dcashman
0d525e66be
am a9bfc888: Merge "Expand rtc_device label to match all rtc class drivers."
...
* commit 'a9bfc888143150126363b9b9676d6197965da66f':
Expand rtc_device label to match all rtc class drivers.
2015-05-21 18:51:42 +00:00
dcashman
1b4b3b918b
Expand rtc_device label to match all rtc class drivers.
...
/dev/rtc0 is not the only possible rtc device node, make sure all are given the
rtc_device label.
Change-Id: I50d15aa62e87509e940acd168474433803b2115d
2015-05-21 10:35:57 -07:00
Jim Miller
523397621b
am 5d78c07d: Merge "Add selinux policy for fingerprintd" into mnc-dev
...
* commit '5d78c07d4a463ec5ed0403850be718de670c9e97':
Add selinux policy for fingerprintd
2015-05-21 12:22:19 +00:00
Jim Miller
264eb6566a
Add selinux policy for fingerprintd
...
Change-Id: Ibcb714248c28abf21272986facaade376dcbd7ef
2015-05-19 18:28:45 -07:00
dcashman
53d3b99c5d
resolved conflicts for merge of c7594898 to mnc-dev-plus-aosp
...
Change-Id: I81937479a0cb37d4e781e076c2e5ff6551cbf822
2015-05-18 15:15:15 -07:00
dcashman
807d8d0249
Label /dev/rtc0 as rtc_device.
...
Grant access to system_server, as it is used by AlarmManagerService.
(cherry-pick of c7594898db)
Change-Id: I8b5795cb4739bb7fb6b2673d0b1b12be40db7a7f
2015-05-18 14:18:11 -07:00
dcashman
c7594898db
Label /dev/rtc0 as rtc_device.
...
Grant access to system_server, as it is used by AlarmManagerService.
Change-Id: I4f099fe30ba206db07d636dd454d43d3df9d3015
2015-05-18 14:01:37 -07:00
Jeff Sharkey
cf010b55e1
am e5acc38f: Merge "drop_caches label, vold scratch space on expanded." into mnc-dev
...
* commit 'e5acc38f09e4375c8cb9fced716e3242505d2400':
drop_caches label, vold scratch space on expanded.
2015-05-15 22:22:34 +00:00
Jeff Sharkey
c960596cc3
drop_caches label, vold scratch space on expanded.
...
Define an explicit label for /proc/sys/vm/drop_caches and grant to
the various people who need it, including vold which uses it when
performing storage benchmarks.
Also let vold create new directories under its private storage area
where the benchmarks will be carried out. Mirror the definition of
the private storage area on expanded media.
avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
Bug: 21172095
Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23f
2015-05-14 20:55:33 -07:00
Nick Kralevich
8cc7ea7216
am 540be83b: Merge "Label /oem files"
...
* commit '540be83b82a395147388b54a8c8197d84cd255ab':
Label /oem files
2015-05-07 21:10:25 +00:00
Nick Kralevich
415f0ba73c
Label /oem files
...
Files on the /oem partition are weird. The /oem partition is an ext4
partition, built in the Android tree using the "oem_image" build target
added in build/ commit b8888432f0bc0706d5e00e971dde3ac2e986f2af. Since
it's an ext4 image, it requires SELinux labels to be defined at build
time. However, the partition is mounted using context=u:object_r:oemfs:s0,
which ignores the labels on the filesystem.
Assign all the files on the /oem image to be oemfs, which is consistent
with how they'll be mounted when /oem is mounted.
Other options would be to use an "unlabeled" label, or try to fix the
build system to not require SELinux labels for /oem images.
(cherrypicked from commit 2025fd1476)
Bug: 20816563
Change-Id: Ibe8d9ff626eace8a2d5d02c3f06290105baa59fe
2015-05-07 13:49:42 -07:00
Nick Kralevich
15b68e7281
am 1212235f: Don\'t label simpleperf system_file
...
* commit '1212235ff4693f2140a9724bc52032e25afcabef':
Don't label simpleperf system_file
2015-05-07 16:15:26 +00:00
Nick Kralevich
2025fd1476
Label /oem files
...
Files on the /oem partition are weird. The /oem partition is an ext4
partition, built in the Android tree using the "oem_image" build target
added in build/ commit b8888432f0bc0706d5e00e971dde3ac2e986f2af. Since
it's an ext4 image, it requires SELinux labels to be defined at build
time. However, the partition is mounted using context=u:object_r:oemfs:s0,
which ignores the labels on the filesystem.
Assign all the files on the /oem image to be oemfs, which is consistent
with how they'll be mounted when /oem is mounted.
Other options would be to use an "unlabeled" label, or try to fix the
build system to not require SELinux labels for /oem images.
Bug: 20816563
Change-Id: Ibe8d9ff626eace8a2d5d02c3f06290105baa59fe
2015-05-06 16:33:56 -07:00
Dehao Chen
34a468fad2
Update sepolicy to add label for /data/misc/perfprofd.
...
Bug: 19483574
(cherry picked from commit 7d66f783c2)
Change-Id: If617e29b6fd36c88c157941bc9e11cf41329da48
2015-05-06 15:26:03 -07:00
Nick Kralevich
1212235ff4
Don't label simpleperf system_file
...
The default label for files on /system is already system_file. No
need to explicitly specify it.
Change-Id: If0c92a0da4119a0d8f83b4a3e05101cfcdb9a82d
2015-05-06 15:19:52 -07:00
Than McIntosh
38d0247da0
New sepolicy for perfprofd, simpleperf.
...
Bug: http://b/19483574
(cherry picked from commit 0fdd364e89)
Change-Id: If29946a5d7f92522f3bbb807cea5f9f1b42a6513
2015-05-06 15:16:42 -07:00
Dehao Chen
7d66f783c2
Update sepolicy to add label for /data/misc/perfprofd.
...
Bug: 19483574
Change-Id: I7e4c0cf748d2b216dcb3aede3803883552b58b64
2015-05-06 14:45:44 -07:00
Than McIntosh
0fdd364e89
New sepolicy for perfprofd, simpleperf.
...
Bug: http://b/19483574
Change-Id: I594f04004cccd2cbfadbd0f9d1bbb9815a2ea59d
2015-05-04 13:49:15 -04:00
Elliott Hughes
9b8505b1e7
am a331c593: am 5aac86dc: Revert "Revert "SELinux policy changes for re-execing init.""
...
* commit 'a331c593d1ed9ad5da8e68626a59b3a33a225531':
Revert "Revert "SELinux policy changes for re-execing init.""
2015-04-24 21:09:36 +00:00
Elliott Hughes
5aac86dc06
Revert "Revert "SELinux policy changes for re-execing init.""
...
This reverts commit c450759e8e.
There was nothing wrong with this change originally --- the companion
change in init was broken.
Bug: http://b/19702273
Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 12:28:12 -07:00
Nick Kralevich
ad7719c5f2
am 6b82aaeb: am 6d97d9b8: Merge "Revert "SELinux policy changes for re-execing init.""
...
* commit '6b82aaeb58be7455b39542526a54097fd63e9f63':
Revert "SELinux policy changes for re-execing init."
2015-04-24 17:49:00 +00:00
Nick Kralevich
c450759e8e
Revert "SELinux policy changes for re-execing init."
...
shamu isn't booting.
This reverts commit 46e832f562.
Change-Id: Ib697745a9a1618061bc72f8fddd7ee88c1ac5eca
2015-04-24 16:59:43 +00:00
Elliott Hughes
25ed8fa373
am f17bbab7: am ecd57731: Merge "SELinux policy changes for re-execing init."
...
* commit 'f17bbab747e5f8a8121601053f7cddacc3666035':
SELinux policy changes for re-execing init.
2015-04-24 03:46:32 +00:00
Elliott Hughes
46e832f562
SELinux policy changes for re-execing init.
...
Change-Id: I5eca4f1f0f691be7c25e463563e0a4d2ac737448
2015-04-23 17:12:18 -07:00
Nick Kralevich
b77f78eb8e
am 268425b7: am 934cf6ea: Merge "gatekeeperd: use more specific label for /data file"
...
* commit '268425b7cd9af73d1fc9a7c10cb9423cd1b5da1e':
gatekeeperd: use more specific label for /data file
2015-04-20 16:04:54 +00:00
Nick Kralevich
367757d2ef
gatekeeperd: use more specific label for /data file
...
Use a more specific label for /data/misc/gatekeeper
Rearrange some other rules.
Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5
2015-04-17 17:56:31 -07:00
Vinit Deshpande
721f3e3650
am fcdd354..fcdd354 from mirror-m-wireless-internal-release
...
fcdd354
Add permission for Bluetooth Sim Access Profile
Change-Id: I9b40b17be0c9bf08ca48ad34d3718d421ec6466e
2015-04-14 16:07:12 -07:00
Casper Bonde
fcdd354653
Add permission for Bluetooth Sim Access Profile
...
Added permission to SAP socket used to access the RIL daemon
Change-Id: Ifbfb764f0b8731e81fb3157955aa4fda6120d846
Signed-off-by: Casper Bonde <c.bonde@samsung.com>
2015-04-12 22:18:31 -07:00
Neil Fuller
e647578502
Add rules for /system/bin/tzdatacheck
...
Bug: 19941636
Change-Id: I7cc61e058424c856da88f11ff9b259f34cb39dc7
2015-04-09 09:29:12 +01:00
Nick Kralevich
8a06c07724
Allow system_server to collect app heapdumps (debug builds only)
...
On debuggable builds, system_server can request app heap dumps
by running something similar to the following commands:
% adb shell am set-watch-heap com.android.systemui 1048576
% adb shell dumpsys procstats --start-testing
which will dump the app's heap to /data/system/heapdump. See
framework/base commit b9a5e4ad30c9add140fd13491419ae66e947809d.
Allow this behavior.
Addresses the following denial:
avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
Bug: 20073185
Change-Id: I4b925033a5456867caf2697de6c2d683d0743540
2015-04-07 16:40:44 -07:00
Jeff Sharkey
73d9c2a97b
Initial policy for expanded storage.
...
Expanded storage supports a subset of the features of the internal
data partition. Mirror that policy for consistency. vold is also
granted enough permissions to prepare initial directories.
avc: denied { write } for name="ext" dev="tmpfs" ino=3130 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { add_name } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { create } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { mounton } for path="/mnt/ext/57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { getattr } for path="/mnt/ext" dev="tmpfs" ino=3130 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=4471 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
avc: denied { getattr } for path="/mnt/expand/57f8f4bc-abf4-655f-bf67-946fc0f9f25b/media" dev="dm-0" ino=145153 scontext=u:r:vold:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
avc: denied { rmdir } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=6380 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
avc: denied { create } for name="tmp" scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="tmp" dev="dm-0" ino=72578 scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
Bug: 19993667
Change-Id: I73c98b36e7c066f21650a9e16ea82c5a0ef3d6c5
2015-04-06 17:59:44 -07:00
Andres Morales
e207986ea0
SELinux permissions for gatekeeper TEE proxy
...
sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding GK binder service
- neverallow rules for prohibited clients
Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
2015-04-06 16:46:58 -07:00
Fyodor Kupolov
b87a4b16d2
Support for storing OAT files in app directory
...
oat dir inside apk_tmp_file should be labeled as dalvikcache_data_file.
Bug: 19550105
Change-Id: Ie928b5f47bfc42167bf86fdf10d6913ef25d145d
2015-04-02 14:32:43 -07:00
Jeff Sharkey
4423ecdb09
Directory for vold to store private data.
...
Creates new directory at /data/misc/vold for storing key material
on internal storage. Only vold should have access to this label.
Change-Id: I7f2d1314ad3b2686e29e2037207ad83d2d3bf465
2015-04-01 09:28:09 -07:00
Jeff Sharkey
f063f461a9
Updated policy for external storage.
...
An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.
This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.
For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.
Slightly relax system_server external storage rules to allow calls
like statfs(). Still neverallow open file descriptors, since they
can cause kernel to kill us.
Here are the relevant violations that this CL is designed to allow:
avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-30 17:07:42 -07:00
Paul Lawrence
38af1da107
Adding e4crypt support
...
Add selinux rules to allow file level encryption to work
Change-Id: I1e4bba23e99cf5b2624a7df843688fba6f3c3209
2015-03-27 14:47:30 -07:00
Tom Cherry
d2522cb396
add /odm to file_contexts
...
/odm has the same permissions as /system/... for devices with a
separate odm partition
Bug: 19609718
Change-Id: I6dd83d43c5fd8682248e79d11b0ca676030eadf0
2015-03-19 12:29:32 -07:00
Nick Kralevich
a191398812
Add new "procrank" SELinux domain.
...
/system/xbin/procrank is a setuid program run by adb shell on
userdebug / eng devices. Allow it to work without running adb root.
Bug: 18342188
Change-Id: I18d9f743e5588c26661eaa26e1b7e6980b15caf7
2015-03-19 09:35:31 -07:00
Mark Salyzyn
61d665af16
logd: allow access to system files
...
- allow access for /data/system/packages.xml.
- deprecate access to /dev/logd_debug (can use /dev/kmsg for debugging)
- allow access to /dev/socket/logd for 'logd --reinit'
Bug: 19681572
Change-Id: Iac57fff1aabc3b061ad2cc27969017797f8bef54
2015-03-11 23:00:37 +00:00
Yongqin Liu
cc38e6d1a4
bootchart: add policy rules for bootchart
...
allow the bootchart to create dir and files at init,
also allow user to create the stop and start file under
/data/bootchart directory to start and stop bootchart
Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2015-02-24 01:02:20 +08:00
Mark Salyzyn
34d32ea164
selinux: add pstore
...
Used to record the Android log messages, then on reboot
provide a means to triage user-space activities leading
up to a panic. A companion to the pstore console logs.
Change-Id: I9b94ee3d5e94e0c4590ba8453b4ac1ebdfc7603f
2015-01-14 12:34:20 -08:00
Elliott Hughes
367ef9684d
toybox and toolbox should be considered equivalent.
...
When toolbox completely disappears, we can worry about whether we want
to rename this context.
Change-Id: I359b6b2b21bb9452352e700f6ac37c137200ac77
2014-12-17 16:03:01 -08:00
Nick Kralevich
f457e57db0
am 7adc8cfe: Allow adbd to write to /data/adb
...
* commit '7adc8cfee367abc5cd17a21868b6b0bdb7b06eed':
Allow adbd to write to /data/adb
2014-11-05 20:49:27 +00:00
Nick Kralevich
7adc8cfee3
Allow adbd to write to /data/adb
...
adbd writes debugging information to /data/adb
when persist.adb.trace_mask is set. Allow it.
Bug: https://code.google.com/p/android/issues/detail?id=72895
(cherry picked from commit 973877dbc1)
Change-Id: Ida2e0257c97941ab33ccdab59eb2cde95dca344f
2014-11-05 10:18:31 -08:00
Nick Kralevich
22b4eb7083
am ca62a8b7: allow coredump functionality
...
* commit 'ca62a8b72be35de3781c1f8f16600cfeca874ef5':
allow coredump functionality
2014-10-31 22:22:47 +00:00
Nick Kralevich
ca62a8b72b
allow coredump functionality
...
(cherrypick of commit d7e004ebf9)
Change-Id: I7993698ac96f21db0039681275280dbd43ff61ba
2014-10-31 15:16:29 -07:00
Nick Kralevich
d7e004ebf9
allow coredump functionality
...
Change-Id: I7993698ac96f21db0039681275280dbd43ff61ba
2014-10-31 20:19:26 +00:00
Bill Yi
e269b48c69
Merge commit 'd0b1a44e5fba8284f1698d60aa25ed93221e8da5' into HEAD
2014-10-22 08:46:59 -07:00
Nick Kralevich
973877dbc1
Allow adbd to write to /data/adb
...
adbd writes debugging information to /data/adb
when persist.adb.trace_mask is set. Allow it.
Bug: https://code.google.com/p/android/issues/detail?id=72895
Change-Id: Ia5af09045e9f72a95325b429c30a5ae78e104bdc
2014-10-21 16:15:52 +00:00
Nick Kralevich
61027bc5ef
am 57a17d14: add support for fsck.f2fs
...
* commit '57a17d143405c400bc03b134af5af10959c53d76':
add support for fsck.f2fs
2014-10-20 18:52:04 +00:00