Commits · 1b433165e4975eed3a49a8b56e9232bf030b9737 · Werner Sembach / AndroidSystemSEPolicy

Apr 06, 2018

Grant traced_probes search on directories. · 1b433165
Florian Mayer authored 6 years ago
```
am: ff146962

Change-Id: Ia7fac0ce2f9818d94c9b9f55e1e42f7bdd8cf462
```
1b433165

Grant traced_probes search on directories. · ff146962

Florian Mayer authored 6 years ago

This is needed to be able to scan the labels we have
permission on.

Denial:

04-06 12:52:22.674 874 874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0

Bug: 73625480

ff146962

Apr 05, 2018
- Merge "Track storaged SELinux denial." · 46e4c189
  Joel Galenson authored 6 years ago
  
  am: 04529dc6 Change-Id: I630f9fe7b662cdb87094eb90a7bf24d62a0b4876
  46e4c189
- Merge "Track storaged SELinux denial." · 04529dc6
  Treehugger Robot authored 6 years ago
  
  04529dc6
- Track storaged SELinux denial. · c6b5a96b
  Joel Galenson authored 6 years ago
  
  This should help fix presubmit tests. Bug: 77634061 Test: Built policy. Change-Id: Ib9f15c93b71c2b67f25d4c9f949a5e2b3ce93b9c
  c6b5a96b
- Merge "Wifi HAL SIOCSIFHWADDR sepolicy" · 62861f86
  Jong Wook Kim authored 6 years ago
  
  am: c9dd7149 Change-Id: Ideee1c776e572f0e8d90eb340f1d2e58b1182a4c
  62861f86
- Merge "Wifi HAL SIOCSIFHWADDR sepolicy" · c9dd7149
  Jong Wook Kim authored 6 years ago
  
  c9dd7149
- Remove direct qtaguid access from platform/system apps · e505a35d
  Jeff Vander Stoep authored 6 years ago
  
  am: f3220aa6 Change-Id: Ibf50ab24fa12e07fc44e89420bba99d5665156d9
  e505a35d
- shell: move shell qtaguid perms to shell.te · 7a99df89
  Jeff Vander Stoep authored 6 years ago
  
  am: 9d28625f Change-Id: Iadb2f23c577f3641ed9785891c97a000d757957a
  7a99df89
Apr 04, 2018

Remove direct qtaguid access from platform/system apps · f3220aa6

Jeff Vander Stoep authored 6 years ago

System components should use the public tagSocket() API, not direct
file access to /proc/net/xt_qtaguid/* and /dev/xt_qtaguid.

Test: build/boot taimen-userdebug. Use youtube, browse chrome,
    navigate maps on both cellular and wifi.
Bug: 68774956

Change-Id: Id895395de100d8f9a09886aceb0d6061fef832ef

f3220aa6

shell: move shell qtaguid perms to shell.te · 9d28625f

Jeff Vander Stoep authored 6 years ago

Remove unecessary access to /proc/net/xt_qtaguid/ctrl and
/dev/xt_qtaguid.

Bug: 68774956
Test: atest CtsNativeNetTestCases
Test: adb root; atest tagSocket
Change-Id: If3a1e823be0e342faefff28ecd878189c68a8e92

9d28625f

Allowing incidentd to get stack traces from processes. · 5f98693a
Kweku Adams authored 6 years ago
```
am: 985db6d8

Change-Id: I1c05fb2469df71f5572aaf8ed88333dc3c92d3c5
```
5f98693a

Allowing incidentd to get stack traces from processes. · 985db6d8

Kweku Adams authored 7 years ago

Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912

985db6d8

Merge "Rename qtaguid_proc to conform to name conventions" · d093691c
Jeff Vander Stoep authored 6 years ago
```
am: 38a84cf8

Change-Id: I76cbd596ac70b065c288b30855db956fd456b5f6
```
d093691c
Merge "Rename qtaguid_proc to conform to name conventions" · 38a84cf8
Treehugger Robot authored 6 years ago

38a84cf8

Apr 03, 2018

Merge "Block SDK 28 app from using proc/net/xt_qtaguid" · c9f91a8c
Chenbo Feng authored 6 years ago
```
am: c69cbe55

Change-Id: I741c90bf96d43b6ab5227696ac24d8891cf5dc97
```
c9f91a8c
Merge "Block SDK 28 app from using proc/net/xt_qtaguid" · c69cbe55
Treehugger Robot authored 6 years ago

c69cbe55
Allow getsockopt and setsockopt for Encap Sockets · 9f33cad7
Nathan Harold authored 6 years ago
```
am: 252b0153

Change-Id: I1800da081c5f164c35a470978053514f67c016da
```
9f33cad7

Allow getsockopt and setsockopt for Encap Sockets · 252b0153

Nathan Harold authored 7 years ago

Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.

Bug: 68689438
Test: compilation
Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c

252b0153

Rename qtaguid_proc to conform to name conventions · bdf2a9c4
Jeff Vander Stoep authored 6 years ago
```
Test: build
Bug: 68774956
Change-Id: I0f9fd87eb41e67e14f35e49eba13e3d1de745250
```
bdf2a9c4

Block SDK 28 app from using proc/net/xt_qtaguid · c411ff70

Chenbo Feng authored 7 years ago

The file under /proc/net/xt_qtaguid is going away in future release.
Apps should use the provided public api instead of directly reading the
proc file. This change will block apps that based on SDK 28 or above to
directly read that file and we will delete that file after apps move
away from it.

Test: Flashed with master branch on marlin, verified phone boot, can
      browse web, watch youtube video, make phone call and use google
      map for navigation with wifi on and off.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
      run cts -m CtsAppSecurityHostTestCases -t \
      		android.appsecurity.cts.AppSecurityTests

Change-Id: I4c4d6c9ab28b426acef23db53f171de8f20be1dc
(cherry picked from commit 5ec8f843)

c411ff70

Add untrusted_app_27 · 950388f0
Jeff Vander Stoep authored 6 years ago
```
am: 3aa7ca56

Change-Id: I964ce5b658d73b7ccfbc7b1d86ca11b1c7ad8459
```
950388f0

Add untrusted_app_27 · 3aa7ca56

Jeff Vander Stoep authored 6 years ago

This is a partial cherry pick of commit 6231b4d9
'Enforce per-app data protections for targetSdk 28+'.

Untrusted_app_27 remains unreachable, but it's existence
prevents future merge conflicts.

Bug: 63897054
Test: build/boot aosp_walleye-userdebug
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0
(cherry picked from commit 6231b4d9)

3aa7ca56

Remove deprecated tagSocket() permissions · c1753b7a
Jeff Vander Stoep authored 6 years ago
```
am: 0d1e52a5

Change-Id: I82c95f1fa1494d6b380823c4fd4436081e62bea0
```
c1753b7a

Remove deprecated tagSocket() permissions · 0d1e52a5

Jeff Vander Stoep authored 6 years ago

tagSocket() now results in netd performing these actions on behalf
of the calling process.

Remove direct access to:
/dev/xt_qtaguid
/proc/net/xt_qtaguid/ctrl

Bug: 68774956
Test: -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
    -m CtsNativeNetTestCases
Test: stream youtube, browse chrome
Test: go/manual-ab-ota
Change-Id: I6a044f304c3ec4e7c6043aebeb1ae63c9c5a0beb

0d1e52a5

Apr 02, 2018

Merge "Allow vendor_init_settable for persist.sys.sf.native_mode" · 27aa211d
Jaekyun Seok authored 6 years ago
```
am: f22c062c

Change-Id: I1c1a4c68adb49113ef6b6ff95326de8cb2ce8e25
```
27aa211d
Merge "Allow vendor_init_settable for persist.sys.sf.native_mode" · f22c062c
Treehugger Robot authored 6 years ago

f22c062c
Selinux: Fix perfprofd policy · bd81409f
Andreas Gampe authored 6 years ago
```
am: c8fe29ff

Change-Id: I70261798153c0151aa04f64064e58edb81e87805
```
bd81409f
Reland "Allow dexopt to follow /odm/lib(64) symlinks."" · ee92ff78
Jiyong Park authored 6 years ago
```
am: a6d9d6b6

Change-Id: If482dd99535d544fa39e287ed5787aa156dcac56
```
ee92ff78

Selinux: Fix perfprofd policy · c8fe29ff

Andreas Gampe authored 7 years ago

Update for debugfs labeling changes.

Update for simpleperf behavior with stack traces (temp file).

Bug: 73175642
Test: m
Test: manual - run profiling, look for logs
Change-Id: Ie000a00ef56cc603f498d48d89001f566c03b661

c8fe29ff

Allow vendor_init_settable for persist.sys.sf.native_mode · 0dc35873

Jaekyun Seok authored 6 years ago

A default value of persist.sys.sf.native_mode could be set by SoC
partners in some devices including some pixels.
So it should have vendor_init_settable accessibility.

Bug: 74266614
Test: succeeded building and tested with a pixel device with
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE=true.

Change-Id: I5d7a029f82505983d21dc722541fb55761a8714d

0dc35873

Reland "Allow dexopt to follow /odm/lib(64) symlinks."" · a6d9d6b6

Jiyong Park authored 6 years ago

This reverts commit 942500b9.

Bug: 75287236
Test: boot a device
Change-Id: If81a2d2a46979ffbd536bb95528c3b4ebe3483df

a6d9d6b6

Mar 31, 2018
- Merge "Update sepolicy to have system_server access stats_data" · 7718295a
  yro authored 7 years ago
  
  am: 8b11302e Change-Id: Iaed05ea224d163f69047ef9ffd4053e2abe03e6f
  7718295a
- Merge "Update sepolicy to have system_server access stats_data" · 8b11302e
  Treehugger Robot authored 7 years ago
  
  8b11302e
Mar 30, 2018
- Merge "Allow incidentd to read LAST_KMSG only for userdebug builds" · 1bcbab21
  Yi Jin authored 7 years ago
  
  am: 855c6c16 Change-Id: I0da863030a919dbd4f6f9591edc0f74d88357b02
  1bcbab21
- Merge "Allow incidentd to read LAST_KMSG only for userdebug builds" · 855c6c16
  Treehugger Robot authored 7 years ago
  
  855c6c16
- Update sepolicy to have system_server access stats_data · 36dd2a41
  yro authored 7 years ago
  
  Test: manually tested to prevent sepolicy violation Change-Id: I9ebcc86464a9fc61a49d5c9be40f19f3523b6785
  36dd2a41
- Merge "Allow netutils_wrapper to use pinned bpf program" · 4a0c24ed
  Chenbo Feng authored 7 years ago
  
  am: 4fb1a145 Change-Id: Idc53868180280f2710d75dacb42918f6e27599a7
  4a0c24ed
- Merge "Allow netutils_wrapper to use pinned bpf program" · 4fb1a145
  Treehugger Robot authored 7 years ago
  
  4fb1a145
- Merge "Test frozen sepolicy has not diverged from prebuilts." · 654134a4
  Tri Vo authored 7 years ago
  
  am: 8cafb58a Change-Id: Iedffb50a6cdbc0fd84169f15e0fddb19b476aeff
  654134a4