Commits · eb5843635b448646341be7b2a11cd168c030eda9 · CodeLinaro / public-release-test / platform / system / sepolicy

Apr 13, 2018

Make persist.sys.sf.native_mode an integer · eb584363
Chia-I Wu authored 6 years ago
```
am: 9047a4de

Change-Id: I92c96aee077c2e3e6b84a6382d003fa7a1dc0b44
```
eb584363

Make persist.sys.sf.native_mode an integer · 9047a4de

Chia-I Wu authored 6 years ago

This allows for more native modes.

Bug: 73824924
Test: adb shell setprop persist.sys.sf.native_mode 2
Change-Id: Iffdeadc8dc260de4b0c7f2b46aab08d64d25e3b1

9047a4de

Allow vendor_init to write to misc_block_device · 4af9448a
Tom Cherry authored 6 years ago
```
am: db465285

Change-Id: Icd5639ebae411b2c6e6acaf0db143794351dcb1c
```
4af9448a

Allow vendor_init to write to misc_block_device · db465285

Tom Cherry authored 6 years ago

Vendors may use this to write custom messages to their bootloader, and
as the bootloader is under vendor control, this makes sense to allow.

Bug: 77881566
Test: build
Change-Id: I78f80400e5f386cad1327a9209ee1afc8e334e56

db465285

Whitelist vendor-init-settable bluetooth_prop and wifi_prop · 21026c55
Jaekyun Seok authored 6 years ago
```
am: 224921d1

Change-Id: I9ea2472151f97653fabbecfad13c0299f30f671b
```
21026c55

Whitelist vendor-init-settable bluetooth_prop and wifi_prop · 224921d1

Jaekyun Seok authored 6 years ago

Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5

224921d1

Apr 12, 2018
- Merge "Allow vendor-init-readable for sys.boot_completed and dev.bootcomplete" · 4a1af197
  Jaekyun Seok authored 6 years ago
```
am: 362f7d6b

Change-Id: I16cb153698c0c924bc0f2051acf9c06c1384e517
```
  4a1af197
- Merge "Allow vendor-init-readable for sys.boot_completed and dev.bootcomplete" · 362f7d6b
  Treehugger Robot authored 6 years ago
  
  362f7d6b
- Merge "priv_app: remove more logspam" · a3d199dd
  Jeff Vander Stoep authored 6 years ago
```
am: 45c72ddf

Change-Id: Iad601fb52e9e145b1a2729a37867de40556d9d3a
```
  a3d199dd
- Merge "priv_app: remove more logspam" · 45c72ddf
  Treehugger Robot authored 6 years ago
  
  45c72ddf
- Allow vendor-init-readable for sys.boot_completed and dev.bootcomplete · c1384ba0
  Jaekyun Seok authored 6 years ago
```
Bug: 75987246
Test: succeeded builing and tested with taimen
Change-Id: I2d8bc91c305e665ed9c69459e51204117afb3eee
Merged-In: I2d8bc91c305e665ed9c69459e51204117afb3eee
(cherry picked from commit ac2e4cce)
```
  c1384ba0
- Merge "hal_tetheroffload: move hwservice mapping to core policy" · e63f0e9c
  Jeff Vander Stoep authored 6 years ago
```
am: e0163411

Change-Id: I32f6cd37506d4e6f6feb73c6d1b2eabcdb4988b3
```
  e63f0e9c
- Merge "hal_tetheroffload: move hwservice mapping to core policy" · e0163411
  Treehugger Robot authored 6 years ago
  
  e0163411
Apr 11, 2018

hal_tetheroffload: move hwservice mapping to core policy · c41f5b84

Jeff Vander Stoep authored 6 years ago

Addresses:
avc: denied { find } for
interface=android.hardware.tetheroffload.config::IOffloadConfig
scontext=u:r:system_server:s0
tcontext=u:object_r:default_android_hwservice:s0
tclass=hwservice_manager

Bug: 77855688
Test: build/boot Sailfish, turn on tethering, no selinux denial
Change-Id: I97cae0928b5311a4da41d19cbd5c863c3137a49f
(cherry picked from commit 3a346ea7)

c41f5b84

Merge changes If2413c30,Ic5d7c961 · 1382984c
Jeff Vander Stoep authored 6 years ago
```
am: 45b4704e

Change-Id: I29d90373b7cc4350244c81f9a5b24c31453d987d
```
1382984c
Merge changes If2413c30,Ic5d7c961 · 45b4704e
Treehugger Robot authored 6 years ago
```
* changes:
  Suppress spurious denial
  Suppress spurious denial
```
45b4704e

Suppress spurious denial · 7e5ec2bc

Jeff Vander Stoep authored 6 years ago

Addresses:
avc: denied { sys_resource } scontext=u:r:zygote:s0
tcontext=u:r:zygote:s0 tclass=capability

Bug: 77905989
Test: build and flash taimen-userdebug
Change-Id: If2413c3005df02a70661464d695211acbcda4094
(cherry picked from commit 816e744d998cb327fbd20f3124b22398bea2b8e4)

7e5ec2bc

Suppress spurious denial · f7a7f7d1

Jeff Vander Stoep authored 6 years ago

Addresses:
avc: denied { sys_resource } for comm="ip6tables" capability=24
scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0
tclass=capability

Bug: 77905989
Test: build and flash taimen-userdebug
Change-Id: Ic5d7c96152b96b55255eeec00b19948f38c1923c
(cherry picked from commit 443a43c9)

f7a7f7d1

Merge "Add internal types to 27.0[.ignore].cil." · 26776b03
Tri Vo authored 6 years ago
```
am: be79c7b2

Change-Id: Iac6379199a0f0a0680bd0ddda32644333fbaef74
```
26776b03
Merge "Add internal types to 27.0[.ignore].cil." · be79c7b2
Treehugger Robot authored 6 years ago

be79c7b2

Apr 10, 2018

Merge "Hide sys_rawio SELinux denials." · 97e41802
Joel Galenson authored 6 years ago
```
am: 6cdc9a82

Change-Id: I3fdc8fa4f4486ccfadf785ff82e147ad47123c37
```
97e41802
Merge "Hide sys_rawio SELinux denials." · 6cdc9a82
Treehugger Robot authored 6 years ago

6cdc9a82
Merge "Widen crash_dump dontaudit." · b5f3e88e
Joel Galenson authored 6 years ago
```
am: 354a2530

Change-Id: Iae854d7e794e9616cd1878e8096473cf9bbe0680
```
b5f3e88e

priv_app: remove more logspam · 9dc1d538

Jeff Vander Stoep authored 6 years ago

avc: denied { read } for name="ext4" dev="sysfs" ino=32709
scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0
tclass=dir permissive=0 b/72749888
avc: denied { read } for name="state" dev="sysfs" ino=51318
scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0
b/72749888

Bug: 72749888
Test: build/boot taimen-userdebug. No more logspam
Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
Merged-In: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
(cherry picked from commit 558cdf1e)

9dc1d538

Merge "Widen crash_dump dontaudit." · 354a2530
Treehugger Robot authored 6 years ago

354a2530

Add internal types to 27.0[.ignore].cil. · fad493bf

Tri Vo authored 7 years ago

Bug: 69390067
Test: manual run of treble_sepolicy_tests
Change-Id: I1b772a3f7c96875765c75bfc1031f249411c3338
Merged-In: I1b772a3f7c96875765c75bfc1031f249411c3338
(cherry picked from commit 9fbd6520)

fad493bf

Hide sys_rawio SELinux denials. · bf4afae1

Joel Galenson authored 6 years ago

We often see the following denials:

avc: denied { sys_rawio } for comm="update_engine" capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
avc: denied { sys_rawio } for comm="boot@1.0-servic" capability=17 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0

These are benign, so we are hiding them.

Bug: 37778617
Test: Boot device.
Change-Id: Iac196653933d79aa9cdeef7670076f0efc97b44a

bf4afae1

Merge "Expose filesystem read events in SELinux policy." · bf685274
Florian Mayer authored 6 years ago
```
am: 589226df

Change-Id: I5e6efda7d87fcffed4733058ae2fab3ff1cdaecd
```
bf685274
Merge "Expose filesystem read events in SELinux policy." · 589226df
Florian Mayer authored 6 years ago

589226df
Adding labeling for vendor security patch prop · ad3602d2
Max Bires authored 6 years ago
```
am: 5cac1aa9

Change-Id: I889d985e3a012545d15e3dd0f06b002682671157
```
ad3602d2

Expose filesystem read events in SELinux policy. · 7ad383f1

Florian Mayer authored 6 years ago

Without this, we only have visibility into writes.

Looking at traces, we realised for many of the files we care about (.dex, .apk)
most filesystem events are actually reads.

See aosp/661782 for matching filesystem permission change.

Bug: 73625480

Change-Id: I6ec71d82fad8f4679c7b7d38e3cb90aff0b9e298

7ad383f1

Widen crash_dump dontaudit. · a3b3bdbb

Joel Galenson authored 6 years ago

We have seen crash_dump denials for radio_data_file,
shared_relro_file, shell_data_file, and vendor_app_file.  This commit
widens an existing dontaudit to include them as well as others that we
might see.

Test: Boot device.
Change-Id: I9ad2a2dafa8e73b13c08d0cc6886274a7c0e3bac

a3b3bdbb

Apr 09, 2018
- Adding labeling for vendor security patch prop · 5cac1aa9
  Max Bires authored 6 years ago
```
This will allow adb shell getprop ro.vendor.build.security_patch to
properly return the correct build property, whereas previously it was
offlimits due to lack of label.

Test: adb shell getprop ro.vendor.build.security_patch successfully
returns whatever VENDOR_SECURITY_PATCH is defined to be in the Android
.mk files

Change-Id: Ie8427738125fc7f909ad8d51e4b76558f5544d49
```
  5cac1aa9
- Merge "hal_health: allow to write kernel logs." · e714c3b8
  Yifan Hong authored 6 years ago
```
am: d4dd2f57

Change-Id: I5d027abc4455689d52284b59ae4d0d5bf7479299
```
  e714c3b8
- Merge "hal_health: allow to write kernel logs." · d4dd2f57
  Treehugger Robot authored 6 years ago
  
  d4dd2f57
- Revert "Add /sys/kernel/memory_state_time to sysfs_power." · 21066890
  Alan Stokes authored 6 years ago
```
am: 12e73685

Change-Id: Id5a3a8583d61559a9db7fae1e37a8124737f9696
```
  21066890
- Merge "Add shell:fifo_file permission for audioserver" · dcedd5d5
  Mikhail Naganov authored 6 years ago
```
am: dceea502

Change-Id: Ib35f55b8c0fc949dd92a727ad8a3987e2b9560d5
```
  dcedd5d5
- Revert "Add /sys/kernel/memory_state_time to sysfs_power." · 12e73685
  Alan Stokes authored 6 years ago
```
This reverts commit db83323a.

Reason for revert: breaks some builds due to duplicate genfs entries

Change-Id: I47813bd84ff10074a32cf483501a9337f556e92a
```
  12e73685
- Merge "Add shell:fifo_file permission for audioserver" · dceea502
  Treehugger Robot authored 6 years ago
  
  dceea502
- Merge "Add /sys/kernel/memory_state_time to sysfs_power." · 77a437c4
  Alan Stokes authored 6 years ago
```
am: cd61bc19

Change-Id: I6f61a5e8ca216ba997376cdea440c38cf6f71837
```
  77a437c4