tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
6122 commits 1 branch 0 tags 50 MiB
Commit graph

6122 commits

This branch
This branch
All branches
Author SHA1 Message Date
dcashman
c8b21438c6 Allow platform app to get handle to voiceinteraction service. 
Address the following denial caused by systemui:
avc:  denied  { find } for service=voiceinteraction pid=10761 uid=10029 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=0

Bug: 26842457
Change-Id: I8274d7f31a4390ccfb885389302e4fea9ce0e389
 2016-02-01 13:09:56 -08:00
Jeffrey Vander Stoep
c68c5019d5 Merge "init: allow to access console-ramoops with newer kernels" am: 84fbd53a1b 
am: fa3353065d

* commit 'fa3353065d2cc095bb613a54e3d3c8570b412f49':
  init: allow to access console-ramoops with newer kernels
 2016-02-01 19:40:04 +00:00
Jeffrey Vander Stoep
fa3353065d Merge "init: allow to access console-ramoops with newer kernels" 
am: 84fbd53a1b

* commit '84fbd53a1b39dbec2703b56f92d6fe2612c4a4a4':
  init: allow to access console-ramoops with newer kernels
 2016-02-01 19:20:59 +00:00
Jeffrey Vander Stoep
84fbd53a1b Merge "init: allow to access console-ramoops with newer kernels" 2016-02-01 19:15:15 +00:00
Christopher Tate
b8104a47dd Move staged backup content to a specific cache subdir 
Also narrowly specify the domain for the local transport's bookkeeping.

Bug 26834865

Change-Id: I2eea8a10f29356ffecabd8e102f7afa90123c535
 2016-01-29 14:05:35 -08:00
Chris Tate
02bffbb8dc Merge "Add rules for original + processed wallpaper files" 2016-01-29 00:38:36 +00:00
Christopher Tate
fdeeb59bdb Add rules for original + processed wallpaper files 
Bug 25454501

Change-Id: I31357e658ecdbcc69df47fbc2d22e4849dd1539b
 2016-01-28 13:52:09 -08:00
Marco Nelissen
b1bf83fd79 Revert "selinux rules for codec process" 
This reverts commit 2afb217b68.

Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed
 2016-01-28 13:51:28 -08:00
Jeffrey Vander Stoep
c08eeee540 Merge "mediaserver: grant perms from domain_deprecated" am: 3d8391e759 
am: 15decd6955

* commit '15decd6955093683a9d78cc2983d7ea49f20bba2':
  mediaserver: grant perms from domain_deprecated
 2016-01-28 15:40:30 +00:00
Jeffrey Vander Stoep
b89e0e1316 Merge "logd: grant perms from domain_deprecated" am: 61e9386030 
am: e02124ff0a

* commit 'e02124ff0a7aa1bbfbc9dcf78b1dc2e3c1481936':
  logd: grant perms from domain_deprecated
 2016-01-28 15:40:27 +00:00
Jeffrey Vander Stoep
1d7f15070f Merge "kernel: grant perms from domain_deprecated" am: e48ab7848d 
am: d9fcee9ddc

* commit 'd9fcee9ddca74ec3a6cce9dedb5932d8180fb10c':
  kernel: grant perms from domain_deprecated
 2016-01-28 15:40:23 +00:00
Jeffrey Vander Stoep
15decd6955 Merge "mediaserver: grant perms from domain_deprecated" 
am: 3d8391e759

* commit '3d8391e759fd3ffe70f10fc77e252fe71c902836':
  mediaserver: grant perms from domain_deprecated
 2016-01-28 15:38:17 +00:00
Jeffrey Vander Stoep
e02124ff0a Merge "logd: grant perms from domain_deprecated" 
am: 61e9386030

* commit '61e9386030d67a14030d7191a19838ed7d06e076':
  logd: grant perms from domain_deprecated
 2016-01-28 15:38:13 +00:00
Jeffrey Vander Stoep
d9fcee9ddc Merge "kernel: grant perms from domain_deprecated" 
am: e48ab7848d

* commit 'e48ab7848dac5fecfe64fcabeef786156eeae261':
  kernel: grant perms from domain_deprecated
 2016-01-28 15:38:10 +00:00
Jeffrey Vander Stoep
3d8391e759 Merge "mediaserver: grant perms from domain_deprecated" 2016-01-28 15:35:17 +00:00
Jeffrey Vander Stoep
61e9386030 Merge "logd: grant perms from domain_deprecated" 2016-01-28 15:34:28 +00:00
Jeffrey Vander Stoep
e48ab7848d Merge "kernel: grant perms from domain_deprecated" 2016-01-28 15:34:06 +00:00
dcashman
4cfa4decc1 Allow apps to check attrs of /cache am: 0e591bd256 
am: a38af1a903

* commit 'a38af1a903f038ee08490db898c2416885f859db':
  Allow apps to check attrs of /cache
 2016-01-28 04:22:24 +00:00
Jeff Vander Stoep
72e78bfcac mediaserver: grant perms from domain_deprecated 
In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { getattr } for path="/proc/self" dev="proc" ino=4026531841 scontext=u:r:mediaserver:s0 tcontext=u:object_r:proc:s0 tclass=lnk_file permissive=1
avc: denied { read } for name="mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
avc: denied { open } for path="/vendor/lib/mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1

Change-Id: Ibffa0c9a31316b9a2f1912ae68a8dcd3a4e671b7
 2016-01-27 19:33:42 -08:00
Jeff Vander Stoep
2f3979a778 logd: grant perms from domain_deprecated 
In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { open } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { getattr } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { read } for name="kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
avc: denied { open } for path="/proc/kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
avc: denied { getattr } for path="/proc/meminfo" dev="proc" ino=4026536598 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1

Change-Id: Iaa67a6b8369c0449b09b64b807bc5819d6d68f02
 2016-01-27 19:25:52 -08:00
Jeff Vander Stoep
bc2b76b06b kernel: grant perms from domain_deprecated 
In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
avc: denied { read } for name="selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
avc: denied { open } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
avc: denied { getattr } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1

Change-Id: I62cbffe85941677283d3b7bf8fc1c437671569a3
 2016-01-27 19:18:01 -08:00
dcashman
a38af1a903 Allow apps to check attrs of /cache 
am: 0e591bd256

* commit '0e591bd256233add2c06c306bc17f5ebd71fe088':
  Allow apps to check attrs of /cache
 2016-01-28 02:18:17 +00:00
Chien-Yu Chen
4000cc33de Merge "selinux: Update policies for cameraserver" 2016-01-28 02:04:43 +00:00
Jeffrey Vander Stoep
739f31f09d Merge "vold: grant perms from domain_deprecated" am: 1cf93217fa 
am: 9001f6f892

* commit '9001f6f892a8a9eb73dd27c040ab6398ec238fe5':
  vold: grant perms from domain_deprecated
 2016-01-27 23:53:08 +00:00
Jeffrey Vander Stoep
9001f6f892 Merge "vold: grant perms from domain_deprecated" 
am: 1cf93217fa

* commit '1cf93217fa578b3439b37b7f5a3b5045a97ec5d4':
  vold: grant perms from domain_deprecated
 2016-01-27 23:49:33 +00:00
dcashman
0e591bd256 Allow apps to check attrs of /cache 
Address the following denial:
type=1400 audit(0.0:261): avc: denied { getattr } for path="/cache" dev="mmcblk0p27" ino=2 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0 tclass=dir permissive=0

Bug: 26823157
Change-Id: I937046969e92d96f2d31feceddd9ebe7c59bd3e6
 2016-01-27 15:49:11 -08:00
Jeffrey Vander Stoep
1cf93217fa Merge "vold: grant perms from domain_deprecated" 2016-01-27 23:44:48 +00:00
Jeffrey Vander Stoep
e618841de3 Merge "healthd: grant perms from domain_deprecated" am: f33507dfc5 
am: e329140391

* commit 'e329140391790f1aa0ac7ed6a35903d7f8b445d9':
  healthd: grant perms from domain_deprecated
 2016-01-27 21:05:08 +00:00
Daniel Cashman
fb10981c45 Merge "remove access_kmsg macro, because it to be more explicit." am: fea9ad7c29 
am: 07ae9d5db4

* commit '07ae9d5db41814a6748e8f125ef8205bc2eb4221':
  remove access_kmsg macro, because it to be more explicit.
 2016-01-27 21:05:04 +00:00
Jeffrey Vander Stoep
e329140391 Merge "healthd: grant perms from domain_deprecated" 
am: f33507dfc5

* commit 'f33507dfc588692e01fac148d6f151f2dbac8b04':
  healthd: grant perms from domain_deprecated
 2016-01-27 20:51:20 +00:00
Daniel Cashman
07ae9d5db4 Merge "remove access_kmsg macro, because it to be more explicit." 
am: fea9ad7c29

* commit 'fea9ad7c290f54b601934ae585efef8ffcdc08ca':
  remove access_kmsg macro, because it to be more explicit.
 2016-01-27 20:51:16 +00:00
Jeffrey Vander Stoep
f33507dfc5 Merge "healthd: grant perms from domain_deprecated" 2016-01-27 20:47:31 +00:00
Daniel Cashman
fea9ad7c29 Merge "remove access_kmsg macro, because it to be more explicit." 2016-01-27 20:46:44 +00:00
Jeffrey Vander Stoep
409b38bcba Merge "zygote: grant perms from domain_deprecated" am: eecaa0b5f9 
am: fde8ca5383

* commit 'fde8ca5383038775ce9ea36ea505acffaabde309':
  zygote: grant perms from domain_deprecated
 2016-01-27 20:41:52 +00:00
Jeffrey Vander Stoep
fde8ca5383 Merge "zygote: grant perms from domain_deprecated" 
am: eecaa0b5f9

* commit 'eecaa0b5f9d83bb86b66d5ad7feacb5c4d6d83f7':
  zygote: grant perms from domain_deprecated
 2016-01-27 20:40:08 +00:00
Jeffrey Vander Stoep
eecaa0b5f9 Merge "zygote: grant perms from domain_deprecated" 2016-01-27 20:35:12 +00:00
Jeff Vander Stoep
9306072c97 vold: grant perms from domain_deprecated 
In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { open } for path="/fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { getattr } for path="/fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file

avc: denied { read } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { open } for path="/cache" dev="mmcblk0p30" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { ioctl } for path="/cache" dev="mmcblk0p30" ino=2 ioctlcmd=5879 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir

avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=dir
avc: denied { open } for path="/proc" dev="proc" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=dir

avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/157/net/psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/157/net/psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file

Change-Id: I8af7edc5b06675a9a2d62bf86e1c22dbb5d74370
avc: denied { read } for name="block" dev="sysfs" ino=2582 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
avc: denied { open } for path="/sys/block" dev="sysfs" ino=2582 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
 2016-01-27 12:24:26 -08:00
Daniel Cashman
8a7887470b Merge "Reduce accessibility of voiceinteraction_service." 2016-01-27 19:30:58 +00:00
Chien-Yu Chen
e0378303b5 selinux: Update policies for cameraserver 
Update policies for cameraserver so it has the same permissions
as mediaserver.

Bug: 24511454
Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb
 2016-01-27 11:29:11 -08:00
Jeff Vander Stoep
12401b8d18 healthd: grant perms from domain_deprecated 
In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="present" dev="sysfs" ino=5003 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: denied { open } for path="/sys/devices/platform/htc_battery_max17050.8/power_supply/flounder-battery/present" dev="sysfs" ino=5003 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: Iaee5b79a45aedad98e08c670addbf444c984165e
 2016-01-27 11:20:52 -08:00
Jeff Vander Stoep
cee6a0e748 zygote: grant perms from domain_deprecated 
In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file

Change-Id: Ie94d3db3c5dccb8077ef5da26221a6413f5d19c2
 2016-01-27 10:55:03 -08:00
dcashman
b61d07a269 Allow sdcardd tmpfs read access. am: db559a348e 
am: 555f14c2ed

* commit '555f14c2ed5c80561e17229fcad22499f52462bf':
  Allow sdcardd tmpfs read access.
 2016-01-27 18:53:05 +00:00
dcashman
555f14c2ed Allow sdcardd tmpfs read access. 
am: db559a348e

* commit 'db559a348ed23f3cc2a214de456524129c048d66':
  Allow sdcardd tmpfs read access.
 2016-01-27 18:50:31 +00:00
Jeffrey Vander Stoep
7116c1bbc2 Merge "Revert "zygote: grant perms from domain_deprecated"" am: 98f60e5c74 
am: 7d3e54674f

* commit '7d3e54674f50a11ea8bb0b6fdd1f636f6a35f75d':
  Revert "zygote: grant perms from domain_deprecated"
 2016-01-27 18:45:34 +00:00
Jeffrey Vander Stoep
7d3e54674f Merge "Revert "zygote: grant perms from domain_deprecated"" 
am: 98f60e5c74

* commit '98f60e5c742d32ed878ca420636cd86d4bf64272':
  Revert "zygote: grant perms from domain_deprecated"
 2016-01-27 18:43:46 +00:00
dcashman
db559a348e Allow sdcardd tmpfs read access. 
Address the following denial:
type=1400 audit(1453854842.899:7): avc: denied { search } for pid=1512 comm="sdcard" name="/" dev="tmpfs" ino=7547 scontext=u:r:sdcardd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0

vold: EmulatedVolume calls sdcard to mount on /storage/emulated.

Bug: 26807309
Change-Id: Ifdd7c356589f95165bba489dd06282a4087e9aee
 2016-01-27 10:42:54 -08:00
Jeffrey Vander Stoep
b9b07da098 Revert "zygote: grant perms from domain_deprecated" 
This reverts commit e52fff83a1.

Change-Id: Ieafb5214940585d63ff6f0b4802d8c7d1c126174
 2016-01-27 10:42:44 -08:00
Jeffrey Vander Stoep
98f60e5c74 Merge "Revert "zygote: grant perms from domain_deprecated"" 2016-01-27 18:39:42 +00:00
Jeffrey Vander Stoep
b898360e27 Revert "zygote: grant perms from domain_deprecated" 
This reverts commit e52fff83a1.

Change-Id: Ieafb5214940585d63ff6f0b4802d8c7d1c126174
 2016-01-27 18:39:28 +00:00
Jeffrey Vander Stoep
21eede46ae Merge "zygote: grant perms from domain_deprecated" am: 4115beae63 
am: 299e1d5a85

* commit '299e1d5a85edb3fc3bf7845779a27a91de864b30':
  zygote: grant perms from domain_deprecated
 2016-01-27 18:15:08 +00:00