Commits · 66e27bf502246c8e8870b7b3e2573a8c87e89fe1 · CodeLinaro / public-release-test / platform / system / sepolicy

Apr 16, 2017
- label hal_wifi_offload to be vendor type · 66e27bf5
  Sandeep Patil authored 7 years ago
```
Bug: 36463595
Test: make -j48 sepolicy
Change-Id: Id8e66e3e08ceb1301c36824af93410aa84def8d3
Signed-off-by: Sandeep Patil <sspatil@google.com>
```
  66e27bf5
- Merge "Allow mediacodec access to sync fences." into oc-dev am: e506cda3 · 627f286d
  Martijn Coenen authored 7 years ago
```
am: 6cc5334a

Change-Id: Ic465169a0ac0c04a2114a4268caae3b82a7b6706
```
  627f286d
- Merge "Allow mediacodec access to sync fences." into oc-dev · 6cc5334a
  Martijn Coenen authored 7 years ago
```
am: e506cda3

Change-Id: I9df35ecb00db0ed5d3a1430e64056e09579ab0a5
```
  6cc5334a
- Merge "Allow mediacodec access to sync fences." into oc-dev · e506cda3
  Martijn Coenen authored 7 years ago
  
  e506cda3
Apr 15, 2017
- Merge "add netutils_wrappers" into oc-dev am: acb66317 · 2ad88481
  Sandeep Patil authored 7 years ago
```
am: 6a4b6c68

Change-Id: Ie9c93a313215652d22fa2bc93aeb2a468916e008
```
  2ad88481
- Merge "add netutils_wrappers" into oc-dev · 6a4b6c68
  Sandeep Patil authored 7 years ago
```
am: acb66317

Change-Id: Ib10b8c031066507b72361e302204646d3c9f9814
```
  6a4b6c68
- Merge "add netutils_wrappers" into oc-dev · acb66317
  TreeHugger Robot authored 7 years ago
  
  acb66317
- Allow mediacodec access to sync fences. · b4d701bf
  Martijn Coenen authored 7 years ago
```
Test: WIP
Change-Id: I678b0d0e9750b25628b86060574fd516d3749cdf
```
  b4d701bf
- secilc: expand generated attributes on non-treble devices am: 748cae86 · 33070fb9
  Jeff Vander Stoep authored 7 years ago
```
am: 405e7283

Change-Id: I6045f5edf0ef32d3001eb76a8437a2b92790cca3
```
  33070fb9
- secilc: expand generated attributes on non-treble devices · 405e7283
  Jeff Vander Stoep authored 7 years ago
```
am: 748cae86

Change-Id: Ia9c8f25a66ba8cf8528e80b3ce4c151f10574a6d
```
  405e7283
- add netutils_wrappers · c6d89024
  Sandeep Patil authored 7 years ago
```
Bug: 36463595
Test: Boot sailfish, make wifi call, internet over data and wifi

Change-Id: I81259b6412d7197725afe2fe4976aa0a03b8df6e
Signed-off-by: Sandeep Patil <sspatil@google.com>
```
  c6d89024
- secilc: expand generated attributes on non-treble devices · 748cae86
  Jeff Vander Stoep authored 7 years ago
```
Attributes added to the policy by the policy compiler are causing
performance issues. Telling the compiler to expand these
auto-generated attributes to their underlying types prevents
preemtion during policy lookup.

Bug: 3650825
Test: Build and boot Bullhead
Change-Id: I9a33f5efb1e7c25d83dda1ea5dfe663b22846a2f
```
  748cae86
- Give apps, cameraserver, and system_server access to sync fences. am: de2e79c5 · 34f00ee2
  Martijn Coenen authored 7 years ago
```
am: d6ceae5a

Change-Id: I03753dbba73acf23e557e8abdebbd45df310a9fe
```
  34f00ee2
- Give apps, cameraserver, and system_server access to sync fences. · d6ceae5a
  Martijn Coenen authored 7 years ago
```
am: de2e79c5

Change-Id: Icc632129142cba968ca05206690adfef445f62c7
```
  d6ceae5a
- Merge "Allow recovery to read thermal info on sailfish" am: 5ab5cfba am:... · 94e595d6
  Tianjie Xu authored 7 years ago
```
Merge "Allow recovery to read thermal info on sailfish" am: 5ab5cfba am: afa8120a am: 16118451
am: d5c8c6b6

Change-Id: I5b20d4028cc1a1f9d1b3d7b9bf84109198e64781
```
  94e595d6
- Merge "Allow recovery to read thermal info on sailfish" am: 5ab5cfba am: afa8120a · d5c8c6b6
  Tianjie Xu authored 7 years ago
```
am: 16118451

Change-Id: I55938593a2dd5f284dd2332a3685a737acbe1aec
```
  d5c8c6b6
- Merge "Allow recovery to read thermal info on sailfish" am: 5ab5cfba · 16118451
  Tianjie Xu authored 7 years ago
```
am: afa8120a

Change-Id: Ie7c760c3952650b5b7b60f956a0a5934a64e399f
```
  16118451
- Merge "Allow recovery to read thermal info on sailfish" · afa8120a
  Tianjie Xu authored 7 years ago
```
am: 5ab5cfba

Change-Id: I1fd254e6991d4d7f9afa6e36b26cc879c73fa6da
```
  afa8120a
- Merge "Allow recovery to read thermal info on sailfish" · 5ab5cfba
  Treehugger Robot authored 7 years ago
  
  5ab5cfba
Apr 14, 2017

Give apps, cameraserver, and system_server access to sync fences. · de2e79c5

Martijn Coenen authored 7 years ago

Since hal_graphics_composer_default is now no longer
a member of binderservicedomain, these domains would
no longer be able to use filedescriptors from it.

Bug: 36569525
Bug: 35706331
Test: marlin boots, YouTube, Maps, Camera, video
Change-Id: I4c110cf7530983470ae079e4fbc8cf11aa0fab7f

de2e79c5

Allow recovery to read thermal info on sailfish · b4e4565d

Tianjie Xu authored 7 years ago

Encountered more denials on sailfish:

avc:  denied  { read } for  pid=439 comm="recovery" name="thermal"
dev="sysfs" ino=28516 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0

avc:  denied  { read } for  pid=441 comm="recovery"
name="thermal_zone9" dev="sysfs" ino=40364 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=lnk_file permissive=0

Bug: 36920500
Test: sideload a package in sailfish
Change-Id: Ib4e89ba48cdc383318e5f3b7b15f542434e43564

b4e4565d

Merge changes from topic 'add_vendor_shell_toybox' into oc-dev am: e9e11a79 · 03e92f14
Sandeep Patil authored 7 years ago
```
am: ff2febc0

Change-Id: Iccca8a3c2add3eecf9f8dbb1fad4ff9e3c03b534
```
03e92f14
Merge "Transition mediacodec to /dev/hwbinder and /dev/vndbinder" into oc-dev am: a8c0b2d9 · f84aa486
Iliyan Malchev authored 7 years ago
```
am: b4aa5da9

Change-Id: Iebe2b6c646916d3ea5ef7de7a57266f39a64938f
```
f84aa486
Merge changes from topic 'add_vendor_shell_toybox' into oc-dev · ff2febc0
Sandeep Patil authored 7 years ago
```
am: e9e11a79

Change-Id: I4afe3e0fbd9fd17d19f2e498162c9f68234a8fb5
```
ff2febc0
Merge "Transition mediacodec to /dev/hwbinder and /dev/vndbinder" into oc-dev · b4aa5da9
Iliyan Malchev authored 7 years ago
```
am: a8c0b2d9

Change-Id: If0bae6172f3f7e5c05b4745dc7a00b890b4905e5
```
b4aa5da9

Merge changes from topic 'add_vendor_shell_toybox' into oc-dev · e9e11a79

TreeHugger Robot authored 7 years ago

* changes:
  suppress audit logs from rild's access to core domain through system()
  sepolicy: auditallow vendor components to execute files from /system
  vendor_shell: add sepolicy for vendor shell
  toolbox: add sepolicy for vendor toybox
  Do not allow priv_apps to scan all exec files

e9e11a79

Merge "Transition mediacodec to /dev/hwbinder and /dev/vndbinder" into oc-dev · a8c0b2d9
TreeHugger Robot authored 7 years ago

a8c0b2d9
Remove unnecessary attributes am: 20c2d4e9 · fd060ab6
Alex Klyubin authored 7 years ago
```
am: b83fc712

Change-Id: I9236e4f3cb9456e5280c38ebc6338e23a5f5b9b7
```
fd060ab6
Remove unnecessary attributes · b83fc712
Alex Klyubin authored 7 years ago
```
am: 20c2d4e9

Change-Id: I0a6aeb383854eb7df3b701ff2a080cb5a12398db
```
b83fc712

Transition mediacodec to /dev/hwbinder and /dev/vndbinder · 56cdcd48

Iliyan Malchev authored 7 years ago


This change disables /dev/binder access to and by mediacodec on
full-Treble devices.

b/36604251 OMX HAL (aka mediacodec) uses Binder and even exposes a
	   Binder service

Test: marlin
Change-Id: I1e30a6c56950728f36351c41b2859221753fd91a
Signed-off-by: Iliyan Malchev <malchev@google.com>

56cdcd48

Merge "SE Linux policies for OemLockService" into oc-dev am: 31c55240 · e89907e5
Andrew Scull authored 7 years ago
```
am: a95cf663

Change-Id: Ia1273a45798a0ae8a038ad90c8187f81960d6681
```
e89907e5

Remove unnecessary attributes · 20c2d4e9

Alex Klyubin authored 7 years ago

Test: mmm system/sepolicy
Bug: 34980020

(cherry picked from commit 3cc6a959)

Change-Id: I64c7275551e8e27d68072e8ec38c07b539989da0

20c2d4e9

suppress audit logs from rild's access to core domain through system() · 7bbf7a6e
Sandeep Patil authored 7 years ago
```
Change-Id: Ic9a9026df6f36d65fa02cc7b264bc901a14546f9
Signed-off-by: Sandeep Patil <sspatil@google.com>
```
7bbf7a6e

sepolicy: auditallow vendor components to execute files from /system · 0ca17178

Sandeep Patil authored 7 years ago


Adds a rule to audit vendor domains from executing programs from /system
with the exception of domains whitelisted in the rule.

Bug: 36463595
Test: Boot sailfish
Test: Run SELinuxHostTests with the tests that checks for new violators
      (without the API check) to ensure it fails for sailfish. The API
      check will allow the test to skip the check.

Change-Id: Id19f32141bceba4db4bd939394ff3ee0b3c4b437
Signed-off-by: Sandeep Patil <sspatil@google.com>

0ca17178

vendor_shell: add sepolicy for vendor shell · c96bb1ed

Sandeep Patil authored 7 years ago


Bug: 36463595
Test: Boot sailfish and make sure all vendor services that are shell scripts
      work. (Checke exited status)

Change-Id: I3d1d564114a914dec8179fb93a9e94493c2808da
Signed-off-by: Sandeep Patil <sspatil@google.com>

c96bb1ed

Merge "SE Linux policies for OemLockService" into oc-dev · a95cf663
Andrew Scull authored 7 years ago
```
am: 31c55240

Change-Id: I69d9ff422aaa8ae2b8b725a85cdb6374ba617014
```
a95cf663
Merge "SE Linux policies for OemLockService" into oc-dev · 31c55240
Andrew Scull authored 7 years ago

31c55240
Make hal_tv_cec_default exec a vendor_file_type am: 5d81208e · c493a88e
Sandeep Patil authored 7 years ago
```
am: 6f3fbd6a

Change-Id: Ibe500a319b929c558b1f0289dd0f84a1b00d0019
```
c493a88e
Make hal_tv_cec_default exec a vendor_file_type · 6f3fbd6a
Sandeep Patil authored 7 years ago
```
am: 5d81208e

Change-Id: If6446ab310961d37a302e0482aaee4ec70c39c9a
```
6f3fbd6a
Merge "bluetooth: Remove domain_deprecated" am: e453801d am: f169d6a3 am: d06d8c81 · 0856d4a4
Jeff Vander Stoep authored 7 years ago
```
am: 5337a2a9

Change-Id: I26514fe1fa8bb59f8158b79d3565dba7fafa0600
```
0856d4a4