Commits · 2e69afc079a175070279674be78aacbe4434c367 · CodeLinaro / public-release-test / platform / system / sepolicy

Apr 05, 2018

Adding ability for keystore to find dropbox · 2e69afc0

Max Bires authored 6 years ago

This will allow the logging in keystore to actually work.

Test: keystore dropbox logging is successful
Change-Id: Ic135fa9624c289c54187e946affbd0caacef13c1

2e69afc0

Mar 07, 2018

Merge "Revert "perfetto: allow traced_probes to execute atrace"" am: cbd85e53 am: c5a3dce4 · 0895f944
Primiano Tucci authored 7 years ago
```
am: df63c4d2

Change-Id: I62f081894eee5d503efe9f8348b5e66271239691
```
0895f944
Merge "Revert "perfetto: allow traced_probes to execute atrace"" am: cbd85e53 · df63c4d2
Primiano Tucci authored 7 years ago
```
am: c5a3dce4

Change-Id: I09b2208bea366d4a853381269424ccca2d9cf14d
```
df63c4d2
Merge "Revert "perfetto: allow traced_probes to execute atrace"" · c5a3dce4
Primiano Tucci authored 7 years ago
```
am: cbd85e53

Change-Id: I4878b4f977f7b6b436ce1ccb9c9f609ee9a3483b
```
c5a3dce4

Revert "perfetto: allow traced_probes to execute atrace" · d13be399

Primiano Tucci authored 7 years ago

This reverts commit 54a86e2b.

Reason for revert: Broke user builds, see go/twqpd

system/sepolicy/private/traced_probes.te:46:ERROR 'unknown type atrace' at token ';' on line 34879:
allow atrace traced_probes:fd use;
checkpolicy: error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/taimen/obj/ETC/sepolicy_neverallows_intermediates/policy.conf

Change-Id: I24440e1928700530b63b70b658c63046cdcdc5de
Merged-In: I24440e1928700530b63b70b658c63046cdcdc5de

d13be399

Merge "Revert "perfetto: allow traced_probes to execute atrace"" · cbd85e53
Primiano Tucci authored 7 years ago

cbd85e53

Revert "perfetto: allow traced_probes to execute atrace" · 70f8f329

Primiano Tucci authored 7 years ago

This reverts commit 54a86e2b.

Reason for revert: Broke user builds, see go/twqpd

system/sepolicy/private/traced_probes.te:46:ERROR 'unknown type atrace' at token ';' on line 34879:
# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
allow atrace traced_probes:fd use;
checkpolicy: error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/taimen/obj/ETC/sepolicy_neverallows_intermediates/policy.conf

Change-Id: I24440e1928700530b63b70b658c63046cdcdc5de

70f8f329

Fix sepolicy for bpf object am: 6cd70c2f · 90893f9c
Chenbo Feng authored 7 years ago
```
am: d1025109

Change-Id: Idb3f0c04611fced37a5601cd0b32389641785056
```
90893f9c
Fix sepolicy for bpf object · d1025109
Chenbo Feng authored 7 years ago
```
am: 6cd70c2f

Change-Id: I59e0a65ed2153982dd05f83de947678149d92ddb
```
d1025109
Merge "perfetto: allow traced_probes to execute atrace" am: 3538fc3d am: c547dcb8 · 2c5c57e2
Primiano Tucci authored 7 years ago
```
am: 097ff093

Change-Id: Iddc4f025032b54b77085ec00c47a09786cb9ce76
```
2c5c57e2
Merge "perfetto: allow traced_probes to execute atrace" am: 3538fc3d · 097ff093
Primiano Tucci authored 7 years ago
```
am: c547dcb8

Change-Id: I5fd0b13725071fc0c7581e60538b0136b478cb98
```
097ff093
Merge "perfetto: allow traced_probes to execute atrace" · c547dcb8
Primiano Tucci authored 7 years ago
```
am: 3538fc3d

Change-Id: Ie366724d55d2c3cb910acd5c491f00ad328e1ee5
```
c547dcb8
Merge "perfetto: allow traced_probes to execute atrace" · 3538fc3d
Treehugger Robot authored 7 years ago

3538fc3d
Add ADB system service am: 0b79a179 am: 5a27a7ad · dc7925d4
Kenny Root authored 7 years ago
```
am: 98e2df56

Change-Id: I77dd6a791e731c10936080f6be8501c1fb0815cd
```
dc7925d4
Add ADB system service am: 0b79a179 · 98e2df56
Kenny Root authored 7 years ago
```
am: 5a27a7ad

Change-Id: Iac4e90efaea8bbf42176dcbccbaac78369ed90c7
```
98e2df56
Add ADB system service · 5a27a7ad
Kenny Root authored 7 years ago
```
am: 0b79a179

Change-Id: I0e3f94884d8c920b0305f353ff6be6575f069fac
```
5a27a7ad

Fix sepolicy for bpf object · 6cd70c2f

Chenbo Feng authored 7 years ago

With the new patches backported to 4.9 kernels, the bpf file system now
take the same file open flag as bpf_obj_get. So system server now need
read permission only for both bpf map and fs_bpf since we do not need
system server to edit the map. Also, the netd will always pass stdin
stdout fd to the process forked by it and do allow it will cause the
fork and execev fail. We just allow it pass the fd to bpfloader for now
until we have a better option.

Test: bpfloader start successful on devices with 4.9 kernel.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
Bug: 74096311
Bug: 30950746

Change-Id: I747a51cb05ae495c155e7625a3021fc77f921e0d

6cd70c2f

Fix sepolicy for bpf object am: bfa95fcd am: 585b3bcf · 5f4de67d
Chenbo Feng authored 7 years ago
```
am: cbaad76d

Change-Id: I62c082e6691544cea974a80d5f56164d44c4e496
```
5f4de67d

Add ADB system service · 0b79a179

Kenny Root authored 7 years ago

ADB is being separated from USB service since it's not tied to the USB
transport. This duplicates the usb_service's settings to adb_service for
this purpose.

Bug: 63820489
Test: make
Change-Id: Idbcfbe470d7568f9cba51f0c8d4a8ee9503db93d

0b79a179

Fix sepolicy for bpf object am: bfa95fcd · cbaad76d
Chenbo Feng authored 7 years ago
```
am: 585b3bcf

Change-Id: I214e9ab30d322398757761da46879ab3685f5fdb
```
cbaad76d
Fix sepolicy for bpf object · 585b3bcf
Chenbo Feng authored 7 years ago
```
am: bfa95fcd

Change-Id: I7e6cf042e2e16cff73525fdd6ef754b2d07944cf
```
585b3bcf

Mar 06, 2018

Fix sepolicy for bpf object · bfa95fcd

Chenbo Feng authored 7 years ago

With the new patches backported to 4.9 kernels, the bpf file system now
take the same file open flag as bpf_obj_get. So system server now need
read permission only for both bpf map and fs_bpf since we do not need
system server to edit the map. Also, the netd will always pass stdin
stdout fd to the process forked by it and do allow it will cause the
fork and execev fail. We just allow it pass the fd to bpfloader for now
until we have a better option.

Test: bpfloader start successful on devices with 4.9 kernel.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
Bug: 74096311
Bug: 30950746

Change-Id: I747a51cb05ae495c155e7625a3021fc77f921e0d

bfa95fcd

Mar 02, 2018

Ensure taking a bugreport generates no denials. · daf1cdfa

Joel Galenson authored 7 years ago

This commit adds new SELinux permissions and neverallow rules so that
taking a bugreport does not produce any denials.

Bug: 73256908
Test: Captured bugreports on Sailfish and Walleye and verified
that there were no denials.

Change-Id: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9

daf1cdfa

perfetto: allow traced_probes to execute atrace · 54a86e2b

Primiano Tucci authored 7 years ago

This CL adds the SELinux permissions required to execute
atrace and get userspace tracing events from system services.
This is to enable tracing of events coming from surfaceflinger,
audio HAL, etc.
atrace, when executed, sets a bunch of debug.atrace. properties
and sends an IPC via binder/hwbinder to tell the services to
reload that property.

Change-Id: I2b0a66dcb519cb296e1d0e6e3f15a425dc809089
Bug: 73340039

54a86e2b

Add functionfs access to system_server. am: 1d401545 am: caf0139b · a6b8414b
Jerry Zhang authored 7 years ago
```
am: 66adf0cd

Change-Id: I88a90ad2fc9243724e4ddb6f9da469857ffd115b
```
a6b8414b
Add functionfs access to system_server. am: 1d401545 · 66adf0cd
Jerry Zhang authored 7 years ago
```
am: caf0139b

Change-Id: I874a41e0072352f5b8a0fc2b0080913c206520e1
```
66adf0cd
Add functionfs access to system_server. · caf0139b
Jerry Zhang authored 7 years ago
```
am: 1d401545

Change-Id: I7502e6ff1e45c12340b9f830bcc245fd2c80996e
```
caf0139b

Mar 01, 2018

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · 4eb92dc1

Ryan Longair authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0 am: a401c9f9 am: 0bba3d44  -s ours am: a0fac585  -s ours
am: 8ded6f42  -s ours

Change-Id: I19963a23f98c60613a511eed2b2f8938317002f8

4eb92dc1

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · 8ded6f42

Ryan Longair authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0 am: a401c9f9 am: 0bba3d44  -s ours
am: a0fac585  -s ours

Change-Id: I37020b064e0ab86621c567120e362a39cb27ddc3

8ded6f42

Fix sepolicy-analyze makefile so it is included in STS builds am: b7602d76 · 7a23c8ba
Ryan Longair authored 7 years ago
```
am: 1ee556ed  -s ours

Change-Id: I3cc14d0b4d61136651c89671d2b134a86fc9450f
```
7a23c8ba

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · a0fac585

Ryan Longair authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0 am: a401c9f9
am: 0bba3d44  -s ours

Change-Id: I7d9dfa298bc3f7f278284a09b5c47bd2d1c95e1d

a0fac585

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · 0bba3d44

Ryan Longair authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0
am: a401c9f9

Change-Id: I37ef9b2b0ca3ea3012324a13592d60b70645bb8e

0bba3d44

Fix sepolicy-analyze makefile so it is included in STS builds · 1ee556ed
Ryan Longair authored 7 years ago
```
am: b7602d76

Change-Id: Ic731e6165c89f205bce4c96fbf760454550acd81
```
1ee556ed

Add functionfs access to system_server. · 1d401545

Jerry Zhang authored 7 years ago

UsbDeviceManager in system_server now
helps set up the endpoint files.

Bug: 72877174
Test: No selinux denials
Change-Id: I96b11ee68799ac29b756d2034e7f5e4660dbed98

1d401545

Fix sepolicy-analyze makefile so it is included in STS builds · b7602d76

Ryan Longair authored 7 years ago

Bug:74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Merged-In: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b
Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b

b7602d76

Fix sepolicy-analyze makefile so it is included in STS builds · 50fec5f8

Ryan Longair authored 7 years ago

Bug:74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b

50fec5f8

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · a401c9f9

Android Build Merger (Role) authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0

Change-Id: I8b2fd267b39b579bf34f23822698cda23c31e77e

a401c9f9

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · ac6dcce0

Android Build Merger (Role) authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e

Change-Id: Ic7c0f37773c22bd11e9b48e07bc46766d053da58

ac6dcce0

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · 89455f2e

Android Build Merger (Role) authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb

Change-Id: Id65e91d0c3bdced074a6aa99902fcdfc0d97628c

89455f2e

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am:... · e9a260bb

Android Build Merger (Role) authored 7 years ago

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d

Change-Id: I5ae440fe30e214250bf66ea023104ab383700a54

e9a260bb