Robert Sesek
ce43274139
Add the "webview_zygote" domain. am: dc43f7cd84 am: d94ae33832 am: 1dfbcab386
...
am: b4830b23ab
2016-11-11 15:51:01 +00:00
Robert Sesek
b4830b23ab
Add the "webview_zygote" domain. am: dc43f7cd84 am: d94ae33832
...
am: 1dfbcab386
2016-11-11 15:44:00 +00:00
Robert Sesek
1dfbcab386
Add the "webview_zygote" domain. am: dc43f7cd84
...
am: d94ae33832
2016-11-11 15:37:00 +00:00
Robert Sesek
d94ae33832
Add the "webview_zygote" domain.
...
am: dc43f7cd84
2016-11-11 15:30:00 +00:00
Robert Sesek
dc43f7cd84
Add the "webview_zygote" domain.
...
The webview_zygote is a new unprivileged zygote and has its own sockets for
listening to fork requests. However the webview_zygote does not run as root
(though it does require certain capabilities) and only allows dyntransition to
the isolated_app domain.
Test: m
Test: angler boots
Bug: 21643067
Change-Id: I89a72ffe6dcb983c4a44048518efd7efb7ed8e83
2016-11-11 10:13:17 -05:00
Jason Monk
16d5ce62a0
Add persist.vendor.overlay. to properties am: 0e1cbf568a am: 829672f098 am: e6a26a2a01
...
am: cd6265f01d
2016-11-11 00:25:10 +00:00
Jason Monk
cd6265f01d
Add persist.vendor.overlay. to properties am: 0e1cbf568a am: 829672f098
...
am: e6a26a2a01
2016-11-11 00:19:09 +00:00
Jason Monk
e6a26a2a01
Add persist.vendor.overlay. to properties am: 0e1cbf568a
...
am: 829672f098
2016-11-11 00:13:38 +00:00
Jason Monk
829672f098
Add persist.vendor.overlay. to properties
...
am: 0e1cbf568a
2016-11-11 00:07:08 +00:00
Jason Monk
0e1cbf568a
Add persist.vendor.overlay. to properties
...
Allow the system_server to change. Allow the zygote to read it as well.
Test: Have system_server set a property
Change-Id: Ie90eec8b733fa7193861026a3a6e0fb0ba5d5318
2016-11-10 17:35:39 -05:00
Nick Kralevich
ced59af355
Revert "Restore system_server ioctl socket access." am: 58305da980 am: b2245d6420 am: f4c76c5fd5
...
am: 74d3b416f7
2016-11-09 01:50:22 +00:00
Nick Kralevich
74d3b416f7
Revert "Restore system_server ioctl socket access." am: 58305da980 am: b2245d6420
...
am: f4c76c5fd5
2016-11-09 01:43:48 +00:00
Nick Kralevich
f4c76c5fd5
Revert "Restore system_server ioctl socket access." am: 58305da980
...
am: b2245d6420
2016-11-09 01:38:51 +00:00
Nick Kralevich
b2245d6420
Revert "Restore system_server ioctl socket access."
...
am: 58305da980
2016-11-09 01:33:12 +00:00
Sandeep Patil
a03dc5da5b
Merge "healthd: create SEPolicy for 'charger' and reduce healthd's scope"
2016-11-08 23:45:16 +00:00
Nick Kralevich
58305da980
Revert "Restore system_server ioctl socket access."
...
The underlying ioctl denial was fixed in device-specific policy.
It's not needed in core policy.
A search of SELinux denials shows no reported denials, other than the
ones showing up on marlin.
This reverts commit ec3285cde0863ce3e7c7
2016-11-08 12:40:44 -08:00
Nick Kralevich
16b4b92707
profman/debuggerd: allow libart_file:file r_file_perms am: 364fd19782 am: d62abbeea3 am: ff6715f3d2
...
am: c9d0e1e9b9
2016-11-08 20:25:09 +00:00
Nick Kralevich
c9d0e1e9b9
profman/debuggerd: allow libart_file:file r_file_perms am: 364fd19782 am: d62abbeea3
...
am: ff6715f3d2
2016-11-08 20:19:40 +00:00
Nick Kralevich
ff6715f3d2
profman/debuggerd: allow libart_file:file r_file_perms am: 364fd19782
...
am: d62abbeea3
2016-11-08 20:14:08 +00:00
Nick Kralevich
d62abbeea3
profman/debuggerd: allow libart_file:file r_file_perms
...
am: 364fd19782
2016-11-08 20:08:38 +00:00
Nick Kralevich
364fd19782
profman/debuggerd: allow libart_file:file r_file_perms
...
Addresses the following auditallow spam:
avc: granted { read open } for comm="profman"
path="/system/lib/libart.so" dev="dm-0" ino=1368 scontext=u:r:profman:s0
tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read open } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1897
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { getattr } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1837
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file
Test: Policy compiles. Not a tightening of rules.
Change-Id: I501b0a6a343c61b3ca6283647a18a9a15deddf2a
2016-11-08 09:28:28 -08:00
Polina Bondarenko
d15db77471
sepolicy: Add policy for thermal HIDL service am: 9785f2addd am: 458888a7d3 am: abbc718f19
...
am: 1bda71f5e3
2016-11-08 15:32:50 +00:00
Polina Bondarenko
1bda71f5e3
sepolicy: Add policy for thermal HIDL service am: 9785f2addd am: 458888a7d3
...
am: abbc718f19
2016-11-08 15:26:19 +00:00
Polina Bondarenko
abbc718f19
sepolicy: Add policy for thermal HIDL service am: 9785f2addd
...
am: 458888a7d3
2016-11-08 15:19:49 +00:00
Polina Bondarenko
458888a7d3
sepolicy: Add policy for thermal HIDL service
...
am: 9785f2addd
2016-11-08 15:13:48 +00:00
TreeHugger Robot
b602b3b6b5
Merge "Revert "Restore system_server ioctl socket access.""
2016-11-08 14:35:16 +00:00
Polina Bondarenko
9785f2addd
sepolicy: Add policy for thermal HIDL service
...
Bug: 32022261
Test: manual
Change-Id: I664a3b5c37f6a3a36e4e5beb91b384a9599c83f8
2016-11-08 13:34:31 +01:00
Nick Kralevich
cbefe07f1c
installd: r_dir_file(installd, system_file) am: 68f233648e am: b8b0d3746f am: 24176ec819
...
am: 5bfb4b3ce8
2016-11-08 03:42:09 +00:00
Nick Kralevich
5bfb4b3ce8
installd: r_dir_file(installd, system_file) am: 68f233648e am: b8b0d3746f
...
am: 24176ec819
2016-11-08 03:36:39 +00:00
Nick Kralevich
24176ec819
installd: r_dir_file(installd, system_file) am: 68f233648e
...
am: b8b0d3746f
2016-11-08 03:31:08 +00:00
Nick Kralevich
b8b0d3746f
installd: r_dir_file(installd, system_file)
...
am: 68f233648e
2016-11-08 03:25:38 +00:00
Nick Kralevich
863ce3e7c7
Revert "Restore system_server ioctl socket access."
...
The underlying ioctl denial was fixed in device-specific policy.
It's not needed in core policy.
A search of SELinux denials shows no reported denials, other than the
ones showing up on marlin.
This reverts commit ec3285cde0
2016-11-07 17:01:08 -08:00
Nick Kralevich
68f233648e
installd: r_dir_file(installd, system_file)
...
Allow installd to read through files, directories, and symlinks
on /system. This is needed to support installd using files in
/system/app and /system/priv-app
Addresses the following auditallow spam:
avc: granted { getattr } for comm="installd"
path="/system/app/Bluetooth/lib/arm/libbluetooth_jni.so"
dev="mmcblk0p41" ino=19 scontext=u:r:installd:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file
avc: granted { getattr } for comm="installd"
path="/system/priv-app/MtpDocumentsProvider/lib/arm64/libappfuse_jni.so"
dev="dm-0" ino=2305 scontext=u:r:installd:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file
avc: granted { read open } for comm="installd"
path="/system/priv-app/TelephonyProvider" dev="mmcblk0p43" ino=1839
scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir
avc: granted { read } for comm="installd" name="Velvet" dev="mmcblk0p43"
ino=1841 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0
tclass=dir
avc: granted { read open } for comm="installd"
path="/system/priv-app/GoogleOneTimeInitializer" dev="mmcblk0p43"
ino=1778 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0
tclass=dir
avc: granted { read open } for comm="installd"
path="/system/app/PlayAutoInstallConfig" dev="mmcblk0p43" ino=112
scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir
Test: policy compiles
Change-Id: I5d14ea2cd7d281f949d0651b9723d5b7fae2e1f2
2016-11-07 16:18:38 -08:00
Roshan Pius
92318b4637
Merge "wpa.te: Add binder permission back" am: b0c375d46d am: fd637d065f am: d4d7d190a3
...
am: e659cf26f8
2016-11-07 23:57:16 +00:00
Roshan Pius
e659cf26f8
Merge "wpa.te: Add binder permission back" am: b0c375d46d am: fd637d065f
...
am: d4d7d190a3
2016-11-07 23:52:18 +00:00
Roshan Pius
d4d7d190a3
Merge "wpa.te: Add binder permission back" am: b0c375d46d
...
am: fd637d065f
2016-11-07 23:43:48 +00:00
Roshan Pius
fd637d065f
Merge "wpa.te: Add binder permission back"
...
am: b0c375d46d
2016-11-07 23:39:02 +00:00
Treehugger Robot
b0c375d46d
Merge "wpa.te: Add binder permission back"
2016-11-07 23:28:35 +00:00
Roshan Pius
cec44a61ba
wpa.te: Add binder permission back
...
Adding back the binder permission to access keystore from
wpa_supplicant. This was removed by mistake in the previous patch
(commit#: 6caeac) to add hwbinder permissions.
Denials in logs:
11-03 14:37:54.831 9011 9011 I auditd : type=1400 audit(0.0:1490):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:54.831 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1490): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:55.838 9011 9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:55.834 9011 9011 I auditd : type=1400 audit(0.0:1491):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:55.834 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1491): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:56.838 9011 9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:56.834 9011 9011 I auditd : type=1400 audit(0.0:1492):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:56.834 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1492): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:57.839 9011 9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:57.834 9011 9011 I auditd : type=1400 audit(0.0:1493):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:57.834 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1493): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
Bug: 32655747
Test: Compiles. Will send for integration testing.
Change-Id: Ic57a5bf0e6ea15770efc0d09f68d04b2db9ec1b8
2016-11-07 12:51:07 -08:00
Etan Cohen
47e25deb7a
Merge "[NAN-AWARE] Remove NAN service" am: 0182a87dab am: 2143eab887 am: 178dcd8074
...
am: abf4cdc369
2016-11-06 22:15:23 +00:00
Etan Cohen
abf4cdc369
Merge "[NAN-AWARE] Remove NAN service" am: 0182a87dab am: 2143eab887
...
am: 178dcd8074
2016-11-06 22:10:22 +00:00
Etan Cohen
178dcd8074
Merge "[NAN-AWARE] Remove NAN service" am: 0182a87dab
...
am: 2143eab887
2016-11-06 22:05:52 +00:00
Etan Cohen
2143eab887
Merge "[NAN-AWARE] Remove NAN service"
...
am: 0182a87dab
2016-11-06 22:01:22 +00:00
Etan Cohen
0182a87dab
Merge "[NAN-AWARE] Remove NAN service"
2016-11-06 21:56:05 +00:00
Etan Cohen
8b0ef6c8d2
Merge "[NAN-AWARE] Add Aware service" am: 8da9cd640b am: 66502077a9 am: e8c7b7832f
...
am: f12798dbad
2016-11-05 04:18:38 +00:00
Etan Cohen
f12798dbad
Merge "[NAN-AWARE] Add Aware service" am: 8da9cd640b am: 66502077a9
...
am: e8c7b7832f
2016-11-05 04:14:37 +00:00
Etan Cohen
e8c7b7832f
Merge "[NAN-AWARE] Add Aware service" am: 8da9cd640b
...
am: 66502077a9
2016-11-05 04:10:37 +00:00
Etan Cohen
66502077a9
Merge "[NAN-AWARE] Add Aware service"
...
am: 8da9cd640b
2016-11-05 04:06:07 +00:00
Etan Cohen
8da9cd640b
Merge "[NAN-AWARE] Add Aware service"
2016-11-05 04:00:40 +00:00
Sandeep Patil
c73d0022ad
healthd: create SEPolicy for 'charger' and reduce healthd's scope
...
healthd is being split into 'charger' and 'healthd' processes, that
will never run together. 'charger' is to be run only in charge-only
and recovery, while healthd runs with Android.
While they both share much of battery monitoring code, they both now
have reduced scope. E.g. 'charger', doesn't need to use binder anymore
and healthd doesn't need to do charging ui animation. So, amend the
SEPolicy for healthd to reduce it's scope and add a new one for charger.
Test: Tested all modes {recovery, charger-only, android} with new policy
Change-Id: If7f81875c605f7f07da4d23a313f308b9dde9ce8
Signed-off-by: Sandeep Patil <sspatil@google.com>
2016-11-04 13:41:30 -07:00
