Commits · 178d0adbfcce67f5eb6cbd3863f3d1146d37fe64 · Werner Sembach / AndroidSystemSEPolicy

Mar 08, 2018
- Merge "Add secure_element_device" into pi-dev · 178d0adb
  TreeHugger Robot authored 7 years ago
  
  178d0adb
- Merge "sepolicy(hostapd): Allow socket based control iface" into pi-dev · 5c51354c
  Jong Wook Kim authored 7 years ago
  
  5c51354c
Mar 07, 2018

Merge "Enabling incidentd to get top and ps data." into pi-dev · 7b74a844
TreeHugger Robot authored 7 years ago

7b74a844

Ruchi Kandoi authored 7 years ago

Test: eSE initializes at boot
Bug: 64881253
Change-Id: Ib2388b7368c790c402c000adddf1488bee492cce
(cherry picked from commit ea3cf000)

e0e2342e

Enabling incidentd to get top and ps data. · bcf8b115

Kweku Adams authored 7 years ago

Bug: 72177715
Bug: 72384374
Test: flash device and make sure incidentd is getting data without SELinux denials
Change-Id: I684fe014e19c936017a466ec2d6cd2e1f03022c0
(cherry picked from commit 06ac7dba)

bcf8b115

Merge "Track platform_app SELinux denial." into pi-dev · 763770f6
TreeHugger Robot authored 7 years ago

763770f6

Clean up bug_map. · f3f93eaf

Joel Galenson authored 7 years ago

Remove a fixed bug from bug_map.

Bug: 62140539
Test: Built policy.
Change-Id: I2ce9e48de92975b6e37ca4a3a4c53f9478b006ef

f3f93eaf

Track platform_app SELinux denial. · 2995e996

Joel Galenson authored 7 years ago

This should fix presubmit tests.

Bug: 74331887
Test: Built policy.
Change-Id: Ie9ef75a7f9eaebf1103e3d2f3b4521e9abaf2fe7

2995e996

Fix sepolicy for bpf object · 6cd70c2f

Chenbo Feng authored 7 years ago

With the new patches backported to 4.9 kernels, the bpf file system now
take the same file open flag as bpf_obj_get. So system server now need
read permission only for both bpf map and fs_bpf since we do not need
system server to edit the map. Also, the netd will always pass stdin
stdout fd to the process forked by it and do allow it will cause the
fork and execev fail. We just allow it pass the fd to bpfloader for now
until we have a better option.

Test: bpfloader start successful on devices with 4.9 kernel.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
Bug: 74096311
Bug: 30950746

Change-Id: I747a51cb05ae495c155e7625a3021fc77f921e0d

6cd70c2f

Mar 05, 2018

sepolicy(hostapd): Allow socket based control iface · e0290858

Daichi Ueura authored 7 years ago

Update sepolicy permission to allow hostapd to setup
socket for socket based control interface.

Sepolicy denial for accessing /data/vendor/wifi/hostapd/ctrl:
02-23 12:32:06.186  3068  3068 I hostapd : type=1400 audit(0.0:36):
avc: denied { create } for name="ctrl"
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:hostapd_data_file:s0 tclass=dir permissive=1

02-23 12:32:06.186  3068  3068 I hostapd : type=1400 audit(0.0:37):
avc: denied { setattr } for name="ctrl" dev="sda35" ino=131410
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:hostapd_data_file:s0 tclass=dir permissive=1

02-23 12:32:06.190  3068  3068 I hostapd : type=1400 audit(0.0:38):
avc: denied { create } for name="wlan0"
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:hostapd_data_file:s0 tclass=sock_file permissive=1

02-23 12:32:06.190  3068  3068 I hostapd : type=1400 audit(0.0:39):
avc: denied { setattr } for name="wlan0" dev="sda35" ino=131411
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:hostapd_data_file:s0 tclass=sock_file permissive=1

Bug: 73419160
Test: Manual check that softAp works
Change-Id: I2e733e168feceeab2d557f7704832c143e352375

e0290858

Mar 02, 2018
- Add functionfs access to system_server. am: 1d401545 am: caf0139b · a6b8414b
  Jerry Zhang authored 7 years ago
  
  am: 66adf0cd Change-Id: I88a90ad2fc9243724e4ddb6f9da469857ffd115b
  a6b8414b
- Add functionfs access to system_server. am: 1d401545 · 66adf0cd
  Jerry Zhang authored 7 years ago
  
  am: caf0139b Change-Id: I874a41e0072352f5b8a0fc2b0080913c206520e1
  66adf0cd
- Add functionfs access to system_server. · caf0139b
  Jerry Zhang authored 7 years ago
  
  am: 1d401545 Change-Id: I7502e6ff1e45c12340b9f830bcc245fd2c80996e
  caf0139b
Mar 01, 2018

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · 4eb92dc1

Ryan Longair authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0 am: a401c9f9 am: 0bba3d44  -s ours am: a0fac585  -s ours
am: 8ded6f42  -s ours

Change-Id: I19963a23f98c60613a511eed2b2f8938317002f8

4eb92dc1

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · 8ded6f42

Ryan Longair authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0 am: a401c9f9 am: 0bba3d44  -s ours
am: a0fac585  -s ours

Change-Id: I37020b064e0ab86621c567120e362a39cb27ddc3

8ded6f42

Fix sepolicy-analyze makefile so it is included in STS builds am: b7602d76 · 7a23c8ba
Ryan Longair authored 7 years ago
```
am: 1ee556ed  -s ours

Change-Id: I3cc14d0b4d61136651c89671d2b134a86fc9450f
```
7a23c8ba

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · a0fac585

Ryan Longair authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0 am: a401c9f9
am: 0bba3d44  -s ours

Change-Id: I7d9dfa298bc3f7f278284a09b5c47bd2d1c95e1d

a0fac585

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · 0bba3d44

Ryan Longair authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0
am: a401c9f9

Change-Id: I37ef9b2b0ca3ea3012324a13592d60b70645bb8e

0bba3d44

Fix sepolicy-analyze makefile so it is included in STS builds · 1ee556ed
Ryan Longair authored 7 years ago
```
am: b7602d76

Change-Id: Ic731e6165c89f205bce4c96fbf760454550acd81
```
1ee556ed

Add functionfs access to system_server. · 1d401545

Jerry Zhang authored 7 years ago

UsbDeviceManager in system_server now
helps set up the endpoint files.

Bug: 72877174
Test: No selinux denials
Change-Id: I96b11ee68799ac29b756d2034e7f5e4660dbed98

1d401545

Fix sepolicy-analyze makefile so it is included in STS builds · b7602d76

Ryan Longair authored 7 years ago

Bug:74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Merged-In: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b
Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b

b7602d76

Fix sepolicy-analyze makefile so it is included in STS builds · 50fec5f8

Ryan Longair authored 7 years ago

Bug:74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b

50fec5f8

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · a401c9f9

Android Build Merger (Role) authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0

Change-Id: I8b2fd267b39b579bf34f23822698cda23c31e77e

a401c9f9

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · ac6dcce0

Android Build Merger (Role) authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e

Change-Id: Ic7c0f37773c22bd11e9b48e07bc46766d053da58

ac6dcce0

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · 89455f2e

Android Build Merger (Role) authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb

Change-Id: Id65e91d0c3bdced074a6aa99902fcdfc0d97628c

89455f2e

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · e9a260bb

Android Build Merger (Role) authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d

Change-Id: I5ae440fe30e214250bf66ea023104ab383700a54

e9a260bb

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 · fa412d2d
Android Build Merger (Role) authored 7 years ago
```
Change-Id: I9a4944f131547c11329167bc327c0de2c08e1f20
```
fa412d2d

Fix sepolicy-analyze makefile so it is included in STS builds · 7dab0f94

Ryan Longair authored 7 years ago

Bug:74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Merged-In: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b
Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b

7dab0f94

Allow hal_vibrator access to sysfs_vibrator files. am: 17d008ae am: 324e6ef5 · f2a23efc
Alan Stokes authored 7 years ago
```
am: 0d12c356

Change-Id: I245c2914f51f317758148123dc1368c326f562f1
```
f2a23efc
Allow hal_vibrator access to sysfs_vibrator files. am: 17d008ae · 0d12c356
Alan Stokes authored 7 years ago
```
am: 324e6ef5

Change-Id: I6ed15ce344d61eab4d81928b09020d7fb0fb757a
```
0d12c356
Allow hal_vibrator access to sysfs_vibrator files. · 324e6ef5
Alan Stokes authored 7 years ago
```
am: 17d008ae

Change-Id: Ib6305067a4f3bf30df918c63a049b7d689f9c255
```
324e6ef5

Allow hal_vibrator access to sysfs_vibrator files. · 17d008ae

Alan Stokes authored 7 years ago

We already grant rw file access, but without dir search it's not much
use.

denied { search } for name="vibrator" dev="sysfs" ino=49606 scontext=u:r:hal_vibrator_default:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=dir permissive=0

Bug: 72643420
Test: Builds, denial gone
Change-Id: I3513c0a14f0ac1e60517009046e2654f1fc45c66

17d008ae

Add shell:fifo_file permission for cameraserver am: a6acef9a am: 42756b76 · f32e00e0
huans authored 7 years ago
```
am: 50830871

Change-Id: I23c9f800c4faab0d03a9d239bbb2d0a61b6263ab
```
f32e00e0
Add shell:fifo_file permission for cameraserver am: a6acef9a · 50830871
huans authored 7 years ago
```
am: 42756b76

Change-Id: Ia8e879b894c75a28461bd90e86888703c20a604a
```
50830871
Add shell:fifo_file permission for cameraserver · 42756b76
huans authored 7 years ago
```
am: a6acef9a

Change-Id: I4a6816ae90ced3afb04f8d40afb2267f3a2994cf
```
42756b76

Add shell:fifo_file permission for cameraserver · a6acef9a

huans authored 7 years ago

Bug: 73952536
Test: run cts -m CtsCameraTestCases -t android.hardware.camera2.cts.IdleUidTest#testCameraAccessBecomingInactiveUid
Change-Id: I508352671367dfa106e80108c3a5c0255b5273b2

a6acef9a

Feb 28, 2018
- Merge "kernel: exempt from vendor_file restrictions" am: 609aa6b8 am: 7a22490c · cb33022b
  Jeff Vander Stoep authored 7 years ago
  
  am: 426f78ca Change-Id: I4f1983feed32c668d723932c61a6f51692c61f53
  cb33022b
- Merge "kernel: exempt from vendor_file restrictions" am: 609aa6b8 · 426f78ca
  Jeff Vander Stoep authored 7 years ago
  
  am: 7a22490c Change-Id: I3e6731b04314f9c54c016c1c7584242cdd12e75f
  426f78ca
- Merge "kernel: exempt from vendor_file restrictions" · 7a22490c
  Jeff Vander Stoep authored 7 years ago
  
  am: 609aa6b8 Change-Id: I261753961c59527061254f0b1c7adca50a7c2bce
  7a22490c
- Merge "kernel: exempt from vendor_file restrictions" · 609aa6b8
  Treehugger Robot authored 7 years ago
  
  609aa6b8