Commits · 1da7ed23b99404c381b4f30ac3dba37b2001dda6 · Werner Sembach / AndroidSystemSEPolicy

Jun 15, 2017
- Merge "Exempt ASAN from selinux build-checks." · 1da7ed23
  TreeHugger Robot authored 7 years ago
  
  1da7ed23
- Exempt ASAN from selinux build-checks. · ccdd6e11
  Dan Cashman authored 7 years ago
  
  ASAN makes use of shenanigans that violate our policy best-practices. This is by design. Exempt them from these tests to get it building again. Bug: 37740897 Test: Builds with ASAN enabled. Change-Id: Iffde28c2741466da5862b2dfe1fffa2c0d93caeb
  ccdd6e11
- Merge "Add getpgid to system_service and init" am: 2122f1fe am: 04306859 am: 24d0cad3 · 4aa1869b
  Tom Cherry authored 7 years ago
  
  am: c6382177 Change-Id: I88f49a55da787aa355431b65cbada05924d2c152
  4aa1869b
- Merge "Add getpgid to system_service and init" am: 2122f1fe am: 04306859 · c6382177
  Tom Cherry authored 7 years ago
  
  am: 24d0cad3 Change-Id: Ieffac9d2e5ff8500534cf9935eff9918989c2fb4
  c6382177
- Merge "Add getpgid to system_service and init" am: 2122f1fe · 24d0cad3
  Tom Cherry authored 7 years ago
  
  am: 04306859 Change-Id: I3eb542cced980ce94425110d8dc8e58aeb122607
  24d0cad3
- Merge "Add getpgid to system_service and init" · 04306859
  Tom Cherry authored 7 years ago
  
  am: 2122f1fe Change-Id: I05f0b28b9e6622477fe2fa4b041ea03c5744f82c
  04306859
- Merge "Add getpgid to system_service and init" · 2122f1fe
  Tom Cherry authored 7 years ago
  
  2122f1fe
- Merge "Properly give some files the debugfs_tracing context only in debug mode." · d824301c
  TreeHugger Robot authored 7 years ago
  
  d824301c
Jun 14, 2017

Merge "Add debug selinux permission to write saved_cmdlines_size. am:... · ad6668f9

Carmen Jackson authored 7 years ago

Merge "Add debug selinux permission to write saved_cmdlines_size. am: e9381d5e am: d651e0b7" into oc-dr1-dev-plus-aosp
am: 1c21d4bf -s ours

Change-Id: I61071789474228aa6cc0f59b9ecfb9a859f0ae48

ad6668f9

Add debug selinux permission to write saved_cmdlines_size. am: e9381d5e am: e180a613 · 64ce7fee
Carmen Jackson authored 7 years ago
```
am: 7683d565  -s ours

Change-Id: I47c3530675ce5c55edc09bca749c7a897404d033
```
64ce7fee
Merge "Add debug selinux permission to write saved_cmdlines_size. am:... · 1c21d4bf
Android Build Merger (Role) authored 7 years ago
```
Merge "Add debug selinux permission to write saved_cmdlines_size. am: e9381d5e am: d651e0b7" into oc-dr1-dev-plus-aosp
```
1c21d4bf
Add debug selinux permission to write saved_cmdlines_size. am: e9381d5e · 7683d565
Carmen Jackson authored 7 years ago
```
am: e180a613

Change-Id: Iaa5b2f434ebf712884d5823caf87e93de317e14e
```
7683d565
Add debug selinux permission to write saved_cmdlines_size. am: e9381d5e · 24f24c41
Carmen Jackson authored 7 years ago
```
am: d651e0b7

Change-Id: I99c911d119c300e7035a111a24b0d900f435fca8
```
24f24c41
Add debug selinux permission to write saved_cmdlines_size. · d651e0b7
Carmen Jackson authored 7 years ago
```
am: e9381d5e

Change-Id: I784011fc804dd43f431be62804761b100846dfbf
```
d651e0b7
Add debug selinux permission to write saved_cmdlines_size. · e180a613
Carmen Jackson authored 7 years ago
```
am: e9381d5e

Change-Id: Ic2192d5128543f28d2f91c4aedabab08b01669e5
```
e180a613

Properly give some files the debugfs_tracing context only in debug mode. · 92fdd895

Joel Galenson authored 7 years ago

One of my previous commits removed this, so I am now restoring it.

This commit also contains a bit of cleanup from previous commits by
removing some unneeded types.

It also fixes traceur by porting ag/2409144 to master.

Bug: 62413700, 62547086
Test: Built, flashed, and booted Marlin.  Verified that the files have
the correct context.  Verified that atrace and traceur work.

Change-Id: I76fa0e9060aff554687d57ab3976c8704a4068f0

92fdd895

Merge "recovery: clean up audit logspam" · 365b9b0d
TreeHugger Robot authored 7 years ago

365b9b0d

Add debug selinux permission to write saved_cmdlines_size. · e9381d5e

Carmen Jackson authored 7 years ago

Now that we're expected to use this when taking traces, we need to add
this permission so that Traceur can also access this file.

Test: Used Traceur and saw the traces appear in the bugreports
directory, as expected.
Bug: 62493544

Change-Id: Ib4304176abbb51e2e3b45c566ff14574e1cfaa82
Merged-In: I464b0df30fabfc5f1c7cd7430e53e8d04bfacb53
(this merged-in is not the same change; it's a conflicting change in
master)

e9381d5e

recovery: clean up audit logspam · ea1d6e7d

Jeff Vander Stoep authored 7 years ago

avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { getattr } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir

Fixes: 62619253
Test: policy builds, no more "granted" messages in dmesg for recovery.
Change-Id: I3f6d8ceee80307a01a8fd40cb4f8362a9825b1a3

ea1d6e7d

Merge "Assert filesystem types must have their associated attr" · b8ad31d2
TreeHugger Robot authored 7 years ago

b8ad31d2
Merge "sepolicy: fix support for lmkd" · 84ae2d24
Robert Benea authored 7 years ago

84ae2d24
SELinux policy for secure persistent netd storage am: abb1ba65 am: 5ee87b00 am: 14a3cb28 · c1acc983
Joel Scherpelz authored 7 years ago
```
am: 733609da

Change-Id: I248cfa3b85774569123a3b3f7e8d3c068005b7fc
```
c1acc983
SELinux policy for secure persistent netd storage am: abb1ba65 am: 5ee87b00 · 733609da
Joel Scherpelz authored 7 years ago
```
am: 14a3cb28

Change-Id: Ib3b7dc9a8a702a32330ccb31f22cf746df8764fb
```
733609da
SELinux policy for secure persistent netd storage am: abb1ba65 · 14a3cb28
Joel Scherpelz authored 7 years ago
```
am: 5ee87b00

Change-Id: Id2dc995f88a60fe865387453234e3630a9975381
```
14a3cb28
SELinux policy for secure persistent netd storage · 5ee87b00
Joel Scherpelz authored 7 years ago
```
am: abb1ba65

Change-Id: I7765bfd350deb50847e83a1d3b5d7399206b4b9d
```
5ee87b00

sepolicy: fix support for lmkd · 86cb5215

Tim Murray authored 8 years ago

Allow lmkd to access /dev/memcg once again.

Test: lmkd can access memcg
bug 36588803

Change-Id: I47b4e79260bcd2967d85d8151c83e624d432f409

86cb5215

Merge "Revert "sepolicy: fix support for lmkd"" · 655baa54
Robert Benea authored 7 years ago

655baa54
Revert "sepolicy: fix support for lmkd" · 9b1e0d10
Robert Benea authored 7 years ago
```
This reverts commit 527f64e6.

Change-Id: Ibc48af53431a8f7c7211999dcb571f492fb5ddb4
```
9b1e0d10

Jun 13, 2017

Assert filesystem types must have their associated attr · 11d096fc

Jeff Vander Stoep authored 7 years ago

Test that:
- File types on /sys have attr sysfs_type
- File types on /sys/kernel/debug have attr debugfs_type
- File types on /data have attr data_file_type

Test: build policy
Change-Id: Ie4f1f1c7e5345da0999082962f084fdac6b85428

11d096fc

Merge "Files on /data must have the data_file_type attr" · dfa6d753
TreeHugger Robot authored 7 years ago

dfa6d753

Add getpgid to system_service and init · c59eb4d8

Tom Cherry authored 7 years ago

In libprocessgroup, we want to only send signals once to processes,
particularly for SIGTERM. We must send the signal both to all
processes within a POSIX process group and a cgroup. To ensure that
we do not duplicate the signals being sent, we check the processes in
the cgroup to see if they're in the POSIX process groups that we're
killing. If they are, we skip sending a second signal. This requires
getpgid permissions, hence this SELinux change.

avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1

Bug: 37853905
Bug: 62418791
Test: Boot, kill zygote, reboot
Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570

c59eb4d8

Build split file_contexts for recovery am: b236eb6c am: 5c383688 · a9f437b4
Jeff Vander Stoep authored 7 years ago
```
am: b3bdba4d

Change-Id: I4d3a71a1ffd2004e3ac85d89686d24e00c112d6e
```
a9f437b4
Build split file_contexts for recovery am: b236eb6c am: 77fe1de7 · 6d2b07cd
Jeff Vander Stoep authored 7 years ago
```
am: 78c58c79

Change-Id: I93ab700661ddad141f2ff9973187bb5b72ffad78
```
6d2b07cd
Build split file_contexts for recovery am: b236eb6c · b3bdba4d
Jeff Vander Stoep authored 7 years ago
```
am: 5c383688

Change-Id: Iaf28a1b178427e5b2bd13f45485cc3504464f6fc
```
b3bdba4d
Build split file_contexts for recovery am: b236eb6c · 78c58c79
Jeff Vander Stoep authored 7 years ago
```
am: 77fe1de7

Change-Id: I71b4bca350a9a29dd45dfafe8c3d1938cb54a46f
```
78c58c79
Build split file_contexts for recovery · 5c383688
Jeff Vander Stoep authored 7 years ago
```
am: b236eb6c

Change-Id: I87eb8bad11fc9c011289b8d97219835a08d18cd1
```
5c383688
Build split file_contexts for recovery · 77fe1de7
Jeff Vander Stoep authored 7 years ago
```
am: b236eb6c

Change-Id: I60a92781a5b923889e627d73e8922aca2607b67b
```
77fe1de7
Merge "Add mapping compatibility file for sepolicy api lvl 26.0" · 8d2b904e
Daniel Cashman authored 7 years ago

8d2b904e

Build split file_contexts for recovery · b236eb6c

Jeff Vander Stoep authored 7 years ago

[    7.674739] selinux: selinux_android_file_context: Error getting
file context handle (No such file or directory)

Bug: 62564629
Test: build and flash marlin. Successfully switch between regular
    and recovery modes

Change-Id: I0f871f8842d95322c844fb7b13ad1b4b42578e35

b236eb6c

Add mapping compatibility file for sepolicy api lvl 26.0 · 5e4e0d7f

Dan Cashman authored 7 years ago

commit: 5c6a227e added the oc-dev
sepolicy prebuilts (api 26.0), but did not include the corresponding
base mapping file, which is to be maintained along with current
platform development in order to ensure backwards compatibility.

Bug: 37896931
Test: none, this just copies the old mapping file to prebuilts.
Change-Id: Ia5c36ddab036352845878178fa9c6a9d649d238f

5e4e0d7f