Commits · 50889ce0eb4dda1d777b90321ddce3f8046b740d · Werner Sembach / AndroidSystemSEPolicy

May 31, 2017

Enable the TimeZoneManagerService · 50889ce0

Neil Fuller authored 8 years ago

Add policy changes to enable a new service. The service
is currently switched off in config, but this change is
needed before it could be enabled.

Bug: 31008728
Test: make droid
Change-Id: I29c4509304978afb2187fe2e7f401144c6c3b4c6

50889ce0

Merge "SEPolicy: Changes for new stack dumping scheme." into oc-dev-plus-aosp · 66911735
Narayan Kamath authored 7 years ago
```
am: 6d9f42f0

Change-Id: I1894493c01399348bf0d83679bc119d00acc149e
```
66911735
Merge "SEPolicy: Changes for new stack dumping scheme." into oc-dev-plus-aosp · 6d9f42f0
TreeHugger Robot authored 7 years ago

6d9f42f0

SEPolicy: Changes for new stack dumping scheme. am: am: ... · f112055f

Narayan Kamath authored 7 years ago

SEPolicy: Changes for new stack dumping scheme. am: e628cb5b am: 5e8fe834 am: 51a01817  -s ours
am: a7d87b94  -s ours

Change-Id: I8c2250afc39882dc3ee0b9888e3fb2e1d872cb8a

f112055f

SEPolicy: Changes for new stack dumping scheme. am: e628cb5b am: 5e8fe834 · a7d87b94
Narayan Kamath authored 7 years ago
```
am: 51a01817  -s ours

Change-Id: I4ecaa2194614148b4b50245e6250bdde02206160
```
a7d87b94

SEPolicy: Changes for new stack dumping scheme. · f194aad2

Narayan Kamath authored 7 years ago

Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

(cherry picked from commit 11bfcc1e)

Change-Id: Icc60d227331c8eee70a9389ff1e7e78772f37e6f

f194aad2

SEPolicy: Changes for new stack dumping scheme. am: e628cb5b · 51a01817
Narayan Kamath authored 7 years ago
```
am: 5e8fe834

Change-Id: Ibfe717b42fc26da2ec7876143b8cf0445a20eaec
```
51a01817
SEPolicy: Changes for new stack dumping scheme. · 5e8fe834
Narayan Kamath authored 7 years ago
```
am: e628cb5b

Change-Id: If2ce6fbf2b897d58da78430a7bae0fd6fb6e5a49
```
5e8fe834

SEPolicy: Changes for new stack dumping scheme. · e628cb5b

Narayan Kamath authored 7 years ago

Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

Merged-In: I70a3e6e230268d12b454e849fa88418082269c4f
Change-Id: Ib4b73fc130f4993c44d96c8d68f61b6d9bb2c7d5

e628cb5b

Merge "SEPolicy: Changes for new stack dumping scheme." · 3bacfe92
Narayan Kamath authored 7 years ago

3bacfe92

May 30, 2017

Allow ephemeral apps to find media.drm am: d2b3a454 · 1e3c61c3
Chad Brubaker authored 7 years ago
```
am: 19e71b7b

Change-Id: Ife8931f2543dc6339e16faabef66879c1e184390
```
1e3c61c3
Allow ephemeral apps to find media.drm · 19e71b7b
Chad Brubaker authored 7 years ago
```
am: d2b3a454

Change-Id: I1ba8e73e1a004b654bc32dd6520b1e41ec3bc9cf
```
19e71b7b
Allow ephemeral apps to find media.drm · d2b3a454
Chad Brubaker authored 7 years ago
```
Bug: 62102558
Test: see b/62102558
Change-Id: If80d1270bcf6835e6d1a78e2176c3e139cebd174
```
d2b3a454

SEPolicy: Changes for new stack dumping scheme. · 11bfcc1e

Narayan Kamath authored 7 years ago

Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

Change-Id: I70a3e6e230268d12b454e849fa88418082269c4f

11bfcc1e

May 27, 2017
- Merge "Allows nfc to access vr_manager_service" am: c3f4afef am: f23230c8 am: e95974b0 · 4aa02d17
  Ruchi Kandoi authored 7 years ago
  
  am: cd591483 Change-Id: If3b128bcc0dbeb043f9476c28334d83912ed53e4
  4aa02d17
- Merge "Allows nfc to access vr_manager_service" am: c3f4afef am: f23230c8 · cd591483
  Ruchi Kandoi authored 7 years ago
  
  am: e95974b0 Change-Id: I29eeb3ec90a67fe4377fe10f0884608a5fa52ea9
  cd591483
- Merge "Allows nfc to access vr_manager_service" am: c3f4afef · e95974b0
  Ruchi Kandoi authored 7 years ago
  
  am: f23230c8 Change-Id: I2214556e60abce3bf0801bc01d86e8c481e44c38
  e95974b0
- Merge "Allows nfc to access vr_manager_service" · f23230c8
  Ruchi Kandoi authored 7 years ago
  
  am: c3f4afef Change-Id: I8810383b62d3c678c289867a0e17732242ee6679
  f23230c8
- Merge "Allows nfc to access vr_manager_service" · c3f4afef
  Treehugger Robot authored 7 years ago
  
  c3f4afef
May 26, 2017
- Merge "Force expand all hal_* attributes" · 53a11215
  TreeHugger Robot authored 7 years ago
  
  53a11215
- Merge "Update selinux policy for policyvers retrieval." · ca69bb23
  Yifan Hong authored 7 years ago
  
  ca69bb23
- Revert "Add /dev/kmsg_debug." am: 9ac5d01f am: 032c6d61 am: 75b99632 · 77d7c5d1
  Josh Gao authored 7 years ago
  
  am: e589330e Change-Id: I532d4b0ca606663a324dda1e65ce18175e808e7e
  77d7c5d1
- Revert "Add /dev/kmsg_debug." am: 9ac5d01f am: 032c6d61 · e589330e
  Josh Gao authored 7 years ago
  
  am: 75b99632 Change-Id: I272e173f63c6f30bfe5994e15fc4b0bf558535da
  e589330e
- Revert "Add /dev/kmsg_debug." am: 9ac5d01f · 75b99632
  Josh Gao authored 7 years ago
  
  am: 032c6d61 Change-Id: Ibc245f943ad12afbc71f0d13be915120d2388529
  75b99632
- Revert "Add /dev/kmsg_debug." · 032c6d61
  Josh Gao authored 7 years ago
  
  am: 9ac5d01f Change-Id: I31b6b74e498efd2a6f6795f91d6a39a000886061
  032c6d61
- Merge changes I397ca4e7,I38efe224 into oc-dev am: 33d7e90b · 8ce4b1fb
  Dan Cashman authored 7 years ago
  
  am: 11b239f0 -s ours Change-Id: Ifabe749bffbc196782476129fdc34bd746f64b47
  8ce4b1fb
- Merge changes I397ca4e7,I38efe224 into oc-dev · 11b239f0
  Dan Cashman authored 7 years ago
  
  am: 33d7e90b Change-Id: I72b51db1d65df6a82b396187e982df1e4336c6be
  11b239f0
- Merge changes I397ca4e7,I38efe224 into oc-dev · 33d7e90b
  TreeHugger Robot authored 7 years ago
  
  * changes: Restrict BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to one dir. Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS
  33d7e90b
- Revert "Add /dev/kmsg_debug." · 9ac5d01f
  Josh Gao authored 7 years ago
  
  This reverts commit a015186f. Bug: http://b/62101480 Change-Id: I8e889e3d50cf1749168acc526f8a8901717feb46
  9ac5d01f
May 25, 2017

Update selinux policy for policyvers retrieval. · 5b3494eb
Yifan Hong authored 7 years ago
```
Test: pass
Bug: 62073522
Change-Id: I3d53d0d5ec701c87fb3d45080799f424f7ba3792
```
5b3494eb

Allows nfc to access vr_manager_service · f5a2353a

Ruchi Kandoi authored 7 years ago


SELinux : avc:  denied  { find } for service=vrmanager pid=2364 uid=1027
scontext=u:r:nfc:s0 tcontext=u:object_r:vr_manager_service:s0
tclass=service_manager permissive=0

Test: manual
Bug: 35889571
Change-Id: If95bb5c286def99a0439b36a31b52fa9dfd4a2f4
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>

f5a2353a

Merge "MediaExtractor: Allow reading of app data files." into oc-dev am: 62022c71 · c9d3827b
Andy Hung authored 7 years ago
```
am: a9a3df31

Change-Id: I83c5170513890c90b576d6a07f4e7d73a400bae2
```
c9d3827b
Merge "MediaExtractor: Allow reading of app data files." into oc-dev · a9a3df31
Andy Hung authored 7 years ago
```
am: 62022c71

Change-Id: I3f7438d9883bf25c41674965b963c788df2c69ef
```
a9a3df31

Force expand all hal_* attributes · fb889f23

Jeff Vander Stoep authored 7 years ago

Cutting down on the number of attributes associated with each type
speeds up policy lookup times when there is an access vector cache
miss.

This change cuts down on the number of attributes associate with
system_server from 19 to 8. The total number of attributes is
reduced from 159 to 64.

Bug: 36508258
Test: build and boot Marlin
Change-Id: I8cdb6fb783ded869e88c5a9868fd7c8f838190f9

fb889f23

Merge "MediaExtractor: Allow reading of app data files." into oc-dev · 62022c71
Andy Hung authored 7 years ago

62022c71
Merge "Allow init to run vendor toybox for modprobe" into oc-dev am: d5a2f3e2 · 8da4bf51
Sandeep Patil authored 7 years ago
```
am: 3abc81ce

Change-Id: If6350ea61bd6447af7913a7b474e719e0f7707d3
```
8da4bf51
Merge "Allow init to run vendor toybox for modprobe" into oc-dev · 3abc81ce
Sandeep Patil authored 7 years ago
```
am: d5a2f3e2

Change-Id: Ie35b0b80c929066186c35d31b8f8d803f374d969
```
3abc81ce
Merge "Allow init to run vendor toybox for modprobe" into oc-dev · d5a2f3e2
TreeHugger Robot authored 7 years ago

d5a2f3e2
Merge "Restrict BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to one dir." · d1d6b39d
TreeHugger Robot authored 7 years ago

d1d6b39d

Restrict BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to one dir. · 51455fe9

Dan Cashman authored 7 years ago

These directories were added to allow for partner extensions to the
android framework without needing to add changes to the AOSP global
sepolicy.  There should only ever be one owner of the framework and
corresponding updates, so enforce this restriction to prevent
accidental accrual of policy in the system image.

Bug: 36467375
Test: Add public and private files to policy and verify that they are
added to the appropriate policy files.  Also test that specifying
multiple directories for public or private results in an error.

Change-Id: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
Merged-In: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
(cherry picked from commit 1633da06)

51455fe9