Commits · 745c9b443a4b3465b5fd2556dfdc82d1ffd3b182 · CodeLinaro / public-release-test / platform / system / sepolicy

Apr 29, 2017
- Merge "allow surfaceflinger to use socket from adbd" into oc-dev am: 8027f979 · 745c9b44
  Chris Forbes authored 7 years ago
```
am: ebcb5806

Change-Id: I75a10381448606004af255a5f9dfc1a8f6b6350e
```
  745c9b44
- Merge "allow surfaceflinger to use socket from adbd" into oc-dev · ebcb5806
  Chris Forbes authored 7 years ago
```
am: 8027f979

Change-Id: I51f5c7186619238cb82b04d3db26b961d0c361a4
```
  ebcb5806
- Merge "allow surfaceflinger to use socket from adbd" into oc-dev · 8027f979
  Chris Forbes authored 7 years ago
  
  8027f979
- Merge "Add default label and mapping for vendor services" into oc-dev am: 74a96734 · a78cf4ed
  Jeff Vander Stoep authored 7 years ago
```
am: ea9d1b1f

Change-Id: I1f7a86c0abf6d7c65a0f47772ac47026a961bee6
```
  a78cf4ed
- Merge "Add default label and mapping for vendor services" into oc-dev · ea9d1b1f
  Jeff Vander Stoep authored 7 years ago
```
am: 74a96734

Change-Id: Id1a20ebb9c2bd1dfa6edcb11354bcb3e525e3f04
```
  ea9d1b1f
- Merge "Add default label and mapping for vendor services" into oc-dev · 74a96734
  TreeHugger Robot authored 7 years ago
  
  74a96734
- Merge "untrusted_apps: allow untrusted_apps to execute from /vendor/app" into oc-dev am: 11772818 · 01deeab7
  Sandeep Patil authored 7 years ago
```
am: b525fd0b

Change-Id: Ib6b086efb93d866207879a97e379851de6a7a84b
```
  01deeab7
- Merge "untrusted_apps: allow untrusted_apps to execute from /vendor/app" into oc-dev · b525fd0b
  Sandeep Patil authored 7 years ago
```
am: 11772818

Change-Id: Ia8e5462edc9038be7142331cfb524efd4f0e2edf
```
  b525fd0b
- Merge "untrusted_apps: allow untrusted_apps to execute from /vendor/app" into oc-dev · 11772818
  TreeHugger Robot authored 7 years ago
  
  11772818
- Merge "Enable the use of IOmxStore service" into oc-dev am: d8112255 · a832e56c
  Pawin Vongmasa authored 7 years ago
```
am: f7e9cee6

Change-Id: Ib4f4a9b29e93984aafe702ad46b9cda89d289584
```
  a832e56c
- Merge "Enable the use of IOmxStore service" into oc-dev · f7e9cee6
  Pawin Vongmasa authored 7 years ago
```
am: d8112255

Change-Id: I2b30d171bbce0013b4f63fd3639747936d6674df
```
  f7e9cee6
- Merge "Enable the use of IOmxStore service" into oc-dev · d8112255
  TreeHugger Robot authored 7 years ago
  
  d8112255
- Sepolicy: Fix new access from the linker for postinstall am: bddd1893 · ef156bfb
  Andreas Gampe authored 7 years ago
```
am: 72a8d918

Change-Id: I0723954ba2243a537d7b53545e1c9295a56c9556
```
  ef156bfb
- Sepolicy: Fix new access from the linker for postinstall · 72a8d918
  Andreas Gampe authored 7 years ago
```
am: bddd1893

Change-Id: I9c312bd8203cb859bb5bc6f2604d17bbc812a1a6
```
  72a8d918
- Sepolicy: Fix new access from the linker for postinstall · bddd1893
  Andreas Gampe authored 7 years ago
```
The linker now requires getattr rights for the filesystem. Otherwise
linking otapreopt and patchoat/dex2oat will fail.

Bug: 37776530
Test: m
Test: manual OTA
Change-Id: I1351fbfa101beca4ba80f84b0dd9dbcabe2c9d39
```
  bddd1893
Apr 28, 2017

Enable the use of IOmxStore service · 98b7f66d

Pawin Vongmasa authored 7 years ago

Test: Manual use of Camera app
Test: lshal shows IOmxStore

Bug: 37657124
Bug: 37726880
Change-Id: I5459d992c2feb14bd26765673864e583d48e3ba4

98b7f66d

allow surfaceflinger to use socket from adbd · 676003cf

Chris Forbes authored 7 years ago

Fixes `adb shell cmd gpu vkjson`, which was previously failing due to
surfaceflinger not being able to use the socket passed to it by adbd.

Bug: b/37157136
Test: run above command, verified on marlin + bullhead
Change-Id: I57fa7e99d5c3dc7bc7d033b83f8ce6032162d7d3

676003cf

Merge "Add default label and mapping for vendor services" · 02bbb402
TreeHugger Robot authored 7 years ago

02bbb402

untrusted_apps: allow untrusted_apps to execute from /vendor/app · ef7b2109

Sandeep Patil authored 7 years ago


The typical use case is where vendor apps which run as untrusted apps
use libraries that are packaged withing the apk

Bug: 37753883
Test: Tested by runnig pre-installed app that packages a library from
      /vendor/app

Change-Id: I445144e37e49e531f4f43b13f34d6f2e78d7a3cf
Signed-off-by: Sandeep Patil <sspatil@google.com>

ef7b2109

Add default label and mapping for vendor services · 082eae4e

Jeff Vander Stoep authored 7 years ago

Adding the default label/mapping is important because:
1.  Lookups of services without an selinux label should generate
    a denial.
2.  In permissive mode, lookups of a service without a label should be
    be allowed, without the default label service manager disallows
    access.
3.  We can neverallow use of the default label.

Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
    Add/find of unlabeled vendor services generate a denial.

Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
(cherry picked from commit 639a2b84)

082eae4e

Add default label and mapping for vendor services · 639a2b84

Jeff Vander Stoep authored 7 years ago

Adding the default label/mapping is important because:
1.  Lookups of services without an selinux label should generate
    a denial.
2.  In permissive mode, lookups of a service without a label should be
    be allowed, without the default label service manager disallows
    access.
3.  We can neverallow use of the default label.

Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
    Add/find of unlabeled vendor services generate a denial.

Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80

639a2b84

Sepolicy-Analyze: Plug leak am: ee8b67df am: 4a318ad6 am: 4c1385a6 · a04aa3cd
Andreas Gampe authored 7 years ago
```
am: a1ccbd3d

Change-Id: I0fc9473875e27c9d3fcfb4d20aafa9b3741ccf35
```
a04aa3cd
Sepolicy-Analyze: Plug leak am: ee8b67df am: 4a318ad6 · a1ccbd3d
Andreas Gampe authored 7 years ago
```
am: 4c1385a6

Change-Id: I4da23806c532acfaaa1535ee87b25383a99723d7
```
a1ccbd3d
Sepolicy-Analyze: Plug leak am: ee8b67df · 4c1385a6
Andreas Gampe authored 7 years ago
```
am: 4a318ad6

Change-Id: Iffd30a9cfee48626dc01635877b90ef7a1e8f9b0
```
4c1385a6
Sepolicy-Analyze: Plug leak · 4a318ad6
Andreas Gampe authored 7 years ago
```
am: ee8b67df

Change-Id: Ic2fe390f95f0be43ad39a50366e0300a398aa0ad
```
4a318ad6
Merge "Correct documentation in untrusted_app_all" into oc-dev am: 89671020 · dcb471f2
Nick Kralevich authored 7 years ago
```
am: 3644d0f5

Change-Id: I7da846bfe3db1a19782db13be6c2ab3d1b17accb
```
dcb471f2
Merge "Correct documentation in untrusted_app_all" into oc-dev · 3644d0f5
Nick Kralevich authored 7 years ago
```
am: 89671020

Change-Id: Icbb3d5a87181e65d574007764d69c766d7b31e57
```
3644d0f5
Merge "Correct documentation in untrusted_app_all" into oc-dev · 89671020
Nick Kralevich authored 7 years ago

89671020
Merge "Allow vr_hwc and virtual_touchpad to query for permissions" into oc-dev am: 22ebf24e · c4816868
Daniel Nicoara authored 7 years ago
```
am: c9e21b60

Change-Id: If501dc948b6214052e5ee3ab2c50e0efc439bcf0
```
c4816868
Merge "Allow vr_hwc and virtual_touchpad to query for permissions" into oc-dev · c9e21b60
Daniel Nicoara authored 7 years ago
```
am: 22ebf24e

Change-Id: If8dc1ae0d2269cbe70617748fded75b5162780b8
```
c9e21b60
Merge "Allow vr_hwc and virtual_touchpad to query for permissions" into oc-dev · 22ebf24e
Daniel Nicoara authored 7 years ago

22ebf24e
Merge changes Ia9960af9,I6987d60c into oc-dev am: b9d5d5cc · 179f26bd
Ruchi Kandoi authored 7 years ago
```
am: d792de48

Change-Id: I94257c20a5b7621c883c9386dc327501e713860c
```
179f26bd

Sepolicy-Analyze: Plug leak · ee8b67df

Andreas Gampe authored 7 years ago

Destroy the policy before exiting (for successful = expected runs).

Bug: 37757759
Test: ASAN_OPTIONS= SANITIZE_HOST=address m
Change-Id: I67e35fbede696ec020a53b69a6cef9f374fae167

ee8b67df

Merge changes Ia9960af9,I6987d60c into oc-dev · d792de48
Ruchi Kandoi authored 7 years ago
```
am: b9d5d5cc

Change-Id: Ie43b0d5ad797501a965ff6f69c37ba619fb5f588
```
d792de48

Apr 27, 2017

Merge changes Ia9960af9,I6987d60c into oc-dev · b9d5d5cc

TreeHugger Robot authored 7 years ago

* changes:
  NFC HAL no longer violates socket access restrictions
  Remove access to sock_file for hal_nfc

b9d5d5cc

SELinux configuration for TextClassifier model updates. am: adfc5db0 · 0fbd4f3e
Abodunrinwa Toki authored 7 years ago
```
am: f0226fd3

Change-Id: If2878d81835f8e429dd7c82c17edd4290028d4d1
```
0fbd4f3e
SELinux configuration for TextClassifier model updates. · f0226fd3
Abodunrinwa Toki authored 7 years ago
```
am: adfc5db0

Change-Id: Id0f7e56ee0473a2cf8bc04e4d1d02d6fa23d649c
```
f0226fd3

SELinux configuration for TextClassifier model updates. · adfc5db0

Abodunrinwa Toki authored 7 years ago

Test: bit FrameworksCoreTests:android.view.textclassifier.TextClassificationManagerTest
Bug: 34780396
Change-Id: I8b98fef913df571e55474ea2529f71750874941c

adfc5db0

NFC HAL no longer violates socket access restrictions · 688a7667

Ruchi Kandoi authored 7 years ago


Test: compiles
Bug: 37640900
Change-Id: Ia9960af9da880fd130b5fb211a054689e2353f1d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>

688a7667

Remove access to sock_file for hal_nfc · 468eabb1

Ruchi Kandoi authored 7 years ago


Test: manual
Bug: 37640900
Change-Id: I6987d60c1eb1578134b51f4e7417700fd462ba4d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
(cherry picked from commit ad41fa8d)

468eabb1