Commits · a7c29d410422f344f088968cf29ede0a76bca49f · Werner Sembach / AndroidSystemSEPolicy

Nov 15, 2017

Merge "charger: read permissions to /sys/power/state" · a7c29d41
Tri Vo authored 7 years ago
```
am: 07195bb6

Change-Id: I76d6dbcba064919a21264f961ba5e331452fce5f
```
a7c29d41
Merge "charger: read permissions to /sys/power/state" · 07195bb6
Treehugger Robot authored 7 years ago

07195bb6
Merge "Add tracking bugs to crash_dump denials" · ef4f4e9f
Jeffrey Vander Stoep authored 7 years ago
```
am: 81e03cb4

Change-Id: I8ea9c5c110e0be90bd05a83b3ca94a823e73e847
```
ef4f4e9f
Merge "Add tracking bugs to crash_dump denials" · 81e03cb4
Jeffrey Vander Stoep authored 7 years ago

81e03cb4

charger: read permissions to /sys/power/state · cb043a58

Tri Vo authored 7 years ago

Fixes these denials:
avc:  denied  { read } for  pid=585 comm="charger" name="state"
dev="sysfs" ino=18844 scontext=u:r:charger:s0
tcontext=u:object_r:sysfs_power:s0 tclass=file permissive=1

avc:  denied  { open } for  pid=585 comm="charger"
path="/sys/power/state" dev="sysfs" ino=18844 scontext=u:r:charger:s0
tcontext=u:object_r:sysfs_power:s0 tclass=file permissive=1

Test: above denials not observed in charger mode.
Change-Id: I5660e63315fada7f24d6cfe2e0bd2b383b556670

cb043a58

Do not audit the fsetid capability for update engine · 5488d400
Tianjie Xu authored 7 years ago
```
am: 29fc85ee

Change-Id: I888a076a056c08491d1185478b04ffce64af7ff2
```
5488d400

Nov 14, 2017

Add tracking bugs to crash_dump denials · 41401f47

Jeff Vander Stoep authored 7 years ago

avc: denied { search } for name="com.sf.activity" dev="sda35"
ino=1444147 scontext=u:r:crash_dump:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
avc: denied { search } for comm="crash_dump64"
name="com.android.bluetooth" dev="sda13" ino=1442292
scontext=u:r:crash_dump:s0 tcontext=u:object_r:bluetooth_data_file:s0
tclass=dir
avc: denied { search } for comm="crash_dump64" name="overlay" dev="dm-1"
ino=938 scontext=u:r:crash_dump:s0
tcontext=u:object_r:vendor_overlay_file:s0 tclass=dir permissive=0

Bug: 68705274
Bug: 68319037
Test: build
Change-Id: I44075ac6bf6447d863373c97ba10eadf59d2d22f

41401f47

Do not audit the fsetid capability for update engine · 29fc85ee

Tianjie Xu authored 7 years ago

There's a selinux denial for update_engine after go/aog/530462; the
denial is likely due to the setgid bit of the
update_engine_log_data_file.
Message:
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:4): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:5): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:4): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:5): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0

Bug: 69197466
Test: denial message gone on sailfish.
Change-Id: I0fdc285e4a4faa8dc37b4907484b3c79d4cc49cf

29fc85ee

Merge commit 'd9664064' into HEAD · c667a0ed
Xin Li authored 7 years ago
```
Change-Id: Icec8dfff5cff17cf1b557882db62b148a7218b98
```
c667a0ed
Merge "Allow Instant/V2 apps to load code from /data/data" · ba87a9aa
Chad Brubaker authored 7 years ago
```
am: 7c662776

Change-Id: I20f956cd6cfbd198dc8e72fb7d3bfeadeb2f09d5
```
ba87a9aa
Merge "Allow Instant/V2 apps to load code from /data/data" · 7c662776
Treehugger Robot authored 7 years ago

7c662776

Nov 13, 2017

Merge "Revert "update_verifier: neverallow access to 'sysfs' label."" · bdfb64cf
Jeffrey Vander Stoep authored 7 years ago
```
am: 721b305e

Change-Id: I566f14f9938b9cbc0cfa0de4f3cae5e68abb0324
```
bdfb64cf
Merge "Revert "update_verifier: neverallow access to 'sysfs' label."" · 721b305e
Jeffrey Vander Stoep authored 7 years ago

721b305e

Allow Instant/V2 apps to load code from /data/data · 7650669f

Chad Brubaker authored 7 years ago

This restriction causes issues with dynamite.

Since untrusted_v2_app was about enforcing this constraint put installed
v2 applications back into the normal untrusted_app domain.

Bug: 64806320
Test: Manual test with app using dynamite module

(cherrypicked from commit fe836817)

Change-Id: I3abf3ade64aaf689039a515de642759dd39ae6f7

7650669f

Revert "update_verifier: neverallow access to 'sysfs' label." · 23e58d19

Tri Vo authored 7 years ago

This reverts commit a61b99bb.

Reason for revert: breaks aosp_walleye-userdebug

Change-Id: I3246b8cac862b53fc76609df60b90149fbc8098d

23e58d19

Merge "Use PRODUCT_SEPOLICY_SPLIT for full Treble." · 98827003
Steven Moreland authored 7 years ago
```
am: 4bf3b5e9

Change-Id: I3b40cbef5fe2920917fa60f34ef29e6d4d8d3a01
```
98827003
Merge "Add tracking bugs to denials" · 50524539
Jeff Vander Stoep authored 7 years ago
```
am: f5e53e0c

Change-Id: I6145175790865e685e522514d72e6ae9da72a8f8
```
50524539
Merge "Use PRODUCT_SEPOLICY_SPLIT for full Treble." · 4bf3b5e9
Treehugger Robot authored 7 years ago

4bf3b5e9
Merge "Add tracking bugs to denials" · f5e53e0c
Treehugger Robot authored 7 years ago

f5e53e0c
Merge "update_verifier: neverallow access to 'sysfs' label." · a44f5b6d
Tri Vo authored 7 years ago
```
am: c33b4355

Change-Id: If95fcf51c8e582a75e2ad68ab64e84bdf09a13ad
```
a44f5b6d
Merge "update_verifier: neverallow access to 'sysfs' label." · c33b4355
Treehugger Robot authored 7 years ago

c33b4355
Merge "hal_camera: Don't allow access to /data/misc/camera" · 1830ea45
Eino-Ville Talvala authored 7 years ago
```
am: a228505a

Change-Id: I8707e63a45a5a3941d2360d233cf1d5b8f2e5683
```
1830ea45
Merge "hal_camera: Don't allow access to /data/misc/camera" · a228505a
Treehugger Robot authored 7 years ago

a228505a

update_verifier: neverallow access to 'sysfs' label. · a61b99bb

Tri Vo authored 7 years ago

Bug: 65643247
Test: walleye-userdebug builds
Change-Id: I12d8239ca85bb68eab76a2d0001a722fea3045c5

a61b99bb

Add tracking bugs to denials · 29666d12

Jeff Vander Stoep authored 7 years ago

These denials should not be allowed. Adding a bug number to the
denial properly attributes them to a bug.

Bug: 69197466
avc: denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability

Bug: 62140539
avc: denied { open }
path="/data/system_de/0/spblob/17a358cf8dff62ea.weaver"
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file
avc: denied { unlink } for name="17a358cf8dff62ea.weaver"
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file

Bug: 69175449
avc: denied { read } for name="pipe-max-size" dev="proc"
scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

Test: build
Change-Id: I62dc26a9076ab90ea4d4ce1f22e9b195f33ade16

29666d12

Nov 10, 2017
- hal_camera: Don't allow access to /data/misc/camera · 815affc8
  Eino-Ville Talvala authored 7 years ago
  
  HALs are supposed to only access /data/vendor/* Test: Camera CTS/ITS on walleye Bug: 36601397 Change-Id: I8f586938127b5a9acaace4d5b8c3fc42ab13e0cf (cherry picked from commit d7241d62)
  815affc8
- Merge "Allow update_engine to access /data/misc/update_engine_log" · 39ec2bb6
  Tianjie Xu authored 7 years ago
  
  am: 07ff6107 Change-Id: Ibed551e4ee539326d87fcd38ed5a0641f49a238f
  39ec2bb6
- Merge "Allow update_engine to access /data/misc/update_engine_log" · 07ff6107
  Tianjie Xu authored 7 years ago
  
  07ff6107
- sepolicy: allow netd to write to qtaguid file · 0ae4509c
  Chenbo Feng authored 7 years ago
  
  am: 185941aa Change-Id: Ib52fb4ba1d269f7bb10bac5c9ab6caef1b59e3cd
  0ae4509c
- Use PRODUCT_SEPOLICY_SPLIT for full Treble. · 763697d4
  Steven Moreland authored 7 years ago
  
  PRODUCT_FULL_TREBLE is being broken up into smaller, more manageable components. Bug: 62019611 Test: manual Change-Id: I9b65f120851d9ea134a0059a417f0282777717fc
  763697d4
Nov 09, 2017

Merge changes from topic "cki_proc_init" · cec8b2cd
Tri Vo authored 7 years ago
```
am: aa93dad6

Change-Id: I341b2a69e99c01242cbed24adfc5f51dd7ef78b5
```
cec8b2cd

sepolicy: allow netd to write to qtaguid file · 185941aa

Chenbo Feng authored 7 years ago

Since all qtaguid related userspace implementation are moved into netd
and will use netd to choose which module to run at run time. Netd module
should be the only process can directly read/write to the ctrl file of
qtaguid located at /proc/net/xt_qtaguid/ctrl. This sepolicy change grant
netd the privilege to access qtaguid proc files. It also grant netd the
permission to control trigger to turn on and off qtaguid module by write
parameters to files under sys_fs. The file and directory related is
properly labled.

Bug: 68774956
Bug: 30950746
Test: qtaguid function still working after the native function is
redirected.

Change-Id: Ia6db6f16ecbf8c58f631c79c9b4893ecf2cc607b

185941aa

Allow update_engine to access /data/misc/update_engine_log · 6fe014f8

Hakan Kvist authored 7 years ago

Add label update_engine_log_data_file for log files created by
update engine in directory /data/misc/update_engine_log.

Bug: 65568605
Test: manual
Change-Id: I379db82a0ea540e41cb3b8e03f93d9ce64fac7c9

6fe014f8

Merge changes from topic "cki_proc_init" · aa93dad6

Tri Vo authored 7 years ago

* changes:
  init: label /proc dependencies and remove access to proc
  init: refactor access to proc_* labels.

aa93dad6

Suppress mediaprover access to certain cache dirs · c009efae
Jeff Vander Stoep authored 7 years ago
```
am: 182dbeb6

Change-Id: I451582dd6b1a0f6b565132b87b37fbdacc7ea32a
```
c009efae

Suppress mediaprover access to certain cache dirs · 182dbeb6

Jeff Vander Stoep authored 7 years ago

avc: denied { getattr } for comm="sAsyncHandlerTh"
path="/data/cache/recovery" dev="sda13" ino=7086082
scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:cache_recovery_file:s0 tclass=dir
avc: denied { getattr } for path="/data/cache/backup"
scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:cache_private_backup_file:s0 tclass=dir

Bug: 63038506
Bug: 35197529
Test: build police
Change-Id: I51624c255e622bf712d41ca1bbf190ec3e4fefae
(cherry picked from commit fcf1b2083935bd298a2ece8d6d0c18712865a04b)

182dbeb6

Allow vendor apps to use surfaceflinger_service · 2e369131
Jeff Vander Stoep authored 7 years ago
```
am: 63f46773

Change-Id: I3ff43e1f579654b41ad7132efda8f486e1091f5c
```
2e369131

Allow vendor apps to use surfaceflinger_service · 63f46773

Jeff Vander Stoep authored 7 years ago

Vendor apps may only use servicemanager provided services
marked as app_api_service. surfaceflinger_service should be
available to vendor apps, so add this attribute and clean up
duplicate grants.

Addresses:
avc:  denied  { find } scontext=u:r:qtelephony:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc:  denied  { find } scontext=u:r:ssr_detector:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc:  denied  { find } scontext=u:r:qcneservice:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager

Bug: 69064190
Test: build
Change-Id: I00fcf43b0a8bde232709aac1040a5d7f4792fa0f

63f46773

Merge "wifi_supplicant: refactor permissions" · 94965d59
Jeff Vander Stoep authored 7 years ago
```
am: b43a1c84

Change-Id: I693dbe61b33633a31fda4e75b3abba69820ac2d4
```
94965d59
Merge "wifi_supplicant: refactor permissions" · b43a1c84
Treehugger Robot authored 7 years ago

b43a1c84