5426 commits

Author SHA1 Message Date
Jeff Vander Stoep
94ee59bc4a audit mtp sync permission
Determine if the following rule can be removed:

allow kernel untrusted_app:fd use

Bug: 25331459
Change-Id: I4ef9f376d7fc1d2bdfba69b2fb3e24d49ac136ad
2015-10-28 08:57:40 -07:00
Nick Kralevich
27743c0ffe Update text relocation neverallow assertions am: 89424bf947
am: 984b0030a1

* commit '984b0030a1e26ecfc5451845e3a3dfe03c72a30e':
  Update text relocation neverallow assertions
2015-10-28 01:25:23 +00:00
Nick Kralevich
984b0030a1 Update text relocation neverallow assertions
am: 89424bf947

* commit '89424bf9470931df90afa4f6d141b3696ad5a632':
  Update text relocation neverallow assertions
2015-10-28 01:21:01 +00:00
Nick Kralevich
89424bf947 Update text relocation neverallow assertions
1) Don't allow any SELinux domain to attempt to perform a text
relocation on a file from the /system partition. It's not supported
and should never be attempted.

2) Completely block any non-app SELinux domains from using text
relocations, regardless of the source.

Bug: 20013628
Change-Id: I82573398d0d5586264a717a1e400a3dbc7793fe3
2015-10-27 17:15:34 -07:00
Bruce Beare
4516643186 Define the i2C device policy am: 59019fd72a
am: 5a3132bbeb

* commit '5a3132bbeb16107e637890b6abc7ccc1cf648771':
  Define the i2C device policy
2015-10-28 00:05:06 +00:00
Bruce Beare
5a3132bbeb Define the i2C device policy
am: 59019fd72a

* commit '59019fd72a46bb4d1fa4e14e15122f56841f2e0d':
  Define the i2C device policy
2015-10-27 23:54:11 +00:00
Bruce Beare
59019fd72a Define the i2C device policy
Change-Id: I93d9cfea2f2148bb042d1cb8af3649524ad31034
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
2015-10-27 16:40:54 -07:00
Jeff Vander Stoep
fa6169ade8 Fix MTP sync am: 9ba8ade5d2
am: 34d81d9152

* commit '34d81d9152cd2adc8758f84aca0e36bac64e99c0':
  Fix MTP sync
2015-10-27 04:01:25 +00:00
Jeff Vander Stoep
34d81d9152 Fix MTP sync
am: 9ba8ade5d2

* commit '9ba8ade5d2b24bd1f9083e8a51e7d586e609e28a':
  Fix MTP sync
2015-10-27 03:58:36 +00:00
Jeff Vander Stoep
9ba8ade5d2 Fix MTP sync
Address the following denial:
avc: denied { use } for path="/storage/emulated/0/305512.pdf" dev="fuse"
ino=239 scontext=u:r:kernel:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=fd
permissive=0

Bug: 25068662
Change-Id: Ic29d9569ff387dfd411363db751c3642572c8e85
2015-10-26 20:32:49 -07:00
Jeff Vander Stoep
ad32785689 audit untrusted_app access to mtp_device am: 7b8f9f153e
am: 775dda1fb3

* commit '775dda1fb3641e3ea2be4124a9a77cb236648d6f':
  audit untrusted_app access to mtp_device
2015-10-23 18:12:32 +00:00
Jeff Vander Stoep
4b1c3de99a Temporarily downgrade to policy version number am: 0fc831c3b0
am: 312c2511f7

* commit '312c2511f7dfbebf110f1372db55d811bc1ad29f':
  Temporarily downgrade to policy version number
2015-10-23 18:12:28 +00:00
Jeff Vander Stoep
775dda1fb3 audit untrusted_app access to mtp_device
am: 7b8f9f153e

* commit '7b8f9f153edf7c8bbefe3d472c86419d8048e5dd':
  audit untrusted_app access to mtp_device
2015-10-23 18:05:09 +00:00
Jeff Vander Stoep
312c2511f7 Temporarily downgrade to policy version number
am: 0fc831c3b0

* commit '0fc831c3b0b8d9a4e10d0931131a0eed06cd4275':
  Temporarily downgrade to policy version number
2015-10-23 18:05:05 +00:00
Jeff Vander Stoep
7b8f9f153e audit untrusted_app access to mtp_device
android.process.media moved to priv_app. Add audit rule to test if
untrusted_app still requires access or if some/all permissions may
be removed.

Bug: 25085347
Change-Id: I13bae9c09bd1627b2c06ae84b069778984f9bd5d
2015-10-23 18:03:01 +00:00
Jeff Vander Stoep
0fc831c3b0 Temporarily downgrade to policy version number
Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.

(cherry picked from commit 89765083f7)

Bug: 22846070

Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4
2015-10-23 10:16:00 -07:00
Anthony Hugh
d19b20c30c Merge "Revert "Update sepolicy to allow ThermalObserver system service"" into cw-e-dev
am: 753148a869

* commit '753148a8691b7b5d29ee0ebab400c1eb7b2a7c27':
  Revert "Update sepolicy to allow ThermalObserver system service"
2015-10-22 22:27:54 +00:00
Anthony Hugh
753148a869 Merge "Revert "Update sepolicy to allow ThermalObserver system service"" into cw-e-dev
2015-10-22 22:22:44 +00:00
Anthony Hugh
2d8c2d9779 Revert "Update sepolicy to allow ThermalObserver system service"
This reverts commit cda36e31d1.
This will be moved to a device specific file.

BUG: 24555181

Change-Id: I0eb543211245c37da77bbf42449f70ff3fdf79ec
2015-10-22 21:58:51 +00:00
Bill Yi
4acb1b20c0 Merge remote-tracking branch \'goog/mnc-cts-release\' into HEAD am: 7d20f40879 am: a8bbe96d8b am: 5eac92174c
am: 4bb2bdc1b0

* commit '4bb2bdc1b01f04f824bf13dafb66411e48aa2275':
2015-10-21 17:18:59 +00:00
Bill Yi
4bb2bdc1b0 Merge remote-tracking branch \'goog/mnc-cts-release\' into HEAD am: 7d20f40879 am: a8bbe96d8b
am: 5eac92174c

* commit '5eac92174c8a036e088337c1c44f1ea84ab59b0f':
2015-10-21 17:01:14 +00:00
Bill Yi
5eac92174c Merge remote-tracking branch \'goog/mnc-cts-release\' into HEAD am: 7d20f40879
am: a8bbe96d8b

* commit 'a8bbe96d8b3fc76bd36e7f6582b79c94a7ecaa80':
2015-10-21 16:52:44 +00:00
Bill Yi
a8bbe96d8b Merge remote-tracking branch \'goog/mnc-cts-release\' into HEAD
am: 7d20f40879

* commit '7d20f40879d1cdcc39dc6e876371020c258d5a86':
2015-10-21 16:46:48 +00:00
Bill Yi
7d20f40879 Merge remote-tracking branch 'goog/mnc-cts-release' into HEAD
2015-10-21 09:33:42 -07:00
Jeffrey Vander Stoep
ded068b5a8 am beb002ce: am 1b52ad6b: Merge "grant priv_app access to /dev/mtp_usb"
* commit 'beb002cef031d5c7eba68bc8fe10e936c94873b4':
  grant priv_app access to /dev/mtp_usb
2015-10-19 21:39:41 +00:00
Jeffrey Vander Stoep
beb002cef0 am 1b52ad6b: Merge "grant priv_app access to /dev/mtp_usb"
* commit '1b52ad6be1263a6165536b681e239105e7dfa135':
  grant priv_app access to /dev/mtp_usb
2015-10-19 14:33:51 -07:00
Jeffrey Vander Stoep
1b52ad6be1 Merge "grant priv_app access to /dev/mtp_usb"
2015-10-19 21:31:05 +00:00
Nick Kralevich
2736e7d6f9 am 40367ad8: Merge "untrusted_apps: Allow untrusted apps to find healthd_service." into mnc-dr-dev am: 6ab438dc8b
* commit '40367ad87e084f78e310b33963aa3da4309442e8':
  untrusted_apps: Allow untrusted apps to find healthd_service.
2015-10-19 21:08:41 +00:00
Nick Kralevich
40367ad87e Merge "untrusted_apps: Allow untrusted apps to find healthd_service." into mnc-dr-dev
am: 6ab438dc8b

* commit '6ab438dc8b4c8b661c8209ecfb66b626b8bdc532':
  untrusted_apps: Allow untrusted apps to find healthd_service.
2015-10-19 20:59:28 +00:00
Nick Kralevich
6ab438dc8b Merge "untrusted_apps: Allow untrusted apps to find healthd_service." into mnc-dr-dev
2015-10-19 20:42:33 +00:00
Ruchi Kandoi
ac8b5750b0 untrusted_apps: Allow untrusted apps to find healthd_service.
This allows apps to find the healthd service which is used to query
battery properties.

Bug: 24759218
Change-Id: I72ce5a28b2ffd57aa424faeb2d039b6c92f9597d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
2015-10-19 13:33:23 -07:00
Jeff Vander Stoep
bcbb32e763 grant priv_app access to /dev/mtp_usb
android.process.media needs access to mtp_usb when MTP is enabled.

Bug: 25074672
Change-Id: Ic48a3ba8e4395104b0b957f7a9bad69f0e5ee38e
2015-10-19 13:07:15 -07:00
Jeff Vander Stoep
5d7bd5849a am 5f34265c: am a910a287: Remove untrusted_app access to tmp apk files
* commit '5f34265c5af472042c338780a39145661cca0e09':
  Remove untrusted_app access to tmp apk files
2015-10-19 19:09:37 +00:00
Jeff Vander Stoep
3912943b98 am e9aaae4f: resolved conflicts for f1203bf0 to stage-aosp-master
* commit 'e9aaae4ffbe6f549aa724891affb176b2f7b465e':
  Remove untrusted_app access to cache
2015-10-19 19:04:08 +00:00
Jeff Vander Stoep
5f34265c5a am a910a287: Remove untrusted_app access to tmp apk files
* commit 'a910a287d81bf5e9885af9e5be60ed444964a86a':
  Remove untrusted_app access to tmp apk files
2015-10-19 12:02:56 -07:00
Jeff Vander Stoep
e9aaae4ffb resolved conflicts for f1203bf0 to stage-aosp-master
Change-Id: I7f17a87595a05967879ccc33326eb80d7bd00251
2015-10-19 11:39:59 -07:00
Jeff Vander Stoep
a910a287d8 Remove untrusted_app access to tmp apk files
Verifier has moved to the priv_app domain. Neverallow app domain
access to tmp apk files with exceptions for platform and priv app
domains.

Change-Id: I68a2fa39ebc7dc0bfa278fe7d092655f21a5225d
2015-10-19 18:19:31 +00:00
Jeffrey Vander Stoep
f1203bf05f Merge "Remove untrusted_app access to cache"
2015-10-19 18:06:38 +00:00
Jeff Vander Stoep
408e8da507 am d77deee4: am 7f09a945: Policy for priv_app domain
* commit 'd77deee44fc4d3f0c60f5ed9ab15ba166375c381':
  Policy for priv_app domain
2015-10-19 17:47:10 +00:00
Jeff Vander Stoep
d77deee44f am 7f09a945: Policy for priv_app domain
* commit '7f09a94596be98415d0546d927c8a4bc15867621':
  Policy for priv_app domain
2015-10-19 10:42:34 -07:00
Jeff Vander Stoep
7f09a94596 Policy for priv_app domain
Verifier needs access to apk files.
avc: denied { search } for pid=11905 comm="ackageinstaller" name="vmdl2040420713.tmp" dev="dm-2" ino=13647 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=0

Give bluetooth_manager_service and trust_service the app_api_service
attribute.
avc:  denied  { find } for service=bluetooth_manager pid=7916 uid=10058 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:bluetooth_manager_service:s0 tclass=service_manager permissive=0
avc:  denied  { find } for service=trust pid=25664 uid=10069 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:trust_service:s0 tclass=service_manager permissive=0

Bug: 25066911
Change-Id: I6be695546f8a951e3329c1ec412936b8637e5835
2015-10-19 10:35:20 -07:00
Jeff Vander Stoep
b8985782c6 am 59bb0d4b: am 734e4d7c: Give services app_api_service attribute
* commit '59bb0d4bc5316044721d3c16be90d3d9f21e3957':
  Give services app_api_service attribute
2015-10-18 16:21:20 +00:00
Jeff Vander Stoep
59bb0d4bc5 am 734e4d7c: Give services app_api_service attribute
* commit '734e4d7c5015a510ab20bfbc3c5a84667378764f':
  Give services app_api_service attribute
2015-10-18 09:15:25 -07:00
Jeff Vander Stoep
734e4d7c50 Give services app_api_service attribute
avc:  denied  { find } for service=network_management pid=4503 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:network_management_service:s0 tclass=service_manager
avc:  denied  { find } for service=netstats pid=4503 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=0

Bug: 25022496
Change-Id: Ib6eac76b680fed3eca7e4942c6b0e375f12b6496
2015-10-17 19:24:11 +00:00
Jeffrey Vander Stoep
3588221547 am 6bbe728c: am b1eced68: Merge "grant webviewupdate_service app_api_service attribute"
* commit '6bbe728ce8780d3c0e3fabed6fd5c927160a2610':
  grant webviewupdate_service app_api_service attribute
2015-10-16 22:08:38 +00:00
Jeffrey Vander Stoep
6bbe728ce8 am b1eced68: Merge "grant webviewupdate_service app_api_service attribute"
* commit 'b1eced68d2dc0823e70729db66b16463289986a8':
  grant webviewupdate_service app_api_service attribute
2015-10-16 15:02:08 -07:00
Jeffrey Vander Stoep
b1eced68d2 Merge "grant webviewupdate_service app_api_service attribute"
2015-10-16 21:56:59 +00:00
Jeff Vander Stoep
7813cc8de0 grant webviewupdate_service app_api_service attribute
avc:  denied  { find } for service=webviewupdate pid=11399 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:webviewupdate_service:s0 tclass=service_manager permissive=0

Bug: 25018574
Change-Id: I26a7846d1c80c1ab3842813f4148528030b1106a
2015-10-16 14:53:11 -07:00
Jeff Vander Stoep
68748c2166 Remove untrusted_app access to cache
neverallow access to untrusted_app and isolated app

Access to cache is a system|signature permission. Only
priv/system/platform apps should be allowed access.

Change-Id: I7ebd38ce6d39950e74c0a164479bc59e694c852d
2015-10-16 14:51:55 -07:00
Jeffrey Vander Stoep
08faa8e03b am b663e28b: am 63613805: Merge "Privileged apps require access to cache"
* commit 'b663e28b14d1b39c18228eaa59a2b45c8e88a697':
  Privileged apps require access to cache
2015-10-16 00:17:47 +00:00