Commits · 722249b3e83dba446a93ace95d211f874c424737 · Werner Sembach / AndroidSystemSEPolicy

May 23, 2017

SE Policy for Tether Offload HAL · 722249b3

pkanwar authored 7 years ago

Update SE Policy to allow calls to and callbacks for the Tether Offload HAL
HIDL binderized service.

Bug: 38417260
Test: New functionality. So we don't have any tests.
Change-Id: I2c95b290523c55c081afa1bca091f368559c9125

722249b3

May 17, 2017

Merge "sepolicy: allow apps to execute libs embedded inside vendor apk" into oc-dev am: a82c3d57 · 003a9b54
Jiyong Park authored 7 years ago
```
am: 524b0650

Change-Id: I893d97b9a6383ef1914bfbda43606dfaad6554e4
```
003a9b54
Merge "sepolicy: allow apps to execute libs embedded inside vendor apk" into oc-dev · 524b0650
Jiyong Park authored 7 years ago
```
am: a82c3d57

Change-Id: I332b2e50b5057016ad6b530f7660c95bd53af4b7
```
524b0650
Merge "sepolicy: allow apps to execute libs embedded inside vendor apk" into oc-dev · a82c3d57
TreeHugger Robot authored 7 years ago

a82c3d57

sepolicy: allow apps to execute libs embedded inside vendor apk · 86539031

Jiyong Park authored 7 years ago

Currently, some jni libs in /vendor/lib are allowed to be executed
in java process by labelling them as same_process_hal_file. This is
wrong because those jni libs are not in fact same process HALs.

After b/37481404, those jni libs for vendor apks are embedded inside the
apk just like downloaded apks.

In order to make this possible, appdomain is allowed to execute
vendor_app_file. Note that allowing this is not a Treble violation because
vendor_app_file is Java and JNI code only. Native libraries in
/vendor/lib are still prevented from being loaded in apps except for
those are labeled as same_process_hal_file AND are loaded via the
'sphal' namespace.

Bug: 37481404
Test: Phone application does not crash.
Change-Id: Ifaece2f05d0b20e28c4b1c0847f5ea0bb28ade02

86539031

May 16, 2017
- Merge "Move domain_deprecated into private policy" into oc-dev am: 02a101a6 · 093bcd99
  Jeff Vander Stoep authored 7 years ago
  
  am: 35e09523 Change-Id: I728d32563d123fafd7c316f5ea5764a463876757
  093bcd99
- Merge "Move domain_deprecated into private policy" into oc-dev · 35e09523
  Jeff Vander Stoep authored 7 years ago
  
  am: 02a101a6 Change-Id: I0140009cfbf316489db4994b414ac079776ead21
  35e09523
- Merge "Move domain_deprecated into private policy" into oc-dev · 02a101a6
  TreeHugger Robot authored 7 years ago
  
  02a101a6
- Merge "hal_camera: remove video_device restriction" into oc-dev am: 125a5a0c · 0e2f85fc
  Jeff Vander Stoep authored 7 years ago
  
  am: 270e70be Change-Id: Iaf1c21761a7daa9a73b88434d543a9306e0cbe61
  0e2f85fc
- Merge "hal_camera: remove video_device restriction" into oc-dev · 270e70be
  Jeff Vander Stoep authored 7 years ago
  
  am: 125a5a0c Change-Id: I3b9bd0d3790523045db45bb1cb4a439220b7ede0
  270e70be
- Merge "hal_camera: remove video_device restriction" into oc-dev · 125a5a0c
  TreeHugger Robot authored 7 years ago
  
  125a5a0c
- Merge "SELinux policies for Weaver HAL." into oc-dev am: 21e6ab12 · e121c695
  Andrew Scull authored 7 years ago
  
  am: 36ad79b0 -s ours Change-Id: I9c32de4e471ccbe29dd9f81b0215fbbbf4f944d4
  e121c695
- Merge "SELinux policies for the OEM lock HAL." into oc-dev am: f2760f79 · cc45e920
  Andrew Scull authored 7 years ago
  
  am: ac4498fa -s ours Change-Id: Id9f254a4b6a15b6763a3fe5f6c0f62d7b10f3ec8
  cc45e920
- Merge "SELinux policies for Weaver HAL." into oc-dev · 36ad79b0
  Andrew Scull authored 7 years ago
  
  am: 21e6ab12 Change-Id: Ia07eb71f1c8cdd7329bdfb3315e9b2e3337b2ee0
  36ad79b0
- Merge "SELinux policies for the OEM lock HAL." into oc-dev · ac4498fa
  Andrew Scull authored 7 years ago
  
  am: f2760f79 Change-Id: Iac53bd00513b53476d9156440fd4937afcf0bd54
  ac4498fa
- Merge "SELinux policies for Weaver HAL." into oc-dev · 21e6ab12
  TreeHugger Robot authored 7 years ago
  
  21e6ab12
- Merge "SELinux policies for the OEM lock HAL." into oc-dev · f2760f79
  TreeHugger Robot authored 7 years ago
  
  f2760f79
- hal_camera: remove video_device restriction · a1c94c8d
  Jeff Vander Stoep authored 7 years ago
  
  Disallowing other HALs access to video_device does not appear to be enforceable. (cherry picked from commit c26dd18a) Bug: 37669506 Test: build policy. Neverallow rules are build time test and do not impact the policy binary. Change-Id: Iea401de08a63f3261a461f67b85113a9d838e88a
  a1c94c8d
- Merge "Revert "Revert "O is API 26""" into oc-dev am: 0f406a7a · d95ded6f
  Ian Pedowitz authored 7 years ago
  
  am: ed4841ce Change-Id: I04a5cd25af698a06101d202e2815bf5f3f39856e
  d95ded6f
- Merge "Revert "Revert "O is API 26""" into oc-dev · ed4841ce
  Ian Pedowitz authored 7 years ago
  
  am: 0f406a7a Change-Id: I39ba184fe5b89a6cace60a4ea31f42e3e9940fce
  ed4841ce
- Merge "Revert "Revert "O is API 26""" into oc-dev · 0f406a7a
  Ian Pedowitz authored 7 years ago
  
  0f406a7a
May 15, 2017

Merge "Partially revert "Sepolicy: Give asan_extract access to powerctl"" · f7b0f110
TreeHugger Robot authored 7 years ago

f7b0f110

Move domain_deprecated into private policy · 76aab82c

Jeff Vander Stoep authored 7 years ago

This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b

76aab82c

SELinux policies for PDX services am: c4055f0d am: 1a6fabea am: a06236a0 -s ours · 6f66418e
Alex Vakulenko authored 7 years ago
```
am: ffb5b3f9

Change-Id: I53aac064a2743064be1bff1087eeda445d3abbf9
```
6f66418e
SELinux policies for PDX services am: c4055f0d am: 1a6fabea · ffb5b3f9
Alex Vakulenko authored 7 years ago
```
am: a06236a0  -s ours

Change-Id: I78b6f59d35d5510f91bc3fb64818b13d50148850
```
ffb5b3f9
SELinux policies for PDX services am: c4055f0d · a06236a0
Alex Vakulenko authored 7 years ago
```
am: 1a6fabea

Change-Id: I3b1a74f387cbf7388feb17f87f749964816df302
```
a06236a0
SELinux policies for PDX services · 1a6fabea
Alex Vakulenko authored 7 years ago
```
am: c4055f0d

Change-Id: I4f307d49476c1e84d8dd17d02f383d7c10a959fc
```
1a6fabea

Partially revert "Sepolicy: Give asan_extract access to powerctl" · f66fbab2

Dan Cashman authored 7 years ago

This is a partial revert of commit 82672089.
The previous commit removed a public type, which is a version-incompatible
change to the SELinux vendor API.  Since the 2017 devices are meant to be
launching with the previous version, this is unacceptable.  Revert the
version-incompatible parts of the change, but keep the other parts to enable
existing system functionality to persist and become part of MR1.  Leave TODOs
to remove the other parts when a version bump is acceptable.

Bug: 38241921
Test: Policy builds and device boots with ASAN enabled.
Change-Id: I0dd3673b8ed7fb86abd79cd04982396000e986f1

f66fbab2

SELinux policies for PDX services · c4055f0d

Alex Vakulenko authored 7 years ago

Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
Merged-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea

c4055f0d

May 13, 2017
- Move sensord sepolicy am: 2dd9ae33 · f8af70be
  Luke Song authored 7 years ago
  
  am: 9639c5a8 Change-Id: Ia45f76ea09566cab4d36aa8f3a039ba4ebcf6f0c
  f8af70be
- Move sensord sepolicy · 9639c5a8
  Luke Song authored 7 years ago
  
  am: 2dd9ae33 Change-Id: Ia17bae012b678ba604a4f869baf9b29027879ff5
  9639c5a8
May 12, 2017
- SELinux policies for Weaver HAL. · 3c90eaf2
  Andrew Scull authored 7 years ago
  
  Bug: 35628284 Change-Id: I08877ac117212325b1259f7d90a4c0cb1dac2d9f Fix: 38233550 Test: Build and boot Merged-In: I4cdacb601e0eea1f5f0e721c568c7ee04298704f
  3c90eaf2
- SELinux policies for the OEM lock HAL. · 0e9b2207
  Andrew Scull authored 7 years ago
  
  Bug: 34766843 Change-Id: I5be615d818ecf999fec6514ce9b89ff6a7f13cd6 Fix: 38232801 Test: Build and boot Merged-In: Ice78aedfdbe82477a84252499a76dad37887fe6b
  0e9b2207
- Merge "Revert "remove /dev/log"" am: fcfda81b am: 7469d816 am: 2c029ee1 · 7d7fc64c
  Tom Cherry authored 7 years ago
  
  am: 8465372b Change-Id: I8bdc88c5984e4848d94b73f0bb3824f5a11fa981
  7d7fc64c
- Merge "Allow shell access on /dev/uhid node" am: 216b377d am: c1e8f825 am: 45c4b142 · 13ddbad5
  Siarhei Vishniakou authored 7 years ago
  
  am: 295a27a3 Change-Id: I8f3048b4e57a7970a3b31b2878d0dca522ab71de
  13ddbad5
- Merge "Revert "remove /dev/log"" am: fcfda81b am: 7469d816 · 8465372b
  Tom Cherry authored 7 years ago
  
  am: 2c029ee1 Change-Id: I4ad2e5a08336f44ca8786be35e46ac7d705cb26f
  8465372b
- Merge "Revert "remove /dev/log"" am: fcfda81b · 2c029ee1
  Tom Cherry authored 7 years ago
  
  am: 7469d816 Change-Id: Ie36c6266cc3387bba02974fb65614c75c8bd1425
  2c029ee1
- Merge "Revert "remove /dev/log"" · 7469d816
  Tom Cherry authored 7 years ago
  
  am: fcfda81b Change-Id: Iefe805a99749c29865b7f871cd4fc3fe11e1e536
  7469d816
- Merge "Allow shell access on /dev/uhid node" am: 216b377d am: c1e8f825 · 295a27a3
  Siarhei Vishniakou authored 7 years ago
  
  am: 45c4b142 Change-Id: I6cb948d50f22f162d4b647259d12143cff7b61de
  295a27a3
- Merge "Revert "remove /dev/log"" · fcfda81b
  Treehugger Robot authored 7 years ago
  
  fcfda81b