9b2e0cbeeaae560b07e4ffa6e5b8e505699e4a76 |
|
09-Nov-2017 |
Benjamin Gordon <bmgordon@google.com> |
sepolicy: Add rules for non-init namespaces

In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels.

This is essentially:
1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively.
2. s/self:capability/self:global_capability_class_set/g
3. s/self:capability2/self:global_capability2_class_set/g
4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831
Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
/system/sepolicy/public/logd.te
|
87ed5e8dbf220fd36471bdfbd42bf692c0371fc1 |
|
13-Sep-2017 |
Tri Vo <trong@google.com> |
Explicitly label logd's dependencies in /proc.

Labeled /proc/kmsg as proc_kmsg, changed logd's access from proc to proc_kmsg, and added a compat mapping.

Bug: 65643247
Test: device boots without selinux denials to the newly introduced proc_kmsg
Test: logd-unit-tests passes
Merged-In: I92c9f5694289eb6a94c4d90f14e2de4d46b5228e
Change-Id: I92c9f5694289eb6a94c4d90f14e2de4d46b5228e
(partial CP of commit 528da6fe3a0dbe4ae15355dff0152ab5f55197da)
/system/sepolicy/public/logd.te
|
384ce66246ea60a56a10e0bebb3c33647bb03a51 |
|
13-Sep-2016 |
Mark Salyzyn <salyzyn@google.com> |
logd: add getEventTag command and service

The event log tag service uses /dev/event-log-tags, pstore and /data/misc/logd/event-log-tags as sticky storage for the invented log tags.

Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 31456426
Change-Id: Iacc8f36f4a716d4da8dca78a4a54600ad2a288dd
/system/sepolicy/public/logd.te
|
d33a9a194b1333113671a1353fab60d2df3478a5 |
|
08-Nov-2016 |
Mark Salyzyn <salyzyn@google.com> |
logd: restrict access to /dev/event-log-tags

Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service.

Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 31456426
Bug: 30566487
Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
/system/sepolicy/public/logd.te
|
cb3eb4eef9733bbde2951a2a774392d0c8acc9fe |
|
19-Oct-2016 |
Josh Gao <jmgao@google.com> |
Introduce crash_dump debugging helper.

Replace the global debuggerd with a per-process debugging helper that gets exec'ed by the process that crashed.

Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
/system/sepolicy/public/logd.te
|
df125b90b456748f834df06e69d9e8aa05054c69 |
|
06-Dec-2016 |
Mark Salyzyn <salyzyn@google.com> |
init: only allowed to transition to logpersist or logd

Generate a compile time error if someone unexpectedly tries to transition into logpersist or logd domain.

Test: compile
Bug: 30566487
Change-Id: Ib55f301f104ad63de5ac513cdc9dc9937e3ba48d
/system/sepolicy/public/logd.te
|
da62cb4dda9c7e77dc67ced441d7ffe6fd3f2f2a |
|
10-Aug-2016 |
Mark Salyzyn <salyzyn@google.com> |
logcat: introduce split to logd and logpersist domains

- transition to logpersist from init
- sort some overlapping negative references
- intention is to allow logpersist to be used by vendor userdebug logging

Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 30566487
Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
/system/sepolicy/public/logd.te
|
2e00e6373faa6271d7839d33c5b9e69d998ff020 |
|
12-Oct-2016 |
dcashman <dcashman@google.com> |
sepolicy: add version_policy tool and version non-platform policy.

In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes.

This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
/system/sepolicy/public/logd.te
|
cb5f4a3dd8acd5c58bb2f0e65c6b4c256a1ec614 |
|
05-Dec-2016 |
Nick Kralevich <nnk@google.com> |
Prevent ptrace of logd on user builds

system/core commit 6a70ded7bfa8914aaa3dc25630ff2713ae893f80 (later amended by 107e29ac1b1c297a0d4ee35c4978e79f47013e2c) indicated that logd doesn't want its memory accessible by anyone else. Unfortunately, setting DUMPABLE isn't sufficient against a root level process with ptrace. Only one such process exists, "debuggerd".

Block debuggerd from accessing logd's memory on user builds. Userdebug and eng builds are unaffected. Add a neverallow rule (compile time assertion + CTS test) to prevent regressions.

Bug: 32450474
Test: Policy compiles.
Change-Id: Ie90850cd91846a43adaa0871d239f894a0c94d38
/system/sepolicy/public/logd.te
|
31e9f39f59de397786aeda01b5634153d8c8d46e |
|
28-Nov-2016 |
Nick Kralevich <nnk@google.com> |
logd.te: Remove setting persist.sys. and sys.powerctl

As of system/core commit a742d1027784a54c535cff69b375a9f560893155, this functionality is no longer used.

Test: device boots and no obvious problems.
Change-Id: Ia3ad8add92f1cdaaff36f4935be8b03458fed7f2
/system/sepolicy/public/logd.te
|
cc39f637734a8d84bc861b649bfd109290c06401 |
|
22-Jul-2016 |
dcashman <dcashman@google.com> |
Split general policy into public and private components.

Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version.

Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public.

Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
/system/sepolicy/public/logd.te
|