Commits · d3b70b8d9889c91ad6aff2942946e19d3172669b · Werner Sembach / AndroidSystemSEPolicy

Apr 09, 2018
- Merge "Installd doesn't need to create cgroup files." into pi-dev · d3b70b8d
  Alan Stokes authored 6 years ago
  
  am: 956aba8f Change-Id: I18aaf1a24d9651ae16239e4ef50c90481d52ab3a
  d3b70b8d
- Merge "Add /sys/kernel/memory_state_time to sysfs_power." into pi-dev · 9b02a9b6
  Alan Stokes authored 6 years ago
  
  am: 404bd982 Change-Id: Ic9e82e7b1becf03cdbd520f53c1d6bdd9919225d
  9b02a9b6
- Merge "Installd doesn't need to create cgroup files." into pi-dev · 956aba8f
  Alan Stokes authored 6 years ago
  
  956aba8f
- Merge "Add /sys/kernel/memory_state_time to sysfs_power." into pi-dev · 404bd982
  Alan Stokes authored 6 years ago
  
  404bd982
Apr 07, 2018
- Merge "Add shell:fifo_file permission for audioserver" into pi-dev · 8ec0df96
  Mikhail Naganov authored 6 years ago
  
  am: 2a63d899 Change-Id: Ife3f656e0a535b695390a30fdcc11efb070dd2b4
  8ec0df96
- Merge "Add shell:fifo_file permission for audioserver" into pi-dev · 2a63d899
  TreeHugger Robot authored 6 years ago
  
  2a63d899
Apr 06, 2018

Add shell:fifo_file permission for audioserver · c5815891

Mikhail Naganov authored 6 years ago

Bug: 73405145
Test: cts-tradefed run cts -m CtsMediaTestCases -t android.media.cts.AudioRecordTest#testRecordNoDataForIdleUids
Change-Id: I09bdb74c9ecc317ea090643635ca26165efa423a

c5815891

Merge "hal_health: allow to write kernel logs." into pi-dev · 2a0e2ee0
Yifan Hong authored 6 years ago
```
am: 9370b51a

Change-Id: I7b8c01edd9eb5008bce130ab067b4c723b1bf9c8
```
2a0e2ee0
Merge "hal_health: allow to write kernel logs." into pi-dev · 9370b51a
Yifan Hong authored 6 years ago

9370b51a
[automerger skipped] Grant traced_probes search on directories. · 48bb95ec
Florian Mayer authored 6 years ago
```
am: 269c9665  -s ours

Change-Id: I5956213b7ed56576d3457d2ea9e9b75322870946
```
48bb95ec

hal_health: allow to write kernel logs. · 306b2671

Yifan Hong authored 6 years ago

This is originally allowed in healthd but the permission
was not transfered to health HAL. A typical health HAL
implementation is likely to write battery info to kernel
logs.

Test: device has battery kernel logs with health HAL
      but without healthd

Bug: 77661605

Change-Id: Ib3b5d3fe6bdb3df2a240c85f9d27b863153805d2

306b2671

Allowing incidentd to get stack traces from processes. · 2becbd1d
Kweku Adams authored 6 years ago
```
am: 0fa3d276

Change-Id: I8a3f6721850cd03c112542f673576912273433fa
```
2becbd1d
Grant traced_probes search on directories. am: ff146962 · ead446ed
Florian Mayer authored 6 years ago
```
am: 1b433165

Change-Id: Icfea6a7041a010be502d31b4082e8bf242abf3de
```
ead446ed
Grant traced_probes search on directories. · 1b433165
Florian Mayer authored 6 years ago
```
am: ff146962

Change-Id: Ia7fac0ce2f9818d94c9b9f55e1e42f7bdd8cf462
```
1b433165

Grant traced_probes search on directories. · 269c9665

Florian Mayer authored 6 years ago

This is needed to be able to scan the labels we have
permission on.

Denial:

04-06 12:52:22.674   874   874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0

Bug: 73625480

cherry-picked from aosp/658243
Change-Id: I52f3865952004bfc6fe22c488d768276866f8ae1
Merged-In: I52f3865952004bfc6fe22c488d768276866f8ae1

269c9665

Grant traced_probes search on directories. · ff146962

Florian Mayer authored 6 years ago

This is needed to be able to scan the labels we have
permission on.

Denial:

04-06 12:52:22.674 874 874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0

Bug: 73625480

ff146962

Installd doesn't need to create cgroup files. · 8e8c1093

Alan Stokes authored 6 years ago

cgroupfs doesn't allow files to be created, so this can't be needed.

Also remove redundant neverallow and dontaudit rules. These are now
more broadly handled by domain.te.

Bug: 74182216

Test: Denials remain silenced.

Change-Id: If7eb0e59f567695d987272a2fd36dbc251516e9f

8e8c1093

Add /sys/kernel/memory_state_time to sysfs_power. · a8b3634d

Alan Stokes authored 7 years ago

This allows system_server to access it for determining battery stats
(see KernelMemoryBandwidthStats.java).

batterystats-wo: type=1400 audit(0.0:429): avc: denied { read } for name="show_stat" dev="sysfs" ino=48071 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

Bug: 72643420
Bug: 73947096

Test: Denial is no longer present.
Change-Id: Ibe46aee48eb3f78fa5a9d1f36602c082c33036f7

a8b3634d

Apr 05, 2018
- Allowing incidentd to get stack traces from processes. · 0fa3d276
  Kweku Adams authored 7 years ago
  
  Bug: 72177715 Test: flash device and check incident output Change-Id: I16c172caec235d985a6767642134fbd5e5c23912 (cherry picked from commit 985db6d8)
  0fa3d276
- Merge "Track storaged SELinux denial." am: 04529dc6 · 0a888095
  Joel Galenson authored 6 years ago
  
  am: 46e4c189 Change-Id: Ieb549d5211f6906a8a65715d64f645ddd44155cb
  0a888095
- Merge "Track storaged SELinux denial." · 46e4c189
  Joel Galenson authored 6 years ago
  
  am: 04529dc6 Change-Id: I630f9fe7b662cdb87094eb90a7bf24d62a0b4876
  46e4c189
- Merge "Track storaged SELinux denial." · 04529dc6
  Treehugger Robot authored 6 years ago
  
  04529dc6
- Track storaged SELinux denial. · c6b5a96b
  Joel Galenson authored 6 years ago
  
  This should help fix presubmit tests. Bug: 77634061 Test: Built policy. Change-Id: Ib9f15c93b71c2b67f25d4c9f949a5e2b3ce93b9c
  c6b5a96b
- priv_app: remove more logspam · 97b66cb5
  Jeff Vander Stoep authored 6 years ago
  
  am: 558cdf1e Change-Id: I998cb4d7b507c39ddd027a9e24646303c4765512
  97b66cb5
- Merge "Wifi HAL SIOCSIFHWADDR sepolicy" am: c9dd7149 · f08328b0
  Jong Wook Kim authored 6 years ago
  
  am: 62861f86 Change-Id: Ia6eefc0d79c77ba363faccb42fb3e8d9e7f9ce24
  f08328b0
- Merge "Wifi HAL SIOCSIFHWADDR sepolicy" · 62861f86
  Jong Wook Kim authored 6 years ago
  
  am: c9dd7149 Change-Id: Ideee1c776e572f0e8d90eb340f1d2e58b1182a4c
  62861f86
- Merge "Wifi HAL SIOCSIFHWADDR sepolicy" · c9dd7149
  Jong Wook Kim authored 6 years ago
  
  c9dd7149
- Remove direct qtaguid access from platform/system apps am: f3220aa6 · e53b335d
  Jeff Vander Stoep authored 6 years ago
  
  am: e505a35d Change-Id: I7183822e3930dc6ef1b995027d784831b74aaf9f
  e53b335d
- shell: move shell qtaguid perms to shell.te am: 9d28625f · 0f59d0b1
  Jeff Vander Stoep authored 6 years ago
  
  am: 7a99df89 Change-Id: I577f211e913fd5ad2150a54d6931a810ec58cb43
  0f59d0b1
- Remove direct qtaguid access from platform/system apps · e505a35d
  Jeff Vander Stoep authored 6 years ago
  
  am: f3220aa6 Change-Id: Ibf50ab24fa12e07fc44e89420bba99d5665156d9
  e505a35d
- shell: move shell qtaguid perms to shell.te · 7a99df89
  Jeff Vander Stoep authored 6 years ago
  
  am: 9d28625f Change-Id: Iadb2f23c577f3641ed9785891c97a000d757957a
  7a99df89
Apr 04, 2018

priv_app: remove more logspam · 558cdf1e

Jeff Vander Stoep authored 6 years ago

avc: denied { read } for name="ext4" dev="sysfs" ino=32709
scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0
tclass=dir permissive=0 b/72749888
avc: denied { read } for name="state" dev="sysfs" ino=51318
scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0
b/72749888

Bug: 72749888
Test: build/boot taimen-userdebug. No more logspam
Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e

558cdf1e

Remove direct qtaguid access from platform/system apps · f3220aa6

Jeff Vander Stoep authored 6 years ago

System components should use the public tagSocket() API, not direct
file access to /proc/net/xt_qtaguid/* and /dev/xt_qtaguid.

Test: build/boot taimen-userdebug. Use youtube, browse chrome,
    navigate maps on both cellular and wifi.
Bug: 68774956

Change-Id: Id895395de100d8f9a09886aceb0d6061fef832ef

f3220aa6

shell: move shell qtaguid perms to shell.te · 9d28625f

Jeff Vander Stoep authored 6 years ago

Remove unecessary access to /proc/net/xt_qtaguid/ctrl and
/dev/xt_qtaguid.

Bug: 68774956
Test: atest CtsNativeNetTestCases
Test: adb root; atest tagSocket
Change-Id: If3a1e823be0e342faefff28ecd878189c68a8e92

9d28625f

Allowing incidentd to get stack traces from processes. am: 985db6d8 · 49733255
Kweku Adams authored 6 years ago
```
am: 5f98693a

Change-Id: Iaeaaeb8195e2ffcbf148b1764d57d4e1c7da6f4f
```
49733255
Allowing incidentd to get stack traces from processes. · 5f98693a
Kweku Adams authored 6 years ago
```
am: 985db6d8

Change-Id: I1c05fb2469df71f5572aaf8ed88333dc3c92d3c5
```
5f98693a

Allowing incidentd to get stack traces from processes. · 985db6d8

Kweku Adams authored 7 years ago

Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912

985db6d8

[automerger skipped] Merge "Reland "Allow dexopt to follow /odm/lib(64) symlinks.""" into pi-dev · 7b0e2f1b
Jiyong Park authored 6 years ago
```
am: 3c0b8c01  -s ours

Change-Id: I1a3b2f22453bf846f0d68d13aa72c57822c336a8
```
7b0e2f1b
Merge "Allow dumpstate to trace drm hals" into pi-dev · 41cc2b05
Jeff Tinker authored 6 years ago
```
am: f7d49787

Change-Id: Ia141cdcd71b7f76a566ce2f9d0cf720d90693af2
```
41cc2b05
Merge "Reland "Allow dexopt to follow /odm/lib(64) symlinks.""" into pi-dev · 3c0b8c01
TreeHugger Robot authored 6 years ago

3c0b8c01