tequilaOS/platform_system_sepolicy

Author	SHA1	Message	Date
dcashman	027ec20696	Mark batteryproperties service as app_api_service. Applications do not explicitly request handles to the batteryproperties service, but the BatteryManager obtains a reference to it and uses it for its underlying property queries. Mark it as an app_api_service so that all applications may use this API. Also remove the batterypropreg service label, as this does not appear to be used and may have been a duplication of batteryproperties. As a result, remove the healthd_service type and replace it with a more specific batteryproperties_service type. (cherry-picked from commit: `9ed71eff4b`) Bug: 27442760 Change-Id: I537c17c09145b302728377bf856c1147e4cc37e9	2016-03-14 16:09:42 -07:00
Polina Bondarenko	d79d753ac2	Merge "Renamed hardwareproperties to hardware_properties" into nyc-dev	2016-03-14 17:41:58 +00:00
Polina Bondarenko	447fd30d21	Renamed hardwareproperties to hardware_properties Bug: 27531271 Change-Id: I3c5eee86d09696373ab155f93ba6c85da224cb51	2016-03-09 18:13:11 +01:00
Makoto Onuki	def5d16e3c	Merge "Add new system service "shortcut"." into nyc-dev	2016-03-07 23:08:43 +00:00
Makoto Onuki	7508224f61	Add new system service "shortcut". Bug 27325877 Change-Id: Idf2f9ae816e1f3d822a6286a4cf738c14e29a45e	2016-03-01 15:12:11 -08:00
Fyodor Kupolov	3d564e52ef	Add NetworkTimeUpdateService NetworkTimeUpdateService has been registered as a system service, so that its dump state can be included into bugreports. Bug: 23983739 Change-Id: I0d364009ba4630dcfd1d22c647195e33eedaa4e0	2016-02-26 17:21:47 -08:00
Daniel Sandler	0a5f3d4626	Merge "Allow access to the daydream ("dreams") service." into nyc-dev	2016-02-23 19:12:39 +00:00
Dan Sandler	00004ba1ff	Allow access to the daydream ("dreams") service. Bug: 26804329 Change-Id: I7b789c6fe8411e3a4a718da86d442a0f48c5c310	2016-02-23 13:19:14 -05:00
Lorenzo Colitti	a92c7fe3fb	Merge "Allow the framework to communicate with netd via a binder service" into nyc-dev	2016-02-23 08:39:02 +00:00
Tao Bao	11727c9912	Merge "Add recovery service." into nyc-dev	2016-02-22 19:24:25 +00:00
Tao Bao	45f8e4af03	Add recovery service. RecoverySystemService is separated from PowerManagerService as a dedicated system service to handle recovery related requests (such as invoking uncrypt to uncrypt an OTA package on /data or to set up / clear the bootloader control block (i.e. /misc) and etc). The matching CL in frameworks/base is in: Change-Id: Ic606fcf5b31c54ce54f0ab12c1768fef0fa64560. Bug: 26830925 Change-Id: Iee0583c458f784bfa422d0f7af5d1f2681d9609e (cherry picked from commit `65b5fde912`)	2016-02-22 10:39:18 -08:00
Lorenzo Colitti	24dcc8b1ce	Allow the framework to communicate with netd via a binder service This will allow us to provide a better interface between Java services (e.g., ConnectivityService) and netd than the current FrameworkListener / NativeDaemonConnector interface which uses text strings over a Unix socket. Bug: 27239233 Change-Id: If40582ae2820e54f1960556b7bf7e88d98c525af	2016-02-19 00:22:37 +09:00
Polina Bondarenko	8a6bbb1ffe	Allow gatekeeper to find hardwareproperties service. Bug: 26945055 Change-Id: I5745d02be9889f6a0e02de12bd8d8f2808de9ce0	2016-02-17 14:23:56 +01:00
Jeff Tinker	0d5bac13e1	Add mediadrm service Part of media security hardening This is an intermediate step toward moving mediadrm to a new service separate from mediaserver. This first step allows mediadrmservice to run based on the system property media.mediadrmservice.enable so it can be selectively enabled on devices that support using native_handles for secure buffers. bug: 22990512 Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2	2016-02-12 19:38:22 -08:00
dcashman	8f5a891ff8	Make voiceinteractionservice app_api_service. Address the following denial from 3rd party voice interaction test: SELinux : avc: denied { find } for service=voiceinteraction pid=30281 uid=10139 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=0 Bug: 27105570 Change-Id: Ib87d364673cbc883df017bcda7fe1e854a76654f	2016-02-10 10:24:24 -08:00
Marco Nelissen	c3ba2e5130	selinux rules for codec process Bug: 22775369 Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b	2016-02-09 14:13:13 -08:00
Andreas Gampe	47ebae1a7a	Selinux: introduce policy for OTA preopt Add permissions to dex2oat, introduce otapreopt binary and otadexopt service. Bug: 25612095 Change-Id: I80fcba2785e80b2931d7d82bb07474f6cd0099f7	2016-02-04 16:58:43 -08:00
Marco Nelissen	b1bf83fd79	Revert "selinux rules for codec process" This reverts commit `2afb217b68`. Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed	2016-01-28 13:51:28 -08:00
Chien-Yu Chen	4000cc33de	Merge "selinux: Update policies for cameraserver"	2016-01-28 02:04:43 +00:00
Daniel Cashman	8a7887470b	Merge "Reduce accessibility of voiceinteraction_service."	2016-01-27 19:30:58 +00:00
Chien-Yu Chen	e0378303b5	selinux: Update policies for cameraserver Update policies for cameraserver so it has the same permissions as mediaserver. Bug: 24511454 Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb	2016-01-27 11:29:11 -08:00
Marco Nelissen	87a79cf9dd	Merge "selinux rules for codec process"	2016-01-27 17:46:47 +00:00
dcashman	aedf223656	Reduce accessibility of voiceinteraction_service. The services under this label are not meant to be exposed to all apps. Currently only priv_app needs access. Bug: 26799206 Change-Id: I07c60752d6ba78f27f90bf5075bcab47eba90b55	2016-01-26 15:12:08 -08:00
Tao Bao	51523e59da	resolve merge conflicts of `42baca019b` to master. Change-Id: I7fe13cbe563dcd2f286696010f0a5034dfee0202	2016-01-25 21:03:36 -08:00
Tao Bao	dce317cf43	Allow update_engine to use Binder IPC. Register service with servicemanager and name the context. avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager Also allow priv_app to communicate with update_engine. avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c	2016-01-25 16:42:38 -08:00
Marco Nelissen	2afb217b68	selinux rules for codec process Bug: 22775369 Change-Id: I9733457b85dbaeb872b8f4aff31d0b8808fa7d44	2016-01-22 14:43:14 -08:00
Marco Nelissen	b03831fe58	Add rules for running audio services in audioserver audioserver has the same rules as mediaserver so there is no loss of rights or permissions. media.log moves to audioserver. TBD: Pare down permissions. Bug: 24511453 Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d	2015-12-07 17:33:20 -08:00
Jeff Vander Stoep	9d8728dbf8	grant country_detector_service app_api_service attribute All apps should have access to the country_detector service. avc: denied { find } for service=country_detector pid=1802 uid=1010002 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:country_detector_service:s0 tclass=service_manager Bug: 25766732 Change-Id: Ie3f1a801114030dada7ad70c715a62907a2d264f	2015-11-18 19:05:23 -08:00
Jeffrey Vander Stoep	0062aa1b81	Merge "grant country_detector_service app_api_service attribute" am: `29a1e43ecf` * commit '29a1e43ecfd5825f37fd736ffca1a650ff5a7738': grant country_detector_service app_api_service attribute	2015-11-18 23:57:03 +00:00
Jeff Vander Stoep	1e1d65a392	grant country_detector_service app_api_service attribute All apps should have access to the country_detector service. avc: denied { find } for service=country_detector pid=1802 uid=1010002 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:country_detector_service:s0 tclass=service_manager Bug: 25766732 Change-Id: Ie3f1a801114030dada7ad70c715a62907a2d264f	2015-11-18 15:38:59 -08:00
Jeffrey Vander Stoep	7eb19e9d0e	Merge "grant deviceidle_service app_api_service attribute" am: `bcf31c786a` am: `e324735dde` am: `4e8c0a6207` * commit '4e8c0a620738fadf5b8bf96063befd71c88f4f75': grant deviceidle_service app_api_service attribute	2015-11-18 18:50:44 +00:00
Jeffrey Vander Stoep	e324735dde	Merge "grant deviceidle_service app_api_service attribute" am: `bcf31c786a` * commit 'bcf31c786a5d0a18c04972255fb246777f3a1004': grant deviceidle_service app_api_service attribute	2015-11-17 22:22:22 +00:00
Jeff Vander Stoep	692bdc4404	grant deviceidle_service app_api_service attribute avc: denied { find } for service=deviceidle pid=26116 uid=10007 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:deviceidle_service:s0 tclass=service_manager Bug: 25734577 Change-Id: I3c955e6df2186ad7adb6b599c5b6b802b8ecd8de	2015-11-17 13:10:46 -08:00
Marco Nelissen	0f754edf7b	Update selinux policies for mediaextractor process Change-Id: If761e0370bf9731a2856d0de2c6a6af1671143bd	2015-10-27 12:58:04 -07:00
Anthony Hugh	d19b20c30c	Merge "Revert "Update sepolicy to allow ThermalObserver system service"" into cw-e-dev am: `753148a869` * commit '753148a8691b7b5d29ee0ebab400c1eb7b2a7c27': Revert "Update sepolicy to allow ThermalObserver system service"	2015-10-22 22:27:54 +00:00
Anthony Hugh	2d8c2d9779	Revert "Update sepolicy to allow ThermalObserver system service" This reverts commit `cda36e31d1`. This will be moved to a device specific file. BUG: 24555181 Change-Id: I0eb543211245c37da77bbf42449f70ff3fdf79ec	2015-10-22 21:58:51 +00:00
Jeff Vander Stoep	d77deee44f	am `7f09a945`: Policy for priv_app domain * commit '7f09a94596be98415d0546d927c8a4bc15867621': Policy for priv_app domain	2015-10-19 10:42:34 -07:00
Jeff Vander Stoep	7f09a94596	Policy for priv_app domain Verifier needs access to apk files. avc: denied { search } for pid=11905 comm="ackageinstaller" name="vmdl2040420713.tmp" dev="dm-2" ino=13647 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=0 Give bluetooth_manager_service and trust_service the app_api_service attribute. avc: denied { find } for service=bluetooth_manager pid=7916 uid=10058 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:bluetooth_manager_service:s0 tclass=service_manager permissive=0 avc: denied { find } for service=trust pid=25664 uid=10069 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:trust_service:s0 tclass=service_manager permissive=0 Bug: 25066911 Change-Id: I6be695546f8a951e3329c1ec412936b8637e5835	2015-10-19 10:35:20 -07:00
Jeff Vander Stoep	59bb0d4bc5	am `734e4d7c`: Give services app_api_service attribute * commit '734e4d7c5015a510ab20bfbc3c5a84667378764f': Give services app_api_service attribute	2015-10-18 09:15:25 -07:00
Jeff Vander Stoep	734e4d7c50	Give services app_api_service attribute avc: denied { find } for service=network_management pid=4503 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:network_management_service:s0 tclass=service_manager avc: denied { find } for service=netstats pid=4503 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=0 Bug: 25022496 Change-Id: Ib6eac76b680fed3eca7e4942c6b0e375f12b6496	2015-10-17 19:24:11 +00:00
Jeffrey Vander Stoep	6bbe728ce8	am `b1eced68`: Merge "grant webviewupdate_service app_api_service attribute" * commit 'b1eced68d2dc0823e70729db66b16463289986a8': grant webviewupdate_service app_api_service attribute	2015-10-16 15:02:08 -07:00
Jeff Vander Stoep	7813cc8de0	grant webviewupdate_service app_api_service attribute avc: denied { find } for service=webviewupdate pid=11399 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:webviewupdate_service:s0 tclass=service_manager permissive=0 Bug: 25018574 Change-Id: I26a7846d1c80c1ab3842813f4148528030b1106a	2015-10-16 14:53:11 -07:00
Bryce Lee	cda36e31d1	Update sepolicy to allow ThermalObserver system service Bug: 21445745 Change-Id: I59fd20f61a5e669e000f696f3738cc11071920aa	2015-09-24 19:38:31 -07:00
Jim Miller	5d78c07d4a	Merge "Add selinux policy for fingerprintd" into mnc-dev	2015-05-21 00:57:37 +00:00
Jim Miller	264eb6566a	Add selinux policy for fingerprintd Change-Id: Ibcb714248c28abf21272986facaade376dcbd7ef	2015-05-19 18:28:45 -07:00
Ruben Brunk	e1edbe9c97	camera: Add AIDL interface for CameraServiceProxy. - Update selinux policy for CameraServiceProxy. Bug: 21267484 Change-Id: Ib821582794ddd1e3574b5dc6c79f7cb197b57f10	2015-05-19 17:26:31 -07:00
dcashman	37137dafb1	Merge "Make deviceidle accessible as system_api_service." into mnc-dev	2015-04-29 19:39:45 +00:00
dcashman	31548db0f4	Make deviceidle accessible as system_api_service. deviceidle service should be accessible to all non third-party apps. Cherry-pick of commit: `7c1dced7d5` Change-Id: Ia410fe0027f212009cc2abeaabc64c7c87841daa	2015-04-29 12:36:13 -07:00
Alex Klyubin	ab5cf66873	Expand access to gatekeeperd. This enables access to gatekeeperd for anybody who invokes Android framework APIs. This is necessary because the AndroidKeyStore abstraction offered by the framework API occasionally communicates with gatekeeperd from the calling process. (cherry picked from commit `effcac7d7e`) Bug: 20526234 Change-Id: I450242cd085259b3f82f36f359ee65ff27bebd13	2015-04-29 10:28:53 -07:00
dcashman	5321279463	Make persistent_data_block_service a system_api_service. Settings needs to be able to access it when opening developer options. Address the following denial: avc: denied { find } for service=persistent_data_block scontext=u:r:system_app:s0 tcontext=u:object_r:persistent_data_block_service:s0 tclass=service_manager Bug: 20131472 Change-Id: I85e2334a92d5b8e23d0a75312c9b4b5bf6aadb0b	2015-04-09 11:45:32 -07:00

1 2

67 commits