Commits · f4bd8b30e3235308cbb7d1f7446ffca5f625c8eb · Werner Sembach / AndroidSystemSEPolicy

Feb 09, 2016

Sepolicy: Give zygote rights needed for A/B OTAs · f4bd8b30

Andreas Gampe authored 9 years ago

The zygote is reponsible for moving ART A/B OTA artifacts over to
the regular dalvik-cache.

Bug: 25612095
Change-Id: I838d9ec6ee5a0f0af5f379a4696abda69cea51ca

f4bd8b30

Feb 06, 2016
- Merge "Trim media related nfc permissions" · 66855fca
  Marco Nelissen authored 9 years ago
  
  66855fca
- Merge "Add SELinux label for app fuse." am: e3965aa2 · 4e6d20c7
  Daichi Hirono authored 9 years ago
  
  am: 52719ea5 * commit '52719ea5': Add SELinux label for app fuse.
  4e6d20c7
- Merge "Add SELinux label for app fuse." · 52719ea5
  Daichi Hirono authored 9 years ago
  
  am: e3965aa2 * commit 'e3965aa2': Add SELinux label for app fuse.
  52719ea5
- Merge "Add SELinux label for app fuse." · e3965aa2
  Daichi Hirono authored 9 years ago
  
  e3965aa2
- Trim media related nfc permissions · 710d0a71
  Marco Nelissen authored 9 years ago
  
  Change-Id: I5863c56a53419d2327ab62a7189034711cda7fcc
  710d0a71
Feb 05, 2016

Allow domain to read proc dirs. am: abf31acb · fb0c52ad
dcashman authored 9 years ago
```
am: eb3480b7

* commit 'eb3480b7':
  Allow domain to read proc dirs.
```
fb0c52ad
Replace "neverallow domain" by "neverallow *" am: 35a14514 · 78983522
Nick Kralevich authored 9 years ago
```
am: 8f611b6e

* commit '8f611b6e':
  Replace "neverallow domain" by "neverallow *"
```
78983522
Allow domain to read proc dirs. · eb3480b7
dcashman authored 9 years ago
```
am: abf31acb

* commit 'abf31acb':
  Allow domain to read proc dirs.
```
eb3480b7

Allow domain to read proc dirs. · abf31acb

dcashman authored 9 years ago

Ability to read all of proc was placed in domain_deprecated with the
intention of reducing information leaking from proc. Many processes try
to read proc dirs, though. Allow this with the belief that information
leakage is from the proc files themselves rather than dir structure.

Address the following denial:
avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0

Bug: 26833472
Change-Id: I975ae022c093e1cf80de21487dc11e49f938e5a3

abf31acb

Merge "Trim down mediaextractor rules" · 8fe92600
Marco Nelissen authored 9 years ago

8fe92600
Replace "neverallow domain" by "neverallow *" · 8f611b6e
Nick Kralevich authored 9 years ago
```
am: 35a14514

* commit '35a14514':
  Replace "neverallow domain" by "neverallow *"
```
8f611b6e

Replace "neverallow domain" by "neverallow *" · 35a14514

Nick Kralevich authored 9 years ago

Modify many "neverallow domain" rules to be "neverallow *" rules
instead. This will catch more SELinux policy bugs where a label
is assigned an irrelevant rule, as well as catch situations where
a domain attribute is not assigned to a process.

Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf

35a14514

Trim down mediaextractor rules · e31341ec
Marco Nelissen authored 9 years ago
```
Change-Id: I0cfc604676dc67701fdd5cdd1c143974d7200d07
```
e31341ec
Merge "Allow 'vdc' to be invoked with logwrapper." · 92b1c401
Daniel Cashman authored 9 years ago

92b1c401
Merge "audioserver: grant read perms to /proc" · e5968aa7
Jeffrey Vander Stoep authored 9 years ago

e5968aa7

Add SELinux label for app fuse. · e178ac5a

Daichi Hirono authored 9 years ago

The labels for filesystem and files are assigned by vold with using
context= mount option.

Change-Id: I8a9d701a46a333093a27107fc3c52b17a2af1a94

e178ac5a

Merge "Selinux: introduce policy for OTA preopt" · 2902adf0
Jeffrey Vander Stoep authored 9 years ago

2902adf0

Selinux: introduce policy for OTA preopt · 47ebae1a

Andreas Gampe authored 9 years ago

Add permissions to dex2oat, introduce otapreopt binary and otadexopt
service.

Bug: 25612095
Change-Id: I80fcba2785e80b2931d7d82bb07474f6cd0099f7

47ebae1a

Feb 04, 2016

Allow 'vdc' to be invoked with logwrapper. · 3ade7cef

Jeff Sharkey authored 9 years ago

Currently vdc emits logs to stderr, which makes sense for command
line invocations, but when exec'ed they're silently dropped unless
the caller uses logwrapper.

avc: denied { read write } for path="/dev/pts/2" dev="devpts" ino=5 scontext=u:r:vdc:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0

Bug: 25796509
Change-Id: Ib92e0a7f580b1934a9853a83684f95b24bdc355c

3ade7cef

persist.mmc.* only set in init am: d1435604 · 613f451e
Mark Salyzyn authored 9 years ago
```
am: 47f95192

* commit '47f95192':
  persist.mmc.* only set in init
```
613f451e
persist.mmc.* only set in init · 47f95192
Mark Salyzyn authored 9 years ago
```
am: d1435604

* commit 'd1435604':
  persist.mmc.* only set in init
```
47f95192
persist.mmc.* only set in init · d1435604
Mark Salyzyn authored 9 years ago
```
Bug: 26976972
Change-Id: I0e44bfc6774807a3bd2ba05637a432675d855118
```
d1435604
Merge "Fix SELinux warning when passing fuse FD from system server." am: 4c42a0dc · fd5b7428
Daichi Hirono authored 9 years ago
```
am: f9065c89

* commit 'f9065c89':
  Fix SELinux warning when passing fuse FD from system server.
```
fd5b7428
Merge "Fix SELinux warning when passing fuse FD from system server." · f9065c89
Daichi Hirono authored 9 years ago
```
am: 4c42a0dc

* commit '4c42a0dc':
  Fix SELinux warning when passing fuse FD from system server.
```
f9065c89
Merge "Fix SELinux warning when passing fuse FD from system server." · 4c42a0dc
Daichi Hirono authored 9 years ago

4c42a0dc

Feb 03, 2016

Fix SELinux warning when passing fuse FD from system server. · 59e3d7b4

Daichi Hirono authored 9 years ago

Before applying the CL, Android shows the following error when passing
FD of /dev/fuse.

> Binder_2: type=1400 audit(0.0:38): avc: denied { getattr } for
> path="/dev/fuse" dev="tmpfs" ino=9300 scontext=u:r:system_server:s0
> tcontext=u:object_r:fuse_device:s0 tclass=chr_file permissive=0

Change-Id: I59dec819d79d4e2e1a8e42523b6f521481cb2afd

59e3d7b4

Feb 01, 2016

Allow platform app to get handle to voiceinteraction service. · c8b21438

dcashman authored 9 years ago

Address the following denial caused by systemui:
avc: denied { find } for service=voiceinteraction pid=10761 uid=10029 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=0

Bug: 26842457
Change-Id: I8274d7f31a4390ccfb885389302e4fea9ce0e389

c8b21438

Merge "init: allow to access console-ramoops with newer kernels" am: 84fbd53a · c68c5019
Jeffrey Vander Stoep authored 9 years ago
```
am: fa335306

* commit 'fa335306':
  init: allow to access console-ramoops with newer kernels
```
c68c5019
Merge "init: allow to access console-ramoops with newer kernels" · fa335306
Jeffrey Vander Stoep authored 9 years ago
```
am: 84fbd53a

* commit '84fbd53a':
  init: allow to access console-ramoops with newer kernels
```
fa335306
Merge "init: allow to access console-ramoops with newer kernels" · 84fbd53a
Jeffrey Vander Stoep authored 9 years ago

84fbd53a

Jan 29, 2016
- Move staged backup content to a specific cache subdir · b8104a47
  Christopher Tate authored 9 years ago
  
  Also narrowly specify the domain for the local transport's bookkeeping. Bug 26834865 Change-Id: I2eea8a10f29356ffecabd8e102f7afa90123c535
  b8104a47
- Merge "Add rules for original + processed wallpaper files" · 02bffbb8
  Chris Tate authored 9 years ago
  
  02bffbb8
Jan 28, 2016
- Add rules for original + processed wallpaper files · fdeeb59b
  Christopher Tate authored 9 years ago
  
  Bug 25454501 Change-Id: I31357e658ecdbcc69df47fbc2d22e4849dd1539b
  fdeeb59b
- Revert "selinux rules for codec process" · b1bf83fd
  Marco Nelissen authored 9 years ago
  
  This reverts commit 2afb217b. Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed
  b1bf83fd
- Merge "mediaserver: grant perms from domain_deprecated" am: 3d8391e7 · c08eeee5
  Jeffrey Vander Stoep authored 9 years ago
  
  am: 15decd69 * commit '15decd69': mediaserver: grant perms from domain_deprecated
  c08eeee5
- Merge "logd: grant perms from domain_deprecated" am: 61e93860 · b89e0e13
  Jeffrey Vander Stoep authored 9 years ago
  
  am: e02124ff * commit 'e02124ff': logd: grant perms from domain_deprecated
  b89e0e13
- Merge "kernel: grant perms from domain_deprecated" am: e48ab784 · 1d7f1507
  Jeffrey Vander Stoep authored 9 years ago
  
  am: d9fcee9d * commit 'd9fcee9d': kernel: grant perms from domain_deprecated
  1d7f1507
- Merge "mediaserver: grant perms from domain_deprecated" · 15decd69
  Jeffrey Vander Stoep authored 9 years ago
  
  am: 3d8391e7 * commit '3d8391e7': mediaserver: grant perms from domain_deprecated
  15decd69
- Merge "logd: grant perms from domain_deprecated" · e02124ff
  Jeffrey Vander Stoep authored 9 years ago
  
  am: 61e93860 * commit '61e93860': logd: grant perms from domain_deprecated
  e02124ff