tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public
History
Maciej enczykowski 532980fb0b selinux - allow netd to create tun device and pass it in via open fd across execve to clatd cli 
This is needed to resolve some race conditions between clatd startup and interface naming/numbering.

This resolves:
  type=1400 audit(): avc: denied { read write } for comm="Binder:820_4" name="tun" dev="tmpfs" ino=20564 scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
  type=1400 audit(): avc: denied { open } for comm="Binder:820_4" path="/dev/tun" dev="tmpfs" ino=20564 scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
  type=1400 audit(): avc: denied { ioctl } for comm="Binder:820_4" path="/dev/tun" dev="tmpfs" ino=20564 ioctlcmd=0x54ca scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
  type=1400 audit(): avc: denied { create } for comm="Binder:820_4" scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=tun_socket

Test: built/installed on crosshatch with netd->clatd tunfd passing and observed no selinux denials
Bug: 65674744
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ib501c755e11ec8a3a22c8aa333b5af7ec0bff306
Merged-In: Ib501c755e11ec8a3a22c8aa333b5af7ec0bff306
(cherry picked from commit 6450e0038b)
2019-05-07 10:29:15 +00:00
..
adbd.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
apexd.te Sepolicy: Allow crash_dump to ptrace apexd in userdebug 2019-03-05 09:59:50 -08:00
app.te Allow bootstrap bionic only to init, ueventd, and apexd 2019-04-11 13:04:19 +09:00
app_zygote.te Properly Treble-ize tmpfs access 2019-01-26 17:30:41 +00:00
asan_extract.te Sync internal master and AOSP sepolicy. 2017-09-26 14:38:47 -07:00
ashmemd.te sepolicy for ashmemd 2019-02-05 21:38:14 +00:00
attributes Treble-ize sepolicy for fwk HIDL services. 2019-04-22 17:07:06 -07:00
audioserver.te Properly Treble-ize tmpfs access 2019-01-26 17:30:41 +00:00
blkid.te Move blkid policy to private 2017-02-07 23:57:53 +00:00
blkid_untrusted.te Move blkid policy to private 2017-02-07 23:57:53 +00:00
bluetooth.te Remove unused *_tmpfs types 2019-01-30 21:54:40 +00:00
bootanim.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
bootstat.te Allow zygote to write to statsd and refactor 2018-10-08 13:48:28 -07:00
bufferhubd.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
camera_service_server.te Abstract use of cameraserver behind an attribute 2019-03-01 14:02:59 -08:00
cameraserver.te Abstract use of cameraserver behind an attribute 2019-03-01 14:02:59 -08:00
charger.te Move /sbin/charger to /system/bin/charger. 2019-03-14 09:44:03 -07:00
clatd.te Clatd: allow clatd use ioctl 2018-11-06 14:22:56 +09:00
crash_dump.te crash_dump: suppress denials on properties 2019-02-07 08:45:15 -08:00
device.te Add sepolicy for installing GSIs to external storage. 2019-03-27 17:12:51 -07:00
dhcp.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
display_service_server.te Add fwk_display_hwservice. 2017-05-17 11:00:28 -07:00
dnsmasq.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
domain.te Allow execmod for apps with targetSdkVersion=26-28 2019-04-02 13:07:27 -07:00
drmserver.te Remove coredomain /dev access no longer needed after Treble 2018-11-29 04:56:18 +00:00
dumpstate.te Merge "Allow signals to power/thermal HAL from dumpstate" into qt-dev 2019-04-24 20:18:26 +00:00
e2fs.te Allow e2fs more ioctls to device-mapper devices. 2019-02-05 18:05:50 -08:00
ephemeral_app.te Remove unused *_tmpfs types 2019-01-30 21:54:40 +00:00
fastbootd.te super_block_device -> super_block_device_type 2019-03-28 18:08:19 +00:00
file.te Allow bootstrap bionic only to init, ueventd, and apexd 2019-04-11 13:04:19 +09:00
fingerprintd.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
flags_health_check.te Fix typo in file name. 2019-02-14 16:09:44 +00:00
fsck.te fs_mgr: overlayfs support legacy devices (marlin) Part Deux 2019-02-15 15:56:16 +00:00
fsck_untrusted.te Sync internal master and AOSP sepolicy. 2017-09-27 18:55:47 -07:00
fwk_bufferhub.te Allow app to conntect to BufferHub service 2019-01-14 10:49:35 -08:00
gatekeeperd.te Allow gatekeeperd to read ro.gsid.image_running. 2019-02-19 21:08:22 +00:00
global_macros rs: add tests to ensure rs cannot abuse app data 2019-01-17 15:24:34 -08:00
gpuservice.te Game Driver: sepolicy update for plumbing GpuStats into GpuService 2019-02-08 18:15:17 -08:00
hal_allocator.te same_process_hal_file: access to individual coredomains 2018-10-26 18:03:01 +00:00
hal_atrace.te Add atrace HAL 1.0 sepolicy 2018-09-27 23:18:29 +00:00
hal_audio.te Add rules for accessing the related bluetooth_audio_hal_prop 2019-03-20 03:12:25 +00:00
hal_audiocontrol.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_authsecret.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_bluetooth.te Add rules for accessing the related bluetooth_audio_hal_prop 2019-03-20 03:12:25 +00:00
hal_bootctl.te add hal_bootctl to white-list of sys_rawio 2019-02-13 12:38:22 +00:00
hal_broadcastradio.te Allow radio server to client binder callback 2019-03-29 15:22:16 -07:00
hal_camera.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_cas.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_configstore.te Allow heap profiling everything except TCB on userdebug. 2018-11-28 22:01:58 +00:00
hal_confirmationui.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_contexthub.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_drm.te More granular vendor access to /system files. 2018-09-20 03:07:50 +00:00
hal_dumpstate.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_evs.te Updates hal_evs sepolicy 2019-03-03 17:35:06 +00:00
hal_face.te Added placeholder SELinux policy for the biometric face HAL. 2018-12-28 12:23:56 -08:00
hal_fingerprint.te Revert "Add placeholder iris and face policy for vold data directory" 2018-11-19 15:00:19 -08:00
hal_gatekeeper.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_gnss.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_graphics_allocator.te same_process_hal_file: access to individual coredomains 2018-10-26 18:03:01 +00:00
hal_graphics_composer.te Initial selinux policy support for memfd 2019-01-30 19:11:49 +00:00
hal_health.te Allow to getattr kmsg_device 2019-03-25 10:14:20 -07:00
hal_health_storage.te health.filesystem HAL renamed to health.storage 2018-09-20 04:12:45 +00:00
hal_input_classifier.te Permissions for InputClassifier HAL 2019-01-11 02:08:19 +00:00
hal_ir.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_keymaster.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_light.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_lowpan.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_memtrack.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_neuralnetworks.te Allow NNAPI HAL services access model files provided by privapp. 2019-04-24 21:14:32 -07:00
hal_neverallows.te Allow to use sockets from hal server for auto 2018-05-15 14:38:00 -07:00
hal_nfc.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_oemlock.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_omx.te add mediaswcodec service 2018-10-11 15:10:17 -07:00
hal_power.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_power_stats.te Add power.stats HAL 1.0 sepolicy 2018-12-11 00:11:08 +00:00
hal_secure_element.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_sensors.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_telephony.te Remove sepolicy for /dev/alarm. 2018-12-06 04:23:22 +00:00
hal_tetheroffload.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_thermal.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_tv_cec.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_tv_input.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_usb.te Allow hal_usb to call getsockopt on uevent socket 2018-12-03 18:37:25 +00:00
hal_usb_gadget.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_vehicle.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_vibrator.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_vr.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_weaver.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_wifi.te Allow dumpstate to dump wlan hal log on userbuild 2019-03-21 12:27:44 +08:00
hal_wifi_hostapd.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_wifi_offload.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
hal_wifi_supplicant.te hal_attribute_hwservice_client drop '_client' 2018-06-06 09:30:18 -07:00
healthd.te Hide denial seen during boot. 2019-02-06 12:49:26 -08:00
heapprofd.te Add userdebug selinux config for heapprofd. 2018-11-14 09:22:07 +00:00
hwservice.te Add selinux rules for HIDL ICameraServer. 2019-03-01 14:01:07 -08:00
hwservicemanager.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
idmap.te DO NOT MERGE: Allow idmap1 to read vmdl*.tmp APK install files 2019-04-25 11:05:07 +00:00
incident.te Add incident command and incidentd daemon se policy. 2017-02-07 15:52:07 -08:00
incident_helper.te Selinux permissions for incidentd project 2018-01-23 19:08:49 +00:00
incidentd.te Add incident command and incidentd daemon se policy. 2017-02-07 15:52:07 -08:00
init.te Merge "Allow psi monitor users to setched kernel threads" into qt-dev 2019-05-02 14:48:56 +00:00
inputflinger.te SEPolicy for InputFlinger Service. 2018-11-16 21:52:01 +00:00
install_recovery.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
installd.te Allow installd to scan JARs in /vendor/framework. 2019-02-27 20:23:24 +00:00
ioctl_defines Allow fs-verity setup within system_server 2019-01-11 12:21:59 -08:00
ioctl_macros more ioctl work 2018-10-17 11:12:18 -07:00
iorapd.te iorapd: add tmpfs type 2019-01-26 12:55:13 -08:00
isolated_app.te Remove unused *_tmpfs types 2019-01-30 21:54:40 +00:00
kernel.te Sepolicy: Move otapreopt_chroot to private 2019-03-18 10:54:42 -07:00
keystore.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
llkd.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
lmkd.te Allow lmkd to setched kernel threads 2019-03-20 23:06:32 +00:00
logd.te Relabel /data/system/packages.list to new type. 2019-03-28 10:27:43 +00:00
logpersist.te Start partitioning off privapp_data_file from app_data_file 2018-08-02 16:29:02 -07:00
mdnsd.te Move mdnsd policy to private 2017-02-06 15:02:32 -08:00
mediadrmserver.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
mediaextractor.te SEPolicy updates for adding native flag namespace(media). 2019-01-31 10:06:32 -08:00
mediametrics.te Allow mediametrics to log records to statsd 2019-02-25 20:09:54 -08:00
mediaprovider.te Remove unused *_tmpfs types 2019-01-30 21:54:40 +00:00
mediaserver.te Allow mediaserver to find "audio" service 2019-04-23 09:49:33 -07:00
mediaswcodec.te SEPolicy updates for adding native flag namespace(media). 2019-01-31 10:06:32 -08:00
modprobe.te modprobe: shouldn't load kernel modules from /system 2018-03-23 14:16:25 -07:00
mtp.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
net.te netdomain: allow node_bind for ping sockets 2019-01-14 16:59:03 +00:00
netd.te selinux - allow netd to create tun device and pass it in via open fd across execve to clatd cli 2019-05-07 10:29:15 +00:00
netutils_wrapper.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
network_stack.te Remove unused *_tmpfs types 2019-01-30 21:54:40 +00:00
neverallow_macros Ban socket connections between core and vendor 2017-03-27 08:49:13 -07:00
nfc.te Remove unused *_tmpfs types 2019-01-30 21:54:40 +00:00
perfetto.te Allow to signal perfetto from shell. 2018-12-13 10:46:42 +00:00
performanced.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
perfprofd.te same_process_hal_file: access to individual coredomains 2018-10-26 18:03:01 +00:00
platform_app.te Remove unused *_tmpfs types 2019-01-30 21:54:40 +00:00
postinstall.te Allow postinstall scripts to trigger F2FS GC 2019-02-20 22:40:53 +00:00
ppp.te ppp: support using pppox_socket family 2019-05-06 14:11:02 -07:00
priv_app.te Remove unused *_tmpfs types 2019-01-30 21:54:40 +00:00
profman.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
property.te Sepolicy: add dynamic_system_prop 2019-04-30 05:36:19 +00:00
property_contexts Make new vendor properties settable by vendor_init 2019-04-29 15:35:09 +01:00
racoon.te racoon: allow ioctl TUNSETIFF 2018-11-15 10:32:45 -08:00
radio.te Radio: allow to read kernel command line. 2019-02-12 23:36:51 +00:00
recovery.te recovery: Address the ioctl denials during wiping. 2019-01-15 16:08:09 -08:00
recovery_persist.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
recovery_refresh.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
roles
rs.te sepolicy: Add "rs" and "rs_exec" to public policy 2018-12-21 17:47:54 +00:00
rss_hwm_reset.te SELinux policy for rss_hwm_reset 2018-12-15 10:13:03 +00:00
runas.te Relabel /data/system/packages.list to new type. 2019-03-28 10:27:43 +00:00
runas_app.te Remove unused *_tmpfs types 2019-01-30 21:54:40 +00:00
scheduler_service_server.te Treble-ize sepolicy for fwk HIDL services. 2019-04-22 17:07:06 -07:00
sdcardd.te Relabel /data/system/packages.list to new type. 2019-03-28 10:27:43 +00:00
secure_element.te Remove unused *_tmpfs types 2019-01-30 21:54:40 +00:00
sensor_service_server.te Treble-ize sepolicy for fwk HIDL services. 2019-04-22 17:07:06 -07:00
service.te Merge "revert ipmemorystore selinux policy." am: f99aa3cb66 am: a2d7ab7f4b 2019-04-01 21:19:40 -07:00
servicemanager.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
sgdisk.te sgdisk: allow BLKRRPART 2018-11-02 14:26:23 -07:00
shared_relro.te Remove unused *_tmpfs types 2019-01-30 21:54:40 +00:00
shell.te Sepolicy: add dynamic_system_prop 2019-04-30 05:36:19 +00:00
simpleperf_app_runner.te Relabel /data/system/packages.list to new type. 2019-03-28 10:27:43 +00:00
slideshow.te sepolicy: Add rules for non-init namespaces 2017-11-21 08:34:32 -07:00
stats_service_server.te Treble-ize sepolicy for fwk HIDL services. 2019-04-22 17:07:06 -07:00
statsd.te Treble-ize sepolicy for fwk HIDL services. 2019-04-22 17:07:06 -07:00
su.te Decouple system_suspend from hal attributes. 2019-02-26 18:10:28 -08:00
surfaceflinger.te Initial selinux policy support for memfd 2019-01-30 19:11:49 +00:00
swcodec_service_server.te add mediaswcodec service 2018-10-11 15:10:17 -07:00
system_app.te Remove unused *_tmpfs types 2019-01-30 21:54:40 +00:00
system_server.te Initial selinux policy support for memfd 2019-01-30 19:11:49 +00:00
system_suspend_server.te Decouple system_suspend from hal attributes. 2019-02-26 18:10:28 -08:00
te_macros Allow profilable domains to use heapprofd fd and tmpfs. 2019-03-04 12:05:35 +00:00
tee.te Revert "Add placeholder iris and face policy for vold data directory" 2018-11-19 15:00:19 -08:00
tombstoned.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
toolbox.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
traced.te Allow iorapd to access perfetto 2019-01-23 22:43:47 +00:00
traced_probes.te Make traced_probes mlstrustedsubject. 2018-04-17 18:12:28 +00:00
traceur_app.te Add selinux rule to allow Traceur to enable the traced daemon. 2019-04-25 23:59:06 -07:00
tzdatacheck.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
ueventd.te Allow bootstrap bionic only to init, ueventd, and apexd 2019-04-11 13:04:19 +09:00
uncrypt.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
untrusted_app.te Remove unused *_tmpfs types 2019-01-30 21:54:40 +00:00
update_engine.te Allow to getattr kmsg_device 2019-03-25 10:14:20 -07:00
update_engine_common.te super_block_device -> super_block_device_type 2019-03-28 18:08:19 +00:00
update_verifier.te Allow to getattr kmsg_device 2019-03-25 10:14:20 -07:00
usbd.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
vdc.te Allow to getattr kmsg_device 2019-03-25 10:14:20 -07:00
vendor_init.te Allow bootstrap bionic only to init, ueventd, and apexd 2019-04-11 13:04:19 +09:00
vendor_shell.te Allow shell to start vendor shell 2018-01-16 18:28:51 +00:00
vendor_toolbox.te Allow init to run vendor toybox for modprobe 2017-05-24 15:01:20 -07:00
virtual_touchpad.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
vndservice.te Add default label and mapping for vendor services 2017-04-28 14:56:57 -07:00
vndservicemanager.te Initial sepolicy for vndservicemanager. 2017-03-23 00:20:43 +00:00
vold.te sepolicy: add sepolicy rules for vold to write sysfs gc_urgent 2019-03-24 13:19:46 +08:00
vold_prepare_subdirs.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
vr_hwc.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
watchdogd.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
webview_zygote.te Properly Treble-ize tmpfs access 2019-01-26 17:30:41 +00:00
wificond.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
wpantund.te Introduce system_file_type 2018-09-27 12:52:09 -07:00
zygote.te Properly Treble-ize tmpfs access 2019-01-26 17:30:41 +00:00