c0f8f2f82a9526be7c7835f2ef9501948fd5b4ed |
|
30-May-2018 |
Jiyong Park <jiyong@google.com> |
add extended_core_property_type The attribute is used to capture system properties added from outside of AOSP (e.g. by OEM), but are not device-specific and thus are used only inside the system partition. Access to the system properties from outside of the system partition is prevented by the neverallow rule. Bug: 80382020 Bug: 78598545 Test: m -j selinux_policy Change-Id: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46
/system/sepolicy/public/attributes
|
cdb1624c27e51ee85b6a4ea6ebd529bd0e07648f |
|
02-May-2018 |
Tom Cherry <tomcherry@google.com> |
neverallow coredomain from writing vendor properties System properties can be abused to get around Treble requirements of having a clean system/vendor split. This CL seeks to prevent that by neverallowing coredomain from writing vendor properties. Bug: 78598545 Test: build 2017/2018 Pixels Test: build aosp_arm64 Change-Id: I5e06894150ba121624d753228e550ba9b81f7677
/system/sepolicy/public/attributes
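The two entries above (extended_core_property_type, and the neverallow on vendor properties) describe the property boundary in prose only. The fragment below is an added illustration written for this page; it is not text from either change or from the AOSP attributes file. `coredomain`, `domain`, `property_type`, `core_property_type`, `extended_core_property_type` and `vendor_property_type` are the attribute names the entries refer to, and `set_prop`/`get_prop` are AOSP te_macros of that period; `oem_example_prop`, `vendor_example_prop`, `oem_example_daemon` and `hal_example_default` are hypothetical names, and the exact permission sets in the neverallow rules are simplified.

```sepolicy
# Added example (not the AOSP attributes file): property types grouped by
# attribute, and the neverallow rules that keep the system and vendor
# property namespaces apart.

# Attributes, as declared in public/attributes.
attribute core_property_type;            # AOSP system properties
attribute extended_core_property_type;   # OEM-added, still system-only
attribute vendor_property_type;          # owned by the vendor partition

# Property types. Names are hypothetical.
type oem_example_prop, property_type, extended_core_property_type;
type vendor_example_prop, property_type, vendor_property_type;

# A hypothetical system daemon that owns the OEM-added system property.
type oem_example_daemon, domain, coredomain;
set_prop(oem_example_daemon, oem_example_prop)

# A hypothetical vendor HAL process that owns the vendor property.
type hal_example_default, domain;
set_prop(hal_example_default, vendor_example_prop)

# Treble boundary from the 02-May-2018 entry: no system-side (coredomain)
# process may write a vendor property. Properties are otherwise an easy
# side channel around the system/vendor split.
neverallow coredomain vendor_property_type:property_service set;

# Boundary from the 30-May-2018 entry: OEM-added system properties are
# not visible outside the system partition (permission set simplified).
neverallow { domain -coredomain } extended_core_property_type:file read;

# Either of these lines would make the policy build fail, which is the
# intended way to catch a violation before it reaches a device:
#   set_prop(oem_example_daemon, vendor_example_prop)
#   get_prop(hal_example_default, oem_example_prop)
```

A practitioner checking a built policy for this boundary would look for any `set` grant from a coredomain member on a `vendor_property_type` member; the build-time neverallow check does exactly that, so the rules above are only useful if they live in public policy where vendor-side additions are also checked against them.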
|
4cafae77a4ac9e9b34410714787b68523dcd5345 |
|
04-May-2018 |
Pavel Maltsev <pavelm@google.com> |
Allow to use sockets from hal server for auto Add an exemption to neverallow rule to use sockets from HAL servers only for automotive build Bug: 78901167 Test: assign this attribute to hal_vehicle_default and try to open socket from HAL implementation Test: verify that new CTS test will fail for non-automotive build with this attribute being used Test: make cts && cts-tradefed run singleCommand cts --skip-device-info --skip-preconditions --abi arm64-v8a --module CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest Change-Id: I27976443dad4fc5b7425c089512cac65bb54d6d9
/system/sepolicy/public/attributes
|
d8d7a3f7cccba9ab7dc345f68eb99b905808bff3 |
|
03-May-2018 |
android-build-team Robot <android-build-team-robot@google.com> |
Merge "Never expand proc_type attribute" into pi-dev
|
db6218417c6ceb8ee61f6d1e7cc0410f2c516e95 |
|
01-May-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Never expand proc_type attribute It's used in build-time tests and in CTS. Bug: 78898770 Test: build user-build Change-Id: I254bf4d7ed0c0cb029b55110ceec982b84e4a91b (cherry picked from commit beeb122405070a5b4cee326a0cdae92a1a791fbc)
/system/sepolicy/public/attributes
|
394dbe34a0dc7519acb9948175ba63ee18bedbed |
|
10-Apr-2018 |
Pavel Maltsev <pavelm@google.com> |
Move automotive HALs sepolicy to system/ Bug: 70637118 Test: build, flash and boot bat_land and owl automotive builds Change-Id: I6db23258de30174d6db09d241e91b08aa5afedef
/system/sepolicy/public/attributes
|
62e6850a2be1954148e5282cb773ea22cca4b214 |
|
16-Feb-2018 |
Tri Vo <trong@google.com> |
proc_type attribute for files under /proc. With this attribute it will be easier to reference /proc files. Bug: 74182216 Test: policy builds Change-Id: I5b7da508d821e45f122832261a742a201e8fdf2c (cherry picked from commit 41bf08e592fd3ef8e3dcc9a9eccc99e6a7753e8a)
/system/sepolicy/public/attributes
|
325aec5c3fc49975eccddae2c2c58e0386c357cf |
|
07-Feb-2018 |
Tri Vo <trong@google.com> |
Merge changes from topic "27_mapping" am: 4e9b1c6bf6 am: dc357d0c7e am: 4d4daa3f9e Change-Id: Ic96937efe156d8338f121981afaf4281e62542cd
|
284a18ae52678daa1134f140598e40531b1bd63f |
|
01-Feb-2018 |
Tri Vo <trong@google.com> |
Temporary fix to avoid expandattribute value conflicts. Bug: 69390067 Bug: 72757373 Test: build sepolicy Change-Id: I44aeb547ff7ab7042eddfa780df8cbb7dcec71b4
/system/sepolicy/public/attributes
|
64f35fa01eec7c63f176084af66906249d21ab60 |
|
10-Jan-2018 |
Andrew Scull <ascull@google.com> |
authsecret HAL policies. Bug: 71527305 Test: compile and boot Change-Id: I91097bd62d99b8dd9eb6f53060badbaf0f4b8b4a (cherry picked from commit 1aedf4b5f8bdc391c61a22d01278de70c26eb9e8)
/system/sepolicy/public/attributes
|
ccf965e9ca37b4bf063c9c573cb4900d70d9025c |
|
24-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Test that /data is properly labeled Data outside of /data/vendor should have the core_data_file_type. Exempt data_between_core_and_vendor for some types. Ensure core_data_file_type and coredomain_socket do not get expanded to their underlying types. Test: build sepolicy for all targets in master (this is a build time test) Bug: 34980020 Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a (cherry picked from commit bdd454792d52719f3b8b1fe8c3fd08cb13a393f1)
/system/sepolicy/public/attributes
|
1c57b81c1ecbf02297638356adbed0d586a3f2a2 |
|
30-Jan-2018 |
Ruchi Kandoi <kandoiruchi@google.com> |
Merge "SE Policy for Secure Element app and Secure Element HAL" am: 6a60cb3e69 am: f285f2db4b am: 4757882300 Change-Id: I36147d7f0359cef7f80ee36086150936bed2e672
|
8a2b4a783e5c9f4a342b7b0923fa1089842566e5 |
|
04-Jan-2018 |
Ruchi Kandoi <kandoiruchi@google.com> |
SE Policy for Secure Element app and Secure Element HAL Test: App startup on boot Change-Id: I7740aafc088aadf676328e3f1bb8db5175d97102
/system/sepolicy/public/attributes
|
77a2d71fc2694ca2f914c93bb532e1193a0f8b22 |
|
25-Jan-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Test that /data is properly labeled"
|
f5ea7ab181165e920ec65cc35580a555fdfd2399 |
|
24-Jan-2018 |
Janis Danisevskis <jdanis@google.com> |
Added default policy for Confirmation UI HAL am: 97c56bdd78 am: 5029fe7236 am: a2f243dc35 Change-Id: I670465743596b35c37a4ca591e5a8f4848222bb9
|
97c56bdd78629cb3a57acdbd27d977f1cc6eed4b |
|
09-Jan-2018 |
Janis Danisevskis <jdanis@google.com> |
Added default policy for Confirmation UI HAL Bug: 63928580 Test: Manually tested. Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53
/system/sepolicy/public/attributes
|
bdd454792d52719f3b8b1fe8c3fd08cb13a393f1 |
|
24-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Test that /data is properly labeled Data outside of /data/vendor should have the core_data_file_type. Exempt data_between_core_and_vendor for some types. Ensure core_data_file_type and coredomain_socket do not get expanded to their underlying types. Test: build sepolicy for all targets in master (this is a build time test) Bug: 34980020 Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a
/system/sepolicy/public/attributes
|
8d11ef5a370d7c4dc7624daec54c19c67b2f1dae |
|
23-Jan-2018 |
Andrew Scull <ascull@google.com> |
Merge "authsecret HAL policies."
|
7bee33e665af49747e45de5440b9de454da1ba86 |
|
08-Jan-2018 |
Badhri Jagan Sridharan <Badhri@google.com> |
hal_usb_gadget sepolicy Bug: 63669128 Test: Checked for avc denial messages. Change-Id: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda Merged-In: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
/system/sepolicy/public/attributes
|
9b0788945221ab99817b7e883e7b7be1fe8c9940 |
|
08-Jan-2018 |
Badhri Jagan Sridharan <Badhri@google.com> |
hal_usb_gadget sepolicy Bug: 63669128 Test: Checked for avc denial messages. Change-Id: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
/system/sepolicy/public/attributes
|
2724e81c9ea6adbd7e92009fcc53c1cbe133b2b0 |
|
18-Jan-2018 |
Roshan Pius <rpius@google.com> |
Merge "sepolicy(hostapd): Add a HIDL interface for hostapd"
|
282dbf7bbbe1d5541c769038e2800ee9dd3eda21 |
|
21-Dec-2017 |
Tri Vo <trong@google.com> |
Introduce system_executes_vendor_violators attribute. We use this attribute to annotate coredomains that execute vendor code in a Treble-violating way. Bug: 62041836 Test: sepolicy builds Change-Id: Ie6052209b3901eaad8496b8fc9681421d7ee3c1c
/system/sepolicy/public/attributes
|
5bca3e860d34b3aff070a38bfd39caa74cade443 |
|
23-Dec-2017 |
Roshan Pius <rpius@google.com> |
sepolicy(hostapd): Add a HIDL interface for hostapd Change sepolicy permissions to now classify hostapd as a HAL exposing HIDL interface. Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd: 12-27 23:40:55.913 4952 4952 W hostapd : type=1400 audit(0.0:19): avc: denied { write } for name="hostapd" dev="sda13" ino=4587601 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0 01-02 19:07:16.938 5791 5791 W hostapd : type=1400 audit(0.0:31): avc: denied { search } for name="net" dev="sysfs" ino=30521 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0 Bug: 36646171 Test: Device boots up and able to turn on SoftAp. Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
/system/sepolicy/public/attributes
|
d2315bdf6a9f08a725125bc7e0e78e48332c537b |
|
12-Jan-2018 |
Tri Vo <trong@google.com> |
Revert "Coredomain can't execute vendor code." This reverts commit 07dd2c9e89ec6b588a1842a3d1ef0a305e175257. Reason for revert: albacore build broken Change-Id: I551b1d8c008f01fb815e42b59d397feb9672b8e6
/system/sepolicy/public/attributes
|
07dd2c9e89ec6b588a1842a3d1ef0a305e175257 |
|
21-Dec-2017 |
Tri Vo <trong@google.com> |
Coredomain can't execute vendor code. Bug: 62041836 Test: sepolicy builds Change-Id: Ie6052209b3901eaad8496b8fc9681421d7ee3c1c
/system/sepolicy/public/attributes
|
1aedf4b5f8bdc391c61a22d01278de70c26eb9e8 |
|
10-Jan-2018 |
Andrew Scull <ascull@google.com> |
authsecret HAL policies. Bug: 71527305 Test: compile and boot Change-Id: I91097bd62d99b8dd9eb6f53060badbaf0f4b8b4a
/system/sepolicy/public/attributes
|
2ae575b08018bcdddaa0ca44ef14f484fd360c53 |
|
17-Oct-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Start tracking platform/vendor data access violations As part of Treble, enforce that the communication between platform and vendor components use the official hw binder APIs. Prevent sharing of data by file path. Platform and vendor components may share files, but only via FD passed over hw binder. This change adds the violators attribute that will be used to mark violating domains that need to be fixed. Bug: 34980020 Test: build Change-Id: Id9acfbbc86bfd6fd0633b8164a37ce94d25ffa2c
/system/sepolicy/public/attributes
|
91d398d802b4fbd33c2b88da9f56ecee8bdc363c |
|
26-Sep-2017 |
Dan Cashman <dcashman@google.com> |
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
/system/sepolicy/public/attributes
|
26ff5eb6b9dadf9d217a21d3d63498e9967c5df4 |
|
08-Aug-2017 |
Tomasz Wasilczyk <twasilczyk@google.com> |
Move Broadcast Radio HAL to a separate binary. Bug: 63600413 Test: VTS, instrumentation, audit2allow Test: after cherry-pick - it builds Change-Id: I57c0150a52c13f1ce21f9ae2147e3814aad0fb7e (cherry picked from commit 567b947d85a353af56799c4e48583adfa7ff4e0d)
/system/sepolicy/public/attributes
|
3e307a4de570a64437e3071ae398ed291ba82098 |
|
21-Jun-2017 |
Dan Cashman <dcashman@google.com> |
Remove neverallow preventing hwservice access for apps. Same-process HALs are forbidden except for very specific HALs that have been provided and whitelisted by AOSP. As a result, a vendor extension HAL may have a need to be accessed by untrusted_app. This is still discouraged, and the existing AOSP hwservices are still forbidden, but remove the blanket prohibition. Also indicate that this is temporary, and that partners should expect to get exceptions to the rule into AOSP in the future. Bug: 62806062 Test: neverallow-only change builds. Verify new attribute is in policy. Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832
/system/sepolicy/public/attributes
|
c67fa9bfb4dfa5d183fc13339fc3e037abde6587 |
|
22-May-2017 |
pkanwar <pkanwar@google.com> |
SE Policy for Tether Offload HAL Update SE Policy to allow calls to and callbacks for the Tether Offload HAL HIDL binderized service. Bug: 38417260 Test: New functionality. So we don't have any tests. Change-Id: I2c95b290523c55c081afa1bca091f368559c9125 (cherry picked from commit 722249b3e83dba446a93ace95d211f874c424737)
/system/sepolicy/public/attributes
|
325bf7259227b15a6b356051d90d5a89ad739a4d |
|
01-Mar-2017 |
Sohani Rao <sohanirao@google.com> |
SE Policy for Wifi Offload HAL Update SE Policy to allow calls to and callbacks from Wifi Offload HAL HIDL binderized service. Combined cherry pick from d56aa1982d15acfc2408271138dac43f1e5dc987 and 66e27bf502246c8e8870b7b3e2573a8c87e89fe1 Bug: 32842314 Test: Unit tests, Manual test to ensure Wifi can be brought up and connected to an AP, ensure that Offload HAL service is running and that wificond can get the service handle by calling hwservicemanager. Change-Id: I0fc51a4152f1891c8d88967e75d45ded115e766e
/system/sepolicy/public/attributes
|
e8ab0020ba58978e8d7f8b1b77ae36da1f3bffa0 |
|
17-May-2017 |
Steven Moreland <smoreland@google.com> |
Add fwk_display_hwservice. This hidl service provides information about vsync and hotplug to vendor services which is required by at least some camera hal implementations. Test: VtsFwkDisplayServiceV1_0TargetTest Test: no denials Bug: 38311538 Change-Id: I64f0321e2832facf987057f0d48940e269d8e2d9
/system/sepolicy/public/attributes
|
02a101a6950c372fbd49e35ce25286f360c18b1b |
|
16-May-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Move domain_deprecated into private policy" into oc-dev
|
21e6ab1230acb4b7b58a449a378cc31b6fe72a79 |
|
16-May-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "SELinux policies for Weaver HAL." into oc-dev
|
f2760f794db7e9f72f2fee490041ee9cf95bd69b |
|
16-May-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "SELinux policies for the OEM lock HAL." into oc-dev
|
76aab82cb3a7560d3d78f93c7f2d00ed381192c4 |
|
15-May-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Move domain_deprecated into private policy This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
/system/sepolicy/public/attributes
|
3c90eaf2095858798b68dd68953f8d550d90905c |
|
12-May-2017 |
Andrew Scull <ascull@google.com> |
SELinux policies for Weaver HAL. Bug: 35628284 Change-Id: I08877ac117212325b1259f7d90a4c0cb1dac2d9f Fix: 38233550 Test: Build and boot Merged-In: I4cdacb601e0eea1f5f0e721c568c7ee04298704f
/system/sepolicy/public/attributes
|
0e9b22078bf3c49e61fd887cf86d081d4681d9e0 |
|
12-May-2017 |
Andrew Scull <ascull@google.com> |
SELinux policies for the OEM lock HAL. Bug: 34766843 Change-Id: I5be615d818ecf999fec6514ce9b89ff6a7f13cd6 Fix: 38232801 Test: Build and boot Merged-In: Ice78aedfdbe82477a84252499a76dad37887fe6b
/system/sepolicy/public/attributes
|
2dd9ae33f7827dd372c2c698f1aec457e5be8a9e |
|
24-Apr-2017 |
Luke Song <songwalker@google.com> |
Move sensord sepolicy Sensord move in ag/2106763 should be accompanied by corresponding sepolicy move of sensord-related files/declarations. Bug: 36996994 Test: Sailfish build shows no related permission errors Change-Id: Ibe41b363f7ca2752b5d3e0961298985cf784663d
/system/sepolicy/public/attributes
|
41daa7f859be06a49e4770a1f1d33b0d3070fa5a |
|
01-May-2017 |
Alex Vakulenko <avakulenko@google.com> |
SELinux policies for PDX services Specify per-service rules for PDX transport. Now being able to grant permissions to individual services provided by processes, not all services of a process. Also tighter control over which permissions are required for client and server for individual components of IPC (endpoints, channels, etc). Bug: 37646189 Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
/system/sepolicy/public/attributes
|
2a7f4fb069a574fb9bd34acbf27ba86cd804005b |
|
22-Apr-2017 |
Alex Klyubin <klyubin@google.com> |
Assert apps can access only approved HwBinder services

App domains which host arbitrary code must not have access to arbitrary HwBinder services. Such access unnecessarily increases the attack surface. The reason is twofold:

1. HwBinder servers do not perform client authentication because HIDL currently does not expose caller UID information and, even if it did, many HwBinder services either operate at a layer below that of apps (e.g., HALs) or must not rely on app identity for authorization. Thus, to be safe, the default assumption is that a HwBinder service treats all its clients as equally authorized to perform operations offered by the service.

2. HAL servers (a subset of HwBinder services) contain code with higher incidence rate of security issues than system/core components and have access to lower layers of the stack (all the way down to hardware) thus increasing opportunities for bypassing the Android security model.

HwBinder services offered by core components (as opposed to vendor components) are considered safer because of point #2 above. Always same-process aka always-passthrough HwBinder services are considered safe for access by these apps. This is because these HALs by definition do not offer any additional access beyond what its client already has, because these services run in the process of the client.

This commit thus introduces these two categories of HwBinder services in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
/system/sepolicy/public/attributes
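The entry above gives the reasoning for the rule but not its shape, and the 21-Jun-2017 entry earlier on this page describes the later exemption for vendor extension HALs. The fragment below is an added illustration written for this page, not the policy text of either change. `appdomain`, `untrusted_app` and `hwservice_manager_type` are existing AOSP names; `coredomain_hwservice`, `same_process_hwservice` and `untrusted_app_visible_hwservice` are the names assumed here for the two safe categories and the temporary exemption attribute; `example_core_hwservice`, `example_sp_hwservice`, `example_vendor_hwservice` and `example_oem_ext_hwservice` are hypothetical service types.

```sepolicy
# Added example (not from the listed changes): which HwBinder services an
# app domain is allowed to look up in hwservicemanager.

# Every HwBinder service name is labelled with a type carrying
# hwservice_manager_type (the class/type set from the 06-Apr-2017 entry).
attribute hwservice_manager_type;

# The two categories the 22-Apr-2017 entry treats as safe for apps:
# services offered by core components, and always-passthrough HALs
# (which run inside the caller and so grant nothing the caller lacks).
attribute coredomain_hwservice;
attribute same_process_hwservice;

# Temporary escape hatch from the 21-Jun-2017 entry for vendor extension
# HALs that an untrusted app genuinely needs. Attribute name assumed.
attribute untrusted_app_visible_hwservice;

# Hypothetical service types.
type example_core_hwservice, hwservice_manager_type, coredomain_hwservice;
type example_sp_hwservice, hwservice_manager_type, same_process_hwservice;
type example_oem_ext_hwservice, hwservice_manager_type, untrusted_app_visible_hwservice;
type example_vendor_hwservice, hwservice_manager_type;   # ordinary binderized vendor HAL

# Lookups that the policy accepts.
allow appdomain example_core_hwservice:hwservice_manager find;
allow appdomain example_sp_hwservice:hwservice_manager find;
allow untrusted_app example_oem_ext_hwservice:hwservice_manager find;

# The assertion: apps may not discover any HwBinder service outside the
# listed categories. This is checked at policy build time and by CTS.
neverallow appdomain {
  hwservice_manager_type
  -coredomain_hwservice
  -same_process_hwservice
  -untrusted_app_visible_hwservice
}:hwservice_manager find;

# This grant would fail the build, because a HAL running in its own
# process does not authenticate its callers and sits close to hardware:
#   allow untrusted_app example_vendor_hwservice:hwservice_manager find;
```

Note that `find` is the gate: without the service handle an app cannot reach the server's `binder_call` surface at all, so the neverallow over `hwservice_manager find` is the cheapest single place to express "apps only talk to approved HwBinder services".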
|
b99676eece98d8fa732dc64dabca4dd2cbbbcac5 |
|
15-Apr-2017 |
Sandeep Patil <sspatil@google.com> |
Add vendor_executes_system_violators attribute Temporary attribute (checked against in CTS) to point out vendor processes that run /system executables. These are currently only down to 2-3 of them that are related to telephony on sailfish Bug: 36463595 Test: Build succeeds for sailfish Test: ./cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoExemptionsForVendorExecutingCore --skip-device-info --skip-preconditions --skip-connectivity-check --abi arm64-v8a Change-Id: I9eb40ad259aefba73869d6a1b40186d33fa475dd Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/public/attributes
|
20c2d4e98c2cbe01133665e7292fcd1e295bbd4f |
|
13-Apr-2017 |
Alex Klyubin <klyubin@google.com> |
Remove unnecessary attributes Test: mmm system/sepolicy Bug: 34980020 (cherry picked from commit 3cc6a95944529aa1700b120206c6d0fb0b0b85e3) Change-Id: I64c7275551e8e27d68072e8ec38c07b539989da0
/system/sepolicy/public/attributes
|
976fb16bc14dfefe12f56e23a677dce99a091b14 |
|
12-Apr-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add sepolicy for tv.cec" into oc-dev
|
f81dd0c57886815b384fe209bdfa70f7b786957a |
|
05-Apr-2017 |
Donghyun Cho <donghyun@google.com> |
Add sepolicy for tv.cec Bug: 36562029 Test: m -j40 and CEC functionality works well Change-Id: I5a693e65abdd5139a848d939149a475056cc41e8
/system/sepolicy/public/attributes
|
bc6d88d2da12aa9cf43442d928f296c573a345b3 |
|
06-Apr-2017 |
Martijn Coenen <maco@google.com> |
Add new classes and types for (hw|vnd)servicemanager. Bug: 34454312 Bug: 36052864 Test: device boots, works Change-Id: If61d9b736a74c5944cef4449de4dfbaf78d9ccfa
/system/sepolicy/public/attributes
|
7c3dbfeb69a345f1aaf545a018e6cbf6dc2c3f61 |
|
06-Apr-2017 |
Alex Klyubin <klyubin@google.com> |
Merge "Wifi Keystore HAL is not a HAL" into oc-dev
|
277a20ebecda8f9d12a10c4f8eb52dbf04c30e43 |
|
02-Apr-2017 |
Sandeep Patil <sspatil@google.com> |
sepolicy: relabel /vendor The CL splits /vendor labeling from /system. Which was allowing all processes read, execute access to /vendor. Following directories will remain world readable /vendor/etc /vendor/lib(64)/hw/ Following are currently world readable but their scope will be minimized to platform processes that require access /vendor/app /vendor/framework/ /vendor/overlay Files labelled with 'same_process_hal_file' are allowed to be read + executed from by the world. This is for Same process HALs and their dependencies. Bug: 36527360 Bug: 36832490 Bug: 36681210 Bug: 36680116 Bug: 36690845 Bug: 36697328 Bug: 36696623 Bug: 36806861 Bug: 36656392 Bug: 36696623 Bug: 36792803 All of the tests were done on sailfish, angler, bullhead, dragon Test: Boot and connect to wifi Test: Run chrome and load websites, play video in youtube, load maps w/ current location, take pictures and record video in camera, playback recorded video. Test: Connect to BT headset and ensure BT audio playback works. Test: OTA sideload using recovery Test: CTS SELinuxHostTest pass Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029 Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/public/attributes
|
9a14704f62488795f896793339ab0d5a62757483 |
|
04-Apr-2017 |
Alex Klyubin <klyubin@google.com> |
Wifi Keystore HAL is not a HAL Wifi Keystore HAL is a HwBinder service (currently offered by keystore daemon) which is used by Wifi Supplicant HAL. This commit thus switches the SELinux policy of Wifi Keystore HAL to the approach used for non-HAL HwBinder services. The basic idea is similar to how we express Binder services in the policy, with two tweaks: (1) we don't have 'hwservicemanager find' and thus there's no add_hwservice macro, and (2) we need loosen the coupling between core and vendor components. For example, it should be possible to move a HwBinder service offered by a core component into another core component, without having to update the SELinux policy of the vendor image. We thus annotate all components offering HwBinder service x across the core-vendor boundary with x_server, which enables the policy of clients to contain rules of the form: binder_call(mydomain, x_server), and, if the service uses IPC callbacks, also binder_call(x_server, mydomain). Test: mmm system/sepolicy Test: sesearch indicates no changes to binder { call transfer} between keystore and hal_wifi_supplicant_default domains Bug: 36896667 Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892
/system/sepolicy/public/attributes
|
29f273ce6a607df655c9f458d51ca49eb3eda79d |
|
04-Apr-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "sepolicy: Add new wifi keystore HAL" into oc-dev
|
a1c06508986ae12746f6f94ade5facbfbbb8478a |
|
03-Apr-2017 |
Shubang Lu <shubang@google.com> |
Merge "Add sepolicy for tv.input" into oc-dev
|
814edf8c904e65a3b5aa6f8961335806d088cbf2 |
|
01-Apr-2017 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Ban core components from accessing vendor data types" into oc-dev
|
50563c03671902c76f03554b317f3fa068509611 |
|
30-Mar-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Ban core components from accessing vendor data types Vendor and system components are only allowed to share files by passing open FDs over HIDL. Ban all directory access and all file accesses other than what can be applied to an open FD such as ioctl/stat/read/write/append. This commit asserts that core components marked with attribute coredomain may only access core data types marked with attribute core_data_file_type. A temporary exemption is granted to domains that currently rely on access. (cherry picked from commit cd97e71084b026b201f8d5a0bc08c283f8d673cd) Bug: 34980020 Test: build Marlin policy Change-Id: I2f0442f2628fbac1f2f7aa5ddf2a13e16b2546cc
/system/sepolicy/public/attributes
|
c76e158c2717a386c3a98b1756892ecf9ed30460 |
|
30-Mar-2017 |
Shubang <shubang@google.com> |
Add sepolicy for tv.input Test: build, flash; adb shell lshal Bug: 36562029 Change-Id: If8f6d8dbd99d31e6627fa4b7c1fd4faea3b75cf2
/system/sepolicy/public/attributes
|
2f6151ea445f9fab01296bf740c6714a371313b0 |
|
31-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Tighten restrictions on core <-> vendor socket comms This further restricts neverallows for sockets which may be exposed as filesystem nodes. This is achieved by labelling all such sockets created by core/non-vendor domains using the new coredomain_socket attribute, and then adding neverallow rules targeting that attribute. This has no effect on what domains are permitted to do. This only changes neverallow rules. Test: mmm system/sepolicy Bug: 36577153 (cherry picked from commit cf2ffdf0d86f485dfff05a2f13819997bfd462e1) Change-Id: Iffeee571a2ff61fb9515fa6849d060649649636524e
/system/sepolicy/public/attributes
|
9af7c95f86bf46e2a337d7d851ebb502a192e6a1 |
|
29-Mar-2017 |
Roshan Pius <rpius@google.com> |
sepolicy: Add new wifi keystore HAL Moving the wpa_supplicant interaction from the binder keystore service to the new wifi keystore HAL. Denials addressed: 03-29 00:04:52.075 734 734 E SELinux : avc: denied { get } for pid=638 uid=1010 scontext=u:r:hal_wifi_keystore_default:s0 tcontext=u:r:keystore:s0 tclass=keystore_key Bug: 34603782 Test: Able to connect to wifi passpoint networks. Denials no longer seen. Change-Id: I97eb9a4aa9968056a2f1fcc7ce5509ceb62fd41e
/system/sepolicy/public/attributes
|
4a478c47f464f0f49f8802b3f49d03744450ac15 |
|
28-Mar-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Ban vendor components access to core data types Vendor and system components are only allowed to share files by passing open FDs over HIDL. Ban all directory access and all file accesses other than what can be applied to an open file: stat/read/write/append. This commit marks core data types as core_data_file_type and bans access to non-core domains with an exemption for apps. A temporary exemption is also granted to domains that currently rely on access with TODOs and bug number for each exemption. Bug: 34980020 Test: Build and boot Marlin. Make phone call, watch youtube video. No new denials observed. Change-Id: I320dd30f9f0a5bf2f9bb218776b4bccdb529b197
/system/sepolicy/public/attributes
|
2746ae6822820ce8d3c74c510203a3a0c6ab543d |
|
25-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Ban socket connections between core and vendor On PRODUCT_FULL_TREBLE devices, non-vendor domains (coredomain) and vendor domain are not permitted to connect to each other's sockets. There are two main exceptions: (1) apps are permitted to talk to other apps over Unix domain sockets (this is public API in Android framework), and (2) domains with network access (netdomain) are permitted to connect to netd. This commit thus: * adds neverallow rules restricting socket connection establishment, * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "socket_between_core_and_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Bug: 36613996 Change-Id: I458f5a09a964b06ad2bddb52538ec3a15758b003
/system/sepolicy/public/attributes
|
f5446eb1486816c00136b2b5f0a3cc4a01706000 |
|
23-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
/system/sepolicy/public/attributes
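The coredomain entry above, together with the socket (25-Mar-2017, 31-Mar-2017), data (28-Mar-2017, 30-Mar-2017, 17-Oct-2017) and expandattribute (24-Jan-2018, 01-May-2018) entries earlier on this page, all use one pattern: a public attribute that the neverallow can name, and a `*_violators` attribute through which private policy grants temporary exemptions. The fragment below is an added illustration written for this page, not the AOSP attributes or domain.te text. The attribute names are the ones the entries mention; `legacy_vendor_daemon` is hypothetical and the neverallow bodies are simplified to show the shape, not the exact AOSP permission sets.

```sepolicy
# Added example (not the AOSP files): the coredomain / *_violators pattern
# behind the Treble neverallow rules listed on this page.

### public/attributes: exported to vendor policy, so neverallows can use them.
attribute coredomain;                         # every non-vendor domain
attribute core_data_file_type;                # /data outside /data/vendor
attribute coredomain_socket;                  # socket files created by coredomain
attribute binder_in_vendor_violators;         # temporary exemption lists
attribute socket_between_core_and_vendor_violators;
attribute data_between_core_and_vendor_violators;

# Attributes that build-time tests or CTS look up by name must not be
# expanded away into their member types (24-Jan-2018 and 01-May-2018
# entries); otherwise the name is absent from the compiled policy and the
# test has nothing to query.
expandattribute core_data_file_type false;
expandattribute coredomain_socket false;

### public/domain.te-style assertions (simplified).
# Binder IPC is for core and app domains only (23-Mar-2017 entry).
neverallow { domain -coredomain -appdomain -binder_in_vendor_violators } *:binder call;

# No socket connections across the core/vendor line, apps excepted
# (25-Mar-2017 entry; the netdomain -> netd exception is omitted here).
neverallow { coredomain -appdomain -socket_between_core_and_vendor_violators }
  { domain -coredomain -appdomain }:unix_stream_socket connectto;

# Core domains may touch vendor data only through an FD passed over
# HwBinder: no directory access, and only what works on an open file
# (28-Mar-2017 and 30-Mar-2017 entries).
neverallow { coredomain -data_between_core_and_vendor_violators }
  { data_file_type -core_data_file_type }:dir *;
neverallow { coredomain -data_between_core_and_vendor_violators }
  { data_file_type -core_data_file_type }:file ~{ ioctl getattr read write append };

### private/<domain>.te: the violating type is not exported to vendor
# policy, so the exemption is expressed by attaching it to the public
# attribute. Domain name hypothetical.
type legacy_vendor_daemon, domain;
typeattribute legacy_vendor_daemon binder_in_vendor_violators;
# TODO: remove once legacy_vendor_daemon is migrated to HwBinder.
```

The indirection matters because the neverallow rules live in public policy while the violating types live in private policy; without the public `*_violators` attribute there would be no way to carve out the exemption without also exporting the offending type to every vendor policy build.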
|
08d6f566491f476b1d7e68895e455da1566498e2 |
|
18-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Switch Allocator HAL policy to _client/_server This switches Allocator HAL policy to the design which enables us to identify all SELinux domains which host HALs and all domains which are clients of HALs. Allocator HAL is special in the sense that it's assumed to be always binderized. As a result, rules in Camera HAL target hal_allocator_server rather than hal_allocator (which would be the server and any client, if the Allocator HAL runs in passthrough mode). Test: Device boots up, no new denials Test: YouTube video plays back Test: Take photo using Google Camera app, record a video, record a slow motion video Bug: 34170079 Change-Id: Ifbbca554ec221712361ee6cda94c82f254d84936
/system/sepolicy/public/attributes
|
09d13e734d651e8cb92187f477e3cdc485128311 |
|
17-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Switch Boot Control HAL policy to _client/_server This switches Boot Control HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Boot Control HAL. Domains which are clients of Boot Control HAL, such as update_server, are granted rules targeting hal_bootctl only when the Boot Control HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_bootctl are not granted to client domains. Domains which offer a binderized implementation of Boot Control HAL, such as hal_bootctl_default domain, are always granted rules targeting hal_bootctl. P. S. This commit removes direct access to Boot Control HAL from system_server because system_server is not a client of this HAL. This commit also removes bootctrl_block_device type which is no longer used. Finally, boot_control_hal attribute is removed because it is now covered by the hal_bootctl attribute. Test: Device boots up, no new denials Test: Reboot into recovery, sideload OTA update succeeds Test: Apply OTA update via update_engine: 1. make dist 2. Ensure device has network connectivity 3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip Bug: 34170079 Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
/system/sepolicy/public/attributes
|
9e6b24c6a5dc026924b2ab983d6644063585cd9c |
|
17-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
/system/sepolicy/public/attributes
|
41518bec2508c85eb8797980321d3912b4598261 |
|
13-Mar-2017 |
Alex Klyubin <klyubin@google.com> |
Switch Sensors HAL policy to _client/_server This switches Sensors HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Sensors HAL. Domains which are clients of Sensors HAL, such as system_server, are granted rules targeting hal_sensors only when the Sensors HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_sensors are not granted to client domains. Domains which offer a binderized implementation of Sensors HAL, such as hal_sensors_default domain, are always granted rules targeting hal_sensors. P. S. This commit also removes allow system_server sensors_device:chr_file rw_file_perms because this is device-specific and thus not needed in device-agnostic policy. The device-specific policy of the affected devices already has this rule. Test: Device boots, no new denials Test: adb shell dumpsys sensorservice lists tons of sensors Test: Proprietary sensors test app indicates that there are sensors and that the app can register to listen for updates for sensors and that such updates arrive to the app. Bug: 34170079 Change-Id: I61bf779070eabcb64ae73724d62b6e837319a668
/system/sepolicy/public/attributes
|
a976e64d89575fb93b9fb1ca47c6aefc496e91b9 |
|
19-Feb-2017 |
Roshan Pius <rpius@google.com> |
sepolicy: Make wpa_supplicant a HIDL service Note: The existing rules allowing socket communication will be removed once we migrate over to HIDL completely. (cherry-pick of 2a9595ede2c9a224686e619c2ee5c976dd324ac0) Bug: 34603782 Test: Able to connect to wifi networks. Test: Will be sending for full wifi integration tests (go/wifi-test-request) Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
/system/sepolicy/public/attributes
|
6237d8b787adc5d685e8ce2eb983182add58aadb |
|
28-Feb-2017 |
Alex Klyubin <klyubin@google.com> |
Start locking down access to services from ephemeral apps

This starts with the reduction in the number of services that ephemeral apps can access. Prior to this commit, ephemeral apps were permitted to access most of the service_manager services accessible by conventional apps. This commit reduces this set by removing access from ephemeral apps to:
* gatekeeper_service,
* sec_key_att_app_id_provider_service,
* wallpaper_service,
* wifiaware_service,
* wifip2p_service,
* wifi_service.

Test: Device boots up fine, Chrome, Play Movies, YouTube, Netflix, work fine.
Bug: 33349998
Change-Id: Ie4ff0a77eaca8c8c91efda198686c93c3a2bc4b3
/system/sepolicy/public/attributes
|
f7543d27b8371107ed69d9a1900c21954a77b6a4 |
|
23-Feb-2017 |
Alex Klyubin <klyubin@google.com> |
Switch Keymaster HAL policy to _client/_server

This switches Keymaster HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Keymaster HAL. Domains which are clients of Keymaster HAL, such as keystore and vold domains, are granted rules targeting hal_keymaster only when the Keymaster HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_keymaster are not granted to client domains. Domains which offer a binderized implementation of Keymaster HAL, such as hal_keymaster_default domain, are always granted rules targeting hal_keymaster.

Test: Password-protected sailfish boots up and lock screen unlocks -- this exercises vold -> Keymaster HAL interaction
Test: All Android Keystore CTS tests pass -- this exercises keystore -> Keymaster HAL interaction:
  make cts cts-tradefed
  cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsKeystoreTestCases
Bug: 34170079
Change-Id: I2254d0fdee72145721654d6c9e6e8d3331920ec7
/system/sepolicy/public/attributes
|
1d2a1476ae7907ced46ecae750879547ee75c048 |
|
23-Feb-2017 |
Alex Klyubin <klyubin@google.com> |
Switch Wi-Fi HAL policy to _client/_server

This switches Wi-Fi HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Wi-Fi HAL. Domains which are clients of Wi-Fi HAL, such as system_server domain, are granted rules targeting hal_wifi only when the Wi-Fi HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_wifi are not granted to client domains. Domains which offer a binderized implementation of Wi-Fi HAL, such as hal_wifi_default domain, are always granted rules targeting hal_wifi.

Test: Setup Wizard (incl. adding a Google Account) completes fine with Wi-Fi connectivity only
Test: Toggle Wi-Fi off, on, off, on
Test: Use System UI to see list of WLANs and connect to one which does not require a password, and to one which requires a PSK
Test: ip6.me loads fine in Chrome over Wi-Fi
Bug: 34170079
Change-Id: I7a216a06727c88b7f2c23d529f67307e83bed17f
/system/sepolicy/public/attributes
|
47174e3b9f8b4c065d4477114cd9a2ee0c31b98e |
|
22-Feb-2017 |
Alex Klyubin <klyubin@google.com> |
Switch Dumpstate HAL policy to _client/_server This switches Dumpstate HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Dumpstate HAL. Domains which are clients of Dumpstate HAL, such as dumpstate domain, are granted rules targeting hal_dumpstate only when the Dumpstate HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_dumpstate are not granted to client domains. Domains which offer a binderized implementation of Dumpstate HAL, such as hal_dumpstate_default domain, are always granted rules targeting hal_dumpstate. Test: adb bugreport Test: Take bugreport through system UI Bug: 34170079 Change-Id: I3e827534af03cdfa876921c5fa4af3a53025ba27
/system/sepolicy/public/attributes
|
f98650e4abbb3b258a3fab24de83c0e849c0ecb7 |
|
22-Feb-2017 |
Alex Klyubin <klyubin@google.com> |
Switch Fingerprint HAL policy to _client/_server

This switches Fingerprint HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Bluetooth HAL. Domains which are clients of Fingerprint HAL, such as system_server domain, are granted rules targeting hal_fingerprint only when the Fingerprint HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_fingerprint are not granted to client domains. Domains which offer a binderized implementation of Fingerprint HAL, such as hal_fingerprint_default domain, are always granted rules targeting hal_fingerprint.

NOTE: This commit also removes unnecessary allow rules from Fingerprint HAL, such as access to servicemanager (not hwservicemanager) and access to keystore daemon over Binder IPC. Fingerprint HAL does not use this functionality anyway and shouldn't use it either.

Test: Enable fingerprint + PIN secure lock screen, confirm it unlocks with fingerprint or PIN
Test: Disable PIN (and thus fingerprint) secure lock screen
Test: make FingerprintDialog, install, make a fake purchase
Test: Add fingerprint_hidl_hal_test to device.mk, build & add to device, adb shell stop, adb shell /data/nativetest64/fingerprint_hidl_hal_test/fingerprint_hidl_hal_test -- all tests pass
Bug: 34170079
Change-Id: I6951c0f0640194c743ff7049357c77f5f21b71a1
/system/sepolicy/public/attributes
|
9b718c409ff75490f3bdb3511e02376d1cc7a94b |
|
17-Feb-2017 |
Alex Klyubin <klyubin@google.com> |
Switch DRM HAL policy to _client/_server This switches DRM HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of DRM HAL. Domains which are clients of DRM HAL, such as mediadrmserver domain, are granted rules targeting hal_drm only when the DRM HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_drm are not granted to client domains. Domains which offer a binderized implementation of DRM HAL, such as hal_drm_default domain, are always granted rules targeting hal_drm. Test: Play movie using Google Play Movies Test: Play movie using Netflix Bug: 34170079 Change-Id: I3ab0e84818ccd61e54b90f7ade3509b7dbf86fb9
/system/sepolicy/public/attributes
|
168435fe0368f60ed693043e63fcb3370a95c8b8 |
|
17-Feb-2017 |
Alex Klyubin <klyubin@google.com> |
Switch Bluetooth HAL policy to _client/_server This switches Bluetooth HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Bluetooth HAL. Domains which are clients of Bluetooth HAL, such as bluetooth domain, are granted rules targeting hal_bluetooth only when the Bluetooth HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_bluetooth are not granted to client domains. Domains which offer a binderized implementation of Bluetooth HAL, such as hal_bluetooth_default domain, are always granted rules targeting hal_bluetooth. Test: Toggle Bluetooth off and on Test: Pair with another Android, and transfer a file to that Android over Bluetooth Test: Pair with a Bluetooth speaker, play music through that speaker over Bluetooth Test: Add bluetooth_hidl_hal_test to device.mk, build & add to device, adb shell stop, adb shell /data/nativetest64/bluetooth_hidl_hal_test/bluetooth_hidl_hal_test Bug: 34170079 Change-Id: I05c3ccf1e98cbbc1450a81bb1000c4fb75eb8a83
/system/sepolicy/public/attributes
|
3a8426bf890aa77ca2da4a000a298f860b9e530f |
|
17-Feb-2017 |
Alex Klyubin <klyubin@google.com> |
Switch Camera HAL policy to _client/_server This switches Camera HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Camera HAL. Domains which are clients of Camera HAL, such as cameraserver domain, are granted rules targeting hal_camera only when the Camera HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_camera are not granted to client domains. Domains which offer a binderized implementation of Camera HAL, such as hal_camera_default domain, are always granted rules targeting hal_camera. Test: Take non-HDR photo using Google Camera app Test: Take HDR photo using Google Camera app Test: Record video using Google Camera app Bug: 34170079 Change-Id: I463646cf79fede57f11ccd4ec2cbc37a4fff141e
/system/sepolicy/public/attributes
|
ac2b4cd2cb69b9182725e536f395b64db258d4b8 |
|
13-Feb-2017 |
Alex Klyubin <klyubin@google.com> |
Use _client and _server for Audio HAL policy

This starts the switch for HAL policy to the approach where:
* domains which are clients of Foo HAL are associated with hal_foo_client attribute,
* domains which offer the Foo HAL service over HwBinder are associated with hal_foo_server attribute,
* policy needed by the implementation of Foo HAL service is written against the hal_foo attribute. This policy is granted to domains which offer the Foo HAL service over HwBinder and, if Foo HAL runs in the so-called passthrough mode (inside the process of each client), also granted to all domains which are clients of Foo HAL.

hal_foo is there to avoid duplicating the rules for hal_foo_client and hal_foo_server to cover the passthrough/in-process Foo HAL and binderized/out-of-process Foo HAL cases.

A benefit of associating all domains which are clients of Foo HAL with hal_foo (when Foo HAL is in passthrough mode) is that this removes the need for device-specific policy to be able to reference these domains directly (in order to add device-specific allow rules). Instead, device-specific policy only needs to reference hal_foo and should no longer need to care which particular domains on the device are clients of Foo HAL. This can be seen in simplification of the rules for audioserver domain which is a client of Audio HAL whose policy is being restructured in this commit.

This commit uses Audio HAL as an example to illustrate the approach. Once this commit lands, other HALs will also be switched to this approach.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
/system/sepolicy/public/attributes
|
bacb6d79360f3591680b215177602dcdc3181bf3 |
|
13-Feb-2017 |
Jeff Vander Stoep <jeffv@google.com> |
untrusted_app: policy versioning based on targetSdkVersion

Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion.

Place untrusted apps with targetSdkVersion<=25 into the untrusted_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions.

Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing.
Bug: 34115651
Bug: 35323421
Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
/system/sepolicy/public/attributes
|
ebec1aa2b74906e49b388cedb9ab61114b6ac854 |
|
19-Jan-2017 |
Jiyong Park <jiyong@google.com> |
configstore: add selinux policy for configstore@1.0 hal

This change adds selinux policy for configstore@1.0 hal. Currently, only surfaceflinger has access to the HAL, but this needs to be widened.

Bug: 34314793
Test: build & run
Merged-In: I40e65032e9898ab5f412bfdb7745b43136d8e964
Change-Id: I40e65032e9898ab5f412bfdb7745b43136d8e964
(cherry picked from commit 5ff0f178ba077594e80d9777bbe7a13d25d2484d)
/system/sepolicy/public/attributes
|
e8acd7695b96434cde84c8bc16b364d39856857d |
|
28-Jan-2017 |
Janis Danisevskis <jdanis@google.com> |
Preliminary policy for hal_keymaster (TREBLE)

This adds the permissions required for android.hardware.keymaster@2.0-service to access the keymaster TA as well as for keystore and vold to lookup and use android.hardware.keymaster@2.0-service. IT DOES NOT remove the privileges from keystore and vold to access the keymaster TA directly.

Test: Run keystore CTS tests
Bug: 32020919
(cherry picked from commit 5090d6f3241ffbd96f5a0b24df602bd2559f3cf4)
Change-Id: Ib02682da26e2dbcabd81bc23169f9bd0e832eb19
/system/sepolicy/public/attributes
|
ae206f162372e5f8ce674c28f0be545098316e37 |
|
13-Jan-2017 |
Badhri Jagan Sridharan <Badhri@google.com> |
sepolicy for usb hal Bug: 31015010 cherry-pick from b6e4d4bdf12e8a61414596d3d23c5016ae0d6477 Test: checked for selinux denial msgs in the dmesg logs. Change-Id: I8285ea05162ea0d75459e873e5c2bad2dbc7e5ba
/system/sepolicy/public/attributes
|
c86f42b9a75a65e7b4651dd68d919a35dc30cf79 |
|
01-Jan-2017 |
Jeff Tinker <jtinker@google.com> |
Add sepolicy for drm HALs bug:32815560 Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f
/system/sepolicy/public/attributes
|
e1ff7e88598b00f798f10f6e951133efa055d5e5 |
|
20-Jan-2017 |
Alex Klyubin <klyubin@google.com> |
Sort hal_* declarations alphabetically Test: No change to SELinux policy Change-Id: I45d6d6ab0538b9d4768b922cfdc2c972272d0b18
/system/sepolicy/public/attributes
|
9c43a3ff103d36499fdac136d113ed2de5f9cc70 |
|
22-Dec-2016 |
Eino-Ville Talvala <etalvala@google.com> |
DO NOT MERGE: Camera: Add initial Treble camera HAL sepolicy - Allow cameraservice to talk to hwbinder, hwservicemanager - Allow hal_camera to talk to the same interfaces as cameraservice Test: Compiles, confirmed that cameraservice can call hwservicemanager Bug: 32991422 Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a
/system/sepolicy/public/attributes
|
f41d89eb249ca1f9fce41d86852047f924b1714e |
|
11-Jan-2017 |
Alex Klyubin <klyubin@google.com> |
Group all HAL impls using haldomain attribute This marks all HAL domain implementations with the haldomain attribute so that rules can be written which apply to all HAL implementations. This follows the pattern used for appdomain, netdomain and bluetoothdomain. Test: No change to policy according to sesearch. Bug: 34180936 Change-Id: I0cfe599b0d49feed36538503c226dfce41eb65f6
/system/sepolicy/public/attributes
|
54e0e5af8f4f0b4fd46cb1a015af079f6859e638 |
|
16-Dec-2016 |
Jim Miller <jaggies@google.com> |
New SELinux policy for fingerprint HIDL

Move from fingerprintd to new fingerprint_hal and update SELinux policy.

Test: Boot with no errors related to fingerprint sepolicy
Bug: 33199080
Change-Id: Idfde0cb0530e75e705033042f64f3040f6df22d6
/system/sepolicy/public/attributes
|
953c439643df097b5aa0dfeb75999e3f1e87f2ff |
|
09-Dec-2016 |
Hridya Valsaraju <hridya@google.com> |
add selinux policy for GNSS hal

The following are the avc denials that are addressed:

avc: denied { call } for pid=889 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:hal_gnss_default:s0 tclass=binder permissive=0
avc: denied { call } for scontext=u:r:hal_gnss_default:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=0
avc: denied { read } for name="hw" dev="mmcblk0p43" ino=1837 scontext=u:r:hal_gnss_default:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
avc: denied { open } for path="/system/lib64/hw" dev="mmcblk0p43" ino=1837 scontext=u:r:hal_gnss_default:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

Bug: 31974439
Test: Checked that there are no more avc denial messages related to the GNSS HAL in dmesg.
Change-Id: I5b43dc088017a5568dd8e442726d2bf52e95b1d5
/system/sepolicy/public/attributes
|
be27f92a3e3a8ece1d5819e3cfd9a4cb2c47c96e |
|
12-Oct-2016 |
Andre Eisenbach <eisenbach@google.com> |
Add selinux policy for Bluetooth HAL Bug: 31972505 Test: VTS test passes, Bluetooth starts/stops Change-Id: Ic068c9fca7c50e63c5b6e3d86a2ee6cc53207e08
/system/sepolicy/public/attributes
|
a9ce208680b3a9c1ddcf9bfce886909b66297964 |
|
20-Oct-2016 |
Alexey Polyudov <apolyudov@google.com> |
gatekeeper HAL service: add security policy Change-Id: I79a305407c3a362d7be11f4c026f31f1e9666f1c Signed-off-by: Alexey Polyudov <apolyudov@google.com>
/system/sepolicy/public/attributes
|
c9d46d4ff27afa05d8c0c26bd949de1a303cc7bc |
|
29-Nov-2016 |
Ashutosh Joshi <ashutoshj@google.com> |
Add sepolicy for sensors

Adding sepolicy for sensors.

Test: Sensors work.
Change-Id: Ibbf0c1a22654a17b1573e3761ea9ccd816150255
/system/sepolicy/public/attributes
|
e8d0bdae215b0818e22d1620c93ad3b5f6bca78b |
|
29-Nov-2016 |
Ashutosh Joshi <ashutoshj@google.com> |
Add sepolicy for contexthub HAL

Adding sepolicy for contexthub service.

Test: GTS tests pass.
Change-Id: I2576b8028d12a31151d7b7869679b853eb16c75e
/system/sepolicy/public/attributes
|
c2b594dbaded51b3ddb814950c12a95b7c945749 |
|
08-Dec-2016 |
Amit Mahajan <amitmahajan@google.com> |
SEPolicy changes for BT SAP hal. Test: Verified that WIP telephony and BT SAP CLs work fine with this change https://android-review.googlesource.com/#/q/topic:%22Basic+radio+service+and+client%22+(status:open+OR+status:merged) https://android-review.googlesource.com/#/q/topic:%22SAP+HAL%22+(status:open+OR+status:merged) Bug: 32020264 Change-Id: If15820d43e324d80e35808a292ee811f98d499cc
/system/sepolicy/public/attributes
|
c82cf89f5fffee907639f89ebb80df5dd5607f31 |
|
16-Dec-2016 |
Sandeep Patil <sspatil@google.com> |
hal_health: express the sepolicy as attribute Bug: http://b/32905206 Test: Boot sailfish and no new selinux failures observed in logs Change-Id: Id9a46180074a61f8cf8d176a7b2ebc995a13b9f9 Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/public/attributes
|
d86a30a273386171a7e58e2411d8a57365af34a3 |
|
01-Dec-2016 |
Steven Moreland <smoreland@google.com> |
Add hal_dumpstate attribute. - Also allow dumpstate to talk to hal_dumpstate. Bug: 31982882 Test: compiles Change-Id: Ib9cf0027ee7e71fa40b9ccc29fc8dccea6977e5c
/system/sepolicy/public/attributes
|
29eed9faea88ec3ac27ab17e451d8a29ac85f81d |
|
13-Dec-2016 |
Steven Moreland <smoreland@google.com> |
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
/system/sepolicy/public/attributes
|
a95c52e347618d5f6797e01ad460094a90800a27 |
|
06-Dec-2016 |
Connor O'Brien <connoro@google.com> |
Add sepolicy for consumerir HIDL HAL Test: logging confirms service runs on boot Change-Id: If86fa7daf4a626b3e04fa0d2677d4cb590eb71ce Signed-off-by: Connor O'Brien <connoro@google.com>
/system/sepolicy/public/attributes
|
3319d5ee16d6b90f1ce5137e9f650e4c38c975b3 |
|
15-Nov-2016 |
dcashman <dcashman@google.com> |
Move hal_light to attribute. HAL policy defines how the platform and a given HAL interact, but not how the HAL is implemented. This policy should be represented as an attribute that all processes implementing the HAL can include. Bug: 32123421 Test: Builds. Change-Id: I17e5612c0835773c28e14f09e2ce7bdc3f210c15
/system/sepolicy/public/attributes
|
cc39f637734a8d84bc861b649bfd109290c06401 |
|
22-Jul-2016 |
dcashman <dcashman@google.com> |
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
/system/sepolicy/public/attributes
|