Commit graph

18902 commits

Author SHA1 Message Date
Yifan Hong
150f84e06c Merge "super_block_device -> super_block_device_type" am: 93b81f30ae
am: f0e9c939cc

Change-Id: I3ac061c2bd24a0ab7af067bfcdcb8ca38bb0daca
2019-03-28 13:51:29 -07:00
Yifan Hong
f0e9c939cc Merge "super_block_device -> super_block_device_type"
am: 93b81f30ae

Change-Id: I274da84cce7985f97db2b3918c60f53304d999d8
2019-03-28 13:38:11 -07:00
Yifan Hong
93b81f30ae Merge "super_block_device -> super_block_device_type" 2019-03-28 19:55:44 +00:00
Florian Mayer
512ff44523 Merge "Allow heapprofd to read test files." am: eda65027c7
am: b3f934c382

Change-Id: I96f2c358aae4eeeb15ffead648228586499ee075
2019-03-28 11:46:08 -07:00
Florian Mayer
b3f934c382 Merge "Allow heapprofd to read test files."
am: eda65027c7

Change-Id: Ia98a1657e11d7fe93710b7ad2f7b4d9e73b955cd
2019-03-28 11:37:46 -07:00
Florian Mayer
eda65027c7 Merge "Allow heapprofd to read test files." 2019-03-28 18:21:10 +00:00
Yifan Hong
ab85caaa56 super_block_device -> super_block_device_type
Domains that access super_block_device should instead
access super_block_device_type, which includes appropriate
block devices for retrofit DAP devices.

Test: boots (sanity)
Test: manual OTA
Bug: 128991918
Change-Id: Ie025b1e3c17e82330042aaa4a3e2e4a02ec1265b
2019-03-28 18:08:19 +00:00
Florian Mayer
ba385e3116 Merge "Relabel /data/system/packages.list to new type." am: 7145b25226
am: 1d0b6aed97

Change-Id: I6c9b389f5e5120080a80afbdb77759bc3842714b
2019-03-28 10:52:00 -07:00
Florian Mayer
1d0b6aed97 Merge "Relabel /data/system/packages.list to new type."
am: 7145b25226

Change-Id: Iaaaf871eddfdbee0f9d7adeb222965e17d1d17d2
2019-03-28 10:47:56 -07:00
Florian Mayer
7145b25226 Merge "Relabel /data/system/packages.list to new type." 2019-03-28 17:36:36 +00:00
YH_Lin
8dd0afad0d Merge "sepolicy: add sepolicy rules for vold to write sysfs gc_urgent" am: a2186d08ca
am: d155e2c768

Change-Id: I73538ae26a6543b88f3ae2c92375d8eb949ad02c
2019-03-28 07:32:19 -07:00
YH_Lin
d155e2c768 Merge "sepolicy: add sepolicy rules for vold to write sysfs gc_urgent"
am: a2186d08ca

Change-Id: I9073b91afeed049b683cdeb7a6d71a9d554052cd
2019-03-28 07:27:55 -07:00
Treehugger Robot
a2186d08ca Merge "sepolicy: add sepolicy rules for vold to write sysfs gc_urgent" 2019-03-28 14:19:20 +00:00
Hector Dearman
9bb344c5f3 Merge "Fix typos in genfs_contexts" am: 2d4894323c
am: 2344a6732c

Change-Id: I54ecd8076d523edbadaa24f5ba3bc25436b4926b
2019-03-28 04:05:34 -07:00
Hector Dearman
2344a6732c Merge "Fix typos in genfs_contexts"
am: 2d4894323c

Change-Id: I5eecc86b004df23f527257accd3c8e78c325677b
2019-03-28 04:01:29 -07:00
Hector Dearman
2d4894323c Merge "Fix typos in genfs_contexts" 2019-03-28 10:51:03 +00:00
Florian Mayer
4ab64c940f Relabel /data/system/packages.list to new type.
Conservatively grant access to packages_list_file to everything that had
access to system_data_file:file even if the comment in the SELinux
policy suggests it was for another use.

Ran a diff on the resulting SEPolicy, the only difference of domains
being granted is those that had system_data_file:dir permissions which
is clearly not applicable for packages.list

diff -u0 <(sesearch --allow -t system_data_file ~/sepolicy | sed 's/system_data_file/packages_list_file/') <(sesearch --allow -t packages_list_file ~/sepolicy_new)
--- /proc/self/fd/16	2019-03-19 20:01:44.378409146 +0000
+++ /proc/self/fd/18	2019-03-19 20:01:44.378409146 +0000
@@ -3 +2,0 @@
-allow appdomain packages_list_file:dir getattr;
@@ -6 +4,0 @@
-allow coredomain packages_list_file:dir getattr;
@@ -8 +5,0 @@
-allow domain packages_list_file:dir search;
@@ -35 +31,0 @@
-allow system_server packages_list_file:dir { rename search setattr read lock create reparent getattr write relabelfrom ioctl rmdir remove_name open add_name };
@@ -40 +35,0 @@
-allow tee packages_list_file:dir { search read lock getattr ioctl open };
@@ -43,3 +37,0 @@
-allow traced_probes packages_list_file:dir { read getattr open search };
-allow vendor_init packages_list_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name open add_name };
-allow vold packages_list_file:dir { search setattr read lock create getattr mounton write ioctl rmdir remove_name open add_name };
@@ -48 +39,0 @@
-allow vold_prepare_subdirs packages_list_file:dir { read write relabelfrom rmdir remove_name open add_name };
@@ -50 +40,0 @@
-allow zygote packages_list_file:dir { search read lock getattr ioctl open };
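Review bot: the comparison is limited to allow rules (`sesearch --allow` on both sides), so these hunks, every one of which drops a packages_list_file:dir rule, say nothing about whether dontaudit or auditallow rules on system_data_file were carried over to the new type. Consider repeating the diff for those rule kinds, or stating in the message that they were checked and found equivalent.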

Bug: 123186697

Change-Id: Ieabf313653deb5314872b63cd47dadd535af7b07
2019-03-28 10:27:43 +00:00
David Anderson
d25ee0ab07 Add sepolicy for installing GSIs to external storage. am: 6557d87b0f
am: 9ca965a943

Change-Id: I493057b61079511383a4da11c6b95c3223ca77a5
2019-03-28 03:08:53 -07:00
David Anderson
9ca965a943 Add sepolicy for installing GSIs to external storage.
am: 6557d87b0f

Change-Id: I3b8f5bf53841c94222c90f0cc2c4aebb9b9b4fb2
2019-03-28 03:00:02 -07:00
David Anderson
6557d87b0f Add sepolicy for installing GSIs to external storage.
To install GSIs on external storage (such as sdcards), gsid needs some
additional privileges:
 - proc_cmdline and device-tree access to call ReadDefaultFstab().
   This is ultimately used to check whether system's dm-verity has
   check_at_most_once enabled, which is disallowed with sdcards.
 - vfat read/write access to write files to the sdcard. Note that
   adopted sdcards are not supported here.
 - read access to the sdcard block device. To enable this without
   providing access to vold_block_device, a new sdcard_block_device
   label was added. Devices must apply this label appropriately to
   enable gsid access.
 - FIBMAP access for VFAT filesystems, as they do not support FIEMAP.
   This only appears to work by granting SYS_RAWIO.

Bug: 126230649
Test: adb shell su root gsi_tool install --install_dir=/mnt/media_rw/...
      works without setenforce 0

Change-Id: I88d8d83e5f61d4c0490f912f226fe1fe38cd60ab
2019-03-27 17:12:51 -07:00
Steven Moreland
83849d94b6 Merge "private: allow zygote mnt_expand_file:dir getattr;" am: 180ffccc8f
am: b2267841db

Change-Id: If01d4a27c0baf5303df789f4c00d4bb0c4505860
2019-03-27 16:32:35 -07:00
Steven Moreland
b2267841db Merge "private: allow zygote mnt_expand_file:dir getattr;"
am: 180ffccc8f

Change-Id: Id82efff8a08d6bc48c78544879e35ac736f0fe62
2019-03-27 16:18:40 -07:00
Steven Moreland
180ffccc8f Merge "private: allow zygote mnt_expand_file:dir getattr;" 2019-03-27 22:59:49 +00:00
Victor Hsieh
0f94ee2784 Merge "Move fs-verity key loading into fsverity_init domain" am: 3337a33609
am: db2334d3aa

Change-Id: Id0a00d3931fa4690c4d0c5b91e9d906cd060d409
2019-03-27 13:47:20 -07:00
Victor Hsieh
db2334d3aa Merge "Move fs-verity key loading into fsverity_init domain"
am: 3337a33609

Change-Id: I7e4847dbfcce72ec80089a4150fce67782b049aa
2019-03-27 13:40:45 -07:00
Treehugger Robot
3337a33609 Merge "Move fs-verity key loading into fsverity_init domain" 2019-03-27 20:31:19 +00:00
Nick Kralevich
2b8292302c Merge "Revert "Temporarily hide denial to fix tests."" am: 76a1a76b35
am: fb9e32b288

Change-Id: Ibac930e2366334083825a46e8dc64669a5fc6b8e
2019-03-27 10:17:23 -07:00
Nick Kralevich
fb9e32b288 Merge "Revert "Temporarily hide denial to fix tests.""
am: 76a1a76b35

Change-Id: Id243cfaf04cafdfaf17837645f73d8640bd49cc4
2019-03-27 10:12:07 -07:00
Hector Dearman
714b917411 Fix typos in genfs_contexts
Each tracing event is listed twice in this file, once in
debugfs and once in tracefs:

genfscon debugfs /tracing/events/sched/sched_switch/
genfscon tracefs /events/sched/sched_switch/

Some of the debugfs entries are missing the required leading
/tracing/ prefix, probably a copy paste error from when they were
added.

Test: make
Change-Id: I6e64eac0c2b95b38c4648b92765c748c631348b7
2019-03-27 17:06:39 +00:00
Treehugger Robot
76a1a76b35 Merge "Revert "Temporarily hide denial to fix tests."" 2019-03-27 16:54:12 +00:00
Victor Hsieh
3d4ee1dba5 Move fs-verity key loading into fsverity_init domain
fsverity_init is a new shell script that uses mini-keyctl for the actual
key loading.  Given the plan to implement keyctl in toybox, we label
mini-keyctl as u:object_r:toolbox_exec:s0.

This gives us two benefits:
 - Better compatibility to keyctl(1), which doesn't have "dadd"
 - Pave the way to specify key's security labels, since keyctl(1)
   doesn't support, and we want to avoid adding incompatible option.

Test: Boot without SELinux denial
Test: After boot, see the key in /product loaded
Bug: 128607724
Change-Id: Iebd7c9b3c7aa99ad56f74f557700fd85ec58e9d0
2019-03-27 16:31:01 +00:00
Nick Kralevich
9097360049 Revert "Temporarily hide denial to fix tests."
This reverts commit 94b5fe4af5.

Reason for revert: Obsoleted by https://android-review.googlesource.com/933916

Bug: 129298168
Change-Id: I6b34cfdf76b5094db17ee06831d8a662ea360956
Test: Build.
2019-03-27 13:56:20 +00:00
Florian Mayer
12f7e0e658 Allow heapprofd to read test files.
This is needed to test the unwinding of test binaries.

03-26 19:55:44.311   939   939 W heapprofd: type=1400 audit(0.0:13): avc: denied { search } for name="nativetest" dev="sda45" ino=6815745 scontext=u:r:heapprofd:s0 tcontext=u:object_r:nativetest_data_file:s0 tclass=dir permissive=0

Change-Id: Icfbc6060a8755934f1c3935aac55ce7792dc7d85
2019-03-27 11:07:05 +00:00
Yifan Hong
75117c19c9 Merge changes from topic "lpdumpd" am: 40f1682ba6
am: 7f891f414f

Change-Id: Id3aea81bb90391b88942cf0f0d318ab040705fb9
2019-03-26 15:35:01 -07:00
Yifan Hong
7f891f414f Merge changes from topic "lpdumpd"
am: 40f1682ba6

Change-Id: I33d21f283f01fbeeda7584b4cee1a91597cc5a71
2019-03-26 14:24:19 -07:00
Nick Kralevich
811e373efb Merge "Temporarily hide denial to fix tests." am: a2b90b5efc
am: a95d5e8b03

Change-Id: I23f7accdb14853278c7712978bbad92c49fe8fc4
2019-03-26 13:54:32 -07:00
Nick Kralevich
d644476185 Merge "Don't audit audit_access denials to /dev/binder" am: f3e8dce5d4
am: 83484d2346

Change-Id: I93120a6d1fdfdc0f1d4a8675600e005485901e51
2019-03-26 13:53:57 -07:00
Nick Kralevich
a95d5e8b03 Merge "Temporarily hide denial to fix tests."
am: a2b90b5efc

Change-Id: If19dd95c24e0612f5a203b5b22ae1a01ce465c6a
2019-03-26 13:38:35 -07:00
Nick Kralevich
83484d2346 Merge "Don't audit audit_access denials to /dev/binder"
am: f3e8dce5d4

Change-Id: I61f195fd4c1dfe8a777617fbc1a776205da28d73
2019-03-26 13:37:29 -07:00
Yifan Hong
b1a5384b71 Merge "Add super_block_device_type" am: b9be03d63a
am: 9d8a33b32b

Change-Id: I7459a75ea8533c257aab3baeea0b4c37da17269d
2019-03-26 13:36:10 -07:00
Yifan Hong
40f1682ba6 Merge changes from topic "lpdumpd"
* changes:
  Add rules for lpdump and lpdumpd
  Allow to getattr kmsg_device
2019-03-26 20:35:36 +00:00
Yifan Hong
9d8a33b32b Merge "Add super_block_device_type"
am: b9be03d63a

Change-Id: Ia3a7f3c90cf24dacec8b2189ec4db568625a40b2
2019-03-26 13:19:52 -07:00
Nick Kralevich
a2b90b5efc Merge "Temporarily hide denial to fix tests." 2019-03-26 20:06:49 +00:00
Nick Kralevich
f3e8dce5d4 Merge "Don't audit audit_access denials to /dev/binder" 2019-03-26 19:51:01 +00:00
Yifan Hong
b9be03d63a Merge "Add super_block_device_type" 2019-03-26 19:30:12 +00:00
Joel Galenson
94b5fe4af5 Temporarily hide denial to fix tests.
This should be removed once the offending code is fixed.

Bug: 129298168
Test: Build.
Change-Id: Ie94a626be777a094fb587f72b3987994e085a23e
2019-03-25 17:37:51 -07:00
Tri Vo
786b973c96 Don't audit audit_access denials to /dev/binder
Without VNDK, libcutils has to probe for /dev/binder access before
reaching to ashmemd via binder. Ignore denials generated when probing
/dev/binder.

Bug: 129073672
Test: boot sailfish without denials to /dev/binder
Change-Id: I07ba2e094586df353d54507458e891a3d14c1ca6
2019-03-25 17:23:36 -07:00
Tri Vo
35cc47b2d6 Merge "Allow system_suspend access to /sys/power/wake_[un]lock." am: a109fa645c
am: 262995e560

Change-Id: I43f0d009d634b7c9cb9b281d39bea6d0e145f06c
2019-03-25 16:56:04 -07:00
Tri Vo
262995e560 Merge "Allow system_suspend access to /sys/power/wake_[un]lock."
am: a109fa645c

Change-Id: Iecf9f5edf236e7d36d9aeb3d4fe739404b65b8c4
2019-03-25 16:51:07 -07:00
Tri Vo
a109fa645c Merge "Allow system_suspend access to /sys/power/wake_[un]lock." 2019-03-25 23:38:09 +00:00