Narayan Kamath
41f233f465
Allow system_server to link,relabel and create_dir dalvikcache_data_file.
Required by the installation flow for split APKs.
bug: 20889739
Change-Id: I3e14335f3bcfe76d1d24d233f53a728a6d90e8a1
2015-06-04 11:07:24 +00:00
Paul Lawrence
3aac44ed17
Move crypt commands to a different listener in vold
In order to prevent this bug from happening, we must allow vold cryptfs
commands to complete while a long running mount is underway.
While waiting for vold to be changed to a binder interface, we will simply
create two listeners, one for cryptfs and one for everything else.
Bug: 19197175
Change-Id: I819f6a54c0a232826016823f2fde3adf7be31f9d
2015-06-03 14:09:21 -07:00
Mark Salyzyn
1dfc551f44
am 7e0838aa: logd: logpersistd
* commit '7e0838aaebc5c0a04df2f13ccef176a9096e4dc3':
logd: logpersistd
2015-06-03 02:20:59 +00:00
Mark Salyzyn
27b8cad3a3
am 0d22c6ce: logd: logpersistd
* commit '0d22c6cec62d2fa31fa013513a46440d71a65835':
logd: logpersistd
2015-06-02 22:45:23 +00:00
Mark Salyzyn
7e0838aaeb
logd: logpersistd
(cherry pick from commit 0d22c6cec6)
- Enable logpersistd to write to /data/misc/logd
- Enable logpersistd to read from pstore to help complete any content
lost by reboot disruption
- Enable shell readonly ability logpersistd files in /data/misc/logd
- Enable logcat -f when placed into logd context to act as a
logpersistd (nee logcatd) agent, restrict access to run only in
userdebug or eng
Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5
2015-06-02 15:24:11 -07:00
Mark Salyzyn
0d22c6cec6
logd: logpersistd
- Enable logpersistd to write to /data/misc/logd
- Enable logpersistd to read from pstore to help complete any content
lost by reboot disruption
- Enable shell readonly ability logpersistd files in /data/misc/logd
- Enable logcat -f when placed into logd context to act as a
logpersistd (nee logcatd) agent, restrict access to run only in
userdebug or eng
Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5
2015-06-02 13:56:01 -07:00
Paul Lawrence
cd24232a20
am 35e50159: DO NOT MERGE New ext4enc kernel switching from xattrs to ioctl
* commit '35e50159ad8392362910a9e33d76047d22682f04':
DO NOT MERGE New ext4enc kernel switching from xattrs to ioctl
2015-06-01 14:30:25 +00:00
Paul Lawrence
721a3218a6
am e2c0c9de: (-s ours) DO NOT MERGE Securely encrypt the master key
* commit 'e2c0c9de7b99ed5cd2349e0585284fd6a0ad768a':
DO NOT MERGE Securely encrypt the master key
2015-06-01 14:30:25 +00:00
dcashman
cf075e5cc3
am 8dcf48c0: Merge "Allow system_app to find all system services." into mnc-dev
* commit '8dcf48c0e4c89261e00b547169d21bef25a84cec':
Allow system_app to find all system services.
2015-05-29 21:08:36 +00:00
Paul Lawrence
35e50159ad
DO NOT MERGE New ext4enc kernel switching from xattrs to ioctl
(cherry-picked from change f7163597f5)
This is one of three changes to enable this functionality:
https://android-review.googlesource.com/#/c/146259/
https://android-review.googlesource.com/#/c/146264/
https://android-review.googlesource.com/#/c/146265/
Bug: 18151196
Change-Id: I6ce4bc977a548df93ea5c09430f93eef5ee1f9fa
2015-05-29 17:50:12 +00:00
Paul Lawrence
e2c0c9de7b
DO NOT MERGE Securely encrypt the master key
(cherry-picked from commit 13dec5fa5b)
Move all key management into vold
Reuse vold's existing key management through the crypto footer
to manage the device wide keys.
Use ro.crypto.type flag to determine crypto type, which prevents
any issues when running in block encrypted mode, as well as speeding
up boot in block or no encryption.
This is one of four changes to enable this functionality:
https://android-review.googlesource.com/#/c/148586/
https://android-review.googlesource.com/#/c/148604/
https://android-review.googlesource.com/#/c/148606/
https://android-review.googlesource.com/#/c/148607/
Bug: 18151196
Change-Id: I3208b76147df9da83d34cf9034675b0689b6c3a5
2015-05-29 17:42:09 +00:00
dcashman
cdab26a016
am bf0c34d5: Allow system_app to find all system services.
* commit 'bf0c34d59bd47f9f286c9b5cd97196c1b075b7b1':
Allow system_app to find all system services.
2015-05-29 00:05:01 +00:00
dcashman
8dcf48c0e4
Merge "Allow system_app to find all system services." into mnc-dev
2015-05-28 23:49:16 +00:00
dcashman
48c1f613e0
Allow system_app to find all system services.
SystemPropPoker in settings app lists and communicates with every service on the
system on property change, which is not currently allowed for all services.
This occurs, for instance, when toggling
Developer options -> Monitoring -> Profile GPU Rendering -> On screen as bars.
Addresses the following denials:
SELinux : avc: denied { find } for service=samplingprofiler scontext=u:r:system_app:s0 tcontext=u:object_r:samplingprofiler_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=DockObserver scontext=u:r:system_app:s0 tcontext=u:object_r:DockObserver_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=devicestoragemonitor scontext=u:r:system_app:s0 tcontext=u:object_r:devicestoragemonitor_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=media.camera.proxy scontext=u:r:system_app:s0 tcontext=u:object_r:cameraproxy_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=scheduling_policy scontext=u:r:system_app:s0 tcontext=u:object_r:scheduling_policy_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=battery scontext=u:r:system_app:s0 tcontext=u:object_r:battery_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=processinfo scontext=u:r:system_app:s0 tcontext=u:object_r:processinfo_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=batteryproperties scontext=u:r:system_app:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:system_app:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=commontime_management scontext=u:r:system_app:s0 tcontext=u:object_r:commontime_management_service:s0 tclass=service_manager
(cherry-pick of commit: bf0c34d59b)
Bug: 20762975
Bug: 21446739
Change-Id: I655d39c6d6ff0b8bd333a99d17abc08af8001be8
2015-05-28 16:33:45 -07:00
dcashman
bf0c34d59b
Allow system_app to find all system services.
SystemPropPoker in settings app lists and communicates with every service on the
system on property change, which is not currently allowed for all services.
This occurs, for instance, when toggling
Developer options -> Monitoring -> Profile GPU Rendering -> On screen as bars.
Addresses the following denials:
SELinux : avc: denied { find } for service=samplingprofiler scontext=u:r:system_app:s0 tcontext=u:object_r:samplingprofiler_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=DockObserver scontext=u:r:system_app:s0 tcontext=u:object_r:DockObserver_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=devicestoragemonitor scontext=u:r:system_app:s0 tcontext=u:object_r:devicestoragemonitor_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=media.camera.proxy scontext=u:r:system_app:s0 tcontext=u:object_r:cameraproxy_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=scheduling_policy scontext=u:r:system_app:s0 tcontext=u:object_r:scheduling_policy_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=battery scontext=u:r:system_app:s0 tcontext=u:object_r:battery_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=processinfo scontext=u:r:system_app:s0 tcontext=u:object_r:processinfo_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=batteryproperties scontext=u:r:system_app:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:system_app:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=commontime_management scontext=u:r:system_app:s0 tcontext=u:object_r:commontime_management_service:s0 tclass=service_manager
Bug: 20762975
Bug: 21446739
Change-Id: I92b7629077eb5aabffb72170f4ef71f574ebb95c
2015-05-28 15:47:00 -07:00
Tao Bao
bc2ecea950
am 12e8b61b: Merge "Allow system server and uncrypt to operate pipe file" into mnc-dev
* commit '12e8b61bc08da1482a9309e8b2dc1a0670671445':
Allow system server and uncrypt to operate pipe file
2015-05-28 22:35:57 +00:00
Tao Bao
12e8b61bc0
Merge "Allow system server and uncrypt to operate pipe file" into mnc-dev
2015-05-28 21:47:45 +00:00
Tao Bao
70c6dbf06c
Allow system server and uncrypt to operate pipe file
System server and uncrypt need to communicate with a named pipe on the
/cache partition. It will be created and deleted by system server.
Bug: 20012567
Bug: 20949086
Change-Id: I9494a67016c23294e803ca39d377ec321537bca0
2015-05-27 17:06:40 -07:00
Stephen Smalley
d3f3f1572b
am e8178b31: Remove unused userspace security classes.
* commit 'e8178b31e636dff4dcc6c5b1464f74f51cc65acf':
Remove unused userspace security classes.
2015-05-26 22:07:00 +00:00
Stephen Smalley
770dc6de37
am 20d0ad0e: Remove zygote security class declaration.
* commit '20d0ad0ed8786585683cac32a610fc57b4ff3c5e':
Remove zygote security class declaration.
2015-05-26 21:10:59 +00:00
Stephen Smalley
e02b536270
am a0c9d207: Remove zygote security class declaration.
* commit 'a0c9d207b10c32fb3f312da36fce190fb75a1759':
Remove zygote security class declaration.
2015-05-26 20:37:39 +00:00
Stephen Smalley
20d0ad0ed8
Remove zygote security class declaration.
All uses were removed by I1c925d7facf19b3953b5deb85d992415344c4c9f;
this is just a dead definition.
(cherry-pick of commit: a0c9d207b1)
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Change-Id: I2e17e522a78120c3658d81035e202aab861a3b22
2015-05-26 13:31:59 -07:00
Stephen Smalley
e8178b31e6
Remove unused userspace security classes.
These are all userspace security class definitions that are
unused in Android; they are only meaningful in Linux distributions.
Change-Id: I99738752da996d9a1c7793eea049d937ffe4255b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-26 16:24:34 -04:00
Stephen Smalley
a0c9d207b1
Remove zygote security class declaration.
All uses were removed by I1c925d7facf19b3953b5deb85d992415344c4c9f;
this is just a dead definition.
Change-Id: Id6b08b624c9eea824f5a55d99b7a4ebf9c9f207e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-26 14:39:38 -04:00
Bill Yi
2658ad2a6b
am 5ca3dfee: Update MODULE_LICENSE
* commit '5ca3dfee93883c5dfacd155f0dc374aa2585b615':
Update MODULE_LICENSE
2015-05-22 17:54:18 +00:00
Bill Yi
5ca3dfee93
Update MODULE_LICENSE
Change-Id: Ic5935f8a6ab55c1aa02a0e5753c3baf4b948eda7
2015-05-22 10:31:21 -07:00
Jim Miller
e760216864
am 83554d2c: Merge "Selinux: Allow system_server to create fpdata dir." into mnc-dev
* commit '83554d2c923b17b6d5ee811c278e2ab0bb65579d':
Selinux: Allow system_server to create fpdata dir.
2015-05-22 15:31:54 +00:00
Jim Miller
83554d2c92
Merge "Selinux: Allow system_server to create fpdata dir." into mnc-dev
2015-05-22 01:42:29 +00:00
Jim Miller
a39b131e9d
Selinux: Allow system_server to create fpdata dir.
Fixes avc errors;
avc: denied { relabelto } for name="fpdata" dev="mmcblk0p28" ino=586465 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0
avc: denied { read } for name="fpdata" dev="mmcblk0p28" ino=586409 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0
Change-Id: I3ba16af14632d803e09ac1490af9a0b652cba3a6
2015-05-21 17:43:28 -07:00
dcashman
4c1d471424
am 894911d7: Expand rtc_device label to match all rtc class drivers.
* commit '894911d78f2a88261d9f853ed022327044bb3030':
Expand rtc_device label to match all rtc class drivers.
2015-05-21 23:33:28 +00:00
dcashman
894911d78f
Expand rtc_device label to match all rtc class drivers.
/dev/rtc0 is not the only possible rtc device node, make sure all are given the
rtc_device label.
(cherry-pick of 1b4b3b918b)
Change-Id: Iea6e1271fb054ea7f44860724e04143875867d78
2015-05-21 15:39:11 -07:00
Eino-Ville Talvala
ad76b86651
Merge branch 'mnc-dev-plus-aosp' of https://googleplex-android.googlesource.com/_direct/platform/external/sepolicy into mnc-dev-plus-aosp
2015-05-21 18:53:09 +00:00
dcashman
0d525e66be
am a9bfc888: Merge "Expand rtc_device label to match all rtc class drivers."
* commit 'a9bfc888143150126363b9b9676d6197965da66f':
Expand rtc_device label to match all rtc class drivers.
2015-05-21 18:51:42 +00:00
Chad Brubaker
c24f344b7e
am b3df4389: Merge "Rename keystore methods and delete unused permissions" into mnc-dev
* commit 'b3df4389f31b5ae206fc2c1f50f1efe4de1bcf75':
Rename keystore methods and delete unused permissions
2015-05-21 18:49:24 +00:00
dcashman
a9bfc88814
Merge "Expand rtc_device label to match all rtc class drivers."
2015-05-21 18:19:29 +00:00
Bill Yi
99c71e50e8
am 7ceda717: Add MODULE_LICENSE
* commit '7ceda71706ba35afd2753fb757fecd87ced2df68':
Add MODULE_LICENSE
2015-05-21 18:05:58 +00:00
Bill Yi
7ceda71706
Add MODULE_LICENSE
Change-Id: Iec14c79f060f3e54985828932112911067c973ea
2015-05-21 10:40:32 -07:00
dcashman
1b4b3b918b
Expand rtc_device label to match all rtc class drivers.
/dev/rtc0 is not the only possible rtc device node, make sure all are given the
rtc_device label.
Change-Id: I50d15aa62e87509e940acd168474433803b2115d
2015-05-21 10:35:57 -07:00
Chad Brubaker
b3df4389f3
Merge "Rename keystore methods and delete unused permissions" into mnc-dev
2015-05-21 17:26:54 +00:00
Jim Miller
523397621b
am 5d78c07d: Merge "Add selinux policy for fingerprintd" into mnc-dev
* commit '5d78c07d4a463ec5ed0403850be718de670c9e97':
Add selinux policy for fingerprintd
2015-05-21 12:22:19 +00:00
Jim Miller
5d78c07d4a
Merge "Add selinux policy for fingerprintd" into mnc-dev
2015-05-21 00:57:37 +00:00
Ruben Brunk
3aaff8bdb5
am a983621f: Merge "camera: Add AIDL interface for CameraServiceProxy." into mnc-dev
* commit 'a983621fbc04ee26f519fde68b9a8e6788facf49':
camera: Add AIDL interface for CameraServiceProxy.
2015-05-20 21:11:50 +00:00
Ruben Brunk
a983621fbc
Merge "camera: Add AIDL interface for CameraServiceProxy." into mnc-dev
2015-05-20 20:44:38 +00:00
Jim Miller
264eb6566a
Add selinux policy for fingerprintd
Change-Id: Ibcb714248c28abf21272986facaade376dcbd7ef
2015-05-19 18:28:45 -07:00
Ruben Brunk
e1edbe9c97
camera: Add AIDL interface for CameraServiceProxy.
- Update selinux policy for CameraServiceProxy.
Bug: 21267484
Change-Id: Ib821582794ddd1e3574b5dc6c79f7cb197b57f10
2015-05-19 17:26:31 -07:00
Jeff Sharkey
23f5610ecf
am 6e1f405c: Allow MediaProvider to traverse /mnt/media_rw.
* commit '6e1f405c8b8b5d91a350ff14d1100930d7bff844':
Allow MediaProvider to traverse /mnt/media_rw.
2015-05-19 22:52:05 +00:00
Jeff Sharkey
6e1f405c8b
Allow MediaProvider to traverse /mnt/media_rw.
As an optimization, platform components like MediaProvider may choose
to shortcut past the FUSE daemon and return open file descriptors
directly pointing at the underlying storage device.
Now that we have a specific label for /mnt/media_rw, we need to grant
search access to untrusted apps like MediaProvider. The actual
access control is still managed by POSIX permissions on that
directory.
avc: denied { search } for name="media_rw" dev="tmpfs" ino=4150 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0
Bug: 21017105
Change-Id: I6d51939668b39b43b91b1f0c24c98bc2205bf511
2015-05-19 14:12:28 -07:00
dcashman
5c2a5a1dca
am 807d8d02: Label /dev/rtc0 as rtc_device.
* commit '807d8d0249f196e172f30b96b48699e3b10a3866':
Label /dev/rtc0 as rtc_device.
2015-05-18 22:21:45 +00:00
dcashman
53d3b99c5d
resolved conflicts for merge of c7594898 to mnc-dev-plus-aosp
Change-Id: I81937479a0cb37d4e781e076c2e5ff6551cbf822
2015-05-18 15:15:15 -07:00
dcashman
807d8d0249
Label /dev/rtc0 as rtc_device.
Grant access to system_server, as it is used by AlarmManagerService.
(cherry-pick of c7594898db)
Change-Id: I8b5795cb4739bb7fb6b2673d0b1b12be40db7a7f
2015-05-18 14:18:11 -07:00