History log of /system/sepolicy/public/attributes
Revision Date Author Comments
c0f8f2f82a9526be7c7835f2ef9501948fd5b4ed 30-May-2018 Jiyong Park <jiyong@google.com> add extended_core_property_type

The attribute is used to capture system properties added from outside of
AOSP (e.g. by an OEM) that are not device-specific and are thus used only
inside the system partition.

Access to the system properties from outside of the system partition
is prevented by the neverallow rule.

Bug: 80382020
Bug: 78598545
Test: m -j selinux_policy
Change-Id: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46
/system/sepolicy/public/attributes
cdb1624c27e51ee85b6a4ea6ebd529bd0e07648f 02-May-2018 Tom Cherry <tomcherry@google.com> neverallow coredomain from writing vendor properties

System properties can be abused to get around Treble requirements of
having a clean system/vendor split. This CL seeks to prevent that by
neverallowing coredomain from writing vendor properties.

Bug: 78598545
Test: build 2017/2018 Pixels
Test: build aosp_arm64
Change-Id: I5e06894150ba121624d753228e550ba9b81f7677
/system/sepolicy/public/attributes
4cafae77a4ac9e9b34410714787b68523dcd5345 04-May-2018 Pavel Maltsev <pavelm@google.com> Allow to use sockets from hal server for auto

Add an exemption to the neverallow rule to allow using sockets from HAL
servers, only for automotive builds.

Bug: 78901167
Test: assign this attribute to hal_vehicle_default and try to open
socket from HAL implementation
Test: verify that the new CTS test will fail for a non-automotive build with
this attribute being used
Test: make cts && cts-tradefed run singleCommand cts --skip-device-info
--skip-preconditions --abi arm64-v8a --module CtsSecurityHostTestCases
-t android.security.cts.SELinuxHostTest

Change-Id: I27976443dad4fc5b7425c089512cac65bb54d6d9
/system/sepolicy/public/attributes
d8d7a3f7cccba9ab7dc345f68eb99b905808bff3 03-May-2018 android-build-team Robot <android-build-team-robot@google.com> Merge "Never expand proc_type attribute" into pi-dev
db6218417c6ceb8ee61f6d1e7cc0410f2c516e95 01-May-2018 Jeff Vander Stoep <jeffv@google.com> Never expand proc_type attribute

It's used in build-time tests and in CTS.

Bug: 78898770
Test: build user-build
Change-Id: I254bf4d7ed0c0cb029b55110ceec982b84e4a91b
(cherry picked from commit beeb122405070a5b4cee326a0cdae92a1a791fbc)
/system/sepolicy/public/attributes
394dbe34a0dc7519acb9948175ba63ee18bedbed 10-Apr-2018 Pavel Maltsev <pavelm@google.com> Move automotive HALs sepolicy to system/

Bug: 70637118
Test: build, flash and boot bat_land and owl automotive builds

Change-Id: I6db23258de30174d6db09d241e91b08aa5afedef
/system/sepolicy/public/attributes
62e6850a2be1954148e5282cb773ea22cca4b214 16-Feb-2018 Tri Vo <trong@google.com> proc_type attribute for files under /proc.

With this attribute it will be easier to reference /proc files.

Bug: 74182216
Test: policy builds
Change-Id: I5b7da508d821e45f122832261a742a201e8fdf2c
(cherry picked from commit 41bf08e592fd3ef8e3dcc9a9eccc99e6a7753e8a)
/system/sepolicy/public/attributes
325aec5c3fc49975eccddae2c2c58e0386c357cf 07-Feb-2018 Tri Vo <trong@google.com> Merge changes from topic "27_mapping" am: 4e9b1c6bf6 am: dc357d0c7e
am: 4d4daa3f9e

Change-Id: Ic96937efe156d8338f121981afaf4281e62542cd
284a18ae52678daa1134f140598e40531b1bd63f 01-Feb-2018 Tri Vo <trong@google.com> Temporary fix to avoid expandattribute value conflicts.

Bug: 69390067
Bug: 72757373
Test: build sepolicy
Change-Id: I44aeb547ff7ab7042eddfa780df8cbb7dcec71b4
/system/sepolicy/public/attributes
64f35fa01eec7c63f176084af66906249d21ab60 10-Jan-2018 Andrew Scull <ascull@google.com> authsecret HAL policies.

Bug: 71527305
Test: compile and boot
Change-Id: I91097bd62d99b8dd9eb6f53060badbaf0f4b8b4a
(cherry picked from commit 1aedf4b5f8bdc391c61a22d01278de70c26eb9e8)
/system/sepolicy/public/attributes
ccf965e9ca37b4bf063c9c573cb4900d70d9025c 24-Jan-2018 Jeff Vander Stoep <jeffv@google.com> Test that /data is properly labeled

Data outside of /data/vendor should have the core_data_file_type.
Exempt data_between_core_and_vendor for some types.

Ensure core_data_file_type and coredomain_socket do not get expanded
to their underlying types.

Test: build sepolicy for all targets in master (this is a build time
test)
Bug: 34980020
Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a
(cherry picked from commit bdd454792d52719f3b8b1fe8c3fd08cb13a393f1)
/system/sepolicy/public/attributes
1c57b81c1ecbf02297638356adbed0d586a3f2a2 30-Jan-2018 Ruchi Kandoi <kandoiruchi@google.com> Merge "SE Policy for Secure Element app and Secure Element HAL" am: 6a60cb3e69 am: f285f2db4b
am: 4757882300

Change-Id: I36147d7f0359cef7f80ee36086150936bed2e672
8a2b4a783e5c9f4a342b7b0923fa1089842566e5 04-Jan-2018 Ruchi Kandoi <kandoiruchi@google.com> SE Policy for Secure Element app and Secure Element HAL

Test: App startup on boot
Change-Id: I7740aafc088aadf676328e3f1bb8db5175d97102
/system/sepolicy/public/attributes
77a2d71fc2694ca2f914c93bb532e1193a0f8b22 25-Jan-2018 Jeffrey Vander Stoep <jeffv@google.com> Merge "Test that /data is properly labeled"
f5ea7ab181165e920ec65cc35580a555fdfd2399 24-Jan-2018 Janis Danisevskis <jdanis@google.com> Added default policy for Confirmation UI HAL am: 97c56bdd78 am: 5029fe7236
am: a2f243dc35

Change-Id: I670465743596b35c37a4ca591e5a8f4848222bb9
97c56bdd78629cb3a57acdbd27d977f1cc6eed4b 09-Jan-2018 Janis Danisevskis <jdanis@google.com> Added default policy for Confirmation UI HAL

Bug: 63928580
Test: Manually tested.

Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53
/system/sepolicy/public/attributes
bdd454792d52719f3b8b1fe8c3fd08cb13a393f1 24-Jan-2018 Jeff Vander Stoep <jeffv@google.com> Test that /data is properly labeled

Data outside of /data/vendor should have the core_data_file_type.
Exempt data_between_core_and_vendor for some types.

Ensure core_data_file_type and coredomain_socket do not get expanded
to their underlying types.

Test: build sepolicy for all targets in master (this is a build time
test)
Bug: 34980020
Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a
/system/sepolicy/public/attributes
8d11ef5a370d7c4dc7624daec54c19c67b2f1dae 23-Jan-2018 Andrew Scull <ascull@google.com> Merge "authsecret HAL policies."
7bee33e665af49747e45de5440b9de454da1ba86 08-Jan-2018 Badhri Jagan Sridharan <Badhri@google.com> hal_usb_gadget sepolicy

Bug: 63669128
Test: Checked for avc denial messages.
Change-Id: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
Merged-In: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
/system/sepolicy/public/attributes
9b0788945221ab99817b7e883e7b7be1fe8c9940 08-Jan-2018 Badhri Jagan Sridharan <Badhri@google.com> hal_usb_gadget sepolicy

Bug: 63669128
Test: Checked for avc denial messages.
Change-Id: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
/system/sepolicy/public/attributes
2724e81c9ea6adbd7e92009fcc53c1cbe133b2b0 18-Jan-2018 Roshan Pius <rpius@google.com> Merge "sepolicy(hostapd): Add a HIDL interface for hostapd"
282dbf7bbbe1d5541c769038e2800ee9dd3eda21 21-Dec-2017 Tri Vo <trong@google.com> Introduce system_executes_vendor_violators attribute.

We use this attribute to annotate coredomains that execute vendor code
in a Treble-violating way.

Bug: 62041836
Test: sepolicy builds
Change-Id: Ie6052209b3901eaad8496b8fc9681421d7ee3c1c
/system/sepolicy/public/attributes
5bca3e860d34b3aff070a38bfd39caa74cade443 23-Dec-2017 Roshan Pius <rpius@google.com> sepolicy(hostapd): Add a HIDL interface for hostapd

Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913 4952 4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938 5791 5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
/system/sepolicy/public/attributes
d2315bdf6a9f08a725125bc7e0e78e48332c537b 12-Jan-2018 Tri Vo <trong@google.com> Revert "Coredomain can't execute vendor code."

This reverts commit 07dd2c9e89ec6b588a1842a3d1ef0a305e175257.

Reason for revert: albacore build broken

Change-Id: I551b1d8c008f01fb815e42b59d397feb9672b8e6
/system/sepolicy/public/attributes
07dd2c9e89ec6b588a1842a3d1ef0a305e175257 21-Dec-2017 Tri Vo <trong@google.com> Coredomain can't execute vendor code.

Bug: 62041836
Test: sepolicy builds
Change-Id: Ie6052209b3901eaad8496b8fc9681421d7ee3c1c
/system/sepolicy/public/attributes
1aedf4b5f8bdc391c61a22d01278de70c26eb9e8 10-Jan-2018 Andrew Scull <ascull@google.com> authsecret HAL policies.

Bug: 71527305
Test: compile and boot
Change-Id: I91097bd62d99b8dd9eb6f53060badbaf0f4b8b4a
/system/sepolicy/public/attributes
2ae575b08018bcdddaa0ca44ef14f484fd360c53 17-Oct-2017 Jeff Vander Stoep <jeffv@google.com> Start tracking platform/vendor data access violations

As part of Treble, enforce that the communication between platform
and vendor components use the official hw binder APIs. Prevent sharing
of data by file path. Platform and vendor components may share
files, but only via FD passed over hw binder.

This change adds the violators attribute that will be used to mark
violating domains that need to be fixed.

Bug: 34980020
Test: build
Change-Id: Id9acfbbc86bfd6fd0633b8164a37ce94d25ffa2c
/system/sepolicy/public/attributes
91d398d802b4fbd33c2b88da9f56ecee8bdc363c 26-Sep-2017 Dan Cashman <dcashman@google.com> Sync internal master and AOSP sepolicy.

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
/system/sepolicy/public/attributes
26ff5eb6b9dadf9d217a21d3d63498e9967c5df4 08-Aug-2017 Tomasz Wasilczyk <twasilczyk@google.com> Move Broadcast Radio HAL to a separate binary.

Bug: 63600413
Test: VTS, instrumentation, audit2allow
Test: after cherry-pick - it builds
Change-Id: I57c0150a52c13f1ce21f9ae2147e3814aad0fb7e
(cherry picked from commit 567b947d85a353af56799c4e48583adfa7ff4e0d)
/system/sepolicy/public/attributes
3e307a4de570a64437e3071ae398ed291ba82098 21-Jun-2017 Dan Cashman <dcashman@google.com> Remove neverallow preventing hwservice access for apps.

Same-process HALs are forbidden except for very specific HALs that have
been provided and whitelisted by AOSP. As a result, a vendor extension
HAL may have a need to be accessed by untrusted_app. This is still
discouraged, and the existing AOSP hwservices are still forbidden, but
remove the blanket prohibition. Also indicate that this is temporary,
and that partners should expect to get exceptions to the rule into AOSP
in the future.

Bug: 62806062
Test: neverallow-only change builds. Verify new attribute is in policy.
Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832
/system/sepolicy/public/attributes
c67fa9bfb4dfa5d183fc13339fc3e037abde6587 22-May-2017 pkanwar <pkanwar@google.com> SE Policy for Tether Offload HAL

Update SE Policy to allow calls to and callbacks for the Tether Offload HAL
HIDL binderized service.

Bug: 38417260
Test: New functionality. So we don't have any tests.
Change-Id: I2c95b290523c55c081afa1bca091f368559c9125
(cherry picked from commit 722249b3e83dba446a93ace95d211f874c424737)
/system/sepolicy/public/attributes
325bf7259227b15a6b356051d90d5a89ad739a4d 01-Mar-2017 Sohani Rao <sohanirao@google.com> SE Policy for Wifi Offload HAL

Update SE Policy to allow calls to and callbacks from Wifi Offload HAL
HIDL binderized service.
Combined cherry pick from d56aa1982d15acfc2408271138dac43f1e5dc987
and 66e27bf502246c8e8870b7b3e2573a8c87e89fe1

Bug: 32842314
Test: Unit tests, manual test to ensure Wifi can be brought up and
connected to an AP, ensure that the Offload HAL service is running and
that wificond can get the service handle by calling hwservicemanager.

Change-Id: I0fc51a4152f1891c8d88967e75d45ded115e766e
/system/sepolicy/public/attributes
e8ab0020ba58978e8d7f8b1b77ae36da1f3bffa0 17-May-2017 Steven Moreland <smoreland@google.com> Add fwk_display_hwservice.

This hidl service provides information about vsync and hotplug
to vendor services which is required by at least some camera
hal implementations.

Test: VtsFwkDisplayServiceV1_0TargetTest
Test: no denials
Bug: 38311538
Change-Id: I64f0321e2832facf987057f0d48940e269d8e2d9
/system/sepolicy/public/attributes
02a101a6950c372fbd49e35ce25286f360c18b1b 16-May-2017 TreeHugger Robot <treehugger-gerrit@google.com> Merge "Move domain_deprecated into private policy" into oc-dev
21e6ab1230acb4b7b58a449a378cc31b6fe72a79 16-May-2017 TreeHugger Robot <treehugger-gerrit@google.com> Merge "SELinux policies for Weaver HAL." into oc-dev
f2760f794db7e9f72f2fee490041ee9cf95bd69b 16-May-2017 TreeHugger Robot <treehugger-gerrit@google.com> Merge "SELinux policies for the OEM lock HAL." into oc-dev
76aab82cb3a7560d3d78f93c7f2d00ed381192c4 15-May-2017 Jeff Vander Stoep <jeffv@google.com> Move domain_deprecated into private policy

This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
/system/sepolicy/public/attributes
3c90eaf2095858798b68dd68953f8d550d90905c 12-May-2017 Andrew Scull <ascull@google.com> SELinux policies for Weaver HAL.

Bug: 35628284
Change-Id: I08877ac117212325b1259f7d90a4c0cb1dac2d9f
Fix: 38233550
Test: Build and boot
Merged-In: I4cdacb601e0eea1f5f0e721c568c7ee04298704f
/system/sepolicy/public/attributes
0e9b22078bf3c49e61fd887cf86d081d4681d9e0 12-May-2017 Andrew Scull <ascull@google.com> SELinux policies for the OEM lock HAL.

Bug: 34766843
Change-Id: I5be615d818ecf999fec6514ce9b89ff6a7f13cd6
Fix: 38232801
Test: Build and boot
Merged-In: Ice78aedfdbe82477a84252499a76dad37887fe6b
/system/sepolicy/public/attributes
2dd9ae33f7827dd372c2c698f1aec457e5be8a9e 24-Apr-2017 Luke Song <songwalker@google.com> Move sensord sepolicy

Sensord move in ag/2106763 should be accompanied by corresponding
sepolicy move of sensord-related files/declarations.

Bug: 36996994
Test: Sailfish build shows no related permission errors
Change-Id: Ibe41b363f7ca2752b5d3e0961298985cf784663d
/system/sepolicy/public/attributes
41daa7f859be06a49e4770a1f1d33b0d3070fa5a 01-May-2017 Alex Vakulenko <avakulenko@google.com> SELinux policies for PDX services

Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
/system/sepolicy/public/attributes
2a7f4fb069a574fb9bd34acbf27ba86cd804005b 22-Apr-2017 Alex Klyubin <klyubin@google.com> Assert apps can access only approved HwBinder services

App domains which host arbitrary code must not have access to
arbitrary HwBinder services. Such access unnecessarily increases the
attack surface. The reason is twofold:
1. HwBinder servers do not perform client authentication because HIDL
currently does not expose caller UID information and, even if it
did, many HwBinder services either operate at a layer below that of
apps (e.g., HALs) or must not rely on app identity for
authorization. Thus, to be safe, the default assumption is that
a HwBinder service treats all its clients as equally authorized to
perform operations offered by the service.
2. HAL servers (a subset of HwBinder services) contain code with
higher incidence rate of security issues than system/core
components and have access to lower layers of the stack (all the way
down to hardware) thus increasing opportunities for bypassing the
Android security model.

HwBinder services offered by core components (as opposed to vendor
components) are considered safer because of point #2 above.

Always same-process aka always-passthrough HwBinder services are
considered safe for access by these apps. This is because these HALs
by definition do not offer any additional access beyond what its
client already has, because these services run in the process of the
client.

This commit thus introduces these two categories of HwBinder services
in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
/system/sepolicy/public/attributes
b99676eece98d8fa732dc64dabca4dd2cbbbcac5 15-Apr-2017 Sandeep Patil <sspatil@google.com> Add vendor_executes_system_violators attribute

Temporary attribute (checked against in CTS) to point out vendor
processes that run /system executables. These are currently only down to
2-3 of them that are related to telephony on sailfish

Bug: 36463595
Test: Build succeeds for sailfish
Test: ./cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.security.cts.SELinuxHostTest#testNoExemptionsForVendorExecutingCore \
--skip-device-info --skip-preconditions --skip-connectivity-check \
--abi arm64-v8a

Change-Id: I9eb40ad259aefba73869d6a1b40186d33fa475dd
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/public/attributes
20c2d4e98c2cbe01133665e7292fcd1e295bbd4f 13-Apr-2017 Alex Klyubin <klyubin@google.com> Remove unnecessary attributes

Test: mmm system/sepolicy
Bug: 34980020

(cherry picked from commit 3cc6a95944529aa1700b120206c6d0fb0b0b85e3)

Change-Id: I64c7275551e8e27d68072e8ec38c07b539989da0
/system/sepolicy/public/attributes
976fb16bc14dfefe12f56e23a677dce99a091b14 12-Apr-2017 TreeHugger Robot <treehugger-gerrit@google.com> Merge "Add sepolicy for tv.cec" into oc-dev
f81dd0c57886815b384fe209bdfa70f7b786957a 05-Apr-2017 Donghyun Cho <donghyun@google.com> Add sepolicy for tv.cec

Bug: 36562029
Test: m -j40 and CEC functionality works well
Change-Id: I5a693e65abdd5139a848d939149a475056cc41e8
/system/sepolicy/public/attributes
bc6d88d2da12aa9cf43442d928f296c573a345b3 06-Apr-2017 Martijn Coenen <maco@google.com> Add new classes and types for (hw|vnd)servicemanager.

Bug: 34454312
Bug: 36052864
Test: device boots, works
Change-Id: If61d9b736a74c5944cef4449de4dfbaf78d9ccfa
/system/sepolicy/public/attributes
7c3dbfeb69a345f1aaf545a018e6cbf6dc2c3f61 06-Apr-2017 Alex Klyubin <klyubin@google.com> Merge "Wifi Keystore HAL is not a HAL" into oc-dev
277a20ebecda8f9d12a10c4f8eb52dbf04c30e43 02-Apr-2017 Sandeep Patil <sspatil@google.com> sepolicy: relabel /vendor

The CL splits /vendor labeling from /system. Which was allowing all
processes read, execute access to /vendor.

The following directories will remain world readable:
/vendor/etc
/vendor/lib(64)/hw/

The following are currently world readable, but their scope
will be minimized to platform processes that require access:
/vendor/app
/vendor/framework/
/vendor/overlay

Files labelled with 'same_process_hal_file' are allowed to be
read + executed from by the world. This is for Same process HALs and
their dependencies.

Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803

All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
current location, take pictures and record video in camera,
playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass

Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/public/attributes
9a14704f62488795f896793339ab0d5a62757483 04-Apr-2017 Alex Klyubin <klyubin@google.com> Wifi Keystore HAL is not a HAL

Wifi Keystore HAL is a HwBinder service (currently offered by keystore
daemon) which is used by Wifi Supplicant HAL. This commit thus
switches the SELinux policy of Wifi Keystore HAL to the approach used
for non-HAL HwBinder services.

The basic idea is similar to how we express Binder services in the
policy, with two tweaks: (1) we don't have 'hwservicemanager find' and
thus there's no add_hwservice macro, and (2) we need to loosen the
coupling between core and vendor components. For example, it should be
possible to move a HwBinder service offered by a core component into
another core component, without having to update the SELinux policy of
the vendor image. We thus annotate all components offering HwBinder
service x across the core-vendor boundary with x_server, which enables
the policy of clients to contain rules of the form:
binder_call(mydomain, x_server), and, if the service uses IPC
callbacks, also binder_call(x_server, mydomain).

Test: mmm system/sepolicy
Test: sesearch indicates no changes to binder { call transfer } between
keystore and hal_wifi_supplicant_default domains
Bug: 36896667

Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892
/system/sepolicy/public/attributes
29f273ce6a607df655c9f458d51ca49eb3eda79d 04-Apr-2017 TreeHugger Robot <treehugger-gerrit@google.com> Merge "sepolicy: Add new wifi keystore HAL" into oc-dev
a1c06508986ae12746f6f94ade5facbfbbb8478a 03-Apr-2017 Shubang Lu <shubang@google.com> Merge "Add sepolicy for tv.input" into oc-dev
814edf8c904e65a3b5aa6f8961335806d088cbf2 01-Apr-2017 Jeffrey Vander Stoep <jeffv@google.com> Merge "Ban core components from accessing vendor data types" into oc-dev
50563c03671902c76f03554b317f3fa068509611 30-Mar-2017 Jeff Vander Stoep <jeffv@google.com> Ban core components from accessing vendor data types

Vendor and system components are only allowed to share files by
passing open FDs over HIDL. Ban all directory access and all file
accesses other than what can be applied to an open FD such as
ioctl/stat/read/write/append.

This commit asserts that core components marked with attribute
coredomain may only access core data types marked with attribute
core_data_file_type.

A temporary exemption is granted to domains that currently rely on
access.

(cherry picked from commit cd97e71084b026b201f8d5a0bc08c283f8d673cd)

Bug: 34980020
Test: build Marlin policy
Change-Id: I2f0442f2628fbac1f2f7aa5ddf2a13e16b2546cc
/system/sepolicy/public/attributes
c76e158c2717a386c3a98b1756892ecf9ed30460 30-Mar-2017 Shubang <shubang@google.com> Add sepolicy for tv.input

Test: build, flash; adb shell lshal
Bug: 36562029
Change-Id: If8f6d8dbd99d31e6627fa4b7c1fd4faea3b75cf2
/system/sepolicy/public/attributes
2f6151ea445f9fab01296bf740c6714a371313b0 31-Mar-2017 Alex Klyubin <klyubin@google.com> Tighten restrictions on core <-> vendor socket comms

This further restricts neverallows for sockets which may be exposed as
filesystem nodes. This is achieved by labelling all such sockets
created by core/non-vendor domains using the new coredomain_socket
attribute, and then adding neverallow rules targeting that attribute.

This has no effect on what domains are permitted to do. This only
changes neverallow rules.

Test: mmm system/sepolicy
Bug: 36577153

(cherry picked from commit cf2ffdf0d86f485dfff05a2f13819997bfd462e1)

Change-Id: Iffeee571a2ff61fb9515fa6849d060649636524e
/system/sepolicy/public/attributes
9af7c95f86bf46e2a337d7d851ebb502a192e6a1 29-Mar-2017 Roshan Pius <rpius@google.com> sepolicy: Add new wifi keystore HAL

Moving the wpa_supplicant interaction from the binder keystore service
to the new wifi keystore HAL.

Denials addressed:
03-29 00:04:52.075 734 734 E SELinux : avc: denied { get } for
pid=638 uid=1010 scontext=u:r:hal_wifi_keystore_default:s0
tcontext=u:r:keystore:s0 tclass=keystore_key

Bug: 34603782
Test: Able to connect to wifi passpoint networks. Denials no longer
seen.
Change-Id: I97eb9a4aa9968056a2f1fcc7ce5509ceb62fd41e
/system/sepolicy/public/attributes
4a478c47f464f0f49f8802b3f49d03744450ac15 28-Mar-2017 Jeff Vander Stoep <jeffv@google.com> Ban vendor components access to core data types

Vendor and system components are only allowed to share files by
passing open FDs over HIDL. Ban all directory access and all file
accesses other than what can be applied to an open file:
stat/read/write/append.

This commit marks core data types as core_data_file_type and bans
access to non-core domains with an exemption for apps. A temporary
exemption is also granted to domains that currently rely on
access with TODOs and bug number for each exemption.

Bug: 34980020
Test: Build and boot Marlin. Make phone call, watch youtube video.
No new denials observed.
Change-Id: I320dd30f9f0a5bf2f9bb218776b4bccdb529b197
/system/sepolicy/public/attributes
2746ae6822820ce8d3c74c510203a3a0c6ab543d 25-Mar-2017 Alex Klyubin <klyubin@google.com> Ban socket connections between core and vendor

On PRODUCT_FULL_TREBLE devices, non-vendor domains (coredomain) and
vendor domains are not permitted to connect to each other's sockets.
There are two main exceptions: (1) apps are permitted to talk to other
apps over Unix domain sockets (this is public API in Android
framework), and (2) domains with network access (netdomain) are
permitted to connect to netd.

This commit thus:
* adds neverallow rules restricting socket connection establishment,
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"socket_between_core_and_vendor_violators" attribute. The attribute
is needed because the types corresponding to violators are not
exposed to the public policy where the neverallow rules are.

Test: mmm system/sepolicy
Bug: 36613996
Change-Id: I458f5a09a964b06ad2bddb52538ec3a15758b003
/system/sepolicy/public/attributes
f5446eb1486816c00136b2b5f0a3cc4a01706000 23-Mar-2017 Alex Klyubin <klyubin@google.com> Vendor domains must not use Binder

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
appdomain only, and
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"binder_in_vendor_violators" attribute. The attribute is needed
because the types corresponding to violators are not exposed to the
public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
sound, record slow motion video with sound. Confirm videos play
back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
/system/sepolicy/public/attributes
08d6f566491f476b1d7e68895e455da1566498e2 18-Mar-2017 Alex Klyubin <klyubin@google.com> Switch Allocator HAL policy to _client/_server

This switches Allocator HAL policy to the design which enables us to
identify all SELinux domains which host HALs and all domains which are
clients of HALs.

Allocator HAL is special in the sense that it's assumed to be always
binderized. As a result, rules in Camera HAL target hal_allocator_server
rather than hal_allocator (which would be the server and any client, if
the Allocator HAL runs in passthrough mode).

Test: Device boots up, no new denials
Test: YouTube video plays back
Test: Take photo using Google Camera app, record a video, record a slow
motion video
Bug: 34170079
Change-Id: Ifbbca554ec221712361ee6cda94c82f254d84936
/system/sepolicy/public/attributes
09d13e734d651e8cb92187f477e3cdc485128311 17-Mar-2017 Alex Klyubin <klyubin@google.com> Switch Boot Control HAL policy to _client/_server

This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.

Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.

Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.

P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
1. make dist
2. Ensure device has network connectivity
3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
/system/sepolicy/public/attributes
9e6b24c6a5dc026924b2ab983d6644063585cd9c 17-Mar-2017 Alex Klyubin <klyubin@google.com> Annotate most remaining HALs with _client/_server

This switches most remaining HALs to the _client/_server approach.
To unblock efforts blocked on majority of HALs having to use this
model, this change does not remove unnecessary rules from clients of
these HALs. That work will be performed in follow-up commits. This
commit only adds allow rules and thus does not break existing
functionality.

The HALs not yet on the _client/_server model after this commit are:
* Allocator HAL, because it's non-trivial to declare all apps except
isolated apps as clients of this HAL, which they are.
* Boot HAL, because it's still on the non-attributized model and I'm
waiting for update_engine folks to answer a couple of questions
which will let me refactor the policy of this HAL.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: Device boots in recovery mode, no new denials
Bug: 34170079
Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
/system/sepolicy/public/attributes
41518bec2508c85eb8797980321d3912b4598261 13-Mar-2017 Alex Klyubin <klyubin@google.com> Switch Sensors HAL policy to _client/_server

This switches Sensors HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Sensors HAL.

Domains which are clients of Sensors HAL, such as system_server, are
granted rules targeting hal_sensors only when the Sensors HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_sensors are
not granted to client domains.

Domains which offer a binderized implementation of Sensors HAL, such
as hal_sensors_default domain, are always granted rules targeting
hal_sensors.

P. S. This commit also removes
allow system_server sensors_device:chr_file rw_file_perms
because this is device-specific and thus not needed in device-agnostic
policy. The device-specific policy of the affected devices already has
this rule.

Test: Device boots, no new denials
Test: adb shell dumpsys sensorservice
lists tons of sensors
Test: Proprietary sensors test app indicates that there are sensors
and that the app can register to listen for updates for sensors
and that such updates arrive to the app.
Bug: 34170079
Change-Id: I61bf779070eabcb64ae73724d62b6e837319a668
/system/sepolicy/public/attributes
a976e64d89575fb93b9fb1ca47c6aefc496e91b9 19-Feb-2017 Roshan Pius <rpius@google.com> sepolicy: Make wpa_supplicant a HIDL service

Note: The existing rules allowing socket communication will be removed
once we migrate over to HIDL completely.

(cherry-pick of 2a9595ede2c9a224686e619c2ee5c976dd324ac0)
Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
/system/sepolicy/public/attributes
6237d8b787adc5d685e8ce2eb983182add58aadb 28-Feb-2017 Alex Klyubin <klyubin@google.com> Start locking down access to services from ephemeral apps

This starts with the reduction in the number of services that
ephemeral apps can access. Prior to this commit, ephemeral apps were
permitted to access most of the service_manager services accessible
by conventional apps. This commit reduces this set by removing access
from ephemeral apps to:
* gatekeeper_service,
* sec_key_att_app_id_provider_service,
* wallpaper_service,
* wifiaware_service,
* wifip2p_service,
* wifi_service.

Test: Device boots up fine, Chrome, Play Movies, YouTube, Netflix, work fine.
Bug: 33349998
Change-Id: Ie4ff0a77eaca8c8c91efda198686c93c3a2bc4b3
/system/sepolicy/public/attributes
f7543d27b8371107ed69d9a1900c21954a77b6a4 23-Feb-2017 Alex Klyubin <klyubin@google.com> Switch Keymaster HAL policy to _client/_server

This switches Keymaster HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Keymaster HAL.

Domains which are clients of Keymaster HAL, such as keystore and vold
domains, are granted rules targeting hal_keymaster only when the
Keymaster HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_keymaster are not granted to client domains.

Domains which offer a binderized implementation of Keymaster HAL, such
as hal_keymaster_default domain, are always granted rules targeting
hal_keymaster.

Test: Password-protected sailfish boots up and lock screen unlocks --
this exercises vold -> Keymaster HAL interaction
Test: All Android Keystore CTS tests pass -- this exercises keystore ->
Keymaster HAL interaction:
make cts cts-tradefed
cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check --abi arm64-v8a \
--module CtsKeystoreTestCases
Bug: 34170079

Change-Id: I2254d0fdee72145721654d6c9e6e8d3331920ec7
/system/sepolicy/public/attributes
1d2a1476ae7907ced46ecae750879547ee75c048 23-Feb-2017 Alex Klyubin <klyubin@google.com> Switch Wi-Fi HAL policy to _client/_server

This switches Wi-Fi HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Wi-Fi HAL.

Domains which are clients of Wi-Fi HAL, such as system_server domain,
are granted rules targeting hal_wifi only when the Wi-Fi HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_wifi are
not granted to client domains.

Domains which offer a binderized implementation of Wi-Fi HAL, such as
hal_wifi_default domain, are always granted rules targeting hal_wifi.

Test: Setup Wizard (incl. adding a Google Account) completes fine with
Wi-Fi connectivity only
Test: Toggle Wi-Fi off, on, off, on
Test: Use System UI to see list of WLANs and connect to one which does
not require a password, and to one which requires a PSK
Test: ip6.me loads fine in Chrome over Wi-Fi
Bug: 34170079

Change-Id: I7a216a06727c88b7f2c23d529f67307e83bed17f
/system/sepolicy/public/attributes
47174e3b9f8b4c065d4477114cd9a2ee0c31b98e 22-Feb-2017 Alex Klyubin <klyubin@google.com> Switch Dumpstate HAL policy to _client/_server

This switches Dumpstate HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Dumpstate HAL.

Domains which are clients of Dumpstate HAL, such as dumpstate domain,
are granted rules targeting hal_dumpstate only when the Dumpstate HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_dumpstate are not granted to client domains.

Domains which offer a binderized implementation of Dumpstate HAL, such
as hal_dumpstate_default domain, are always granted rules targeting
hal_dumpstate.

Test: adb bugreport
Test: Take bugreport through system UI
Bug: 34170079
Change-Id: I3e827534af03cdfa876921c5fa4af3a53025ba27
/system/sepolicy/public/attributes
f98650e4abbb3b258a3fab24de83c0e849c0ecb7 22-Feb-2017 Alex Klyubin <klyubin@google.com> Switch Fingerprint HAL policy to _client/_server

This switches Fingerprint HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.

Domains which are clients of Fingerprint HAL, such as system_server
domain, are granted rules targeting hal_fingerprint only when the
Fingerprint HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_fingerprint are not granted to client domains.

Domains which offer a binderized implementation of Fingerprint HAL,
such as hal_fingerprint_default domain, are always granted rules
targeting hal_fingerprint.

NOTE: This commit also removes unnecessary allow rules from
Fingerprint HAL, such as access to servicemanager (not hwservicemanager)
and access to keystore daemon over Binder IPC. Fingerprint HAL does
not use this functionality anyway and shouldn't use it either.

Test: Enable fingerprint + PIN secure lock screen, confirm it unlocks
with fingerprint or PIN
Test: Disable PIN (and thus fingerprint) secure lock screen
Test: make FingerprintDialog, install, make a fake purchase
Test: Add fingerprint_hidl_hal_test to device.mk, build & add to device,
adb shell stop,
adb shell /data/nativetest64/fingerprint_hidl_hal_test/fingerprint_hidl_hal_test -- all tests pass
Bug: 34170079

Change-Id: I6951c0f0640194c743ff7049357c77f5f21b71a1
/system/sepolicy/public/attributes
9b718c409ff75490f3bdb3511e02376d1cc7a94b 17-Feb-2017 Alex Klyubin <klyubin@google.com> Switch DRM HAL policy to _client/_server

This switches DRM HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of DRM HAL.

Domains which are clients of DRM HAL, such as mediadrmserver domain,
are granted rules targeting hal_drm only when the DRM HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting hal_drm
are not granted to client domains.

Domains which offer a binderized implementation of DRM HAL, such as
hal_drm_default domain, are always granted rules targeting hal_drm.

Test: Play movie using Google Play Movies
Test: Play movie using Netflix
Bug: 34170079
Change-Id: I3ab0e84818ccd61e54b90f7ade3509b7dbf86fb9
/system/sepolicy/public/attributes
168435fe0368f60ed693043e63fcb3370a95c8b8 17-Feb-2017 Alex Klyubin <klyubin@google.com> Switch Bluetooth HAL policy to _client/_server

This switches Bluetooth HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.

Domains which are clients of Bluetooth HAL, such as bluetooth domain,
are granted rules targeting hal_bluetooth only when the Bluetooth HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bluetooth are not granted to client domains.

Domains which offer a binderized implementation of Bluetooth HAL, such
as hal_bluetooth_default domain, are always granted rules targeting
hal_bluetooth.

Test: Toggle Bluetooth off and on
Test: Pair with another Android, and transfer a file to that Android
over Bluetooth
Test: Pair with a Bluetooth speaker, play music through that
speaker over Bluetooth
Test: Add bluetooth_hidl_hal_test to device.mk, build & add to device,
adb shell stop,
adb shell /data/nativetest64/bluetooth_hidl_hal_test/bluetooth_hidl_hal_test
Bug: 34170079
Change-Id: I05c3ccf1e98cbbc1450a81bb1000c4fb75eb8a83
/system/sepolicy/public/attributes
3a8426bf890aa77ca2da4a000a298f860b9e530f 17-Feb-2017 Alex Klyubin <klyubin@google.com> Switch Camera HAL policy to _client/_server

This switches Camera HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Camera HAL.

Domains which are clients of Camera HAL, such as cameraserver domain,
are granted rules targeting hal_camera only when the Camera HAL runs
in passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_camera are
not granted to client domains.

Domains which offer a binderized implementation of Camera HAL, such
as hal_camera_default domain, are always granted rules targeting
hal_camera.

Test: Take non-HDR photo using Google Camera app
Test: Take HDR photo using Google Camera app
Test: Record video using Google Camera app
Bug: 34170079
Change-Id: I463646cf79fede57f11ccd4ec2cbc37a4fff141e
/system/sepolicy/public/attributes
ac2b4cd2cb69b9182725e536f395b64db258d4b8 13-Feb-2017 Alex Klyubin <klyubin@google.com> Use _client and _server for Audio HAL policy

This starts the switch for HAL policy to the approach where:
* domains which are clients of Foo HAL are associated with
hal_foo_client attribute,
* domains which offer the Foo HAL service over HwBinder are
associated with hal_foo_server attribute,
* policy needed by the implementation of Foo HAL service is written
against the hal_foo attribute. This policy is granted to domains
which offer the Foo HAL service over HwBinder and, if Foo HAL runs
in the so-called passthrough mode (inside the process of each
client), also granted to all domains which are clients of Foo HAL.
hal_foo is there to avoid duplicating the rules for hal_foo_client
and hal_foo_server to cover the passthrough/in-process Foo HAL and
binderized/out-of-process Foo HAL cases.

A benefit of associating all domains which are clients of Foo HAL with
hal_foo (when Foo HAL is in passthrough mode) is that this removes the
need for device-specific policy to be able to reference these domains
directly (in order to add device-specific allow rules). Instead,
device-specific policy only needs to reference hal_foo and should no
longer need to care which particular domains on the device are clients
of Foo HAL. This can be seen in simplification of the rules for
audioserver domain which is a client of Audio HAL whose policy is
being restructured in this commit.

This commit uses Audio HAL as an example to illustrate the approach.
Once this commit lands, other HALs will also be switched to this
approach.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
/system/sepolicy/public/attributes
bacb6d79360f3591680b215177602dcdc3181bf3 13-Feb-2017 Jeff Vander Stoep <jeffv@google.com> untrusted_app: policy versioning based on targetSdkVersion

Motivation:
Provide the ability to phase in new security policies by
applying them to apps with a minimum targetSdkVersion.

Place untrusted apps with targetSdkVersion<=25 into the
untrusted_app_25 domain. Apps with targetSdkVersion>=26 are placed
into the untrusted_app domain. Common rules are included in the
untrusted_app_all attribute. Apps with a more recent targetSdkVersion
are granted fewer permissions.

Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Bug: 35323421
Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
/system/sepolicy/public/attributes
ebec1aa2b74906e49b388cedb9ab61114b6ac854 19-Jan-2017 Jiyong Park <jiyong@google.com> configstore: add selinux policy for configstore@1.0 hal

This change adds selinux policy for configstore@1.0 hal. Currently, only
surfaceflinger has access to the HAL, but this needs to be widened.

Bug: 34314793
Test: build & run

Merged-In: I40e65032e9898ab5f412bfdb7745b43136d8e964
Change-Id: I40e65032e9898ab5f412bfdb7745b43136d8e964
(cherry picked from commit 5ff0f178ba077594e80d9777bbe7a13d25d2484d)
/system/sepolicy/public/attributes
e8acd7695b96434cde84c8bc16b364d39856857d 28-Jan-2017 Janis Danisevskis <jdanis@google.com> Preliminary policy for hal_keymaster (TREBLE)

This adds the permissions required for
android.hardware.keymaster@2.0-service to access the keymaster TA
as well as for keystore and vold to lookup and use
android.hardware.keymaster@2.0-service.

IT DOES NOT remove the privileges from keystore and vold to access
the keymaster TA directly.

Test: Run keystore CTS tests
Bug: 32020919

(cherry picked from commit 5090d6f3241ffbd96f5a0b24df602bd2559f3cf4)

Change-Id: Ib02682da26e2dbcabd81bc23169f9bd0e832eb19
/system/sepolicy/public/attributes
ae206f162372e5f8ce674c28f0be545098316e37 13-Jan-2017 Badhri Jagan Sridharan <Badhri@google.com> sepolicy for usb hal

Bug: 31015010

cherry-pick from b6e4d4bdf12e8a61414596d3d23c5016ae0d6477

Test: checked for selinux denial msgs in the dmesg logs.
Change-Id: I8285ea05162ea0d75459e873e5c2bad2dbc7e5ba
/system/sepolicy/public/attributes
c86f42b9a75a65e7b4651dd68d919a35dc30cf79 01-Jan-2017 Jeff Tinker <jtinker@google.com> Add sepolicy for drm HALs

Bug: 32815560
Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f
/system/sepolicy/public/attributes
e1ff7e88598b00f798f10f6e951133efa055d5e5 20-Jan-2017 Alex Klyubin <klyubin@google.com> Sort hal_* declarations alphabetically

Test: No change to SELinux policy
Change-Id: I45d6d6ab0538b9d4768b922cfdc2c972272d0b18
/system/sepolicy/public/attributes
9c43a3ff103d36499fdac136d113ed2de5f9cc70 22-Dec-2016 Eino-Ville Talvala <etalvala@google.com> DO NOT MERGE: Camera: Add initial Treble camera HAL sepolicy

- Allow cameraservice to talk to hwbinder, hwservicemanager
- Allow hal_camera to talk to the same interfaces as cameraservice

Test: Compiles, confirmed that cameraservice can call hwservicemanager
Bug: 32991422
Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a
/system/sepolicy/public/attributes
f41d89eb249ca1f9fce41d86852047f924b1714e 11-Jan-2017 Alex Klyubin <klyubin@google.com> Group all HAL impls using haldomain attribute

This marks all HAL domain implementations with the haldomain attribute
so that rules can be written which apply to all HAL implementations.

This follows the pattern used for appdomain, netdomain and
bluetoothdomain.

Test: No change to policy according to sesearch.
Bug: 34180936
Change-Id: I0cfe599b0d49feed36538503c226dfce41eb65f6
/system/sepolicy/public/attributes
54e0e5af8f4f0b4fd46cb1a015af079f6859e638 16-Dec-2016 Jim Miller <jaggies@google.com> New SELinux policy for fingerprint HIDL

Move from fingerprintd to new fingerprint_hal and update SELinux policy.

Test: Boot with no errors related to fingerprint sepolicy
Bug: 33199080
Change-Id: Idfde0cb0530e75e705033042f64f3040f6df22d6
/system/sepolicy/public/attributes
953c439643df097b5aa0dfeb75999e3f1e87f2ff 09-Dec-2016 Hridya Valsaraju <hridya@google.com> add selinux policy for GNSS hal

The following are the avc denials that are addressed:

avc: denied { call } for pid=889 comm="system_server"
scontext=u:r:system_server:s0 tcontext=u:r:hal_gnss_default:s0
tclass=binder permissive=0

avc: denied { call } for scontext=u:r:hal_gnss_default:s0
tcontext=u:r:system_server:s0 tclass=binder permissive=0

avc: denied { read } for name="hw" dev="mmcblk0p43" ino=1837
scontext=u:r:hal_gnss_default:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

avc: denied { open } for path="/system/lib64/hw" dev="mmcblk0p43"
ino=1837 scontext=u:r:hal_gnss_default:s0
tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

Bug: 31974439

Test: Checked that there are no more avc denial messages related to
the GNSS HAL in dmesg.

Change-Id: I5b43dc088017a5568dd8e442726d2bf52e95b1d5
/system/sepolicy/public/attributes
be27f92a3e3a8ece1d5819e3cfd9a4cb2c47c96e 12-Oct-2016 Andre Eisenbach <eisenbach@google.com> Add selinux policy for Bluetooth HAL

Bug: 31972505
Test: VTS test passes, Bluetooth starts/stops
Change-Id: Ic068c9fca7c50e63c5b6e3d86a2ee6cc53207e08
/system/sepolicy/public/attributes
a9ce208680b3a9c1ddcf9bfce886909b66297964 20-Oct-2016 Alexey Polyudov <apolyudov@google.com> gatekeeper HAL service: add security policy

Change-Id: I79a305407c3a362d7be11f4c026f31f1e9666f1c
Signed-off-by: Alexey Polyudov <apolyudov@google.com>
/system/sepolicy/public/attributes
c9d46d4ff27afa05d8c0c26bd949de1a303cc7bc 29-Nov-2016 Ashutosh Joshi <ashutoshj@google.com> Add sepolicy for sensors

Adding sepolicy for sensors.

Test: Sensors work.
Change-Id: Ibbf0c1a22654a17b1573e3761ea9ccd816150255
/system/sepolicy/public/attributes
e8d0bdae215b0818e22d1620c93ad3b5f6bca78b 29-Nov-2016 Ashutosh Joshi <ashutoshj@google.com> Add sepolicy for contexthub HAL

Adding sepolicy for contexthub service.

Test: GTS tests pass.
Change-Id: I2576b8028d12a31151d7b7869679b853eb16c75e
/system/sepolicy/public/attributes
c2b594dbaded51b3ddb814950c12a95b7c945749 08-Dec-2016 Amit Mahajan <amitmahajan@google.com> SEPolicy changes for BT SAP hal.

Test: Verified that WIP telephony and BT SAP CLs work fine with this change
https://android-review.googlesource.com/#/q/topic:%22Basic+radio+service+and+client%22+(status:open+OR+status:merged)
https://android-review.googlesource.com/#/q/topic:%22SAP+HAL%22+(status:open+OR+status:merged)
Bug: 32020264
Change-Id: If15820d43e324d80e35808a292ee811f98d499cc
/system/sepolicy/public/attributes
c82cf89f5fffee907639f89ebb80df5dd5607f31 16-Dec-2016 Sandeep Patil <sspatil@google.com> hal_health: express the sepolicy as attribute

Bug: http://b/32905206

Test: Boot sailfish and no new selinux failures observed in logs

Change-Id: Id9a46180074a61f8cf8d176a7b2ebc995a13b9f9
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/public/attributes
d86a30a273386171a7e58e2411d8a57365af34a3 01-Dec-2016 Steven Moreland <smoreland@google.com> Add hal_dumpstate attribute.

- Also allow dumpstate to talk to hal_dumpstate.

Bug: 31982882
Test: compiles
Change-Id: Ib9cf0027ee7e71fa40b9ccc29fc8dccea6977e5c
/system/sepolicy/public/attributes
29eed9faea88ec3ac27ab17e451d8a29ac85f81d 13-Dec-2016 Steven Moreland <smoreland@google.com> All hal policies expressed as attributes.

Bug: 32123421
Bug: 32905206

Test: compiles, nfc works
Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
/system/sepolicy/public/attributes
a95c52e347618d5f6797e01ad460094a90800a27 06-Dec-2016 Connor O'Brien <connoro@google.com> Add sepolicy for consumerir HIDL HAL

Test: logging confirms service runs on boot
Change-Id: If86fa7daf4a626b3e04fa0d2677d4cb590eb71ce
Signed-off-by: Connor O'Brien <connoro@google.com>
/system/sepolicy/public/attributes
3319d5ee16d6b90f1ce5137e9f650e4c38c975b3 15-Nov-2016 dcashman <dcashman@google.com> Move hal_light to attribute.

HAL policy defines how the platform and a given HAL interact, but not how the
HAL is implemented. This policy should be represented as an attribute that all
processes implementing the HAL can include.

Bug: 32123421
Test: Builds.
Change-Id: I17e5612c0835773c28e14f09e2ce7bdc3f210c15
/system/sepolicy/public/attributes
cc39f637734a8d84bc861b649bfd109290c06401 22-Jul-2016 dcashman <dcashman@google.com> Split general policy into public and private components.

Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
/system/sepolicy/public/attributes