Skip to content
Snippets Groups Projects
Select Git revision
  • test default
1 result
Search by author
  • Any Author
  • Admin, Lime Admin, Lime lime_admin
  • CodeLinaro CodeLinaro codelinaro
  • CodeLinaro Hoperun CodeLinaro Hoperun hoperun
  • Joshua S. (Stage) Joshua S. (Stage) joshua.sickmeyer
  • Park, Jae Woo Park, Jae Woo jaewpark
5 authors
  1. Apr 15, 2017
  3. Apr 14, 2017
  5. Apr 13, 2017
    • Jerry Zhang's avatar
      Add configfs file permissions to init. · b04bb4bc
      Jerry Zhang authored 
      am: f3b5bd64

Change-Id: I7515097dc3c410fdf3544d72d9d99be772f62d0c
      b04bb4bc
    • Jeff Vander Stoep's avatar
      bluetooth: Remove domain_deprecated · ff1e0184
      Jeff Vander Stoep authored 
      Remove domain_deprecated from bluetooth. This removes some unnecessarily
permissive rules.

Bug: 25433265
Test: All of the permissions being removed were being audited. Verify
      that no audited (granted) avc messages for bluetooth exist in
      in the logs.

Change-Id: Ifa12a0f1533edcb623bbb9631f88f1ff1d6d7085
      ff1e0184
    • Jerry Zhang's avatar
      Add configfs file permissions to init. · f3b5bd64
      Jerry Zhang authored 
      These were previously in device specific sepolicies.
They should be in core sepolicy to reflect their
use by a core init file, init.usb.configfs.rc.

Addresses denial:

init    : type=1400 audit(0.0:135): avc: denied { unlink } for name="f1"
dev="configfs" ino=10923 scontext=u:r:init:s0
tcontext=u:object_r:configfs:s0 tclass=lnk_file permissive=0

Test: denial addressed
Change-Id: I869892f9d0c311b727462fb380f4160feb986215
      f3b5bd64
  7. Apr 12, 2017
  9. Apr 11, 2017
    • Tom Cherry's avatar
      remove /dev/log · 8c60f74d
      Tom Cherry authored 
      This was marked deprecated in 2014 and removed in 2015, let's remove
the sepolicy now too.

Test: see that logging still works on bullhead

Change-Id: I4caa0dbf77956fcbc61a07897242b951c275b502
      8c60f74d
    • Sandeep Patil's avatar
      sepolicy_version: change current version to NN.m format · 52f3c178
      Sandeep Patil authored 
      am: 9a3a6a81

Change-Id: If95f7f3f75f213549a15cdab969073a25b9776c3
      52f3c178
    • Jorge Lucangeli Obes's avatar
      system_server: Report dalvikcache_data_file execute violations. · 665128fa
      Jorge Lucangeli Obes authored 
      With build/core eaa9d88cf, system_server should not be loading code
from /data. Add an auditallow rule to report violations.

Bug: 37214733
Test: Boot marlin, no SELinux audit lines for system_server.
Change-Id: I2e25eb144503274025bd4fc9bb519555851f6521
      665128fa
    • Dan Cashman's avatar
      Add PLATFORM_SEPOLICY_VERSION. · bec5e57e
      Dan Cashman authored 
      Create PLATFORM_SEPOLICY_VERSION, which is a version string to represent
the platform sepolicy of the form "NN.m" where "NN" mirrors the
PLATFORM_SDK_VERSION and "m" is a policy-based minor version that is
incremented with every policy change that requires a new backward-compatible
mapping file to be added to allow for future-proofing vendor policy against
future platform policy.

(cherry-pick of commit 6f14f6b7)

Bug: 36783775
Test: Device boots when sha256 doesn't match and compilation is forced.
Change-Id: I4edb29824f2050a5a6e1bc078c100cf42e45c303
      bec5e57e
    • Sandeep Patil's avatar
      sepolicy_version: change current version to NN.m format · 9a3a6a81
      Sandeep Patil authored 
      
The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.

Make version_policy replace the '.' in version by '_' so secilc is
happy too.

This unblocks libvintf from giving out a runtme API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.

(cherry-pick of commit 42f95984)

Bug: 35217573
Test: Build and boot sailfish.
      Boot sailfish with sepolicy compilation on device.
Signed-off-by: default avatarSandeep Patil <sspatil@google.com>

Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
      9a3a6a81
  11. Apr 10, 2017
  13. Apr 07, 2017
  15. Apr 06, 2017
    • Dan Cashman's avatar
      Move mapping_sepolicy.cil to /system partition. · 04ef57bf
      Dan Cashman authored 
      This is a necessary first step to finalizing the SELinux policy build
process.  The mapping_sepolicy.cil file is required to provide backward
compatibility with the indicated vendor-targeted version.

This still needs to be extended to provide N mapping files and corresponding
SHA256 outputs, one for each of the N previous platform versions with which
we're backward-compatible.

(cherry-pick of commit: 0e9c47c0)

Bug: 36783775
Test: boot device with matching sha256 and non-matching and verify that
device boots and uses either precompiled or compiled policy as needed. Also
verify that mapping_sepolicy.cil has moved.

Change-Id: I5692fb87c7ec0f3ae9ca611f76847ccff9182375
      04ef57bf
    • Josh Gao's avatar
      Add /dev/kmsg_debug. · a015186f
      Josh Gao authored 
      Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).

Bug: http://b/36574794
Test: stop tombstoned; crasher; dmesg
Change-Id: I249e11291c58fee77098dec3fd3271ea23363ac9
      a015186f
    • Tianjie Xu's avatar
      Allow recovery to read thermal info · 3da2f21f
      Tianjie Xu authored 
      We want to track temperature metrics during an OTA update.

denial message:
denied  { search } for  pid=349 comm="recovery" name="thermal"
dev="sysfs" ino=18029 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0

denied  { read } for  pid=326 comm="recovery" name="temp"
dev="sysfs" ino=18479 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0

Bug: 36920500
Bug: 32518487
Test: temperature logs on angler
Change-Id: Ib70c1c7b4e05f91a6360ff134a11c80537d6015e
      3da2f21f
  17. Apr 04, 2017
  19. Apr 03, 2017
    • Mark Salyzyn's avatar
      logcatd: introduce logcatd executable · 88cdd71d
      Mark Salyzyn authored 
      logcatd is the same as logcat, except that the -L flag, if supplied,
runs once, then the command re-runs itself without the -L flag with
the same argument set.  By introducing a logcatd daemon executable
we can solve the problem of the longish reads from pstore that
sometimes occur when the system is excessively busy spinning in a
foreground task starving this daemon as we absorb the delay in
an init service, rather than in an init exec.  This would not have
been efficiently possible without the introduction of liblogcat.

Test: gTest logcat-unit-tests
Test: Manual check logpersist operations
Bug: 28788401
Bug: 30041146
Bug: 30612424
Bug: 35326290
Change-Id: I3454bad666c66663f59ae03bcd72e0fe8426bb0a
      88cdd71d
  21. Mar 31, 2017