Commits · ea26683eb4c033150161ec59f1d9a05c3ea09d1c · Werner Sembach / AndroidSystemSEPolicy

Apr 06, 2017
- Sepolicy: Add ASAN-Extract · ea26683e
  Andreas Gampe authored 7 years ago
  
  am: 82071b68 Change-Id: Ia3bd034033f82aaed63b173e5205e7449e2743ef
  ea26683e
- Merge changes from topic 'ipsec-svc-pick' into oc-dev · 73747426
  Nathan Harold authored 7 years ago
  
  am: 516c9abf Change-Id: I59f1abcdb1f7184fc795c2164a5799e7ff7f4772
  73747426
- Update Common NetD SEPolicy to allow Netlink XFRM · ca7c99ed
  Nathan Harold authored 7 years ago
  
  am: 63a93156 Change-Id: I26a67ce475de966ec979cf4dfddd8b3210802552
  ca7c99ed
- Merge changes from topic 'ipsec-svc-pick' into oc-dev · 516c9abf
  Nathan Harold authored 7 years ago
  
  * changes: Add IpSecService SEPolicy Update Common NetD SEPolicy to allow Netlink XFRM
  516c9abf
Apr 05, 2017

Sepolicy: Add ASAN-Extract · 82071b68

Andreas Gampe authored 8 years ago

Add selinux policies for init script and shell script to unzip a tar
containing ASAN libraries on boot.

Bug: 36458146
Test: m && m SANITIZE_TARGET=address
Test: manual (build steps for tar missing)
Change-Id: I5c3cb233aae93ee9985431090af902b0e3c1b0a7
(cherry picked from commit 0b743050)
Merged-In: I5c3cb233aae93ee9985431090af902b0e3c1b0a7

82071b68

Merge "Remove unnecessary adbd permissions." into oc-dev · 67b66f99
Steven Moreland authored 7 years ago
```
am: 6821bb40

Change-Id: I90f1ae5f671cbf7bcdcab728dd0bfac673f95050
```
67b66f99
Merge "Remove unnecessary adbd permissions." into oc-dev · 6821bb40
TreeHugger Robot authored 7 years ago

6821bb40

Remove unnecessary adbd permissions. · 97848f05

Steven Moreland authored 7 years ago

Test: adbd_test (with and without adb root)
  Note: one test fails without root with and without this change
        because of an unrelated shell selinux denial.
Test: adb screencap, pull, and verify
Test: Android Studio screenshot
Bug: 36643190
Change-Id: Ib534240bc9bb3a1f32b8865ca66db988902a0f4a

97848f05

Merge "Fix lock logspam and remove domain_deprecated rule" into oc-dev · a2bc090b
Nick Kralevich authored 7 years ago
```
am: 6f108fd8

Change-Id: I98a793c05260b9f469902c17375693ef7c68b238
```
a2bc090b
Merge "Fix lock logspam and remove domain_deprecated rule" into oc-dev · 6f108fd8
Nick Kralevich authored 7 years ago

6f108fd8
Merge "Allow update_verifier to reboot the device" into oc-dev · 2b7497cb
Tianjie Xu authored 7 years ago
```
am: c0e6cb58

Change-Id: If2cc73c4f4b14fb46273b97aae151e735ccddaa0
```
2b7497cb
Merge "Allow update_verifier to reboot the device" into oc-dev · c0e6cb58
TreeHugger Robot authored 7 years ago

c0e6cb58

Fix lock logspam and remove domain_deprecated rule · 4a580cca

Nick Kralevich authored 7 years ago

Remove system_file:file { lock ioctl } from domain_deprecated. The only
domains triggering this were dex2oat and netd, which are fixed in this
change.

Addresses the following logspam similar to:

  avc: granted { lock } for comm="iptables"
  path="/system/etc/xtables.lock" dev="sda22" ino=3745
  scontext=u:r:netd:s0 tcontext=u:object_r:system_file:s0 tclass=file

  avc: granted { lock } for comm="dex2oat"
  path="/system/framework/arm/boot-okhttp.art" dev="dm-0" ino=1295
  scontext=u:r:dex2oat:s0 tcontext=u:object_r:system_file:s0 tclass=file

Test: device boots and no obvious problems.
Bug: 28760354
Bug: 36879751
Change-Id: Iac851c0e49a52ce4000fdfe16e68c17ff819693f

4a580cca

Apr 04, 2017
- Merge "Remove hal_binderization_prop" into oc-dev · a8d690f8
  Steven Moreland authored 7 years ago
  
  am: ccbea503 Change-Id: I55fab2ec9b63c5d9393bd18d9c340030ee9f1cc5
  a8d690f8
- Merge "Remove hal_binderization_prop" into oc-dev · ccbea503
  TreeHugger Robot authored 7 years ago
  
  ccbea503
- Merge "Allow hal_sensors to use ashmem from android.hidl.allocator" into oc-dev · 56f8a1a7
  Yifan Hong authored 7 years ago
  
  am: abaf415c Change-Id: I89396424e62a09f8e111212b920fc0897b6a517e
  56f8a1a7
- Merge "Allow hal_sensors to use ashmem from android.hidl.allocator" into oc-dev · abaf415c
  TreeHugger Robot authored 7 years ago
  
  abaf415c
- Merge "tee no longer violates the socket comms ban" into oc-dev · 8e7b0763
  Alex Klyubin authored 7 years ago
  
  am: e311d669 Change-Id: Ibeb5854ca377048726b01288030a421e7f1a9bc2
  8e7b0763
- Merge "tee no longer violates the socket comms ban" into oc-dev · e311d669
  TreeHugger Robot authored 7 years ago
  
  e311d669
- Merge "allow media.metrics to write to file descriptor in /data" into oc-dev · 090d9bc4
  Ray Essick authored 7 years ago
  
  am: 72f6219f Change-Id: I93bd189fc07ee4386b1a1c14cf345ca739f9f64b
  090d9bc4
- Merge "allow media.metrics to write to file descriptor in /data" into oc-dev · 72f6219f
  Ray Essick authored 7 years ago
  
  72f6219f
- rild does not communicate with BT/system_server/mediaserver over sockets · c6171967
  Amit Mahajan authored 7 years ago
  
  am: 8b080ee2 Change-Id: Ieba9f9055b78d349c883ca1132336c318e490b17
  c6171967
- Merge "logcatd: introduce logcatd executable" am: b5b6e0c5 am: 8da8e872 · 30e0944f
  Mark Salyzyn authored 7 years ago
  
  am: 0dd37a3b Change-Id: I91a8cfce767c1b280bbea788038cc8a24363f662
  30e0944f
- Merge "logcatd: introduce logcatd executable" am: b5b6e0c5 · 0dd37a3b
  Mark Salyzyn authored 7 years ago
  
  am: 8da8e872 Change-Id: I84e2d4d81892ee48d0e3db3875c9dd0b49f3ce2d
  0dd37a3b
- Merge "logcatd: introduce logcatd executable" · 8da8e872
  Mark Salyzyn authored 7 years ago
  
  am: b5b6e0c5 Change-Id: Ie55c6153a4484921cf85bff0fc64e2b345715ae1
  8da8e872
- Merge "logcatd: introduce logcatd executable" · b5b6e0c5
  Treehugger Robot authored 7 years ago
  
  b5b6e0c5
- tee no longer violates the socket comms ban · 645abead
  Alex Klyubin authored 7 years ago
  
  SELinux policy no longer has allow rules which permit core/non-vendor domains to communicate with tee domain over sockets. This commit thus removes tee from the list of temporary exceptions for the socket communications prohibition. Test: mmm system/sepolicy Bug: 36714625 Bug: 36715266 Change-Id: Iccbd9ea0555b0c9f1cb6c5e0f5a6c0d3f8730b4d
  645abead
- Allow update_verifier to reboot the device · 6ca32e35
  Tianjie Xu authored 7 years ago
  
  Currently update_verifier only verifies the blocks when dm-verity is in 'enforcing' mode; and dm-verity will reboot the device upon detection of errors. However, sometimes the verity mode is not guaranteed to be correct. When mode is 'eio' for example, dm-verity will not trigger a reboot but rather fail the read. So update_verifier need to take the responsibility to reboot the device. Otherwise the device will continue to boot without setting the flag "isSlotMarkedSuccessful". Denial message: update_verifier: type=1400 audit(0.0:18): avc: denied { write } for name="property_service" dev="tmpfs" ino=14678 scontext=u:r:update_verifier:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0 Bug: 36260064 Test: powerctl property sets successfully Change-Id: I1260e60f2ef4db50573e515ba95c332512c8ae62 (cherry picked from commit 0d8c1e0a)
  6ca32e35
- rild does not communicate with BT/system_server/mediaserver over sockets · 8b080ee2
  Amit Mahajan authored 8 years ago
  
  Test: manual (verified no denials in basic telephony operations) Bug: 36613472 Change-Id: I31274adee2cb6293102446cd2d6d547c50616836
  8b080ee2
- Merge "No access to tee domain over Unix domain sockets" into oc-dev · 3a994615
  Alex Klyubin authored 7 years ago
  
  am: ea53e29f Change-Id: Ic6aa9fa02e28a6f35ad76a8387593ecd566929a7
  3a994615
- Merge "Allow update_verifier to reboot the device" am: fde87a96 am: 6429e000 · 0d8c1e0a
  Tianjie Xu authored 7 years ago
  
  am: 64c8aa96 Change-Id: I1260e60f2ef4db50573e515ba95c332512c8ae62
  0d8c1e0a
- Merge "Allow update_verifier to reboot the device" am: fde87a96 · 64c8aa96
  Tianjie Xu authored 7 years ago
  
  am: 6429e000 Change-Id: I14d24ef85a8409adaffe4073e3697d21a2c2f05f
  64c8aa96
- Merge "Allow update_verifier to reboot the device" · 6429e000
  Tianjie Xu authored 7 years ago
  
  am: fde87a96 Change-Id: Id1e696f18bd1091f4103c02b49e3fa2dd6fa8e1b
  6429e000
- Merge "No access to tee domain over Unix domain sockets" into oc-dev · ea53e29f
  Alex Klyubin authored 7 years ago
  
  ea53e29f
- Allow hal_sensors to use ashmem from android.hidl.allocator · d131f945
  Yifan Hong authored 7 years ago
  
  android.framework.sensorservice@1.0 pass a file descriptor from hidl_memory into android.hardware.sensors@1.0, hence requiring the latter to use the file descriptor. Test: VtsHalSensorManagerV1_0TargetTest under selinux enforcing mode Bug: 35219747 Change-Id: I0185c8af0714776842c90ebb687b684324b55cd8
  d131f945
- Merge "Allow update_verifier to reboot the device" · fde87a96
  Tianjie Xu authored 7 years ago
  
  fde87a96
- Merge "Remove hal_binderization_prop" am: 1871fc0a am: 2261cab6 · 7138973f
  Steven Moreland authored 7 years ago
  
  am: 484a277c Change-Id: Iaa779c0d07bc503e27d0d9b65816347e819daa8a
  7138973f
- Merge "Remove hal_binderization_prop" am: 1871fc0a · 484a277c
  Steven Moreland authored 7 years ago
  
  am: 2261cab6 Change-Id: Id44a7c591e8d7640c89e74cb9e88ce7849439c29
  484a277c
- Merge "Remove hal_binderization_prop" · 2261cab6
  Steven Moreland authored 7 years ago
  
  am: 1871fc0a Change-Id: I2d474b6d04d0fa2af7ad35d7af068e38477609ee
  2261cab6
- Merge "Remove hal_binderization_prop" · 1871fc0a
  Treehugger Robot authored 7 years ago
  
  1871fc0a