Commits · d767983435c70a9d389626422b9602a59632b0dc · Werner Sembach / AndroidSystemSEPolicy

Nov 17, 2017

Merge "shell: neverallow access to 'proc' label." am: 6faa3a1a am: 51251212 · d7679834
Tri Vo authored 7 years ago
```
am: feabf294

Change-Id: Id66b3cd36f5b7306de3684714b22a4ff51842e6f
```
d7679834
Merge "shell: neverallow access to 'proc' label." am: 6faa3a1a · feabf294
Tri Vo authored 7 years ago
```
am: 51251212

Change-Id: Ie3194b1314cef76240ff518ac2b86e094b9baa81
```
feabf294
Merge "shell: neverallow access to 'proc' label." · 51251212
Tri Vo authored 7 years ago
```
am: 6faa3a1a

Change-Id: Ica1a165a67f4db803e69757009a14145bb17c5b9
```
51251212
Merge "shell: neverallow access to 'proc' label." · 6faa3a1a
Tri Vo authored 7 years ago

6faa3a1a
Merge "Allow netd to read the /dev/xt_qtaguid" am: cd753d11 am: a6966554 · 1262e5fa
Chenbo Feng authored 7 years ago
```
am: 997fcf16

Change-Id: Ic4fe495fb1064d32b4bac28242c53dae06e7ed70
```
1262e5fa
Merge "Allow netd to read the /dev/xt_qtaguid" am: cd753d11 · 997fcf16
Chenbo Feng authored 7 years ago
```
am: a6966554

Change-Id: I8c09069290ffe1827212206b81616e9302bfe7ea
```
997fcf16
Merge "Allow netd to read the /dev/xt_qtaguid" · a6966554
Chenbo Feng authored 7 years ago
```
am: cd753d11

Change-Id: I01a332c51aa4a5c62e5b2bb4ba13565b48c46b88
```
a6966554
Merge "Allow netd to read the /dev/xt_qtaguid" · cd753d11
Treehugger Robot authored 7 years ago

cd753d11
Merge "Add window trace files SELinux policy rules" am: 97c86514 am: dcd0baf6 · 219d62c1
Vishnu Nair authored 7 years ago
```
am: 51871966

Change-Id: Id7363e8c5e6bc6a41bb74e0536eb80577189107d
```
219d62c1
Merge "Add window trace files SELinux policy rules" am: 97c86514 · 51871966
Vishnu Nair authored 7 years ago
```
am: dcd0baf6

Change-Id: I07782169b7a9b4ad05d8915e43599c0ae158fb2b
```
51871966
Merge "Add window trace files SELinux policy rules" · dcd0baf6
Vishnu Nair authored 7 years ago
```
am: 97c86514

Change-Id: I170162843b04280105c76d4e5d7a8d3f89583588
```
dcd0baf6
Merge "Add window trace files SELinux policy rules" · 97c86514
Treehugger Robot authored 7 years ago

97c86514

shell: neverallow access to 'proc' label. · c4ef3630

Tri Vo authored 7 years ago

Added access to proc_uptime and proc_asound to address these denials:

avc: denied { read } for name="uptime" dev="proc" ino=4026532080
scontext=u:r:shell:s0 tcontext=u:object_r:proc_uptime:s0 tclass=file
permissive=1

avc: denied { getattr } for path="/proc/asound/version" dev="proc"
ino=4026532017 scontext=u:r:shell:s0 tcontext=u:object_r:proc_asound:s0
tclass=file permissive=1

Bug: 65643247
Test: device boots with no denial from 'shell' domain.
Test: lsmod, ps, top, netstat
Test: No denials triggered from CtsSecurityHostTestCases
Test: external/toybox/run-tests-on-android.sh does not pass, but triggers
no denials from 'shell' domain to 'proc' type.

Change-Id: Ia4c26fd616e33e5962c6707a855dc24e338ec153

c4ef3630

Merge "mediaserver: remove access to 'sysfs' type." am: 499fd010 am: 92652912 · 92a4cb2e
Tri Vo authored 7 years ago
```
am: 80f63e0b

Change-Id: I93aa25bf35797a98fee8368711ef736614dcb0a4
```
92a4cb2e
Merge "mediaserver: remove access to 'sysfs' type." am: 499fd010 · 80f63e0b
Tri Vo authored 7 years ago
```
am: 92652912

Change-Id: Id419994de8b6ca9dc29e0cb3a3c0d05cd07b982a
```
80f63e0b
Merge "mediaserver: remove access to 'sysfs' type." · 92652912
Tri Vo authored 7 years ago
```
am: 499fd010

Change-Id: Ifdf2102a4305b3aa51607e78a1c6ce529b45d382
```
92652912
Merge "mediaserver: remove access to 'sysfs' type." · 499fd010
Tri Vo authored 7 years ago

499fd010
Merge "system_server: access to /proc/sys/fs/pipe-max-size" am: 25576730 am: 1bd4443a · a0875812
Tri Vo authored 7 years ago
```
am: 00057abc

Change-Id: I6d6b75701e35b35501935162670f906f9c757d4b
```
a0875812
Merge "system_server: access to /proc/sys/fs/pipe-max-size" am: 25576730 · 00057abc
Tri Vo authored 7 years ago
```
am: 1bd4443a

Change-Id: Ia72d55f0a38fb9415166d5cf03cd67b2e9e2162c
```
00057abc
Merge "system_server: access to /proc/sys/fs/pipe-max-size" · 1bd4443a
Tri Vo authored 7 years ago
```
am: 25576730

Change-Id: I97842c1a293bc68daa11adffec29514a9afbb868
```
1bd4443a

Add window trace files SELinux policy rules · 2d6942d3

Vishnu Nair authored 7 years ago

- Allow system_server to create and write to /data/misc/wmtrace/*
- Allow surfaceflinger to create and write files from /data/misc/wmtrace/*
- Allow dumpstate to read files from /data/misc/wmtrace/*
permissions are restricted to userdebug or eng builds

Bug: 64831661

Test: adb shell cmd window tracing start && adb shell cmd window tracing stop
Test: adb shell su root service call SurfaceFlinger 1025 i32 1 >/dev/null && adb shell su root service call SurfaceFlinger 1025 i32 0 >/dev/null
Test: adb bugreport ~/tmp.zip && adb shell su root dmesg | grep 'avc: '

Change-Id: I0b15166560739d73d7749201f3ad197dbcf5791c

2d6942d3

Merge "system_server: access to /proc/sys/fs/pipe-max-size" · 25576730
Treehugger Robot authored 7 years ago

25576730

mediaserver: remove access to 'sysfs' type. · 2ea12cd3

Tri Vo authored 7 years ago

Bug: 65643247
Test: cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice
No denials from mediaserver domain to sysfs type are observed.
Change-Id: Icb5c12f04af213452d82e226993fe13085c5c33f

2ea12cd3

Nov 16, 2017
- Remove unused permissions from tee am: 13c69b89 am: f6aa0695 · f384658a
  Jeff Vander Stoep authored 7 years ago
  
  am: c31c9096 Change-Id: I63b9ef7dc9ef200bdf4c520c6c93649655e63d33
  f384658a
- Remove unused permissions from tee am: 13c69b89 · c31c9096
  Jeff Vander Stoep authored 7 years ago
  
  am: f6aa0695 Change-Id: I109c44d4ebbb08aa5eb78e4d8a3b8ac106411dc2
  c31c9096
- Remove unused permissions from tee · f6aa0695
  Jeff Vander Stoep authored 7 years ago
  
  am: 13c69b89 Change-Id: I81e8cc02afa5b87419a4e70ab46a70ca43b85c43
  f6aa0695
- system_server: access to /proc/sys/fs/pipe-max-size · e7f4934d
  Tri Vo authored 7 years ago
  
  Label /proc/sys/fs/pipe-max-size with new type proc_pipe_conf and give system_server access to it. Addresses this denial: avc: denied { read } for name="pipe-max-size" dev="proc" ino=93817 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0 Bug: 69175449 Bug: 69324398 Test: sailfish boots Test: adb bugreport Test: craft an unresponsive app, trigger ANR, make sure traces are dumped into /data/anr Above denial from system_server not observed, no denials to proc_pipe_conf observed. Change-Id: I7c71f05820a4945ba982e29f76e9d9f4458b2b59
  e7f4934d
- Remove unused permissions from tee · 13c69b89
  Jeff Vander Stoep authored 7 years ago
  
  Only getattr and read are necessary for lnk_file. Open violates a new neverallow for separating system and vendor data. Bug: 34980020 Test: Enroll fingerprint on Taimen Change-Id: I9434afbd5b4ecc1ead9f0ba47c7582fb5a6c6bf0
  13c69b89
- Merge "Revert "Revert "Put pm.* property in new pm_prop context""" am: 0d7e5047 am: 0181d23f · 2b669ed3
  Nicolas Geoffray authored 7 years ago
  
  am: fa7f3a9d Change-Id: Id56db24bfb5821d7a7255b8646fb2dfcf22271d9
  2b669ed3
- Merge "Revert "Revert "Put pm.* property in new pm_prop context""" am: 0d7e5047 · fa7f3a9d
  Nicolas Geoffray authored 7 years ago
  
  am: 0181d23f Change-Id: I7c75b607ce60eb60f8b0bfb58ed8a190940a8239
  fa7f3a9d
- Merge "Revert "Revert "Put pm.* property in new pm_prop context""" · 0181d23f
  Nicolas Geoffray authored 7 years ago
  
  am: 0d7e5047 Change-Id: I29fd343005136d580763eff843fa94e8e3318c06
  0181d23f
- Merge "Revert "Revert "Put pm.* property in new pm_prop context""" · 0d7e5047
  Nicolas Geoffray authored 7 years ago
  
  0d7e5047
- Merge "Copy a dontaudit from init to vendor_init" am: 5984301a am: 7bd0bde4 · cd64d3f3
  Tom Cherry authored 7 years ago
  
  am: adda76ea Change-Id: I38aa8d944a3d27c21dc4cc9aee3a72b501da5946
  cd64d3f3
- Merge "Copy a dontaudit from init to vendor_init" am: 5984301a · adda76ea
  Tom Cherry authored 7 years ago
  
  am: 7bd0bde4 Change-Id: I6aa0562fdc8e0fb482c8c81fbb256f57dbe59387
  adda76ea
- Revert "Revert "Put pm.* property in new pm_prop context"" · 5316548f
  Calin Juravle authored 7 years ago
  
  This reverts commit 248b6dc6. Reason for revert: The dashboard complains that devices don't boot after this revert. Change-Id: I6a4648b64b096cbaa97c67aae6bc38b76d54cb48
  5316548f
- Merge "Copy a dontaudit from init to vendor_init" · 7bd0bde4
  Tom Cherry authored 7 years ago
  
  am: 5984301a Change-Id: I7e6c4733471f5954a16f991adddda3657844b47d
  7bd0bde4
- Merge "Copy a dontaudit from init to vendor_init" · 5984301a
  Treehugger Robot authored 7 years ago
  
  5984301a
- Revert "Put pm.* property in new pm_prop context" am: 248b6dc6 am: e3cec841 · 09770bda
  Calin Juravle authored 7 years ago
  
  am: 0386eaed Change-Id: I7b2aec9510271d509759eb4822ba8d97993af2ff
  09770bda
- Revert "Put pm.* property in new pm_prop context" am: 248b6dc6 · 0386eaed
  Calin Juravle authored 7 years ago
  
  am: e3cec841 Change-Id: Iefd431374378a736aa8e3a2f37b25cf026b3998f
  0386eaed
- Revert "Put pm.* property in new pm_prop context" · e3cec841
  Calin Juravle authored 7 years ago
  
  am: 248b6dc6 Change-Id: Ie2990b86b85fbe29565ca7957fbce6b6121abec1
  e3cec841