History log of /system/sepolicy/private/shell.te
Revision Date Author Comments
90fcf5eab26ca1a5ad6e30a2c7b9bc5422f64481 01-Sep-2017 Steven Moreland <smoreland@google.com> Revert "Add screencap domain."

This reverts commit f27bba93d1559c22c0c07f8e0bec4e4e5945e230.

Bug: 65206688

Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf
(cherry picked from commit 60e538377a4694c748bc2c8ac268c773f7889b9c)
/system/sepolicy/private/shell.te
f27bba93d1559c22c0c07f8e0bec4e4e5945e230 01-Aug-2017 Steven Moreland <smoreland@google.com> Add screencap domain.

Only seeing this denial in permissive:
allow shell screencap_exec:file getattr;

Bug: 37565047
Test: adb shell screencap w/o root
Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases
Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7
/system/sepolicy/private/shell.te
92fdd8954f80ef1a269f703b377ff827a43623a2 13-Jun-2017 Joel Galenson <jgalenson@google.com> Properly give some files the debugfs_tracing context only in debug mode.

One of my previous commits removed this, so I am now restoring it.

This commit also contains a bit of cleanup from previous commits by
removing some unneeded types.

It also fixes traceur by porting ag/2409144 to master.

Bug: 62413700, 62547086
Test: Built, flashed, and booted Marlin. Verified that the files have
the correct context. Verified that atrace and traceur work.

Change-Id: I76fa0e9060aff554687d57ab3976c8704a4068f0
/system/sepolicy/private/shell.te
7fa51593c890d01472f7545968d24377626bf32f 07-Jun-2017 Joel Galenson <jgalenson@google.com> Move file labeling to genfs_contexts.

This should improve performance, as file_contexts is slower than
genfs_contexts.

Bug: 62413700
Test: Built, flashed, and booted Marlin. Verified that some of the
files have the correct context.
Change-Id: Ia28707ec565a0792bc882fbffe9e8ab9968535f5
/system/sepolicy/private/shell.te
295a27a31cd6736d644b7a797ef5fe80a5ca0598 12-May-2017 Siarhei Vishniakou <svv@google.com> Merge "Allow shell access on /dev/uhid node" am: 216b377d78 am: c1e8f82545 am: 45c4b14245

Change-Id: I6cb948d50f22f162d4b647259d12143cff7b61de
2a7f57102850ecb9264a8965dbe802fd4b038bc1 11-May-2017 Siarhei Vishniakou <svv@google.com> Allow shell access on /dev/uhid node

The node for the /dev/uhid driver needs to be accessible
by shell for the 'hid' command in frameworks/base/cmds.
This CL is in support of another CL, c/2048848, topic
'Refactor hid command in /frameworks/base/cmds'
in internal master.

Bug: 34052337
Test: CTS test for GamepadTestCase#testButtonA; Checked that
cat /dev/uhid does not raise permission error.

Change-Id: I861c1226b4a67272af7c2a93d7811bf87a083478
/system/sepolicy/private/shell.te
d868e839a213af696b2c3d73b352d619495ff725 09-May-2017 Yifan Hong <elsk@google.com> Merge "Allow adbd and shell to read /proc/config.gz" into oc-dev am: e1074f8bfc

Change-Id: I4854065d0fd85782076ef96aeed137170e2e7a32
19a87733c59b53b7dec898a2d456be2e283ec100 08-May-2017 Yifan Hong <elsk@google.com> Allow adbd and shell to read /proc/config.gz

For CTS device info collection purposes.

Bug: 28656227
Test: m cts -j && cts-tradefed run cts -m Gesture --test
android.gesture.cts.GestureTest#testGetStrokes

Change-Id: I8caf3580fb05fb489dc5abb917c8cb78cb089fb7
/system/sepolicy/private/shell.te
c4df0d71d23545ba8a862c508fb201eb3378274e 08-May-2017 Nick Kralevich <nnk@google.com> Merge "Further restrict SELinux API access" am: 076677330d am: b49bc8212a am: 1ffa6f80da

Change-Id: I4e1669df2067738858c2d7a1e79e0a153cfeef5b
14e2e9261fec015ab6fa66f2bc67439f13c45b8d 08-May-2017 Nick Kralevich <nnk@google.com> Further restrict SELinux API access

Remove SELinux access from domain_deprecated. Access to SELinux APIs can
be granted on a per-domain basis.

Remove appdomain access to SELinux APIs. SELinux APIs are not public and
are not intended for application use. In particular, some exploits poll
on /sys/fs/selinux/enforce to determine if the attack was successful,
and we want to ensure that the behavior isn't allowed. This access was
only granted in the past for CTS purposes, but all the relevant CTS
tests have been moved to the shell domain.

Bug: 27756382
Bug: 28760354
Test: Device boots and no obvious problems. No collected denials.
Change-Id: Ide68311bd0542671c8ebf9df0326e512a1cf325b
/system/sepolicy/private/shell.te
25788df11580805a1d1dd082f7a50cbada31bbf0 14-Apr-2017 Carmen Jackson <carmenjackson@google.com> Add selinux rules for additional file contexts in userdebug

These rules allow the additional tracepoints we need for running traceur
in userdebug builds to be writeable.

Bug: 37110010
Test: I'm testing by running atrace -l and confirming that the
tracepoints that I'm attempting to enable are available.

Change-Id: Ia352100ed67819ae5acca2aad803fa392d8b80fd
/system/sepolicy/private/shell.te
a239f30fd62e750ab079784323c150fa539c793a 23-Mar-2017 Jin Qian <jinqian@google.com> storaged: allow shell to call dumpsys storaged

Test: adb kill-server && adb shell dumpsys storaged
Bug: 36492915
Change-Id: I3a1a2ad2f016ddd5770d585cae82c8be69001df9
/system/sepolicy/private/shell.te
af3eaf0d20afcec549aab34fc0cde3376177fb71 23-Mar-2017 Jin Qian <jinqian@google.com> storaged: allow shell to call dumpsys storaged

Test: adb kill-server && adb shell dumpsys storaged
Bug: 36492915
Change-Id: I3a1a2ad2f016ddd5770d585cae82c8be69001df9
/system/sepolicy/private/shell.te
f5446eb1486816c00136b2b5f0a3cc4a01706000 23-Mar-2017 Alex Klyubin <klyubin@google.com> Vendor domains must not use Binder

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
appdomain only, and
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"binder_in_vendor_violators" attribute. The attribute is needed
because the types corresponding to violators are not exposed to the
public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
sound, record slow motion video with sound. Confirm videos play
back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
/system/sepolicy/private/shell.te
4cae28d43c32d66a343d7efe5677495855970a90 12-Feb-2017 Nick Kralevich <nnk@google.com> tracefs: avoid overly generic regexes

On boot, Android runs restorecon on a number of virtual directories,
such as /sys and /sys/kernel/debug, to ensure that the SELinux labels
are correct. To avoid causing excessive boot time delays, the restorecon
code aggressively prunes directories, to avoid recursing down directory
trees which will never have a matching SELinux label.

See:
* https://android-review.googlesource.com/93401
* https://android-review.googlesource.com/109103

The key to this optimization is avoiding unnecessarily broad regular
expressions in file_contexts. If an overly broad regex exists, the tree
pruning code is ineffective, and the restorecon ends up visiting lots of
unnecessary directories.

The directory /sys/kernel/debug/tracing contains approximately 4500
files normally, and on debuggable builds, this number can jump to over
9000 files when the processing from wifi-events.rc occurs. For
comparison, the entire /sys/kernel/debug tree (excluding
/sys/kernel/debug/tracing) only contains approximately 8000 files. The
regular expression "/sys/kernel(/debug)?/tracing/(.*)?" ends up matching
a significant number of files, which impacts boot performance.

Instead of using an overly broad regex, refine the regex so only the
files needed have an entry in file_contexts. This list of files is
essentially a duplicate of the entries in
frameworks/native/cmds/atrace/atrace.rc .

This change reduces the restorecon_recursive call for /sys/kernel/debug
from approximately 260ms to 40ms, a boot time reduction of approximately
220ms.

Bug: 35248779
Test: device boots, no SELinux denials, faster boot.
Change-Id: I70f8af102762ec0180546b05fcf014c097135f3e
/system/sepolicy/private/shell.te
3e8dbf01ef3a5e2c53a27ab6b068d22c1a8fe02f 08-Dec-2016 dcashman <dcashman@google.com> Restore app_domain macro and move to private use.

app_domain was split up in commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 to
enable compilation by hiding type_transition rules from public policy. These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware. Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea01971156895cf0d8efc1876bfa2025bd6)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
/system/sepolicy/private/shell.te
2e00e6373faa6271d7839d33c5b9e69d998ff020 12-Oct-2016 dcashman <dcashman@google.com> sepolicy: add version_policy tool and version non-platform policy.

In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split. In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
/system/sepolicy/private/shell.te