only set in init
2016-02-04 19:14:00 +00:00
Mark Salyzyn
d143560445
persist.mmc.* only set in init
...
Bug: 26976972
Change-Id: I0e44bfc6774807a3bd2ba05637a432675d855118
2016-02-04 11:03:10 -08:00
Daichi Hirono
fd5b742850
Merge "Fix SELinux warning when passing fuse FD from system server." am: 4c42a0dcc0
...
am: f9065c89e6
* commit 'f9065c89e6ac9cf601e1e580959b57a31cd256ca':
Fix SELinux warning when passing fuse FD from system server.
2016-02-04 03:40:00 +00:00
Daichi Hirono
f9065c89e6
Merge "Fix SELinux warning when passing fuse FD from system server."
...
am: 4c42a0dcc0
* commit '4c42a0dcc087c1d188620aa4c6f9afe4e66ba902':
Fix SELinux warning when passing fuse FD from system server.
2016-02-04 03:38:11 +00:00
Daichi Hirono
4c42a0dcc0
Merge "Fix SELinux warning when passing fuse FD from system server."
2016-02-04 03:34:01 +00:00
Daichi Hirono
59e3d7b42d
Fix SELinux warning when passing fuse FD from system server.
...
Before applying the CL, Android shows the following error when passing
FD of /dev/fuse.
> Binder_2: type=1400 audit(0.0:38): avc: denied { getattr } for
> path="/dev/fuse" dev="tmpfs" ino=9300 scontext=u:r:system_server:s0
> tcontext=u:object_r:fuse_device:s0 tclass=chr_file permissive=0
Change-Id: I59dec819d79d4e2e1a8e42523b6f521481cb2afd
2016-02-03 18:15:33 +09:00
dcashman
c8b21438c6
Allow platform app to get handle to voiceinteraction service.
...
Address the following denial caused by systemui:
avc: denied { find } for service=voiceinteraction pid=10761 uid=10029 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=0
Bug: 26842457
Change-Id: I8274d7f31a4390ccfb885389302e4fea9ce0e389
2016-02-01 13:09:56 -08:00
Jeffrey Vander Stoep
c68c5019d5
Merge "init: allow to access console-ramoops with newer kernels" am: 84fbd53a1b
...
am: fa3353065d
* commit 'fa3353065d2cc095bb613a54e3d3c8570b412f49':
init: allow to access console-ramoops with newer kernels
2016-02-01 19:40:04 +00:00
Jeffrey Vander Stoep
fa3353065d
Merge "init: allow to access console-ramoops with newer kernels"
...
am: 84fbd53a1b
* commit '84fbd53a1b39dbec2703b56f92d6fe2612c4a4a4':
init: allow to access console-ramoops with newer kernels
2016-02-01 19:20:59 +00:00
Jeffrey Vander Stoep
84fbd53a1b
Merge "init: allow to access console-ramoops with newer kernels"
2016-02-01 19:15:15 +00:00
Christopher Tate
b8104a47dd
Move staged backup content to a specific cache subdir
...
Also narrowly specify the domain for the local transport's bookkeeping.
Bug 26834865
Change-Id: I2eea8a10f29356ffecabd8e102f7afa90123c535
2016-01-29 14:05:35 -08:00
Chris Tate
02bffbb8dc
Merge "Add rules for original + processed wallpaper files"
2016-01-29 00:38:36 +00:00
Christopher Tate
fdeeb59bdb
Add rules for original + processed wallpaper files
...
Bug 25454501
Change-Id: I31357e658ecdbcc69df47fbc2d22e4849dd1539b
2016-01-28 13:52:09 -08:00
Marco Nelissen
b1bf83fd79
Revert "selinux rules for codec process"
...
This reverts commit 2afb217b68.
Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed
2016-01-28 13:51:28 -08:00
Jeffrey Vander Stoep
c08eeee540
Merge "mediaserver: grant perms from domain_deprecated" am: 3d8391e759
...
am: 15decd6955
* commit '15decd6955093683a9d78cc2983d7ea49f20bba2':
mediaserver: grant perms from domain_deprecated
2016-01-28 15:40:30 +00:00
Jeffrey Vander Stoep
b89e0e1316
Merge "logd: grant perms from domain_deprecated" am: 61e9386030
...
am: e02124ff0a
* commit 'e02124ff0a7aa1bbfbc9dcf78b1dc2e3c1481936':
logd: grant perms from domain_deprecated
2016-01-28 15:40:27 +00:00
Jeffrey Vander Stoep
1d7f15070f
Merge "kernel: grant perms from domain_deprecated" am: e48ab7848d
...
am: d9fcee9ddc
* commit 'd9fcee9ddca74ec3a6cce9dedb5932d8180fb10c':
kernel: grant perms from domain_deprecated
2016-01-28 15:40:23 +00:00
Jeffrey Vander Stoep
15decd6955
Merge "mediaserver: grant perms from domain_deprecated"
...
am: 3d8391e759
* commit '3d8391e759fd3ffe70f10fc77e252fe71c902836':
mediaserver: grant perms from domain_deprecated
2016-01-28 15:38:17 +00:00
Jeffrey Vander Stoep
e02124ff0a
Merge "logd: grant perms from domain_deprecated"
...
am: 61e9386030
* commit '61e9386030d67a14030d7191a19838ed7d06e076':
logd: grant perms from domain_deprecated
2016-01-28 15:38:13 +00:00
Jeffrey Vander Stoep
d9fcee9ddc
Merge "kernel: grant perms from domain_deprecated"
...
am: e48ab7848d
* commit 'e48ab7848dac5fecfe64fcabeef786156eeae261':
kernel: grant perms from domain_deprecated
2016-01-28 15:38:10 +00:00
Jeffrey Vander Stoep
3d8391e759
Merge "mediaserver: grant perms from domain_deprecated"
2016-01-28 15:35:17 +00:00
Jeffrey Vander Stoep
61e9386030
Merge "logd: grant perms from domain_deprecated"
2016-01-28 15:34:28 +00:00
Jeffrey Vander Stoep
e48ab7848d
Merge "kernel: grant perms from domain_deprecated"
2016-01-28 15:34:06 +00:00
dcashman
4cfa4decc1
Allow apps to check attrs of /cache am: 0e591bd256
...
am: a38af1a903
* commit 'a38af1a903f038ee08490db898c2416885f859db':
Allow apps to check attrs of /cache
2016-01-28 04:22:24 +00:00
Jeff Vander Stoep
72e78bfcac
mediaserver: grant perms from domain_deprecated
...
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { getattr } for path="/proc/self" dev="proc" ino=4026531841 scontext=u:r:mediaserver:s0 tcontext=u:object_r:proc:s0 tclass=lnk_file permissive=1
avc: denied { read } for name="mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
avc: denied { open } for path="/vendor/lib/mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
Change-Id: Ibffa0c9a31316b9a2f1912ae68a8dcd3a4e671b7
2016-01-27 19:33:42 -08:00
Jeff Vander Stoep
2f3979a778
logd: grant perms from domain_deprecated
...
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { open } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { getattr } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { read } for name="kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
avc: denied { open } for path="/proc/kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
avc: denied { getattr } for path="/proc/meminfo" dev="proc" ino=4026536598 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
Change-Id: Iaa67a6b8369c0449b09b64b807bc5819d6d68f02
2016-01-27 19:25:52 -08:00
Jeff Vander Stoep
bc2b76b06b
kernel: grant perms from domain_deprecated
...
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { read } for name="enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
avc: denied { read } for name="selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
avc: denied { open } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
avc: denied { getattr } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
Change-Id: I62cbffe85941677283d3b7bf8fc1c437671569a3
2016-01-27 19:18:01 -08:00
dcashman
a38af1a903
Allow apps to check attrs of /cache
...
am: 0e591bd256
* commit '0e591bd256233add2c06c306bc17f5ebd71fe088':
Allow apps to check attrs of /cache
2016-01-28 02:18:17 +00:00
Chien-Yu Chen
4000cc33de
Merge "selinux: Update policies for cameraserver"
2016-01-28 02:04:43 +00:00
Jeffrey Vander Stoep
739f31f09d
Merge "vold: grant perms from domain_deprecated" am: 1cf93217fa
...
am: 9001f6f892
* commit '9001f6f892a8a9eb73dd27c040ab6398ec238fe5':
vold: grant perms from domain_deprecated
2016-01-27 23:53:08 +00:00
Jeffrey Vander Stoep
9001f6f892
Merge "vold: grant perms from domain_deprecated"
...
am: 1cf93217fa
* commit '1cf93217fa578b3439b37b7f5a3b5045a97ec5d4':
vold: grant perms from domain_deprecated
2016-01-27 23:49:33 +00:00
dcashman
0e591bd256
Allow apps to check attrs of /cache
...
Address the following denial:
type=1400 audit(0.0:261): avc: denied { getattr } for path="/cache" dev="mmcblk0p27" ino=2 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0 tclass=dir permissive=0
Bug: 26823157
Change-Id: I937046969e92d96f2d31feceddd9ebe7c59bd3e6
2016-01-27 15:49:11 -08:00
Jeffrey Vander Stoep
1cf93217fa
Merge "vold: grant perms from domain_deprecated"
2016-01-27 23:44:48 +00:00
Jeffrey Vander Stoep
e618841de3
Merge "healthd: grant perms from domain_deprecated" am: f33507dfc5
...
am: e329140391
* commit 'e329140391790f1aa0ac7ed6a35903d7f8b445d9':
healthd: grant perms from domain_deprecated
2016-01-27 21:05:08 +00:00
Daniel Cashman
fb10981c45
Merge "remove access_kmsg macro, because it to be more explicit." am: fea9ad7c29
...
am: 07ae9d5db4
* commit '07ae9d5db41814a6748e8f125ef8205bc2eb4221':
remove access_kmsg macro, because it to be more explicit.
2016-01-27 21:05:04 +00:00
Jeffrey Vander Stoep
e329140391
Merge "healthd: grant perms from domain_deprecated"
...
am: f33507dfc5
* commit 'f33507dfc588692e01fac148d6f151f2dbac8b04':
healthd: grant perms from domain_deprecated
2016-01-27 20:51:20 +00:00