Commits · 0e479700b51943684017e8dca06b031f779eb109 · Werner Sembach / AndroidSystemSEPolicy

Jul 05, 2017
- Revert "allow recovery to run mke2fs tools" · 0e479700
  Jin Qian authored 7 years ago
  
  This reverts commit 7e577318.
  0e479700
Jun 26, 2017
- Merge "Update sepolicy 26.0 prebuilts again, again." · 518d138c
  TreeHugger Robot authored 7 years ago
  
  518d138c
- Merge "Let vold execute mke2fs." · e2e3c978
  Jeff Sharkey authored 7 years ago
  
  e2e3c978
Jun 23, 2017

Jeff Sharkey authored 7 years ago

When adopting SD cards, vold partitions and formats those devices;
this had been working fine with the older make_ext4fs utility, but
newer devices are switching over to mke2fs, which has a different
SELinux label.

avc: denied { execute } for name="mke2fs" dev="dm-0" ino=456 scontext=u:r:vold:s0 tcontext=u:object_r:e2fs_exec:s0 tclass=file permissive=1
avc: denied { read open } for path="/system/bin/mke2fs" dev="dm-0" ino=456 scontext=u:r:vold:s0 tcontext=u:object_r:e2fs_exec:s0 tclass=file permissive=1
avc: denied { execute_no_trans } for path="/system/bin/mke2fs" dev="dm-0" ino=456 scontext=u:r:vold:s0 tcontext=u:object_r:e2fs_exec:s0 tclass=file permissive=1
avc: denied { getattr } for path="/system/bin/mke2fs" dev="dm-0" ino=456 scontext=u:r:vold:s0 tcontext=u:object_r:e2fs_exec:s0 tclass=file permissive=1

Test: cts-tradefed run commandAndExit cts-dev --abi armeabi-v7a -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 36757864, 37436961
Change-Id: Ifb96dfca076ea58650eb32f89e850f20ae2ac102

5b2b0472

Merge "system_server is a client of configstore" into oc-dr1-dev am: 25578a30 · b1948add
Jeff Vander Stoep authored 7 years ago
```
am: 0d8b9830

Change-Id: I55cbe59bf1be98555ea2a13e42c949477761e1da
```
b1948add
Merge "system_server is a client of configstore" into oc-dr1-dev · 0d8b9830
Jeff Vander Stoep authored 7 years ago
```
am: 25578a30

Change-Id: I1d49bdbd662e4037843a2c6af4954a4a926c8543
```
0d8b9830
Merge "system_server is a client of configstore" into oc-dr1-dev · 25578a30
TreeHugger Robot authored 7 years ago

25578a30

system_server is a client of configstore · 23e0a7f2

Jeff Vander Stoep authored 7 years ago

avc:  denied  { find } for
interface=android.hardware.configstore::ISurfaceFlingerConfigs
scontext=u:r:system_server:s0
tcontext=u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
tclass=hwservice_manager permissive=0

Bug: 35197529
Test: Device boots without this denial
Change-Id: Ia43bc5879e03a1f2056e373b17cc6533636f98b1

23e0a7f2

Jun 22, 2017
- Merge "Add SEPolicy for new Java-based Broadcast Radio service." · b8874e8c
  Tomasz Wasilczyk authored 7 years ago
  
  b8874e8c
- Merge "Fix SELinux "could not set" errors." · 91e166bb
  TreeHugger Robot authored 7 years ago
  
  91e166bb
- Merge "Add rules for vfat for sdcardfs" am: b9bba83a am: f26d79c5 am: 4e65fed1 · a1d4d05d
  Daniel Rosenberg authored 7 years ago
  
  am: 3f7f66b0 Change-Id: I3fc0cac7fdeab40bfa61f465a6d01d1d8c0c8d01
  a1d4d05d
- Update sepolicy 26.0 prebuilts again, again. · 55c77504
  Dan Cashman authored 7 years ago
  
  Bug: 37896931 Test: none, just prebuilt update. Change-Id: I55b5179f98703026699a59cce4b2e1afb166fd1d
  55c77504
- Merge "Add rules for vfat for sdcardfs" am: b9bba83a am: f26d79c5 · 3f7f66b0
  Daniel Rosenberg authored 7 years ago
  
  am: 4e65fed1 Change-Id: I9fd1ef32fde011d00e96555501f7665baf99fc26
  3f7f66b0
- Merge "Add rules for vfat for sdcardfs" am: b9bba83a · 4e65fed1
  Daniel Rosenberg authored 7 years ago
  
  am: f26d79c5 Change-Id: I0c1a79082955faeebe8cf70bb408928479117aad
  4e65fed1
- Merge "Add rules for vfat for sdcardfs" · f26d79c5
  Daniel Rosenberg authored 7 years ago
  
  am: b9bba83a Change-Id: I2fb029b770d53bacbe8dd11a69cee5e70b6ef2e9
  f26d79c5
- Merge "Add rules for vfat for sdcardfs" · b9bba83a
  Treehugger Robot authored 7 years ago
  
  b9bba83a
- Fix SELinux "could not set" errors. · ec22dad6
  Joel Galenson authored 7 years ago
  
  A previous commit reverted us back to using file_contexts instead of genfs_contexts but did not remove the new genfs_contexts rules, which caused this problem. Bug: 62901680 Test: Verified that the errors do not apepar and that wifi and traceur work. Change-Id: Ic0078dc3a2a9d3d35a10599239fdf9fa478f1e2b
  ec22dad6
- Merge "Revert "Remove neverallow preventing hwservice access for apps."" · 1b5504b2
  TreeHugger Robot authored 7 years ago
  
  1b5504b2
- Merge "Add sepolicy for hal_wifi to access /proc/modules" am: 6acd70b9 am:... · f707bda8
  Tomonori Nanbu authored 7 years ago
  
  Merge "Add sepolicy for hal_wifi to access /proc/modules" am: 6acd70b9 am: ded0b58d am: 9d86e622 am: b9621bba Change-Id: I001be0f05e59e55dcedb159ec86a5bf386fa89c7
  f707bda8
- Merge "Add sepolicy for hal_wifi to access /proc/modules" am: 6acd70b9 am: ded0b58d · b9621bba
  Tomonori Nanbu authored 7 years ago
  
  am: 9d86e622 Change-Id: Ib83f52f4dae096d42dedf17898cf20d8c3923f2e
  b9621bba
- Merge "Add sepolicy for hal_wifi to access /proc/modules" am: 6acd70b9 · 9d86e622
  Tomonori Nanbu authored 7 years ago
  
  am: ded0b58d Change-Id: I574e60486bb12214e33a8e9aabf7794d4ebc0b1a
  9d86e622
- Merge "Add sepolicy for hal_wifi to access /proc/modules" · ded0b58d
  Tomonori Nanbu authored 7 years ago
  
  am: 6acd70b9 Change-Id: Ia4a4ffdf43cb1641785e18f9aad7ca96b5d45ab9
  ded0b58d
- Merge "Add sepolicy for hal_wifi to access /proc/modules" · 6acd70b9
  Treehugger Robot authored 7 years ago
  
  6acd70b9
- Add SEPolicy for new Java-based Broadcast Radio service. · 38f0928f
  Tomasz Wasilczyk authored 7 years ago
  
  Bug: b/36863239 Test: manual Change-Id: I7e929926efbb1570ea9723ef3810a511c71dc11a
  38f0928f
- Merge "Revert "Annotate rild with socket_between_core_and_vendor_violators""... · 0d477e3d
  Sandeep Patil authored 7 years ago
  
  Merge "Revert "Annotate rild with socket_between_core_and_vendor_violators"" into oc-dev am: 0e0ed156 am: 65ffb065 am: bc6271bc Change-Id: I2915ce7ffa3f11d07c26a32b2d9b2d463a3c21f4
  0d477e3d
- Merge "Revert "Annotate rild with socket_between_core_and_vendor_violators""... · 63475b08
  Sandeep Patil authored 7 years ago
  
  Merge "Revert "Annotate rild with socket_between_core_and_vendor_violators"" into oc-dev am: 0e0ed156 am: ed27bec5 am: 9f5801de Change-Id: I5861f5464762ddea8c6a39cb3968d73017d9767d
  63475b08
- Merge "Revert "Annotate rild with socket_between_core_and_vendor_violators""... · bc6271bc
  Sandeep Patil authored 7 years ago
  
  Merge "Revert "Annotate rild with socket_between_core_and_vendor_violators"" into oc-dev am: 0e0ed156 am: 65ffb065 Change-Id: I4b3f0207400200d19f8e055ec35d518f0951d235
  bc6271bc
- Merge "Revert "Annotate rild with socket_between_core_and_vendor_violators""... · 9f5801de
  Sandeep Patil authored 7 years ago
  
  Merge "Revert "Annotate rild with socket_between_core_and_vendor_violators"" into oc-dev am: 0e0ed156 am: ed27bec5 Change-Id: Idac884677a3304144801a4929651c1ba1199a8b8
  9f5801de
- Merge "Revert "Annotate rild with socket_between_core_and_vendor_violators"" into oc-dev · ed27bec5
  Sandeep Patil authored 7 years ago
  
  am: 0e0ed156 Change-Id: I8ec0c46355507e8c1a7d10c53805eb350ebbe6a5
  ed27bec5
- Merge "Revert "Annotate rild with socket_between_core_and_vendor_violators"" into oc-dev · 65ffb065
  Sandeep Patil authored 7 years ago
  
  am: 0e0ed156 Change-Id: Ic73d84dacc95d5b902dc6c9530b98e53d71574f1
  65ffb065
- Merge "Revert "Annotate rild with socket_between_core_and_vendor_violators"" into oc-dev · 0e0ed156
  TreeHugger Robot authored 7 years ago
  
  0e0ed156
- Add rules for vfat for sdcardfs · 8a65aeca
  Daniel Rosenberg authored 7 years ago
  
  This adds parellel rules to the ones added for media_rw_data_file to allow apps to access vfat under sdcardfs. This should be reverted if sdcardfs is modified to alter the secontext it used for access to the lower filesystem Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65 Bug: 62584229 Test: Run android.appsecurity.cts.ExternalStorageHostTest with an external card formated as vfat Signed-off-by: Daniel Rosenberg <drosen@google.com>
  8a65aeca
Jun 21, 2017
- Revert "Remove neverallow preventing hwservice access for apps." · ceed7204
  Dan Cashman authored 7 years ago
  
  This reverts commit 3e307a4d. Test: Builds - neverallow change only. Bug: 62806062 Change-Id: Id3aa1b425cf48fc8586890c9850a74594584922d
  ceed7204
- Merge "Exempt tetheroffload hal from network socket restrictions" into oc-dev... · 8bc3ab47
  Jeff Vander Stoep authored 7 years ago
  
  Merge "Exempt tetheroffload hal from network socket restrictions" into oc-dev am: 6351c374 am: 319d7099 am: b24567f4 Change-Id: Ib51077433505dfb09c9a4519235ab3b51f22d149
  8bc3ab47
- Merge "Exempt tetheroffload hal from network socket restrictions" into oc-dev... · fa50e80b
  Jeff Vander Stoep authored 7 years ago
  
  Merge "Exempt tetheroffload hal from network socket restrictions" into oc-dev am: 6351c374 am: d9301ac6 am: aae5c4c8 Change-Id: Id94e113b5a5621b39420294eec1e7fd9e1bc1c42
  fa50e80b
- Merge "Exempt tetheroffload hal from network socket restrictions" into oc-dev am: 6351c374 · b24567f4
  Jeff Vander Stoep authored 7 years ago
  
  am: 319d7099 Change-Id: Ifcb3c7111dbb840041d1244caa6afebfbeb1cde7
  b24567f4
- Merge "Exempt tetheroffload hal from network socket restrictions" into oc-dev am: 6351c374 · aae5c4c8
  Jeff Vander Stoep authored 7 years ago
  
  am: d9301ac6 Change-Id: I4b272a59a7e48e1f0f15ddd1acb7e8f6b836ca40
  aae5c4c8
- Merge "Exempt tetheroffload hal from network socket restrictions" into oc-dev · d9301ac6
  Jeff Vander Stoep authored 7 years ago
  
  am: 6351c374 Change-Id: I6e661aa37702c36e9003dcf41dbed4b754122c87
  d9301ac6
- Merge "Exempt tetheroffload hal from network socket restrictions" into oc-dev · 319d7099
  Jeff Vander Stoep authored 7 years ago
  
  am: 6351c374 Change-Id: I16cbe7b654532367829a0df2dcfa929c38e547fd
  319d7099
- Merge "Exempt tetheroffload hal from network socket restrictions" into oc-dev · 6351c374
  TreeHugger Robot authored 7 years ago
  
  6351c374