Commits · 4cafae77a4ac9e9b34410714787b68523dcd5345 · CodeLinaro / public-release-test / platform / system / sepolicy

May 14, 2018

Allow to use sockets from hal server for auto · 4cafae77

Pavel Maltsev authored 6 years ago

Add an exemption to neverallow rule to use sockets from HAL servers only
for automotive build

Bug: 78901167
Test: assign this attribute to hal_vehicle_default and try to open
socket from HAL implementation
Test: verify that new CTS test will fail for non-automotive build with
this attribute buing used
Test: make cts && cts-tradefed run singleCommand cts --skip-device-info
 --skip-preconditions --abi arm64-v8a --module CtsSecurityHostTestCases
 -t android.security.cts.SELinuxHostTest

Change-Id: I27976443dad4fc5b7425c089512cac65bb54d6d9

4cafae77

May 03, 2018
- Merge "Allow wpa_supplicant to write to files in /proc/net." into pi-dev · fa3934c9
  android-build-team Robot authored 6 years ago
  
  fa3934c9
- Merge "Allow auto HAL clients to access hw services" into pi-dev · 53c6578f
  Pavel Maltsev authored 6 years ago
  
  53c6578f
- Allow wpa_supplicant to write to files in /proc/net. · 2818b902
  Alan Stokes authored 6 years ago
```
This is needed for interface configuration - see e.g. nl80211_configure_data_frame_filters.

Bug: 77903086
Test: Device boots, denial not seen, wifi works

(cherry picked from commit 72ed6152)

Change-Id: Ia781e7c56f6e8e77e654cd28ca34de09180e2213
Merged-In: Ia55c4af1fcee75ada0e67a162fdb92ecc0089312
```
  2818b902
- Merge "Never expand proc_type attribute" into pi-dev · d8d7a3f7
  android-build-team Robot authored 6 years ago
  
  d8d7a3f7
May 02, 2018

Never expand proc_type attribute · db621841

Jeff Vander Stoep authored 6 years ago

It's used in build-time tests and in CTS.

Bug: 78898770
Test: build user-build
Change-Id: I254bf4d7ed0c0cb029b55110ceec982b84e4a91b
(cherry picked from commit beeb122405070a5b4cee326a0cdae92a1a791fbc)

db621841

Merge "Add ro.oem.key1 to SELinux policy." into pi-dev · b12ca61e
Andrew Sapperstein authored 6 years ago

b12ca61e
Merge changes Ic3f85992,I33f47db7 into pi-dev · 9d4573c4
android-build-team Robot authored 6 years ago
```
* changes:
  Sepolicy: Modify postinstall_dexopt
  Sepolicy: Modify postinstall_dexopt
```
9d4573c4

Add ro.oem.key1 to SELinux policy. · 99bfd8ef

Andrew Sapperstein authored 6 years ago

vendor-init-settable|public-readable

Change-Id: I8262cc03150931080c0982350cd990ee8f5422bc
Fixes: 78636965
Test: adb shell getprop ro.oem.key1

99bfd8ef

Allow auto HAL clients to access hw services · 368ae61f

Pavel Maltsev authored 6 years ago

Bug: 70637118
Test: m && emulator ; also verified on bat_land
Change-Id: I39dd17d20acc8d380f36e207679b8b1eba63a72e

368ae61f

Update prebuilts/api/28.0/public/property_contexts · 21b1015d

Jaekyun Seok authored 6 years ago

Bug: 78205669
Bug: 78430613
Test: succeeded building
Change-Id: Ie098b839a050058424673f0d8961b7a194a2caab

21b1015d

May 01, 2018

Allow vendor-init-settable for properties used in Android TV · d097ff95

Jaekyun Seok authored 6 years ago

The following properties will be whitelisted.
- ro.hdmi.device_type, ro.hdmi.wake_on_hotplug and
persist.sys.hdmi.keep_awake for hdmi
- ro.sf.disable_triple_buffer for SurfaceFlinger
- media.stagefright.cache-params and persist.sys.media.avsync for
nuplayer

Bug: 78205669
Bug: 78430613
Test: succeeded building
Change-Id: I5ee1a1de72c265bca87aa041c6acd9554f5f8c07
Merged-In: I5ee1a1de72c265bca87aa041c6acd9554f5f8c07
(cherry picked from commit 18aaaad9)

d097ff95

Merge "Revert "Allow auto HAL clients to access hw services"" into pi-dev · 811113e8
Pavel Maltsev authored 6 years ago

811113e8

Revert "Allow auto HAL clients to access hw services" · 87ac80b8

Pavel Maltsev authored 6 years ago

This reverts commit aa38ce72.

Reason for revert: broken build

Change-Id: Ib6ca328576ef180fd1150ae6d6b3f90e928a07ac

87ac80b8

Merge "Allow auto HAL clients to access hw services" into pi-dev · 20d4069a
android-build-team Robot authored 6 years ago

20d4069a

Sepolicy: Modify postinstall_dexopt · 8cbe6743

Andreas Gampe authored 6 years ago

Update prebuilts for API 28.

Bug: 77958490
Test: m
Test: manual
Change-Id: Ic3f8599266ff8fffdff1492a5600a10f6fecbe88

8cbe6743

Sepolicy: Modify postinstall_dexopt · b5c92718

Andreas Gampe authored 6 years ago

Grant fsetid as it was done for installd. Suppress write to
profile files.

(cherry picked from commit 006e160b)

Bug: 77958490
Test: m
Test: manual
Merged-In: I33f47db7c16f0eda41ffdb526cf43f8fa9484c62
Change-Id: I33f47db7c16f0eda41ffdb526cf43f8fa9484c62

b5c92718

Fixing build as SEPolicy changed during merge of P-Finalization · c170107a

Ian Pedowitz authored 6 years ago

Bug: 77589980
Test: diff -r system/sepolicy/public system/sepolicy/prebuilts/api/28.0/public is empty
Change-Id: I5ecb003e893d87e36e096208e505ad1264c288aa

c170107a

Merge "SEPolicy Prebuilts for P" into pi-dev · 94c1113c
Ian Pedowitz authored 6 years ago

94c1113c
Merge "Allow profman to resolve symlinks on dirs" into pi-dev · fc865e4b
android-build-team Robot authored 6 years ago

fc865e4b

Apr 30, 2018

SEPolicy Prebuilts for P · 763dcc31

Ian Pedowitz authored 6 years ago

Bug: 77589980
Test: Build
Change-Id: I5395314006f42dd3c925fed554c04d182ddde2c5

763dcc31

Allow profman to resolve symlinks on dirs · 9e80bfc8

Calin Juravle authored 6 years ago

When opening the dex files we sometime need to check for the real location
of the file (even if it was open via an fd).

Denial example:

avc: denied { getattr } for comm="profman" path="/data/app" dev="sda13"
ino=1048577 scontext=u:r:profman:s0 tcontext=u:object_r:apk_data_file:s0
tclass=dir permissive=0

Test: verify we get no denials when taking a profile snapshot.
Bug: 77922323
Change-Id: Ifa5570656c644819d14f46af74e4c15e903a8a54

9e80bfc8

Merge "Adding labeling for vendor security patch prop am: 5cac1aa9 am: ad3602d2 " into pi-dev · bbb500d7
android-build-team Robot authored 6 years ago

bbb500d7

Apr 29, 2018

Allow auto HAL clients to access hw services · aa38ce72

Pavel Maltsev authored 6 years ago

Bug: 70637118
Test: m && emulator ; also verified on bat_land
Change-Id: I5d78eaf53f7df32837f113c14786f483955a8ac2

aa38ce72

Apr 27, 2018
- Merge "Move automotive HALs sepolicy to system/" into pi-dev · 26ee5a85
  android-build-team Robot authored 6 years ago
  
  26ee5a85
- Merge "Adding ability for keystore to find dropbox" into pi-dev · e5059b17
  android-build-team Robot authored 6 years ago
  
  e5059b17
- Merge "Make persist.sys.sf.native_mode an integer" into pi-dev · 146222ed
  Chia-I Wu authored 6 years ago
  
  146222ed
Apr 26, 2018

Allow vold_prepare_subdirs to delete more files. · 0fe31e04

Paul Crowley authored 6 years ago

Bug: 78591623
Test: Create a new user with a fingerprint. Reboot. Delete that user.
    Check for denials, files left over in /data/*_{c,d}e/10
Merged-In: Ib818e112a98c5b954ee829e93ebd69c3b12940cf
Change-Id: Ib818e112a98c5b954ee829e93ebd69c3b12940cf

0fe31e04

Adding ability for keystore to find dropbox · d2d91e60

Max Bires authored 6 years ago

This will allow the logging in keystore to actually work.

Bug: 36549319
Test: keystore dropbox logging is successful
Change-Id: Ic135fa9624c289c54187e946affbd0caacef13c1
(cherry picked from commit 2e69afc0)

d2d91e60

Adding labeling for vendor security patch prop am: · 30d80f0c

Max Bires authored 6 years ago

am: ad3602d2

Test: Vendor security patch prop is properly labeled
Bug: 76428542
Change-Id: I034f2f2c9eab3667cfa92ea41b4b5f4afa1c7df7
Merged-In: I034f2f2c9eab3667cfa92ea41b4b5f4afa1c7df7
(cherry picked from commit 15a9fbc2)

30d80f0c

Apr 25, 2018
- Make persist.sys.sf.native_mode an integer · f16afc09
  Chia-I Wu authored 6 years ago
```
This allows for more native modes.

Bug: 73824924
Test: adb shell setprop persist.sys.sf.native_mode 2
Change-Id: Iffdeadc8dc260de4b0c7f2b46aab08d64d25e3b1
Merged-In: Iffdeadc8dc260de4b0c7f2b46aab08d64d25e3b1
```
  f16afc09
- Merge "Track otapreopt_chroot postinstall_file SELinux denial." into pi-dev · 1818b112
  TreeHugger Robot authored 6 years ago
  
  1818b112
Apr 24, 2018
- Merge "searchpolicy depends on FcSort" into pi-dev · 0e430da4
  TreeHugger Robot authored 6 years ago
  
  0e430da4
- Track otapreopt_chroot postinstall_file SELinux denial. · 81f4377a
  Joel Galenson authored 6 years ago
```
Bug: 75287236
Test: Built policy.
Change-Id: I90301c33fd8c20e96cfbb424eaf80978e79c34f0
(cherry picked from commit 5c87b879)
```
  81f4377a
- Merge "Allow dumpstate to be used as a lazy HAL." into pi-dev · faef020c
  TreeHugger Robot authored 6 years ago
  
  faef020c
- searchpolicy depends on FcSort · cc541a80
  Jeff Vander Stoep authored 6 years ago
```
Bug: 77965486
Test: run cts -m CtsSecurityHostTestCases -t
    android.cts.security.FileSystemPermissionTest#testDevHwRandomPermissions

Change-Id: Ib5965649e9b2b4bb0259383374dfac76cc0a8bd5
```
  cc541a80
- Merge "Add metadata_file class for root of metadata folder." into pi-dev · 1fb3bfba
  Paul Crowley authored 6 years ago
  
  1fb3bfba
- Allow dumpstate to be used as a lazy HAL. · 0b1797b8
  Steven Moreland authored 6 years ago
```
hwservicemanager lost the permission to tell init to
start the dumpstate HAL when dumpstate was given this
permission exclusively.

Bug: 77489941 # problem introduced
Bug: 78509314 # converting dumpstate to lazy hals

Test: convert an instance of dumpstate into a lazy HAL,
    run bugreport, see denial, then add permission, and
    see bugreport start to work again.

Change-Id: I033701d8306200bebc0f250afe3d08f9e6ab98a1
```
  0b1797b8
- Merge "Remove some priv_app logspam." into pi-dev · 95758f47
  TreeHugger Robot authored 6 years ago
  
  95758f47
- Merge "Allow dumpstate to kill dumpstate vendor HAL in timeout case" into pi-dev · d45dfbff
  Wei Wang authored 6 years ago
  
  d45dfbff