  Mar 22, 2017
    • app.te: prevent locks of files on /system · 92c44a57
      Nick Kralevich authored
      Prevent app domains (processes spawned by zygote) from acquiring
      locks on files in /system. In particular, /system/etc/xtables.lock
      must never be lockable by applications, as it will block future
      iptables commands from running.
      
      Test: device boots and no obvious problems.
      Change-Id: Ifd8dc7b117cf4a622b30fd4fffbcab1b76c4421b
  Mar 21, 2017
    • Disallow access to proc_net for ephemeral_app · c4a938e7
      Chad Brubaker authored
      Test: Boots, runs
      Bug: 32713782
      Change-Id: Ia58db3c4c0159482f08e72ef638f3e1736095918
    • Allow app to access configstore HAL · ed4625f3
      Jiyong Park authored
      Apps should be able to access the configstore HAL since framework
      libraries which are loaded into app process can call configstore.
      
      Letting apps have direct access to this HAL is OK because: 
      
      (1) the API of this HAL does not make clients provide any sensitive 
      information to the HAL, which makes it impossible for the HAL to 
      disclose sensitive information of its clients when the HAL is 
      compromised, 
      
      (2) we will require that this HAL is binderized (i.e., does not run 
      inside the process of its clients), 
      
      (3) we will require that this HAL runs in a tight seccomp sandbox 
      (this HAL doesn't need much access, if at all) and,
      
      (4) we'll restrict the HALs powers via neverallows.
      
      Test: apps can use configstore hal.
      
      Change-Id: I04836b7318fbc6ef78deff770a22c68ce7745fa9
  Mar 07, 2017
    • SELinux: Clean up code related to foreign dex use · 2b291121
      Calin Juravle authored
      We simplified the way we track whether or not a dex file is used by
      other apps. DexManager in the framework keeps track of the data and we
      no longer need file markers on disk.
      
      Test: device boots, foreign dex markers are not created anymore
      
      Bug: 32871170
      Change-Id: I464ed6b09439cf0342020ee07596f9aa8ae53b62
  Mar 05, 2017
    • Camera: hal_camera FD access update · 6824dfd7
      Yin-Chia Yeh authored
      Add FD accessing rules related to media, gralloc and ashmem.
      Also move a few rules to where they belong.
      
      Change-Id: I0bff6f86665a8a049bd767486275740fa369da3d
  Feb 21, 2017
    • Add new untrusted_v2_app domain · a782a816
      Chad Brubaker authored
      untrusted_v2_app is basically a refinement of untrusted_app with legacy
      capabilities removed and potentially backwards incompatible changes.
      
      This is not currently hooked up to anything.
      
      Bug: 33350220
      Test: builds
      Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
    • Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes. · 4921085d
      Stephen Smalley authored
      
      The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
      was removed from the kernel in commit
      d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
      support") circa Linux 3.5.  Unless we need to retain compatibility
      for kernels < 3.5, we can drop these classes from the policy altogether.
      
      Possibly the neverallow rule in app.te should be augmented to include
      the newer netlink security classes, similar to webview_zygote, but
      that can be a separate change.
      
      Test: policy builds
      
      Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  Jan 31, 2017
    • Remove SELinux audit to libart_file · 01ee59a7
      Calin Juravle authored
      Since it was introduced it caused quite a few issues and it spams the
      SELinux logs unnecessarily.
      
      The end goal of the audit was to whitelist the access to the
      interpreter. However that's unfeasible for now given the complexity.
      
      Test: devices boots and everything works as expected
            no more auditallow logs
      
      Bug: 29795519
      Bug: 32871170
      Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6
  Jan 26, 2017
    • Move appdomain policy to private · 8429a331
      Alex Klyubin authored
      This leaves only the existence of appdomain attribute as public API.
      All other rules are implementation details of this attribute's policy
      and are thus now private.
      
      Test: Device boot, apps (untrusted_app, system_app, platform_app,
            priv_app) work fine. No new denials.
      Bug: 31364497
      
      Change-Id: Ie22e35bad3307bb9918318c3d034f1433d51677f
  Dec 06, 2016
    • sepolicy: add version_policy tool and version non-platform policy. · 2e00e637
      dcashman authored
      In order to support platform changes without simultaneous updates from
      non-platform components, the platform and non-platform policies must be
      split.  In order to provide a guarantee that policy written for
      non-platform objects continues to provide the same access, all types
      exposed to non-platform policy are versioned by converting them and the
      policy using them into attributes.
      
      This change performs that split, the subsequent versioning and also
      generates a mapping file to glue the different policy components
      together.
      
      Test: Device boots and runs.
      Bug: 31369363
      Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
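Added example, not code from the Android sepolicy project, its version_policy tool or checkpolicy: a small Python model of two mechanisms the entries above depend on. The first is the build-time neverallow check that makes rules like the app.te change (no app domain may lock files under /system) and the configstore entry's plan to "restrict the HAL's powers via neverallows" enforceable: any allow rule whose source, target, class and permission sets all intersect a neverallow is reported, with attributes expanded to their member types, so the check is general rather than tied to one file. The second is the type versioning the Dec 06 entry describes: every public type that non-platform policy references is rewritten to a versioned attribute, and a generated mapping ties that attribute back to the real type so the vendor rules resolve to the same access. The .te subset parsed, the sample policy, the rule `neverallow appdomain system_file:file lock;` and the `_26_0` suffix convention are all assumptions made for this example.

```python
"""Toy model of two mechanisms behind the commits above: rejecting allow rules
that a neverallow forbids (the check the policy compiler makes at build time)
and versioning public types into attributes so that non-platform policy keeps
the same access when platform types change.  Added example, not the project's
version_policy tool or checkpolicy; it parses only a small .te subset (type,
attribute, typeattribute, allow, neverallow, `{ }` sets; no `~`, `*`, `-`,
`self` or conditionals), which is assumed to be enough to show the idea."""
import re

_TOK = r"(\{[^}]*\}|\w+)"  # one name or a brace-delimited set of names
_RULE = re.compile(rf"(allow|neverallow)\s+{_TOK}\s+{_TOK}\s*:\s*{_TOK}\s+{_TOK}")
_ATTR = re.compile(r"attribute\s+(\w+)")
_TYPE = re.compile(r"type\s+(\w+)((?:\s*,\s*\w+)*)")
_TYPEATTR = re.compile(r"typeattribute\s+(\w+)\s+(\w+(?:\s*,\s*\w+)*)")


def _names(tok):
    """'{ a b }' -> {'a', 'b'}; 'a' -> {'a'}."""
    return set(tok.strip("{}").split())


def parse(policy):
    """Return (declared types, {attribute: member types}, rules); each rule is
    (kind, sources, targets, classes, permissions) with sets of names."""
    types, attrs, rules = set(), {}, []
    for stmt in re.sub(r"#[^\n]*", "", policy).split(";"):
        stmt = " ".join(stmt.split())  # normalise whitespace, drop empties
        if not stmt:
            continue
        if m := _RULE.fullmatch(stmt):
            rules.append((m[1],) + tuple(_names(t) for t in m.groups()[1:]))
        elif m := _ATTR.fullmatch(stmt):
            attrs.setdefault(m[1], set())
        elif (m := _TYPE.fullmatch(stmt)) or (m := _TYPEATTR.fullmatch(stmt)):
            if stmt.startswith("type "):
                types.add(m[1])
            for attr in m[2].replace(",", " ").split():
                attrs.setdefault(attr, set()).add(m[1])
        else:
            raise ValueError("unsupported statement: " + stmt)
    return types, attrs, rules


def _expand(names, attrs):
    """Replace attributes by their member types; plain types stay as they are."""
    out = set()
    for n in names:
        out |= attrs[n] if n in attrs else {n}
    return out


def _fmt(kind, src, tgt, cls, perms):
    """Render a parsed rule back to .te syntax (sets sorted for stable output)."""
    s = lambda ns: next(iter(ns)) if len(ns) == 1 else "{ " + " ".join(sorted(ns)) + " }"
    return f"{kind} {s(src)} {s(tgt)}:{s(cls)} {s(perms)};"


def neverallow_violations(policy):
    """Every allow rule granting a source/target/class/permission combination
    that some neverallow in the same policy forbids (checkpolicy would reject)."""
    _, attrs, rules = parse(policy)
    bad = []
    for kind, src, tgt, cls, perms in rules:
        if kind != "neverallow":
            continue
        src, tgt = _expand(src, attrs), _expand(tgt, attrs)
        for rule in rules:
            k, s, t, c, p = rule
            if (k == "allow" and _expand(s, attrs) & src and _expand(t, attrs) & tgt
                    and c & cls and p & perms and _fmt(*rule) not in bad):
                bad.append(_fmt(*rule))
    return bad


def version_policy(public_policy, vendor_policy, version):
    """Rewrite each reference to a public type in vendor_policy as the attribute
    <type>_<version> and return (rewritten vendor policy, mapping policy).  The
    mapping declares each attribute and ties it to the real type, so vendor
    rules resolve to the same access while the platform stays free to rename
    or split its types later.  The suffix convention is assumed."""
    public_types, _, _ = parse(public_policy)
    suffix = "_" + version.replace(".", "_")
    rewritten = re.sub(r"\b\w+\b",
                       lambda m: m[0] + suffix if m[0] in public_types else m[0],
                       vendor_policy)
    mapping = "".join(f"attribute {t}{suffix};\ntypeattribute {t} {t}{suffix};\n"
                      for t in sorted(public_types))
    return rewritten, mapping


# Constructed sample policy for this example, not the real Android policy; the
# neverallow is the kind of rule the app.te entry describes, not its exact text.
PLATFORM = """
attribute domain;
attribute appdomain;
type system_file;
type untrusted_app, domain, appdomain;
type priv_app, domain, appdomain;
neverallow appdomain system_file:file lock;
allow appdomain system_file:file { read open getattr };
"""
VENDOR_OK = """
type hal_camera_default, domain;
allow hal_camera_default system_file:file { read open lock };
"""
# Vendor policy that would let an app domain lock a /system file: must be rejected.
VENDOR_BAD = VENDOR_OK + "allow priv_app system_file:file lock;\n"


def check_with_vendor(vendor_policy, version="26.0"):
    """Version vendor_policy against the public types, then check the combined
    platform + mapping + vendor policy for neverallow violations."""
    rewritten, mapping = version_policy(PLATFORM, vendor_policy, version)
    return neverallow_violations(PLATFORM + mapping + rewritten)


if __name__ == "__main__":
    print(neverallow_violations(PLATFORM))   # []
    print(check_with_vendor(VENDOR_OK))      # []
    print(check_with_vendor(VENDOR_BAD))     # ['allow priv_app_26_0 system_file_26_0:file lock;']
```

The point of the last call is that the vendor rule never names `priv_app` or `system_file` directly after versioning, yet the mapping still lets the platform's neverallow reach it; the versioning preserves access, it does not loosen the constraints.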