Commits · 3e1a8911507ddb34afee26a8b726a87de503b0a4 · Werner Sembach / AndroidSystemSEPolicy

Aug 01, 2017

Allow nfc application to set nfc property · 3e1a8911
Ruchi Kandoi authored 7 years ago
```
am: 0393dafd

Change-Id: Ib8773a6973da28cfa161fbe34f701c191cab6f80
```
3e1a8911

Allow nfc application to set nfc property · 0393dafd

Ruchi Kandoi authored 7 years ago

type=1400 audit(1501520483.066:14): avc: denied { write } for pid=3330
comm=4173796E635461736B202331 name="property_service" dev="tmpfs"
ino=10749 scontext=u:r:nfc:s0 tcontext=u:object_r:property_socket:s0
tclass=sock_file permissive=0

Test: No sepolicy denials
Bug: 64010793
Change-Id: I8d73e8e19cd4d0a8c61f1f184820c53e5cc2b6d6
(cherry picked from commit df964950)

0393dafd

Jul 31, 2017
- Merge "Add system_net_netd_hwservice." into oc-dr1-dev · 49460e93
  Niranjan Pendharkar authored 7 years ago
  
  am: 23b986ce Change-Id: I15b6b70c8383316adcb3699de996a8a6b66db8b2
  49460e93
- Merge "Add system_net_netd_hwservice." into oc-dr1-dev · 23b986ce
  TreeHugger Robot authored 7 years ago
  
  23b986ce
Jul 29, 2017
- system_server: allow writing to timerslack_ns am: 5c41d40e am: 4e960188 · c29fd93c
  Jeff Vander Stoep authored 7 years ago
  
  am: f1876d58 Change-Id: I9b878eace2de33a483f648376f005277ef9283c6
  c29fd93c
- system_server: allow writing to timerslack_ns am: 5c41d40e · f1876d58
  Jeff Vander Stoep authored 7 years ago
  
  am: 4e960188 Change-Id: I5dcc335c9bc9a1546709bef874c499b9d8eff03c
  f1876d58
- system_server: allow writing to timerslack_ns · 4e960188
  Jeff Vander Stoep authored 7 years ago
  
  am: 5c41d40e Change-Id: I6a60af407a6a95e3d48818de28619dc5ba44284f
  4e960188
Jul 28, 2017

system_server: allow writing to timerslack_ns · 5c41d40e

Jeff Vander Stoep authored 7 years ago

The only file in /proc/<pid>/ that is world writeable is
/proc/<pid>/timerslack_ns so granting selinux write permission to
a process's /proc/<pid>/ file only allows writing to timerslack_ns
(unless the process is running as system UID).

Addresses denials such as:
avc: denied { write } for comm="Binder:1117_2" name="timerslack_ns"
dev="proc" ino=27908 scontext=u:r:system_server:s0
tcontext=u:r:priv_app:s0 tclass=file permissive=1

Bug: 30675296
Test: build
Change-Id: I2cee8ce73a0dc05d771881c36da2fde5411859fb

5c41d40e

Merge "domain_deprecated is dead" am: f1b06df3 am: d22cbc8f · dd92ece4
Jeff Vander Stoep authored 7 years ago
```
am: 45074160

Change-Id: I0335754c8b2c93817d9447f4847cdedb111a6594
```
dd92ece4
Merge "domain_deprecated is dead" am: f1b06df3 · 45074160
Jeff Vander Stoep authored 7 years ago
```
am: d22cbc8f

Change-Id: I9ce4b77de5cb1e19428732824ae5ab528ac64a04
```
45074160
Merge "domain_deprecated is dead" · d22cbc8f
Jeff Vander Stoep authored 7 years ago
```
am: f1b06df3

Change-Id: I0d98e192600c94f983d7b0347715e2ba6a8b8dab
```
d22cbc8f
Merge "domain_deprecated is dead" · f1b06df3
Treehugger Robot authored 7 years ago

f1b06df3

domain_deprecated is dead · b5da252e

Jeff Vander Stoep authored 7 years ago

long live domain.te!

Remove all references.

Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a

b5da252e

Merge "Add missing comment from my previous merge in ." into... · d015ea75

Joel Galenson authored 7 years ago

Merge "Add missing comment from my previous merge in 47966cec." into stage-aosp-master am: 55f0ecb7
am: 05928953

Change-Id: Ia89eaaa654e9421f895e20916ebdec0099f30042

d015ea75

Merge "Add missing comment from my previous merge in 47966cec." into stage-aosp-master · 05928953
Joel Galenson authored 7 years ago
```
am: 55f0ecb7

Change-Id: I8d46aa5e2b38de80ef0cd0d8028c8b2d13809b15
```
05928953
Merge "Add missing comment from my previous merge in 47966cec ." into stage-aosp-master · 55f0ecb7
TreeHugger Robot authored 7 years ago

55f0ecb7

Add system_net_netd_hwservice. · 5aef6a94

Niranjan Pendharkar authored 7 years ago

This hidl service provides functionality for oem networking
configuration to vendor services which is required by
at least some vendor radio modules.

Test: VtsHalNetNetdV1_0TargetTest, netd_integration_test, netd_unit_test
Test: no denials
Bug: 36682246
Change-Id: I86ac9082166b406b2fc814972375ba737460ad7b

5aef6a94

Merge "Fix selinux denials during bugreport" am: bfbe96ac am: 4ebe609a · 6ae6fdbd
Tim Kryger authored 7 years ago
```
am: 770d5f7e

Change-Id: I8e04c8b85aa2e7d6c9f7bb545cfa6de0afdaa422
```
6ae6fdbd
Merge "Fix selinux denials during bugreport" am: bfbe96ac · 770d5f7e
Tim Kryger authored 7 years ago
```
am: 4ebe609a

Change-Id: I96a2b977bf125006e2453537670d1c3030872aee
```
770d5f7e
Merge "Fix selinux denials during bugreport" · 4ebe609a
Tim Kryger authored 7 years ago
```
am: bfbe96ac

Change-Id: I12a2ed20022edf9da528f0ab5941cc5df8e418ab
```
4ebe609a
Merge "Fix selinux denials during bugreport" · bfbe96ac
Tim Kryger authored 7 years ago

bfbe96ac
netd: relax binder neverallow rules for hwservices am: faaf86bc -s ours · 5720f54f
Jeff Vander Stoep authored 7 years ago
```
am: 7cb39b2b  -s ours

Change-Id: Ie6f611872338b24d7a3ceb1e47c1178e35ddf880
```
5720f54f
netd: relax binder neverallow rules for hwservices am: faaf86bc · 873724e0
Jeff Vander Stoep authored 7 years ago
```
am: 427a0c7b  -s ours

Change-Id: I0a169fa4aecf078f35b8f18144e6634ef5fa49de
```
873724e0
netd: relax binder neverallow rules for hwservices · 427a0c7b
Jeff Vander Stoep authored 7 years ago
```
am: faaf86bc

Change-Id: I546b7be93591d638ad82978aca5f4823e7b6ab93
```
427a0c7b
netd: relax binder neverallow rules for hwservices · 7cb39b2b
Jeff Vander Stoep authored 7 years ago
```
am: faaf86bc  -s ours

Change-Id: I6ac64581e0e879c4ad077eaab748ecf33dd3a73a
```
7cb39b2b

Jul 27, 2017

domain_deprecated: remove sysfs rules am: 275f6dd5 am: 8e589af6 · adf6e309
Jeff Vander Stoep authored 7 years ago
```
am: e934bee6

Change-Id: I9943ee2240a108031b10f7e5123a8b239ef872bf
```
adf6e309
domain_deprecated: remove sysfs rules am: 275f6dd5 · e934bee6
Jeff Vander Stoep authored 7 years ago
```
am: 8e589af6

Change-Id: I5d9f0e7908d62aa4a0c3e5d626ad40dd281c50b0
```
e934bee6
domain_deprecated: remove sysfs rules · 8e589af6
Jeff Vander Stoep authored 7 years ago
```
am: 275f6dd5

Change-Id: I02b2eb1a5bbd0cf3a4bbeffbe70e442ba4cf8ee6
```
8e589af6
Merge "netd: relax binder neverallow rules for hwservices" am: 4fc64f2f am: d7989e8b · 2562e322
Jeffrey Vander Stoep authored 7 years ago
```
am: e3ebb591

Change-Id: Ib9588de643e54cada696392b1957bd78325e857b
```
2562e322

Fix selinux denials during bugreport · b7e1f2dd

Tim Kryger authored 7 years ago

avc: denied { read } for pid=1704 comm="top" name="stat" dev="proc" ino=4026532297 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_stat:s0 tclass=file permissive=0
avc: denied { read } for pid=1636 comm="dumpstate" name="lcd-backlight" dev="sysfs" ino=16592 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=lnk_file permissive=0
avc: denied { call } for pid=2230 comm="dumpsys" scontext=u:r:dumpstate:s0 tcontext=u:r:installd:s0 tclass=binder permissive=0
avc: denied { create } for pid=1700 comm="ip" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_xfrm_socket permissive=0

Bug: 62410287
Bug: 35350306
Change-Id: I65be3678c64214ebeb544e0e155bce88b21adf02
Signed-off-by: Tim Kryger <tkryger@google.com>

b7e1f2dd

domain_deprecated: remove sysfs rules · 275f6dd5

Jeff Vander Stoep authored 7 years ago

Clean up the remaining granted permissions in domain_deprecated.

avc: granted { read open } for comm="uncrypt"
path="/sys/firmware/devicetree/base/firmware/android/fstab/compatible"
dev="sysfs" ino=17591 scontext=u:r:uncrypt:s0
tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { getattr } for comm="uncrypt"
path="/sys/firmware/devicetree/base/firmware/android/compatible"
dev="sysfs" ino=17583 scontext=u:r:uncrypt:s0
tcontext=u:object_r:sysfs:s0 tclass=file

vc: granted { read open } for comm="update_engine"
path="/sys/firmware/devicetree/base/firmware/android/fstab" dev="sysfs"
ino=17258 scontext=u:r:update_engine:s0 tcontext=u:object_r:sysfs:s0
tclass=dir
avc: granted { getattr } for comm="update_engine"
path="/sys/firmware/devicetree/base/firmware/android/fstab/compatible"
dev="sysfs" ino=17259 scontext=u:r:update_engine:s0
tcontext=u:object_r:sysfs:s0 tclass=file

Bug: 28760354
Test: build
Change-Id: Id318ce84894c1001361923f5205de093a15c1e6a

275f6dd5

Merge "netd: relax binder neverallow rules for hwservices" am: 4fc64f2f · e3ebb591
Jeffrey Vander Stoep authored 7 years ago
```
am: d7989e8b

Change-Id: I1e148607abab46b1733bfeafa3faef6e250ecc47
```
e3ebb591
Merge "netd: relax binder neverallow rules for hwservices" · d7989e8b
Jeffrey Vander Stoep authored 7 years ago
```
am: 4fc64f2f

Change-Id: I7dd6ea7bb5d767afb98a39e56214dd05d4585c93
```
d7989e8b
Merge "netd: relax binder neverallow rules for hwservices" · 4fc64f2f
Jeffrey Vander Stoep authored 7 years ago

4fc64f2f

resolve merge conflicts of to oc-dr1-dev-plus-aosp · 1dd3a55e

Joel Galenson authored 7 years ago

Test: I solemnly swear I tested this conflict resolution.

Merged-In: Ia28707ec565a0792bc882fbffe9e8ab9968535f5
Change-Id: Id19f3f30daa4bff64db75d8d4a48a8f077bfc75d

1dd3a55e

Add missing comment from my previous merge in 47966cec. · 87e51162
Joel Galenson authored 7 years ago
```
Test: Built.
Change-Id: Ia5f5b52e10e9411cd87901053675d9e77a622529
```
87e51162
resolve merge conflicts of 27c0aa7a to stage-aosp-master · f265ffe3
Joel Galenson authored 7 years ago
```
am: 47966cec

Change-Id: If294b49998475d4cdfb4435d720a494f10325ab8
```
f265ffe3

resolve merge conflicts of to stage-aosp-master · 47966cec

Joel Galenson authored 7 years ago

Test: I solemnly swear I tested this conflict resolution.

Merged-In: Ia28707ec565a0792bc882fbffe9e8ab9968535f5
Change-Id: I1f087fe5e7a71761a16673331619f52998473b44

47966cec

netd: relax binder neverallow rules for hwservices · faaf86bc

Jeff Vander Stoep authored 7 years ago

Relax neverallow rule restricting binder access to/from netd so that
netd can export hwbinder services to vendor components.

Continue to disallow app access to netd via binder.

Bug: 36682246
Test: build
Merged-In: I8e558ea1add6c36b966ec1da204062ea82df3f3f
Change-Id: I063df6dded94d8b0f5214b2c94c4f46bdafb03d7

faaf86bc

netd: relax binder neverallow rules for hwservices · 07c650eb

Jeff Vander Stoep authored 7 years ago

Relax neverallow rule restricting binder access to/from netd so that
netd can export hwbinder services to vendor components.

Continue to disallow app access to netd via binder.

Bug: 36682246
Test: build
Change-Id: I8e558ea1add6c36b966ec1da204062ea82df3f3f

07c650eb