Commits · 252e871dd210c4351c022b5df122243177d2b8cf · CodeLinaro / public-release-test / platform / system / sepolicy

Apr 12, 2018
- Allow vendor-init-readable for sys.boot_completed and dev.bootcomplete · 252e871d
  Jaekyun Seok authored 6 years ago
```
am: ac2e4cce

Change-Id: I595507e45f563ae0ecfb07e842f446a34b3e3446
```
  252e871d
- Merge "hal_tetheroffload: move hwservice mapping to core policy" am: e0163411 · 2d39f54c
  Jeff Vander Stoep authored 6 years ago
```
am: e63f0e9c

Change-Id: Ib6b1721b59b6df2944584a3236076885c9218930
```
  2d39f54c
- Merge "hal_tetheroffload: move hwservice mapping to core policy" · e63f0e9c
  Jeff Vander Stoep authored 6 years ago
```
am: e0163411

Change-Id: I32f6cd37506d4e6f6feb73c6d1b2eabcdb4988b3
```
  e63f0e9c
- Merge "hal_tetheroffload: move hwservice mapping to core policy" · e0163411
  Treehugger Robot authored 6 years ago
  
  e0163411
Apr 11, 2018

Allow vendor-init-readable for sys.boot_completed and dev.bootcomplete · ac2e4cce
Jaekyun Seok authored 6 years ago
```
Bug: 75987246
Test: succeeded builing and tested with taimen
Change-Id: I2d8bc91c305e665ed9c69459e51204117afb3eee
```
ac2e4cce
Merge changes If2413c30,Ic5d7c961 am: 45b4704e · 8f126091
Jeff Vander Stoep authored 6 years ago
```
am: 1382984c

Change-Id: Icc3cd3d88873627f93cb59f69083b0c68f1a51ea
```
8f126091

hal_tetheroffload: move hwservice mapping to core policy · c41f5b84

Addresses:
avc: denied { find } for
interface=android.hardware.tetheroffload.config::IOffloadConfig
scontext=u:r:system_server:s0
tcontext=u:object_r:default_android_hwservice:s0
tclass=hwservice_manager

Bug: 77855688
Test: build/boot Sailfish, turn on tethering, no selinux denial
Change-Id: I97cae0928b5311a4da41d19cbd5c863c3137a49f
(cherry picked from commit 3a346ea7)

c41f5b84

Merge changes If2413c30,Ic5d7c961 · 1382984c
Jeff Vander Stoep authored 6 years ago
```
am: 45b4704e

Change-Id: I29d90373b7cc4350244c81f9a5b24c31453d987d
```
1382984c
Merge "Widen crash_dump dontaudit." into pi-dev · 3c7c4182
Joel Galenson authored 6 years ago
```
am: 2e532d40

Change-Id: I7cd5f36005f7e5c26384525a038b54dac87294bd
```
3c7c4182
Merge changes If2413c30,Ic5d7c961 · 45b4704e
Treehugger Robot authored 6 years ago
```
* changes:
  Suppress spurious denial
  Suppress spurious denial
```
45b4704e
Merge "Hide sys_rawio SELinux denials." into pi-dev · 93d12b83
Joel Galenson authored 6 years ago
```
am: 106a5b31

Change-Id: Icebdaa72e68c6ac79cc05caf53cab612addb335f
```
93d12b83
Merge "Widen crash_dump dontaudit." into pi-dev · 2e532d40
TreeHugger Robot authored 6 years ago

2e532d40
Merge "Hide sys_rawio SELinux denials." into pi-dev · 106a5b31
TreeHugger Robot authored 6 years ago

106a5b31

Suppress spurious denial · 7e5ec2bc

Jeff Vander Stoep authored 6 years ago

Addresses:
avc: denied { sys_resource } scontext=u:r:zygote:s0
tcontext=u:r:zygote:s0 tclass=capability

Bug: 77905989
Test: build and flash taimen-userdebug
Change-Id: If2413c3005df02a70661464d695211acbcda4094
(cherry picked from commit 816e744d998cb327fbd20f3124b22398bea2b8e4)

7e5ec2bc

Suppress spurious denial · f7a7f7d1

Jeff Vander Stoep authored 6 years ago

Addresses:
avc: denied { sys_resource } for comm="ip6tables" capability=24
scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0
tclass=capability

Bug: 77905989
Test: build and flash taimen-userdebug
Change-Id: Ic5d7c96152b96b55255eeec00b19948f38c1923c
(cherry picked from commit 443a43c9)

f7a7f7d1

Merge "Adding ability for priv apps to read traceur fd" am: 8966b8e5 · 0cd168c7
Max Bires authored 6 years ago
```
am: a949ddb5

Change-Id: Ife6c721b66c23ddd8cfcf94a1f45b9491a272252
```
0cd168c7

Widen crash_dump dontaudit. · a01e9313

Joel Galenson authored 6 years ago

We have seen crash_dump denials for radio_data_file,
shared_relro_file, shell_data_file, and vendor_app_file.  This commit
widens an existing dontaudit to include them as well as others that we
might see.

Bug: 77908066
Test: Boot device.
Change-Id: I9ad2a2dafa8e73b13c08d0cc6886274a7c0e3bac
(cherry picked from commit a3b3bdbb)

a01e9313

Hide sys_rawio SELinux denials. · e477c781

Joel Galenson authored 6 years ago

We often see the following denials:

avc: denied { sys_rawio } for comm="update_engine" capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
avc: denied { sys_rawio } for comm="boot@1.0-servic" capability=17 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0

These are benign, so we are hiding them.

Bug: 37778617
Test: Boot device.
Change-Id: Iac196653933d79aa9cdeef7670076f0efc97b44a
(cherry picked from commit bf4afae1)

e477c781

[automerger skipped] Merge "Add internal types to 27.0[.ignore].cil." am: be79c7b2 · a5df96cf
Tri Vo authored 6 years ago
```
am: 26776b03  -s ours

Change-Id: Ia9ec9e2a510a495bd9b339b33f4c4c1b5735d91b
```
a5df96cf
Merge "Add internal types to 27.0[.ignore].cil." · 26776b03
Tri Vo authored 6 years ago
```
am: be79c7b2

Change-Id: Iac6379199a0f0a0680bd0ddda32644333fbaef74
```
26776b03
Merge "Add internal types to 27.0[.ignore].cil." · be79c7b2
Treehugger Robot authored 6 years ago

be79c7b2

Apr 10, 2018

Merge "Hide sys_rawio SELinux denials." am: 6cdc9a82 · d1c93612
Joel Galenson authored 6 years ago
```
am: 97e41802

Change-Id: I07a20906f2c536e573198219e4d3d567ea715144
```
d1c93612
Merge "Hide sys_rawio SELinux denials." · 97e41802
Joel Galenson authored 6 years ago
```
am: 6cdc9a82

Change-Id: I3fdc8fa4f4486ccfadf785ff82e147ad47123c37
```
97e41802

Merge "Adding ability for priv apps to read traceur fd" · a949ddb5

Max Bires authored 7 years ago

am: 8966b8e5

Bug: 74435522
Test: traceur can share to betterbug
Change-Id: Ic24196b6a4050696d92f18a6879c569ccf5eaec7
(cherry picked from commit f66fd522)

a949ddb5

Merge "Hide sys_rawio SELinux denials." · 6cdc9a82
Treehugger Robot authored 6 years ago

6cdc9a82
Merge "Widen crash_dump dontaudit." am: 354a2530 · fc29b9ba
Joel Galenson authored 6 years ago
```
am: b5f3e88e

Change-Id: Ia52abf98b65da8309e014ac5fd3c642511e6f189
```
fc29b9ba
Merge "Widen crash_dump dontaudit." · b5f3e88e
Joel Galenson authored 6 years ago
```
am: 354a2530

Change-Id: Iae854d7e794e9616cd1878e8096473cf9bbe0680
```
b5f3e88e
Merge "Widen crash_dump dontaudit." · 354a2530
Treehugger Robot authored 6 years ago

354a2530

Add internal types to 27.0[.ignore].cil. · fad493bf

Tri Vo authored 7 years ago

Bug: 69390067
Test: manual run of treble_sepolicy_tests
Change-Id: I1b772a3f7c96875765c75bfc1031f249411c3338
Merged-In: I1b772a3f7c96875765c75bfc1031f249411c3338
(cherry picked from commit 9fbd6520)

fad493bf

Hide sys_rawio SELinux denials. · bf4afae1

Joel Galenson authored 6 years ago

We often see the following denials:

avc: denied { sys_rawio } for comm="update_engine" capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
avc: denied { sys_rawio } for comm="boot@1.0-servic" capability=17 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0

These are benign, so we are hiding them.

Bug: 37778617
Test: Boot device.
Change-Id: Iac196653933d79aa9cdeef7670076f0efc97b44a

bf4afae1

Merge "Expose filesystem read events in SELinux policy." am: 589226df · ddba04d0
Florian Mayer authored 6 years ago
```
am: bf685274

Change-Id: I2d17d76e68d60454ca53f4448a71fc619bbd5cd7
```
ddba04d0
Merge "Expose filesystem read events in SELinux policy." · bf685274
Florian Mayer authored 6 years ago
```
am: 589226df

Change-Id: I5e6efda7d87fcffed4733058ae2fab3ff1cdaecd
```
bf685274
Merge "Expose filesystem read events in SELinux policy." · 589226df
Florian Mayer authored 6 years ago

589226df
Adding labeling for vendor security patch prop am: 5cac1aa9 · 15a9fbc2
Max Bires authored 6 years ago
```
am: ad3602d2

Change-Id: I034f2f2c9eab3667cfa92ea41b4b5f4afa1c7df7
```
15a9fbc2
Adding labeling for vendor security patch prop · ad3602d2
Max Bires authored 6 years ago
```
am: 5cac1aa9

Change-Id: I889d985e3a012545d15e3dd0f06b002682671157
```
ad3602d2

Expose filesystem read events in SELinux policy. · 7ad383f1

Florian Mayer authored 6 years ago

Without this, we only have visibility into writes.

Looking at traces, we realised for many of the files we care about (.dex, .apk)
most filesystem events are actually reads.

See aosp/661782 for matching filesystem permission change.

Bug: 73625480

Change-Id: I6ec71d82fad8f4679c7b7d38e3cb90aff0b9e298

7ad383f1

Widen crash_dump dontaudit. · a3b3bdbb

Joel Galenson authored 6 years ago

We have seen crash_dump denials for radio_data_file,
shared_relro_file, shell_data_file, and vendor_app_file.  This commit
widens an existing dontaudit to include them as well as others that we
might see.

Test: Boot device.
Change-Id: I9ad2a2dafa8e73b13c08d0cc6886274a7c0e3bac

a3b3bdbb

Apr 09, 2018

Adding labeling for vendor security patch prop · 5cac1aa9

Max Bires authored 7 years ago

This will allow adb shell getprop ro.vendor.build.security_patch to
properly return the correct build property, whereas previously it was
offlimits due to lack of label.

Test: adb shell getprop ro.vendor.build.security_patch successfully
returns whatever VENDOR_SECURITY_PATCH is defined to be in the Android
.mk files

Change-Id: Ie8427738125fc7f909ad8d51e4b76558f5544d49

5cac1aa9

whitelist test failure that bypassed presubmit · c16e920d
Jeff Vander Stoep authored 6 years ago
```
am: 2ccd99a5

Change-Id: I0e4eacb9cce9c995bf773176638a46af0e92af0a
```
c16e920d

whitelist test failure that bypassed presubmit · 2ccd99a5

Jeff Vander Stoep authored 6 years ago

avc: denied { read } for comm="batterystats-wo" name="show_stat" dev="sysfs"
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Bug: 77816522
Test: build
Change-Id: I50a9bfe1a9e4df9c84cf4b2b4aedbb8f82ac94cd

2ccd99a5