History log of /system/sepolicy/public/vold.te
Revision Date Author Comments
597be44e9628eea56724e0ec576eebc2f0224d2a 14-May-2018 Joel Galenson <jgalenson@google.com> Allow vendor_init to getattr vold_metadata_file.

This relaxes the neverallow rule blocking vendor_init from doing
anything to vold_metadata_file. The rules above it still prevent it
from doing anything other than relabelto and getattr.

Bug: 79681561
Test: Boot device and see no denials.
Change-Id: I1beb25bb9f8d69323c9fee53a140c2a084b12124
/system/sepolicy/public/vold.te
5f79b334ff93cf89ab7c6f6c771ca0b5c7d0e2e5 20-Apr-2018 Paul Crowley <paulcrowley@google.com> Add metadata_file class for root of metadata folder.

Bug: 77335096
Test: booted device with metadata encryption and without
Change-Id: I5bc5d46deb4e91912725c4887fde0c3a41c9fc91
/system/sepolicy/public/vold.te
d25ccabd24339938b6b3bb93cb3cb96b4aa55958 08-Feb-2018 Jeff Vander Stoep <jeffv@google.com> label /data/vendor{_ce,_de}

Restrictions introduced in vendor init mean that new devices
may no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.

Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
No new denials.

Change-Id: I65f904bb28952d4776aab947515947e14befbe34
/system/sepolicy/public/vold.te
d9a4e06ec59025a32a80b343ef8aa47eb7ddb308 01-Feb-2018 Paul Crowley <paulcrowley@google.com> Allow vendor_init and e2fs to enable metadata encryption

Bug: 63927601
Test: Enable metadata encryption in fstab on Taimen, check boot success.

Change-Id: Iddbcd05501d360d2adc4edf8ea7ed89816642d26
/system/sepolicy/public/vold.te
dcad0f04cfe423d490019d23528ed9fe1e54b047 23-Jan-2018 Tri Vo <trong@google.com> vold: clarify sysfs access

And remove a redundant rule.

Test: sesearch shows no changes to vold's sepolicy.
Change-Id: Icccc18696e98b999968ecbe0fb7862c35575a9b3
/system/sepolicy/public/vold.te
e49714542ee846a7b14c8edb78303ec94cb4836e 19-Oct-2017 Jaekyun Seok <jaekyun@google.com> Whitelist exported platform properties

This CL lists all the exported platform properties in
private/exported_property_contexts.

Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.

Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
/system/sepolicy/public/vold.te
7ae939e84bff452beb0ba10c64983fb6f63e7712 08-Jan-2018 Luis Hector Chavez <lhchavez@google.com> Revert "Allow callers of uevent_kernel_*() access to /proc/sys/kernel/overflowuid"

This reverts commit 640e595a68713d6d09eab4c436780498c46cdbcb. The
corresponding code in libcutils was removed, so this is now unneeded.

Bug: 71632076
Test: aosp_sailfish still works

Change-Id: I615bab83e9a83bc14439b8ab90c00d3156b0a7c4
/system/sepolicy/public/vold.te
6a28b68d5479bb51035fb878f9bb3e7019d65180 21-Nov-2017 Jeff Vander Stoep <jeffv@google.com> Fix CTS regressions

Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attributes, which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.cts.security.SELinuxNeverallowRulesTest

CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
remaining failure appears to be caused by b/68133473
Test: build taimen-user/userdebug

Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc
/system/sepolicy/public/vold.te
cd69bebf7646fd1fb9a2c378d7a3ccc80a00d450 21-Nov-2017 Jeffrey Vander Stoep <jeffv@google.com> Revert "Fix CTS regressions"

This reverts commit ed876a5e969ce89d9887cc19a97aadbaf5118e4a.

Fixes user builds.
libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
Bug: 69566734
Test: build taimen-user
Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4
/system/sepolicy/public/vold.te
ed876a5e969ce89d9887cc19a97aadbaf5118e4a 21-Nov-2017 Jeff Vander Stoep <jeffv@google.com> Fix CTS regressions

Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attributes, which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.cts.security.SELinuxNeverallowRulesTest

CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
remaining failure appears to be caused by b/68133473
Change-Id: I83dcb33c3a057f126428f88a90b95f3f129d9f0e
/system/sepolicy/public/vold.te
9b2e0cbeeaae560b07e4ffa6e5b8e505699e4a76 09-Nov-2017 Benjamin Gordon <bmgordon@google.com> sepolicy: Add rules for non-init namespaces

In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
1. New global_capability_class_set and global_capability2_class_set
that match capability+cap_userns and capability2+cap2_userns,
respectively.
2. s/self:capability/self:global_capability_class_set/g
3. s/self:capability2/self:global_capability2_class_set/g
4. Add cap_userns and cap2_userns to the existing capability_class_set
so that it covers all capabilities. This set was used by several
neverallow and dontaudit rules, and I confirmed that the new
classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
only cap_userns or cap2_userns;
Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
/system/sepolicy/public/vold.te
640e595a68713d6d09eab4c436780498c46cdbcb 02-Nov-2017 Luis Hector Chavez <lhchavez@google.com> Allow callers of uevent_kernel_*() access to /proc/sys/kernel/overflowuid

Bug: 62378620
Test: Android in Chrome OS can call uevent_kernel_recv() and not fail
with EIO.
Test: bullhead networking still works

Change-Id: I4dd5d2148ee1704c4fa23d7fd82d1ade19b58cbd
/system/sepolicy/public/vold.te
2f4a4b78582414b4e50defa430380865596eb869 17-Oct-2017 Paul Crowley <paulcrowley@google.com> vold_prepare_subdirs needs to recursively delete

Bug: 25861755
Test: Boot device, create user, create files, remove user, observe logs
Change-Id: I195514eb45a99c1093998786ab385338463269c0
Merged-In: I195514eb45a99c1093998786ab385338463269c0
(cherry picked from commit eb7340d94ed44b16cdb731590577a177e7046375)
/system/sepolicy/public/vold.te
5b962cfd7b2f41cf2b4bba4c6622cd4fe49e3a46 13-Oct-2017 Paul Crowley <paulcrowley@google.com> vold_prepare_subdirs sets policy in vold-created dirs.

Bug: 25861755
Test: Boot device, observe logs
Change-Id: I6c13430d42e9794003eb48e6ca219b874112b900
Merged-In: I6c13430d42e9794003eb48e6ca219b874112b900
(cherry picked from commit 47f3ed09d222ee126cf2fe23b5fe15cd0b64520e)
/system/sepolicy/public/vold.te
5b4bea438a4bcb7dd49ab022b46884e3f683dc44 05-Oct-2017 Tao Bao <tbao@google.com> Create sysfs_dm label.

Prior to this CL, /sys/devices/virtual/block/dm-X was using the generic
sysfs label. This CL creates sysfs_dm label and grants the following
accesses:
- update_verifier to read sysfs_dm dir and file at
/sys/devices/virtual/block/dm-X.
- vold to write sysfs_dm.

Bug: 63440407
Test: update_verifier successfully triggers blocks verification and
marks a successful boot;
Test: No sysfs_dm related denials on sailfish.
Change-Id: I6349412707800f1bd3a2fb94d4fe505558400c95
/system/sepolicy/public/vold.te
aadf611ed9fea53f5b4fe18d361795258ff00c3c 04-Oct-2017 Jeff Vander Stoep <jeffv@google.com> vold: temporarily re-grant access to default proc label

On Marlin/Sailfish, StorageManager tests in CTS are exposing a bug
where the /proc/<pid>/ns/mnt files for system_server are briefly
mislabeled as "proc" instead of "system_server", resulting in the
tests failing. Temporarily re-granting access to the default label
until the labeling issue can be tracked down.

Repro steps:
cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases \
-t android.os.storage.cts.StorageManagerTest

Failures:

android.os.storage.cts.StorageManagerTest#testOpenProxyFileDescriptor
fail: java.lang.IllegalStateException: command '58 appfuse mount 10065
959 0' failed with '400 58 Command failed'

android.os.storage.cts.StorageManagerTest#testOpenProxyFileDescriptor_async
fail: java.lang.IllegalStateException: command '59 appfuse mount 10065
959 1' failed with '400 59 Command failed'

android.os.storage.cts.StorageManagerTest#testOpenProxyFileDescriptor_error
fail: java.lang.IllegalStateException: command '60 appfuse mount 10065
959 2' failed with '400 60 Command failed'

From the log:

10-04 20:41:22.972 595 604 E vold : Failed to open namespace for
/proc/959/ns/mnt: Permission denied
10-04 20:41:22.967 604 604 W vold : type=1400 audit(0.0:90): avc:
denied { read } for dev="proc" ino=4026534249 scontext=u:r:vold:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=0
10-04 20:41:23.051 604 604 W vold : type=1400 audit(0.0:91): avc:
denied { read } for dev="proc" ino=4026534249 scontext=u:r:vold:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=0
10-04 20:41:23.054 595 604 E vold : Failed to open namespace for
/proc/959/ns/mnt: Permission denied
10-04 20:41:23.081 604 604 W vold : type=1400 audit(0.0:92): avc:
denied { read } for dev="proc" ino=4026534249 scontext=u:r:vold:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=0
10-04 20:41:23.086 595 604 E vold : Failed to open namespace for
/proc/959/ns/mnt: Permission denied

sailfish:/ # ps -AZ | grep 959
u:r:system_server:s0 system 959 628 \
4557136 251500 SyS_epoll_wait 70e6df822c S system_server

The file labels appear to be correct when checked manually.

sailfish:/ # ls -lZ /proc/959/ns/
lrwxrwxrwx 1 system system u:r:system_server:s0 0 2017-10-04 17:19 mnt -> mnt:[4026534249]
lrwxrwxrwx 1 system system u:r:system_server:s0 0 2017-10-04 20:55 net -> net:[4026531906]

Bug: 67049235
Test: cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases \
-t android.os.storage.cts.StorageManagerTes

Change-Id: Id4d200856c02c023c6f516e3f3bfa060e100086c
/system/sepolicy/public/vold.te
91d398d802b4fbd33c2b88da9f56ecee8bdc363c 26-Sep-2017 Dan Cashman <dcashman@google.com> Sync internal master and AOSP sepolicy.

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
/system/sepolicy/public/vold.te
f295758caeab2628d671d06d983088eaf25a493c 30-Aug-2017 Peter Enderborg <peter.enderborg@sony.com> Restrict functions for vold

Raw sockets usually imply advanced parsers that might
have flaws. If vold needs such an odd thing, force it to have
that in another domain, like filesystem checks. Debug
features like ptrace do not belong to vold.

Bug: 64791922
Test: Manual
Change-Id: I75c62d13f998621f80b2049bce0505442862bf0b
/system/sepolicy/public/vold.te
acb4871ff320f0e3c0745cc25fbc5cf78421960d 30-Aug-2017 Peter Enderborg <peter.enderborg@sony.com> Only allow init to start vold

Hardening vold. Vold has many rights to system-sensitive parts and
is started by init. Enforce this security.

Bug: 64791922
Test: Manual
Change-Id: I077d251d1eb7b7292e1a4a785093cb7bf5524a83
/system/sepolicy/public/vold.te
2cf7fba53988ed17c9ca2f407703e62a2aa16dd6 24-Jul-2017 Jeff Vander Stoep <jeffv@google.com> domain_deprecate: remove system_data_file access
am: 2b75437dc8

Change-Id: I0b90ed2e870640b6b7524207c2edfc8e5578fc6e
2b75437dc82b43d8e9c3cbda8bd92452968d6071 12-Jul-2017 Jeff Vander Stoep <jeffv@google.com> domain_deprecate: remove system_data_file access

scontext=installd
avc: granted { getattr } for comm="Binder:1153_7" path="/data/user/0"
dev="sda13" ino=1097730 scontext=u:r:installd:s0
tcontext=u:object_r:system_data_file:s0 tclass=lnk_file

scontext=runas
avc: granted { getattr } for comm="run-as" path="/data/user/0"
dev="sda35" ino=942082 scontext=u:r:runas:s0
tcontext=u:object_r:system_data_file:s0 tclass=lnk_file

scontext=vold
avc: granted { getattr } for comm="vold" path="/data/data" dev="sda45"
ino=12 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=lnk_file
avc: granted { read } for comm="secdiscard"
name="3982c444973581d4.spblob" dev="sda45" ino=4620302
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file

Bug: 28760354
Test: Build
Change-Id: Id16c43090675572af35f1ad9defd4c368abc906b
/system/sepolicy/public/vold.te
76aab82cb3a7560d3d78f93c7f2d00ed381192c4 15-May-2017 Jeff Vander Stoep <jeffv@google.com> Move domain_deprecated into private policy

This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
/system/sepolicy/public/vold.te
f627e5581c479013e067494c5af71adf13aa260a 14-Apr-2017 Jeff Vander Stoep <jeffv@google.com> restore permissions to /vendor for non-treble devices

Relabeling /vendor and /system/vendor to vendor_file removed
previously granted permissions. Restore these for non-treble devices.

Addresses:
avc: denied { execute_no_trans } for pid=2944 comm="dumpstate"
path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929
scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0
tclass=file

And potentially some other bugs that have yet to surface.

Bug: 37105075
Test: build Fugu
Change-Id: I8e7bd9c33819bf8206f7c110cbce72366afbcef8
/system/sepolicy/public/vold.te
c9cf7361c1f5000834f125d287df8d2708b4d634 24-Mar-2017 Sandeep Patil <sspatil@google.com> file_context: explicitly label all file context files

file_context files need to be explicitly labeled as they are now split
across system and vendor and won't have the generic world readable
'system_file' label.

Bug: 36002414
Test: no new 'file_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check --abi \
arm64-v8a --module CtsSecurityHostTestCases -t \
android.security.cts.SELinuxHostTest#testAospFileContexts

Change-Id: I603157e9fa7d1de3679d41e343de397631666273
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/sepolicy/public/vold.te
3f724c95a86e6c08f23ff4f424b144cee81014dd 26-Mar-2017 Jeff Sharkey <jsharkey@android.com> Grant kernel access to new "virtual_disk" file.

This is a special file that can be mounted as a loopback device to
exercise adoptable storage code on devices that don't have valid
physical media. For example, they may only support storage media
through a USB OTG port that is being used for an adb connection.

avc: denied { read } for path="/data/misc/vold/virtual_disk" dev="sda35" ino=508695 scontext=u:r:kernel:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0

Bug: 34903607
Change-Id: I84721ec0e9495189a7d850461875df1839826212
/system/sepolicy/public/vold.te
a8e0f76c44af41cbdd5e452a976171ffe379d035 26-Mar-2017 Jeff Sharkey <jsharkey@android.com> Define policy for "loop-control" device.

Per loop(4), this device is the preferred way of allocating new
loop devices since Linux 3.1.

avc: denied { read write } for name="loop-control" dev="tmpfs" ino=15221 scontext=u:r:vold:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0

Bug: 34903607
Change-Id: I1f5f62cf0a1c24c6f6453100004812af4b8e1503
/system/sepolicy/public/vold.te
2b291121b92f44971e702929d7ae4cc7d5e35078 04-Mar-2017 Calin Juravle <calin@google.com> SELinux: Clean up code related to foreign dex use

We simplified the way we track whether or not a dex file is used by
other apps. DexManager in the framework keeps track of the data and we
no longer need file markers on disk.

Test: device boots, foreign dex markers are not created anymore

Bug: 32871170
Change-Id: I464ed6b09439cf0342020ee07596f9aa8ae53b62
/system/sepolicy/public/vold.te
f7543d27b8371107ed69d9a1900c21954a77b6a4 23-Feb-2017 Alex Klyubin <klyubin@google.com> Switch Keymaster HAL policy to _client/_server

This switches Keymaster HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Keymaster HAL.

Domains which are clients of Keymaster HAL, such as keystore and vold
domains, are granted rules targeting hal_keymaster only when the
Keymaster HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_keymaster are not granted to client domains.

Domains which offer a binderized implementation of Keymaster HAL, such
as hal_keymaster_default domain, are always granted rules targeting
hal_keymaster.

Test: Password-protected sailfish boots up and lock screen unlocks --
this exercises vold -> Keymaster HAL interaction
Test: All Android Keystore CTS tests pass -- this exercises keystore ->
Keymaster HAL interaction:
make cts cts-tradefed
cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check --abi arm64-v8a \
--module CtsKeystoreTestCases
Bug: 34170079

Change-Id: I2254d0fdee72145721654d6c9e6e8d3331920ec7
/system/sepolicy/public/vold.te
a1b45600882032aab5b13381a636734f0a3f91f0 10-Feb-2017 Jeff Vander Stoep <jeffv@google.com> Remove logspam

Grant observed uses of permissions being audited in domain_deprecated.

fsck
avc: granted { getattr } for path="/" dev="dm-0" ino=2 scontext=u:r:fsck:s0 tcontext=u:object_r:rootfs:s0 tclass=dir

keystore
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:keystore:s0 tcontext=u:object_r:system_file:s0 tclass=dir

sdcardd
avc: granted { read open } for path="/proc/filesystems" dev="proc" ino=4026532412 scontext=u:r:sdcardd:s0 tcontext=u:object_r:proc:s0 tclass=file

update_engine
avc: granted { getattr } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read } for name="hw" dev="dm-1" ino=168 scontext=u:r:update_engine:s0 tcontext=u:object_r:system_file:s0 tclass=dir

vold
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:vold:s0 tcontext=u:object_r:system_file:s0 tclass=dir

Test: Marlin builds and boots, avc granted messages no longer observed.
Bug: 35197529
Change-Id: Iae34ae3b9e22ba7550cf7d45dc011ab043e63424
/system/sepolicy/public/vold.te
e8acd7695b96434cde84c8bc16b364d39856857d 28-Jan-2017 Janis Danisevskis <jdanis@google.com> Preliminary policy for hal_keymaster (TREBLE)

This adds the permissions required for
android.hardware.keymaster@2.0-service to access the keymaster TA
as well as for keystore and vold to look up and use
android.hardware.keymaster@2.0-service.

IT DOES NOT remove the privileges from keystore and vold to access
the keymaster TA directly.

Test: Run keystore CTS tests
Bug: 32020919

(cherry picked from commit 5090d6f3241ffbd96f5a0b24df602bd2559f3cf4)

Change-Id: Ib02682da26e2dbcabd81bc23169f9bd0e832eb19
/system/sepolicy/public/vold.te
626f90c541add3560e5eb23cca6c2c9d6cebdcf4 20-Jan-2017 Max Bires <jbires@google.com> Adding a neverallow rule to prevent renaming of device and char files

This neverallow addition addresses the renaming of files in exploits in
order to bypass denied permissions. An example of a similar use case of
using mv to bypass permission denials appeared in a recent project zero
ChromeOS exploit as one of the steps in the exploit chain.
https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html

Additionally, vold and init both had permission sets that allowed them
to rename, but neither of them seems to need it. Therefore the rename
permission has also been removed from these two .te files.

Test: The device boots successfully
Change-Id: I07bbb58f058bf050f269b083e836c2c9a5bbad80
/system/sepolicy/public/vold.te
16c889c51f0667c7d063f959922b5c98bcebfd7a 14-Dec-2016 Max <jbires@google.com> Removing file system remount permission from vold

There is no reason for vold to have this permission, and a proper
auditallow rule has been used and monitored to ensure that nothing on
Android uses this permission.

Bug: 26901147

Test: Phone boots
Change-Id: Id36ed2722348f433fe3d046a3429066338230fec
/system/sepolicy/public/vold.te
314d8c5801a47523f18eb703205183f8fdd0068b 30-Nov-2016 Max <jbires@google.com> Added an auditallow rule to track vold remounting filesystems.

Vold shouldn't have this selinux permission, so this will be left in for
a few weeks to keep track of if removing it would be an issue to any
other processes. If not, then a follow-up CL will remove both the rule
and the auditallow.

Test: This CL is a test in itself, auditallow rules shouldn't change
behavior of SELinux policy by themselves
Bug: 26901147
Change-Id: Ib076448863bd54278df59a3b514c9e877eb22ee5
/system/sepolicy/public/vold.te
ca04f9b3c489391f4026d5f688fe76a4aa0cd0cb 17-Nov-2016 Max <jbires@google.com> Removed a duplicate rule.

Test: Device boots
Change-Id: I151c5fb6f56850eaa215e1a917ac9ad609dbdd4a
/system/sepolicy/public/vold.te
cc39f637734a8d84bc861b649bfd109290c06401 22-Jul-2016 dcashman <dcashman@google.com> Split general policy into public and private components.

Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
/system/sepolicy/public/vold.te