Steven Thomas
f7d5d2d936
Merge "Selinux changes for vr flinger vsync service" am: 663a827b47
...
am: 4b3ec1984e
Change-Id: Ib6786e4c5a7cf3713d8cc4b3fb0ce013831e74d1
2018-07-17 16:26:06 -07:00
Steven Thomas
4b3ec1984e
Merge "Selinux changes for vr flinger vsync service"
...
am: 663a827b47
Change-Id: Icc345eda8c645065cc30f14fe4d3de07ba888c25
2018-07-17 16:21:34 -07:00
Treehugger Robot
663a827b47
Merge "Selinux changes for vr flinger vsync service"
2018-07-17 23:15:13 +00:00
Josh Gao
dc86cc0da9
system_server: allow appending to debuggerd -j
pipe. am: 5ca755e05e
...
am: 98545f075c
Change-Id: Ie60925c143519732d737fd82948aab7a88b050df
2018-07-17 15:29:40 -07:00
Josh Gao
98545f075c
system_server: allow appending to debuggerd -j
pipe.
...
am: 5ca755e05e
Change-Id: I92b326f5f1c9f1db083c329ecc8eca952039dc06
2018-07-17 15:25:36 -07:00
Yifan Hong
bf7bf3ba0e
perfprofd: talk to health HAL.
...
am: 65c568d0dd
Change-Id: I67a358cb33f9ba546ab3b42f58d48c1c0a5c763e
2018-07-17 13:24:23 -07:00
Josh Gao
5ca755e05e
system_server: allow appending to debuggerd -j
pipe.
...
Test: debuggerd -j `pidof system_server`
Change-Id: I6cca98b20ab5a135305b91cbb7c0fe7b57872bd3
2018-07-17 12:46:01 -07:00
Yifan Hong
65c568d0dd
perfprofd: talk to health HAL.
...
Test: perfprofd tests
Bug: 110890430
Change-Id: I0f7476d76b8d35b6b48fe6b77544ca8ccc71534d
2018-07-17 11:37:26 -07:00
Jeff Vander Stoep
a0afe6eaf6
[automerger skipped] crash_dump: disallow ptrace of TCB components am: f0e6a70ab5
am: 7f6df93026
am: db8835e0c3
-s ours
...
am: a2bc6f8cfc
-s ours
Change-Id: Ib11f5cda0d40754fb773e7c4f3a8b2e364f83c8a
2018-07-13 21:47:05 -07:00
Jeff Vander Stoep
a2bc6f8cfc
[automerger skipped] crash_dump: disallow ptrace of TCB components am: f0e6a70ab5
am: 7f6df93026
...
am: db8835e0c3
-s ours
Change-Id: I29ed491f8e482f0233f5e68847b96f98c147b47b
2018-07-13 21:41:59 -07:00
Jeff Vander Stoep
db8835e0c3
crash_dump: disallow ptrace of TCB components am: f0e6a70ab5
...
am: 7f6df93026
Change-Id: I6b3b7204317bdad91f44bcf6cfce7d3810693b42
2018-07-13 21:37:55 -07:00
Jeff Vander Stoep
3d4d8899d1
crash_dump: disallow ptrace of TCB components
...
am: 573d333589
Change-Id: I5d0bd81b6b486a6a5cffd8159d99cfcdcf0f464f
2018-07-13 21:35:08 -07:00
Jeff Vander Stoep
7f6df93026
crash_dump: disallow ptrace of TCB components
...
am: f0e6a70ab5
Change-Id: Ia2c196281ae051e2d3ee1ad3f810b12901af8d69
2018-07-13 21:34:51 -07:00
Steven Thomas
7bec967402
Selinux changes for vr flinger vsync service
...
Add selinux policy for the new Binder-based vr flinger vsync service.
Bug: 72890037
Test: - Manually confirmed that I can't bind to the new vsync service
from a normal Android application, and system processes (other than
vr_hwc) are prevented from connecting by selinux.
- Confirmed the CTS test
android.security.cts.SELinuxHostTest#testAospServiceContexts, when
built from the local source tree with this CL applied, passes.
- Confirmed the CTS test
android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules521,
when built from the local source tree with this CL applied, passes.
Change-Id: Ib7a6bfcb1c2ebe1051f3accc18b481be1b188b06
2018-07-13 17:17:01 -07:00
Yifan Hong
b1b3a31e61
Merge changes from topic "coredomain_batteryinfo" am: 6397d7e0cb
...
am: c74c0fbb34
Change-Id: I43163ef3484dd31d0ead3f5432b572bc5568bde3
2018-07-13 13:08:55 -07:00
Yifan Hong
c74c0fbb34
Merge changes from topic "coredomain_batteryinfo"
...
am: 6397d7e0cb
Change-Id: I88c793acd19ce05e275d6f2883f90540f37d52b6
2018-07-13 12:42:47 -07:00
Treehugger Robot
6397d7e0cb
Merge changes from topic "coredomain_batteryinfo"
...
* changes:
vold: not allowed to read sysfs_batteryinfo
full_treble: coredomain must not have access to sysfs_batteryinfo
2018-07-13 18:42:32 +00:00
Yifan Hong
711908e60b
vold: not allowed to read sysfs_batteryinfo
...
It doesn't need to read batteryinfo to function properly.
Bug: 110891415
Test: builds and boots
Change-Id: I7f388180a25101bfd0c088291ef03a9bf8ba2b2c
2018-07-12 11:45:28 -07:00
Yifan Hong
b5f7f28c26
full_treble: coredomain must not have access to sysfs_batteryinfo
...
... but should do it via health HAL and healthd.
Bug: 110891415
Test: builds
Change-Id: Ib124f82d31f1dfbe99a56475dba04a37f81bdca3
2018-07-12 11:45:28 -07:00
Jeff Vander Stoep
573d333589
crash_dump: disallow ptrace of TCB components
...
Remove permissions.
Bug: 110107376
Test: kill -6 <components excluded from ptrace>
Change-Id: If8b9c932af03a551e40e786d591544ecdd4e5c98
Merged-In: If8b9c932af03a551e40e786d591544ecdd4e5c98
(cherry picked from commit f1554f1588)
2018-07-12 11:33:30 -07:00
Jeff Vander Stoep
f0e6a70ab5
crash_dump: disallow ptrace of TCB components
...
Remove permissions and add neverallow assertion.
Bug: 110107376
Test: kill -6 <components excluded from ptrace>
Change-Id: If8b9c932af03a551e40e786d591544ecdd4e5c98
Merged-In: If8b9c932af03a551e40e786d591544ecdd4e5c98
(cherry picked from commit f1554f1588)
2018-07-12 17:30:25 +00:00
Aalique Grahame
c1e84a6ac5
Merge "sepolicy: create rules for system properties" am: 280c6afab2
...
am: 5626ee67a9
Change-Id: Icd66784f207472346ac823ad565e6e7b834dcbc8
2018-07-10 21:45:02 -07:00
Aalique Grahame
5626ee67a9
Merge "sepolicy: create rules for system properties"
...
am: 280c6afab2
Change-Id: I879d46d8e004a4ea63c1b131cdb5348e90adca0d
2018-07-10 21:40:58 -07:00
Florian Mayer
9d144e1f00
Merge "Allow to read events/header_page with debugfs_tracing" am: 7d7328b807
...
am: 139bb3f279
Change-Id: Ifb564911815c938a489c32f4c648d9b8c3612c6f
2018-07-10 21:38:01 -07:00
Treehugger Robot
280c6afab2
Merge "sepolicy: create rules for system properties"
2018-07-11 04:36:36 +00:00
Florian Mayer
139bb3f279
Merge "Allow to read events/header_page with debugfs_tracing"
...
am: 7d7328b807
Change-Id: I6bd14e069dd07b81b6cf33cfe8dd22e641d8f1f9
2018-07-10 21:35:06 -07:00
Treehugger Robot
7d7328b807
Merge "Allow to read events/header_page with debugfs_tracing"
2018-07-11 04:28:23 +00:00
Aalique Grahame
2fc89a71f7
sepolicy: create rules for system properties
...
Add new sepolicy rules to support audio system properties
Bug: 110564278
Change-Id: If774a40b50e56f9e83bcb4ab8a84581dc03058ad
2018-07-03 08:54:04 -07:00
Anton Hansson
64bcf9ddda
Merge "Split selinux_policy module into two." am: 43a0a8e10c
...
am: 72a3251989
Change-Id: Ie898a9ef453521c010ac7a7fcdcb04b026a988dc
2018-07-03 06:31:11 -07:00
Anton Hansson
72a3251989
Merge "Split selinux_policy module into two."
...
am: 43a0a8e10c
Change-Id: Iba96f0b88256b7549eb1278bdf87e65bca041594
2018-07-03 06:27:44 -07:00
Anton Hansson
43a0a8e10c
Merge "Split selinux_policy module into two."
2018-07-03 13:19:35 +00:00
Anton Hansson
8cfe1e6128
Split selinux_policy module into two.
...
Create one _system and one _nonsystem target, which together contain
the same artifacts as before, just split by whether they go on the
system partition or not.
The product build hierarchy is being refactored to be split by
partition, so these targets facilitate inclusion of just the
system parts where necessary. Also keep the selinux_policy target
around for products that don't need the split.
Bug: 80410283
Test: for t in eng userdebug user; do lunch mainline_arm64-${t}; m nothing; done
Test: verified walleye /system and /vendor identical before and after, via:
Test: /google/data/rw/users/cc/ccross/bin/compare-target-files.sh P6259983 walleye-userdebug "SYSTEM/*" "VENDOR/*"
Test: only diffs are in build.prop files (timestamps and the like)
Change-Id: I0f5d8a1558a164ce5cfb7d521f34b431855ac260
2018-07-03 14:04:20 +01:00
Florian Mayer
a62ce04a8c
Allow to read events/header_page with debugfs_tracing
...
Bug: 110900684
Change-Id: I9fd141e0d56d0135c563467b7ca2f08b6af6700b
2018-07-03 09:36:42 +00:00
Bowgo Tsai
6e5e109333
Merge "Sepolicy for rw mount point for product extensions." am: 589dbe1429
...
am: dc7e8d3de5
Change-Id: I2f726b1cf758e3d2744966552bf30ad8756aa754
2018-07-02 19:06:48 -07:00
Pawin Vongmasa
6dea29712a
Merge "Allow surfaceflinger to call into mediacodec" am: 48f1c4ce22
...
am: 35f9e08bcd
Change-Id: I561ce4fb68e165b1c18f8dee5138941b68fd7276
2018-07-02 19:06:08 -07:00
Bowgo Tsai
dc7e8d3de5
Merge "Sepolicy for rw mount point for product extensions."
...
am: 589dbe1429
Change-Id: Ife838a971f7145583d2d1444a2c366515060e5a4
2018-07-02 19:03:52 -07:00
Pawin Vongmasa
35f9e08bcd
Merge "Allow surfaceflinger to call into mediacodec"
...
am: 48f1c4ce22
Change-Id: I9362732c00cf9daf4b68f30885664a000dd0f3b8
2018-07-02 19:03:07 -07:00
Treehugger Robot
589dbe1429
Merge "Sepolicy for rw mount point for product extensions."
2018-07-03 00:21:01 +00:00
Treehugger Robot
48f1c4ce22
Merge "Allow surfaceflinger to call into mediacodec"
2018-07-03 00:19:50 +00:00
Yabin Cui
474389dfb4
Merge "Export more files in proc_perf." am: 74f86551af
...
am: ca685e9e91
Change-Id: I87a9f426c49807a273943612bcf495854624f059
2018-07-02 15:22:27 -07:00
Yabin Cui
ca685e9e91
Merge "Export more files in proc_perf."
...
am: 74f86551af
Change-Id: I16f29c89431a5ca4ac604869e21cd8312bd37f9e
2018-07-02 15:18:49 -07:00
Yabin Cui
74f86551af
Merge "Export more files in proc_perf."
2018-07-02 22:12:03 +00:00
Yongqin Liu
cb7a9e8aae
public/netd.te: allow netd to operate icmp_socket that passed to it am: 8a8d4ef532
...
am: 29ed5f16ed
Change-Id: Ibabe55bc17d64226b5ebbe221f8e8cbb4ca4926f
2018-07-02 14:59:46 -07:00
Yongqin Liu
29ed5f16ed
public/netd.te: allow netd to operate icmp_socket that passed to it
...
am: 8a8d4ef532
Change-Id: Ib48576d7f47811870661e0bb66cebad0f26a6782
2018-07-02 14:55:41 -07:00
Yabin Cui
09464811ca
Export more files in proc_perf.
...
Export /proc/sys/kernel/perf_cpu_time_max_percent and
/proc/sys/kernel/perf_event_mlock_kb in proc_perf, so
they can be read in shell and written by init.
This is needed by simpleperf to control cpu percent and
memory used for profiling.
Bug: 110706031
Test: build and boot hikey960 successfully.
Change-Id: I2a01f583508003ab73427bab30a7982a27dfa677
2018-07-02 11:39:40 -07:00
Yongqin Liu
8a8d4ef532
public/netd.te: allow netd to operate icmp_socket that passed to it
...
This should be a supplement to the change here:
https://android-review.googlesource.com/c/platform/system/sepolicy/+/708638
When testing the CTS libcore.libcore.io.OsTest#test_socketPing test case, it will fail
with AVC denial messages like the following:
[ 1906.617027] type=1400 audit(1530527518.195:10496): avc: denied { read write } for comm="netd" path="socket:[32066]" dev="sockfs" ino=32066 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617189] type=1400 audit(1530527518.195:10496): avc: denied { read write } for comm="netd" path="socket:[32066]" dev="sockfs" ino=32066 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617206] type=1400 audit(1530527518.195:10497): avc: denied { getopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617313] type=1400 audit(1530527518.195:10497): avc: denied { getopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617330] type=1400 audit(1530527518.195:10498): avc: denied { setopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1907.832425] type=1400 audit(1530527518.195:10498): avc: denied { setopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
Test: run cts -m CtsLibcoreTestCases -t libcore.libcore.io.OsTest#test_socketPing
Change-Id: If41cb804292834b8994333f170d1f7f837bcd7df
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2018-07-02 18:34:18 +08:00
Pawin Vongmasa
ff2dccaf38
Allow surfaceflinger to call into mediacodec
...
Test: adb logcat | grep "Wrong interface type."
Bug: 77924251
Change-Id: Idf9d7ae6db0d41bb0c2f94b2183bfe23f0c21155
2018-07-01 19:04:03 -07:00
Todd Poynor
c66af8944e
[automerger skipped] remove thermalcallback_hwservice am: c6afcb7fc0
-s ours
...
am: 29e292e9d2
Change-Id: Id9655ad460a971cb6a93ab77591998ca1b8bc226
2018-06-29 19:19:11 -07:00
Todd Poynor
29e292e9d2
[automerger skipped] remove thermalcallback_hwservice
...
am: c6afcb7fc0
-s ours
Change-Id: I9c89b5179d68943f4e090fbd596b4cd4be68100f
2018-06-29 19:14:10 -07:00
Todd Poynor
c6afcb7fc0
remove thermalcallback_hwservice
...
This hwservice isn't registered with hwservicemanager but rather passed
to the thermal hal, so it doesn't need sepolicy associated with it to
do so.
Test: manual: boot, inspect logs
Test: VtsHalThermalV1_1TargetTest
Bug: 109802374
Change-Id: Ifb727572bf8eebddc58deba6c0ce513008e01861
Merged-In: Ifb727572bf8eebddc58deba6c0ce513008e01861
2018-06-29 23:01:43 +00:00