platform_system_sepolicy/public
Tom Cherry d5f0aba025 Add getpgid to system_service and init
In libprocessgroup, we want to only send signals once to processes,
particularly for SIGTERM.  We must send the signal both to all
processes within a POSIX process group and a cgroup.  To ensure that
we do not duplicate the signals being sent, we check the processes in
the cgroup to see if they're in the POSIX process groups that we're
killing.  If they are, we skip sending a second signal.  This requires
getpgid permissions, hence this SELinux change.

avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1

Bug: 37853905
Bug: 62418791
Test: Boot, kill zygote, reboot
Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570
(cherry picked from commit c59eb4d853)
2017-06-19 11:26:48 -07:00
adbd.te
asan_extract.te Partially revert "Sepolicy: Give asan_extract access to powerctl" 2017-05-15 10:20:32 -07:00
attributes Force expand all hal_* attributes 2017-05-25 14:43:31 -07:00
audioserver.te
blkid.te
blkid_untrusted.te
bluetooth.te
bootanim.te Allow hals to read hwservicemanager prop. am: d3ce5dc38c am: d437f0e09d 2017-03-23 03:53:11 +00:00
bootstat.te
bufferhubd.te SELinux policies for PDX services 2017-05-15 10:07:05 -07:00
cameraserver.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
charger.te
clatd.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
cppreopts.te
crash_dump.te Revert "Add /dev/kmsg_debug." am: 9ac5d01faa am: 032c6d61a3 2017-05-26 15:26:49 +00:00
device.te Revert "Add /dev/kmsg_debug." 2017-05-26 00:32:07 +00:00
dex2oat.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
dhcp.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
display_service_server.te Add fwk_display_hwservice. 2017-05-17 11:00:28 -07:00
dnsmasq.te
domain.te Allow bootctl HAL to access misc block device. am: b0d59450ae 2017-06-01 18:59:29 +00:00
drmserver.te No access to tee domain over Unix domain sockets 2017-04-03 11:26:01 -07:00
dumpstate.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
e2fs.te allow init to run mke2fs tools to format partitions 2017-05-09 10:58:45 -07:00
ephemeral_app.te
file.te SEPolicy: Changes for new stack dumping scheme. 2017-05-31 10:01:48 +00:00
fingerprintd.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
fsck.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
fsck_untrusted.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
gatekeeperd.te Fix sepolicy for Gatekeeper HAL 2017-03-20 07:39:33 -07:00
global_macros
hal_allocator.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_audio.te hal_audio: Allow writing dump info into pipes when capturing BR am: 9686cbcdbf am: 4aac6fdbac 2017-05-08 18:38:52 +00:00
hal_bluetooth.te Grant CAP_SYS_NICE to processes that need it. 2017-05-09 09:53:46 -07:00
hal_bootctl.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_camera.te hal_camera: remove video_device restriction 2017-05-16 09:42:09 -07:00
hal_configstore.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_contexthub.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_drm.te Merge "Allow DRM hal to access fd allocated by mediaserver" into oc-dev 2017-04-25 23:54:48 +00:00
hal_dumpstate.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_fingerprint.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_gatekeeper.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_gnss.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_graphics_allocator.te Grant CAP_SYS_NICE to processes that need it. 2017-05-09 09:53:46 -07:00
hal_graphics_composer.te Fix graphics composer denial. 2017-05-19 14:14:35 -07:00
hal_health.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_ir.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_keymaster.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_light.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_memtrack.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_neverallows.te Removing UDP access for hal_gnss 2017-05-18 13:55:51 -07:00
hal_nfc.te Remove access to sock_file for hal_nfc 2017-04-27 09:05:27 -07:00
hal_oemlock.te Add missing sepolicies for OemLock HAL. 2017-05-31 15:22:05 +01:00
hal_power.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_sensors.te Grant CAP_SYS_NICE to processes that need it. 2017-05-09 09:53:46 -07:00
hal_telephony.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_tetheroffload.te SE Policy for Tether Offload HAL 2017-05-23 23:00:23 +00:00
hal_thermal.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_tv_cec.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_tv_input.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_usb.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_vibrator.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_vr.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_weaver.te Add missing sepolicies for the Weaver HAL. 2017-05-31 15:17:11 +01:00
hal_wifi.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hal_wifi_offload.te SE Policy for Wifi Offload HAL 2017-05-18 09:49:55 -07:00
hal_wifi_supplicant.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
healthd.te Restrict access to hwservicemanager 2017-04-21 09:54:53 -07:00
hwservice.te Merge "Add missing sepolicies for OemLock HAL." into oc-dev 2017-06-01 22:05:18 +00:00
hwservicemanager.te Add hwservice_contexts and support for querying it. 2017-04-12 18:07:12 -07:00
idmap.te sepolicy: restrict /vendor/overlay from most coredomains 2017-04-06 13:28:16 -07:00
incident.te
incidentd.te
init.te Add getpgid to system_service and init 2017-06-19 11:26:48 -07:00
inputflinger.te
install_recovery.te Fix build time warning 2017-04-21 09:42:50 -07:00
installd.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
ioctl_defines
ioctl_macros
isolated_app.te
kernel.te Revert "Split mediaprovider from priv_app." 2017-06-07 18:20:20 -07:00
keystore.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
lmkd.te
logd.te
logpersist.te
mdnsd.te
mediacodec.te SELinux policies for PDX services 2017-05-15 10:07:05 -07:00
mediadrmserver.te grant mediadrmserver permission to read dir from /system/* 2017-04-19 17:58:27 +00:00
mediaextractor.te MediaExtractor: Allow reading of app data files. 2017-05-24 14:18:38 -07:00
mediametrics.te allow media.metrics to write to file descriptor in /data 2017-04-04 10:30:50 -07:00
mediaserver.te Allow mediaserver to access fd allocated by hal_graphics_composer 2017-04-28 17:55:20 -07:00
modprobe.te Fix coredomain violation for modprobe 2017-06-05 08:09:18 -07:00
mtp.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
net.te
netd.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
netutils_wrapper.te add netutils_wrappers 2017-04-14 22:57:27 -07:00
neverallow_macros Ban socket connections between core and vendor 2017-03-27 08:49:13 -07:00
nfc.te Remove unnecessary rules from NFC HAL clients 2017-03-22 16:22:33 -07:00
otapreopt_chroot.te
otapreopt_slot.te Sepolicy: Give otapreopt_slot read on A/B artifact links 2017-04-07 20:19:41 -07:00
performanced.te SELinux policies for PDX services 2017-05-15 10:07:05 -07:00
perfprofd.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
platform_app.te
postinstall.te
postinstall_dexopt.te Sepolicy: Fix new access from the linker for postinstall 2017-04-28 17:34:41 -07:00
ppp.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
preopt2cachename.te
priv_app.te
profman.te Allow profman to analyze profiles for the secondary dex files 2017-03-15 18:47:13 -07:00
property.te Partially revert "Sepolicy: Give asan_extract access to powerctl" 2017-05-15 10:20:32 -07:00
racoon.te restore permissions to /vendor for non-treble devices 2017-04-14 10:01:14 -07:00
radio.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
recovery.te Update selinux policy for policyvers retrieval. 2017-05-25 16:30:21 -07:00
recovery_persist.te
recovery_refresh.te
rild.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
roles
runas.te Allow run-as to read/write unix_stream_sockets created by adbd. am: 1847a38b4a am: 2394619394 2017-06-06 23:35:04 +00:00
sdcardd.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
service.te DO NOT MERGE. Revert "Enable the TimeZoneManagerService" 2017-06-08 14:43:40 -07:00
servicemanager.te Assert ban on framework <-> vendor comms over VndBinder 2017-04-25 14:15:52 -07:00
sgdisk.te
shared_relro.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
shell.te Merge "Let shell and bugreport read logging related properties." into oc-dev 2017-04-21 18:20:36 +00:00
slideshow.te
su.te Make sure all public types are defined regardless of build variants 2017-04-21 12:34:12 -07:00
surfaceflinger.te
system_app.te
system_server.te
te_macros crash_dump_fallback: allow dumpstate:pipe_file write. am: 7aa085233a am: 7b19b08130 2017-06-06 00:43:51 +00:00
tee.te Move TEE rules to vendor image 2017-04-03 11:11:48 -07:00
tombstoned.te SEPolicy: Changes for new stack dumping scheme. 2017-05-31 10:01:48 +00:00
toolbox.te
tzdatacheck.te Allow the shell user to run tzdatacheck 2017-04-20 09:31:36 +00:00
ueventd.te Merge "Move domain_deprecated into private policy" into oc-dev am: 02a101a695 2017-05-16 21:49:16 +00:00
uncrypt.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
untrusted_app.te
untrusted_app_25.te untrusted_app: policy versioning based on targetSdkVersion 2017-02-14 13:30:12 -08:00
untrusted_v2_app.te Add new untrusted_v2_app domain 2017-02-21 12:39:55 -08:00
update_engine.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
update_engine_common.te Allow update_engine to kill postinstall process. 2017-03-22 21:01:08 -07:00
update_verifier.te Allow update_verifier to reboot the device 2017-04-04 21:07:48 +00:00
vdc.te Grant vdc access to kmsg 2017-03-31 20:48:36 +00:00
vendor_shell.te vendor_shell: add sepolicy for vendor shell 2017-04-14 09:38:51 -07:00
vendor_toolbox.te Allow init to run vendor toybox for modprobe 2017-05-24 15:01:20 -07:00
virtual_touchpad.te Allow vr_hwc and virtual_touchpad to query for permissions 2017-04-21 17:15:03 -04:00
vndservice.te Add default label and mapping for vendor services 2017-04-28 14:56:57 -07:00
vndservicemanager.te Initial sepolicy for vndservicemanager. 2017-03-23 00:20:43 +00:00
vold.te Move domain_deprecated into private policy 2017-05-15 13:37:59 -07:00
vr_hwc.te SELinux policies for PDX services 2017-05-10 16:39:19 -07:00
watchdogd.te
webview_zygote.te
wificond.te Allow wificond to find permission 2017-04-04 16:52:25 -07:00
zygote.te