Commits · c1753b7a14f53807d91f37f609ed0bd5323cf952 · Werner Sembach / AndroidSystemSEPolicy

Apr 03, 2018

Remove deprecated tagSocket() permissions · c1753b7a
Jeff Vander Stoep authored 6 years ago
```
am: 0d1e52a5

Change-Id: I82c95f1fa1494d6b380823c4fd4436081e62bea0
```
c1753b7a

Remove deprecated tagSocket() permissions · 0d1e52a5

tagSocket() now results in netd performing these actions on behalf
of the calling process.

Remove direct access to:
/dev/xt_qtaguid
/proc/net/xt_qtaguid/ctrl

Bug: 68774956
Test: -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
    -m CtsNativeNetTestCases
Test: stream youtube, browse chrome
Test: go/manual-ab-ota
Change-Id: I6a044f304c3ec4e7c6043aebeb1ae63c9c5a0beb

0d1e52a5

Apr 02, 2018

Merge "Allow vendor_init_settable for persist.sys.sf.native_mode" · 27aa211d
Jaekyun Seok authored 6 years ago
```
am: f22c062c

Change-Id: I1c1a4c68adb49113ef6b6ff95326de8cb2ce8e25
```
27aa211d
Merge "Allow vendor_init_settable for persist.sys.sf.native_mode" · f22c062c
Treehugger Robot authored 6 years ago

f22c062c
Selinux: Fix perfprofd policy · bd81409f
Andreas Gampe authored 6 years ago
```
am: c8fe29ff

Change-Id: I70261798153c0151aa04f64064e58edb81e87805
```
bd81409f
Reland "Allow dexopt to follow /odm/lib(64) symlinks."" · ee92ff78
Jiyong Park authored 6 years ago
```
am: a6d9d6b6

Change-Id: If482dd99535d544fa39e287ed5787aa156dcac56
```
ee92ff78

Selinux: Fix perfprofd policy · c8fe29ff

Andreas Gampe authored 6 years ago

Update for debugfs labeling changes.

Update for simpleperf behavior with stack traces (temp file).

Bug: 73175642
Test: m
Test: manual - run profiling, look for logs
Change-Id: Ie000a00ef56cc603f498d48d89001f566c03b661

c8fe29ff

Allow vendor_init_settable for persist.sys.sf.native_mode · 0dc35873

Jaekyun Seok authored 6 years ago

A default value of persist.sys.sf.native_mode could be set by SoC
partners in some devices including some pixels.
So it should have vendor_init_settable accessibility.

Bug: 74266614
Test: succeeded building and tested with a pixel device with
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE=true.

Change-Id: I5d7a029f82505983d21dc722541fb55761a8714d

0dc35873

Reland "Allow dexopt to follow /odm/lib(64) symlinks."" · a6d9d6b6

Jiyong Park authored 6 years ago

This reverts commit 942500b9.

Bug: 75287236
Test: boot a device
Change-Id: If81a2d2a46979ffbd536bb95528c3b4ebe3483df

a6d9d6b6

Mar 31, 2018
- Merge "Update sepolicy to have system_server access stats_data" · 7718295a
  yro authored 6 years ago
  
  am: 8b11302e Change-Id: Iaed05ea224d163f69047ef9ffd4053e2abe03e6f
  7718295a
- Merge "Update sepolicy to have system_server access stats_data" · 8b11302e
  Treehugger Robot authored 6 years ago
  
  8b11302e
Mar 30, 2018
- Merge "Allow incidentd to read LAST_KMSG only for userdebug builds" · 1bcbab21
  Yi Jin authored 6 years ago
  
  am: 855c6c16 Change-Id: I0da863030a919dbd4f6f9591edc0f74d88357b02
  1bcbab21
- Merge "Allow incidentd to read LAST_KMSG only for userdebug builds" · 855c6c16
  Treehugger Robot authored 6 years ago
  
  855c6c16
- Update sepolicy to have system_server access stats_data · 36dd2a41
  yro authored 6 years ago
  
  Test: manually tested to prevent sepolicy violation Change-Id: I9ebcc86464a9fc61a49d5c9be40f19f3523b6785
  36dd2a41
- Merge "Allow netutils_wrapper to use pinned bpf program" · 4a0c24ed
  Chenbo Feng authored 6 years ago
  
  am: 4fb1a145 Change-Id: Idc53868180280f2710d75dacb42918f6e27599a7
  4a0c24ed
- Merge "Allow netutils_wrapper to use pinned bpf program" · 4fb1a145
  Treehugger Robot authored 6 years ago
  
  4fb1a145
- Merge "Test frozen sepolicy has not diverged from prebuilts." · 654134a4
  Tri Vo authored 6 years ago
  
  am: 8cafb58a Change-Id: Iedffb50a6cdbc0fd84169f15e0fddb19b476aeff
  654134a4
- Allow incidentd to read LAST_KMSG only for userdebug builds · 76238cd4
  Yi Jin authored 6 years ago
  
  Bug: 73354384 Test: manual Change-Id: Iaaeded69c287eae757aaf68dc18bc5a0c53b94e6
  76238cd4
- Merge "Test frozen sepolicy has not diverged from prebuilts." · 8cafb58a
  Treehugger Robot authored 6 years ago
  
  8cafb58a
- SELinux changes for I/O tracing. · bf456fa7
  Florian Mayer authored 6 years ago
  
  am: 9fcf22bb Change-Id: Ic61e460916a6bd07c117367d240e8883f4ca1fa2
  bf456fa7
- Label /proc/sys/kernel/sched_schedstats. · c4201260
  Joel Galenson authored 6 years ago
  
  am: 4b625e4a Change-Id: Iee12d5e7573c0681b4adba682085ceb3cc26e0ee
  c4201260
- SELinux changes for I/O tracing. · 9fcf22bb
  Florian Mayer authored 7 years ago
  
  See also go/perfetto-io-tracing-security. * Grant CAP_DAC_READ_SEARCH to traced_probes. * Allow traced_probes to list selected labels. * Change ext4 and f2fs events to be available on user builds. Bug: 74584014 Change-Id: I891a0209be981d760a828a69e4831e238248ebad
  9fcf22bb
Mar 29, 2018

Test frozen sepolicy has not diverged from prebuilts. · 81198bb8

Tri Vo authored 7 years ago

This will test that system/sepolicy/{public/, private/} are identical to
prebuilts if PLATFORM_SEPOLICY_VERSION is not 10000.0.

Bug: 74622750
Test: build policy
Test: correctly catches divergence from prebuilts for frozen policies

Change-Id: I2fa14b672544a021c2d42ad5968dfbac21b72f6a

81198bb8

Label /proc/sys/kernel/sched_schedstats. · 4b625e4a

Joel Galenson authored 6 years ago

This allows init to write to it, which it does for atrace.

Bug: 72643420
Test: Boot two devices, observe no denials, test atrace.
Change-Id: I6810e5dcdfaff176bd944317e66d4fe612ccebed
(cherry picked from commit dce07413)

4b625e4a

Merge "Remove unused dalvik.vm.stack-trace-dir." · 6bf3198e
Elliott Hughes authored 6 years ago
```
am: 242399a1

Change-Id: I62e7477947cb7e8f7210aaeb0740c969cadfa8d7
```
6bf3198e
Merge "Remove unused dalvik.vm.stack-trace-dir." · 242399a1
Elliott Hughes authored 6 years ago

242399a1
Merge "Suppress harmless denials for file creation in cgroupfs." · 7d39a531
Alan Stokes authored 6 years ago
```
am: 9a76c280

Change-Id: I7a6b5de668d06fe709a0ae922623fcc76474de12
```
7d39a531
Merge "Suppress harmless denials for file creation in cgroupfs." · 9a76c280
Treehugger Robot authored 6 years ago

9a76c280
Merge "Test that /proc files have proc_type attribute." · ec35668f
Tri Vo authored 6 years ago
```
am: 2c36eb6d

Change-Id: If078058751c8a5f88a93012350a11159d8d6839b
```
ec35668f
Merge "Test that /proc files have proc_type attribute." · 2c36eb6d
Treehugger Robot authored 6 years ago

2c36eb6d
Merge "Improve neverallows on /proc and /sys" · 86b51f42
Jeff Vander Stoep authored 6 years ago
```
am: 4bdefb59

Change-Id: I175b06b26a82859425a853d270d61dcf021b37dc
```
86b51f42

Allow netutils_wrapper to use pinned bpf program · 2623ebcf

Chenbo Feng authored 6 years ago

The netutils_wrapper is a process used by vendor code to update the
iptable rules on devices. When it update the rules for a specific chain.
The iptable module will reload the whole chain with the new rule. So
even the netutils_wrapper do not need to add any rules related to xt_bpf
module, it will still reloading the existing iptables rules about xt_bpf
module and need pass through the selinux check again when the rules are
reloading. So we have to grant it the permission to reuse the pinned
program in fs_bpf when it modifies the corresponding iptables chain so
the vendor module will not crash anymore.

Test: device boot and no more denials from netutils_wrapper
Bug: 72111305
Change-Id: I62bdfd922c8194c61b13e2855839aee3f1e349be

2623ebcf

Suppress harmless denials for file creation in cgroupfs. · 832a7042

Alan Stokes authored 7 years ago

The kernel generates file creation audits when O_CREAT is passed even
if the file already exists - which it always does in the cgroup cases.

We add neverallow rules to prevent mistakenly allowing unnecessary
create access. We also suppress these denials, which just add noise to
the log, for the more common culprits.

Bug: 72643420
Bug: 74182216

Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc
(cherry picked from commit 92c149d0)

832a7042

Merge "Improve neverallows on /proc and /sys" · 4bdefb59
Treehugger Robot authored 6 years ago

4bdefb59
Merge "Stop O_CREAT logspam in permissive mode." · 2d5129aa
Alan Stokes authored 6 years ago
```
am: 2446a665

Change-Id: I54c7013a909ef4dd35a47c616f32679cdc77f31d
```
2d5129aa
Merge "Stop O_CREAT logspam in permissive mode." · 2446a665
Treehugger Robot authored 6 years ago

2446a665
Merge "Hide some denials." · b1eb9dff
Joel Galenson authored 6 years ago
```
am: 9935362c

Change-Id: Id65a9b5932b3c076ffa8ec189efe5877b12663f4
```
b1eb9dff
Merge "Hide some denials." · 9935362c
Treehugger Robot authored 6 years ago

9935362c

Stop O_CREAT logspam in permissive mode. · 19425d3e

Alan Stokes authored 7 years ago

In permissive mode we get more spurious denials when O_CREAT is used
with an already-existing file. They're harmless so we don't need to
audit them.

Example denials:
denied { add_name } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
denied { create } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1

Bug: 72643420
Bug: 74182216

Test: Device boots, denials gone.
Change-Id: I54b1a0c138ff5167f1d1d12c4b0b9e9afaa5bca0
(cherry picked from commit 7d4294cb)

19425d3e

Test that /proc files have proc_type attribute. · 4c80c2ca
Tri Vo authored 6 years ago
```
Bug: 74182216
Change-Id: Ia1c6b67ac93ed6e88c50c1527b48275365bf5fd5
Test: build policy
```
4c80c2ca