History log of /system/sepolicy/private/platform_app.te
Revision Date Author Comments
148de9f5a8dc2ca5455b243d454ff31cbe0d560f 11-Jul-2017 Jeff Vander Stoep <jeffv@google.com> domain_deprecated: remove rootfs access am: a12aad45b6 am: 7297ea2a55 am: 1f284f4b65
am: 53b987aaea

Change-Id: I3813dfca0efb4c933881b9f5ddddb5bc033c4cf1
53b987aaea2ce82c38ac3a552404b649485eec50 11-Jul-2017 Jeff Vander Stoep <jeffv@google.com> domain_deprecated: remove rootfs access am: a12aad45b6 am: 7297ea2a55
am: 1f284f4b65

Change-Id: Ic767b5bc0320faed4733be10ff09103dccf4e929
7297ea2a55ee548537debd17ecfac175b0f93b4f 11-Jul-2017 Jeff Vander Stoep <jeffv@google.com> domain_deprecated: remove rootfs access
am: a12aad45b6

Change-Id: I0cc33674afefeb455bd53702c304d9317ae2e937
a12aad45b68da1d3da096659a2b22b5e95c1f6b9 11-Jul-2017 Jeff Vander Stoep <jeffv@google.com> domain_deprecated: remove rootfs access

Grant audited permissions collected in logs.

tcontext=platform_app
avc: granted { getattr } for comm=496E666C6174657254687265616420
path="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=system_app
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0"
scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0"
scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=update_engine
avc: granted { getattr } for comm="update_engine" path="/" dev="dm-0"
ino=2 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0
tclass=dir
avc: granted { getattr } for comm="update_engine" path="/fstab.foo"
dev="dm-0" ino=25 scontext=u:r:update_engine:s0
tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } for comm="update_engine" path="/fstab.foo"
dev="dm-0" ino=25 scontext=u:r:update_engine:s0
tcontext=u:object_r:rootfs:s0 tclass=file

Bug: 28760354
Test: build
Change-Id: I6135eea1d10b903a4a7e69da468097f495484665
/system/sepolicy/private/platform_app.te
724e825a6221db05eca52dbac69db6e5bf55690f 28-Jun-2017 TreeHugger Robot <treehugger-gerrit@google.com> Merge "cas: add CAS hal and switch to use hwservice"
e226b96e7ca404619b6cc8868756ceb4a4fca862 27-Jun-2017 Neil Fuller <nfuller@google.com> Revert "DO NOT MERGE. Revert "Enable the TimeZoneManagerService""

This reinstates the selinux changes for the timezone service that
were reverted on oc-dr1-dev and undesirably merged down to master.

This reverts commit 96c619c826418155e1bfe2c0c3f447a040f2feb0.

Test: make
Bug: 31008728
Change-Id: Ief2129c409de09b2782881a6556d918af59badd9
/system/sepolicy/private/platform_app.te
78e595deabc477b6363c5c24f0556472055b99dd 17-May-2017 Chong Zhang <chz@google.com> cas: add CAS hal and switch to use hwservice

bug: 22804304

Change-Id: I7162905d698943d127aa52804396e4765498d028
/system/sepolicy/private/platform_app.te
96c619c826418155e1bfe2c0c3f447a040f2feb0 08-Jun-2017 Dan Cashman <dcashman@google.com> DO NOT MERGE. Revert "Enable the TimeZoneManagerService"

This reverts commit 50889ce0eb4dda1d777b90321ddce3f8046b740d.

Bug: 62427402
Test: Build and boot.
Change-Id: I32eae7997c901981d3228b61f33322a7c2c84301
/system/sepolicy/private/platform_app.te
911e236ae44b60fb0d2f799f3563752a095cd331 01-Jun-2017 Neil Fuller <nfuller@google.com> resolve merge conflicts of e664e80a to oc-dev-plus-aosp

Test: I solemnly swear I tested this conflict resolution.
Change-Id: Icadf7c72ad173c134d3e95bb5b93c2b54b1b703e
ca595e1163a8de33fb0d0152d285453c4409e2c5 11-Jan-2017 Neil Fuller <nfuller@google.com> Enable the TimeZoneManagerService

Add policy changes to enable a new service. The service
is currently switched off in config, but this change is
needed before it could be enabled.

Bug: 31008728
Test: make droid
Merged-In: I29c4509304978afb2187fe2e7f401144c6c3b4c6
Change-Id: I29c4509304978afb2187fe2e7f401144c6c3b4c6
/system/sepolicy/private/platform_app.te
50889ce0eb4dda1d777b90321ddce3f8046b740d 11-Jan-2017 Neil Fuller <nfuller@google.com> Enable the TimeZoneManagerService

Add policy changes to enable a new service. The service
is currently switched off in config, but this change is
needed before it could be enabled.

Bug: 31008728
Test: make droid
Change-Id: I29c4509304978afb2187fe2e7f401144c6c3b4c6
/system/sepolicy/private/platform_app.te
45766d4178e443b29fee8cd9c8917847ea3a4cf1 26-Apr-2017 Nick Kralevich <nnk@google.com> relax fuse_device neverallow rules

The fuse_device neverallow rules are too aggressive and are inhibiting
certain vendor customizations. Relax the /dev/fuse neverallow rules so
that they better reflect the security invariants we want to uphold.

Bug: 37496487
Test: policy compiles.
Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
/system/sepolicy/private/platform_app.te
f5446eb1486816c00136b2b5f0a3cc4a01706000 23-Mar-2017 Alex Klyubin <klyubin@google.com> Vendor domains must not use Binder

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
appdomain only, and
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"binder_in_vendor_violators" attribute. The attribute is needed
because the types corresponding to violators are not exposed to the
public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
sound, record slow motion video with sound. Confirm videos play
back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
/system/sepolicy/private/platform_app.te
b238fe666212ce86fe3fe1521e9692a361a53047 14-Mar-2017 Fyodor Kupolov <fkupolov@google.com> Split preloads into media_file and data_file

Untrusted apps should only access /data/preloads/media and demo directory.

Bug: 36197686
Test: Verified retail mode.
Checked non-privileged APK cannot access /data/preloads
Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
/system/sepolicy/private/platform_app.te
7291641803f204f5ba3ebdbe700f9510419810a3 01-Nov-2016 Chong Zhang <chz@google.com> MediaCAS: adding media.cas to service

Also allow media.extractor to use media.cas for descrambling.

bug: 22804304

Change-Id: Id283b31badecb11011211a776ba9ff5167a9019d
/system/sepolicy/private/platform_app.te
4c40d7344ce20872a4cabf2117b90f31d29d1ad2 25-Jan-2017 Chad Brubaker <cbrubaker@google.com> Merge ephemeral data and apk files into app

The rules for the two types were the same and /data/app-ephemeral is
being removed. Remove these types.

Test: Builds
Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28
/system/sepolicy/private/platform_app.te
d33a9a194b1333113671a1353fab60d2df3478a5 08-Nov-2016 Mark Salyzyn <salyzyn@google.com> logd: restrict access to /dev/event-log-tags

Create an event_log_tags_file label and use it for
/dev/event-log-tags. Only trusted system log readers are allowed
direct read access to this file, no write access. Untrusted domain
requests lack direct access, and are thus checked for credentials via
the "plan b" long path socket to the event log tag service.

Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 31456426
Bug: 30566487
Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
/system/sepolicy/private/platform_app.te
391854000a1331742a244b10cfd43b574bea4aea 24-Jan-2017 Ray Essick <essick@google.com> rename mediaanalytics->mediametrics, wider access

reflect the change from "mediaanalytics" to "mediametrics"

Also incorporates broader access to the service -- e.g. anyone.
This reflects that a number of metrics submissions come from application
space and not only from our controlled, trusted media related processes.
The metrics service (in another commit) checks on the source of any
incoming metrics data and limits what is allowed from unprivileged
clients.

Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42
/system/sepolicy/private/platform_app.te
c42d134e076908c83d9a599cfa1655eb4323773b 09-Jan-2017 Alex Klyubin <klyubin@google.com> Move platform_app policy to private

This leaves only the existence of platform_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
disappearance of all allow rules from platform_app_current
attribute (as expected).
Bug: 31364497

Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da
/system/sepolicy/private/platform_app.te
b56e6ef89438c5699919f06f10b08f0e5f6ec2a5 10-Dec-2016 Nick Kralevich <nnk@google.com> Whitespace fix

Because I'm nitpicky.

Test: policy compiles
Change-Id: I4d886d0d6182d29d7b260cf1f142c47cd32eda29
/system/sepolicy/private/platform_app.te
3e8dbf01ef3a5e2c53a27ab6b068d22c1a8fe02f 08-Dec-2016 dcashman <dcashman@google.com> Restore app_domain macro and move to private use.

app_domain was split up in commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 to
enable compilation by hiding type_transition rules from public policy. These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware. Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea01971156895cf0d8efc1876bfa2025bd6)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
/system/sepolicy/private/platform_app.te
2e00e6373faa6271d7839d33c5b9e69d998ff020 12-Oct-2016 dcashman <dcashman@google.com> sepolicy: add version_policy tool and version non-platform policy.

In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split. In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
/system/sepolicy/private/platform_app.te