Commits · 148578a623330941011a3a9ac00f1b30fe80ba6b · Werner Sembach / AndroidSystemSEPolicy

Jun 19, 2017

Update 26.0 SELinux prebuilts. · 148578a6

Dan Cashman authored 7 years ago

More changes went into oc-dev after the freeze-date.  Reflect them.

Bug: 37896931
Test: prebuilts - none.
Change-Id: I3300751ea7362d5d96b327138544be65eb9fc483

148578a6

Jun 16, 2017
- Merge "Suppress safetynet denials" into oc-dr1-dev am: 1468f85f · 8a3aae5c
  Jeff Vander Stoep authored 7 years ago
  
  am: 3c7156b5 Change-Id: I20743966a8eedb8a5168356d6af3907234431e31
  8a3aae5c
- Merge "Add rules for vfat for sdcardfs" into oc-dev am: 58d0d1e4 am: 29713c8d · b304e960
  Daniel Rosenberg authored 7 years ago
  
  am: 581069bf Change-Id: I58f7e0c44e68908101cb874789994885ed9a15e9
  b304e960
- Merge "Add rules for vfat for sdcardfs" into oc-dev am: 58d0d1e4 am: 39c4f76b · 8d89f81c
  Daniel Rosenberg authored 7 years ago
  
  am: 77ea7ccb Change-Id: I6ce8f52e97f0198cf712a60fd6af1e77090ec338
  8d89f81c
- Merge "Suppress safetynet denials" into oc-dr1-dev · 3c7156b5
  Jeff Vander Stoep authored 7 years ago
  
  am: 1468f85f Change-Id: Idd803017a8087ac9e9221c0ca6ac5893391db6de
  3c7156b5
- Merge "Add rules for vfat for sdcardfs" into oc-dev am: 58d0d1e4 · 581069bf
  Daniel Rosenberg authored 7 years ago
  
  am: 29713c8d Change-Id: I7089b62f8c54e24af47263325e085f092231f29d
  581069bf
- Merge "Suppress safetynet denials" into oc-dr1-dev · 1468f85f
  TreeHugger Robot authored 7 years ago
  
  1468f85f
- Merge "Add rules for vfat for sdcardfs" into oc-dev am: 58d0d1e4 · 77ea7ccb
  Daniel Rosenberg authored 7 years ago
  
  am: 39c4f76b Change-Id: I54b821fa20f428eaad1c8ab934a7e479664a6038
  77ea7ccb
- Merge "Add rules for vfat for sdcardfs" into oc-dev · 39c4f76b
  Daniel Rosenberg authored 7 years ago
  
  am: 58d0d1e4 Change-Id: I1a2207be3509ec5bc7797b906e15da16099190ad
  39c4f76b
- Merge "Add rules for vfat for sdcardfs" into oc-dev · 29713c8d
  Daniel Rosenberg authored 7 years ago
  
  am: 58d0d1e4 Change-Id: Ia53beb365c39d501c9d6cd53a4cb72dec14b610b
  29713c8d
- Merge "Add rules for vfat for sdcardfs" into oc-dev · 58d0d1e4
  TreeHugger Robot authored 7 years ago
  
  58d0d1e4
- Merge "Allow only system_server to read uid_time_in_state" · 9babe8f1
  Andres Oportus authored 7 years ago
  
  9babe8f1
- Merge "Add extraneous neverallow rule to enforce attribute inclusion." into... · 518e1e85
  Dan Cashman authored 7 years ago
  
  Merge "Add extraneous neverallow rule to enforce attribute inclusion." into oc-dev am: b5aeaf6d am: 2f2fd365 am: 04d9f833 Change-Id: I0eaf6ae7cd00f3f53efd2243ffe15a1bb4e97442
  518e1e85
- Merge "DO NOT MERGE. Restore property to match oc-dev." into oc-dr1-dev am: d4faa3ce · acbbe43c
  Dan Cashman authored 7 years ago
  
  am: dbd2b320 Change-Id: I1d4a04a8d79325f4dd7f06b995956e254668303b
  acbbe43c
- Merge "Add extraneous neverallow rule to enforce attribute inclusion." into... · 9ba4e8f8
  Dan Cashman authored 7 years ago
  
  Merge "Add extraneous neverallow rule to enforce attribute inclusion." into oc-dev am: b5aeaf6d am: 6f94efaf am: 3b2bf73d Change-Id: I666e91ca83ad916b04c325d4f75570d550fc0c61
  9ba4e8f8
- Merge "Add extraneous neverallow rule to enforce attribute inclusion." into oc-dev am: b5aeaf6d · 04d9f833
  Dan Cashman authored 7 years ago
  
  am: 2f2fd365 Change-Id: Ice4004ddb745f5936fc430f7ff44d1df3236687a
  04d9f833
- Merge "DO NOT MERGE. Restore property to match oc-dev." into oc-dr1-dev · dbd2b320
  Dan Cashman authored 7 years ago
  
  am: d4faa3ce Change-Id: I1791a5758eae1907dc0f15c2eeba36a0ad6577ce
  dbd2b320
- Merge "Add extraneous neverallow rule to enforce attribute inclusion." into oc-dev am: b5aeaf6d · 3b2bf73d
  Dan Cashman authored 7 years ago
  
  am: 6f94efaf Change-Id: I1aceeeb61ca9e558dd32b3ef33e07b6a551387e6
  3b2bf73d
- Merge "Add extraneous neverallow rule to enforce attribute inclusion." into oc-dev · 2f2fd365
  Dan Cashman authored 7 years ago
  
  am: b5aeaf6d Change-Id: Ib0ac9cf10c7cb9fd2462e0036307e2552d19b93b
  2f2fd365
- Merge "Add extraneous neverallow rule to enforce attribute inclusion." into oc-dev · 6f94efaf
  Dan Cashman authored 7 years ago
  
  am: b5aeaf6d Change-Id: Ibcf17f7bbea4923abc5d1713227568bb35c6674b
  6f94efaf
- Merge "DO NOT MERGE. Restore property to match oc-dev." into oc-dr1-dev · d4faa3ce
  TreeHugger Robot authored 7 years ago
  
  d4faa3ce
- Merge "Add extraneous neverallow rule to enforce attribute inclusion." into oc-dev · b5aeaf6d
  TreeHugger Robot authored 7 years ago
  
  b5aeaf6d
- Add rules for vfat for sdcardfs · 260a4485
  Daniel Rosenberg authored 7 years ago
  
  This adds parellel rules to the ones added for media_rw_data_file to allow apps to access vfat under sdcardfs. This should be reverted if sdcardfs is modified to alter the secontext it used for access to the lower filesystem Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65 Bug: 62584229 Test: Run android.appsecurity.cts.ExternalStorageHostTest with an external card formated as vfat Signed-off-by: Daniel Rosenberg <drosen@google.com>
  260a4485
- Allow only system_server to read uid_time_in_state · 4dc88795
  Andres Oportus authored 7 years ago
  
  Bug: 62706738 Bug: 34133340 Test: Check that uid_time_in_state can't be read from the shell without root permissions and that "dumpsys batterystats --checkin| grep ctf" shows frequency data (system_server was able to read uid_time_in_state) Change-Id: Ic6a54da4ebcc9e10b0e3af8f14a45d7408e8686e
  4dc88795
- Add extraneous neverallow rule to enforce attribute inclusion. · 939b50ff
  Dan Cashman authored 7 years ago
  
  Due to the massively increased number of attributes in SELinux policy as part of the treble changes, we have had to remove attributes from policy for performance reasons. Unfortunately, some attributes are required to be in policy to ensure that our neverallow rules are being properly enforced. Usually this is not a problem, since neverallow rules indicate that an attribute should be kept, but this is not currently the case when the attribute is part of a negation in a group. This is particularly problematic with treble since some attributes may exist for HALs that have no implementation, and thus no types. In particular, this has caused an issue with the neverallows added in our macros. Add an extraneous neverallow rule to each of those auto-generated neverallow rules to make sure that they are not removed from policy, until the policy compiler is fixed to avoid this. Also add corresponding rules for other types which have been removed due to no corresponding rules. Bug: 62591065 Bug: 62658302 Test: Attributes present in policy and CTS passes. sepolicy-analyze also works on platform-only policy. Change-Id: Ic3fc034cdbd04a94167f8240cf562297e8d7c762
  939b50ff
- Merge changes from topic 'am-a2bbd4d08b064a12884b60ef5f323817' into oc-dr1-dev-plus-aosp · e1fc9b0a
  Sandeep Patil authored 7 years ago
  
  am: 8e955869 Change-Id: I7ccc82bc5590b099eee3a329bdd7a63fde7a8e0b
  e1fc9b0a
- Merge changes from topic 'fix-neverallow-violation' into oc-dev am: 3692b318 am: 760674da · 3034b777
  Sandeep Patil authored 7 years ago
  
  am: e729505e Change-Id: Icedeefca21d21654af5e4fa2c7ddce389f1a96ea
  3034b777
- radio: disalllow radio and rild socket for treble devices am: d3381cd9 am: 8aa283fe · c7f88c7b
  Sandeep Patil authored 7 years ago
  
  am: ac8d43b3 Change-Id: I1a26e30fe47cabd7966afd2824d5bd2f584fb627
  c7f88c7b
- Merge changes from topic 'am-a2bbd4d08b064a12884b60ef5f323817' into oc-dr1-dev-plus-aosp · 8e955869
  Android Build Merger (Role) authored 7 years ago
  
  * changes: Merge changes from topic 'fix-neverallow-violation' into oc-dev am: 3692b318 am: 97a4c1c9 radio: disalllow radio and rild socket for treble devices am: d3381cd9 am: 516d8555
  8e955869
- Merge changes from topic 'fix-neverallow-violation' into oc-dev am: 3692b318 · e729505e
  Sandeep Patil authored 7 years ago
  
  am: 760674da Change-Id: Ibf3d635255104966af4d0b3004cee8babeffc4f9
  e729505e
- Merge changes from topic 'fix-neverallow-violation' into oc-dev am: 3692b318 · 75a8dbad
  Sandeep Patil authored 7 years ago
  
  am: 97a4c1c9 Change-Id: I7397ec9386f7f2afdbd44186e2e81ecac1ac48b1
  75a8dbad
- radio: disalllow radio and rild socket for treble devices am: d3381cd9 · 92f9b1e7
  Sandeep Patil authored 7 years ago
  
  am: 516d8555 Change-Id: I30aae50a7e5f9d5c354fa9b459451b0f111d94de
  92f9b1e7
- radio: disalllow radio and rild socket for treble devices am: d3381cd9 · ac8d43b3
  Sandeep Patil authored 7 years ago
  
  am: 8aa283fe Change-Id: I7593dd0f7f2888fb5b2aa5a20b258d3a370146fe
  ac8d43b3
- Merge changes from topic 'fix-neverallow-violation' into oc-dev · 760674da
  Sandeep Patil authored 7 years ago
  
  am: 3692b318 Change-Id: Ide1a5455e2b279ac1532bbdb88e852dba3ee2b28
  760674da
- Merge changes from topic 'fix-neverallow-violation' into oc-dev · 97a4c1c9
  Sandeep Patil authored 7 years ago
  
  am: 3692b318 Change-Id: I8affb6f117f842ebdf083ec24083e190dde0082a
  97a4c1c9
- radio: disalllow radio and rild socket for treble devices · 516d8555
  Sandeep Patil authored 7 years ago
  
  am: d3381cd9 Change-Id: I33215b5c9d894823f3928742a8712ef42d803156
  516d8555
- radio: disalllow radio and rild socket for treble devices · 8aa283fe
  Sandeep Patil authored 7 years ago
  
  am: d3381cd9 Change-Id: Iaabe00cb6e919b4e35896c0d9ef1770aee3b2363
  8aa283fe
- Merge changes from topic 'fix-neverallow-violation' into oc-dev · 3692b318
  Sandeep Patil authored 7 years ago
  
  * changes: build: run neverallow checks on platform sepolicy radio: disalllow radio and rild socket for treble devices
  3692b318
Jun 15, 2017

Merge "Exempt ASAN from selinux build-checks." · 1da7ed23
TreeHugger Robot authored 7 years ago

1da7ed23

DO NOT MERGE. Restore property to match oc-dev. · 9d448b91

Dan Cashman authored 7 years ago

CTS checks to make sure that the _contexts files on a device have
a superset of the AOSP entries.  This was removed due to concurrent
master and DR development.  Restore the entry to allow CTS to pass.

Bug: 38241921
Bug: 62348859
Test: Policy builds and is identical to oc-dev for prop ctxts.
Change-Id: I87ccbee7aadee57b8e46ede73280810362b618c0

9d448b91