23430 Commits

Author SHA1 Message Date
Automerger Merge Worker
f35884b84f Allow apps to use mmap on fuse fds. am: 975215578f
Change-Id: I5bc9dc24cb69563fd131991381dc8abc575fde8b
2020-03-05 04:45:17 +00:00
Sudheer Shanka
975215578f Allow apps to use mmap on fuse fds.
This is needed for the following denial:
type=1400 audit(0.0:124): avc: denied { map } for
comm=54696D652D6C696D69746564207465 path="/mnt/appfuse/10182_2/2"
dev="fuse" ino=2 scontext=u:r:untrusted_app:s0:c182,c256,c512,c768
tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0

Bug: 150801745
Test: atest CtsBlobStoreTestCases:com.android.cts.blob.BlobStoreManagerTest#testOpenBlob -- --abi x86
Merged-In: Ib7ca64e11b24f8835874698df15a9a0fdce67454
Change-Id: I4dc4ce91da3513a2d1f08ada401741f6d5a090c3
2020-03-04 17:21:18 -08:00
Automerger Merge Worker
3c777ae94c Merge "Allow gsid to callback system server for oneway method" am: 4e47834266
Change-Id: Ia8f911d46f4b7bf8e98cb4fcfdbf6a41fa0bb131
2020-03-04 09:34:59 +00:00
Howard Chen
4e47834266 Merge "Allow gsid to callback system server for oneway method" 2020-03-04 09:16:47 +00:00
Automerger Merge Worker
8c0a066211 Merge "vold: allow to set boottime prop" am: 94dc474264
Change-Id: Ifaeadbf36f4486af3d566f9be774fecc4d8b9d32
2020-03-03 00:47:32 +00:00
Jaegeuk Kim
94dc474264 Merge "vold: allow to set boottime prop" 2020-03-03 00:33:50 +00:00
Automerger Merge Worker
8b3a64da52 Merge "Add new apexd.status value of "activated"." am: f3f5163f0c
Change-Id: I0e854139d1d43a30c4e7507fc6cd09ce3ead707f
2020-03-02 10:33:47 +00:00
Oli Lan
f3f5163f0c Merge "Add new apexd.status value of "activated"." 2020-03-02 10:24:21 +00:00
Jaegeuk Kim
9c38162d28 vold: allow to set boottime prop
Bug: 149595111
Bug: 149844577
Bug: 138909685
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I46b8828569dd008944685a1f0c45cbddc4870002
2020-02-28 17:20:47 -08:00
Automerger Merge Worker
4d07ceb77c Whitelist prop persist.device_config.configuration. am: 1d9daf1c6e
Change-Id: Ibcc0621551b4094a01122fa3e97e41dbb2814edd
2020-02-28 18:12:35 +00:00
Hongyi Zhang
1d9daf1c6e Whitelist prop persist.device_config.configuration.
For system prop flags from DeviceConfig namespace "Configuration".

Test: Build and run on local device
Bug: 149420506

Change-Id: If4196b4bf231e7c52f98b92cc0031a08dad06120
2020-02-27 14:06:58 -08:00
Howard Chen
389bc7baec Allow gsid to callback system server for oneway method
Bug: 149790245
Bug: 149716497
Test: adb shell am start-activity \
    -n com.android.dynsystem/com.android.dynsystem.VerificationActivity \
    -a android.os.image.action.START_INSTALL \
    -d file:///storage/emulated/0/Download/system.raw.gz \
    --el KEY_SYSTEM_SIZE $(du -b system.raw|cut -f1) \
    --el KEY_USERDATA_SIZE 8589934592

Change-Id: I41c7b1278cfc103c90282b6a6781eab66fc9dcdb
2020-02-27 16:32:25 +08:00
Automerger Merge Worker
b55baf51eb Merge "Add resize2fs to fsck_exec file context" am: aa6dba2770
Change-Id: Iac634e675fd7c2d8091894177842b2eb9d5ab025
2020-02-27 03:21:11 +00:00
Keun-young Park
aa6dba2770 Merge "Add resize2fs to fsck_exec file context" 2020-02-27 03:02:02 +00:00
Automerger Merge Worker
1398f17b5e Merge "app: allow PROT_EXEC on ashmem objects" am: e2d909ae89
Change-Id: If7fccd01af17fbd097a12a47596b7199bb276ab0
2020-02-26 18:54:21 +00:00
Jeffrey Vander Stoep
e2d909ae89 Merge "app: allow PROT_EXEC on ashmem objects" 2020-02-26 18:36:55 +00:00
Automerger Merge Worker
377443a04d Merge "Allow kernel to write to update_engine_data_file" am: cc62c64eea
Change-Id: I22cde9f98a892947bc744b0345c6a755bf274632
2020-02-25 19:16:42 +00:00
Tianjie Xu
cc62c64eea Merge "Allow kernel to write to update_engine_data_file" 2020-02-25 19:06:43 +00:00
Jeff Vander Stoep
789ebf03ba app: allow PROT_EXEC on ashmem objects
This fixes a bug introduced in aosp/1143430 where the permission
should have been included for the newly introduced
ashmem_libcutils_device type.

Test: Build
Bug: 150193534
Change-Id: I5b1ed8d9548f9dab4ad9373f98e21614c07c3d38
2020-02-25 20:00:39 +01:00
Keun young Park
e6e5f32ea0 Add resize2fs to fsck_exec file context
- This allows init to access it.

Bug: 149039306
Test: Flash and confirm that file system can run resize2fs when metadata_csum is enabled.
Change-Id: Id91d8fb6800b254b12eaf93a0e8cb019b55d2702
2020-02-25 08:37:35 -08:00
Automerger Merge Worker
3e54bef43f Merge "Update automotive display service rules" am: d36a0750e4
Change-Id: Ia6ad5c66dd3a736f1af4d5d5cbe996487f3f7a20
2020-02-25 15:58:35 +00:00
Changyeon Jo
d36a0750e4 Merge "Update automotive display service rules" 2020-02-25 15:38:00 +00:00
Automerger Merge Worker
3b590980df Merge "Allow dumpstate to dump NNAPI HAL log on userbuild" am: fb9ff8d5b6
Change-Id: Ib617782e2a1e04546d3b4b39f7bf130e095b5762
2020-02-25 11:10:36 +00:00
Stefano Galarraga
fb9ff8d5b6 Merge "Allow dumpstate to dump NNAPI HAL log on userbuild" 2020-02-25 10:47:38 +00:00
Automerger Merge Worker
e45d2de45f Merge "allow priv_apps to read from incremental_control_file" am: bb4a0467f8
Change-Id: I98fa5f2bfaa72ec281e338c95abb1213ba5c534e
2020-02-25 10:30:45 +00:00
Treehugger Robot
bb4a0467f8 Merge "allow priv_apps to read from incremental_control_file" 2020-02-25 10:16:56 +00:00
Automerger Merge Worker
886b1f54db Merge "traced_perf sepolicy tweaks" am: f173b14363
Change-Id: Ia4fa23f9c76472ac214bc48342bcfc3c05ecc2f9
2020-02-25 04:29:50 +00:00
Treehugger Robot
f173b14363 Merge "traced_perf sepolicy tweaks" 2020-02-25 04:18:25 +00:00
Changyeon Jo
17b38d526d Update automotive display service rules
This change updates sepolicies for automotive display service to make it
available to the vendor processes.

Bug: 149017572
Test: m -j selinux_policy
Change-Id: I48708fe25e260f9302e02749c3777c0ca0d84e4b
Signed-off-by: Changyeon Jo <changyeon@google.com>
2020-02-25 02:02:54 +00:00
Automerger Merge Worker
403c7c3a57 Merge "Use prefixes for binder cache SELinux properties." am: 749e119053
Change-Id: Id67aea768d7f86a2cd409fd99dd25d0bbec8bb5f
2020-02-25 00:41:36 +00:00
Collin Fijalkovich
749e119053 Merge "Use prefixes for binder cache SELinux properties." 2020-02-25 00:24:46 +00:00
Songchun Fan
82ea55def0 allow priv_apps to read from incremental_control_file
Denial messages:

02-21 20:19:41.817  1439  1439 I Binder:1439_3: type=1400 audit(0.0:1851): avc: denied { read } for path=2F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-21 20:19:41.817 20337 20337 I Binder:20337_2: type=1400 audit(0.0:1852): avc: denied { getattr } for path=2F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 app=com.android.vending

Test: manual
Change-Id: Ie188f294ea2a6aff71a49a6f17679c3cf810b69d
2020-02-24 18:26:47 +00:00
Ryan Savitski
008465e5ec traced_perf sepolicy tweaks
* allow shell to enable/disable the daemon via a sysprop
* don't audit signals, as some denials are expected
* exclude zygote from the profileable set of targets on debug builds.
  I've not caught any crashes in practice, but believe there's a
  possibility that the zygote forks while holding a non-whitelisted fd
  due to the signal handler.

Change-Id: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
2020-02-24 12:23:13 +00:00
Automerger Merge Worker
344aaa983c Merge "Adding sepolicy of tuner resource manager service" am: 1ddfce5fc6
Change-Id: I93bf96159f411503e6421166b5875db65f05ae82
2020-02-23 04:02:38 +00:00
Amy Zhang
1ddfce5fc6 Merge "Adding sepolicy of tuner resource manager service" 2020-02-23 03:49:51 +00:00
Automerger Merge Worker
59fd2e98be Merge "sepolicy(wifi): Allow wifi service access to wifi apex directories" am: 0f6852b342
Change-Id: Icad94a647c7872df7a8fc7431fccee46a0cdc305
2020-02-22 04:17:25 +00:00
Roshan Pius
0f6852b342 Merge "sepolicy(wifi): Allow wifi service access to wifi apex directories" 2020-02-22 03:56:55 +00:00
Automerger Merge Worker
02c9702fba Merge "cut down bpf related privileges" am: 09d4bb5aa1
Change-Id: I6e6dc6ea1b4fb9cf79d6d5a74823a66acce3239a
2020-02-22 03:13:09 +00:00
Maciej Żenczykowski
09d4bb5aa1 Merge "cut down bpf related privileges" 2020-02-22 02:54:32 +00:00
Maciej Żenczykowski
49c73b06a2 cut down bpf related privileges
This is driven by 3 things:
  - netd no longer needs setattr, since this is now done by bpfloader
  - nothing should ever unpin maps or programs
  - generic cleanups and additional neverallows

Test: build, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I881cc8bf9fe062aaff709727406c5a51fc363c8e
2020-02-22 02:14:58 +00:00
Amy
3791549dc4 Adding sepolicy of tuner resource manager service
This is to allow adding the Tuner Resource Manager as a system service

Test: cuttlefish
Bug: 147380513
Change-Id: I3f61f2542c7fd934bb69dde08079f830196e2344
2020-02-21 23:33:46 +00:00
Collin Fijalkovich
b1b15013e9 Use prefixes for binder cache SELinux properties.
Adds a context for telephony related cache properties and changes
the bluetooth and system_server properties to match off of prefix
instead of exact string matches.

Test: Flashed phone with PowerManager caches enabled and verified
that the phone boots.

Change-Id: I9110192a12bb6222e49a8fb6b266d6067ef2ea92
2020-02-21 15:25:46 -08:00
Roshan Pius
8f84cc32a8 sepolicy(wifi): Allow wifi service access to wifi apex directories
Bug: 148660313
Test: Compiles
Change-Id: I4a973c4516fda5f96f17f82cd3a424b0ca89004b
2020-02-21 10:40:32 -08:00
Automerger Merge Worker
ba56249da9 sepolicy: policies for iorap.inode2filename am: e39f8d23ed
Change-Id: I79ef1e3a84a94fc8c34233a4c58ff9abb4c97f12
2020-02-21 16:27:14 +00:00
Automerger Merge Worker
76cd6f8ff8 Merge "Add adbd_prop, system_adbd_prop property types." am: b8c108e15f
Change-Id: Ifa7434a88ab72902166587c892b9dc466573ffdc
2020-02-21 00:41:57 +00:00
Igor Murashkin
e39f8d23ed sepolicy: policies for iorap.inode2filename
binary transitions are as follows:

iorapd (fork/exec) -> iorap.cmd.compiler (fork/exec) -> iorap.inode2filename

Bug: 117840092
Test: adb shell cmd jobscheduler run -f android 28367305
Change-Id: I4249fcd37d2c8cbdd0ae1a0505983cce9c7fa7c6
2020-02-20 16:38:17 -08:00
Joshua Duong
b8c108e15f Merge "Add adbd_prop, system_adbd_prop property types." 2020-02-21 00:28:48 +00:00
Automerger Merge Worker
b7749f2b1e Merge "Allow installd to read /proc/filesystems." am: 65edd48fe4
Change-Id: Ib8e23d67d81a464d37405fe409bd753cb3510681
2020-02-20 18:20:31 +00:00
Martijn Coenen
65edd48fe4 Merge "Allow installd to read /proc/filesystems." 2020-02-20 18:03:31 +00:00
Joshua Duong
18988fcce3 Add adbd_prop, system_adbd_prop property types.
service.adb.tls.port contains the adbd tcp port running the TLS server.
persist.sys.adb.wifi tells adbd when to enable the TLS server.

Bug: 149348431
Bug: 111434128

Test: Enable wireless debugging, check if TLS port information is
displayed in the Developer options > Wireless debugging.
Change-Id: I5b5c5a3d064bc003f41386ede9051609fefec53e
2020-02-20 07:52:34 -08:00