Commits · 15a9fbc277a83635548130bb3c27ac8ed562d413 · Werner Sembach / AndroidSystemSEPolicy

Apr 10, 2018
- Adding labeling for vendor security patch prop am: 5cac1aa9 · 15a9fbc2
  Max Bires authored 6 years ago
  
  am: ad3602d2 Change-Id: I034f2f2c9eab3667cfa92ea41b4b5f4afa1c7df7
  15a9fbc2
- Adding labeling for vendor security patch prop · ad3602d2
  Max Bires authored 6 years ago
  
  am: 5cac1aa9 Change-Id: I889d985e3a012545d15e3dd0f06b002682671157
  ad3602d2
Apr 09, 2018
- Adding labeling for vendor security patch prop · 5cac1aa9
  Max Bires authored 6 years ago
  
  This will allow adb shell getprop ro.vendor.build.security_patch to properly return the correct build property, whereas previously it was offlimits due to lack of label. Test: adb shell getprop ro.vendor.build.security_patch successfully returns whatever VENDOR_SECURITY_PATCH is defined to be in the Android .mk files Change-Id: Ie8427738125fc7f909ad8d51e4b76558f5544d49
  5cac1aa9
- whitelist test failure that bypassed presubmit · c16e920d
  Jeff Vander Stoep authored 6 years ago
  
  am: 2ccd99a5 Change-Id: I0e4eacb9cce9c995bf773176638a46af0e92af0a
  c16e920d
- whitelist test failure that bypassed presubmit · 2ccd99a5
  Jeff Vander Stoep authored 6 years ago
  
  avc: denied { read } for comm="batterystats-wo" name="show_stat" dev="sysfs" scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file Bug: 77816522 Test: build Change-Id: I50a9bfe1a9e4df9c84cf4b2b4aedbb8f82ac94cd
  2ccd99a5
- Merge "hal_health: allow to write kernel logs." am: d4dd2f57 · ab2b079d
  Yifan Hong authored 6 years ago
  
  am: e714c3b8 Change-Id: Ibf8b80dcca07f9a038c71ae0483ee025b27392fd
  ab2b079d
- Merge "hal_health: allow to write kernel logs." · e714c3b8
  Yifan Hong authored 6 years ago
  
  am: d4dd2f57 Change-Id: I5d027abc4455689d52284b59ae4d0d5bf7479299
  e714c3b8
- Merge "hal_health: allow to write kernel logs." · d4dd2f57
  Treehugger Robot authored 6 years ago
  
  d4dd2f57
- Revert "Add /sys/kernel/memory_state_time to sysfs_power." am: 12e73685 · 817d1472
  Alan Stokes authored 6 years ago
  
  am: 21066890 Change-Id: I7fc2111bde48cc78b2cec9a9ca17101ac69d823a
  817d1472
- Revert "Add /sys/kernel/memory_state_time to sysfs_power." · 21066890
  Alan Stokes authored 6 years ago
  
  am: 12e73685 Change-Id: Id5a3a8583d61559a9db7fae1e37a8124737f9696
  21066890
- [automerger skipped] Merge "Add shell:fifo_file permission for audioserver" am: dceea502 · 4d5a7638
  Mikhail Naganov authored 6 years ago
  
  am: dcedd5d5 -s ours Change-Id: Ie0e347d32ab0b5053646558a0eafe4ff83b83d22
  4d5a7638
- Merge "Add shell:fifo_file permission for audioserver" · dcedd5d5
  Mikhail Naganov authored 6 years ago
  
  am: dceea502 Change-Id: Ib35f55b8c0fc949dd92a727ad8a3987e2b9560d5
  dcedd5d5
- Revert "Add /sys/kernel/memory_state_time to sysfs_power." · 12e73685
  Alan Stokes authored 6 years ago
  
  This reverts commit db83323a. Reason for revert: breaks some builds due to duplicate genfs entries Change-Id: I47813bd84ff10074a32cf483501a9337f556e92a
  12e73685
- Merge "Add shell:fifo_file permission for audioserver" · dceea502
  Treehugger Robot authored 6 years ago
  
  dceea502
- Merge "Add /sys/kernel/memory_state_time to sysfs_power." am: cd61bc19 · 398d8e3f
  Alan Stokes authored 6 years ago
  
  am: 77a437c4 Change-Id: I748e2369562efbc473678ed206219ec81b580bb3
  398d8e3f
- Merge "Add /sys/kernel/memory_state_time to sysfs_power." · 77a437c4
  Alan Stokes authored 6 years ago
  
  am: cd61bc19 Change-Id: I6f61a5e8ca216ba997376cdea440c38cf6f71837
  77a437c4
- Merge "Add /sys/kernel/memory_state_time to sysfs_power." · cd61bc19
  Alan Stokes authored 6 years ago
  
  cd61bc19
- Installd doesn't need to create cgroup files. am: 06bac37f · 57be2eda
  Alan Stokes authored 6 years ago
  
  am: ebb2eff9 Change-Id: Iadf3fb254ed32af3a4cc192278bc431f37fb3f86
  57be2eda
- Installd doesn't need to create cgroup files. · ebb2eff9
  Alan Stokes authored 6 years ago
  
  am: 06bac37f Change-Id: I0b31f5d430a820fb71dcd55036ab955a53c2fe6a
  ebb2eff9
- Installd doesn't need to create cgroup files. · 06bac37f
  Alan Stokes authored 6 years ago
  
  cgroupfs doesn't allow files to be created, so this can't be needed. Also remove redundant neverallow and dontaudit rules. These are now more broadly handled by domain.te. Bug: 74182216 Test: Denials remain silenced. Change-Id: If7eb0e59f567695d987272a2fd36dbc251516e9f (cherry picked from commit 8e8c1093)
  06bac37f
- Add /sys/kernel/memory_state_time to sysfs_power. · db83323a
  Alan Stokes authored 7 years ago
  
  This allows system_server to access it for determining battery stats (see KernelMemoryBandwidthStats.java). batterystats-wo: type=1400 audit(0.0:429): avc: denied { read } for name="show_stat" dev="sysfs" ino=48071 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 72643420 Bug: 73947096 Test: Denial is no longer present. Change-Id: Ibe46aee48eb3f78fa5a9d1f36602c082c33036f7 (cherry picked from commit a8b3634d)
  db83323a
- Merge "Installd doesn't need to create cgroup files." into pi-dev · d3b70b8d
  Alan Stokes authored 6 years ago
  
  am: 956aba8f Change-Id: I18aaf1a24d9651ae16239e4ef50c90481d52ab3a
  d3b70b8d
- Merge "Add /sys/kernel/memory_state_time to sysfs_power." into pi-dev · 9b02a9b6
  Alan Stokes authored 6 years ago
  
  am: 404bd982 Change-Id: Ic9e82e7b1becf03cdbd520f53c1d6bdd9919225d
  9b02a9b6
- Merge "Installd doesn't need to create cgroup files." into pi-dev · 956aba8f
  Alan Stokes authored 6 years ago
  
  956aba8f
- Merge "Add /sys/kernel/memory_state_time to sysfs_power." into pi-dev · 404bd982
  Alan Stokes authored 6 years ago
  
  404bd982
Apr 07, 2018
- Merge "Add shell:fifo_file permission for audioserver" into pi-dev · 8ec0df96
  Mikhail Naganov authored 6 years ago
  
  am: 2a63d899 Change-Id: Ife3f656e0a535b695390a30fdcc11efb070dd2b4
  8ec0df96
- Merge "Add shell:fifo_file permission for audioserver" into pi-dev · 2a63d899
  TreeHugger Robot authored 6 years ago
  
  2a63d899
Apr 06, 2018

Add shell:fifo_file permission for audioserver · 05e12dba

Mikhail Naganov authored 6 years ago

Bug: 73405145
Test: cts-tradefed run cts -m CtsMediaTestCases -t android.media.cts.AudioRecordTest#testRecordNoDataForIdleUids
Change-Id: I09bdb74c9ecc317ea090643635ca26165efa423a
(cherry picked from commit c5815891)
Merged-In: I09bdb74c9ecc317ea090643635ca26165efa423a

05e12dba

Add shell:fifo_file permission for audioserver · c5815891

Mikhail Naganov authored 6 years ago

Bug: 73405145
Test: cts-tradefed run cts -m CtsMediaTestCases -t android.media.cts.AudioRecordTest#testRecordNoDataForIdleUids
Change-Id: I09bdb74c9ecc317ea090643635ca26165efa423a

c5815891

Merge "hal_health: allow to write kernel logs." into pi-dev · 2a0e2ee0
Yifan Hong authored 6 years ago
```
am: 9370b51a

Change-Id: I7b8c01edd9eb5008bce130ab067b4c723b1bf9c8
```
2a0e2ee0
Merge "hal_health: allow to write kernel logs." into pi-dev · 9370b51a
Yifan Hong authored 6 years ago

9370b51a
[automerger skipped] Grant traced_probes search on directories. · 48bb95ec
Florian Mayer authored 6 years ago
```
am: 269c9665  -s ours

Change-Id: I5956213b7ed56576d3457d2ea9e9b75322870946
```
48bb95ec

hal_health: allow to write kernel logs. · 5ef48cf8

Yifan Hong authored 6 years ago

This is originally allowed in healthd but the permission
was not transfered to health HAL. A typical health HAL
implementation is likely to write battery info to kernel
logs.

Test: device has battery kernel logs with health HAL
      but without healthd

Bug: 77661605

Change-Id: Ib3b5d3fe6bdb3df2a240c85f9d27b863153805d2

5ef48cf8

hal_health: allow to write kernel logs. · 306b2671

Yifan Hong authored 6 years ago

This is originally allowed in healthd but the permission
was not transfered to health HAL. A typical health HAL
implementation is likely to write battery info to kernel
logs.

Test: device has battery kernel logs with health HAL
      but without healthd

Bug: 77661605

Change-Id: Ib3b5d3fe6bdb3df2a240c85f9d27b863153805d2

306b2671

Allowing incidentd to get stack traces from processes. · 2becbd1d
Kweku Adams authored 6 years ago
```
am: 0fa3d276

Change-Id: I8a3f6721850cd03c112542f673576912273433fa
```
2becbd1d
Grant traced_probes search on directories. am: ff146962 · ead446ed
Florian Mayer authored 6 years ago
```
am: 1b433165

Change-Id: Icfea6a7041a010be502d31b4082e8bf242abf3de
```
ead446ed
Grant traced_probes search on directories. · 1b433165
Florian Mayer authored 6 years ago
```
am: ff146962

Change-Id: Ia7fac0ce2f9818d94c9b9f55e1e42f7bdd8cf462
```
1b433165

Grant traced_probes search on directories. · 269c9665

Florian Mayer authored 6 years ago

This is needed to be able to scan the labels we have
permission on.

Denial:

04-06 12:52:22.674   874   874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0

Bug: 73625480

cherry-picked from aosp/658243
Change-Id: I52f3865952004bfc6fe22c488d768276866f8ae1
Merged-In: I52f3865952004bfc6fe22c488d768276866f8ae1

269c9665

Grant traced_probes search on directories. · ff146962

Florian Mayer authored 6 years ago

This is needed to be able to scan the labels we have
permission on.

Denial:

04-06 12:52:22.674 874 874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0

Bug: 73625480

ff146962

Installd doesn't need to create cgroup files. · 8e8c1093

Alan Stokes authored 6 years ago

cgroupfs doesn't allow files to be created, so this can't be needed.

Also remove redundant neverallow and dontaudit rules. These are now
more broadly handled by domain.te.

Bug: 74182216

Test: Denials remain silenced.

Change-Id: If7eb0e59f567695d987272a2fd36dbc251516e9f

8e8c1093