Commits · cf376fd464dc542135d59e44303c2d821418dd78 · CodeLinaro / public-release-test / platform / system / sepolicy

Jul 12, 2017
- domain_deprecated: remove system_file rules · cf376fd4
  Jeff Vander Stoep authored 7 years ago
```
Logs indicate that these rules have already been moved to the
domains that need them.

Bug: 28760354
Test: build
Change-Id: I588a1e7ea7ef984907b79a5a391efb2dcd6e6431
(cherry picked from commit 78b016ee80e48a874511b5bbd6842a2062e049e9)
```
  cf376fd4
- domain_deprecated: remove rootfs rules am: 90d2772a am: a987158d am: 43881923 · 405473f7
  Jeff Vander Stoep authored 7 years ago
```
am: 2cf0a1b4

Change-Id: I99e6f1f875cd86ba72ff02ea3734fa608c711caa
```
  405473f7
- domain_deprecated: remove rootfs rules am: 90d2772a am: a987158d · 2cf0a1b4
  Jeff Vander Stoep authored 7 years ago
```
am: 43881923

Change-Id: Idef73c24efc037903f6c93bf28f560c0960e0d67
```
  2cf0a1b4
- domain_deprecated: remove rootfs rules am: 90d2772a · 43881923
  Jeff Vander Stoep authored 7 years ago
```
am: a987158d

Change-Id: Ibd3d41c2c33c43fe18e89ca91639e8a4227fdc2e
```
  43881923
- domain_deprecated: remove rootfs rules · a987158d
  Jeff Vander Stoep authored 7 years ago
```
am: 90d2772a

Change-Id: I354fac8e2de0f7c3d09341d291b7989dad1e0726
```
  a987158d
- Merge "ueventd: Grant write access to all files in /sys" into oc-dr1-dev am: f6be4b66 · dc671680
  Jeff Vander Stoep authored 7 years ago
```
am: 36bcc901

Change-Id: I0aafa7c4750c96e4dc872602a748b4bf211ee6e1
```
  dc671680
- Merge "ueventd: Grant write access to all files in /sys" into oc-dr1-dev · 36bcc901
  Jeff Vander Stoep authored 7 years ago
```
am: f6be4b66

Change-Id: I75c575577e7a7c99c140b092d3b490bd086de2db
```
  36bcc901
- Merge "ueventd: Grant write access to all files in /sys" into oc-dr1-dev · f6be4b66
  TreeHugger Robot authored 7 years ago
  
  f6be4b66
- domain_deprecated: remove rootfs rules · 90d2772a
  Jeff Vander Stoep authored 7 years ago
```
Observed audited access to rootfs moved to individual domains in
commit a12aad45

Bug: 28760354
Test: build
Change-Id: Ie5e991d66668e70df69f21334032be6d574bf5c8
```
  90d2772a
- Merge "Temporarily revert the SELinux policy for persist.netd.stable_secret."... · 723a3a9b
  Lorenzo Colitti authored 7 years ago
```
Merge "Temporarily revert the SELinux policy for persist.netd.stable_secret." am: c501c345 am: 98229375 am: f1d85fc1
am: 8358215d

Change-Id: I782b305fc548faac35520a0e7413d77115fe8dd3
```
  723a3a9b
- Merge "Temporarily revert the SELinux policy for persist.netd.stable_secret."... · 8358215d
  Lorenzo Colitti authored 7 years ago
```
Merge "Temporarily revert the SELinux policy for persist.netd.stable_secret." am: c501c345 am: 98229375
am: f1d85fc1

Change-Id: I818d200c6e95d7f28fae70ca6dfc3ea994f91239
```
  8358215d
- Merge "Temporarily revert the SELinux policy for persist.netd.stable_secret." am: c501c345 · f1d85fc1
  Lorenzo Colitti authored 7 years ago
```
am: 98229375

Change-Id: I5e41b34370f507214d3dcdcedf16f3c29be77f65
```
  f1d85fc1
- Merge "Temporarily revert the SELinux policy for persist.netd.stable_secret." · 98229375
  Lorenzo Colitti authored 7 years ago
```
am: c501c345

Change-Id: I1b62a13240b49654fe8667909d23989d4651b37a
```
  98229375
- Merge "Temporarily revert the SELinux policy for persist.netd.stable_secret." · c501c345
  Lorenzo Colitti authored 7 years ago
  
  c501c345
- Merge changes I1234326d,Idffcf784 · 591f9f23
  Lorenzo Colitti authored 7 years ago
```
* changes:
  Temporarily remove netd_stable_secret_prop from compat infra.
  Temporarily revert the SELinux policy for persist.netd.stable_secret.
```
  591f9f23
Jul 11, 2017

resolve merge conflicts of to master · 93166cef

Robert Benea authored 7 years ago

Test: I solemnly swear I tested this conflict resolution.
Change-Id: Icf1e8ad95c40f497c731fa03dfd09d8b2c132aca

93166cef

Merge "sepolicy: fix support for lmkd" am: 6116489c am: 458b4593 · 0040d6f0
Robert Benea authored 7 years ago
```
am: ae342662

Change-Id: I610841f42f3cbb57d2b8d5df5758191a351d10fc
```
0040d6f0
Merge "sepolicy: fix support for lmkd" am: 6116489c · ae342662
Robert Benea authored 7 years ago
```
am: 458b4593

Change-Id: Ieb0afbe6fb97da294fe44c075643c62ce24efbdc
```
ae342662
Merge "sepolicy: fix support for lmkd" · 458b4593
Robert Benea authored 7 years ago
```
am: 6116489c

Change-Id: Ie97e5fba4b46293888ad34c54fa0673909653651
```
458b4593
Merge "sepolicy: fix support for lmkd" · 6116489c
Robert Benea authored 7 years ago

6116489c

ueventd: Grant write access to all files in /sys · 5bf94caf

Jeff Vander Stoep authored 7 years ago

Ueventd needs write access to all files in /sys to generate uevents.

Bug: 63147833
Test: build. Verify no ueventd denials in the logs.
Change-Id: I89d33aab158dd192e761f14eff8afa1c71594bca

5bf94caf

domain_deprecated: remove rootfs access am: a12aad45 am: 7297ea2a am: 1f284f4b · 148de9f5
Jeff Vander Stoep authored 7 years ago
```
am: 53b987aa

Change-Id: I3813dfca0efb4c933881b9f5ddddb5bc033c4cf1
```
148de9f5
domain_deprecated: remove rootfs access am: a12aad45 am: 7297ea2a · 53b987aa
Jeff Vander Stoep authored 7 years ago
```
am: 1f284f4b

Change-Id: Ic767b5bc0320faed4733be10ff09103dccf4e929
```
53b987aa
domain_deprecated: remove rootfs access am: a12aad45 · 1f284f4b
Jeff Vander Stoep authored 7 years ago
```
am: 7297ea2a

Change-Id: I37c6c64905e01ff4bf8d7a72c05fac3912dea793
```
1f284f4b
domain_deprecated: remove rootfs access · 7297ea2a
Jeff Vander Stoep authored 7 years ago
```
am: a12aad45

Change-Id: I0cc33674afefeb455bd53702c304d9317ae2e937
```
7297ea2a

Temporarily remove netd_stable_secret_prop from compat infra. · 777c8ee0

Lorenzo Colitti authored 7 years ago

This will allow removing the netd_stable_secret_prop from common
policy in master. It will be re-added after the wahoo-specific
sepolicy for netd_stable_secret_prop lands in oc-dr1-dev, is
automerged to master, and then is reverted in master.

This reverts commit ebea2b45.

Bug: 17613910
Bug: 62573845
Test: None, prebuilt change only.
Change-Id: I1234326d2fe6446e7e09ba9e97187518fa9bce33

777c8ee0

Temporarily revert the SELinux policy for persist.netd.stable_secret. · 9fa11b77

Lorenzo Colitti authored 7 years ago

This change did not make it into core sepolicy in time for O.
The revert allows devices to define these selinux policies in
vendor-specific sepolicy instead of core sepolicy. It is
necessary because:

1. It is too late to change property_contexts in O.
2. Adding the netd_stable_secret prop to vendor sepolicy results
   in a duplicate definition error at compile time.
3. Defining a new vendor-specific context (such as
   net_stable_secret_vendor_prop) and applying it to
   persist.netd.stable_secret results in the device not booting
   due to attempting to apply two different contexts to the same
   property.

Lack of the sepolicy no longer breaks wifi connectivity now that
IpManager no longer considers failure to set the stable secret to
be a fatal error.

Once all interested devices have adopted the vendor sepolicy,
this policy can safely be reinstated by reverting said vendor
sepolicies in internal master.

This reverts commit abb1ba65.

Bug: 17613910
Test: bullhead builds, boots, connects to wifi
Change-Id: Idffcf78491171c54bca9f93cb920eab9b1c47709

9fa11b77

domain_deprecated: remove rootfs access · a12aad45

Jeff Vander Stoep authored 7 years ago

Grant audited permissions collected in logs.

tcontext=platform_app
avc: granted { getattr } for comm=496E666C6174657254687265616420
path="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=system_app
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0"
scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0"
scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=update_engine
avc: granted { getattr } for comm="update_engine" path="/" dev="dm-0"
ino=2 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0
tclass=dir
avc: granted { getattr } for comm="update_engine" path="/fstab.foo"
dev="dm-0" ino=25 scontext=u:r:update_engine:s0
tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } for comm="update_engine" path="/fstab.foo"
dev="dm-0" ino=25 scontext=u:r:update_engine:s0
tcontext=u:object_r:rootfs:s0 tclass=file

Bug: 28760354
Test: build
Change-Id: I6135eea1d10b903a4a7e69da468097f495484665

a12aad45

sepolicy: fix support for lmkd · e62cf5e5

Robert Benea authored 7 years ago

Allow lmkd to access /dev/memcg once again.

Test: lmkd can access memcg
bug: 36588803
Change-Id: I1f46b438050d95cebd2fcc495938192305fc9fc9

e62cf5e5

resolve merge conflicts of 72b26547 to stage-aosp-master am: 7f2fb741 am: feb28130 · 64cad7bb
Jeff Vander Stoep authored 7 years ago
```
am: 366be191  -s ours

Change-Id: I1ed0ac5e1836c3f995f13082e5f144e8dc477d03
```
64cad7bb
resolve merge conflicts of 72b26547 to stage-aosp-master am: 7f2fb741 · 366be191
Jeff Vander Stoep authored 7 years ago
```
am: feb28130

Change-Id: I8f436b73a2ce7ffca91c192df35c827447253de3
```
366be191
resolve merge conflicts of 72b26547 to stage-aosp-master · feb28130
Jeff Vander Stoep authored 7 years ago
```
am: 7f2fb741

Change-Id: I38c91b9f3fc127313918bbd74199013ae7910f2b
```
feb28130
resolve merge conflicts of 72b26547 to stage-aosp-master · 7f2fb741
Jeff Vander Stoep authored 7 years ago
```
Test: build
Change-Id: Ibb899aa88878f5fc3ade9df0208a8026f2a57b11
```
7f2fb741

Jul 10, 2017

Merge "Make sure platform policy builds with compatible versions." · f62baff1
TreeHugger Robot authored 7 years ago

f62baff1
domain_deprecated: remove cache access am: 790f4c7e am: 3ca77476 am: 664743bd · 2cf2e5f3
Jeff Vander Stoep authored 7 years ago
```
am: 0ba84942  -s ours

Change-Id: Ie42095397a6173d0d0ce91c007bfe3298f64bbfe
```
2cf2e5f3
domain_deprecated: remove cache access am: 790f4c7e am: 3ca77476 · 0ba84942
Jeff Vander Stoep authored 7 years ago
```
am: 664743bd

Change-Id: I0f802840891ff66eb74aeaed602f791412d07ffb
```
0ba84942
domain_deprecated: remove cache access am: 790f4c7e · 664743bd
Jeff Vander Stoep authored 7 years ago
```
am: 3ca77476

Change-Id: Ie9ebd530b380bd61fd62bb3cab171f0f7e27156e
```
664743bd
domain_deprecated: remove cache access · 3ca77476
Jeff Vander Stoep authored 7 years ago
```
am: 790f4c7e

Change-Id: I0dcc870c1280baf37e03b66b244e2ff046fad35d
```
3ca77476

domain_deprecated: remove cgroup access · 72b26547

Jeff Vander Stoep authored 7 years ago

Logs indicate that all processes that require read access
have already been granted it.

Bug: 28760354
Test: build policy
Merged-In: I5826c45f54af32e3d4296df904c8523bb5df5e62
Change-Id: I5826c45f54af32e3d4296df904c8523bb5df5e62

72b26547

domain_deprecated: remove cache access · 790f4c7e

Jeff Vander Stoep authored 7 years ago

Address the "granted" permissions observed in the logs including:

tcontext=uncrypt
avc: granted { search } for comm="uncrypt" name="/" dev="mmcblk0p40"
ino=2 scontext=u:r:uncrypt:s0 tcontext=u:object_r:cache_file:s0
tclass=dir

tcontext=install_recovery
avc: granted { search } for comm="applypatch" name="saved.file"
scontext=u:r:install_recovery:s0 tcontext=u:object_r:cache_file:s0
tclass=dir
avc: granted { read } for comm="applypatch" name="saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file
avc: granted { getattr } for comm="applypatch" path="/cache/saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file

tcontext=update_engine
avc: granted { search } for comm="update_engine" name="cache"
dev="sda35" ino=1409025 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0 tclass=dir"
avc: granted { read } for comm="update_engine" name="update.zip"
dev="sda35" ino=1409037 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0:c512,c768 tclass=file
avc: granted { read } for comm="update_engine" name="cache" dev="dm-0"
ino=16 scontext=u:r:update_engine:s0 tcontext=u:object_r:cache_file:s0
tclass=lnk_file

Bug: 28760354
Test: build policy.
Merged-In: Ia13fe47268df904bd4f815c429a0acac961aed1e
Change-Id: Ia13fe47268df904bd4f815c429a0acac961aed1e

790f4c7e