Commit graph

4965 commits

Author SHA1 Message Date
Narayan Kamath
41f233f465 Allow system_server to link,relabel and create_dir dalvikcache_data_file.
Required by the installation flow for split APKs.

bug: 20889739

Change-Id: I3e14335f3bcfe76d1d24d233f53a728a6d90e8a1
2015-06-04 11:07:24 +00:00
Paul Lawrence
3aac44ed17 Move crypt commands to a different listener in vold
In order to prevent this bug from happening, we must allow vold cryptfs
commands to complete while a long running mount is underway.

While waiting for vold to be changed to a binder interface, we will simply
create two listeners, one for cryptfs and one for everything else.

Bug: 19197175
Change-Id: I819f6a54c0a232826016823f2fde3adf7be31f9d
2015-06-03 14:09:21 -07:00
Mark Salyzyn
1dfc551f44 am 7e0838aa: logd: logpersistd
* commit '7e0838aaebc5c0a04df2f13ccef176a9096e4dc3':
  logd: logpersistd
2015-06-03 02:20:59 +00:00
Mark Salyzyn
27b8cad3a3 am 0d22c6ce: logd: logpersistd
* commit '0d22c6cec62d2fa31fa013513a46440d71a65835':
  logd: logpersistd
2015-06-02 22:45:23 +00:00
Mark Salyzyn
7e0838aaeb logd: logpersistd
(cherry pick from commit 0d22c6cec6)

- Enable logpersistd to write to /data/misc/logd
- Enable logpersistd to read from pstore to help complete any content
  lost by reboot disruption
- Enable shell readonly ability logpersistd files in /data/misc/logd
- Enable logcat -f when placed into logd context to act as a
  logpersistd (nee logcatd) agent, restrict access to run only in
  userdebug or eng

Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5
2015-06-02 15:24:11 -07:00
Mark Salyzyn
0d22c6cec6 logd: logpersistd
- Enable logpersistd to write to /data/misc/logd
- Enable logpersistd to read from pstore to help complete any content
  lost by reboot disruption
- Enable shell readonly ability logpersistd files in /data/misc/logd
- Enable logcat -f when placed into logd context to act as a
  logpersistd (nee logcatd) agent, restrict access to run only in
  userdebug or eng

Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5
2015-06-02 13:56:01 -07:00
Paul Lawrence
cd24232a20 am 35e50159: DO NOT MERGE New ext4enc kernel switching from xattrs to ioctl
* commit '35e50159ad8392362910a9e33d76047d22682f04':
  DO NOT MERGE New ext4enc kernel switching from xattrs to ioctl
2015-06-01 14:30:25 +00:00
Paul Lawrence
721a3218a6 am e2c0c9de: (-s ours) DO NOT MERGE Securely encrypt the master key
* commit 'e2c0c9de7b99ed5cd2349e0585284fd6a0ad768a':
  DO NOT MERGE Securely encrypt the master key
2015-06-01 14:30:25 +00:00
dcashman
cf075e5cc3 am 8dcf48c0: Merge "Allow system_app to find all system services." into mnc-dev
* commit '8dcf48c0e4c89261e00b547169d21bef25a84cec':
  Allow system_app to find all system services.
2015-05-29 21:08:36 +00:00
Paul Lawrence
35e50159ad DO NOT MERGE New ext4enc kernel switching from xattrs to ioctl
(cherry-picked from change f7163597f5)

This is one of three changes to enable this functionality:
  https://android-review.googlesource.com/#/c/146259/
  https://android-review.googlesource.com/#/c/146264/
  https://android-review.googlesource.com/#/c/146265/

Bug: 18151196

Change-Id: I6ce4bc977a548df93ea5c09430f93eef5ee1f9fa
2015-05-29 17:50:12 +00:00
Paul Lawrence
e2c0c9de7b DO NOT MERGE Securely encrypt the master key
(chery-picked from commit 13dec5fa5b)

Move all key management into vold
Reuse vold's existing key management through the crypto footer
to manage the device wide keys.

Use ro.crypto.type flag to determine crypto type, which prevents
any issues when running in block encrypted mode, as well as speeding
up boot in block or no encryption.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/148586/
  https://android-review.googlesource.com/#/c/148604/
  https://android-review.googlesource.com/#/c/148606/
  https://android-review.googlesource.com/#/c/148607/

Bug: 18151196

Change-Id: I3208b76147df9da83d34cf9034675b0689b6c3a5
2015-05-29 17:42:09 +00:00
dcashman
cdab26a016 am bf0c34d5: Allow system_app to find all system services.
* commit 'bf0c34d59bd47f9f286c9b5cd97196c1b075b7b1':
  Allow system_app to find all system services.
2015-05-29 00:05:01 +00:00
dcashman
8dcf48c0e4 Merge "Allow system_app to find all system services." into mnc-dev 2015-05-28 23:49:16 +00:00
dcashman
48c1f613e0 Allow system_app to find all system services.
SystemPropPoker in settings app lists and communicates with every service on the
system on property change, which is not currently allowed for all services.

This occurs, for instance, when toggling
Developer options -> Monitoring -> Profile GPU Rendering -> On scren as bars.

Addresses the following denials:
SELinux : avc:  denied  { find } for service=samplingprofiler scontext=u:r:system_app:s0 tcontext=u:object_r:samplingprofiler_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=DockObserver scontext=u:r:system_app:s0 tcontext=u:object_r:DockObserver_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=devicestoragemonitor scontext=u:r:system_app:s0 tcontext=u:object_r:devicestoragemonitor_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=media.camera.proxy scontext=u:r:system_app:s0 tcontext=u:object_r:cameraproxy_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=scheduling_policy scontext=u:r:system_app:s0 tcontext=u:object_r:scheduling_policy_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=battery scontext=u:r:system_app:s0 tcontext=u:object_r:battery_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=processinfo scontext=u:r:system_app:s0 tcontext=u:object_r:processinfo_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=batteryproperties scontext=u:r:system_app:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:system_app:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=commontime_management scontext=u:r:system_app:s0 tcontext=u:object_r:commontime_management_service:s0 tclass=service_manager

(cherry-pick of commit: bf0c34d59b)

Bug: 20762975
Bug: 21446739
Change-Id: I655d39c6d6ff0b8bd333a99d17abc08af8001be8
2015-05-28 16:33:45 -07:00
dcashman
bf0c34d59b Allow system_app to find all system services.
SystemPropPoker in settings app lists and communicates with every service on the
system on property change, which is not currently allowed for all services.

This occurs, for instance, when toggling
Developer options -> Monitoring -> Profile GPU Rendering -> On scren as bars.

Addresses the following denials:
SELinux : avc:  denied  { find } for service=samplingprofiler scontext=u:r:system_app:s0 tcontext=u:object_r:samplingprofiler_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=DockObserver scontext=u:r:system_app:s0 tcontext=u:object_r:DockObserver_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=devicestoragemonitor scontext=u:r:system_app:s0 tcontext=u:object_r:devicestoragemonitor_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=media.camera.proxy scontext=u:r:system_app:s0 tcontext=u:object_r:cameraproxy_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=scheduling_policy scontext=u:r:system_app:s0 tcontext=u:object_r:scheduling_policy_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=battery scontext=u:r:system_app:s0 tcontext=u:object_r:battery_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=processinfo scontext=u:r:system_app:s0 tcontext=u:object_r:processinfo_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=batteryproperties scontext=u:r:system_app:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:system_app:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=commontime_management scontext=u:r:system_app:s0 tcontext=u:object_r:commontime_management_service:s0 tclass=service_manager

Bug: 20762975
Bug: 21446739
Change-Id: I92b7629077eb5aabffb72170f4ef71f574ebb95c
2015-05-28 15:47:00 -07:00
Tao Bao
bc2ecea950 am 12e8b61b: Merge "Allow system server and uncrypt to operate pipe file" into mnc-dev
* commit '12e8b61bc08da1482a9309e8b2dc1a0670671445':
  Allow system server and uncrypt to operate pipe file
2015-05-28 22:35:57 +00:00
Tao Bao
12e8b61bc0 Merge "Allow system server and uncrypt to operate pipe file" into mnc-dev 2015-05-28 21:47:45 +00:00
Tao Bao
70c6dbf06c Allow system server and uncrypt to operate pipe file
System server and uncrypt need to communicate with a named pipe on the
/cache partition. It will be created and deleted by system server.

Bug: 20012567
Bug: 20949086
Change-Id: I9494a67016c23294e803ca39d377ec321537bca0
2015-05-27 17:06:40 -07:00
Stephen Smalley
d3f3f1572b am e8178b31: Remove unused userspace security classes.
* commit 'e8178b31e636dff4dcc6c5b1464f74f51cc65acf':
  Remove unused userspace security classes.
2015-05-26 22:07:00 +00:00
Stephen Smalley
770dc6de37 am 20d0ad0e: Remove zygote security class declaration.
* commit '20d0ad0ed8786585683cac32a610fc57b4ff3c5e':
  Remove zygote security class declaration.
2015-05-26 21:10:59 +00:00
Stephen Smalley
e02b536270 am a0c9d207: Remove zygote security class declaration.
* commit 'a0c9d207b10c32fb3f312da36fce190fb75a1759':
  Remove zygote security class declaration.
2015-05-26 20:37:39 +00:00
Stephen Smalley
20d0ad0ed8 Remove zygote security class declaration.
All uses were removed by I1c925d7facf19b3953b5deb85d992415344c4c9f;
this is just a dead definition.

(cherry-pick of commit: a0c9d207b1)
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I2e17e522a78120c3658d81035e202aab861a3b22
2015-05-26 13:31:59 -07:00
Stephen Smalley
e8178b31e6 Remove unused userspace security classes.
These are all userspace security class definitions that are
unused in Android; they are only meaningful in Linux distributions.

Change-Id: I99738752da996d9a1c7793eea049d937ffe4255b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-26 16:24:34 -04:00
Stephen Smalley
a0c9d207b1 Remove zygote security class declaration.
All uses were removed by I1c925d7facf19b3953b5deb85d992415344c4c9f;
this is just a dead definition.

Change-Id: Id6b08b624c9eea824f5a55d99b7a4ebf9c9f207e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-26 14:39:38 -04:00
Bill Yi
2658ad2a6b am 5ca3dfee: Update MODULE_LICENSE
* commit '5ca3dfee93883c5dfacd155f0dc374aa2585b615':
  Update MODULE_LICENSE
2015-05-22 17:54:18 +00:00
Bill Yi
5ca3dfee93 Update MODULE_LICENSE
Change-Id: Ic5935f8a6ab55c1aa02a0e5753c3baf4b948eda7
2015-05-22 10:31:21 -07:00
Jim Miller
e760216864 am 83554d2c: Merge "Selinux: Allow system_server to create fpdata dir." into mnc-dev
* commit '83554d2c923b17b6d5ee811c278e2ab0bb65579d':
  Selinux: Allow system_server to create fpdata dir.
2015-05-22 15:31:54 +00:00
Jim Miller
83554d2c92 Merge "Selinux: Allow system_server to create fpdata dir." into mnc-dev 2015-05-22 01:42:29 +00:00
Jim Miller
a39b131e9d Selinux: Allow system_server to create fpdata dir.
Fixes avc errors;
avc: denied { relabelto } for name="fpdata" dev="mmcblk0p28" ino=586465 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0
avc: denied { read } for name="fpdata" dev="mmcblk0p28" ino=586409 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0

Change-Id: I3ba16af14632d803e09ac1490af9a0b652cba3a6
2015-05-21 17:43:28 -07:00
dcashman
4c1d471424 am 894911d7: Expand rtc_device label to match all rtc class drivers.
* commit '894911d78f2a88261d9f853ed022327044bb3030':
  Expand rtc_device label to match all rtc class drivers.
2015-05-21 23:33:28 +00:00
dcashman
894911d78f Expand rtc_device label to match all rtc class drivers.
/dev/rtc0 is not the only possible rtc device node, make sure all are given the
rtc_device label.

(cherry-pick of 1b4b3b918b)

Change-Id: Iea6e1271fb054ea7f44860724e04143875867d78
2015-05-21 15:39:11 -07:00
Eino-Ville Talvala
ad76b86651 Merge branch 'mnc-dev-plus-aosp' of https://googleplex-android.googlesource.com/_direct/platform/external/sepolicy into mnc-dev-plus-aosp 2015-05-21 18:53:09 +00:00
dcashman
0d525e66be am a9bfc888: Merge "Expand rtc_device label to match all rtc class drivers."
* commit 'a9bfc888143150126363b9b9676d6197965da66f':
  Expand rtc_device label to match all rtc class drivers.
2015-05-21 18:51:42 +00:00
Chad Brubaker
c24f344b7e am b3df4389: Merge "Rename keystore methods and delete unused permissions" into mnc-dev
* commit 'b3df4389f31b5ae206fc2c1f50f1efe4de1bcf75':
  Rename keystore methods and delete unused permissions
2015-05-21 18:49:24 +00:00
dcashman
a9bfc88814 Merge "Expand rtc_device label to match all rtc class drivers." 2015-05-21 18:19:29 +00:00
Bill Yi
99c71e50e8 am 7ceda717: Add MODULE_LICENSE
* commit '7ceda71706ba35afd2753fb757fecd87ced2df68':
  Add MODULE_LICENSE
2015-05-21 18:05:58 +00:00
Bill Yi
7ceda71706 Add MODULE_LICENSE
Change-Id: Iec14c79f060f3e54985828932112911067c973ea
2015-05-21 10:40:32 -07:00
dcashman
1b4b3b918b Expand rtc_device label to match all rtc class drivers.
/dev/rtc0 is not the only possible rtc device node, make sure all are given the
rtc_device label.

Change-Id: I50d15aa62e87509e940acd168474433803b2115d
2015-05-21 10:35:57 -07:00
Chad Brubaker
b3df4389f3 Merge "Rename keystore methods and delete unused permissions" into mnc-dev 2015-05-21 17:26:54 +00:00
Jim Miller
523397621b am 5d78c07d: Merge "Add selinux policy for fingerprintd" into mnc-dev
* commit '5d78c07d4a463ec5ed0403850be718de670c9e97':
  Add selinux policy for fingerprintd
2015-05-21 12:22:19 +00:00
Jim Miller
5d78c07d4a Merge "Add selinux policy for fingerprintd" into mnc-dev 2015-05-21 00:57:37 +00:00
Ruben Brunk
3aaff8bdb5 am a983621f: Merge "camera: Add AIDL interface for CameraServiceProxy." into mnc-dev
* commit 'a983621fbc04ee26f519fde68b9a8e6788facf49':
  camera: Add AIDL interface for CameraServiceProxy.
2015-05-20 21:11:50 +00:00
Ruben Brunk
a983621fbc Merge "camera: Add AIDL interface for CameraServiceProxy." into mnc-dev 2015-05-20 20:44:38 +00:00
Jim Miller
264eb6566a Add selinux policy for fingerprintd
Change-Id: Ibcb714248c28abf21272986facaade376dcbd7ef
2015-05-19 18:28:45 -07:00
Ruben Brunk
e1edbe9c97 camera: Add AIDL interface for CameraServiceProxy.
- Update selinux policy for CameraServiceProxy.

Bug: 21267484
Change-Id: Ib821582794ddd1e3574b5dc6c79f7cb197b57f10
2015-05-19 17:26:31 -07:00
Jeff Sharkey
23f5610ecf am 6e1f405c: Allow MediaProvider to traverse /mnt/media_rw.
* commit '6e1f405c8b8b5d91a350ff14d1100930d7bff844':
  Allow MediaProvider to traverse /mnt/media_rw.
2015-05-19 22:52:05 +00:00
Jeff Sharkey
6e1f405c8b Allow MediaProvider to traverse /mnt/media_rw.
As an optimization, platform components like MediaProvider may choose
to shortcut past the FUSE daemon and return open file descriptors
directly pointing at the underlying storage device.

Now that we have a specific label for /mnt/media_rw, we need to grant
search access to untrusted apps like MediaProvider.  The actual
access control is still managed by POSIX permissions on that
directory.

avc: denied { search } for name="media_rw" dev="tmpfs" ino=4150 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0

Bug: 21017105
Change-Id: I6d51939668b39b43b91b1f0c24c98bc2205bf511
2015-05-19 14:12:28 -07:00
dcashman
5c2a5a1dca am 807d8d02: Label /dev/rtc0 as rtc_device.
* commit '807d8d0249f196e172f30b96b48699e3b10a3866':
  Label /dev/rtc0 as rtc_device.
2015-05-18 22:21:45 +00:00
dcashman
53d3b99c5d resolved conflicts for merge of c7594898 to mnc-dev-plus-aosp
Change-Id: I81937479a0cb37d4e781e076c2e5ff6551cbf822
2015-05-18 15:15:15 -07:00
dcashman
807d8d0249 Label /dev/rtc0 as rtc_device.
Grant access to system_server, as it is used by AlarmManagerService.

(cherry-pick of c7594898db)

Change-Id: I8b5795cb4739bb7fb6b2673d0b1b12be40db7a7f
2015-05-18 14:18:11 -07:00