- Feb 06, 2017
-
-
Stephen Smalley authoredam: 8a003607 Change-Id: Ifdce40a385442a85f69d7e477c95ab540457f54b
-
Abodunrinwa Toki authored
am: 5470aefb Change-Id: I9d0adb605c5b38990f77ac21acb16ecc547fe433
-
-
Stephen Smalley authored
Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f (selinux: distinguish non-init user namespace capability checks) introduced support for distinguishing capability checks against a target associated with the init user namespace versus capability checks against a target associated with a non-init user namespace by defining and using separate security classes for the latter. This support is needed on Linux to support e.g. Chrome usage of user namespaces for the Chrome sandbox without needing to allow Chrome to also exercise capabilities on targets in the init user namespace. Define the new security classes and access vectors for the Android policy. Refactor the original capability and capability2 access vector definitions as common declarations to allow reuse by the new cap_userns and cap2_userns classes. This change does not allow use of the new classes by any domain; that is deferred to future changes as needed if/when Android enables user namespaces and the Android version of Chrome starts using them. The kernel support went upstream in Linux 4.7. Based on the corresponding refpolicy patch by Chris PeBenito, but reworked for the Android policy. Test: policy builds Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov> -
Abodunrinwa Toki authored
-
-
-
Josh Gao authored
* changes: crash_dump: dontaudit CAP_SYS_PTRACE denial. crash_dump: don't allow CAP_SYS_PTRACE or CAP_KILL.
-
Chad Brubaker authored
am: 46e5a060 Change-Id: Id2ccc41a74a8465e6fc33429c13ca22253a53f12
-
Chad Brubaker authored
am: 4c40d734 Change-Id: I680e736766d371f6ac631cae26d11d85dc896e8f
-
Chad Brubaker authored
The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
-
Chad Brubaker authored
The rules for the two types were the same and /data/app-ephemeral is being removed. Remove these types. Test: Builds Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28
-
- Feb 04, 2017
-
-
Abodunrinwa Toki authored
Bug: 34781862 Test: none Change-Id: Ie628dca592a68ed67a68dda2f3d3e0516e995c80
-
- Feb 03, 2017
-
-
-
Treehugger Robot authored
-
Tianjie Xu authored
am: 254ce3fb Change-Id: I5108f9113b5511fcda6331b5af860efcc7f8baba
-
Tianjie Xu authored
-
Max Bires authored
Test: Device boots Change-Id: I2fb0a03c9ed84710dc2db7b170c572a2eae45412
-
Tianjie Xu authored
Update_verifier will read dm-wrapped system/vendor partition. Therefore, change the sepolicy accordingly. Here's the denied message: update_verifier: type=1400 audit(0.0:131): avc: denied { read } for name="dm-0" dev="tmpfs" ino=15493 scontext=u:r:update_verifier:s0 tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0 Bug: 34391662 Test: Read of /dev/block/dm-0 succeeds during boot time. Change-Id: I23325bd92f6e28e9b1d62a0f2348837cece983d1
-
- Feb 02, 2017
-
-
Jiyong Park authored
am: 9eff8526 Change-Id: I84fa34a4ec67329f5225208c2e223f8bd99ebde3
-
Jiyong Park authored
-
Eugene Susla authored
am: b598b47f Change-Id: I847241832a67346a58d2b6e1e4c53d57b7297be0
-
Eugene Susla authored
-
Jiyong Park authored
This change adds selinux policy for configstore@1.0 hal. Currently, only surfaceflinger has access to the HAL, but need to be widen. Bug: 34314793 Test: build & run Merged-In: I40e65032e9898ab5f412bfdb7745b43136d8e964 Change-Id: I40e65032e9898ab5f412bfdb7745b43136d8e964 (cherry picked from commit 5ff0f178)
-
-
Josh Gao authored
Bug: http://b/34853272 Test: debuggerd -b `pidof zygote` Change-Id: I0b18117754e77cfa94cf0b95aff32edb578b1a95
-
Josh Gao authored
Bug: http://b/34853272 Test: debuggerd -b `pidof system_server` Change-Id: I4c08efb9dfcc8610143f722ae0674578a2ed6869
-
- Feb 01, 2017
-
-
Max Bires authored
There are many character files that are unreachable to all processes under selinux policies. Ueventd and init were the only two domains that had access to these generic character files, but auditing proved there was no use for that access. In light of this, access is being completely revoked so that the device nodes can be removed, and a neverallow is being audited to prevent future regressions. Test: The device boots Bug: 33347297 Change-Id: If050693e5e5a65533f3d909382e40f9c6b85f61c
-
Mark Salyzyn authored
am: 542a4626 Change-Id: I169dbd05d71939e6a337e20a131caa7cbad3a977
-
Mark Salyzyn authored
-
Eugene Susla authored
Required for I0aeb653afd65e4adead13ea9c7248ec20971b04a Test: Together with I0aeb653afd65e4adead13ea9c7248ec20971b04a, ensure that the system service works Bug: b/30932767 Change-Id: I994b1c74763c073e95d84222e29bfff5483c6a07
-
Calin Juravle authored
am: 01ee59a7 Change-Id: I2d5889cd3faf16957ed329234ffd7b3bc6504203
-
- Jan 31, 2017
-
-
Calin Juravle authored
Since it was introduced it caused quite a few issues and it spams the SElinux logs unnecessary. The end goal of the audit was to whitelist the access to the interpreter. However that's unfeasible for now given the complexity. Test: devices boots and everything works as expected no more auditallow logs Bug: 29795519 Bug: 32871170 Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6 -
Alex Klyubin authored
am: 9e90f83e Change-Id: Idf1178328847bf597005c66c7652e4bda25c3bdd
-
Alex Klyubin authored
-
Mark Salyzyn authored
am: d33a9a19 Change-Id: I8f95628067641e773623603681f226dab4939f2a
-
Mark Salyzyn authored
The event log tag service uses /dev/event-log-tags, pstore and /data/misc/logd/event-log-tags as sticky storage for the invented log tags. Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 31456426 Change-Id: Iacc8f36f4a716d4da8dca78a4a54600ad2a288dd
-
Mark Salyzyn authored
Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
-
Alex Klyubin authored
Default HAL implementations are built from the platform tree and get placed into the vendor image. The SELinux rules needed for these HAL implementations to operate thus need to reside on the vendor partition. Up to now, the only place to define such rules in the source tree was the system/sepolicy/public directory. These rules are placed into the vendor partition. Unfortunately, they are also placed into the system/root partition, which thus unnecessarily grants these rules to all HAL implementations of the specified service, default/in-process shims or not. This commit adds a new directory, system/sepolicy/vendor, whose rules are concatenated with the device-specific rules at build time. These rules are thus placed into the vendor partition and are not placed into the system/root partition. Test: No change to SELinux policy. Test: Rules placed into vendor directory end up in nonplat* artefacts, but not in plat* artefacts. Bug: 34715716 Change-Id: Iab14aa7a3311ed6d53afff673e5d112428941f1c -
-