Commits · b00ceab6760a7f76c48699b8de241f4838047317 · Werner Sembach / AndroidSystemSEPolicy

Apr 06, 2017
- Merge "Allow wificond to find permission" into oc-dev am: 705a3d0b · b00ceab6
  Ningyuan Wang authored 7 years ago
  
  am: 84674b7e Change-Id: I17c3df373607889b0ce1fa9cbda16346298e3ca9
  b00ceab6
- Merge "Allow wificond to find permission" into oc-dev · 84674b7e
  Ningyuan Wang authored 7 years ago
  
  am: 705a3d0b Change-Id: I3b934fc0fb674051c8227b2a6f405e454ff9fa42
  84674b7e
- Merge "Allow wificond to find permission" into oc-dev · 705a3d0b
  Ningyuan Wang authored 7 years ago
  
  705a3d0b
- Merge "Wifi Keystore HAL is not a HAL" into oc-dev am: 7c3dbfeb · 195d569c
  Alex Klyubin authored 7 years ago
  
  am: ec9209be Change-Id: I4162ad407b058de775089b003f6a9227db379154
  195d569c
- Merge "Wifi Keystore HAL is not a HAL" into oc-dev · ec9209be
  Alex Klyubin authored 7 years ago
  
  am: 7c3dbfeb Change-Id: I5480d47059b876ceffdf029ea14f6480516b43ef
  ec9209be
- Merge "Wifi Keystore HAL is not a HAL" into oc-dev · 7c3dbfeb
  Alex Klyubin authored 7 years ago
  
  7c3dbfeb
- Merge "hwservicemanager is not a HAL" into oc-dev am: cfcffa9a · 482fb3a0
  Alex Klyubin authored 7 years ago
  
  am: 0f7e68bf Change-Id: I9120edc34036ab7f347d0ae27d99dc62aebab5c5
  482fb3a0
- Merge "hwservicemanager is not a HAL" into oc-dev · 0f7e68bf
  Alex Klyubin authored 7 years ago
  
  am: cfcffa9a Change-Id: I5979d4ea8a54944a7762cee2db04a078d0bd66bd
  0f7e68bf
- Merge "hwservicemanager is not a HAL" into oc-dev · cfcffa9a
  TreeHugger Robot authored 7 years ago
  
  cfcffa9a
- Merge changes from topic 'vendor-ocdev-relabel' into oc-dev am: 37792cec · 9954cb61
  Sandeep Patil authored 7 years ago
  
  am: 6d2e29c1 Change-Id: I130f42e045695b3c08d25f4ba287a35c4687d8c1
  9954cb61
- Sepolicy: Add ASAN-Extract am: 82071b68 · d0b1a96b
  Andreas Gampe authored 7 years ago
  
  am: ea26683e -s ours Change-Id: Id2a557022bfee400839784f2ae8623cea53fced9
  d0b1a96b
- Merge changes from topic 'vendor-ocdev-relabel' into oc-dev · 6d2e29c1
  Sandeep Patil authored 7 years ago
  
  am: 37792cec Change-Id: I469f6de852f10515148ef824c85ff2febf31322e
  6d2e29c1
- Sepolicy: Add ASAN-Extract · ea26683e
  Andreas Gampe authored 7 years ago
  
  am: 82071b68 Change-Id: Ia3bd034033f82aaed63b173e5205e7449e2743ef
  ea26683e
- Merge changes from topic 'vendor-ocdev-relabel' into oc-dev · 37792cec
  TreeHugger Robot authored 7 years ago
  
  * changes: sepolicy: relabel /vendor Sepolicy: Add ASAN-Extract
  37792cec
- Merge changes from topic 'ipsec-svc-pick' into oc-dev am: 516c9abf · 964272b1
  Nathan Harold authored 7 years ago
  
  am: 73747426 Change-Id: I6520c8c1c89ce0ce6c6165822e63c672290c9ad0
  964272b1
- Update Common NetD SEPolicy to allow Netlink XFRM am: 63a93156 · 98df8577
  Nathan Harold authored 7 years ago
  
  am: ca7c99ed Change-Id: I01ebaeb50ce10a1114ffc9a30999640bc86ff368
  98df8577
- Merge changes from topic 'ipsec-svc-pick' into oc-dev · 73747426
  Nathan Harold authored 7 years ago
  
  am: 516c9abf Change-Id: I59f1abcdb1f7184fc795c2164a5799e7ff7f4772
  73747426
- Update Common NetD SEPolicy to allow Netlink XFRM · ca7c99ed
  Nathan Harold authored 7 years ago
  
  am: 63a93156 Change-Id: I26a67ce475de966ec979cf4dfddd8b3210802552
  ca7c99ed
- Merge changes from topic 'ipsec-svc-pick' into oc-dev · 516c9abf
  Nathan Harold authored 7 years ago
  
  * changes: Add IpSecService SEPolicy Update Common NetD SEPolicy to allow Netlink XFRM
  516c9abf
Apr 05, 2017

Sandeep Patil authored 7 years ago


The CL splits /vendor labeling from /system. Which was allowing all
processes read, execute access to /vendor.

Following directories will remain world readable
 /vendor/etc
 /vendor/lib(64)/hw/

Following are currently world readable but their scope
will be minimized to platform processes that require access
 /vendor/app
 /vendor/framework/
 /vendor/overlay

Files labelled with 'same_process_hal_file' are allowed to be
read + executed from by the world. This is for Same process HALs and
their dependencies.

Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803

All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
      current location, take pictures and record video in camera,
      playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass

Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>

277a20eb

Sepolicy: Add ASAN-Extract · 82071b68

Andreas Gampe authored 8 years ago

Add selinux policies for init script and shell script to unzip a tar
containing ASAN libraries on boot.

Bug: 36458146
Test: m && m SANITIZE_TARGET=address
Test: manual (build steps for tar missing)
Change-Id: I5c3cb233aae93ee9985431090af902b0e3c1b0a7
(cherry picked from commit 0b743050)
Merged-In: I5c3cb233aae93ee9985431090af902b0e3c1b0a7

82071b68

Merge "Remove unnecessary adbd permissions." into oc-dev am: 6821bb40 · 360f9460
Steven Moreland authored 7 years ago
```
am: 67b66f99

Change-Id: I0bc8e8e3c29a312a7ac9d07154aaab0dc1965809
```
360f9460
Merge "Remove unnecessary adbd permissions." into oc-dev · 67b66f99
Steven Moreland authored 7 years ago
```
am: 6821bb40

Change-Id: I90f1ae5f671cbf7bcdcab728dd0bfac673f95050
```
67b66f99
Merge "Remove unnecessary adbd permissions." into oc-dev · 6821bb40
TreeHugger Robot authored 7 years ago

6821bb40

Remove unnecessary adbd permissions. · 97848f05

Steven Moreland authored 7 years ago

Test: adbd_test (with and without adb root)
  Note: one test fails without root with and without this change
        because of an unrelated shell selinux denial.
Test: adb screencap, pull, and verify
Test: Android Studio screenshot
Bug: 36643190
Change-Id: Ib534240bc9bb3a1f32b8865ca66db988902a0f4a

97848f05

Merge "Fix lock logspam and remove domain_deprecated rule" into oc-dev am: 6f108fd8 · f3ecd2be
Nick Kralevich authored 7 years ago
```
am: a2bc090b

Change-Id: I4e765f5c2adb3cc40253fde80f89bd40f02c53e4
```
f3ecd2be
Merge "Fix lock logspam and remove domain_deprecated rule" into oc-dev · a2bc090b
Nick Kralevich authored 7 years ago
```
am: 6f108fd8

Change-Id: I98a793c05260b9f469902c17375693ef7c68b238
```
a2bc090b
Merge "Fix lock logspam and remove domain_deprecated rule" into oc-dev · 6f108fd8
Nick Kralevich authored 7 years ago

6f108fd8
Merge "Allow update_verifier to reboot the device" into oc-dev am: c0e6cb58 · 954cd472
Tianjie Xu authored 7 years ago
```
am: 2b7497cb

Change-Id: I816467bfef3499d80b8561e8c02e4dd06d1e1f02
```
954cd472
Merge "Allow update_verifier to reboot the device" into oc-dev · 2b7497cb
Tianjie Xu authored 7 years ago
```
am: c0e6cb58

Change-Id: If2cc73c4f4b14fb46273b97aae151e735ccddaa0
```
2b7497cb
Merge "Allow update_verifier to reboot the device" into oc-dev · c0e6cb58
TreeHugger Robot authored 7 years ago

c0e6cb58

Fix lock logspam and remove domain_deprecated rule · 4a580cca

Nick Kralevich authored 7 years ago

Remove system_file:file { lock ioctl } from domain_deprecated. The only
domains triggering this were dex2oat and netd, which are fixed in this
change.

Addresses the following logspam similar to:

  avc: granted { lock } for comm="iptables"
  path="/system/etc/xtables.lock" dev="sda22" ino=3745
  scontext=u:r:netd:s0 tcontext=u:object_r:system_file:s0 tclass=file

  avc: granted { lock } for comm="dex2oat"
  path="/system/framework/arm/boot-okhttp.art" dev="dm-0" ino=1295
  scontext=u:r:dex2oat:s0 tcontext=u:object_r:system_file:s0 tclass=file

Test: device boots and no obvious problems.
Bug: 28760354
Bug: 36879751
Change-Id: Iac851c0e49a52ce4000fdfe16e68c17ff819693f

4a580cca

Merge "Remove hal_binderization_prop" into oc-dev am: ccbea503 · 3d65d250
Steven Moreland authored 7 years ago
```
am: a8d690f8

Change-Id: I2c6b178f6f05f67f32fb1f47845ea5993ea3d638
```
3d65d250

Apr 04, 2017
- Merge "Remove hal_binderization_prop" into oc-dev · a8d690f8
  Steven Moreland authored 7 years ago
  
  am: ccbea503 Change-Id: I55fab2ec9b63c5d9393bd18d9c340030ee9f1cc5
  a8d690f8
- Allow wificond to find permission · 9282ef6b
  Ningyuan Wang authored 7 years ago
  
  This is used for wificond to check if it is allowed to dump logs. Bug: 31336376 Test: compile, manual test Change-Id: I8a1b681255398f9a1f2cf79fd0891e58283aa747
  9282ef6b
- Merge "Remove hal_binderization_prop" into oc-dev · ccbea503
  TreeHugger Robot authored 7 years ago
  
  ccbea503
- Merge "Allow hal_sensors to use ashmem from android.hidl.allocator" into oc-dev am: abaf415c · 16261399
  Yifan Hong authored 7 years ago
  
  am: 56f8a1a7 Change-Id: I71034e92a0d9f982756611675b60eeacca5cd8ff
  16261399
- Merge "Allow hal_sensors to use ashmem from android.hidl.allocator" into oc-dev · 56f8a1a7
  Yifan Hong authored 7 years ago
  
  am: abaf415c Change-Id: I89396424e62a09f8e111212b920fc0897b6a517e
  56f8a1a7
- Merge "tee no longer violates the socket comms ban" into oc-dev am: e311d669 · c4e4eef7
  Alex Klyubin authored 7 years ago
  
  am: 8e7b0763 Change-Id: I90e02a9387f4efa001454be7c4351e10c92ae7f9
  c4e4eef7
- Merge "Allow hal_sensors to use ashmem from android.hidl.allocator" into oc-dev · abaf415c
  TreeHugger Robot authored 7 years ago
  
  abaf415c