Commits · 6cd70c2f00fb29d96515ef4baaec9c6fd539826b · Werner Sembach / AndroidSystemSEPolicy

Mar 07, 2018

Chenbo Feng authored 7 years ago

With the new patches backported to 4.9 kernels, the bpf file system now
take the same file open flag as bpf_obj_get. So system server now need
read permission only for both bpf map and fs_bpf since we do not need
system server to edit the map. Also, the netd will always pass stdin
stdout fd to the process forked by it and do allow it will cause the
fork and execev fail. We just allow it pass the fd to bpfloader for now
until we have a better option.

Test: bpfloader start successful on devices with 4.9 kernel.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
Bug: 74096311
Bug: 30950746

Change-Id: I747a51cb05ae495c155e7625a3021fc77f921e0d

6cd70c2f

Mar 02, 2018
- Add functionfs access to system_server. am: 1d401545 am: caf0139b · a6b8414b
  Jerry Zhang authored 7 years ago
  
  am: 66adf0cd Change-Id: I88a90ad2fc9243724e4ddb6f9da469857ffd115b
  a6b8414b
- Add functionfs access to system_server. am: 1d401545 · 66adf0cd
  Jerry Zhang authored 7 years ago
  
  am: caf0139b Change-Id: I874a41e0072352f5b8a0fc2b0080913c206520e1
  66adf0cd
- Add functionfs access to system_server. · caf0139b
  Jerry Zhang authored 7 years ago
  
  am: 1d401545 Change-Id: I7502e6ff1e45c12340b9f830bcc245fd2c80996e
  caf0139b
Mar 01, 2018

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · 4eb92dc1

Ryan Longair authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0 am: a401c9f9 am: 0bba3d44  -s ours am: a0fac585  -s ours
am: 8ded6f42  -s ours

Change-Id: I19963a23f98c60613a511eed2b2f8938317002f8

4eb92dc1

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · 8ded6f42

Ryan Longair authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0 am: a401c9f9 am: 0bba3d44  -s ours
am: a0fac585  -s ours

Change-Id: I37020b064e0ab86621c567120e362a39cb27ddc3

8ded6f42

Fix sepolicy-analyze makefile so it is included in STS builds am: b7602d76 · 7a23c8ba
Ryan Longair authored 7 years ago
```
am: 1ee556ed  -s ours

Change-Id: I3cc14d0b4d61136651c89671d2b134a86fc9450f
```
7a23c8ba

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · a0fac585

Ryan Longair authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0 am: a401c9f9
am: 0bba3d44  -s ours

Change-Id: I7d9dfa298bc3f7f278284a09b5c47bd2d1c95e1d

a0fac585

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · 0bba3d44

Ryan Longair authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0
am: a401c9f9

Change-Id: I37ef9b2b0ca3ea3012324a13592d60b70645bb8e

0bba3d44

Fix sepolicy-analyze makefile so it is included in STS builds · 1ee556ed
Ryan Longair authored 7 years ago
```
am: b7602d76

Change-Id: Ic731e6165c89f205bce4c96fbf760454550acd81
```
1ee556ed

Add functionfs access to system_server. · 1d401545

Jerry Zhang authored 7 years ago

UsbDeviceManager in system_server now
helps set up the endpoint files.

Bug: 72877174
Test: No selinux denials
Change-Id: I96b11ee68799ac29b756d2034e7f5e4660dbed98

1d401545

Fix sepolicy-analyze makefile so it is included in STS builds · b7602d76

Ryan Longair authored 7 years ago

Bug:74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Merged-In: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b
Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b

b7602d76

Fix sepolicy-analyze makefile so it is included in STS builds · 50fec5f8

Ryan Longair authored 7 years ago

Bug:74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b

50fec5f8

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · a401c9f9

Android Build Merger (Role) authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0

Change-Id: I8b2fd267b39b579bf34f23822698cda23c31e77e

a401c9f9

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · ac6dcce0

Android Build Merger (Role) authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e

Change-Id: Ic7c0f37773c22bd11e9b48e07bc46766d053da58

ac6dcce0

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · 89455f2e

Android Build Merger (Role) authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb

Change-Id: Id65e91d0c3bdced074a6aa99902fcdfc0d97628c

89455f2e

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · e9a260bb

Android Build Merger (Role) authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d

Change-Id: I5ae440fe30e214250bf66ea023104ab383700a54

e9a260bb

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 · fa412d2d
Android Build Merger (Role) authored 7 years ago
```
Change-Id: I9a4944f131547c11329167bc327c0de2c08e1f20
```
fa412d2d

Fix sepolicy-analyze makefile so it is included in STS builds · 7dab0f94

Ryan Longair authored 7 years ago

Bug:74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Merged-In: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b
Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b

7dab0f94

Allow hal_vibrator access to sysfs_vibrator files. am: 17d008ae am: 324e6ef5 · f2a23efc
Alan Stokes authored 7 years ago
```
am: 0d12c356

Change-Id: I245c2914f51f317758148123dc1368c326f562f1
```
f2a23efc
Allow hal_vibrator access to sysfs_vibrator files. am: 17d008ae · 0d12c356
Alan Stokes authored 7 years ago
```
am: 324e6ef5

Change-Id: I6ed15ce344d61eab4d81928b09020d7fb0fb757a
```
0d12c356
Allow hal_vibrator access to sysfs_vibrator files. · 324e6ef5
Alan Stokes authored 7 years ago
```
am: 17d008ae

Change-Id: Ib6305067a4f3bf30df918c63a049b7d689f9c255
```
324e6ef5

Allow hal_vibrator access to sysfs_vibrator files. · 17d008ae

Alan Stokes authored 7 years ago

We already grant rw file access, but without dir search it's not much
use.

denied { search } for name="vibrator" dev="sysfs" ino=49606 scontext=u:r:hal_vibrator_default:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=dir permissive=0

Bug: 72643420
Test: Builds, denial gone
Change-Id: I3513c0a14f0ac1e60517009046e2654f1fc45c66

17d008ae

Add shell:fifo_file permission for cameraserver am: a6acef9a am: 42756b76 · f32e00e0
huans authored 7 years ago
```
am: 50830871

Change-Id: I23c9f800c4faab0d03a9d239bbb2d0a61b6263ab
```
f32e00e0
Add shell:fifo_file permission for cameraserver am: a6acef9a · 50830871
huans authored 7 years ago
```
am: 42756b76

Change-Id: Ia8e879b894c75a28461bd90e86888703c20a604a
```
50830871
Add shell:fifo_file permission for cameraserver · 42756b76
huans authored 7 years ago
```
am: a6acef9a

Change-Id: I4a6816ae90ced3afb04f8d40afb2267f3a2994cf
```
42756b76

Add shell:fifo_file permission for cameraserver · a6acef9a

huans authored 7 years ago

Bug: 73952536
Test: run cts -m CtsCameraTestCases -t android.hardware.camera2.cts.IdleUidTest#testCameraAccessBecomingInactiveUid
Change-Id: I508352671367dfa106e80108c3a5c0255b5273b2

a6acef9a

Feb 28, 2018
- Merge "kernel: exempt from vendor_file restrictions" am: 609aa6b8 am: 7a22490c · cb33022b
  Jeff Vander Stoep authored 7 years ago
  
  am: 426f78ca Change-Id: I4f1983feed32c668d723932c61a6f51692c61f53
  cb33022b
- Merge "kernel: exempt from vendor_file restrictions" am: 609aa6b8 · 426f78ca
  Jeff Vander Stoep authored 7 years ago
  
  am: 7a22490c Change-Id: I3e6731b04314f9c54c016c1c7584242cdd12e75f
  426f78ca
- Merge "kernel: exempt from vendor_file restrictions" · 7a22490c
  Jeff Vander Stoep authored 7 years ago
  
  am: 609aa6b8 Change-Id: I261753961c59527061254f0b1c7adca50a7c2bce
  7a22490c
- Merge "kernel: exempt from vendor_file restrictions" · 609aa6b8
  Treehugger Robot authored 7 years ago
  
  609aa6b8
- Merge "system_server: grant read access to vendor/framework" am: 5b1c3b69 am: d69acbbf · a5b5ab26
  Jeff Vander Stoep authored 7 years ago
  
  am: e39ba338 Change-Id: I56e9182157c8de6c3135ae8a33962bca46c405dd
  a5b5ab26
- Merge "system_server: grant read access to vendor/framework" am: 5b1c3b69 · e39ba338
  Jeff Vander Stoep authored 7 years ago
  
  am: d69acbbf Change-Id: Id2e01070d5669362b78f4adc865c4ff358711e60
  e39ba338
- audio: Enable vndbinder use from hal_audio am: ebc7b434 am: 5d3e4f0c · a9d3fd90
  Haynes Mathew George authored 7 years ago
  
  am: 142bb78c Change-Id: I1e721f2bfb59d2510769b7ddae9c22d5c8ae7dba
  a9d3fd90
- Merge "system_server: grant read access to vendor/framework" · d69acbbf
  Jeff Vander Stoep authored 7 years ago
  
  am: 5b1c3b69 Change-Id: I8808fd94c8130a551803b2ed184c325d3dad86cb
  d69acbbf
- audio: Enable vndbinder use from hal_audio am: ebc7b434 · 142bb78c
  Haynes Mathew George authored 7 years ago
  
  am: 5d3e4f0c Change-Id: I56412b40f7f306ac32b588aba8de9a48a4f16c00
  142bb78c
- audio: Enable vndbinder use from hal_audio · 5d3e4f0c
  Haynes Mathew George authored 7 years ago
  
  am: ebc7b434 Change-Id: If7f94440e35ad5a009ac6fa9d1cda3cb4fc17825
  5d3e4f0c
- Merge "system_server: grant read access to vendor/framework" · 5b1c3b69
  Treehugger Robot authored 7 years ago
  
  5b1c3b69
- kernel: exempt from vendor_file restrictions · 1242c940
  Jeff Vander Stoep authored 7 years ago
  
  The kernel is unusual in that it's both a core process, but vendor provided. Exempt it from the restriction against accessing files from on /vendor. Also, rework the neverallow rule so that it disallows opening/modifying files, but allows reading files passed over IPC. Bug: 68213100 Test: build (this is a build-time test) Change-Id: I2f6b2698ec45d2e8480dc1de47bf12b9b53c4446
  1242c940
- system_server: grant read access to vendor/framework · 9e33565c
  Jeff Vander Stoep authored 7 years ago
  
  avc: denied { getattr } for path="/vendor/framework" scontext=u:r:system_server:s0 tcontext=u:object_r:vendor_framework_file:s0 tclass=dir Bug: 68826235 Test: boot Taimen, verify denials no longer occur. Change-Id: Id4b311fd423342c8d6399c3b724417aff9d1cd88
  9e33565c