Commit Graph

23444 Commits

Author SHA1 Message Date
Ken Chen
64f0be204b Define sepolicy for redirect-socket-calls feature
Define two property_context.

1. vendor_socket_hook_prop - for ro.vendor.redirect_socket_calls. The
property is set once in vendor_init context. It's evaluated at process
start time and cannot change at runtime on a given device. The set
permission is restricted to vendor_init. The read permission is
unrestricted.

2. socket_hook_prop - for net.redirect_socket_calls.hooked. The
property can be changed by System Server at runtime. It's evaluated when
shimmed socket functions are called. The set permission is restricted to
System Server. The read permission is unrestricted.

Bug: 141611769
Test: System Server can set net.redirect_socket_calls.hooked
      libnetd_client can read both properties
      libnetd_client can't set both properties

Change-Id: Ic42269539923e6930cc0ee3df8ba032797212395
2020-02-11 20:55:02 +08:00
Kenny Root
7ae220742c rebootescrow: allow dumpstate to call via binder
Allow dumpstate to call into rebootescrow to request debug information.

Bug: 148763226
Test: adb bugreport
Change-Id: Ib336cab755998b1ddcd7848b3e544c2e0f09c1aa
2020-02-10 21:28:32 -08:00
Automerger Merge Worker
b98676bc7a Merge "sepolicy: new prereboot_data_file type" am: e8b7cecad3
Change-Id: I1250ca1cdd98f428438bb1e50d7c7c6fa5f0989e
2020-02-11 03:08:56 +00:00
Jerry Chang
e8b7cecad3 Merge "sepolicy: new prereboot_data_file type" 2020-02-11 02:49:29 +00:00
Automerger Merge Worker
0d8788688f Merge "Update sepolicy to allow pushing atoms from surfaceflinger to statsd" am: c95ae9044d
Change-Id: Iad64c0ba3034f8a9fec168a72bfe60962b767fe1
2020-02-11 01:17:44 +00:00
Alec Mouri
c95ae9044d Merge "Update sepolicy to allow pushing atoms from surfaceflinger to statsd" 2020-02-11 01:01:20 +00:00
Automerger Merge Worker
6a18420ec5 Merge "Allow dumpstate access to /dev/binderfs/binder_logs" am: d13e12f9cc
Change-Id: I6246c08580580833f6a50fa3c7803c2dc89dbcf5
2020-02-11 00:49:42 +00:00
Treehugger Robot
d13e12f9cc Merge "Allow dumpstate access to /dev/binderfs/binder_logs" 2020-02-11 00:40:23 +00:00
Wei Wang
e55f2318d5 grant power hal client to access stable power hal service
Bug: 147913776
Test: Build
Change-Id: Ibf0d6b7b5b4ac71994de53922d9ce685bdc5f704
2020-02-10 16:32:35 -08:00
Automerger Merge Worker
456f93e9f3 Merge "Revert "Add sepolicy for persist.nfc"" am: a85454834d
Change-Id: Ib46567f04860322a68802d132414ccb442d8a9f4
2020-02-10 23:58:35 +00:00
Jon Spivack
a85454834d Merge "Revert "Add sepolicy for persist.nfc"" 2020-02-10 23:42:41 +00:00
Hridya Valsaraju
4ea5709bc4 Allow dumpstate access to /dev/binderfs/binder_logs
These permissions allow dumpstate to access binder logs
from /dev/binderfs.
avc: denied { read } for name="binder_logs" dev="binder" ino=1048580
scontext=u:r:dumpstate:s0 tcontext=u:object_r:binderfs_logs:s0 tclass=dir permissive=0
avc: denied { read } for comm="dumpstate" name="failed_transaction_log"
dev="binder" ino=1048585 scontext=u:r:dumpstate:s0
tcontext=u:object_r:binderfs_logs:s0 tclass=file permissive=1
avc: denied { open } for comm="dumpstate"
path="/dev/binderfs/binder_logs/failed_transaction_log"
dev="binder" ino=1048585 scontext=u:r:dumpstate:s0
tcontext=u:object_r:binderfs_logs:s0 tclass=file permissive=1
avc: denied { getattr } for comm="dumpstate"
path="/dev/binderfs/binder_logs/failed_transaction_log"
dev="binder" ino=1048585 scontext=u:r:dumpstate:s0
tcontext=u:object_r:binderfs_logs:s0 tclass=file permissive=1

Test: adb shell dumpstate
Bug: 136497735
Change-Id: I5ff7223e431aab9baa3527570fff2da71ab6feb0
2020-02-10 12:47:35 -08:00
Jon Spivack
c7bc7ee309 Revert "Add sepolicy for persist.nfc"
This reverts commit 34240604aa.

Reason for revert: Droidcop: Potential culprit for Bug 149218822 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.

Change-Id: Iaba9f6e9125ac456a5787b1fcbb67d68c91c5f42
2020-02-10 19:08:31 +00:00
Alec Mouri
b254ff2d5b Update sepolicy to allow pushing atoms from surfaceflinger to statsd
Bug: 148543048
Test: builds
Test: statsd_testdrive
Change-Id: I8ea6659d575fa2e7e5961dc1fea3219c238c9e41
2020-02-10 09:50:53 -08:00
Automerger Merge Worker
92424b8323 Merge "property_contexts: add cache for getDisplayInfo." am: 8b02ee96f1
Change-Id: Ib92ee6f92888cf08298140e1186a3bd425805c9d
2020-02-10 17:40:21 +00:00
Automerger Merge Worker
250f731efd Merge "Add userspace_reboot_log_prop" am: 4119b07d1b
Change-Id: Id2fc710764841f92d7640bfe306d7ab59784a69d
2020-02-10 17:34:12 +00:00
Tim Murray
e61c1c98f6 property_contexts: add location cache
Add support for isLocationEnabledForUser caching.

Test: location cache works
Bug: 140788621
Change-Id: Ic42da5ce770b21ff2304dec176b8761aed75ea20
2020-02-10 09:33:44 -08:00
Treehugger Robot
8b02ee96f1 Merge "property_contexts: add cache for getDisplayInfo." 2020-02-10 17:29:04 +00:00
Nikita Ioffe
4119b07d1b Merge "Add userspace_reboot_log_prop" 2020-02-10 17:22:03 +00:00
Automerger Merge Worker
4d83a33d41 Merge "Reland: Rework platform version to hide codenames." am: d21ecebb27
Change-Id: Ib58bd7a62f077e4efae7a6b40cba38507de52f47
2020-02-10 16:22:30 +00:00
Treehugger Robot
d21ecebb27 Merge "Reland: Rework platform version to hide codenames." 2020-02-10 15:58:38 +00:00
Automerger Merge Worker
49e3bbdb1d Merge "Add sepolicy for persist.nfc" am: 036eb2518d
Change-Id: I9394631e48401963ded6851257dada8bdc45311d
2020-02-10 11:27:26 +00:00
Treehugger Robot
036eb2518d Merge "Add sepolicy for persist.nfc" 2020-02-10 11:15:36 +00:00
Automerger Merge Worker
814d38a94c Merge "Move some properties to system_vendor_config_prop" am: 219137d6ca
Change-Id: Ic24749fb024fe713c7d2f5b63239e8e570fb31e3
2020-02-09 01:59:19 +00:00
Treehugger Robot
219137d6ca Merge "Move some properties to system_vendor_config_prop" 2020-02-09 01:38:26 +00:00
Automerger Merge Worker
a97d499ebd Merge "Remove "ro." prefix from sdk extension props" am: 88ab8e9c75
Change-Id: Iecf51b1e22a4fef84274eb723bc2d2fdb66513e9
2020-02-08 11:43:59 +00:00
Anton Hansson
88ab8e9c75 Merge "Remove "ro." prefix from sdk extension props" 2020-02-08 11:26:57 +00:00
Inseob Kim
2597b513b3 Move some properties to system_vendor_config_prop
system_vendor_config_prop defines a property context which can only be
set from vendor_init. It is one of the most used patterns of system
properties. This migrates some properties to help readability and
security.

Bug: 148125056
Test: system/sepolicy/build_policies.sh
Change-Id: I6b53ef520331b32417ad59f4daa04bdfc077f682
2020-02-08 08:34:17 +09:00
Automerger Merge Worker
09162ab186 Merge "Add macros for vendor_init writeonce properties" am: d832c69a94
Change-Id: I0f8d9f54170905023d799084bd7790f679eeedaf
2020-02-07 22:36:39 +00:00
Treehugger Robot
d832c69a94 Merge "Add macros for vendor_init writeonce properties" 2020-02-07 22:17:42 +00:00
Automerger Merge Worker
8c020eec71 Merge "selinux rules for loading incremental module" am: 3cf7d1b5ee
Change-Id: I7007b6fd0a63010334ae5079ecd0866101b82ecf
2020-02-07 19:50:37 +00:00
Songchun Fan
3cf7d1b5ee Merge "selinux rules for loading incremental module" 2020-02-07 19:33:08 +00:00
Anton Hansson
3c7cc7a896 Remove "ro." prefix from sdk extension props
It needs to be reset during userspace reboot, so isn't
readonly.

Bug: 148668435
Test: presubmit
Change-Id: If6b5f15eb7ade143a939c815bf8787659ceeb951
2020-02-07 19:04:06 +00:00
Automerger Merge Worker
eaf6255fff Merge "Add TEST_MAPPING for pre-submit tests" am: 571dbd9e58
Change-Id: I1066d87b9916399012f6febe6492ac3b1f249db6
2020-02-07 18:55:19 +00:00
Treehugger Robot
571dbd9e58 Merge "Add TEST_MAPPING for pre-submit tests" 2020-02-07 18:36:09 +00:00
Automerger Merge Worker
6820031087 Merge "GpuService binder call StatsManagerService" am: 53114d6184
Change-Id: Ie3937b46a5ada0dafb5021c1bf532db267eeb777
2020-02-07 18:18:05 +00:00
Automerger Merge Worker
eeefd23830 Merge "Allow system server to add StatsHal" am: aac4b2f8c0
Change-Id: I67718c87e2c9e526b1de6a6b6977ce6cf7c1803e
2020-02-07 18:17:50 +00:00
Tim Murray
541ab34a0c property_contexts: add cache for getDisplayInfo.
Test: getDisplayInfo works
Bug: 140788621
Change-Id: I131b9b34b9d2814ab2b2f95e5cef3635a67765e2
2020-02-07 10:07:01 -08:00
Jeffrey Huang
53114d6184 Merge "GpuService binder call StatsManagerService" 2020-02-07 18:03:26 +00:00
Jeffrey Huang
aac4b2f8c0 Merge "Allow system server to add StatsHal" 2020-02-07 18:03:04 +00:00
Songchun Fan
99d9374760 selinux rules for loading incremental module
Defining incremental file system driver module, allowing vold to load
and read it.

=== Denial messages ===
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:507): avc: denied { read } for name="incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:508): avc: denied { open } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:509): avc: denied { sys_module } for capability=16 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:510): avc: denied { module_load } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=system permissive=1

Test: manual
BUG: 147371381
Change-Id: I5bf4e28c28736b4332e7a81c344ce97ac7278ffb
2020-02-07 09:52:34 -08:00
Songchun Fan
020e3ab035 selinux rules for apk files installed with Incremental
Apk files installed with Incremental are actually stored under the
/data/incremental directory.

Since files under /data/incremental are labeled as apk_file_data, we
need additional permissions to enable an apk installation.

Denial messages:

=== vold ===
02-04 14:22:45.756   599   599 I Binder:599_3: type=1400 audit(0.0:607): avc: denied { read } for name="mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.756   599   599 I Binder:599_3: type=1400 audit(0.0:608): avc: denied { open } for path="/data/incremental/data_incremental_tmp_792314038/mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.760   599   599 I Binder:599_3: type=1400 audit(0.0:609): avc: denied { mounton } for path="/data/incremental/data_incremental_tmp_792314038/mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.766  1431  1431 I PackageInstalle: type=1400 audit(0.0:620): avc: denied { read write open } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/.index/f5c14952f6dde3b4a77a94e45388c012" dev="dm-5" ino=897 scontext=u:r:vold:s0
02-04 14:22:45.923  1431  1431 I PackageManager: type=1400 audit(0.0:637): avc: denied { write } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_5_0" dev="dm-5" ino=896 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:47.326  8839  8839 I android.vending: type=1400 audit(0.0:658): avc: denied { read write open } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_6_1/flipboard.app-KPIT2MBSpQYWG-USITOftw==/base.apk" dev="dm-5" ino=899 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:623): avc: denied { getattr } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:624): avc: denied { read } for name="vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:625): avc: denied { open } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:627): avc: denied { mounton } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1

02-04 15:32:02.386   591   591 I Binder:591_4: type=1400 audit(0.0:537): avc: denied { search } for name="incremental" dev="dm-5" ino=120 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1

=== system_app ===
02-04 14:22:45.793  5064  5064 I Binder:5064_1: type=1400 audit(0.0:633): avc: denied { write } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_5_0/base.apk" dev="dm-5" ino=899 scontext=u:r:system_app:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1

Test: manual
BUG: 133435829
Change-Id: I70f25a6e63dd2be87ccbe9fb9e9d50fa64d88c36
2020-02-07 16:34:42 +00:00
Automerger Merge Worker
2f146b705b Merge "Allow vold FS_IOC_{GET|SET}FLAGS ioctl." am: e7c8f0425d
Change-Id: I88d91fc14a268bcad16a0c5b99ace5e006ad54a5
2020-02-07 10:43:41 +00:00
Martijn Coenen
e7c8f0425d Merge "Allow vold FS_IOC_{GET|SET}FLAGS ioctl." 2020-02-07 10:29:14 +00:00
Automerger Merge Worker
b504189120 Merge "sepolicy: rename use_smart_90_for_video -> use_content_detection_for_refresh_rate" am: 3d44d91d0b
Change-Id: I0892aba0f22011f86bba6a6c2251cd3129ee9038
2020-02-07 03:30:36 +00:00
Treehugger Robot
3d44d91d0b Merge "sepolicy: rename use_smart_90_for_video -> use_content_detection_for_refresh_rate" 2020-02-07 03:11:52 +00:00
Jerry Chang
5594f307c8 sepolicy: new prereboot_data_file type
This adds the type and permissions for dumping and appending prereboot
information.

Bug: 145203410
Test: Didn't see denials while dumping and appending prereboot info.
Change-Id: Ic08408b9bebc3648a7668ed8475f96a5302635fa
2020-02-07 10:22:47 +08:00
Nikita Ioffe
44f5ffca15 Add userspace_reboot_log_prop
These properties are used to compute UserspaceRebootAtom and are going to
be written by system_server. Also removed now unused
userspace_reboot_prop.

Test: builds
Bug: 148767783
Change-Id: Iee44b4ca9f5d3913ac71b2ac6959c232f060f0ed
2020-02-07 01:57:55 +00:00
Jeffrey Huang
b481e320a1 GpuService binder call StatsManagerService
This binder call is needed because we want to migrate
libstatspull to use StatsManagerService instead of Statsd.

The binder call to statsd can be removed after the migration.

Test: m -j
Bug: 148641240
Change-Id: Id1387a2cbe74ba8d84f4973c6e4d17c5e0b88009
2020-02-06 11:54:33 -08:00
Ady Abraham
5e81162741 sepolicy: rename use_smart_90_for_video -> use_content_detection_for_refresh_rate
Add a new entry for use_content_detection_for_refresh_rate that will
eventually replace the deprecated use_smart_90_for_video.

Change-Id: Iffe83fe0c7620f661228452495a02922f9662406
Test: play video and observe refresh rate
2020-02-06 19:23:52 +00:00