Commits · 31a2de9bffa6418f743d5fbefb277cb6dae36495 · Werner Sembach / AndroidSystemSEPolicy

Mar 07, 2016

Allow applications to read cgroup objects. · 31a2de9b

Ruben Brunk authored 9 years ago

- Required to query cpusets information.

Bug: 22855417
Bug: 27381794
Bug: 27498731

Change-Id: I6d192aad2135d99a6c9cdaf97696b0822bd21897

31a2de9b

Mar 02, 2016
- Merge "delete obsolete aliases" into nyc-dev · b6480a5e
  Nick Kralevich authored 9 years ago
  
  b6480a5e
- Merge "Add NetworkTimeUpdateService" into nyc-dev · 79bb5d8f
  Fyodor Kupolov authored 9 years ago
  
  79bb5d8f
- delete obsolete aliases · c321186e
  Nick Kralevich authored 9 years ago
  
  no longer used nor desired. Change-Id: Iac447fb2291371caa4a8ec255db114d9f7ccdddb
  c321186e
- Allow netd to check permissions. · 5f376c1f
  Lorenzo Colitti authored 9 years ago
  
  Bug: 27239233 Change-Id: I82e3451542f08de67ad950223be90e37a2d3e899
  5f376c1f
- Revert "Revert "netd: restrict netd binder access to system_server"" · 9119f12e
  Lorenzo Colitti authored 9 years ago
  
  This reverts commit b5594c27. Bug: 27239233 Change-Id: I407a2f3a313f3de801080f9bae46f6bac1a803c2
  9119f12e
- Merge "Revert "netd: restrict netd binder access to system_server"" into nyc-dev · f723f5f9
  Lorenzo Colitti authored 9 years ago
  
  f723f5f9
- Revert "netd: restrict netd binder access to system_server" · b5594c27
  Lorenzo Colitti authored 9 years ago
  
  This reverts commit 54457959. Change-Id: Idfa0254e66f9517cc26af3c37441b47cbb984bca
  b5594c27
- Allow Phone to write cached ringtones. · 8c09b65d
  Jeff Sharkey authored 9 years ago
  
  avc: denied { write } for path="/data/system_de/0/ringtones/ringtone_cache" dev="mmcblk0p44" ino=1602501 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0 Bug: 27366059 Change-Id: I120a69ac4f58c64db6f169ae4f9942ce357b0b1f
  8c09b65d
Mar 01, 2016

Add SElinux policies to allow foreign dex usage tracking. · 837bc42f

Calin Juravle authored 9 years ago

This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide which apk should be fully compiled instead of
profile guide compiled.

Apps need only to be able to create (touch) files in this directory.
System server needs only to be able to check wheter or not a file with a
given name exists.

Bug: 27334750
Bug: 26080105

Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e

837bc42f

Feb 29, 2016

Allow bluetooth access to the tun device. · ba12da95

Nick Kralevich authored 9 years ago

Bluetooth uses the tun device for tethering. Allow access.

  STEPS TO REPRODUCE:
  0. Have two devices to test on, say Device A and Device B
  1. On Device A, Go to settings ->Bluetooth .
  2. Turn on the Bluetooth .
  3. Pair it with device B
  4. Tap on the paired device

  OBSERVED RESULTS:
  -Bluetooth share crash is observed with "Bluetooth share has stopped"
  error message
  -Unable to use Bluetooth tethering due to this issue

  EXPECTED RESULTS:
  No crash and Bluetooth devices should be able to connect for tethering

Addresses the following denial:

com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open }
for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs"
ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0
tclass=chr_file permissive=0

Bug: 27372573

(cherry picked from commit 9a1347ee)

Change-Id: Ibd16e48c09fe80ebb4f3779214de3b4806c12497

ba12da95

Feb 28, 2016

Merge "mediacodec: grant access to surfaceflinger" into nyc-dev · 50bcd148
Marco Nelissen authored 9 years ago

50bcd148

mediacodec: grant access to surfaceflinger · 6c53b23d

Marco Nelissen authored 9 years ago

avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:mediacodec:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager

Bug: 26990688
Change-Id: Ie7c5f6d879c286375eb52ef4c6b84726aa4f1ba2

6c53b23d

Feb 27, 2016

Don't allow permissive SELinux domains on user builds. · 3df1fda5

Nick Kralevich authored 9 years ago

It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.

In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.

A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:

  userdebug_or_eng(`
    permissive foo;
  ')

Bug: 26902605
Bug: 27313768

(cherry picked from commit bca98efa)

Change-Id: If6abe1fa70c79a1fccdbdd9ff273d92de7565a73

3df1fda5

Merge "Allow mediadrmserver to access media files" into nyc-dev · a395f875
Jeff Tinker authored 9 years ago

a395f875
Allow mediadrmserver to access media files · 05aa151c
Jeff Tinker authored 9 years ago
```
bug: 26782004
Change-Id: Ie3d9289d15446efa160550185a2d565e3be2980f
```
05aa151c

Add NetworkTimeUpdateService · 3d564e52

Fyodor Kupolov authored 9 years ago

NetworkTimeUpdateService has been registered as a system service, so that
its dump state can be included into bugreports.

Bug: 23983739
Change-Id: I0d364009ba4630dcfd1d22c647195e33eedaa4e0

3d564e52

Feb 26, 2016
- cameraserver: flip to enforcing mode · 3872ee39
  Jeff Vander Stoep authored 9 years ago
  
  Bug: 26982110 Change-Id: I551f8cc926886de0feaf065da46d3cf5bdf5cfb5
  3872ee39
Feb 25, 2016
- Merge "netd: restrict netd binder access to system_server" into nyc-dev · 47f8e1f0
  Jeffrey Vander Stoep authored 9 years ago
  
  47f8e1f0
Feb 24, 2016
- Merge "Add missing selinux permissions for mediacodec" into nyc-dev · e0323c63
  Marco Nelissen authored 9 years ago
  
  e0323c63
- Add missing selinux permissions for mediacodec · ebf79f88
  Marco Nelissen authored 9 years ago
  
  Bug: 27305063 Change-Id: Ie9ac3fb971dbb989d7b26421e076139d3f48a916
  ebf79f88
- netd: restrict netd binder access to system_server · 54457959
  Jeff Vander Stoep authored 9 years ago
  
  neverallow access to other domains. Bug: 27239233 Change-Id: I503d1be7308d0229db1cbe52cd511f7f40afa987
  54457959
- Merge "Restore audio tee sink" into nyc-dev · a33fbb3c
  Glenn Kasten authored 9 years ago
  
  a33fbb3c
- Merge "audioserver: Build up least privileged policy" into nyc-dev · bb7154da
  Jeffrey Vander Stoep authored 9 years ago
  
  bb7154da
- Merge "Label /proc/meminfo." into nyc-dev · edbe1a98
  Daniel Cashman authored 9 years ago
  
  edbe1a98
- Merge "Rename the netd service from "android.net.INetd" to "netd"." into nyc-dev · 84cc52c5
  Lorenzo Colitti authored 9 years ago
  
  84cc52c5
- Label /proc/meminfo. · 971aeeda
  dcashman authored 9 years ago
  
  Address the following denial: m.chrome.canary: type=1400 audit(0.0:15): avc: granted { read open } for path="/proc/meminfo" dev="proc" ino=4026544360 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file Bug: 22032619 Chromium Bug: 586021 Change-Id: I584345c84d870c313da69ec97a0b1e54c0eb9ee1
  971aeeda
- Restore audio tee sink · 962e3a6a
  Glenn Kasten authored 9 years ago
  
  Bug: 27323882 Change-Id: Idf3977d74817c4f90f9e993d2e1e5302cc56f41d
  962e3a6a
Feb 23, 2016
- audioserver: Build up least privileged policy · 23eef195
  Jeff Vander Stoep authored 9 years ago
  
  Remove all permissions not observed during testing. Remove domain_deprecated Bug: 27064332 Change-Id: Ie154af70aaf255721b46d29357e48d5337020b4b
  23eef195
- Merge "Enable recovery to read batteryinfo." into nyc-dev · 91fc6632
  Yabin Cui authored 9 years ago
  
  91fc6632
- Merge "Offer to cache ringtones in system DE storage." into nyc-dev · 6fb97cd5
  Jeff Sharkey authored 9 years ago
  
  6fb97cd5
- Offer to cache ringtones in system DE storage. · 62bb52c4
  Jeff Sharkey authored 9 years ago
  
  Ringtones often live on shared media, which is now encrypted with CE keys and not available until after the user is unlocked. To improve the user experience while locked, cache the default ringtone, notification sound, and alarm sound in a DE storage area. Also fix bug where wallpaper_file wasn't getting data_file_type. Bug: 26730753 Change-Id: Ib1f08d03eb734c3dce91daab41601d3ed14f4f0d
  62bb52c4
- Merge "Allow access to the daydream ("dreams") service." into nyc-dev · 0a5f3d46
  Daniel Sandler authored 9 years ago
  
  0a5f3d46
- Enable recovery to read batteryinfo. · 1ca0670c
  Yabin Cui authored 9 years ago
  
  Bug: 26879394 Change-Id: I09ac9027ca343e00488dedab8df1687fd32bb255 (cherry picked from commit 6b843bcf)
  1ca0670c
- Allow access to the daydream ("dreams") service. · 00004ba1
  Dan Sandler authored 9 years ago
  
  Bug: 26804329 Change-Id: I7b789c6fe8411e3a4a718da86d442a0f48c5c310
  00004ba1
- Rename the netd service from "android.net.INetd" to "netd". · 62343fe2
  Lorenzo Colitti authored 9 years ago
  
  Bug: 27239233 Change-Id: Icc9d14008d2ff6334a8ec66805f7289aedd5d97d
  62343fe2
- Merge "Allow the framework to communicate with netd via a binder service" into nyc-dev · a92c7fe3
  Lorenzo Colitti authored 9 years ago
  
  a92c7fe3
- Merge "Permit bluetooth to run DhcpClient" into nyc-dev · 12aac021
  Erik Kline authored 9 years ago
  
  12aac021
Feb 22, 2016
- Allow logd.auditd to reboot to safe mode · f40afcb1
  Sami Tolvanen authored 9 years ago
  
  Bug: 26902605 Change-Id: Ica825cf2af74f5624cf4091544bd24bb5482dbe7 (cherry picked from commit 9c168711)
  f40afcb1
- Merge "ioctls: move commonly used tty ioctls to macro" into nyc-dev · 60185758
  Jeffrey Vander Stoep authored 9 years ago
  
  60185758