Commits · e777112e18955aaf502b6d075809e177fd13a5b7 · Werner Sembach / AndroidSystemSEPolicy

Mar 30, 2017

Merge "runas: Grant access to seapp_contexts_file" into oc-dev · e777112e
Jeff Vander Stoep authored 8 years ago
```
am: f4739f40

Change-Id: Ie07e3ababe6836f6b5c2522c3a3255367d01b662
```
e777112e
Merge "runas: Grant access to seapp_contexts_file" into oc-dev · f4739f40
TreeHugger Robot authored 8 years ago

f4739f40
Merge "Further restrict access to Binder services from vendor" into oc-dev · ff61a10c
Alex Klyubin authored 8 years ago
```
am: b5081ea0

Change-Id: I3decd5c29ee797486d563393212cfc09666b77e1
```
ff61a10c
Merge "Further restrict access to Binder services from vendor" into oc-dev · b5081ea0
TreeHugger Robot authored 8 years ago

b5081ea0

runas: Grant access to seapp_contexts_file · 7d6185fe

Runas/libselinux needs access to seapp_contexts_file to determine
transitions into app domains.

Addresses:
avc: denied { read } for pid=7154 comm="run-as" name="plat_seapp_contexts"
dev="rootfs" ino=9827 scontext=u:r:runas:s0
tcontext=u:object_r:seapp_contexts_file:s0 tclass=file

Bug: 36782586
Test: Marlin policy builds
Change-Id: I0f0e937e56721d458e250d48ce62f80e3694900f

7d6185fe

Disallow HAL access to Bluetooth data files am: 02d9d21d am: 6f700ae5 · 8f288f56
Myles Watson authored 8 years ago
```
am: a21b3b19

Change-Id: I3e0bb56e66f2e4dc2ac04288e96c79070a710490
```
8f288f56
Disallow HAL access to Bluetooth data files am: 02d9d21d · a21b3b19
Myles Watson authored 8 years ago
```
am: 6f700ae5

Change-Id: I6d58dcfa6037dc916d9ab5b995d2132e559783e1
```
a21b3b19
Disallow HAL access to Bluetooth data files · 6f700ae5
Myles Watson authored 8 years ago
```
am: 02d9d21d

Change-Id: I29861f9cc52001f2968c2313f48031dd01afe8c7
```
6f700ae5
Merge "Disallow HAL access to Bluetooth data files" into oc-dev · 52ae8351
Myles Watson authored 8 years ago
```
am: ef2057a6

Change-Id: I1c706c034571de2470fdb4458ab7c1ea43e4f52e
```
52ae8351

Further restrict access to Binder services from vendor · 0052bc69

Alex Klyubin authored 8 years ago

This tightens neverallows for looking up Binder servicemanager
services from vendor components. In particular, vendor components,
other than apps, are not permitted to look up any Binder services.
Vendor apps are permitted to look up only stable public API services
which is exactly what non-vendor apps are permitted to use as well.
If we permitted vendor apps to use non-stable/hidden Binder services,
they might break when core components get updated without updating
vendor components.

Test: mmm system/sepolicy
Bug: 35870313

Change-Id: I47d40d5d42cf4205d9e4e5e5f9d0794104efc28f

0052bc69

Merge "Disallow HAL access to Bluetooth data files" into oc-dev · ef2057a6
TreeHugger Robot authored 8 years ago

ef2057a6

Disallow HAL access to Bluetooth data files · 02d9d21d

Myles Watson authored 8 years ago

Devices that store their BT MAC address in /data/misc/bluedroid/ need
to find another place for that file.

Bug: 36602160
Test: Restart Bluetooth, check for selinux denials/files in /data/misc
Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66
Merged-In: Ib8d610f201a8c35f95b464c24857c6639205bc66

02d9d21d

Merge "Allow MediaExtractor to create FileSource" into oc-dev · 91204e89
Andy Hung authored 8 years ago
```
am: 6c4c9bea

Change-Id: Ie6ab78d9c8f93ed00e3ec5923a9946d492199288
```
91204e89
Merge "Allow MediaExtractor to create FileSource" into oc-dev · 6c4c9bea
Andy Hung authored 8 years ago

6c4c9bea

Disallow HAL access to Bluetooth data files · 1317b4ca

Myles Watson authored 8 years ago

Devices that store their BT MAC address in /data/misc/bluedroid/ need
to find another place for that file.

Bug: 36602160
Test: Restart Bluetooth, check for selinux denials/files in /data/misc
Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66

1317b4ca

Merge "Annotate rild with socket_between_core_and_vendor_violators" into oc-dev · cc5da52f
Jiyong Park authored 8 years ago
```
am: 36c8f160

Change-Id: I4c39b013d9d8f296171dde6d0b0b3400074f3825
```
cc5da52f
Merge "Annotate rild with socket_between_core_and_vendor_violators" into oc-dev · 36c8f160
TreeHugger Robot authored 8 years ago

36c8f160
Merge "Revert "Further restrict access to Binder services from vendor"" into oc-dev · 134c7182
Ian Pedowitz authored 8 years ago
```
am: d7a2f60d

Change-Id: Ifc66292d55f1daea28069cbf63cd70bf96fee74d
```
134c7182
Merge "Revert "Further restrict access to Binder services from vendor"" into oc-dev · d7a2f60d
Ian Pedowitz authored 8 years ago

d7a2f60d

Revert "Further restrict access to Binder services from vendor" · 43b48045

Ian Pedowitz authored 8 years ago

This reverts commit 5c09d123.

Broke the build

Bug: 35870313
Test: source build/envsetup.sh && lunch marlin-userdebug && m -j40
Change-Id: I71c968be6e89462fd286be5663933552d478f8bf

43b48045

Merge "Further restrict access to Binder services from vendor" into oc-dev · 3100873f
Alex Klyubin authored 8 years ago
```
am: c673770a

Change-Id: Icb5276a3b73419b4b0e3a9fea1af157d0e1ef882
```
3100873f
Merge "Further restrict access to Binder services from vendor" into oc-dev · c673770a
TreeHugger Robot authored 8 years ago

c673770a

Annotate rild with socket_between_core_and_vendor_violators · 57e9946f

Jiyong Park authored 8 years ago

Full treble targets cannot have sockets between framework and vendor
processes. In theory, this should not affect aosp_arm64_ab where only
framework binaries are built. However, /system/sepolicy has rild.te
which is now vendor binary and this causes neverallow conflict when
building aosp_arm64_ab.

So, we just temporarily annotate the rild with
socket_between_core_and_vendor_violators so that the neverallow conflict
can be avoided.

Test: choosecombo 1 aosp_arm64_ab userdebug; m -j 80 The build should
not break.

Change-Id: I260757cde96857cc3f539d5f82ca69c50653f8c7

57e9946f

Merge "Add media services to ephemeral_app" into oc-dev · 897473dc
Chad Brubaker authored 8 years ago
```
am: 3ad5c9e7

Change-Id: I41a829460d932c30e564060fceb9169a7443014f
```
897473dc
Merge "Add media services to ephemeral_app" into oc-dev · 3ad5c9e7
TreeHugger Robot authored 8 years ago

3ad5c9e7
Merge changes from topic 'ipsec-service' am: 32815389 am: eaa5e298 · a6dc0dc2
Nathan Harold authored 8 years ago
```
am: b78fd545

Change-Id: I227c5aee3e635922f39192bc9ce5a1ca5db46451
```
a6dc0dc2
Update Common NetD SEPolicy to allow Netlink XFRM am: 7eb3dd3b am: 75760e9d · d80511d3
Nathan Harold authored 8 years ago
```
am: a581c048

Change-Id: Ic71ef550af5cb26ca7d4db01fa78bd6c74b98ca5
```
d80511d3

Mar 29, 2017
- Merge changes from topic 'ipsec-service' am: 32815389 · b78fd545
  Nathan Harold authored 8 years ago
  
  am: eaa5e298 Change-Id: I232deac94123b1e07a20789cc247aa95bb9b3327
  b78fd545
- Update Common NetD SEPolicy to allow Netlink XFRM am: 7eb3dd3b · a581c048
  Nathan Harold authored 8 years ago
  
  am: 75760e9d Change-Id: I02cfb5b418c2edaeaa02831113205e0a73f92342
  a581c048
- Merge changes from topic 'ipsec-service' · eaa5e298
  Nathan Harold authored 8 years ago
  
  am: 32815389 Change-Id: Id6cc5e3c1dc6b098f893b566dcbf09fc29973162
  eaa5e298
- Update Common NetD SEPolicy to allow Netlink XFRM · 75760e9d
  Nathan Harold authored 8 years ago
  
  am: 7eb3dd3b Change-Id: Iafaa3fd315533c4cb49847d927d2c7cbae71bb51
  75760e9d
- Merge changes from topic 'ipsec-service' · 32815389
  Treehugger Robot authored 8 years ago
  
  * changes: Add IpSecService SEPolicy Update Common NetD SEPolicy to allow Netlink XFRM
  32815389
- Add media services to ephemeral_app · b93f0494
  Chad Brubaker authored 8 years ago
  
  Test: denials go away Change-Id: I103cf3ad8d86b461bcba8edce02f6202fd2bcbe8
  b93f0494
- Merge changes from topic 'sefiles_relabel' into oc-dev · 719edb06
  Sandeep Patil authored 8 years ago
  
  am: 394539c5 Change-Id: Ibaa6911b4656ceb41167eab09eddfb3ca8c783f2
  719edb06
- sepolicy: explicitly label all sepolicy files · 7dcab748
  Sandeep Patil authored 8 years ago
  
  am: 136caa1b Change-Id: I35ffe4d2cd233582c9dc73f1c20602c1a1c953eb
  7dcab748
- seapp_context: explicitly label all seapp context files · 2515e1b1
  Sandeep Patil authored 8 years ago
  
  am: 1e149967 Change-Id: Ie6fe25279ff73d4b200463bd07116a40a2272382
  2515e1b1
- file_context: explicitly label all file context files · 07921191
  Sandeep Patil authored 8 years ago
  
  am: c9cf7361 Change-Id: Ib2588c6117fdaf79665f61d4c872c60fb6579613
  07921191
- service_contexts: label service_contexts explicitly · 5a6ab596
  Sandeep Patil authored 8 years ago
  
  am: 939d16b5 Change-Id: I1c351ee36100730bf98a3fe820d1f51f7b672ba5
  5a6ab596
- prop_context: correctly label all property_context files · b81943b6
  Sandeep Patil authored 8 years ago
  
  am: 54a42001 Change-Id: I8281fcee3729b0a48131a860381db2a2be5f8c84
  b81943b6
- Merge changes from topic 'sefiles_relabel' into oc-dev · 394539c5
  Sandeep Patil authored 8 years ago
  
  * changes: mac_permissions: explicitly label all mac_permissions files sepolicy: explicitly label all sepolicy files seapp_context: explicitly label all seapp context files file_context: explicitly label all file context files service_contexts: label service_contexts explicitly prop_context: correctly label all property_context files
  394539c5