- Dec 05, 2017
-
-
android-build-prod (mdb) authored
Change-Id: Iac291d8654fa7a624e59c8110e518ae60ae61a9f
-
- Nov 30, 2017
-
-
Chad Brubaker authored
This restriction causes issues with dynamite. Since untrusted_v2_app was about enforcing this constraint, put installed v2 applications back into the normal untrusted_app domain.
CP from commit fe836817 & adapts for 8.0
Bug: 64806320
Bug: 69057841
Test: make cts
Change-Id: I3abf3ade64aaf689039a515de642759dd39ae6f7
-
- Jul 30, 2017
-
-
android-build-team Robot authored
release-request-19a01df8-c865-44eb-b62e-053635f9998d-for-git_oc-vts-release-4229236 snap-temp-L82900000087353736 Change-Id: I73c27dd639b84ec5538b4fe2baf14fcc4c8ff4b3
-
- Jul 27, 2017
-
-
Jeff Vander Stoep authored
Relax neverallow rule restricting binder access to/from netd so that netd can export hwbinder services to vendor components. Continue to disallow app access to netd via binder.
Bug: 36682246
Test: build
Merged-In: I8e558ea1add6c36b966ec1da204062ea82df3f3f
Change-Id: I063df6dded94d8b0f5214b2c94c4f46bdafb03d7
-
- Jun 26, 2017
-
-
Jeff Vander Stoep authored
Due to the massively increased number of attributes in SELinux policy as part of the treble changes, we have had to remove attributes from policy for performance reasons. Unfortunately, some attributes are required to be in policy to ensure that our neverallow rules are being properly enforced. Usually this is not a problem, since neverallow rules indicate that an attribute should be kept, but this is not currently the case when the attribute is part of a negation in a group. This is particularly problematic with treble since some attributes may exist for HALs that have no implementation, and thus no types.
In particular, this has caused an issue with the neverallows added in our macros. Add an extraneous neverallow rule to each of those auto-generated neverallow rules to make sure that they are not removed from policy, until the policy compiler is fixed to avoid this. Also add corresponding rules for other types which have been removed due to no corresponding rules.
Bug: 62658302
Bug: 62999603
Test: Build Marlin policy.
Test: verify attribute exists in policy using sepolicy-analyze.
    sepolicy-analyze $OUT/vendor/etc/selinux/precompiled_sepolicy \
    attribute hal_tetheroffload_server
Test: CTS neverallow tests pass.
    cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest
Change-Id: I62596ba8198ffdcbb4315df639a834e4becaf249
-
- Jun 22, 2017
-
-
TreeHugger Robot authored
-
- Jun 21, 2017
-
-
TreeHugger Robot authored
-
Sandeep Patil authored
This reverts commit 57e9946f.
Bug: 62616897
Test: choosecombo 1 aosp_arm64_ab userdebug; m -j 80
      The build should not break.
Signed-off-by: Sandeep Patil <sspatil@google.com>
-
Jeff Vander Stoep authored
The tetheroffload hal must be able to use network sockets as part of its job.
Bug: 62870833
Test: neverallow-only change builds.
Change-Id: I630b36340796a5ecb5db08e732b0978dd82835c7
-
Dan Cashman authored
Same-process HALs are forbidden except for very specific HALs that have been provided and whitelisted by AOSP. As a result, a vendor extension HAL may have a need to be accessed by untrusted_app. This is still discouraged, and the existing AOSP hwservices are still forbidden, but remove the blanket prohibition. Also indicate that this is temporary, and that partners should expect to get exceptions to the rule into AOSP in the future.
Bug: 62806062
Test: neverallow-only change builds. Verify new attribute is in policy.
Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832
-
- Jun 20, 2017
-
-
Yabin Cui authored
This is to allow commands like `adb shell run-as ...`.
Bug: http://b/62358246
Test: run commands manually.
Change-Id: I7bb6c79a6e27ff1224a80c6ddeffb7f27f492bb2
(cherry picked from commit 1847a38b)
-
- Jun 16, 2017
-
-
TreeHugger Robot authored
-
TreeHugger Robot authored
-
Daniel Rosenberg authored
This adds parallel rules to the ones added for media_rw_data_file to allow apps to access vfat under sdcardfs. This should be reverted if sdcardfs is modified to alter the secontext it used for access to the lower filesystem
Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65
Bug: 62584229
Test: Run android.appsecurity.cts.ExternalStorageHostTest with an external card formatted as vfat
Signed-off-by: Daniel Rosenberg <drosen@google.com>
-
Dan Cashman authored
Due to the massively increased number of attributes in SELinux policy as part of the treble changes, we have had to remove attributes from policy for performance reasons. Unfortunately, some attributes are required to be in policy to ensure that our neverallow rules are being properly enforced. Usually this is not a problem, since neverallow rules indicate that an attribute should be kept, but this is not currently the case when the attribute is part of a negation in a group. This is particularly problematic with treble since some attributes may exist for HALs that have no implementation, and thus no types.
In particular, this has caused an issue with the neverallows added in our macros. Add an extraneous neverallow rule to each of those auto-generated neverallow rules to make sure that they are not removed from policy, until the policy compiler is fixed to avoid this. Also add corresponding rules for other types which have been removed due to no corresponding rules.
Bug: 62591065
Bug: 62658302
Test: Attributes present in policy and CTS passes. sepolicy-analyze also works on platform-only policy.
Change-Id: Ic3fc034cdbd04a94167f8240cf562297e8d7c762
-
Sandeep Patil authored
* changes:
  build: run neverallow checks on platform sepolicy
  radio: disallow radio and rild socket for treble devices
-
- Jun 14, 2017
-
-
Carmen Jackson authored
Now that we're expected to use this when taking traces, we need to add this permission so that Traceur can also access this file.
Test: Used Traceur and saw the traces appear in the bugreports directory, as expected.
Bug: 62493544
Change-Id: Ib4304176abbb51e2e3b45c566ff14574e1cfaa82
Merged-In: I464b0df30fabfc5f1c7cd7430e53e8d04bfacb53
(this merged-in is not the same change; it's a conflicting change in master)
-
Sandeep Patil authored
This will prevent us from breaking our own neverallow rules in the platform sepolicy regardless of vendor policy adding exceptions to the neverallow rules using "*_violators" attributes
Bug: 62616897
Bug: 62343727
Test: Build policy for sailfish
Test: Build policy with radio to rild socket rule enabled for all and ensure the build fails
Change-Id: Ic66ec3e10c76a7c9a17669e0d3deb3a1c7b00809
Signed-off-by: Sandeep Patil <sspatil@google.com>
-
Sandeep Patil authored
This violates the socket comms ban between coredomain (radio) and non coredomain (rild) in the platform policy.
Bug: 62616897
Bug: 62343727
Test: Build and boot sailfish
Change-Id: I48303bbd8b6eb62c120a551d0f584b9733fc2d43
Signed-off-by: Sandeep Patil <sspatil@google.com>
-
- Jun 13, 2017
-
-
Jeff Vander Stoep authored
[ 7.674739] selinux: selinux_android_file_context: Error getting file context handle (No such file or directory)
Bug: 62564629
Test: build and flash marlin. Successfully switch between regular and recovery modes
Change-Id: I0f871f8842d95322c844fb7b13ad1b4b42578e35
-
- Jun 10, 2017
-
-
Jeff Vander Stoep authored
This change is primarily to fix CTS which checks file ordering of file_contexts. Having two separate means of loading file_contexts has resulted in ordering variations.
Previously the binary file_contexts was preferred since it loaded faster. However with the move to libpcre2, there is no difference in loading time between text and binary file_contexts. This leaves us with build system complexity with no benefit. Thus removing this unnecessary difference between devices.
Bug: 38502071
Test: build and boot non-Treble Bullhead, run CTS tests below
Test: build and boot Treble Marlin, run CTS tests below
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testAospFileContexts
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testValidFileContexts
Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1
-
- Jun 06, 2017
-
-
TreeHugger Robot authored
-
Josh Gao authored
It appears that selinux requires the write permission to receive a writable pipe from dumpstate, for unclear reasons. Add the permission for now.
Bug: http://b/62297059
Test: dumpstate
Merged-In: I0f25682177115aacd5c2203ddc0008228b0380ad
Change-Id: I0f25682177115aacd5c2203ddc0008228b0380ad
(cherry picked from commit 7aa08523)
-
Jeff Vander Stoep authored
On Marlin ~120 ms of time is spent relabeling /sys/devices/system/cpu every time we come out of suspend. Moving from file_contexts to genfs_contexts as the labeling mechanism knocks this down to ~3 ms.
Bug: 32938130
Test: build and boot Marlin. Verify that files in /sys/devices/system/cpu have the proper label before and after suspend.
Change-Id: Ie71ea7e3dd5df250cabe4ba9600afbf67e69f720
-
- Jun 05, 2017
-
-
Jeff Vander Stoep authored
Bug: 37008075
Test: build policy on Marlin
Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544
(cherry picked from commit e1ddc6df)
-
Sandeep Patil authored
modprobe domain was allowed to launch vendor toolbox even if it's a coredomain. That violates the treble separation. Fix that by creating a separate 'vendor_modprobe' domain that init is allowed to transition to through vendor_toolbox.
Bug: 37008075
Test: Build and boot sailfish
Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 9e366a0e)
-
Jeff Vander Stoep authored
With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We need tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts.
Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules:
1. Domain's entrypoint is on /system - coredomain
2. Domain's entrypoint is on /vendor - not coredomain
3. Domain belongs to a whitelist of known coredomains - coredomain
In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS.
Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \
    treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \
    -f $OUT/vendor/etc/selinux/nonplat_file_contexts \
    -f $OUT/system/etc/selinux/plat_file_contexts
Bug: 37008075
Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9
(cherry picked from commit 0366afdf)
-
- Jun 03, 2017
-
-
Josh Gao authored
-
- Jun 02, 2017
-
-
Josh Gao authored
Bug: http://b/62297059
Test: mma
Merged-In: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
Change-Id: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
(cherry picked from commit 17885f14)
-
- Jun 01, 2017
-
-
TreeHugger Robot authored
-
TreeHugger Robot authored
-
TreeHugger Robot authored
-
Steve Muckle authored
Modprobe requires this permission or the following denial will prevent loading of signed kernel modules:
audit: type=1400 audit(27331649.656:4): avc: denied { search } for pid=448 comm="modprobe" scontext=u:r:modprobe:s0 tcontext=u:r:kernel:s0 tclass=key permissive=0
Bug: 62256697
Test: Verified signed module loading on sailfish.
Change-Id: Idde41d1ab58e760398190d6686665a252f1823bb
-
- May 31, 2017
-
-
Andrew Scull authored
This is sometimes used for communication with the bootloader.
Bug: 62052545
Test: Build
Change-Id: I3ae37793407719e55ab0830129aa569c9018f7da
-
Andrew Scull authored
Bug: 38232801
Test: Build
Change-Id: Iccc16430e7502bb317f95bb2a5e2f021d8239a00
-
Andrew Scull authored
Bug: 38233550
Test: Build
Change-Id: I7c2105d5f215a60a611110640afff25fc3403559
-
- May 30, 2017
-
-
Chad Brubaker authored
Bug: 62102558
Test: see b/62102558
Change-Id: If80d1270bcf6835e6d1a78e2176c3e139cebd174
-
- May 26, 2017
-
-
TreeHugger Robot authored
* changes:
  Restrict BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to one dir.
  Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS
-
- May 25, 2017
-
-
Andy Hung authored
-
TreeHugger Robot authored
-