Jeffrey Vander Stoep
409b38bcba
Merge "zygote: grant perms from domain_deprecated" am: eecaa0b5f9
...
am: fde8ca5383
* commit 'fde8ca5383038775ce9ea36ea505acffaabde309':
zygote: grant perms from domain_deprecated
2016-01-27 20:41:52 +00:00
Jeffrey Vander Stoep
fde8ca5383
Merge "zygote: grant perms from domain_deprecated"
...
am: eecaa0b5f9
* commit 'eecaa0b5f9d83bb86b66d5ad7feacb5c4d6d83f7':
zygote: grant perms from domain_deprecated
2016-01-27 20:40:08 +00:00
Jeffrey Vander Stoep
eecaa0b5f9
Merge "zygote: grant perms from domain_deprecated"
2016-01-27 20:35:12 +00:00
Jeff Vander Stoep
9306072c97
vold: grant perms from domain_deprecated
...
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { read } for name="fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { open } for path="/fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { getattr } for path="/fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { read } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { open } for path="/cache" dev="mmcblk0p30" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { ioctl } for path="/cache" dev="mmcblk0p30" ino=2 ioctlcmd=5879 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=dir
avc: denied { open } for path="/proc" dev="proc" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=dir
avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/157/net/psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/157/net/psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
Change-Id: I8af7edc5b06675a9a2d62bf86e1c22dbb5d74370
avc: denied { read } for name="block" dev="sysfs" ino=2582 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
avc: denied { open } for path="/sys/block" dev="sysfs" ino=2582 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
2016-01-27 12:24:26 -08:00
Daniel Cashman
8a7887470b
Merge "Reduce accessibility of voiceinteraction_service."
2016-01-27 19:30:58 +00:00
Chien-Yu Chen
e0378303b5
selinux: Update policies for cameraserver
...
Update policies for cameraserver so it has the same permissions
as mediaserver.
Bug: 24511454
Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb
2016-01-27 11:29:11 -08:00
Jeff Vander Stoep
12401b8d18
healthd: grant perms from domain_deprecated
...
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { read } for name="present" dev="sysfs" ino=5003 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: denied { open } for path="/sys/devices/platform/htc_battery_max17050.8/power_supply/flounder-battery/present" dev="sysfs" ino=5003 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
Change-Id: Iaee5b79a45aedad98e08c670addbf444c984165e
2016-01-27 11:20:52 -08:00
Jeff Vander Stoep
cee6a0e748
zygote: grant perms from domain_deprecated
...
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { read } for name="ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
Change-Id: Ie94d3db3c5dccb8077ef5da26221a6413f5d19c2
2016-01-27 10:55:03 -08:00
dcashman
b61d07a269
Allow sdcardd tmpfs read access. am: db559a348e
...
am: 555f14c2ed
* commit '555f14c2ed5c80561e17229fcad22499f52462bf':
Allow sdcardd tmpfs read access.
2016-01-27 18:53:05 +00:00
dcashman
555f14c2ed
Allow sdcardd tmpfs read access.
...
am: db559a348e
* commit 'db559a348ed23f3cc2a214de456524129c048d66':
Allow sdcardd tmpfs read access.
2016-01-27 18:50:31 +00:00
Jeffrey Vander Stoep
7116c1bbc2
Merge "Revert "zygote: grant perms from domain_deprecated"" am: 98f60e5c74
...
am: 7d3e54674f
* commit '7d3e54674f50a11ea8bb0b6fdd1f636f6a35f75d':
Revert "zygote: grant perms from domain_deprecated"
2016-01-27 18:45:34 +00:00
Jeffrey Vander Stoep
7d3e54674f
Merge "Revert "zygote: grant perms from domain_deprecated""
...
am: 98f60e5c74
* commit '98f60e5c742d32ed878ca420636cd86d4bf64272':
Revert "zygote: grant perms from domain_deprecated"
2016-01-27 18:43:46 +00:00
dcashman
db559a348e
Allow sdcardd tmpfs read access.
...
Address the following denial:
type=1400 audit(1453854842.899:7): avc: denied { search } for pid=1512 comm="sdcard" name="/" dev="tmpfs" ino=7547 scontext=u:r:sdcardd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
vold: EmulatedVolume calls sdcard to mount on /storage/emulated.
Bug: 26807309
Change-Id: Ifdd7c356589f95165bba489dd06282a4087e9aee
2016-01-27 10:42:54 -08:00
Jeffrey Vander Stoep
b9b07da098
Revert "zygote: grant perms from domain_deprecated"
...
This reverts commit e52fff83a1.
Change-Id: Ieafb5214940585d63ff6f0b4802d8c7d1c126174
2016-01-27 10:42:44 -08:00
Jeffrey Vander Stoep
98f60e5c74
Merge "Revert "zygote: grant perms from domain_deprecated""
2016-01-27 18:39:42 +00:00
Jeffrey Vander Stoep
b898360e27
Revert "zygote: grant perms from domain_deprecated"
...
This reverts commit e52fff83a1.
Change-Id: Ieafb5214940585d63ff6f0b4802d8c7d1c126174
2016-01-27 18:39:28 +00:00
Jeffrey Vander Stoep
21eede46ae
Merge "zygote: grant perms from domain_deprecated" am: 4115beae63
...
am: 299e1d5a85
* commit '299e1d5a85edb3fc3bf7845779a27a91de864b30':
zygote: grant perms from domain_deprecated
2016-01-27 18:15:08 +00:00
Jeffrey Vander Stoep
299e1d5a85
Merge "zygote: grant perms from domain_deprecated"
...
am: 4115beae63
* commit '4115beae6375b3b7c1cb777d342e0e7cd6028995':
zygote: grant perms from domain_deprecated
2016-01-27 18:13:20 +00:00
Jeffrey Vander Stoep
4115beae63
Merge "zygote: grant perms from domain_deprecated"
2016-01-27 18:08:01 +00:00
Jeffrey Vander Stoep
01afbb4c61
Merge "autoplay_app: cgroup write perms moved to domain"
2016-01-27 18:07:55 +00:00
Jeff Vander Stoep
e52fff83a1
zygote: grant perms from domain_deprecated
...
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { read } for name="ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
Change-Id: I5b505ad386a445113bc0a1bb35d4f88f7761c048
2016-01-27 09:57:25 -08:00
Marco Nelissen
87a79cf9dd
Merge "selinux rules for codec process"
2016-01-27 17:46:47 +00:00
Jeff Vander Stoep
a3266be968
audioserver: grant read perms to /proc
...
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { read } for name="irq_affinity" dev="proc" ino=4026536760 scontext=u:r:audioserver:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { open } for path="/proc/asound/irq_affinity" dev="proc" ino=4026536760 scontext=u:r:audioserver:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { getattr } for path="/proc/asound/irq_affinity" dev="proc" ino=4026536760 scontext=u:r:audioserver:s0 tcontext=u:object_r:proc:s0 tclass=file
Change-Id: Iaa8843bb4e8b19d001520fcd45d35e666bf48271
2016-01-27 09:37:36 -08:00
Jeff Vander Stoep
00fdd71185
autoplay_app: cgroup write perms moved to domain
...
Remove from autoplay
Change-Id: Ic9f019f69e5f2dff5e2b8d03d39052486660d791
2016-01-27 09:27:16 -08:00
Narayan Kamath
3acd7eb8e7
Merge "Revert "Remove domain_deprecated from sdcard domains"" am: c4121add28
...
am: 2e97539602
* commit '2e975396026fe074b074f126309e5f4a88702a2c':
Revert "Remove domain_deprecated from sdcard domains"
2016-01-27 15:45:11 +00:00
Narayan Kamath
2e97539602
Merge "Revert "Remove domain_deprecated from sdcard domains""
...
am: c4121add28
* commit 'c4121add28c75ab12d634d2aa7570417ebb4e043':
Revert "Remove domain_deprecated from sdcard domains"
2016-01-27 15:43:26 +00:00
Sylvain Chouleur
9a28f90d6a
init: allow to access console-ramoops with newer kernels
...
Since Linux 3.18, commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3 has
been integrated and requires the syslog_read capability for a process accessing
the console-ramoops file.
sepolicy must be adapted to this new requirement.
Change-Id: Ib4032a6bd96b1828a0154edc8fb510e3c1d3bdc2
Signed-off-by: Sylvain Chouleur <sylvain.chouleur@intel.com>
2016-01-27 16:42:31 +01:00
Narayan Kamath
c4121add28
Merge "Revert "Remove domain_deprecated from sdcard domains""
2016-01-27 15:39:28 +00:00
Narayan Kamath
f4d7eef731
Revert "Remove domain_deprecated from sdcard domains"
...
This reverts commit 0c7bc58e91.
bug: 26807309
Change-Id: I8a7b0e56a0d6f723508d0fddceffdff76eb0459a
2016-01-27 15:39:05 +00:00
Jeff Vander Stoep
448952b617
domain: grant write perms to cgroups am: be0616baf0
...
am: 7676d3d985
* commit '7676d3d9854879830c8bc78c80ede981e937044c':
domain: grant write perms to cgroups
2016-01-27 03:35:14 +00:00
Jeff Vander Stoep
7676d3d985
domain: grant write perms to cgroups
...
am: be0616baf0
* commit 'be0616baf0c0caf8e1c8a4fdc9b488839f6af27d':
domain: grant write perms to cgroups
2016-01-27 03:33:26 +00:00
Jeff Vander Stoep
be0616baf0
domain: grant write perms to cgroups
...
Was moved to domain_deprecated. Move back to domain.
Files in /acct/uid/*/tasks are well protected by unix permissions.
No information is leaked with write perms.
Change-Id: I8017e906950cba41ce350bc0892a36269ade8d53
2016-01-27 03:00:50 +00:00
dcashman
e458f9abd4
Restore untrusted_app proc_net access. am: 5833e3f5ca
...
am: a321dde852
* commit 'a321dde852731f320e24f93347f39278bcf0b58b':
Restore untrusted_app proc_net access.
2016-01-27 01:26:57 +00:00
dcashman
a321dde852
Restore untrusted_app proc_net access.
...
am: 5833e3f5ca
* commit '5833e3f5ca04e88629e3bd76331fa0ab42d568f4':
Restore untrusted_app proc_net access.
2016-01-27 01:25:05 +00:00
dcashman
5833e3f5ca
Restore untrusted_app proc_net access.
...
Address the following denial:
type=1400 audit(0.0:853): avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0
Bug: 26806629
Change-Id: Ic2ad91aadac00dc04d7e04f7460d5681d81134f4
2016-01-26 16:56:24 -08:00
SimHyunYong
001b10bdff
Remove access_kmsg macro, to be more explicit.
...
This macro does not give us anything.
Change-Id: Ie0b56716cc0144f0a59849647cad31e06a25acf1
2016-01-27 08:56:30 +09:00
SimHyunYong
f7f49b80a3
Using r_dir_file macro in domain.te am: 093ea6fb9a
...
am: fa46a7375b
* commit 'fa46a7375bf36ea5dcc08cfdb92cbc463a2d471c':
Using r_dir_file macro in domain.te
2016-01-26 23:48:42 +00:00
SimHyunYong
fa46a7375b
Using r_dir_file macro in domain.te
...
am: 093ea6fb9a
* commit '093ea6fb9a284acbce10641f8743de24abd70734':
Using r_dir_file macro in domain.te
2016-01-26 23:46:45 +00:00
dcashman
aedf223656
Reduce accessibility of voiceinteraction_service.
...
The services under this label are not meant to be exposed to all apps.
Currently only priv_app needs access.
Bug: 26799206
Change-Id: I07c60752d6ba78f27f90bf5075bcab47eba90b55
2016-01-26 15:12:08 -08:00
Jeffrey Vander Stoep
e449446548
Merge "Remove domain_deprecated from sdcard domains" am: cdae042a07
...
am: dd55b44d08
* commit 'dd55b44d08d6e4be36f110c35bc69c8309c0161e':
Remove domain_deprecated from sdcard domains
2016-01-26 23:02:58 +00:00
Jeffrey Vander Stoep
dd55b44d08
Merge "Remove domain_deprecated from sdcard domains"
...
am: cdae042a07
* commit 'cdae042a07cda569f2366cb8f6b0b036f0a8c634':
Remove domain_deprecated from sdcard domains
2016-01-26 22:56:07 +00:00
SimHyunYong
093ea6fb9a
Using r_dir_file macro in domain.te
...
r_dir_file(domain, self)
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:file r_file_perms;
te_macros
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')
Change-Id: I7338f63a1eaa8ca52cd31b51ce841e3dbe46ad4f
2016-01-27 07:54:47 +09:00
Jeffrey Vander Stoep
cdae042a07
Merge "Remove domain_deprecated from sdcard domains"
2016-01-26 22:44:14 +00:00
James Hawkins
327da659be
Merge "bootstat: Fix the SELinux policy after removing domain_deprecated." am: ae29dea8b7
...
am: c119fab939
* commit 'c119fab9392cc8a7d95d88417ff8a1c2a521566f':
bootstat: Fix the SELinux policy after removing domain_deprecated.
2016-01-26 21:54:59 +00:00
Jeff Vander Stoep
59e47dd5de
resolve merge conflicts of ef9a0be598 to master.
...
Change-Id: I65d7c0bb306f61dfe0ad2a5581f28dbc2942a1eb
2016-01-26 13:38:03 -08:00
James Hawkins
c119fab939
Merge "bootstat: Fix the SELinux policy after removing domain_deprecated."
...
am: ae29dea8b7
* commit 'ae29dea8b7580478bd18f4354adeff38b1de1476':
bootstat: Fix the SELinux policy after removing domain_deprecated.
2016-01-26 21:31:19 +00:00
James Hawkins
ae29dea8b7
Merge "bootstat: Fix the SELinux policy after removing domain_deprecated."
2016-01-26 21:26:37 +00:00
Arunesh Mishra
7a17cf5c95
Merge "Allow "soundtrigger" system service to run."
2016-01-26 21:16:37 +00:00
SimHyunYong
ef9a0be598
Delete policy; it is already included in binder_call macros.
...
am: 7171232c02
* commit '7171232c02d27e777ad2267f1a8b5246b3aabc8d':
Delete policy; it is already included in binder_call macros.
2016-01-26 20:08:55 +00:00
Arunesh Mishra
400266bfae
Allow "soundtrigger" system service to run.
...
In the same process as voiceinteraction.
Please see related CL ag/852049
Bug: 22860713
Change-Id: I43ebfdba2aafb151dd7db0814570027e1164508a
2016-01-26 11:27:46 -08:00