Commits · adda76eabc90eb6f637e6d18de7e02843401cbbe · Werner Sembach / AndroidSystemSEPolicy

Nov 16, 2017
- Merge "Copy a dontaudit from init to vendor_init" am: 5984301a · adda76ea
  Tom Cherry authored 7 years ago
  
  am: 7bd0bde4 Change-Id: I6aa0562fdc8e0fb482c8c81fbb256f57dbe59387
  adda76ea
- Merge "Copy a dontaudit from init to vendor_init" · 7bd0bde4
  Tom Cherry authored 7 years ago
  
  am: 5984301a Change-Id: I7e6c4733471f5954a16f991adddda3657844b47d
  7bd0bde4
- Merge "Copy a dontaudit from init to vendor_init" · 5984301a
  Treehugger Robot authored 7 years ago
  
  5984301a
- Revert "Put pm.* property in new pm_prop context" am: 248b6dc6 · 0386eaed
  Calin Juravle authored 7 years ago
  
  am: e3cec841 Change-Id: Iefd431374378a736aa8e3a2f37b25cf026b3998f
  0386eaed
- Revert "Put pm.* property in new pm_prop context" · e3cec841
  Calin Juravle authored 7 years ago
  
  am: 248b6dc6 Change-Id: Ie2990b86b85fbe29565ca7957fbce6b6121abec1
  e3cec841
Nov 15, 2017

Copy a dontaudit from init to vendor_init · 63492cd6

Tom Cherry authored 7 years ago

Copy init's dontaudit for sysfs:dir write; to calm the below denials:

avc: denied { write } for pid=542 comm="init" name="1da4000.ufshc" dev="sysfs" ino=21752 scontext=u:r:vendor_init:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
avc: denied { write } for pid=542 comm="init" name="1da4000.ufshc" dev="sysfs" ino=21752 scontext=u:r:vendor_init:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1

Bug: 62875318
Test: use pixel + factory reset + vendor_init
Change-Id: I686b51c4f340b3565ea24f00516ebde846be7a89

63492cd6

Revert "Put pm.* property in new pm_prop context" · 248b6dc6

Calin Juravle authored 7 years ago

This reverts commit d1cf3a40.

Reason for revert: It breaks CTS b/69309298 and other platform tests which read pm.dexopt properties.

Change-Id: I5c7cde041113e9c19bb23218edd99f699fcf4a06

248b6dc6

Merge "update_verifier: neverallow access to 'sysfs' label." am: aca97bcb · 0ca8b35f
Tri Vo authored 7 years ago
```
am: aff4f750

Change-Id: I2c6b101769806b987114e6787ecc158329490791
```
0ca8b35f
Merge "update_verifier: neverallow access to 'sysfs' label." · aff4f750
Tri Vo authored 7 years ago
```
am: aca97bcb

Change-Id: I5bb923eecb8fb757d31a8b612f85a49d69cefdab
```
aff4f750
Merge "update_verifier: neverallow access to 'sysfs' label." · aca97bcb
Tri Vo authored 7 years ago

aca97bcb
Merge "charger: read permissions to /sys/power/state" am: 07195bb6 · b44da22c
Tri Vo authored 7 years ago
```
am: a7c29d41

Change-Id: Ia29bb093294461bdea9b81bff3d208e16c49a36c
```
b44da22c
Merge "charger: read permissions to /sys/power/state" · a7c29d41
Tri Vo authored 7 years ago
```
am: 07195bb6

Change-Id: I76d6dbcba064919a21264f961ba5e331452fce5f
```
a7c29d41
Merge "charger: read permissions to /sys/power/state" · 07195bb6
Treehugger Robot authored 7 years ago

07195bb6
Merge "Add tracking bugs to crash_dump denials" am: 81e03cb4 · 27dcc1bd
Jeffrey Vander Stoep authored 7 years ago
```
am: ef4f4e9f

Change-Id: I6e267e3695d5625ba8fdec0cd5efdbb26b83a9b2
```
27dcc1bd
Merge "Add tracking bugs to crash_dump denials" · ef4f4e9f
Jeffrey Vander Stoep authored 7 years ago
```
am: 81e03cb4

Change-Id: I8ea9c5c110e0be90bd05a83b3ca94a823e73e847
```
ef4f4e9f
Merge "Add tracking bugs to crash_dump denials" · 81e03cb4
Jeffrey Vander Stoep authored 7 years ago

81e03cb4

update_verifier: neverallow access to 'sysfs' label. · 7dd4d906

Tri Vo authored 7 years ago

Bug: 65643247
Test: aosp_walleye-userdebug builds
Test: aosp_sailfish-userdebug builds
Change-Id: Iaebd368b84259783fbdc4778988bdb7ba0df300b

7dd4d906

Do not audit the fsetid capability for update engine am: 29fc85ee · f9a2a937
Tianjie Xu authored 7 years ago
```
am: 5488d400

Change-Id: Iefdf4d16645dabba5c4b0e98155faaa3380eac4b
```
f9a2a937

charger: read permissions to /sys/power/state · cb043a58

Tri Vo authored 7 years ago

Fixes these denials:
avc:  denied  { read } for  pid=585 comm="charger" name="state"
dev="sysfs" ino=18844 scontext=u:r:charger:s0
tcontext=u:object_r:sysfs_power:s0 tclass=file permissive=1

avc:  denied  { open } for  pid=585 comm="charger"
path="/sys/power/state" dev="sysfs" ino=18844 scontext=u:r:charger:s0
tcontext=u:object_r:sysfs_power:s0 tclass=file permissive=1

Test: above denials not observed in charger mode.
Change-Id: I5660e63315fada7f24d6cfe2e0bd2b383b556670

cb043a58

Do not audit the fsetid capability for update engine · 5488d400
Tianjie Xu authored 7 years ago
```
am: 29fc85ee

Change-Id: I888a076a056c08491d1185478b04ffce64af7ff2
```
5488d400
Merge remote-tracking branch 'goog/stage-aosp-master' into HEAD · c69ba91b
Xin Li authored 7 years ago
```
Change-Id: I8b2636b9b6a1f2e664abc90bd453dbbf2a9f7a05
```
c69ba91b

Nov 14, 2017

Add tracking bugs to crash_dump denials · 41401f47

Jeff Vander Stoep authored 7 years ago

avc: denied { search } for name="com.sf.activity" dev="sda35"
ino=1444147 scontext=u:r:crash_dump:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
avc: denied { search } for comm="crash_dump64"
name="com.android.bluetooth" dev="sda13" ino=1442292
scontext=u:r:crash_dump:s0 tcontext=u:object_r:bluetooth_data_file:s0
tclass=dir
avc: denied { search } for comm="crash_dump64" name="overlay" dev="dm-1"
ino=938 scontext=u:r:crash_dump:s0
tcontext=u:object_r:vendor_overlay_file:s0 tclass=dir permissive=0

Bug: 68705274
Bug: 68319037
Test: build
Change-Id: I44075ac6bf6447d863373c97ba10eadf59d2d22f

41401f47

Do not audit the fsetid capability for update engine · 29fc85ee

Tianjie Xu authored 7 years ago

There's a selinux denial for update_engine after go/aog/530462; the
denial is likely due to the setgid bit of the
update_engine_log_data_file.
Message:
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:4): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:5): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:4): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:5): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0

Bug: 69197466
Test: denial message gone on sailfish.
Change-Id: I0fdc285e4a4faa8dc37b4907484b3c79d4cc49cf

29fc85ee

Merge commit 'd9664064' into HEAD · c667a0ed
Xin Li authored 7 years ago
```
Change-Id: Icec8dfff5cff17cf1b557882db62b148a7218b98
```
c667a0ed
Merge "Allow Instant/V2 apps to load code from /data/data" am: 7c662776 · 3d71c254
Chad Brubaker authored 7 years ago
```
am: ba87a9aa

Change-Id: I43873dab8be67bcf91eff7521f46f6bc5359793a
```
3d71c254
Merge "Allow Instant/V2 apps to load code from /data/data" · ba87a9aa
Chad Brubaker authored 7 years ago
```
am: 7c662776

Change-Id: I20f956cd6cfbd198dc8e72fb7d3bfeadeb2f09d5
```
ba87a9aa
Merge "Allow Instant/V2 apps to load code from /data/data" · 7c662776
Treehugger Robot authored 7 years ago

7c662776

Nov 13, 2017
- Merge "Revert "update_verifier: neverallow access to 'sysfs' label."" am: 721b305e · e736118a
  Jeffrey Vander Stoep authored 7 years ago
  
  am: bdfb64cf Change-Id: Ie064e4c1cc517aabc5a95147ca36d6edf6e6a494
  e736118a
- Merge "Revert "update_verifier: neverallow access to 'sysfs' label."" · bdfb64cf
  Jeffrey Vander Stoep authored 7 years ago
  
  am: 721b305e Change-Id: I566f14f9938b9cbc0cfa0de4f3cae5e68abb0324
  bdfb64cf
- Merge "Revert "update_verifier: neverallow access to 'sysfs' label."" · 721b305e
  Jeffrey Vander Stoep authored 7 years ago
  
  721b305e
- Allow Instant/V2 apps to load code from /data/data · 7650669f
  Chad Brubaker authored 7 years ago
  
  This restriction causes issues with dynamite. Since untrusted_v2_app was about enforcing this constraint put installed v2 applications back into the normal untrusted_app domain. Bug: 64806320 Test: Manual test with app using dynamite module (cherrypicked from commit fe836817) Change-Id: I3abf3ade64aaf689039a515de642759dd39ae6f7
  7650669f
- Revert "update_verifier: neverallow access to 'sysfs' label." · 23e58d19
  Tri Vo authored 7 years ago
  
  This reverts commit a61b99bb. Reason for revert: breaks aosp_walleye-userdebug Change-Id: I3246b8cac862b53fc76609df60b90149fbc8098d
  23e58d19
- Merge "Use PRODUCT_SEPOLICY_SPLIT for full Treble." am: 4bf3b5e9 · 57578f57
  Steven Moreland authored 7 years ago
  
  am: 98827003 Change-Id: I6b117f659a1a2b7d890b8f771e6951b39f5100d2
  57578f57
- Merge "Add tracking bugs to denials" am: f5e53e0c · 9dc0c6b3
  Jeff Vander Stoep authored 7 years ago
  
  am: 50524539 Change-Id: I62855d053041c07261ec641b7057e2fdffadd1c9
  9dc0c6b3
- Merge "Use PRODUCT_SEPOLICY_SPLIT for full Treble." · 98827003
  Steven Moreland authored 7 years ago
  
  am: 4bf3b5e9 Change-Id: I3b40cbef5fe2920917fa60f34ef29e6d4d8d3a01
  98827003
- Merge "Add tracking bugs to denials" · 50524539
  Jeff Vander Stoep authored 7 years ago
  
  am: f5e53e0c Change-Id: I6145175790865e685e522514d72e6ae9da72a8f8
  50524539
- Merge "Use PRODUCT_SEPOLICY_SPLIT for full Treble." · 4bf3b5e9
  Treehugger Robot authored 7 years ago
  
  4bf3b5e9
- Merge "Add tracking bugs to denials" · f5e53e0c
  Treehugger Robot authored 7 years ago
  
  f5e53e0c
- Merge "update_verifier: neverallow access to 'sysfs' label." am: c33b4355 · c3290e25
  Tri Vo authored 7 years ago
  
  am: a44f5b6d Change-Id: I992a0c77c80725621449644d62a372c6b951ead7
  c3290e25
- Merge "update_verifier: neverallow access to 'sysfs' label." · a44f5b6d
  Tri Vo authored 7 years ago
  
  am: c33b4355 Change-Id: If95fcf51c8e582a75e2ad68ab64e84bdf09a13ad
  a44f5b6d