Commits · 84edadca92139f86a44e0e0780e491135eee0285 · Werner Sembach / AndroidSystemSEPolicy

Mar 30, 2017
- Disallow HAL access to Bluetooth data files · 84edadca
  Myles Watson authored 7 years ago
  
  Devices that store their BT MAC address in /data/misc/bluedroid/ need to find another place for that file. Bug: 36602160 Test: Restart Bluetooth, check for selinux denials/files in /data/misc Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66
  84edadca
- Merge "Annotate rild with socket_between_core_and_vendor_violators" into oc-dev am: 36c8f160 · 15403f6c
  Jiyong Park authored 7 years ago
  
  am: cc5da52f Change-Id: Ie05d021efd289bf14f86ac070fce74c81ac7bd57
  15403f6c
- Merge "Annotate rild with socket_between_core_and_vendor_violators" into oc-dev · cc5da52f
  Jiyong Park authored 7 years ago
  
  am: 36c8f160 Change-Id: I4c39b013d9d8f296171dde6d0b0b3400074f3825
  cc5da52f
- Merge "Annotate rild with socket_between_core_and_vendor_violators" into oc-dev · 36c8f160
  TreeHugger Robot authored 7 years ago
  
  36c8f160
- Merge "Revert "Further restrict access to Binder services from vendor"" into oc-dev am: d7a2f60d · dee8e4fd
  Ian Pedowitz authored 7 years ago
  
  am: 134c7182 Change-Id: I23e7aa2a87f34a4adc5fd5eac85710db6238d9db
  dee8e4fd
- Merge "Revert "Further restrict access to Binder services from vendor"" into oc-dev · 134c7182
  Ian Pedowitz authored 7 years ago
  
  am: d7a2f60d Change-Id: Ifc66292d55f1daea28069cbf63cd70bf96fee74d
  134c7182
- Merge "Revert "Further restrict access to Binder services from vendor"" into oc-dev · d7a2f60d
  Ian Pedowitz authored 7 years ago
  
  d7a2f60d
- Revert "Further restrict access to Binder services from vendor" · 43b48045
  Ian Pedowitz authored 7 years ago
  
  This reverts commit 5c09d123. Broke the build Bug: 35870313 Test: source build/envsetup.sh && lunch marlin-userdebug && m -j40 Change-Id: I71c968be6e89462fd286be5663933552d478f8bf
  43b48045
- Merge "Further restrict access to Binder services from vendor" into oc-dev am: c673770a · 49358a58
  Alex Klyubin authored 7 years ago
  
  am: 3100873f Change-Id: Icc445d11ccc9606717d07317446c43a2ef731447
  49358a58
- Merge "Further restrict access to Binder services from vendor" into oc-dev · 3100873f
  Alex Klyubin authored 7 years ago
  
  am: c673770a Change-Id: Icb5276a3b73419b4b0e3a9fea1af157d0e1ef882
  3100873f
- Merge "Further restrict access to Binder services from vendor" into oc-dev · c673770a
  TreeHugger Robot authored 7 years ago
  
  c673770a
- Annotate rild with socket_between_core_and_vendor_violators · 57e9946f
  Jiyong Park authored 7 years ago
  
  Full treble targets cannot have sockets between framework and vendor processes. In theory, this should not affect aosp_arm64_ab where only framework binaries are built. However, /system/sepolicy has rild.te which is now vendor binary and this causes neverallow conflict when building aosp_arm64_ab. So, we just temporarily annotate the rild with socket_between_core_and_vendor_violators so that the neverallow conflict can be avoided. Test: choosecombo 1 aosp_arm64_ab userdebug; m -j 80 The build should not break. Change-Id: I260757cde96857cc3f539d5f82ca69c50653f8c7
  57e9946f
- Merge "Add media services to ephemeral_app" into oc-dev am: 3ad5c9e7 · 51f91375
  Chad Brubaker authored 7 years ago
  
  am: 897473dc Change-Id: Ic481a4198f03ee242d04cfa11d885353b24cde4c
  51f91375
- Merge changes from topic 'ipsec-service' am: 32815389 am: eaa5e298 am: b78fd545 · 583122a8
  Nathan Harold authored 7 years ago
  
  am: a6dc0dc2 Change-Id: I0ac39078f058e970822deda9a3161c05b0dceaeb
  583122a8
- Update Common NetD SEPolicy to allow Netlink XFRM am: 7eb3dd3b am: 75760e9d am: a581c048 · d7785679
  Nathan Harold authored 7 years ago
  
  am: d80511d3 Change-Id: I329798f6f7885aa68323367a43da6c0a3daa3fb5
  d7785679
- Merge "Add media services to ephemeral_app" into oc-dev · 897473dc
  Chad Brubaker authored 7 years ago
  
  am: 3ad5c9e7 Change-Id: I41a829460d932c30e564060fceb9169a7443014f
  897473dc
- Merge "Add media services to ephemeral_app" into oc-dev · 3ad5c9e7
  TreeHugger Robot authored 7 years ago
  
  3ad5c9e7
- Merge changes from topic 'ipsec-service' am: 32815389 am: eaa5e298 · a6dc0dc2
  Nathan Harold authored 7 years ago
  
  am: b78fd545 Change-Id: I227c5aee3e635922f39192bc9ce5a1ca5db46451
  a6dc0dc2
- Update Common NetD SEPolicy to allow Netlink XFRM am: 7eb3dd3b am: 75760e9d · d80511d3
  Nathan Harold authored 7 years ago
  
  am: a581c048 Change-Id: Ic71ef550af5cb26ca7d4db01fa78bd6c74b98ca5
  d80511d3
Mar 29, 2017

Merge changes from topic 'ipsec-service' am: 32815389 · b78fd545
Nathan Harold authored 7 years ago
```
am: eaa5e298

Change-Id: I232deac94123b1e07a20789cc247aa95bb9b3327
```
b78fd545
Update Common NetD SEPolicy to allow Netlink XFRM am: 7eb3dd3b · a581c048
Nathan Harold authored 7 years ago
```
am: 75760e9d

Change-Id: I02cfb5b418c2edaeaa02831113205e0a73f92342
```
a581c048
Merge changes from topic 'ipsec-service' · eaa5e298
Nathan Harold authored 7 years ago
```
am: 32815389

Change-Id: Id6cc5e3c1dc6b098f893b566dcbf09fc29973162
```
eaa5e298
Update Common NetD SEPolicy to allow Netlink XFRM · 75760e9d
Nathan Harold authored 7 years ago
```
am: 7eb3dd3b

Change-Id: Iafaa3fd315533c4cb49847d927d2c7cbae71bb51
```
75760e9d
Merge changes from topic 'ipsec-service' · 32815389
Treehugger Robot authored 7 years ago
```
* changes:
  Add IpSecService SEPolicy
  Update Common NetD SEPolicy to allow Netlink XFRM
```
32815389
Add media services to ephemeral_app · b93f0494
Chad Brubaker authored 7 years ago
```
Test: denials go away
Change-Id: I103cf3ad8d86b461bcba8edce02f6202fd2bcbe8
```
b93f0494
Merge changes from topic 'sefiles_relabel' into oc-dev am: 394539c5 · 7b753dec
Sandeep Patil authored 7 years ago
```
am: 719edb06

Change-Id: I162eaf1a4d61cbef00f531d779ee5a8282369b66
```
7b753dec
sepolicy: explicitly label all sepolicy files am: 136caa1b · 3d5c35f6
Sandeep Patil authored 7 years ago
```
am: 7dcab748

Change-Id: I0a9e49071e191903eeba44f145dd2b1c947662d4
```
3d5c35f6
seapp_context: explicitly label all seapp context files am: 1e149967 · 3b42777b
Sandeep Patil authored 7 years ago
```
am: 2515e1b1

Change-Id: I02b27169a707d5e4c2de8ef0183b1b782e90cf86
```
3b42777b
file_context: explicitly label all file context files am: c9cf7361 · 3ea659d5
Sandeep Patil authored 7 years ago
```
am: 07921191

Change-Id: I018a6d9bf84d75831a9d295a4c92184041134f33
```
3ea659d5
service_contexts: label service_contexts explicitly am: 939d16b5 · 2a4db0a2
Sandeep Patil authored 7 years ago
```
am: 5a6ab596

Change-Id: I48a064db0e9a579b0b1217c41c98ada3ff25ad93
```
2a4db0a2
prop_context: correctly label all property_context files am: 54a42001 · 08486323
Sandeep Patil authored 7 years ago
```
am: b81943b6

Change-Id: Ib1ac3f1b833b389710028d79a1e9ba6e13062efb
```
08486323
Merge changes from topic 'sefiles_relabel' into oc-dev · 719edb06
Sandeep Patil authored 7 years ago
```
am: 394539c5

Change-Id: Ibaa6911b4656ceb41167eab09eddfb3ca8c783f2
```
719edb06
sepolicy: explicitly label all sepolicy files · 7dcab748
Sandeep Patil authored 7 years ago
```
am: 136caa1b

Change-Id: I35ffe4d2cd233582c9dc73f1c20602c1a1c953eb
```
7dcab748
seapp_context: explicitly label all seapp context files · 2515e1b1
Sandeep Patil authored 7 years ago
```
am: 1e149967

Change-Id: Ie6fe25279ff73d4b200463bd07116a40a2272382
```
2515e1b1
file_context: explicitly label all file context files · 07921191
Sandeep Patil authored 7 years ago
```
am: c9cf7361

Change-Id: Ib2588c6117fdaf79665f61d4c872c60fb6579613
```
07921191
service_contexts: label service_contexts explicitly · 5a6ab596
Sandeep Patil authored 7 years ago
```
am: 939d16b5

Change-Id: I1c351ee36100730bf98a3fe820d1f51f7b672ba5
```
5a6ab596
prop_context: correctly label all property_context files · b81943b6
Sandeep Patil authored 7 years ago
```
am: 54a42001

Change-Id: I8281fcee3729b0a48131a860381db2a2be5f8c84
```
b81943b6

Merge changes from topic 'sefiles_relabel' into oc-dev · 394539c5

Sandeep Patil authored 7 years ago

* changes:
  mac_permissions: explicitly label all mac_permissions files
  sepolicy: explicitly label all sepolicy files
  seapp_context: explicitly label all seapp context files
  file_context: explicitly label all file context files
  service_contexts: label service_contexts explicitly
  prop_context: correctly label all property_context files

394539c5

Further restrict access to Binder services from vendor · 5c09d123

Alex Klyubin authored 7 years ago

This tightens neverallows for looking up Binder servicemanager
services from vendor components. In particular, vendor components,
other than apps, are not permitted to look up any Binder services.
Vendor apps are permitted to look up only stable public API services
which is exactly what non-vendor apps are permitted to use as well.
If we permitted vendor apps to use non-stable/hidden Binder services,
they might break when core components get updated without updating
vendor components.

Test: mmm system/sepolicy
Bug: 35870313
Change-Id: I949d62b3528cadb4bfe6f5985c25d1f497df0d5a

5c09d123

Merge "Loosen system app data neverallows" into oc-dev am: ad2e6166 · c0c035d7
Alex Klyubin authored 7 years ago
```
am: 0aa47bbf

Change-Id: Ib7a276a08b416c772eaf8fbc5d64f16cd08006da
```
c0c035d7