Cross Reference: /external/sepolicy/drmserver.te

History log of /external/sepolicy/drmserver.te
Revision	Date	Author	Comments (<<< Hide modified files) (Show modified files >>>)
ebfd9f87197f4a39bbc2a5e4f6c6dffc28be36d7	11-Oct-2014	Nick Kralevich <nnk@google.com>	allow oemfs:dir search mediaserver and drmserver both have permission to read oemfs related files. However, there are no search permissions on the directory, so the files would be unreachable. Grant search permissions on the oemfs directory, so that the files within that directory can be read. Bug: 17954291 Change-Id: I9e36dc7b940bd46774753c1fa07b0f47c36ff0db /external/sepolicy/drmserver.te
0a20b57f884d0bd9a3dd7821c1e77cec1f13ad4c	16-Sep-2014	Vineeta Srivastava <vsrivastava@google.com>	Added sepolicy for oem customization. Bug: 16635599 Change-Id: I69f9089dde1fe68762a38f4d97ddee2c20aaaa9d /external/sepolicy/drmserver.te
bf696327246833c9aba55a645e6c433e9f321e27	18-Jul-2014	Riley Spahn <rileyspahn@google.com>	DO NOT MERGE: Remove service_manager audit_allows. Remove the audit_allow rules from lmp-dev because we will not be tightening any further so these logs will not be useful. Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9 /external/sepolicy/drmserver.te
4a24475b9d8aa9de9c3e991cf8e484830f28ce9d	18-Jul-2014	Riley Spahn <rileyspahn@google.com>	Further refined service_manager auditallow statements. Further refined auditallow statements associated with service_manager and added dumpstate to the service_manager_local_audit_domain. (cherry picked from commit 603bc2050959dd353154bf33fa0c2b0612da9c6e) Change-Id: Ib8894aa70aa300c14182a6c934dd56c08c82b05f /external/sepolicy/drmserver.te
344fc109e9787f91946ac852bb513c796aab38f6	07-Jul-2014	Riley Spahn <rileyspahn@google.com>	Add access control for each service_manager action. Add SELinux MAC for the service manager actions list and find. Add the list and find verbs to the service_manager class. Add policy requirements for service_manager to enforce policies to binder_use macro. (cherry picked from commit b8511e0d98880a683c276589ab7d8d7666b7f8c1) Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15 /external/sepolicy/drmserver.te
f90c41f6e8d5c1266e154f46586a2ceb260f1be6	06-Jun-2014	Riley Spahn <rileyspahn@google.com>	Add SELinux rules for service_manager. Add a service_mananger class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label. Bug: 12909011 Change-Id: I017032a50bc90c57b536e80b972118016d340c7d /external/sepolicy/drmserver.te
3fbc536dfd5afbce5ef45f18d0afb3516089ed88	27-Mar-2014	Stephen Smalley <sds@tycho.nsa.gov>	Allow reading of radio data files passed over binder. Addresses denials such as: avc: denied { read } for pid=5114 comm="le.android.talk" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { getattr } for pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { read } for pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:drmserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { getattr } for pid=9338 comm="MediaLoader" path="/data/data/com.android.providers.telephony/app_parts/PART_1394848620510_image.jpg" dev="mmcblk0p28" ino=287374 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { read } for pid=9896 comm="Binder_7" path="/data/data/com.android.providers.telephony/app_parts/PART_1394594346187_image.jpg" dev="mmcblk0p28" ino=287522 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file This does not allow write denials such as: avc: denied { write } for pid=1728 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394818738798_image.jpg" dev="mmcblk0p28" ino=82279 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file Need to understand whether write access is in fact required. Change-Id: I7693d16cb4f9855909d790d3f16f8bf281764468 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/drmserver.te
721f1adf53be30eda7668d09ba271cc21aeb4fa1	13-Mar-2014	Stephen Smalley <sds@tycho.nsa.gov>	Allow drmserver and mediaserver to read apk files. Required to support passing resources via open apk files over Binder. Resolves denials such as: avc: denied { read } for pid=31457 comm="SoundPoolThread" path="/mnt/asec/au.com.shiftyjelly.pocketcasts-1/pkg.apk" dev="dm-10" ino=12 scontext=u:r:mediaserver:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file avc: denied { read } for pid=31439 comm="Binder_2" path="/mnt/asec/au.com.shiftyjelly.pocketcasts-1/pkg.apk" dev="dm-10" ino=12 scontext=u:r:drmserver:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file We do not allow open as it is not required (i.e. the files are passed as open files over Binder or local socket and opened by the client). Change-Id: Ib0941df1e9aac8d20621a356d2d212b98471abbc Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/drmserver.te
dc88dca115791053d00354785be37a38259b3781	12-Mar-2014	Stephen Smalley <sds@tycho.nsa.gov>	Get rid of separate platform_app_data_file type. The original concept was to allow separation between /data/data/<pkgdir> files of "platform" apps (signed by one of the four build keys) and untrusted apps. But we had to allow read/write to support passing of open files via Binder or local socket for compatibilty, and it seems that direct open by pathname is in fact used in Android as well, only passing the pathname via Binder or local socket. So there is no real benefit to keeping it as a separate type. Retain a type alias for platform_app_data_file to app_data_file until restorecon /data/data support is in place to provide compatibility. Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/drmserver.te
1601132086b054adc70e7f8f38ed24574c90bc37	24-Feb-2014	Stephen Smalley <sds@tycho.nsa.gov>	Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/drmserver.te
48b18832c476f0bd8fcb8ee3e308258392f36aaf	04-Feb-2014	Robert Craig <rpcraig@tycho.ncsc.mil>	Introduce asec_public_file type. This new type will allow us to write finer-grained policy concerning asec containers. Some files of these containers need to be world readable. Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil> /external/sepolicy/drmserver.te
1a1ad959aebb823e60e8a1dc55dfc312eebe2529	04-Feb-2014	Nick Kralevich <nnk@google.com>	Revert "Move tlcd_sock policy over to manta." This doesn't compile on non-manta devices because of a missing drmserver_socket declaration. external/sepolicy/mediaserver.te":68:ERROR 'unknown type drmserver_socket' at token ';' on line 6764: #line 68 allow mediaserver drmserver_socket:sock_file write; checkpolicy: error(s) encountered while parsing configuration make: * [out/target/product/flo/obj/ETC/sepolicy_intermediates/sepolicy] Error 1 make: * Waiting for unfinished jobs.... This reverts commit 8cd400d3c4a5a9eb9bd8b0392260200bd23e6548. Change-Id: Ib8f07b57008b9ed1165b945057502779e806f0f8 /external/sepolicy/drmserver.te
8cd400d3c4a5a9eb9bd8b0392260200bd23e6548	16-Jan-2014	Stephen Smalley <sds@tycho.nsa.gov>	Move tlcd_sock policy over to manta. Change-Id: I7d5a5f964133177e7d466b9759fcf6300fec345d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/drmserver.te
7cbe44f2444b27bc81499bc0c8af362080b66c3b	31-Jan-2014	Nick Kralevich <nnk@google.com>	drmserver: allow looking in efs_file directories We can read any efs_files, but can't look in the directory containing them. Allow it. Without this patch, high resolution movie playback is broken. Addresses the following denial: [ 276.780046] type=1400 audit(1391105234.431:5): avc: denied { search } for pid=125 comm="drmserver" name="/" dev="mmcblk0p1" ino=2 scontext=u:r:drmserver:s0 tcontext=u:object_r:efs_file:s0 tclass=dir Bug: 12819852 Change-Id: Ie9d13a224cef5e229de1bdb78d605841ed387a21 /external/sepolicy/drmserver.te
5eca63f14dbeb6962b275d091fd5e5f3ff9ef183	04-Jan-2014	Nick Kralevich <nnk@google.com>	Make drmserver enforcing. Change-Id: I7c1d2fc7b4d5a962f872d5f032b6d9e31efe7a24 /external/sepolicy/drmserver.te
e11935d9e3eec5ef894e562ae67c9c45c09c8958	16-Jan-2014	Stephen Smalley <sds@tycho.nsa.gov>	Allow drmserver to unlink old socket file. Change-Id: I35728c4f058fa9aeb51a7960395759590e20b083 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/drmserver.te
623975fa5aece708032aaf29689d73e1f3a615e7	11-Jan-2014	Nick Kralevich <nnk@google.com>	Support forcing permissive domains to unconfined. Permissive domains are only intended for development. When a device launches, we want to ensure that all permissive domains are in, at a minimum, unconfined+enforcing. Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During development, this flag is false, and permissive domains are allowed. When SELinux new feature development has been frozen immediately before release, this flag will be flipped to true. Any previously permissive domains will move into unconfined+enforcing. This will ensure that all SELinux domains have at least a minimal level of protection. Unconditionally enable this flag for all user builds. Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858 /external/sepolicy/drmserver.te
37339c763e9082573fcc86e14a6fb9d2d4b9d20c	06-Jan-2014	Nick Kralevich <nnk@google.com>	fix mediaserver selinux denials. mediaserver needs the ability to read media_rw_data_file files. Allow it. Similarly, this is also needed for drmserver. Addresses the following denials: <5>[ 22.812859] type=1400 audit(1389041093.955:17): avc: denied { read } for pid=1655 comm="MediaScannerSer" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 22.813103] type=1400 audit(1389041093.955:18): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 22.832041] type=1400 audit(1389041093.975:19): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 52.357470] type=1400 audit(1389041123.494:29): avc: denied { read } for pid=2757 comm="ImageLoader" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 52.357717] type=1400 audit(1389041123.494:30): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 52.382276] type=1400 audit(1389041123.524:31): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file Allow anyone who has access to video_device:chr_file to also have read access to video_device:dir. Otherwise, the chracter devices may not be reachable. Bug: 12416198 Change-Id: I649cd52ec7f1a25afb3aea479482e3f270bfe074 /external/sepolicy/drmserver.te
3b2684887e900f9e0e246f9faa575b0d8a8a3fa0	29-Oct-2013	Stephen Smalley <sds@tycho.nsa.gov>	Confine drmserver, but leave it permissive for now. Change-Id: I8f344dda3ab9766b4a72c404061f242e054129cd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/drmserver.te
353c72e3b0b4d7d729af20f0c9a13c976baa8753	21-Oct-2013	Nick Kralevich <nnk@google.com>	Move unconfined domains out of permissive mode. This change removes the permissive line from unconfined domains. Unconfined domains can do (mostly) anything, so moving these domains into enforcing should be a no-op. The following domains were deliberately NOT changed: 1) kernel 2) init In the future, this gives us the ability to tighten up the rules in unconfined, and have those tightened rules actually work. When we're ready to tighten up the rules for these domains, we can: 1) Remove unconfined_domain and re-add the permissive line. 2) Submit the domain in permissive but NOT unconfined. 3) Remove the permissive line 4) Wait a few days and submit the no-permissive change. For instance, if we were ready to do this for adb, we'd identify a list of possible rules which allow adbd to work, re-add the permissive line, and then upload those changes to AOSP. After sufficient testing, we'd then move adb to enforcing. We'd repeat this for each domain until everything is enforcing and out of unconfined. Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245 /external/sepolicy/drmserver.te
77d4731e9d30c8971e076e2469d6957619019921	18-May-2013	repo sync <gcondra@google.com>	Make all domains unconfined. This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security. Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11 /external/sepolicy/drmserver.te
50e37b93ac97631dcac6961285b92af5026557af	15-May-2013	repo sync <gcondra@google.com>	Move domains into per-domain permissive mode. Bug: 4070557 Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1 /external/sepolicy/drmserver.te
d381b97e13c5bdc888d7af20b1b1a6dd04784cf5	04-Apr-2013	Geremy Condra <gcondra@google.com>	Give the drmserver the ability to connect to the tee. Bug: 8539042 Change-Id: I6a9c3247688f49bed4a1637c728e77c2e865afd2 /external/sepolicy/drmserver.te
207c709e3a9bfc53c365de3102d75bf4cfb7f2e9	04-Apr-2013	Geremy Condra <gcondra@google.com>	Allow drmserver to interact with apk_data_file sock_files. Bug: 8539042 Change-Id: I255930759ce0612f6ec9b931bfe545342ef808fc /external/sepolicy/drmserver.te
03d436a4735dff1f2351475b24f706b6df51038f	04-Apr-2013	Geremy Condra <gcondra@google.com>	Give drmserver the ability to interact with apk_data_file dirs. Bug: 8539042 Change-Id: I87165fd83b1abef9eb7bf4c403714150aaefed6e /external/sepolicy/drmserver.te
8ee49795e39c3a58a58c98ceed4cb0295c1693dd	04-Apr-2013	Geremy Condra <gcondra@google.com>	Allow drmserver to read the wv keys. Bug: 8539042 Change-Id: I31e7a3ae6ba783b78c3b38756966950a20f2f2aa /external/sepolicy/drmserver.te
e69552ba2d76174d443d1b8457295e4d72f2a986	26-Mar-2013	Geremy Condra <gcondra@google.com>	Revert "Revert "Various minor policy fixes based on CTS."" This reverts commit ba84bf1dec64d745b6efc516799b2c722a672cd9 Hidden dependency resolved. Change-Id: I9f0844f643abfda8405db2c722a36c847882c392 /external/sepolicy/drmserver.te
ba84bf1dec64d745b6efc516799b2c722a672cd9	22-Mar-2013	Geremy Condra <gcondra@google.com>	Revert "Various minor policy fixes based on CTS." This reverts commit 8a814a7604afd20f12c9ff3dcdae7d10e9b75f84 Change-Id: Id1497cc42d07ee7ff2ca44ae4042fc9f2efc9aad /external/sepolicy/drmserver.te
8a814a7604afd20f12c9ff3dcdae7d10e9b75f84	12-Mar-2013	Stephen Smalley <sds@tycho.nsa.gov>	Various minor policy fixes based on CTS. Change-Id: I5a3584b6cc5eda2b7d82e85452f9fe457877f1d1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/drmserver.te
c195ec31485766d065d3e3101268d5ce727ff4c0	07-Mar-2013	William Roberts <w.roberts@sta.samsung.com>	Split internal and external sdcards Two new types are introduced: sdcard_internal sdcard_external The existing type of sdcard, is dropped and a new attribute sdcard_type is introduced. The boolean app_sdcard_rw has also been changed to allow for controlling untrusted_app domain to use the internal and external sdcards. Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5 /external/sepolicy/drmserver.te
e07b8a56b9ce87733024797018543c7faf7e6aa2	13-Aug-2012	rpcraig <rpcraig@tycho.ncsc.mil>	Trusted Execution Environment policy. /external/sepolicy/drmserver.te
abd977a79ec0a1f90cf236339e080775491b9919	10-Aug-2012	rpcraig <rpcraig@tycho.ncsc.mil>	Additions for grouper/JB /external/sepolicy/drmserver.te
c83d0087e457787fc0441d959a20d56fc5200048	07-Mar-2012	Stephen Smalley <sds@tycho.nsa.gov>	Policy changes to support running the latest CTS. /external/sepolicy/drmserver.te
2dd4e51d5c2a2dfc0bfdee9303269f5a665f6e35	04-Jan-2012	Stephen Smalley <sds@tycho.nsa.gov>	SE Android policy. /external/sepolicy/drmserver.te