tequilaOS/platform_system_sepolicy

Author	SHA1	Message	Date
Treehugger Robot	d35399ffd1	Merge changes I513cdbfd,Ia1fa1fd6 * changes: Allow mediaextractor to load libraries from apk_data_file Allow scanning extractor library directory	2018-01-23 23:51:25 +00:00
Jong Wook Kim	25e183a9f5	Merge "MAC Anonymization: wificond SIOCSIFHWADDR sepolicy"	2018-01-23 22:09:37 +00:00
Dongwon Kang	1134bd001e	Allow mediaextractor to load libraries from apk_data_file This is an experimental feature only on userdebug and eng build. Test: play MP4 file. install & uninstall media update apk. Bug: 67908547 Change-Id: I513cdbfda962f00079e886b7a42f9928e81f6474	2018-01-23 11:21:11 -08:00
Marco Nelissen	e2f4140cef	Allow scanning extractor library directory so we can dlopen the libraries that are there Test: build&run Merged-Id: Ia1fa1fd65295cffe6c8a3d31db53bd3339a71855 Change-Id: Ia1fa1fd65295cffe6c8a3d31db53bd3339a71855	2018-01-23 11:21:11 -08:00
Yi Jin	bc24ba7283	Selinux permissions for incidentd project Bug: 64222712 Test: manual Change-Id: Ica77ae3c9e535eddac9fccf11710b0bcb3254ab3	2018-01-23 19:08:49 +00:00
Tri Vo	0a2f862715	Merge "dumpstate: remove access to 'proc' and 'sysfs' types."	2018-01-23 19:08:33 +00:00
Tom Cherry	873d6ad6fa	Merge "Allow vendor_init without compatible_property to write most properties"	2018-01-23 18:34:34 +00:00
Eino-Ville Talvala	0a1c9a9447	Merge "Cameraserver: Allow shell user to use 'cmd media.camera'"	2018-01-23 18:30:09 +00:00
Jong Wook Kim	72030486c6	MAC Anonymization: wificond SIOCSIFHWADDR sepolicy Add sepolicy rules to grant wificond permission to use SIOCSIFHWADDR ioctl. This permission is needed to dynamically change MAC address of the device when connecting to wifi networks. Bug: 63905794 Test: Verified manually that wificond can dynamically change MAC address. Change-Id: If2c6b955b0b792f706d8438e8e2e018c0b4cfc31	2018-01-22 20:42:12 -08:00
Max Bires	842cc26816	Fixing traceur selinux permission error getattr for trace_data_file:dir permissions was missing, impacting functionality. Bug:68126425 Test: Traceur functionality is properly working Change-Id: I2c8ae5cf3463a8e5309b8402713744e036a64171	2018-01-22 19:59:35 -08:00
Treehugger Robot	7724907ff4	Merge "Allow dumpstate to call statsd. This is needed for bugreport."	2018-01-23 03:27:43 +00:00
Tri Vo	218d87c01c	dumpstate: remove access to 'proc' and 'sysfs' types. And grant appropriate permissions to more granular types. Bug: 29319732 Bug: 65643247 Test: adb bugreport; no new denials to /proc or /sys files. Change-Id: Ied99546164e79bfa6148822858c165177d3720a5	2018-01-23 03:24:37 +00:00
Treehugger Robot	e58fa54803	Merge "Clarify sysfs_leds neverallow."	2018-01-23 02:37:24 +00:00
Eino-Ville Talvala	c41a7bd121	Cameraserver: Allow shell user to use 'cmd media.camera' Test: atest cts/tests/camera/src/android/hardware/camera2/cts/IdleUidTest.java Change-Id: Id9adcec4db2e55f2e41ebd1b018ebc40aa0be404	2018-01-22 17:10:12 -08:00
Steven Moreland	623d9f0683	Clarify sysfs_leds neverallow. Now that init no longer uses it. Fixes: 70846424 Test: no neverallows tripped Change-Id: I5c22dd272b66fd32b4758c1dce659ccd98b8a7ba	2018-01-22 22:03:51 +00:00
Max Bires	35c363897d	Adding write permissions to traceur Fixing denials that stopped traceur from being able to write to debugfs_tracing. Also cleaning up general find denials for services that traceur doesn't have permission to access. Additionally, labeling /data/local/trace as a trace_data_file in order to give traceur a UX friendly area to write its traces to now that it will no longer be a shell user. It will be write/readable by traceur, and deletable/readable by shell. Test: Traceur functionality is not being blocked by selinux policy Bug: 68126425 Change-Id: I201c82975a31094102e90bc81454d3c2a48fae36	2018-01-22 21:06:36 +00:00
Steven Moreland	8bda3dfaa1	Add policy for 'blank_screen'. This util allows init to turn off the screen without any binder dependencies. Bug: 70846424 Test: manual + init use Change-Id: I4f41a966d6398e959ea6baf36c2cfe6fcebc00de	2018-01-22 20:27:01 +00:00
Tom Cherry	6473ae8307	Allow vendor_init without compatible_property to write most properties These property sets will be long term restricted with compatible_property but allowing them now eases the transition. Bug: 62875318 Test: boot marlin without audits for setprop in vendor_init Change-Id: I25ab565bbf137e382c1dfc3b905b38403645f1d2	2018-01-22 19:11:54 +00:00
Paul Crowley	68e31786f0	Merge "Allow access to the metadata partition for metadata encryption."	2018-01-22 18:30:08 +00:00
Treehugger Robot	64271de12c	Merge "Fix error message format"	2018-01-22 16:55:16 +00:00
Yin-Chia Yeh	30793234f6	Camera: add external camera service Change-Id: I37695d6c952b313e641dd145aa1af1d02e9cc537	2018-01-21 16:25:07 -08:00
Tri Vo	a3e8572875	Merge "priv_app: remove access to 'proc' and 'sysfs' types."	2018-01-20 05:01:25 +00:00
Badhri Jagan Sridharan	4f6eb37f6c	usbd sepolicy Sepolicy for the usb daemon. (ag/3373886/) Bug: 63669128 Test: Checked for avc denial messages. Change-Id: I6e2a4ccf597750c47e1ea90c4d43581de4afa4af	2018-01-20 03:41:21 +00:00
Tri Vo	f92cfb9e4f	priv_app: remove access to 'proc' and 'sysfs' types. Bug: 65643247 Test: walleye boots with no denials from priv_app. Change-Id: I9a7faf1253bdd79d780c2398c740109e2d84bc63	2018-01-20 01:05:56 +00:00
Tri Vo	06d7dca4a1	Remove proc and sysfs access from system_app and platform_app. Bug: 65643247 Test: manual Test: browse internet Test: take a picture Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd	2018-01-20 01:05:21 +00:00
Treehugger Robot	04b70519cf	Merge "Label esdfs as sdcardfs"	2018-01-20 00:40:38 +00:00
Tao Bao	d7d9cfcad2	Add rules for system_update service. system_update service manages system update information: system updater (priv_app) publishes the pending system update info through the service, while other apps can read the info accordingly (design doc in go/pi-ota-platform-api). This CL adds the service type, and grants priv_app to access the service. Bug: 67437079 Test: Build and flash marlin image. The system_update service works. Change-Id: I7a3eaee3ecd3e2e16b410413e917ec603566b375	2018-01-19 15:03:21 -08:00
Jeff Vander Stoep	e63686011b	Fix error message format "/n" --> "\n" Fixes: 72225980 Test: build (this is a build test) Change-Id: Iffd7241b4d7b9b429fff34dc2e25baad32d8008d	2018-01-19 15:00:41 -08:00
Paul Crowley	ab318e30d3	Allow access to the metadata partition for metadata encryption. Bug: 63927601 Test: Enable metadata encryption in fstab on Taimen, check boot success. Change-Id: Id425c47d48f413d6ea44ed170835a52d0af39f9f	2018-01-19 14:45:08 -08:00
Yifan Hong	829c6fef14	Merge "move /vendor VINTF data to /vendor/etc/vintf"	2018-01-19 22:01:28 +00:00
Daniel Rosenberg	9d0d6856c1	Label esdfs as sdcardfs Test: esdfs should be mountable and usable with selinux on Bug: 63876697 Change-Id: I7a1d96d3f0d0a6dbc1c98f0c4a96264938011b5e	2018-01-19 13:50:02 -08:00
Treehugger Robot	38adc92797	Merge "hal_usb_gadget sepolicy"	2018-01-19 21:41:00 +00:00
Treehugger Robot	2b38971ed1	Merge "Allow system apps to read log props."	2018-01-19 19:32:13 +00:00
Treehugger Robot	1572cbaffa	Merge "Don't record audio if UID is idle - sepolicy"	2018-01-19 19:31:42 +00:00
Treehugger Robot	43ef5f21f1	Merge "No camera for idle uids - selinux"	2018-01-19 19:01:22 +00:00
Yifan Hong	8d8da6a2e2	move /vendor VINTF data to /vendor/etc/vintf Test: boots Test: hwservicemanager can read these files Bug: 36790901 Change-Id: I0431a7f166face993c1d14b6209c9b502a506e09	2018-01-19 10:57:13 -08:00
Badhri Jagan Sridharan	7bee33e665	hal_usb_gadget sepolicy Bug: 63669128 Test: Checked for avc denail messages. Change-Id: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda Merged-In: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda	2018-01-19 18:56:16 +00:00
Tri Vo	0338f7db2d	Merge "Coredomain can't execute vendor code."	2018-01-19 17:47:33 +00:00
Yao Chen	b10ff337bf	Allow dumpstate to call statsd. This is needed for bugreport. Selinux violations while calling dump() on statsd by bugreport. avc: denied { call } for scontext=u:r:dumpstate:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1 denied { use } for path="pipe:[411602]" dev="pipefs" ino=411602 scontext=u:r:statsd:s0 tcontext=u:r:dumpstate:s0 tclass=fd permissive=1 avc: denied { write } for path="pipe:[411602]" dev="pipefs" ino=411602 scontext=u:r:statsd:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1 avc: denied { getattr } for path="pipe:[411602]" dev="pipefs" ino=411602 scontext=u:r:statsd:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1 Test: manual Change-Id: I46c5b119548378cc80c6e4498d00edad5959d188	2018-01-19 09:21:49 -08:00
Treehugger Robot	536d195469	Merge "neverallow shell access to 'device' type"	2018-01-19 05:20:30 +00:00
Treehugger Robot	5d5284ad93	Merge "Disallow sysfs_leds to coredomains."	2018-01-19 04:56:36 +00:00
Jaekyun Seok	5971d678e6	Merge "Add rcs.publish.status to the whitelist"	2018-01-19 03:22:34 +00:00
Treehugger Robot	1dafee26ee	Merge "charger: allow to read /sys/class/power_supply"	2018-01-19 03:18:43 +00:00
Steven Moreland	09fddac1d7	Disallow sysfs_leds to coredomains. Bug: 70846424 Test: neverallow not tripped Change-Id: I9e351ee906162a594930b5ab300facb5fe807f13	2018-01-18 18:10:06 -08:00
Yifan Hong	2d64886d08	charger: allow to read /sys/class/power_supply Test: charger mode correctly shuts off when unplugged Change-Id: I06a7ffad67beb9f6d9642c4f53c35067b0dc2b3d Fixes: 71328882	2018-01-18 16:46:17 -08:00
Treehugger Robot	74828e65d5	Merge "Add default namespaces of odm properties"	2018-01-18 23:11:09 +00:00
Jaekyun Seok	34aad97ea9	Add rcs.publish.status to the whitelist Bug: 72154054 Test: tested with walleye Change-Id: I35271c6044946c4ec639409c914d54247cfb9f79	2018-01-19 07:35:44 +09:00
Tri Vo	5dab913441	neverallow shell access to 'device' type Bug: 65643247 Test: builds, the change doesn't affect runtime behavior. Change-Id: I621a8006db7074f124cb16a12662c768bb31e465	2018-01-18 21:56:00 +00:00
Tri Vo	3ac8456fed	Merge "system_server: remove access sysfs_devices_system_cpu"	2018-01-18 20:26:30 +00:00
Treehugger Robot	ec4d4a5ed3	Merge "Suppress denials for non-API access"	2018-01-18 20:03:15 +00:00

1 2 3 4 5 ...

13259 commits