Commits · 47e2f081095716fad009ba115eb1bf7b21afd26f · Werner Sembach / AndroidSystemSEPolicy

Dec 14, 2016

Merge "Do not allow new additions to core_property_type" am: d57dd813 am: f13dcbb4 · 47e2f081
Nick Kralevich authored 8 years ago
```
am: 5bfa8509

Change-Id: Idb6a5e42bff4bab0781db7bad1a497e9b2c169e5
```
47e2f081
Merge "Do not allow new additions to core_property_type" am: d57dd813 · 5bfa8509
Nick Kralevich authored 8 years ago
```
am: f13dcbb4

Change-Id: Ife8946bdd99b4121b6ad80a21c345d9ee0af1777
```
5bfa8509
Merge "Do not allow new additions to core_property_type" · f13dcbb4
Nick Kralevich authored 8 years ago
```
am: d57dd813

Change-Id: I5e911f7d301ba8421184b80f485e043178f225fb
```
f13dcbb4
Merge "Do not allow new additions to core_property_type" · d57dd813
Treehugger Robot authored 8 years ago

d57dd813
Removing file system remount permission from vold am: 16c889c5 am: 37f17c5b · 5b6e4ecc
Max authored 8 years ago
```
am: 2d5426ae

Change-Id: Iae51b513b88597b8837c869e93c67a58f52db2b1
```
5b6e4ecc
Removing file system remount permission from vold am: 16c889c5 · 2d5426ae
Max authored 8 years ago
```
am: 37f17c5b

Change-Id: I9f2147b904b48cfc6f6f898056e8ae3acd6d7aea
```
2d5426ae
Removing file system remount permission from vold · 37f17c5b
Max authored 8 years ago
```
am: 16c889c5

Change-Id: Icfa43cb11246de34f6f8f3c96726bec67680c5ff
```
37f17c5b

Do not allow new additions to core_property_type · d310df20

Nick Kralevich authored 8 years ago

core_property_type is an attribute which was given to all existing
properties known to core SELinux policy. Any property with this label is
readable to all SELinux domains, which is overly broad. The long term
goal is to remove the core_property_type attribute entirely.

Add a neverallow rule prohibiting the introduction of new properties
with the core_property_type attribute. Device specific properties, or
new properties in core SELinux policy, should not have this attribute.

Test: policy compiles
Change-Id: Ie89a9f0d81c8561616001ff8451496ce2278dbb2

d310df20

Dec 13, 2016
- Add sepolicy for consumerir HIDL HAL am: a95c52e3 am: 7724c229 · c540824b
  Connor O'Brien authored 8 years ago
  
  am: 5f50fd90 Change-Id: I643d05381fd866f43717dc37b55ad5beb589a2bc
  c540824b
- Add sepolicy for consumerir HIDL HAL am: a95c52e3 · 5f50fd90
  Connor O'Brien authored 8 years ago
  
  am: 7724c229 Change-Id: I6e4ad94ec694f96c4685f33be090ce479a87b0fd
  5f50fd90
- Removing file system remount permission from vold · 16c889c5
  Max authored 8 years ago
  
  There is no reason for vold to have this permission, and a proper auditallow rule has been used and monitored to ensure that nothing on android uses this permission. Bug: 26901147 Test: Phone boots Change-Id: Id36ed2722348f433fe3d046a3429066338230fec
  16c889c5
- Add sepolicy for consumerir HIDL HAL · 7724c229
  Connor O'Brien authored 8 years ago
  
  am: a95c52e3 Change-Id: Ibf4f702d4b7d1f86baa7550b8b76bb3b30aa81ca
  7724c229
- Merge "Split policy for on-device compilation." am: 1282df7c am: c94b1491 · 19a74f4e
  dcashman authored 8 years ago
  
  am: c00252cd Change-Id: I8d9e6337a1ec2a961a2694ad45ebde0c8b828123
  19a74f4e
- Add sepolicy for consumerir HIDL HAL · a95c52e3
  Connor O'Brien authored 8 years ago
  
  Test: logging confirms service runs on boot Change-Id: If86fa7daf4a626b3e04fa0d2677d4cb590eb71ce Signed-off-by: Connor O'Brien <connoro@google.com>
  a95c52e3
- Merge "Split policy for on-device compilation." am: 1282df7c · c00252cd
  dcashman authored 8 years ago
  
  am: c94b1491 Change-Id: I4b127cc0ba7190d1d036c8e9f6cfefbc3ab8afc4
  c00252cd
- Merge "Split policy for on-device compilation." · c94b1491
  dcashman authored 8 years ago
  
  am: 1282df7c Change-Id: I6f2fd95e1eeae204eed2c81a9b73bfe59ebe1cb7
  c94b1491
- Merge "Split policy for on-device compilation." · 1282df7c
  Treehugger Robot authored 8 years ago
  
  1282df7c
- Split policy for on-device compilation. · 1faa644c
  dcashman authored 8 years ago
  
  Simulate platform and non-platform split by sending the split files to the device to be compiled by init. Bug: 31363362 Test: Policy builds on-device and boots. sediff shows no difference. Change-Id: I9627d1c66ca37786d97a049666278a4992ad7579
  1faa644c
- Partially revert "mediaprovider" SELinux domain. am: 52da39d9 am: a018b183 · cf308055
  Jeff Sharkey authored 8 years ago
  
  am: 2bb33d81 Change-Id: I418745d1eb9f855a727dab2873a7aa2e52b7e3dd
  cf308055
- Partially revert "mediaprovider" SELinux domain. am: 52da39d9 · 2bb33d81
  Jeff Sharkey authored 8 years ago
  
  am: a018b183 Change-Id: I34dfe5ee2a0e320276b69bc2ac407c46954e6237
  2bb33d81
- Partially revert "mediaprovider" SELinux domain. · a018b183
  Jeff Sharkey authored 8 years ago
  
  am: 52da39d9 Change-Id: I7ebc5532d1047726472d9078ceba0fd755130593
  a018b183
- Partially revert "mediaprovider" SELinux domain. · 52da39d9
  Jeff Sharkey authored 8 years ago
  
  The new domain wasn't fully tested, and it caused many regressions on the daily build. Revert back to using "priv_app" domain until we can fully test and re-land the new domain. Temporarily add the USB functionfs capabilities to priv_app domain to keep remainder of MtpService changes working; 33574909 is tracking removing that from the priv_app domain. Test: builds, boots, verified UI and downloads Bug: 33569176, 33568261, 33574909 Change-Id: I1bd0561d52870df0fe488e59ae8307b89978a9cb
  52da39d9
- Merge changes I1a468e7c,I4d0d8896 am: 0a807828 am: 7bd89fbc · 204644b8
  Roshan Pius authored 8 years ago
  
  am: 5dacc9cb Change-Id: I8bb9ef7f143f408a55c26ca5ba1d3699af49f3f7
  204644b8
- hal_wifi: Allow HAL to reload wifi firmware am: 85e3e7d6 am: 84b299d2 · 078c4466
  Roshan Pius authored 8 years ago
  
  am: e2cebbee Change-Id: I0edbcbf847ea08466a4e8bc0c3fb23c88c991e5e
  078c4466
- hal_wifi: Allow system_server to access wifi HIDL services am: 02ed21e8 am: 7f1b8ad8 · 9a8bdb07
  Roshan Pius authored 8 years ago
  
  am: 3a78d30b Change-Id: Ie058e8370da10aa8124b6e2017a23a8f18804f80
  9a8bdb07
- Merge changes I1a468e7c,I4d0d8896 am: 0a807828 · 5dacc9cb
  Roshan Pius authored 8 years ago
  
  am: 7bd89fbc Change-Id: I57c4e27a7df0a9da8056f03d410952b0c54402a1
  5dacc9cb
- hal_wifi: Allow HAL to reload wifi firmware am: 85e3e7d6 · e2cebbee
  Roshan Pius authored 8 years ago
  
  am: 84b299d2 Change-Id: I9f7a7c57926eb6f51ace0da458a0ac8d9316e9b2
  e2cebbee
- hal_wifi: Allow system_server to access wifi HIDL services am: 02ed21e8 · 3a78d30b
  Roshan Pius authored 8 years ago
  
  am: 7f1b8ad8 Change-Id: I651a93f9363fbe73d47912fcb6c856f76bae5359
  3a78d30b
- Merge changes I1a468e7c,I4d0d8896 · 7bd89fbc
  Roshan Pius authored 8 years ago
  
  am: 0a807828 Change-Id: I77fd598970f1f4ab8c5b469405b6d3140b1b8dfd
  7bd89fbc
- hal_wifi: Allow HAL to reload wifi firmware · 84b299d2
  Roshan Pius authored 8 years ago
  
  am: 85e3e7d6 Change-Id: I875f2ac6a830fec679b8f2ea4fc22a65faed4a6e
  84b299d2
- hal_wifi: Allow system_server to access wifi HIDL services · 7f1b8ad8
  Roshan Pius authored 8 years ago
  
  am: 02ed21e8 Change-Id: Ibc02afe12c386abaaa1c96ea025a1bf720f30280
  7f1b8ad8
- Merge "Move MediaProvider to its own domain, add new MtpServer permissions"... · 50a046ea
  Jerry Zhang authored 8 years ago
  
  Merge "Move MediaProvider to its own domain, add new MtpServer permissions" am: 35aa81ad am: be818286 am: a8063522 Change-Id: I46dd432a3b26b978b1f5774c206f75ae1c2e6096
  50a046ea
- Merge "Move MediaProvider to its own domain, add new MtpServer permissions" am: 35aa81ad · a8063522
  Jerry Zhang authored 8 years ago
  
  am: be818286 Change-Id: I4471da7b5c31bc3deace4d57e66bdb11f16da7a5
  a8063522
- Merge changes I1a468e7c,I4d0d8896 · 0a807828
  Treehugger Robot authored 8 years ago
  
  * changes: hal_wifi: Allow HAL to reload wifi firmware hal_wifi: Allow system_server to access wifi HIDL services
  0a807828
- Merge "Move MediaProvider to its own domain, add new MtpServer permissions" · be818286
  Jerry Zhang authored 8 years ago
  
  am: 35aa81ad Change-Id: Ica2ee9f242334f90d100e2a0e64b01663f3b9cc2
  be818286
- Merge "Move MediaProvider to its own domain, add new MtpServer permissions" · 35aa81ad
  Jerry Zhang authored 8 years ago
  
  35aa81ad
Dec 12, 2016

isolated_app.te: Give permissions for using sdcardfs am: 02bf4aad am: e7bacff2 · 52c36410
Daniel Rosenberg authored 8 years ago
```
am: c69bb0fe

Change-Id: I895a471d89491f31d51cde5ab17a16a9ada5b808
```
52c36410
isolated_app.te: Give permissions for using sdcardfs am: 02bf4aad · c69bb0fe
Daniel Rosenberg authored 8 years ago
```
am: e7bacff2

Change-Id: Ie6a0335e4c4c80dcb410681654ab7ae1aad1ee8d
```
c69bb0fe
isolated_app.te: Give permissions for using sdcardfs · e7bacff2
Daniel Rosenberg authored 8 years ago
```
am: 02bf4aad

Change-Id: Ic17d83f2b937c756275e81d8f4b654b00d958ef2
```
e7bacff2

isolated_app.te: Give permissions for using sdcardfs · 02bf4aad

Daniel Rosenberg authored 8 years ago

Sdcardfs does not use a userspace daemon, so the secontext
is currently the caller's when accessing files. This can be
removed if sdcardfs is modified to change the secontext before
calling into the lower filesystem.

Bug: 32735101
Test: Run any app that falls under isolated_app.
Test: See bug for example
Change-Id: I9433aa0f14ff0d5a518249079e07f57e55b09bcf

02bf4aad