Commits · 45630ee965124dbdc73f02b4be0f253839a5cba6 · Werner Sembach / AndroidSystemSEPolicy

Jan 18, 2017

Merge "1-arg variant of hal_impl_domain" am: fa120106 · 45630ee9
Alex Klyubin authored 8 years ago
```
am: 379ce55b

Change-Id: Ibbe9f31d2df586b12f5cda7d49ba655ede42f822
```
45630ee9
service_context: split into platform and non-platform components. am: a058b569 · 0b0d7168
Sandeep Patil authored 8 years ago
```
am: 88fe61cd

Change-Id: Ic18f5e03886e8e3049e9b8f2148e8dd040dd6b26
```
0b0d7168
Merge "1-arg variant of hal_impl_domain" · 379ce55b
Alex Klyubin authored 8 years ago
```
am: fa120106

Change-Id: Ie16d45133ca244b408098b11f23fa64d8d6a3fd2
```
379ce55b
service_context: split into platform and non-platform components. · 88fe61cd
Sandeep Patil authored 8 years ago
```
am: a058b569

Change-Id: If71062f721f57462d6238248e77b6189669847ab
```
88fe61cd
Merge "1-arg variant of hal_impl_domain" · fa120106
Alex Klyubin authored 8 years ago

fa120106

1-arg variant of hal_impl_domain · b68cee25

Alex Klyubin authored 8 years ago

This improves readability and consistency for HAL implementation
domains which have only one implementation.

Test: No change to policy according to sesearch
Test: No change to which types are associated with haldomain according to "sepolicy-analyze <sepolicy file> attribute haldomain"
Bug: 34180936
Change-Id: Ice599ea4971cdfbd8b835b1fd02ad1e14c7a0386

b68cee25

service_context: split into platform and non-platform components. · a058b569

Sandeep Patil authored 8 years ago


Bug: 33746484
Test: Successfully boot with original service and property contexts.
      Successfully boot with split serivce and property contexts.

Change-Id: Ide67d37d85273c60b9e387e72fbeb87be6da306a
Signed-off-by: Sandeep Patil <sspatil@google.com>

a058b569

Jan 17, 2017

Group all HAL impls using haldomain attribute am: f41d89eb · bda2e5c7
Alex Klyubin authored 8 years ago
```
am: 06d17805

Change-Id: I29d2820e5be5f212b16c71df97a0ad58a03eb448
```
bda2e5c7
Group all HAL impls using haldomain attribute · 06d17805
Alex Klyubin authored 8 years ago
```
am: f41d89eb

Change-Id: I8f32e2e80fc7bfc08ce9fe3655968a8d7dfc94e8
```
06d17805

Group all HAL impls using haldomain attribute · f41d89eb

Alex Klyubin authored 8 years ago

This marks all HAL domain implementations with the haldomain attribute
so that rules can be written which apply to all HAL implementations.

This follows the pattern used for appdomain, netdomain and
bluetoothdomain.

Test: No change to policy according to sesearch.
Bug: 34180936
Change-Id: I0cfe599b0d49feed36538503c226dfce41eb65f6

f41d89eb

hal_audio: In binderized mode hal_audio needs access to IAllocator am: ddb52d82 · 49f86ce8
Mikhail Naganov authored 8 years ago
```
am: af57c85e

Change-Id: I171f0ef3e6f1f8d70de8ba5aeb8d82e7ca300636
```
49f86ce8
hal_audio: In binderized mode hal_audio needs access to IAllocator · af57c85e
Mikhail Naganov authored 8 years ago
```
am: ddb52d82

Change-Id: I724ff53a9709d53c02091838166092b5264eb23e
```
af57c85e

hal_audio: In binderized mode hal_audio needs access to IAllocator · ddb52d82

Mikhail Naganov authored 8 years ago

This is to ensure that hal_audio can access memory shared by
audioserver.

Bug: 34261005
Change-Id: I84103b0d4692fd10afc56846fb116fec6a7b3dc7

ddb52d82

Jan 14, 2017
- Merge "New SeLinux policy for fingerprint HIDL" am: 597a8a49 · d535e9c8
  Jim Miller authored 8 years ago
  
  am: 55c46c7c Change-Id: Ic6b3209dac49e9f149bf34f18d10a9081c6a0d7c
  d535e9c8
- Merge "New SeLinux policy for fingerprint HIDL" · 55c46c7c
  Jim Miller authored 8 years ago
  
  am: 597a8a49 Change-Id: I1a055e9dea9317b719ba6bb467679f2e51818755
  55c46c7c
- Merge "New SeLinux policy for fingerprint HIDL" · 597a8a49
  Treehugger Robot authored 8 years ago
  
  597a8a49
- Merge "hal_health: move system_file permissions to public/hal_health" am: 14658c93 · 8a1112de
  Sandeep Patil authored 8 years ago
  
  am: a76de201 Change-Id: Ia051957fe6a115e96161270f304c915b8d7b6b67
  8a1112de
- Merge "hal_health: move system_file permissions to public/hal_health" · a76de201
  Sandeep Patil authored 8 years ago
  
  am: 14658c93 Change-Id: I8a5ac00a41c1b66c8339b9a79d48c87af00800eb
  a76de201
- Merge "hal_health: move system_file permissions to public/hal_health" · 14658c93
  Treehugger Robot authored 8 years ago
  
  14658c93
Jan 13, 2017

New SeLinux policy for fingerprint HIDL · 54e0e5af

Jim Miller authored 8 years ago

Move from fingerprintd to new fingerprint_hal and update SeLinux policy.

Test: Boot with no errors related to fingerprint sepolicy
Bug: 33199080
Change-Id: Idfde0cb0530e75e705033042f64f3040f6df22d6

54e0e5af

add selinux policy for GNSS hal am: 953c4396 · e64bb0e8
Hridya Valsaraju authored 8 years ago
```
am: 67c5cdfd

Change-Id: Ie9f8de8bac96b5b8088f58ac54c3e76dd90c40ee
```
e64bb0e8
add selinux policy for GNSS hal · 67c5cdfd
Hridya Valsaraju authored 8 years ago
```
am: 953c4396

Change-Id: Ia67c8271cfd6641a117415d439ce1c75b63e2580
```
67c5cdfd

add selinux policy for GNSS hal · 953c4396

Hridya Valsaraju authored 8 years ago

The following are the avc denials that are addressed:

avc: denied { call } for pid=889 comm="system_server"
scontext=u:r:system_server:s0 tcontext=u:r:hal_gnss_default:s0
tclass=binder permissive=0

avc: denied { call } for scontext=u:r:hal_gnss_default:s0
tcontext=u:r:system_server:s0 tclass=binder permissive=0

avc: denied { read } for name="hw" dev="mmcblk0p43" ino=1837
scontext=u:r:hal_gnss_default:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

avc: denied { open } for path="/system/lib64/hw" dev="mmcblk0p43"
ino=1837 scontext=u:r:hal_gnss_default:s0
tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

Bug:31974439

Test: Checked that there no more related avc denial messages related to
the GNSS HAL in dmesg.

Change-Id: I5b43dc088017a5568dd8e442726d2bf52e95b1d5

953c4396

Auditing init and ueventd access to chr device files. am: 9e7a5b0a · a5f41c38
Max Bires authored 8 years ago
```
am: 845a8e80

Change-Id: Ida5c1667e23b991c803b6fe141e40fb510dc9746
```
a5f41c38
Auditing init and ueventd access to chr device files. · 845a8e80
Max Bires authored 8 years ago
```
am: 9e7a5b0a

Change-Id: Ice41f3c804a4dd0aad058e39a2a8a0bcff80eb5a
```
845a8e80

Auditing init and ueventd access to chr device files. · 9e7a5b0a

Max Bires authored 8 years ago

It seems likely that there is no reason to keep around a number of
devices that are configured to be included into the pixel kernels. Init
and ueventd should be the only processes with r/w access to these
devices, so auditallow rules have been added to ensure that they aren't
actually used.

/dev/keychord was given its own type since it's one of the few character
devices that's actually legitimately used and would cause log spam in
the auditallow otherwise.

Bug: 33347297
Test: The phone boots without any apparent log spam.

Change-Id: I3dd9557df8a9218b8c802e33ff549d15849216fb

9e7a5b0a

Allow debuggerd to access native tests am: 926dc331 · d6af2cbd
Myles Watson authored 8 years ago
```
am: 82a8f40c

Change-Id: Ib4381b68788d5b8bd768d5a39cb4f914e51a1856
```
d6af2cbd
Allow debuggerd to access native tests · 82a8f40c
Myles Watson authored 8 years ago
```
am: 926dc331

Change-Id: I0ea98702d907e04d0fe1f3af242e0ec4a0712582
```
82a8f40c

Merge commit '' into... · 715b3112

Xin Li authored 8 years ago

Merge commit 'adf210d6' into nougat-mr1-cts-dev am: 48c63657 am: f9181a2e
am: 0cab2a17

Change-Id: If365e1a87d47a3c56c7214fe3eaa78bd8d303746

715b3112

Merge commit 'adf210d6' into nougat-mr1-cts-dev am: 48c63657 · 0cab2a17
Xin Li authored 8 years ago
```
am: f9181a2e

Change-Id: I46ffea21cccb896ef17d8434b009db263ba70e6e
```
0cab2a17
Merge commit 'adf210d6' into nougat-mr1-cts-dev · f9181a2e
Xin Li authored 8 years ago
```
am: 48c63657

Change-Id: I6e38561883d6a898cb0a719d10b6f2726a947354
```
f9181a2e

Merge commit '' into · 48c63657

Xin Li authored 8 years ago

nougat-mr1-cts-dev

(The change is already present as 320a0f54).

BUG: 33090058
Change-Id: I2451c334d3a1a42d2d5a46f8f6d22dc5d503f034

48c63657

Jan 12, 2017
- Allow debuggerd to access native tests · 926dc331
  Myles Watson authored 8 years ago
  
  Test: run a gtest in /data/nativetest/ with no permission denial Change-Id: Id644ed7dbea59becaf84b6073c9144711ad07c10
  926dc331
- Merge "Remove support for legacy f_adb interface." am: d5db9de5 · c9abee95
  Josh Gao authored 8 years ago
  
  am: 4749f6e8 Change-Id: I44bac7413170102a4bd35dfdc01d36f55e1f0b79
  c9abee95
- Merge "Remove support for legacy f_adb interface." · 4749f6e8
  Josh Gao authored 8 years ago
  
  am: d5db9de5 Change-Id: I47d4498737a339c3cc05296db19a79a591dbe0eb
  4749f6e8
- Merge "Remove support for legacy f_adb interface." · d5db9de5
  Josh Gao authored 8 years ago
  
  View commits for tag android-n-mr2-preview-1 android-n-mr2-preview-1
  
  d5db9de5
- Merge "Move ephemeral_app policy to private" am: 1b7512a1 · 379cb28b
  Alex Klyubin authored 8 years ago
  
  am: 398249a6 Change-Id: I00f2cd2807593b9ed6b1eec97d729908b641d083
  379cb28b
- Merge "Move ephemeral_app policy to private" · 398249a6
  Alex Klyubin authored 8 years ago
  
  am: 1b7512a1 Change-Id: I713efb431275bfc4307b43f35dbb44965ccc0a84
  398249a6
- Merge "Move ephemeral_app policy to private" · 1b7512a1
  Treehugger Robot authored 8 years ago
  
  1b7512a1
- hal_health: move system_file permissions to public/hal_health · 07c75b17
  Sandeep Patil authored 8 years ago
  
  Bug: 34231014 Test: Boot angler to ensure no additional denials are reported. Change-Id: Ic2372d55f7072c65e7ea17036a8eb40dc531d60e Signed-off-by: Sandeep Patil <sspatil@google.com>
  07c75b17