Commits · 2464a492b4d47ccca9c4e2041e1811746baeb355 · CodeLinaro / public-release-test / platform / system / sepolicy

Dec 01, 2016
- Merge "Added an auditallow rule to track vold remounting filesystems." · 2464a492
  Max authored 8 years ago
```
am: 685ef6b8

Change-Id: I8b1a5415261fcb6b939152ce2fe3b58b0353d1bd
```
  2464a492
- Merge "Added an auditallow rule to track vold remounting filesystems." · 685ef6b8
  Treehugger Robot authored 8 years ago
  
  685ef6b8
- domain_deprecated.te: remove /proc/net access · 1780a627
  Nick Kralevich authored 8 years ago
```
am: dd649da8

Change-Id: I648e8b2869b4b2d95255575e257f07f11153865d
```
  1780a627
Nov 30, 2016

domain_deprecated.te: remove /proc/net access · dd649da8

Nick Kralevich authored 8 years ago

Remove /proc/net access to domain_deprecated. Add it to domains where it
was missing before.

Other than these domains, SELinux denial monitoring hasn't picked up any
denials related to /proc/net

Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: Ie5bfa4bc0070793c1e8bf3b00676fd31c08d426a

dd649da8

dumpstate: talk to vibrator hal · 7aa5caf8
Steven Moreland authored 8 years ago
```
am: 839c7ded

Change-Id: Ibbbc3e8e51cbe6a5e2f1e5be7839a1cc3341b33c
```
7aa5caf8

Added an auditallow rule to track vold remounting filesystems. · 314d8c58

Max authored 8 years ago

Vold shouldn't have this selinux permission, so this will be left in for
a few weeks to keep track of if removing it would be an issue to any
other processes. If not, then a follow-up CL will remove both the rule
and the auditallow

Test: This CL is a test in itself, auditallow rules shouldn't change
behavior of SELinux policy by themselves
Bug: 26901147
Change-Id: Ib076448863bd54278df59a3b514c9e877eb22ee5

314d8c58

Nov 29, 2016
- dumpstate: talk to vibrator hal · 839c7ded
  Steven Moreland authored 8 years ago
```
Bug: 33067126
Test: Dumpstate vibrator works.
Change-Id: I46ff453218ba77f156e13b448e3cba9a291df0e7
```
  839c7ded
- Merge "Allow sdcardd to remount sdcardfs" · e3836841
  Daniel Rosenberg authored 8 years ago
```
am: 7b6dbd73

Change-Id: I5ba0baabf29c67d6de10b673ae9948fdab7b78bd
```
  e3836841
- Merge "Allow sdcardd to remount sdcardfs" · 7b6dbd73
  Treehugger Robot authored 8 years ago
  
  7b6dbd73
- Merge "Add permissions for hal_boot" · 3e2fed1a
  Connor O'Brien authored 8 years ago
```
am: 280ba8b7

Change-Id: I40ea119e77002f6d71a1b0125c9420c24fc54d49
```
  3e2fed1a
- Merge "Add permissions for hal_boot" · 280ba8b7
  Connor O'Brien authored 8 years ago
  
  280ba8b7
- Allow sdcardd to remount sdcardfs · df59b9f9
  Daniel Rosenberg authored 8 years ago
```
Sdcardfs now supports bind mounts and remounts
instead of needing several separate mounts

bug: 30954918
Test: Enable Sdcardfs, verify mounts
Change-Id: Id94713752a08ceeb6aea7d3c29a29d3293a9b0c8
```
  df59b9f9
Nov 28, 2016

Merge "zygote: drop braces on single item rule" · 191e8b3b
William Roberts authored 8 years ago
```
am: a8340521

Change-Id: I0dc7cdaacd65f027f8615e5201f9357001e5b40b
```
191e8b3b
Merge "zygote: drop braces on single item rule" · a8340521
Treehugger Robot authored 8 years ago

a8340521
Add directory read permissions to certain domains. · d9bd9e69
Nick Kralevich authored 8 years ago
```
am: 49e35884

Change-Id: Ib96dbc7f6467e55d595426242c59b9551e9ae75f
```
d9bd9e69

Add directory read permissions to certain domains. · 49e35884

Nick Kralevich authored 8 years ago

Addresses the following denials and auditallows:

avc: denied { read } for pid=561 comm="hwservicemanage" name="hw"
dev="dm-0" ino=1883 scontext=u:r:hwservicemanager:s0
tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

avc: denied { read } for pid=748 comm="gatekeeperd" name="hw" dev="dm-0"
ino=1883 scontext=u:r:gatekeeperd:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

avc: granted { read open } for pid=735 comm="fingerprintd"
path="/system/lib64/hw" dev="dm-0" ino=1883 scontext=u:r:fingerprintd:s0
tcontext=u:object_r:system_file:s0 tclass=dir

Test: no denials on boot
Change-Id: Ic363497e3ae5078e564d7195f3739a654860a32f

49e35884

Merge "system_server: Delete system_file:file execute_no_trans;" · 3f77c683
Nick Kralevich authored 8 years ago
```
am: 8fe7b8d2

Change-Id: I904920227113f9b8e43182a4b3ba22b191cceb64
```
3f77c683
Merge "Remove domain_deprecated from some domains." · 97aff6ae
Nick Kralevich authored 8 years ago
```
am: 2affae65

Change-Id: I9f5c692674c60b526b0ed7ac2bc46610b9e3c5ab
```
97aff6ae
Merge "Delete more from domain_deprecated.te" · f42128af
Nick Kralevich authored 8 years ago
```
am: fae2794e

Change-Id: Iba87329c6ae3de6ad95868a9237eec83fd76da05
```
f42128af
Merge "system_server: Delete system_file:file execute_no_trans;" · 8fe7b8d2
Treehugger Robot authored 8 years ago

8fe7b8d2
Merge "Remove domain_deprecated from some domains." · 2affae65
Treehugger Robot authored 8 years ago

2affae65
Merge "Delete more from domain_deprecated.te" · fae2794e
Treehugger Robot authored 8 years ago

fae2794e

zygote: drop braces on single item rule · 96385a75

William Roberts authored 8 years ago


commit 221938cb
introduces a fix that uses braces around a single item.
This is not within the normal style of no brace around
a single item. Drop the braces.

Change-Id: Ibeee1e682c0face97f18d5e5177be13834485676
Signed-off-by: William Roberts <william.c.roberts@intel.com>

96385a75

Merge "Remove "eng" macro" · 067bdcfb
Nick Kralevich authored 8 years ago
```
am: 03e74a20

Change-Id: I168746eb6e2fded35d2da632731d4300522e0afd
```
067bdcfb
logd.te: Remove setting persist.sys. and sys.powerctl · 73ea3605
Nick Kralevich authored 8 years ago
```
am: 31e9f39f

Change-Id: I763244982b9e104f3a2ef68a81609db0b5ca9f39
```
73ea3605
Merge "Remove "eng" macro" · 03e74a20
Treehugger Robot authored 8 years ago

03e74a20

Remove "eng" macro · d070b671

Nick Kralevich authored 8 years ago

Never used.

Test: policy compiles.
Change-Id: I0ce6c46bb05925a4b3eda83531b28f873b0c9b99

d070b671

Nov 27, 2016

logd.te: Remove setting persist.sys. and sys.powerctl · 31e9f39f

Nick Kralevich authored 8 years ago

As of system/core commit a742d1027784a54c535cff69b375a9f560893155, this
functionality is no longer used.

Test: device boots and no obvious problems.
Change-Id: Ia3ad8add92f1cdaaff36f4935be8b03458fed7f2

31e9f39f

Nov 26, 2016

Remove domain_deprecated from some domains. · 0fa81a27

Nick Kralevich authored 8 years ago

No denials showing up in collected audit logs.

Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: I5a0d4f3c51d296bfa04e71fc226a01dcf5b5b508

0fa81a27

Delete more from domain_deprecated.te · 06da58b9

Nick Kralevich authored 8 years ago

No unexpected usages.

Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: I43226fd0b8103afb1b25b1eb21445c04bc79954e

06da58b9

Merge "Move to ioctl whitelisting for /dev/pts/* files" · 80659f55
Nick Kralevich authored 8 years ago
```
am: d1228f2e

Change-Id: Ic825465ad7cf20ebe26cb1f0a4e6077bf3648ce9
```
80659f55
Merge "Move to ioctl whitelisting for /dev/pts/* files" · d1228f2e
Treehugger Robot authored 8 years ago

d1228f2e

system_server: Delete system_file:file execute_no_trans; · 55e86a3a

Nick Kralevich authored 8 years ago

auditallow has been in place since Apr 2016
(f84b7981) and no SELinux denials have
been generated / collected. Remove unused functionality.

Test: Device boots with no problems.
Test: no SELinux denials of this type collected.
Bug: 28035297
Change-Id: I52414832abb5780a1645a4df723c6f0c758eb5e6

55e86a3a

Nov 23, 2016

Move to ioctl whitelisting for /dev/pts/* files · 07c3a5a5

Nick Kralevich authored 8 years ago

In particular, get rid of TIOCSTI, which is only ever used for exploits.

http://www.openwall.com/lists/oss-security/2016/09/26/14

Bug: 33073072
Bug: 7530569
Test: "adb shell" works
Test: "adb install package" works
Test: jackpal terminal emulator from
      https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en
      works
Change-Id: I96b5e7059d106ce57ff55ca6e458edf5a4c393bf

07c3a5a5

Merge "label /bugreports" · 97494e4a
Nick Kralevich authored 8 years ago
```
am: e6a20295

Change-Id: Ib769255c5c35ffbc47cd81c9592046b0a6282379
```
97494e4a
Merge "label /bugreports" · e6a20295
Treehugger Robot authored 8 years ago

e6a20295

Nov 22, 2016

Merge "recovery.te: Allow writing to sysfs_devices_system_cpu." · 0733c206
Tao Bao authored 8 years ago
```
am: 94d76c87

Change-Id: I3d4343c5c1bc210253e24de8aeec192e331ffebb
```
0733c206
Merge "recovery.te: Allow writing to sysfs_devices_system_cpu." · 94d76c87
Treehugger Robot authored 8 years ago

94d76c87
neverallow some /proc file reads · a824fa33
Nick Kralevich authored 8 years ago
```
am: 0b7506ff

Change-Id: I8093d316ef2f0e5839073b88351bca4eace75b7b
```
a824fa33

recovery.te: Allow writing to sysfs_devices_system_cpu. · ee7960c0

Tao Bao authored 8 years ago

recovery (update_binary) may need to set up cpufreq during an update.

avc:  denied  { write } for  pid=335 comm="update_binary" name="scaling_max_freq" dev="sysfs" ino=7410 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0

Bug: 32463933
Test: Build a recovery image and apply an OTA package that writes to
      /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.

Change-Id: Ia90af9dd15e162dd94bcd4722b66aa296e3058c5

ee7960c0