Commits · 143e9655ee000c13d9fea0abbb2aca4f88eb9b15 · Werner Sembach / AndroidSystemSEPolicy

Sep 26, 2017
- Merge "RESTRICT AUTOMERGE: lowpan: Add neverallow rule for lowpan_device" into oc-mr1-iot-dev · 143e9655
  TreeHugger Robot authored 7 years ago
  
  143e9655
- Preserve hal_cas_server attribute · 08928d51
  Jeff Vander Stoep authored 7 years ago
  
  am: 6b8088ba Change-Id: Id33c3e7f23b84fa10bad8c2ee7bf7c44265acc25
  08928d51
Sep 25, 2017

Preserve hal_cas_server attribute · 6b8088ba

It's used in CTS neverallow tests.

Addresses:
Warning!  Type or attribute hal_cas_server used in neverallow
undefined in policy being checked.

Bug: 66910049
Test: build
Change-Id: Ia185f266fc1e3cb87c39939fdd45d02efa6c2c94
Merged-In: I1092aff40da9dcf09bd044400bedd1f549eb7e38

6b8088ba

Remove domain_deprecated audit logging · c5869f50
Jeff Vander Stoep authored 7 years ago
```
am: 5d8b059f

Change-Id: I511ddcdb2f8bec7b52985e25b0c9d4c8d763cf21
```
c5869f50

Sep 23, 2017

Remove domain_deprecated audit logging · 5d8b059f

Jeff Vander Stoep authored 7 years ago

These are no longer necessary as domain_deprecated has been
removed in AOSP master.

Bug: 66749762
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I01878a4410f8cb3c97ff96c67845dfaa7b0051ce

5d8b059f

Sep 20, 2017
- RESTRICT AUTOMERGE: lowpan: Add neverallow rule for lowpan_device · 0b6ad3d9
  Robert Quattlebaum authored 7 years ago
  
  Bug: b/64090883 Change-Id: I566a380db2f8f4d886252eee26181e37a4fb0d61
  0b6ad3d9
- Merge changes I4f6c7e4e,I7aa23c31 into oc-mr1-iot-dev · fbdf2940
  Robert Quattlebaum authored 7 years ago
  
  * changes: RESTRICT AUTOMERGE: lowpan: Add wpantund to SEPolicy RESTRICT AUTOMERGE: lowpan: Added support for LoWPAN Service and android.hardware.lowpan
  fbdf2940
Sep 19, 2017
- RESTRICT AUTOMERGE: lowpan: Add wpantund to SEPolicy · 32d5bfbd
  Robert Quattlebaum authored 7 years ago
  
  Bug: b/64399219 Test: Manual Change-Id: I4f6c7e4e3339ae95e43299bf364edff40d07c796
  32d5bfbd
- RESTRICT AUTOMERGE: lowpan: Added support for LoWPAN Service and android.hardware.lowpan · 401433ca
  Robert Quattlebaum authored 7 years ago
  
  Bug: b/64090883 Bug: b/33073713 Test: Manual Change-Id: I7aa23c31b1fccae56c1a0e0bd4cfe370aeb911dd
  401433ca
Sep 18, 2017

Allow sensor hal to use wakelock · 8c5a6814
Peng Xu authored 7 years ago
```
am: 4c4b433c

Change-Id: Ibb136df8fadd90013455cd8ff476ed28551f40e2
```
8c5a6814

Allow sensor hal to use wakelock · 4c4b433c

Peng Xu authored 7 years ago

Added permission related to use of wake lock. Wakelock in sensor
HAL is used to gurantee delivery of wake up sensor events before
system go back to sleep.

Bug: 63995095
Test: QCOM and nanohub sensor hal are able to acquire wakelock
      successfuly.

Change-Id: Id4ac3552e18a1cad252017e3dc9ab3d4be8d4ab9
Merged-In: Id4ac3552e18a1cad252017e3dc9ab3d4be8d4ab9

4c4b433c

Sep 16, 2017
- do not expand hal_cas attribute · 5330c746
  Jeff Vander Stoep authored 7 years ago
  
  am: aa5f37da Change-Id: I2bf881164990b2517b81d3bf3b6560537dc94636
  5330c746
Sep 15, 2017

do not expand hal_cas attribute · aa5f37da

Jeff Vander Stoep authored 7 years ago

Addresses:
junit.framework.AssertionFailedError: The following errors were
encountered when validating the SELinuxneverallow rule:
neverallow {   domain   -adbd   -dumpstate   -hal_drm -hal_cas -init
-mediadrmserver   -recovery   -shell   -system_server }
serialno_prop:file { getattr open read ioctl lock map };
Warning!  Type or attribute hal_cas used in neverallow undefined in
policy being checked.
libsepol.report_failure: neverallow violated by allow mediaextractor
serialno_prop:file { ioctl read getattr lock map open };
libsepol.report_failure: neverallow violated by allow mediacodec
serialno_prop:file { ioctl read getattr lock map open };
libsepol.report_failure: neverallow violated by allow hal_cas_default
serialno_prop:file { ioctl read getattr lock map open };
libsepol.check_assertions: 3 neverallow failures occurred

Bug: 65681219
Test: build
Change-Id: I2a6445d6372ee4e768cc2cea2140c6de97707a74
Merged-In: I1092aff40da9dcf09bd044400bedd1f549eb7e38

aa5f37da

Sep 11, 2017
- Allow sepolicies granting bootanim exec on /oem. am: 6a1e6a9c am: 6fea1f4f · 7522dce0
  Ed Coyne authored 7 years ago
  
  am: 99ee8b97 Change-Id: I56484d6fe14ecdb3028c6dfa29ee0c590d1e617c (cherry picked from commit 544a7317)
  7522dce0
Sep 01, 2017
- Merge "Give media.metrics service access to uid/pkg info" into oc-mr1-dev · 19cf5173
  Ray Essick authored 7 years ago
  
  am: 123cf237 Change-Id: Ic6b60c2168b9f5b75cbeaeebee2acd5310df489d
  19cf5173
- Merge "Give media.metrics service access to uid/pkg info" into oc-mr1-dev · 123cf237
  Ray Essick authored 7 years ago
  
  123cf237
- Merge "cgroup: allow associate to tmpfs" into oc-mr1-dev · 94b55a56
  Jeff Vander Stoep authored 7 years ago
  
  am: 15f9d052 Change-Id: I0c1390ade37884ff86a8089d25c9cce794b31877
  94b55a56
- Merge "Allow lmkd read memcg stats." into oc-mr1-dev · 3c6cf01c
  Robert Benea authored 7 years ago
  
  am: ba4d04e0 Change-Id: I54773febe86aeb79eba33494f5481762f2698584
  3c6cf01c
- Merge "cgroup: allow associate to tmpfs" into oc-mr1-dev · 15f9d052
  TreeHugger Robot authored 7 years ago
  
  15f9d052
- Merge "Allow lmkd read memcg stats." into oc-mr1-dev · ba4d04e0
  TreeHugger Robot authored 7 years ago
  
  ba4d04e0
- Revert "Add screencap domain." · 74e4018f
  Steven Moreland authored 7 years ago
  
  am: 60e53837 Change-Id: I43de8298c9dac061ca6fbd81e17fb4b8eed904c3
  74e4018f
- Revert "Permissions for screencap saving files to /sdcard/" · ce72b526
  Steven Moreland authored 7 years ago
  
  am: f606a51e Change-Id: Id385d64ac63bee08c1457f0a003718ecb03546ea
  ce72b526
- Revert "Add permissions for screencap for dumpstate." · 10a48665
  Steven Moreland authored 7 years ago
  
  am: 9c571765 Change-Id: I6ea1d962cf03ee18102e22d29df59749afc3d5bd
  10a48665
- cgroup: allow associate to tmpfs · 3f4e3181
  Jeff Vander Stoep authored 7 years ago
  
  Allows groups to be mounted at /dev/memcg Addresses: avc: denied { associate } for comm="init" name="memcg" scontext=u:object_r:cgroup:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=0 Bug: 64067152 Test: build Change-Id: Ic8f641e841fe09c8f7fd487ed67cf0ab4860a1cc
  3f4e3181
- Allow lmkd read memcg stats. · 3a163a34
  Robert Benea authored 7 years ago
  
  Currently lmkd is not able to read memcg info. The mem/swap usage info are used by lmkd to ugrade medium pressure events to critical level. Test: tested on gobo Bug: 65180281 Change-Id: I19d0eb53d5e754c176ffeda1b5d07049e6af8570
  3a163a34
- Revert "Add screencap domain." · 60e53837
  Steven Moreland authored 7 years ago
  
  This reverts commit f27bba93. Bug: 65206688 Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf
  60e53837
- Revert "Permissions for screencap saving files to /sdcard/" · f606a51e
  Steven Moreland authored 7 years ago
  
  This reverts commit c12c7349. Bug: 65206688 Change-Id: Ia2a04906f8585bf295b8c75e0b3d09490afb5d24
  f606a51e
- Revert "Add permissions for screencap for dumpstate." · 9c571765
  Steven Moreland authored 7 years ago
  
  This reverts commit b5dd44b1. Bug: 65206688 Change-Id: I00431ae7834a562e34e8959446d84a0077834091
  9c571765
- Add permissions for screencap for dumpstate. · 39162d86
  Steven Moreland authored 7 years ago
  
  am: b5dd44b1 Change-Id: I8343f7bd5caa8d51fde608464b4a98e7fd99ae62
  39162d86
Aug 31, 2017

Add permissions for screencap for dumpstate. · b5dd44b1

Steven Moreland authored 7 years ago

screencap domain needs additional permissions for
dumpstate to dump screenshots.

Test: adb shell cmd activity bug-report
Bug: 65206688
Change-Id: I824f345fd90d286454d570576c5888d7719c4c5c

b5dd44b1

Permissions for screencap saving files to /sdcard/ · 7d60f385
Steven Moreland authored 7 years ago
```
am: c12c7349

Change-Id: I254f296e81225510d909d8bab8e20e648b2d18df
```
7d60f385

Give media.metrics service access to uid/pkg info · 9b0924e1

Ray Essick authored 7 years ago

relax the sepolicy for media.metrics to allow access to
package manager for uid->packagename mapping functionality.

Bug: 65027506
Test: read output of 'dumpsys media.metrics'
Change-Id: I0d25af16c06dc65154cfda854e28ab70ada097c4

9b0924e1

Permissions for screencap saving files to /sdcard/ · c12c7349

Steven Moreland authored 7 years ago

Before screencap was in its own domain, it was able to do
this by using all of shell's permissions.

The following denials are caused (along with times from running the below test command)
when screencap is invoked to write a file onto the sdcard:
08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:23): avc: denied { read } for name="primary" dev="tmpfs" ino=19547 scontext=u:r:screencap:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file permissive=1
08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:24): avc: denied { search } for name="/" dev="tmpfs" ino=19529 scontext=u:r:screencap:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1
08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:25): avc: denied { search } for name="user" dev="tmpfs" ino=19535 scontext=u:r:screencap:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir permissive=1
08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:26): avc: denied { read } for name="primary" dev="tmpfs" ino=31198 scontext=u:r:screencap:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=lnk_file permissive=1
08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:27): avc: denied { search } for name="/" dev="sdcardfs" ino=1310722 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=1
08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:28): avc: denied { write } for name="image.png" dev="sdcardfs" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1
08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:29): avc: denied { open } for path="/storage/emulated/0/image.png" dev="sdcardfs" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1
08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:30): avc: denied { write open } for path="/data/media/0/image.png" dev="sda45" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1
08-30 21:03:32.582 4990 4990 I screencap: type=1400 audit(0.0:31): avc: denied { execute } for name="sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
08-30 21:03:32.582 4990 4990 I screencap: type=1400 audit(0.0:32): avc: denied { read open } for path="/system/bin/sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
08-30 21:03:32.582 4990 4990 I screencap: type=1400 audit(0.0:33): avc: denied { execute_no_trans } for path="/system/bin/sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
08-30 21:03:32.582 4990 4990 I sh : type=1400 audit(0.0:34): avc: denied { getattr } for path="/system/bin/sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
08-30 21:03:32.586 4990 4990 I sh : type=1400 audit(0.0:35): avc: denied { ioctl } for path="socket:[57515]" dev="sockfs" ino=57515 ioctlcmd=5401 scontext=u:r:screencap:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=1
08-30 21:03:32.586 4990 4990 I sh : type=1400 audit(0.0:36): avc: denied { getattr } for path="socket:[57515]" dev="sockfs" ino=57515 scontext=u:r:screencap:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=1
08-30 21:03:32.589 4991 4991 I sh : type=1400 audit(0.0:37): avc: denied { execute_no_trans } for path="/system/bin/am" dev="dm-0" ino=1178 scontext=u:r:screencap:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
08-30 21:03:32.739 4992 4992 I cmd : type=1400 audit(0.0:38): avc: denied { call } for scontext=u:r:screencap:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=1
08-30 21:03:32.739 4992 4992 I cmd : type=1400 audit(0.0:39): avc: denied { use } for path="/dev/null" dev="tmpfs" ino=19514 scontext=u:r:system_server:s0 tcontext=u:r:screencap:s0 tclass=fd permissive=1
08-30 21:03:32.739 4992 4992 I cmd : type=1400 audit(0.0:40): avc: denied { transfer } for scontext=u:r:screencap:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=1
08-30 21:03:32.741 575 575 E SELinux : avc: denied { find } for service=activity pid=4992 uid=2000 scontext=u:r:screencap:s0 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1
08-30 21:03:32.749 837 837 I Binder:837_9: type=1400 audit(0.0:41): avc: denied { call } for scontext=u:r:system_server:s0 tcontext=u:r:screencap:s0 tclass=binder permissive=1

If /data/media/ is deleted, the following denials also occur:
08-31 00:45:45.966 8899 8899 I screencap: type=1400 audit(0.0:43): avc: denied { search } for name="0" dev="sda45" ino=1310728 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
08-31 00:45:45.966 8899 8899 I screencap: type=1400 audit(0.0:44): avc: denied { read open } for path="/data/media/0" dev="sda45" ino=1310728 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
08-31 00:45:45.966 8899 8899 I screencap: type=1400 audit(0.0:48): avc: denied { write } for name="0" dev="sda45" ino=1310728 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
08-31 00:45:45.966 8899 8899 I screencap: type=1400 audit(0.0:49): avc: denied { add_name } for name="image.png" scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
08-31 00:45:45.966 8899 8899 I screencap: type=1400 audit(0.0:50): avc: denied { create } for name="image.png" scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1
08-31 00:45:45.966 8899 8899 I screencap: type=1400 audit(0.0:51): avc: denied { setattr } for name="image.png" dev="sda45" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1
08-31 00:45:45.966 8899 8899 I screencap: type=1400 audit(0.0:53): avc: denied { write open } for path="/data/media/0/image.png" dev="sda45" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1
08-31 01:04:29.741 6625 6625 W screencap: type=1400 audit(0.0:23): avc: denied { write } for name="0" dev="sdcardfs" ino=655364 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0

Test: adb shell screencap -p /sdcard/phone.png
Bug: 65206688
Change-Id: I808429b25fa3118fef7931050ab757c9bcd61881

c12c7349

Aug 29, 2017

Merge "Fix typo in servicemanager policy." into oc-mr1-dev · 43b46467
Martijn Coenen authored 7 years ago
```
am: 4d3df312

Change-Id: Ia5490934824eb2ff4c99d6143b3e15012f4dc82e
```
43b46467
Merge "Fix typo in servicemanager policy." into oc-mr1-dev · 4d3df312
TreeHugger Robot authored 7 years ago

4d3df312
Merge "Move Broadcast Radio HAL to a separate binary." into oc-mr1-dev · af806996
Tomasz Wasilczyk authored 7 years ago
```
am: 4f6e5b98

Change-Id: I9b9142f1bc2a467c365481f4f34b5a308b93de5d
```
af806996
Merge "Move Broadcast Radio HAL to a separate binary." into oc-mr1-dev · 4f6e5b98
Tomasz Wasilczyk authored 7 years ago

4f6e5b98
Merge "Allow all domains to stat symlinks in sysfs" into oc-mr1-dev · 74e1bc2e
Jeff Vander Stoep authored 7 years ago
```
am: e14d6a98

Change-Id: Ie5fcb6dcdcc67f13907fa404fe9124a6e9113326
```
74e1bc2e
Merge "Allow all domains to stat symlinks in sysfs" into oc-mr1-dev · e14d6a98
TreeHugger Robot authored 7 years ago

e14d6a98

Allow all domains to stat symlinks in sysfs · 17e97257

Jeff Vander Stoep authored 7 years ago

This is needed to retain app's previous access to
/sys/devices/system/cpu. When these files were previously
labeled in file_contexts, symlinks were labeled as
sysfs_devices_system_cpu. When labeling was moved to genfs_contexts
symlinks all have the default sysfs label.

avc: denied { getattr } for comm="main"
path="/sys/devices/system/cpu/cpu0/cpufreq" dev="sysfs" ino=41897
scontext=u:r:untrusted_app_25:s0:c512,c768
tcontext=u:object_r:sysfs:s0 tclass=lnk_file permissive=0

Change-Id: Idaa565390bca13d3819e147fcea4214956c0f589
Bug: 64270911
Test: build aosp_marlin
(cherry picked from commit 8d021a94)

17e97257