Commits · 6a9c4d4c74ff48018ebf8136e768e44a50f3efae · Werner Sembach / AndroidSystemSEPolicy

Jun 22, 2016

update_verifier: Allow searching /dev/block. · 6a9c4d4c

Tao Bao authored 8 years ago

update_verifier calls bootcontrol HAL to mark the currently booting slot
as successfully booted.

avc: denied { search } for name="block" dev="tmpfs" ino=15510 scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
avc: denied { search } for name="block" dev="tmpfs" ino=15510 scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0

Bug: 29569601
Test: Marlin boots up with no update_verifier denials and 'bootctl is-slot-marked-successful 0' returns 0.
Change-Id: I1baa7819bc829e3c4b83d7168008a5b06b01cc9f

6a9c4d4c

Merge "dumpstate: Change SELinux policy to allow reading /data/misc/profiles" into nyc-mr1-dev · 3baef130
David Brazdil authored 8 years ago

3baef130

Allow update_engine to suspend/resume postinstall. · 9640bcfa

Alex Deymo authored 8 years ago

update_engine launches the postinstall process and can suspend and
resume it by sending SIGSTOP and SIGCONT. This fixes the following
denials:

update_engine: type=1400 audit(0.0:88): avc: denied { sigstop } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=1
update_engine: type=1400 audit(0.0:89): avc: denied { signal } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=1

Bug: 28959137
TEST=`update_engine_client --suspend ; update_engine_client --resume` while the device is running postinstall.

(cherry picked from commit 108b74a1)

Change-Id: Iec8e10fe0cfda5c0764d2e5ad90ea1c6dd13dab2

9640bcfa

Jun 20, 2016

dumpstate: Change SELinux policy to allow reading /data/misc/profiles · cf63957d

David Brazdil authored 8 years ago

This is needed in order to include profile files in bugreports.

Bug: 28610953
Change-Id: I025189a4ac66b936711fdb4e20b10c2b0a7427d1

cf63957d

Jun 17, 2016
- allow radio to find nfc_service · 0989a531
  Hyejin authored 8 years ago
  
  am: 5143b6a2 Change-Id: Ifa04829e7c60adcae31795475d3f19bc519f2f82
  0989a531
Jun 16, 2016
- allow radio to find nfc_service · 5143b6a2
  Hyejin authored 8 years ago
  
  Addresses: avc: denied { find } for service=nfc pid=3355 uid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager BUG=29339762 Change-Id: I87479ef4607bd3e18a2fecb53909c4878e227e2b
  5143b6a2
- Merge \"Keep pre-existing sysfs write permissions.\" into nyc-dev · 9e0a64df
  dcashman authored 8 years ago
  
  am: b71cf12f Change-Id: I90e1d56ce61c3093333c6c2e570527f94e743b72
  9e0a64df
- Merge "Keep pre-existing sysfs write permissions." into nyc-dev · b71cf12f
  TreeHugger Robot authored 8 years ago
  
  b71cf12f
- Merge \"Revert \"dumpstate: Change SELinux policy to allow reading... · d7f20b1b
  David Brazdil authored 8 years ago
  
  Merge \"Revert \"dumpstate: Change SELinux policy to allow reading /data/misc/profiles\"\" into nyc-dev am: d261aa96 Change-Id: I94314c8e3277719295dd85c0a672dc1ab2a6b820
  d7f20b1b
- Merge "Revert "dumpstate: Change SELinux policy to allow reading /data/misc/profiles"" into nyc-dev · d261aa96
  David Brazdil authored 8 years ago
  
  d261aa96
- Revert "dumpstate: Change SELinux policy to allow reading /data/misc/profiles" · 50e3899f
  David Brazdil authored 8 years ago
  
  This reverts commit 70a31245. Bug: 28610953 Bug: 29395357 Change-Id: I8b531f488444457d329e43e0c298f2ed231378bf
  50e3899f
- Allow installd to delete the foreign-dex folder · 2f4f66cc
  Amith Yamasani authored 8 years ago
  
  am: a4e2aa13 Change-Id: I0af984f16893a9367769549967aea8cb5f30285f
  2f4f66cc
Jun 15, 2016

Allow installd to delete the foreign-dex folder · a4e2aa13

Amith Yamasani authored 8 years ago

Grant installd the policies to recursively delete
the foreign-dex folder when removing a user. Otherwise
the user cleanup will partially fail and cause a boot loop
when the userId is reused as some later point.

Bug: 29285673
Change-Id: I023f150cffbeb10b6014f48bca9eb0922c2d630a

a4e2aa13

Jun 14, 2016

Keep pre-existing sysfs write permissions. · 17cfd3fc

dcashman authored 8 years ago

Commit: b144ebab added the sysfs_usb
type and granted the read perms globally, but did not add write
permissions for all domains that previously had them. Add the ability
to write to sysfs_usb for all domains that had the ability to write to
those files previously (sysfs).

Address denials such as:
type=1400 audit(1904.070:4): avc: denied { write } for pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0

Bug: 28417852
Change-Id: I4562ea73f2158ebefba74b58ca572f2176d1b849

17cfd3fc

Add SIOCGSTAMP SIOCGSTAMPNS to unpriv_sock_ioctls · 30eddd7f
Nick Kralevich authored 8 years ago
```
am: 92e79e22

Change-Id: I120a8a0a73ec37adee5771f7ffcc7be695b4c141
```
30eddd7f

Add SIOCGSTAMP SIOCGSTAMPNS to unpriv_sock_ioctls · 92e79e22

Nick Kralevich authored 8 years ago

Per "man socket":

  SIOCGSTAMP
  Return a struct timeval with the receive timestamp of the last packet
  passed to the user. This is useful for accurate round trip time
  measurements. See setitimer(2) for a description of struct timeval.
  This ioctl should only be used if the socket option SO_TIMESTAMP is
  not set on the socket. Otherwise, it returns the timestamp of the last
  packet that was received while SO_TIMESTAMP was not set, or it fails
  if no such packet has been received, (i.e., ioctl(2) returns -1 with
  errno set to ENOENT).

Addresses the following denial:

avc: denied { ioctl } for comm=6E6574776F726B5F74687265616420
path="socket:[42934]" dev="sockfs" ino=42934 ioctlcmd=8906
scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:r:untrusted_app:s0:c512,c768 tclass=udp_socket permissive=0

Bug: 29333189
Change-Id: I916a695fa362cf1cf6759629c7f6101e9f657e7d

92e79e22

Jun 13, 2016
- Merge \"Allow access to sysfs usb nodes.\" into nyc-dev · ce6ac697
  dcashman authored 8 years ago
  
  am: 43151dd4 Change-Id: I9116f2820891a266ddf163ac28b6f45721d044ad
  ce6ac697
- Merge "Allow access to sysfs usb nodes." into nyc-dev · 43151dd4
  TreeHugger Robot authored 8 years ago
  
  43151dd4
Jun 10, 2016

reduce mediaserver permissions · b590d49b
Marco Nelissen authored 8 years ago
```
am: f8f4d3e1

Change-Id: If2975c226b86c11595f5c41a964783f7e9caa171
```
b590d49b

reduce mediaserver permissions · f8f4d3e1

Marco Nelissen authored 8 years ago

It no longer needs access to audio and camera

Bug: 22775369
Change-Id: I1de1f0e3504b214d6943733bf60eb83654b71048

f8f4d3e1

Allow access to sysfs usb nodes. · b144ebab

dcashman authored 8 years ago

Some legitimate functionality currently requires direct sysfs access
that is not otherwise possible via the android APIs.  Specifically,
isochronous USB transfers require this direct access, without which USB
audio applications would noticibly suffer.

Grant read access to the usb files under /sys/devices to prevent this
regression.

Bug: 28417852
Change-Id: I3424bf3498ffa0eb647a54cc962ab8c54f291728

b144ebab

Jun 09, 2016

Merge "Allow update_engine to write BCB." into nyc-mr1-dev · 9931a075
TreeHugger Robot authored 8 years ago

9931a075
allow radio to find cameraserver_service for video calls · 48cb87ad
Jeff Vander Stoep authored 8 years ago
```
am: c878a025

Change-Id: I386059682c8fbbfec7ad9ad009a296bc4454869c
```
48cb87ad

allow radio to find cameraserver_service for video calls · 2770feb1

Jeff Vander Stoep authored 8 years ago

Addresses:
avc: denied  { find } for service=media.camera pid=1589 uid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager permissive=0

Bug: 29190415
Change-Id: I77c0337500b8ab2f5d7d3d5982c7416fc39b1522

2770feb1

Allow update_engine to write BCB. · fd867489

Alex Deymo authored 8 years ago

update_engine can trigger a factory-reset when the update to an older
version or an incompatible version requires it.

Bug: 28700985
TEST=Updated a device with a factory-reset required and the BCB was
written.

(cherry picked from commit 15105ce7)

Change-Id: I7d2efc0e7f164d618cbb3fe190882e4fa8a89bac

fd867489

allow radio to find cameraserver_service for video calls · c878a025

Jeff Vander Stoep authored 8 years ago

Addresses:
avc: denied  { find } for service=media.camera pid=1589 uid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager permissive=0

Bug: 29190415
Change-Id: I77c0337500b8ab2f5d7d3d5982c7416fc39b1522

c878a025

Jun 08, 2016
- Merge \"dumpstate: Change SELinux policy to allow reading /data/misc/profiles\" into nyc-dev · 77a44a26
  David Brazdil authored 8 years ago
  
  am: f31a55c0 Change-Id: Ia9e780d8360c3cb1e43081d6aa053eefefd881ab
  77a44a26
- Merge "dumpstate: Change SELinux policy to allow reading /data/misc/profiles" into nyc-dev · f31a55c0
  David Brazdil authored 8 years ago
  
  f31a55c0
- dumpstate: Change SELinux policy to allow reading /data/misc/profiles · 70a31245
  David Brazdil authored 8 years ago
  
  This is needed in order to include profile files in bugreports. Bug: 28610953 Change-Id: I025189a4ac66b936711fdb4e20b10c2b0a7427d1
  70a31245
Jun 07, 2016

Regression for log.tag properties · 2fd6fdb9

Mark Salyzyn authored 8 years ago

am: 44c98bb7

* commit '44c98bb7':
  Regression for log.tag properties

Change-Id: I9a386fb3d5f24491b1870d29ad82f545c350f32c

2fd6fdb9

Regression for log.tag properties · 44c98bb7

Mark Salyzyn authored 8 years ago

Allow log.tag and persist.log.tag as log_tag_prop

Bug: 28942894
Change-Id: I05766b99b9535a79a39adc55cad004decd52956e

44c98bb7

Jun 06, 2016
- Merge "Add ota_package_file label for OTA packages." into nyc-mr1-dev · ca821889
  Tao Bao authored 8 years ago
  
  ca821889
- Merge "Sepolicy: Add search rights for A/B dexopt" into nyc-mr1-dev · 9072d0dd
  TreeHugger Robot authored 8 years ago
  
  9072d0dd
- Sepolicy: Add search rights for A/B dexopt · 8cac2586
  Andreas Gampe authored 8 years ago
  
  More read rights are required now. Bug: 25612095 Change-Id: I766b3b56064ca2f265b9d60e532cd22712f95a42
  8cac2586
- Enable profman pretty printing · 2d4a12cb
  David Sehr authored 8 years ago
  
  am: bb8a352f * commit 'bb8a352f': Enable profman pretty printing Change-Id: I4b074239ccd92992330647be359f081570eead1d
  2d4a12cb
- Enable profman pretty printing · bb8a352f
  David Sehr authored 8 years ago
  
  Bug: 28748264 Change-Id: I848c448e43d48d245d998ff22547bc67a640ab96
  bb8a352f
- Add ota_package_file label for OTA packages. · 6c3f2831
  Tao Bao authored 8 years ago
  
  Allow priv_app, uncrypt, update_engine to access the OTA packages at /data/ota_package (both A/B and non-A/B). GMSCore (priv_app) checks the existence of the folder, and downloads the package there if present. Bug: 28944800 Change-Id: I3c0717861fce7f93b33874a99f6a4a55567612a5
  6c3f2831
- Merge "sepolicy: broaden system_server access to foreign_dex_data_file." into nyc-dev · a6f1e6c5
  Narayan Kamath authored 8 years ago
  
  am: ed413a82 * commit 'ed413a82': sepolicy: broaden system_server access to foreign_dex_data_file. Change-Id: If6ef21fdca0da453a6bbf2093c2704a3e72c9bcf
  a6f1e6c5
- Merge "sepolicy: broaden system_server access to foreign_dex_data_file." into nyc-dev · ed413a82
  Narayan Kamath authored 8 years ago
  
  ed413a82
Jun 03, 2016

Merge "Allow shell to set log.tag.* properties" into nyc-dev · dd579f9c

Jeff Vander Stoep authored 8 years ago

am: a34afee0

* commit 'a34afee0':
  Allow shell to set log.tag.* properties

Change-Id: Ic716c9b5b90883c2be5a7ec2a88aa0cfbb31ce5e

dd579f9c