Commit: e58a8de5e7 added a new type
which has no analogue in 26.0. Record it as such.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I6b6d2aa64e0ac2c39c8d0427d333e6c7fc2b0bb1

Commit: 86cb521502 gave /dev/memcg a
new label, but also explicitly prohibited access to vendor domains.
Add the type to the 'new types' and don't map it to any other type
for backwards compatibility.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I8902716830b162ead69834544ace9e02a94c65b4

Commit: 38f0928fb0 added a type for a
new system service. This service did not exist previously, so mark
the type as not needing any compat entry.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I52d8e144c614b27f5c52fa99be6cfac87159bbcd

Commit: 78e595deab added a new hwservice,
which replaced a previous system service. This effectively means we are
deleting one object and creating a new one, so no compatibility mapping
should be necessary since previous vendor processes trying to access the
service will not be able to find it now independent of policy.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I6882d968dccb55561379e940f6ecb62902bb1659

When moving SELinux rules from file_contexts to genfs_contexts, we
added some genfs rules to label specific files. It turns out that one
of those files was the prefix of some other files, and since genfs
does prefix-labeling, those other files had their labels changed.
To fix this, we are changing the whole tracefs /instances/wifi from
debugfs_tracing_instances to debugfs_wifi_tracing (a few of the files
already had this label). This simplifies the rules.
Bug: 62413700
Test: Built, flashed, and booted two devices. Verified that the files
have the correct context and that wifi, camera, and traceur work.
Change-Id: Id62db079f439ae8c531b44d1184eea26d5b760c3

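Added example (not part of the commit above or of the AOSP policy): a small Python model of genfs prefix-labeling, showing how an entry written for one file also labels siblings whose names begin with it, and how labeling the whole directory removes the ambiguity. The file names under /instances/wifi are constructed; only the two label names come from the commit message.

```python
# Model of genfs_contexts lookup: the kernel tries entries longest-first and
# accepts the first one that is a plain string prefix of the path.
# All paths below are constructed for illustration.

def match(entries, path):
    """Return (prefix, label) of the longest entry that prefixes path."""
    for prefix, label in sorted(entries, key=lambda e: len(e[0]), reverse=True):
        if path.startswith(prefix):
            return prefix, label
    return None

def genfs_label(entries, path):
    hit = match(entries, path)
    return hit[1] if hit else None

def unintended_matches(entries, paths):
    """Paths labeled by an entry that is neither the path itself nor one of
    its parent directories, i.e. a file entry acting as a name prefix."""
    out = []
    for path in paths:
        hit = match(entries, path)
        if hit is None:
            continue
        prefix, label = hit
        is_exact = path == prefix
        is_parent = path.startswith(prefix.rstrip("/") + "/")
        if not (is_exact or is_parent):
            out.append((path, prefix, label))
    return out

# Constructed file list for one tracefs instance directory.
PATHS = ["/instances/wifi/sample", "/instances/wifi/sample_pipe",
         "/instances/wifi/other"]

# Before: a per-file entry, intended for "sample" only.
BEFORE = [("/instances", "debugfs_tracing_instances"),
          ("/instances/wifi/sample", "debugfs_wifi_tracing")]

# After: the whole directory carries one label, as the commit describes.
AFTER = [("/instances", "debugfs_tracing_instances"),
         ("/instances/wifi", "debugfs_wifi_tracing")]

if __name__ == "__main__":
    for name, entries in (("before", BEFORE), ("after", AFTER)):
        for p in PATHS:
            print(name, p, genfs_label(entries, p))
        print(name, "unintended:", unintended_matches(entries, PATHS))
```

Running a check like `unintended_matches` over a device's file list before landing a genfs change flags per-file entries that would silently relabel neighbouring files.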
Commit: b8f7a40833 removed three
attributes from public policy. These attributes could be assigned
to vendor types, and so need to be kept in policy when combined with
vendor policy of that version.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I7d71ef7795f8b82c214c2ef72478c3ca84d1869c

Commit: 4dc88795d0 changed the label of
uid_time_in_state from proc to proc_uid_time_in_state. This file
could have been used by vendor services. Add a compat mapping.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I2e5222c4d4fe12cb0bbc4e85ba53c1f59b714d61

Change fb889f23d "Force expand all hal_* attributes" annotated all
hal_* attributes to be expanded to their associated types. However
some of these attributes are used in CTS for neverallow checking.
Mark these attributes to be preserved.
In addition, remove the hacky workaround introduced in oc-dev
for b/62658302 where extraneous neverallow rules were introduced
to prevent unused or negated attributes from being auto-expanded
from policy.
Bug: 62658302
Bug: 63135903
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.cts.security.SELinuxNeverallowRulesTest
armeabi-v7a CtsSecurityHostTestCases completed in 4s.
501 passed, 0 failed, 0 not executed
Merged-In: I989def70a16f66e7a18bef1191510793fbe9cb8c
Change-Id: I989def70a16f66e7a18bef1191510793fbe9cb8c

Change fb889f23d "Force expand all hal_* attributes" annotated all
hal_* attributes to be expanded to their associated types. However
some of these attributes are used in CTS for neverallow checking.
Mark these attributes to be preserved.
In addition, remove the hacky workaround introduced in oc-dev
for b/62658302 where extraneous neverallow rules were introduced
to prevent unused or negated attributes from being auto-expanded
from policy.
Bug: 62658302
Bug: 63135903
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.cts.security.SELinuxNeverallowRulesTest
armeabi-v7a CtsSecurityHostTestCases completed in 4s.
501 passed, 0 failed, 0 not executed
Change-Id: I989def70a16f66e7a18bef1191510793fbe9cb8c

The code used to look like this, but in commit
4cae28d43c we replaced the generic
regexes to improve performance. Now that we've switched to genfs,
this no longer affects performance, so let's simplify the labeling.
Bug: 62413700
Test: Built, flashed, and booted two devices. Verified that all of
the files have the correct context and that wifi, camera, and traceur
work.
Change-Id: I1a859d17075fa25543ee090cc7a7478391bc45c1

This should slightly improve performance, as file_contexts is slower
than genfs_contexts.
Now that the kernel patch enabling genfs labeling of tracefs has
landed, we can re-enable this.
Bug: 62413700
Test: Built, flashed, and booted two devices. Verified that all of
the files have the correct context and that wifi, camera, and traceur
work.
Change-Id: Ifc1c6ac634b94e060ed1f311049bd37f6fcc8313

Test: let fs_mgr format a damaged /data partition
Bug: 35219933
Change-Id: I379567772c73e52f532a24acf640c21f2bab5c5b
Merged-In: I379567772c73e52f532a24acf640c21f2bab5c5b