Commits · 64cad7bb94d7f3cb5b0049e1e1e2affc504cb26d · Werner Sembach / AndroidSystemSEPolicy

Jul 11, 2017
- resolve merge conflicts of 72b26547 to stage-aosp-master am: 7f2fb741 am: feb28130 · 64cad7bb
  Jeff Vander Stoep authored 7 years ago
  
  am: 366be191 -s ours Change-Id: I1ed0ac5e1836c3f995f13082e5f144e8dc477d03
  64cad7bb
- resolve merge conflicts of 72b26547 to stage-aosp-master am: 7f2fb741 · 366be191
  Jeff Vander Stoep authored 7 years ago
  
  am: feb28130 Change-Id: I8f436b73a2ce7ffca91c192df35c827447253de3
  366be191
- resolve merge conflicts of 72b26547 to stage-aosp-master · feb28130
  Jeff Vander Stoep authored 7 years ago
  
  am: 7f2fb741 Change-Id: I38c91b9f3fc127313918bbd74199013ae7910f2b
  feb28130
- resolve merge conflicts of 72b26547 to stage-aosp-master · 7f2fb741
  Jeff Vander Stoep authored 7 years ago
  
  Test: build Change-Id: Ibb899aa88878f5fc3ade9df0208a8026f2a57b11
  7f2fb741
Jul 10, 2017

Merge "Make sure platform policy builds with compatible versions." · f62baff1
TreeHugger Robot authored 7 years ago

f62baff1
domain_deprecated: remove cache access am: 790f4c7e am: 3ca77476 am: 664743bd · 2cf2e5f3
Jeff Vander Stoep authored 7 years ago
```
am: 0ba84942  -s ours

Change-Id: Ie42095397a6173d0d0ce91c007bfe3298f64bbfe
```
2cf2e5f3
domain_deprecated: remove cache access am: 790f4c7e am: 3ca77476 · 0ba84942
Jeff Vander Stoep authored 7 years ago
```
am: 664743bd

Change-Id: I0f802840891ff66eb74aeaed602f791412d07ffb
```
0ba84942
domain_deprecated: remove cache access am: 790f4c7e · 664743bd
Jeff Vander Stoep authored 7 years ago
```
am: 3ca77476

Change-Id: Ie9ebd530b380bd61fd62bb3cab171f0f7e27156e
```
664743bd
domain_deprecated: remove cache access · 3ca77476
Jeff Vander Stoep authored 7 years ago
```
am: 790f4c7e

Change-Id: I0dcc870c1280baf37e03b66b244e2ff046fad35d
```
3ca77476

domain_deprecated: remove cgroup access · 72b26547

Logs indicate that all processes that require read access
have already been granted it.

Bug: 28760354
Test: build policy
Merged-In: I5826c45f54af32e3d4296df904c8523bb5df5e62
Change-Id: I5826c45f54af32e3d4296df904c8523bb5df5e62

72b26547

domain_deprecated: remove cache access · 790f4c7e

Jeff Vander Stoep authored 7 years ago

Address the "granted" permissions observed in the logs including:

tcontext=uncrypt
avc: granted { search } for comm="uncrypt" name="/" dev="mmcblk0p40"
ino=2 scontext=u:r:uncrypt:s0 tcontext=u:object_r:cache_file:s0
tclass=dir

tcontext=install_recovery
avc: granted { search } for comm="applypatch" name="saved.file"
scontext=u:r:install_recovery:s0 tcontext=u:object_r:cache_file:s0
tclass=dir
avc: granted { read } for comm="applypatch" name="saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file
avc: granted { getattr } for comm="applypatch" path="/cache/saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file

tcontext=update_engine
avc: granted { search } for comm="update_engine" name="cache"
dev="sda35" ino=1409025 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0 tclass=dir"
avc: granted { read } for comm="update_engine" name="update.zip"
dev="sda35" ino=1409037 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0:c512,c768 tclass=file
avc: granted { read } for comm="update_engine" name="cache" dev="dm-0"
ino=16 scontext=u:r:update_engine:s0 tcontext=u:object_r:cache_file:s0
tclass=lnk_file

Bug: 28760354
Test: build policy.
Merged-In: Ia13fe47268df904bd4f815c429a0acac961aed1e
Change-Id: Ia13fe47268df904bd4f815c429a0acac961aed1e

790f4c7e

Make sure platform policy builds with compatible versions. · b04df6e3

Dan Cashman authored 7 years ago

Platform SELinux policy may be updated without a corresponding
update to non-platform policy.  This is meant to be accomplished by
maintaining a compatibility mapping file which will be built along
with the current platform policy to link older non-platform policy.

Introduce an example vendor policy built from 26.0 public policy and
make sure that the current platform policy and mapping file, for that
version, build with it.  Add this as a dependency for the
selinux_treble_tests, which are meant to ensure treble properties,
ultimately to provide this compatibility guarantee.

Bug: 36899958
Test: Current platform policy builds with oc-dev vendor policy and
oc-dev mapping file.  Removed private type with no effect.  Removed
public type without corresponding mapping entry causes build to fail.

Change-Id: I7994ed651352e2da632fc91e598f819b64c05753

b04df6e3

Merge "domain_deprecated: remove cgroup access" · 90a27de1
TreeHugger Robot authored 7 years ago

90a27de1
Merge "domain_deprecated: remove cache access" · bb114374
TreeHugger Robot authored 7 years ago

bb114374
domain_deprecated: remove access to /proc/meminfo am: 3e5bb807 am: 5fbb120b am: f9da0cba · 4a0e44d3
Jeff Vander Stoep authored 7 years ago
```
am: 7add3d05  -s ours

Change-Id: I1fe69ed4c6d15720a2f64bc81a4d40b3d9582853
```
4a0e44d3
Merge "Update 26.0 prebuilts." · e3aab4c8
TreeHugger Robot authored 7 years ago

e3aab4c8
domain_deprecated: remove access to /proc/meminfo am: 3e5bb807 am: 5fbb120b · 7add3d05
Jeff Vander Stoep authored 7 years ago
```
am: f9da0cba

Change-Id: I18e469059df1e8704f6358a12b012932a39303cd
```
7add3d05
Merge "Split mediaprovider from priv_app." · eea658fd
TreeHugger Robot authored 7 years ago

eea658fd
domain_deprecated: remove access to /proc/meminfo am: 3e5bb807 · f9da0cba
Jeff Vander Stoep authored 7 years ago
```
am: 5fbb120b

Change-Id: Idf655a43a2258b56f8c8b1282dd6c430d7771cf6
```
f9da0cba
domain_deprecated: remove access to /proc/meminfo · 5fbb120b
Jeff Vander Stoep authored 7 years ago
```
am: 3e5bb807

Change-Id: I01f99884b0f8b06fa4938a606345c33918d8b295
```
5fbb120b

Split mediaprovider from priv_app. · 5637587d

Dan Cashman authored 7 years ago

This CL was accidentally reverted a second time by commit:
cb5129f9.  Submit it for the third,
and final, time.

Bug: 62102757
Test: Builds and boots.

5637587d

domain_deprecated: remove cgroup access · caca97a5

Jeff Vander Stoep authored 7 years ago

Logs indicate that all processes that require read access
have already been granted it.

Bug: 28760354
Test: build policy
Change-Id: I5826c45f54af32e3d4296df904c8523bb5df5e62
(cherry picked from commit 7fc2b564ce2af2b5f27739a2d9bbb535814fc89e)

caca97a5

domain_deprecated: remove cache access · 1c54ec45

Jeff Vander Stoep authored 7 years ago

Address the "granted" permissions observed in the logs including:

tcontext=uncrypt
avc: granted { search } for comm="uncrypt" name="/" dev="mmcblk0p40"
ino=2 scontext=u:r:uncrypt:s0 tcontext=u:object_r:cache_file:s0
tclass=dir

tcontext=install_recovery
avc: granted { search } for comm="applypatch" name="saved.file"
scontext=u:r:install_recovery:s0 tcontext=u:object_r:cache_file:s0
tclass=dir
avc: granted { read } for comm="applypatch" name="saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file
avc: granted { getattr } for comm="applypatch" path="/cache/saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file

tcontext=update_engine
avc: granted { search } for comm="update_engine" name="cache"
dev="sda35" ino=1409025 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0 tclass=dir"
avc: granted { read } for comm="update_engine" name="update.zip"
dev="sda35" ino=1409037 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0:c512,c768 tclass=file
avc: granted { read } for comm="update_engine" name="cache" dev="dm-0"
ino=16 scontext=u:r:update_engine:s0 tcontext=u:object_r:cache_file:s0
tclass=lnk_file

Bug: 28760354
Test: build policy.

Change-Id: Ia13fe47268df904bd4f815c429a0acac961aed1e
(cherry picked from commit 5fd60597d7d04c1861e7d8f3938384efb0384386)

1c54ec45

domain_deprecated: remove access to /proc/meminfo · d017316f

Jeff Vander Stoep authored 7 years ago

Logs indicate that all processes that require access already have it.

Bug: 28760354
Test: build
Change-Id: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8
(cherry picked from commit 3e5bb807)

d017316f

domain_deprecated: remove access to /proc/meminfo · 3e5bb807

Jeff Vander Stoep authored 7 years ago

Logs indicate that all processes that require access already have it.

Bug: 28760354
Test: build
Merged-In: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8
Change-Id: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8

3e5bb807

dumpstate: remove domain_deprecated attribute am: 90ae4f6b am: 77285737 am: d5d98a4d · 278146f2
Jeff Vander Stoep authored 7 years ago
```
am: fcfeb3e0

Change-Id: Ib50c35e368764f7acb87e23c1a0091ad7eeb1fd4
```
278146f2
Remove dumpstate selinux spam from logs am: f4ce8f6c am: 4e6f67fb am: 55efefc3 · 9473980a
Jeff Vander Stoep authored 7 years ago
```
am: e0e2b35b

Change-Id: I607a7bddad8d3d02b9df3d5a4fb826a716a1a967
```
9473980a
dumpstate: remove domain_deprecated attribute am: 90ae4f6b am: 77285737 · fcfeb3e0
Jeff Vander Stoep authored 7 years ago
```
am: d5d98a4d

Change-Id: I1dbcbcbb940fdcf94e2634f43d933c91bb13ce41
```
fcfeb3e0
Remove dumpstate selinux spam from logs am: f4ce8f6c am: 4e6f67fb · e0e2b35b
Jeff Vander Stoep authored 7 years ago
```
am: 55efefc3

Change-Id: Ib67a9685e41019a290c903dc5b733d405ddddf61
```
e0e2b35b
dumpstate: remove domain_deprecated attribute am: 90ae4f6b · d5d98a4d
Jeff Vander Stoep authored 7 years ago
```
am: 77285737

Change-Id: I19c2b7107293fbe903cd6601f36b85aa3d099f80
```
d5d98a4d
Remove dumpstate selinux spam from logs am: f4ce8f6c · 55efefc3
Jeff Vander Stoep authored 7 years ago
```
am: 4e6f67fb

Change-Id: Ia3fe7f33ca0dc2f18040d3128ce84f0878fc8d63
```
55efefc3
dumpstate: remove domain_deprecated attribute · 77285737
Jeff Vander Stoep authored 7 years ago
```
am: 90ae4f6b

Change-Id: Ia793ed369cc05c123fb013fd10e8b19f006d92ff
```
77285737
Remove dumpstate selinux spam from logs · 4e6f67fb
Jeff Vander Stoep authored 7 years ago
```
am: f4ce8f6c

Change-Id: Ie0bc01a5b8acc6b79a3a31d5807f46f1e1df8c6c
```
4e6f67fb

dumpstate: remove domain_deprecated attribute · 90ae4f6b

Jeff Vander Stoep authored 7 years ago

Clean up "granted" logspam. Grant the observered audited permissions
including:

tcontext=cache_file
avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9"
ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0
tclass=dir
avc: granted { search } for comm="Binder:8559_2" name="cache"
dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0
tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0"
ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0
tclass=lnk_file

tcontext=proc
avc: granted { getattr } for comm="Binder:14529_2"
path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0
tclass=file
avc: granted { read } for comm="Binder:22671_2" name="cmdline"
dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for comm="dumpstate"
path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0
tclass=file

tcontext=sysfs
avc: granted { read open } for comm="Binder:14459_2"
path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read open } for comm="Binder:21377_2"
path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1"
dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0
tcontext=u:object_r:sysfs:s0 tclass=dir
avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file

tcontext=proc_meminfo
avc: granted { read } for comm="top" name="meminfo" dev="proc"
ino=4026532106 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_meminfo:s0 tclass=file
avc: granted { read open } for comm="top" path="/proc/meminfo"
dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_meminfo:s0 tclass=file

tcontext=rootfs
avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2
scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs"
ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0
tclass=lnk_file

tcontext=selinuxfs
avc: granted { getattr } for comm="df" path="/sys/fs/selinux"
dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0
tcontext=u:object_r:selinuxfs:s0 tclass=dir

tcontext=system_file
avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw"
dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:system_file:s0 tclass=dir

tcontext=system_data_file
avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables"
dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0
tcontext=u:object_r:system_data_file:s0 tclass=file
avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables"
scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0
tclass=file

Bug: 28760354
Test: Build policy
Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263

90ae4f6b

Remove dumpstate selinux spam from logs · f4ce8f6c

Jeff Vander Stoep authored 7 years ago

Addresses:
avc: granted { read } for name="pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/sys/fs/pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file

Test: build policy
Change-Id: I7d8721c73c4f3c51b3885a97c697510e61d1221b
(cherry picked from commit f44002b3)

f4ce8f6c

Jul 07, 2017

Record hal_tetheroffload_service for compatibility. · 4d9f41d7

Dan Cashman authored 7 years ago

Commit: e58a8de5 added a new type
which has no analogue in 26.0.  Record it as such.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I6b6d2aa64e0ac2c39c8d0427d333e6c7fc2b0bb1

4d9f41d7

Record memcg_device type for compat. · d0900526

Dan Cashman authored 7 years ago

Commit: 86cb5215 gave /dev/memcg a
new label, but also explicitly prohibited access to vendor domains.
Add the type to the 'new types' and don't map it to any other type
for backwards compatibility.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I8902716830b162ead69834544ace9e02a94c65b4

d0900526

Record new broadcast_service type. · 255a4a72

Dan Cashman authored 7 years ago

Commit: 38f0928f added a type for a
new system service.  This service did not exist previously, so mark
the type as not needing any compat entry.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I52d8e144c614b27f5c52fa99be6cfac87159bbcd

255a4a72

Record new cas hwservice type. · 629c58b2

Dan Cashman authored 7 years ago

Commit: 78e595de added a new hwservice,
which replaced a previous system service.  This effectively means we are
deleting one object and creating a new one, so no compatibility mapping
should be necessary since previous vendor processes trying to access the
service will not be able to find it now independent of policy.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I6882d968dccb55561379e940f6ecb62902bb1659

629c58b2

Update 26.0 prebuilts. · 30a29946

Dan Cashman authored 7 years ago

Bug: 37896931
Test: none, just update prebuilt.
Change-Id: Id940d1c2bc46deab1eb49bacebbb41069e2034e4

30a29946