5637587d37aa56407bf2ab708230dbecb54e3a95 |
|
10-Jul-2017 |
Dan Cashman <dcashman@google.com> |
Split mediaprovider from priv_app.

This CL was accidentally reverted a second time by commit: cb5129f9de195251aaab764b0bf343fb8da5700e. Submit it for the third, and final, time.

Bug: 62102757
Test: Builds and boots.
/system/sepolicy/private/priv_app.te
|
724e825a6221db05eca52dbac69db6e5bf55690f |
|
28-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "cas: add CAS hal and switch to use hwservice"
|
78e595deabc477b6363c5c24f0556472055b99dd |
|
17-May-2017 |
Chong Zhang <chz@google.com> |
cas: add CAS hal and switch to use hwservice

bug: 22804304
Change-Id: I7162905d698943d127aa52804396e4765498d028
/system/sepolicy/private/priv_app.te
|
6e88ebf4b951910df28c0f0e487c7fdccf42bae7 |
|
15-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Suppress safetynet denials

Clean up ~50 denials such as:
avc: denied { getattr } for comm="highpool[2]" path="/system/bin/bufferhubd" dev="dm-0" ino=1029 scontext=u:r:priv_app:s0:c522,c768 tcontext=u:object_r:bufferhubd_exec:s0 tclass=file
avc: denied { getattr } for comm="highpool[3]" path="/system/bin/cppreopts.sh" dev="dm-0" ino=2166 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cppreopts_exec:s0 tclass=file
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/system/bin/fsck.f2fs" dev="dm-0" ino=1055 scontext=u:r:priv_app:s0:c522,c768 tcontext=u:object_r:fsck_exec:s0 tclass=file

Bug: 62602225
Bug: 62485981
Test: build policy
Change-Id: I5fbc84fb6c97c325344ac95ffb09fb0cfcb90b95
/system/sepolicy/private/priv_app.te
|
cb5129f9de195251aaab764b0bf343fb8da5700e |
|
02-Jun-2017 |
Jerry Zhang <zhangjerry@google.com> |
Revert "Split mediaprovider from priv_app."

This reverts commit c147b592b88ae1e7268be64d5e3234c1829e0581.

The new domain changed neverallows, breaking CTS compatibility. Revert the domain now, with the intention to re-add for the next release.

Bug: 62102757
Test: domain is set to priv_app
Change-Id: I907ff7c513cd642a306e3eaed3937352ced90005
/system/sepolicy/private/priv_app.te
|
5b3494ebc3d9d957c00ea6040bde8549ad428a3a |
|
25-May-2017 |
Yifan Hong <elsk@google.com> |
Update selinux policy for policyvers retrieval.

Test: pass
Bug: 62073522
Change-Id: I3d53d0d5ec701c87fb3d45080799f424f7ba3792
/system/sepolicy/private/priv_app.te
|
7f0c18b44f2ddcb48d04aedea57181d2601ecda2 |
|
19-Apr-2017 |
Sandeep Patil <sspatil@google.com> |
Merge "Allow access to /proc/config.gz for priv_app and recovery" into oc-dev
am: 456fa27918

Change-Id: I440a08708ee39cd1c9f69432ca63e3b256e4f189
|
04654427f1e3a81f1a5c9810f2fffd642ad803eb |
|
19-Apr-2017 |
Sandeep Patil <sspatil@google.com> |
Allow access to /proc/config.gz for priv_app and recovery

Bug: 37485771
Test: sideloaded OTA through recovery on sailfish
Change-Id: I98bb4e0e919db585131391f57545f1a9a0096701
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/private/priv_app.te
|
204da471881a09af86f44c6c0429d14def826df8 |
|
18-Apr-2017 |
Jerry Zhang <zhangjerry@google.com> |
Merge commit '24d3a1cc3fd0705d4dc8c7484e55c7107dc8b928' into manual_merge_24d3a1cc

Change-Id: Iafa4abcff36fe75e031fc6b6c2108a7617d34b97
|
9f152d98eaab9f85993a638394f280abc98e0d79 |
|
11-Apr-2017 |
Jerry Zhang <zhangjerry@google.com> |
Split mediaprovider as a separate domain from priv_app

MediaProvider requires permissions that diverge from those of a typical priv_app. This creates a new domain and removes Mtp related permissions from priv_app.

Bug: 33574909
Test: Connect with MTP, download apps and files, select ringtones
Test: DownloadProvider instrument tests, CtsProviderTestCases
Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
/system/sepolicy/private/priv_app.te
|
e9e11a795b29eaca86e8f900d093baa0711eabd6 |
|
14-Apr-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge changes from topic 'add_vendor_shell_toybox' into oc-dev

* changes:
  suppress audit logs from rild's access to core domain through system()
  sepolicy: auditallow vendor components to execute files from /system
  vendor_shell: add sepolicy for vendor shell
  toolbox: add sepolicy for vendor toybox
  Do not allow priv_apps to scan all exec files
|
31c55240a83bd7975a3df3928a1adb29a397c987 |
|
14-Apr-2017 |
Andrew Scull <ascull@google.com> |
Merge "SE Linux policies for OemLockService" into oc-dev
|
0b9432023d7e29b802cfc41be259de3554b26efb |
|
13-Apr-2017 |
Sandeep Patil <sspatil@google.com> |
Do not allow priv_apps to scan all exec files

Bug: 36463595
Test: sailfish boots without new denials
Change-Id: I4271a293b91ab262dddd4d40220cd7daaff53bf2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit b2586825e1ce92d637754b4c40e4d5edfd50a1a6)
/system/sepolicy/private/priv_app.te
|
3101d4a7141d3d50d028506426f3925b3e129fc9 |
|
13-Apr-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Allow GMSCore to call dumpsys storaged" into oc-dev
|
00a1789c793ff775b6f6d762a09e65fce6da937b |
|
13-Apr-2017 |
Jin Qian <jinqian@google.com> |
Allow GMSCore to call dumpsys storaged

Test: trigger dumpsys storaged from GMScore
Bug: 37284569
Change-Id: Ie734ce5487a69f8cc29dd73d470229fe81cd1176
/system/sepolicy/private/priv_app.te
|
a0c7f01299c41157d123da0792fbf9ce2a26f9d3 |
|
11-Apr-2017 |
Shawn Willden <swillden@google.com> |
Add keystore_key:attest_unique_id to priv_app.

Only privileged apps are supposed to be able to get unique IDs from attestation.

Test: CTS test verifies the negative condition, manual the positive
Bug: 34671471
Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578
/system/sepolicy/private/priv_app.te
|
3717424d284cab9dcadccbc1dee30e8fc7136383 |
|
17-Feb-2017 |
Andrew Scull <ascull@google.com> |
SE Linux policies for OemLockService

Bug: 34766843
Test: gts-tradefed run gts -m GtsBootloaderServiceTestCases -t \
      com.google.android.bootloader.gts.BootloaderServiceTest
Change-Id: I8b939e0dbe8351a54f20c303921f606c3462c17d
/system/sepolicy/private/priv_app.te
|
f5446eb1486816c00136b2b5f0a3cc4a01706000 |
|
23-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Vendor domains must not use Binder

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and appdomain only, and
* temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
/system/sepolicy/private/priv_app.te
|
b238fe666212ce86fe3fe1521e9692a361a53047 |
|
14-Mar-2017 |
Fyodor Kupolov <fkupolov@google.com> |
Split preloads into media_file and data_file

Untrusted apps should only access /data/preloads/media and demo directory.

Bug: 36197686
Test: Verified retail mode. Checked non-privileged APK cannot access /data/preloads
Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
/system/sepolicy/private/priv_app.te
|
7291641803f204f5ba3ebdbe700f9510419810a3 |
|
01-Nov-2016 |
Chong Zhang <chz@google.com> |
MediaCAS: adding media.cas to service

Also allow media.extractor to use media.cas for descrambling.

bug: 22804304
Change-Id: Id283b31badecb11011211a776ba9ff5167a9019d
/system/sepolicy/private/priv_app.te
|
d33a9a194b1333113671a1353fab60d2df3478a5 |
|
08-Nov-2016 |
Mark Salyzyn <salyzyn@google.com> |
logd: restrict access to /dev/event-log-tags

Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service.

Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 31456426
Bug: 30566487
Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
/system/sepolicy/private/priv_app.te
|
391854000a1331742a244b10cfd43b574bea4aea |
|
24-Jan-2017 |
Ray Essick <essick@google.com> |
rename mediaanalytics->mediametrics, wider access

reflect the change from "mediaanalytics" to "mediametrics"

Also incorporates a broader access to the service -- e.g. anyone. This reflects that a number of metrics submissions come from application space and not only from our controlled, trusted media related processes. The metrics service (in another commit) checks on the source of any incoming metrics data and limits what is allowed from unprivileged clients.

Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42
/system/sepolicy/private/priv_app.te
|
21cb045bd5f8715cdad13bc4f242b0e2028bc56d |
|
24-Jan-2017 |
Nick Kralevich <nnk@google.com> |
priv_app: allow reading /cache symlink

Addresses the following denial:

avc: denied { read } for name="cache" dev="dm-0" ino=2755 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0 tclass=lnk_file permissive=0

which occurs when a priv-app attempts to follow the /cache symlink. This symlink occurs on devices which don't have a /cache partition, but rather symlink /cache to /data/cache.

Bug: 34644911
Test: Policy compiles.
Change-Id: I9e052aeb0c98bac74fa9225b9253b1537ffa5adc
/system/sepolicy/private/priv_app.te
|
41e3ee4655092bce0e2c55dd33fe7eb472ec2c0a |
|
08-Jan-2017 |
Daniel Micay <danielmicay@gmail.com> |
priv_app: rm redundant app_data_file r_file_perms

This is already provided in app.te via create_file_perms for notdevfile_class_set.

Change-Id: I89ed3537fd1e167571fe259bd4804f8fcc937b95
/system/sepolicy/private/priv_app.te
|
164af1039dbb9463dedeef6e7e31257e7c8d2085 |
|
07-Jan-2017 |
Nick Kralevich <nnk@google.com> |
priv_app.te: remove domain_deprecated

No denials collected.

Bug: 28760354
Test: no denials collected.
Test: device boots and no obvious problems
Change-Id: I7fc053ecae2db3bb2ca7c298634453e930713bec
/system/sepolicy/private/priv_app.te
|
92295ef8bd28d65cf14a9121fcf9837e77cddc81 |
|
06-Jan-2017 |
Alex Klyubin <klyubin@google.com> |
Move priv_app policy to private

This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private.

Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for
      allow priv_app_current update_engine_current:binder transfer;
      which is caused by public update_engine.te rules and will go away once update_engine rules go private.
Bug: 31364497
Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
/system/sepolicy/private/priv_app.te
|
3e8dbf01ef3a5e2c53a27ab6b068d22c1a8fe02f |
|
08-Dec-2016 |
dcashman <dcashman@google.com> |
Restore app_domain macro and move to private use.

app_domain was split up in commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 to enable compilation by hiding type_transition rules from public policy. These rules need to be hidden from public policy because they describe how objects are labeled, of which non-platform should be unaware. Instead of cutting apart the app_domain macro, which non-platform policy may rely on for implementing new app types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea01971156895cf0d8efc1876bfa2025bd6)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
/system/sepolicy/private/priv_app.te
|
2e00e6373faa6271d7839d33c5b9e69d998ff020 |
|
12-Oct-2016 |
dcashman <dcashman@google.com> |
sepolicy: add version_policy tool and version non-platform policy.

In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes.

This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
/system/sepolicy/private/priv_app.te
|