| 9b2e0cbeeaae560b07e4ffa6e5b8e505699e4a76 |
|
09-Nov-2017 |
Benjamin Gordon <bmgordon@google.com> |
sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.
This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.
This is essentially:
1. New global_capability_class_set and global_capability2_class_set
that match capability+cap_userns and capability2+cap2_userns,
respectively.
2. s/self:capability/self:global_capability_class_set/g
3. s/self:capability2/self:global_capability2_class_set/g
4. Add cap_userns and cap2_userns to the existing capability_class_set
so that it covers all capabilities. This set was used by several
neverallow and dontaudit rules, and I confirmed that the new
classes are still appropriate.
Test: diff new policy against old and confirm that all new rules add
only cap_userns or cap2_userns;
Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831
Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
/system/sepolicy/public/logd.te
|
| 87ed5e8dbf220fd36471bdfbd42bf692c0371fc1 |
|
13-Sep-2017 |
Tri Vo <trong@google.com> |
Explicitly label logd's dependencies in /proc.
labeled /proc/kmsg as proc_kmsg, changed logd's access from proc to
proc_kmsg, and added a compat mapping.
Bug: 65643247
Test: device boots without selinux denials to the newly introduced proc_kmsg
Test: logd-unit-tests passes
Merged-In: I92c9f5694289eb6a94c4d90f14e2de4d46b5228e
Change-Id: I92c9f5694289eb6a94c4d90f14e2de4d46b5228e
(partial CP of commit 528da6fe3a0dbe4ae15355dff0152ab5f55197da)
/system/sepolicy/public/logd.te
|
| 384ce66246ea60a56a10e0bebb3c33647bb03a51 |
|
13-Sep-2016 |
Mark Salyzyn <salyzyn@google.com> |
logd: add getEventTag command and service
The event log tag service uses /dev/event-log-tags, pstore and
/data/misc/logd/event-log-tags as sticky storage for the invented
log tags.
Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 31456426
Change-Id: Iacc8f36f4a716d4da8dca78a4a54600ad2a288dd
/system/sepolicy/public/logd.te
|
| d33a9a194b1333113671a1353fab60d2df3478a5 |
|
08-Nov-2016 |
Mark Salyzyn <salyzyn@google.com> |
logd: restrict access to /dev/event-log-tags
Create an event_log_tags_file label and use it for
/dev/event-log-tags. Only trusted system log readers are allowed
direct read access to this file, no write access. Untrusted domain
requests lack direct access, and are thus checked for credentials via
the "plan b" long path socket to the event log tag service.
Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 31456426
Bug: 30566487
Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
/system/sepolicy/public/logd.te
|
| cb3eb4eef9733bbde2951a2a774392d0c8acc9fe |
|
19-Oct-2016 |
Josh Gao <jmgao@google.com> |
Introduce crash_dump debugging helper.
Replace the global debuggerd with a per-process debugging helper that
gets exec'ed by the process that crashed.
Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
/system/sepolicy/public/logd.te
|
| df125b90b456748f834df06e69d9e8aa05054c69 |
|
06-Dec-2016 |
Mark Salyzyn <salyzyn@google.com> |
init: only allowed to transition to logpersist or logd
Generate a compile time error if someone unexpectedly tries to
transition into logpersist or logd domain.
Test: compile
Bug: 30566487
Change-Id: Ib55f301f104ad63de5ac513cdc9dc9937e3ba48d
/system/sepolicy/public/logd.te
|
| da62cb4dda9c7e77dc67ced441d7ffe6fd3f2f2a |
|
10-Aug-2016 |
Mark Salyzyn <salyzyn@google.com> |
logcat: introduce split to logd and logpersist domains
- transition to logpersist from init
- sort some overlapping negative references
- intention is to allow logpersist to be used by vendor
userdebug logging
Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 30566487
Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
/system/sepolicy/public/logd.te
|
| 2e00e6373faa6271d7839d33c5b9e69d998ff020 |
|
12-Oct-2016 |
dcashman <dcashman@google.com> |
sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split. In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.
This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.
Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
/system/sepolicy/public/logd.te
|
| cb5f4a3dd8acd5c58bb2f0e65c6b4c256a1ec614 |
|
05-Dec-2016 |
Nick Kralevich <nnk@google.com> |
Prevent ptrace of logd on user builds
system/core commit 6a70ded7bfa8914aaa3dc25630ff2713ae893f80 (later
amended by 107e29ac1b1c297a0d4ee35c4978e79f47013e2c indicated that logd
doesn't want it's memory accessible by anyone else. Unfortunately,
setting DUMPABLE isn't sufficient against a root level process such with
ptrace. Only one such process exists, "debuggerd".
Block debuggerd from accessing logd's memory on user builds. Userdebug
and eng builds are unaffected. Add a neverallow rule (compile time
assertion + CTS test) to prevent regressions.
Bug: 32450474
Test: Policy compiles.
Change-Id: Ie90850cd91846a43adaa0871d239f894a0c94d38
/system/sepolicy/public/logd.te
|
| 31e9f39f59de397786aeda01b5634153d8c8d46e |
|
28-Nov-2016 |
Nick Kralevich <nnk@google.com> |
logd.te: Remove setting persist.sys. and sys.powerctl
As of system/core commit a742d1027784a54c535cff69b375a9f560893155, this
functionality is no longer used.
Test: device boots and no obvious problems.
Change-Id: Ia3ad8add92f1cdaaff36f4935be8b03458fed7f2
/system/sepolicy/public/logd.te
|
| cc39f637734a8d84bc861b649bfd109290c06401 |
|
22-Jul-2016 |
dcashman <dcashman@google.com> |
Split general policy into public and private components.
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
/system/sepolicy/public/logd.te
|