Commits · 7bd0bde4eaa66c4bcf8aee1bac5d2949e451d9d5 · Werner Sembach / AndroidSystemSEPolicy

Nov 16, 2017
- Merge "Copy a dontaudit from init to vendor_init" · 7bd0bde4
  Tom Cherry authored 7 years ago
  
  am: 5984301a Change-Id: I7e6c4733471f5954a16f991adddda3657844b47d
  7bd0bde4
- Merge "Copy a dontaudit from init to vendor_init" · 5984301a
  Treehugger Robot authored 7 years ago
  
  5984301a
- Revert "Put pm.* property in new pm_prop context" · e3cec841
  Calin Juravle authored 7 years ago
  
  am: 248b6dc6 Change-Id: Ie2990b86b85fbe29565ca7957fbce6b6121abec1
  e3cec841
Nov 15, 2017

Copy a dontaudit from init to vendor_init · 63492cd6

Tom Cherry authored 7 years ago

Copy init's dontaudit for sysfs:dir write; to calm the below denials:

avc: denied { write } for pid=542 comm="init" name="1da4000.ufshc" dev="sysfs" ino=21752 scontext=u:r:vendor_init:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
avc: denied { write } for pid=542 comm="init" name="1da4000.ufshc" dev="sysfs" ino=21752 scontext=u:r:vendor_init:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1

Bug: 62875318
Test: use pixel + factory reset + vendor_init
Change-Id: I686b51c4f340b3565ea24f00516ebde846be7a89

63492cd6

Revert "Put pm.* property in new pm_prop context" · 248b6dc6

Calin Juravle authored 7 years ago

This reverts commit d1cf3a40.

Reason for revert: It breaks CTS b/69309298 and other platform tests which read pm.dexopt properties.

Change-Id: I5c7cde041113e9c19bb23218edd99f699fcf4a06

248b6dc6

Merge "update_verifier: neverallow access to 'sysfs' label." · aff4f750
Tri Vo authored 7 years ago
```
am: aca97bcb

Change-Id: I5bb923eecb8fb757d31a8b612f85a49d69cefdab
```
aff4f750
Merge "update_verifier: neverallow access to 'sysfs' label." · aca97bcb
Tri Vo authored 7 years ago

aca97bcb
Merge "charger: read permissions to /sys/power/state" · a7c29d41
Tri Vo authored 7 years ago
```
am: 07195bb6

Change-Id: I76d6dbcba064919a21264f961ba5e331452fce5f
```
a7c29d41
Merge "charger: read permissions to /sys/power/state" · 07195bb6
Treehugger Robot authored 7 years ago

07195bb6
Merge "Add tracking bugs to crash_dump denials" · ef4f4e9f
Jeffrey Vander Stoep authored 7 years ago
```
am: 81e03cb4

Change-Id: I8ea9c5c110e0be90bd05a83b3ca94a823e73e847
```
ef4f4e9f
Merge "Add tracking bugs to crash_dump denials" · 81e03cb4
Jeffrey Vander Stoep authored 7 years ago

81e03cb4

update_verifier: neverallow access to 'sysfs' label. · 7dd4d906

Tri Vo authored 7 years ago

Bug: 65643247
Test: aosp_walleye-userdebug builds
Test: aosp_sailfish-userdebug builds
Change-Id: Iaebd368b84259783fbdc4778988bdb7ba0df300b

7dd4d906

charger: read permissions to /sys/power/state · cb043a58

Tri Vo authored 7 years ago

Fixes these denials:
avc:  denied  { read } for  pid=585 comm="charger" name="state"
dev="sysfs" ino=18844 scontext=u:r:charger:s0
tcontext=u:object_r:sysfs_power:s0 tclass=file permissive=1

avc:  denied  { open } for  pid=585 comm="charger"
path="/sys/power/state" dev="sysfs" ino=18844 scontext=u:r:charger:s0
tcontext=u:object_r:sysfs_power:s0 tclass=file permissive=1

Test: above denials not observed in charger mode.
Change-Id: I5660e63315fada7f24d6cfe2e0bd2b383b556670

cb043a58

Do not audit the fsetid capability for update engine · 5488d400
Tianjie Xu authored 7 years ago
```
am: 29fc85ee

Change-Id: I888a076a056c08491d1185478b04ffce64af7ff2
```
5488d400

Nov 14, 2017

Add tracking bugs to crash_dump denials · 41401f47

Jeff Vander Stoep authored 7 years ago

avc: denied { search } for name="com.sf.activity" dev="sda35"
ino=1444147 scontext=u:r:crash_dump:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
avc: denied { search } for comm="crash_dump64"
name="com.android.bluetooth" dev="sda13" ino=1442292
scontext=u:r:crash_dump:s0 tcontext=u:object_r:bluetooth_data_file:s0
tclass=dir
avc: denied { search } for comm="crash_dump64" name="overlay" dev="dm-1"
ino=938 scontext=u:r:crash_dump:s0
tcontext=u:object_r:vendor_overlay_file:s0 tclass=dir permissive=0

Bug: 68705274
Bug: 68319037
Test: build
Change-Id: I44075ac6bf6447d863373c97ba10eadf59d2d22f

41401f47

Do not audit the fsetid capability for update engine · 29fc85ee

Tianjie Xu authored 7 years ago

There's a selinux denial for update_engine after go/aog/530462; the
denial is likely due to the setgid bit of the
update_engine_log_data_file.
Message:
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:4): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:5): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:4): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:5): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0

Bug: 69197466
Test: denial message gone on sailfish.
Change-Id: I0fdc285e4a4faa8dc37b4907484b3c79d4cc49cf

29fc85ee

Merge commit 'd9664064' into HEAD · c667a0ed
Xin Li authored 7 years ago
```
Change-Id: Icec8dfff5cff17cf1b557882db62b148a7218b98
```
c667a0ed
Merge "Allow Instant/V2 apps to load code from /data/data" · ba87a9aa
Chad Brubaker authored 7 years ago
```
am: 7c662776

Change-Id: I20f956cd6cfbd198dc8e72fb7d3bfeadeb2f09d5
```
ba87a9aa
Merge "Allow Instant/V2 apps to load code from /data/data" · 7c662776
Treehugger Robot authored 7 years ago

7c662776

Nov 13, 2017

Merge "Revert "update_verifier: neverallow access to 'sysfs' label."" · bdfb64cf
Jeffrey Vander Stoep authored 7 years ago
```
am: 721b305e

Change-Id: I566f14f9938b9cbc0cfa0de4f3cae5e68abb0324
```
bdfb64cf
Merge "Revert "update_verifier: neverallow access to 'sysfs' label."" · 721b305e
Jeffrey Vander Stoep authored 7 years ago

721b305e

Allow Instant/V2 apps to load code from /data/data · 7650669f

Chad Brubaker authored 7 years ago

This restriction causes issues with dynamite.

Since untrusted_v2_app was about enforcing this constraint put installed
v2 applications back into the normal untrusted_app domain.

Bug: 64806320
Test: Manual test with app using dynamite module

(cherrypicked from commit fe836817)

Change-Id: I3abf3ade64aaf689039a515de642759dd39ae6f7

7650669f

Revert "update_verifier: neverallow access to 'sysfs' label." · 23e58d19

Tri Vo authored 7 years ago

This reverts commit a61b99bb.

Reason for revert: breaks aosp_walleye-userdebug

Change-Id: I3246b8cac862b53fc76609df60b90149fbc8098d

23e58d19

Merge "Use PRODUCT_SEPOLICY_SPLIT for full Treble." · 98827003
Steven Moreland authored 7 years ago
```
am: 4bf3b5e9

Change-Id: I3b40cbef5fe2920917fa60f34ef29e6d4d8d3a01
```
98827003
Merge "Add tracking bugs to denials" · 50524539
Jeff Vander Stoep authored 7 years ago
```
am: f5e53e0c

Change-Id: I6145175790865e685e522514d72e6ae9da72a8f8
```
50524539
Merge "Use PRODUCT_SEPOLICY_SPLIT for full Treble." · 4bf3b5e9
Treehugger Robot authored 7 years ago

4bf3b5e9
Merge "Add tracking bugs to denials" · f5e53e0c
Treehugger Robot authored 7 years ago

f5e53e0c
Merge "update_verifier: neverallow access to 'sysfs' label." · a44f5b6d
Tri Vo authored 7 years ago
```
am: c33b4355

Change-Id: If95fcf51c8e582a75e2ad68ab64e84bdf09a13ad
```
a44f5b6d
Merge "update_verifier: neverallow access to 'sysfs' label." · c33b4355
Treehugger Robot authored 7 years ago

c33b4355
Merge "hal_camera: Don't allow access to /data/misc/camera" · 1830ea45
Eino-Ville Talvala authored 7 years ago
```
am: a228505a

Change-Id: I8707e63a45a5a3941d2360d233cf1d5b8f2e5683
```
1830ea45
Merge "hal_camera: Don't allow access to /data/misc/camera" · a228505a
Treehugger Robot authored 7 years ago

a228505a

update_verifier: neverallow access to 'sysfs' label. · a61b99bb

Tri Vo authored 7 years ago

Bug: 65643247
Test: walleye-userdebug builds
Change-Id: I12d8239ca85bb68eab76a2d0001a722fea3045c5

a61b99bb

Add tracking bugs to denials · 29666d12

Jeff Vander Stoep authored 7 years ago

These denials should not be allowed. Adding a bug number to the
denial properly attributes them to a bug.

Bug: 69197466
avc: denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability

Bug: 62140539
avc: denied { open }
path="/data/system_de/0/spblob/17a358cf8dff62ea.weaver"
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file
avc: denied { unlink } for name="17a358cf8dff62ea.weaver"
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file

Bug: 69175449
avc: denied { read } for name="pipe-max-size" dev="proc"
scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

Test: build
Change-Id: I62dc26a9076ab90ea4d4ce1f22e9b195f33ade16

29666d12

Nov 10, 2017
- hal_camera: Don't allow access to /data/misc/camera · 815affc8
  Eino-Ville Talvala authored 7 years ago
  
  HALs are supposed to only access /data/vendor/* Test: Camera CTS/ITS on walleye Bug: 36601397 Change-Id: I8f586938127b5a9acaace4d5b8c3fc42ab13e0cf (cherry picked from commit d7241d62)
  815affc8
- Merge "Allow update_engine to access /data/misc/update_engine_log" · 39ec2bb6
  Tianjie Xu authored 7 years ago
  
  am: 07ff6107 Change-Id: Ibed551e4ee539326d87fcd38ed5a0641f49a238f
  39ec2bb6
- Merge "Allow update_engine to access /data/misc/update_engine_log" · 07ff6107
  Tianjie Xu authored 7 years ago
  
  07ff6107
- sepolicy: allow netd to write to qtaguid file · 0ae4509c
  Chenbo Feng authored 7 years ago
  
  am: 185941aa Change-Id: Ib52fb4ba1d269f7bb10bac5c9ab6caef1b59e3cd
  0ae4509c
- Use PRODUCT_SEPOLICY_SPLIT for full Treble. · 763697d4
  Steven Moreland authored 7 years ago
  
  PRODUCT_FULL_TREBLE is being broken up into smaller, more manageable components. Bug: 62019611 Test: manual Change-Id: I9b65f120851d9ea134a0059a417f0282777717fc
  763697d4
Nov 09, 2017

Merge changes from topic "cki_proc_init" · cec8b2cd
Tri Vo authored 7 years ago
```
am: aa93dad6

Change-Id: I341b2a69e99c01242cbed24adfc5f51dd7ef78b5
```
cec8b2cd

sepolicy: allow netd to write to qtaguid file · 185941aa

Chenbo Feng authored 7 years ago

Since all qtaguid related userspace implementation are moved into netd
and will use netd to choose which module to run at run time. Netd module
should be the only process can directly read/write to the ctrl file of
qtaguid located at /proc/net/xt_qtaguid/ctrl. This sepolicy change grant
netd the privilege to access qtaguid proc files. It also grant netd the
permission to control trigger to turn on and off qtaguid module by write
parameters to files under sys_fs. The file and directory related is
properly labled.

Bug: 68774956
Bug: 30950746
Test: qtaguid function still working after the native function is
redirected.

Change-Id: Ia6db6f16ecbf8c58f631c79c9b4893ecf2cc607b

185941aa