tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public
History
Alex Klyubin 446279a6b9 Preserve treble-only flag for CTS neverallows 
CTS includes general_sepolicy.conf built from this project. CTS then
tests this file's neverallow rules against the policy of the device
under test. Prior to this commit, neverallow rules which must be
enforced only for Treble devices we not included into
general_sepolicy.conf. As a result, these rules were not enforced for
Treble devices.

This commit fixes the issue as follows. Because CTS includes only one
policy, the policy now contains also the rules which are only for
Treble devices. To enable CTS to distinguish rules needed for all
devices from rules needed only on Treble devices, the latter rules are
contained in sections delimited with BEGIN_TREBLE_ONLY and
END_TREBLE_ONLY comments.

This commit also removes the unnecessary sepolicy.general target. This
target is not used anywhere and is causing trouble because it is
verifying neverallows of the policy meant to be used by CTS. This
policy can no longer be verified with checkpolicy without
conditionally including or excluding Treble-only neverallows.

Test: mmm system/sepolicy
Test: Device boots -- no new denials
Bug: 37082262
Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf
2017-04-07 12:22:10 -07:00
..
adbd.te Move adbd policy to private 2017-02-07 09:55:05 -08:00
asan_extract.te Sepolicy: Add ASAN-Extract 2017-04-05 13:09:29 -07:00
attributes Add new classes and types for (hw|vnd)servicemanager. 2017-04-06 11:02:23 -07:00
audioserver.te Move audioserver policy to private 2017-02-07 10:47:18 -08:00
blkid.te Move blkid policy to private 2017-02-07 23:57:53 +00:00
blkid_untrusted.te Move blkid policy to private 2017-02-07 23:57:53 +00:00
bluetooth.te Move bluetooth policy to private 2017-02-06 15:29:10 -08:00
bootanim.te Allow hals to read hwservicemanager prop. am: d3ce5dc38c am: d437f0e09d 2017-03-23 03:53:11 +00:00
bootstat.te logd: restrict access to /dev/event-log-tags 2017-01-31 15:50:15 +00:00
bufferhubd.te Allow hals to read hwservicemanager prop. 2017-03-23 01:50:50 +00:00
cameraserver.te Remove unnecessary binder_call from cameraserver 2017-03-21 12:39:13 -07:00
charger.te healthd: create SEPolicy for 'charger' and reduce healthd's scope 2016-12-15 18:17:13 -08:00
clatd.te
cppreopts.te
crash_dump.te sepolicy: relabel /vendor 2017-04-05 13:58:32 -07:00
device.te Define policy for "loop-control" device. 2017-03-25 21:39:03 -06:00
dex2oat.te sepolicy: restrict access for /vendor/framework. 2017-04-06 13:28:16 -07:00
dhcp.te Ban core components from accessing vendor data types 2017-04-01 07:16:40 -07:00
dnsmasq.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
domain.te sepolicy: fix comments around 'domain' access to search in /vendor 2017-04-06 13:28:16 -07:00
domain_deprecated.te Fix lock logspam and remove domain_deprecated rule 2017-04-04 18:37:28 -07:00
drmserver.te No access to tee domain over Unix domain sockets 2017-04-03 11:26:01 -07:00
dumpstate.te VR: Add sepolicy for VR HWC service 2017-03-31 10:25:53 -04:00
ephemeral_app.te Move ephemeral_app policy to private 2017-01-09 15:34:27 -08:00
file.te sepolicy: relabel /vendor 2017-04-05 13:58:32 -07:00
fingerprintd.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
fsck.te fsck: allow stat access on /dev/block files 2017-02-17 12:47:25 -08:00
fsck_untrusted.te fsck: allow stat access on /dev/block files 2017-02-17 12:47:25 -08:00
gatekeeperd.te Fix sepolicy for Gatekeeper HAL 2017-03-20 07:39:33 -07:00
global_macros Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes. 2017-02-06 14:24:41 -05:00
hal_allocator.te Mark all clients of Allocator HAL 2017-03-24 13:54:43 -07:00
hal_audio.te Mark all clients of Allocator HAL 2017-03-24 13:54:43 -07:00
hal_bluetooth.te Disallow HAL access to Bluetooth data files 2017-03-30 16:00:23 +00:00
hal_bootctl.te Switch Boot Control HAL policy to _client/_server 2017-03-17 17:22:06 -07:00
hal_camera.te Switch Allocator HAL policy to _client/_server 2017-03-20 22:18:12 +00:00
hal_contexthub.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_drm.te No access to tee domain over Unix domain sockets 2017-04-03 11:26:01 -07:00
hal_dumpstate.te dumpstate: allow HALs to read /proc/interrupts 2017-03-22 13:26:03 -07:00
hal_fingerprint.te Switch Fingerprint HAL policy to _client/_server 2017-02-21 16:11:25 -08:00
hal_gatekeeper.te Fix sepolicy for Gatekeeper HAL 2017-03-20 07:39:33 -07:00
hal_gnss.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_graphics_allocator.te Move Graphics Allocator HAL IPC rules to proper location 2017-03-20 15:02:20 -07:00
hal_graphics_composer.te Allow hwcomposer to change scheduling policy 2017-02-13 09:02:04 -08:00
hal_health.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_ir.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_keymaster.te No access to tee domain over Unix domain sockets 2017-04-03 11:26:01 -07:00
hal_light.te hal_light: add permission to sys/class/leds. 2017-01-20 00:17:11 +00:00
hal_neverallows.te Enforce one HAL per domain. 2017-03-21 12:16:31 -07:00
hal_nfc.te Remove unnecessary rules from NFC HAL clients 2017-03-22 16:22:33 -07:00
hal_sensors.te Allow hal_sensors to use ashmem from android.hidl.allocator 2017-04-04 13:49:20 -07:00
hal_telephony.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_thermal.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_tv_input.te Add sepolicy for tv.input 2017-03-31 13:44:50 -07:00
hal_usb.te sepolicy for usb hal 2017-01-27 00:05:19 +00:00
hal_vibrator.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_vr.te haldomain: add hwbinder_use 2017-01-18 09:47:50 -08:00
hal_wifi.te sepolicy: Allow hal_wifi to set wlan driver status prop 2017-03-03 09:32:03 -08:00
hal_wifi_supplicant.te sepolicy: Add new wifi keystore HAL 2017-03-29 14:07:36 -07:00
healthd.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hwservicemanager.te hwservicemanager is not a HAL 2017-04-04 13:47:40 -07:00
idmap.te sepolicy: restrict /vendor/overlay from most coredomains 2017-04-06 13:28:16 -07:00
incident.te Add incident command and incidentd daemon se policy. 2017-02-07 15:52:07 -08:00
incidentd.te Add incident command and incidentd daemon se policy. 2017-02-07 15:52:07 -08:00
init.te sepolicy: relabel /vendor 2017-04-05 13:58:32 -07:00
inputflinger.te te_macros: introduce add_service() macro 2017-01-26 04:43:16 +00:00
install_recovery.te install_recovery.te: remove domain_deprecated 2017-01-09 16:47:36 +00:00
installd.te sepolicy: restrict /vendor/app from most coredomains 2017-04-06 13:28:12 -07:00
ioctl_defines
ioctl_macros Add TCSETS to unpriv_tty_ioctls 2016-12-07 15:59:34 -08:00
isolated_app.te Move isolated_app policy to private 2017-01-05 16:06:54 -08:00
kernel.te file_context: explicitly label all file context files 2017-03-29 10:17:21 -07:00
keystore.te Wifi Keystore HAL is not a HAL 2017-04-04 15:04:05 -07:00
lmkd.te more ephemeral_app cleanup 2017-01-20 14:35:17 +00:00
logd.te logd: add getEventTag command and service 2017-01-31 15:50:42 +00:00
logpersist.te logpersist: do not permit dynamic transition to domain 2016-12-29 09:29:36 -08:00
mdnsd.te Move mdnsd policy to private 2017-02-06 15:02:32 -08:00
mediacodec.te update sepolicy for gralloc HAL 2017-03-30 14:43:35 -07:00
mediadrmserver.te MediaCAS: adding media.cas to service 2017-02-28 12:31:45 -08:00
mediaextractor.te Allow MediaExtractor to create FileSource 2017-03-29 17:54:49 +00:00
mediametrics.te allow media.metrics to write to file descriptor in /data 2017-04-04 10:30:50 -07:00
mediaserver.te rild does not communicate with BT/system_server/mediaserver over sockets 2017-04-04 14:04:49 -07:00
modprobe.te enabled /sbin/modprobe for recovery mode 2017-03-16 01:19:58 +00:00
mtp.te
net.te Move netdomain policy to private 2017-02-06 15:02:00 -08:00
netd.te Merge changes from topic 'ipsec-svc-pick' into oc-dev 2017-04-06 01:34:37 +00:00
neverallow_macros Ban socket connections between core and vendor 2017-03-27 08:49:13 -07:00
nfc.te Remove unnecessary rules from NFC HAL clients 2017-03-22 16:22:33 -07:00
otapreopt_chroot.te
otapreopt_slot.te Sepolicy: Allow getattr for otapreopt_slot 2017-03-17 10:05:31 -07:00
performanced.te Add SELinux policies for vr_window_manager 2017-02-15 14:56:49 -08:00
perfprofd.te Ban vendor components access to core data types 2017-03-28 15:44:39 -07:00
platform_app.te Move platform_app policy to private 2017-01-09 14:52:59 -08:00
postinstall.te
postinstall_dexopt.te Sepolicy: Allow postinstall to read links 2017-03-17 10:08:52 -07:00
ppp.te ppp: Allow specific ioctls on mtp:socket. 2017-03-17 17:09:19 -04:00
preopt2cachename.te
priv_app.te Move priv_app policy to private 2017-01-05 15:44:32 -08:00
profman.te Allow profman to analyze profiles for the secondary dex files 2017-03-15 18:47:13 -07:00
property.te Sepolicy: Add ASAN-Extract 2017-04-05 13:09:29 -07:00
racoon.te remove setuid SELinux capability for racoon. 2017-02-22 03:31:23 +00:00
radio.te Ban socket connections between core and vendor 2017-03-27 08:49:13 -07:00
recovery.te file_context: explicitly label all file context files 2017-03-29 10:17:21 -07:00
recovery_persist.te sepolicy: add version_policy tool and version non-platform policy. 2016-12-06 08:56:02 -08:00
recovery_refresh.te sepolicy: add version_policy tool and version non-platform policy. 2016-12-06 08:56:02 -08:00
rild.te Ban vendor components access to core data types 2017-03-28 15:44:39 -07:00
roles sepolicy: add version_policy tool and version non-platform policy. 2016-12-06 08:56:02 -08:00
runas.te runas: Grant access to seapp_contexts_file 2017-03-30 13:21:49 -07:00
sdcardd.te Remove logspam 2017-02-10 12:06:38 -08:00
sensord.te Allow hals to read hwservicemanager prop. 2017-03-23 01:50:50 +00:00
service.te Merge changes from topic 'ipsec-svc-pick' into oc-dev 2017-04-06 01:34:37 +00:00
servicemanager.te Add target for vndservice_contexts. 2017-04-03 15:39:42 -07:00
sgdisk.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
shared_relro.te Restore app_domain macro and move to private use. 2016-12-08 14:42:43 -08:00
shell.te Remove hal_binderization_prop 2017-04-04 10:24:36 -07:00
slideshow.te
su.te Introduce crash_dump debugging helper. 2017-01-18 15:03:24 -08:00
surfaceflinger.te Move surfaceflinger policy to private 2017-02-07 10:06:12 -08:00
system_app.te Move system_app policy to private 2017-01-05 17:20:28 -08:00
system_server.te Move system_server policy to private 2017-02-07 20:24:05 +00:00
te_macros Preserve treble-only flag for CTS neverallows 2017-04-07 12:22:10 -07:00
tee.te Move TEE rules to vendor image 2017-04-03 11:11:48 -07:00
tombstoned.te tombstoned: temporarily allow write to anr_data_file. 2017-01-23 12:54:03 -08:00
toolbox.te
tzdatacheck.te remove more domain_deprecated 2016-12-09 19:57:43 -08:00
ueventd.te sepolicy: relabel /vendor 2017-04-05 13:58:32 -07:00
uncrypt.te
untrusted_app.te Move untrusted_app policy to private 2017-01-05 14:39:52 -08:00
untrusted_app_25.te untrusted_app: policy versioning based on targetSdkVersion 2017-02-14 13:30:12 -08:00
untrusted_v2_app.te Add new untrusted_v2_app domain 2017-02-21 12:39:55 -08:00
update_engine.te Ban vendor components access to core data types 2017-03-28 15:44:39 -07:00
update_engine_common.te Allow update_engine to kill postinstall process. 2017-03-22 21:01:08 -07:00
update_verifier.te Allow update_verifier to reboot the device 2017-04-04 21:07:48 +00:00
vdc.te Grant vdc access to kmsg 2017-03-31 20:48:36 +00:00
virtual_touchpad.te Add SELinux policies for vr_window_manager 2017-02-15 14:56:49 -08:00
vndservicemanager.te Initial sepolicy for vndservicemanager. 2017-03-23 00:20:43 +00:00
vold.te file_context: explicitly label all file context files 2017-03-29 10:17:21 -07:00
vr_hwc.te VR: Add sepolicy for VR HWC service 2017-03-31 10:25:53 -04:00
vr_wm.te VR: Add sepolicy for VR HWC service 2017-03-31 10:25:53 -04:00
watchdogd.te
webview_zygote.te Move webview_zygote policy to private 2017-01-27 17:01:43 +00:00
wificond.te Allow wificond to find permission 2017-04-04 16:52:25 -07:00
zygote.te Move zygote policy to private 2017-01-26 13:31:16 -08:00