Commits · 4cffd854469680d8149b2dafffb6b7f75df7ebb4 · Werner Sembach / AndroidSystemSEPolicy

Jul 20, 2016
- Merge \"logd: Add setpcap for Minijail use.\" · 4cffd854
  Jorge Lucangeli Obes authored 8 years ago
  
  am: 23d703ee Change-Id: I98383d496812ced491a892c1ffb29527d77c63a9
  4cffd854
- Merge "logd: Add setpcap for Minijail use." · 23d703ee
  Treehugger Robot authored 8 years ago
  
  23d703ee
- logd: Add setpcap for Minijail use. · b6287b1e
  Jorge Lucangeli Obes authored 8 years ago
  
  Bug: 30156807 Change-Id: Ie9faf72d35579fa69b4397bdffc8d674f040736c
  b6287b1e
- resolve merge conflicts of 56ed8a4d to stage-aosp-master · 2c4718fc
  Jeff Vander Stoep authored 8 years ago
  
  Change-Id: Ic549f8c8060a17981302f2af75debf34595475bb
  2c4718fc
- Merge changes I86958ebc,I0449575a · 56ed8a4d
  Treehugger Robot authored 8 years ago
  
  * changes: adbd: allow reading apk_data_file adbd: allow reading rootfs dir
  56ed8a4d
Jul 19, 2016

adbd: allow reading apk_data_file · d743ddea

avc: denied { search } for comm=73657276696365203139 name="app" dev="sda35" ino=770049 scontext=u:r:adbd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=0

Bug: 30000600
Change-Id: I86958ebcca815ee1779f85fb425592493f40101a

d743ddea

adbd: allow reading rootfs dir · 7fcb3a61
Jeff Vander Stoep authored 8 years ago
```
Bug: 30213958
Change-Id: I0449575a5ec6cc4997bc36a13676474505a4190f
```
7fcb3a61

Jul 18, 2016
- Merge \"service_contexts: strip blank lines and comments\" · 7d9487c9
  William Roberts authored 8 years ago
  
  am: afad0c35 Change-Id: Id4a4937cc3b7c2ddd6d363144e6fafc90be60498
  7d9487c9
- Merge "service_contexts: strip blank lines and comments" · afad0c35
  Treehugger Robot authored 8 years ago
  
  afad0c35
Jul 15, 2016

Merge \"property_contexts: strip blank lines and comments\" · a584f2f6
William Roberts authored 8 years ago
```
am: ee69a2e7

Change-Id: If61f5720180243ec1b5aa9e16d66c95c37f49b88
```
a584f2f6
Merge "property_contexts: strip blank lines and comments" · ee69a2e7
Treehugger Robot authored 8 years ago

ee69a2e7
Grant untrusted_app dir access to asec_apk_file. · e0585ca8
dcashman authored 8 years ago
```
am: 83348b0b

Change-Id: Ia19aeffe64e733deb695206dcbd8cb824c9db222
```
e0585ca8

Grant untrusted_app dir access to asec_apk_file. · 83348b0b

dcashman authored 8 years ago

untrusted_app lost all of the domain_deprecated permissions in N,
including the ability to read asec_apk_file dirs.  This is used for
forward locked apps.

Addresses the following denials:
avc: denied { search } for name="asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0
avc: denied { getattr } for path="/mnt/asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0

(cherry-pick of internal commit: addd3c9f)

Bug: 30082229
Change-Id: I87758f1daee19197d9299bca261f0324e01af5e0

83348b0b

Jul 11, 2016
- Merge \"init.te: allow writting to /proc/sys/vm/overcommit_memory\" · 47b12481
  Yongqin Liu authored 8 years ago
  
  am: 87f2ca2d Change-Id: Ia0ebfddad770c09ded5fecd2273f78d560507e9f
  47b12481
- Merge "init.te: allow writting to /proc/sys/vm/overcommit_memory" · 87f2ca2d
  Jeffrey Vander Stoep authored 8 years ago
  
  View commit 87f2ca2d 4 tags
  
  87f2ca2d
Jul 08, 2016
- Merge \"lmkd: grant read access to all of /sys\" · a86ae374
  Jeff Vander Stoep authored 8 years ago
  
  am: ad03e7db Change-Id: I1fa0ced9c61bacc1b577ccee9c5a47459066d45f
  a86ae374
- Merge "lmkd: grant read access to all of /sys" · ad03e7db
  Treehugger Robot authored 8 years ago
  
  ad03e7db
- resolve merge conflicts of 91e7ac92 to stage-aosp-master · 43c1d482
  Mark Salyzyn authored 8 years ago
  
  Change-Id: I874557582d244956a5a7a4305c00ac2f0c190a88
  43c1d482
- logcatd: trampoline persist.logd.logpersistd to logd.logpersistd · 91e7ac92
  Mark Salyzyn authored 8 years ago
  
  Bug: 28936216 Change-Id: I90dc7ca296dc5c9b6d13e7920ebb864981a112b5
  91e7ac92
Jul 07, 2016

init.te: allow writting to /proc/sys/vm/overcommit_memory · b34480dc

Yongqin Liu authored 8 years ago


Since there is "write /proc/sys/vm/overcommit_memory 1" line in init.rc

Change-Id: I5899d2802e7fa56b438a06d4cadb4eb6827bfe16
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>

b34480dc

Jul 01, 2016

service_contexts: strip blank lines and comments · c9fce3fa

William Roberts authored 8 years ago


Strip whitespace and comments from service_context files
to reduce size. On an aosp_x86_64 build it saves 36 bytes.

However, on builds with more synclines and comments, further
space savings can be realized.

Change-Id: I3cb4effad1d1b404bf53605a3793e3070cb95651
Signed-off-by: William Roberts <william.c.roberts@intel.com>

c9fce3fa

property_contexts: strip blank lines and comments · 371918c1

William Roberts authored 8 years ago


Strip whitespace and comments from property_context files
to reduce size. On an aosp_x86_64 build it saves 851 bytes.

However, on builds with more synclines and comments, further
space savings can be realized.

Change-Id: I43caf1deaab53d4753c835918898c8982f477ef0
Signed-off-by: William Roberts <william.c.roberts@intel.com>

371918c1

Jun 28, 2016

Merge commit '2931f84c ' into HEAD · 92b58b81
Bill Yi authored 8 years ago

92b58b81
domain: allow reading /proc/sys/vm/overcommit_memory · 17d3d23d
Jeff Vander Stoep authored 8 years ago
```
am: bc1986fb

Change-Id: I7707dfb170b31df7e344bf695c124e84a5049b11
```
17d3d23d

domain: allow reading /proc/sys/vm/overcommit_memory · bc1986fb

Jeff Vander Stoep authored 8 years ago

Needed for jemalloc commit:

2f970c32b527660a33fa513a76d913c812dcf7c
Modify pages_map() to support mapping uncommitted virtual memory.

avc: denied { read } for name="overcommit_memory" dev="proc" ino=10544
scontext=u:r:wificond:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 29773242
Change-Id: I78054c1ed576a7998c4ee1d1beca2f610c589c3a

bc1986fb

Jun 23, 2016

Merge \"lmkd: grant read access to all of /sys\" into nyc-dev · 2931f84c
Jeff Vander Stoep authored 8 years ago
```
am: d0feed89

Change-Id: Ic9bff29ec7fedafe6ff20ed8ef80d68394352ef1
```
2931f84c
Merge "lmkd: grant read access to all of /sys" into nyc-dev · d0feed89
TreeHugger Robot authored 8 years ago

View commit d0feed89 3 tags

d0feed89

lmkd: grant read access to all of /sys · 11c79b20

Jeff Vander Stoep authored 8 years ago

avc: denied { search } for pid=394 comm="lmkd" name="lowmemorykiller" dev="sysfs" ino=7541 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs_lowmemorykiller:s0 tclass=dir permissive=0

(Cherry picked from commit 30a3ee4c)

Bug: 29558514
Change-Id: Iaae907a92976af2a9dcb58be5643b8614dcde174

11c79b20

lmkd: grant read access to all of /sys · 30a3ee4c

Jeff Vander Stoep authored 8 years ago

avc: denied { search } for pid=394 comm="lmkd" name="lowmemorykiller" dev="sysfs" ino=7541 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs_lowmemorykiller:s0 tclass=dir permissive=0

Bug: 29558514
Change-Id: Iaae907a92976af2a9dcb58be5643b8614dcde174

30a3ee4c

Jun 22, 2016
- Grant access to net_raw and net_admin to dumpstate. · b5565726
  Felipe Leme authored 8 years ago
  
  am: 42aaf5a0 Change-Id: I6d8d76687f6ffbbd849424286d90d6cad6a65993
  b5565726
- Merge \\"Grant access to net_raw and net_admin to dumpstate.\\" am: 797f32b2 · d6094bd0
  Felipe Leme authored 8 years ago
  
  am: fafcf5a1 Change-Id: Ifa88db9920a8cc1645c6fa0f313dba9f79b76260
  d6094bd0
- Merge \"Grant access to net_raw and net_admin to dumpstate.\" · fafcf5a1
  Felipe Leme authored 8 years ago
  
  am: 797f32b2 Change-Id: Idcd263089437c91a9b70373430c32551228db61f
  fafcf5a1
- Merge "Grant access to net_raw and net_admin to dumpstate." · 797f32b2
  Treehugger Robot authored 8 years ago
  
  797f32b2
- Allow update_engine to suspend/resume postinstall. am: 108b74a1 · cbc534af
  Alex Deymo authored 8 years ago
  
  am: 9a38deff Change-Id: Idfb80b6247f734f1ec42da269ee5f19d92e15e64
  cbc534af
- Allow update_engine to suspend/resume postinstall. · 9a38deff
  Alex Deymo authored 8 years ago
  
  am: 108b74a1 Change-Id: I3c236c3d430176ceed724eae114af5c43f66f16f
  9a38deff
Jun 21, 2016

Allow update_engine to suspend/resume postinstall. · 108b74a1

Alex Deymo authored 8 years ago

update_engine launches the postinstall process and can suspend and
resume it by sending SIGSTOP and SIGCONT. This fixes the following
denials:

update_engine: type=1400 audit(0.0:88): avc: denied { sigstop } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=1
update_engine: type=1400 audit(0.0:89): avc: denied { signal } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=1

Bug: 28959137
TEST=`update_engine_client --suspend ; update_engine_client --resume` while the device is running postinstall.

Change-Id: I9890ad0ff7fe04bae1a54fa07c61aafca8de8e66

108b74a1

Grant access to net_raw and net_admin to dumpstate. · 42aaf5a0

Felipe Leme authored 8 years ago

Cherrypicked from AOSP
(commit 51fdddaf).

BUG: 29455997
Change-Id: I9c0d1973f166da202d039eac883a6e53d53e24cb

42aaf5a0

Jun 20, 2016

Grant access to net_raw and net_admin to dumpstate. · 51fdddaf

Felipe Leme authored 8 years ago

These capabilities are required so it can run iptables, otherwise it
will cause failures such as:

06-20 16:19:02.650 5524 5524 W iptables: type=1400 audit(0.0:232): avc: denied { net_raw } for capability=13 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=capability permissive=0
06-20 16:56:57.119 5070 5070 W iptables: type=1400 audit(0.0:13): avc: denied { net_admin } for capability=12 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=capability permissive=0

BUG: 29455997
Change-Id: I9c0d1973f166da202d039eac883a6e53d53e24cb

51fdddaf

Jun 17, 2016
- allow radio to find nfc_service · 7d0ca881
  Hyejin authored 8 years ago
  
  am: 5143b6a2 Change-Id: I3e9c1bb011816a484d35469e4849db1c75eea14f
  7d0ca881
Jun 16, 2016

allow radio to find nfc_service · 5143b6a2

Hyejin authored 8 years ago

Addresses:
avc:  denied  { find } for service=nfc pid=3355 uid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

BUG=29339762
Change-Id: I87479ef4607bd3e18a2fecb53909c4878e227e2b

5143b6a2