Commits · b03831fe58be86cfd94c31b91def6ae53ebd614f · CodeLinaro / public-release-test / platform / system / sepolicy

Dec 08, 2015

Add rules for running audio services in audioserver · b03831fe

Marco Nelissen authored 9 years ago

audioserver has the same rules as mediaserver so there is
no loss of rights or permissions.

media.log moves to audioserver.

TBD: Pare down permissions.

Bug: 24511453
Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d

b03831fe

Dec 03, 2015
- Merge "Support fine grain read access control for properties" am: 6fa6bdb6 am: c28d9091 · f2fe3486
  Tom Cherry authored 9 years ago
```
am: 67100b5f

* commit '67100b5f':
  Support fine grain read access control for properties
```
  f2fe3486
- shell.te: allow pulling the currently running SELinux policy am: ad22e867 am: d483d2f3 · bc115666
  Nick Kralevich authored 9 years ago
```
am: 42aaf56f

* commit '42aaf56f':
  shell.te: allow pulling the currently running SELinux policy
```
  bc115666
- Merge "Support fine grain read access control for properties" am: 6fa6bdb6 · 67100b5f
  Tom Cherry authored 9 years ago
```
am: c28d9091

* commit 'c28d9091':
  Support fine grain read access control for properties
```
  67100b5f
- Merge "Support fine grain read access control for properties" · c28d9091
  Tom Cherry authored 9 years ago
```
am: 6fa6bdb6

* commit '6fa6bdb6':
  Support fine grain read access control for properties
```
  c28d9091
- Merge "Support fine grain read access control for properties" · 6fa6bdb6
  Tom Cherry authored 9 years ago
  
  6fa6bdb6
- Support fine grain read access control for properties · 949d7cbc
  Tom Cherry authored 9 years ago
```
Properties are now broken up from a single /dev/__properties__ file into
multiple files, one per property label.  This commit provides the
mechanism to control read access to each of these files and therefore
sets of properties.

This allows full access for all domains to each of these new property
files to match the current permissions of /dev/__properties__.  Future
commits will restrict the access.

Bug: 21852512

Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
```
  949d7cbc
- shell.te: allow pulling the currently running SELinux policy am: ad22e867 · 42aaf56f
  Nick Kralevich authored 9 years ago
```
am: d483d2f3

* commit 'd483d2f3':
  shell.te: allow pulling the currently running SELinux policy
```
  42aaf56f
- shell.te: allow pulling the currently running SELinux policy · d483d2f3
  Nick Kralevich authored 9 years ago
```
am: ad22e867

* commit 'ad22e867':
  shell.te: allow pulling the currently running SELinux policy
```
  d483d2f3
- Merge "Allow priv_apps to stat files on the system partition" am: 1d58b2fd am: d95780ac · 977e0b1d
  Jeffrey Vander Stoep authored 9 years ago
```
am: 06366398

* commit '06366398':
  Allow priv_apps to stat files on the system partition
```
  977e0b1d
- Merge "Allow priv_apps to stat files on the system partition" am: 1d58b2fd · 06366398
  Jeffrey Vander Stoep authored 9 years ago
```
am: d95780ac

* commit 'd95780ac':
  Allow priv_apps to stat files on the system partition
```
  06366398
- shell.te: allow pulling the currently running SELinux policy · ad22e867
  Nick Kralevich authored 9 years ago
```
Allow pulling the currently running SELinux policy for CTS.

Change-Id: I82ec03724a8e5773b3b693c4f39cc7b5c3ae4516
```
  ad22e867
- Merge "Allow priv_apps to stat files on the system partition" · d95780ac
  Jeffrey Vander Stoep authored 9 years ago
```
am: 1d58b2fd

* commit '1d58b2fd':
  Allow priv_apps to stat files on the system partition
```
  d95780ac
- Merge "Allow priv_apps to stat files on the system partition" · 1d58b2fd
  Jeffrey Vander Stoep authored 9 years ago
  
  1d58b2fd
- Allow priv_apps to stat files on the system partition · 2b56e484
  Jeff Vander Stoep authored 9 years ago
```
Allows safetynet to scan the system partition which is made up of
files labeled system_file (already allowed) and/or files with the
exec_type attribute.

Bug: 25821333
Change-Id: I9c1c9c11bc568138aa115ba83238ce7475fbc5e4
```
  2b56e484
Dec 02, 2015

Merge "bootanim: Remove domain_deprecated" am: a0757c4d am: d9c22bc4 · 6130a2c6
Jeffrey Vander Stoep authored 9 years ago
```
am: d7ce3c6b

* commit 'd7ce3c6b':
  bootanim: Remove domain_deprecated
```
6130a2c6

Explicitly added permissions that were previously granted through... · e6f27898

Felipe Leme authored 9 years ago

Explicitly added permissions that were previously granted through domain_deprecated. am: 15a1e0d4 am: 1bee3fd2
am: b969955d

* commit 'b969955d':
  Explicitly added permissions that were previously granted through domain_deprecated.

e6f27898

Merge "bootanim: Remove domain_deprecated" am: a0757c4d · d7ce3c6b
Jeffrey Vander Stoep authored 9 years ago
```
am: d9c22bc4

* commit 'd9c22bc4':
  bootanim: Remove domain_deprecated
```
d7ce3c6b
Merge "bootanim: Remove domain_deprecated" · d9c22bc4
Jeffrey Vander Stoep authored 9 years ago
```
am: a0757c4d

* commit 'a0757c4d':
  bootanim: Remove domain_deprecated
```
d9c22bc4
Merge "bootanim: Remove domain_deprecated" · a0757c4d
Jeffrey Vander Stoep authored 9 years ago

a0757c4d

bootanim: Remove domain_deprecated · 855ffe58

Jeff Vander Stoep authored 9 years ago

Remove domain_deprecated from bootanim. This removes some unnecessarily
permissive rules.

As part of this, re-allow access to cgroups, proc and sysfs, removed as
a result of removing domain_deprecated.

Bug: 25433265
Change-Id: I58658712666c719c8f5a39fe2076c4f6d166616c

855ffe58

Explicitly added permissions that were previously granted through domain_deprecated. am: 15a1e0d4 · b969955d
Felipe Leme authored 9 years ago
```
am: 1bee3fd2

* commit '1bee3fd2':
  Explicitly added permissions that were previously granted through domain_deprecated.
```
b969955d
Explicitly added permissions that were previously granted through domain_deprecated. · 1bee3fd2
Felipe Leme authored 9 years ago
```
am: 15a1e0d4

* commit '15a1e0d4':
  Explicitly added permissions that were previously granted through domain_deprecated.
```
1bee3fd2
Explicitly added permissions that were previously granted through · 15a1e0d4
Felipe Leme authored 9 years ago
```
domain_deprecated.

BUG: 25965160
Change-Id: I586d082ef5fe49079cb0c4056f8e7b34fae48c03
```
15a1e0d4
mdnsd: Remove domain_deprecated am: 4367cf2d am: 8dc92446 · 2434e08a
Nick Kralevich authored 9 years ago
```
am: e6a97e97

* commit 'e6a97e97':
  mdnsd: Remove domain_deprecated
```
2434e08a
mdnsd: Remove domain_deprecated am: 4367cf2d · e6a97e97
Nick Kralevich authored 9 years ago
```
am: 8dc92446

* commit '8dc92446':
  mdnsd: Remove domain_deprecated
```
e6a97e97
mdnsd: Remove domain_deprecated · 8dc92446
Nick Kralevich authored 9 years ago
```
am: 4367cf2d

* commit '4367cf2d':
  mdnsd: Remove domain_deprecated
```
8dc92446

mdnsd: Remove domain_deprecated · 4367cf2d

Nick Kralevich authored 9 years ago

Remove domain_deprecated from mdnsd. This removes some unnecessarily
permissive rules from mdnsd.

As part of this, re-allow /proc/net access, which is removed as
a result of removing domain_deprecated.

Bug: 25433265
Change-Id: Ie1cf27179ac2e9170cf4cd418aea3256b9534603

4367cf2d

Add permissions back to app / shell domains am: 8ff6a86d am: f7a0cc51 · b901a7b7
Nick Kralevich authored 9 years ago
```
am: d0f197d4

* commit 'd0f197d4':
  Add permissions back to app / shell domains
```
b901a7b7
Add permissions back to app / shell domains am: 8ff6a86d · d0f197d4
Nick Kralevich authored 9 years ago
```
am: f7a0cc51

* commit 'f7a0cc51':
  Add permissions back to app / shell domains
```
d0f197d4
Add permissions back to app / shell domains · f7a0cc51
Nick Kralevich authored 9 years ago
```
am: 8ff6a86d

* commit '8ff6a86d':
  Add permissions back to app / shell domains
```
f7a0cc51

Add permissions back to app / shell domains · 8ff6a86d

Nick Kralevich authored 9 years ago

Allow directory reads to allow tab completion in rootfs to work.

"pm" is crashing due to failure to access /data/dalvik-cache. Add
back in the permissions from domain_deprecated.

Allow /sdcard to work again.

Bug: 25954400
Change-Id: I48cfa92fabfa47ed3007a63b85284659ba94ea73

8ff6a86d

Dec 01, 2015

Allow appdomains to write on cgroup so it can start threads. am: d618eb6f am: 781a4bed · 23d41be9
Nick Kralevich authored 9 years ago
```
am: 07d06266

* commit '07d06266':
  Allow appdomains to write on cgroup so it can start threads.
```
23d41be9
Allow appdomains to write on cgroup so it can start threads. am: d618eb6f · 07d06266
Nick Kralevich authored 9 years ago
```
am: 781a4bed

* commit '781a4bed':
  Allow appdomains to write on cgroup so it can start threads.
```
07d06266
Allow appdomains to write on cgroup so it can start threads. · 781a4bed
Nick Kralevich authored 9 years ago
```
am: d618eb6f

* commit 'd618eb6f':
  Allow appdomains to write on cgroup so it can start threads.
```
781a4bed

Allow appdomains to write on cgroup so it can start threads. · d618eb6f

Nick Kralevich authored 9 years ago

Addresses the following denial:

avc: denied { write } for path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=716 scontext=u:r:shell:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=0

which started occurring because of https://android-review.googlesource.com/184260

Bug: 25945485
Change-Id: I6dcfb4bcfc473478e01e0e4690abf84c24128045

d618eb6f

Nov 30, 2015
- Merge "Allow system_server access to system logs" · 5e4e7316
  Vinit Deshpande authored 9 years ago
  
  5e4e7316
- Remove domain_deprecated from adbd and shell am: 8ca19368 am: 78d03007 · ab26b489
  Nick Kralevich authored 9 years ago
```
am: 06f94977

* commit '06f94977':
  Remove domain_deprecated from adbd and shell
```
  ab26b489
- Remove domain_deprecated from adbd and shell am: 8ca19368 · 06f94977
  Nick Kralevich authored 9 years ago
```
am: 78d03007

* commit '78d03007':
  Remove domain_deprecated from adbd and shell
```
  06f94977
- Remove domain_deprecated from adbd and shell · 78d03007
  Nick Kralevich authored 9 years ago
```
am: 8ca19368

* commit '8ca19368':
  Remove domain_deprecated from adbd and shell
```
  78d03007