f7ec413844ad691c0c4863de4cc7a0719b12dc8e |
|
15-Feb-2018 |
Joel Galenson <jgalenson@google.com> |
Dontaudit denials caused by race with labeling. These denials seem to be caused by a race with the process that labels the files. While we work on fixing them, hide the denials. Bug: 68864350 Bug: 70180742 Test: Built policy. Change-Id: I58a32e38e6384ca55e865e9575dcfe7c46b2ed3c
/system/sepolicy/private/surfaceflinger.te
|
e49714542ee846a7b14c8edb78303ec94cb4836e |
|
19-Oct-2017 |
Jaekyun Seok <jaekyun@google.com> |
Whitelist exported platform properties This CL lists all the exported platform properties in private/exported_property_contexts. Additionally accessing core_property_type from vendor components is restricted. Instead public_readable_property_type is used to allow vendor components to read exported platform properties, and accessibility from vendor_init is also specified explicitly. Note that whitelisting would be applied only if PRODUCT_COMPATIBLE_PROPERTY is set on. Bug: 38146102 Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
/system/sepolicy/private/surfaceflinger.te
|
9b2e0cbeeaae560b07e4ffa6e5b8e505699e4a76 |
|
09-Nov-2017 |
Benjamin Gordon <bmgordon@google.com> |
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
/system/sepolicy/private/surfaceflinger.te
|
2d6942d397f446fe080d6c97c21235124900f7d5 |
|
17-Nov-2017 |
Vishnu Nair <vishnun@google.com> |
Add window trace files SELinux policy rules - Allow system_server to create and write to /data/misc/wmtrace/* - Allow surfaceflinger to create and write files from /data/misc/wmtrace/* - Allow dumpstate to read files from /data/misc/wmtrace/* permissions are restricted to userdebug or eng builds Bug: 64831661 Test: adb shell cmd window tracing start && adb shell cmd window tracing stop Test: adb shell su root service call SurfaceFlinger 1025 i32 1 >/dev/null && adb shell su root service call SurfaceFlinger 1025 i32 0 >/dev/null Test: adb bugreport ~/tmp.zip && adb shell su root dmesg | grep 'avc: ' Change-Id: I0b15166560739d73d7749201f3ad197dbcf5791c
/system/sepolicy/private/surfaceflinger.te
|
54a2cac5a21437e886ac666af4dcc48172d9986c |
|
02-Oct-2017 |
Tri Vo <trong@google.com> |
Remove surfaceflinger access to sysfs. Bug: 65643247 Test: SurfaceFlinger_test passes (except known failures) without selinux denials Change-Id: I6ce185f92e5ad64a172da7d7e12167d8da2ebed0
/system/sepolicy/private/surfaceflinger.te
|
91d398d802b4fbd33c2b88da9f56ecee8bdc363c |
|
26-Sep-2017 |
Dan Cashman <dcashman@google.com> |
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
/system/sepolicy/private/surfaceflinger.te
|
5b2ebd3b2562e41ad025d07865297a098d386ebb |
|
05-Sep-2017 |
Steven Moreland <smoreland@google.com> |
Revert "Add screencap domain." This reverts commit 9216a6adc9eee7bad33f0819f6dcc68a7dbbe6e8. Bug: 65206688 Merged-In: I8e61b77a1abe9543e4fba77defb8062407676fcf Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf
/system/sepolicy/private/surfaceflinger.te
|
9216a6adc9eee7bad33f0819f6dcc68a7dbbe6e8 |
|
01-Aug-2017 |
Steven Moreland <smoreland@google.com> |
Add screencap domain. Only seeing this denial in permissive: allow shell screencap_exec:file getattr; Bug: 37565047 Test: adb shell screencap w/o root Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases Merged-In: I9f31d2067e002e7042646ee38dbfc06687481ac7 Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7
/system/sepolicy/private/surfaceflinger.te
|
e8ab0020ba58978e8d7f8b1b77ae36da1f3bffa0 |
|
17-May-2017 |
Steven Moreland <smoreland@google.com> |
Add fwk_display_hwservice. This hidl service provides information about vsync and hotplug to vendor services which is required by at least some camera hal implementations. Test: VtsFwkDisplayServiceV1_0TargetTest Test: no denials Bug: 38311538 Change-Id: I64f0321e2832facf987057f0d48940e269d8e2d9
/system/sepolicy/private/surfaceflinger.te
|
2dd9ae33f7827dd372c2c698f1aec457e5be8a9e |
|
24-Apr-2017 |
Luke Song <songwalker@google.com> |
Move sensord sepolicy Sensord move in ag/2106763 should be accompanied by corresponding sepolicy move of sensord-related files/declarations. Bug: 36996994 Test: Sailfish build shows no related permission errors Change-Id: Ibe41b363f7ca2752b5d3e0961298985cf784663d
/system/sepolicy/private/surfaceflinger.te
|
41daa7f859be06a49e4770a1f1d33b0d3070fa5a |
|
01-May-2017 |
Alex Vakulenko <avakulenko@google.com> |
SELinux policies for PDX services Specify per-service rules for PDX transport. Now being able to grant permissions to individual services provided by processes, not all services of a process. Also tighter control over which permissions are required for client and server for individual components of IPC (endpoints, channels, etc). Bug: 37646189 Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
/system/sepolicy/private/surfaceflinger.te
|
676003cf3aa1b42c9efb7f287a507ebc40b51548 |
|
28-Apr-2017 |
Chris Forbes <chrisforbes@google.com> |
allow surfaceflinger to use socket from adbd Fixes `adb shell cmd gpu vkjson`, which was previously failing due to surfaceflinger not being able to use the socket passed to it by adbd. Bug: b/37157136 Test: run above command, verified on marlin + bullhead Change-Id: I57fa7e99d5c3dc7bc7d033b83f8ce6032162d7d3
/system/sepolicy/private/surfaceflinger.te
|
53656c1742c126c92df178ee143dec5dcf93c88a |
|
14-Apr-2017 |
Alex Klyubin <klyubin@google.com> |
Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call from either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 (cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb) Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3 Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
/system/sepolicy/private/surfaceflinger.te
|
75ca48321558006ba0e8a5e5aae7ecf1fa874058 |
|
17-Apr-2017 |
Alex Klyubin <klyubin@google.com> |
surfaceflinger and apps are clients of Configstore HAL This commit marks surfaceflinger and app domain (except isolated_app) as clients of Configstore HAL. This cleans up the policy and will make it easier to restrict access to HwBinder services later. Test: Play YouTube clip in YouTube app and YouTube web page in Chrome Test: Take an HDR+ photo, a normal photo, a video, and slow motion video in Google Camera app. Check that photos show up fine and that videos play back with sound. Test: Play movie using Google Play Movies Test: Google Maps app displays the Android's correct location Bug: 34454312 Change-Id: I0f468a4289132f4eaacfb1d13ce4e61604c2a371
/system/sepolicy/private/surfaceflinger.te
|
f86d54f0d1310fe0003c212f75fd7f212257b873 |
|
03-Apr-2017 |
Alex Klyubin <klyubin@google.com> |
No access to tee domain over Unix domain sockets The tee domain is a vendor domain. Thus it cannot be accessed by non-vendor components over Unix domain sockets. It appears that the rules granting this access are not needed. Test: Flash a clean build with this change. Confirm that bullhead, angler, sailfish, ryu, boot without new denials. Confirm that YouTube, Netflix, Google Play Movies play back videos without new denials. Bug: 36714625 Bug: 36715266 Change-Id: I639cecd07c9a3cfb257e62622b51b7823613472a
/system/sepolicy/private/surfaceflinger.te
|
f5446eb1486816c00136b2b5f0a3cc4a01706000 |
|
23-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
/system/sepolicy/private/surfaceflinger.te
|
49274721b371a5bf76e3ea5a4ae0113b60018fbf |
|
20-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Move Graphics Allocator HAL IPC rules to proper location Every client of Graphics Allocator HAL needs permission to (Hw)Binder IPC into the HAL. Test: Device boots, no denials to do with hal_graphics_allocator (also, removing the binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server) leads to denials) Test: GUI works, YouTube works Bug: 34170079 Change-Id: I5c64d966862a125994dab903c2eda5815e336a94
/system/sepolicy/private/surfaceflinger.te
|
9e6b24c6a5dc026924b2ab983d6644063585cd9c |
|
17-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
/system/sepolicy/private/surfaceflinger.te
|
8bf3b7a8656372c1dcead6aedbf1a96d0a3bf1d9 |
|
10-Feb-2017 |
Jeff Vander Stoep <jeffv@google.com> |
surfaceflinger: grant access to vr_manager_service Addresses avc: denied { find } for service=vrmanager pid=472 uid=1000 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:vr_manager_service:s0 tclass=service_manager Test: Marlin builds and boots. Denial no longer observed. Bug: 35258608 Bug: 35197529 Change-Id: I480dff3fdaf01f71e29e96f08350f705c6a23bba
/system/sepolicy/private/surfaceflinger.te
|
084faf025903795fe223a31d7e626d0439b459c2 |
|
10-Feb-2017 |
Nick Bray <ncbray@google.com> |
Add policies for new services. Bug: 30989383 Bug: 34731101 Test: manual Change-Id: Icf9d48568b505c6b788f2f5f456f2d709969fbeb
/system/sepolicy/private/surfaceflinger.te
|
5d30beb1b234b31ccd6485d4bad5813103833794 |
|
07-Feb-2017 |
Alex Klyubin <klyubin@google.com> |
Move surfaceflinger policy to private This leaves only the existence of surfaceflinger domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules to do with surfaceflinger_current except those created by other domains' allow rules referencing surfaceflinger domain from public and vendor policies. Bug: 31364497 Change-Id: I177751afad82ec27a5b6d2440cf0672cb5b9dfb8
/system/sepolicy/private/surfaceflinger.te
|
cc39f637734a8d84bc861b649bfd109290c06401 |
|
22-Jul-2016 |
dcashman <dcashman@google.com> |
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
/system/sepolicy/private/surfaceflinger.te
|