Commits · cf2ffdf0d86f485dfff05a2f13819997bfd462e1 · CodeLinaro / public-release-test / platform / system / sepolicy

Mar 31, 2017

Tighten restrictions on core <-> vendor socket comms · cf2ffdf0

Alex Klyubin authored 7 years ago

This futher restricts neverallows for sockets which may be exposed as
filesystem nodes. This is achieved by labelling all such sockets
created by core/non-vendor domains using the new coredomain_socket
attribute, and then adding neverallow rules targeting that attribute.

This has now effect on what domains are permitted to do. This only
changes neverallow rules.

Test: mmm system/sepolicy
Bug: 36577153
Change-Id: I633163cf67d60677c4725b754e01097dd5790aed

cf2ffdf0

Mar 30, 2017
- Merge "update sepolicy for gralloc HAL" into oc-dev am: ea0a3027 · 6953b867
  Mathias Agopian authored 7 years ago
```
am: 1eb656f0

Change-Id: I88aa508e35a59924715acb6d77e37344e41b55fe
```
  6953b867
- Merge "update sepolicy for gralloc HAL" into oc-dev · 1eb656f0
  Mathias Agopian authored 7 years ago
```
am: ea0a3027

Change-Id: I20ec1ec4f217d3c6622f5bc263c268ba343bf493
```
  1eb656f0
- Merge "update sepolicy for gralloc HAL" into oc-dev · ea0a3027
  TreeHugger Robot authored 7 years ago
  
  ea0a3027
- Merge "runas: Grant access to seapp_contexts_file" into oc-dev am: f4739f40 · 00da0661
  Jeff Vander Stoep authored 7 years ago
```
am: e777112e

Change-Id: I893aff73fa2beb83bee0e17aec849ac49d03c639
```
  00da0661
- Merge "runas: Grant access to seapp_contexts_file" into oc-dev · e777112e
  Jeff Vander Stoep authored 7 years ago
```
am: f4739f40

Change-Id: Ie07e3ababe6836f6b5c2522c3a3255367d01b662
```
  e777112e
- Merge "runas: Grant access to seapp_contexts_file" into oc-dev · f4739f40
  TreeHugger Robot authored 7 years ago
  
  f4739f40
- Merge "Further restrict access to Binder services from vendor" into oc-dev am: b5081ea0 · 770e6b7c
  Alex Klyubin authored 7 years ago
```
am: ff61a10c

Change-Id: Ie0c415ee9e79628f0048ff30d0daffbd89420f74
```
  770e6b7c
- Merge "Further restrict access to Binder services from vendor" into oc-dev · ff61a10c
  Alex Klyubin authored 7 years ago
```
am: b5081ea0

Change-Id: I3decd5c29ee797486d563393212cfc09666b77e1
```
  ff61a10c
- Merge "Further restrict access to Binder services from vendor" into oc-dev · b5081ea0
  TreeHugger Robot authored 7 years ago
  
  b5081ea0
- update sepolicy for gralloc HAL · 9901ff7c
  Mathias Agopian authored 8 years ago
```
the list to update was determined by looking
at who currently has access to surfaceflinger
for ipc and FD use.

Test: try some media stuff
Bug: 36333314
Change-Id: I474d0c44f8cb3868aad7a64e5a3640cf212d264d
```
  9901ff7c
- Disallow HAL access to Bluetooth data files am: 02d9d21d am: 6f700ae5 am: a21b3b19 · 9994cb58
  Myles Watson authored 7 years ago
```
am: 8f288f56

Change-Id: Ic1ff068363790a030eb15776fda5b32704b9a465
```
  9994cb58
- runas: Grant access to seapp_contexts_file · 7d6185fe
  Jeff Vander Stoep authored 7 years ago
```
Runas/libselinux needs access to seapp_contexts_file to determine
transitions into app domains.

Addresses:
avc: denied { read } for pid=7154 comm="run-as" name="plat_seapp_contexts"
dev="rootfs" ino=9827 scontext=u:r:runas:s0
tcontext=u:object_r:seapp_contexts_file:s0 tclass=file

Bug: 36782586
Test: Marlin policy builds
Change-Id: I0f0e937e56721d458e250d48ce62f80e3694900f
```
  7d6185fe
- Disallow HAL access to Bluetooth data files am: 02d9d21d am: 6f700ae5 · 8f288f56
  Myles Watson authored 7 years ago
```
am: a21b3b19

Change-Id: I3e0bb56e66f2e4dc2ac04288e96c79070a710490
```
  8f288f56
- Disallow HAL access to Bluetooth data files am: 02d9d21d · a21b3b19
  Myles Watson authored 7 years ago
```
am: 6f700ae5

Change-Id: I6d58dcfa6037dc916d9ab5b995d2132e559783e1
```
  a21b3b19
- Disallow HAL access to Bluetooth data files · 6f700ae5
  Myles Watson authored 7 years ago
```
am: 02d9d21d

Change-Id: I29861f9cc52001f2968c2313f48031dd01afe8c7
```
  6f700ae5
- Merge "Disallow HAL access to Bluetooth data files" into oc-dev am: ef2057a6 · 0630c450
  Myles Watson authored 7 years ago
```
am: 52ae8351

Change-Id: I7a84acb504ffb803e3e782d0c5b2d4daf7565e8f
```
  0630c450
- Merge "Disallow HAL access to Bluetooth data files" into oc-dev · 52ae8351
  Myles Watson authored 7 years ago
```
am: ef2057a6

Change-Id: I1c706c034571de2470fdb4458ab7c1ea43e4f52e
```
  52ae8351
- Further restrict access to Binder services from vendor · 0052bc69
  Alex Klyubin authored 8 years ago
```
This tightens neverallows for looking up Binder servicemanager
services from vendor components. In particular, vendor components,
other than apps, are not permitted to look up any Binder services.
Vendor apps are permitted to look up only stable public API services
which is exactly what non-vendor apps are permitted to use as well.
If we permitted vendor apps to use non-stable/hidden Binder services,
they might break when core components get updated without updating
vendor components.

Test: mmm system/sepolicy
Bug: 35870313

Change-Id: I47d40d5d42cf4205d9e4e5e5f9d0794104efc28f
```
  0052bc69
- Merge "Disallow HAL access to Bluetooth data files" into oc-dev · ef2057a6
  TreeHugger Robot authored 7 years ago
  
  ef2057a6
- Merge "Allow MediaExtractor to create FileSource" into oc-dev am: 6c4c9bea · a0e310dc
  Andy Hung authored 7 years ago
```
am: 91204e89

Change-Id: I54869120bda54b1584ff628a94a9aecac409d053
```
  a0e310dc
- Disallow HAL access to Bluetooth data files · 02d9d21d
  Myles Watson authored 8 years ago
```
Devices that store their BT MAC address in /data/misc/bluedroid/ need
to find another place for that file.

Bug: 36602160
Test: Restart Bluetooth, check for selinux denials/files in /data/misc
Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66
Merged-In: Ib8d610f201a8c35f95b464c24857c6639205bc66
```
  02d9d21d
- Merge "Allow MediaExtractor to create FileSource" into oc-dev · 91204e89
  Andy Hung authored 7 years ago
```
am: 6c4c9bea

Change-Id: Ie6ab78d9c8f93ed00e3ec5923a9946d492199288
```
  91204e89
- Merge "Allow MediaExtractor to create FileSource" into oc-dev · 6c4c9bea
  Andy Hung authored 7 years ago
  
  6c4c9bea
- Disallow HAL access to Bluetooth data files · 1317b4ca
  Myles Watson authored 8 years ago
```
Devices that store their BT MAC address in /data/misc/bluedroid/ need
to find another place for that file.

Bug: 36602160
Test: Restart Bluetooth, check for selinux denials/files in /data/misc
Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66
```
  1317b4ca
- Disallow HAL access to Bluetooth data files · 84edadca
  Myles Watson authored 8 years ago
```
Devices that store their BT MAC address in /data/misc/bluedroid/ need
to find another place for that file.

Bug: 36602160
Test: Restart Bluetooth, check for selinux denials/files in /data/misc
Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66
```
  84edadca
- Merge "Annotate rild with socket_between_core_and_vendor_violators" into oc-dev am: 36c8f160 · 15403f6c
  Jiyong Park authored 7 years ago
```
am: cc5da52f

Change-Id: Ie05d021efd289bf14f86ac070fce74c81ac7bd57
```
  15403f6c
- Merge "Annotate rild with socket_between_core_and_vendor_violators" into oc-dev · cc5da52f
  Jiyong Park authored 7 years ago
```
am: 36c8f160

Change-Id: I4c39b013d9d8f296171dde6d0b0b3400074f3825
```
  cc5da52f
- Merge "Annotate rild with socket_between_core_and_vendor_violators" into oc-dev · 36c8f160
  TreeHugger Robot authored 7 years ago
  
  36c8f160
- Merge "Revert "Further restrict access to Binder services from vendor"" into oc-dev am: d7a2f60d · dee8e4fd
  Ian Pedowitz authored 7 years ago
```
am: 134c7182

Change-Id: I23e7aa2a87f34a4adc5fd5eac85710db6238d9db
```
  dee8e4fd
- Merge "Revert "Further restrict access to Binder services from vendor"" into oc-dev · 134c7182
  Ian Pedowitz authored 7 years ago
```
am: d7a2f60d

Change-Id: Ifc66292d55f1daea28069cbf63cd70bf96fee74d
```
  134c7182
- Merge "Revert "Further restrict access to Binder services from vendor"" into oc-dev · d7a2f60d
  Ian Pedowitz authored 7 years ago
  
  d7a2f60d
- Revert "Further restrict access to Binder services from vendor" · 43b48045
  Ian Pedowitz authored 7 years ago
```
This reverts commit 5c09d123.

Broke the build

Bug: 35870313
Test: source build/envsetup.sh && lunch marlin-userdebug && m -j40
Change-Id: I71c968be6e89462fd286be5663933552d478f8bf
```
  43b48045
- Merge "Further restrict access to Binder services from vendor" into oc-dev am: c673770a · 49358a58
  Alex Klyubin authored 7 years ago
```
am: 3100873f

Change-Id: Icc445d11ccc9606717d07317446c43a2ef731447
```
  49358a58
- Merge "Further restrict access to Binder services from vendor" into oc-dev · 3100873f
  Alex Klyubin authored 8 years ago
```
am: c673770a

Change-Id: Icb5276a3b73419b4b0e3a9fea1af157d0e1ef882
```
  3100873f
- Merge "Further restrict access to Binder services from vendor" into oc-dev · c673770a
  TreeHugger Robot authored 8 years ago
  
  c673770a
- Annotate rild with socket_between_core_and_vendor_violators · 57e9946f
  Jiyong Park authored 8 years ago
```
Full treble targets cannot have sockets between framework and vendor
processes. In theory, this should not affect aosp_arm64_ab where only
framework binaries are built. However, /system/sepolicy has rild.te
which is now vendor binary and this causes neverallow conflict when
building aosp_arm64_ab.

So, we just temporarily annotate the rild with
socket_between_core_and_vendor_violators so that the neverallow conflict
can be avoided.

Test: choosecombo 1 aosp_arm64_ab userdebug; m -j 80 The build should
not break.

Change-Id: I260757cde96857cc3f539d5f82ca69c50653f8c7
```
  57e9946f
- Merge "Add media services to ephemeral_app" into oc-dev am: 3ad5c9e7 · 51f91375
  Chad Brubaker authored 8 years ago
```
am: 897473dc

Change-Id: Ic481a4198f03ee242d04cfa11d885353b24cde4c
```
  51f91375
- Merge changes from topic 'ipsec-service' am: 32815389 am: eaa5e298 am: b78fd545 · 583122a8
  Nathan Harold authored 8 years ago
```
am: a6dc0dc2

Change-Id: I0ac39078f058e970822deda9a3161c05b0dceaeb
```
  583122a8
- Update Common NetD SEPolicy to allow Netlink XFRM am: 7eb3dd3b am: 75760e9d am: a581c048 · d7785679
  Nathan Harold authored 8 years ago
```
am: d80511d3

Change-Id: I329798f6f7885aa68323367a43da6c0a3daa3fb5
```
  d7785679