Commits · cb18d37d221f0c51cdf9b31ca2d0c355319de347 · Werner Sembach / AndroidSystemSEPolicy

Apr 06, 2017
- Merge "Add reverse-attribute mapping to sepolicy-analyze." into oc-dev am: 38416182 · cb18d37d
  Dan Cashman authored 7 years ago
  
  am: c01e5a13 Change-Id: I700030a34443305af955a6153921447024a90d4f
  cb18d37d
- Merge "Add reverse-attribute mapping to sepolicy-analyze." into oc-dev · c01e5a13
  Dan Cashman authored 7 years ago
  
  am: 38416182 Change-Id: I9e08b187ccad4f4263de54aae1248b1691aa7d08
  c01e5a13
- Merge "Add reverse-attribute mapping to sepolicy-analyze." into oc-dev · 38416182
  TreeHugger Robot authored 7 years ago
  
  38416182
- Merge "Add new classes and types for (hw|vnd)servicemanager." into oc-dev am: 133a9c41 · d790d245
  Martijn Coenen authored 7 years ago
  
  am: 3dca6eb2 Change-Id: I84eb61aad4ac9a27fd804abaae3830c6a8ced97b
  d790d245
- Merge "Add new classes and types for (hw|vnd)servicemanager." into oc-dev · 3dca6eb2
  Martijn Coenen authored 7 years ago
  
  am: 133a9c41 Change-Id: I2991bcea9893c2b9cd2b320e4ef1b071126f133e
  3dca6eb2
- Merge "logcatd: introduce logcatd executable" into oc-dev am: dd9ba982 · d0e3c491
  Mark Salyzyn authored 7 years ago
  
  am: 9c6a2447 Change-Id: I18cf57e51df23efe6be2bcedcc46437bda2f77ed
  d0e3c491
- Merge "Move mapping_sepolicy.cil to /system partition." into oc-dev am: a902511f · b1bdb555
  Dan Cashman authored 7 years ago
  
  am: bc9e17bb Change-Id: I4a5643d0725b76afeb191ba121556a1e95fc3771
  b1bdb555
- Merge "Add new classes and types for (hw|vnd)servicemanager." into oc-dev · 133a9c41
  Martijn Coenen authored 7 years ago
  
  133a9c41
- Merge "logcatd: introduce logcatd executable" into oc-dev · 9c6a2447
  Mark Salyzyn authored 7 years ago
  
  am: dd9ba982 Change-Id: I5f0a5d7e8dd238f2f105bfac101897c1fda7aa44
  9c6a2447
- Merge "logcatd: introduce logcatd executable" into oc-dev · dd9ba982
  Mark Salyzyn authored 7 years ago
  
  dd9ba982
- Merge "Move mapping_sepolicy.cil to /system partition." into oc-dev · bc9e17bb
  Dan Cashman authored 7 years ago
  
  am: a902511f Change-Id: Idb05d766da22a1f52252e27f632af49928779987
  bc9e17bb
- Merge "Move mapping_sepolicy.cil to /system partition." into oc-dev · a902511f
  TreeHugger Robot authored 7 years ago
  
  a902511f
- Merge "Allow wificond to find permission" into oc-dev am: 705a3d0b · b00ceab6
  Ningyuan Wang authored 7 years ago
  
  am: 84674b7e Change-Id: I17c3df373607889b0ce1fa9cbda16346298e3ca9
  b00ceab6
- Add new classes and types for (hw|vnd)servicemanager. · bc6d88d2
  Martijn Coenen authored 7 years ago
  
  Bug: 34454312 Bug: 36052864 Test: device boots, works Change-Id: If61d9b736a74c5944cef4449de4dfbaf78d9ccfa
  bc6d88d2
- Merge "Allow wificond to find permission" into oc-dev · 84674b7e
  Ningyuan Wang authored 7 years ago
  
  am: 705a3d0b Change-Id: I3b934fc0fb674051c8227b2a6f405e454ff9fa42
  84674b7e
- Merge "Allow wificond to find permission" into oc-dev · 705a3d0b
  Ningyuan Wang authored 7 years ago
  
  705a3d0b
- Move mapping_sepolicy.cil to /system partition. · 0e9c47c0
  Dan Cashman authored 7 years ago
  
  This is a necessary first step to finalizing the SELinux policy build process. The mapping_sepolicy.cil file is required to provide backward compatibility with the indicated vendor-targeted version. This still needs to be extended to provide N mapping files and corresponding SHA256 outputs, one for each of the N previous platform versions with which we're backward-compatible. Bug: 36783775 Test: boot device with matching sha256 and non-matching and verify that device boots and uses either precompiled or compiled policy as needed. Also verify that mapping_sepolicy.cil has moved. Change-Id: I5692fb87c7ec0f3ae9ca611f76847ccff9182375
  0e9c47c0
- Add reverse-attribute mapping to sepolicy-analyze. · 3a68bd16
  Dan Cashman authored 7 years ago
  
  sepolicy-analyze allows users to see all types that have a given attribute, but not the reverse case: all attributes of a given type. Add a '--reverse' option which enables this, but keeps the previous interface. Usage: sepolicy-analyze sepolicy attribute -r init Bug: 36508258 Test: Build and run against current policy. (cherry picked from commit d444ebed) Change-Id: I9813ebf61d50fb5abbc8e52be4cf62751979bbd4
  3a68bd16
- logcatd: introduce logcatd executable · 36f2eb20
  Mark Salyzyn authored 7 years ago
  
  logcatd is the same as logcat, except that the -L flag, if supplied, runs once, then the command re-runs itself without the -L flag with the same argument set. By introducing a logcatd daemon executable we can solve the problem of the longish reads from pstore that sometimes occur when the system is excessively busy spinning in a foreground task starving this daemon as we absorb the delay in an init service, rather than in an init exec. This would not have been efficiently possible without the introduction of liblogcat. Test: gTest logcat-unit-tests Test: Manual check logpersist operations Bug: 28788401 Bug: 30041146 Bug: 30612424 Bug: 35326290 Change-Id: I3454bad666c66663f59ae03bcd72e0fe8426bb0a
  36f2eb20
- Merge "Wifi Keystore HAL is not a HAL" into oc-dev am: 7c3dbfeb · 195d569c
  Alex Klyubin authored 7 years ago
  
  am: ec9209be Change-Id: I4162ad407b058de775089b003f6a9227db379154
  195d569c
- Merge "Wifi Keystore HAL is not a HAL" into oc-dev · ec9209be
  Alex Klyubin authored 7 years ago
  
  am: 7c3dbfeb Change-Id: I5480d47059b876ceffdf029ea14f6480516b43ef
  ec9209be
- Merge "Wifi Keystore HAL is not a HAL" into oc-dev · 7c3dbfeb
  Alex Klyubin authored 7 years ago
  
  7c3dbfeb
- Merge "hwservicemanager is not a HAL" into oc-dev am: cfcffa9a · 482fb3a0
  Alex Klyubin authored 7 years ago
  
  am: 0f7e68bf Change-Id: I9120edc34036ab7f347d0ae27d99dc62aebab5c5
  482fb3a0
- Merge "hwservicemanager is not a HAL" into oc-dev · 0f7e68bf
  Alex Klyubin authored 7 years ago
  
  am: cfcffa9a Change-Id: I5979d4ea8a54944a7762cee2db04a078d0bd66bd
  0f7e68bf
- Merge "hwservicemanager is not a HAL" into oc-dev · cfcffa9a
  TreeHugger Robot authored 7 years ago
  
  cfcffa9a
- Merge changes from topic 'vendor-ocdev-relabel' into oc-dev am: 37792cec · 9954cb61
  Sandeep Patil authored 7 years ago
  
  am: 6d2e29c1 Change-Id: I130f42e045695b3c08d25f4ba287a35c4687d8c1
  9954cb61
- Sepolicy: Add ASAN-Extract am: 82071b68 · d0b1a96b
  Andreas Gampe authored 7 years ago
  
  am: ea26683e -s ours Change-Id: Id2a557022bfee400839784f2ae8623cea53fced9
  d0b1a96b
- Merge changes from topic 'vendor-ocdev-relabel' into oc-dev · 6d2e29c1
  Sandeep Patil authored 7 years ago
  
  am: 37792cec Change-Id: I469f6de852f10515148ef824c85ff2febf31322e
  6d2e29c1
- Sepolicy: Add ASAN-Extract · ea26683e
  Andreas Gampe authored 7 years ago
  
  am: 82071b68 Change-Id: Ia3bd034033f82aaed63b173e5205e7449e2743ef
  ea26683e
- Merge changes from topic 'vendor-ocdev-relabel' into oc-dev · 37792cec
  TreeHugger Robot authored 7 years ago
  
  * changes: sepolicy: relabel /vendor Sepolicy: Add ASAN-Extract
  37792cec
- Merge changes from topic 'ipsec-svc-pick' into oc-dev am: 516c9abf · 964272b1
  Nathan Harold authored 7 years ago
  
  am: 73747426 Change-Id: I6520c8c1c89ce0ce6c6165822e63c672290c9ad0
  964272b1
- Update Common NetD SEPolicy to allow Netlink XFRM am: 63a93156 · 98df8577
  Nathan Harold authored 7 years ago
  
  am: ca7c99ed Change-Id: I01ebaeb50ce10a1114ffc9a30999640bc86ff368
  98df8577
- Merge changes from topic 'ipsec-svc-pick' into oc-dev · 73747426
  Nathan Harold authored 7 years ago
  
  am: 516c9abf Change-Id: I59f1abcdb1f7184fc795c2164a5799e7ff7f4772
  73747426
- Update Common NetD SEPolicy to allow Netlink XFRM · ca7c99ed
  Nathan Harold authored 7 years ago
  
  am: 63a93156 Change-Id: I26a67ce475de966ec979cf4dfddd8b3210802552
  ca7c99ed
- Merge changes from topic 'ipsec-svc-pick' into oc-dev · 516c9abf
  Nathan Harold authored 7 years ago
  
  * changes: Add IpSecService SEPolicy Update Common NetD SEPolicy to allow Netlink XFRM
  516c9abf
Apr 05, 2017

Sandeep Patil authored 7 years ago


The CL splits /vendor labeling from /system. Which was allowing all
processes read, execute access to /vendor.

Following directories will remain world readable
 /vendor/etc
 /vendor/lib(64)/hw/

Following are currently world readable but their scope
will be minimized to platform processes that require access
 /vendor/app
 /vendor/framework/
 /vendor/overlay

Files labelled with 'same_process_hal_file' are allowed to be
read + executed from by the world. This is for Same process HALs and
their dependencies.

Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803

All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
      current location, take pictures and record video in camera,
      playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass

Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>

277a20eb

Sepolicy: Add ASAN-Extract · 82071b68

Andreas Gampe authored 8 years ago

Add selinux policies for init script and shell script to unzip a tar
containing ASAN libraries on boot.

Bug: 36458146
Test: m && m SANITIZE_TARGET=address
Test: manual (build steps for tar missing)
Change-Id: I5c3cb233aae93ee9985431090af902b0e3c1b0a7
(cherry picked from commit 0b743050)
Merged-In: I5c3cb233aae93ee9985431090af902b0e3c1b0a7

82071b68

Merge "Remove unnecessary adbd permissions." into oc-dev am: 6821bb40 · 360f9460
Steven Moreland authored 7 years ago
```
am: 67b66f99

Change-Id: I0bc8e8e3c29a312a7ac9d07154aaab0dc1965809
```
360f9460
Merge "Remove unnecessary adbd permissions." into oc-dev · 67b66f99
Steven Moreland authored 7 years ago
```
am: 6821bb40

Change-Id: I90f1ae5f671cbf7bcdcab728dd0bfac673f95050
```
67b66f99
Merge "Remove unnecessary adbd permissions." into oc-dev · 6821bb40
TreeHugger Robot authored 7 years ago

6821bb40