Commits · 6fdedf5fc052dcb8e02d71d60e3f84761d7b84b3 · Werner Sembach / AndroidSystemSEPolicy

Apr 16, 2017
- Merge "Remove mediacodec from binder violators." into oc-dev am: f69d535c · 6fdedf5f
  Martijn Coenen authored 7 years ago
  
  am: b76c352e Change-Id: Ifc70c644ac582f2b3fb65a8f44a893e6626ee01f
  6fdedf5f
- Merge "Add vendor_executes_system_violators attribute" into oc-dev am: 80cab7de · 52b73858
  Sandeep Patil authored 7 years ago
  
  am: 7eac10c7 Change-Id: Idfebcf45797a9feed9fb529a104d0b7e40e5ec28
  52b73858
- Merge "Remove mediacodec from binder violators." into oc-dev · b76c352e
  Martijn Coenen authored 7 years ago
  
  am: f69d535c Change-Id: I19a518a9f84d17fdd7d3f7b8613d85785948187f
  b76c352e
- Merge "Remove mediacodec from binder violators." into oc-dev · f69d535c
  TreeHugger Robot authored 7 years ago
  
  f69d535c
- Merge "Add vendor_executes_system_violators attribute" into oc-dev · 7eac10c7
  Sandeep Patil authored 7 years ago
  
  am: 80cab7de Change-Id: Iba1cf44b3e7c965b8ea7033b80a25393730512e9
  7eac10c7
- Merge "Add vendor_executes_system_violators attribute" into oc-dev · 80cab7de
  TreeHugger Robot authored 7 years ago
  
  80cab7de
- Remove mediacodec from binder violators. · fc80f480
  Martijn Coenen authored 7 years ago
  
  The new binder_call() lines had to be added because this change removes mediacodec from binderservicedomain (on full-treble), hence domains that could previously reach mediacodec with binder_call(domain, binderservicedomain) now need explicit calls instead. Test: Youtube, Netflix, Maps, Chrome, Music Change-Id: I3325ce20d9304bc07659fd435554cbcbacbc9829
  fc80f480
- label hal_wifi_offload to be vendor type · 66e27bf5
  Sandeep Patil authored 7 years ago
  
  Bug: 36463595 Test: make -j48 sepolicy Change-Id: Id8e66e3e08ceb1301c36824af93410aa84def8d3 Signed-off-by: Sandeep Patil <sspatil@google.com>
  66e27bf5
- Merge "Allow mediacodec access to sync fences." into oc-dev am: e506cda3 · 627f286d
  Martijn Coenen authored 7 years ago
  
  am: 6cc5334a Change-Id: Ic465169a0ac0c04a2114a4268caae3b82a7b6706
  627f286d
- Merge "Allow mediacodec access to sync fences." into oc-dev · 6cc5334a
  Martijn Coenen authored 7 years ago
  
  am: e506cda3 Change-Id: I9df35ecb00db0ed5d3a1430e64056e09579ab0a5
  6cc5334a
- Merge "Allow mediacodec access to sync fences." into oc-dev · e506cda3
  Martijn Coenen authored 7 years ago
  
  e506cda3
Apr 15, 2017

Merge "add netutils_wrappers" into oc-dev am: acb66317 · 2ad88481
Sandeep Patil authored 7 years ago
```
am: 6a4b6c68

Change-Id: Ie9c93a313215652d22fa2bc93aeb2a468916e008
```
2ad88481
Merge "add netutils_wrappers" into oc-dev · 6a4b6c68
Sandeep Patil authored 7 years ago
```
am: acb66317

Change-Id: Ib10b8c031066507b72361e302204646d3c9f9814
```
6a4b6c68
Merge "add netutils_wrappers" into oc-dev · acb66317
TreeHugger Robot authored 7 years ago

acb66317
Allow mediacodec access to sync fences. · b4d701bf
Martijn Coenen authored 7 years ago
```
Test: WIP
Change-Id: I678b0d0e9750b25628b86060574fd516d3749cdf
```
b4d701bf
secilc: expand generated attributes on non-treble devices am: 748cae86 · 33070fb9
Jeff Vander Stoep authored 7 years ago
```
am: 405e7283

Change-Id: I6045f5edf0ef32d3001eb76a8437a2b92790cca3
```
33070fb9
secilc: expand generated attributes on non-treble devices · 405e7283
Jeff Vander Stoep authored 7 years ago
```
am: 748cae86

Change-Id: Ia9c8f25a66ba8cf8528e80b3ce4c151f10574a6d
```
405e7283

Add vendor_executes_system_violators attribute · b99676ee

Sandeep Patil authored 7 years ago


Temporary attribute (checked against in CTS) to point out vendor
processes that run /system executables. These are currently only down to
2-3 of them that are related to telephony on sailfish

Bug: 36463595
Test: Build succeeds for sailfish
Test: ./cts-tradefed run cts -m CtsSecurityHostTestCases -t \
          android.security.cts.SELinuxHostTest#testNoExemptionsForVendorExecutingCore \
          --skip-device-info --skip-preconditions --skip-connectivity-check \
          --abi arm64-v8a

Change-Id: I9eb40ad259aefba73869d6a1b40186d33fa475dd
Signed-off-by: Sandeep Patil <sspatil@google.com>

b99676ee

add netutils_wrappers · c6d89024

Sandeep Patil authored 7 years ago


Bug: 36463595
Test: Boot sailfish, make wifi call, internet over data and wifi

Change-Id: I81259b6412d7197725afe2fe4976aa0a03b8df6e
Signed-off-by: Sandeep Patil <sspatil@google.com>

c6d89024

secilc: expand generated attributes on non-treble devices · 748cae86

Jeff Vander Stoep authored 7 years ago

Attributes added to the policy by the policy compiler are causing
performance issues. Telling the compiler to expand these
auto-generated attributes to their underlying types prevents
preemtion during policy lookup.

Bug: 3650825
Test: Build and boot Bullhead
Change-Id: I9a33f5efb1e7c25d83dda1ea5dfe663b22846a2f

748cae86

Give apps, cameraserver, and system_server access to sync fences. am: de2e79c5 · 34f00ee2
Martijn Coenen authored 7 years ago
```
am: d6ceae5a

Change-Id: I03753dbba73acf23e557e8abdebbd45df310a9fe
```
34f00ee2
Give apps, cameraserver, and system_server access to sync fences. · d6ceae5a
Martijn Coenen authored 7 years ago
```
am: de2e79c5

Change-Id: Icc632129142cba968ca05206690adfef445f62c7
```
d6ceae5a

Merge "Allow recovery to read thermal info on sailfish" am: am:... · 94e595d6

Tianjie Xu authored 7 years ago

Merge "Allow recovery to read thermal info on sailfish" am: 5ab5cfba am: afa8120a am: 16118451
am: d5c8c6b6

Change-Id: I5b20d4028cc1a1f9d1b3d7b9bf84109198e64781

94e595d6

Merge "Allow recovery to read thermal info on sailfish" am: 5ab5cfba am: afa8120a · d5c8c6b6
Tianjie Xu authored 7 years ago
```
am: 16118451

Change-Id: I55938593a2dd5f284dd2332a3685a737acbe1aec
```
d5c8c6b6
Merge "Allow recovery to read thermal info on sailfish" am: 5ab5cfba · 16118451
Tianjie Xu authored 7 years ago
```
am: afa8120a

Change-Id: Ie7c760c3952650b5b7b60f956a0a5934a64e399f
```
16118451
Merge "Allow recovery to read thermal info on sailfish" · afa8120a
Tianjie Xu authored 7 years ago
```
am: 5ab5cfba

Change-Id: I1fd254e6991d4d7f9afa6e36b26cc879c73fa6da
```
afa8120a
Merge "Allow recovery to read thermal info on sailfish" · 5ab5cfba
Treehugger Robot authored 7 years ago

5ab5cfba

Apr 14, 2017

Give apps, cameraserver, and system_server access to sync fences. · de2e79c5

Martijn Coenen authored 7 years ago

Since hal_graphics_composer_default is now no longer
a member of binderservicedomain, these domains would
no longer be able to use filedescriptors from it.

Bug: 36569525
Bug: 35706331
Test: marlin boots, YouTube, Maps, Camera, video
Change-Id: I4c110cf7530983470ae079e4fbc8cf11aa0fab7f

de2e79c5

Allow recovery to read thermal info on sailfish · b4e4565d

Tianjie Xu authored 7 years ago

Encountered more denials on sailfish:

avc:  denied  { read } for  pid=439 comm="recovery" name="thermal"
dev="sysfs" ino=28516 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0

avc:  denied  { read } for  pid=441 comm="recovery"
name="thermal_zone9" dev="sysfs" ino=40364 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=lnk_file permissive=0

Bug: 36920500
Test: sideload a package in sailfish
Change-Id: Ib4e89ba48cdc383318e5f3b7b15f542434e43564

b4e4565d

Merge changes from topic 'add_vendor_shell_toybox' into oc-dev am: e9e11a79 · 03e92f14
Sandeep Patil authored 7 years ago
```
am: ff2febc0

Change-Id: Iccca8a3c2add3eecf9f8dbb1fad4ff9e3c03b534
```
03e92f14
Merge "Transition mediacodec to /dev/hwbinder and /dev/vndbinder" into oc-dev am: a8c0b2d9 · f84aa486
Iliyan Malchev authored 7 years ago
```
am: b4aa5da9

Change-Id: Iebe2b6c646916d3ea5ef7de7a57266f39a64938f
```
f84aa486
Merge changes from topic 'add_vendor_shell_toybox' into oc-dev · ff2febc0
Sandeep Patil authored 7 years ago
```
am: e9e11a79

Change-Id: I4afe3e0fbd9fd17d19f2e498162c9f68234a8fb5
```
ff2febc0
Merge "Transition mediacodec to /dev/hwbinder and /dev/vndbinder" into oc-dev · b4aa5da9
Iliyan Malchev authored 7 years ago
```
am: a8c0b2d9

Change-Id: If0bae6172f3f7e5c05b4745dc7a00b890b4905e5
```
b4aa5da9

Merge changes from topic 'add_vendor_shell_toybox' into oc-dev · e9e11a79

TreeHugger Robot authored 7 years ago

* changes:
  suppress audit logs from rild's access to core domain through system()
  sepolicy: auditallow vendor components to execute files from /system
  vendor_shell: add sepolicy for vendor shell
  toolbox: add sepolicy for vendor toybox
  Do not allow priv_apps to scan all exec files

e9e11a79

Merge "Transition mediacodec to /dev/hwbinder and /dev/vndbinder" into oc-dev · a8c0b2d9
TreeHugger Robot authored 7 years ago

a8c0b2d9
Remove unnecessary attributes am: 20c2d4e9 · fd060ab6
Alex Klyubin authored 7 years ago
```
am: b83fc712

Change-Id: I9236e4f3cb9456e5280c38ebc6338e23a5f5b9b7
```
fd060ab6
Remove unnecessary attributes · b83fc712
Alex Klyubin authored 7 years ago
```
am: 20c2d4e9

Change-Id: I0a6aeb383854eb7df3b701ff2a080cb5a12398db
```
b83fc712

Transition mediacodec to /dev/hwbinder and /dev/vndbinder · 56cdcd48

Iliyan Malchev authored 7 years ago


This change disables /dev/binder access to and by mediacodec on
full-Treble devices.

b/36604251 OMX HAL (aka mediacodec) uses Binder and even exposes a
	   Binder service

Test: marlin
Change-Id: I1e30a6c56950728f36351c41b2859221753fd91a
Signed-off-by: Iliyan Malchev <malchev@google.com>

56cdcd48

Merge "SE Linux policies for OemLockService" into oc-dev am: 31c55240 · e89907e5
Andrew Scull authored 7 years ago
```
am: a95cf663

Change-Id: Ia1273a45798a0ae8a038ad90c8187f81960d6681
```
e89907e5

Remove unnecessary attributes · 20c2d4e9

Alex Klyubin authored 7 years ago

Test: mmm system/sepolicy
Bug: 34980020

(cherry picked from commit 3cc6a959)

Change-Id: I64c7275551e8e27d68072e8ec38c07b539989da0

20c2d4e9