Skip to content
Snippets Groups Projects
  1. Jun 23, 2017
    • Jeff Vander Stoep's avatar
      system_server is a client of configstore · 23e0a7f2
      Jeff Vander Stoep authored
      avc:  denied  { find } for
      interface=android.hardware.configstore::ISurfaceFlingerConfigs
      scontext=u:r:system_server:s0
      tcontext=u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
      tclass=hwservice_manager permissive=0
      
      Bug: 35197529
      Test: Device boots without this denial
      Change-Id: Ia43bc5879e03a1f2056e373b17cc6533636f98b1
      23e0a7f2
  2. Jun 19, 2017
    • Tom Cherry's avatar
      Add getpgid to system_service and init · d5f0aba0
      Tom Cherry authored
      In libprocessgroup, we want to only send signals once to processes,
      particularly for SIGTERM.  We must send the signal both to all
      processes within a POSIX process group and a cgroup.  To ensure that
      we do not duplicate the signals being sent, we check the processes in
      the cgroup to see if they're in the POSIX process groups that we're
      killing.  If they are, we skip sending a second signal.  This requires
      getpgid permissions, hence this SELinux change.
      
      avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
      avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
      avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
      avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
      avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
      avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
      avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
      avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
      
      Bug: 37853905
      Bug: 62418791
      Test: Boot, kill zygote, reboot
      Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570
      (cherry picked from commit c59eb4d8)
      d5f0aba0
  3. May 31, 2017
    • Narayan Kamath's avatar
      SEPolicy: Allow app / system_server to write to dumpstate pipes. · a34781ae
      Narayan Kamath authored
      tombstoned allows dumpstate to install "intercepts" to java trace
      requests for a given process. When an "intercept" is installed, all
      trace output is redirected to a pipe provided by dumpstate instead
      of the default location (usually in /data/anr or /data/tombstone).
      
      Note that these processes are already granted "write" and "getattr"
      on dumpstate:fifo_file in order to communicate with dumpstate; this
      change adds "append" to the existing set of permissions.
      
      Bug: 32064548
      Test: manual
      Change-Id: Iccbd78c59071252fef318589f3e55ece51a3c64c
      a34781ae
    • Narayan Kamath's avatar
      SEPolicy: Changes for new stack dumping scheme. · f194aad2
      Narayan Kamath authored
      Applications connect to tombstoned via a unix domain socket and request
      an open FD to which they can write their traces. This socket has a new
      label (tombstoned_java_trace_socket) and appdomain and system_server are
      given permissions to connect and write to it.
      
      Apps no longer need permissions to open files under /data/anr/ and
      these permissions will be withdrawn in a future change.
      
      Bug: 32064548
      Test: Manual
      
      (cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)
      
      (cherry picked from commit 11bfcc1e)
      
      Change-Id: Icc60d227331c8eee70a9389ff1e7e78772f37e6f
      f194aad2
    • Narayan Kamath's avatar
      SEPolicy: Changes for new stack dumping scheme. · e628cb5b
      Narayan Kamath authored
      Applications connect to tombstoned via a unix domain socket and request
      an open FD to which they can write their traces. This socket has a new
      label (tombstoned_java_trace_socket) and appdomain and system_server are
      given permissions to connect and write to it.
      
      Apps no longer need permissions to open files under /data/anr/ and
      these permissions will be withdrawn in a future change.
      
      Bug: 32064548
      Test: Manual
      
      Merged-In: I70a3e6e230268d12b454e849fa88418082269c4f
      Change-Id: Ib4b73fc130f4993c44d96c8d68f61b6d9bb2c7d5
      e628cb5b
  4. May 30, 2017
    • Narayan Kamath's avatar
      SEPolicy: Changes for new stack dumping scheme. · 11bfcc1e
      Narayan Kamath authored
      Applications connect to tombstoned via a unix domain socket and request
      an open FD to which they can write their traces. This socket has a new
      label (tombstoned_java_trace_socket) and appdomain and system_server are
      given permissions to connect and write to it.
      
      Apps no longer need permissions to open files under /data/anr/ and
      these permissions will be withdrawn in a future change.
      
      Bug: 32064548
      Test: Manual
      
      (cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)
      
      Change-Id: I70a3e6e230268d12b454e849fa88418082269c4f
      11bfcc1e
  5. May 23, 2017
    • pkanwar's avatar
      SE Policy for Tether Offload HAL · c67fa9bf
      pkanwar authored
      Update SE Policy to allow calls to and callbacks for the Tether Offload HAL
      HIDL binderized service.
      
      Bug: 38417260
      Test: New functionality. So we don't have any tests.
      Change-Id: I2c95b290523c55c081afa1bca091f368559c9125
      (cherry picked from commit 722249b3)
      c67fa9bf
    • pkanwar's avatar
      SE Policy for Tether Offload HAL · 722249b3
      pkanwar authored
      Update SE Policy to allow calls to and callbacks for the Tether Offload HAL
      HIDL binderized service.
      
      Bug: 38417260
      Test: New functionality. So we don't have any tests.
      Change-Id: I2c95b290523c55c081afa1bca091f368559c9125
      722249b3
  6. May 22, 2017
  7. May 18, 2017
    • Sohani Rao's avatar
      SE Policy for Wifi Offload HAL · 325bf725
      Sohani Rao authored
      Update SE Policy to allow calls to and callbacks from Wifi Offload HAL
      HIDL binderized service.
      Combined cherry pick from d56aa1982d15acfc2408271138dac43f1e5dc987
      and 66e27bf5
      
      Bug: 32842314
      Test: Unit tests, Mannual test to ensure Wifi can be brought up and
      connected to an AP, ensure that Offload HAL service is running and that
      that wificond can get the service handle by calling hwservicemanager.
      
      Change-Id: I0fc51a4152f1891c8d88967e75d45ded115e766e
      325bf725
  8. May 12, 2017
    • Andrew Scull's avatar
      SELinux policies for Weaver HAL. · 3c90eaf2
      Andrew Scull authored
      Bug: 35628284
      Change-Id: I08877ac117212325b1259f7d90a4c0cb1dac2d9f
      Fix: 38233550
      Test: Build and boot
      Merged-In: I4cdacb601e0eea1f5f0e721c568c7ee04298704f
      3c90eaf2
    • Andrew Scull's avatar
      SELinux policies for the OEM lock HAL. · 0e9b2207
      Andrew Scull authored
      Bug: 34766843
      Change-Id: I5be615d818ecf999fec6514ce9b89ff6a7f13cd6
      Fix: 38232801
      Test: Build and boot
      Merged-In: Ice78aedfdbe82477a84252499a76dad37887fe6b
      0e9b2207
  9. May 04, 2017
  10. Apr 27, 2017
  11. Apr 26, 2017
    • Philip Cuadra's avatar
      Allow Bluetooth sys_nice and system_server setsched for Bluetooth HAL · 3c46d2ff
      Philip Cuadra authored
      Bluetooth needs the capability to set audio-related threads to be RT
      scheduled.  Grant it sys_nice.
      
      system_server needs to set priority for the Bluetooth HAL.  Allow it.
      
      Bug 37518404
      Test:  Play Bluetooth audio, confirm RT scheduling with systrace
      Merged-In: Iaf7b85a11a51883744d72a50addfd320b6fbbc2f
      Change-Id: Iaf7b85a11a51883744d72a50addfd320b6fbbc2f
      
      (cherry picked from commit 6eee6eb2)
      3c46d2ff
  12. Apr 25, 2017
    • Philip Cuadra's avatar
      Allow Bluetooth sys_nice and system_server setsched for Bluetooth HAL · 6eee6eb2
      Philip Cuadra authored
      Bluetooth needs the capability to set audio-related threads to be RT
      scheduled.  Grant it sys_nice.
      
      system_server needs to set priority for the Bluetooth HAL.  Allow it.
      
      Bug 37518404
      Test:  Play Bluetooth audio, confirm RT scheduling with systrace
      Change-Id: Iaf7b85a11a51883744d72a50addfd320b6fbbc2f
      6eee6eb2
  13. Apr 21, 2017
    • Daniel Nicoara's avatar
      Remove vr_wm service selinux policy · 0e43e4e6
      Daniel Nicoara authored
      vr_wm functionality is moved in VrCore, so remove this service.
      
      Bug: 37542947, 36506799
      Test: Ran on device and verified there are no permission errors while in
      VR
      Change-Id: I37fd34e96babec2a990600907f61da8c358ecc89
      0e43e4e6
    • Chia-I Wu's avatar
      Allow dumping hal_graphics_composer_server and fix watchdog · e4d21465
      Chia-I Wu authored
      Bug: 37152880
      Bug: 37554633
      Test: adb shell am hang --allow-restart
      Test: adb shell dumpstate
      Change-Id: Ie68607f3e3245a40056bdde7dd810ddf212b4295
      e4d21465
    • Alex Klyubin's avatar
      Restrict access to hwservicemanager · 53656c17
      Alex Klyubin authored
      This adds fine-grained policy about who can register and find which
      HwBinder services in hwservicemanager.
      
      Test: Play movie in Netflix and Google Play Movies
      Test: Play video in YouTube app and YouTube web page
      Test: In Google Camera app, take photo (HDR+ and conventional),
            record video (slow motion and normal), and check that photos
            look fine and videos play back with sound.
      Test: Cast screen to a Google Cast device
      Test: Get location fix in Google Maps
      Test: Make and receive a phone call, check that sound works both ways
            and that disconnecting the call frome either end works fine.
      Test: Run RsHelloCompute RenderScript demo app
      Test: Run fast subset of media CTS tests:
            make and install CtsMediaTestCases.apk
            adb shell am instrument -e size small \
                -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
      Test: Play music using Google Play music
      Test: Adjust screen brightness via the slider in Quick Settings
      Test: adb bugreport
      Test: Enroll in fingerprint screen unlock, unlock screen using
            fingerprint
      Test: Apply OTA update:
            Make some visible change, e.g., rename Settings app.
            make otatools && \
            make dist
            Ensure device has network connectivity
            ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
            Confirm the change is now live on the device
      Bug: 34454312
      (cherry picked from commit 632bc494)
      Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
      Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
      53656c17
  14. Apr 20, 2017
    • Alex Klyubin's avatar
      Restrict access to hwservicemanager · 632bc494
      Alex Klyubin authored
      This adds fine-grained policy about who can register and find which
      HwBinder services in hwservicemanager.
      
      Test: Play movie in Netflix and Google Play Movies
      Test: Play video in YouTube app and YouTube web page
      Test: In Google Camera app, take photo (HDR+ and conventional),
            record video (slow motion and normal), and check that photos
            look fine and videos play back with sound.
      Test: Cast screen to a Google Cast device
      Test: Get location fix in Google Maps
      Test: Make and receive a phone call, check that sound works both ways
            and that disconnecting the call frome either end works fine.
      Test: Run RsHelloCompute RenderScript demo app
      Test: Run fast subset of media CTS tests:
            make and install CtsMediaTestCases.apk
            adb shell am instrument -e size small \
                -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
      Test: Play music using Google Play music
      Test: Adjust screen brightness via the slider in Quick Settings
      Test: adb bugreport
      Test: Enroll in fingerprint screen unlock, unlock screen using
            fingerprint
      Test: Apply OTA update:
            Make some visible change, e.g., rename Settings app.
            make otatools && \
            make dist
            Ensure device has network connectivity
            ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
            Confirm the change is now live on the device
      Bug: 34454312
      Change-Id: Iecf74000e6c68f01299667486f3c767912c076d3
      632bc494
  15. Apr 19, 2017
    • Andreas Gampe's avatar
      Sepolicy: Fix asanwrapper · c848d37d
      Andreas Gampe authored
      Add asanwrapper support for system server under sanitization.
      
      Bug: 36138508
      Test: m && m SANITIZE_TARGET=address SANITIZE_LITE=true
      Test: adb root && adb shell setprop wrap.system_server asanwrapper
      Change-Id: Id930690d2cfd8334c933e0ec5ac62f88850331d0
      c848d37d
    • Salvador Martinez's avatar
      Give system_server access to last reboot reason · f306d373
      Salvador Martinez authored
      system_server needs to be able to read the file
      last_reboot_reason to see if we need to show
      a thermal notification to the user. This change
      allows system_server to read, delete, and rename
      the file.
      
      Test: Manual
      Bug: 30994946
      Change-Id: Id73e18768f910c8de0bfc02f1b464e689f4b3955
      f306d373
  16. Apr 17, 2017
    • Alex Klyubin's avatar
      Apps and system_server are gralloc HAL clients · 5007c10a
      Alex Klyubin authored
      This commit marks system_server and app domains (except isolated_app)
      as clients of Graphics Allocator HAL. This makes the policy cleaner
      and prepares ground for restricting access to HwBinder services.
      
      Test: Play video in YouTube app and in Google Chrome YouTube web page
      Test: Using Google Camera app, take an HDR+ photo, a conventional
            photo, record a video with sound and a slow motion video with
            sound, then check that photos look good and videos play back
            fine, including sound.
      Bug: 34454312
      Change-Id: Iea04d38fa5520432f06af94570fa6ce16ed7979a
      5007c10a
  17. Apr 16, 2017
    • Martijn Coenen's avatar
      Remove mediacodec from binder violators. · fc80f480
      Martijn Coenen authored
      The new binder_call() lines had to be added
      because this change removes mediacodec from
      binderservicedomain (on full-treble), hence
      domains that could previously reach mediacodec
      with binder_call(domain, binderservicedomain)
      now need explicit calls instead.
      
      Test: Youtube, Netflix, Maps, Chrome, Music
      Change-Id: I3325ce20d9304bc07659fd435554cbcbacbc9829
      fc80f480
  18. Apr 14, 2017
    • Martijn Coenen's avatar
      Give apps, cameraserver, and system_server access to sync fences. · de2e79c5
      Martijn Coenen authored
      Since hal_graphics_composer_default is now no longer
      a member of binderservicedomain, these domains would
      no longer be able to use filedescriptors from it.
      
      Bug: 36569525
      Bug: 35706331
      Test: marlin boots, YouTube, Maps, Camera, video
      Change-Id: I4c110cf7530983470ae079e4fbc8cf11aa0fab7f
      de2e79c5
  19. Apr 12, 2017
    • Alex Klyubin's avatar
      Treble devices use binderized HALs · 22157e7a
      Alex Klyubin authored
      All HALs which are represented by hal_* attributes in SELinux policy
      are required to run in binderized mode on Treble devices. This commit
      thus makes the SELinux policy for Treble devices no longer associate
      domains in hal_x_client with hal_x attribute, which is what was
      granting domains hosting clients of hal_x the rules needed to run this
      HAL in-process. The result is that core components have now less
      access.
      
      This commit has no effect on non-Treble devices.
      
      Test: Device boots -- no new denials
      Test: Play movie using Google Play Movies and Netflix
      Test: Play YouTube clip in YouTube app and in Chrome
      Test: Unlock lock screen using fingerprint
      Test: Using Google Camera, take a photo, an HDR+ photo, record a
            video with sound, a slow motion video with sound. Photos and
            videos display/play back fine (incl. sound).
      Test: adb screencap
      Test: $ monitor
            take screenshot
      Test: In all tests, no deials to do with hal_*, except pre-existing
            denials to do with hal_gnss.
      Bug: 37160141
      Bug: 34274385
      Bug: 34170079
      Change-Id: I1ca91d43592b466114af13898f5909f41e59b521
      22157e7a
    • Jorge Lucangeli Obes's avatar
      system_server: Report dalvikcache_data_file execute violations. · 62a1b236
      Jorge Lucangeli Obes authored
      With build/core eaa9d88cf, system_server should not be loading code
      from /data. Add an auditallow rule to report violations.
      
      Bug: 37214733
      Test: Boot marlin, no SELinux audit lines for system_server.
      Change-Id: I2e25eb144503274025bd4fc9bb519555851f6521
      (cherry picked from commit 665128fa)
      62a1b236
  20. Apr 11, 2017
  21. Apr 10, 2017
  22. Apr 07, 2017
    • Donghyun Cho's avatar
      Add sepolicy for tv.cec · f81dd0c5
      Donghyun Cho authored
      Bug: 36562029
      Test: m -j40 and CEC functionality works well
      Change-Id: I5a693e65abdd5139a848d939149a475056cc41e8
      f81dd0c5
  23. Apr 06, 2017
    • Sandeep Patil's avatar
      sepolicy: restrict /vendor/overlay from most coredomains · 9075699a
      Sandeep Patil authored
      
      The change makes 'vendor_overlay_file' accessible only to few platform
      domains like idmap, system_server, zygote and appdomain.
      
      The overlay files contains RROs (runtime resource overlays)
      
      Bug: 36681210
      Test: Boot sailfish (treble device) from wiped flashall
      Test: Connect to wifi and launch chrome to load few websites.
      Test: Launch camera and record + playback video
      
      Change-Id: I3596ca89ad51d0e7d78c75121f22ea71209ee332
      Signed-off-by: default avatarSandeep Patil <sspatil@google.com>
      9075699a
  24. Apr 05, 2017
    • Sandeep Patil's avatar
      sepolicy: relabel /vendor · 277a20eb
      Sandeep Patil authored
      
      The CL splits /vendor labeling from /system. Which was allowing all
      processes read, execute access to /vendor.
      
      Following directories will remain world readable
       /vendor/etc
       /vendor/lib(64)/hw/
      
      Following are currently world readable but their scope
      will be minimized to platform processes that require access
       /vendor/app
       /vendor/framework/
       /vendor/overlay
      
      Files labelled with 'same_process_hal_file' are allowed to be
      read + executed from by the world. This is for Same process HALs and
      their dependencies.
      
      Bug: 36527360
      Bug: 36832490
      Bug: 36681210
      Bug: 36680116
      Bug: 36690845
      Bug: 36697328
      Bug: 36696623
      Bug: 36806861
      Bug: 36656392
      Bug: 36696623
      Bug: 36792803
      
      All of the tests were done on sailfish, angler, bullhead, dragon
      Test: Boot and connect to wifi
      Test: Run chrome and load websites, play video in youtube, load maps w/
            current location, take pictures and record video in camera,
            playback recorded video.
      Test: Connect to BT headset and ensure BT audio playback works.
      Test: OTA sideload using recovery
      Test: CTS SELinuxHostTest pass
      
      Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
      Signed-off-by: default avatarSandeep Patil <sspatil@google.com>
      277a20eb
  25. Apr 04, 2017
    • Sohani Rao's avatar
      SE Policy for Wifi Offload HAL · 3dd460ba
      Sohani Rao authored
      Update SE Policy to allow calls to and callbacks from Wifi Offload HAL
      HIDL binderized service.
      Cherry pick from d56aa1982d15acfc2408271138dac43f1e5dc987
      
      Bug: 32842314
      Test: Unit tests, Mannual test to ensure Wifi can be brought up and
      connected to an AP, ensure that Offload HAL service is running and that
      that wificond can get the service handle by calling hwservicemanager.
      
      Change-Id: I0fc51a4152f1891c8d88967e75d45ded115e766e
      3dd460ba
    • Amit Mahajan's avatar
      rild does not communicate with BT/system_server/mediaserver over sockets · 8b080ee2
      Amit Mahajan authored
      Test: manual (verified no denials in basic telephony operations)
      Bug: 36613472
      Change-Id: I31274adee2cb6293102446cd2d6d547c50616836
      8b080ee2
  26. Mar 31, 2017
    • Shubang's avatar
      Add sepolicy for tv.input · c76e158c
      Shubang authored
      Test: build, flash; adb shell lshal
      Bug: 36562029
      Change-Id: If8f6d8dbd99d31e6627fa4b7c1fd4faea3b75cf2
      c76e158c
    • Alex Klyubin's avatar
      Tighten restrictions on core <-> vendor socket comms · 2f6151ea
      Alex Klyubin authored
      This futher restricts neverallows for sockets which may be exposed as
      filesystem nodes. This is achieved by labelling all such sockets
      created by core/non-vendor domains using the new coredomain_socket
      attribute, and then adding neverallow rules targeting that attribute.
      
      This has now effect on what domains are permitted to do. This only
      changes neverallow rules.
      
      Test: mmm system/sepolicy
      Bug: 36577153
      
      (cherry picked from commit cf2ffdf0)
      
      Change-Id: Iffeee571a2ff61fb9515fa6849d060649636524e
      2f6151ea
    • Alex Klyubin's avatar
      Tighten restrictions on core <-> vendor socket comms · cf2ffdf0
      Alex Klyubin authored
      This futher restricts neverallows for sockets which may be exposed as
      filesystem nodes. This is achieved by labelling all such sockets
      created by core/non-vendor domains using the new coredomain_socket
      attribute, and then adding neverallow rules targeting that attribute.
      
      This has now effect on what domains are permitted to do. This only
      changes neverallow rules.
      
      Test: mmm system/sepolicy
      Bug: 36577153
      Change-Id: I633163cf67d60677c4725b754e01097dd5790aed
      cf2ffdf0
  27. Mar 29, 2017
    • Sandeep Patil's avatar
      mac_permissions: explicitly label all mac_permissions files · bb24f3ab
      Sandeep Patil authored
      
      *mac_permissions.xml files need to be explicitly labeled as they are now split
      cross system and vendor and won't have the generic world readable
      'system_file' or 'rootfs' label.
      
      Bug: 36003167
      Test: no new 'mac_perms_file' denials at boot complete on sailfish
      Test: successfully booted into recovery without denials and sideloaded
            OTA update.
      Test: Launch 'chrome' and succesfully load a website.
      Test: Launch Camera and take a picture.
      Test: Launch Camera and record a video, succesfully playback recorded
            video
      
      Change-Id: I1c882872bb78d1242ba273756ef0dc27487f58fc
      Signed-off-by: default avatarSandeep Patil <sspatil@google.com>
      bb24f3ab
Loading