Commits · 14b6f44933a9bdbe7ad48faf461901e2c016585d · CodeLinaro / public-release-test / platform / system / sepolicy

Dec 08, 2015

Allow update_verifier to access bootctrl_block_device. · 14b6f449

Tao Bao authored 9 years ago

Bug: 26039641
Change-Id: Ifd96b105f054b67f881529db3fe94718cab4a0f4
(cherry picked from commit 8eaf2585)

14b6f449

Nov 19, 2015

DO NOT MERGE Move update_engine policy to AOSP. · 500a598e

David Zeuthen authored 9 years ago

The update_engine daemon from Brillo is expected to be used also in
Android so move its selinux policy to AOSP.

Put update_engine in the whitelist (currently only has the recovery
there) allowing it to bypass the notallow for writing to partititions
labeled as system_block_device.

Also introduce the misc_block_device dev_type as update_engine in some
configurations may need to read/write the misc partition. Start
migrating uncrypt to use this instead of overly broad
block_device:blk_file access.

Bug: 23186405
Test: Manually tested with Brillo build.

Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
(cherry picked from commit a10f789d)

500a598e

Nov 16, 2015
- Add support for building without ramdisk · 2b4183a7
  Daniel Rosenberg authored 9 years ago
```
Change-Id: I9496af008aa3ad1bf33fb5911c8dd711af219440
```
  2b4183a7
- Allow init to mount filesystems on properly labeled folders · f3500608
  Daniel Rosenberg authored 9 years ago
```
Change-Id: I08aaf89e2ef23f9528d107a1c9d66c1c9979b3ac
```
  f3500608
Oct 29, 2015

Enable permission checking by binderservicedomain. · 1c749e07
dcashman authored 9 years ago
```
am: 32d207e0

* commit '32d207e0':
  Enable permission checking by binderservicedomain.
```
1c749e07

Enable permission checking by binderservicedomain. · 32d207e0

dcashman authored 9 years ago

binderservicedomain services often expose their methods to untrusted
clients and rely on permission checks for access control.  Allow these
services to query the permission service for access decisions.

Bug: 25282923
Change-Id: I39bbef479de3a0df63e0cbca956f3546e13bbb9b

32d207e0

Oct 22, 2015
- Merge "Revert "Update sepolicy to allow ThermalObserver system service"" into cw-e-dev · 753148a8
  Anthony Hugh authored 9 years ago
  
  753148a8
- Revert "Update sepolicy to allow ThermalObserver system service" · 2d8c2d97
  Anthony Hugh authored 9 years ago
```
This reverts commit cda36e31.
This will be moved to a device specific file.

BUG: 24555181

Change-Id: I0eb543211245c37da77bbf42449f70ff3fdf79ec
```
  2d8c2d97
Oct 21, 2015
- Merge remote-tracking branch \'goog/mnc-cts-release\' into HEAD am: 7d20f408 am: a8bbe96d · 4bb2bdc1
  Bill Yi authored 9 years ago
```
am: 5eac9217

* commit '5eac9217':
```
  4bb2bdc1
- Merge remote-tracking branch \'goog/mnc-cts-release\' into HEAD am: 7d20f408 · 5eac9217
  Bill Yi authored 9 years ago
```
am: a8bbe96d

* commit 'a8bbe96d':
```
  5eac9217
- Merge remote-tracking branch \'goog/mnc-cts-release\' into HEAD · a8bbe96d
  Bill Yi authored 9 years ago
```
am: 7d20f408

* commit '7d20f408':
```
  a8bbe96d
- Merge remote-tracking branch 'goog/mnc-cts-release' into HEAD · 7d20f408
  Bill Yi authored 9 years ago
  
  7d20f408
Oct 19, 2015
- Merge "untrusted_apps: Allow untrusted apps to find healthd_service." into mnc-dr-dev · 40367ad8
  Nick Kralevich authored 9 years ago
```
am: 6ab438dc

* commit '6ab438dc':
  untrusted_apps: Allow untrusted apps to find healthd_service.
```
  40367ad8
- Merge "untrusted_apps: Allow untrusted apps to find healthd_service." into mnc-dr-dev · 6ab438dc
  Nick Kralevich authored 9 years ago
  
  6ab438dc
- untrusted_apps: Allow untrusted apps to find healthd_service. · ac8b5750
  Ruchi Kandoi authored 9 years ago
```
This allows apps to find the healthd service which is used to query
battery properties.

Bug: 24759218
Change-Id: I72ce5a28b2ffd57aa424faeb2d039b6c92f9597d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
```
  ac8b5750
Oct 14, 2015
- am 9fcc949f: am 63af426a: bluetooth.te: Relax bluetooth neverallow rule. am: 33a779fe · 4cf4ce3e
  Nick Kralevich authored 9 years ago
```
* commit '9fcc949f':
  bluetooth.te: Relax bluetooth neverallow rule.
```
  4cf4ce3e
- am 63af426a: bluetooth.te: Relax bluetooth neverallow rule. am: 33a779fe · 9fcc949f
  Nick Kralevich authored 9 years ago
```
* commit '63af426a':
  bluetooth.te: Relax bluetooth neverallow rule.
```
  9fcc949f
- bluetooth.te: Relax bluetooth neverallow rule. · 63af426a
  Nick Kralevich authored 9 years ago
```
am: 33a779fe

* commit '33a779fe':
  bluetooth.te: Relax bluetooth neverallow rule.
```
  63af426a
- bluetooth.te: Relax bluetooth neverallow rule. · 33a779fe
  Nick Kralevich authored 9 years ago
```
Bug: 24866874
Change-Id: Ic13ad4d3292fe8284e5771a28abaebb0ec9590f0
```
  33a779fe
Sep 25, 2015
- Update sepolicy to allow ThermalObserver system service · cda36e31
  Bryce Lee authored 9 years ago
```
Bug: 21445745
Change-Id: I59fd20f61a5e669e000f696f3738cc11071920aa
```
  cda36e31
Sep 15, 2015
- am 48dae29f: Merge "Allow system_server to bind ping sockets." into mnc-dr-dev · f5d828d4
  Lorenzo Colitti authored 9 years ago
```
* commit '48dae29f':
  Allow system_server to bind ping sockets.
```
  f5d828d4
- Merge "Allow system_server to bind ping sockets." into mnc-dr-dev · 48dae29f
  Lorenzo Colitti authored 9 years ago
  
  48dae29f
Sep 14, 2015

Allow system_server to bind ping sockets. · 16c36f68

Lorenzo Colitti authored 9 years ago

This allows NetworkDiagnostics to send ping packets from specific
source addresses in order to detect reachability problems on the
reverse path.

This addresses the following denial:

[  209.744636] type=1400 audit(1441805730.510:14): avc: denied { node_bind } for pid=8347 comm="Thread-202" saddr=2400:xxxx:xxxx:xxxx:40b1:7e:a1d7:b3ae scontext=u:r:system_server:s0 tcontext=u:object_r:node:s0 tclass=rawip_socket permissive=0

Bug: 23661687

(cherry picked from commit c3712143)

Change-Id: Ia93c14bc7fec17e2622e1b48bfbf591029d84be2

16c36f68

Sep 11, 2015
- am 0b764ae9: Allow untrusted_app to list services. · 887fd5d1
  dcashman authored 9 years ago
```
* commit '0b764ae9':
  Allow untrusted_app to list services.
```
  887fd5d1
Sep 10, 2015

Allow untrusted_app to list services. · 0b764ae9

dcashman authored 9 years ago

CTS relies on the ability to see all services on the system to make sure
the dump permission is properly enforced on all services.  Allow this.

Bug: 23476772
Change-Id: I144b825c3a637962aaca59565c9f567953a866e8

0b764ae9

Sep 01, 2015
- DO NOT MERGE Grant Bluetooth the ability to acquire wake locks. · bea8a99c
  Sharvil Nanavati authored 9 years ago
```
Bug: 23375670
Change-Id: I0454c580b465a2f0edc928cf0effb71733866f03
```
  bea8a99c
Aug 28, 2015
- am 4496a389: am 78b54b5d: am bf323ff8: am 21827ff0: am f82f5e01: Accept... · 1c38b8a2
  dcashman authored 9 years ago
```
am 4496a389: am 78b54b5d: am bf323ff8: am 21827ff0: am f82f5e01: Accept command-line input for neverallow-check.

* commit '4496a389':
```
  1c38b8a2
- am f84c740b: am ed21ab14: am c9b882dc: am a045ca42: am 87f3802a: appdomain:... · 1116759c
  Nick Kralevich authored 9 years ago
```
am f84c740b: am ed21ab14: am c9b882dc: am a045ca42: am 87f3802a: appdomain: relax netlink_socket neverallow rule

* commit 'f84c740b':
```
  1116759c
- am 5e911116: am f35d737d: am a669507e: am b5dd69a1: am c423b1aa: Add... · d0e9419d
  Stephen Smalley authored 9 years ago
```
am 5e911116: am f35d737d: am a669507e: am b5dd69a1: am c423b1aa: Add neverallow checking to sepolicy-analyze.

* commit '5e911116':
```
  d0e9419d
- am 7dea3ae2: am 22db098e: am 5c190886: am 57dec60c: am 6f201ddc: App: add... · 38869ad4
  Jeff Hao authored 9 years ago
```
am 7dea3ae2: am 22db098e: am 5c190886: am 57dec60c: am 6f201ddc: App: add permissions to read symlinks from dalvik cache.

* commit '7dea3ae2':
```
  38869ad4
- am c80e805c: am f08d0446: am 582620ae: am c2eb12b2: am 9f0af9ec: Merge... · 583425ee
  Jeff Hao authored 9 years ago
```
am c80e805c: am f08d0446: am 582620ae: am c2eb12b2: am 9f0af9ec: Merge "zygote/dex2oat: Grant additional symlink permissions" into lmp-sprout-dev

* commit 'c80e805c':
```
  583425ee
- am eced16c0: am fd352211: am f83e617f: am 4008b6c6: am b7934922: allow run-as... · f7b2792d
  Nick Kralevich authored 9 years ago
```
am eced16c0: am fd352211: am f83e617f: am 4008b6c6: am b7934922: allow run-as to access /data/local/tmp

* commit 'eced16c0':
```
  f7b2792d
- am 8ef2fed6: am d5d55306: am 330dd6e4: am 0edbecf2: am 7cd346a7: am 0055ea90:... · beb40b5d
  Nick Kralevich authored 9 years ago
```
am 8ef2fed6: am d5d55306: am 330dd6e4: am 0edbecf2: am 7cd346a7: am 0055ea90: Allow recovery to create device nodes and modify rootfs

* commit '8ef2fed6':
```
  beb40b5d
- am 58aa4481: am f992c4fa: am aa03e496: am e2ba13b9: am 7adc8cfe: Allow adbd to write to /data/adb · b4b562dd
  Nick Kralevich authored 9 years ago
```
* commit '58aa4481':
```
  b4b562dd
- am 78b54b5d: am bf323ff8: am 21827ff0: am f82f5e01: Accept command-line input for neverallow-check. · 4496a389
  dcashman authored 9 years ago
```
* commit '78b54b5d':
```
  4496a389
- am ed21ab14: am c9b882dc: am a045ca42: am 87f3802a: appdomain: relax netlink_socket neverallow rule · f84c740b
  Nick Kralevich authored 9 years ago
```
* commit 'ed21ab14':
```
  f84c740b
- am f35d737d: am a669507e: am b5dd69a1: am c423b1aa: Add neverallow checking to sepolicy-analyze. · 5e911116
  Stephen Smalley authored 9 years ago
```
* commit 'f35d737d':
```
  5e911116
- am 22db098e: am 5c190886: am 57dec60c: am 6f201ddc: App: add permissions to... · 7dea3ae2
  Jeff Hao authored 9 years ago
```
am 22db098e: am 5c190886: am 57dec60c: am 6f201ddc: App: add permissions to read symlinks from dalvik cache.

* commit '22db098e':
```
  7dea3ae2
- am f08d0446: am 582620ae: am c2eb12b2: am 9f0af9ec: Merge "zygote/dex2oat:... · c80e805c
  Jeff Hao authored 9 years ago
```
am f08d0446: am 582620ae: am c2eb12b2: am 9f0af9ec: Merge "zygote/dex2oat: Grant additional symlink permissions" into lmp-sprout-dev

* commit 'f08d0446':
```
  c80e805c
- am fd352211: am f83e617f: am 4008b6c6: am b7934922: allow run-as to access /data/local/tmp · eced16c0
  Nick Kralevich authored 9 years ago
```
* commit 'fd352211':
```
  eced16c0