Commits · 1b70d8961026d1fe29f4213909a603f6822c979a · Werner Sembach / AndroidSystemSEPolicy

Jun 03, 2017
- Merge "Add OWNERS in system/sepolicy" am: e77d9eea am: 05121724 · 1b70d896
  Chih-Hung Hsieh authored 7 years ago
  
  am: 7a31444a Change-Id: I71e33a0923e9f17c35b91172c81612d420a10c0b
  1b70d896
- Merge "Add OWNERS in system/sepolicy" am: e77d9eea · 7a31444a
  Chih-Hung Hsieh authored 7 years ago
  
  am: 05121724 Change-Id: I6c8f336aed4833d6c9f9765a8768bba4b496a40e
  7a31444a
- Merge "Add OWNERS in system/sepolicy" · 05121724
  Chih-Hung Hsieh authored 7 years ago
  
  am: e77d9eea Change-Id: I3e4c83d962b1a4c9fbfba83ffd0df5fc8d59c8fc
  05121724
- Merge "Add OWNERS in system/sepolicy" · e77d9eea
  Treehugger Robot authored 7 years ago
  
  e77d9eea
- Add OWNERS in system/sepolicy · bd83bdf8
  Chih-Hung Hsieh authored 7 years ago
  
  Owners are selected from top CL approvals or owners. They will be suggested to review/approve future CLs. Test: build/make/tools/checkowners.py -c -v OWNERS Change-Id: I3d7f4c06209c22dea0d824429d68997f7179985f
  bd83bdf8
- crash_dump_fallback: allow dumpstate:fd use. am: 17885f14 am: a3a8a3a0 · bef02a9e
  Josh Gao authored 7 years ago
  
  am: 8714f9e0 Change-Id: I669acdf32d54f9456268d3bfe43e1a114f3b96fd
  bef02a9e
- Merge "crash_dump_fallback: allow dumpstate:fd use." into oc-dev · dbf8d028
  Josh Gao authored 7 years ago
  
  am: f378708c Change-Id: Ia51ea7ccf0974ed1bacfea950571c6e10ed2b1bf
  dbf8d028
- crash_dump_fallback: allow dumpstate:fd use. am: 17885f14 · 8714f9e0
  Josh Gao authored 7 years ago
  
  am: a3a8a3a0 Change-Id: I63084a04ffe9d88aa6aadf5fbb9b7baa98ff3e35
  8714f9e0
- Merge "crash_dump_fallback: allow dumpstate:fd use." into oc-dev · f378708c
  Josh Gao authored 7 years ago
  
  f378708c
Jun 02, 2017

crash_dump_fallback: allow dumpstate:fd use. · a3a8a3a0
Josh Gao authored 7 years ago
```
am: 17885f14

Change-Id: I46546950720c4d3fa907f32a2af9ab42caa448ba
```
a3a8a3a0

crash_dump_fallback: allow dumpstate:fd use. · 2a00056a

Josh Gao authored 7 years ago

Bug: http://b/62297059
Test: mma
Merged-In: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
Change-Id: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
(cherry picked from commit 17885f14)

2a00056a

crash_dump_fallback: allow dumpstate:fd use. · 17885f14
Josh Gao authored 7 years ago
```
Bug: http://b/62297059
Test: mma
Change-Id: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
```
17885f14

Jun 01, 2017
- Merge "Add missing sepolicies for OemLock HAL." into oc-dev · 39a81fd5
  Andrew Scull authored 7 years ago
  
  am: 60e4fd9d Change-Id: I1628907aeb743c3cb0938e7993237206523fdeb5
  39a81fd5
- Merge "Add missing sepolicies for the Weaver HAL." into oc-dev · e8d4bec7
  Andrew Scull authored 7 years ago
  
  am: cd267450 Change-Id: I20479829d542df345275c0c2b4512788a30fba4c
  e8d4bec7
- Merge "Add missing sepolicies for OemLock HAL." into oc-dev · 60e4fd9d
  TreeHugger Robot authored 7 years ago
  
  60e4fd9d
- Merge "Add missing sepolicies for the Weaver HAL." into oc-dev · cd267450
  TreeHugger Robot authored 7 years ago
  
  cd267450
- resolve merge conflicts of e664e80a to oc-dev-plus-aosp · 911e236a
  Neil Fuller authored 7 years ago
  
  Test: I solemnly swear I tested this conflict resolution. Change-Id: Icadf7c72ad173c134d3e95bb5b93c2b54b1b703e
  911e236a
- Merge "allow modprobe to load signed kernel modules" into oc-dev · 06a4b61b
  Steve Muckle authored 7 years ago
  
  am: fc1d8d99 Change-Id: Id41f7097fd0a48739293d4f8f06f296d0f189684
  06a4b61b
- Merge "allow modprobe to load signed kernel modules" into oc-dev · fc1d8d99
  TreeHugger Robot authored 7 years ago
  
  fc1d8d99
- Allow bootctl HAL to access misc block device. · 7c4f46b5
  Andrew Scull authored 7 years ago
  
  am: b0d59450 Change-Id: If85613b84aecf43b0519bb933d925eb1829e3d5e
  7c4f46b5
- Merge "Enable the TimeZoneManagerService" am: 34b4b737 · e664e80a
  Neil Fuller authored 7 years ago
  
  am: 2ff75628 Change-Id: I66cf4111e4d17e698cea7c8dc44d3294ce20a4ac
  e664e80a
- Merge "Enable the TimeZoneManagerService" · 2ff75628
  Neil Fuller authored 7 years ago
  
  am: 34b4b737 Change-Id: If25147ce3439abd0ab4a3abc1e330b373e43d9cb
  2ff75628
- allow modprobe to load signed kernel modules · 53add31a
  Steve Muckle authored 7 years ago
  
  Modprobe requires this permission or the following denial will prevent loading of signed kernel modules: audit: type=1400 audit(27331649.656:4): avc: denied { search } for pid=448 comm="modprobe" scontext=u:r:modprobe:s0 tcontext=u:r:kernel:s0 tclass=key permissive=0 Bug: 62256697 Test: Verified signed module loading on sailfish. Change-Id: Idde41d1ab58e760398190d6686665a252f1823bb
  53add31a
- Merge "Enable the TimeZoneManagerService" · 34b4b737
  Treehugger Robot authored 7 years ago
  
  View commits for tag android-o-preview-3 android-o-preview-3
  
  34b4b737
- Enable the TimeZoneManagerService · ca595e11
  Neil Fuller authored 8 years ago
  
  Add policy changes to enable a new service. The service is currently switched off in config, but this change is needed before it could be enabled. Bug: 31008728 Test: make droid Merged-In: I29c4509304978afb2187fe2e7f401144c6c3b4c6 Change-Id: I29c4509304978afb2187fe2e7f401144c6c3b4c6
  ca595e11
May 31, 2017

Allow bootctl HAL to access misc block device. · b0d59450

Andrew Scull authored 7 years ago

This is sometimes used for communication with the bootloader.

Bug: 62052545
Test: Build
Change-Id: I3ae37793407719e55ab0830129aa569c9018f7da

b0d59450

Add missing sepolicies for OemLock HAL. · 475954da
Andrew Scull authored 7 years ago
```
Bug: 38232801
Test: Build

Change-Id: Iccc16430e7502bb317f95bb2a5e2f021d8239a00
```
475954da
Add missing sepolicies for the Weaver HAL. · a939c432
Andrew Scull authored 7 years ago
```
Bug: 38233550
Test: Build
Change-Id: I7c2105d5f215a60a611110640afff25fc3403559
```
a939c432
SEPolicy: Allow app / system_server to write to dumpstate pipes. am: a34781ae am: 32c7000e · bf7a5bd6
Narayan Kamath authored 7 years ago
```
am: b25e8823

Change-Id: I778011a48800ace4d865813b148efcdd88d166bb
```
bf7a5bd6
SEPolicy: Allow app / system_server to write to dumpstate pipes. am: a34781ae · b25e8823
Narayan Kamath authored 7 years ago
```
am: 32c7000e

Change-Id: I57d3af7a930f77be74feba88d9875c9b5b90ab7c
```
b25e8823
SEPolicy: Allow app / system_server to write to dumpstate pipes. · 32c7000e
Narayan Kamath authored 7 years ago
```
am: a34781ae

Change-Id: Ic4103ff418e69f000198bb588f0cfccc578ba324
```
32c7000e
Merge "SEPolicy: Changes for new stack dumping scheme." into oc-dev-plus-aosp · 6d9f42f0
TreeHugger Robot authored 7 years ago

6d9f42f0

SEPolicy: Allow app / system_server to write to dumpstate pipes. · a34781ae

Narayan Kamath authored 7 years ago

tombstoned allows dumpstate to install "intercepts" to java trace
requests for a given process. When an "intercept" is installed, all
trace output is redirected to a pipe provided by dumpstate instead
of the default location (usually in /data/anr or /data/tombstone).

Note that these processes are already granted "write" and "getattr"
on dumpstate:fifo_file in order to communicate with dumpstate; this
change adds "append" to the existing set of permissions.

Bug: 32064548
Test: manual
Change-Id: Iccbd78c59071252fef318589f3e55ece51a3c64c

a34781ae

SEPolicy: Changes for new stack dumping scheme. am: e628cb5b am: 5e8fe834 · a7d87b94
Narayan Kamath authored 7 years ago
```
am: 51a01817  -s ours

Change-Id: I4ecaa2194614148b4b50245e6250bdde02206160
```
a7d87b94

SEPolicy: Changes for new stack dumping scheme. · f194aad2

Narayan Kamath authored 7 years ago

Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

(cherry picked from commit 11bfcc1e)

Change-Id: Icc60d227331c8eee70a9389ff1e7e78772f37e6f

f194aad2

SEPolicy: Changes for new stack dumping scheme. am: e628cb5b · 51a01817
Narayan Kamath authored 7 years ago
```
am: 5e8fe834

Change-Id: Ibfe717b42fc26da2ec7876143b8cf0445a20eaec
```
51a01817
SEPolicy: Changes for new stack dumping scheme. · 5e8fe834
Narayan Kamath authored 7 years ago
```
am: e628cb5b

Change-Id: If2ce6fbf2b897d58da78430a7bae0fd6fb6e5a49
```
5e8fe834

SEPolicy: Changes for new stack dumping scheme. · e628cb5b

Narayan Kamath authored 7 years ago

Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

Merged-In: I70a3e6e230268d12b454e849fa88418082269c4f
Change-Id: Ib4b73fc130f4993c44d96c8d68f61b6d9bb2c7d5

e628cb5b

May 30, 2017
- Allow ephemeral apps to find media.drm · 19e71b7b
  Chad Brubaker authored 7 years ago
  
  am: d2b3a454 Change-Id: I1ba8e73e1a004b654bc32dd6520b1e41ec3bc9cf
  19e71b7b
- Allow ephemeral apps to find media.drm · d2b3a454
  Chad Brubaker authored 7 years ago
  
  Bug: 62102558 Test: see b/62102558 Change-Id: If80d1270bcf6835e6d1a78e2176c3e139cebd174
  d2b3a454