Commits · bdac15aa887933f13fcdfff3669323d7a1717fb0 · CodeLinaro / public-release-test / platform / system / sepolicy

Jul 28, 2017

Allow untrusted apps to read apks · bdac15aa

Bug: 37281396
Test: cts-tradefed run cts-dev -m CtsContentTestCases --test=android.content.pm.cts.InstallSessionTransferTest
Change-Id: If2094057d1acfbbf007ae108225decd9ad70e459

bdac15aa

Merge "Fix selinux denials during bugreport" into oc-mr1-dev · 17533144
TreeHugger Robot authored 7 years ago

17533144

Fix selinux denials during bugreport · 6763d28e

Tim Kryger authored 7 years ago


avc: denied { read } for pid=1704 comm="top" name="stat" dev="proc" ino=4026532297 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_stat:s0 tclass=file permissive=0
avc: denied { read } for pid=1636 comm="dumpstate" name="lcd-backlight" dev="sysfs" ino=16592 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=lnk_file permissive=0
avc: denied { call } for pid=2230 comm="dumpsys" scontext=u:r:dumpstate:s0 tcontext=u:r:installd:s0 tclass=binder permissive=0
avc: denied { create } for pid=1700 comm="ip" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_xfrm_socket permissive=0

Bug: 62410287
Bug: 35350306
Change-Id: I65be3678c64214ebeb544e0e155bce88b21adf02
Signed-off-by: Tim Kryger <tkryger@google.com>
(cherry picked from commit b7e1f2dd)

6763d28e

netd: relax binder neverallow rules for hwservices am: faaf86bc · e1be4a8c
Jeff Vander Stoep authored 7 years ago
```
am: 427a0c7b  -s ours

Change-Id: I2716725d186d6660b5a1390224fe5c06669d6485
```
e1be4a8c
netd: relax binder neverallow rules for hwservices · 427a0c7b
Jeff Vander Stoep authored 7 years ago
```
am: faaf86bc

Change-Id: I546b7be93591d638ad82978aca5f4823e7b6ab93
```
427a0c7b
Merge "netd: relax binder neverallow rules for hwservices" into oc-mr1-dev · c6fed228
Jeffrey Vander Stoep authored 7 years ago

c6fed228

Jul 27, 2017

netd: relax binder neverallow rules for hwservices · faaf86bc

Jeff Vander Stoep authored 7 years ago

Relax neverallow rule restricting binder access to/from netd so that
netd can export hwbinder services to vendor components.

Continue to disallow app access to netd via binder.

Bug: 36682246
Test: build
Merged-In: I8e558ea1add6c36b966ec1da204062ea82df3f3f
Change-Id: I063df6dded94d8b0f5214b2c94c4f46bdafb03d7

faaf86bc

netd: relax binder neverallow rules for hwservices · e98ab0cb

Jeff Vander Stoep authored 7 years ago

Relax neverallow rule restricting binder access to/from netd so that
netd can export hwbinder services to vendor components.

Continue to disallow app access to netd via binder.

Bug: 36682246
Test: build
Change-Id: I8e558ea1add6c36b966ec1da204062ea82df3f3f
(cherry picked from commit 07c650eb)

e98ab0cb

Jul 26, 2017

Merge "bootanim: is a client of configstore HAL" into oc-mr1-dev · 3c5e3f94
TreeHugger Robot authored 7 years ago

3c5e3f94

bootanim: is a client of configstore HAL · b558da67

Jeff Vander Stoep authored 7 years ago

Addresses:
avc:  denied  { find } for
interface=android.hardware.configstore::ISurfaceFlingerConfigs pid=603
scontext=u:r:bootanim:s0
tcontext=u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
tclass=hwservice_manager permissive=0

Bug: 64067152
Test: build
Change-Id: I0605ab8ba07a46a3dc6909307e6f0b2fde68a7ba

b558da67

Jul 25, 2017

Default sepolicy rules for initial upload of Neural Network API. · e9d07b9e

Michael Butler authored 7 years ago

Bug: 63905942
Test: mm -j40
Change-Id: I354ee863475aedd2dc9d2b436a00bcd82931456f
(cherry picked from commit 4fc5fb5e521347d65dc921f8c1fb751c66f9a92c)

e9d07b9e

Jul 20, 2017

crash_dump_fallback: allow writing to system_server pipes. · fde0e02a

Josh Gao authored 7 years ago

Allow mediacodec/mediaextractor to write to system_server pipes during
ANR dumps.

Addresses the following denials:
avc: denied { write } for comm="mediaextractor" path="pipe:[1177610]" dev="pipefs" ino=1177610 scontext=u:r:mediaextractor:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0
avc: denied { write } for comm="omx@1.0-service" path="pipe:[1175808]" dev="pipefs" ino=1175808 scontext=u:r:mediacodec:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0

Bug: http://b/63801592
Test: treehugger
Change-Id: I944b1fa76c70402607ccd903be17dbddeaa73201
(cherry picked from commit 3c9b9197)

fde0e02a

Jul 19, 2017

runas: grant access to seapp_contexts files am: -s ours am:... · f2230155

Jeff Vander Stoep authored 7 years ago

runas: grant access to seapp_contexts files am: dcec3ee9  -s ours am: 0da855ab  -s ours am: 18e75e3a  -s ours
am: faf0504a  -s ours

Change-Id: I8da56e4bda1a86b9631b5936378ad44f4036fec2

f2230155

runas: grant access to seapp_contexts files am: dcec3ee9 -s ours am: 0da855ab -s ours · faf0504a
Jeff Vander Stoep authored 7 years ago
```
am: 18e75e3a  -s ours

Change-Id: I22ef22f0146170e03a02b72f668e62067ad448af
```
faf0504a
runas: grant access to seapp_contexts files am: dcec3ee9 -s ours · 18e75e3a
Jeff Vander Stoep authored 7 years ago
```
am: 0da855ab  -s ours

Change-Id: Ib03ffbf671ea4e48eb3e1f6fb0045c2bc33570dc
```
18e75e3a
runas: grant access to seapp_contexts files · 0da855ab
Jeff Vander Stoep authored 7 years ago
```
am: dcec3ee9  -s ours

Change-Id: Id04fb68971510d089e4fcd53fa24b77a1e9cd760
```
0da855ab
Merge "Allow vendor domains to use the untrusted_app_all attribute" · 9cdb93c4
TreeHugger Robot authored 7 years ago

9cdb93c4

runas: grant access to seapp_contexts files · dcec3ee9

Jeff Vander Stoep authored 7 years ago

To be replaced by commit 1e149967
seapp_context: explicitly label all seapp context files

Test: build policy
Change-Id: I8d30bd1d50b9e4a55f878c25d134907d4458cf59
Merged-In: I0f0e937e56721d458e250d48ce62f80e3694900f

dcec3ee9

Do not expand hal_audio attribute am: 89f215e6 · 683fcf00
Jeff Vander Stoep authored 7 years ago
```
am: 3e6d842d

Change-Id: I42d9ebc6231932c6e5289ad2e9e4301c256f0036
```
683fcf00
Do not expand hal_audio attribute · 3e6d842d
Jeff Vander Stoep authored 7 years ago
```
am: 89f215e6

Change-Id: I6126315b398b2f66a5a7d9c98a8d9630c01314a7
```
3e6d842d

Do not expand hal_audio attribute · 89f215e6

Jeff Vander Stoep authored 7 years ago

Fixes:
neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
Warning!  Type or attribute hal_audio used in neverallow undefined in
policy being checked.

hal_audio_client is not used in neverallows and was mistakenly marked
as expandattribute false instead of hal_audio. Fix this.

Bug: 63809360
Test: build policy
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    No more:
    Warning!  Type or attribute hal_audio used in neverallow
    undefined in policy being checked.

Change-Id: Iedf1b80f669f95537ed201cbdbb0626e7e32be81

89f215e6

Merge "hal_configstore: add neverallow restrictions" · c14ac433
TreeHugger Robot authored 7 years ago

c14ac433

Jul 18, 2017
- Merge "allow system_server to write to cameraserver's... · e073f400
  Max Bires authored 7 years ago
```
Merge "allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns" am: 9f8773b4 am: 00d28684 am: 8926a408
am: d526583f

Change-Id: Id375d476c919186402451edd32b7c119a41d0e35
```
  e073f400
- Merge "allow system_server to write to cameraserver's... · d526583f
  Max Bires authored 7 years ago
```
Merge "allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns" am: 9f8773b4 am: 00d28684
am: 8926a408

Change-Id: I88b8207da595bbae9d7791fc5b1446528b98f9b1
```
  d526583f
- Merge "allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns" am: 9f8773b4 · 8926a408
  Max Bires authored 7 years ago
```
am: 00d28684

Change-Id: Ifcb82f3ae89e3033b85ca02b2ea9474ba0315569
```
  8926a408
- Merge "allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns" · 00d28684
  Max Bires authored 7 years ago
```
am: 9f8773b4

Change-Id: I010337f7f5b81f4025a0d57e0e0b4fb8f4a90296
```
  00d28684
- Merge "allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns" · 9f8773b4
  Treehugger Robot authored 7 years ago
  
  9f8773b4
- Merge "rm memcg type from ignore list." · 33a29625
  TreeHugger Robot authored 7 years ago
  
  33a29625
- Allow update_engine to read postinstall_mnt_dir am: 8f687053 am: 0bcb2030 am: b197b7c8 · 7bc0dca2
  Tianjie Xu authored 7 years ago
```
am: 0b2209bf

Change-Id: I2b8009c16046259a494dad10b005e3539fa24a85
```
  7bc0dca2
- Allow update_engine to read postinstall_mnt_dir am: 8f687053 am: 0bcb2030 · 0b2209bf
  Tianjie Xu authored 7 years ago
```
am: b197b7c8

Change-Id: I77d33dec14641856fba474c16b7b98815313a049
```
  0b2209bf
- Allow update_engine to read postinstall_mnt_dir am: 8f687053 · b197b7c8
  Tianjie Xu authored 7 years ago
```
am: 0bcb2030

Change-Id: I9937141ff425f437d46463bdb944e4524f8d8aa1
```
  b197b7c8
- Allow update_engine to read postinstall_mnt_dir · 0bcb2030
  Tianjie Xu authored 7 years ago
```
am: 8f687053

Change-Id: Ib0ba78601046e6574cbb44752ebc431791a62df6
```
  0bcb2030
- allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns · 655599a6
  Max Bires authored 7 years ago
```
This is needed for timerslack functionality which should be present in
most kernels going forward

Test: system_server can write to cameraserver files
Change-Id: I85797128b1467d92eb354364de8eb60f8e45c931
```
  655599a6
- rm memcg type from ignore list. · 9d0737a5
  Dan Cashman authored 7 years ago
```
This type was removed in commit: 93166cef
and no longer needs to be included in compatibility infrastructure.

Bug: 62573845
Test: None, prebuilt change.
Change-Id: I9dc05512c7fcb3ef4445c4c6b040809a1d595282
```
  9d0737a5
Jul 17, 2017
- Allow vendor domains to use the untrusted_app_all attribute · 39fe4c71
  Ranjith Kagathi Ananda authored 7 years ago
```
Remove restriction to restrict only domains in AOSP to use the
untrusted_app_all attribute

BUG=63167163
Test: Sanity check

Change-Id: I9e1b8605fad108f45f988d8198a9a1cadb8dfa5e
```
  39fe4c71
- Merge "Add sepolicy definitions.mk and create policy.conf function." · 5f8aabac
  TreeHugger Robot authored 7 years ago
  
  5f8aabac
Jul 16, 2017

Allow update_engine to read postinstall_mnt_dir · 8f687053

Tianjie Xu authored 7 years ago

The denial message:
update_engine: type=1400 audit(0.0:15213): avc: denied { getattr } for
path="/postinstall" dev="dm-0" ino=38 scontext=u:r:update_engine:s0
tcontext=u:object_r:postinstall_mnt_dir:s0 tclass=dir permissive=0

update_engine: type=1400 audit(0.0:15214): avc: denied { sys_rawio } for
capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0

auditd  : type=1400 audit(0.0:15213): avc: denied { getattr } for
comm="update_engine" path="/postinstall" dev="dm-0" ino=38
scontext=u:r:update_engine:s0 tcontext=u:object_r:postinstall_mnt_dir:s0
tclass=dir permissive=0

update_engine: [0428/070905:ERROR:utils.cc(716)] Error stat'ing /postinstall: Permission denied

Bug: 37760573
Test: apply an update and UE reads postinstall_mnt_dir without denial.
Change-Id: I55506f5e8544233f60ccf7c1df846c9c93946a25

8f687053

Explicitly allow netd to take the iptables lock. am: 9273c1bb am: f692d2fd am: a0804de2 · 5f7b67f8
Lorenzo Colitti authored 7 years ago
```
am: 61b0d710

Change-Id: I3f3ecd781d085fabe9d733f44ae33e4412fc2288
```
5f7b67f8
Explicitly allow netd to take the iptables lock. am: 9273c1bb am: f692d2fd · 61b0d710
Lorenzo Colitti authored 7 years ago
```
am: a0804de2

Change-Id: I1c39dedf06bf0e791fc885c535c47ab410fa1905
```
61b0d710
Explicitly allow netd to take the iptables lock. am: 9273c1bb · a0804de2
Lorenzo Colitti authored 7 years ago
```
am: f692d2fd

Change-Id: Id32185a33372c762a149bf78f73330588af55685
```
a0804de2