tequilaOS/platform_system_sepolicy

Author	SHA1	Message	Date
Roshan Pius	a976e64d89	sepolicy: Make wpa_supplicant a HIDL service Note: The existing rules allowing socket communication will be removed once we migrate over to HIDL completely. (cherry-pick of `2a9595ede2`) Bug: 34603782 Test: Able to connect to wifi networks. Test: Will be sending for full wifi integration tests (go/wifi-test-request) Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615	2017-03-07 01:34:28 +00:00
Nick Kralevich	596dd09fed	domain_deprecated.te: remove auditallow statements on user builds Make the policy smaller and less noisy on user builds by suppressing auditallow rules. Bug: 28760354 Test: policy compiles and device boots. No obvious problems. Change-Id: Iddf6f12f8ce8838e84b09b2f9f3f0c8b700543f5	2017-02-10 12:58:41 -08:00
Nick Kralevich	b59c201604	init.te: remove domain_deprecated auditallows have been in place for a while, and no obvious denials. Remove domain_deprecated from init.te While I'm here, clean up the formatting of the lines in domain_deprecated.te. Bug: 28760354 Test: policy compiles and device boots. No obvious problems. Change-Id: Ia12e77c3e25990957abf15744e083eed9ffbb056	2017-02-10 12:06:46 -08:00
Jeff Vander Stoep	a1b4560088	Remove logspam Grant observed uses of permissions being audited in domain_deprecated. fsck avc: granted { getattr } for path="/" dev="dm-0" ino=2 scontext=u:r:fsck:s0 tcontext=u:object_r:rootfs:s0 tclass=dir keystore avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:keystore:s0 tcontext=u:object_r:system_file:s0 tclass=dir sdcardd avc: granted { read open } for path="/proc/filesystems" dev="proc" ino=4026532412 scontext=u:r:sdcardd:s0 tcontext=u:object_r:proc:s0 tclass=file update_engine avc: granted { getattr } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for name="hw" dev="dm-1" ino=168 scontext=u:r:update_engine:s0 tcontext=u:object_r:system_file:s0 tclass=dir vold avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:vold:s0 tcontext=u:object_r:system_file:s0 tclass=dir Test: Marlin builds and boots, avc granted messages no longer observed. Bug: 35197529 Change-Id: Iae34ae3b9e22ba7550cf7d45dc011ab043e63424	2017-02-10 12:06:38 -08:00
Nick Kralevich	5ee3151a8e	exclude init from apk_data_file getattr Addresses the following auditallow spam: avc: granted { getattr } for comm="init" path="/data/app/com.sling-1/lib/x86/libavcodec-56.so" dev="mmcblk0p11" ino=32607 scontext=u:r:init:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file Test: policy compiles. Change-Id: I81775f8de93f0b4334279e9f5e19d27e6171616f	2017-02-10 02:33:25 -08:00
Josh Gao	cb3eb4eef9	Introduce crash_dump debugging helper. Replace the global debuggerd with a per-process debugging helper that gets exec'ed by the process that crashed. Bug: http://b/30705528 Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>` Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed	2017-01-18 15:03:24 -08:00
Nick Kralevich	164af1039d	priv_app.te: remove domain_deprecated No denials collected. Bug: 28760354 Test: no denials collected. Test: device boots and no obvious problems Change-Id: I7fc053ecae2db3bb2ca7c298634453e930713bec	2017-01-06 16:32:01 -08:00
Nick Kralevich	dd649da84b	domain_deprecated.te: remove /proc/net access Remove /proc/net access to domain_deprecated. Add it to domains where it was missing before. Other than these domains, SELinux denial monitoring hasn't picked up any denials related to /proc/net Bug: 28760354 Test: Device boots Test: No unexpected denials in denial collection logs. Change-Id: Ie5bfa4bc0070793c1e8bf3b00676fd31c08d426a	2016-11-30 15:23:26 -08:00
Nick Kralevich	49e3588429	Add directory read permissions to certain domains. Addresses the following denials and auditallows: avc: denied { read } for pid=561 comm="hwservicemanage" name="hw" dev="dm-0" ino=1883 scontext=u:r:hwservicemanager:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 avc: denied { read } for pid=748 comm="gatekeeperd" name="hw" dev="dm-0" ino=1883 scontext=u:r:gatekeeperd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 avc: granted { read open } for pid=735 comm="fingerprintd" path="/system/lib64/hw" dev="dm-0" ino=1883 scontext=u:r:fingerprintd:s0 tcontext=u:object_r:system_file:s0 tclass=dir Test: no denials on boot Change-Id: Ic363497e3ae5078e564d7195f3739a654860a32f	2016-11-28 17:03:41 +00:00
Nick Kralevich	06da58b9ab	Delete more from domain_deprecated.te No unexpected usages. Bug: 28760354 Test: Device boots Test: No unexpected denials in denial collection logs. Change-Id: I43226fd0b8103afb1b25b1eb21445c04bc79954e	2016-11-25 17:14:45 -08:00
Nick Kralevich	f2de07529b	domain_deprecated.te: delete stale permissions auditallows have been in place for quite a while now, and nothing has triggered. Let's do some cleanup! Bug: 28760354 Test: device boots and no new denials Test: SELinux denials collection has seen no instances of these permissions Change-Id: I9293f8d8756c9db6307e344c32cd11b9e0183e7f	2016-11-20 08:34:02 -08:00
Nick Kralevich	68f233648e	installd: r_dir_file(installd, system_file) Allow installd to read through files, directories, and symlinks on /system. This is needed to support installd using files in /system/app and /system/priv-app Addresses the following auditallow spam: avc: granted { getattr } for comm="installd" path="/system/app/Bluetooth/lib/arm/libbluetooth_jni.so" dev="mmcblk0p41" ino=19 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=lnk_file avc: granted { getattr } for comm="installd" path="/system/priv-app/MtpDocumentsProvider/lib/arm64/libappfuse_jni.so" dev="dm-0" ino=2305 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=lnk_file avc: granted { read open } for comm="installd" path="/system/priv-app/TelephonyProvider" dev="mmcblk0p43" ino=1839 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: granted { read } for comm="installd" name="Velvet" dev="mmcblk0p43" ino=1841 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: granted { read open } for comm="installd" path="/system/priv-app/GoogleOneTimeInitializer" dev="mmcblk0p43" ino=1778 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: granted { read open } for comm="installd" path="/system/app/PlayAutoInstallConfig" dev="mmcblk0p43" ino=112 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir Test: policy compiles Change-Id: I5d14ea2cd7d281f949d0651b9723d5b7fae2e1f2	2016-11-07 16:18:38 -08:00
Nick Kralevich	2c8ea36ad8	Get rid of more auditallow spam Addresses the following audit messages: [ 7.984957] type=1400 audit(33873666.610:40): avc: granted { getattr } for pid=1 comm="init" name="system@framework@boot-ext.art" dev="dm-2" ino=106324 scontext=u:r:init:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file [ 65.528068] type=1400 audit(1477751916.508:96): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.530425] type=1400 audit(1477751916.508:97): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.530487] type=1400 audit(1477751916.508:98): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.530800] type=1400 audit(1477751916.508:98): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.530842] type=1400 audit(1477751916.508:99): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531138] type=1400 audit(1477751916.508:99): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531176] type=1400 audit(1477751916.508:100): avc: granted { search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup" ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531465] type=1400 audit(1477751916.508:100): avc: granted { search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup" ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531502] type=1400 audit(1477751916.508:101): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.531789] type=1400 audit(1477751916.508:101): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.531827] type=1400 audit(1477751916.508:102): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.713056] type=1400 audit(1477751916.508:102): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir Bug: 32246161 Test: policy compiles Test: dumpstate no longer generates the audit messages above. Change-Id: Id5afe2ebeb24f8a7407aac1a0a09806b1521b0e4	2016-10-29 08:15:08 -07:00
Nick Kralevich	79a08e13bd	Get rid of auditallow spam. Fixes the following SELinux messages when running adb bugreport: avc: granted { read } for name="libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read open } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { getattr } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read execute } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { getattr } for path="/data/dalvik-cache/arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { getattr } for path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { read } for name="system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { read open } for path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir [ 169.349480] type=1400 audit(1477679159.734:129): avc: granted { read } for pid=6413 comm="main" name="ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350030] type=1400 audit(1477679159.734:130): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350361] type=1400 audit(1477679159.734:130): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350399] type=1400 audit(1477679159.734:131): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350963] type=1400 audit(1477679159.734:131): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351002] type=1400 audit(1477679159.734:132): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351330] type=1400 audit(1477679159.734:132): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351366] type=1400 audit(1477679159.734:133): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351861] type=1400 audit(1477679159.734:133): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351910] type=1400 audit(1477679159.734:134): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353105] type=1400 audit(1477679159.734:134): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353186] type=1400 audit(1477679159.734:135): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353594] type=1400 audit(1477679159.734:135): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353636] type=1400 audit(1477679159.734:136): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.354230] type=1400 audit(1477679159.734:136): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.354437] type=1400 audit(1477679159.734:137): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.395359] type=1400 audit(1477679159.734:137): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file Test: policy compiles Test: adb bugreport runs without auditallow messages above. Bug: 32246161 Change-Id: Ie0ab2ed3c6babc1f93d3b8ae47c92dd905ebc93a	2016-10-28 11:46:00 -07:00
dcashman	cc39f63773	Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c	2016-10-06 13:09:06 -07:00

15 commits