History log of /system/sepolicy/private/surfaceflinger.te
Revision Date Author Comments
f7ec413844ad691c0c4863de4cc7a0719b12dc8e 15-Feb-2018 Joel Galenson <jgalenson@google.com> Dontaudit denials caused by race with labeling.

These denials seem to be caused by a race with the process that labels
the files. While we work on fixing them, hide the denials.

Bug: 68864350
Bug: 70180742
Test: Built policy.
Change-Id: I58a32e38e6384ca55e865e9575dcfe7c46b2ed3c
/system/sepolicy/private/surfaceflinger.te
e49714542ee846a7b14c8edb78303ec94cb4836e 19-Oct-2017 Jaekyun Seok <jaekyun@google.com> Whitelist exported platform properties

This CL lists all the exported platform properties in
private/exported_property_contexts.

Additionally, accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.

Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
/system/sepolicy/private/surfaceflinger.te
9b2e0cbeeaae560b07e4ffa6e5b8e505699e4a76 09-Nov-2017 Benjamin Gordon <bmgordon@google.com> sepolicy: Add rules for non-init namespaces

In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
1. New global_capability_class_set and global_capability2_class_set
that match capability+cap_userns and capability2+cap2_userns,
respectively.
2. s/self:capability/self:global_capability_class_set/g
3. s/self:capability2/self:global_capability2_class_set/g
4. Add cap_userns and cap2_userns to the existing capability_class_set
so that it covers all capabilities. This set was used by several
neverallow and dontaudit rules, and I confirmed that the new
classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
only cap_userns or cap2_userns;
Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
/system/sepolicy/private/surfaceflinger.te
2d6942d397f446fe080d6c97c21235124900f7d5 17-Nov-2017 Vishnu Nair <vishnun@google.com> Add window trace files SELinux policy rules

- Allow system_server to create and write to /data/misc/wmtrace/*
- Allow surfaceflinger to create and write files from /data/misc/wmtrace/*
- Allow dumpstate to read files from /data/misc/wmtrace/*
Permissions are restricted to userdebug or eng builds.

Bug: 64831661

Test: adb shell cmd window tracing start && adb shell cmd window tracing stop
Test: adb shell su root service call SurfaceFlinger 1025 i32 1 >/dev/null && adb shell su root service call SurfaceFlinger 1025 i32 0 >/dev/null
Test: adb bugreport ~/tmp.zip && adb shell su root dmesg | grep 'avc: '

Change-Id: I0b15166560739d73d7749201f3ad197dbcf5791c
/system/sepolicy/private/surfaceflinger.te
54a2cac5a21437e886ac666af4dcc48172d9986c 02-Oct-2017 Tri Vo <trong@google.com> Remove surfaceflinger access to sysfs.

Bug: 65643247
Test: SurfaceFlinger_test passes (except known failures) without selinux
denials
Change-Id: I6ce185f92e5ad64a172da7d7e12167d8da2ebed0
/system/sepolicy/private/surfaceflinger.te
91d398d802b4fbd33c2b88da9f56ecee8bdc363c 26-Sep-2017 Dan Cashman <dcashman@google.com> Sync internal master and AOSP sepolicy.

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
/system/sepolicy/private/surfaceflinger.te
5b2ebd3b2562e41ad025d07865297a098d386ebb 05-Sep-2017 Steven Moreland <smoreland@google.com> Revert "Add screencap domain."

This reverts commit 9216a6adc9eee7bad33f0819f6dcc68a7dbbe6e8.

Bug: 65206688

Merged-In: I8e61b77a1abe9543e4fba77defb8062407676fcf
Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf
/system/sepolicy/private/surfaceflinger.te
9216a6adc9eee7bad33f0819f6dcc68a7dbbe6e8 01-Aug-2017 Steven Moreland <smoreland@google.com> Add screencap domain.

Only seeing this denial in permissive:
allow shell screencap_exec:file getattr;

Bug: 37565047
Test: adb shell screencap w/o root
Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases
Merged-In: I9f31d2067e002e7042646ee38dbfc06687481ac7
Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7
/system/sepolicy/private/surfaceflinger.te
e8ab0020ba58978e8d7f8b1b77ae36da1f3bffa0 17-May-2017 Steven Moreland <smoreland@google.com> Add fwk_display_hwservice.

This hidl service provides information about vsync and hotplug
to vendor services which is required by at least some camera
hal implementations.

Test: VtsFwkDisplayServiceV1_0TargetTest
Test: no denials
Bug: 38311538
Change-Id: I64f0321e2832facf987057f0d48940e269d8e2d9
/system/sepolicy/private/surfaceflinger.te
2dd9ae33f7827dd372c2c698f1aec457e5be8a9e 24-Apr-2017 Luke Song <songwalker@google.com> Move sensord sepolicy

Sensord move in ag/2106763 should be accompanied by corresponding
sepolicy move of sensord-related files/declarations.

Bug: 36996994
Test: Sailfish build shows no related permission errors
Change-Id: Ibe41b363f7ca2752b5d3e0961298985cf784663d
/system/sepolicy/private/surfaceflinger.te
41daa7f859be06a49e4770a1f1d33b0d3070fa5a 01-May-2017 Alex Vakulenko <avakulenko@google.com> SELinux policies for PDX services

Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
/system/sepolicy/private/surfaceflinger.te
676003cf3aa1b42c9efb7f287a507ebc40b51548 28-Apr-2017 Chris Forbes <chrisforbes@google.com> allow surfaceflinger to use socket from adbd

Fixes `adb shell cmd gpu vkjson`, which was previously failing due to
surfaceflinger not being able to use the socket passed to it by adbd.

Bug: b/37157136
Test: run above command, verified on marlin + bullhead
Change-Id: I57fa7e99d5c3dc7bc7d033b83f8ce6032162d7d3
/system/sepolicy/private/surfaceflinger.te
53656c1742c126c92df178ee143dec5dcf93c88a 14-Apr-2017 Alex Klyubin <klyubin@google.com> Restrict access to hwservicemanager

This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
record video (slow motion and normal), and check that photos
look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
and that disconnecting the call from either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
make and install CtsMediaTestCases.apk
adb shell am instrument -e size small \
-w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
fingerprint
Test: Apply OTA update:
Make some visible change, e.g., rename Settings app.
make otatools && \
make dist
Ensure device has network connectivity
ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
/system/sepolicy/private/surfaceflinger.te
75ca48321558006ba0e8a5e5aae7ecf1fa874058 17-Apr-2017 Alex Klyubin <klyubin@google.com> surfaceflinger and apps are clients of Configstore HAL

This commit marks surfaceflinger and app domain (except isolated_app)
as clients of Configstore HAL. This cleans up the policy and will make
it easier to restrict access to HwBinder services later.

Test: Play YouTube clip in YouTube app and YouTube web page in Chrome
Test: Take an HDR+ photo, a normal photo, a video, and slow motion
video in Google Camera app. Check that photos show up fine and
that videos play back with sound.
Test: Play movie using Google Play Movies
Test: Google Maps app displays the Android's correct location
Bug: 34454312
Change-Id: I0f468a4289132f4eaacfb1d13ce4e61604c2a371
/system/sepolicy/private/surfaceflinger.te
f86d54f0d1310fe0003c212f75fd7f212257b873 03-Apr-2017 Alex Klyubin <klyubin@google.com> No access to tee domain over Unix domain sockets

The tee domain is a vendor domain. Thus it cannot be accessed by
non-vendor components over Unix domain sockets.

It appears that the rules granting this access are not needed.

Test: Flash a clean build with this change. Confirm that bullhead,
angler, sailfish, ryu, boot without new denials.
Confirm that YouTube, Netflix, Google Play Movies play back
videos without new denials.
Bug: 36714625
Bug: 36715266

Change-Id: I639cecd07c9a3cfb257e62622b51b7823613472a
/system/sepolicy/private/surfaceflinger.te
f5446eb1486816c00136b2b5f0a3cc4a01706000 23-Mar-2017 Alex Klyubin <klyubin@google.com> Vendor domains must not use Binder

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
appdomain only, and
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"binder_in_vendor_violators" attribute. The attribute is needed
because the types corresponding to violators are not exposed to the
public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
sound, record slow motion video with sound. Confirm videos play
back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
/system/sepolicy/private/surfaceflinger.te
49274721b371a5bf76e3ea5a4ae0113b60018fbf 20-Mar-2017 Alex Klyubin <klyubin@google.com> Move Graphics Allocator HAL IPC rules to proper location

Every client of Graphics Allocator HAL needs permission to (Hw)Binder
IPC into the HAL.

Test: Device boots, no denials to do with hal_graphics_allocator
(also, removing the binder_call(hal_graphics_allocator_client,
hal_graphics_allocator_server) leads to denials)
Test: GUI works, YouTube works
Bug: 34170079

Change-Id: I5c64d966862a125994dab903c2eda5815e336a94
/system/sepolicy/private/surfaceflinger.te
9e6b24c6a5dc026924b2ab983d6644063585cd9c 17-Mar-2017 Alex Klyubin <klyubin@google.com> Annotate most remaining HALs with _client/_server

This switches most remaining HALs to the _client/_server approach.
To unblock efforts blocked on majority of HALs having to use this
model, this change does not remove unnecessary rules from clients of
these HALs. That work will be performed in follow-up commits. This
commit only adds allow rules and thus does not break existing
functionality.

The HALs not yet on the _client/_server model after this commit are:
* Allocator HAL, because it's non-trivial to declare all apps except
isolated apps as clients of this HAL, which they are.
* Boot HAL, because it's still on the non-attributized model and I'm
waiting for update_engine folks to answer a couple of questions
which will let me refactor the policy of this HAL.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: Device boots in recovery mode, no new denials
Bug: 34170079
Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
/system/sepolicy/private/surfaceflinger.te
8bf3b7a8656372c1dcead6aedbf1a96d0a3bf1d9 10-Feb-2017 Jeff Vander Stoep <jeffv@google.com> surfaceflinger: grant access to vr_manager_service

Addresses
avc: denied { find } for service=vrmanager pid=472 uid=1000
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:vr_manager_service:s0
tclass=service_manager

Test: Marlin builds and boots. Denial no longer observed.
Bug: 35258608
Bug: 35197529
Change-Id: I480dff3fdaf01f71e29e96f08350f705c6a23bba
/system/sepolicy/private/surfaceflinger.te
084faf025903795fe223a31d7e626d0439b459c2 10-Feb-2017 Nick Bray <ncbray@google.com> Add policies for new services.

Bug: 30989383
Bug: 34731101
Test: manual
Change-Id: Icf9d48568b505c6b788f2f5f456f2d709969fbeb
/system/sepolicy/private/surfaceflinger.te
5d30beb1b234b31ccd6485d4bad5813103833794 07-Feb-2017 Alex Klyubin <klyubin@google.com> Move surfaceflinger policy to private

This leaves only the existence of surfaceflinger domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.

Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with
surfaceflinger_current except those created by other domains'
allow rules referencing surfaceflinger domain from public and
vendor policies.
Bug: 31364497

Change-Id: I177751afad82ec27a5b6d2440cf0672cb5b9dfb8
/system/sepolicy/private/surfaceflinger.te
cc39f637734a8d84bc861b649bfd109290c06401 22-Jul-2016 dcashman <dcashman@google.com> Split general policy into public and private components.

Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
/system/sepolicy/private/surfaceflinger.te