Commits · 0b74305011e70bc58490720709e86aac6eb7700f · Werner Sembach / AndroidSystemSEPolicy

Apr 01, 2017

Andreas Gampe authored 8 years ago

Add selinux policies for init script and shell script to unzip a tar
containing ASAN libraries on boot.

Bug: 36458146
Test: m && m SANITIZE_TARGET=address
Test: manual (build steps for tar missing)
Change-Id: I5c3cb233aae93ee9985431090af902b0e3c1b0a7

0b743050

Mar 31, 2017
- Merge "Grant vdc access to kmsg" am: 6b92e26a am: 58cb5787 am: bb51a941 · 29cb3275
  Tom Cherry authored 7 years ago
  
  am: 3ccbea52 Change-Id: Ib402849b6efff93fd763d7b2bddf470c79067c47
  29cb3275
- Merge "Refactor sanitized library on-disk layout - SELinux." am: a2e9664c ... · 2d899372
  Vishwath Mohan authored 7 years ago
  
  Merge "Refactor sanitized library on-disk layout - SELinux." am: a2e9664c am: ebe26cbb am: ba0c430b am: 91b0903c Change-Id: I3315811aa97328a00ae123ac7ea9b454ebaa8ba6
  2d899372
- Merge "Further lock down access to services from ephemeral apps" into oc-dev am: 5af76fca · 1f73510d
  Chad Brubaker authored 7 years ago
  
  am: d14187d6 Change-Id: I16abf8a56c0a3e4dc0fe8a6bbd585286fa2b273e
  1f73510d
- Merge "Grant vdc access to kmsg" am: 6b92e26a am: 58cb5787 · 3ccbea52
  Tom Cherry authored 7 years ago
  
  am: bb51a941 Change-Id: Ibeacdffdbcd24e0a34617ef1f259764242db2d3e
  3ccbea52
- Merge "Refactor sanitized library on-disk layout - SELinux." am: a2e9664c am: ebe26cbb · 91b0903c
  Vishwath Mohan authored 7 years ago
  
  am: ba0c430b Change-Id: I81611c73460132d34d9bc4c30df6d99b3f0d97a4
  91b0903c
- Merge "Further lock down access to services from ephemeral apps" into oc-dev · d14187d6
  Chad Brubaker authored 7 years ago
  
  am: 5af76fca Change-Id: I705f9a6cc45c6c8829d148d2c2ba333ba23759ac
  d14187d6
- Merge "Grant vdc access to kmsg" am: 6b92e26a · bb51a941
  Tom Cherry authored 7 years ago
  
  am: 58cb5787 Change-Id: I219d6074cf3ff7253ef74ebc6d8aa5372d296243
  bb51a941
- Merge "Refactor sanitized library on-disk layout - SELinux." am: a2e9664c · ba0c430b
  Vishwath Mohan authored 7 years ago
  
  am: ebe26cbb Change-Id: If6ca7b2337a0b80b6fe2c0163e9a8bec2e7d6829
  ba0c430b
- Merge "Grant vdc access to kmsg" · 58cb5787
  Tom Cherry authored 7 years ago
  
  am: 6b92e26a Change-Id: Ie76aa1f95e72b6183c13be4f9dc86481a2d63077
  58cb5787
- Merge "Refactor sanitized library on-disk layout - SELinux." · ebe26cbb
  Vishwath Mohan authored 7 years ago
  
  am: a2e9664c Change-Id: I184d353b6ca0c8e5b712da11b4de777e04a5b79f
  ebe26cbb
- Merge "Grant vdc access to kmsg" · 6b92e26a
  Tom Cherry authored 7 years ago
  
  6b92e26a
- Merge "Further lock down access to services from ephemeral apps" into oc-dev · 5af76fca
  Chad Brubaker authored 7 years ago
  
  5af76fca
- Merge "Refactor sanitized library on-disk layout - SELinux." · a2e9664c
  Treehugger Robot authored 7 years ago
  
  a2e9664c
- Merge "Tighten restrictions on core <-> vendor socket comms" · 4862343a
  Alex Klyubin authored 7 years ago
  
  4862343a
- Merge "storaged: allow shell to call dumpsys storaged" am: eca32251 am: f81e48b6 am: fc8bbd7e · 9a92cf8c
  Jin Qian authored 7 years ago
  
  am: 7ba028a6 Change-Id: Ic545bb7a00acc0bf0b106ec67d05715f40e3bdd2
  9a92cf8c
- Merge "storaged: allow shell to call dumpsys storaged" am: eca32251 am: f81e48b6 · 7ba028a6
  Jin Qian authored 7 years ago
  
  am: fc8bbd7e Change-Id: I1f7323f857093bc793bd03f956c64626170e503f
  7ba028a6
- Merge "storaged: allow shell to call dumpsys storaged" am: eca32251 · fc8bbd7e
  Jin Qian authored 7 years ago
  
  am: f81e48b6 Change-Id: Ied9a916f080a85d41165cb9e427ad8e696e695ed
  fc8bbd7e
- Merge "storaged: allow shell to call dumpsys storaged" · f81e48b6
  Jin Qian authored 7 years ago
  
  am: eca32251 Change-Id: I22930eb5a18047b235b6d1028a3fc49e5a6b0989
  f81e48b6
- Merge "storaged: allow shell to call dumpsys storaged" · eca32251
  Treehugger Robot authored 7 years ago
  
  eca32251
- Tighten restrictions on core <-> vendor socket comms · cf2ffdf0
  Alex Klyubin authored 7 years ago
  
  This futher restricts neverallows for sockets which may be exposed as filesystem nodes. This is achieved by labelling all such sockets created by core/non-vendor domains using the new coredomain_socket attribute, and then adding neverallow rules targeting that attribute. This has now effect on what domains are permitted to do. This only changes neverallow rules. Test: mmm system/sepolicy Bug: 36577153 Change-Id: I633163cf67d60677c4725b754e01097dd5790aed
  cf2ffdf0
Mar 30, 2017
- Merge "update sepolicy for gralloc HAL" into oc-dev am: ea0a3027 · 6953b867
  Mathias Agopian authored 7 years ago
  
  am: 1eb656f0 Change-Id: I88aa508e35a59924715acb6d77e37344e41b55fe
  6953b867
- Merge "update sepolicy for gralloc HAL" into oc-dev · 1eb656f0
  Mathias Agopian authored 7 years ago
  
  am: ea0a3027 Change-Id: I20ec1ec4f217d3c6622f5bc263c268ba343bf493
  1eb656f0
- Merge "update sepolicy for gralloc HAL" into oc-dev · ea0a3027
  TreeHugger Robot authored 7 years ago
  
  ea0a3027
- Further lock down access to services from ephemeral apps · 7d01a99a
  Chad Brubaker authored 7 years ago
  
  This removes access to * contexthub_service * device_policy_service * ethernet_service * fingerprint_service * shortcut_service * trust_service * usb_service Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.EphemeralTest Bug: 33349998 Change-Id: Iad9302041d7674ae6ebeb1c559c64d13df62c304
  7d01a99a
- storaged: allow shell to call dumpsys storaged · af3eaf0d
  Jin Qian authored 8 years ago
  
  Test: adb kill-server && adb shell dumpsys storaged Bug: 36492915 Change-Id: I3a1a2ad2f016ddd5770d585cae82c8be69001df9
  af3eaf0d
- Merge "runas: Grant access to seapp_contexts_file" into oc-dev am: f4739f40 · 00da0661
  Jeff Vander Stoep authored 7 years ago
  
  am: e777112e Change-Id: I893aff73fa2beb83bee0e17aec849ac49d03c639
  00da0661
- Merge "runas: Grant access to seapp_contexts_file" into oc-dev · e777112e
  Jeff Vander Stoep authored 7 years ago
  
  am: f4739f40 Change-Id: Ie07e3ababe6836f6b5c2522c3a3255367d01b662
  e777112e
- Merge "runas: Grant access to seapp_contexts_file" into oc-dev · f4739f40
  TreeHugger Robot authored 7 years ago
  
  f4739f40
- Merge "Further restrict access to Binder services from vendor" into oc-dev am: b5081ea0 · 770e6b7c
  Alex Klyubin authored 7 years ago
  
  am: ff61a10c Change-Id: Ie0c415ee9e79628f0048ff30d0daffbd89420f74
  770e6b7c
- Merge "Further restrict access to Binder services from vendor" into oc-dev · ff61a10c
  Alex Klyubin authored 7 years ago
  
  am: b5081ea0 Change-Id: I3decd5c29ee797486d563393212cfc09666b77e1
  ff61a10c
- Merge "Further restrict access to Binder services from vendor" into oc-dev · b5081ea0
  TreeHugger Robot authored 7 years ago
  
  b5081ea0
- update sepolicy for gralloc HAL · 9901ff7c
  Mathias Agopian authored 7 years ago
  
  the list to update was determined by looking at who currently has access to surfaceflinger for ipc and FD use. Test: try some media stuff Bug: 36333314 Change-Id: I474d0c44f8cb3868aad7a64e5a3640cf212d264d
  9901ff7c
- Disallow HAL access to Bluetooth data files am: 02d9d21d am: 6f700ae5 am: a21b3b19 · 9994cb58
  Myles Watson authored 7 years ago
  
  am: 8f288f56 Change-Id: Ic1ff068363790a030eb15776fda5b32704b9a465
  9994cb58
- runas: Grant access to seapp_contexts_file · 7d6185fe
  Jeff Vander Stoep authored 7 years ago
  
  Runas/libselinux needs access to seapp_contexts_file to determine transitions into app domains. Addresses: avc: denied { read } for pid=7154 comm="run-as" name="plat_seapp_contexts" dev="rootfs" ino=9827 scontext=u:r:runas:s0 tcontext=u:object_r:seapp_contexts_file:s0 tclass=file Bug: 36782586 Test: Marlin policy builds Change-Id: I0f0e937e56721d458e250d48ce62f80e3694900f
  7d6185fe
- Disallow HAL access to Bluetooth data files am: 02d9d21d am: 6f700ae5 · 8f288f56
  Myles Watson authored 7 years ago
  
  am: a21b3b19 Change-Id: I3e0bb56e66f2e4dc2ac04288e96c79070a710490
  8f288f56
- Disallow HAL access to Bluetooth data files am: 02d9d21d · a21b3b19
  Myles Watson authored 7 years ago
  
  am: 6f700ae5 Change-Id: I6d58dcfa6037dc916d9ab5b995d2132e559783e1
  a21b3b19
- Disallow HAL access to Bluetooth data files · 6f700ae5
  Myles Watson authored 7 years ago
  
  am: 02d9d21d Change-Id: I29861f9cc52001f2968c2313f48031dd01afe8c7
  6f700ae5
- Merge "Disallow HAL access to Bluetooth data files" into oc-dev am: ef2057a6 · 0630c450
  Myles Watson authored 7 years ago
  
  am: 52ae8351 Change-Id: I7a84acb504ffb803e3e782d0c5b2d4daf7565e8f
  0630c450
- Merge "Disallow HAL access to Bluetooth data files" into oc-dev · 52ae8351
  Myles Watson authored 7 years ago
  
  am: ef2057a6 Change-Id: I1c706c034571de2470fdb4458ab7c1ea43e4f52e
  52ae8351