Commits · f44002b37849f18a2d571738fa2789c618efd37f · Werner Sembach / AndroidSystemSEPolicy

Jun 07, 2017

Remove dumpstate selinux spam from logs · f44002b3

Addresses:
avc: granted { read } for name="pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/sys/fs/pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file

Test: build policy
Change-Id: I7d8721c73c4f3c51b3885a97c697510e61d1221b

f44002b3

Jun 06, 2017

Move sysfs cpu hotplug labeling to genfs_contexts · e5fe6a33

Jeff Vander Stoep authored 7 years ago

On Marlin ~120 ms of time is spent relabeling /sys/devices/system/cpu
every time we come out of suspend. Moving from file_contexts to
genfs_contexts as the labeling mechanism knocks this down to ~3 ms.

Bug: 32938130
Test: build and boot Marlin. Verify that files in
    /sys/devices/system/cpu have the proper label before and after
    suspend.

Change-Id: Ie71ea7e3dd5df250cabe4ba9600afbf67e69f720

e5fe6a33

Jun 04, 2017

tests/policy.py code cleanup · ffd57494

Jeff Vander Stoep authored 7 years ago

Consolidate ctypes boilerplate code, and other cleanup.

Change-Id: I06c1d6acc9511f2f6d491c8ca2d4b630fd4120fd
Test: build policy

ffd57494

Jun 03, 2017
- Merge "Add OWNERS in system/sepolicy" am: e77d9eea am: 05121724 am: 7a31444a · 0c3f6490
  Chih-Hung Hsieh authored 7 years ago
  
  am: 1b70d896 Change-Id: I9aaf78ffb28b8319e2011400f45f34ef93322cb3
  0c3f6490
- Merge changes from topic 'coredomain_compile_test' · abb8793b
  TreeHugger Robot authored 7 years ago
  
  * changes: Run Treble sepolicy tests at build time Fix coredomain violation for modprobe
  abb8793b
- Merge "Add OWNERS in system/sepolicy" am: e77d9eea am: 05121724 · 1b70d896
  Chih-Hung Hsieh authored 7 years ago
  
  am: 7a31444a Change-Id: I71e33a0923e9f17c35b91172c81612d420a10c0b
  1b70d896
- Merge "Add OWNERS in system/sepolicy" am: e77d9eea · 7a31444a
  Chih-Hung Hsieh authored 7 years ago
  
  am: 05121724 Change-Id: I6c8f336aed4833d6c9f9765a8768bba4b496a40e
  7a31444a
- Merge "Add OWNERS in system/sepolicy" · 05121724
  Chih-Hung Hsieh authored 7 years ago
  
  am: e77d9eea Change-Id: I3e4c83d962b1a4c9fbfba83ffd0df5fc8d59c8fc
  05121724
- Merge "Add OWNERS in system/sepolicy" · e77d9eea
  Treehugger Robot authored 7 years ago
  
  e77d9eea
- Add OWNERS in system/sepolicy · bd83bdf8
  Chih-Hung Hsieh authored 7 years ago
  
  Owners are selected from top CL approvals or owners. They will be suggested to review/approve future CLs. Test: build/make/tools/checkowners.py -c -v OWNERS Change-Id: I3d7f4c06209c22dea0d824429d68997f7179985f
  bd83bdf8
- crash_dump_fallback: allow dumpstate:fd use. am: 17885f14 am: a3a8a3a0 am: 8714f9e0 · 08a04202
  Josh Gao authored 7 years ago
  
  am: bef02a9e Change-Id: Ibf9d8b3ec662bebc625cefe9380ef33c345b95fb
  08a04202
- crash_dump_fallback: allow dumpstate:fd use. am: 17885f14 am: a3a8a3a0 · bef02a9e
  Josh Gao authored 7 years ago
  
  am: 8714f9e0 Change-Id: I669acdf32d54f9456268d3bfe43e1a114f3b96fd
  bef02a9e
- Merge "crash_dump_fallback: allow dumpstate:fd use." into oc-dev am: f378708c · a1cb00cc
  Josh Gao authored 7 years ago
  
  am: dbf8d028 Change-Id: Ic7504601de554becfefe1639b5f891079d24ff65
  a1cb00cc
- Merge "crash_dump_fallback: allow dumpstate:fd use." into oc-dev · dbf8d028
  Josh Gao authored 7 years ago
  
  am: f378708c Change-Id: Ia51ea7ccf0974ed1bacfea950571c6e10ed2b1bf
  dbf8d028
- crash_dump_fallback: allow dumpstate:fd use. am: 17885f14 · 8714f9e0
  Josh Gao authored 7 years ago
  
  am: a3a8a3a0 Change-Id: I63084a04ffe9d88aa6aadf5fbb9b7baa98ff3e35
  8714f9e0
- Merge "crash_dump_fallback: allow dumpstate:fd use." into oc-dev · f378708c
  Josh Gao authored 7 years ago
  
  f378708c
Jun 02, 2017

crash_dump_fallback: allow dumpstate:fd use. · a3a8a3a0
Josh Gao authored 7 years ago
```
am: 17885f14

Change-Id: I46546950720c4d3fa907f32a2af9ab42caa448ba
```
a3a8a3a0

Run Treble sepolicy tests at build time · e1ddc6df

Jeff Vander Stoep authored 7 years ago

Bug: 37008075
Test: build policy on Marlin
Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544

e1ddc6df

Fix coredomain violation for modprobe · 9e366a0e

Sandeep Patil authored 7 years ago


modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.

Bug: 37008075
Test: Build and boot sailfish

Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>

9e366a0e

crash_dump_fallback: allow dumpstate:fd use. · 2a00056a

Josh Gao authored 7 years ago

Bug: http://b/62297059
Test: mma
Merged-In: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
Change-Id: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
(cherry picked from commit 17885f14)

2a00056a

crash_dump_fallback: allow dumpstate:fd use. · 17885f14
Josh Gao authored 7 years ago
```
Bug: http://b/62297059
Test: mma
Change-Id: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
```
17885f14

Jun 01, 2017
- Merge "Add missing sepolicies for OemLock HAL." into oc-dev am: 60e4fd9d · f387ecf3
  Andrew Scull authored 7 years ago
  
  am: 39a81fd5 Change-Id: I0e7a02ff77ef0e6490a481229e042145c9dfb89a
  f387ecf3
- Merge "Add missing sepolicies for the Weaver HAL." into oc-dev am: cd267450 · 69367b37
  Andrew Scull authored 7 years ago
  
  am: e8d4bec7 Change-Id: I14ea238856a8401427b02747ebb2c5750cc5e85f
  69367b37
- Merge "Add missing sepolicies for OemLock HAL." into oc-dev · 39a81fd5
  Andrew Scull authored 7 years ago
  
  am: 60e4fd9d Change-Id: I1628907aeb743c3cb0938e7993237206523fdeb5
  39a81fd5
- Merge "Add missing sepolicies for the Weaver HAL." into oc-dev · e8d4bec7
  Andrew Scull authored 7 years ago
  
  am: cd267450 Change-Id: I20479829d542df345275c0c2b4512788a30fba4c
  e8d4bec7
- Merge "Add missing sepolicies for OemLock HAL." into oc-dev · 60e4fd9d
  TreeHugger Robot authored 7 years ago
  
  60e4fd9d
- Merge "Add missing sepolicies for the Weaver HAL." into oc-dev · cd267450
  TreeHugger Robot authored 7 years ago
  
  cd267450
- resolve merge conflicts of e664e80a to oc-dev-plus-aosp · 8cb67753
  Neil Fuller authored 7 years ago
  
  am: 911e236a -s ours Change-Id: I0a1cf351e40f81c1ee26bc5b722f99ae4e242b7e
  8cb67753
- resolve merge conflicts of e664e80a to oc-dev-plus-aosp · 911e236a
  Neil Fuller authored 7 years ago
  
  Test: I solemnly swear I tested this conflict resolution. Change-Id: Icadf7c72ad173c134d3e95bb5b93c2b54b1b703e
  911e236a
- Merge "allow modprobe to load signed kernel modules" into oc-dev am: fc1d8d99 · f64e4df3
  Steve Muckle authored 7 years ago
  
  am: 06a4b61b Change-Id: I50d8c90eaba6161e839ceb9fc87a41540e15eead
  f64e4df3
- Merge "allow modprobe to load signed kernel modules" into oc-dev · 06a4b61b
  Steve Muckle authored 7 years ago
  
  am: fc1d8d99 Change-Id: Id41f7097fd0a48739293d4f8f06f296d0f189684
  06a4b61b
- Merge "allow modprobe to load signed kernel modules" into oc-dev · fc1d8d99
  TreeHugger Robot authored 7 years ago
  
  fc1d8d99
- Allow bootctl HAL to access misc block device. am: b0d59450 · b17b7637
  Andrew Scull authored 7 years ago
  
  am: 7c4f46b5 Change-Id: I88aa64b8847456f66310d632ee86929a76dfaf7b
  b17b7637
- Allow bootctl HAL to access misc block device. · 7c4f46b5
  Andrew Scull authored 7 years ago
  
  am: b0d59450 Change-Id: If85613b84aecf43b0519bb933d925eb1829e3d5e
  7c4f46b5
- Merge "Enable the TimeZoneManagerService" am: 34b4b737 · e664e80a
  Neil Fuller authored 7 years ago
  
  am: 2ff75628 Change-Id: I66cf4111e4d17e698cea7c8dc44d3294ce20a4ac
  e664e80a
- Merge "Enable the TimeZoneManagerService" · 2ff75628
  Neil Fuller authored 7 years ago
  
  am: 34b4b737 Change-Id: If25147ce3439abd0ab4a3abc1e330b373e43d9cb
  2ff75628
- allow modprobe to load signed kernel modules · 53add31a
  Steve Muckle authored 7 years ago
  
  Modprobe requires this permission or the following denial will prevent loading of signed kernel modules: audit: type=1400 audit(27331649.656:4): avc: denied { search } for pid=448 comm="modprobe" scontext=u:r:modprobe:s0 tcontext=u:r:kernel:s0 tclass=key permissive=0 Bug: 62256697 Test: Verified signed module loading on sailfish. Change-Id: Idde41d1ab58e760398190d6686665a252f1823bb
  53add31a
- Merge "Enable the TimeZoneManagerService" · 34b4b737
  Treehugger Robot authored 7 years ago
  
  View commits for tag android-o-preview-3 android-o-preview-3
  
  34b4b737
- Enable the TimeZoneManagerService · ca595e11
  Neil Fuller authored 8 years ago
  
  Add policy changes to enable a new service. The service is currently switched off in config, but this change is needed before it could be enabled. Bug: 31008728 Test: make droid Merged-In: I29c4509304978afb2187fe2e7f401144c6c3b4c6 Change-Id: I29c4509304978afb2187fe2e7f401144c6c3b4c6
  ca595e11
- Merge "Enable the TimeZoneManagerService" · 0a0b6a60
  TreeHugger Robot authored 7 years ago
  
  0a0b6a60