- Nov 01, 2016
-
Steven Moreland authored
am: cdd1bd76 Change-Id: If79af8ceb4f899a9fa70af88c4471895538d7a2b
-
Steven Moreland authored
am: 1ec710c8 Change-Id: Idec0f4922dac7b12a909e83ce963806de78653b7
-
Dianne Hackborn authored
am: 33619e31 Change-Id: Ic8c3fa7aa355c3cea5885f8370adb2835835a4c4
-
Steven Moreland authored
Bug: 32022100
Test: end to end
Change-Id: I5dd9b64c98a5c549fdaf9e47d5a92fa6963370c7
-
Dianne Hackborn authored
am: 11877133 Change-Id: I379cb009d5a47f3c52a69cca1a80321a9e9859b5
-
Felipe Leme authored
am: 517a9ed1 Change-Id: If4a5669d399aa99e424b7052a9b8c643cebbdb07
-
Felipe Leme authored
am: ae9d3c0c Change-Id: Ic15a4bfac6fd0bad7325eaae311150b057e4da0d
-
Dianne Hackborn authored
Test: N/A
Change-Id: Ib3c85118bf752152f5ca75ec13371073fc2873cc
-
Treehugger Robot authored
-
Jorge Lucangeli Obes authored
am: 52dd15a0 Change-Id: Icb50ed3ad8554069a6ac168ed03a6233c867a677
-
Jorge Lucangeli Obes authored
am: 02c83835 Change-Id: Ia923906119e34aa64c8a81fa53b8b53b4dc4af46
-
Treehugger Robot authored
-
Jorge Lucangeli Obes authored
This is required for https://android-review.googlesource.com/#/c/295748 so that init can drop the capability bounding set for services.

Bug: 32438163
Test: With 295748 and a test service using ambient capabilities.
Change-Id: I57788517cfe2ef0e7a2f1dfab94d0cb967ede065
-
Felipe Leme authored
- Allow dumpstate to create the dumpservice service.
- Allow System Server and Shell to find that service.
- Don't allow anyone else to create that service.
- Don't allow anyone else to find that service.

BUG: 31636879
Test: manual verification
Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711
-
- Oct 31, 2016
-
Nick Kralevich authored
am: a9aac6a9 Change-Id: Ibe204614130145bd084db378635c8134d5efb3a3
-
Nick Kralevich authored
am: fa418650 Change-Id: I640fccd3e01ebcfb096f8f408cffc47a6c0a24d6
-
Nick Kralevich authored
am: 184851a2 Change-Id: Iea91ab9bd1cc9c45cb1efdc0db0d42d4cda9630d
-
Nick Kralevich authored
am: 82b9182e Change-Id: I3dc912af723af37c9fdee2118e0621ed74704f2e
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Nick Kralevich authored
am: 74b84259 Change-Id: I23b54c3f1d4b335b073096980bb27b34cb3ebaa2
-
Nick Kralevich authored
am: 02cfce49 Change-Id: I68d9a9a44eb6e11a3d9471a46c307e66afe42c35
-
Nick Kralevich authored
The kernel domain exists solely on boot, and is used by kernel threads. Because of the way the system starts, there is never an entrypoint for that domain, not even a file on rootfs. So tighten up the neverallow restriction.

Remove an obsolete comment. The *.rc files no longer have a setcon statement, and the transition from the kernel domain to init occurs because init re-execs itself. The statement no longer applies.

Test: bullhead policy compiles.
Change-Id: Ibe75f3d25804453507dbb05c7a07bba1d37a1c7b
-
- Oct 29, 2016
-
Nick Kralevich authored
system_server is currently allowed write (but not open) access to various app file descriptor types, to allow it to perform write operations on file descriptors passed to it from Android processes. However, system_server was not allowed to handle file descriptors open only for append operations. Write operations are a superset of that allowed by appendable operations, so it makes no sense to deny system_server the use of appendable file descriptors. Allow it for app data types, as well as a few other types (for robustness).

Addresses the following denial generated when adb bugreport is run:

type=1400 audit(0.0:12): avc: denied { append } for path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-MASTER-2016-10-29-08-13-50-dumpstate_log-6214.txt" dev="dm-2" ino=384984 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

Bug: 32246161
Test: policy compiles
Test: No more append denials when running adb shell am bug-report --progress
Change-Id: Ia4e81cb0b3c3580fa9130952eedaed9cab3e8487
-
Nick Kralevich authored
Addresses the following audit messages:

[ 7.984957] type=1400 audit(33873666.610:40): avc: granted { getattr } for pid=1 comm="init" name="system@framework@boot-ext.art" dev="dm-2" ino=106324 scontext=u:r:init:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
[ 65.528068] type=1400 audit(1477751916.508:96): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.530425] type=1400 audit(1477751916.508:97): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.530487] type=1400 audit(1477751916.508:98): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file
[ 65.530800] type=1400 audit(1477751916.508:98): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file
[ 65.530842] type=1400 audit(1477751916.508:99): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.531138] type=1400 audit(1477751916.508:99): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.531176] type=1400 audit(1477751916.508:100): avc: granted { search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup" ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.531465] type=1400 audit(1477751916.508:100): avc: granted { search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup" ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.531502] type=1400 audit(1477751916.508:101): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file
[ 65.531789] type=1400 audit(1477751916.508:101): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file
[ 65.531827] type=1400 audit(1477751916.508:102): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.713056] type=1400 audit(1477751916.508:102): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir

Bug: 32246161
Test: policy compiles
Test: dumpstate no longer generates the audit messages above.
Change-Id: Id5afe2ebeb24f8a7407aac1a0a09806b1521b0e4
-
- Oct 28, 2016
-
Roshan Pius authored
am: a70008f6 Change-Id: I6d00064ce9563f0c7b9d1b67547886a06539e6e5
-
Roshan Pius authored
am: e1d1b3dc Change-Id: Ie917024c1e5cf58f511ed420048b2a015e81e4df
-
Roshan Pius authored
am: 35ac63ba Change-Id: I0269d804303569522102f8680dc1ed070458d2c2
-
Roshan Pius authored
am: ece32729 Change-Id: I2deabd99fda505fd185dcb2a3fc6246413803b6d
-
Roshan Pius authored
am: 8224596a Change-Id: Ie52222c18d95aebe320a664fdbca2c47547f30d8
-
Roshan Pius authored
am: 6caeac7b Change-Id: I45bf2358586a6bb1dc5b17646c360c9065b17c23
-
Treehugger Robot authored
* changes:
  wifi_hal: Rename to 'hal_wifi'
  wpa: Add permissions for hwbinder
-
Nick Kralevich authored
am: 6f2f72c2 Change-Id: I5b34bf53d9fe3b48ff1fb8f2d08c8897a8d28dd8
-
Nick Kralevich authored
am: 79a08e13 Change-Id: Iee32c3aab31156606142101a0f85a10383cdf712
-
Nick Kralevich authored
Fixes the following SELinux messages when running adb bugreport:

avc: granted { read } for name="libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read open } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { getattr } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read execute } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir
avc: granted { getattr } for path="/data/dalvik-cache/arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir
avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir
avc: granted { search } for name="arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir
avc: granted { getattr } for path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir
avc: granted { search } for name="arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir
avc: granted { read } for name="system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
avc: granted { read open } for path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir
[ 169.349480] type=1400 audit(1477679159.734:129): avc: granted { read } for pid=6413 comm="main" name="ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.350030] type=1400 audit(1477679159.734:130): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.350361] type=1400 audit(1477679159.734:130): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.350399] type=1400 audit(1477679159.734:131): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.350963] type=1400 audit(1477679159.734:131): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.351002] type=1400 audit(1477679159.734:132): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.351330] type=1400 audit(1477679159.734:132): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.351366] type=1400 audit(1477679159.734:133): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.351861] type=1400 audit(1477679159.734:133): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.351910] type=1400 audit(1477679159.734:134): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.353105] type=1400 audit(1477679159.734:134): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.353186] type=1400 audit(1477679159.734:135): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.353594] type=1400 audit(1477679159.734:135): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.353636] type=1400 audit(1477679159.734:136): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.354230] type=1400 audit(1477679159.734:136): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.354437] type=1400 audit(1477679159.734:137): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.395359] type=1400 audit(1477679159.734:137): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

Test: policy compiles
Test: adb bugreport runs without auditallow messages above.
Bug: 32246161
Change-Id: Ie0ab2ed3c6babc1f93d3b8ae47c92dd905ebc93a
-
Roshan Pius authored
Renaming the wifi HIDL implementation to 'hal_wifi' from 'wifi_hal_legacy' to conform with HIDL style guide.

Denials:

01-01 21:55:23.896 2865 2865 I android.hardware.wifi@1.0-service: wifi_hal_legacy is starting up...
01-01 21:55:23.898 2865 2865 W android.hardware.wifi@1.0-service: /odm/lib64/hw/ does not exit.
01-01 21:55:23.899 2865 2865 F android.hardware.wifi@1.0-service: service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL
01-01 21:55:23.899 2865 2865 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 2865 (android.hardwar)
01-01 21:55:23.901 377 377 W : debuggerd: handling request: pid=2865 uid=2000 gid=2000 tid=2865
01-01 21:55:23.907 2867 2867 E : debuggerd: Unable to connect to activity manager (connect failed: Connection refused)
01-01 21:55:23.908 2867 2867 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
01-01 21:55:23.908 2867 2867 F DEBUG : Build fingerprint: 'Android/aosp_angler/angler:7.0/NYC/rpius10031052:userdebug/test-keys'
01-01 21:55:23.908 2867 2867 F DEBUG : Revision: '0'
01-01 21:55:23.908 2867 2867 F DEBUG : ABI: 'arm64'
01-01 21:55:23.908 2867 2867 F DEBUG : pid: 2865, tid: 2865, name: android.hardwar >>> /system/bin/hw/android.hardware.wifi@1.0-service <<<
01-01 21:55:23.909 2867 2867 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
01-01 21:55:23.910 2867 2867 F DEBUG : Abort message: 'service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL'

Bug: 31821133
Test: Compiled and ensured that the selinux denials are no longer present in logs.
Change-Id: I5bbbcad307e9bb9e59fff87e2926751b3aecc813
-
William Roberts authored
am: 14742b0f Change-Id: I42974e68c2b1bfb57034df20e6bb8fab600eaa19
-
William Roberts authored
am: e112faea Change-Id: I57d5ed15ae69613145a9ef4efc9e16ec72ad420b
-
- Oct 27, 2016
-
Treehugger Robot authored
-
William Roberts authored
Filesystem capabilities should only be set by the build tools or by recovery during an update. Place a neverallow ensuring this property.

Change-Id: I136c5cc16dff0c0faa3799d0ab5e29b43454a610
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-