path: root/sepolicy
Age  |  Commit message  |  Author
2021-10-19  Revert "Revert^2 "Add the 'bdev_type' attribute to all block devices""  [tags: android-s-v2-preview-2, android-s-v2-preview-1, android-s-v2-beta-2, android-s-v2-preview-1]  Bart Van Assche

    This reverts commit c4af45caa3cdc91c236a59ae2058968732734c8c.

    Reason for revert: Restore this patch since it was not necessary to revert this patch.

    Bug: 202520796
    Change-Id: Ieb3346ecc604f4365dcace125072c1927c7a647c
2021-10-19  Revert^2 "Add the 'bdev_type' attribute to all block devices"  Michał Brzeziński

    a349fb7f9640f6160e3f9cbd718d5c6bfe932ff4

    Change-Id: I23bf1aa53750c5b313bfb421ef008acbd40da313
2021-10-08  Revert "Add the 'bdev_type' attribute to all block devices"  Bart Van Assche

    Revert this patch since the bdev_type and sysfs_block_type SELinux attributes are being removed.

    Bug: 202520796
    Test: Untested.
    Change-Id: I1f1ca439b4b45b2691b482a93f8d550bf4544aca
    Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-08-13  Add the 'bdev_type' attribute to all block devices  Bart Van Assche

    The following patch iterates over all block devices:
    https://android-review.googlesource.com/c/platform/system/core/+/1783847/9

    The following patch grants 'init' and 'apexd' permission to iterate over all block devices:
    https://android-review.googlesource.com/c/platform/system/sepolicy/+/1783947

    The above SELinux policy change requires to add the 'bdev_type' attribute to all block devices. Hence this patch.

    Bug: 194450129
    Test: Untested.
    Change-Id: Ibdeb66a892ded5e602c4cdead1183b087aeefc62
    Signed-off-by: Bart Van Assche <bvanassche@google.com>
2020-12-15  Fix selinux denials  Inseob Kim

    This removes rules causing build failure due to neverallow.

    Bug: 170082975
    Test: m selinux_policy
    Test: selinux enforcement is disabled
    Change-Id: Ia85042c30d7b42f3da169cb32fb3c527d54f0e43
2020-10-21  poplar: remove sepolicy/proc_net.te  Maciej Żenczykowski

    No longer needed after:
    https://android-review.googlesource.com/c/platform/system/sepolicy/+/1468206/
    public/file.te: add 'allow proc_net proc:filesystem associate'

    Bug: 145579144
    Bug: 170265025
    Test: treehugger will
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: Ia8f5876e1019f5ce88cbed60acdee7edf0475dee
2020-09-14  Attach vendor_property_type to properties  Inseob Kim

    We are going to enforce that each property has an explicit owner, such as system, vendor, or product. This attaches vendor_property_type to properties defined under vendor sepolicy directories.

    Bug: 159097992
    Test: lunch poplar-userdebug; m selinux_policy
    Change-Id: I96a7c63aa97413b958a9395ff035aa1a203a7582
2020-01-24  netd does not require and should not have SYS_ADMIN nor module loading privs  [tag: android-r-preview-1]  Maciej Żenczykowski

    Any required functionality should be built into the kernel.

    Test: NA
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: Ide42a95a36707a2fec3b641cbdcacfbc44a16d3d
    (cherry picked from commit c3199dc0cdc1a658fce75d11694c21fd990948a9)
2018-11-27  Drop cpuctl_device type from sepolicy  Shawn Guo

    Commit d918c8df783e ("Remove redundant cgroup type/labelings.") in project system/sepolicy/ removes cpuctl_device type and causes SELinux compilation on Poplar.

        device/linaro/poplar/sepolicy/untrusted_app.te:21:ERROR 'unknown type cpuctl_device' at token ';' on line 48537:
        tombstone_data_file }:dir { getattr read search };
        usb_device
        checkpolicy: error(s) encountered while parsing configuration

    Let's drop cpuctl_device type from Poplar sepolicy to fix the error.

    Change-Id: Ia74b4a36ce10fef823d2b39f81db613f03753e90
    Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
2018-10-24  poplar: Fix SELinux compilation problem  Dmitry Shmidt

        (or line 12493 of policy.conf) violated by allow vndservicemanager service_contexts_file:file { read getattr open };
        libsepol.check_assertions: 1 neverallow failures occurred

    Test: make -j24
    Change-Id: Id7fbbfc0ab99ef1386f49194dfa387a70caeef3e
    Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2018-08-22  Fix sepolicy neverallow failures with hi_overlay_file and vendor_file  Shawn Guo

    Poplar build is broken as below due to the merge of "neverallow fwk access to /vendor" in system/sepolicy repository.

        libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow platform_app hi_overlay_file:file { read getattr open };
        libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow priv_app vendor_file:file { read getattr open };
        libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow bootanim hi_overlay_file:file { read getattr open };
        libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow surfaceflinger hi_overlay_file:file { read getattr open };
        libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow system_app vendor_file:file { read getattr open };
        libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow platform_app vendor_file:file { read getattr open };
        libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow priv_app hi_overlay_file:file { read getattr open };
        libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow system_app hi_overlay_file:file { read getattr open };
        libsepol.check_assertions: 8 neverallow failures occurred

    Let's update Poplar sepolicy to fix the failures and get build pass.

    Change-Id: I6e47077e2bc36952f897cdace0b90caf2201838b
2018-07-16  poplar: Cumulative patch from commit 6d860e7  Dmitry Shmidt

    6d860e7 (origin/master, origin/HEAD) poplar: use vendor prebuilt wifi files
    2de4ee5 wifi: add capabilities for wpa_supplicant
    46ac944 poplar: create an optee folder for OP-TEE files
    9411998 poplar: move hiavplayer.rc into vendor folder
    e19a218 poplar: rename rootfs to vendor
    fdb3113 BoardConfig.mk: add printk.devkmsg=on to BOARD_KERNEL_CMDLINE
    da84bb1 init.poplar.rc: setprop service.adb.tcp.port 5555
    ad56c8a Revert "WIP: temporarily disable bluetooth"
    28e4d5e bt: add ro.boot.btmacaddr property and chmod of rtkbt_dev
    363a2e4 wifi: enable wifi HAL support
    958edb7 wifi: remove use of rtl8822bu module
    fe5024d audio: add include of <unistd.h> to fix usleep warnings
    6e36a97 device.mk: add Launcher2 package
    4673aee WIP: temporarily disable bluetooth
    8b6fdda poplar: remove obsolete self-extractors
    b8b039f poplar: switch from add_lunch_combo to COMMON_LUNCH_CHOICES
    acd1ef6 poplar: enable full treble support
    d6df05c audio: update Android.mk for treble support
    d9a9261 audio: include <log/log.h> instead of <cutils/log.h>
    1f6821d device.mk: use TARGET_COPY_OUT_VENDOR for feature declarations
    9b9a1a7 device.mk: clean up newlines and backslash
    29db545 device.mk: build soundtrigger package for audio support
    3d4498f device.mk: add ro.config.build.name property
    fdb44d6 manifest: update manifest file for treble support
    d0cc662 ueventd.poplar.rc: add hi_gfx2d device node back
    ccc635e sepolicy: sync up selinux policy with Hisilicon development
    2c391e5 sepoilcy: remove 'x' attribute from .te files
    44c53b7 fstab.poplar: remove system and vendor mount
    6b21fe2 fstab.poplar: use by-name symlinks instead of by-num
    1e3bd67 poplar: add bt/wifi files and configurations
    93bf7a1 device.mk: move BT section close to Wifi

    Bug: 110793466
    Test: Manual
    Change-Id: If7db092bbed239ea83287fcf294b7d70c53e04b5
    Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>