Skip to content
Snippets Groups Projects
Select Git revision
  • test default
1 result
Search by author
  • Any Author
  • Admin, Lime Admin, Lime lime_admin
  • CodeLinaro CodeLinaro codelinaro
  • CodeLinaro Hoperun CodeLinaro Hoperun hoperun
  • Joshua S. (Stage) Joshua S. (Stage) joshua.sickmeyer
  • Park, Jae Woo Park, Jae Woo jaewpark
5 authors
  1. May 07, 2015
    • William Roberts's avatar
      Replace unix_socket_connect() and explicit property sets with macro · 2f5a6a96
      William Roberts authored 
      
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

(cherrypicked from commit 625a3526)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: default avatarWilliam Roberts <william.c.roberts@linux.intel.com>
      2f5a6a96
  3. May 06, 2015
    • Dehao Chen's avatar
      Update sepolicy to add label for /data/misc/perfprofd. · 34a468fa
      Dehao Chen authored 
      Bug: 19483574
(cherry picked from commit 7d66f783)

Change-Id: If617e29b6fd36c88c157941bc9e11cf41329da48
      34a468fa
    • Than McIntosh's avatar
      New sepolicy for perfprofd, simpleperf. · 38d0247d
      Than McIntosh authored 
      Bug: http://b/19483574

(cherry picked from commit 0fdd364e)

Change-Id: If29946a5d7f92522f3bbb807cea5f9f1b42a6513
      38d0247d
    • Nick Kralevich's avatar
      kernel: allow rebooting, and writing to /dev/__kmsg__ · 618efe8c
      Nick Kralevich authored 
      Addresses the following denials:

  avc:  denied  { write } for  pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="tmpfs" ino=7214 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=0
  avc:  denied  { write } for  pid=1 comm="init" name="sysrq-trigger" dev="proc" ino=4026534153 scontext=u:r:kernel:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file permissive=0
  avc:  denied  { sys_boot } for  pid=1 comm="init" capability=22  scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0

(cherrypicked from commit e550e79c)

Change-Id: I46be370d520c4492d97c6ed7ccdc55cc20b22c49
      618efe8c
  5. May 05, 2015
  7. May 04, 2015
    • dcashman's avatar
      Allow system_app to list all services. · c6290ac2
      dcashman authored 
      The Settings app contains a SystemPropPoker class which notifies every service
on the system that a property has changed.

Address the following denial:
avc:  denied  { list } for service=NULL scontext=u:r:system_app:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager

Cherry-pick of Change-Id: I81926e8833c1abcb17a4d49687fc89619b416d6c

Bug: 20762975
Change-Id: I665a460f30a1ef57b513da9166aad60097dd4886
      c6290ac2
    • Jeff Vander Stoep's avatar
      Update policy version to enable ioctl whitelisting · 64b01c61
      Jeff Vander Stoep authored 
      Bug: 20756547
Bug: 18087110
Change-Id: I9ff76f1cf359e38c19d7b50a5b7236fd673d937e
      64b01c61
  9. May 01, 2015
    • Jeff Sharkey's avatar
      Allow installd to move APKs. · ecc82e0f
      Jeff Sharkey authored 
      As an optimization, installd is now moving previously-installed
applications between attached storage volumes.  This is effectively
copying to the new location, then deleting the old location.

Since OAT files can now live under /data/app directories, we also
need the ability to relabel those files.

avc: denied { create } for name="base.apk" scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { write } for path="/data/app/com.example.playground-2/base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { setattr } for name="base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelfrom } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelto } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file permissive=1

(Cherry-pick of 8f821db7)

Bug: 19993667, 20275578
Change-Id: I52bb29ed9f57b3216657eb757d78b06eeaf53458
      ecc82e0f
    • Stephen Smalley's avatar
      Ensure that domain and appdomain attributes are assigned. · 3c242caf
      Stephen Smalley authored 
      
Prevent defining any process types without the domain attribute
so that all allow and neverallow rules written on domain are
applied to all processes.

Prevent defining any app process types without the appdomain
attribute so that all allow and neverallow rules written on
appdomain are applied to all app processes.

Change-Id: I4cb565314fd40e1e82c4360efb671b175a1ee389
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      3c242caf
  11. Apr 29, 2015
  13. Apr 25, 2015
  15. Apr 24, 2015